Privacy policy

PRIVACY POLICY

The purpose of this Privacy Policy is to inform how personal data of data subjects are collected and processed, to explain how long they are stored, to whom they are provided, what rights data subjects have, and where to turn regarding the exercise of these rights or any other questions related to the processing of personal data.

Personal data are processed in accordance with the European Union General Data Protection Regulation (EU) 2016/679 (hereinafter – the Regulation), the Law on the Legal Protection of Personal Data of the Republic of Lithuania, and other legal acts regulating the protection of personal data.

The Stasys Eidrigevičius Arts Centre adheres to the following key principles of data processing:

• Personal data are collected only for clearly defined and legitimate purposes;

• Personal data are processed lawfully and fairly;

• Personal data are regularly updated;

• Personal data are stored securely and no longer than required by the defined purposes of processing or applicable legal acts;

• Personal data are processed only by those employees of the Stasys Eidrigevičius Arts Centre who are granted such a right according to their job functions, or by duly authorized data processors.

1. DEFINITIONS

1.1. Data Controller – Stasys Eidrigevičius Arts Centre (hereinafter – the Centre), legal entity code 304929400, registered address: Respublikos g. 40, Panevėžys, Lithuania.

1.2. Data Subject – any natural person whose data are processed by the Centre. The Data Controller collects only the data necessary for carrying out the Centre’s activities and/or when visiting, using, browsing the Centre’s websites, Facebook, and other social media accounts (hereinafter – the Website). The Centre ensures that collected and processed personal data will be secure and used only for specific purposes.

1.3. Personal Data – any information directly or indirectly related to a data subject whose identity is known or can be determined using the relevant data. Personal data processing means any operation performed on personal data (including collection, recording, storage, editing, modification, granting access, requests, transfer, archiving, etc.).

1.4. Consent – any freely given and conscious confirmation by which the data subject agrees to the processing of their personal data for a specific purpose.

2. SOURCES OF PERSONAL DATA

2.1. Personal data are provided by the data subject themselves when contacting the Centre, using services, attending exhibitions, educational programs, guided tours, events, purchasing tickets, renting premises, buying souvenirs, purchasing gift cards, leaving comments, asking questions, subscribing to newsletters, requesting information, etc.

2.2. Personal data are obtained when the data subject visits the Centre’s website, fills in forms, or otherwise provides their contact details.

2.3. Personal data may also be obtained from other sources – from institutions, companies, publicly available registers, etc.

3. PROCESSING OF PERSONAL DATA

3.1.By submitting personal data to the Centre, the data subject agrees that the Centre may use the collected data in order to fulfill its obligations to the data subject and to provide the services expected by the data subject.

3.2. The Centre processes personal data for the following purposes:

3.2.1. Provision of the Centre’s services

Exhibitions, educational activities, guided tours and events, ensuring attendance of such by visitors, provision of premises rental services, and management of the Centre’s debtors. For these purposes, the following data may be processed:

• For the provision of exhibition, educational, guided tour, and event services: clients’ (natural persons) personal data such as name(s), surname(s), personal identification number, date of birth, email address, residential address, bank account details, bank name, power of attorney details, employer and position, and other data related to the provision of services.

• For the provision of rental services of the Centre’s premises: clients’ personal data such as name(s), surname(s), personal identification number, date of birth, email address, residential address, bank account details, bank name, power of attorney details, employer and position, and other data related to the provision of services.

• For debtor management and transfer of debts for collection: clients’ (debtors, natural persons) personal data such as name(s), surname(s), personal identification number or date of birth, residential address, telephone number, email address, amount of debt, information about goods and/or services provided, and other data related to the debt.

▪ Contracts, VAT invoices, and other related documents are stored in accordance with the terms specified in the General Document Storage Index approved by the Chief Archivist of Lithuania.
▪ Data related to debtor management are stored no longer than necessary for the purposes for which the personal data are processed.
▪ The legal basis for processing: necessity to perform a contract to which the client as data subject is a party, or to take steps at the request of the client prior to entering into a contract (GDPR Article 6(1)(b)); legal obligation to process certain personal data (GDPR Article 6(1)(c)); and the necessity to pursue the legitimate interests of the Centre to improve its activities and business performance indicators (GDPR Article 6(1)(f)).

