PRIVACY POLICY
This Privacy Policy (hereinafter referred to as the "
Privacy Policy") sets out the basic rules for the processing of your personal data when you use the websites
www.bobutespaskola.lt and
www.fino.lt of UAB BnP Finance (hereinafter referred to as the "Company" or "We") (hereinafter referred to as the "Sites"), when you are interested in
employment opportunities, when you make enquiries, when you make use of the services provided by the Company
and when you communicate with the Company.
By using the Company's services and by continuing to browse the websites, the Visitor (website user) confirms that
he/she has read this Privacy Policy and understands its provisions.
DATA CONTROLLER
The controller of the personal data specified in this Privacy Policy is UAB "BnP Finance", company code 302447985, registered office address Ukmergės g. 126, LT-08100 Vilnius, Lithuania.
SOURCES OF PERSONAL DATA
The personal data processed by the Company may be obtained directly from you when you, for example:
• You use the Company's services;
• You enter into a contract and/or represent another person, natural or legal;
• You are applying for a job with the Company and submit your CV and other information relevant to your
employment;
• You communicate with Us by telephone, email, letters, social networking accounts operated by the
Company and the like;
• You browse the Company's websites.
We may also receive your personal data indirectly from you, for example:
• Your data comes from the person representing you;
• Your data is provided by your spouse;
• Your data comes from premium collection companies;
• Your data is obtained from registers, databases, information systems, including but not limited to: Bank of
Lithuania, commercial banks and other financial institutions, the State Social Insurance Fund Board, the
State Enterprise Centre of Registers, UAB Creditinfo Lietuva, UAB Scorify, and other data controllers
maintaining joint data files on debtors, the public register of invalid personal documents, the public register
of wanted persons, provided that such data is necessary for making a decision on the granting of a credit
rating, the provision of credit, the provision of other services, and the management of debts.
THE PURPOSES, CATEGORIES, RETENTION PERIODS AND GROUNDS FOR PROCESSING
PERSONAL DATA
OBJECTIVES RELATING TO THE CONCLUSION AND PERFORMANCE OF CONSUMER CREDIT AND
LOAN AGREEMENTS
Identification
In order to properly identify individuals, we process the following data:
• If you choose to be identified using an electronic signature or the Smart ID app: name, surname, personal
identification number, phone number.
• If you choose to make an identification using the Mark ID application: name, surname, personal
identification number, photo of the person, photo of the identity document (top and back), video of the
identification, IP address, information from the public register of invalid identity documents, information
from the public register of wanted persons.
Legal basis: the processing is necessary for the performance of a contract or for pre-contractual activities (Article 6(1)(b) GDPR), the data subject has given consent to the processing of his/her personal data for this purpose (Article
6(1)(a) GDPR) (for the identification of the Mark ID application), processing is necessary for the fulfilment of a legal
obligation imposed on the data controller (Article 6(1)(c) GDPR).
Retention period:
personal data are kept for 10 years after the end of the business relationship.
Implementation of the "know your customer" principle to prevent money laundering and
terrorist financing
In order to implement the principle of "know your customer" (KYC) for money laundering and terrorist financing. In
order to comply with the "know your customer" or KYC principle, we process the following personal data of the
Company's customers, their representatives and beneficiaries: name, surname, personal identification number, date
of birth, ID number, nationality, address, country of residence, results of verification in public and private registers,
employment, position, activities, income and type of income, information on political participation, sanctions, share
of rights held by the legal entity, and other data on the customer.
Legal basis: processing is necessary for compliance with a legal obligation to which the controller is subject (Article
6(1)(c) GDPR).
Retention period:
personal data is kept for 8 years after the end of the business relationship with the client. In cases
where the transaction was not entered into as a result of the implementation of measures to prevent money
laundering and terrorist financing, the data shall be retained for a maximum of 1 year from the date of receipt.
Creditworthiness assessment and conclusion of a consumer credit agreement
In order to conclude consumer credit agreements, we process the following personal data of persons who have
applied to the Company for the conclusion of a consumer credit agreement:
• data about you: name, surname, personal identification number, place of residence (actual and declared),
telephone number, email address, details of identity document and/or qualified electronic signature;
• data on marital status: marital status, legal status of married couples, number of minors and dependants;
• details of employment: employer, job title, monthly salary, previous jobs in the last 12 months, and
documents and certificates supporting the salary;
• details of your income: economic or self-employed activity, amount of income, personal income tax return
details, amount of national social security benefits, documents and certificates supporting your income;
• data on financial liabilities: financial liabilities, amount, types, overdue and outstanding debts, documents
and certificates supporting the liabilities;
• your credit history: the name and code of your creditors, the amount of your financial obligations, and the
dates on which the debt was incurred and settled;
• asset data: assets held, value of assets;
• details of the credit requested: amount of contracts, purpose of the loan, amount, contract number and
date, repayment date, repayment schedule, unique user code, credit rating given, number of days overdue;
• information that the person is on a list of persons for whom applications have been made to prevent them
from concluding consumer credit agreements;
• information from the public register of invalid personal documents;
• information from the public register of wanted persons;
• information on the fact that the data subject is incapacitated or has limited legal capacity;
• Communication on contract terms, contract performance, etc.
