+370 661 06005
PRIVACY POLICY
This Privacy Policy (hereinafter referred to as the Policy) provides important information about how our Company collects and processes personal data of its clients and other persons, how it uses such data and what measures it undertakes to protect it. In order to ensure your awareness, we recommend you read to carefully this Policy and to get acquainted with the information provided in it.
The Company, or we means AB "Novaturas" – Lietuva (company registration code: 135567698; company address: A. Mickevičiaus g. 27, LT-44245, Kaunas, Lithuania; Company website: www.novaturas.lt, www.travelonspot.com, flights.novatours.eu). The Company described under this Policy is a controller of personal data.
GDPR means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance).
Dada subject means a natural person from which the Company receives and processes the personal data.
Employee means a person with whom the Company concluded an employment contract or any contract of similar character and, upon the decision of the head of the Company, such a person is authorized to process personal data or whose personal data is processed.
Personal data means any information about a natural person whose identity was defined or whose identity is possible to define (data subject); a natural person is a person whose identity can be defined either directly or indirectly, in particular by using such identifiers as name and surname, personal identification number, location identifier or Internet identifier data, or several identity attributes of such a person like physical, physiological, genetic, mental, economic, cultural, or social identity attributes.
Data recipient means a natural or legal person to whom the personal data is provided.
Data provision means the disclosure of personal data by transfer or other means making such data available (except for publication in the media).
Data processing means an operation conducted with personal data: collecting, recording, storing, classification, grouping, merging, changing (amending or correcting), supplying, publishing, using, logical and (or) arithmetical operations, search, dissemination, destruction or any other activity or collection of such activities
Automatic data processing means data processing operations done by automatic or semi-automatic means.
Data processor means a legal or natural person (who is not the employee of the data controller) authorized by the data controller to process personal data. Data processor and/or its authorization procedures can be defined under laws or other legal acts.
Data controller means a legal or natural person who, alone or together with other persons, defines data processing purposes and methods. If the purposes of data processing are defined under laws or other legal acts, the data controller and /or its authorization procedures may be defined under such laws or other legal acts.
Personal data of special categories means the data related to the racial or ethnic origin of a natural person, his/her political, religious, philosophical, or other beliefs, membership in professional unions, health, sexual life, as well as the information about previous criminal convictions.
Health data means the personal data related to the physical or mental health of a natural person including the data about provision of the health services revealing the information about the health status of such a natural person.
Consent means data provided upon free will, a specific and unambiguous expression of the will of a properly informed person with a statement or unambiguous action, with which he/she agrees gives his/her consent to process the personal data related to him/her.
Direct marketing means activities for proposing to persons goods or services and/or for asking their opinions about such proposed goods or services, made by email, telephone, or any direct method.
Internal Administration means the activities ensuring an independent functioning of the data controller (structure management, personnel management, management of the available material and financial resources and their use, clerical work).
Other definitions used in this Policy are in compliance to the GDPR or other applicable legal acts.
The general principles
The employees of the company when carrying their functions and processing personal data, shall follow the GDPR and other legal acts and this Policy, as well as to follow the requirements of internal documents of the Company executing or supplementing such requirements.
The personal data can be processed only in legal, fair, and transparent manner. In addition, the Company must be able to provide proof that it actually follows the principles of data processing defined under this Policy.
Purpose limitation
Personal data may only be collected for the specified and clearly defined and legal purposes and shall not be processed in contradiction to such proposes. Regarding the personal data related to the employees, the legal purposes, for example, are the management of human resources and internal administration (assignment to duties, and revoking from them, payment of salaries, work management and other human resources issues related to the employees).
Storage and deletion of personal data
Personal data may be kept in a form which permits identification of the data subjects for no longer than it is necessary for the purposes for which personal data is processed.
Data quality and proportionality
The personal data shall be accurate and updated when needed. All reasonable means shall be undertaken to ensure that the personal data which are not accurate, taking into consideration the purposes of their processing, shall be deleted or corrected in an immediate manner. Moreover, the personal data shall be adequate, suitable, and only such (and for the exact amount of) which is necessary for the purposes of their collection and/or processing. The personal data shall be processed in such a way as, by applying technical and organizational instruments, as to be able to ensure proper security of the personal data, including the protection of the data processing without permission or illegal data processing, and from unintentional loss or damage, illegal access.
If the Company doubts the correctness of the personal data it processes, it shall suspend the actions of such processing, to check and correct the data.
Data processing purposes
The Company processes the data of the persons visiting the websites of the Company and/or purchasing the services offered for the following purposes:
• for processing of the purchase (order) of services, administration;
• for the identification of the data subject in the information systems of the Company;
• for the identification of the data subject during the login to his/her account at the website of the Company (when the Company provides with such an opportunity);
• for issuing of coupons, approvals, invoices, and other financial documents;
• for solutions of problems related to the execution, presentation, and use of the services,
• for communications with the data subject if the terms and conditions of the services purchased by the data subject change;
• for the execution of other contractual obligations;
• for direct marketing purposes;
• for business analysis and statistical analysis, general studies which allow to improve services and their quality.
The data can be processed for other purposes which are indicated when you provide your personal data to the Company.
Data processing when purchasing the tourism services offered by the Company
During the purchase of the tourist services, depending on specific types of services (travel direction), the Company, upon the purposes defined under this Policy, collects and processes the following personal data: name, and surname, sex, date of birth or personal identification code, the data of a document proving the personal identity, address, phone number, email address, payment card data, personal contact information (phone number, email address), citizenship, information about the special needs, personal information of the persons who travel together (names, surnames, dates of birth or personal identification codes, salutations, and citizenships, other personal data which are requested during the purchase of service. The data is provided during the execution of an agreement, purchasing a service, as well as during the consultations by phone, email, or by providing the information through other persons.
The Company, in this case, processes your personal data on the the following legal basis:
• seeking to ensure a proper provision of services and high quality of the provided services (legitimate interest);
• on the basis of your consent (when the data of special categories (health) are processed);
• for the purpose of execution of the Agreement;
• for the execution of own duties as of the travel organizer, defined under the legal acts.
Data processing after creating an account at the website of www.novaturas.lt
For the purpose of the registration at website www.novaturas.lt and usage of the account, the Company collects and processes email address and the information about the proposals of an interest to the account user. In the account, it is also possible to provide the data in advance which are processed for the purchase of the tourism services (see above).
