Privacy Policy

This Privacy Policy was last updated and is effective as of March 20, 2026.

In this Privacy Policy (hereinafter – the “Privacy Policy”), we provide information about what personal data we process about you, for what purposes and legal bases we process it, how long we store it, to whom we may disclose information about you, and what rights you, as a data subject, have.

DEFINITIONS

Company, We, Data Controller – Mark ID, UAB, legal entity code 305098955, registered address Žalgirio g. 90-100, LT‑09303 (office address Žirmūnų g. 139A), Vilnius, email [email protected], website https://marksign.eu/.
Portal/Website – the online portal at www.marksign.eu.
Portal Administrator – Mark ID, UAB, legal entity code 305098955, address Žirmūnų g. 139A, Vilnius LT-09120 (the Company).
User – a natural person using the website https://marksign.eu/ who registers and provides personal data or provides such data without registration.
Personal Data – any information relating to an identified or identifiable natural person whose identity is known or can be directly or indirectly established through data such as a personal identification number or one or more characteristics specific to the individual’s physical, psychological, economic, cultural, or social identity.
Device – a computer, phone, tablet, or any other device used to access the Portal/Website and/or the services provided on the Portal/Website.
IP Address – a unique number identifying a device connected to the internet. An IP address may be used to identify the location from which the device connects to the internet.
Browser – software used to access websites on a personal device.
Account – the User’s login‑based profile on the Portal, created when the User signs in using their identification (login) data.
Identification Data or Login Data – User identification data transmitted via third parties such as SK ID Solutions AS, UAB Bitė Lietuva, AB Telia Lietuva, UAB Tele2, UAB Teledema, AB ZealiD, and VĮ Registrų centras.
Cookies – small files stored on the User’s device when visiting the Portal, enabling the Portal to recognise the User’s device. This term also includes similar technologies (e.g., Flash cookies, Web beacons).
Other concepts used in this Privacy Policy (such as data processor) shall be interpreted as defined in the legislation regulating personal data protection.

DATA CONTROLLER

The controller of the personal data processing operations described in this Privacy Policy – the entity determining the purposes and means of processing – is Mark ID, UAB (the Company), legal entity code 305098955, address Žirmūnų g. 139A, LT‑09120, Vilnius, email [email protected], website https://www.marksign.eu.
Please note that this Privacy Policy also includes information about activities where we act as a data processor on behalf of our clients, in situations where the Company is not the controller of your personal data. In such cases, we provide services to clients strictly according to their instructions. This Privacy Policy outlines the general information about our processing performed on behalf of our clients, including categories of personal data processed. In these cases, we do not independently determine the purposes or means of processing and do not control the personal data provided to us by clients. If you have questions or concerns about your personal data processed under such circumstances, or wish to exercise your data subject rights, we encourage you to contact the relevant data controller directly.

DATA PROTECTION OFFICER

The Company has appointed a Data Protection Officer.
If you wish to clarify or obtain information about how we process your personal data, or if you intend to exercise your rights as a data subject, you may contact the Company’s Data Protection Officer by email at [email protected] or by phone at +370 616 02000.

PURPOSE AND SCOPE OF THE PRIVACY POLICY

Personal data in the Company is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter – GDPR), the Law on Legal Protection of Personal Data of the Republic of Lithuania, and other applicable legislation, as well as the Company’s internal procedures.
In line with Articles 12–14 of the GDPR, this Privacy Policy provides information about how the Company processes your personal data. Additional information may be provided in separate notices, service agreements, or other documents you enter into with the Company.
This Privacy Policy does not describe how the Company processes personal data when you visit other Company‑managed websites or use services published or provided through other websites. When visiting such sites, your personal data will be processed according to the privacy information provided on those websites. Please make sure to review the applicable privacy notices on any other Company websites you use.

SOURCES OF PERSONAL DATA

Personal data processed by the Company may be obtained from the following sources:
directly from the data subject (e.g., when you use our website www.marksign.eu, contact us, communicate with us on social media, or follow our activities there);
from third parties (e.g., when you submit your personal data to job search platforms, from persons representing you, etc.).
Please note that you are not obliged to provide any personal data. However, if you choose not to provide it, we may be unable to provide you with our services and/or achieve other defined purposes (e.g., assess your application for a job position at the Company).

