Affirmed on 21-05-2018 by the Prescript No.: 18-0521 of the General Manager of ‘RCD Room Concept Design’, UAB
‘RCD ROOM CONCEPT DESIGN’, UAB
RULES OF PROCESSING PERSONAL DATA
2. Rules of Processing Personal Data are applied for the ‘Mabre Residence’ Hotel belonging to the ‘RCD ROOM CONCEPT DESIGN’, UAB, which is located at the address: 13 Maironio Str., Vilnius, at the ‘Hazienda Steakhouse’ Restaurant, which is located at the address: 13 Maironio Str., Vilnius, as well as at the ‘Stalas ir virtuvė’ Parlour, which is located at the address: 2 Bokšto Str., Vilnius.
3. The notions used in the Rules shall be understood as they are defined in the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation - GDPR), the Law on Legal Protection of Personal Data of the Republic of Lithuania (hereinafter called “the LLPPD”), Labour Code and in other statutes of law regulating the protection of personal data.
4. The provisions of the Rules cannot contradict the personal data processing principles established in the GDPR and other statutes of law regulating the protection of personal data.
THE NOTIONS USED IN THE RULES
5. ‘RCD ROOM CONCEPT DESIGN’, UAB (legal entity’s code: 111580776, head office address: 9b-13 Literatų Str., Vilnius) is a legal entity acting as a Personal Data Controller.
7. Website – www.mabre.lt, where the Guests/Clients may book ‘Mabre Residence’ Hotel rooms for accommodation, order catering services at the ‘Hazienda Steakhouse’ Restaurant, order other services (e.g., conference hall, catering not in the Restaurant premises) and give consent to process personal data. On the Website www.stalasirvirtuve.lt, Clients/Guests may familiarize with the assortment of goods, book and order the goods.
8. Personal Data – the data of natural person, which the Data Controller processes and based on which the Guest/Client of the Company may be identified, including, but not limited to: name, surname, E-Mail address and other.
9. Employee – natural person, who has concluded employment or similar contract with the Company and by the decision of the Company’s manager, is appointed to process Personal Data or whose’ Personal Data is being processed on the procedure determined by the Company.
10. Data Subject – natural person, from who the Company receives and processes Personal Data.
11. Data Processing – any operation performed on the Personal Data: collection, recording, organisation, structuring, storage, usage, termination or other operation.
13. Data Processor – natural person or legal entity, government institution, agency or other institution, which in the name of the Data Controller processes Personal Data.
14. Third Party – natural person or legal entity, government institution, agency or other institution, which is not the Data Subject, Data Controller or Data Processor.
15. The Consent of the Data Subject - any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to the Data Subject;
16. Personal Data Safety Breach - breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
CHAPTER THREE THE PRINCIPLES OF PERSONAL DATA PROCESSING
17. ‘RCD ROOM CONCEPT DESIGN’, UAB when processing the Personal Data of Guest/Client follows these principles:
17.1. The Company processes the Personal Data in order to achieve lawful goals determined herein;
17.2. Personal Data is processed correctly, honestly and lawfully by following the requirements of the statutes of law;
The Company processes Personal Data only in such scope necessary to achieve the goals of Personal Data processing.
18. Personal Data is stored in such a form that would allow determining the identity of the Data Subjects for a no longer time than is needed for the purposes for which it was gathered and processed.
19. Personal Data is processed in such a way, that when applying respective technical and organizational means a proper Personal Data security would be ensured, including protection against unauthorized Personal Data processing and accidental loss, destruction or damage of it.
20. The Company when processing Personal Data depersonalizes it as much as possible.
CHAPTER FOUR THE PROCEDURE OF COLLECTING, STORING AND USING PERSONAL DATA
21. The Data Subject when booking rooms/premises at the Hotel expresses their consent that the Data Controller for the purposes of rightful administration, accommodation, account management, safety and debt administration will process this Personal Data of the Data Subject:
- Name and surname;
- Personal document and credit card’s data;
- Duration of living at the Hotel/using the premises;
- Purpose of arrival;
- License plate number of the car with which the Data Subject will arrive to the Hotel, if the car will be parked in the territory of the Company;
- E-Mail address;
- Phone number.
