This Privacy policy (Privacy policy) contains information about what personal data we are processing for what purpose, how long we keep it, who we can communicate information about you, and what rights you have as a data subject.

Data controller’s data

The manager of the personal data processing operations described in this Privacy Policy, who determines the purposes and means of data processing, is NEO Finance, AB legal entity code 303225546, A. Vivulskio str. 7, Vilnius (hereinafter referred to as „we“ or „data controller“ or „Company“), which operates the peer-to-peer lending platform „Paskolu klubas“ and the payment initiation and account information service  „Neopay“.

Data protection officer

A data protection officer has been appointed in the Company.

If you would like to check or find out how the company processes your personal data, or if you are going to exercise your rights as data subjects, please contact the Company appointed data protection officer, email: [email protected], or by phone +37068700300.

Privacy policy objective and its application

The privacy policy is aimed at persons, who are interested in the Company, its services, potential and current investors, consumer credit recipients, payment service recipients, representatives of business partners, service providers whose personal data are processed for the purpose of cooperation, as well as persons who visit the websites: https://www.paskoluklubas.lt/; https://www.neofinance.com/; https://neopay.online (hereinafter referred to as „website“ or „websites“), use the Company‘s electronic services, communicate with the Company on social networks or other way, or simply monitors the Company‘s activities on social networks.

Additional information may be provided in consumer credit, paid surety, electronic money account and payment service provision and other contracts, as well as in an agreement for investment in consumer credits, in consents for personal data processing or separate privacy notices. We respect your privacy and undertake to process and protect your personal data in a fair and lawful manner in accordance with the applicable legal requirements of the European Union and the Republic of Lithuania and the instructions of the controlling authorities. We apply appropriate technical and administrative measures to protect personal data against loss, unauthorized use, and changes.

By contacting us, you express your will for the Company to contact you regarding your request. By submitting personal data to us on this website or by browsing through it, as well as using electronic services, you confirm that you have read and understood the Privacy policy and are familiarized with the fact your data is processed.

The terms used in this Privacy Policy (e.g. data controller, data processor) shall be understood as defined and interpreted in the General Data Protection Regulation.

The Privacy Policy is governed by the law of the Republic of Lithuania.

Company employees and members of the management bodies are informed about the processing of their personal data in accordance with the procedure, approved by the Company's local acts.

Personal data sources

Personal data may be obtained directly from you when you use our electronic services, you enter into contracts with us in your name or while representing other persons, send your curriculum vitae (CV), as well as other information related to employment, practice in the Company or otherwise contact us, communicate with us through social networks or simply watch our activities on social networks or by visiting the Company or browse our websites.

We may also receive your personal data indirectly, for example, from persons you represent, your spouses, data processors, persons working under a self-employed person's certificate or a business license who provide the Company with financial documents for the purpose of assessing their solvency, in the course of receiving payments from you when the Company acts as a payment service provider, etc. We may also obtain your personal data from databases, registers and information systems that collect individual data, and other external sources, including but not limited to: The Bank of Lithuania, financial institutions, the State Social Insurance Fund Board (SODRA), databases and registers administered by the State Enterprise Centre of Registers, data controllers maintaining joint debtor’s data files, databases managed by CREDITINFO LIETUVA, UAB, Public register of invalid personal documents, Public register of wanted (missing) people, international sanctions lists.

Please note that you are not required to provide any personal data, but it may make it impossible to provide services for you and achieve other set goals.

THE PURPOSES, CATEGORIES, GROUNDS, RETETION PERIODS AND RECIPIENTS OF THE PROCESSING OF PERSONAL DATA

The objectives related to the provision of services by the operator of crowdfunding and peer-to-peer lending platforms

Provision of peer-to-peer lending platform operator services, conclusion and execution of contracts with investors (lenders)

For the purpose of concluding and executing agreements with investors (lenders) where the Company acts as an operator of a peer-to-peer lending platform, we process the following personal data of lenders (investors): name, surname, personal identification number, date of birth, place of residence (address), telephone number, e-mail address, age, amount invested, investment terms, rating of the person to whom the loan is granted, payment history, details of representation, date of conclusion of the contract, method of signing, e-money account and the turnover of money in it, investment report, investor status, password, confirmation of investment, physical or e-mail address, name of the person to whom the investment is granted, name, surname, personal identification number, date of birth, date of birth, address, telephone number, e-mail address. Signature.

If the contract is concluded with a legal person, we process the following personal data of the legal person's representative: name, surname, data related to the representation, contact details, position, physical or electronic signature.

Legal basis for processing: processing is necessary for the performance of a contract or for pre-contractual steps (Article 6(1)(b) GDPR) and the legitimate interest of the controller in the proper formation and performance of a contract (Article 6(1)(f) GDPR) (data of the representative of a legal person are processed on this basis).

Data retention period: the data is retained for the duration of the contract and for 10 years after termination of the contract and/or fulfilment of the obligations under the contract.

For an investor who had or has an investment in a loan taken out by a borrower, the Primary Market Loan Offer window displays the information of that investment, regardless of the status of that loan (active, repaid) or the status of the investment (confirmed, repaid, sold). The information displayed is exactly the same as what an investor can see in his/her investment overview. This information is only displayed to the investor if the borrower had a loan in the Loan Club before, the investor has invested in it and the borrower takes out a new loan.

Recipients of personal data: data may be transferred to the State Tax Inspectorate under the Ministry of Finance of the Republic of Lithuania, the Financial Crimes Investigation Service (FNTT).

Provision of services as operator of a peer-to-peer lending platform, conclusion, and execution of a reimbursable surety agreement

When the Company provides a crowdfunding service to investors and seeks to conclude and execute a remunerated surety agreement, we process the following personal data of investors (lenders) and consumer borrowers: name, surname, personal identification number, address, date of birth, details of representation, amount invested, consumer borrower, remuneration, and physical or electronic signature.

If the contract is concluded with the investor (lender) as a legal person, we process the following personal data of the legal person's representative: name, surname, data related to the representation, contact details, position, physical or electronic signature.

Legal basis for processing: processing is necessary for the performance of a contract or for pre-contractual steps (Article 6 (1) (b) of the General Data Protection Regulation (GDPR)) and the legitimate interest of the controller in the proper formation and performance of a contract (Article 6 (1) (f) GDPR) (data of the representative of a legal person are processed on this basis).

Data retention period: the data is retained for the duration of the contract and for 10 years after termination of the contract and/or fulfilment of the obligations under the contract.

Recipients of personal data: data may be transferred to the Bank of Lithuania.

For the purposes of credit assessment and other financial services, based on your consent, in the event that you have been awarded an E rating in the Loan Club, the operator of the peer-to-peer lending platform NEO Finance, AB will transfer your personal data to the consumer lender UAB PRO INVEST GROUP.

