PRIVACY POLICY

Data Controller

UAB Legal Balance, legal entity code 302528679, address Žalgirio st. 90, Vilnius, telephone number 8 700 66677, e-mail address info@eskolos.lt, website www.eskolos.lt.

1.   TERMS USED

1.1. Personal Data shall mean any information relating to a natural person, i.e. a data subject, whose identity is known or can be established, directly or indirectly, by reference to data such as a personal identification number, one or more factors specific to that person, such as his/her physical, physiological, psychological, economic, cultural or social background, location data, and an online identifier.

1.2. Company shall mean UAB Legal Balance, legal entity code 302528679, address Žalgirio st. 90, Vilnius.

1.3. Data Subject shall mean a natural person who uses the Company's services, or is a representative of a legal entity, or a person who browses the Website, uses the Platform, or whose data is provided to the Company by the Customer.

1.4. Document Preparation Service shall mean a service for the preparation of a document of the Customer's choice or the download of a document template, which the Customer orders using the Platform.

1.5. IP Address shall mean a unique number that identifies the computer, telephone, tablet or other device that connects to the internet. The IP address can be used to identify the country where the computer connects to the internet.

1.6. Customer shall mean a natural person or legal entity registered on the Platform who, in accordance with the Platform Rules, seeks to receive an Offer and/or a Document Preparation Service and/or uses (has used or intends to use in the future) the Company's Claims Enforcement, Debt Collection and/or Document Preparation Services after the conclusion of the Agreement.

1.7. Offer shall mean an offer made by the Company to the Customer and recorded on the Platform as a Purchase Offer or the Service Offer:

1.7.1. Purchase Offer shall mean an offer made by the Company to the Customer to purchase a Claim by paying the Customer a pre-agreed amount of money and/or an offer to purchase a Claim by deferring payment of the Claim pending the collection of all or part of the debt from the Debtor (deferred price payment).

1.7.2. Service Offer shall mean an offer made by the Company to the Customer to provide legal services.

1.8. Account shall mean the result of the Customer's registration with www.eskolos.lt.

1.9. Platform shall mean a remote environment where the Customer, in order to receive the Offer and/or the Document Preparation Service, registers and can receive the Offer, enter into an agreement with the Company, follow the process of exercising the right of recourse and debt collection, and receive the Document Preparation Service, and where the Company submits the Offer, enters into an agreement with the Customer, records the process of exercising the right of recourse, and the process of debt collection and provides the Document Preparation Service. The Platform is available online at www.eskolos.lt.

1.10. Privacy Policy shall mean this document, which sets out the basic rules governing the collection, storage, processing and retention of Personal Data applicable to the use of the Platform.

1.11. Application shall mean the Eskolos application operated and managed by the Company.

1.12. Regulation shall mean the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

1.13. Assignment of the Claim Right shall mean the assignment of the Customer's claim right against the Debtor to the Company by the parties signing an agreement.

1.14. Debtor shall mean a natural person or legal entity who has a valid monetary obligation to the Customer or the Company under the legislation of the Republic of Lithuania.

1.15. Cookies shall mean small files placed on a computer, telephone, tablet or other device used by any person visiting the Website, which the Website uses to identify the device. This shall include not only cookies, but also the use of similar types of tools.

1.16. Website shall mean the website operated by the Company https://www.eskolos.lt/.

1.17. Provision of Legal Services shall mean the provision of debt administration and/or debt collection services to the Customer in accordance with the terms and conditions set out in the Agreement.

2.   GENERAL PROVISIONS

2.1. In this Privacy Policy, we hereby provide you with information about how the Company processes Personal Data when you use the Platform, as well as how the Company processes Personal Data of Debtors. Additional information may be contained in assignment of claims, service agreements and other agreements that you enter into with the Company.

2.2. You may register on the Platform only after you have read and accepted this Privacy Policy. We recommend that you read this Privacy Policy carefully before registering on the Platform. You may revisit the Privacy Policy at any time on the Platform.

2.3. This Privacy Policy shall not address the Company's processing of Personal Data when you visit other websites of the Company, or when you use services published by the Company on or through other websites. If you visit other websites of the Company, use services published or provided by the Company on or through such websites, including the use of the Eskolos mobile application, your Personal Data shall be processed in accordance with the information provided on those websites. In such a case, please have a good look at the Privacy Policies posted on other websites of the Company.