The Company, in this case, processes your personal data on the the following legal basis:
• in order to ensure the quality of the provided services (legitimate interest);
• on the basis of your consent which you express with your active actions providing the data not mandatory for the registration;
• on the basis of execution of this Agreement.
You may also be allowed to log in to the www.novaturas.lt system with the existing accounts of your social networks. For more information how the data of the users are processed and used you can ask from your social media networks providers and administrators.
Data processing after creating an account ant using hotel booking services via www.travelonspot.com
During the registration at the website www.travelonspot.com and using the service of hotel booking offered by the Company, or by providing feedback on the hotels visited, the Company, for the purposes defined under this Policy collects and processes the following personal data: name and surname, sex, address, phone number, email address, payment card data, names and surnames, dates of both, personal contact information and travel selections of the persons travelling together. The data is provided during the execution of an agreement, purchasing a service, as well as during the consultations by phone, email, or by providing the information through other persons.
The Company, in this case, processes your personal data on the the following legal basis:
• in order to ensure the quality of the provided services (legitimate interest);
• on the basis of your consent which you express with your active actions providing the data not mandatory for the registration;
• on the basis of execution of this Agreement.
When advertising the accommodation entities and the services provided by them as well as promoting and improving the services provided social networks are used (e.g., our website has direct links integrated with the social channels). At the website www.travelonspot.com, the information becomes available to the social network provider when the user clicks one of the buttons of the social networks after registering with his/her social network account This information may be shown at the profile of the social network user and seen by other members of the network.
You may also be allowed to log in to the system of www.travelonspot.com using the existing accounts of your social networks. For more information how the data of the users are processed and used you can ask from your social media networks providers and administrators.
Clients feedback
After visiting any accommodation entities selected and booked from the Internet website, Travel on Spot/Novaturas asks the user to provide feedback on the accommodation entities, services provided, If the data subject objects to indicate his/her name net to the feedback provided, the comment may be published by only indicating the nickname of anonymously. When providing the feedback the data subject agrees for showing it for example, at the information page of the website of the accommodating entity, in mobile applications, social network accounts or social network applications, on websites of a relevant accommodating entity or websites of our partners - for the purpose of informing of other travellers. The feedback provided by users on the discretion of Travel on Spot/Novaturo can also be used for marketing purposes, promotion of sales or improvement of services quality, and can be published on internet website or other social media channels: newsletters, advertisements, programmes and other channels belonging to, used and processed by Travel on Spot/Novaturas. Travel on Spot/Novaturas has the right to remove certain feedback on own discretion. If the user indicates that certain comment of the guest was useful or not useful, this information may be used together with the information provided by other users by sorting and defining the sequence of the comments provided.
Data processing when using flight booking services atflights.novatours.eu
During the purchase of air tickets at website flights.novatours.eu, the Company, for the purposes indicated under this Policy, collects and processes the following personal data: greetings of the travelling persons, their names, surnames, child birth date, contact information of the person who purchases the tickets (phone number and email address), as well as information about the payment. In certain cases (after contacting separately), the following personal data may be collected and processed: the data proving the personal identification. The data is provided during the execution of an agreement, purchasing a service, as well as during the consultations by phone, email, or by providing the information through other persons.
This data is processed upon the legal basis of the agreement execution.
Processing of personal data when providing other services
When obtaining gift coupons, child escort or other services offered by the Company, for the purposes defined under this Policy, and on the basis of the agreement execution, the Company may process other personal data. The scope of the processed data depends on the specific service which you want to obtain. The data to be provided to be able to provide a service, are indicated during the ordering of the service.
Processing of personal data when using mobile devices
When you use your mobile devices, the data may be collected for the purpose of indicating the type of your mobile device, device settings, geographical coordinates (longitude and latitude).
Processing of personal data when administering and investigating complaints and/or requests
The Company processed the personal data indicated by you when you submit to the Company a request and/or complaint in this internet website, by email, post, or telephone.
The Company processes your personal data under the cases indicated upon the following legal basis:
• seeking to administer requests and/or complaints, to ensure the quality of the services provided (legitimate interest);
• on the basis of your consent expressed by your active actions when you submit a request and/or complaint;
• for the execution of own duties as of the travel organizer, defined under the legal acts.
The Company, seeking to investigate your request and/or complaint, provide information and ensure the quality of its services, has the right to register the information provided by you at the internal information system of the Company.
The Company requests to follow at least these minimal personal data protection requirements when you address the Company:
• not to indicate such personal data, as personal ID code, date of birth, bank account number, vehicle state registration number, real estate data, health data, other personal data of special categories or any sensitive personal data, and similar neither in the subject of your request and/or complaint (your email letter, documents provided in writing, on the internet website), neither in the attached titles of files;
• in the request and/or complaint text or during the telephone call not to indicate personal personal data of special categories or any sensitive personal data, and similar identification code, bank account number, vehicle state registration number, real estate data, health data or any other data if such data has no direct relationship with the request and/or complaint, and to indicate the personal data of other persons only as much as it is necessary for the purposes of the submitted request and/or complaint.
Should the Company need any additional information for the investigation of your request and/or complaint, it will use your contact information to be able to contact you.
The Company also wants to draw your attention that the personal data of the persons who contacted the Company with their requests or complaints, may be transferred to the company UAB "Aviaturas ir partneriai" belonging to the Company group, and that this company helps to ensure fluent and prompt administration of complaints.
Processing of personal data of the shareholders of the Company
The Company processes the personal data of its shareholders in its operations:
• for the purpose of internal administration;
• for the purpose of execution of its legal liabilities related to the registration and processing of the data of the Company shareholders, the accounting of shares, and execution of other liabilities applicable to them.
Processing of personal data of other administrative bodies of the Company
The Company in its activities processes the personal data of the members of the administrative bodies of the Company:
• for the purpose of internal administration;
• seeking to execute its legal obligations related to the administrative bodies (head of the Company, the board of observers, committees, and etc.) formation, organizing of their activities, providing of the data of the administrative body and its members to the public registers and for registration at such registers, application of the Law on the Financial Accounting of Companies (e.g. statement of the data of the board and its members in the annual report), and similar.
