Privacy Policy
Published and valid from 2023-05-15
The privacy policy (hereinafter referred to as the “Privacy Policy”) of the website www.itella.lt (hereinafter referred to as “the Website”) of the UAB Itella Logistics, legal entity code 110883051, address Pirklių g. 5, LT-02300 Vilnius, Lithuania (hereinafter referred to as “We”), explains how We, as the controller of your personal data, process your personal data when you are using and visiting the Website and what rights you have as a data subject and how you can exercise them.
When processing your personal data, we comply with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as the “GDPR”), the Law of the Republic of Lithuania on the Legal Protection of Personal Data, and any other applicable legal acts regulating personal data protection.
If you are using the Website, it means that you have read and understood this Privacy Policy and the purposes, legal grounds, methods and procedures for processing your personal data as set out therein.
Please note that we process certain of your personal data, as will be indicated in this Privacy Policy, on the basis of your consent to the processing of personal data or (and) on the basis of our legitimate interest(s), therefore you have the right to withdraw such consent at any time, without prejudice to the lawfulness of data processing based on consent until the withdrawal of consent, or (and) to object to such use of your personal data. More detailed information about your rights and how to implement them can be found in Section 6 of the Privacy Policy.
- WHAT PRINCIPLES OF PERSONAL DATA PROCESSING DO WE FOLLOW
1.1. When processing your personal data, we:
1.1.1. we will comply with the requirements of current and applicable legislation, including the GDPR;
1.1.2. process your personal data in a lawful, fair and transparent manner;
1.1.3. collect your personal data for specified, explicit and legitimate purposes and will not further process your personal data in a way that is incompatible with those purposes, except to the extent permitted by law;
1.1.4. we will take all reasonable steps to ensure that personal data that is inaccurate or incomplete, in relation to the purposes for which they are processed, immediately corrected, supplemented, suspended, or destroyed;
1.1.5. keep your personal data in a form which permits your identification for no longer than is necessary for the purposes for which the personal data are processed;
1.1.6. not disclose personal data to third parties or make them public, except in the cases specified in the Privacy Policy or applicable legislation;
1.1.7. ensure that your personal data is processed in such a way as to ensure, by appropriate technical or organisational measures, adequate security of personal data, including protection against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage. - LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA
2.1. We process your personal data on the following legal grounds:
2.1.1. in concluding, executing, amending and administering the contract (Article 6(1)(b) of GDPR);
2.1.2. in meeting our legal obligations and regulatory requirements (Article 6(1)(c) of GDPR);
2.1.3. in pursuance of our legitimate interest (Article 6(1)(f) of GDPR);
2.1.4. in implementing your consent (Article 6(1)(a) of GDPR).
2.2. To the extent and under the conditions provided for by the applicable legal acts, one or more of the above legal bases may apply to the processing of your personal data. - HOW DO WE COLLECT YOUR PERSONAL DATA?
3.1. We process your personal data obtained in the following ways:
3.1.1. When you provide personal data to us. You provide us with your personal data and other information by using the Website, registering for the self-service of the Website, writing to us or communicating with our customer service team by phone, email or other means, submitting your complaints and/or requests, etc.;
3.1.2. When you use our Website. When you use the Website, certain information (e.g. type of web browser used, number of visits to the Website, pages viewed on the Website, etc.) is collected automatically;
3.1.3. When we receive your personal data from other persons in accordance with the procedure established by legal acts and/or this Privacy Policy. - PURPOSES OF PERSONAL DATA PROCESSING
4.1. The personal data we collect about you depends on the services you use on our website and the personal data you have provided to us.
