Privacy policy

Last updated: 2 April, 2024

Under applicable data protection laws, we are obligated to inform individuals about their personal data processing and we fulfil this obligation within this Privacy Policy which explains how we collect, use and protect personal data in accordance with the General Data Protection Regulation No. 2016/679 (“GDPR”) and/or other applicable statutory regulations.

This Privacy Policy covers the information UAB Virtualių paslaugų operatorius („we” or “VPO”) collect about you when you use our services, or otherwise interact with us (for example, by attending our premises or events or by communicating with us), unless a different policy is displayed. We offer a range of services and we refer to all of our services and website as „Services” in this policy.   

1. DEFINITIONS

Client – a contracting entity identified in the concluded business agreement with VPO. End-user – a customer, being the recipient of Client’s service and initiating payment to a Client (merchant), which is processed by VPO. Data Controller – natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Personal data – any information relating to an identified or identifiable natural person. Services – any and all services provided by VPO in accordance with, and as defined in concluded business agreements.

2. DATA CONTROLLER

UAB Virtualių paslaugų operatorius is the Data Controller in respect of personal data described in this Privacy Policy unless specified otherwise. Our contact details: UAB Virtualių paslaugų operatorius Registration code: 300093064 Address: Kauno str. 22-301, LT-03212 Vilnius Contact details: info@vpo.lt