2.4. The processing of personal data in the Company shall be governed by the Regulation, the Republic of Lithuania Law on Legal Protection of Personal Data and other legal acts, as well as the local acts of the Company.

3.   PRINCIPLES OF PERSONAL DATA PROCESSING

3.1. The scope of personal data processed depends on the services ordered or used on the Platform and the information provided by the Data Subject when ordering and/or using the services, visiting the Website, registering on the Platform. The purposes of the processing of personal data are further described below.

3.2. The processing of personal data shall be carried out only under the criterion of lawful processing – in order to ensure the provision of the services published on the Website; with the consent of the person; when the Company is obliged to process personal data by the relevant legislation; when the processing of personal data is necessary to process the personal data due to the legitimate interest of the Company or of the third party (including its creditors); and in order to fulfil a contract with the Data Subject.

3.3. We aim to process Personal Data accurately, fairly and lawfully, and to process it only for the purposes for which it is collected, in accordance with the clear and transparent principles and requirements for the processing of personal data as set out in law.

3.4. You are not obliged to provide any Personal Data, but it is possible that certain services may not be provided unless Personal Data is provided.

4.   EXTENT, PURPOSES, GROUNDS FOR PROCESSING PERSONAL DATA

4.1. Customer Identification and the Drafting and Execution of the Agreement with the Customer

4.1.1. In order to identify the Customer (including the use of digital solutions such as Smart ID, mobile signature, remote facial recognition) and to enter into and perform an Assignment of Claim or Legal Services Agreement or to execute an order for a Document Preparation Service, we shall process the following personal data of Customers who are natural persons: name, surname, personal identification number, biometric data (facial image), photograph of the personal identity document, bank account number, residential address, contact information (e-mail, telephone number), copy of the personal identity document, electronic signature certificate, correspondence history, identifier of the user's device, information on the login session to the Platform. If the Customer is a legal entity, we shall process the following additional data about the Customer's legal entity representative for the specified purpose: name, surname, personal identification number, power of attorney confirmation document, personal identity document, electronic signature certificate.

4.1.2. Sources of Personal Data: data subject, Customer which is a legal entity.

4.1.3. Legal basis: the processing is necessary for the performance of a contract or in order to take action at the request of the data subject prior to the conclusion of a contract (Article 6(1)(b) of the Regulation), and the processing of biometric data shall be carried out on the basis of consent of the data subject (Article 9(2)(a) of the Regulation).

4.1.4. Retention period: 10 years after the end of the contractual relationship or 2 years from the moment of receipt of the data (in the absence of a contract with the Customer).

4.2. Debt Collection, Including Assessment of Debt Collection Options

4.2.1. In order to collect debts (e.g. arising from a loan agreement, promissory note, service agreement, contract agreement, unpaid wages, flight compensation, etc.) which are acquired by the Company from the original creditors or which are administered by the Company on the basis of a contract for the provision of legal services, we shall process the following Debtors' personal data in our capacity as a Customer's representative (data processor), including the assessment of the possibility of collecting the debts: name, surname, personal identification number/date of birth, contact information (e-mail, telephone number), residential address, documents supporting the debt, amount of the debt, circumstances and date on which the debt was incurred, the fact and date on which the debt or part of it was settled and any other data provided by the data subject or his/her creditor (customer) (e.g. social account data), workplace, marital status (spouse’s name, surname, personal identification number/date of birth, workplace, assets), assets held, number/extent of enforcement proceedings, data on other creditors of the Debtor, data from registers, credit history from the UAB Creditinfo Lietuva database. If the Debtor is a legal entity, we shall process the following personal data about the manager and participant of the legal entity for the purpose indicated: name, surname, personal identification number/date of birth, residential address, contact details (e-mail, telephone number).

4.2.2. Sources of Personal Data: The Customer, the cross-border collection platforms (EOS Cross-border, etc. ) partners (debt collection companies), bailiffs, the Lithuanian Chamber of Bailiffs, the State Enterprise Centre of Registers (the Register of Legal Entities, the Population Register, the Register of Contracts and Liens, the Register of Property Seizure Acts, the Real Property Register and Cadastre and the Register of Wills), the data subject, judicial authorities, UAB Creditinfo Lietuva and other data controllers processing joint debtor data files, the Authority of Audit, Accounting, Property Valuation and Insolvency Management under the Ministry of Finance of the Republic of Lithuania, the Public Register of Invalid Personal Documents, the Public Register of Wanted Persons, social networking sites, www.rekvizitai.lt, other publicly available sources, provided that such data are necessary for the provision of debt collection or other services, including the assessment of the possibility of debt collection.

