Confirmed 2023/02/03
UAB „SSPC Real Estate“ in order of the director No.: V-23-10

RECREATION AND ENTERTAINMENT COMPLEX ‘HARMONY PARK’
PRIVACY POLICY

I GENERAL PROVISIONS

I.1. This privacy policy applies to the recreation and entertainment complex “Harmony Park”, located at the address: Saulės Vaikų g. 18, Vazgaikiemis, Prienu district, LT-59021 (41st kilometer of Kaunas-Alytus road) (hereinafter – Complex). The Privacy Policy of the Complex (hereinafter – the Privacy Policy) regulates the guests of the hotel, villas (hereinafter – the Hotel), visitors to the SPA, restaurant and stables located on the territory of the Complex, other natural persons who visit the Complex, its territory and use the services offered by the Complex (hereinafter – the Guest) , as well as Personal data processing of the Complex’s suppliers, contractors, other business partners, candidates for vacant jobs in the Complex. Natural persons, by submitting their Personal data, confirm that they are accurate and complete. I.2.  Terms used in the Privacy Policy shall be understood as defined in the 2016 April 27 Regulation (EU) of the European Parliament and Council No. 2016/679 on the protection of natural persons in the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter – GDPR). I.3. In the performance of their duties, employees of the complex must comply with the basic principles of personal data processing and confidentiality and security requirements established in the GDPR, the Law on the Legal Protection of Personal Data of the Republic of Lithuania (hereinafter – LR), other valid legal acts and this Privacy Policy.

II TERMS USED IN THE PRIVACY POLICY

II.1.  Personal data – any information about an identified or identifiable natural person. An identifiable natural person is a person who can be directly or indirectly identified in particular by an identifier such as name, social security number, year of birth, passport or identity card number, location data and internet identifier, or by one or more characteristics of that natural person’s physical, physiological, genetic, mental, economic, cultural or social identity;

II.2. Recipient of data – a natural or legal person, public authority or other institution to which Personal Data is disclosed;

II.3. Data Subject – Guest of the Complex or other natural person whose Personal Data is received and processed by the Data Controller;

II.4. Consent of the Data Subject – any freely given, specific and unambiguous expression of the will of a duly informed Data Subject by means of a statement or unequivocal actions by which he consents to the processing of Personal Data related to him;

II.5. Data processing – any operation or sequence of operations carried out by automated or non-automated means with Personal Data or Personal Data Sets, such as collection, recording, sorting, systematization, storage, adaptation or change, extraction, familiarization, use, disclosure by transmission, distribution or otherwise making it possible to use them, as well as juxtaposition or combination with other data, restriction, deletion or destruction;

II.6. Data Controller – a natural or legal person who processes Personal Data on behalf of the Data Controller;

II.7. Data controller or Company – Complex manager UAB SSPC Real Estate, company code 300573857, registered office address Islandijos pl. 32B, Kaunas, tel.: +370 650 98 012, which alone or together with other persons determines the purposes and means of Personal Data processing. The address of the administration of the complex is Saulės Vaikau st. 18, Vazgaikiemis, Prienų district, LT-59021 (41st kilometer of Kaunas – Alytus road).

II.8. The website of the complex is www.harmonypark.lt;

II.9. Profiling – any form of automated processing of Personal Data, when Personal Data is used to evaluate certain personal aspects related to a natural person, in particular to analyze or predict aspects related to that natural person’s work performance, economic situation, state of health, personal interests, interests, credibility, conduct, location or movement.

III. PRINCIPLES OF PERSONAL DATA MANAGEMENT

III. 1. When processing Personal Data, the Company is guided by the following principles:

  • The Company processes personal data only to achieve the legal purposes defined in this Privacy Policy;
  • Personal data is processed accurately, honestly and legally, in compliance with the requirements of legal acts; The company processes personal data in such a way that personal data is accurate and, in the event of a change, is constantly updated;
  • The Company processes Personal Data only to the extent necessary to achieve the purposes of Personal Data Processing;
  • Personal data is stored in such a form that the identity of data subjects can be determined no longer than is necessary for the purposes for which these data were collected and processed;
  • Personal data is processed in such a way that adequate security of Personal data is ensured by applying appropriate technical or organizational measures, including protection against unauthorized or illegal data processing and against accidental loss, destruction or damage;
  • The company, when processing personal data, depersonalizes the data as far as it is technically possible; By order, the head of the company appoints a responsible person who familiarizes the employees of the Complex with this Privacy Policy and the rules for handling personal data established in it.

IV. PERSONAL DATA PROCESSED BY THE DATA CONTROLLER

IV.1. PROCESSING OF PERSONAL DATA FOR THE DATA SUBJECT WHEN BOOKING A HOTEL ROOM

IV.1.1. The Company, when a person reserves a room in the Hotel and personally fills out the guest card upon arrival at the Hotel, for the purposes of administration, accommodation, accounting and debt management, recovery, as well as for the purpose of keeping statistics, in order to fulfill the contract to which the Data Subject is a party, as well as in the performance of the Data Controller in accordance with The legal obligation to register accommodation service orders (reservations) under the Tourism Law of the Republic of Lithuania is managed by the name, surname, date of birth, signature, number of the passport, personal identity card or other document confirming the identity of the person, the country that issued the document confirming the personal identity, the nationality of the person being accommodated , address of place of residence, length of stay at the Hotel, name and surname of minor child arriving with parents, guardians, name and surname of spouse arriving together. The person filling out the guest card presents a valid personal identification document for identification. If the person does not provide the personal data provided for in this section (by providing part of them or by providing incorrect personal data), the Hotel has the right not to provide accommodation services to the person.

