Privacy policy

The purpose of the Privacy Policy is to inform how the personal data of data subjects are collected and processed, how long they are stored, to whom they are provided, what rights data subjects have and where to apply to realize them, or any other issues related to the processing of personal data.

Personal data is processed following the General Data Protection Regulation (EU) 2016/679 (hereinafter referred to as the “Regulation”), the Law on Legal Protection of Personal Data of the Republic of Lithuania, and other legal acts regulating the protection of personal data.

UAB „Deimantų fabrikas“ observe the following basic principles of data processing:

• personal data is collected only for clearly defined and legitimate purposes;
• personal data shall be processed only lawfully and fairly;
• personal data is kept up to date;
• personal data shall be stored securely and for no longer than required by the stated purposes of processing or by law;
• personal data shall be processed only by those employees of the Company who are authorized to do so under their job functions or by properly authorized processors.

1. CONCEPTS

1.1. The Data Controller is UAB “Deimantų fabrikas” (hereinafter referred to as the “Company”), legal entity code 304175384, registration address Fabijoniškių st. 5C-1031, Vilnius.

1.2. Data Subject – any natural person whose data is processed by the Company. The Data Controller collects only those data of the Data Subject necessary for the performance of the Company’s activities and/or for visiting, using, and browsing the Company’s websites, Facebook account, etc. (hereinafter referred to as the “Website”). The Company ensures that the personal data collected and processed will be secure and only used for a specific purpose.

1.3. Personal data means any information relating directly or indirectly to a data subject whose identity is known or can be identified, directly or indirectly, by reference to the data concerned. Processing of personal data means any operation performed on personal data (including collection, recording, storage, adaptation, alteration, access, retrieval, transmission, archiving, etc.).

1.4. Consent means any freely given and informed indication by which the data subject agrees to process their personal data for a specified purpose.

2. SOURCES OF PERSONAL DATA

2.1 The data subject provides personal data. The data subject contacts the Company, buys goods sold by the Company, visits the Company’s stores, leaves comments, asks questions, subscribes to newsletters, contacts the Company for information, etc.

2.2. Personal data is obtained when the data subject visits the Company’s website. The data subject fills in the forms on the website or, for whatever reason, leaves their contact details, etc.

2.3. Personal data is obtained from other sources. Data obtained from other bodies or companies, publicly accessible registers, etc.

3. PROCESSING OF PERSONAL DATA

3.1. By providing personal data to the Company, the data subject consents to the Company’s use of the collected data to fulfill its obligations to the data subject by providing the services expected by the data subject.

3.2. The Company processes personal data for the following purposes:

3.2.1. to ensure the maintenance and continuity of the Company’s business. For this purpose, the following data are processed:

• For the purpose of concluding and executing contracts, personal data of suppliers (natural persons) may be processed: name(s), surname(s), personal identification number or date of birth, place of residence (address), telephone number, e-mail address, place of work, position, signature, data contained in the business license (type of activity, group, code, name, periods of activity, date of issue, amount), number of the certificate of individual activity, data on whether the data subject is a VAT payer, bank account and bank, amount of the service/good, currency, and other data provided by the person themself, which the Company obtains under the legislation in the course of the Company’s activities and/or which the Company is obliged to process by law and/or other legislation.
• To conclude and execute contracts, the following data shall be processed for the representatives of the suppliers: name(s), surname(s), telephone number, e-mail address, company name, address, position, details of the mandate (number, date of birth, date of birth of the authorized person, signature).
• Contracts, VAT invoices, and other related documents shall be stored under the time limits specified in the Index of General Document Storage approved by the Order of the Chief Archivist of Lithuania.
• The legal basis for processing is the necessity to perform a contract to which the client, as a data subject, is a party or to take action at the client’s request before entering into a contract with them (Article 6(1)(b) GDPR), where the processing of personal data is required by law (Article 6(1)(c) GDPR).