4.2.3. Legal basis: the processing is necessary for the purposes of the legitimate interests of the Company in assessing the possibility of collection of debts, collection of arrears and/or carrying out the data controller's instructions (Article 6(1)(f) of the Regulation).

4.2.4. Retention period: 10 years after the end of the contractual relationship (after the debt has been collected or a document confirming the impossibility of collecting the debt has been drawn up) or until the Customer (the Data Controller) has instructed us to delete the data, or for a period of 2 years from the moment of receipt of the data (in the case of the absence of an agreement with the Customer).

4.2.5. Data recipients: UAB Creditinfo Lietuva (for more information on the transfer of data to UAB Creditinfo Lietuva, please refer to Clause 5.5. of the Privacy Policy), bailiffs, judicial authorities, notaries, the Authority of Audit, Accounting, Property Valuation and Insolvency Management under the Ministry of Finance of the Republic of Lithuania, the Customer.

4.3. Provision of Document Preparation Service

4.3.1. In order to execute the order for the Document Preparation Service, we shall process the following personal data of Customers and third parties (the Customer's counterparty): name, surname, personal identification number/date of birth, residential address, e-mail address, amount of the debt, due date of payment, and legal basis for the debt. If the Customer or third party is a legal entity, we shall process the personal data of the manager of this legal entity: name, surname, basis of representation.

4.3.2. Sources of personal data: data subject, Customer (in relation to third parties).

4.3.3. Legal basis: the processing is necessary for the performance of a contract or to take action at the request of the data subject prior to the conclusion of a contract (Article 6(1)(b) of the Regulation); the processing is also necessary for the purposes of the legitimate interests of the Company in the performance of an order for a Document Preparation Service (in relation to legal entities or third parties) (Article 6(1)(f) of the Regulation).

4.3.4. Retention period: 10 years after the end of the contractual relationship with the Customer.

4.3.5. Data recipients: Customers.

4.3.6. The Customer shall be responsible for entering the personal data of the above-mentioned third parties into the Platform. The Company shall act as a processor of the Customer's data during the provision of the Document Preparation Service by processing the data provided by the Customer from third parties. Under no circumstances shall the Company be liable for the lawfulness of the use of such data.

4.4. Provision of Information to Debtors and Customers

4.4.1. In order to efficiently carry out debt collection activities, i.e. to inform the Debtors about the debt, change of creditor or other related circumstances, the Company shall inform the Debtors by mail or by using an automated texting, calling and e-mailing programme implemented in the Company's managed information systems. The Company may use a data processor for this purpose. When informing Debtors about the obligations incurred and to be repaid, we shall process the following Debtors' personal data, depending on the method of informing Debtors:

4.4.1.1. If Debtors are informed by SMS: telephone number, content of the SMS message.

4.4.1.2. If Debtors are informed by e-mail: e-mail address, content of e-mail.

4.4.1.3. If Debtors are informed by telephone call: telephone number, content of audio message.

4.4.1.4. If Debtors are informed by mail: name, surname, address.

4.4.2. Sources of Personal Data: Customer, data subject.

4.4.3. Legal basis: the processing is necessary for the legitimate interests of the Company to inform the Debtors of the obligations incurred and to be repaid (Article 6(1)(f) of the Regulation).

4.4.4. Retention period: 10 years after the end of the contractual relationship (after the debt has been collected or a document confirming that the debt cannot be collected has been concluded).

4.4.5. Data recipients: postal service providers.

4.4.6. For the purpose of informing debtors, the Company shall also uses an automated communication application via various online platforms such as Messenger, Viber, Whatsapp, etc., which is provided by Wingnut Labs Ltd (Webio), based in Dublin, Ireland (for more information on the processing of the data see: https://knowledge.webio.com/portal/en/kb/articles/data-processing-overview). Categories of personal data communicated to the data processor: name, surname, telephone number, amount of the debt, grounds, creditor and other information constituting personal data that may be provided or received through this communication channel.

4.4.7. For the purpose of informing debtors and Customers, the Company shall also use automated SMS and e-mail sending platforms VivaSend, Omnisend, the administrators of which are third parties (data processors), to whom the Company may transmit your e-mail addresses and the content of the information sent. Platform administrators shall ensure the use of technologies compliant with standards in this area when providing e-mail services and may collect information on the date of reading the e-mail, the data subject's actions after opening the e-mail and other information for this purpose. VivaSend's Privacy Policy can be found here: https://vivasend.lt/privatumo-ir-slapuku-politika/; Omnisend's Privacy Policy can be found here: https://www.omnisend.com/privacy/.

