PRIVACY POLICY

PRIVACY POLICY
UAB EBV Finance

1. GENERAL PROVISIONS

1.1. UAB EBV Finance (hereinafter – Company or we) is aware that the protection of privacy is an important factor when you visit our website, register via the self-service portal and communicate with us as your partners or clients. We take the protection of your privacy very seriously, therefore we have prepared this privacy policy (hereinafter – Privacy Policy) which explains how we process and protect your data and which of your rights we ensure, as well as provides other information about the processing of your data.

1.2. The term “personal data” used in this Privacy Policy (hereinafter – Personal Data) shall mean any information or set of information by which we may directly or indirectly identify you, such as your name, email address, telephone number, etc.

1.3. We process your Personal Data in compliance with the General Data Protection Regulation No 2016/679 (EU) (hereinafter – GDPR), the regulatory requirements of the Republic of Lithuania, and the instructions of the controlling institutions.

1.4. This Privacy Policy applies when you order and use our services, visit our website at https://www.ebvfinance.com/ (hereinafter – Website), register via the self-service portal available on the Website, visit our accounts on the social networks LinkedIn and Facebook (hereinafter – Social Account), visit our premises, and contact us by phone, e-mail, or in other ways.

1.5. The Website, Self-Service Portal and Social Account may contain links or may redirect you to external websites, such as the websites of our business partners, or companies of the group. Please note that these websites have their separate privacy policies and we do not control the collection of Personal Data on these websites. Before providing your Personal Data on these websites, we encourage you to first read their privacy policies.

1.6. Please read this Privacy Policy carefully. If you use our services, use our Website, register via Self service portal, visit our Social Account or contact us, we shall assume that you have read the Privacy Policy. If you do not agree with the Privacy Policy, we will not be able to provide you with all or part of our services, provide the information that you need, etc.

1.7. This Privacy Policy may be amended. Please visit our Website from time to time to read the latest version of this Privacy Policy.

2. WHO ARE WE?

2.1. Your Personal Data Controller is UAB EBV Finance, data is collected and processed in the Register of Legal Entities of the State Enterprise Centre of Registers, legal entity code 303150257, address Antano Tumėno str. 4-1101, LT-01109 Vilnius, Republic of Lithuania.

2.2. Contact our data protection officer: by phone at +370 628 11111 or by e-mail at legal@ebvfinance.com.

3. WHICH PERSONAL DATA DO WE PROCESS?

3.1. We process Personal Data obtained in the following ways:

3.1.1. When you provide us with Personal Data, for example, when you register via the self-service portal on the Website, order our services, contact us by phone or e-mail, enter into contracts with us, etc.;

3.1.2. When your Personal Data is collected while you are using the Website, the Social Account, while you are visiting our premises with video surveillance, etc.;

3.1.3. When we receive your Personal Data from other persons, such as your employers, state or local authorities or bodies, public registers, our partners, companies administering payments, etc.

3.2. When providing your Data and the Personal Data of others (employees, etc.), you shall be responsible for the accuracy, completeness and relevance of such Personal Data, as well as the consent of other persons to the provision of their Personal Data to us. We may ask you to confirm that you have the right to provide or receive the data of another person. If necessary (for example, when a person contacts us regarding the receipt of his/her Personal Data), we will indicate you as the provider of such data.

