Privacy Policy
UAB Capitalica Asset Management Privacy Policy
General provisions
This privacy policy (hereinafter – the Privacy Policy) provides information on the processing of personal data by UAB Capitalica Asset Management, legal entity code 304234719, registered office address Upės g. 21-1, LT-08128 Vilnius (hereinafter – the Company) and the legal entities under its direct and indirect control.
Natural persons whose data are processed by the Company are subject to provisions of the Privacy Policy, i.e.:
- customers (including employees and/or representatives of legal entities to whom the Company provides its services) who use, used or have expressed an intention to use, or are in any other way related to the services provided by the Company (hereinafter – the Customers);
- persons who refer to the Company with applications, claims, either directly or by means of remote communication, including by telephone or email;
- persons who visit the Company’s websites, etc.
Definitions
The concepts and abbreviations used in this Privacy Policy have the following meanings:
- Personal data means any information relating to a natural person who can be directly or indirectly identified (e.g. name, surname, contact details, etc.).
- Data subject means a natural person (data subject) whose data is processed (e.g. Customers of the Company, persons who referred to the Company with requests or claims, users of the Company’s website, self-service portal and other portals/websites managed by the Company, etc.).
- Data processing means any action performed on personal data (i.e. collection, recording, storage, provision of access, transfer, etc.).
- Services mean any goods and services provided by the Company.
- Supervisory Authority means the State Data Protection Inspectorate.
Other concepts used in the Privacy Policy shall be understood as defined in legal acts regulating the protection of personal data (General Data Protection Regulation (EU) 2016/679 (hereinafter – the Regulation), the Law on Legal Protection of Personal Data of the Republic of Lithuania, and other laws.
Purposes and legal grounds of personal data processing
The Company processes personal data for specific purposes only, in accordance with the legal grounds provided for by law:
- on the basis of the performance of a contract, where the processing of personal data is necessary for the conclusion and/or performance of the Company’s obligations to the Customer under the concluded contract;
- on the basis of a legal requirement, where the Company is obliged to process personal data, e.g. for tax accounting purposes, for the purpose of providing personal data to public authorities, etc.;
- on the legal basis of a consent, where you give your explicit consent to the processing of your personal data for one or more specific purposes, e.g. processing of personal data of applicants for vacant job positions or sending marketing communications.
- on the basis of a legitimate interest when personal data are processed in pursuit of a lawful interest of the Company, e.g. video surveillance for the purpose of ensuring the protection of its property and/or objects.
Key objectives pursued by the Company in processing personal data:
- provision of services, contract conclusion and performance. The Company processes personal data in order to ensure proper conclusion and performance of contracts with customers, the provision of services or goods to customers on the basis of contracts, including proper information of the customer on matters relating to the goods, services and the contract, on the basis of the contract or legislative requirements;
- preparation of commercial offers. The Company processes personal data for the purpose of making a commercial offer to a customer for a service the customer wishes to acquire;
- debt management. In the event of a debt, the Company shall process personal data relating to the debt and carry out recovery actions on the grounds of a contract, legislative requirements and legitimate interest;
- resolving the issues raised. The Company processes personal data in connection with the handling and resolution of issues or complaints on the grounds of a contract, consent or legislative requirements;
- direct marketing and assessment of customer experience. The Company may process personal data (name, surname, email address, email communication information) for the purpose of providing profiled offers and news about the services, information about ongoing events, and enquiries about the quality of the Services provided. These data are processed and information is only be sent to the person if he has provided a consent to direct marketing and profiling. For profiling purposes, in order to identify whether the information sent is relevant to the Customer and to offer content tailored specifically to the Customer’s needs, the Company may process information about the interaction of the direct marketing e-mails sent (whether the message was read, when and how many times);
- anti-money laundering and anti-terrorist financing activities. In order to comply with the requirements of the Law of on the Prevention of Money Laundering and Terrorist Financing the Republic of Lithuania, the Company is obliged to identify its customers, their representatives and beneficiaries before and in the course of business relations, as well as to obtain and process information on financial income, its sources, and its links to political parties;
- credit and risk assessment. Having obtained a customer’s consent, the Company may process personal data for the purpose of assessing credit risk and determining what services the Company may offer to the customer and under what conditions;
- security of persons and objects. The Company may engage in video surveillance, access control, automatic scanning of car license plates on the basis of the Company’s legitimate interest in order to ensure the security of its employees, its property and objects;
- search for candidates for vacant positions and recruitment. The Company processes identity and contact data of candidates for vacancies, as well as data relating to candidates’ qualifications, professional abilities and business qualities on the grounds of a consent;
- other purposes. The Company may process personal data for other purposes if it has obtained the individual’s consent, and shall be obliged to process personal data in order to comply with legislative requirements or shall have the right to process personal data for its legitimate interest.