22. The Data Subject when ordering services/goods at the Company and signing the agreement regarding the ordered services/goods expresses their consent that the Data Controller for the purposes of rightful administration, account management, safety and debt administration will process this Personal Data of the Data Subject:
- Name and surname;
- Date of birth;
- Place of residence address;
- E-Mail address;
- Phone number.
23. The Data Subject when submitting their Personal Data confirms that its preciseness and correctness.
24. The Data Controller submits to the Statistics Lithuania this data: the number of Hotel’s guests, the country from which the guest(s) of the Hotel arrived from, purpose of arrival and the duration of living at the Hotel.
25. The Data Subject when browsing the Company’s website is familiarized with the cookies used in the website and which user’s data is (may be) collected while browsing.
26. The Data Controller confirms that the Personal Data is collected directly from the Data Subject and are not collected from other sources.
27. The Data Controller undertakes not to disclose Personal Data being processed to third parties, save for these cases:
27.1. To law enforcement institutions in accordance to the requirements of the statutes of law, if it is mandatory to prevent criminal actions or investigate them;
27.2. In other cases indicated in the statutes of law.
28. The Employees when performing their duties and processing the Personal Data of the Guest/Client must adhere to the primary principles of Personal Data processing:
28.1. Personal Data of the Guest/Client is processed precisely and honestly only from the personal documents or from the data submitted voluntarily by the Guest/Client; the data is collected lawfully only in accordance to the goals determined by the Company, the functions and authorizations vested to the Employees without collecting surplus data.
29. Personal Data must be stored for no longer than the data processing purposes demands it:
29.1. Personal Data of the Guests/Clients, who were living or are still living at the Hotel, collected data for accounting purpose is stored for 3 (three) years from the day of the last booking made by the Guest of the Hotel;
29.2. Personal Data contained in the services/goods ordering agreements personally signed by the Guests/Clients is stored for no shorter period than it is demanded by the institution, which administrates the taxes paid by the Company;
29.3. For the purposes of managing the debts of Guests/Clients and in accordance to the lawful interest, the collected Personal Data is stored for no shorter period than until the time when the person settles with the Company in full.
30. The procedure of collecting Personal Data of the Company’s Guest/Client:
30.1. When the Guest/Client personally fills-out the Guest Card (hereinafter called “the Card”) and voluntarily submits the data, the data (name, surname, personal document number, the duration of living at the Hotel, purpose of arrival, the licence plate of the Guest’s car with which the Guest arrived at the Hotel and which will be parked in the territory of the Hotel, the name of the country from which the Guest arrives, address) is entered into the Hotel’s Porter Software. This data is gathered for the purposes of accounting the Guests, who were living and still are living at the Hotel, protecting the assets of the Guests living at the Hotel, administering the debts of the Guests and, in accordance to the lawful interest, for the purpose of submitting the reports to the Statistics Lithuania;
30.2. When the Guest/Client personally signs the agreement on ordering services/goods, the Personal Data of the Guest/Client, which is indicated in the agreement (name, surname, date of birth, place of residence address, E-Mail address, phone number), is collected for the purposes of accounting and debt managing in accordance to the lawful interest of the Company;
30.3. The managers of the Company, senior administrator and other Employees authorized by the Company for the purposes of accounting and managing the debts have the right to collect and process other Personal Data of the Guest/Client (e.g., data from the personal document, credit card);
31. Personal Data (the country, from which the Guest arrives, the purpose of Guests arrival) is mandatory submitted automatically to the Statistics Lithuania (Law on Statistics of the Republic of Lithuania, 23 December 1999, No.: VIII-1511).
32. Personal Data may be processed for direct marketing purposes, if the Data Subject gives their clear consent.
THE RIGHTS OF THE DATA SUBJECTS
33. The Employees appointed by the manager of the Company ensure that the Personal Data of the Data Subjects is processed lawfully, honestly and transparently. All of the necessary information is submitted to the Data Subject clearly, understandably and in an acceptable form.
34. The Data Subject grants the right to the Data Controller to collect, control, process and store the Personal Data related to the Data Subject in such scope and goals as it is indicated in these Rules of Processing Personal Data.