PURPOSES, CATEGORIES, LEGAL BASES, RETENTION PERIODS AND RECIPIENTS OF PERSONAL DATA

PERSONAL DATA PROCESSING WHEN THE COMPANY ACTS AS A DATA PROCESSOR

When acting as a data processor, we collect and process personal data on behalf of our clients while providing electronic authentication services, bulk SMS sending services, and document eSigning services.
When acting as a processor and providing these services, we process personal data strictly under the instructions of the data controller (the client whose services you use). The categories of processed personal data depend on the services provided to each client and the client’s instructions. These may include, among others: name, surname; personal identification number; country; phone number; session date and time; operating system; IP address; qualified certificate confirmation; certificate validity period; certificate (encoded); payment card data; chip card data; other personal data contained in a signed document or sent SMS message; transaction reports (e.g., total number per month, distribution by qualified eSignature tool used).
The legal basis for such processing is determined by the data controller (the client whose services you use).
The retention period for these data is also set by the data controller. Personal data processed on behalf of clients are retained only for as long as necessary to fulfil the purpose for which they were collected, or as required by the data controller and/or applicable legislation.
More information about our functions as a data processor is provided in the Personal Data Processing Agreement, which forms part of the General Terms of Service concluded with clients. If you have any questions or concerns regarding the processing of your personal data or wish to exercise your data subject rights, please contact the relevant data controller directly. We will forward any requests received to the appropriate controllers for further action.

PERSONAL DATA PROCESSING WHEN THE COMPANY ACTS AS A DATA CONTROLLER

Search and selection of potential employees
To carry out recruitment for open positions within the Company, we may process the following personal data of candidates: name, surname; contact details (telephone number, email address); CV content; qualification information, work experience, and other applicant‑provided or recruitment‑related information; results of tests performed during the selection process; evaluation from the interview.
Legal bases for processing:
data subject consent (GDPR Art. 6(1)(a)), expressed through your action of submitting your CV or completing an application form;
legitimate interests of the data controller (GDPR Art. 6(1)(f)), based on the need to assess your skills and qualifications and to select a suitable candidate.
If we offer you a position and you accept, your personal data will be processed to a greater extent for the purposes of taking steps prior to entering into an employment contract and ensuring its performance (GDPR Art. 6(1)(b)).
Retention period: data of unsuccessful candidates (those not offered a position) are deleted after the selection process for the specific position is completed, and in any case no later than 6 months from submission.
 
Conclusion and performance of contracts
To conclude and perform service, purchase‑sale, or other types of contracts, we may process the following personal data of clients or other contracting parties: name, surname, telephone number, correspondence address, email address, job title, bank account number, communications carried out in the interests of the contracting parties, personal data contained in the contract, signature, and any other information necessary for the proper execution of the contract. If a contract is concluded with a legal person, we may also process the personal data of the authorised representative acting on behalf of that entity.
The legal bases for processing such data are: performance of a contract or steps taken prior to entering into a contract when the contract is with a natural person (GDPR Art. 6(1)(b)), and the legitimate interests of the data controller to properly conclude and perform contractual obligations when the contract is with a legal person (GDPR Art. 6(1)(f)).
Personal data processed for these purposes are retained for 10 years after the termination of the contract and the full performance of all obligations.
 