4.2. Please be informed that we process your personal data specified below for the following purposes:
4.2.1. For the purpose of registering for and using our My Smartpost, Smartship and Smartship self-service accounts:
| Data categories | Name; telephone number; e-mail address; the address of the selected post office or pick-up address, information on dispatched parcels, returned parcels, parcel number |
| Legal basis for data processing | Contract (Terms of Use) (Articles 6(1)(b) of GDPR) |
| Term of data processing | Personal data is processed for as long as you use your self-service account and for 2 years after your last login to your self-service account |
| We receive data directly from | you; if you access your Self-Service account via Facebook or Google, we receive personal data from the operators of these social networks |
| We provide or transfer data to | IT, server service providers; Posti Group companies; |
4.2.2. For the purpose of entering into and performing contracts with the Company’s customers, suppliers, partners, i.e. to communicate and identify the customer, supplier or partner, to process and administer orders, to issue or receive accounting documents, to resolve related problems, to perform all other contractual obligations of the Company and to exercise rights
| Data categories | Name; surname; e-mail address; telephone number; full name of the legal entity’s representative; position of the legal representative; contact address of the place of residence or business; consignment number; delivery address; content of correspondence, etc. |
| Legal basis for data processing | The processing is necessary for the performance of a contract to which the data subject is a party, or to take action at the request of the data subject prior to the conclusion of the contract (Articles 6(1)(b) of GDPR); on the basis of the company’s legitimate interest (when contracts are concluded with legal persons) (Article 6(1)(f) of GDPR). |
| Term of data processing | Personal data is processed for the duration of the contract for the provision of services and for 10 years after the expiry of the contract. |
| We receive data directly from | Personal data is obtained directly from the data subjects themselves or their employers |
| We provide or transfer data to | IT and data storage service providers; accounting service providers; payment service providers; audit firms; partners who provide parcel or freight delivery services; Posti Group companies |
4.2.3. For the purpose of filing and handling complaints:
| Data categories | Information about the reason for the claim; description (content) of the claim; consignment number; whether the claim is made by the consignee or the consignor; contact details – name, surname, telephone number, email address |
| Legal basis for data processing | Your consent to the processing of personal data (Article 6(1)(a) of GDPR). |
| Term of data processing | Personal data are processed for as long as the claim is pending and for 3 years after the claim has been processed |
| We receive data directly from | you; |
| We provide or transfer data to | IT, server service providers; Posti Group companies; Law enforcement authorities, dispute resolution services and bodies, courts; partners for whom we deliver on behalf of |
4.2.4. For the purpose of direct marketing (sending newsletters, promotions, surveys and other marketing offers and news):
| Data categories | Name; e-mail address; telephone number |
| Legal basis for data processing | Your consent to the processing of personal data (Article 6(1)(a) of GDPR). |
| Term of data processing | Personal data shall be processed for as long as the Data Subject’s consent is valid, but not longer than 2 years |
| We receive data directly from | Directly from you |
| We provide or transfer data to | IT, server service providers; our service providers who provide marketing services; Posti Group companies; |
4.2.5. For the purpose of organising and running lotteries and contests:
| Data categories | Name; e-mail address, other data relevant to a particular lottery/ competition |
| Legal basis for data processing | Contract (specific lottery, contest rules) (Articles 6(1)(b) of GDPR) |
| Term of data processing | Personal data is processed for as long as the lottery or (and) contest is held and for 2 years after the end of the lottery |
| We receive data directly from | Directly from you |
| We provide or transfer data to | IT, server service providers; our service providers who provide marketing services; Posti Group companies; |
4.2.6. For the purpose of ensuring the quality of service, objectivity of examination of requests and complaints of persons, recording of telephone conversations shall be carried out:
| Data categories | Content of the telephone call; time of the start of the telephone call; duration of the call; duration call waiting time; caller’s phone number; telephone number of the person who answered |
| Legal basis for data processing | Our legitimate interest (Article 6(1)(f) of GDPR) |
| Term of data processing | Personal data is processed for 3 (three) months from the moment of receipt |
| We receive data directly from | Directly from you |
| We provide or transfer data to | IT, server service providers; service providers providing a service for recording and/or storing telephone conversations; Posti Group companies; |
4.2.7. Video surveillance and recording is carried out to ensure the security of our property and proprietary rights and the safety of persons entering premises and areas under our control:
| Data categories | During video surveillance and recording, your image data is processed |
| Legal basis for data processing | Our legitimate interest (Article 6(1)(f) of GDPR) |
| Term of data processing | Video surveillance data is processed for 6 months from the moment they are captured |
| We receive data directly from | Directly from you, i.e. during video surveillance, data is automatically collected by persons entering the video surveillance field |
| We provide or transfer data to | Service providers providing video surveillance and recording services; the security service providers |
4.2.8. For the purpose of managing and administering our social media accounts (Facebook, LinkedIn, YouTube):
| Data categories | Name of the social network account; personal photo; personal reactions to the content we generate (likes, comments, shares) |
| Legal basis for data processing | Your consent to the processing of personal data (Article 6(1)(a) of GDPR) |
| Term of data processing | Personal data is processed for as long as our or your social networking account is valid, unless you express your wish to delete the data contained in our social networking accounts before |
| We receive data directly from | Directly from you |