3. WHAT PERSONAL DATA DO WE COLLECT AND WHY?

Purpose Type of Data Legal Basis Retention Period
1.1.  Provision of VPO services: payment initiation and account information service; money remittances. We collect the following information about Clients and, on certain occasions only, about End-users, as the recipients of Client services:
  • name and surname;
  • personal code;
  • date and place of birth;
  • nationality and age;
  • address and place of residence;
  • country of residence of the individual receiving the service (end-user of the client);
  • copy of the identification document (ID card/passport) and its data: number, issuance place and date, expire date;
  • contact details (phone number and email address);
  • source of funds;
  • signature;
  • bank account numbers;
  • date and amount of transactions, currency and location;
  • history of actions performed;
  • information about the beneficiary of the funds (name, surname, personal code or other identification number, date of birth, details about legal entity);
  • in the context of payment initiation services we also collect order number provided by merchant or service provider, transaction details (order amount, description (purpose), status), bank account name and number and unique authentication keys (tokens) created by the bank and the company that are linked to your bank account number.
Performance of a contract (Article 6(1)(b) of the GDPR). Legal obligationArticle 6(1)(c) of the GDPR). We process personal data collected during the provision of our services for as long as you continue to use them. After you stop using our services, we retain this data for a period of 10 years, unless different retention periods are mandated by applicable legislation or our internal company policies. If a business agreement fails to materialize due to the decision to refuse the relevant service, Personal Data will be retained for up to 12 months from the date of data receipt, unless the Data Subject requests deletion in writing. However, if the agreement falls through for different reasons, such as failure to provide necessary information, the data will be stored for 10 years. Correspondence related to relations with the Data Subject will be kept for 5 years following the termination of agreements or business relationships with the individual. Personal data collected for the purpose of provision of payment initiation service will be retained for 3 years after the payment initiation. Personal data collected for the purpose of provision of account information service will be retained for 3 years after account information is provided. We may continue to retain some information even after this time if we are required to do so in order to comply with applicable laws or on the basis of justified interests (e.g., retention for asserting claims).
1.2.  Compliance with AML (anti-money laundering) and other applicable regulatory requirements (identity verification, KYC procedure and ongoing monitoring of client’s activity, including risk assessment and management) We collect the following information about clients, including representatives of legal entities (such as employees and members of management bodies, as well as Ultimate Beneficial Owners (UBOs) and managers of the clients), as well as End-users, as the recipients of Client services:
  • Name, Surname, Gender;
  • Date of birth;
  • Personal code or other identification number;
  • Copy of personal identity document and its data: country, date of issuance and validity of the document, type and number;
  • Nationality;
  • Citizenship (if indicated);
  • Contact details (phone number and email);
  • Position;
  • Picture of a person;
  • Signature
  • Address;
  • Bank account details (bank name and bank account number);
  • Transaction details (date and amount of transactions, currency);
  • Information about the beneficiary of the funds (name, surname, personal code or other identification number, date of birth, details about legal entity)
  • Utility bill or another document, which includes the address of a person;
  • Information, if sanctions to the person are applied, if person is politically exposed person, if there is negative media information about the person, if a person is listed by financial and other regulatory authorities, disciplinary bodies and anti-corruption agencies;
  • Number of shares held, voting rights or share capital part (applicable to UBOs);
  • Source of funds, source of wealth.
Please note, that personal data listed above may be collected from a variety of sources. Sometimes directly from you, but also through the company or organization for who you are working or affiliated with, for example as an UBO. End-user data may be collected through the Client, acting as merchant/ service provider. If your company or organization transfers your personal data to us, we expect your business or organization to inform you about this.
Public interest (Article 6(1)(e) of the GDPR) to implement measures for money laundering and terrorist financing prevention (Law on the Prevention of Money Laundering and Terrorist Financing of Republic of Lithuania). (Article 6(1)(c) of the GDPR). We retain this data for 8 years from the date of termination of transactions or business relationships with the client. Data retention period may be extended for up to 2 years upon a reasoned instruction of a competent authority (Art. 9(1), 19(10) and (14) of the Law on the Prevention of Money Laundering and Terrorist Financing of Republic of Lithuania). If a business agreement fails to materialize due to the decision to refuse the relevant service, Personal Data will be retained for up to 12 months from the date of data receipt, unless the Data Subject requests deletion in writing. However, if the agreement falls through for different reasons, such as failure to provide necessary information, the data will be stored for 10 years. Correspondence related to relations with the Data Subject will be kept for 5 years following the termination of agreements or business relationships with the individual. We may continue to retain some information even after this time if we are required to do so in order to comply with applicable laws or on the basis of justified interests (e.g., retention for asserting claims).
1.3.  To handle questions, requests and complaints submitted by you. We collect all data along with any communication and messages you send to us (including the time they were received / submitted). We have a legitimate interest to answer to submitted questions and requests in accordance with the Article 6(1)(f) of the GDPR Personal Data is retained for 5 years after your query is closed. We may continue to retain some information, even after this time if we are required to do so in order to comply with applicable laws or on the basis of justified interests (e.g., retention for asserting claims).
1.4.  To improve our website, ensure its performance, increase its security and adapt both its content and form to the needs of our users. When you visit our website, we collect the following data from you automatically: IP address, operating system, user ID and other information about your activities on our and other websites. We collect and store this information as part of log entries or through the use of cookies. Please refer to our Cookie Policy for more details about cookies. Personal data collected via cookies is processed on the basis of our legitimate interest (Article 6(1)(f) of the GDPR) while we set up cookies on your device only with your consent (Article 6(1)(a) of the GDPR) Please refer to our Cookie Policy for more details about retention periods for cookies.
1.5.  To select a suitable candidate for an open job vacancy. We collect Candidate’s first name, last name, email address and (or) telephone number, information about the Candidate’s work experience (job title, duration of work, job positions, responsibilities and/or achievements), information about the Candidate’s education and qualifications, information on proficiency on languages and other competences required for an open job vacancy, other information provided by the Candidate voluntarily in his/her CV, cover letter or other application documents (e. g. recommendations, references, etc.) which will be processed in the same manner as personal data of the candidate that has been collected by us. Special categories of personal data (e.g., health-related information, information about criminal records) may only be collected if necessary for a specific job position and only to the extent necessary and permitted by the applicable law. We may also collect personal data relating to the Candidate’s qualifications, professional abilities and personal qualities from one’s former employer, after informing the Candidate in advance, and from one’s current employer only with the consent of the Candidate. We have a legitimate interest to select the best possible Candidate for a particular job vacancy (Article 6(1)(f) of the GDPR). We retain this personal data for a period of 3 months after the end of the selection process.
1.6.  Dispute resolution, including debt management, the filing and defence of claims or lawsuits, and cooperation with law enforcement and regulatory authorities in accordance with the applicable law.
  • All the aforementioned information, as well as documents and their attachments sent to you or provided by you, court rulings, decisions and similar data;
  • Information about criminal activities and criminal convictions.
We process this data on the basis of our legitimate interest to defend our rights in legal proceedings (Article 6(1)(f) of the GDPR). We also process this data so we could assert, exercise, or defend legal claims (Article 9(2)(f) of the GDPR). This processing continues during respective legal proceedings and up to 10 years after their conclusion.

