Stiklių viešbutis UAB
Stiklių viešbutis UAB shall ensure that personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; the data shall not be processed in any manner inconsistent with the said purposes. Stiklių viešbutis UAB shall apply a number of organisational and technical measures to ensure adequate security of personal data, including protection from unauthorised or illegal processing, as well as from accidental loss, destruction, or damage of such data.
1. Key Terms
1.1. Privacy Policy means the following personal data processing rules and information on use of cookies, as available online at http://www.stikliaihotel.lt/.
1.2. Website means the website at http://www.stikliaihotel.lt/, where the guests of Stiklių viešbutis UAB can book a hotel room(s) and grant their consent to process personal data for direct marketing purposes.
1.3. Data Controller means a natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purposes of the Privacy Policy, the Data Controller means Stiklių viešbutis UAB, registration number: 122761710, registered address: Gaono g. 7, LT-01131 Vilnius, contacts: e-mail: reservations@stikliaihotel.lt, phone +370 5 2649595.
1.4. Data Subject means a hotel guest whose personal data are processed by the Data Controller for the purposes of e-commerce and direct marketing.
1.5. Data Processor means a natural or legal person, which assists the Data Controller, based on authorisation granted, to accomplish the objectives set out.
1.6. Personal Data means any information relating to an identifiable guest of the hotel, processed by the Data Controller, including, but not limited to, full name, e-mail address, telephone etc.
1.7. Data Processing means any operation performed on personal data, such as collection, recording, accumulation, storage, alteration (addition or correction), submission, use, destruction or any other operation (set of operations).
1.8. Direct marketing means any operation directed at offering of goods or services to individuals by mail, phone or any other direct channel, offering special discounts and/or enquire their opinion on the goods or services offered.
1.9. Consent means any freely made act by the Data Subject that signifies his/her agreement to the processing of personal data.
1.10. Supervisory Authority means the State Data Protection Inspectorate.
2. General Provisions
2.1. The policy provides for key provisions on collection, accumulation, and processing of personal data.
2.2. Data Subject is deemed to be aware of the Privacy Policy once he/she signifies his/her Consent to the processing of his/her Personal Data.
2.3. The Privacy Policy is available and can be printed out online http://www.stikliaihotel.lt/ any time.
3. Procedure for Collection, Storage, and Use of Personal Data
3.1. A Data Subject shall, when booking a room at the hotel, signify his/her consent to the processing of the following personal data by the Data Controller:
3.1.1. full name,
3.1.2. sex,
3.2. password and security question;
3.3. credit card details;
3.4. amount payable;
3.5. duration of stay at the hotel.
3.6. A hotel guest providing his/her personal data simultaneously confirms these are both precise and complete.
3.7. Personal Data of registered users received for this purpose shall be stored for 3 (three) calendar years after completion of a booking at the hotel.
3.8. Data Subject is informed that, to accomplish the said purpose, the following data processors shall be employed: IT support company and a company in charge of permanent maintenance of PORTEL hotel programme.
3.9. The Data Controller shall provide the following data to the Statistics Lithuania: number of guests, country of origin of guests, purpose of visit, and duration of stay at the hotel.
3.10. Data Subject, who enters his/her e-mail address on the website, accepts that the Data Controller will, for the purpose of direct marketing process the his/her personal data below:
3.10.1. E-mail address,
3.11. Personal Data received for the purposes of Direct Marketing shall be stored for 3 (three) calendar years after submission of such data.
3.12. The Data Controller confirms that the Personal Data shall be collected from the Data Subject directly, and no other sources will be used.
3.13. The Data Controller shall not disclose the Personal Data under processing to the third parties, except:
3.13.1. when Data Subject grants his/her consent for disclosure of personal data,
3.13.2. when executing an order or offering other services – to the Data Processors offering services of delivery of goods or other services so ordered by the client,
3.13.3. law enforcement authorities (when so required by law),
3.13.4. where necessary to prevent or investigate criminal offences.
4. Exercise of Rights by the Data Subject
4.1. Data Subject authorises the Data Controller to collect, control, process and store his/her Personal Data to the extent and for the purpose as is provided by the Privacy Policy.