3.2.2. Ensuring and continuity of the Centre’s activities

For this purpose, the following data may be processed:

• For the conclusion and execution of contracts with suppliers (natural persons): name(s), surname(s), personal identification number or date of birth, place of residence (address), telephone number, email address, employer, position, signature, data contained in business certificates (type of activity, group, code, name, periods of activity, date of issue, amount), individual activity certificate number, information on VAT payer status, bank account and bank name, amount of service/goods, currency, and other data provided by the person, obtained under legal acts during the Centre’s activities and/or which the Centre is obliged to process under law.

• For the conclusion and execution of contracts with suppliers’ representatives: name(s), surname(s), telephone number, email address, company name, address, position, power of attorney details (number, date, authorized person’s date of birth, signature).

▪ Contracts, VAT invoices, and other related documents are stored in accordance with the terms specified in the General Document Storage Index approved by the Chief Archivist of Lithuania.
▪ The legal basis for processing: necessity to perform a contract to which the client as data subject is a party, or to take steps at the request of the client prior to entering into a contract (GDPR Article 6(1)(b)); legal obligation to process certain personal data (GDPR Article 6(1)(c)).

3.2.3. Execution of internship agreements

For this purpose, the following data may be processed:

• Name(s), surname(s), personal identification number or, if absent, date of birth, signature, telephone number, email address, address, educational institution, internship period, activity.

• Interns’ personal data included in relevant documents (contracts, orders, applications, etc.) in electronic form, paper documents, or other media are stored in accordance with the terms specified in the General Document Storage Index approved by the Chief Archivist of Lithuania.
• The legal basis for processing: necessity to perform a contract to which the intern as data subject is a party, or to take steps at the intern’s request prior to entering into a contract (GDPR Article 6(1)(b)); legal obligation to process certain personal data (GDPR Article 6(1)(c)).

3.2.4. Performance of voluntary activities

For this purpose, the following data may be processed:

• Name(s), surname(s), personal identification number or, if absent, date of birth, signature, telephone number, email address, address, period and type of voluntary activity, information about the volunteer’s health, and in the case of a minor volunteer – the parent’s or legal guardian’s name(s), surname(s), telephone number, email address, signature.

• Volunteers’ personal data included in relevant documents (contracts, orders, applications, etc.) in electronic form, paper documents, or other media are stored in accordance with the terms specified in the General Document Storage Index approved by the Chief Archivist of Lithuania.
• The legal basis for processing: necessity to perform a contract to which the volunteer as data subject is a party, or to take steps at the volunteer’s request prior to entering into a contract (GDPR Article 6(1)(b)); legal obligation to process certain personal data (GDPR Article 6(1)(c)).

3.2.5. Administration of job applicants’ CV database

For this purpose, the following data may be processed:

• Name(s), surname(s), date of birth (age), residential address, contact details (telephone number, email address), information about education (educational institution, study period, degree and/or qualification), information about training (completed courses, certificates obtained), information about work experience (employer, employment period, position, responsibilities and/or achievements), information about language skills, IT and driving skills, other competences, and other information provided in the CV, cover letter, or other application documents, as well as employers’ references, recommendations, and referees’ contact details.

• After the end of the recruitment period for a specific position, if the data subject is not selected and no employment contract is signed, the Centre deletes the submitted CVs and other data unless the Centre has obtained the candidate’s consent to process their data for a longer period to offer future positions. In such case, data are stored for 1 (one) year from the date of submission. After this period, the Centre’s responsible persons will destroy the data within 1 (one) week. Longer storage may occur if personal data are necessary for disputes/complaints or on other legal grounds.
• The legal basis for processing: consent of the data subject (GDPR Article 6(1)(a)).

3.2.6. Administration of inquiries, comments, and complaints

For this purpose, the following data may be processed:

• Name(s), surname(s) and/or username, email address, telephone number, address, subject of the inquiry, comment or complaint, and the text of the inquiry, comment or complaint.

• Such data are stored for 2 (two) years from submission.
• The legal basis for processing: necessity for legitimate interests pursued by the data controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (especially where the data subject is a child) (GDPR Article 6(1)(f)); and consent of the data subject (GDPR Article 6(1)(a)).

3.2.7. Sale of gift vouchers

For this purpose, the following data may be processed:

• Name(s), surname(s), value of the gift voucher, purchaser’s name(s), surname(s), voucher number, email address, telephone number, voucher validity date, and payment details.