3.3. We process your Personal Data for the following purposes and under the following conditions:

Purpose of Personal Data processingProcessed Personal DataPersonal Data processing periodsLegal basis for the processing of Personal Data
Provision of VAT and excise duty refund services.Name, surname, position, represented legal entity, relationship with the represented entity, e-mail, phone, signature on documents, self-service portal login details, communication data, and information on how to use the self-service account.During the term of the agreement/ relationship and for 10 years after the expiration of the agreement/ relationship, unless a longer mandatory retention period is applied in accordance with the Index of the Timeframe of Storage of General Documents approved by Order No V-100 of the Chief Archivist of the Republic of Lithuania of 9 March 2011.Consent of the data subject to such data processing (Article 6 (1) (a) of GDPR);
Data processing is necessary for the conclusion and performance of the contract (Article 6 (1) (b) of GDPR);
Legitimate interests of the controller or of a third party (Article 6 (1) (f) of GDPR).
Conclusion and performance of agreements necessary for the Company’s activities and other internal administration.Name, surname, personal identification number (if required), phone, e-mail, address, represented legal entity, relationship with the legal entity, position, workplace, individual activity certificate no and other data required for cooperation.  During the service/ cooperation period and for 10 years after the end of the provision of services/ cooperation, unless a longer mandatory retention period is applied in accordance with the Index of the Timeframe of Storage of General Documents approved by Order No V-100 of the Chief Archivist of the Republic of Lithuania of 9 March 2011.Data processing is necessary for the conclusion and performance of the contract (Article 6 (1) (b) of GDPR);
Legitimate interests of the controller or of a third party (Article 6 (1) (f) of GDPR).
Performance of financial operations, accounting, fulfilment of tax obligations, debt managementName, surname, e-mail, phone, position, address, represented legal entity, relationship with the legal entity, VAT code, bank account no,  credit institution, payment information, debt information, payment administrator’s data, tax document information, communication data.In accordance with the legal acts governing financial transactions and accounting, and pursuant to the Index of the Timeframe of Storage of General Documents approved by Order No V-100  of the Chief Archivist of the Republic of Lithuania on 9 March 2011;
Data that does not fall within the scope of retention of the aforesaid legal acts shall be retained for the entire period of validity of the contract or relationship and for 10 years after the expiration of the contract or relationship.
Data processing is necessary for the conclusion and performance of the contract (Article 6 (1) (b) of GDPR);
Aim to fulfil a legal obligation to which the controller is subject (Article 6 (1) (c) of GDPR);
Legitimate interests of the controller or of a third party (Article 6 (1) (f) of GDPR).
Management, maintenance and improvement of the Website and Social AccountIP address, data collected through the Website’s and Self-service portal’s cookies and settings, used browser, date and time of connection, model and manufacturer of mobile device the operating system of mobile device and data collected through the integration of the Social Account.Website data shall be retained for up to 2 years;
Information on the Linkedin or Facebook social network account shall be retained according to the terms and conditions set by the owner of this network.
Consent of the data subject to such data processing (Article 6 (1) (a) of GDPR);
Legitimate interests of the controller or of a third party (Article 6 (1) (f) of GDPR).
Administration of inquiries about the Company’s activities, submission of responses to inquiriesName, surname, e-mail, phone, represented legal entity, relationship with the entity, contents of inquiries and responses theretoDuring the communication period and 1 year after the end of the communication;
In remote communication programs – according to the program settings, but not longer than 1 year after the end of the communication;
Personal Data processed on the basis of consent shall be retained as specified, unless the person revokes his/her consent.
Consent of the data subject to such data processing (Article 6 (1) (a) of GDPR);
Legitimate interests of the controller or of a third party (Article 6 (1) (f) of GDPR).
Performance of direct marketing, submission of newsName, surname, e-mail, phone, information on reading (opening) a newsletter.Data shall be retained for 5 years from the date of receipt of the consent and, if the consent is revoked, until the expiration of the consent.Consent of the data subject to such data processing (Article 6 (1) (a) of GDPR);
Legitimate interests of the controller or of a third party (Article 6 (1) (f) of GDPR).
Settlement of claims and disputesName, surname, e-mail, phone, represented legal entity, relationship with the represented entity, address/ delivery address, contents of the claim or other similar documents and information/ documents related to the dispute/ claim.For the entire period of the dispute/ claim and for 3 years after the end of the out-of-court dispute/ claim, and for 10 years after the end of the judicial dispute, unless a longer mandatory retention period is applied in accordance with the Index of the Timeframe of Storage of General Documents approved by Order No V-100 of the Chief Archivist of the Republic of Lithuania of 9 March 2011.Aim to fulfil a legal obligation to which the controller is subject (Article 6 (1) (c) of GDPR);
Legitimate interests of the controller or of a third party (Article 6 (1) (f) of GDPR).
Evaluation and selection of candidates for an offered job positionName, surname, e-mail, phone, address, data on education and activity, contents of resume (CV), other information required for the selection/ evaluation of a candidate, or information provided by the candidateData shall be retained for the entire duration of the selection period and for 3 months after it unless the person revokes his/her consent earlier. In such a case, Personal Data shall be retained until the expiration of the consent.Consent of the data subject to such data processing (Article 6 (1) (a) of GDPR);
Legitimate interests of the controller or of a third party (Article 6 (1) (f) of GDPR).
Video surveillance to ensure the safety of persons and property.Video surveillance data.Video data shall be retained for 10 days from the date the video is taken.Legitimate interests of the controller or of a third party (Article 6 (1) (f) of GDPR).
Recording of calls to ensure the quality of servicing the customers by telephone and service provision, the quality of employees’ work, and efficient management of the customer files.Name, surname, position, represented legal entity; contact telephone No, e-mail address; conversation records, topic of the conversation, content of the conversation, conversation metadata (date, time, duration, etc.)Call records shall be stored for 3 years as of the date of recording;
 
Other call data shall be stored for 180 days.
Data subject’s consent to such processing (Article 6(1)(a) of the GDPR);
 
Legitimate interests of the controller or a third party (Article 6(1)(f) of the GDPR).

