This privacy policy (hereinafter referred to as the “Policy”) of UAB “Nord DECO” (hereinafter referred to as the “Company”) recognizes that the protection of personal data is important to you – our clients and other data subjects (hereinafter referred to as “data subjects”) – and is committed to respecting and protecting the privacy of each data subject. Data subjects entrust us with their personal information, and we are responsible for earning their trust every day.
Therefore, with this Privacy Policy:
– the Company’s commitment and responsibility to protect and respect personal privacy are defined;
– it is explained how the Company collects, uses, and stores (processes) personal data;
– data subjects are informed about how their personal data is processed and what rights each data subject has.
When processing the personal data of data subjects, we comply with the General Data Protection Regulation of the European Parliament and of the Council, the Law of the Republic of Lithuania on the Legal Protection of Personal Data, the Law of the Republic of Lithuania on Electronic Communications, and other directly applicable legal acts regulating the protection of personal data, as well as instructions from competent authorities.
The Privacy Policy applies in cases where a person uses the Company’s services, loyalty program, gives consent to receive promotional messages, as well as when visiting our website www.norddeco.lt. The Privacy Policy does not apply in cases where other companies’ websites or services are used, even if accessed through links on the Company’s website.
If you have any questions, observations, or comments regarding the Privacy Policy, you can contact us by email: info@norddeco.lt or by phone +37065577669.
1.1.2 personal data – any information relating to an identified or identifiable natural person (data subject), whose identity can be directly or indirectly established using such data as personal identification number, one or more factors specific to the physical, physiological, psychological, economic, cultural, or social identity of that natural person;
1.1.3 processing of personal data – any action or set of actions performed with personal data: collection, recording, storage, accumulation, storage, classification, grouping, linking, modification (supplementation or correction), provision, disclosure, use, logical and (or) arithmetic operations, searching, dissemination, destruction, or other action or set of actions;
1.1.4. data subject’s consent – any freely given, specific, informed, and unambiguous expression of the data subject’s will, by statement or by clear affirmative action, by which the data subject agrees to the processing of personal data relating to him or her, for example, written, including electronic means, or oral statement. Silence, pre-ticked boxes, or inactivity are not considered consent;
1.1.5. data controller – a legal or natural person who, alone or jointly with others, determines the purposes and means of processing personal data. In this Policy, the Company is considered the data controller;
1.1.6 data processor – a legal or natural person (who is not an employee of the data controller) authorized by the data controller to process personal data;
1.1.7 employee – a person who has entered into an employment or similar agreement with the Company;
1.1.8 supervisory authority – the State Data Protection Inspectorate;
1.1.9 direct marketing – activity aimed at offering goods or services to individuals by post, telephone, or any other direct means, and (or) soliciting their opinions on the goods or services offered;
1.1.10 Company’s website – www.norddeco.lt;
1.1.11 General Data Protection Regulation – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.1.12 other terms used in the Rules correspond to the terms provided for in the General Data Protection Regulation and the Law on Personal Data Protection of the Republic of Lithuania.
1.2 This Policy aims to facilitate data subjects’ exercise of their rights.
1.3 This Policy also applies to other data subjects (i.e., not clients or employees) whose personal data the Company processes or will process in the future, for the protection of personal data.
1.4 The personal data processed by the Company are accurate, appropriate, and only of such scope as is necessary for their collection and further processing. If personal data processing is necessary, the personal data are regularly updated.
1.5 Personal data may be collected on the website:
1.5.1 Provision of Company’s services (order processing, administration, fulfillment, payment, application of discounts), customer identification in the Company’s information system, customer identification when logging into their account on the Company’s website, issuance of invoices and other financial documents;
1.5.2 With the data subject’s consent, for direct marketing purposes.
1.6 For the purposes specified in section 1.5 of the Policy, the Company processes the following personal data: name, surname, email address, address, phone number.
1.7 1.5.1. The legal basis for the processing of personal data specified in point 1.6 is the Company’s obligation to fulfill the contract concluded with the data subject and/or at the request (order) of the data subject to take action to conclude a contract.
1.8 The legal basis for the processing of data specified in point 1.5.2 is the consent given by the data subject.
1.9 When personal data is processed for direct marketing purposes, the data subject has the right to withdraw their consent at any time free of charge by revoking their consent.
