Privacy Policy

  1. INTRODUCTION

    1. This Legal Click UAB (hereinafter referred to as the Company) personal data processing and privacy policy (hereinafter referred to as the Privacy Policy) sets out the basic privacy conditions applicable to the website https://www.legalclick.eu/ (hereinafter referred to as the Website).
    2. In the course of its activities, the Company processes the data of its employees and customers (customer representatives) and processes this data in accordance with this Privacy Policy. The Company respects the privacy of individuals and undertakes to protect their right to the lawful processing and protection of personal data.
    3. The Privacy Policy regulates the actions of the Company and its employees when processing personal data using automatic and non-automatic personal data processing tools installed at the Company, as well as establishes the rights of data subjects, personal data protection measures, and other issues related to the processing of personal data.
    4. The Privacy Policy regulates the processing of personal data by the Company, ensuring compliance with and implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as the Regulation), the Law on Legal Protection of Personal Data of the Republic of Lithuania (hereinafter referred to as the Law) and other legal acts of the Republic of Lithuania regulating the processing and protection of personal data.
    5. The Company collects personal data that a person voluntarily provides on the Website, by email, registered mail, by telephone, in person at the Company’s office, by registering on the Company’s Website and becoming a registered user (where the Company provides such an option), by purchasing services on the Website or by using the Company’s Website.
    6. The Privacy Policy applies to all persons visiting the Website, as well as to the actions they may perform on the Website, including registration (where the Company provides such an option) or communication on the Website, as well as the use of the Website’s services (hereinafter referred to as the “Services”). The Privacy Policy also applies when you visit social media accounts related to the Website, such as Facebook, LinkedIn, Instagram, and YouTube (hereinafter referred to as “Social Accounts”). By using the Website, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the Privacy Policy, you are not entitled to use the Website and the Services.
    7. The Website may contain links to third-party websites, products, and services, as well as social network extensions (e.g., Facebook plugins). This Privacy Policy does not cover third-party websites, services, or content, and we encourage you to review the privacy practices of such third parties.
  2. TERMS

    1. Personal data means any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who is identifiable, in particular by reference to an identifier such as a name, an individual identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    2. Data subject means a natural person from whom the Company receives and processes personal data.
    3. Employee means a person who has entered into an employment or similar contract with the Company and has been appointed by the Company’s manager to process Personal Data or whose personal data is being processed.
    4. Data recipient means a person to whom personal data is disclosed.
    5. Data provision – disclosure of personal data by transferring or otherwise making it available (except for publication in the media).
    6. Data processing – any operation performed on personal data: collection, recording, storage, classification, grouping, joining, alteration (supplementing or correcting), provision, disclosure, use, logical and/or arithmetic operations, search, dissemination, destruction or any other action or set of actions.
    7. Automated data processing – data processing operations carried out wholly or partly by automated means.
    8. Data processor – a legal or natural person (other than an employee of the data controller) authorized by the data controller to process personal data. The data processor and/or the procedure for its appointment may be specified in laws or other legal acts.
    9. Data controller – Legal Click UAB, legal entity code 306832277, address Žirmūnų g. 115-96, Vilnius, e-mail: info@legalclick.eu
    10. Consent – any freely given, specific, and unambiguous indication of the data subject’s wishes by a statement or by clear affirmative actions, by which he or she, by or through an authorized natural person, signifies agreement to the processing of personal data relating to him or her.
    11. Direct marketing – activities aimed at offering goods or services to individuals by mail, telephone, or other direct means, and/or inquiring about their opinion on the goods or services offered.
    12. Third party – a legal or natural person, other than the data subject, the data controller, the data processor, and persons who are directly authorized by the data controller or data processor to process data.
    13. Other terms used in the Privacy Policy shall be understood as defined in the Law on Legal Protection of Personal Data of the Republic of Lithuania and other legal acts regulating the processing of personal data.
  3. PRINCIPLES OF PERSONAL DATA PROTECTION

    1. The Company processes personal data in accordance with the following principles:
      1. Principle of lawfulness, fairness, and transparency. Data is processed lawfully, fairly, and transparently.
      2. Principle of purpose limitation. Data is collected for specified, explicit, and legitimate purposes;
      3. Principle of data minimization. Personal data is processed in a manner that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed;
      4. Accuracy principle. The Company keeps data accurate and updates it when necessary, and all reasonable measures must be taken to ensure that personal data that is inaccurate, taking into account the purposes for which it is processed, is erased or rectified without delay;
      5. Principle of storage limitation. Personal data shall be kept only for as long as necessary;
      6. Integrity and confidentiality principle. Data shall be processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage;
      7. Accountability principle. The Company is responsible for compliance with all data protection principles and for demonstrating its compliance.
    2. The Company respects the privacy of the Data Subject and undertakes to comply at all times with the principles of personal data protection set out in the Privacy Policy.
  4. PURPOSES AND LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA

    1. Personal data is processed and used in accordance with the purposes for which the Data Subject provided it to the Company or for other purposes approved by the Data Subject.
    2. Purposes of use of the Data Subject’s personal data:
      1. Processing and administration of the purchase (order) of services provided by the Data Subject;
      2. Identification of the Data Subject in the Company’s information systems;
      3. Identification of the Data Subject when logging into their account on the Website (where the Company provides such an option);
      4. Issuing and submitting confirmations of ordered services, invoices, and other financial documents;
      5. Resolving issues related to the performance of the contract;
      6. for contacting the Data Subject in the event of a change in the terms and conditions of the services purchased by the Data Subject;
      7. for the fulfillment of other contractual obligations;
      8. for the Company’s direct marketing purposes;
      9. for security, administrative, crime prevention, disclosure, and legal purposes;
      10. business analysis and general research that allows for the improvement of service quality;
      11. contacting the Data Subject for the purpose of obtaining customer feedback on the services purchased;
      12. evaluating a candidate’s suitability for a job, contacting the relevant candidate, etc.;
      13. auditing.
    3. By voluntarily providing their personal data to the Company, the Data Subject confirms and voluntarily agrees that the Company may manage and process the Data Subject’s personal data in accordance with this Privacy Policy, applicable laws, and other regulatory acts.
    4. The Privacy Policy must be complied with by all Company employees who process personal data held by the Company or who become aware of such data in the course of their duties, Data processors engaged by the Company or third parties engaged by the Company to provide data processing services, and only to the extent necessary to provide the service.
    5. The Company undertakes not to disclose personal data to third parties without the consent of the Data Subject, except to ensure the proper performance of the contract and other services related to the proper performance of the services ordered by the Data Subject. The Company may also transfer the Data Subject’s personal data to third parties who act as Data Processors on behalf of the Company. Personal data may only be provided to those Data Processors with whom the Company has signed the relevant Data Processing Agreements. It is assumed that the Data Subject is aware of this, agrees to it, and the Company shall not be liable for any damage arising from the use of the Data Subject’s data by third parties to the extent permitted by law. In all other cases, the Data Subject’s personal data may be disclosed to third parties only in accordance with the procedure provided for by the laws of the Republic of Lithuania.
    6. Legal basis for data processing (Article 6(1) of the Regulation):
      1. The Data Subject has given consent to the processing of his or her personal data for one or more specific purposes;
      2. Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
      3. processing is necessary for compliance with a legal obligation to which the controller is subject;
      4. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
  5. COLLECTION AND PROCESSING OF PERSONAL DATA

    1. The personal data collected by the Company may include: the Data Subject’s first name, last name, telephone number, email address, name of the legal entity on whose behalf the Data Subject is acting, credit/debit card or other payment details, information about the services purchased by the Data Subject (quantities, purchase dates, prices of services purchased, purchase history), and the Data Subject’s login name and password in encrypted form on the Website (if the Company provides such an option). The Website may collect certain information about the Data Subject’s visit, such as: the Internet Protocol (IP) address used by the Data Subject to access the Internet; the date and time of the Data Subject’s visit to the Website; other web pages visited by the Data Subject while on the Website; the browser used; information about the Data Subject’s computer operating system; mobile application versions; language settings, etc. If the Data Subject uses a mobile device, data may also be collected to determine the type of mobile device, device settings, and geographical coordinates (longitude and latitude). This information is used to improve the Website, analyze trends, improve products and services, and administer the Website. The Data Subject voluntarily provides this data when using the services provided by the Company, becoming a registered user of the Website (if the Company provides such an option) or when visiting the Website.
    2. All personal data provided and obtained from the Data Subject is collected, stored, and processed in accordance with the requirements of the Law on Personal Data Protection of the Republic of Lithuania and other legal acts regulating personal data protection in the Republic of Lithuania. The Company ensures that the data provided by the Data Subject is protected against any unlawful actions: unlawful alteration, disclosure or destruction of personal data, identity theft, fraud, and that the level of personal data protection complies with the requirements of the laws of the Republic of Lithuania.
    3. Persons who are authorised to process employees’ personal data shall comply with the principle of confidentiality and keep confidential any information relating to personal data that they become aware of in the course of their duties, unless such information is public in accordance with the provisions of applicable laws or other legal acts. The obligation to maintain the confidentiality of personal data shall also apply after the transfer to other duties, after the termination of employment or contractual relations.
    4. Documents containing personal data shall not be kept in a place accessible to everyone. Personal data contained in the texts of relevant documents (contracts, orders, requests, etc.) shall be stored in accordance with the terms specified in the General Document Storage Terms Index approved by order of the Chief Archivist of Lithuania. Other personal data shall be stored for no longer than is necessary to achieve the purposes set out in this policy. The terms for the storage of individual personal data shall be determined by the head of the Company.
  6. RIGHTS OF DATA SUBJECTS AND THE PROCEDURE FOR THEIR IMPLEMENTATION