IV.1.2. For the purpose of ensuring security and order, in pursuit of the legitimate interests of the Data Controller and when such legitimate interest is to ensure the internal order and safety of the Complex in the territory, the Data Controller also collects the license plate number of the Guest’s car with which the Guest arrived at the Hotel. The Guest indicates the car’s registration number on the filled-in guest card or in another place specified by the Data Controller.

IV.1.3. For the purpose of contacting a person regarding a Hotel reservation or other matters related to registration, stay in the Complex, in order to submit an advance or VAT invoice, for the purpose of executing a contract to which the Data Subject is a party, the Company processes the Guest’s phone number and e-mail address. If the Guest does not provide the specified personal data, the Hotel will not be able to provide the Guest with the necessary information and properly provide services.

IV.1.4. The name and surname of minor children arriving with tourist groups, the name of the organization with which the child arrived, are collected in order to ensure the safety of children staying in the Hotel.

IV.1.5. For a person making a Hotel room reservation on the website of the Complex, for accommodation, administration and accounting purposes, in order to fulfill the contract to which the Data Subject is a party, the Company processes the name, surname, country (optional), phone number, email address of the person making the Hotel room reservation, billing address (optional), the number of adults and minor children intending to come to the Hotel. When making a Hotel room reservation online and in order to complete the reservation, for the above-mentioned purposes and legal basis, the Data Subject additionally provides credit/debit card data – card type, card number, name and surname of the owner indicated on the card, card validity date, cvc code. If the Hotel room reservation is made by a legal entity, the name, surname, country (optional), telephone number, billing address (optional), e-mail address and the above credit/debit card information of the person representing the legal entity are indicated.

When the data subject makes a hotel room reservation by phone, the Company asks the person to provide the same personal data as indicated above, except for credit/debit card data. The Company provides information related to the reservation and its confirmation, sends invoices, pre-invoices for payment of services to the billing address provided by the data subject by phone and e-mail. If the guest does not provide the mandatory personal data provided in this section (by providing part of them or by providing incorrect personal data), the Hotel has the right not to confirm the room reservation.

IV.1.6. An external reservation system such as e.g. website www.booking.com may collect as much or more personal data as indicated above. Managers of the external reservation system are responsible for such processing of personal data. The Company is not responsible for how the personal data of the Data Subject is processed by external reservation system managers. Therefore, before submitting any data in external reservation systems, it is recommended to familiarize yourself with the personal data privacy policy of the managers of external reservation systems in detail.

IV.2. DATA PROCESSING FOR THE DATA SUBJECT TO VISIT A SPA AND WATER ENTERTAINMENT SPACE, RECEIVE MEALS OR OTHER SERVICES (HORSE RIDINGACTIVITIES, EQUIPMENT RENTAL, ETC.)

IV.2.1. Spa and water entertainment reservations can be made by contacting the Hotel by phone, e-mail, or upon arrival at the spa and water entertainment area. In order for the data subject to reserve a visit to the spa and water entertainment area of ​​the hotel, the Data Controller processes the customer’s name, surname, phone number and room number (if he is a Hotel Guest), as well as the names and surnames of the persons who will visit the spa and water entertainment area of ​​the reservoir together, age (if it is unaccompanied minors or of retirement age). The name and contact details of the person booking a visit to the reservation spa and water entertainment area are processed for the purpose of providing the services for which it is intended that the party is the Data Subject. The data of other persons, together with the reserved submission person, are processed for the purpose of provision, on the basis of legitimate interest, when the legal interest of the Data Controller is determined together with the arriving persons to whom the services will be provided, to calculate the price of such services, etc. When applying for services to persons of retirement age, the Data Controller may indicate such persons their age and provide a certificate of pension recipient. Personal data is processed on the basis of the legitimate interests of the Data Controller, when the legitimate interest is to determine whether the person is entitled to a service discount (if applicable). If the person does not provide the Personal data provided for in this section (part of the submission or if the personal data is incorrect), the Complex has the right not to provide the services.

IV.2.2. An external reservation system such as e.g. TreatWell may collect as much or more Personal Data as stated above. Managers of the external reservation system are responsible for such processing of Personal Data. The Company is not responsible for how the Data Subject’s Personal Data is processed by external reservation system managers. Therefore, before submitting any data in external reservation systems, it is recommended to familiarize yourself with the personal data privacy policy of the managers of external reservation systems in detail.

IV.2.3. In order for the Data Controller to properly provide the wellness/health care services ordered by the client, the Data Controller processes data on the client’s health status. Such data can be about the clients’ level of work ability, special needs, blood type, diseases they have or have contracted, etc. The data is processed on the basis of the Data Subject’s consent. If the client does not provide the necessary data about the client’s state of health, the Complex may not provide the client with wellness/healthcare services.