4.5. Direct Marketing

4.5.1. For direct marketing purposes, the Company shall process the following personal data: name, surname, e-mail address, telephone number.

4.5.2. Sources of personal data: data subject.

4.5.3. Legal basis: consent of the data subject (Article 6(1)(a) of the Regulation).

4.5.4. Retention period: the data shall be processed for a period of 5 years from the receipt of the data subject's consent or until you withdraw your consent to the processing of personal data. If you withdraw your consent to the processing of your personal data for the purpose(s) set out in this Clause, only the fact of your consent shall be retained for a period of 10 years from the expiry of the consent period or the withdrawal for the purpose of asserting, exercising, or defending any legal claims of the Company.

4.5.5. You shall have the right to unsubscribe from promotional communications sent by the Company at any time, and you shall have the right to object to the processing of your personal data for the purpose of direct marketing, without giving reasons for your objection. You may withdraw your consent to the processing of personal data for the purpose of direct marketing by expressing your will clearly and unambiguously in writing to an employee of the Company. You may also exercise your right to object to the processing of personal data for the purpose of direct marketing in the following ways:

-     by clicking on the link in each e-mail sent to you;

-     by logging in to your Account and ticking your opt-out option;

-     by contacting the Company by telephone or e-mail at duomenys@legalbalance.lt with “Unsubscribe” in the subject field and indicating in the e-mail your name, surname and the address, telephone number or e-mail address where you do not wish to receive information.

4.5.6. For the purpose of providing personalised advertising, the Company shall use the Google Customer Match tool and process the following personal data: name, surname, e-mail address, telephone number, country, mobile device identification number. Legal basis for processing: consent of the data subject (Article 6(1)(a) of the Regulation). You shall have the right to object to the processing of your personal data for the purpose of providing personalised advertising by selecting the appropriate settings at: https://adssettings.google.ca/anonymous?hl=en. 

4.6. Recording Conversations

4.6.1. In order to ensure the quality of our services, to establish uniform practices, and to objectively deal with data subjects' requests or complaints, we record calls and process the following personal data of callers: telephone number, audio recording, and the metadata of the audio recording (the date of the call and the time at which the call started and ended). Before the start of the call, we shall inform you that the call is being recorded. By continuing the call, you consent to the recording of the call. If you do not agree to the interview being recorded, you are welcome to come to the Company for the interview.

4.6.2. Sources of personal data: data subject.

4.6.3. Legal basis: consent of the data subject (Article 6(1)(a) of the Regulation).

4.6.4. Retention period: for the purposes set out in this Clause, your personal data shall be processed for a period of one year from the receipt of the personal data. Where there are reasonable grounds to believe that the call recording material records the commission of a criminal offence or other unlawful acts, the necessary data from the call recording shall be transferred to secure media and retained in perpetuity for as long as there is an objective need for them to do so, even after the expiration of the term for retention of the call recordings referred to in this Clause.

4.6.5. Data recipients: courts, law enforcement and other public authorities.

4.6.6. For the purposes set out in this Clause, your personal data shall only be processed if the call takes place using telephone numbers assigned to the Company. The Company's telephone numbers shall be published on the Website.

4.6.7. To listen to call recordings or to obtain copies thereof, please contact the Company in accordance with the procedures set out in this Privacy Policy.

4.7. Implementation of the Law on International Sanctions and the “Know Your Customer” Principle

4.7.1. In order to implement the “Know Your Customer” principle and to comply with the obligations set out in the Republic of Lithuania Law on International Sanctions, we shall process the following personal data of the Customers (natural persons), the managers of the Customers (legal entities) and the final beneficiaries: name, surname, personal identification number, date of birth, nationality, country of residence, position, inclusion in the international lists of international financial sanctions, and any other personal data, which may comprise the content of the documents submitted to the Company.

4.7.2. Sources of personal data: the data subject, the Customer (legal entity), SE Centre of Registers, institutions and companies maintaining lists of sanctioned persons.

4.7.3. Legal basis: the processing of data is necessary for the purposes of the legitimate interests of the Company to know its customers and to comply with a legal obligation under Article 4(1) and (2), Article 7(1) and (2) of the Republic of Lithuania Law on International Sanctions (Article 6(1)(f) of the Regulation).