You shall have the right to object or revoke your consent to the processing of your data at any time when data is processed on the basis of your consent.

3.4. Our Social Account provides information about us, our services, and our activities. In addition to this Privacy Policy, users of the Social Account shall also be subject to the privacy policies and regulations of the managers of the social network that contains the Social Account. When you contact us via our Social Account, we may see certain information on your account, depending on your chosen social network privacy settings. If you post information when communicating with us via the Social Account, the information that you post may be made public, depending on your chosen privacy settings (for example, your comments, feedback, etc. may be displayed).

3.5. In some cases, we may send you messages related to our services or call you, for example, to notify you of the progress of the provided services, remind you to pay an invoice, etc. Such notices are necessary for the proper provision of services and are not considered to be promotional notices.

3.6. You have the right to change and update the information that you have provided to us. In some cases, we need to have accurate, up-to-date information about you, therefore we may ask you to periodically confirm that the information we have about you is correct.

4. HOW DO WE USE YOUR PERSONAL DATA AND WHAT PRINCIPLES DO WE FOLLOW?

4.1. We only collect and process Personal Data that is necessary to achieve the specified purposes of the processing of Personal Data.

4.2. When processing your Personal Data, we:

4.2.1. Comply with the requirements of current, applicable legal acts, including the GDPR;

4.2.2. Process your Personal Data in a lawful, fair and transparent manner;

4.2.3. Collect your Personal Data for specified, clearly defined and legitimate purposes, and do not process it in a way incompatible with those purposes, except to the extent permitted by law;

4.2.4. Take all reasonable measures to ensure that Personal Data that is inaccurate or incomplete, by considering the purposes for which it is processed, is immediately rectified, supplemented, and the processing thereof is suspended, or it is destroyed;

4.2.5. Will retain it in a form that enables you to identify yourself for no longer than is necessary for the purposes for which the Personal Data is processed;

4.2.6. Will does not provide or disclose your Personal Data to third parties other than as set forth in the Privacy Policy or applicable legal acts;

4.2.7. Will ensure that your Personal Data is processed securely.

5. TO WHOM AND WHEN DO WE TRANSFER YOUR PERSONAL DATA?

5.1. We will only transfer your Personal Data as described in this Privacy Policy.

5.2. We may transfer your Personal Data to:

5.2.1. Our partners and consultants such as auditors, lawyers, and other persons with whom we cooperate in the performance of our activities.

5.2.2. Our Personal Data processors, who provide services/perform works for us (e. g. website hosting providers, courier and parcel shipment service providers, security service providers, document archiving service providers).

5.2.3. Operators of social networks that we use to communicate with you, and providers of services related to the Website:

5.2.3.1. LinkedIn Ireland Unlimited Company (Ireland) and LinkedIn Corporation (USA) (data is securely transferred to the service provider by signing the standard contractual clauses for data transfers between EU and non-EU countries approved by the European Commission);

5.2.3.2. Meta Platform Ireland Ltd. (Ireland) and Meta Platform, Inc. (USA) (data is securely transferred to the service provider by signing the standard contractual clauses for data transfers between EU and non-EU countries approved by the European Commission);

5.2.3.3. Google Ireland Ltd. (Ireland) and Google Inc. (USA) (data is securely transferred to the service provider by signing the standard contractual clauses for data transfers between EU and non-EU countries approved by the European Commission).

5.2.4. State or local self-government institutions and bodies, law enforcement and pre-trial investigation bodies, courts and other dispute resolution bodies, and other persons performing the functions assigned by law, in accordance with the procedures provided for by the legal acts of the Republic of Lithuania.

5.2.5. Other third parties such as legal service providers, finance, credit and payment institutions, etc.

5.2.6. Undertakings that belong to the same group of companies as the Company, which can be located in and outside of the EEA.

5.2.7. If necessary, to companies that intend to purchase or are purchasing the Company’s business, or are engaging in joint ventures or other forms of cooperation with us, as well as companies established by us.