IV.2.4. A person intending to visit the Hotel’s SPA and water entertainment area can be presented with the rules of the SPA and water entertainment area for perusal and, marking his name and surname, the date of acquaintance, to sign. Such information is provided by individuals for the purpose of providing services, on the basis of the legitimate interest of the Data Controller, in order to defend against claims and/or possible legal disputes. If the person arrives together with minor children, a consent form for the minor’s representatives is submitted to be filled out and signed, in which they are asked to indicate the names, surnames and age of the minors, as well as to mark whether the person filling out the form agrees with the rules specified in the form, and to indicate whether

minors arriving in person have health problems that should be known to the staff of the spa and water entertainment area. Such information is provided by individuals for the purpose of providing services, on the basis of the consent of the person representing minors: the representative of minors may not agree to provide information about the minor’s health problems, in any case, the full responsibility for accompanying minors and their state of health rests with the adult person accompanying the minor. If the guest does not fill out or incompletely fills out the consent form of the minor’s representative(s), without presenting his/her identity

data and if you do not agree to comply with the rules of the spa and water entertainment area, the Data Controller has the right not to provide services to the Guest and minors who came with him.

IV.2.5. When reserving a table in the Hotel’s restaurant, the name, telephone number, and room number of the person reserving the table are indicated in the reservation book (if the reservation is made by a Hotel guest). Personal data is processed for the purpose of providing services, on the legal basis of contract performance. If the person does not provide the Personal data provided for in this section (by providing part of them or by providing incorrect Personal data), the Hotel restaurant has the right not to make a table reservation.

IV.2.6. In order for Hotel Guests to temporarily rent equipment intended for recreation and entertainment in the Complex (scooters, bicycles, etc.), Hotel Guests must conclude an equipment rental agreement and indicate their name and surname, the number of the reserved Hotel room, contact phone number, and sign the agreement. If the contract is concluded by persons who have not reserved a room at the Hotel, the date of birth, personal document number and e-mail are additionally requested in the contract. When completing the contract, in order to identify the lessee of the equipment, the employee of the Company has the right to ask the lessee of the equipment to provide an identity document. Personal data is processed for the purposes of service provision, debt management and collection. Processing data is necessary in order to fulfill a contract to which the Data Subject is a party. If the person does not provide the data specified in this point, the Company has the right not to rent the equipment to the person.

IV.2.7. For persons seeking to use the services of the Complex stud farm, the person must provide his name and phone number to reserve the service. When the client arrives at the stud, the person fills out the contract, in which he indicates his name, surname and year of birth. Personal data is processed on the legal basis of contract performance in order to provide services. If the person does not provide the data specified in this point, the Company has the right not to provide the services to the person.

IV.5. DATA PROCESSING WHEN PURCHASING A GIFT COUPON

IV.3.1. In order to purchase a Complex gift voucher on the Complex website, a person must provide his name, surname, telephone number, and e-mail address. In order to complete the purchase of the gift voucher, additional bank card data is provided – card type, card number, cvc code, name and surname of the owner indicated on the card, card validity date. If the Hotel room reservation is made by a legal entity, the name, surname, telephone number, e-mail address and bank card information of the person representing the legal entity at the time of purchase of the gift card are indicated. It is necessary to process the buyer’s personal data in order to fulfill the contract, which country is the Data Subject. The data of the person representing the legal entity is processed on the basis of legitimate interest, when the legitimate interest is to identify the person representing the legal entity and properly fulfill the submitted order. The provided phone number and e-mail address are processed in order to contact the buyer regarding the order in case of additional questions, as well as when submitting the purchased gift certificate to the e-mail address. If the buyer does not provide the above data, the buyer will not be able to purchase the Complex gift voucher. If the gift voucher is purchased for another person, the name of the recipient of the voucher and other personal data of the recipient of the gift voucher provided by the purchaser of the gift voucher it is also processed.

IV.3.2. A guest who comes to the Complex and seeks to use a Harmony Park gift voucher or pass received as a gift, fills out a form confirming the fact of using the gift certificate or pass, indicates the number of the gift certificate or pass, the date of visit, his name and surname and signs the form. These personal data are processed for the purposes of administration and accounting, on the basis of legitimate interest, when the legitimate interest of the Data Controller is to account for used gift vouchers, travel vouchers, to defend against legal disputes arising from the fact of the use/non-use of gift vouchers or vouchers.

IV.4. DATA PROCESSING BY DATA SUBJECT

PERSONAL DATA FOR CREATING AN ACCOUNT ON THE WEBSITE OF THE COMPLEX

IV.4.1. In order for a person to use the benefits provided by the Complex’s website, such as adjusting submitted orders, contacting the Hotel, making a faster reservation, a person can create their own personal account on the Complex’s website. For the purpose of providing services to a person, a person, in order to create such an account, provides the following personal data to the Data Controller: name, surname, e-mail, telephone number, address (not mandatory). Personal data is processed on the basis of the Data Subject’s consent. It is considered that the Data Subject, by completing and specifying the personal data required to create an account, agrees to such processing of personal data for the purpose of providing services to him. If the mandatory personal data required to create an account is not provided, the person will not have the opportunity to create an account. The data subject can cancel his existing account on the website of the Complex at any time by contacting the Data Controller by e-mail. by email to info@harmonypark.lt (or by other methods specified in Chapter VIII of the Privacy Policy) and by submitting an electronic signature request to delete the Data Subject’s account.

