Privacy Policy

Girkama, UAB
COMPANY CODE 305144687

PRIVACY POLICY
I. CONCEPTS
1. Seller - Girkama, UAB, company code:305144687, VAT payer code: LT100012376512, medeine.lt - electronic shop, Medeine.lt - trade in leisure goods I. Simonaitytės g. 3-13, LT-06244 Vilnius.
2. Buyer - a) a natural person of legal capacity, i.e. a person who has reached the age of majority and whose legal capacity has not been restricted by a court order; b) a minor aged between fourteen and eighteen who has the consent of his/her parents or guardians; c) a legal person; d) authorised representatives of all of the above.
3. Account - an account created by the Buyer during the registration at medeine.lt, which stores his/her personal data and order history.
4. Medeine.lt.lt Accounts - medeine.lt accounts on social networks, which provide information about medeine.lt and the Services provided therein, as well as the sharing of content published by Customers;
5. Services - all services provided by the Seller to the Buyer.
6. Password - a unique combination of letters and numbers created by the Customer and known only to the Customer, which is entered for the first time when registering at medeine.lt and later to log in to the Account.
7. Personal data shall mean any information relating to a natural person, i.e. a data subject, who is identified or can be identified, directly or indirectly, by reference to data such as a personal identification number or to one or more factors specific to that person, be they physical, physiological, psychological, economic, cultural or social.
8. Personal data controller - Girkama, UAB.
9. Administrator - the responsible employee of the company.
10. Privacy Policy is a document that sets out the basic rules for the collection, use and storage of Personal Data when using the Company's services;
11. IP address - a unique number assigned to a computer,
12. Rules - the company's current "Rules for the Purchase/Sale of Goods"
13. Direct marketing means activities designed to offer goods or services to persons by post, telephone or other direct means and/or to seek their opinion on the goods or services offered.

II. GENERAL PROVISIONS
14. The Privacy Policy sets out the basic rules for the collection, use and storage of Personal Data. The Privacy Policy regulates the basic principles and procedures for the collection, processing and storage of personal data of the electronic shop medeine.lt, the shop Medeine.lt (hereinafter - the Seller) and the customer (hereinafter - the Customer).
15. The collection, processing and storage of personal data of the Customers shall be governed by this Privacy Policy, the Law on Legal Protection of Personal Data of the Republic of Lithuania and other applicable legal acts of the Republic of Lithuania.
16. The Privacy Policy is available at www.medeine.lt - in the information section of the e-shop or in the Medeine.lt shop.
17. The medeine.lt website contains links to the websites of other persons, companies or organisations. The Seller is not responsible for the content of such websites and/or the security methods used by such websites, and the Buyer should consult the rules and other documents of the respective website before submitting his/her personal information.
18. The Buyer, having read and understood the company's Privacy Policy, consents to the processing of personal data concerning him/her.

III. PROCEDURE FOR THE COLLECTION AND USE OF PERSONAL DATA
19. The personal data collected is processed for the specific purpose of concluding or performing a purchase contract where one of the parties is the Buyer (the data subject).
20. Personal data shall be processed lawfully when the Customer, having read the company's Privacy Policy and the terms and conditions of electronic services, agrees to the processing of personal data relating to him/her.
21. The processing of personal data is necessary for the purposes of the legitimate interest pursued by the Seller or by the third party to whom the personal data are provided and where the interests of the data subject are not overriding.
22. Personal data shall be collected and processed in other cases specified in the Law on Legal Protection of Personal Data of the Republic of Lithuania.
23. When ordering goods in the e-shop www. medeine.lt, the Buyer shall fill in the information fields with personal data - name, surname, telephone number, e-mail address, delivery address.
24. When registering on medeine.lt, the Buyer shall provide his/her e-mail address and create a password. The Buyer undertakes and shall keep his/her password and login name and other data secure. The Buyer undertakes and is obliged not to disclose to any other third party any Personal Data about himself or herself or about third parties, if such Personal Data of third parties has been made available to him or her, and to inform [email protected] immediately of any apparent breaches.
25. The Buyer is responsible for the provision of his/her Personal Data. When placing an order and entering into a contract, the Customer must provide complete and correct personal data at the time of registration in the e-shop.
26. When paying by electronic banking or payment card, the Buyer enters the data in the bank's system, so this information is not available to the Seller.
27. The Buyer shall be deemed to be aware of the company's Privacy Policy when he/she ticks "I agree".
28. By confirming, the Buyer agrees to the collection and processing of the Buyer's personal data for the purposes of the sale of goods and services in the Shop.
29. The personal data provided by the Buyer: name, surname, address, telephone number, email address are used for the purpose of:
i. process orders for goods and/or services from the Buyer;
ii. issue financial documents;
iii. perform delivery services;
iv. provide a reply/information by email, telephone to the buyer's enquiry;
v. fulfil other contractual obligations.
30. In order to offer a full service on the website, information is stored on the Buyer's computer (device) (cookies). The information recorded is used to identify the Customer as a previous user of the website and to compile statistics on website traffic. The Buyer can at any time view what information (cookies) is being stored and can delete some or all of the stored cookies. The Buyer also has the right to object to the storage and use of information (cookies) on the Buyer's computer/device, in which case some functions of the website may not be available. By using the e-shop, the Buyer agrees to the recording of information on his/her computer (device). The Buyer may withdraw his/her consent at any time by changing his/her browser settings or by contacting the contact details published on the website.