    1. A data subject whose data is processed in the activities of the Company as a data controller has the following rights:
      1. the right to know (be informed) about the processing of their data;
      2. the right to access their personal data;
      3. the right to request the rectification of data;
      4. the right to request the erasure of data (the right to be forgotten);
      5. the right to restrict the processing of data;
      6. the right to data portability;
      7. the right to object to the processing of personal data;
      8. the right to lodge a complaint with a supervisory authority;
      9. the right to object to being subject to a decision based solely on automated processing, including profiling.
    2. The data controller shall take appropriate measures to provide the data subject with the information required by law and all notifications regarding the exercise of the data subject’s rights in a concise, transparent, and easily accessible form, using clear and plain language. The information shall be provided in writing or by other means, including by electronic means. At the request of the data subject, the information may be provided orally, provided that the identity of the data subject is established. The data subject may exercise his or her rights only when he or she enables the data controller to establish his or her identity. The identity of the data subject shall be established by requesting the data subject to provide an identity document (passport or ID card) or a copy thereof, as well as by using an electronic signature or other lawful means.
    3. Upon receiving a request for the exercise of the Data Subject’s rights, the Company shall respond to the Data Subject without delay, but in any case no later than within one calendar month from the date of receipt of the request. Depending on the complexity and number of requests, this period may be extended by two calendar months. The data controller shall inform the Data Subject of the extension within one calendar month of the date of receipt of the request. The information shall be provided to the Data Subject in the same form in which they submitted their request for the exercise of their rights, unless the Data Subject requests otherwise.
    4. It is recommended that all issues and disputes related to the right of access to data be resolved by contacting the Company (data controller). If the Company fails to properly exercise the Data Subject’s right to access data or its actions otherwise violate the laws governing the protection of personal data, the Data Subject has the right to lodge a complaint with the State Data Protection Inspectorate (hereinafter referred to as the “SDI”; information on how to lodge a complaint with the Inspectorate can be found on the Inspectorate’s website at: https://vdai.lrv.lt/lt/veiklos-sritys-1/skundu-nagrinejimas) or defend their violated rights in court.
    5. The information provided to data subjects, the exercise of the data subject’s rights, and all related notifications and actions are free of charge. Where the data subject’s requests are manifestly unfounded or excessive, in particular because of their repetitive nature, the Data Controller may:
      1. charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested;
      2. refuse to act on the data subject’s request.
    6. The data controller must be able to demonstrate that the request is manifestly unfounded or excessive.
  7. FUNCTIONS, RIGHTS, AND RESPONSIBILITIES OF THE DATA CONTROLLER

    1. As the Data Controller, the Company has the following rights:
      1. to prepare, review, and update this Privacy Policy and other internal legal acts governing the processing of personal data;
      2. to decide on the provision of Personal Data;
      3. to appoint a person responsible for the protection of Personal Data;
      4. to authorize other persons to process personal data or provide data to third parties.
    2. The Company, as the Data Controller, has the following obligations:
      1. to ensure compliance with the requirements for the processing of personal data set out in the Regulation and applicable national legislation governing the processing of personal data and in this policy;
      2. to ensure the exercise of the rights of the Data Subject in accordance with the procedure established by law;
      3. to ensure the security of personal data by implementing appropriate organizational and technical measures for the security of personal data;
      4. to select only a data processor who guarantees the necessary technical and organizational measures for the protection of personal data and ensures that such measures are complied with, and to conclude contracts with data processors;
      5. to notify the competent supervisory authority of the processing of personal data in accordance with the procedure established by the Regulation and other legal acts.
    3. The Company, as the Data Controller, performs the following functions:
      1. determines the purpose and scope of personal data processing;
      2. grants access rights and authorizations to process personal data;
      3. analyzes technological, methodological, and organizational issues related to the processing of personal data and takes decisions necessary to ensure the proper processing of personal data;
      4. provides methodological assistance to employees and data processors on issues related to the processing of personal data;
      5. ensures that employees processing personal data are familiar with the requirements of legislation governing the protection of personal data;
      6. performs other functions necessary to implement the rights and obligations of the data controller.
  8. TECHNICAL AND ORGANIZATIONAL MEASURES FOR THE SECURITY OF PERSONAL DATA