OBJECTIVES RELATING TO THE PROVISION OF CONSUMER CREDIT

Collecting credit application data, determining, and assessing creditworthiness

For the purpose of the credit application, the data provided and the assessment of creditworthiness, we process the following personal data of the persons who have completed the consumer credit application (and, where applicable, their spouses): name, surname, personal identification number, place of residence and declared place of residence (address), nationality, details of identity document and a copy thereof, age, current and former employment, type of activity of current employment, length of service, education, telephone number, e-mail address, information on income, type and source of income, account statements, details of business license, sole proprietorship, register of income and expenditure, documents proving changes in income, tax return details, copies of documents justifying the receipt of regular benefits, details of assets and encumbrances, number of minor children and dependants, marital status, preferred terms of consumer credit, bank account number, credit rating, expiry date of the credit rating, credit history, types and amounts of financial obligations requested which have been the subject of an adverse decision, existing obligations and arrears, purpose of the consumer credit, details of the credit to be refinanced, whether or not the person is on the list of persons for whom applications have been submitted for the refusal to enter into a consumer credit contract, the physical or email address, and the name of the person concerned. signature, data from the Register of Incapacitated Persons (NAR).

Legal basis for processing: processing is necessary for the performance of a contract or for pre-contractual steps (Article 6(1)(b) GDPR) and processing is necessary for compliance with a legal obligation to which the Company is subject (Article 6(1)(c) GDPR).

Data retention period: the data shall be retained for the duration of the contract and for 10 years after the expiry of the contract and the fulfilment of the obligations under the contract (in case of a contract based on a submitted application) or for 3 years after receipt of the data (in case of a contract based on a submitted application not being concluded).

Extending credit, drawing up and executing contracts with consumer credit borrowers

For the purpose of concluding agreements with consumer credit beneficiaries and granting credit, we process the following personal data of consumer credit beneficiaries: name, surname, personal identification number, place of residence, place of work, telephone number, e-mail address, rating, expiry date of the credit rating, e-money account and its turnover, credit history, purpose of the consumer credit when funds are granted for refinancing, details of the credit to be refinanced, the time of conclusion of the consumer credit agreement, and the physical or electronic signature,

Legal basis for processing: processing is necessary for the performance of a contract or for pre-contractual activities (Article 6(1)(b) GDPR)

Data retention period: the data is retained for the duration of the contract and for 10 years after termination of the contract and/or fulfilment of the obligations under the contract.

Recipients of personal data: loan investors are shown the following personalized personal data of the borrower: credit rating, number assigned in the borrower's system, amount of credit, period of time, monthly payment, purpose of credit, solvency information (income, financial obligations and types of obligations, length of employment, history of debts), gender, age, place of residence (city), marital status, total liabilities and total income of the family (in case of a non-personal loan), number of dependants, assets, level of education.

We may also provide personal data to the Loan Risk Database (PRDB) administered by the Bank of Lithuania and to UAB Creditinfo Lietuva and UAB Scorify, which administer creditworthiness data systems.

OBJECTIVES RELATED TO OTHER SERVICES

Provision of electronic money accounts and payment services, drafting and execution of contracts

For the purpose of concluding and executing agreements on electronic money account and provision of payment services, we process the following personal data of the Company's customers: name, surname, personal identification number, date of birth, place of residence (address), telephone number, e-mail address, age, electronic money account, date of opening of the electronic money account, account turnover, number of the current account at another credit institution, limits of the account transactions.

If the contract is concluded with a legal person, we process the following personal data of the legal person's representative: name, surname, data related to the representation, contact details, position, physical or electronic signature.

Legal basis for processing: processing is necessary for the performance of a contract or for pre-contractual steps (Article 6(1)(b) GDPR) and the legitimate interest of the controller in the proper formation and performance of a contract (Article 6(1)(f) GDPR) (data of the representative of a legal person are processed on this basis).

Data retention period: the data is retained for the duration of the contract and for 10 years after termination of the contract and/or fulfilment of the obligations under the contract.

Recipients of personal data: information on opened accounts is provided to the State Tax Inspectorate under the Ministry of Finance of the Republic of Lithuania.

Payment initiation, authentication of users/payers, customer, and user support

For the purpose of payment initiation, authentication of users (payers) of the service, provision of services to customers of the payment initiation service and users (payers) of the service, we process the following personal data of the payers: name, surname, payer's account number, personal identification number, the purpose of the payer's payment, the payer's chosen institution for managing accounts, unique financial transaction number.

If the contract is concluded with a legal person, we process the following personal data of the legal person's representative: name, surname, contact details, position.

Legal basis for processing: processing is necessary for the performance of a contract or for pre-contractual steps (Article 6(1)(b) GDPR), processing is necessary for the performance of a legal obligation to which the Company is subject (Article 6(1)(c) GDPR) and for the controller's legitimate interest in the proper formation and performance of contracts (Article 6(1)(f) GDPR) (data of a representative of a legal person are processed on this basis).

Data retention period: data shall be kept for a maximum of 3 years, except for exceptions provided for by law.

Recipients of personal data: in the case of the provision of payment initiation services, your personal data is passed on to the recipients of the transferred funds (i.e. the Company's customers whose goods or services you purchase).

Provision of the Account Information Service, authentication of users of the Account Information Service, servicing of customers and users of the Account Information Service

For the purpose of providing the Account Information Service, authenticating users of the Account Information Service, and servicing customers and users of the Account Information Service, we process the following personal data of the users of the service: name, surname, personal identification number, the institution that manages the user's accounts, the user's account number, and the selected account information.

If the contract is concluded with a legal person, we process the following personal data of the legal person's representative: name, surname, contact details, position.

Legal basis for processing: processing is necessary for the performance of a contract or for pre-contractual steps (Article 6(1)(b) of the GDPR), processing is necessary for the performance of a legal obligation to which the Company is subject (Article 6(1)(c) of the GDPR) and the controller's legitimate interest in the proper conclusion and performance of contracts (Article 6(1)(f) of the GDPR) (data of a representative of a legal person are processed on this basis).

Data retention period: data shall be kept for a maximum of 3 years, except for exceptions provided for by law.

Recipients of personal data: in the case of the provision of account information services, your personal data is transferred to the recipients of the funds transferred (i.e. the Company's customers whose goods or services you purchase).

OBJECTIVES RELATING TO THE IMPLEMENTATION OF THE PREVENTION OF MONEY LAUNDERING AND TERRORIST FINANCING

Identification, implementation of the Know Your Customer (KYC) principle to prevent money laundering and terrorist financing

Identity identification and the Know Your Customer (KYC) principle for the prevention of money laundering and terrorist financing. For the purpose of the Know Your Customer policy, we process the following personal data of the Company's customers and their representatives: name, surname, date of birth, nationality, address, copy of the identity document, data contained in the identity document, data from the Customer and Beneficiary Recognition Questionnaire, method of identification, photo of the face and the identity document, data on payment through the bank account, value of the executed transactions, whether the person is politically exposed, risk group, limit of the amount to be invested, personal name, alternative names, reason for rejection of identification, date, time of identification, IP address, browser data, publication of the person's search, documents proving representation (in the case of a legal entity).