Self‑service users and account administration
To use the services provided in the self‑service portal, you must register (log in) and provide your personal data. Registration or login is possible through various authentication tools available on the Website (Smart‑ID, Mobile‑ID, ZealiD, LT ID, SimplySign, USB storage, chip card, etc.). Additional information is available at https://support.marksign.eu/article/146-electronic-document-upload.
For the purposes of self‑service administration, contract conclusion, and service provision, we may process the following personal data of self‑service users (company clients and their representatives): identification data (name, surname, personal identification number), contact details (email address, telephone number, correspondence address), financial data (account number, last four digits of a payment card number, card expiry date, information about purchased services or products), eSignature certificate data (country, signing time, validity date, signature format, certificate issuer details), historical data (documents uploaded, signed, their content, login method, login date and time), tracking data (cookies, logs, date and time, IP address, device type, software used), and other data such as represented company details, account creation date, account update date, and service plan information. When logging in to the self‑service portal, your IP address may be used to determine your location.
Personal data are stored only for as long as necessary for the respective processing purposes. Identification and contact data are stored for five years from the last login to the self‑service portal. IP addresses are stored for two weeks from the date of login. Financial data are stored for ten years in accordance with the Accounting Law of the Republic of Lithuania. Browsing data (cookies and log entries) are stored for six months to one year, depending on the cookie type. Device and software data are stored for ten years; however, if no login occurs for more than one year, such data are no longer stored. eSignature certificate data are stored for three months after a document is removed from the self‑service portal. Other personal data are stored for the duration of the contract with the company or for five years after the last login (if no contract was concluded).
Where an account remains inactive for one year, all login data and any data stored within the account are deleted and no longer retained.
 
Payment administration and accounting
For the purposes of administering payments for the services provided by the Company, we may process the following personal data of clients (natural persons) and representatives of clients (legal persons): name, surname, correspondence address, payment card data (name, surname, last four digits of the card number, bank account number, bank name, card expiry date), signature, and data confirming authorisation to act on behalf of a legal person.
The legal bases for processing such data are: performance of a contract or steps taken prior to entering into a contract when the contract is with a natural person (GDPR Art. 6(1)(b)); the legitimate interest of the data controller to properly conclude and perform contracts when the contract is with a legal person (GDPR Art. 6(1)(f)); and the legal obligation placed on the data controller to maintain accounting records (GDPR Art. 6(1)(c)). These personal data are retained for ten years after the completion of the contract.
 
Debt collection
To ensure compliance with contractual obligations and collect outstanding debts, we may process personal data such as name, surname, contact details, correspondence address, debt‑related information (amount owed and the basis for the debt), personal identification number, financial situation, and information about family members.
The legal basis for such processing is the legitimate interest of the data controller to ensure the performance of contracts and collect debts (GDPR Art. 6(1)(f)). These data are retained for ten years after the contract has been completed. Personal data may be transferred to debt collection service providers (for example, UAB Legal Balance), as specified in the section Personal Data Recipients and Data Processors.

Virtual meeting organisation and execution
To organise and conduct conference calls, virtual meetings, video conferences or webinars, the Company may process personal data of individuals participating in such meetings. This may include information about meeting participants (such as name, surname, telephone number, email address, profile photo, job title and department), information related to the meeting itself (such as the meeting topic, description, participants’ IP addresses, technical details of the device used, and the start and end time of the conference), as well as text data, audio recordings and video recordings (image).
The legal bases for processing these data are the legitimate interests of the data controller to ensure secure and convenient communication when organising virtual meetings (GDPR Art. 6(1)(f)), and the data subject’s consent (GDPR Art. 6(1)(a)) in cases where the meeting is recorded in order to ensure traceability and evidential value of the decisions made during the meeting.
Personal data collected for these purposes are processed for as long as necessary to organise virtual meetings, coordinate meeting times, topics and related matters, document decisions made during the meetings, and provide related services. Detailed information about the processing of personal data, including storage periods, is provided at the time of organising a virtual meeting (for example, in the invitation to a recorded meeting).
 