IV.5. DATA PROCESSING FOR DIRECT MARKETING PURPOSES

IV.5.1. By providing the Data Controller with his/her name, e-mail address or telephone number, the Data Subject may or may not consent to the use of his/her personal data for the purpose of direct marketing. When processing personal data for the purpose of direct marketing, the data controller may also receive information about whether the newsletter was read: when and how many times it or the link in it was opened.

IV.5.2. The Data Controller, upon receiving the consent of the individual, has the right to send the Data Subject information about the services and goods offered by the Complex. The data subject can at any time opt out of the direct marketing messages provided to him by contacting the Data Controller by e-mail. by mail to info@harmonypark.lt (or by other means specified in Chapter VIII of the Privacy Policy) and by submitting a request signed with an electronic signature, or by clicking the unsubscribe link at the bottom of the received newsletter.

IV.6. PERSONAL DATA PROCESSING FOR THE PURPOSE OF SERVICE QUALITY ASSURANCE WHEN CONDUCTING SURVEYS, INVESTIGATING RECEIVED COMPLAINTS, AS WELL AS CONTACTING CUSTOMERS ABOUT SERVICES BY EMAIL OR TELEPHONE

IV.6.1. In order to improve the quality of its services, the Data Controller conducts surveys about the services provided to Guests (Guests answering the questions in writing), and also asks them to leave feedback about the services received in the Guest Book. When leaving feedback on the services provided to the Data Subject, the Data Subject may be asked to provide the data of the Guest and/or persons who arrived with him, such as, for example, to which age group the Guest belongs, with whom the Guest arrived at the Complex. The guest may also be asked to provide the room number they have reserved, their name, email address and phone number. All these personal data are processed on the basis of the Data Subject’s consent. The data subject may not provide all or part of the personal data. The Guestbook and Guest Profile process such data as provided by the Data Subject. Personal data is processed on the basis of the Data Subject’s consent. It is considered that the Data Subject, who submitted personal data to Harmony Park in the Guest Profile or Guest Book, agrees to their processing for the purpose of improving the quality of services provided by the Data Controller.

IV.6.2. In order to improve the quality of the services provided, the Data Controller, after providing the services, provides the Guests with tipping forms for the employees of the Complex to fill in, where they are asked to indicate the Guest’s room number, the name and surname of the person giving the tip, and to sign the form. The guest’s personal data is processed in order to identify the person who leaves a tip for the Complex employee, based on the legitimate interest of the Data Controller. If the guest does not provide the requested data in the tipping form, the tip will not be given to the employee.

IV.6.3. The data controller may process personal data obtained through social media platforms (such as Facebook, Instagram, LinkedIn and others) or online reviews (such as TripAdvisor) in order to investigate complaints from individuals or respond to customer requests, reviews about the Complex, monitor your reputation on the Internet, so that with the help of these tools, the Data Controller can evaluate and improve the quality of its services. For the purposes specified in this section, the Data Controller processes the Personal Data of the Data Subject on the basis of the Data Controller’s legitimate interest.

IV.6.4. The Data Controller processes the Personal Data of persons who are interested in the Data Controller’s services and who wish to order the services of the Complex when contacting the Data Controller by telephone for the purpose of ensuring the quality of the services provided by the Data Controller, based on the consent of the callers. The data manager processes the following personal data: date, time, duration of the conversation, recording of the telephone conversation, telephone number from which the call is made, name and other data required for the provision of services or provided by the caller. If a person does not agree with the processing of personal data provided for above, the person can apply in writing by e-mail to info@harmonypark.lt or come to the Hotel and contact the Complex’s administration employee with questions. It is considered that the Data Subject agrees to the processing of his Personal Data for the purpose of improving the quality of services, if the Data Subject, after listening to a short message about the ongoing recording of conversations, continues the conversation and communicates with the Complex employee. When a person applies to the Complex by e-mail, the personal data provided by the Data Subject in their letter is processed. It is considered that the person who submitted his personal data to the Complex agrees to the processing of his personal data.

IV.6.5. After the Guest stays at the Complex Hotel, the Data Controller, in order to evaluate and improve the quality of its services and offer tailored services to the Data Subject when he stays at the Hotel the next time, the Data Controller processes the Guest’s name, the number of times the Guest stayed at the Complex Hotel, when, what price they paid for the services, what was ordered for the hotel room and what additional services were ordered. These data are processed by the Data Controller on the basis of the legitimate interest of the Data Controller.

IV.7. PROCESSING OF PERSONAL DATA FOR THE PURPOSE OF PROTECTING PERSONS AND PROPERTY, PREVENTING LAW VIOLATIONS, IDENTIFYING VIOLATORS, EXPLAINING LAW VIOLATIONS

IV.7.1. Persons entering the territory of the Complex enter the observation field (rooms and/or territory of the hotel, restaurant, hippodrome) monitored by video cameras (without sound). Video cameras record personal image and vehicle image data. Persons are informed about video surveillance in the monitored area, in a visible place by submitting public notices.