4.7.4. Retention period: the data shall be processed for as long as the contract concluded with the Customer is valid, after which the data shall be retained for 10 years for the purpose of asserting, exercising or defending the Company's legal claims and for the purpose of fulfilling the Company's statutory obligation to archive documents. In the absence of a contract with the Customer, the data shall be retained for 5 years from the moment the data is received.

4.7.5. Data recipients: Financial Crimes Investigation Service.

4.8. Inquiry Administration

4.8.1. When administering inquiries submitted on the Company's Website, including inquiries received via the Facebook Messenger integration, we shall process the following personal data of the persons submitting such inquiries: name, surname, contact details (telephone number, e-mail address), inquiry which may contain other personal data.

4.8.2. Sources of personal data: data subject.

4.8.3. Legal basis: processing is necessary for the legitimate interests of the Company in administering inquiries (Article 6(1)(f) of the Regulation).

4.8.4. Retention period: 10 years from the time of data collection.

4.9. Chatbot (Virtual Assistant)

4.9.1. In order to administer inquiries from potential clients, Customers, as well as Debtors visiting the Website and to answer questions regarding the Company's services, debt repayment options and other relevant issues, the Company's Website shall use a chatbot. A chatbot is a rule-based software that understands a user's text messages and responds with answers. The Company may use a data processor for this purpose. When administering the chatbot, we shall process the following personal data of inquirers: name, surname, e-mail address, the inquiry, which may contain other personal data, the user's clicks within the chatbot, Facebook profile name, surname, photograph address.

4.9.2. Sources of personal data: data subject, social network Facebook.

4.9.3. Legal basis: the processing of data is necessary for the legitimate interests of the Company to administer inquiries and to respond to inquiries from interested parties (Article 6(1)(f) of the Regulation).

4.9.4. Retention period: 10 years from the time of data collection.

4.9.5. Please note that your questions are answered by a chatbot (computer) and we cannot accept legal liability for the accuracy of such answers in all cases.

4.10. Assurance of the Functionality of the Website, Collection of Statistical Information

4.10.1. In order to improve the Website, to update marketing campaigns, to analyse and collect statistics on visitors to the Website, and to ensure the proper functioning of the functionalities of the Website, the Website shall use cookies, plug-ins and similar technologies. For this purpose, the Company shall process the following personal data of visitors to the Website: IP address, time of access to visitor accounts, Website browsing history and date. Website visitor statistics shall be analysed using Google Analytics cookies. The information collected by Google Analytics cookies about your browsing history shall be transmitted to and stored on Google servers.

4.10.2. Sources of personal data: data subject, Cookies and similar technologies.

4.10.3. Legal basis: the processing of the data is necessary for the legitimate interests of the Company to ensure the operation of the websites (on this basis, the processing of personal data collected on the basis of strictly necessary cookies is carried out) (Article 6(1)(f) of the Regulation), and the data subject's consent is required (personal data collected by means of non-essential cookies shall be processed for this purpose) (Article 6(1)(a) of the Regulation).

4.10.4. Retention period: the retention period of personal data depends on the specific cookie used to collect the personal data, but in all cases the retention period shall not exceed 2 years. The specific terms shall be set out in the Website's Cookie Policy.

4.11. Promotion of the Company's Visibility (Social Media Management)

4.11.1. The information you provide on social networking profiles operated by the Company (including messages, the use of the “Like” and “Follow” fields, and other communications), or that you receive when you visit the Company's accounts (including information obtained through the use of cookies used by the social networking operators), is under the control of the operator of the social networking site. We therefore recommend that you read the privacy notices of the social network operator, where you can find all the information about the categories of personal data collected, the retention periods and recipients, etc.

4.11.2. Legal basis: the processing is necessary for the legitimate interests of the Company to promote the visibility of the Company (Article 6(1)(f) of the Regulation).

4.11.3. As the administrator of your social media account, we shall choose the appropriate settings based on our target audience and our performance management and promotion objectives. The social network operator may restrict the ability of the Company to change certain essential settings by allowing the Company to create and administer a social network account, and thus we may not be able to influence what information about you is collected by the social network operator once the Company has created a social network account.

4.11.4. Any such settings may affect the processing of personal data when you use social media, visit the Company's account or read the Company's posts on a social media network. Even if you only look at our posts on Facebook, LinkedIn, Instagram or YouTube, the social network operator may receive certain personal information, such as which end device you are using, your IP address, etc.