Social media administration
The Company manages and administers its accounts on the social media platforms Facebook and LinkedIn. Any information provided by individuals on these platforms (including messages, use of “Like” or “Follow” features, and other interactions), as well as information collected when visiting the Company’s social media accounts, is controlled by the provider of the respective social media platform. For example, LinkedIn collects information about what content users see, what actions they take on the platform, and with whom they interact. Therefore, the Company recommends that users review the privacy notices of the respective social media providers.
More information about the LinkedIn Privacy Policy is available at: https://www.linkedin.com/legal/privacy-policy.
More information about the Facebook Privacy Policy is available at: https://www.facebook.com/privacy/policy/.
The Company selects and configures relevant settings of its social media accounts based on its target audience and communication objectives. However, social media providers may restrict the ability to change certain essential settings, meaning the Company cannot fully control what personal data the social media provider collects when the Company creates or administers an account on the platform.
Such settings may influence the processing of personal data when individuals use social media, visit the Company’s social media pages or view the Company’s content on the platform. In general, social media providers process personal data (including any data collected as a result of the settings chosen by the Company) for their own purposes and under their own privacy policies. However, when individuals interact with the Company through social media — by visiting its profile, viewing posts or engaging with content — the Company receives certain information about the individual. In administering its social media accounts and aiming to increase brand awareness, the Company processes data such as name and surname (or the user’s social media username), comments left on the Company’s posts and the date they were posted, information about user reactions to the Company’s content, and information about following the Company’s account on the platform.
The legal basis for this processing is the legitimate interest of the data controller to ensure effective communication, visibility and promotion of the Company’s activities and to maintain convenient communication with clients and potential clients (GDPR Art. 6(1)(f)).
Such data are processed until they are removed by the data subject or until the specific post to which the personal data relate is deleted as no longer relevant for presenting or promoting the Company’s activities.
 
Processing of information about shareholders and board members
To manage information about the Company’s shareholders and board members and fulfil legally applicable obligations, the Company may process personal data such as name, surname, personal identification number, residential address, date of appointment, contact details (telephone number and email address) and the number of shares held.
The legal basis for this processing is the data controller’s legal obligation (GDPR Art. 6(1)(c)).
Personal data are stored for ten years from the date the individual ceases to be a shareholder or board member.
 
Provision of ultimate beneficial owner information to the JANGIS register
To fulfil obligations related to the identification and reporting of ultimate beneficial owners (UBOs), the Company may process personal data such as name, surname, date of birth, personal identification number, the country that issued the identity document, residential address, and details regarding ownership rights (percentage of shares and voting rights) or other control rights (board chair, board member, manager, senior manager, or number of transferred voting rights expressed in percentages).
The legal basis for this processing is the data controller’s legal obligation (GDPR Art. 6(1)(c); Article 25(1) of the Law on the Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania).
Personal data are stored for eight years from the date the information is removed from the Register of Legal Entities Participants Information System.
 
Enquiry management
To manage enquiries submitted to the Company, we may process personal data such as name, surname, contact details (telephone number, email address), information provided in the enquiry and signature.
The legal basis for this processing is the data controller’s legitimate interest to ensure proper administration of enquiries (GDPR Art. 6(1)(f)).
The retention period depends on the nature of the enquiry and is determined according to the General Document Retention Schedule approved by the Chief Archivist of Lithuania.
 
Direct marketing and pixel technologies
When sending direct marketing communications or invitations to participate in surveys, the Company processes personal data of natural persons. Detailed information about such processing is provided in the Privacy Notice on Personal Data Processing for Direct Marketing Purposes, published in the section “Personal Data Protection” on the Company’s website.
Marketing emails may include tracking technologies, including pixels, which allow us to collect statistical data on email opens and interactions. Tracking pixels (also known as web beacons or clear GIFs) are small graphic files embedded in marketing emails that enable the Company to determine whether an email was opened, whether links were clicked, or whether other actions were taken. More information about the processing of personal data collected through pixels is available in the above‑mentioned direct marketing privacy notice.
 
Website improvement, visitor analytics and provision of electronic services (cookies)
To improve the website according to user needs, ensure the functioning of electronic services and maintain website functionalities, the Company uses cookies, plugins and similar technologies. For these purposes, the Company may process data such as IP address, browser type and version, language preferences, region, browsing time, selected time zone, login details and other information collected through cookies.
The legal basis for processing depends on the type of cookie used. Non‑essential cookies are processed on the basis of the data subject’s consent (GDPR Art. 6(1)(a)), while essential cookies are processed on the basis of the data controller’s legitimate interest to ensure proper website operation (GDPR Art. 6(1)(f)).
Retention periods depend on the specific cookie type but never exceed two years.
More detailed information is provided in the section “Cookies”.
 
