I. GENERAL PART
UAB Novian Technologies;
UAB Novian Systems;
UAB Elsis PRO;
Novian Eesti OÜ.
General contact address for Novian: Gynėjų St. 14, Vilnius 01109, Lithuania.
For questions concerning the processing of personal data, please contact email@example.com.
We aim to ensure that our clients, website visitors and other persons whose personal data we process are informed in a transparent manner about how we process their data. Therefore, it is important that you, as a visitor to the Website and/or as our client, carefully read this Policy, which contains information about how we collect and use (or wish to collect and use) your personal data.
This Policy has been prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as the “GDPR”), the Republic of Lithuania’s Law on the Legal Protection of Personal Data, as well as other legislative acts of the Republic of Lithuania.
Please note that this Policy may be changed in the future, taking into account changes in the legislation and Novian’s operations; therefore, we encourage you to review it periodically.
Novian shall ensure the confidentiality of personal data, in accordance with the requirements of the applicable laws and the implementation of appropriate technical and organisational measures to protect personal data against its unauthorised access, disclosure, accidental loss, alteration or destruction, or other unlawful processing.
It is your responsibility to ensure that the data you provide is accurate, correct and complete. Knowingly providing incorrect data shall be considered to be a violation of the Policy. If the data provided changes, you must correct it immediately or, if you are unable to do so, inform the Data Controller thereof. Under no circumstances shall we be liable for any damage caused to you and/or third parties as a result of the fact that you have provided incorrect and/or incomplete personal data, or that you have not asked for the data to be updated and/or amended as a result of a change in the data.
II. PRINCIPLES FOR PROCESSING PERSONAL DATA
- Personal data must be processed in a lawful, fair and transparent manner (principle of lawfulness, fairness and transparency);
- Personal data must be collected for clearly identified and legitimate purposes, and not processed in a way that is incompatible with those purposes (purpose limitation principle);
- Personal data must be adequate, relevant and not excessive, in relation to the purposes for which it is processed (principle of data minimization);
- Personal data must be accurate and, where necessary, kept up-to-date; all reasonable steps must be taken to ensure that personal data which is not accurate is erased or rectified without undue delay (principle of accuracy);
- Personal data must be kept and stored in a form which permits the identification of the data subjects for no longer than is necessary for the purposes for which the personal data is processed (principle of limitation of the storage period);
- Personal data must be processed in such a way so as to ensure the appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by means of appropriate technical and organizational measures (integrity and confidentiality principle);
- The Data Controller shall be responsible for ensuring its compliance with the abovementioned principles, and must be able to demonstrate its compliance with them (accountability principle).
III. MAIN PURPOSES OF PROCESSING PERSONAL DATA
- To monitor website traffic and browsing patterns for statistical purposes;
- To respond to enquiries;
- To send you newsletters, make offers, organise client surveys and organise games (direct marketing);
- To provide tailored advertising (using advertising cookies);
- To manage event registrations;
- For finding and recruiting job candidates;
- For the administration of client accounts (accounts that are designed to provide remote support by logging in through the “Client Area” (except for novian.ee and www.novian.no));
- To conclude contracts;
- To process personal data for other purposes.
IV. CATEGORIES OF PERSONAL DATA, LEGAL BASIS FOR PROCESSING, STORAGE PERIOD AND RECIPIENTS
Novian processes various types of personal data provided by the Data Subject (you), or generated automatically via cookies, when administering the Website. You may choose not to provide your personal data and to visit our Website anonymously, but in certain cases, we may not be able to provide you with a service if you do not provide your personal data (e.g. in the case of job recruitment).
If the Data Subject does not agree to provide his/her personal data, Novian’s services may not be provided to him/her. If the Data Subject provides Novian with the data of other persons related to him/her, the Data Subject must obtain the consent of such persons, or process such data on another lawful basis and make them aware of this Policy.
The following are the main categories of personal data, including but not limited to:
- Personal identification data: name, surname, personal identification number, date of birth, personal identity document details;
- Contact details: address, telephone number, e-mail address;
- Details of education and professional activities;
- Internet Protocol (IP) address, the Data Subject’s login data to the self-service portal, website traffic history, etc.