4.12. The Company may process your personal data for other purposes in accordance with the requirements of the Regulation and the Republic of Lithuania Law on Legal Protection of Personal Data.

5.   DATA RECIPIENTS AND DATA PROCESSORS

5.1. The Company undertakes to respect the duty of confidentiality towards data subjects. Personal Data may be disclosed to third parties only if it is necessary for entering into and performance of a contract for the benefit of the data subject, for the performance of a legal obligation to which the Company is subject, for the protection of the Company's or a third party's legitimate interests, or for other legitimate reasons.

5.2. Without prejudice to the data recipients set out in Section 4 of the Privacy Policy, we may also provide your personal data to the following recipients:

5.2.1. public bodies and institutions, and other persons exercising functions assigned to them by law (e.g. law enforcement authorities, bailiffs, notaries, tax administration, supervisory authorities, financial crime investigation authorities);

5.2.2. chartered accountants, legal and financial advisers;

5.2.3. companies within the group to which the Company belongs;

5.2.4. the legal entities you represent.

5.3. The data may be processed by data processors providing the Company with cross-border collection services (EOS Cross-border platform, etc.), accounting, data centre and/or server rental, IT maintenance, external auditing, security, legal, data protection officer and other services.

5.4. Data processors shall have the right to process personal data only on the instructions of the Company and only to the extent necessary for the proper performance of their obligations under the data processing agreement. The Company, with the help of processors, seeks their confirmation that the processors have implemented appropriate organizational and technical security measures and will maintain the confidentiality of personal data.

5.5. If the data subject is more than 30 days late in performing his/her obligations, on the basis of a legitimate interest in the collection of debts, the Company shall transfer information about your personal identity, contact details and credit history, i.e. financial and property obligations and their fulfilment, debts and their payment, to the credit bureau UAB Creditinfo Lietuva (company code: 111689163, address: A. Goštauto st. 40A, LT 03163 Vilnius, Lithuania, www.manocreditinfo.lt, tel. No.: (+370 5) 2394149). The Credit Bureau shall process and provide to third parties (financial institutions, telecommunication companies, insurance companies, electricity and utility providers, trading companies, etc.) your personal data received from the Company in order to pursue its legitimate interests and purposes of assessing your creditworthiness and managing your debts. Creditworthiness assessment shall involve an automated assessment of a person's characteristics (profiling), which may adversely affect your ability to transact in the future. Automated assessment helps to ensure responsible lending and the legitimate interests of creditors by assessing information provided by the individual, credit history, public information, etc. Automated assessment methods shall be regularly reviewed to ensure their fairness, transparency, efficiency and impartiality. Credit history data shall be processed for 10 years after the fulfilment of obligations. You may access your credit history by contacting the Credit Bureau UAB Creditinfo Lietuva directly. You shall also have the right to request rectification or erasure or restriction of data processing, and the right to object to the processing of your personal data, to request human intervention and participation in automated decision-making, to express your point of view and contest the decision, as well as the right to data portability in the cases provided by law. You can find out more about the implementation and restrictions of these rights, automatic assessment of properties (profiling) at www.manocreditinfo.lt.

6.   PROFILING AND AUTOMATED DECISION MAKING

6.1. We are committed to protecting your privacy and ensuring transparency in our data processing practices. We would like to inform you that we do not carry out profiling or automated decision-making processes that may have a significant impact on your rights, interests or otherwise have a significant effect on you.

7.   TRANSFER OF PERSONAL DATA OUTSIDE THE EU/EEA

7.1. Your data may be transferred outside the EU/EEA, subject to the signing of agreements with the recipients that comply with European Union law.

7.2. Data may be transferred outside the EU/EEA where the transfer is necessary for the conclusion and performance of contracts and the proper provision of services to the Company's customers. In such a case, the Company shall take steps to ensure that any transfer of personal data outside the EU/EEA is properly executed and that the privacy rights of data subjects are maximally protected.

7.3. When transferring personal data outside the EU/EEA, the Company shall be guided by:

7.3.1. Decision on the eligibility of the foreign country taken by the European Commission;

7.3.2. Certification mechanism approved in a foreign country;

7.3.3. Decision adopted by the European Commission on standard contractual clauses.

7.4. The third country outside the EU/EEA in which the recipient of the personal data is located shall be required by a decision of the European Commission to ensure an adequate level of protection of personal data.