Live chat customer support (tawk.to)
To provide relevant information and respond to enquiries, the Company uses a live chat function on its website and may process personal data provided voluntarily during a chat, such as name, surname, email address (for troubleshooting purposes), telephone number, the content of the enquiry, date and time.
The legal basis is the data controller’s legitimate interest to respond quickly and effectively to client and potential client requests (GDPR Art. 6(1)(f)).
Personal data processed for this purpose are stored for three months from the date of the enquiry.
The tawk.to, Inc. platform acts as a data processor, and its privacy notices should be reviewed for further details.
 
Case studies (testimonials) on the website
To carry out effective marketing and attract new clients through the experiences of existing or long‑term clients (published in the “Case studies” section on the marksign.eu website), the Company processes data such as name, surname, employer, job title, photo (image) and testimonial content.
The legal basis is the data subject’s consent (GDPR Art. 6(1)(a)).
Detailed information about processing for this purpose, including retention periods and data recipients, will be published soon.

COOKIES

The Website uses cookies – small text files automatically created while browsing and stored on your computer or other end device. Information collected through cookies helps ensure more convenient browsing, provide relevant suggestions, understand user behaviour on our Website, analyse trends and improve the Website. If the Company’s Website contains links to other websites that also use cookies, such cookies are not described here.
Before storing functional, analytical, advertising or third‑party cookies, we request your consent. Essential cookies are stored on the basis of the Company’s legitimate interest, and your consent is not requested for such cookies. If you have already given your consent, we will not request it again when the same cookie is used for the same purpose in the future. This also applies to third‑party cookies.
You may withdraw your consent to the use of non‑essential cookies at any time by changing your browser settings, disabling all cookies or disabling/enabling specific cookies individually. Please note that in some cases this may slow down your browsing experience, limit certain website functions or restrict access to parts of the Website. To adjust cookie settings, we recommend using the cookie banner or available browser settings.
The following categories of cookies may be used on the Website:
essential cookies that allow you to use Website features and access your user account;
performance (session) cookies that improve Website functionality and collect general anonymous statistical information;
analytical cookies (including those used by Google Analytics) that help recognise and count Website visitors and understand how they navigate the Website;
functional cookies that allow the Website to recognise returning visitors and provide customised content;
and advertising cookies that display ads relevant to your interests and may also be used to measure the effectiveness of advertising campaigns.

Below is a list of cookies used on the Website (please note that this information is currently under review and will be updated shortly):
_ga (Google) – registers a unique ID needed to generate statistical data on how the data subject uses the Website; stored for 1 year and 1 month; category: statistics.
_ga_# – used by Google Analytics to record how many times a user has visited the Website; stored for 1 year and 1 month; category: statistics.
_gid (Google) – registers a unique ID needed to generate statistical data on how the data subject uses the Website; stored for 1 day; category: statistics.
_gat (Google) – used by Google Analytics to control the rate of data collection on high‑traffic sites; stored for 1 day; category: statistics.
_dc_gtm_UA‑# (Google) – associated with websites using Google Tag Manager to load scripts and code; considered strictly necessary because other scripts may not function without it; stored for 1 day; category: statistics.
_hjAbsoluteSessionInProgress (HotJar) – used to count how many times the Website has been visited by different data subjects by assigning an ID to avoid double‑counting; stored for 1 day; category: statistics.
_hjFirstSeen (HotJar) – used to determine whether a data subject is visiting the Website for the first time or is a returning visitor; stored for 1 day; category: statistics.
_hjIncludedInSessionSample_# (HotJar) – determines whether the data subject’s navigation should be recorded for statistical purposes; stored for 1 day; category: statistics
_hjSession_# (HotJar) – used to collect statistics about Website visits, such as visit count and time spent; stored for 1 day; category: statistics.
_hjSessionUser_# (HotJar) – used to collect statistics about Website visits, such as visit count and time spent; stored for 1 year; category: statistics.
_hjCookieTest (HotJar) – records statistical data about user behaviour on the Website and is used for internal analysis; stored for 1 session; category: statistics.
collect (Google) – used to send data about user behaviour and device use to Google Analytics and to track users across devices and marketing channels; stored for 1 session; category: statistics.