We will process your data:
- To respond to your enquiries. The basis for processing the data shall be our legitimate interest in providing high-quality customer services (Article 6(1)(f) of the GDPR). The following types of data are collected for this purpose: e-mail address, name, surname, telephone number. The data shall be stored for a maximum of three months after responding to your enquiry, unless it needs to be stored for a longer period of time in connection with a potential dispute or claim (i.e. for the protection of our legal interests). The data shall be managed exclusively by the Novian group of companies.
- If you are a client of the Data Controller or represent our client (a legal entity), or if you have expressed your consent, the Data Controller shall send you e-mail newsletters with market and service updates, and shall provide you with information related to the services and events of the Data Controller. The legal basis shall be your consent (Article 6(1)(a) of the GDPR) or the Data Controller’s legitimate interest in providing you, as an existing client, with information about services similar to those you have purchased (Article 6(1)(f) of the GDPR, Law on Electronic Communications).
- You may give your consent to receive newsletters with information related to the market, service news and the Data Controller’s services and events, by entering your e-mail address in the relevant field on the website and clicking on the order link next to it, or by other means. You shall have the right to object without suffering any negative consequences and, once you have consented, you may withdraw your consent at any time by using the unsubscribe link in each newsletter, without affecting the lawfulness of the processing based on your consent prior to withdrawing your consent. In a case where the processing is carried out on the basis of our legitimate interest, you may object to such processing by notifying us at firstname.lastname@example.org. The following types of data are collected for this purpose: name, surname, telephone number, e-mail address. We shall store your data until you withdraw your consent, but for no longer than 2 (two) years from the date of the consent. For this purpose, we shall transfer the data to a data processor, a company providing IT technical support services, which shall process the personal data on a limited basis exclusively on the instructions of the Data Controller, as well as to a newsletter service platform based in the EU, which shall process the data on our behalf.
- We organize meetings and events for our clients, and to do so, we process the following personal data of our clients (or, in the case of legal entities, their representatives): names, surnames, e-mail addresses, telephone numbers, workplaces and position titles. The legal basis for the processing of such personal data shall be our legitimate interest in inviting our clients and their representatives to attend the meetings and events we organize, to ensure the smooth organisation of the event, to send a reminder prior to the event and, if necessary, to make contact after the event has taken place (Article 6(1)(f) of the GDPR). When organizing and administering events, we shall process the following data: name, surname, the company you represent or work for, your position title, contact e-mail address, telephone number. In a case where the processing is carried out on the basis of our legitimate interest, you may object to such processing by notifying us at email@example.com.
- In the case of remote events, we may prepare packages for participants, and therefore offer the option to choose the most convenient post office for the delivery of the event package, which shall be processed on the basis of your consent (Article 6(1)(a) of the GDPR), which is provided by you at the time of your registration for the event. The data shall be kept until the date of the dispatch of the event package, and for a further month to ensure the proper delivery of the event package. You may withdraw your consent by notifying us at firstname.lastname@example.org.
- We shall also invite persons who are not our clients (their representatives) to attend our events and meetings, and for this purpose the data shall be processed on the basis of their consent to participate in the event (which shall be given at the time of registration) (Article 6(1)(a) of the GDPR), as well as in the context of our legitimate interest to ensure the smooth running of the event, to send a reminder prior to the event, and to make follow-up contact after the event, if necessary (Article 6(1)(f) of the GDPR). You may withdraw your consent, or object to the processing of your personal data on the basis of legitimate interest, by notifying us at email@example.com. We shall keep the data (except for the data of our existing clients) for seven business days after the end of the event.
- We shall pass on the data of persons registered for events to our partners who help organise the event, as needed: venue administrator, couriers, suppliers of event sets, etc. This data shall only be used for the purpose of organising the event on the basis of our legitimate interest (Article 6(1)(f) of the GDPR). We shall keep the data (except for the data of our existing clients) for seven business days after the end of the event. In a case where the processing is carried out on the basis of our legitimate interest, you may object to such processing by notifying us at firstname.lastname@example.org.