3.2.2. Jewellery retailing, jewellery repair, administration of the Company’s debtors. For this purpose, the following data is processed:

• In the course of jewellery retailing and jewellery repair services, personal data of customers (natural persons) may be processed: name(s), surname(s), date of birth, telephone number, e-mail address, residential address, bank account details, bank, other data related to the sale of goods and services.
• In the course of the administration of the Company’s debtors, personal data of customers (debtors, natural persons) may be processed: name(s), surname(s), date of birth, residential address, e-mail address, amount of debt, information on the sale of goods, other data related to the debt.
• Contracts, VAT invoices, and other related documents shall be stored in accordance with the time limits specified in the Index of General Document Retention approved by the Order of the Chief Archivist of Lithuania.
• Data relating to the administration of the Company’s debtors shall be kept no longer than is necessary for the purposes for which the personal data are processed.
• The legal basis for processing is the need to perform a contract to which the customer is a party as a data subject or to take action at the customer’s request before entering into a contract with the customer (Article 6(1)(b) of the GDPR), where the processing of certain personal data is required by law (Article 6(1)(c) of the GDPR), and the need to pursue the legitimate interests of the Company to improve the Company’s performance and indicators of business success (Article 6(1)(f) of the GDPR).

3.2.3. Administration of enquiries, comments, and complaints. For this purpose, the following data is processed:

• Name(s), surname(s) and/or username, email address, telephone number, address, subject of the query, comment or complaint, text of the query, comment or complaint.
• The data of enquiries, comments, and complaints shall be stored for one calendar year from the submission date.
• The legal basis for processing is that the processing is necessary for the legitimate interests of the controller or of a third party, except where such interests or fundamental rights and liberties of the data subject override those interests or fundamental rights and liberties that make it necessary to ensure the protection of the personal data, in particular where the data subject is a child (Art. 6 (1) (f) of the GDPR) and where the consent of the data subject is required (Art. 6 (1) (a) of the GDPR).

3.2.4. Sale of gift vouchers. For this purpose, the following data is processed:

• Name(s), surname(s), value of the gift voucher, name(s) of the purchaser of the gift voucher, date of sale, number of the gift voucher, email address, telephone number, expiry date of the gift voucher, billing details, name of the recipient of the voucher, name(s) of the employee who made the sale.
• Personal data is stored until the gift voucher’s redemption date.
• The legal basis for the processing is the need to perform a contract to which the customer is a party as a data subject or to take action at the customer’s request prior to the conclusion of a contract with them (Article 6(1)(b) of GDPR).

3.2.5. Games, competitions. For this purpose, the following data is processed:

• Name(s), surname(s) and/or username(s), email address, residential address, personal identification number (if the value of the prize awarded exceeds 200 EUR).
• The personal data of the winning participants is stored for six months after the end of the game or competition.
• The legal basis for the processing of the data is the data subject’s consent (Article 6(1)(b) GDPR).

3.2.6. E-commerce. For this purpose, the following data are processed:

• Name(s), surname(s), purchase history, delivery address, residential address, telephone number, email address, and payment details for the goods/service.
• Personal data is stored only to the extent and for the time necessary to achieve the stated purposes. When the customer’s personal data no longer needs to be processed, a decision shall be taken to destroy it, except for those that must be archived following statutory requirements or the Company’s internal local regulations.
• The legal basis for the processing is the need to perform a contract to which the customer is a party as a data subject or to take action at the customer’s request prior to the conclusion of a contract with him/her (Article 6(1)(b) of GDPR).

3.2.7. Direct marketing. For this purpose, the following data is processed:

• Name(s), surname(s), date of birth, email address, telephone number.
• The data is stored for five years after the date of consent. This period may be extended if the personal data are used or may be used as evidence or a source of information in a pre-trial or other investigation, including an investigation conducted by the DPAI in a civil, administrative, or criminal proceeding or any other case provided by law. In such a case, personal data may be kept for as long as necessary for these processing purposes and destroyed as soon as they are no longer necessary.
• The legal basis for the processing is the data subject’s consent (Article 6(1)(a) of the GDPR) and the need to pursue the legitimate interests of the Company in improving its operations and business success rates (Article 6(1)(f) of the GDPR).