If the data subject has expressed the wish to use remote means of communication for the purpose of verifying his or her identity, we process the following personal data of the client, the client's representative: signature of the natural person or e-mail signature, image data (image, face of the data subject, identity document, time and date of the image transmission), first name last name, zodiac sign.

Legal basis for processing: the processing is necessary for compliance with a legal obligation to which the Company is subject (Article 6(1)(c) GDPR), the legitimate interest of the controller in the proper implementation of the Know Your Customer principle (Article 6(1)(f) GDPR) (this is the basis for the processing of the data underlying the publication of a person's search).

Data retention period: the data shall be retained for 8 years from the date of the end of the transaction or business relationship with the customer. If the transaction has not been concluded and the reason for such refusal is not the implementation of measures to prevent money laundering and terrorist financing, the data shall be kept for 1 year.

Identification of the final beneficiary

For the purpose of identifying the final beneficiary, we process the following personal data of the final beneficiaries of the Company's clients: name, surname, personal identification number, date of birth, nationality, address, data from the client-beneficiary identification questionnaire (name, surname, share quantity, personal identification number).

Legal basis for processing: processing is necessary for compliance with a legal obligation to which the Company is subject (Article 6(1)(c) GDPR).

Data retention period: the data shall be retained for 8 years from the date of the end of the transaction or business relationship with the customer.

Recipients of the personal data: the data may be transferred to the Financial Crimes Investigation Service (FICIS).

Monitoring and updating data on relationships

For the purpose of monitoring and updating the relationship, we process the following personal data of the Company's clients and beneficiaries: the data provided in the Client and Beneficiary Recognition Questionnaire (name, surname, number of shares, personal identification number), personal name, alternative names, share of rights in the legal entity.

Legal basis for processing: processing is necessary for compliance with a legal obligation to which the Company is subject (Article 6(1)(c) GDPR).

Data retention period: the data shall be retained for 8 years from the date of the end of the transaction or business relationship with the customer.

Recipients of the personal data: the data may be transferred to the Financial Crimes Investigation Service (FICIS).

Monitoring suspicious cash transactions

For the purpose of monitoring suspicious monetary transactions, we process the following personal data of the Company's customers and beneficiaries: name, surname, monetary transactions or transactions carried out.

Legal basis for processing: processing is necessary for compliance with a legal obligation to which the Company is subject (Article 6(1)(c) GDPR).

Data retention period: the data shall be retained for 8 years from the date of the end of the transaction or business relationship with the customer.

Recipients of the personal data: the data may be transferred to the Financial Crimes Investigation Service (FICIS).

THE PURPOSES RELATING TO THE PROVISION OF PERSONAL DATA TO THIRD PARTIES

Data submission to/from the loan risk database administered by the Bank of Lithuania

For the purpose of providing data to/from the loan risk database administered by the Bank of Lithuania, we process the following personal data of consumer credit borrowers: name, surname, personal identification number, terms and conditions of the consumer credit agreement, fulfilment of obligations, and overdue obligations.

Legal basis for processing: processing is necessary for compliance with a legal obligation to which the Company is subject (Article 6(1)(c) GDPR).

Data retention period: the data is provided for the duration of the consumer credit agreement or for the duration of the contractual obligations.

Recipients of personal data: the Loan Risk Database (PRDB) administered by the Bank of Lithuania.

Providing data to/from the information systems administered by UAB "Creditinfo Lietuva" and the credit bureau system

For the purpose of providing data to/from the information systems and credit bureau systems administered by UAB "Creditinfo Lietuva", we process the following personal data of the borrowers of consumer credits and persons who have been denied a consumer credit: name, surname, personal identification number, date of conclusion of the consumer credit agreement, amount of the consumer credit, interest rate, due date of payment of obligations, history of payments and delays, reasons for not granting the consumer credit.

Legal basis for processing: the legitimate interest of the controller in providing information and the interest of third parties in receiving information (Article 6(1)(f) GDPR).

Data retention period: the data is provided for the duration of the contract or until the obligations are fulfilled. Data on outstanding credit shall be provided once.

Recipients of personal data: consumer credit institutions or financial companies participating in the information system administered by UAB "Creditinfo Lietuva" and the credit bureau system.

Provision of personal data collected for the purposes of implementing the Know Your Customer principle and identification to financial institutions

For the purpose of implementing the Know Your Customer principle and for the purpose of providing personal data collected for the purposes of anti-money laundering and anti-terrorist financing to financial institutions, we process the following personal data of customers and investors: name, surname, personal identification number, copy of identity document, Know Your Customer questionnaire.

Legal basis for processing: consent of the data subject (Article 6(1)(a) GDPR).

Data retention period: the data is retained until the moment the consent is withdrawn. The period of validity of the consent not withdrawn is as long as the data subject is a customer of the Company.

Recipients of personal data: financial institutions with which the Company has entered into agreements for the provision of personal data for the purposes of implementing the Know Your Customer principle and for identification purposes.

Provision of borrower information to investors

For the purpose of providing information about the borrower to investors, we process the following personal data of consumer credit borrowers: credit rating, number assigned in the borrower's system, credit amount, credit period, monthly payment, purpose of the credit, solvency information (income, existing financial obligations and types of obligations, length of employment, debt history), gender, age, place of residence (city), marital status, total family liabilities and total income (if not a personal loan), number of dependants, assets, education level.

Legal basis for processing: the legitimate interest of the controller and third parties to disclose sufficient information to the borrower and the investor in accordance with Article 25 of the Law on Consumer Credit of the Republic of Lithuania (Article 6(1)(f) GDPR).

Data retention period: the data is retained for the duration of the contract and for 10 years after termination of the contract and fulfilment of the obligations under the contract.

Recipients of personal data: investors intending to grant consumer credit.

OBJECTIVES RELATING TO DEBT RECOVERY AND ADMINISTRATION

Debt prevention and administration

For the purpose of debt prevention (sending reminders to consumer credit borrowers, making automated calls) and administration, we process the following personal data of consumer credit borrowers' debtors: name, surname, address, amount of the debt, duration of the delay, date of payment, telephone number, email address.

Legal basis for processing: the legitimate interest of the controller in ensuring the proper performance of contractual obligations and the recovery of debts (Article 6(1)(f) GDPR).

Data retention period: the data are processed during the period of sending the reminders and until the recovery of the claim.

Recipients of personal data: contracted debt collection agencies (data processors).

Debt management and recovery

For the purpose of debt administration and recovery, we process the following personal data of clients and debtors: name, surname, personal identification number, date of birth, place of residence (address), telephone number, amount of debt, data necessary to assess the solvency of the debt, and the means of securing the enforcement of the claim.