2.1 To process customers’ personal data within the Company, including their transfer to third parties as envisaged in Section 2.2 of the Policy, only employees have the right. Each employee must keep the confidentiality of customer personal data and comply with the requirements of personal data protection legislation and these Rules.
2.2 When executing concluded service provision contracts of the Company, Customers’ personal data may only be transferred to the Company’s partners, acting on behalf of the Company as data processors, who provide delivery and other services related to the performance of the service contract (personal data are disclosed only to the extent necessary for the provision of the relevant services). Customers’ personal data may be provided only to those data processors with whom the Company has signed contracts containing provisions regarding the transfer/provision of personal data, and if the data processor ensures the protection of transferred personal data as required by the General Data Protection Regulation. In all other cases, customers’ personal data may be disclosed to third parties only in accordance with the procedure established by the laws of the Republic of Lithuania.
2.3 The Company adheres to the principle of confidentiality and keeps confidential any information related to personal data that it becomes acquainted with while performing duties, unless such information is public according to the provisions of applicable laws or other legal acts.
2.4 Term of Personal Data Processing: Personal data are processed until they are no longer necessary for the purposes of processing:
2.4.1 Customer personal data collected and processed for the purpose of providing Company services (point 1.6.1) are processed for no longer than 10 years from the date of the last order (purchase) fulfillment;
2.4.2 Customer personal data processed for direct marketing purposes as specified in point 1.6.2 are processed no longer than until the withdrawal (revocation) of consent to receive advertisements.
2.5 When personal data are no longer necessary for the purposes of processing, they are destroyed, except for those that, in accordance with the law, must be transferred to state archives.
2.6 The protection of personal data is organized, ensured, and implemented by employees authorized by the Company.
3.1 Data Subject Rights:
3.1.1 To know (be informed) about the processing of their personal data by the Company;
3.1.2 To acquaint themselves with the personal data processed by the Company and how they are processed;
3.1.3 To refuse the processing of their personal data;
3.1.4 To request correction, supplementation, or rectification of inaccurate or incomplete personal data, the destruction of their personal data, or to suspend, except for storage, the processing of their personal data;
3.1.5 To demand the deletion of data (“right to be forgotten”). This right applies in one of the following cases:
3.1.5.1 Personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
3.1.5.2 The data subject withdraws consent on which the processing is based, and there is no other legal ground for processing;
3.1.5.3 Personal data have been processed unlawfully;
3.1.5.4 Personal data must be erased in compliance with a legal obligation under European Union or national law;
3.1.6 The right to data portability: The data subject has the right to receive the personal data concerning him or her, which he or she has provided to a data controller, in a structured, commonly used, and machine-readable format and has the right to transmit those data to another data controller, where:
3.1.6.1 The processing is based on consent or on a contract;
3.1.6.2 The data are processed by automated means.
3.2 The data subject has the right to lodge a complaint with a supervisory authority regarding the potentially unlawful processing of his or her personal data.
3.3 The data subject has the right to authorize a non-profit organization, institution, or association properly established under the laws of the Republic of Lithuania, whose objectives, as set out in its statutes, are in the public interest and which operates in the field of protection of the data subject’s rights and freedoms concerning the protection of their personal data, to lodge a complaint on his or her behalf and to exercise certain rights provided for in the General Data Protection Regulation.
3.4 Procedure for the Implementation of Data Subject Rights:
3.4.1 In order to exercise the rights specified in point 3.1, the individual must submit a written request to the Company (in person, by post, through a representative, or by electronic means). The request must be dated, signed by the individual, and must specify: the individual’s name, surname, place of residence, contact details, and information about which of the rights mentioned above and to what extent the individual wishes to exercise;
3.4.2 When submitting the request, the individual must confirm their identity by:
3.4.2.1 If the request is submitted in person by visiting the Company – provide a document confirming the individual’s identity or a copy thereof certified in accordance with the procedure established by the laws of the Republic of Lithuania;
3.4.2.2 If the request is submitted by mail – provide a copy of the document confirming the individual’s identity certified in accordance with the procedure established by the laws of the Republic of Lithuania;
3.4.2.3 If the request is submitted through a representative – provide a document confirming representation;
3.4.2.4 If the request is submitted electronically – sign with an electronic signature;
3.4.3 The data subject’s right to refuse the processing of their personal data for direct marketing purposes is implemented by informing the Company of their objection via email and providing information about all accounts created by the Company on its website, if any were created;
3.4.4 If the data subject has an account on the Company’s website, they can review and edit the personal information and contact details provided on the Company’s website by visiting their account. Through their account on the Company’s website, the data subject can also exercise their right to refuse the processing of their personal data for direct marketing purposes.