The processing of personal data of the administrative bodies of the Company is mandatory on the basis defined bu legal acts.
Data processing for the purposes of employees’ selection
By applying for a vacancy in the Company, for example, when sending the CV by email info@novaturas.lt, or contacting the Company in relation to the vacancy announcement, the Company collects and processes the personal data provided in your letter and CV.
The Company processes the data you provided:
• for the purposes of staff selection;
• on the basis of your consent which you express with your active actions when providing your personal data.
The Company stores your data provided via this internet website in relation to the staff selection for 12 months.
The Company wants to draw your attention that the fact of providing of any personal data for the purpose of staff selection and the storage of such data does not mean the application to the vacancies wanted. If you find an advertisement in the website of the company or employment search websites in relation to your wanted vacancy, we invite you to apply directly by using the email address indicated in such an advertisement.
If you, however, provide your personal data in this website seeking to participate in a specific competition, but the Company selects another applicant who meets its needs better, the Company will store the personal data you provided till the end of the specific competition, and if you provide your consent for any further processing of this data for other staff competitions, then your data will be stored for one year after the end of such a competition, unless you revoke your consent earlier.
The Company informs that for the purpose of evaluation of your application, it can apply for recommendations to your previous employers you indicated and request information on your qualification, processional, and business skills. The Company can request such information from your existing employee only having received your separate consent.
The Company also wants to emphasize that it can receive your personal data from the third parties, for example, the companies managing employment advertisements websites, employment agencies, when you provided your data to such companies, as well as from publicly available sources where you published your personal data.
Using the services provided by the Company and concluding tourism services provision agreements the data subject can upon his/her own will agree to allow to use his/her personal data provided for the marketing purposes of the Company by expressing such of his/her consent in an appropriate graph of the tourism services provision agreement with his/her signature.
The data subject may agree to receive the information sent by the Company:
The data subject has the right to refuse the information sent by the Company by clicking on the refusal link in the newsletter or any other letter sent to the data subject by the Company and to refuse such proposals and news.
If, when filling in the questionnaires of the Company after trips (in buses, air planes, or on-line) the data subject does not mark (e.g. by ticking) that he/she agrees to receive the news, proposals, and other information sent by the |Company - he/she will no longer receive them because the information of the data subject will be updated and the latest information provided by the data subject will be used.
If the data subject is a registered user of the Company website who does not want to receive unwanted information about the services of the Company, he/she can make the changes at an time by logging into his/her account at the Company website and marking this (e.g. by ticking) in his/her account at "My data" -> "Information settings".
The data provided by the data subject which are used for the purposes of direct marketing help to ensure a continuous improvement and development of the Company website and services provided by the Company, and provides the opportunity to offer the best proposals.
The data subject can also use his/her right to refuse to process his/her data for direct marketing purposes by informing the Company in writing by post or means of electronic communications.
The Company shall store the personal data for as long as it is necessary to reach its targets for which such data is processed (e.g. to provide services, to investigate a complaint, and etc.) as well as following the requirements of storage of such data defined under the legal acts, legal requirements for limitation periods in relation of providing or protecting against legal clams, and if such are submitted - as long as it is necessary for this purpose..
In order to implement a proper control over the duration of data storage, the Company has appropriate technical and organizational measures to ensure data deletion after the expiration of the data storage period.
Following the GDPR and other documents regulating data protection, the Company applies measures to prevent illegal access to or illegal usage of the data of the data subject. The Company ensures that the data provided by data subjects will be protected from any illegal actions: illegal changes of the personal data, their disclosure or destruction, theft of personal identity, fraud or similar illegal actions.
The Company uses appropriate technical and organizational security measures, appropriate business systems and procedures in place to protect and defend the personal data of the data subject entrusted to the Company. The Company uses security systems, technical and physical measures restricting access to the personal data of the data subject and its use at the servers of the Company. Only the staff of the Company with special permissions can see the personal data of the data subject provided to the Company, and only for work purposes.
The Company uses only such data processors which guarantee the implementation of all necessary technical and organisational measures for the protection of personal data, and which follow such measures.
When you visit our website, we want to provide information and functions specially customized only for you. Cookies are needed for this purposes. They are small elements of information, text files, saved in your Internet browser. For more information on the types of cookies we use and how you can control them you can find in our Company Cookies Policy at www.novaturas.lt.
The Company may use the services of certain service providers (data processors) to manage your personal data. These data processors are the following: the company providing services to the data centre, companies doing the analysis of Internet browsing and internet activities and providing related services, companies designing software, providing, supporting and developing it, companies providing information technology structure services, companies providing communication, security, recruitment, call centre services, and other service providers to which the personal data is disclosed only to the extent needed to provide their services.
If there are sufficient legal grounds (e.g. when it is necessary for concluding or executing the agreement with you and when the information about this transfer was properly provided for you), the data can be transferred to our business partners or agents.
We would like to inform you that certain data related to your visits at out website (IP address, cookies, technical information on the browser you use, other activities related to your browser and information related to your browsing at our website), browsing statistics, analyses, for relevant purposes can be transferred or made available to the subjects operating both in the European Economic Area (EEA), as well as out of this area (e.g. when we use Google Analytics service, when such a subject ins a company registered in the United States of America).
We would also like to draw your attention that if you select a trip outside the EEA, the data you provided may be transferred to our partners operating in such countries and helping us to organize your trip: airlines, hotels, representatives of the Company at the direction of the trip, etc.
We would like remind that the level of personal data protection outside the EEA countries can be lower compared to the EEA countries, and this means a higher level of risk for illegal data processing, but we will meticulously evaluate the conditions under which such data of yours will be processed later and secured after the transfer of the data to the above-mentioned subjects. Your data to such receivers will be transferred only to such scope which is needed to perform the agreement made with you and to provide services for you. With the major partners from the third countries the Company concludes Standard Conditions for Agreements approved by the European Commission about which you can get more information using the Contacts of the Company indicated below:
To other data receivers your personal data may be submitted only on the basis defined under legal acts.