• Live chat correspondence on the internet on contract terms, contract performance, etc., Facebook profile.
Legal basis: the processing is necessary for the performance of a contract or for pre-contractual measures (Article
6(1)(b) GDPR), the processing is necessary for compliance with a legal obligation to which the controller is subject
(Article 6(1)(c) GDPR), and the processing is necessary for the purposes of the controller's legitimate interests in the
development of its business (Article 6(1)(f) GDPR).
Retention period:
personal data are kept for 10 years after the end of the business relationship. In the case where
the transaction was not entered into in connection with the implementation of money laundering and terrorist
financing measures, the data shall be retained for a maximum period of 10 years from the date of receipt. If the
transaction was refused due to the implementation of money laundering and terrorist financing measures, the data
shall be kept for 8 years.
Data recipients: loan risk database administered by the Bank of Lithuania, UAB Creditinfo Lietuva, UAB Scorify.
Administration of self-service accounts on the website
In order to administer the accounts on the website, we process the following personal data of borrowers of
consumer credit and persons applying for loans: name, surname, personal identification number, bank account,
contact information (telephone number, e-mail address, address), information on loans (e.g. amount paid, amount
outstanding, period).
Legal basis: processing is necessary for entering into or performance of a contract with the data subject (Article
6(1)(b) GDPR).
Retention period:
personal data is kept for 10 years after the last contract has been completed. In the absence of a contract, the data will be kept for 10 years from the date of receipt (registration).
Concessional business loans
In cooperation with UAB "Investicijų ir verslo garantijos" (INVEGA) and in order to provide business loans on
preferential terms, we process the following personal data:
• Representatives of borrowers (legal persons): name, surname, contact details (address, telephone number,
e-mail address), identity details (personal identification number, date of birth, identity document number,
nationality, address, country of residence, other identity details);
• Final beneficiaries: name, surname, contact details (address, tel. Identity data (personal identification
number, date of birth, ID number, nationality, address, country of residence, other identity data,
creditworthiness data), creditworthiness data (credit rating, debt, bankruptcy information and other
creditworthiness data), customer identification information (results of checks in public and private
registers, employment, position, activities, income and type of income, information on political
participation, and other customer identification information);
• Borrowers' employees: name, surname, contact details (address, telephone number, email address),
identity details (personal identification number, date of birth, identity document number, nationality,
address, country of residence, other identity details);
• Donors: name, surname, contact details (address, telephone number, email address, phone number)
Identity data (personal identification number, date of birth, identity document number, nationality,
address, country of residence, other identity data, creditworthiness data), creditworthiness data (credit
rating, debt, bankruptcy information and other creditworthiness data), customer identification information
(results of checks in public and private registers, employment, position, occupation, activity, income and
type of income, political participation and other customer identification information);
• Depositors: name, surname, contact details (address, telephone number, e-mail address) Identity data
(personal identification number, date of birth, identity document number, nationality, address, country of
residence, other identity data, creditworthiness data), creditworthiness data (credit rating, debt,
bankruptcy information and other creditworthiness data), customer identification information (results of
checks in public and private registers, employment, position, occupation, activity, income and type of
income, political participation and other customer identification information);
Legal basis: the processing is necessary for the legitimate interests of the controller and third parties in the
performance of the contract with INVEGA (Article 6(1)(f) GDPR).
Retention period for personal data: the data shall be retained for 10 years after the end of the eligibility period,
except, where applicable, where documents and information are necessary to substantiate that
de minimis aid has
been granted in accordance with the provisions of Regulation (EC) No 1407/2013, in which case the personal data
must be retained for 10 years from the date on which the last loan agreement was concluded and the
de minimis
aid was granted.
Recipients of the data: the data processed for this purpose are transmitted to the Competition Council of the
Republic of Lithuania (KOTIS register), UAB "Investicijų ir verslo garantijos".
Managing enquiries
In order to properly administer requests and provide responses, we process the following data of those who have
made requests: name, surname, email address, telephone number, request or application which may contain other
personal data.