IV.7.2. Video surveillance is carried out for the purposes of protection of persons and property, prevention of violations of the law, identification of offenders, clarification of violations of the law, in order to protect the vital interests of the data subject or other natural person, as well as on the basis of legitimate interest, theft of property of the Data Controller and/or other third parties, etc. for the purpose of prevention.

IV.8. PROCESSING OF DATA RECEIVED BY THE LOCK CARD FOR THE PURPOSE OF PROPERTY AND PERSONAL PROTECTION, THEFT PREVENTION

IV.8.1. In order to ensure that the visit of the Guests to the Hotel and the SPA and water entertainment area is safe, for the purpose of property and person protection and theft prevention, the Hotel carries out customer access control. Access control is carried out using the room lock card issued to the Guest, as well as the SPA magnetic bracelet. The room lock card records the time of the Guest’s exit/entry to the Hotel room, the SPA magnetic bracelet records the time of the Guest’s exit/entry to the spa and water entertainment area, the Guest’s room number, if one is reserved. During the Guest’s stay, the Data Controller assigns the Guest a room lock card and a SPA magnetic bracelet (if SPA, water entertainment is ordered), and determines its validity period. A person who has not reserved a room in the Hotel is given only a wristband to access the SPA. Data obtained by a person using the access cards or wristbands provided to a person can only be used to reveal suspected criminal acts, administrative law violations, or to prove, reveal, and may be transferred to the property of Hotel employees, service providers, third parties or the property of the Hotel, to the health or life of individuals only to persons who have the right to receive this data in accordance with the procedure established by law. Interpreting the specified data is necessary in order to protect the vital interests of the data subject or other natural person, as well as legitimate ones on the basis of interests in order to protect the property of the Data Controller and third parties.

IV.9. PROCESSING OF PERSONAL DATA IN THE EMPLOYMENT COMPLEX

4.9.1. Potential employees of the Complex (candidates, job seekers) provide the following personal data to the Complex: resume, first name, last name, phone number, e-mail address, mail, other personal data. If a potential employee contacts Complex through social media tools, such as LinkedIn, the manager of the social network may process the person’s interest in positions posted by Complex for the purposes set out in the policy of the manager of the social network. The data subject’s personal data submitted when applying for a specific advertised position or submitted on the individuals’ own job posting websites are processed for the purpose of selection. It is considered that when a candidate applies to Complex for the purpose of employment and submits his personal data, or a person looking for a job and submits a resume with his personal data to job search websites, the candidate agrees to the processing of personal data for the purpose of selection. If the candidate is not offered a job, after the end of the selection for a specific position advertised by the Complex, the candidate’s data is destroyed, except for the case if the person gives consent to store the data for the purpose of selecting other future employees of the Complex.

IV.10. PROCESSING OF DATA ABOUT CONTRACTORS, SUPPLIERS, SERVICE PROVIDERS, OTHER BUSINESS PARTNERS

IV.10.1. The data controller, for the purpose of concluding and executing the contract, cooperation, receives and processes the data of the contractor, supplier, service provider and other business partners (hereinafter – the Contracting Party), when the Contracting Party is a natural person, or of the person representing the Contracting Party, when the Contracting Party is a legal entity , as well as the personal data of the employees of the Contracting Party participating in the conclusion and execution of the contract, other data processors used by the Contracting Party and the persons and employees representing them. The personal data of the Contracting Party, when the Contracting Party is a natural person, is processed on the legal basis of the fulfillment of the contract to which the Data Subject is a party. The personal data of the person representing the Contracting Party, when the Contracting Party is a legal entity, as well as other employees of the Contracting Party participating in the conclusion and execution of the contract, data processors used by the Contracting Party and the persons and employees representing them, are processed on the basis of the interest of the Data Controller judge, when a legitimate interest is established, execute the contract with the Contracting Party, using the representatives of the Contracting Party (contacting the Contracting Party, etc.).

IV.10.2. The following personal data are obtained and processed for the purpose of concluding and executing the contract and cooperation: name, surname, position, term of representation, telephone number, e-mail address and other information specified in the document, e-mail or publicly available website provided by the Contracting Party and the representatives of the Contracting Party. A personal code or date of birth, passport or personal identity card number, address of actual residence or registered residence may also be obtained from the Contracting Party. When concluding and executing the contract, the Contracting Party, when it is a natural person, and the representatives of the Contracting Party may be asked to provide their identity document. Submission of personal data is not required or mandatory, however, without processing this personal data specified in point, the Contracting Parties will not be able to enter into and/or execute the contract.

IV.11. DATA PROCESSING RELATED TO THE COLLECTION OF CONTRIBUTIONS

IV.11.1. In order to ensure that the client will pay for the services provided by the Complex, the data controller may use the services of entities providing payment collection services or choose such payments himself. For this purpose, the Data Controller collects and can submit the customer’s identification data, order data and e-mail data to entities providing payment collection services, which send the invoice with a reference to the customer’s e-mail address for payment postal address. The data controller collects the customer’s credit/debit card data for the purpose specified in this section. After receiving the customer’s credit/debit card details, the data controller checks the customer’s credit limit. the Data Controller processes data related to premiums collection only for the purposes of guaranteeing the payment of services (based on legitimate interest). If the Data Subject changes the order or there are other payment refund conditions, the Data Controller returns the money to the Data Subject directly through a commercial bank.