You, in relation to your personal data, have the following rights:
• to get to know about your personal data and how this data is processed;
• to demand to correct incorrect, inexact, or incomplete data;
• to demand to delete your personal data or to limit the processing of such data when such data is processed without following the requirements defined under legal acts or when there is another legal basis;
• to demand to transfer your personal data to another data processor or to provide this data to you in a convenient form (applicable to the data you provided yourself and which is processed using automatized means or on the basis of your consent);
• to disagree to the processing of your personal data if such data is processed on the basis of a legitimate interest, with the exception of cases when there are legitimate reasons for such processing or when it is necessary to submit, execute, or protect legal requirement;
• to revoke, at any time, your consent if you personal data is processed upon the basis of your consent.
In such cases when you think your data is processed illegally or by breaching your rights related to the data processing, you have the right to appeal to the State Personal Data Protection Inspectorate (for more information please visit www.ada.lt) and to submit your complaint to it.
However, the Company recommends before submitting the official complaint, to contact the Company by email info@novaturas.ltfor trying to find a proper solution of the problem.
Some information, for example, your personal data you provided to us during your registration at www.novaturas.lt or www.travelonspot.com, or the data related to the services obtained using these accounts, you can find after logging into your user account(s).
In order to protect personal data against unauthorised disclosures, the Company, having received your request for the implementation of your rights, will have to verify your identity. For this reason the Company may ask you to indicate your name, surname, date of birth, e-mail address, or phone number, or request to appear in person in the Company or one of its offices for the purpose of checking your identity. In carrying your this check, the Company may also sent its control notification to the indicated contact (SMS or email) asking to perform the action of authorisation. If the verification procedure is not successful (e.g. your data will differ from the data the Company has, or you do not authorize yourself upon the SMS or email message received), the Company will consider that you are not the subject of the requested data and will reject the request you submitted.
The Company, having received your request and successfully performed the above mentioned verification, no later than within one month from the receipt of your request and completion of the verification procedure, shall provide you with the information about the actions it undertook in relation to your submitted request. Taking into consideration the complexity and number of requests, the Company may have the right to extend the period of one month up to two months by informing you about this no later than within one month from the receipt of your request and completion of the verification procedure and shall state the reasons of such extension.
If you submit your request by electronic means and the Company would be able to verify your identity properly, you will also receive the reply from the Company by electronic means with the exception of the cases when this is impossible (e.g. due to a substantial volume of information, other actual circumstances and reasons), or if you request to reply in different ways.
Under the reasons and/or circumstances defined under legal acts, the Company may refuse to fulfil your request and the Company will inform you about such a refusal by providing the reasons.
The data subject shall provide the Company complete and correct personal data and to inform about relevant changes of such personal data. The Company shall not be held liable for damages caused to the data subject and/or third persons if the data subject provides incorrect and/or incomplete data about himself/herself or did not inform duly and on time about the changes of such data.
It is strictly prohibited to submit false and deceitful orders. Travel, services reservation services offered at the website, can only be used for submitting a legitimate order or customized or purchase for oneself and other persons in the name of which the person submitting the order has the right to act. If the user performs any suspicious activity, frauds or abuses the travel ordering services and other service ordering services offered at the website, the Company may cancel all or part of such orders made in the name of such a user, related to his/her email or account, or to close all accounts of such a user. The Company shall have all rights to undertake necessary legal actions in cases of fraud actions performed by the user. Under such cases, the user who did the fraudulent actions shall be liable for the financial damages suffered by the Company including costs of litigation and any other consequential damages.
The data subject when purchasing the services offered by the Company or otherwise providing to the Company not own, but third persons personal data (e.g. family members, friends data and etc. who travel together) shall inform such persons that all information related to the processing of data can be found in this Policy. The data subject, by providing the personal data of other persons, including the personal data of children and/or personal data of special categories, certifies that he/she is a legitimate representative of such persons (one of the parents, guardians) and that such persons agree on such submitting of their data and processing of such data. The Company reserves the right to contact the person indicated to make sure such a consent was given.
Without providing the personal data requested by the Company, the Company will not be able to provide certain services or to ensure the quality of the services provided.
The Company shall not be liable for communication malfunctions due to which the users of the Company website and other persons could not reach its website or use the services.
The Company cannot absolutely guarantee that the functioning of the Company website will be without any interruptions, without any malfunctions or errors, that the website of the Company would be fully protected from viruses or any other malicious components. The data subject is informed that any materials read by the data subject, downloaded or otherwise received by using the website of the Company, is exclusively received upon the discretion and risk of the data subject, and only the data subject shall be held liable for the damages to the data subject and to his/her computer system.
If the data subject is a registered user of the Company website (when the Company provides such an opportunity), the data subject undertakes all risk and responsibility for the actions of the third persons in the website of the Company done by using the login data of the data subject, and undertakes to execute all obligations undertaken in relation to the usage of the login data of the data subject.
The user, when using this website, accepts and agrees to all liabilities defined under this Policy.
If you have any questions related to the processing of your personal data or this Policy, or questions relayed to the implementation of your rights, please contact us:
AB “Novaturas”
info@novaturas.lt, or
Regarding the services of "Travel on Spot":
info@travelonspot.lt
The contact data of the Data Protection Officer if the Company: dpo@novaturas.lt, phone: +370 5 2649483.
The Company can update this Policy at any time. The Company will inform the visitors about these updates by uploading a new version of this Policy together with the date of the last changes. The visitors understand that by continuing the use of this website after the implementation of the Policy updates, they express their consent with such changes.
Should any of the provisions of this Policy be declared as void or not applicable, this shall not have any effect to the legality of the remaining provisions of the Policy and their validity.
This Policy shall enter info force from its publication on the website of the Company.
Last Updated: March 15, 2019
This Privacy Policy (hereinafter referred to as the Policy) provides important information about how our Company collects and processes personal data of its clients and other persons, how it uses such data and what measures it undertakes to protect it. In order to ensure your awareness, we recommend you read to carefully this Policy and to get acquainted with the information provided in it.
- DEFINITIONS
The Company, or we means AB "Novaturas" – Lietuva (company registration code: 135567698; company address: A. Mickevičiaus g. 27, LT-44245, Kaunas, Lithuania; Company website: www.novaturas.lt, www.travelonspot.com, flights.novatours.eu). The Company described under this Policy is a controller of personal data.
GDPR means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance).
Dada subject means a natural person from which the Company receives and processes the personal data.
