Lighthouse Asset Management, company code 304045309, address Liepų st. 83, LT-92195 Klaipėda, is the Data Controller of the website www.lighthouse-am.lt and its data.
Lighthouse Asset Management (hereinafter referred to as the Institution) respects and is committed to your right to privacy and the protection of personal data. Lighthouse Asset Management shall process your personal data in accordance with the provisions of the General Data Protection Regulation (GDPR), the Republic of Lithuania Law on Legal Protection of Personal Data, the Republic of Lithuania Law on Electronic Communications and other legal acts regulating personal data protection.
• Personal data shall mean any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
• Data processing shall mean any operation or sequence of operations performed with personal data or sets of personal data by automated or non-automated means, such as collection, recording, sorting, organisation, storage, adaptation or modification, extraction, access, usage, disclosure, transfer, distribution, or otherwise making data available for use, as well as their alignment or combination with other data, restriction, erasure or destruction.
• Data Controller shall mean Lighthouse Asset Management, company code 304045309, address Liepų st. 83, LT-92195 Klaipėda.
General Data Processing Requirements
• Personal data of the data subject must be processed in a lawful, honest and transparent manner (legality, fairness and transparency principle);
• Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
• Personal data must be adequate, appropriate and limited to what is necessary for the purposes for which they are processed (data minimization principle);
• Personal data must be accurate and, if necessary, updated; all reasonable steps must be taken to ensure that personal data that are inaccurate, considering the purposes for which they are processed, are immediately erased or corrected (accuracy principle);
• Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
• Personal data must be processed in such a way as to ensure adequate security of personal data by appropriate technical or organisational measures, including protection against unauthorized or unlawful processing of data and against unintentional loss, destruction or damage (principle of integrity and confidentiality).
Rights of data subjects
Data subjects shall have the following rights:
- The right to be informed about the processing of your personal data. When collecting personal data, the Data Controller must provide information on the purposes for which the personal data are processed, and to whom and for what purposes they are provided.
- The right to access your personal data. The person shall have the right to contact the Data Controller and receive information on the sources from which personal data have been collected and what personal data have been collected, for what purpose they are processed, and to whom they are provided. Upon receipt of the request, the Institution shall provide a written response no later than 30 calendar days from the date of the request.
- The right to request rectification of data. If the data subject, upon getting acquainted with his or her personal data, finds that his or her personal data are incorrect, incomplete or inaccurate, the Institution must immediately verify the personal data and, at the request of the data subject (in written, oral or other form), immediately correct incorrect, incomplete, inaccurate personal data and/or suspend the actions of processing of such personal data, except for storage.
- The right to request the deletion of data (right to be forgotten). The data subject shall have the right to request the Data Controller to delete personal data immediately, and the Data Controller must delete personal data without undue delay in one of the following circumstances:
1. When personal data are no longer necessary for the purposes for which they were collected and processed;
2. Where the personal data subject has withdrawn the consent on which the processing is based and there is no other legal basis for the processing;
3. When personal data have been processed illegally.
- The right to restrict data processing. The data subject shall have the right to request the Data Controller to restrict the data processing in cases where the personal data subject contests the accuracy of the data for a period during which the Data Controller may verify that accuracy; where the processing of personal data is unlawful and the data subject does not consent to the deletion of the data, instead requesting a restriction on their use; when the Data Controller no longer needs the personal data for processing purposes, but the data subject needs them in order to make, enforce or defend legal claims.
- The right to data portability. The data subject shall have the right to recover his or her personal data from the Data Controller in a structured, commonly used and computer-readable format.
- The right to object to the processing of personal data. The person has the right to object (in writing, orally or otherwise) to the processing of certain optional personal data. Such objection may be expressed at the time of data collection by not completing certain fields (lines) of the request, contract or questionnaire, or at a later stage in any form, following a request from the data subject to terminate the processing of certain optional personal data. In order to exercise this right, the data subject must be provided with information on which of his or her personal data are not subject to processing.
- Personal data is processed on the website for the following purposes:
– Attracting investment,
– Liaison with business and investment stakeholders,
– Event organisation.
- The following data shall be collected for the purpose of attracting investments: name, surname, e-mail address of the company’s representative.
- In liaison with business, the following data shall be collected: name, surname of the company’s representative, e-mail address of the representative.
- For the purpose of organising events, the following data shall be collected: name, surname of the natural person or the name of the company he or she represents, e-mail address.
- Personal data must be kept for no longer than is necessary for the purposes of the processing.
- Data collection and storage procedure: Data collected for investment, communication and event purposes shall be stored in a contact list in the project management system.
- Data transfer to third parties: The data may be transferred to the authorities controlling the activities of the Institution.
Confidentiality and Security Provisions
- The employees of the Institution shall be bound by the obligation of confidentiality and shall observe confidentiality with regard to any information relating to personal data obtained in the performance of their duties. The duty to keep personal data secret shall remain valid after a change of position and upon the expiry of employment or contractual relationships.
- The Institution shall appoint employees who can work with personal data. Employees may access and use only those documents and data files which they have been authorized to access and process.
- Employees must take measures to prevent the accidental or unlawful destruction, alteration, disclosure of personal data and any other unlawful processing, by keeping documents and data files properly and securely and by avoiding unnecessary copying. If the employee doubts the reliability of the security measures installed, he or she must contact his or her immediate supervisor to assess the security measures available and, if necessary, initiate the purchase and implementation of additional measures.
- Employees who process personal data, or whose computers can access the virtual file repository that stores personal data, must use passwords. Passwords must be changed periodically, at least once every three months, as well as in certain circumstances (e.g. change of employee, threat of burglary, suspicion that the password has become known to third parties, etc.). The employee working on a particular computer may know only his or her own password.
- Employee computers that store subject data cannot be freely accessed from other computers on the network. The antivirus program on these computers must be kept up to date.
- The Institution shall ensure the protection of the wireless Internet network; the guests of the Institution shall connect to the wireless network with "guest" type passwords.
Data storage in the archive
- Archived data must be stored in a locked room.
- The Data Controller must ensure that the archive is not accessible to unauthorized persons.
- The rules shall be published on the website of the Institution.