4. WHO DO WE DISCLOSE YOUR PERSONAL DATA TO WITHIN AND OUTSIDE THE EEA?

We may disclose your personal data to third parties (“Data recipients”) to facilitate the delivery of our services or when we are legally obligated to do so. Data recipients may act as controllers and/or processors when processing personal data. If a Data recipient processes your personal data as a controller, they are responsible for informing you about the processing. In such instances, you should directly contact the Data recipient regarding the processing of your personal data. Your personal data may be disclosed to the following Data recipients:
  • Government agencies and entities carrying out legal functions (e.g., regulatory authorities, tax authorities, law enforcement agencies, judicial bodies).
  • Financial institutions, as mandated by law, such as your bank.
  • Participants in payment transactions, both national and European (e.g., merchants from whom you make purchases).
  • Companies that handle databases and records, or help share personal information from these sources, like population lists or business registries.
  • Individuals and firms providing financial and legal consultation, conducting audits, or offering other services to our company.
  • AML/KYC compliance platform service providers;
  • Workplace communication and collaboration service providers;
  • Accounting service providers;
  • Cloud service providers;
  • Servers rent and maintenance providers;
  • Other partners and external service providers (e.g., software, IT infrastructure maintenance, web hosting and web support, electronic communications, archiving, etc.).
For all of these service providers, we will only provide as much data as it is necessary to perform a particular service. We may transfer your personal data outside the EEA but only based on appropriate safeguards and compliance measures to ensure an adequate level of protection of personal data transferred outside the EEA. That is, we may transfer your personal data based on an adequacy decision by the European Commission, EU Commission’s approved Standard Contractual Clauses (SCCs), EU-US Data Privacy Framework or using other possible safeguards and derogations where it is allowed by the applicable laws. Please reach out to us via info@vpo.lt for detailed information about your personal data transfers outside of the EEA. Please note! When you communicate with us via social networks, you should inquire about their applicable data protection terms and conditions and read their privacy policy. All personal information you provide to us via social networks is controlled and managed by that particular social network (e.g., Facebook (Meta Platforms Ireland Limited)). Sale or merger. We may also disclose your personal data to third parties in the event that we sell or buy any business or assets (due to liquidation, bankruptcy or otherwise), or merge with another company or business. In this case we may transfer your data to a prospective seller or buyer/investor of such business or assets as client’s information may be among the transferred assets in said transactions.

5. HOW DO WE PROTECT YOUR PERSONAL DATA?

When processing and storing your personal data, we implement organisational and technical measures to ensure that personal data is protected against accidental or unlawful destruction (e.g., backups on a regular schedule), alteration, disclosure, and any other unlawful processing. These measures include encryption, physical access security, regular auditing, and other technologies.

6. YOUR RIGHTS

Under the GDPR you have the following rights:
  • Know (be informed) about the processing of your personal data (Articles 12-14 of the GDPR);
  • Access your personal data that is being processed (Article 15 of the GDPR);
  • Request the correction of inaccurate personal data relating to you (Article 16 of the GDPR);
  • Request the deletion of personal data relating to you (“the right to be forgotten”) (Article 17 of the GDPR). Please note! You have the right to be forgotten only if it can be justified by one of the following reasons: (i) personal data is no longer necessary for the purposes for which it was collected or otherwise processed; (ii) you do not consent to the processing under Article 21 (1) of the GDPR and there are no overriding legitimate reasons for processing.
  • Restrict data processing (Article 18 of the GDPR). Please note! You have the right to restrict the processing of your data only if: (i) personal data is inaccurate; (ii) the processing of personal data is unlawful, but you do not consent to the erasure of the data; (iii) we no longer need your personal data to fulfil our purpose, but it is necessary for you to assert, enforce or defend legal requirements; (iv) you object to the processing under Article 21 (1) of the GDPR unless the legitimate reasons of our company override your own.
  • Transfer your personal data when the processing is based on consent or contract and the data is processed by automated means (Article 20 of the GDPR);
  • Object to the processing of personal data for reasons specific to your case where the processing is in the legitimate interests of 1stopVAT or of a third party, unless we prove that the processing is for compelling legitimate reasons overriding your interests, rights and freedoms, or for the purpose of asserting, enforcing or defending legal requirements (Article 21 of the GDPR).
If you believe that our company is unlawfully processing your personal data or is not implementing your rights, you have the right to file a complaint with the competent Data Protection Authority or to make a claim against us with a competent court (either in the country where you live, the country where you work or the country where you deem that data protection law has been infringed). Contact details for State Data Protection Inspectorate, the supervisory data protection authority in Lithuania: L. Sapiegos street 17, 10312 Vilnius, (8 5) 271 2804, 279 1445, ada@ada.lt. You can find contact details of other competent authorities within the EU, here. You can exercise rights over your data by reaching out to: info@vpo.lt

 CONTACT US

If you have any questions about this Privacy Policy or about your personal data processing, please contact us by email: info@vpo.lt.