Under applicable data protection laws, we are obligated to inform individuals about the processing of their personal data. We fulfil this obligation through this Privacy Policy, which explains how we collect, use and protect personal data in accordance with the General Data Protection Regulation No. 2016/679 (“GDPR”) and/or other applicable statutory regulations.
This Privacy Policy covers the information UAB Virtualių paslaugų operatorius (“we” or “VPO”) collects about you when you use our services, or otherwise interact with us (for example, by attending our premises or events or by communicating with us), unless a different policy is displayed. We offer a range of services and we refer to all of our services and website as “Services” in this policy.
1. DEFINITIONS
2. DATA CONTROLLER
3. WHAT PERSONAL DATA DO WE COLLECT AND WHY?
Purpose | Type of Data | Legal Basis | Retention Period |
1.1. Provision of VPO services: payment initiation and account information service; money remittances. | We collect the following information about Clients and, on certain occasions only, about End-users, as the recipients of Client services: | Performance of a contract (Article 6(1)(b) of the GDPR). Legal obligation (Article 6(1)(c) of the GDPR). | We process personal data collected during the provision of our services for as long as you continue to use them. After you stop using our services, we retain this data for a period of 10 years, unless different retention periods are mandated by applicable legislation or our internal company policies. If a business agreement fails to materialize due to the decision to refuse the relevant service, Personal Data will be retained for up to 12 months from the date of data receipt, unless the Data Subject requests deletion in writing. However, if the agreement falls through for different reasons, such as failure to provide necessary information, the data will be stored for 10 years. Correspondence related to relations with the Data Subject will be kept for 5 years following the termination of agreements or business relationships with the individual. Personal data collected for the purpose of provision of payment initiation service will be retained for 3 years after the payment initiation. Personal data collected for the purpose of provision of account information service will be retained for 3 years after account information is provided. We may continue to retain some information even after this time if we are required to do so in order to comply with applicable laws or on the basis of justified interests (e.g., retention for asserting claims). |
1.2. Compliance with AML (anti-money laundering) and other applicable regulatory requirements (identity verification, KYC procedure and ongoing monitoring of client’s activity, including risk assessment and management) | We collect the following information about clients, including representatives of legal entities (such as employees and members of management bodies, as well as Ultimate Beneficial Owners (UBOs) and managers of the clients), as well as End-users, as the recipients of Client services: | Public interest (Article 6(1)(e) of the GDPR) to implement measures for money laundering and terrorist financing prevention (Law on the Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania). (Article 6(1)(c) of the GDPR). | We retain this data for 8 years from the date of termination of transactions or business relationships with the client. Data retention period may be extended for up to 2 years upon a reasoned instruction of a competent authority (Art. 9(1), 19(10) and (14) of the Law on the Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania). If a business agreement fails to materialize due to the decision to refuse the relevant service, Personal Data will be retained for up to 12 months from the date of data receipt, unless the Data Subject requests deletion in writing. However, if the agreement falls through for different reasons, such as failure to provide necessary information, the data will be stored for 10 years. Correspondence related to relations with the Data Subject will be kept for 5 years following the termination of agreements or business relationships with the individual. We may continue to retain some information even after this time if we are required to do so in order to comply with applicable laws or on the basis of justified interests (e.g., retention for asserting claims). |
1.3. To handle questions, requests and complaints submitted by you. | We collect all data along with any communication and messages you send to us (including the time they were received / submitted). | We have a legitimate interest to answer submitted questions and requests in accordance with Article 6(1)(f) of the GDPR | Personal Data is retained for 5 years after your query is closed. We may continue to retain some information even after this time if we are required to do so in order to comply with applicable laws or on the basis of justified interests (e.g., retention for asserting claims). |
1.4. To improve our website, ensure its performance, increase its security and adapt both its content and form to the needs of our users. | When you visit our website, we collect the following data from you automatically: IP address, operating system, user ID and other information about your activities on our and other websites. We collect and store this information as part of log entries or through the use of cookies. Please refer to our Cookie Policy for more details about cookies. | Personal data collected via cookies is processed on the basis of our legitimate interest (Article 6(1)(f) of the GDPR) while we set up cookies on your device only with your consent (Article 6(1)(a) of the GDPR) | Please refer to our Cookie Policy for more details about retention periods for cookies. |