Legal basis: processing is necessary for the purposes of the legitimate interests of the controller and of third parties
in administering requests (Article 6(1)(f) GDPR).
Retention period: 5 years after the request has been resolved.
OTHER OBJECTIVES
Debt management
In the course of managing debts owed to the Company, we process the following personal data of customers and
guarantors:
• data about you: name, surname, personal identification number, place of residence (actual and declared),
telephone number, email address, details of identity document and/or qualified electronic signature;
• data on marital status: marital status, legal status of married couples, number of minors and dependants;
• Workplace details: employer, workplace, job title, monthly salary, previous jobs in the last 12 months,
documents and certificates to support salary;
• details of your income: economic or self-employed activity, amount of income, personal income tax return
details, amount of national social security benefits, documents and certificates supporting your income;
• data on financial commitments: financial commitments, amount, types, overdue and outstanding debts,
documents and certificates supporting the commitments, amount of contracts, purpose of the loan,
amount, contract number and date, date of repayment, repayment schedule, unique user code, credit
rating assigned, number of days overdue;
• your credit history: the name and code of your creditors, the amount of your financial obligations, the dates
on which the debt was incurred and settled;
• asset data: assets held, value of assets.
Legal basis: the processing is necessary for the legitimate interests of the controller and third parties in order to
recover debts (Article 6(1)(f) GDPR).
Retention period:
personal data is kept for 10 years after the commitments have been fully met.
Data recipients: debt collection companies, UAB Creditinfo Lietuva, UAB Scorify, loan risk database administered by
the Bank of Lithuania, courts.
UAB BnP Finance shall provide information on the identity, contact details and credit history, i.e. financial and
property obligations and their fulfilment, debts and their payment, to the credit bureau UAB "Creditinfo Lietuva"
(company code: 111689163, address: A. Goštauto g. 40A, LT 01112 Vilnius, Lithuania, www.manocreditinfo.lt, tel.:
(8 5) 2394149 and/or UAB "Scorify" (company code: 302423183, address, financial institutions, telecommunication
companies, insurance companies, electricity and utility providers, trading companies, etc.),
The credit history data of consumer credit borrowers will be processed in accordance with the legitimate interests
of UAB Creditinfo Lietuva and UAB Scorify and/or interested third parties (Article 6(1)(f) of the GDPR) in relation to
creditworthiness assessment and debt management. The creditworthiness assessment involves the automatic
assessment of personal characteristics (profiling), which may affect your ability to enter into future transactions.
Automated credit scoring helps you to lend responsibly by assessing information provided by the individual, credit
history, public information, etc. Automated scoring methods are regularly reviewed to ensure their fairness,
efficiency and impartiality.
Credit history data is kept for 10 years after the fulfilment of obligations. You can access your credit history by
contacting the managers directly. You also have the right to request rectification or erasure or restriction of
processing and the right to object to processing, to request human intervention in automated decision-making, to
express your point of view and contest the decision, as well as the right to data portability. You can find out more
about the exercise and limitations of these rights and about the automatic assessment of characteristics (profiling)
at www.manocreditinfo.lt and www.scorify.ai. If your rights are violated, you can contact the Data Protection
Officers
of Creditinfo Lietuva UAB at
[email protected] and Scorify UAB at
[email protected] or file a complaint with the State Data Protection Inspectorate or the court.
For the purpose of validating the content of conversations, ensuring quality of service and
uniform practices, and objectivity in dealing with data subjects' requests and complaints
(recording of conversations)
In order to confirm the content of the conversation, to ensure the quality of the services provided by means of
telephone communication, to form a uniform customer service practice and to ensure the objectivity of the
processing of requests and complaints from data subjects, we process the following personal data of callers:
telephone number, audio recording, metadata of telephone conversation recordings (telephone number of the
caller, date of the call, start and end time).
Legal basis: the data subject has given consent to the processing of his/her personal data for this purpose (Article
6(1)(a) GDPR) and the processing is necessary for the purposes of the legitimate interests of the controller in order
to confirm the content of conversations (Article 6(1)(f) GDPR).
Retention period: the data is kept for 10 years from the date of receipt.
Maintaining business relations
In order to maintain business relations with businesses, we process the following contact details of business
representatives: name, surname, job title, email address, telephone number, signature.
Legal basis: processing is necessary for the performance of a contract or for pre-contractual activities (Article 6(1)(b) of the GDPR) (for natural persons) and processing is necessary for the legitimate interests of the controller in order to ensure the communication with business partners (Article 6(1)(f) of the GDPR) (for legal persons).
Retention period: the data is kept for 10 years from the date of receipt.