| We provide or transfer data to | IT, server service providers; our service providers who provide marketing services; social network managers |
4.2.9. For the purpose of selecting candidates to fill vacant posts:
| Data categories | CV; cover letter; other information related to your professional competence that you voluntarily provide when applying for a job position. We only process your personal data that is provided in the documents sent to us and that relates to your competence, skills and experience and that helps us to better assess your potential and career opportunities. |
| Legal basis for data processing | Your consent to the processing of personal data (Article 6(1)(a) of GDPR); Our legitimate interest in selecting suitable candidates (Article 6(1)(f) of GDPR) |
| Term of data processing | We will process your personal data only for as long as the selection of the candidate (usually 3-4 months) to which you have provided information about yourself is carried out. At the end of the selection phase and with your separate consent, we will process your data for another 1 (one) year so that during this period, if a suitable position appears according to your CV, we can offer you to participate in the selection or submit a job offer. |
| We receive data directly from | Directly from you |
| We provide or transfer data to | IT, server service providers; recruitment companies that assist us in recruiting candidates and provide us with services related to recruitment, candidate assessment and internal administration; |
4.2.10. For the purpose of personal service (for the purpose of administering requests, enquiries, complaints or other communications between individuals and us):
| Data categories | Name; surname; e-mail address; the content of a request, query, complaint or other message; date and time of referral |
| Legal basis for data processing | Our legitimate interest (Article 6(1)(f) of GDPR) |
| Term of data processing | Personal data is processed for as long as your consent is valid, but no longer than 2 (two) years |
| We receive data directly from | Directly from you |
| We provide or transfer data to | IT, server service providers; Posti Group companies |
4.2.11. For the purpose to ensure the functionality of the Website, administer the Website, diagnose possible malfunctions of the Website, and perform statistical analyses in order to determine your needs in relation to certain functions and to analyse how and where to make the most efficient use of the available resources:
| Data categories | Internet Protocol (IP) address; type of web browser used; number of visits; view pages of the website; time spent on the website; online source from which the person came; information about the device you are using; language; country; internet provider, etc. |
| Legal basis for data processing | Your consent to the processing of personal data (Article 6(1)(a) of GDPR) |
| Term of data processing | Personal data is processed for as long as your consent is valid, but no longer than 2 (two) years |
| We receive data directly from | Directly from you |
| We provide or transfer data | IT, server service providers; Posti Group companies |
- TRANSFER OF PERSONAL DATA
5.1. Please be informed that we do not transfer or otherwise disclose your personal data to third parties, except in the cases specified below:
5.1.1. if there is your request and/or consent;
5.1.2. to data processors who process Your personal data on Our behalf and for the purposes set out by Us and specified in this Privacy Policy (e.g. IT, server service providers, marketing service providers);
5.1.3. to law enforcement authorities, bodies and/or other recipients to whom the data must be communicated in accordance with legal requirements.
5.2. In cases where we transfer data in the case referred to in Section 5.1.2 of this Privacy Policy (i.e. to data processors), we require data processors to process the transferred data only in accordance with our instructions, for the purposes set out by us and in accordance with this Privacy Policy, the laws on the legal protection of personal data and the data processing agreements concluded between us and the data processors.
5.3. In order to fulfil a legitimate purpose and on a legitimate basis, we may transfer your personal data to entities located outside the European Economic Area (EEA) (for example, if our data processors or data recipients are established outside the EEA). In the event that personal data is transferred from the EEA to countries that are not recognised by the European Commission as ensuring an adequate level of protection of personal data, we take all appropriate measures to protect your personal data (for example, we base the transfer of personal data on standard contractual clauses for data transfers approved by the European Commission). - YOUR RIGHTS AND HOW TO EXERCISE THEM
6.1. As a data subject, you have the following rights:
6.1.1. The right to be informed about our processing of personal data. You have the right to obtain information about the processing of your personal data, the sources of your personal data, the purposes of the processing, the legal bases, the retention period and the persons, recipients or processors of the data, the rights of the data subject, etc.
6.1.2. The right to have access to your personal data processed by us. You have the right to access and obtain a copy of the personal data we process about you.
6.1.3. The right to request rectification of your personal data processed by us. You have the right to request the rectification of inaccurate personal data we process about you.
6.1.4. The right to request erasure of data.You have the right to request the erasure of your personal data if: it is no longer necessary for the purpose for which it was collected; you have withdrawn your consent to the processing of your personal data, if the processing of your personal data was based on your consent; we process your personal data on the basis of a legitimate interest and you object to such processing and there are no overriding legitimate grounds for processing the data;we must delete your personal data when implementing our legal obligations or your personal data were processed unlawfully.
6.1.5. The right to restrict data processing. You have the right to restrict our processing of your personal data if you contest the accuracy of the data and we carry out a check in this respect; your personal data have been processed unlawfully but you do not consent to the erasure of the data if your personal data are no longer necessary for the purpose, it was collected but is necessary for the establishment, exercise or defence of legal claims, if you have objected to the processing as described below, until it is verified whether our legitimate reasons prevail over your reasons.