IV.12. PROCESSING OF PERSONAL DATA FOR THE PURPOSES OF ORGANIZING GAMES, PROMOTIONS, COMPETITIONS

IV.12.1. In order to pursue the legitimate interests of the Data Controller, in each case, so that the Data Controller can carry out the organized contest or game, and the person can participate in the contest or game, the Data Controller specifies the rules of the contest or game what personal data the person who wants to participate in the contest or game must have submit to the Data Controller. Normally, the Data Controller asks for the following personal data in the form: first name, last name, e-mail address, postal address, phone number, city, age. Depending on the nature of the game or contest, the game or contest may require a minimum age for participants based on applicable law and therefore request that a person state their age on the game or contest entry form. If the participant of the game or contest is under 18 years of age, but upon reaching the age of 16, and participating in the game or contest, the participant confirms that he has the consent of his parents, guardians for participation in the game or contest and the disclosure of personal information to the Data Controller. With the consent of the participant, the Data Controller may use the contact data provided by the person, information about the city where the participant lives, for statistical and direct marketing purposes (for more details, see p. 4.5 of the Policy). The data controller considers that the person agrees to the processing of the information provided by the person about the city, if the participant specifies this optional information in the game or competition questionnaire. The Participant’s contact details are also collected by the Data Controller in order to

to enforce the rules of the game or contest and to notify the winner of the prize.

IV.12.2. Whether to participate in ongoing contests and games, and also, accordingly, whether to provide personal data, is the choice of the individual. If the data required for participation in the game or contest is not provided, the person will not be able to participate in the game or contest. In order to achieve maximum transparency, on the basis of legitimate interest, the data manager usually publishes the name and surname of the winner of the competition or game.

V. RECIPIENTS OF PERSONAL DATA

V.1. The privacy of the Guests and other persons is important to the Data Controller, therefore, without the consent of the Data Subject, the Data Controller does not provide Personal Data to other persons, except for the following persons:

  • in the event of a dispute – to persons providing legal services to the Data Controller;
  • auditors, other consultants;
  • used data processors, such as for example: a company providing accounting services, marketing service providers, a company providing IT services, service providers of reservation computer programs, companies providing security, personnel services, etc.;
  • payment service providers (banks, credit institutions, payment initiation service providers, etc.); to state institutions, law enforcement agencies and other persons in accordance with the procedure established by legal acts;
  • insurance companies.

V.2. If the Data Controller discloses the personal data of the Data Subject to others for groups of recipients of data than specified in this Privacy Policy, the Data subject is informed about this by the Data Controller no later than when the data is disclosed for the first time, except if such information has already been provided by the Data Controller to the Data Subject previously provided to the Data Subject or concluded with the Data Subject in the documents.

VI. PERSONAL DATA STORAGE TERMS

VI.1. Personal data is processed no longer than is necessary to achieve the purposes of data processing or no longer than is required by the Data Subjects and/or provided for by applicable legal acts. In the event of a change in the term of personal data storage established by legal acts, the Data Controller shall keep the personal data provided by the Data Subject (collected by the Data Controller) for the specific purpose of personal data processing for the term specified in the law.

VI.2. As of the date of approval of this Privacy Policy, the personal data provided by the Guest in the Guest registration card are stored for 5 (five) years from the date of making the reservation by the Data subject. The storage term is determined in accordance with the Law on Tourism of the Republic of Lithuania, as well as the description of the procedure for registration of citizens of the member states and other countries approved on the basis of this law, and the 5 (five) year storage term for completed registration cards.

VI.3. The Data Controller normally processes data during the conclusion of the contract, execution, provision of services and for 10 years from the end of the contract, provision of services or the end of the relationship, in compliance with the requirements set out in legal acts related to the archiving of documents and in order to assert, fulfill or defend the legal requirements of the Data Controller.

VI.4. For visits to the SPA and water entertainment area, Hotel restaurant, horse riding activities, personal data is processed for the purpose of providing services, stored during the period of service provision and no longer than 3 (three) years after the provision of services, in accordance with the shortened 3 (three) year statute of limitations set out in the Civil Code of the Republic of Lithuania, applicable to claims for damages.

VI.5. For direct marketing purposes, on the basis of the Data Subject’s consent, the Data Controller processes personal data for no longer than 3 years after receiving the Data Subject’s consent or until the Data Subject revokes the given consent for data processing. After the expiry of the term of consent to direct marketing, as well as if the Data Subject withdraws the consent, the consent is stored for another 2 (years) in accordance with the Law on Legal Protection of Personal Data of the Republic of Lithuania and the 2 (two) year period established therein to submit a complaint to the Supervisory Authority.

VI.6. For the purpose of ensuring the quality of services, when conducting customer surveys, examining received complaints, personal data is stored and processed for no longer than 1 (one) year from the submission of such personal data. Records of telephone conversations made for the purpose of service improvement shall be kept by the Data Controller for no longer than 14 days. The forms for providing tips to the employees of the Complex are kept by the Data Controller for 7 days after the provision of services to the Guest.

VI.7. Video surveillance material with personal data, personal data obtained using a lock card, magnetic bracelet are stored and processed for no longer than 1 month from the date of data capture/receipt.