Organisation and conduct of conference calls, virtual meetings/meetings, videoconferences
and/or webinars
For this purpose, the following personal data may be collected and provided to the Company by the persons
participating in the virtual meetings: information about the meeting participants (name, surname, telephone
number (optional), email address, etc. The data concerning the meeting (subject, description (optional), IP address
of the participants, hardware information of the device, start and end time of the video conference), recordings
(optional), telephone data (if connected by telephone) (originating and receiving telephone number, country, start
and end time of the call), text data (if necessary).
We would also like to mention that persons participating in virtual meetings are additionally informed about the
processing of their personal data and the data retention periods before the processing of such personal data starts,
i.e. before the virtual meeting.
Legal basis: the legitimate interests of the controller to ensure the organisation and conduct of remote meetings
and to ensure convenient and secure communication (Article 6(1)(f) GDPR).
Retention period: the personal data referred to above will be processed for as long as they are necessary for the
organisation and conduct of the virtual meetings/assemblies and the provision of the related services.
Internal management of personal data of executives, members of management bodies,
shareholders and final beneficiaries and compliance with legal obligations
For this purpose, the following personal data are processed: shareholders' data - name, surname, signature, personal identification number, residential address, copy of personal document; shareholders' and final beneficiaries' data - name, surname, date of birth, country of birth, personal identification number, residential address, nationality, country of residence for tax purposes, tax identification number, information on the identity document (type, number, country of issue, expiry date), copy of the identity document; for executives and members of the board of
directors: name, surname, signature, personal identification number, address of actual and declared residence, copy of identity document.
Legal basis: processing is necessary for compliance with a legal obligation to which the controller is subject (Article
6(1)(c) GDPR).
Retention period for personal data: for shareholders and final beneficiaries, personal data shall be retained for 10
years after the end of the period of being a shareholder/final beneficiary; for managers and members of
management bodies, personal data shall be retained for 10 years after the end of the period of being a manager or
a member of a management body.
Recipients: the State Enterprise Centre of Registers.
Recruitment and selection
In order to carry out the recruitment and selection of candidates for vacant positions in the Company, we process
the following personal data of applicants: name, surname, e-mail address, telephone number, address, contacts,
curriculum vitae (CV) and the information contained therein.
Legal basis: the data subject has given consent to the processing of his/her personal data for this purpose (Article
6(1)(a) of the GDPR) and the processing is necessary for the purpose of concluding or performing a contract with the data subject (Article 6(1)(b) of the GDPR).
Retention period:
personal data processed on the basis of consent are stored for 1 year. Data processed on other
grounds will be erased and no longer retained after the end of the selection process.
Direct marketing
In order to inform you about the Company's services, promotions or news, we send you newsletters and process the
following data of the persons who have consented to receive direct marketing offers: name, surname, telephone
number, e-mail address, the amount of the consumer credit granted and the data of the payments made under the
consumer credit agreement, statistical information on the opening and the reading of the direct marketing
messages.
Legal basis: the data subject has given consent to the processing of his/her personal data for this purpose (Article
6(1)(a) of the GDPR) and the processing is necessary for the purposes of the legitimate interests of the controller in
informing persons about the Company's activities and business development, as well as for the marketing of the
Company's similar services in accordance with Article 81(2) of the Law on Electronic Communications of the Republic of Lithuania (Article 6(1)(f) of GDPR).
You have the right to unsubscribe from promotional communications sent by the Company at any time and you have
the right to object, without giving reasons for your objection, to the processing of your personal data for the purpose
of direct marketing. We will consider your request to withdraw your consent to direct marketing within a maximum
of 14 (fourteen) days from the date of receipt of such request.
Pursuant to Article 81(2) of the Law on Electronic Communications of the Republic of Lithuania on E , the Company
may use the contact details of a data subject who has expressed his/her willingness to become a customer of the
Company and who has submitted a credit application to market its similar services by means of e-mail or SMS
messages. The data subject is given the opportunity to object to such use of his/her contact details by informing the
Company by email to
[email protected] or, in the case of communications, by unsubscribing from such communications by clicking on the dedicated link provided in each communication sent.
You can also withdraw your consent and exercise your right to object to the processing of personal data for direct
marketing purposes in the following ways:
• by clicking on the link in each email sent to you;
• by logging in to your account and ticking your opt-out option;
• by informing the Company by email;
• by expressing their will clearly and unambiguously in writing to an employee of the Company.
Retention period:
personal data shall be stored for a maximum of 5 (five) years from the date of consent or until
you withdraw your consent. After the expiry of the data processing period or if you withdraw your consent, We will
retain the data on the fact of your consent for 10 (ten) years from the expiry of the data processing period specified
in the consent or withdrawal of consent for the purpose of asserting, exercising or defending Our legal claims.