PLUGINS

The Company’s websites use plugins (social plugins). These plugins are installed to allow Website visitors to be redirected to the Company’s accounts on social media platforms or to communication windows within such platforms.

When you click a plugin icon, you are directed to the plugin provider’s page, and the provider receives information such as the page from which the request was initiated, as well as the date and time of the request. Plugins can be recognised by the Facebook and LinkedIn logos.

Any information submitted on the plugin provider’s site or collected when accessing a page containing the Company’s plugin is controlled by the plugin provider. Information about the personal data collected and stored, the legal bases for processing, storage periods, and applied technical and organisational security measures is provided in the privacy notices of the respective plugin providers.

Personal data recipients and data processors

Your personal data may be provided to certain recipients if a valid legal basis exists and appropriate security measures are ensured. These may include:

• VĮ Registrų centras;
• mobile signature service providers;
• state authorities, law enforcement institutions and other persons when required by Lithuanian law or when the provision of data is necessary to establish, exercise or defend the Company’s legal claims;
• social media platform operators;
• and business partners.

In addition, access to your personal data may be granted to data processors engaged by the Company (such as debt collection service providers like UAB Legal Balance, document storage service providers, consultancy providers and similar service providers). All processors process personal data strictly according to our instructions and within the scope defined by us. We ensure that all processors implement appropriate technical and organisational measures and maintain the confidentiality of the personal data they process.

With your consent, personal data may also be provided to other parties.

Transfer of personal data outside the EU/EEA

Your personal data may be transferred outside the European Union where contracts with data processors include safeguards compliant with EU legal requirements. Data may also be transferred outside the EU when necessary for the conclusion or performance of contracts and for the proper provision of services to the Company’s clients. In such cases, the Company ensures that personal data transferred outside the EU/EEA receive an adequate level of protection.

When transferring data outside the EU/EEA, the Company relies on one of the following:

• decisions of the European Commission recognising a country as providing adequate protection;
• approved certification mechanisms;
• or standard contractual clauses adopted by the European Commission.

A third country outside the EU/EEA must ensure an adequate level of data protection as determined by the European Commission.

Profiling and automated decision‑making

The Company does not carry out profiling or automated decision‑making that would have significant or adverse effects on you.

Technical and organisational security measures

To protect the personal data it processes, the Company implements organisational and technical security measures in accordance with:

• GDPR;
• ISO/IEC 27001 (Information Security Management Systems);
• the Cybersecurity Law of the Republic of Lithuania;
• and the Law on the Legal Protection of Personal Data.

The Company’s information security management system is certified under ISO/IEC 27001, confirming compliance with the standard’s requirements. The Company implements strict access control measures, encryption, backup procedures and other security practices to protect personal data from accidental or unlawful destruction, alteration, disclosure or any other unlawful processing.

DATA SUBJECT RIGHTS

As a data subject, you have the rights described in this section.

Right to be informed about the processing of your personal data

When we obtain your personal data directly from you, we inform you about the processing at the time the data is collected, either verbally and/or in writing.

If we receive your personal data from another source, we will inform you about the processing within one month of obtaining the data. If your personal data are used for communicating with you, the information will be provided no later than at the time of our first contact with you.

Right of access

You have the right to submit a request to the Company to access the personal data we process about you. Within one month of receiving your request, we will verify whether we process your personal data. If we do, we will provide the information you request, including the categories of data processed, retention periods, the sources from which the data were obtained, the purposes of processing, the recipients of the data, and, upon your request, a copy of the personal data being processed.

Where objectively justified, the response period may be extended (up to three months), and you will be informed accordingly.

If your requests are manifestly unfounded or excessive, we may refuse to act on them.

Right to rectification

You have the right to request the correction of inaccurate, incorrect or incomplete personal data.

We will inform you whether the requested correction or deletion has been carried out. We will also inform any recipients of the corrected or deleted data, unless doing so is impossible or would require disproportionate effort. Upon your request, we will provide information about such recipients.