- Audio/video recording (filming) and photography may take place during our events. Such data shall be processed on the basis of your consent (Article 6(1)(a) of the GDPR), which you provide when registering for the event. The data shall be used for the purpose of presenting the company’s activities, as well as advertising and recording the company’s history. We shall retain your data until you withdraw your consent, but for no longer than 5 (five) years from the date of the consent. This data may be used to promote the company’s activities on the Data Controller’s social networking accounts, as well as on Novian’s and INVL Technology’s social media accounts and websites (Novian.lt, InvlTechnology.lt), and to provide information to our event partners. You may withdraw your consent at any time, by notifying us at email@example.com. The withdrawal of your consent shall not affect the lawfulness of the processing based on your consent prior to the withdrawal of consent.
- To find and recruit candidates. You may submit your CV on our website or on our social media accounts. You may also send us your CV, using our e-mail address specified below. The basis for processing the data shall be a pre-contractual relationship with the data subject (Article 6(1)(b) of the GDPR), our legitimate interest in selecting the most suitable candidates for a job interview (Article 6(1)(f) of the GDPR), and your consent (Article 6(1)(a) of the GDPR). We shall store the personal data provided on the basis of legitimate interest until the recruitment process ends, and for a further three months after the end of the probationary period of the recruited person, or for a period of one (1) year if your consent to process your data for future job offers in the Novian Group is obtained. At the end of this period, we shall delete all the CVs we received and the personal data contained therein. Your consent may be withheld or withdrawn at any time, without any adverse consequences. When sending your CV, please limit your submission to your contact details, educational and professional background and a description of your experience. We may also receive your data from companies that provide recruitment services or recruitment platforms. We shall have the right to contact your former employer(s) and, if you agree, your current employer. Your data shall only be processed within the Novian Group, with the exception of data that we receive from recruitment service providers or recruitment platforms.
- Processing of personal data for the purposes related to the provision of services, in accordance with the concluded contracts (performance of contracts). For this purpose, we shall process information provided to us by and on behalf of our clients, as well as information that we collect independently in the course of the performance of the contracts. For the purpose of the performance of contracts and/or the performance of our duties, we shall process the personal data not only of natural person clients, but also of the employees of legal entity clients or of the employees of their affiliates, and accordingly, the legal grounds for the processing of such personal data are as follows:
- The legal basis for the processing of the personal data of clients who are natural persons shall be the performance of a contract to which the data subject is a party, or to take action at the request of the data subject prior to the conclusion of a contract (pre-contractual relationship) (Article 6(1)(b) of the GDPR).
- In the case of the processing of personal data of the client’s employees and other persons, the legal basis for the processing of the data shall be the legitimate interest to make a commercial offer, as well as to conclude and duly perform a contract (Article 6(1)(f) of the GDPR).
- Processing of personal data for other purposes
In the course of our business activities, we may also process personal data for other purposes, as set out below:
- When we process accounting records, we do so for the purposes of settlements and other payments, tax clearance and payments, and compliance with the accounting rules. The legal basis for such processing of personal data shall be a legal obligation (Article 6(1)(c) of the GDPR), and may also be a contract concluded with the data subject (Article 6(1)(b) of the GDPR). The data processed, in such a case, shall include the name, surname, personal identification number, date of birth, residential address (actual or declared), bank account number, payables and receivables. Recipients of the data may include the state tax inspectorate, Sodra, banks and other public authorities with the right to carry out inspections.
- In our legitimate interest, to ensure the protection of our confidential information and the continuity of our business (Article 6(1)(f) of the GDPR), we may review our employees’ correspondence with contractors. For these purposes, the Data Controller shall process the following personal data of its employees, and of the persons who send or receive e-mail from its employees: e-mail address, name of the sender or recipient, date and content of the information contained in the electronic work tools. The data recipients may be data processors, i.e. companies providing information technology services (to ensure that information systems are maintained, improved and updated).