Employee means a person with whom the Company concluded an employment contract or any contract of similar character and, upon the decision of the head of the Company, such a person is authorized to process personal data or whose personal data is processed.
Personal data means any information about a natural person whose identity was defined or whose identity is possible to define (data subject); a natural person is a person whose identity can be defined either directly or indirectly, in particular by using such identifiers as name and surname, personal identification number, location identifier or Internet identifier data, or several identity attributes of such a person like physical, physiological, genetic, mental, economic, cultural, or social identity attributes.
Data recipient means a natural or legal person to whom the personal data is provided.
Data provision means the disclosure of personal data by transfer or other means making such data available (except for publication in the media).
Data processing means an operation conducted with personal data: collecting, recording, storing, classification, grouping, merging, changing (amending or correcting), supplying, publishing, using, logical and (or) arithmetical operations, search, dissemination, destruction or any other activity or collection of such activities
Automatic data processing means data processing operations done by automatic or semi-automatic means.
Data processor means a legal or natural person (who is not the employee of the data controller) authorized by the data controller to process personal data. Data processor and/or its authorization procedures can be defined under laws or other legal acts.
Data controller means a legal or natural person who, alone or together with other persons, defines data processing purposes and methods. If the purposes of data processing are defined under laws or other legal acts, the data controller and /or its authorization procedures may be defined under such laws or other legal acts.
Personal data of special categories means the data related to the racial or ethnic origin of a natural person, his/her political, religious, philosophical, or other beliefs, membership in professional unions, health, sexual life, as well as the information about previous criminal convictions.
Health data means the personal data related to the physical or mental health of a natural person including the data about provision of the health services revealing the information about the health status of such a natural person.
Consent means data provided upon free will, a specific and unambiguous expression of the will of a properly informed person with a statement or unambiguous action, with which he/she agrees gives his/her consent to process the personal data related to him/her.
Direct marketing means activities for proposing to persons goods or services and/or for asking their opinions about such proposed goods or services, made by email, telephone, or any direct method.
Internal Administration means the activities ensuring an independent functioning of the data controller (structure management, personnel management, management of the available material and financial resources and their use, clerical work).
Other definitions used in this Policy are in compliance to the GDPR or other applicable legal acts.
- DATA PROCESSING PRINCIPLES
The general principles
The employees of the company when carrying their functions and processing personal data, shall follow the GDPR and other legal acts and this Policy, as well as to follow the requirements of internal documents of the Company executing or supplementing such requirements.
The personal data can be processed only in legal, fair, and transparent manner. In addition, the Company must be able to provide proof that it actually follows the principles of data processing defined under this Policy.
Purpose limitation
Personal data may only be collected for the specified and clearly defined and legal purposes and shall not be processed in contradiction to such proposes. Regarding the personal data related to the employees, the legal purposes, for example, are the management of human resources and internal administration (assignment to duties, and revoking from them, payment of salaries, work management and other human resources issues related to the employees).
Storage and deletion of personal data
Personal data may be kept in a form which permits identification of the data subjects for no longer than it is necessary for the purposes for which personal data is processed.
Data quality and proportionality
The personal data shall be accurate and updated when needed. All reasonable means shall be undertaken to ensure that the personal data which are not accurate, taking into consideration the purposes of their processing, shall be deleted or corrected in an immediate manner. Moreover, the personal data shall be adequate, suitable, and only such (and for the exact amount of) which is necessary for the purposes of their collection and/or processing. The personal data shall be processed in such a way as, by applying technical and organizational instruments, as to be able to ensure proper security of the personal data, including the protection of the data processing without permission or illegal data processing, and from unintentional loss or damage, illegal access.
If the Company doubts the correctness of the personal data it processes, it shall suspend the actions of such processing, to check and correct the data.
- WHAT DATA WE COLLECT AND FOR WHICH PURPOSES WE STORE IT
Data processing purposes
The Company processes the data of the persons visiting the websites of the Company and/or purchasing the services offered for the following purposes:
• for processing of the purchase (order) of services, administration;
• for the identification of the data subject in the information systems of the Company;
• for the identification of the data subject during the login to his/her account at the website of the Company (when the Company provides with such an opportunity);
• for issuing of coupons, approvals, invoices, and other financial documents;
• for solutions of problems related to the execution, presentation, and use of the services,
• for communications with the data subject if the terms and conditions of the services purchased by the data subject change;
• for the execution of other contractual obligations;
• for direct marketing purposes;
• for business analysis and statistical analysis, general studies which allow to improve services and their quality.
The data can be processed for other purposes which are indicated when you provide your personal data to the Company.
Data processing when purchasing the tourism services offered by the Company
During the purchase of the tourist services, depending on specific types of services (travel direction), the Company, upon the purposes defined under this Policy, collects and processes the following personal data: name, and surname, sex, date of birth or personal identification code, the data of a document proving the personal identity, address, phone number, email address, payment card data, personal contact information (phone number, email address), citizenship, information about the special needs, personal information of the persons who travel together (names, surnames, dates of birth or personal identification codes, salutations, and citizenships, other personal data which are requested during the purchase of service. The data is provided during the execution of an agreement, purchasing a service, as well as during the consultations by phone, email, or by providing the information through other persons.
The Company, in this case, processes your personal data on the the following legal basis:
• seeking to ensure a proper provision of services and high quality of the provided services (legitimate interest);
• on the basis of your consent (when the data of special categories (health) are processed);
• for the purpose of execution of the Agreement;
• for the execution of own duties as of the travel organizer, defined under the legal acts.
Data processing after creating an account at the website of www.novaturas.lt
For the purpose of the registration at website www.novaturas.lt and usage of the account, the Company collects and processes email address and the information about the proposals of an interest to the account user. In the account, it is also possible to provide the data in advance which are processed for the purchase of the tourism services (see above).
The Company, in this case, processes your personal data on the the following legal basis:
• in order to ensure the quality of the provided services (legitimate interest);
• on the basis of your consent which you express with your active actions providing the data not mandatory for the registration;
• on the basis of execution of this Agreement.
You may also be allowed to log in to the www.novaturas.lt system with the existing accounts of your social networks. For more information how the data of the users are processed and used you can ask from your social media networks providers and administrators.