Through their account on the Company’s website, the data subject can also exercise their right to refuse the processing of their personal data for direct marketing purposes. The request is reviewed, and a response is provided to the individual no later than 30 days from the date of receipt of the request.
3.6 When submitting requests under point 3.4.1, the data subject should not blatantly abuse their rights. In the event that the data subject abuses their right (for example, contacting the Company for information about their processed personal data more than once within six months), the Company has the right to demand reimbursement of administrative costs associated with fulfilling such requests from the data subject.
3.7 The data subject’s objection to the processing of their personal data for direct marketing purposes is addressed promptly, within the shortest possible time. To ensure that personal data are no longer processed for direct marketing purposes, the Company’s employees responsible for computer maintenance must take appropriate measures.
4.1 In order to enhance the customer experience while visiting the Company’s website, we use cookies – small pieces of text information that are automatically created while browsing the website and are stored on the customer’s computer or other end device. The information collected through cookies allows us to ensure the customer’s browsing convenience, provide attractive offers, learn more about user behavior on the website, analyze trends, and improve both the website and the services provided by the Company.
4.2 By using the website, the customer agrees to the Company’s cookie usage policy and can choose whether to accept cookies. If you do not agree to cookies being stored on your computer or other end device, you can change your internet browser settings to disable all cookies or enable/disable them one by one. However, please note that in some cases, this may slow down internet browsing speed, restrict the functioning of certain website features, or block access to the website. For more detailed information, please visit www.aboutcookies.org or www.google.com/privacy_ads.html.
4.3 The information collected using cookies is used for the following purposes: functional cookie usage and service provision, service development, usage analysis, and targeted marketing orientation.
5.1 The Company implements organizational and technical measures to protect personal data from accidental or unlawful destruction, alteration, disclosure, as well as from any other unlawful processing.
5.2 In case of detecting breaches of personal data security, the Company promptly addresses and resolves them.
5.3 The Company’s employees adhere to the principle of confidentiality, as outlined in Section 2.3 of the Policy.
5.4 Antivirus software on the Company’s computers must be constantly updated.
5.5 In the event of a personal data security breach, the Company informs the supervisory authority without undue delay and, if possible, within 72 hours from becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If the supervisory authority is not notified of the personal data security breach within 72 hours, the reasons for the delay are included in the notification.
5.6 When a personal data security breach may pose a significant risk to the rights and freedoms of individuals, the Company promptly notifies the data subject about the breach.
6.1 The data subject must provide the Company with comprehensive and accurate personal data and inform about any relevant changes in their personal data.
6.2 The Company cannot guarantee completely uninterrupted operation of its website or that it will be fully protected against viruses. Under no circumstances does the Company accept responsibility for direct or indirect losses related to the use of materials or documents available on the Company’s website. The data subject is informed that any material they read, download, or otherwise obtain using the Company’s website is obtained solely at the data subject’s discretion and risk. Therefore, the data subject is responsible for any damage caused to themselves or their computer system.
6.3 The Company is not liable for damages, including damages resulting from the use of the website being interrupted, for the loss or damage of data, resulting from the actions or inaction of the Data Subject or third parties acting on behalf of the Data Subject, including erroneous data entry, other errors, intentional harm, or any other inappropriate use of the Company’s website.
6.4 Unless otherwise specified, intellectual property rights (including copyright) to the content and information of the Company’s website belong to the Company. Without prior written consent from the Company, reproduction, translation, adaptation, or any other use of any part of the Company’s website is prohibited. It is prohibited to perform any other actions that violate or may violate the Company’s intellectual property rights to the website, as well as actions that contradict fair competition.
7 Final provisions
7.1 Personal data protection is organized, ensured, and implemented by an authorized employee of the Company.
7.2 This Policy is updated no less than once every two years or in the event of changes in the legal acts regulating the protection of personal data.
7.3 The Policy is publicly announced on the Company’s website. Company clients are informed about this Policy through electronic means.
7.4 Supplements or amendments to the Policy become effective from the date of their publication on the Company’s website. If, after the supplementation or amendment of the Policy, Company clients continue to use the website and its services, it is considered that they agree to these supplements and/or amendments.