Loyalty programme
In order to offer our loyal customers extra money, we process the following personal data used to assign customers
to the relevant loyalty group: name, activity, payment of contributions.
We also process the following personal data when we create and provide you with personalised loyalty programme
offers (if you have consented to receive them): name, surname, email address, telephone number.
Legal basis: the data subject has given consent to receive personalised loyalty programme offers (Article 6(1)(a) of
the GDPR) and a legitimate interest in assigning the customer to the relevant loyalty group for the purpose of
providing additional money (Article 6(1)(f) of the GDPR).
Duration of storage of personal data: Data used for the purpose of assigning a customer to a particular loyalty group
is processed for 10 (ten) years from the date of execution of the contract with you; data used for the purpose of
providing loyalty programme offers is processed for 5 (five) years from the date of receipt of your consent to receive
direct marketing offers.
Publication of the Company's customers' opinions on the quality of the Company's services on
the Company's websites
In order to inform you about the services provided by the Company and the quality of those services, we process
the following personal data of the customers who have left a review: name, surname, email address, IP address,
information contained in the content of the review, and the data justifying the consent/ withdrawal of consent.
Legal basis: the processing is necessary for the legitimate interests of the controller to ensure the administration of
consents (Article 6(1)(f) GDPR).
Retention period: the data will be processed for 5 (five) years from the date of receipt.
Website administration and maintenance of functions
In order to improve the website, to analyse and collect statistics on website visitors and to ensure the proper
provision of electronic services and website functionalities, cookies, plug-ins and similar technologies are used on
the websites operated by the Company. For this purpose, the Company processes the following personal data of
website visitors: IP address, date of login, other information obtained by cookies.
Legal basis: the data subject has given consent to the processing of his/her personal data for this purpose (Article
6(1)(a) of the GDPR) (on which basis the processing of personal data collected by means of optional cookies is carried out), and the processing is necessary for the purposes of the legitimate interests of the controller in order to ensure the operation of the website, the maintenance of its functions and the provision of electronic services (Article 6(1)(f) of the GDPR) (on which basis personal data collected by means of optional cookies are processed).
Retention period: the retention period of
personal data depends on the cookie used to collect the personal data,
but in all cases the retention period shall not exceed 2 years.
SLAPS
The website uses cookies, which are small pieces of text information that are automatically created when you browse the website and stored on your computer or other terminal device. The information collected by cookies enables us to provide you with a more user-friendly browsing experience, to provide electronic services, to make offers and learn more about the behaviour of users of our websites, to analyse trends and to improve our website and services. Where the Company's website contains links to other websites that also use cookies, these are not described here.
We ask for your consent when we record functional, tracking, advertising cookies and/or third party cookies. When
we use essential cookies, we use them on the basis of legitimate interest and do not ask for your consent to record
such cookies. If we have already obtained your consent, we will not ask for your consent again in the future when
using the same cookie for the same purpose. This also applies to cookies used by third parties.
Your consent to the use of non-essential cookies can be revoked at any time by changing your browser settings, by
disabling all cookies or by disabling/enabling cookies one by one. Please note that in some cases, this may slow down
your internet browsing speed, restrict the functionality of certain websites or block access to the website. To set the
necessary (desired) cookie options, it is recommended that you use the functions available in the cookie notice or in
your web browser.
We use the following types of cookies on our websites:
• Strictly necessary cookies. Necessary to enable you to use the features of the website and to log in to your
user account. Without these cookies, you would not be able to use the electronic services we provide.
• Functional cookies. These are designed to improve the performance of the website and collect general
anonymous information about the use of the website.
• Statistical cookies Allow the Company to identify and count visitors to the website and to track how visitors
move around the website as they use it. This helps to improve the performance of the website, for example
to ensure that users can easily find what they are looking for.
• Marketing cookies. Used to recognise visitors when they return to a website. This allows the company to
provide tailored content on social networks, remember information relevant to visitors, etc.
Cookies used on the website
| Cookie name |
Function |
Period of validity |
Data used |
| _dc_gtm_UA-25151995-1 |
Identifies the user and provides information on how the page was accessed and used |
10 minutes |
In use, not in use |
| _fbp |
Identifies the user and provides information on how the page was accessed and used |
3 months. |
Number used by Facebook |
| _ga |
Identifies the user and provides information on how the page was accessed and used |
3 years |
Number used by Google analytics |
| _gcl_au |
Identifies the user and provides information on how the page was accessed and used |
3 months. |
Number used by Google Adsense |
| _gid |
Identifies the user and provides information on how the page was accessed and used |
1 d. |
Number used by Google analytics |
| ChatRoom |
Stores the information you need when browsing the website |
1 d. |
Number used by Google analytics |
| cookie-information |
Acceptance of the Cookie Policy |
3 years |
User choice |
| cookie-enable |
Acceptance of the Cookie Policy |
3 years |
User choice |
| PHPSESSID |
Stores the information you need when browsing the website |
1 d. |
Unique identifier |
INSIDE
Social plugins are used on websites operated by the company. The plug-ins are installed on the website to enable
website users to be directed to the Company's social networking accounts or the Company's correspondence
window on communication platforms.