31. The Buyer's Personal Data shall be provided to the Member States of the European Union or other foreign countries under the same terms and conditions and in the same manner as to entities located in the Republic of Lithuania and only for the purposes set out in this document.

IV. CORRECTION, ADDITION AND DELETION OF PERSONAL DATA
32. The Buyer has the following rights:
33. To access your Personal Data held by the Seller. The Buyer, having provided the Seller with a document confirming his/her identity or having confirmed his/her identity in accordance with the procedure established by law or by means of electronic communications that allow proper identification of the person, shall have the right to obtain information on the sources and the collection of his/her personal data, the purpose for which they are processed, and the recipients of the data to which they are provided.
34. The Seller, upon receipt of an enquiry from the Buyer regarding the processing of his personal data, shall respond to the question of whether the personal data relating to him are processed and provide the Buyer with the requested data no later than 30 calendar days from the date of the Buyer's enquiry. Such data must be provided in writing at the request of the Buyer. The Seller shall provide such data to the Buyer free of charge once per calendar year. In the case of gratuitous provision of data, the amount of remuneration shall not exceed the cost of providing the data.
35. The Buyer has the right to request the rectification, destruction or suspension of the processing of his/her personal data.
36. If the Buyer, after consulting his/her personal data, finds that his/her personal data are incorrect, incomplete or inaccurate and contacts the Data Controller, the Data Controller shall immediately verify the personal data and, at the written request of the data subject, whether in person, by post or by means of electronic communication, immediately correct the incorrect, incomplete, inaccurate personal data, and/or suspend the processing of the personal data, with the exception of the storage of the personal data.
37. If the Buyer, having accessed his/her personal data, determines that his/her personal data are being processed unlawfully and unfairly and contacts the Seller, the Data Controller shall immediately verify the lawfulness and fairness of the processing of the personal data free of charge and shall, at the request of the data subject (expressed in writing), immediately destroy the unlawfully and unfairly collected personal data or suspend the processing of such personal data, with the exception of the storage of such data.
38. If the processing of personal data has been suspended at the request of the Buyer, the personal data whose processing has been suspended shall be stored until rectification or destruction (at the request of the Buyer or after the expiration of the data retention period). Further processing of such personal data may be carried out only for the purpose of proving the circumstances which led to the suspension of the processing; if the Customer consents to the further processing of his/her personal data; or if necessary to protect the rights or legitimate interests of third parties.
39. The Seller shall notify the Buyer of the rectification, destruction or suspension of the processing of personal data, whether or not carried out at the Buyer's request.
40. Personal data shall be rectified and deleted or their processing suspended upon the Buyer's request, in accordance with the documents confirming the identity of the Buyer and his/her personal data.
41. If the Seller doubts the correctness of the personal data provided by the data subject, the Seller shall suspend the processing of such data and shall verify and correct the data. Such personal data may only be used to verify their correctness.
42. The Seller shall inform the Buyers about the rectification or destruction of personal data at the request of the Buyer, the suspension of processing of personal data, except where it would be impossible or excessively difficult (due to the large number of Buyers, the length of the period of the data, or the unreasonable costs) to provide such information. In this case, the State Data Protection Inspectorate shall be notified immediately.
43. The Buyer may object to the Privacy Policy to the processing of their Personal Data. In this case, the Buyer will not be able to purchase goods and/or services.
44. The Buyer may correct and/or complete personal data in the Account. The Buyer is responsible for the correctness of the corrected and/or added data.