3.2.8. To ensure the security of the Company’s employees, other data subjects, and property (video surveillance). For this purpose, the following data is processed:

• Image. Video surveillance systems do not use facial recognition and/or analysis technologies, nor do they cluster or profile the captured video data according to a specific data subject (person). The data subject shall be informed about the video surveillance by means of information signs with the video camera’s symbol and the Company’s details, which shall be displayed before entering the monitored area and/or premises. The field of surveillance of CCTV cameras shall exclude premises where the data subject expects absolute protection of personal data.
• Personal data (image data) obtained by CCTV cameras shall be stored for up to 14 (fourteen) calendar days from the moment of their capture, after which they shall be automatically destroyed unless there are grounds to believe that an offence, criminal offence or other unlawful act has been committed (until the end of the relevant investigation and/or proceedings).
• The lawful basis for processing is that the processing is necessary for the purposes of the legitimate interests of the controller or of a third party unless such interests of the data subject or the fundamental rights and freedoms of the data subject, which require the protection of personal data, override those interests, in particular where the data subject is a child (Article 6(1)(f) of GDPR).

3.2.9. Other purposes for which the Company has the right to process the data subject’s personal data, where the data subject has expressed their consent, where the processing is necessary for the Company’s legitimate interest, or where the Company is obliged to process the data by the relevant legal acts.

4. USE OF SOCIAL NETWORKS

4.1. All information you provide via social media (including messages, use of the “Like” and “Follow” fields, and other communications) is controlled by the operator of the relevant social network.

4.2. Our Company currently has an account on the social networking site Facebook, whose privacy policy is available at https://www.facebook.com/privacy/explanation;

4.3. Our Company currently has an account on the social network Instagram, the privacy policy of which is available at https://help.instagram.com/519522125107875;

4.4. Our Company currently has an account on the social network LinkedIn, whose privacy policy is available at https://www.linkedin.com/legal/privacy-policy;

4.5. Our Company currently has an account on the social network “TikTok”, whose privacy policy is available at https://www.tiktok.com/legal/page/row/privacy-policy/en;

4.6. We recommend that you read the privacy notices of third parties and contact the service providers directly if you have any questions about their use of your personal data.

5. SENDING NEWSLETTERS


5.1. The Company uses a third-party service, Omnisend, to send newsletters. The third-party Omnisend uses only the email address of the recipient of the newsletter for the successful sending of newsletters. “Omnisend’s” privacy policy can be found at:

• „Omnisend“ privacy Policy: https://www.omnisend.com/privacy/.

5.2. You can unsubscribe from the newsletters sent to you by clicking on the “Unsubscribe” button at the bottom of each email you receive, by replying to the email you receive, or by contacting the Company directly by email to express your wish to no longer receive the Company’s newsletters.

6. E-COMMERCE

6.1. The Deimantų fabrikas UAB e-shop is built using the WooCommerce platform. The data collected for e-commerce is stored on WooCommerce servers. The privacy policy of the e-commerce platform is available at:

• „WooCommerce“ privacy policy: https://docs.woocommerce.com/documentation/get-help/woocommerce-com/privacy.

6.2. The Company uses the platforms of Kevin, PayPal, SEB bankas, SB lizingas, and Esto to accept payments. The privacy policy of the payment acceptance platform is available at:

• „Kevin“ privacy policy: https://www.kevin.eu/en-lt/docs/privacy-policy/;
• „PayPal“ privacy policy: https://www.paypal.com/us/legalhub/privacy-full;
• „SEB bankas“ privacy policy:
  https://www.seb.lt/sites/default/files/tac/Privatumo_politika_LT.pd;
• „SB lizingas“ privacy policy: https://www.sblizingas.lt/duomenu-apsaugos-politika/;
• „Esto“ privacy policy: https://esto-lt-public.s3.eu-central-1.amazonaws.com/docs/lt-lt/ESTO%20Privatumo%20politika.pdf.

6.3. Our website is protected by a security protocol based on a data encryption system certificate (SSL). The web address of such a shop contains the letter “s”: “https://”.

7. PROVISION OF PERSONAL DATA

7.1. The Company undertakes to respect the duty of confidentiality towards data subjects. Personal data may be disclosed to third parties only if necessary for the conclusion and performance of a contract for the benefit of the data subject or other legitimate reasons.

7.2. The Company may provide personal data to its data processors who provide services to the Company and process personal data on behalf of the Company. The processors shall have the right to process the personal data only on the instructions of the Company and only to the extent necessary for the proper performance of their obligations under the contract. The Company shall only use processors that provide sufficient guarantees that appropriate technical and organisational measures will be implemented in such a way that the processing complies with the requirements of the Regulation and that the data subject’s rights are protected.

