Data security policy

1. Introduction

When using our services, you entrust us with your information. We understand the importance of this responsibility and are committed to ensuring your data is secure and easily manageable. We protect your personal information against unauthorized use, alteration, loss, or disclosure without your consent. This Privacy Policy explains what information we collect, why we do so, and how you can review, update or delete it. Effective as of May 25, 2018.

2. Who Has Access?

Data Controller


The controller of your personal data stored in CRC databases is the Crises Research Centre, located at Prancuzu str., 62 – 23, LT – 44457 Kaunas, Lithuania, Tel. +370 676 22222, info@smp.lt, registered in Lithuania with company code 134637880.

The company collects and processes your personal data listed in this Policy on the following legal grounds:

  • Your consent under the conditions set out in the Rules and this Policy;
  • Our legitimate interest;
  • Compliance with legal obligations applicable to the Company;
  • Performance of a contract to which you are a party.

Data Processors


CRC relies on long-term cooperation with data processors. Agreements (GDPR Articles 28-29) have been signed with these processors, ensuring they comply with GDPR requirements.

Commitments Regarding CRC Partners


Before allowing service providers to operate in CRC databases, they undergo a thorough evaluation. All suppliers must meet applicable data protection laws, including GDPR. The terms of cooperation with suppliers are reviewed annually to ensure compliance with legal and regulatory requirements. If a supplier fails to meet these standards, cooperation may be terminated. Under applicable laws, the data controller and processor may disclose your data to the following third parties:

  • State/regulatory or law enforcement authorities;
  • Internal/external auditors;
  • In response to subpoenas, court orders, or other legal processes, as well as to establish or exercise legal rights, or in other legally permitted circumstances;
  • When necessary to investigate, prevent, or stop illegal activity or protect the rights, property, or safety of data processors, users, or others;
  • In the case of corporate transactions such as mergers, consolidations, asset sales, or unlikely events like bankruptcy;
  • Affiliates of the data controller or processor;
  • Partners, advertisers, or investors may receive aggregated and anonymized data only.

Third-Party Data Recipients


We may share your data with third parties providing services such as database, hosting, marketing, or analytics. They only receive necessary information and must process it securely as instructed by us. Data is disclosed to authorities only as required by law. For example, anonymized data may be shared with Google Analytics to analyze website usage. Personal data is processed exclusively within the EU and is not transferred to other countries.

Data Sources


Most of your personal data is collected directly from you, for example, when filling out registration forms or using our services. Data may also be obtained through email or other queries. If additional information is needed to process a request, we may combine your provided data with existing data, such as purchase history or account usage information.

3. What Data Do We Process and Why?

3.1. Account Creation and Management

  • What data is processed? Name, surname, address, email, phone number, date of birth.
  • Purpose: Account creation, management, and provision of services to registered users.
  • Legal basis: Contract (your agreement with the Terms and Policy).
  • Retention period: As long as you use the services. Data from inactive accounts is deleted after 10 years.

3.2. Ensuring Website and Application Functionality

  • What data is processed? Login, account activity, and technical browsing data.
  • Purpose: Ensuring the functionality and security of the website and application.
  • Legal basis: Contract or legitimate interest.
  • Retention period: 180 days from the last activity.

3.3. Provision of Services:

  • What data is processed? Name, surname, address, email, phone number, purchase data, date of birth.
  • Purpose: Order fulfillment, refunds, and application of discounts.
  • Legal basis: Contract, compliance with legal obligations (e.g., VAT invoice retention).
  • Retention period: 10 years (VAT invoices), saved shopping carts are kept until account deletion.

3.4. Providing Offers and News:

  • What data is processed? Name, email, phone number.
  • Purpose: Delivering offers, news, promotional information, and managing communication channels.
  • Legal basis: Your consent.
  • Retention period: As long as you agree to receive news.

3.5. Handling Inquiries and Complaints

  • What data is processed? Name, surname, contact details, inquiry content, additional information (e.g., purchase history).
  • Purpose: Responding to inquiries, resolving complaints, and improving services.
  • Legal basis: Legal obligation, legitimate interest.
  • Retention period: Email inquiries – 180 days, complaints – 12 months.

Important:

  • Ensure the accuracy of provided data. Update it yourself in case of changes.
  • After retention periods expire, data is either deleted or anonymized.