VI.8. The data submitted by the candidates for the selection for the specific workplace offered by the Complex is processed and stored during the selection period. After the end of a specific selection, when an employment contract is not concluded with the candidate, the Personal Data of the candidates, upon receiving the consent of the candidate, are stored for 1 (one) year or until the Data Subject revokes the given consent for data processing.

VI.9. The Complex processes the data collected during the monitoring of the guests’ behavior for the purpose of improving the services and adapting them to the needs of the guests for no longer than 3 years from the last contact with the Data subject.

VI.10. Payment card data is stored by the Data Controller for no more than 5 years after settlement.

VI.11. Personal data obtained through social media platforms or online reviews, in order to examine customer complaints or respond to feedback about the Complex, monitor the reputation of the Complex on the Internet, so that with the help of these tools the Complex can evaluate and improve the quality of its services, the Data Controller processes no longer than 1 year from the collection of such data.

VI.12. Data on the state of health are stored for the period specified in the legislation.

VI.13. If the Data Subject withdraws consent to data processing or the data processing term expires (when the data is processed on the basis of the Data Subject’s consent), in this case only data confirming the fact of the Data Subject’s consent is stored, but no longer than 2 (two) years from the end of the consent period or consent cancellation in order to assert, enforce or defend the legal claims of the Data Controller.

VII. RIGHTS OF DATA SUBJECTS RELATING TO PERSONAL DATA

The data subject can exercise his rights by personally visiting the Complex’s administration or by sending a request confirmed by an electronic signature to the contacts specified in Chapter XI of this Privacy Policy. The data controller provides the relevant response and/or records and in any case does so no later than 1 month from the date of receipt of the request. The Data Controller provides confirmation of the actions taken in response to the Data Subject’s request or informs if it cannot fulfill any specific request and indicates the reasons for such a decision. The data controller has the right to reject requests that are unreasonably repetitive, redundant or clearly unjustified, or to charge an adequate fee for such requests. At the request of the data subject, information can be provided orally, allowing access to the document, by providing a certificate, an extract of the document or a paper copy of the document, electronic media, access to the information file. If a person does not indicate the form of information submission in his request, the information is provided to him in the same form as the request was received. Attention is drawn to the fact that the rights of data subjects are not absolute and may be limited in accordance with the procedure established by the legal acts of the Republic of Lithuania, under the conditions set forth in Article 23 of GDPR.

  1. RIGHT TO WITHDRAW CONSENT. The data subject may at any time withdraw his consent to allow the processing of his personal data without incurring any costs and without affecting the lawfulness of data processing based on this consent prior to its withdrawal. Upon withdrawal of consent, the Data Controller stops activities and services related to this consent. When personal data is processed for the purposes of direct marketing, the Data Subject has the right to object at any time to the processing of personal data related to him for the purposes of such marketing, including profiling to the extent related to such direct marketing. When the Data Subject objects to data processing for direct marketing purposes, Personal Data is no longer processed for such purposes. The data subject has the right to opt out of direct marketing messages provided to him by notifying the Data Controller by e-mail info@harmonypark.lt or by clicking the unsubscribe link at the bottom of the newsletter received by Complex.
  2. RIGHT TO ACCESS PERSONAL DATA. The Data Subject has the right to receive confirmation from the Data Controller as to whether the Personal Data related to him is being processed, and if such Personal Data is being processed, he has the right to familiarize himself with the Personal Data. The Data Controller, upon receiving a request, provides the Data Subject with a copy of the personal data it processes. The right to receive a copy cannot adversely affect the rights and freedoms of others.
  3. RIGHT TO DEMAND CORRECTION OF DATA. The data subject has the right to demand that the Data Controller immediately correct inaccurate personal data related to him without undue delay. Taking into account the purposes for which the data were processed, the Data Subject has the right to demand that incomplete Personal Data be supplemented, among other things, by submitting an additional statement.
  4. RIGHT TO REQUEST DELETE OF PERSONAL DATA (“RIGHT TO BE FORGOTTEN”). The Data Subject has the right to demand that the Data Controller delete Personal Data related to him without undue delay, and the Data Controller is obliged to delete Personal Data without undue delay, if this can be justified in accordance with GDPR regulations. The Data Controller has the right to refuse to comply with the Data Subject’s request in the cases established by legal acts, including, but not limited to, the cases discussed in Article 17, Part 3 of the GDPR. This right cannot be exercised either, if the Data Controller is obliged to store personal data in accordance with the law or on other legal grounds.
  5. RIGHT TO LIMIT DATA PROCESSING. The Data Subject may have the right to limit the processing of Personal Data, when the Data Subject has doubts about the accuracy or legality of the Data Processing, or a request is made that the Data Controller no longer needs data to be stored for the purposes of establishing, submitting or defending legal claims, or the Data Subject has objected to the Data Processing based on in their legitimate interests. If the Data Subject requests such a restriction, the Data Controller will usually no longer process the Data Subject’s information, but will only store it.
  6. RIGHT TO DATA PORTABILITY. The data subject has the right to receive his/her data in electronic format and transfer data from one system to another when the data is processed on the basis of consent, legitimate interest or agreement, as well as when the data is processed by automated means. Using his right to data portability, the Data Subject has the right to have one Data Controller directly transfer personal data to another, when this is technically possible. The specified right cannot have a negative impact on the rights and freedoms of other persons.
  • THE RIGHT TO DISAGREE. In the course of its activities, the Data Controller processes some of the personal information of the Data Subjects on the basis of legitimate interests. In doing so, the Data Controller ensures that such data processing does not violate the Data Subject’s personal information protection requirements. The data subject has the right, for reasons related to his specific case, at any time to object to the processing of Personal Data related to him, when such data processing is carried out in accordance with Article 6, paragraph 1, point f, including profiling based on those provisions. The Data Controller no longer processes Personal Data, except in cases where the Data Controller proves that the data is processed for compelling legitimate reasons that override the interests, rights and freedoms of the Data Subject, or to assert, enforce or defend legal claims.
  • THE RIGHT TO OBJECT THE DATA SUBJECT TO ONLY AUTOMATED DATA PROCESSING, INCLUDING PROFILING. The data subject has the right to know and be informed according to which logic Personal data is processed automatically and what the consequences of such Personal data processing could be when the data is processed only in an automated way. When the Data Subject applies for the review of a decision based on automated data processing (if such decisions are taken by the Data Controller in relation to the Data Subject), the Data Controller will perform a detailed evaluation of all relevant data, including the information provided by the Data Subject.
  • RIGHT TO SUBMIT A COMPLAINT OR QUESTION. If the Data Subject believes that the Data Controller does not comply with GDPR or the requirements of the applicable laws of the Republic of Lithuania when processing the Data Subject’s personal data, the Data Subject may submit a complaint to the supervisory authority. In Lithuania, such issues are supervised by the State Data Protection Inspectorate (www.ada.lt).