Legal basis for processing: the legitimate interest of the controller and of third parties (investors) in the enforcement of obligations and the recovery of debts (Article 6(1)(f) GDPR).

Data retention period: the data shall be processed for the duration of the contract and for 10 years after the end of the contractual relationship and/or the fulfilment of the obligations, the recovery of the debt, or the conclusion of a certificate of impossibility to recover the debt.

Recipients of personal data: contracted debt collection agencies (data processors).

Judicial debt recovery

In order to ensure the fulfilment of creditors' claims and to protect the interests of the Company and third parties in recovering debts in court, we process the following personal data of debtors: name, surname, personal identification number, date of birth, place of residence (address), marital status, telephone number, amount of the debt, the data necessary to assess the solvency of the debt, the means of securing the claim.

In order to properly assess the debtor's solvency and administer the debt collection process, we may process debtors' health data in order to enable the debtor to fulfil his/her obligations and/or to defer payment in the event of illness.

Consent to the use of the debtor's health data for this purpose shall be expressed by means of an affirmative act of providing the health data to the Company. Consent to the processing of health data is voluntary. If a person refuses to consent to such processing, he/she cannot provide the Company with the health data and therefore the Company cannot adjust the timetables for the fulfilment of contractual obligations, etc.

Legal basis for processing: the legitimate interest of the controller and of third parties (investors) in ensuring the performance of their obligations (Article 6(1)(f) of the GDPR) and the data subject's consent (Article 9(2)(a) of the GDPR) (the processing of debtors' health data is carried out on this basis).

Data retention period: the data shall be processed for the duration of the contract and for 10 years after the end of the contractual relationship and/or the fulfilment of the obligations, the recovery of the debt, or the conclusion of a certificate of impossibility to recover the debt.

Recipients of personal data: contracted debt collection agencies (data processors), bailiffs, courts.

Assignment of a claim on a debt to other persons
Pursuant to Article 6.101 of the Civil Code (CC), we have the right to assign all or part of the claim to your debt to third parties in accordance with the procedure provided for in the CC. Your personal data (name, surname, personal identification number, contracts and the information contained therein and other necessary information) are transferred with the debt. Your consent as the debtor (data subject) is not required for such a transfer, but the original or new creditor will inform you of such a transfer of personal data.
The legal basis for the processing/transfer: the legitimate interest of the original and new creditors and the purpose of ensuring the performance of their contractual obligations for the recovery of debts (Article 6(1)(b) and (f) GDPR).

OTHER PURPOSES OF DATA PROCESSING

Maintaining and developing business relationships with partners

For the purpose of maintaining and developing business relations with business partners, we process the following personal data of business partners and their representatives: name, surname, position, workplace, address, telephone number, email address, physical or email signature.

Legal basis for processing: the controller's legitimate interest in ensuring the maintenance of business relations and the administration of contact information (Article 6(1)(f) GDPR).

Data retention period: the data is processed for 10 years after the end of the relationship with the business partner.

Administration of the user area (self-service)

In order to ensure the functionality and administration of the Consumer Zone, we process the following personal data of consumer credit borrowers, investors and representatives: name, surname, personal identification number, address, email address, telephone number, data of login to the platform (date, time, actions performed in the system), IP address.

Depending on the chosen login method, the Company may process the following personal data: personal identification number, security code assigned to identify the person (Smart-ID login), telephone number, security code assigned to identify the person (mobile signature login), and username, password, two-factor authorization (email login), activity history, and any data obtained from other sources.

Legal basis for processing: processing is necessary for the performance of a contract or for pre-contractual steps (Article 6(1)(b) GDPR) and the legitimate interest of the controller in the proper formation and performance of contracts (Article 6(1)(f) GDPR) (data of the representative of the legal person are processed on this basis).

Data retention period: the data is retained for the duration of the contract and for 10 years after termination of the contract and fulfilment of the obligations under the contract.

Transfer of compulsory taxes paid by investors to the state budget

In order to ensure the mandatory fulfilment of investors' tax obligations, we process the following personal data of investors (natural persons who have granted loans): name, surname, personal identification number, date of birth, place of residence (address), permanent/non-permanent resident status of the Republic of Lithuania, amount of interest, amount of taxes.

Legal basis for processing: processing is necessary for the performance of a contract or for pre-contractual steps (Article 6(1)(b) GDPR) and processing is necessary for the performance of a legal obligation to which the Company is subject (Article 6(1)(c) GDPR).

Data retention period: the data is retained for the duration of the contract and for 10 years after termination of the contract and fulfilment of the obligations under the contract.

Recipients of personal data: the State Tax Inspectorate under the Ministry of Finance of the Republic of Lithuania

Invoicing clients

In order to provide invoices, we process the following personal data of the Company's customers and their representatives: name, surname, address, type of services provided, amount payable, physical or electronic signature.

Legal basis for processing: processing of data is necessary for the performance of a contract or for pre-contractual actions (Article 6(1)(b) GDPR), the Company's legitimate interest to ensure the proper signing of the Company's documents (Article 6(1)(f) GDPR) (personal data of representatives of customers (legal entities) are processed on this basis).

Data retention period: the data is retained for the duration of the contract and for 10 years after termination of the contract and fulfilment of the obligations under the contract.

Establishing service contracts

For the purpose of concluding service contracts, we process the following personal data of service providers' representatives: name, surname, data related to the representation, position (if the represented person is a legal entity), physical or electronic signature.

Legal basis for processing: processing is necessary for the performance of a contract or for pre-contractual steps (Article 6(1)(b) GDPR), the Company's legitimate interest in ensuring the proper signing of the Company's documents and the conclusion of contracts (Article 6(1)(f) GDPR).

Data retention period: the data shall be retained for the duration of the contract and for 10 years after termination of the contract and fulfilment of the obligations under the contract.

MARKETING, SERVICE QUALITY ASSURANCE AND COMMUNICATION OBJECTIVES

Handling complaints, requests, enquiries, email correspondence

In order to ensure the processing of complaints, requests and the administration of enquiries and email correspondence, we process the following personal data of the Company's customers and other persons who have submitted a complaint, request, enquiry or any other document: name, surname, email address, text of the complaint, request or any other document, the subject matter of the document (in case of a document submitted on a web site), and the physical or electronic signature.

Legal basis for processing: processing is necessary for the performance of a contract or for pre-contractual activities (Article 6(1)(b) GDPR).) (on this basis, personal data are processed when the data subject contacts the Company for the conclusion and/or performance of a contract), the Company's legitimate interest to ensure the proper administration of the documents received and the provision of answers (Article 6(1)(f) of the GDPR) (on this basis, personal data are processed when the data subject contacts the Company for purposes other than the conclusion and performance of a contract).

Retention period: the data shall be kept for 3 years after the resolution of a query, request, complaint or any other document submitted by the data subject.