Right to restrict processing

You have the right to request the restriction of processing in the following circumstances:

– when you contest the accuracy of the data, processing will be restricted for the period necessary for the Company to verify the accuracy;

– when you contest the lawfulness of the processing and request restriction instead of deletion;

– when the data are needed for the establishment, exercise or defence of legal claims after the normal storage period has expired;

– when you have objected to the processing and the restriction is applied until it is verified whose interests are overriding.

Restricted personal data may be processed, except for storage, only with your separate consent or for the establishment, exercise or defence of legal claims, for the protection of the rights of another natural person, or for important public interest reasons. Before lifting a restriction, we will inform you accordingly.

Right to erasure (“right to be forgotten”)

In the cases provided for in Article 17 of the GDPR, you have the right to request the deletion of personal data if you establish that your data are being processed unlawfully or unfairly.

The Company may refuse to delete data in the cases specified in Article 17 of the GDPR.

We will inform you whether the requested deletion has been carried out. We will also inform data recipients, unless doing so is impossible or requires disproportionate effort. Upon your request, information about such recipients will be provided.

Right to object to processing

You have the right to object to the processing of your personal data unless the processing is carried out on the basis of the Company’s or a third party’s legitimate interests and your interests do not override those interests.

If you object to processing, your data will no longer be processed unless we determine that the legitimate grounds for the processing override your interests, rights and freedoms, or the data are necessary for the establishment, exercise or defence of legal claims.

Right to withdraw consent

If your personal data are processed on the basis of your consent, you have the right to withdraw that consent at any time.

Right to data portability

You have the right to request that personal data you have provided, if processed based on consent or a contract and by automated means, be transferred to another data controller or provided to you in a structured, commonly used and machine‑readable format, where technically feasible. When submitting such a request, you must indicate whether the data should be transferred to you directly or to another controller.

This right cannot be exercised for data processed by non‑automated means, such as paper files.

Right to lodge a complaint

You may lodge a complaint regarding the Company’s actions or inactions related to the exercise of your data subject rights with the State Data Protection Inspectorate, L. Sapiegos g. 17, Vilnius, email [email protected], website https://vdai.lrv.lt/en/, or with a competent court of the Republic of Lithuania. A complaint may be submitted by you directly, through an authorised representative or through a non‑profit organisation or association that meets the requirements of Article 80 of the GDPR.

PROCEDURE FOR EXERCISING DATA SUBJECT RIGHTS

You may contact the Company to exercise your rights verbally or in writing, by submitting a request in person, by post or using electronic means via the contact details provided in this Privacy Policy.

If you choose to exercise your rights verbally, you must confirm your identity by presenting an identity document.

If you choose to exercise your rights in writing (by post), you must include a copy of your identity document with your request.

If your request is submitted electronically, it must be signed with a qualified eSignature or created in a manner that ensures text integrity and immutability. Without these requirements, we cannot accept your request and the rights cannot be fulfilled. If we have doubts regarding your identity, we may request additional information necessary to verify it. These identity verification requirements do not apply when you request information under Articles 13 and 14 of the GDPR.

A request must be legible, signed and contain your name, surname, correspondence address and/or other contact details needed to respond.

If your rights are exercised through an authorised representative, the representative must provide their name, surname, correspondence address and/or other contact details, the name and surname of the data subject they represent, and information needed to identify the data subject, as well as a document confirming the right of representation or a certified copy thereof.

For any questions about the processing of personal data or the exercise of your rights, you may contact the Company’s Data Protection Officer. If you contact the Data Protection Officer directly, we recommend indicating that the correspondence is intended exclusively for the Company’s Data Protection Officer.

FINAL PROVISIONS

The laws of the Republic of Lithuania apply to the implementation and interpretation of this Privacy Policy.

If any provision of the Privacy Policy becomes invalid or is deemed unenforceable, the remaining provisions will continue to apply.

This Privacy Policy is valid from the date of its publication on the Website. It does not constitute an agreement between you and the Company regarding the processing of personal data. The purpose of this Privacy Policy is to inform you about how the Company processes personal data.

The Company may amend the Privacy Policy at any time. The Policy is reviewed when legal requirements change, but in any case not less than once per calendar year. All amendments are published on the Website and take effect upon publication. We recommend reviewing the Privacy Policy regularly.