In all of the above cases, the Company shall process personal data only to the extent necessary to achieve the respective clearly defined and legitimate purposes, taking into personal data protection requirements.
Scope (categories) of the personal data processed
The following are the main categories of personal data and the data processed by the Company for the purposes and on the legal bases listed above:
- identity or identification data – name, surname, personal identification number, date of birth, etc.;
- contact data – address, telephone number, email address, etc.;
- data relating to the provision of the Services and the conclusion and performance of contracts – contract data;
- payment data – amounts due to the Company, outstanding debts, payment history, etc.
- data relating to customers’ financial income, its sources, links to political parties, etc., processed in the context of AML/CTF procedures;
- data relating to credit and risk assessment – information on liabilities and debts to third parties, where the Company assesses the solvency of customers before providing services to them;
- video surveillance, access control, automatic scanning of car registration plates, data recorded for the purpose of ensuring the security of its property and/or objects;
- Cookie data – information about visitor behaviour on the Company’s website or self-service, etc. (more detailed information about the use of cookies can be found in the “view site information” function of the Company’s website.
- other data which the Company processes in accordance with the legal grounds established by law.
Provision of personal data
The Company may, in observance of legislative requirements, transfer the personal data processed to the following categories of recipients:
- service providers. The Company may transfer the personal data processed to third parties acting on behalf of and/or at the direction of the Company (including, inter alia, legal entities directly or indirectly controlled by the Company) providing customer support, software maintenance, design, contracting, accounting, mailing and other services to the Company in order to ensure proper provision, management, and development of the Company’s services. In such cases, the Company shall take the necessary measures to ensure that the hired service providers (data processors) process the personal data provided only for the purposes for which it was provided, ensuring appropriate technical and organisational security measures, in accordance with the Company’s instructions and the requirements of applicable legislation.
- Governmental, law enforcement and supervisory institutions. The Company may provide the personal data processed to governmental or law enforcement authorities (e.g. police, prosecutor’s office, Financial Crime Investigation Service, etc.), supervisory authorities (e.g. the Bank of Lithuania, etc.), where this is required by applicable law or to ensure legitimate interests of the Company or third parties.
- Persons/ companies engaged in debt collection proceedings and administration of joint databases. In the event of the Customer’s failure to duly and timely fulfil the payments due under the Contract, the Company shall have the right to provide the Customer’s personal data administering joint debtor data files, debt management and collection companies, courts, notaries or bailiffs having notified the customer thereof 30 calendar days in advance by post or e-mail.
- Other third parties. The Company may provide personal data to other recipients in accordance with the lawful grounds defined by law.
As a general rule, the Company stores customer data in the territory of the European Union or the European Economic Area (EU/EEA). In the event where customer data should be transferred outside the EU/EEA, this shall only be done if at least one of the following conditions is met:
- the European Commission has recognised that the country where the data is transferred ensures an adequate level of protection of personal data;
- there is a data processing contract concluded in accordance with standard terms and conditions approved by the European Commission;
- codes of conduct and other safeguards under the Regulation are complied with.
Data storage
The Company shall process data no longer than for the period of time required by the specified data processing purposes or provided for by applicable legislation, if such legislation provides for a longer storage period.
The Company shall apply criteria for determining the data storage period which are in line with the obligations laid down in the legislation, taking also into account the rights of the individual, e.g. by providing for a storage period during which claims relating to the performance of a contract may be made, if any, etc.
More detailed information on the storage periods for the respective categories of data can be obtained by e-mailing to privatumas@capitalica.lt or by mail sent to UAB Capitalica Asset Management, Upės g. 21-1, LT-08128 Vilnius.