Clicking on the plugins icon redirects you to the plugin manager page and provides the plugin manager with the page from which the request was made, the time and date of the request. The plugins are identified by the Facebook, Twitter and Youtube logos.
The information that a person submits on the plugin manager's page or that a person receives when visiting links to
plugins on the Company's website is controlled by the plugin managers. Information on the personal data collected
and stored, the legal basis for processing, the data retention periods, the technical and organisational security
measures applied is provided in the privacy notices of the plugin managers.
PROCESSING OF PERSONAL DATA ON SOCIAL NETWORKS
Promoting the company's visibility (social media management)
Together with social networks, we manage social media accounts on Facebook, Youtube and Twitter. The
information that a person provides on social media (including the use of the "Like" and "Follow" fields and other
communications) or that a person receives after visiting the Data Controller's accounts is controlled by the social
network managers. Therefore, the Data Controller recommends that you consult the privacy notices of the social
network managers.
Legal basis: the processing is necessary for the legitimate interests of the controller to promote the Company's
visibility and business development (Article 6(1)(f) GDPR).
As the administrator of social media accounts, we choose the appropriate settings based on our target audience and
our performance management and promotion objectives. Social network managers may have limited the ability to
change certain, essential settings and thus the Data Controller cannot influence what information about an individual
will be collected by social network account managers once the Data Controller has created social network accounts.
Any such settings may affect the processing of personal data by an individual when using social media, visiting the
Controller's accounts or reading the Controller's posts on social media. Generally, social media managers process
personal data (even data collected after the Data Controller has selected additional settings) for the purposes
specified by the social media manager, in accordance with the privacy policies of the social media managers.
However, when a person uses social networks, communicates with the Data Controller via social networks, visits the
Data Controller's accounts on social networks, the Data Controller receives information about the person. The scope
of the data received depends on the settings of the accounts selected by the Data Controller, the agreements with
the managers of the social networks for ordering additional services, and the cookies set by the managers of social
networks.
RECIPIENTS AND PROCESSORS OF PERSONAL DATA
We may provide your personal data to the following persons, taking into account the basis for the provision of the
data and to ensure the security of the data transmitted:
• personal data processors selected by the Company for the purpose of carrying out lawful processing of
personal data on behalf of and/or at the direction of the Company;
• third parties to assess your solvency, the risk of entering into and/or performing an obligation/contract
and/or to manage your debt;
• financial institutions participating in the information systems administered by UAB "Creditinfo Lietuva" and
UAB "Scorify", in order to enable financial institutions to assess your creditworthiness and financial risk and
to manage your indebtedness, where the data subject's request/consent for the provision of such data is
received;
• in the event of a breach by you of the terms of your contract with the Company, to third parties who will
be used to protect and defend the Company's rights and legitimate interests that have been violated;
• to third parties whose activities are related to debt collection or the creation, administration or use of a
debtor database for the purpose of administering your debt and/or collecting your debt owed to the
Company;
• other persons (lawyers, consultants, auditors, etc.) engaged by the Company to provide the Company
and/or services necessary for the Company and/or you;
• to other third parties if the data is transferred in accordance with the requirements of the legal acts of the
Republic of Lithuania, for example, the reporting of the contract concluded with you to the Loan Risk
Database administered by the Bank of Lithuania;
• providers of personal identification services (e.g. MarkID);
• for business partners;
• to state authorities, law enforcement agencies and other persons in accordance with the procedure
established by the legislation of the Republic of Lithuania, or where the provision of data is necessary for
the purpose of asserting, exercising or defending the Company's legal claims;
• contribution collection companies.
Your personal data may be provided to third parties in the following ways: in writing, by means of electronic
communications, by accessing databases or information systems that store individual data, or by any other means
agreed by the controllers of personal data.
You can provide the information about yourself, your personal data requested by the Company by coming to the
Company's registered office, logging into your user account or by sending an email or postal mail.
TRANSFER OF PERSONAL DATA OUTSIDE THE EU/EE
Your data may be transferred outside the European Union, subject to the signing of agreements with data processors that comply with European Union law.