V. TRANSFER OF PERSONAL DATA TO THIRD PARTIES
45. The Seller undertakes not to disclose the Buyer's Personal Data to third parties, except in the following cases:
a. if the Customer consents to the disclosure of Personal Data;
b. in the performance of the Buyer's order or other services, to the Seller's partners providing delivery or other services ordered by the Buyer;
c. law enforcement authorities in accordance with the procedure provided for by the legislation of the Republic of Lithuania;
d. where it is necessary to prevent or investigate criminal offences.
VI. MODIFICATION OF THE RULES ON THE PROCESSING OF PERSONAL DATA
46. The Seller has the right to change the Privacy Policy. The new version of the Privacy Policy shall come into force from the date of its publication on www.medeine.lt - in the information section of the e-shop or in the Medeine.lt shop. If the Buyer continues to use the services provided by the Seller after the addition or change of the Privacy Policy, it shall be deemed that the Buyer accepts the new version of the Privacy Policy.
VII. RISK FACTORS FOR A PERSONAL DATA BREACH
47. A personal data breach is an act or omission that may cause or has caused undesirable consequences and is contrary to the mandatory provisions of the law on the protection of personal data.
48. Unintentional, where the protection of Personal Data is breached for accidental reasons (processing errors or system failures due to power outages, computer virus, etc..
49. Intentional, when the protection of Personal Data is violated deliberately (unauthorised intrusion into premises, information systems, computer network, malicious violation of the rules established for the processing of Personal Data, deliberate spreading of a computer virus, theft of Personal Data, unauthorised use of another person's rights etc.);
50. Accidental events (lightning, fire, flood, inundation, storms, burning of electrical wiring, exposure to temperature and/or humidity changes, influence of dirt, dust and magnetic fields, accidental technical breakdowns, other factors beyond the control and/or control, etc).
VIII. IMPLEMENTING MEASURES FOR THE PROTECTION OF PERSONAL DATA
51. Customer data shall be stored and processed in accordance with the requirements of the Law on Legal Protection of Personal Data of the Republic of Lithuania, the General Data Protection Regulation GDPR (EU) 2016/679 and other applicable legislation of the Republic of Lithuania.
52. In order to ensure the protection of the Buyer's data, the Company shall implement or intend to implement Personal Data Protection Measures.
53. Administrative, document and computer security, staff awareness of Personal Data Protection.
54. Hardware and software security (administration of information systems and databases, maintenance of workstations and premises).
55. Protection of communication networks. Data security is ensured by SSL ( Secure Socket Layer) certificates. Data travelling between the Buyer's computer and the server will not be read or altered by third parties as it is encrypted with the COMODO CA Limited certificate.

IX. TIME LIMIT FOR PROCESSING PERSONAL DATA
56. The Buyer's Personal Data shall not be stored for longer than the stated purposes of processing the data require. Personal data related to sales in Medeine.lt stores, electronic customer inquiries, etc. shall be stored for 5(five) years from the date of the Person's last login to the e-shop system or the Person's last purchase.
57. When Personal Data are no longer required for the purposes of their processing, they shall be destroyed, except for those which must be transferred to public archives in the cases provided for by law.

X. NOTIFICATION OF A PERSONAL DATA BREACH TO THE SUPERVISORY AUTHORITY

58. In the event of a personal data breach, the State Data Protection Inspectorate shall be notified, where possible, not more than 72 hours after becoming aware of the personal data breach. A notification form shall be completed.
59. The notice must include:
(a) a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, as well as the categories and approximate number of personal data records concerned;
(b) the name and contact details of a person who can provide further information;
(c) a description of the likely consequences of a personal data breach;
(d) a description of the measures taken or proposed to be taken. the undertaking to remedy the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects. Where it is not possible to provide the information at the same time, the information may be provided in stages.
60. The controller shall document all personal data breaches, including the facts relating to the personal data breach, its impact and the corrective action taken.
63. Where a personal data breach is likely to result in a serious risk to the rights of natural persons, the controller shall also notify the Purchaser of the personal data breach.

X. COMMUNICATION OF INFORMATION OR CLAIMS
61. The Buyer may submit a request related to the processing of Personal Data directly to the address Taikos pr. 43 , LT- 50224 Kaunas; e-mail address [email protected].
62. The Seller, upon receipt of the Buyer's request, shall provide the Buyer with a reply within 30 (thirty) calendar days from the date of the request, and shall perform or refuse to perform the actions specified in the request. Only requests concerning the processing of personal data which are made in writing shall be considered.
XI. LIABILITY
63. Employees who violate the Law on Legal Protection of Personal Data of the Republic of Lithuania, other legal acts regulating the processing and protection of Personal Data, or this Privacy Policy shall be subject to the measures of liability provided for by the laws of the Republic of Lithuania.
XII. FINAL PROVISIONS
64. Compliance with the Privacy Policy shall be supervised by the Head of the Company or his/her authorised representative.
65. Responsible employees of the company shall be acquainted with the Privacy Policy by signature.
66. This document is the property of the company and may not be copied or otherwise distributed.