Ensuring the quality of customer service and developing business relationships (recording conversations)

In order to ensure the quality of customer service over the telephone and to develop business relations with the customer by means of distance communication, we process the following data of the Company's customers and other persons who call the Company: telephone number, audio recording, date and time of the call and the beginning and ending time of the call, the content of the call.

Legal basis for processing: consent of the data subject (Article 6(1)(a) GDPR).

Consent to the use of personal data for the purpose of verifying the content of the telephone conversation shall be expressed by calling the Company's telephone number +370700 80 075. Consent to the recording of conversations is voluntary. If a person refuses to consent to such data processing, he/she may not enter into a contract at a distance, receive advice or other information and must contact the Company by other means of communication, e.g. by e-mail or in person.

Data retention period: the data is kept for 10 years from the date of recording the conversation.

Organisation of lotteries, games

In order to organise lotteries and games and to promote the Company's visibility, we process the following customer data: name, surname, prize won, address, other information depending on the specifics of the game or lottery.

Legal basis for processing: the legitimate interest of the controller in ensuring the development of the business (Article 6(1)(f) GDPR) and the data subject's consent (Article 6(1)(a) GDPR) (on this basis, data about the winner(s) of a lottery or game is made public).

Consent to the publication of personal data for the purpose of raising the Company's profile and business development shall be expressed by signing a written consent to the publication of personal data. Consent to such processing is voluntary, is not a condition of a contractual relationship with the Company and does not affect the relationship between the data subject and the Company.

Data retention period: the data is stored for the duration of the game, the organisation of the lottery and for 10 years after the lottery, the announcement of the winner of the game.

Declaration of prizes won

In order to ensure compliance with our tax obligations and to declare the amount of prizes won by persons who have won lotteries and games, we process the following personal data of customers who have won prizes: name, surname, personal identification number, amount of the prize in monetary terms.

Legal basis for processing: processing is necessary for compliance with a legal obligation to which the Company is subject (Article 6(1)(c) GDPR).

Data retention period: the data is stored for 10 years after the data is submitted to the State Tax Inspectorate under the Ministry of Finance of the Republic of Lithuania.

Recipients of personal data: the State Tax Inspectorate under the Ministry of Finance of the Republic of Lithuania.

Programme of recommendations

For the purpose of administering recommendations, in order to develop our business and increase our customer base, we process the following personal data of investors and persons invited by investors: name, surname, email address, amount of the reward for the recommendation, recommendation code.

Legal basis for processing: consent of the data subject (Article 6(1)(a) GDPR).

Consent to the use of personal data for the purpose of administering the Recommendations is given by signing a written consent to the publication of personal data. Consent to such data processing is voluntary, is not a condition of the contractual relationship with the Company and does not affect the relationship between the data subject and the Company. A person who has not consented to such processing of personal data may not make recommendations and may not receive remuneration for recommendations.

Data retention period: the data will be kept for 10 years after the end of participation in the Recommendation.

Organising events (registration of participants)

In order to organise and carry out registration for conferences, trainings, meetings and other events, we process the following personal data of event participants/customers: name, surname, email, date and place of the event, photographs and/or video recordings during the event.

Legal basis for processing: the controller's legitimate interest in ensuring the administration of event participants (Article 6(1)(f) of the GDPR) and the data subject's consent (Article 6(1)(a) of the GDPR) (on which basis photographs and/or videos of event participants are processed).

Consent to photography and/or filming of a person must be given at the time of registration for the event. Consent to such data processing is voluntary, is not a condition of the contractual relationship with the Company and does not affect the relationship between the data subject and the Company.

Data retention period: 5 years after the event or until consent is withdrawn.

Providing direct marketing offers and statistical analysis

In order to provide direct marketing offers or to send invitations to participate in surveys, we process the personal data of the persons seeking direct marketing offers and of the Company's existing customers: name, surname, e-mail address, telephone number, information about the reading of the newsletter (information on whether the newsletter was opened, when and how many times it was opened and the information contained therein).

The legal basis for processing: the data subject's consent (Article 6(1)(a) GDPR) and the controller's legitimate interest in providing similar offers of goods or services to existing customers who have not objected to such processing (Article 6(1)(f) GDPR).

Consent to the use of personal data for direct marketing purposes (for the newsletter service by email and/or SMS) is expressed by subscribing to the Company's newsletter on the Company's websites, or by consenting to direct marketing by ticking a box on other forms of personal data submission. Consent to direct marketing is voluntary, is not a condition of the contractual relationship with the Company and does not affect the relationship between the data subject and the Company.

The Company may also send direct marketing communications to its customers at the email addresses and/or telephone numbers provided by them in order to implement the Company's legitimate interest to inform about applicable promotions, similar services, to send invitations to take part in surveys, contests, if the customer has not objected to the processing of his/her personal data for the purpose of direct marketing.

You may at any time opt-out of direct marketing communications or object to such processing by notifying us at [email protected]. You can also unsubscribe from email communications by clicking on the unsubscribe link at the bottom of the newsletter you receive.

Data retention period: personal data processed on the basis of consent are retained for 5 years or until the consent is withdrawn. Personal data processed on the basis of legitimate interest shall be kept for the duration of the contract with the data subject or the business entity or until the data subject or the representative of the business entity objects to the processing of the data for the purpose of direct marketing.

Providing feedback

In order to receive evaluation and feedback and to properly manage the feedback provided, we process the following personal data of the persons providing feedback: name, surname, initials, nickname, email address, details of loans and/or investments held or to be held (type and/or purpose of the loans, personal history provided, experience with the services provided or to be provided).

Legal basis for processing: consent of the data subject (Article 6(1)(a) GDPR).

Consent to the use of personal data for the purpose of providing feedback shall be given by the data subject at the time of the submission of the feedback by consenting to the processing of such personal data. Consent to the management and provision of feedback is voluntary, is not a condition of the contractual relationship with the Company and does not affect the relationship between the data subject and the Company.

Data retention period: personal data is kept for 5 years or until consent is withdrawn.

For information on how to post, delete and submit feedback, please refer to the separate "Customer Feedback Policy".

Improving the website, updating marketing campaigns, visitor statistics, providing electronic services (use of cookies)

In order to improve the website, to provide and personalise marketing offers, to collect and analyse website visitor statistics, and to ensure the proper provision of electronic services and website functionality, the websites operated by the Company use cookies, plugins and similar technologies. For this purpose, the Company processes the following personal data: visitors' computer browser and its version, language choice, region, browsing time, time zone, data of login to the user's account when using the Websites, other information collected by cookies.

Legal basis for processing: the data subject's consent (Article 6(1)(a) of the GDPR) (on this basis, personal data collected by means of optional cookies are processed) and the controller's legitimate interest in ensuring the proper functioning and maintenance of the website and the provision of electronic services (Article 6(1)(f) of the GDPR) (on this basis, personal data collected by means of mandatory cookies are processed).