Data may be transferred outside the European Union where the transfer is necessary for the conclusion and
performance of contracts and the proper provision of services to the Company's customers. In such a case, the
Company shall take steps to ensure that any transfer of personal data outside the EU/EEA is properly executed and
that the privacy rights of data subjects are protected to the maximum extent possible. The Company's transfer of
personal data outside the EU/EEA shall be guided by:
• a decision on the eligibility of a foreign country taken by the European Commission;
• Certification mechanism approved in a foreign country;
• Decision adopted by the European Commission on standard contractual clauses.
The third country outside the EU/EEA in which the recipient of the personal data is located is required by a decision
of the European Commission to ensure an adequate level of protection of personal data.
PROFILING AND AUTOMATED DECISION-MAKING
In order to assess your creditworthiness and to make a semi-automated decision on the granting of consumer credit,
the amount of interest and the amount of instalments to be paid, to monitor your transactions, to prevent money
laundering and fraud, or for any other purposes related to the Company's legitimate interests, the performance of
its statutory obligations and the performance of the contract concluded with you, the Company may carry out
profiling relating to the processing of your personal data by means of automated or semi-automated processing.
When making credit decisions by automated means, we use mathematical or statistical procedures and implement
technical and organisational measures to ensure that the factors leading to inaccuracies in personal data are
corrected and the risk of error is minimised, and that personal data are protected in a way that takes into account
the possible risks to your rights and legitimate interests.
An automatic credit decision can only be taken in an ideal case, i.e. when the Company has no doubts about your
creditworthiness in the light of the Company's consumer credit assessment criteria, otherwise no automatic credit
decision is taken and the consumer is assessed individually.
The decision on the granting of consumer credit, the amount of interest and the amount of the instalments to be
paid under the consumer credit agreement is taken by semi-automated processing of your data, and you have the
right to contest such a decision and to have it reviewed by the Company.
The Company also carries out profiling related to the assignment of Customers to a particular loyalty group. We carry out this loyalty grouping in order to offer our most loyal Customers additional money. Customers are assigned to a particular loyalty group based on data such as activity, payment of instalments, lateness, etc. For profiling purposes, the Company processes the following personal data: the amount of credit granted and the payments made during the performance of the credit agreement.
Please be informed that in addition to the rights set out in the section "Data Subject Rights" of this Privacy Policy,
you also have the right to request human intervention, to express your point of view and to contest a decision taken
by automated means (Article 22(3) GDPR).
DATA SUBJECT RIGHTS
As a data subject, you have the rights set out below in this section.
The right of access to personal data processed about you
You have the right to obtain confirmation from the Company as to whether or not the Company processes your
personal data and to have access to your personal data and the manner in which they are processed, i.e. to obtain
information on the period of retention of personal data, information on the sources and nature of the personal data
collected, the purpose for which they are processed, to whom they are provided, and the duration of their storage.
Within one month of receipt of the request, we will check whether your personal data is processed by the Company.
If we determine that we are processing your personal data, we will provide you with information about the personal
data processed and a copy of the personal data processed.
We can extend the time limit for responding if necessary. We will inform you of this. You have the right to apply to
the State Data Protection Inspectorate for such an extension.
If your requests are manifestly unfounded or disproportionate, we have the right to refuse to comply with your
request.
Right to have personal data rectified
If your data has changed or you believe that the data processed by the Company about you is incomplete or
inaccurate, you have the right to request that the Company amend, correct or supplement your personal data.
The right to have personal data erased ("right to be forgotten")
You have the right to request the erasure of your data in the cases provided for by law. We have the right to refuse
to comply with this request in the cases provided for by law, including but not limited to the cases discussed in Article 17(3) of the Regulation.
If we comply with your request and the personal data (deleted at your request) have been transferred to recipients,
we will inform these recipients unless this would be impossible or would require a disproportionate effort. We will
provide information about such recipients upon your request.
Right to restrict processing
Under certain conditions established by law (e.g. contestation of the accuracy of the data, unlawful processing, etc.),
you have the right to submit a request to the Company to restrict the processing of your personal data.
The Company will inform all recipients of the data after implementing your request for restriction of processing,
unless this would be impossible or would require a disproportionate effort. You have the right to make a request for
information about those recipients.
We will keep personal data for which processing operations are restricted until they are destroyed (at the request
of the data subject or after the expiry of the data retention period), and other processing operations may only be
carried out with such personal data:
• for the purpose of demonstrating the circumstances which led to the restriction of the processing of
personal data;
• if you give your written consent to further processing of your personal data;
• where necessary to protect the rights or legitimate interests of the Company or third parties.