VIII. PROCEDURE FOR CONTACTING THE COMPLEX FOR THE IMPLEMENTATION OF THE RIGHTS OF THE DATA SUBJECT

VIII.1. Apply for the implementation of the Data Subject’s rights The Data Subject has the right orally or in writing by submitting a request in person, by mail or by electronic means to the contacts specified in this Privacy Policy. The request to exercise the Data Subject’s rights must be legible, signed, and must contain the name, surname, address and/or other contact details of the person making the request to maintain communication or receive an answer regarding the exercise of the Data Subject’s rights.

VIII.2. When contacting the Data Controller regarding the implementation of the rights of the Data Subject, the Data Subject must confirm his identity. If this is not done, the Data Controller will not be able to accept the Data Subject’s requests and the Data Subject’s rights will not be implemented. This provision does not apply if information about the processing of personal data is requested in accordance with Articles 13 and 14 of the GDPR.

VIII.3. If a person decides to contact the Data Controller personally regarding the implementation of the Data Subject’s rights, the Data Subject must provide the Data Controller with his or her identity document. If a person decides to apply to the Data Controller in writing for the exercise of the Data Subject’s rights, by submitting a request by mail, the Data Subject will also have to come to the Complex’s administration and provide the Data Controller with an identity document or confirm their identity in another agreed way. If a person decides to submit an application by electronic means, the application must be signed with a qualified electronic signature. This provision does not apply if a person applies for information about the processing of personal data in accordance with Articles 13 and 14 of the GDPR.

VIII.4. If the Data Controller has doubts about the identity and data of the person submitting the request, the Data Controller has the right to request additional information necessary to be sure of it.

IX. PERSONAL DATA PROTECTION RISK FACTORS AND THEIR SOLUTION

In order to ensure adequate protection of Personal Data, the Data Controller implements the following organizational and technical Personal Data Protection measures:

Organizational:

1.1. The data controller organizes the work procedure in such a way as to ensure the safe handling and (if applicable) transfer of computer data and/or documents and their archives;

1.2. access to the Personal Data of the Data Subject is granted only to those Employees who need them to perform work functions and only to those who have signed confidentiality agreements and are familiar with other internal procedures in the scope of Personal Data Processing.

Technical:

2.1. Data Processors (service providers) appointed by the Data Controller act only on the authority of the Data Controller;

2.2. Personal data is protected against loss, unauthorized use and changes. The Internet connection is encrypted, and the website of the Complex is executed via the https:// protocol;

2.3. Protection of computer equipment against harmful software (eg installation of antivirus programs, updates) is ensured, and the internal computer network is protected by a firewall.

X. PRIVACY POLICY CHANGES

We regularly review our privacy policy. This version was updated in 2023. February 1

XI. CONTACT INFORMATION

Contacts for comments, requests or questions about personal data processing:

SSPC Real Estate UAB, company code 300573857, registered office address Islandijos pl. 32B, Kaunas, phone: +370 650 98 012, e-mail mail info@harmonypark.lt.

Contact details of the Data Protection Officer – duomenuapsauga@balticred.com, Tel.:

+370 37 239 017.

leaf
leaf
Newsletter icon

Newsletter subscription
Cookies
Our website may use both essential and non-essential cookies. Necessary cookies help ensure the proper functioning of the website, are installed automatically and do not require your consent. Non-necessary cookies help ensure the best browsing experience for you and are only used with your consent. If you disable this notification or do not click on the confirmation box, only necessary cookies will be saved to your device. You can revoke your consent at any time by changing your internet browser settings and deleting saved cookies. See cookies for more information privatumo politikoje
Voucher