Data processing after creating an account ant using hotel booking services via www.travelonspot.com
During the registration at the website www.travelonspot.com and using the service of hotel booking offered by the Company, or by providing feedback on the hotels visited, the Company, for the purposes defined under this Policy collects and processes the following personal data: name and surname, sex, address, phone number, email address, payment card data, names and surnames, dates of both, personal contact information and travel selections of the persons travelling together. The data is provided during the execution of an agreement, purchasing a service, as well as during the consultations by phone, email, or by providing the information through other persons.
The Company, in this case, processes your personal data on the the following legal basis:
• in order to ensure the quality of the provided services (legitimate interest);
• on the basis of your consent which you express with your active actions providing the data not mandatory for the registration;
• on the basis of execution of this Agreement.
When advertising the accommodation entities and the services provided by them as well as promoting and improving the services provided social networks are used (e.g., our website has direct links integrated with the social channels). At the website www.travelonspot.com, the information becomes available to the social network provider when the user clicks one of the buttons of the social networks after registering with his/her social network account This information may be shown at the profile of the social network user and seen by other members of the network.
You may also be allowed to log in to the system of www.travelonspot.com using the existing accounts of your social networks. For more information how the data of the users are processed and used you can ask from your social media networks providers and administrators.
Clients feedback
After visiting any accommodation entities selected and booked from the Internet website, Travel on Spot/Novaturas asks the user to provide feedback on the accommodation entities, services provided, If the data subject objects to indicate his/her name net to the feedback provided, the comment may be published by only indicating the nickname of anonymously. When providing the feedback the data subject agrees for showing it for example, at the information page of the website of the accommodating entity, in mobile applications, social network accounts or social network applications, on websites of a relevant accommodating entity or websites of our partners - for the purpose of informing of other travellers. The feedback provided by users on the discretion of Travel on Spot/Novaturo can also be used for marketing purposes, promotion of sales or improvement of services quality, and can be published on internet website or other social media channels: newsletters, advertisements, programmes and other channels belonging to, used and processed by Travel on Spot/Novaturas. Travel on Spot/Novaturas has the right to remove certain feedback on own discretion. If the user indicates that certain comment of the guest was useful or not useful, this information may be used together with the information provided by other users by sorting and defining the sequence of the comments provided.
Data processing when using flight booking services atflights.novatours.eu
During the purchase of air tickets at website flights.novatours.eu, the Company, for the purposes indicated under this Policy, collects and processes the following personal data: greetings of the travelling persons, their names, surnames, child birth date, contact information of the person who purchases the tickets (phone number and email address), as well as information about the payment. In certain cases (after contacting separately), the following personal data may be collected and processed: the data proving the personal identification. The data is provided during the execution of an agreement, purchasing a service, as well as during the consultations by phone, email, or by providing the information through other persons.
This data is processed upon the legal basis of the agreement execution.
Processing of personal data when providing other services
When obtaining gift coupons, child escort or other services offered by the Company, for the purposes defined under this Policy, and on the basis of the agreement execution, the Company may process other personal data. The scope of the processed data depends on the specific service which you want to obtain. The data to be provided to be able to provide a service, are indicated during the ordering of the service.
Processing of personal data when using mobile devices
When you use your mobile devices, the data may be collected for the purpose of indicating the type of your mobile device, device settings, geographical coordinates (longitude and latitude).
Processing of personal data when administering and investigating complaints and/or requests
The Company processed the personal data indicated by you when you submit to the Company a request and/or complaint in this internet website, by email, post, or telephone.
The Company processes your personal data under the cases indicated upon the following legal basis:
• seeking to administer requests and/or complaints, to ensure the quality of the services provided (legitimate interest);
• on the basis of your consent expressed by your active actions when you submit a request and/or complaint;
• for the execution of own duties as of the travel organizer, defined under the legal acts.
The Company, seeking to investigate your request and/or complaint, provide information and ensure the quality of its services, has the right to register the information provided by you at the internal information system of the Company.
The Company requests to follow at least these minimal personal data protection requirements when you address the Company:
• not to indicate such personal data, as personal ID code, date of birth, bank account number, vehicle state registration number, real estate data, health data, other personal data of special categories or any sensitive personal data, and similar neither in the subject of your request and/or complaint (your email letter, documents provided in writing, on the internet website), neither in the attached titles of files;
• in the request and/or complaint text or during the telephone call not to indicate personal personal data of special categories or any sensitive personal data, and similar identification code, bank account number, vehicle state registration number, real estate data, health data or any other data if such data has no direct relationship with the request and/or complaint, and to indicate the personal data of other persons only as much as it is necessary for the purposes of the submitted request and/or complaint.
Should the Company need any additional information for the investigation of your request and/or complaint, it will use your contact information to be able to contact you.
The Company also wants to draw your attention that the personal data of the persons who contacted the Company with their requests or complaints, may be transferred to the company UAB "Aviaturas ir partneriai" belonging to the Company group, and that this company helps to ensure fluent and prompt administration of complaints.
Processing of personal data of the shareholders of the Company
The Company processes the personal data of its shareholders in its operations:
• for the purpose of internal administration;
• for the purpose of execution of its legal liabilities related to the registration and processing of the data of the Company shareholders, the accounting of shares, and execution of other liabilities applicable to them.
Processing of personal data of other administrative bodies of the Company
The Company in its activities processes the personal data of the members of the administrative bodies of the Company:
• for the purpose of internal administration;
• seeking to execute its legal obligations related to the administrative bodies (head of the Company, the board of observers, committees, and etc.) formation, organizing of their activities, providing of the data of the administrative body and its members to the public registers and for registration at such registers, application of the Law on the Financial Accounting of Companies (e.g. statement of the data of the board and its members in the annual report), and similar.
The processing of personal data of the administrative bodies of the Company is mandatory on the basis defined bu legal acts.
Data processing for the purposes of employees’ selection
By applying for a vacancy in the Company, for example, when sending the CV by email info@novaturas.lt, or contacting the Company in relation to the vacancy announcement, the Company collects and processes the personal data provided in your letter and CV.
The Company processes the data you provided:
• for the purposes of staff selection;
• on the basis of your consent which you express with your active actions when providing your personal data.
The Company stores your data provided via this internet website in relation to the staff selection for 12 months.