Right to data portability
You have the right to transfer the data relating to you which are processed by the Company by automated means
on the basis of consent or contract to another controller. Upon your request for transfer, the Company will provide
you with the data in a structured, commonly used and computer-readable format to you or to the controller you
have indicated, where technically possible.
Right to withdraw consent to data processing
You have the right to withdraw your consent to the processing of your personal data at any time where the
processing of your personal data is based on your consent.
Right to object
You have the right to object at any time, on grounds relating to your particular case, to the processing of personal
data concerning you where such processing is carried out on the basis of legitimate interest and for the performance
of a public function, including profiling on the basis of those provisions.
The Company shall no longer process your personal data unless it can demonstrate that the processing is carried out for compelling legitimate reasons which override your interests, rights and freedoms or for the defence of a legal claim.
Where your data is processed for direct marketing purposes, you have the right to object to such processing at any
time. The Company shall suspend the processing of personal data for direct marketing purposes upon request.
Right to lodge a complaint with a supervisory authority
If you believe that the processing of your Personal Data by us infringes your rights and legitimate interests under
applicable law, you may lodge a complaint with the supervisory authority, the State Data Protection Inspectorate.
The State Data Protection Inspectorate's complaints procedure can be found here:
https://vdai.lrv.lt/lt/atmintines/atmintine-asmenims-ketinantiems-kreiptis-i-valstybine-duomenu-apsaugos-
inspekcija-del-skundo-pateikimo/kaip-kreiptis-i-inspekcija
THE PROCEDURE FOR CONTACTING THE COMPANY REGARDING THE RIGHTS OF THE DATA
SUBJECT
You can exercise your rights at any time by logging in to your user account at www.bobutespaskola.lt and submitting
a request, as well as by coming to the Company's registered office at Ukmergės g. 126, Vilnius or by submitting a
free-form application form together with a copy of your identity document to
[email protected].
We will notify you within 30 (thirty) days at the latest of the destruction or restriction of the processing of the
personal data of the data subject, whether or not carried out at your request.
The Company, acting as a data controller, shall have the right to reasonably refuse to exercise your right to restrict
the processing of the data subject's data on the grounds set out in the GDPR, including, but not limited to, if further
processing, storage or retention is necessary for the Company to assert, exercise or defend its legitimate interests.
The Company's refusal to exercise your rights as a data subject may be appealed to the State Data Protection
Inspectorate of the Republic of Lithuania.
You will be provided with information about the processing of your data, the lawfulness and fairness of the
processing will be verified, the processing will be terminated, and the data will be destroyed free of charge.
PERSONAL DATA PROTECTION
The Company's aim is to ensure that all information received from you and from public data files is as secure as
possible. The Company uses various administrative, technical and physical security measures to protect this
information from unauthorised access, use, copying or disclosure.
The Company notes that data transmitted by electronic communications are transmitted over communication
networks operated by electronic communications service providers and therefore the Company cannot guarantee
and is not responsible for the security and safety of the data transmitted by such means.
You must take active measures to ensure the confidentiality of his/her personal data and must make every effort to
protect his/her login password to the Website from third parties and not to disclose it to third parties in any direct
(indirect) way and to ensure that no third parties can use his/her data for the use of the Website and/or the services
provided by the Company, and/or for any other purposes.
You are responsible for any acts of third parties that are committed using your data, and all obligations and liabilities
arising from or in connection with such acts of third parties shall be borne by you to the fullest extent.
CONTACTS FOR THE DATA PROTECTION OFFICER
The Company has a Data Protection Officer. His/her contact details are as follows: telephone +370 700 800 70, e-mail
[email protected].
FINAL PROVISIONS
The Websites may contain links to third-party websites, legislation, as well as links to social networks (the ability to
share the Website content on Facebook and Instagram). It should be noted that third party websites linked to the Site are subject to the privacy policies of those websites and the Company is not responsible for the content of the information provided by those websites, their activities and the provisions of their privacy policies.
POLICY REVIEW
The law of the Republic of Lithuania shall apply to the enforcement and interpretation of the provisions of the Privacy Policy.
This Privacy Policy shall not be deemed to be an agreement between the Company and the Data Subject regarding the processing of the Data Subject's personal data. This Privacy Policy informs you about the principles of the Company's processing of your personal data, and the Company has the right to unilaterally amend and/or supplement this Privacy Policy at any time, so we recommend that you always familiarize yourself with the latest version of this Privacy Policy.
Changes and/or additions to the Privacy Policy shall come into force after their publication on the Website.
If any provision of the Privacy Policy becomes or is found to be invalid, the remaining provisions shall remain in effect.
Last updated 2024 24 January