Data retention period: the period of retention of personal data depends on the specific cookie used to collect the personal data, but in all cases the retention period shall not exceed 2 years.

Organising and conducting virtual meetings, conference calls, video conferences, webinars

In order to ensure the organisation of virtual meetings and to ensure convenient and secure communication, we process the following data of the persons participating in virtual meetings: information about the participants (name), data about the meeting (topic, IP address of the participants, start and end time of the videoconference), recordings (not required), text data (if required).

Legal basis for processing: the legitimate interest of the controller in ensuring virtual communication (Article 6(1)(f) GDPR).

Data retention period: the data collected for this purpose will be processed for as long as they are needed for the organisation and conduct of the virtual meetings/assemblies and the provision of related services.

COOKIES

Cookies are used on the website are small pieces of text information that are automatically generated while browsing the website and are stored on your computer or other end device that you use. The information gathered by Cookies allows us to make the website more user-friendly, offer suggestions and learn more about the behavior of our users, analyze trends and improve the website. If the Company's website contains links to other sites that also use cookies, these are not described here. We use the term "Cookies" to refer to cookies and other similar technologies such as pixel tags, web beacons and clear GIFs.

We ask for your consent when we record functional, tracking, advertising cookies and/or third party cookies. When we use essential cookies, we use them on the basis of legitimate interest and do not ask for your consent to record such cookies. If we have already obtained your consent, we will not ask for your consent again in the future when using the same cookie for the same purpose. This also applies to cookies used by third parties.

Your consent to the use of non-essential cookies can be revoked at any time by changing your browser settings, by disabling all cookies or by disabling/enabling cookies one by one. Please note that in some cases, this may slow down your internet browsing speed, restrict the functionality of certain websites or block access to a website. To set the necessary (desired) cookie options, it is recommended that you use the functions available in the cookie notice or in your web browser.

We use the following types of cookies on the websites https://www.paskoluklubas.lt/, www.neofinance.com and www.neopay.online:

Strictly necessary cookies. Necessary to enable you to use the features of the website and to log in to your user account. Without these cookies, you would not be able to use the electronic services we provide.

Performance enhancing (session) cookies. They are designed to improve the performance of the website and collect general anonymous information about the use of the website.

Tracking cookies (tracking cookies from Google Analytics). These cookies allow the Company to identify and count visitors to the website and to track how visitors move around the website as they use it. This helps to improve the performance of the website, for example to ensure that users can easily find what they are looking for.

Functional cookies. Used to recognize visitors when they return to a website. This allows the company to provide tailored content on social networks and to remember information relevant to visitors.

Promotional cookies. They are used to serve advertising ads that should be of interest to you and relevant to your interests. They may also be used to help measure the effectiveness of an advertising campaign.                                      

PLUG-INS

Social plugins are used on websites operated by the company. The plug-ins are installed on the website to enable website users to be directed to the Company's social networking accounts or the Company's correspondence window on communication platforms.

Controllers of plugins used on the website:

·   Meta Inc., One Hacker Way Menlo Park, California, 94025, USA ("Facebook");

·   "Twitter, Inc." 1355 Market St #900, San Francisco, CA 94103, USA ("Twitter");

·   Google LLC, 1600 Amphitheatre Parkway Mountain View, California, 94043, USA ("Youtube").

Clicking on the plugins icon redirects you to the plugin manager page and provides the plugin manager with the page from which the request was made, the time and date of the request. The plugins are identified by the Facebook, Twitter and Youtube logos.

The information that a person submits on the plugin manager's page or that a person receives when visiting links to plugins on the Company's website is controlled by the plugin managers. Information on the personal data collected and stored, the legal basis for processing, the data retention periods, the technical and organisational security measures applied is provided in the privacy notices of the plugin managers.

The processing of personal data by the plug-in controllers is available at:

·   Facebook Privacy Policy, at http://www.facebook.com/privacy/policy/;

·   "Twitter's privacy policy, at https://twitter.com/en/privacy;

·   "Youtube's privacy policy at www.support.google.com/youtube/answer/10364219.

STATISTICS

Any data you provide or that we collect may be processed for statistical purposes. We will process your data in such a way that you can no longer be identified once the data has been included in a statistical evaluation.

For statistical purposes, we may also process personalized data about your device, location, behavior, from which website the visitor came to the Company's website and other data.

Data may be obtained both from you and from other data sources specified in this Privacy Policy.

Site visitors’ statistics are analyzed using Google Analytics. The information collected by Google Analytics cookies about your website browsing history may be transmitted to and stored on servers outside the EU/EEA.

You have the right to refuse the processing of your data for statistical purposes at any time, but the Company has the right to continue such processing if it can demonstrate that the processing is for legitimate reasons which override your rights and legitimate interests.

Legal basis for processing: the processing is necessary to comply with a legal obligation to which the Company is subject (Article 6(1)(c) of the GDPR) (provision of statistical data on the website and to the supervisory authority, as provided for by the Consumer Credit Act) and the controller's legitimate interests in monitoring the volume, sources, popularity and other statistics of the provision of services (Article 6(1)(f) of the GDPR).

Data retention period: the data is processed for the duration of the Company's activities.

PROCESSING OF PERSONAL DATA ON SOCIAL NETWORKS

Promoting the company's visibility (social media management)

The company manages the following social media accounts:

·       https://www.facebook.com/NEOFinance

·       https://www.facebook.com/PaskoluKlubas

·       https://www.facebook.com/get.neopay.online

·       https://www.linkedin.com/company/paskolu-klubas/

·       https://www.linkedin.com/company/neofinance/

·       https://www.linkedin.com/company/neopay-openbanking/

·       https://www.linkedin.com/company/neo-finance-group/

·       https://www.instagram.com/neofinance_team/

·       https://www.youtube.com/@paskoluklubas2787  

Legal basis for processing: Article 6(1)(f) GDPR (processing is necessary for the legitimate interests of the company to ensure the development of its business).

The information you provide on social network profiles operated by the Company (including messages, use of the "Like" and "Follow" fields, and other communications), or that you receive when you visit the Company's accounts (including information received through cookies used by social network managers), is controlled by the social network manager. We therefore recommend that you read the privacy notices of the social network manager.

As the administrator of your social media account, we choose the appropriate settings based on our target audience and our performance management and promotion objectives. The social network manager may have limited the ability to change certain, essential settings when providing the Company with the ability to create and manage a social network account, and thus we cannot influence what information the social network manager will collect about you after the Company has created a social network account.

Any such settings may affect the processing of personal data when you use social media, visit the Company's account or read the Company's posts on the social media network. Even if you only look at our posts on Facebook, LinkedIn, Instagram or YouTube, the operator of the social network may receive certain personal information, such as which terminal device you are using, your IP address, etc.