4.2. Data Subject shall be free to revoke his/her consent for collection, processing, and storage of his/her personal data any time (and in the event the personal data are processed for direct marketing purposes, no additional grounds shall be required) by contacting the Data Processor in writing as follows: 1) by logging to the website account; 2) in the event of direct marketing – by clicking a link contained in each e-mail (newsletter); 3) by mail or personal delivery at: Gaono g. 7, LT-01131 Vilnius, 4) by e-mail address at: reservations@stikliaihotel.lt from the same e-mail address as was provided at the time of registration. The Data Controller shall, upon receipt of such a request by the Data Subject, suspend processing of personal data immediately, and destroy relevant Personal Data. The Data Controller shall be free to refuse deleting personal data from the server if there is a legitimate reason to store these, in particular, in the interests of national security and defence, public order, crime prevention, investigation, discovery or prosecution, in order to secure vital national economic or financial interests, and protection of rights and liberties of other people.
4.3. A Data Subject shall, upon adequate identification, and upon production, to the Data Controller, of a personal identity document (or a notarised copy) to be used for identification only (and shall not be stored), be free to access his/her personal data based on a written application addressed to the Data Controller as follows: by mail or personally at the following address: Gaono g. 7, LT-01131 Vilnius.
4.4. A third party, wishing to access Personal Data of a Data Subject, shall be required to produce a notarised power of attorney; Personal Data shall be disclosed to an attorney upon production of a representation agreement, and upon indication of purpose of data use.
4.5. The Data Controller shall, upon receipt of a request by a Data Subject to access his/her personal data processed, respond within 30 (thirty) calendar days after receipt of relevant enquiry. Such an answer shall indicate whether the Personal Data of a Data Subject are currently processed, and if so, the nature and recipients of such data within 1 (one) calendar year. Such an answer shall be provided free of charge.
4.6. In the event the Data Subject, having accessed his/her Personal Data, finds that his/her Personal Data have been collected or received from illegal sources, or that the data are currently processed for different purposes than listed in the consent, he/she may then contact the Data Controller by e-mail seeking suspension processing of such Personal Data and/or deletion of his/her Personal Data. Where the Data Controller finds a request by Data Subject valid, it shall execute a request by a Data Subject immediately, within 5 business days, and inform of any actions so taken in writing.
4.7. In the event the Data Subject, having accessed his/her Personal Data, finds them not precise or incomplete, he/she may then, upon adequate identification, apply in writing seeking correction and/or supplement of his/her Personal Data. Where the Data Controller finds an application valid, it shall correct or supplement the Personal Data immediately, within 5 business days, and inform of any actions so taken in writing.
4.8. A Data Subject may request the Data Controller to “forget” him/her, i.e. request to have all of his/her Personal Data deleted, unless, however, such data are required for the purposes they were collected and processed, or unless the Data Subject withdraws his/her consent, or unless the data are processed in breach of legal requirements. The Data Controller shall execute such a valid request and shall inform the Data Subject of steps taken immediately, within 5 business days.
4.9. Where a Data Subject believes his/her legitimate interests were breached in course of processing of his/her Personal Data, he/she shall be free to contact the Supervisory Authority.
5. Risk Factors of Breach of Personal Data Protection and Methods to Resolve These
5.1. To ensure protection of Personal Data, the Data Controller shall implement the following organisational and technical personal data protection measures
5.1.1. Organizational measures
5.1.1.1. The Data Controller shall operate according to procedures so as to ensure secure processing and/or transfer of digital data and/or documents and their archives.
5.1.1.2.Access to the Personal Data of the Data Subject shall only be granted to those employees when so required to carry out their official functions, and only subject to confidentiality agreements, provided the employees have been introduced to other rules of procedure concerning data processing.
5.1.2. Technical measures
5.1.2.1. Data processors (service providers) appointed by the Data Controller shall act upon authorisation of the Data Controller only.
5.1.2.2. Personal data shall be protected from loss, unauthorised use and change. Internet connection shall be encoded, while webpage shall function via https:// protocol.
5.1.2.3. Hardware shall be protected from malware (e.g. installation and update of anti-virus software), while internal network shall be protected with a firewall.
6. Use of Cookies
6.1. http://www.stikliaihotel.lt/ website shall include cookies; they shall be used for statistical purposes, to assess the visiting rate of the website and popularity of specific content. Such processing of data does not allow for personal authentification of a website visitor, directly or otherwise.
6.2. A website visitor can either delete cookies from his/her PC, or have them blocked on his/her browser; this may make certain functions of the website unavailable (or disrupt their functioning).
7. Final Provisions
7.1. The above Privacy Policy shall be revised 2 times (twice) per year, and updated wher necessary.
7.2. The Privacy Policy shall enter into effect on 27 February 2018, and shall be published on the Website.
Approved by the order of the director of Stiklių viešbutis UAB dated 27/02/2018 No. 20180227