Applicable security measures
The Company ensures the confidentiality of personal data in accordance with the requirements of applicable legislation and the implementation of appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, accidental loss, alteration or destruction, or other unlawful processing.
Automated decision-making and profiling
The Company does not process personal data by means of automated individual decision-making as provided for in Article 22 of the Regulation. The Company only engages in profiling (i.e. automated processing of personal data where personal data is used to assess certain personal aspects relating to an individual), but this does not give rise to any legal consequences or similar significant effects for the Individual. The Company engages in profiling in order to manage the sending of unsolicited and irrelevant marketing offers by categorising customers according to the type of services they use, the method of payment, etc.
Rights of persons
Persons may contact the Company in order to:
- get familiar with his personal data processed by the Company;
- request rectification of his incorrect, incomplete or inaccurate personal data;
- ask to destroy personal data or suspend actions of processing of personal data, if they are taken in violation of legal requirements or if personal data are no longer necessary to achieve the purposes for which they were collected or otherwise processed (with the exception of storage, if this is required by legal requirements;
- receive personal data relating to him which the person has provided in a structured, commonly used electronic format;
- object to the processing of his personal data and/or, where personal data is processed on the basis of a consent, to withdraw his consent to the processing of his personal data at any time, without prejudice to the lawfulness of the processing on the basis of the consent prior to the withdrawal of the consent. A consent to direct marketing may be withdrawn:
- by contacting privatumas@capitalica.lt;
- by mail to: UAB Capitalica Asset Management, Upės g. 21-1, LT-08128 Vilnius;
- by using the “Unsubscribe” functionality in the received electronic information message;
- submitting a complaint about the processing of personal data to the Supervisory Authority.
Implementation of persons’ rights
Persons may apply regarding the processing of their personal data by the Company directly by mail to: UAB Capitalica Asset Management, Upės g. 21-1, LT-08128 Vilnius or by arriving to the Company’s registered office.
Contact details of the Company’s Data Protection Officer: privatumas@capitalica.lt
In order to exercise his rights under the Regulation, a person must submit to the Company a completed application in the form approved by the Company in person, by mail, via a representative or by electronic means.
When submitting an application, the person shall confirm his identity:
- if an application is filed directly to the employee, the person shall provide proof of identity;
- if an application is submitted by mail, a copy of the identity document certified by a qualified electronic signature shall be submitted along with the application;
- if the application is submitted through a representative, the representative shall indicate his name, address and contact details for correspondence where the person’s representative wishes to receive a response, as well as the name and personal identification number of the person represented, and shall provide a copy of the representative’s identity document certified by a qualified electronic signature, and a copy of the document proving representation or of the representation document certified in accordance with the procedure established by law;
- if the application is submitted by electronic means, it shall be signed by a qualified electronic signature or made by electronic means which guarantee the integrity and the unalterability of the text.
The Company may refuse to act on a person’s application if the person’s application is manifestly unfounded or disproportionate.
The Company shall respond to the person within one month from the date of receipt of the application at the latest. The response shall include information on the action taken having received the application in accordance with Articles 15 – 22 of the Regulation. This time limit may be extended by an additional two months, if necessary, depending on the complexity of the application and the number of applications being processed. The Company shall inform the person of the extension of the time limit for examining his application within one month from the date of receipt of the application, indicating the reasons for the extension.
Duties of persons
By submitting their personal data to the Company, persons confirm that they are duly acquainted with the terms and conditions of personal data processing set out in this Privacy Policy, they do not object to the Company processing personal data provided by them, the data and information provided by the persons are accurate and correct, and the Company is not liable for the submission and processing of excessive data if the person has negligently submitted data to the Company.
The person undertakes to inform the Company of any changes to the data or other relevant information provided.
Validity of the Privacy Policy and amendments thereto
This Privacy Policy sets out the main provisions for the processing of personal data. Additional information on the Company’s processing of personal data can be found in the Company’s contracts and other internal documents of the Company.
In case of changes in legal requirements and/or in the Company’s processes, services, etc., the Company shall have the right to unilaterally review and update this Privacy Policy. The Company shall inform about any amendments to the Privacy Policy by posting it on the Company’s website.
The Privacy Policy last updated on 16 11 2023.