V. RIGHTS OF THE DATA SUBJECT
Your rights as a data subject:
- To know what data is being processed about you;
- To require the correction of inaccurate data;
- To require the data to be transferred to another controller;
- To object to the processing of your data;
- To object to the processing or withdraw your consent at any time;
- To require the destruction of your data;
- To require the restriction of the processing of your data;
- To lodge a complaint with the State Data Protection Inspectorate (address – L. Sapiegos St. 17, 10312 Vilnius, website address – https://vdai.lrv.lt/), if the Data Subject considers that his/her personal data is being processed in violation of his/her rights and legitimate interests, in accordance with the applicable legal acts.
The Data Subject shall have the right guaranteed to him/her by the data protection legislation to apply to the Data Controller, so that the Data Controller, having established the personal identity of the Data Subject:
- Provides information on whether it is processing the Data Subject’s personal data and, if it is doing so, to inform the Data Subject about the processing of his/her personal data, what his/her personal data is, from what sources it was obtained, for what purpose and how it is being processed (including automated decision-making, its implications for the Data Subject and its consequences for him/her), for how long the data will be stored and to whom the data is provided (right of access to personal data);
- Corrects or revises the incorrect, incomplete or inaccurate personal data of the Data Subject (the right to have personal data rectified);
- Deletes the Data Subject’s personal data, under certain circumstances listed in the GDPR (where personal data has been unlawfully processed, the basis for processing has ceased to exist, etc.) (the right to request the deletion of personal data – or the “right to be forgotten”);
- Restricts the processing of the personal data of the Data Subject, except for its storage (the right to restrict the processing of personal data), in certain circumstances listed in the GDPR (where personal data is unlawfully processed, during the period of time in which the Data Subject’s request concerning the accuracy of the data or the processing of the data is under examination, etc.);
- Provides in writing, or in a commonly used electronic form, the personal data provided by the Data Subject to the Personal Data Controller, which shall be processed by automated means, on the basis of the Data Subject’s consent or for the performance of a contract and, where possible, transfers the personal data to another service provider (the right of portability of personal data).
- In cases where Novian processes the Data Subject’s personal data on the basis of his/her consent, the Data Subject shall have the right to withdraw his/her consent at any time, and the processing based on such consent shall be immediately discontinued. Please note that, in the event of a withdrawal of consent, Novian may not be able to offer certain services or products to the Data Subject, but shall continue to use the Data Subject’s personal data, e.g. in the context of the performance of a contract entered into with the Data Subject, or where required by law. Withdrawal of consent shall not affect the lawfulness of the processing carried out before the withdrawal of consent.
The Data Subject shall have the right to object at any time:
- To the processing of his/her personal data, and undertake to submit his/her legally justified objection to the Personal Data Controller in writing or by any other means by which the Data Subject can be identified, provided that the processing of the personal data is based on the legitimate interests of the Personal Data Controller;
- To the processing of his/her personal data for direct marketing purposes (including profiling for such purposes), and shall have the right not to provide reasons for such an objection;
- To being subject to a fully automated decision, including profiling, where such decision-making has legal consequences or a similarly significant effect on the Data Subject. This right shall not apply where such decision-making is necessary for the purposes of entering into, or the performance of, a contract with the Data Subject, is permitted under the applicable law, or is one to which the Data Subject has given his/her explicit consent.
Please contact Novian in the first instance (e-mail: firstname.lastname@example.org) with any queries you may have, so that we may resolve them as soon as possible.
VI. PROCEDURE FOR HANDLING REQUESTS TO EXERCISE THE DATA SUBJECT’S RIGHTS
The Data Subject may submit a request for the exercising of the rights set out above to any of the Data Controllers in writing, by post, by e-mail or by visiting the registered office of the Data Controller concerned.
In order to ensure that the personal data processed by Novian is not disclosed to any person who is not entitled to receive it, upon the receipt of a Data Subject’s request for the provision of data or for the exercising of other rights, the Data Subject’s personal identity shall first be established. If the personal identity verification procedure is successful, Novian shall undertake to provide the information requested by the Data Subject without undue delay and, in any event, within one month of the receipt of the Data Subject’s request.
Taking into account the complexity of the request, or if the Data Subject has made several requests, Novian shall have the right to extend the one-month period by a further two months, by informing the Data Subject thereof before the end of the first month and stating the reason for such an extension.