1.5. To select a suitable candidate for an open job vacancy. | We collect Candidate’s first name, last name, email address and (or) telephone number, information about the Candidate’s work experience (job title, duration of work, job positions, responsibilities and/or achievements), information about the Candidate’s education and qualifications, information on proficiency in languages and other competences required for an open job vacancy, other information provided by the Candidate voluntarily in his/her CV, cover letter or other application documents (e.g. recommendations, references, etc.) which will be processed in the same manner as personal data of the candidate that has been collected by us. Special categories of personal data (e.g., health-related information, information about criminal records) may only be collected if necessary for a specific job position and only to the extent necessary and permitted by the applicable law. We may also collect personal data relating to the Candidate’s qualifications, professional abilities and personal qualities from one’s former employer, after informing the Candidate in advance, and from one’s current employer only with the consent of the Candidate. | We have a legitimate interest to select the best possible Candidate for a particular job vacancy (Article 6(1)(f) of the GDPR). | We retain this personal data for a period of 3 months after the end of the selection process. |
1.6. Dispute resolution, including debt management, the filing and defence of claims or lawsuits, and cooperation with law enforcement and regulatory authorities in accordance with the applicable law. | | We process this data on the basis of our legitimate interest to defend our rights in legal proceedings (Article 6(1)(f) of the GDPR). We also process this data so we could assert, exercise, or defend legal claims (Article 9(2)(f) of the GDPR). | This processing continues during respective legal proceedings and up to 10 years after their conclusion. |
4. WHO DO WE DISCLOSE YOUR PERSONAL DATA TO WITHIN AND OUTSIDE THE EEA?
We may disclose your personal data to third parties (“Data recipients”) to facilitate the delivery of our services or when we are legally obligated to do so. Data recipients may act as controllers and/or processors when processing personal data. If a Data recipient processes your personal data as a controller, they are responsible for informing you about the processing. In such instances, you should directly contact the Data recipient regarding the processing of your personal data. Your personal data may be disclosed to the following Data recipients:
- Government agencies and entities carrying out legal functions (e.g., regulatory authorities, tax authorities, law enforcement agencies, judicial bodies).
- Financial institutions, as mandated by law, such as your bank.
- Participants in payment transactions, both national and European (e.g., merchants from whom you make purchases).
- Companies that handle databases and records, or help share personal information from these sources, like population lists or business registries.
- Individuals and firms providing financial and legal consultation, conducting audits, or offering other services to our company.
- AML/KYC compliance platform service providers;
- Workplace communication and collaboration service providers;
- Accounting service providers;
- Cloud service providers;
- Server rental and maintenance providers;
- Other partners and external service providers (e.g., software, IT infrastructure maintenance, web hosting and web support, electronic communications, archiving, etc.).
5. HOW DO WE PROTECT YOUR PERSONAL DATA?
When processing and storing your personal data, we implement organisational and technical measures to ensure that personal data is protected against accidental or unlawful destruction (e.g., backups on a regular schedule), alteration, disclosure, and any other unlawful processing. These measures include encryption, physical access security, regular auditing, and other technologies.
6. YOUR RIGHTS
Under the GDPR you have the following rights:
- Know (be informed) about the processing of your personal data (Articles 12-14 of the GDPR);
- Access your personal data that is being processed (Article 15 of the GDPR);
- Request the correction of inaccurate personal data relating to you (Article 16 of the GDPR);
- Request the deletion of personal data relating to you (“the right to be forgotten”) (Article 17 of the GDPR). Please note! You have the right to be forgotten only if it can be justified by one of the following reasons: (i) personal data is no longer necessary for the purposes for which it was collected or otherwise processed; (ii) you do not consent to the processing under Article 21 (1) of the GDPR and there are no overriding legitimate reasons for processing.
- Restrict data processing (Article 18 of the GDPR). Please note! You have the right to restrict the processing of your data only if: (i) personal data is inaccurate; (ii) the processing of personal data is unlawful, but you do not consent to the erasure of the data; (iii) we no longer need your personal data to fulfil our purpose, but it is necessary for you to assert, enforce or defend legal requirements; (iv) you object to the processing under Article 21 (1) of the GDPR unless the legitimate reasons of our company override your own.
- Transfer your personal data when the processing is based on consent or contract and the data is processed by automated means (Article 20 of the GDPR);
- Object to the processing of personal data for reasons specific to your case where the processing is in the legitimate interests of 1stopVAT or of a third party, unless we prove that the processing is for compelling legitimate reasons overriding your interests, rights and freedoms, or for the purpose of asserting, enforcing or defending legal requirements (Article 21 of the GDPR).