• Personal data are not stored.
• The legal basis for processing: necessity to perform a contract to which the client as data subject is a party, or to take steps at the client’s request prior to entering into a contract (GDPR Article 6(1)(b)).

3.2.8. E-commerce (sale of tickets, souvenirs, etc.)

For this purpose, the following data may be processed:

• Name(s), surname(s), residential address, telephone number, email address, delivery address, payment details.

• Data are stored for 2 years.
• The legal basis for processing: necessity to perform a contract to which the client as data subject is a party, or to take steps at the client’s request prior to entering into a contract (GDPR Article 6(1)(b)).

3.2.9. Direct marketing

For this purpose, the following data may be processed:

• Name(s), surname(s), email address, telephone number.

• Data are stored for 5 years from the date of consent. This period may be extended if data are or may be used as evidence in pre-trial or other proceedings, including investigations by the State Data Protection Inspectorate, or in civil, administrative, or criminal cases, or in other cases provided by law. In such cases, data are stored as long as necessary and destroyed immediately once no longer required.
• The legal basis for processing: consent of the data subject (GDPR Article 6(1)(a)); and necessity to pursue the legitimate interests of the Centre to improve its activities and business performance (GDPR Article 6(1)(f)).

3.2.10. Ensuring the safety of employees, other data subjects, and property (video surveillance)

For this purpose, the following data may be processed:

• Video footage. Video surveillance systems do not use facial recognition and/or analysis technologies. The captured video data are not grouped or profiled by individual data subjects. Notices with camera symbols and Centre details are displayed before entering monitored premises/territories. Areas where data subjects expect absolute privacy are not monitored.

• Video data are stored for up to 30 days from recording and then automatically deleted, except where an incident (offense, crime, or other unlawful act) is suspected, in which case the data are stored until the investigation and/or proceedings are completed. Video data capturing the delivery, preparation, exhibition, and return of international exhibitions are stored throughout the exhibition’s presence at the “Stasys Museum” and its Creativity Centre “Pragiedruliai”, and for an additional 30 days after the exhibition has been removed.
• The legal basis for processing: necessity for legitimate interests pursued by the data controller or a third party, except where such interests are overridden by the data subject’s rights and freedoms, especially when the data subject is a child (GDPR Article 6(1)(f)).

3.2.11. Other purposes

Personal data may also be processed for other purposes where the Centre has the right to do so: when the data subject has given consent, where necessary to pursue the Centre’s legitimate interests, or where required by applicable legal acts.

4. USE OF SOCIAL NETWORKS

4.1 All information you provide through social media platforms (including messages, “Like” and “Follow” functions, and other communication) is controlled by the respective social network operator.

4.2 At present, our Centre has an account on the social network Facebook, whose privacy policy is available at: https://www.facebook.com/privacy/explanation.

4.3 Our Centre also has an account on the social network Instagram, whose privacy policy is available at: https://help.instagram.com/519522125107875.

4.4 Our Centre has an account on the social network LinkedIn, whose privacy policy can be found at: https://www.linkedin.com/legal/privacy-policy.

4.5 Our Centre also has an account on the social network YouTube, whose privacy policy is available at: https://policies.google.com/privacy?hl=en-US.

4.6 We recommend reading the privacy notices of third parties and contacting service providers directly if you have any questions regarding how they use your personal data.

5. NEWSLETTERS

5.1 The Centre uses third-party service provider MailChimp for sending newsletters. Only the recipient’s email address is used for successful delivery.
MailChimp Privacy Policy: https://mailchimp.com/legal/privacy/

5.2 You may unsubscribe at any time by clicking the “Unsubscribe” link at the bottom of any email, replying to the email, or contacting the Centre directly by email.

6. E-COMMERCE

6.1 The Centre’s online store is powered by Shopify. Data collected for e-commerce purposes are stored on Shopify servers.

• Shopify Privacy Policy: https://www.shopify.com/legal/privacy

6.2 Payments are processed through Paysera.

• Paysera Privacy Policy: https://www.paysera.lt/v2/en-LT/legal/privacy-policy2020

6.3 Our website is protected by a security protocol based on a data encryption system certificate (SSL). Websites that use this protocol can be recognized by the letter “s” in their internet address, for example: “https://”.

7. PROVISION OF PERSONAL DATA

7.1. The Center undertakes to maintain confidentiality with regard to data subjects. Personal data may be disclosed to third parties only if necessary for the conclusion and performance of contracts with the data subject, or for other lawful reasons.