    1. The Company implements the following appropriate organizational and technical measures for the security of personal data in order to prevent unauthorized or unlawful processing of data and to protect against accidental loss, destruction, or damage:
      1. access to personal data is protected, managed, and controlled;
      2. access to personal data is only granted to persons who need it to perform their duties;
      3. personal data may only be used for the purposes for which the user has been authorized;
      4. access to personal data must be protected by passwords or other means. If passwords are used, they must meet the following requirements:
        • the maximum validity period of a password for logging into a personal account is 90 days, after which it must be changed to a new one;
        • the minimum length of a password is 12 characters, including at least one capital letter and at least one number;
        • the same password cannot be used several times in a row, nor can a password that has already been used before be reused.
      5. data is protected against unauthorized access by electronic means of communication;
      6. the premises where personal data is stored are physically protected, restricting access by unauthorized persons;
      7. the computer equipment used to process data is protected by antivirus software; the software installed on the Company’s IT equipment is regularly updated;
      8. responsible Company employees determine the data storage periods for different categories of data.
      9. To ensure the availability of personal data throughout its storage period, backup copies of such data are made in accordance with the backup schedule. Backup copies are stored in a secure environment with access audit records. Access is restricted to authorized employees only.
    2. If personal data security breaches are detected, the Company takes immediate measures to prevent unlawful processing of personal data.
    3. If a personal data breach occurs and this breach is likely to result in a high risk to the rights and freedoms of data subjects, the Company shall notify the VDAI without undue delay, no later than 72 hours after becoming aware of the fact.
    4. In the event of a personal data breach, the Company shall assess the causes of the personal data breach and the existing technical and organizational measures to prevent the personal data breach.
  9. PROVISION OF PERSONAL DATA

    1. The Company does not provide data to third parties. The Company processes data only within the European Union.
    2. Personal data may be provided to third parties only in accordance with the procedure established by the Regulation and other applicable national legislation governing the protection of personal data, and this shall be done to the minimum extent necessary for the specific case.
    3. Data may be provided to:
      1. Law enforcement authorities – courts, pre-trial investigation authorities, and other authorities in accordance with the procedure established by law (e.g., the State Tax Inspectorate, the State Social Insurance Fund, etc.);
      2. To service providers providing services to the Company, including legal, financial, tax, information technology, business management, personnel administration, and accounting advisors/service providers, having a legitimate basis for the provision of personal data;
      3. if it is decided to sell, purchase, merge or otherwise reorganise the Company’s business, personal data may be disclosed to potential or existing buyers and other consultants to the minimum extent necessary and on a legitimate basis, or personal data may be obtained from sellers and other consultants.
    4. Regular data processors of the Company – legal, financial, tax, information technology, business management, personnel administration, and accounting advisors/service providers.
    5. The Company and its authorized persons, including the Company’s data processors (if applicable), who have access to personal data, may process the data only in accordance with the Company’s instructions, except in cases provided for by European Union or Member State law.
  10. EMPLOYEE RESPONSIBILITIES

    1. Company employees are required to assist the Company in keeping their data up to date. Employees are required to notify the organization of any changes in their data, such as a change of residence, bank, or bank account number.
    2. In the course of their work, employees may have access to the data of other employees and customers. In such cases, these employees must comply with the obligations to protect the personal data of the relevant employees and customers.
    3. Employees with access must:
      1. only access data that they are authorized to access and only for purposes necessary to perform their job duties;
      2. not disclose data to other persons, except those (whether inside or outside the Company) who are authorized to access such data;
      3. protect the data (for example, by complying with rules on access to premises, access to computers, including password protection, and rules on the secure storage and destruction of documents);
      4. not take personal data or equipment that is or may be used to access personal data outside the Company without taking the necessary security measures (such as encryption or password protection) to protect the data or the equipment itself;
      5. not store personal data on local disks or personal devices used for non-work purposes;
      6. immediately report any personal data breaches they notice to the person responsible for personal data security at the Company.
    4. Failure to comply with these requirements may result in disciplinary action against the employee. Significant or intentional violations of this Privacy Policy, such as unauthorized access to personal data, unauthorized disclosure of data, etc., may be considered a serious breach of work discipline and may be grounds for dismissal without notice.
  11. FINAL PROVISIONS

    1. All Company employees who are authorized to process personal data or who become aware of such data in the course of their duties must comply with this Privacy Policy and the basic requirements for the processing of personal data set out in the Regulation and this Privacy Policy.
    2. Employees shall be informed of this Privacy Policy in writing. Upon hiring a new employee, they must be informed of the Privacy Policy on their first day of work.
    3. The Privacy Policy shall be reviewed at least once a year and, if necessary, amended or updated in accordance with the Company’s internal rules.