4. How Long Do We Retain Personal Data?

In accordance with applicable data protection laws, personal data is retained only as long as necessary to fulfill the purpose for which it was collected. Based on this principle, the following retention periods apply (reviewed annually):

  • Accounting data: Retained for 10 years, then deleted.
  • Personal data: Anonymized after 10 years from the last login (only general information, such as country, birth year, profession, course/certification, and membership data, is retained).
  • Course and certification data: Anonymized 10 years after the qualification expiry date.
  • Membership data: Anonymized 10 years after the last membership date.
  • Submitted inquiries: Deleted 2 years after resolution.
  • Backup copies: Deleted 180 days after creation.

5. How Do We Ensure Security?

We use advanced security technologies and procedures to protect your personal information from unauthorized access, use, or disclosure. We carefully select suppliers and require them to adhere to high security standards. However, transmitting information via the internet or mobile networks always carries a certain level of risk.

Security Measures:

  • Data encryption during storage and transmission.
  • Access to personal data requires a unique username and password.
  • Passwords are hidden, not sent via email, and inaccessible to anyone, including our employees.
  • Regularly archived data backups.
  • All data changes are logged with responsible party information, timestamps, and IP addresses.
  • Data export is limited—only training centers can export participant data for course administration.

6. Cookies

We use cookies. They help identify you as a service user, link your purchase history and other data to your browsing activity. Cookies ensure a smoother browsing experience, allow personalized offers, analyze user behavior, and improve our website and services.

7. Personal Data Breaches

In the event of a personal data breach that may pose a risk to your rights and freedoms, the data controller must notify the supervisory authority of the breach within 72 hours of its detection (as outlined in GDPR Article 55).

If the risk is significant, without prejudice to the provisions of GDPR Article 34, Paragraph 3, the data controller must also inform you about the breach, providing information on its origin, potential consequences, and contact details for further information.

8. What Are Your Rights as a Data Subject?

Data protection laws grant you several rights that you can freely exercise, and we are obligated to ensure your ability to do so. Detailed information on your specific rights and how to exercise them is provided in this Policy. Please read it carefully.

Your rights under data protection laws:

  • Right to information about data processing: You have the right to know how your personal data is processed (purposes, legal basis, recipients, retention periods, etc.).
  • Right to access your data: You can request confirmation of whether your data is being processed and, if so, access it along with related information.
  • Right to rectify data: If your data is inaccurate or has changed, you can request it to be corrected or updated.
  • Right to delete data (“right to be forgotten”): Under certain conditions, you can request the deletion of your data (e.g., when the data is no longer necessary for its original purpose).
  • Right to restrict data processing: Under certain conditions (e.g., if you dispute the accuracy of the data), you can request restrictions on data processing.
  • Right to object to data processing: You can object to the processing of your data based on legitimate interest.
  • Right to withdraw consent: If the processing is based on your consent, you can withdraw it at any time.
  • Right to data portability: You have the right to receive your data in a commonly used format and (if technically feasible) transfer it to another controller.
  • Right to file a complaint: If you believe your rights are being violated, you can file a complaint with the State Data Protection Inspectorate or contact us directly first.

Request handling procedure:

  • Identity verification: Please provide information that allows us to verify your identity (e.g., electronic signature, registration details).
  • Response time: We will respond within 1 month of receiving your request. If necessary, the deadline may be extended by 2 more months.
  • Rejection of requests: If a request does not meet legal requirements, we will notify you with a reasoned response.
  • Restriction of certain processing methods:
    • Data subjects can subscribe to or unsubscribe from newsletters, group messages, or other notifications via the designated account page on this website. Changes made by the data subject take effect within one week.
    • You can also unsubscribe from emails containing news, event notifications, or services by clicking the unsubscribe button or link at the end of each newsletter or group email.
    • However, while the data subject is enrolled in a course and the course is active, the training center may access personal identification and contact details. Since the training center cannot organize courses without being able to contact participants, providing this permission is required when registering for a course.

How to submit a request?

Contact us using the details provided in this Policy. We will respond via electronic or other means specified by you.

It is important to note that, without a specific request, your profile data will be deleted, and other data will be either deleted or securely anonymized if you discontinue using the Services and delete your account.

WARNING: Deleting personal data may result in the irreversible loss of personal links or evidence of memberships, training, certifications, or qualifications. However, as proof of fulfilling responsibilities, the data controller retains a printed copy of the data deletion request. These printed copies are not processed automatically or in cataloging systems, and therefore are not subject to GDPR requirements (GDPR Article 2, Paragraph 1).

9. How Can You Give Consent?

By confirming this Privacy Policy and providing personal data on this website, you confirm your consent for the data controller to process your data for the purposes stated.

10. Whom Can You Contact?

If you have any questions about this Privacy Policy or wish to exercise the rights described above, please contact the data controller at info@pirmojipagalba.lt.