35. The Data Subject may revoke the consent to collect, process and store the Personal Data related to the Data Subject at any time by submitting or sending the request by post at the address: 13 Maironio Str., Vilnius or at the E-Mail address: [email protected] from the same E-Mail address, which was indicated during registration. The Data Controller after receiving this request of the Data Subject promptly stops the processing of Personal Data and terminates the Personal Data related to the Data Subject.
35.1. The Data Subject has the right to demand that the Data Controller would “forget” about them, i.e., delete all of the data related to the Data Subject, if it is not needed for the purpose for which it was collected and processed, or, if the Data Subject revokes their given consent, or, if the data is processed by infringing the requirements of the statutes of law. The Data Controller grants this request without undue delay no later than within 5 workdays and informs the Data Subject about the undertaken actions.
35.2. The Data Controller has the right not to terminate Personal Data, if it has a legal basis for storing it, especially when it is needed to ensure the security and defence of the country, public order, prevention of crimes, investigation, determination and criminal prosecution, defend important economic and financial interests of the country and the protection of rights and liberties of other persons.
36. The Data Subject, who has properly identified himself/herself and submitted to the Data Controller the document confirming their identity or notarized copy of it, which will only be used for identification purposes and will not be stored, has the right to familiarize with their Personal Data by submitting a written request to the Data Controller by one of these methods: by post or by directly submitting the request at the address: 13 Maironio Str., Vilnius.
36.1. If another person wants to familiarize with the Personal Data of the Data Subject, they must submit the notarized Power of Attorney of the Data Subject; the data to the attorney is submitted only after providing the agreement on representation and indicating the purpose of data usage.
37. In those cases when the Data Subject after familiarizing with their Personal Data determines that they are incorrect, imprecise or not comprehensive, the Data Subject after properly identifying themselves and applying to the Data Controller has the right to demand to correct and/or supplement the Personal Data related to the Data Subject. The Data Controller after determining that the request has merits, promptly corrects and/or supplements the Personal Data being processed, but no later than within 5 workdays, and informs the Data Subject in writing about the undertaken actions.
38.1. If the Data Subject thinks that their lawful interests were infringed while processing the Personal Data of the Data Subject, they have the right to apply to the supervision institution – State Data Protection Inspectorate.
THE PROVISIONS OF CONFIDENTIALITY AND SAFETY
39. The Employees of the Company must adhere to the principle of confidentiality and keep secret any information with which they have familiarized with while carrying-out their duties, unless such information would be made public in accordance to the provisions of the valid laws or other statutes of law. The obligation to keep the secret of data is termless even when the position of Employees changes, at the end of employment or contractual relations.
PERSONAL DATA RECIPIENTS
40. Personal data is (may be) transferred to these Recipients:
40.1. State institutions or institutions, other persons carrying-out the lawful functions granted to them (for example, law enforcement institutions, ‘RCD ROOM CONCEPT DESIGN’, UAB supervision institutions);
40.2. The parties that manage the registers and/or IT systems (in which Personal Data is processed) or who mediate when submitting Personal Data from these registers.
41. On the website http://www.mabre.lt/, the cookies are used for statistical purposes in order to evaluate the attendance of the website and popularity of separate content. Such data processing does not allow determining the identity of the website’s visitor directly or indirectly.
42. The visitor of the website can delete the cookies from their computer or block them in their web browser, however, in such a case, a part of the website’s functionality may be lost or be incorrect.
43. These cookies are used on the website www.mabre.lt of the Company ‘RCD ROOM CONCEPT DESIGN’, UAB:
The name of the cookie
The purpose / designation
When the Client visits the website
Analytical Google Analytics cookie, which collects and stores information
When the Client visits the website
Analytical Google Analytics cookie, which collects statistical information
When the Client visits the website
facebook.com / fr
Analytical Facebook cookie, which is used for advertisements.
When the Client visits the website
44. The Guest has the right to apply to the ‘RCD ROOM CONCEPT DESIGN’, UAB in order to submit the questions, rescind given consents, and submit requests regarding the implementation of the rights of the Data Subject and complaints regarding the processing of Personal Data.
45. The contact data of ‘RCD ROOM CONCEPT DESIGN’, UAB is published on the ‘RCD ROOM CONCEPT DESIGN’, UAB website: www.mabre.lt.