In general, the social network manager will process your personal data (even those collected when we have selected additional account settings) for the purposes set by the social network manager in accordance with the social network manager's privacy policy. However, when you use a social network, interact with the Company through a social network, visit the Company's account on a social network or follow the Company's posts on a social network, the Company receives information about you. The amount of data we receive depends on the account settings we have selected, the agreements we have made with the social network manager to order additional services, and the cookies set by the social network manager.

LinkedIn Privacy Policy: https://www.LinkedIn.com/legal/privacy-policy  

Facebook Privacy Policy: https://www.facebook.com/policy.php  

Instagram privacy policy: https://help.instagram.com/519522125107875  

YouTube privacy policy: https://www.youtube.com/static?template=privacy_guidelines and https://policies.google.com/privacy  

RECIPIENTS AND PROCESSORS OF PERSONAL DATA

We may provide your personal data to the following persons, considering the basis for the provision of the data and to ensure the security of the data transmitted:

·       for investors, when we broker consumer credit (providing personalized information necessary for investment: borrower rating, repayment history, purpose of the loan, date of loan);

·       providers of personal identification services (Mark ID, SK ID Solutions AS Lithuanian branch);

·       for beneficiaries when a payment initiation service is provided;

·       consumer credit institutions or financial companies participating in the information system "Infobankas" and the credit bureau system administered by UAB "Creditinfo Lietuva";

·       financial institutions with which we have contracted to provide personal data for identification purposes;

·       State Social Insurance Fund Board (SODRA);

·       in the case of a dispute, to the people who provide us with legal services, lawyers;

·       UAB Legal Balance for the purposes of out-of-court debt recovery;

·       auditors, other consultants, notary offices, bailiff offices;

·       the data processors used (server administrators, cloud service providers, IT service providers, credit rating platform administrators, SMS senders)

·       for business partners;

·       To third parties for the initiation of payments and transfers and other payment solutions: gambling companies, betting companies, gaming companies, and gaming companies that use the data to identify and verify the identity of the person;

·       Prevention of money laundering and operators of platforms for screening politically exposed persons;

·       the Bank of Lithuania, the Financial Crimes Investigation Service under the Ministry of the Interior of the Republic of Lithuania, the Ministry of Foreign Affairs, the State Tax Inspectorate under the Ministry of Finance of the Republic of Lithuania, the Statistics Department of Lithuania and the State Data Protection Inspectorate;

·       to state authorities, law enforcement agencies and other persons in accordance with the procedure established by the legislation of the Republic of Lithuania, or where the provision of data is necessary for the purpose of asserting, exercising or defending the Company's legal claims;

·       the provider(s) of the text messaging service (data processors).

If you participate in games or lotteries organised by the Company, we may, with your consent, make your winnings public.

With your consent, we may also provide personal data to others.

We may also provide your data to protect your vital interests (for example, if you feel unwell on our premises and we need to seek medical help).

If we disclose your personal data to other groups of data recipients than those specified in this Privacy Policy, we will inform you of this at the latest when we disclose the data for the first time, unless we have already provided you with such information before.

We may use data processors who will process personal data in accordance with our instructions and to the extent determined by us, to the extent necessary to achieve the purposes of the processing. When we use processors, we aim to ensure that the processors also have appropriate organisational and technical security measures in place and maintain the confidentiality of personal data.

TRANSFER OF PERSONAL DATA OUTSIDE THE EU/EE

Your data may be transferred outside the European Union, subject to the signing of agreements with data processors that comply with European Union law.

Data may be transferred outside the European Union where the transfer is necessary for the conclusion and performance of contracts and the proper provision of services to the Company's customers. In such a case, the Company shall take steps to ensure that any transfer of personal data outside the EU/EEA is properly executed and that the privacy rights of data subjects are protected to the maximum extent possible. The Company's transfer of personal data outside the EU/EEA shall be guided by:

·   the European Commission's decision on the eligibility of a foreign country;

·   A certification mechanism approved in a foreign country;

·   European Commission decision on standard contractual clauses.

The third country outside the EU/EEA in which the recipient of the personal data is located is required by a decision of the European Commission to ensure an adequate level of protection of personal data.

PROFILING AND AUTOMATED DECISION-MAKING

In order to achieve the purposes set out in the Privacy Policy, such as the provision of your credit rating, the provision of a consumer credit offer, the implementation of the requirements of the Law of the Republic of Lithuania on the Prevention of Money Laundering and Terrorist Financing, we may analyze personal data in an automated manner, make automated decisions, and classify data subjects into groups after taking into account the personal aspects related to data subjects. We carry out automated decision-making, including profiling, on the basis of your consent for the purpose of concluding or performing a contract with you, or to comply with statutory requirements (Article 6(1)(a), (b), (c), Article 22(2) of the GDPR respectively).

For the purposes of profiling and automated decision-making for the purpose of granting your credit rating and providing you with a consumer credit offer, we process the following personal data: name, surname, place of residence, nationality, age, gender, your credit history, number of minor children and dependants, marital status, spouse's data, existing financial obligations and overdue payments, information on your income, employment, data on your assets, information on the desired consumer credit (amount, maturity), your income, and any other necessary data.

For the purposes of profiling for the purposes of the Law on the Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania, we process the following personal data: name, surname, date of birth, place of residence (address), nationality, income, source of income, position held, type of activity carried out, information on political vulnerability, number of shares held in the company and other data provided in the client profile or obtained from external sources such as international sanctions lists, publicly available information, etc.

The processing of the personal data indicated will be carried out in accordance with the purposes set out above:

·       for profiling and automated decision-making for the purposes of granting your credit rating, making an offer of consumer credit, we will process your data for a maximum period of 10 years;

·       when carrying out profiling for the purposes of the Law on the Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania, for a maximum period of 8 years. The storage period may be further extended for a maximum of 2 (two) years on the grounds provided by law.

Please note that in the context of automated decisions and profiling, you have the right to request human intervention, to express your views and to contest a decision taken by automated means (Article 22(3) GDPR).

DATA SUBJECT RIGHTS

As a data subject, you have the rights set out below in this section.

The right to know (be informed) about the processing of your personal data

When we receive information directly from you about the processing of personal data, we inform you orally and/or in writing at the time of receipt of the personal data.

If we do not receive the personal data directly from you, we will inform you about the processing of your personal data within 1 (one) month of receipt of the data, and if we use your personal data to communicate with you, no later than the first time we contact you.

The right of access to personal data processed

The right to have access to your personal data and how they are processed, i.e. to be informed about the period of retention of personal data, the sources and nature of the personal data collected, the purposes for which they are processed, and the purposes for which they are disclosed to whom.

Within 1 (one) month of receipt of the request, we will check whether your personal data is processed by the Company. If we determine that we are processing your personal data, we will provide you with information about the personal data processed and a copy of the personal data processed.