6.1.6. The right to object to the processing of personal data. You have the right to object to the processing of your data by us for direct marketing purposes, to object to the processing of your personal data in the public interest or in our legitimate interests, unless these interests are overridden by Your reasons.
6.1.7. The right to your personal data portability. You have the right to receive the personal data you have provided to us or to request the transfer of such data to another controller in a structured, commonly used and computer-readable format, provided that the processing of your personal data is based on your consent or on a contract between us and your personal data are processed by automated means.
6.1.8. The right to submit a complaint to the State Data Protection Inspectorate. If you believe that your rights have been violated, you have the right to contact the State Data Protection Inspectorate.
6.2. To exercise your rights, you can contact us at any time at the contact email address GDPR.lt@itella.com We have the right to ask you to provide proof of your identity before we can exercise your right(s).
6.3. Please be informed that the exercise of your rights may depend on the conditions for the exercise of a specific right set out in the legislation, and therefore, in the case of specific grounds set out in the legislation, we have the right to refuse to grant your request for the exercise of a specific right on the grounds stated in the legislation.
6.4. Responses to your requests for the exercise of your rights shall be provided promptly, but at the latest within 30 calendar days from the date of receipt of such request. This period may be extended by two further months where necessary, taking into account the complexity and number of the requests. Within one month from the date of receipt of the request, we will inform you of such extension, together with the reasons for the delay. Requests for the exercise of rights shall be executed free of charge. We have the right to request a reasonable fee if your requests are manifestly unfounded, repetitive or excessive. - DIRECT MARKETING MESSAGES
7.1. We will only send you direct marketing communications if we have your prior consent to such processing of your personal data. You may withdraw your consent at any time by sending an email to marketing.lt@itella.com and/or by following the instructions in each message.
7.2. We would like to inform you that the withdrawal of consent does not affect the lawfulness of the processing based on consent carried out prior to the withdrawal of consent.
7.3. Subject to the conditions laid down by law, we may use your personal data for the marketing of our own similar services on the basis of our legitimate interest. You have the right to object to this in advance by contacting us by email at marketing.lt@itella.com. You may subsequently object to or opt out of such use of your personal data by contacting us by email at marketing.lt@itella.com and/or by following the instructions in each message. - PROFILING
8.1. We may use your personal data for profiling only with your prior written consent.
8.2. With your consent, we may carry out profiling activities in order to classify you as a relevant customer category and to provide you with tailored commercial offers that meet your needs.
8.3. When processing your personal data for the above purposes, we do not use such automated decision-making processes, including profiling, which may have legal consequences for you or which may have a similar significant impact. In any case, you have the right to demand human intervention in order to express your opinion or to object to such attribution. You can do this by sending us a notification by email to marketing.lt@itella.com. - ASSURANCE OF PERSONAL DATA SECURITY
9.1. You undertake to provide Us only with your own data and only with the correct data, and to protect and not disclose to anyone any of your data, including login data (e.g. to the Self Service on the Website).
9.2. We will process your personal data in a responsible and secure manner, taking into account the requirements for the security of personal data set out in the legislation. When establishing measures for the processing of personal data, and during the processing of the data, we will implement technical and organisational measures of an adequate level of data protection as provided for by law, designed to protect the personal data processed by us against accidental or unlawful destruction, damage, alteration, loss, disclosure, as well as against any other unauthorised processing. The level of personal data security measures are determined in accordance with the risks that arise from the processing of personal data. - COOKIES
Please be advised that the Website uses Cookies. You can find more information about Cookies in the “Cookie Policy”, which is an integral part of the Privacy Policy. - RIGHT TO FILE A COMPLAIN
If you believe that your rights have been violated, you can always contact us at GDPR.lt@itella.com or (and) submit a complaint to the State Data Protection Inspectorate (L. Sapiegos g. 17, LT-10312 Vilnius, e-mail ada@ada.lt). - CONTACTS
12.1. The Data Controller who processes the personal data specified in this Privacy Policy when you use our Website is:
UAB Itella Logistics
Code of legal entity 110883051
Address: Pirklių g. 5, LT-02300 Vilnius, Lithuania
12.2. You may contact Us at the contact details provided below for any issues and additional information related to this Privacy Policy:
GDPR.lt@itella.com - VALIDITY AND CHANGES TO THE PRIVACY POLICY
13.1. We have the right to change our Privacy Policy at any time. We will inform you about any changes to the Privacy Policy on the Website, publish a new version of the Privacy Policy on the Website, so please regularly review the Privacy Policy provisions.
13.2. Changes to the Privacy Policy shall take effect from the date of their publication, i.e. from the date they are posted on the Website.