The Company wants to draw your attention that the fact of providing of any personal data for the purpose of staff selection and the storage of such data does not mean the application to the vacancies wanted. If you find an advertisement in the website of the company or employment search websites in relation to your wanted vacancy, we invite you to apply directly by using the email address indicated in such an advertisement.
If you, however, provide your personal data in this website seeking to participate in a specific competition, but the Company selects another applicant who meets its needs better, the Company will store the personal data you provided till the end of the specific competition, and if you provide your consent for any further processing of this data for other staff competitions, then your data will be stored for one year after the end of such a competition, unless you revoke your consent earlier.
The Company informs that for the purpose of evaluation of your application, it can apply for recommendations to your previous employers you indicated and request information on your qualification, processional, and business skills. The Company can request such information from your existing employee only having received your separate consent.
The Company also wants to emphasize that it can receive your personal data from the third parties, for example, the companies managing employment advertisements websites, employment agencies, when you provided your data to such companies, as well as from publicly available sources where you published your personal data.
- Marketing proposals and newsletters
Using the services provided by the Company and concluding tourism services provision agreements the data subject can upon his/her own will agree to allow to use his/her personal data provided for the marketing purposes of the Company by expressing such of his/her consent in an appropriate graph of the tourism services provision agreement with his/her signature.
The data subject may agree to receive the information sent by the Company:
- After visiting the website of the Company (www.novaturas.lt, www.travelonspot.com, flights.novatours.eu) and subscribing for Company newsletters.
- By using the services provided by the Company (filling in the questionnaires of the Company after your travel by air plane, by bus on-line or during the events organized by the Company), and by concluding tourism services provision agreements (via our travel agents) by expressing your consent to receive newsletters, information notifications, proposals, discounts, sales off and etc. by marking this in an appropriate graph (e.g. by ticking).
- If an opportunity is provided to register and become the member of the Company's club, after the registration and approval of the Company club membership, the data subject may express his/her consent to receive newsletters, information notifications, proposals, discounts, sales off and etc.
- If you are provided with an opportunity to register to the website of the Company and to become a register user of it, after completion of the registration and after becoming the registered member of the Company website, the data subject may express his/her consent to receive newsletters, information notifications, proposals, discounts, sales off and etc.
The data subject has the right to refuse the information sent by the Company by clicking on the refusal link in the newsletter or any other letter sent to the data subject by the Company and to refuse such proposals and news.
If, when filling in the questionnaires of the Company after trips (in buses, air planes, or on-line) the data subject does not mark (e.g. by ticking) that he/she agrees to receive the news, proposals, and other information sent by the |Company - he/she will no longer receive them because the information of the data subject will be updated and the latest information provided by the data subject will be used.
If the data subject is a registered user of the Company website who does not want to receive unwanted information about the services of the Company, he/she can make the changes at an time by logging into his/her account at the Company website and marking this (e.g. by ticking) in his/her account at "My data" -> "Information settings".
The data provided by the data subject which are used for the purposes of direct marketing help to ensure a continuous improvement and development of the Company website and services provided by the Company, and provides the opportunity to offer the best proposals.
The data subject can also use his/her right to refuse to process his/her data for direct marketing purposes by informing the Company in writing by post or means of electronic communications.
- PERIOD OF STORING OF PERSONAL DATA
The Company shall store the personal data for as long as it is necessary to reach its targets for which such data is processed (e.g. to provide services, to investigate a complaint, and etc.) as well as following the requirements of storage of such data defined under the legal acts, legal requirements for limitation periods in relation of providing or protecting against legal clams, and if such are submitted - as long as it is necessary for this purpose..
In order to implement a proper control over the duration of data storage, the Company has appropriate technical and organizational measures to ensure data deletion after the expiration of the data storage period.
- PRIVACY AND PERSONAL DATA SECURITY
Following the GDPR and other documents regulating data protection, the Company applies measures to prevent illegal access to or illegal usage of the data of the data subject. The Company ensures that the data provided by data subjects will be protected from any illegal actions: illegal changes of the personal data, their disclosure or destruction, theft of personal identity, fraud or similar illegal actions.
The Company uses appropriate technical and organizational security measures, appropriate business systems and procedures in place to protect and defend the personal data of the data subject entrusted to the Company. The Company uses security systems, technical and physical measures restricting access to the personal data of the data subject and its use at the servers of the Company. Only the staff of the Company with special permissions can see the personal data of the data subject provided to the Company, and only for work purposes.
The Company uses only such data processors which guarantee the implementation of all necessary technical and organisational measures for the protection of personal data, and which follow such measures.
- USE OF COOKIES
When you visit our website, we want to provide information and functions specially customized only for you. Cookies are needed for this purposes. They are small elements of information, text files, saved in your Internet browser. For more information on the types of cookies we use and how you can control them you can find in our Company Cookies Policy at www.novaturas.lt.
- TRANSFER OF PERSONAL DATA
The Company may use the services of certain service providers (data processors) to manage your personal data. These data processors are the following: the company providing services to the data centre, companies doing the analysis of Internet browsing and internet activities and providing related services, companies designing software, providing, supporting and developing it, companies providing information technology structure services, companies providing communication, security, recruitment, call centre services, and other service providers to which the personal data is disclosed only to the extent needed to provide their services.
If there are sufficient legal grounds (e.g. when it is necessary for concluding or executing the agreement with you and when the information about this transfer was properly provided for you), the data can be transferred to our business partners or agents.
We would like to inform you that certain data related to your visits at out website (IP address, cookies, technical information on the browser you use, other activities related to your browser and information related to your browsing at our website), browsing statistics, analyses, for relevant purposes can be transferred or made available to the subjects operating both in the European Economic Area (EEA), as well as out of this area (e.g. when we use Google Analytics service, when such a subject ins a company registered in the United States of America).
We would also like to draw your attention that if you select a trip outside the EEA, the data you provided may be transferred to our partners operating in such countries and helping us to organize your trip: airlines, hotels, representatives of the Company at the direction of the trip, etc.
We would like remind that the level of personal data protection outside the EEA countries can be lower compared to the EEA countries, and this means a higher level of risk for illegal data processing, but we will meticulously evaluate the conditions under which such data of yours will be processed later and secured after the transfer of the data to the above-mentioned subjects. Your data to such receivers will be transferred only to such scope which is needed to perform the agreement made with you and to provide services for you. With the major partners from the third countries the Company concludes Standard Conditions for Agreements approved by the European Commission about which you can get more information using the Contacts of the Company indicated below:
To other data receivers your personal data may be submitted only on the basis defined under legal acts.