We can extend the time limit for responding if necessary. We will inform you of this. You have the right to apply to the State Data Protection Inspectorate for such an extension.

You have the right to request access to the personal data we hold about you and how it is processed, and to ask for the provision of such data. Data may be provided free of charge once per calendar year, but in other cases the Company may charge a fee up to the cost of providing the data.

If your requests are manifestly unfounded or disproportionate, we have the right to refuse to comply with your request.

If you do not specify the form in which the information is to be provided in your request, we will provide the information in the same form in which the request is received.

Request rectification of personal data and suspension of the processing of such personal data if, after consulting the personal data, you discover that the data are incorrect, incomplete or inaccurate.

We will notify you of the rectification, destruction or suspension of the processing of your personal data, whether or not carried out at your request. We will inform the recipients of the data unless it would be impossible or excessively difficult to provide such information. Upon your request, we will provide you with information about such recipients.

The right to request the erasure of personal data or the restriction of processing operations if, after consulting your personal data, you discover that personal data are being processed unlawfully or fraudulently.

We will notify you of the restriction of processing that has or has not been made at your request. We will inform the recipients of the data unless this is impossible or would require a disproportionate effort. Upon your request, we will provide you with information about such recipients.

Personal data whose processing has been restricted shall continue to be stored by the Company.

The right to object to the processing of personal data, unless we are processing the personal data for the legitimate interest of the Company or of another person to whom the personal data is provided, and your interests are not overridden.

If you object to the processing of your personal data, we will continue to process your personal data if we reasonably decide that the reasons for processing your personal data override your interests, rights and freedoms or if your personal data are necessary for the establishment, exercise or defence of legal claims.

The right to withdraw consent to data processing

You have the right to withdraw your consent to the processing of your personal data at any time where the processing of your personal data is based on your consent.

The right to be "forgotten"

You have the right to request the erasure of your data in the cases provided for by law. We have the right to refuse to comply with this request in the cases provided for by law, including but not limited to the cases discussed in Article 17(3) of GDPR.

If we comply with your request and the personal data (deleted at your request) have been transferred to recipients, we will inform these recipients unless this would be impossible or would require a disproportionate effort. We will provide information about such recipients upon your request.

Right to data portability

You have the right to request that the personal data you have provided, if it is processed on the basis of consent or a contract, and if it is processed by automated means, be transferred to another controller or transmitted to you in a structured, commonly used and computer-readable format, if this is technically feasible. When applying for the exercise of this right, you must indicate whether you wish the personal data to be transferred to you or directly to another controller.

If we comply with your request and you wish to have the data transmitted on a digital medium, we will make the personal data processed by the Company available on a CD-ROM or on a CD-ROM recorded by the Company on a one-off basis, with you being reimbursed for the cost of the purchase of the medium.

The right to data portability cannot be exercised in relation to personal data processed in non-automatically structured files such as paper files.

Personal data transferred are not automatically deleted. If you wish to do so, you must contact the Company to exercise your right to be forgotten.

The right to object to automated processing, including profiling

You have the right to know and be informed of the logic behind the automatic processing of personal data and the possible consequences of such processing when the processing is carried out only by automated means.

If you request a review of a decision based on automated data processing (if such decisions are taken by the Company in respect of you), we will carry out a full assessment of all relevant data, including the information you have provided.

The right to lodge a complaint with the State Data Protection Inspectorate or a competent court in relation to the processing of personal data

You may complain about the Company's actions or omissions in relation to the exercise of the data subject's rights, either by yourself or through a duly authorised representative or a non-profit institution, organisation or association complying with the requirements of Article 80 of the GDPR, to the State Inspectorate for Data Protection, at L. Sapiegos g. 17, Vilnius, email address [email protected], website https://vdai.lrv.lt, as well as to the competent court of the Republic of Lithuania.

The right to compensation for damages suffered as a result of a breach of the data subject's rights

If you have suffered damage as a result of a violation of the data subject's rights, you have the right to compensation, which you must seek from the competent court of the Republic of Lithuania.

THE PROCEDURE FOR CONTACTING THE COMPANY IN THE EXERCISE OF THE DATA SUBJECT'S RIGHTS

You may apply for the exercise of the data subject's rights orally or in writing by submitting your request in person, by post or by electronic means to the contacts indicated in this Privacy Policy. If you decide to contact the Company in writing, we recommend that you submit a free-form request.

You must prove your identity by providing proof of identity. Failure to do so will prevent us from accepting your requests and will result in the data subject's rights not being enforced. This does not apply if you request information about the processing of personal data in accordance with Articles 13 and 14 of the GDPR.

If you decide to apply in writing (by post) to exercise your rights as a data subject, you must submit a copy of your identity document certified by a notary public or other legal authority together with your application. If your personal data (name, surname) have changed, you must submit a copy of the documents confirming the change. If they are sent by post, they must be certified by a notary public or other procedure established by law.

If you choose to submit your request electronically, it must be signed with a qualified electronic signature or be made by electronic means that guarantee the integrity and unalterability of the text. This does not apply if you are requesting information on the processing of personal data in accordance with Articles 13 and 14 of the GDPR.

The request for the exercise of the data subject's rights must be legible, signed and contain your name, address and/or other contact details for communication or for receiving a reply.

If you have chosen to exercise your rights through a representative, your representative must provide his/her name, surname, address and/or other contact details for the communication by which your representative wishes to receive the reply, as well as your name and other data necessary for the proper identification of the data subject, and provide a document or a copy of a document confirming representation.

If we have any doubts about your identity or data, we have the right to request additional information to verify it.

You can contact the Company's Data Protection Officer (DPO) on any issues related to the processing of personal data and the exercise of your rights. We recommend that you indicate that the correspondence is addressed to the Company's Data Protection Officer.

If you do not follow the procedure set out in this section when contacting us, we will inform you within 7 (seven) calendar days of receipt of your request and point out the deficiencies. If you do not remedy the deficiencies identified or do not inform the Company of reasonable grounds why the deficiencies identified cannot be remedied, we will not consider the request.

In the event of objective circumstances which prevent the deficiencies referred to above from being remedied, we may decide to accept your application and process it.

FINAL PROVISIONS

The Websites may contain links to third-party websites, legislation, as well as links to social networks (the ability to share the Website content on Facebook and Instagram). It should be noted that third party websites linked to the Website are subject to the privacy policies of those websites and the Company is not responsible for the content of the information provided by those websites, their activities and the provisions of their privacy policies.

You can contact us in the following ways for all data processing issues:

·       E-mail: [email protected]

·       By calling 8 700 80 075

·       Mailing address: A. Vivulskio str. 7, Vilnius, Lithuania.

POLICY REVIEW

We may review and modify our Privacy Policy at any time. The changes will come into effect starting from their publication on the Websites.

We recommend to always check the latest version of the Privacy policy.

Last updated by order of the Chief Executive Officer on 24 February 2023.

_____________________________