7.3. The Company may also provide personal data in response to requests from courts or public authorities to the extent necessary for the proper exercise of the applicable law and for compliance with instructions from public authorities.

7.4. The Company guarantees that personal data will not be sold or rented to third parties.

8. PROCESSING OF PERSONAL DATA OF MINORS

8.1. Persons under the age of 14 may not submit any personal data through the Company’s website. If a person is under the age of 14 to benefit from the Company’s services, the written consent of a representative (parent, mother, guardian) for processing the personal data is required before submitting personal information.

9. STORAGE PERIOD FOR PERSONAL DATA

9.1. Personal data collected by the Company shall be stored in printed documents and/or in the Company’s information systems. The processing of personal data shall not be longer than is necessary to achieve the purposes of the processing or longer than is required by the data subjects and/or provided for by law.

9.2. Although the data subject may terminate the contract and refuse the Company’s services, the Company shall remain obliged to retain the data subject’s data for any future claims or legal claims that may arise until the retention periods expire.

10. DATA SUBJECT RIGHTS

10.1. The right to receive information about processing.

10.2. Right of access to the data processed.

10.3. Right of access to the data processed.

10.4. The right to have the data erased (‘Right to be forgotten’). This right does not apply if the personal data for which erasure is requested is also processed on another legal basis, such as processing necessary for the performance of a contract or the performance of an obligation under applicable law.

10.5. Right to restrict processing.

10.6. Right to object to processing.

10.7. Right to data portability. The right to data portability shall not adversely affect the rights and freedoms of others. The data subject shall not have the right to data portability regarding personal data processed in non-automatically structured files, such as paper files.

10.8. The right to request that a decision based solely on automated processing, including profiling, not be applied.

10.9. The right to lodge a complaint about the processing of personal data with the State Data Protection Inspectorate.

11. The Company shall enable the Data Subject to exercise the rights as mentioned above of the Data Subject, except in cases provided by law, where it is necessary to ensure national security or defence, public order, prevention, investigation, detection, or prosecution of criminal offences, important economic or financial interests of the State, prevention, investigation, and detection of breaches of official or professional ethics, or protection of the rights and freedoms of the Data Subject or any other person.

12. PROCEDURE FOR EXERCISING THE RIGHTS OF THE DATA SUBJECT

12.1. The data subject may contact the Company to exercise his/her rights:

12.1.1. by submitting a written request in person, by post, through a representative, or by electronic means – by e-mail: [email protected];

12.1.2. orally by telephone: +370 601 71855;

12.1.3. in writing to the following address: Fabijoniškių g. 5C-1031, Vilnius.

12.2. To protect the data from unauthorised disclosure, the Company shall verify the data subject’s identity upon receipt of a data subject’s request to provide the data or to exercise other rights.

12.3. The Company’s response to the data subject shall be provided no later than one month from the date of receipt of the data subject’s request, taking into account the specific circumstances of processing personal data. Depending on the complexity and number of requests, this period may be extended by a further two months if necessary.

13. RESPONSIBILITIES OF THE DATA SUBJECT

13.1. The data subject shall:

13.1.1. inform the Company of changes to the information and data provided. It is important for the Company to have correct and valid data subject information;

13.1.2. Provide the necessary information to enable the Company to identify the data subject at the data subject’s request and to verify that it is communicating or cooperating with the data subject (either by means of a document proving the identity of the data subject or by means of a procedure established by law or by means of electronic communication which allow the data subject to be properly identified). This is necessary to protect the data subject’s data and the data of others so that the information disclosed about the subject is provided only to the subject without prejudice to the rights of other persons.

14. FINAL PROVISIONS

14.1. By submitting personal data to the Company, the data subject agrees to this Privacy Policy, understands its provisions, and agrees to abide by it.

14.2. During the development and improvement of the Company’s activities, the Company shall have the right to change this Privacy Policy at any time unilaterally. The Company has the right to unilaterally, partially, or completely change the Privacy Policy by notifying you on the website https://factorybyribas.lt/ and https://factorybyribas.com.

14.3. Amendments or changes to the Privacy Policy shall come into force from the date of their publication, i.e., from the date on which they are posted on the website https://factorybyribas.lt/ and https://factorybyribas.com.