- RIGHTS OF THE DATA SUBJECT
You, in relation to your personal data, have the following rights:
• to get to know about your personal data and how this data is processed;
• to demand to correct incorrect, inexact, or incomplete data;
• to demand to delete your personal data or to limit the processing of such data when such data is processed without following the requirements defined under legal acts or when there is another legal basis;
• to demand to transfer your personal data to another data processor or to provide this data to you in a convenient form (applicable to the data you provided yourself and which is processed using automatized means or on the basis of your consent);
• to disagree to the processing of your personal data if such data is processed on the basis of a legitimate interest, with the exception of cases when there are legitimate reasons for such processing or when it is necessary to submit, execute, or protect legal requirement;
• to revoke, at any time, your consent if you personal data is processed upon the basis of your consent.
In such cases when you think your data is processed illegally or by breaching your rights related to the data processing, you have the right to appeal to the State Personal Data Protection Inspectorate (for more information please visit www.ada.lt) and to submit your complaint to it.
However, the Company recommends before submitting the official complaint, to contact the Company by email info@novaturas.ltfor trying to find a proper solution of the problem.
Some information, for example, your personal data you provided to us during your registration at www.novaturas.lt or www.travelonspot.com, or the data related to the services obtained using these accounts, you can find after logging into your user account(s).
In order to protect personal data against unauthorised disclosures, the Company, having received your request for the implementation of your rights, will have to verify your identity. For this reason the Company may ask you to indicate your name, surname, date of birth, e-mail address, or phone number, or request to appear in person in the Company or one of its offices for the purpose of checking your identity. In carrying your this check, the Company may also sent its control notification to the indicated contact (SMS or email) asking to perform the action of authorisation. If the verification procedure is not successful (e.g. your data will differ from the data the Company has, or you do not authorize yourself upon the SMS or email message received), the Company will consider that you are not the subject of the requested data and will reject the request you submitted.
The Company, having received your request and successfully performed the above mentioned verification, no later than within one month from the receipt of your request and completion of the verification procedure, shall provide you with the information about the actions it undertook in relation to your submitted request. Taking into consideration the complexity and number of requests, the Company may have the right to extend the period of one month up to two months by informing you about this no later than within one month from the receipt of your request and completion of the verification procedure and shall state the reasons of such extension.
If you submit your request by electronic means and the Company would be able to verify your identity properly, you will also receive the reply from the Company by electronic means with the exception of the cases when this is impossible (e.g. due to a substantial volume of information, other actual circumstances and reasons), or if you request to reply in different ways.
Under the reasons and/or circumstances defined under legal acts, the Company may refuse to fulfil your request and the Company will inform you about such a refusal by providing the reasons.
- LIABILITY
The data subject shall provide the Company complete and correct personal data and to inform about relevant changes of such personal data. The Company shall not be held liable for damages caused to the data subject and/or third persons if the data subject provides incorrect and/or incomplete data about himself/herself or did not inform duly and on time about the changes of such data.
It is strictly prohibited to submit false and deceitful orders. Travel, services reservation services offered at the website, can only be used for submitting a legitimate order or customized or purchase for oneself and other persons in the name of which the person submitting the order has the right to act. If the user performs any suspicious activity, frauds or abuses the travel ordering services and other service ordering services offered at the website, the Company may cancel all or part of such orders made in the name of such a user, related to his/her email or account, or to close all accounts of such a user. The Company shall have all rights to undertake necessary legal actions in cases of fraud actions performed by the user. Under such cases, the user who did the fraudulent actions shall be liable for the financial damages suffered by the Company including costs of litigation and any other consequential damages.
The data subject when purchasing the services offered by the Company or otherwise providing to the Company not own, but third persons personal data (e.g. family members, friends data and etc. who travel together) shall inform such persons that all information related to the processing of data can be found in this Policy. The data subject, by providing the personal data of other persons, including the personal data of children and/or personal data of special categories, certifies that he/she is a legitimate representative of such persons (one of the parents, guardians) and that such persons agree on such submitting of their data and processing of such data. The Company reserves the right to contact the person indicated to make sure such a consent was given.
Without providing the personal data requested by the Company, the Company will not be able to provide certain services or to ensure the quality of the services provided.
The Company shall not be liable for communication malfunctions due to which the users of the Company website and other persons could not reach its website or use the services.
The Company cannot absolutely guarantee that the functioning of the Company website will be without any interruptions, without any malfunctions or errors, that the website of the Company would be fully protected from viruses or any other malicious components. The data subject is informed that any materials read by the data subject, downloaded or otherwise received by using the website of the Company, is exclusively received upon the discretion and risk of the data subject, and only the data subject shall be held liable for the damages to the data subject and to his/her computer system.
If the data subject is a registered user of the Company website (when the Company provides such an opportunity), the data subject undertakes all risk and responsibility for the actions of the third persons in the website of the Company done by using the login data of the data subject, and undertakes to execute all obligations undertaken in relation to the usage of the login data of the data subject.
The user, when using this website, accepts and agrees to all liabilities defined under this Policy.
- HOW TO CONTACT US
If you have any questions related to the processing of your personal data or this Policy, or questions relayed to the implementation of your rights, please contact us:
AB “Novaturas”
info@novaturas.lt, or
- Mickevičiaus g. 27, LT-44245, Kaunas, Lithuania
Regarding the services of "Travel on Spot":
info@travelonspot.lt
The contact data of the Data Protection Officer if the Company: dpo@novaturas.lt, phone: +370 5 2649483.
- FINAL PROVISIONS
The Company can update this Policy at any time. The Company will inform the visitors about these updates by uploading a new version of this Policy together with the date of the last changes. The visitors understand that by continuing the use of this website after the implementation of the Policy updates, they express their consent with such changes.
Should any of the provisions of this Policy be declared as void or not applicable, this shall not have any effect to the legality of the remaining provisions of the Policy and their validity.
This Policy shall enter info force from its publication on the website of the Company.
Last Updated: March 15, 2019