8.   RIGHTS OF DATA SUBJECTS

8.1. Each data subject has the following rights:

8.1.1. the right to know about the processing of your personal data;

8.1.2. the right to have access to your personal data and how they are processed;

8.1.3. the right to have your personal data rectified, erased or to restrict the processing of your personal domains;

8.1.4. the right to object to the processing of your personal data, unless the processing is carried out for the purposes of a legitimate interest pursued by the data controller or by a third party to whom the personal data are disclosed and the interests of the data subject are not overriding;

8.1.5. the right to have the Personal Data provided erased or to restrict the processing of Personal Data;

8.1.6. the right to have Personal Data, if processed by automated means, transmitted by the data controller to another data controller where this is technically feasible (data portability);

8.1.7. the right to object to automated data processing, including profiling;

8.1.8. the right to object to the processing of Personal Data for direct marketing purposes;

8.1.9. the right to withdraw your consent to data processing;

8.1.10. the right to lodge a complaint with the State Data Protection Inspectorate regarding the processing of Personal Data.

8.2. The data subject shall have the right to request the exercise of the data subject's rights orally or in writing, in person, by post or by electronic means. If the exercise of the data subject's rights is requested in writing by post, a copy of the person's personal identity document must be submitted with the request. If the data subject's personal data, such as name and surname, have changed, they shall be accompanied by a copy of the documents confirming the change in those data. In the case of a request submitted by electronic means, the request must be signed with a qualified electronic signature or must be made by electronic means which guarantee the integrity and the unalterability of the text.

8.3. The request for the exercise of the data subject's rights must be legible, signed by the data subject, and contain the data subject's name, surname, address and/or other contact details for the purpose of contacting the data subject or for the purpose of obtaining a response regarding the exercise of the data subject's rights.

8.4. The data subject may exercise his/her rights himself/herself or through a representative. In the request, the person's representative shall indicate his/her name, surname, address and/or other contact details for communication, by which the person's representative wishes to receive a reply, as well as the name of the represented person and any other data necessary for the proper identification of the data subject, and shall provide the document confirming the representation, or a copy thereof. In case of doubt as to the identity or data of the data subject, the Company shall request additional information necessary to verify it.

8.5. If the data subject does not apply in accordance with the procedure set out in this Chapter, the data subject shall be informed of the deficiencies at the latest within 7 calendar days of receipt of the application. The data subject's request shall not be considered if the data subject fails to rectify the deficiencies identified or fails to inform the Company of the reasons why the deficiencies identified cannot be rectified. In the event of objective circumstances which prevent the data subject from rectifying the deficiencies identified, the Company may, after assessing them, accept the data subject's request and process it. If the data subject applies in writing without complying with the form of the request established by the Company, this shall not be considered a deficiency in the data subject's request.

8.6. Upon receipt of the request, we shall provide a response no later than within 30 calendar days from the date of receipt of the request. In exceptional cases, this period may be extended by a further 30 (thirty) days upon notice to you.

8.7. The Company, acting as Data Controller, shall have the right to reasonably refuse to exercise your rights on the grounds set out in the Regulation.

8.8. You shall be provided with information about the processing of your data, the lawfulness and fairness of the processing shall be verified, the processing shall be terminated, and the data shall be deleted free of charge. Information shall be provided in Lithuanian.

8.9. You may submit your request by e-mail to duomenys@legalbalance.lt, by mail or by coming to the office at Žalgirio st. 90, LT-09303 Vilnius. In order to ensure the confidentiality enshrined in Article 38(5) of the Regulation, correspondence addressed to the Data Protection Officer by mail shall be marked on the envelope as addressed to the Data Protection Officer.

9.   DATA PROTECTION OFFICER

9.1. The Company has an appointed Data Protection Officer.

9.2. If you would like to clarify, find out how the Company processes your personal data, or if you intend to exercise your rights as a data subject, please contact the Company's designated Data Protection Officer by e-mail: duomenys@legalbalance.lt.

10. FINAL PROVISIONS

10.1. The law of the Republic of Lithuania shall apply to the enforcement and interpretation of the provisions of the Privacy Policy.

10.2. We may amend our Privacy Policy at any time. Any amendments to the Privacy Policy shall be posted on the Website. Amendments and/or supplements to the Privacy Policy shall come into force after their publication on the Website.

10.3. We recommend that you regularly review our Privacy Policy.