7.2. The Center may provide personal data to its data processors, who provide services to the Center and process personal data on behalf of the Center. Data processors are entitled to process personal data only according to the Center’s instructions and only to the extent necessary to properly fulfill the obligations set out in the contract. The Center includes only those data processors who ensure that appropriate technical and organizational measures are implemented in such a way that data processing complies with the requirements of the Regulation and the rights of the data subject are protected.

7.3. The Center may also provide personal data in response to a request from a court or state authorities, to the extent necessary to properly comply with applicable laws and instructions from state authorities.

7.4. The Center guarantees that personal data will neither be sold nor rented to third parties.

8. PROCESSING OF PERSONAL DATA OF MINORS

8.1. Individuals under the age of 14 are not allowed to provide any personal data through the Center’s website. If a person is under 14 years old, in order to use the Center’s services, written consent from one of their legal representatives (parent or guardian) must be provided prior to submitting personal information for data processing.

9. PERSONAL DATA RETENTION PERIOD

9.1. Personal data collected by the Center is stored in printed documents and/or the Center’s information systems. Personal data is processed no longer than necessary for the purposes of data processing or longer if required by the data subject and/or by applicable law.

9.2. Even if the agreement is terminated and the Center ceases providing services, the Center is still obliged to retain the data of the data subject, which may be stored in the future due to possible claims or legal requirements, until the end of the data retention period.

10. DATA SUBJECT RIGHTS

10.1. The right to receive information about data processing.

10.2. The right to access the data being processed.

10.3. The right to request correction of data.

10.4. The right to request deletion of data (“Right to be Forgotten”). This right does not apply if the requested personal data is being processed based on other legal grounds, such as processing necessary for the performance of a contract or required by applicable laws.

10.5. The right to restrict data processing.

10.6. The right to object to data processing.

10.7. The right to data portability. The right to data portability must not negatively affect the rights and freedoms of others. Data subjects’ rights to data portability do not apply to personal data processed in a non-automated manner in structured files, e.g., paper files.

10.8. The right to object to automated decision-making, including profiling, based solely on automated processing.

10.9. The right to lodge a complaint regarding personal data processing with the State Data Protection Inspectorate.

11. The Center must provide conditions for the data subject to exercise the rights specified above, except in cases where primary measures are prohibited to ensure national security or defense, prevention, investigation, detection or prosecution of criminal offenses, important state economic and financial interests, the functioning of public authorities, the protection, investigation, and detection of rights and duties, and the protection of freedoms.

12. PROCEDURE FOR EXERCISING DATA SUBJECT RIGHTS

12.1. To exercise their rights, a data subject may contact the Center:

12.1.1. In writing, by mail, through a representative, or electronically via email: info@semc.lt;

12.1.2. Verbally, by phone: +370 620 73061;

12.1.3. In writing, by post: Respublikos g. 40, Panevėžys.

12.2. They may also contact the Center’s Data Protection Officer via email: asmensduomenys@sdg.lt.

12.3. To protect data from unauthorized disclosure, upon receiving a request from the data subject to exercise any rights, the Center must verify the identity of the data subject.

12.4. The Center’s response must be provided to the data subject no later than one month from the date of the request, taking into account the specific data processing measures. This period may, if necessary, be extended by up to two months, considering the complexity and number of requests.

13. DATA SUBJECT RESPONSIBILITIES

13.1. The data subject must:

13.1.1. Inform the Center of any changes to the submitted information and data. It is important for the Center to have accurate and valid information about the data subject;

13.1.2. Provide necessary information so that the Center can identify the data subject and ensure it is interacting with the correct individual (e.g., by providing a document verifying identity or using appropriate electronic communication methods). This is necessary to protect the data of the data subject and others, and to provide information without violating the rights of others.

14. FINAL PROVISIONS

14.1. By providing personal data to the Center, the data subject agrees to the Privacy Policy, understands its provisions, and consents to comply with them.

14.2. In developing and improving the Center’s activities, the Center reserves the right to unilaterally amend this Privacy Policy at any time. The Center may partially or fully change the Privacy Policy, informing about changes by posting them on the website stasysmuseum.com.

14.3. Amendments or changes to the Privacy Policy take effect from the date of their publication, i.e., the date they are posted on the website stasysmuseum.com.