The Data Subject shall not have to pay any fee to obtain information about the personal data processed about him/her (or to exercise any other rights). However, Novian may charge a reasonable fee if the Data Subject’s request is manifestly unfounded, repeated or disproportionate.
VII. TRANSFERRING DATA TO THIRD PARTIES
The Data Subject’s personal data may be disclosed/processed by the Data Controller to the following third parties for reasons including, but not limited to, assisting the Data Controller in the operation and administration of the Website and related services:
- Companies providing website administration and related services based in Lithuania;
- An electronic communications partner based in Lithuania, which helps manage the delivery of online advertising;
- Companies engaged by Novian to provide services for the evaluation of the quality of services provided by Novian (including the collection of opinions on the services, and the quality of the services), market research, games and promotions to the Data Subjects.
VIII. GEOGRAPHICAL AREA OF THE PROCESSING
Novian shall generally only process the personal data of the data subject within the territory of the European Union/European Economic Area (EU/EEA), but in some cases the personal data may be transferred outside the EU/EEA, e.g. information collected by cookies shall be transferred to Google, and we cannot exclude the possibility that this data shall be transferred to a parent company in the USA.
In the case of transfers outside the EU/EEA, we shall apply measures to ensure adequate protection (transfers to a country recognised by the European Commission as having an adequate level of data protection, in accordance with the Standard Contractual Clauses as approved by the EC) and, where necessary, such transfers shall be carried out on the basis of other lawful grounds:
- Upon the receipt of explicit consent;
- Where the transfer is necessary for the performance of a contract concluded between the client and the Data Controller, or for the implementation of pre-contractual measures taken at the request of the client as a Data Subject;
- Where the transfer is necessary for the establishment, exercising or defence of legal claims;
- Through other appropriate or adapted safeguards and means that allow the lawful transfer of personal data to third countries.
IX. AUTOMATED DECISION-MAKING
In order to ensure the most appropriate delivery of services to the Data Subject, and to provide the Data Subject with marketing offers tailored to the Data Subject’s needs, and in order to improve the quality of the services provided by Novian, Novian may automatically analyse the Data Subject’s personal data, including information on the use of the services, and on the behaviour in the Novian corporate websites and self-service portals.
It is hereby noted that Novian’s analysis of the Data Subjects’ data shall not have any legal or similarly significant effect on the Data Subjects.
The Data Subject may, at any time, object to the automated processing of his/her personal data and set his/her browser to refuse all or some browser cookies.
XI. CONTACT INFORMATION
- UAB Novian (Code 121998756, Registered office address Gynėjų St. 14, Vilnius, Tel. No. (8 5) 219 0000, E-mail email@example.com, Website address www.novian.lt);
- UAB Novian Technologies (Code 301318539, Address Gynėjų St. 14, Vilnius, Tel. No. (8 5) 219 0000, E-mail firstname.lastname@example.org, Website address www.novian.lt, E-mail of the Data Protection Officer email@example.com);
- UAB Novian Systems (Code 125774645, Address Gynėjų St. 14, Vilnius, Tel. No. (8 5) 273 41 81, E-mail firstname.lastname@example.org, Website address www.novian.lt, E-mail of the Data Protection Officer email@example.com);
- UAB Elsis PRO (Code 300064148, Address Gynėjų St. 14, Vilnius, Tel. No. (8 37) 474 011, E-mail firstname.lastname@example.org, Website address www.elsispro.com);
- Novian Eesti OÜ (Address Pärnu Mnt. 186, Tallinn, Estonia, Tel. No. +372 6715 188, E-mail email@example.com, Website address www.novian.ee);
- Andmevara AS (Address Pärnu Mnt. 186, Tallinn, Estonia, Tel. No. +372 6715 188, E-mail firstname.lastname@example.org, Website address www.novian.ee);
- Zissor (Address Bragernes Torg 6, 3017 Drammen, Norway, Tel. No. +47 22 83 85 00, E-mail email@example.com, Website address www.zissor.com).
Last updated: 27/04/2023.