5.3. We normally process Personal Data within the EU/EEA, however in some cases, for example, in order to properly provide you with services or in case of other necessity, your Personal Data may be transferred outside the EU/EEA. Your Personal Data will only be transferred outside the EU/EEA subject to an adequate level of personal data protection and only under at least one of the following conditions:

5.3.1. Data processing or data provision agreements are signed with the data recipient, based on the standard contractual clauses approved by the European Commission;

5.3.2. A special permit was obtained from the State Data Protection Inspectorate of the Republic of Lithuania to carry out the transfer of data outside the EU/EEA;

5.3.3. On the basis of a decision adopted by The European Commission on the suitability of the country in which our partner is established  Such a decision means that the country ensures an adequate level of security of Personal Data; or

5.3.4. You have given your consent to the transfer of your Personal Data outside the EEA.

6. WHAT RIGHTS DO YOU HAVE?

6.1. As a data subject, you shall have the following rights regarding your Personal Data:

Your rightScope of implementation of the right
Know (be informed) about the processing of your Personal Data (right to know)You have the right to receive information about the processing of your Personal Data in concise, simple and understandable language.
Familiarize with your Personal Data and with the procedures for processing such data (right to access)This right means that you can ask us to provide:
·         Confirmation that we are processing your Personal Data;
·         List of your processed Personal Data;
·         List of purposes and legal grounds for the processing of your Personal Data;
·         Confirmation on whether we are sending your Personal Data to third countries, and if so what security measures have been taken;
·         The source of your Personal Data;
·         Information on whether profiling is applied;
·         Data retention period indication.
We will provide the aforesaid information if this does not violate the rights and freedoms of others.
Right to request to rectify or update incomplete personal data in accordance with the Personal Data processing purposes (right to rectification)Applied if our information related to your Personal Data is incomplete or inaccurate.
Request to erase your Personal Data or suspend the processing thereof (excluding retention) (right to have personal data erased and right to be forgotten)Applied if:
·         The information that we have is no longer needed to achieve the set purposes;
·         We process your data with your consent and you decide to withdraw this consent;
·         We process data based on legitimate interests and, after the receipt of your request, it is determined that your private interests override ours;
·         Information was obtained illegally.
Request us to restrict the processing of your Personal Data due to legitimate reasons (right to restrict processing)This right can be exercised while we analyse the situation, i.e.:
·         If you dispute the accuracy of the information;
·         If you object to the processing of your Personal Data when such processing is carried out in accordance with legitimate interests;
·         We use information unlawfully, however, you object to the erasure of such information;
·         We no longer need the information, however, you are asking us to retain it for litigation purposes.
Right to data portabilityThis right can be exercised if you have provided your data and we process it automatically, based on your consent or an agreement concluded with you.
Right to object to the processing of Personal DataThis right may be exercised when such data processing is carried out for the legitimate interests of the data controller or a third party. We may refuse to exercise this right if we prove that we need to process your data for compelling legitimate reasons which take precedence over your interests.
You may also object at any time to the processing of your Personal Data for direct marketing purposes, including profiling, as far as it relates to such direct marketing.
Right to withdraw consentYou can withdraw your consent to process Personal Data at any time if such data is processed on the basis of consent.
Right to submit a complaint to a supervisory authorityYou can apply to the authority responsible for the supervision and control of personal data protection legislation – the State Data Protection Inspectorate. We aim to resolve disputes, therefore we ask you to contact us first.

6.2. If you do not want your Personal Data to be processed for direct marketing purposes, including profiling, you may opt-out of such processing without providing any reasons for such refusal by writing an e-mail to legal@ebvfinance.com, or notifying us in another way specified in the message sent to you (for example, by clicking on the appropriate link in the newsletter).

6.3. We may refuse to exercise the rights listed above, except for the right to refuse the processing of Personal Data for direct marketing purposes or in other cases where Personal Data is processed with your consent, where your request allows us not to comply with the provision of the GDPR, or, where required by law, it is necessary to ensure the prevention, investigation and detection of criminal offences, breaches of official or professional ethics, and the protection of the rights and freedoms of the data subject, of us, and of other persons.

6.4. You may submit to us in writing any request or instruction related to the processing of Personal Data by e-mail to legal@ebvfinance.com. In order to better understand the content of your request, we may ask you to fill out the necessary forms, as well as provide us with an identity document or other information (e.g., verify your identity with an electronic signature) that would help us verify your identity. Upon submission of a request by e-mail, depending on its contents, we may ask you to come to us or provide your request in writing. You can also send your request by mail to our registered office, or directly coming to our registered office.

6.5. Upon receipt of your request or instruction regarding the processing of Personal Data, we will provide a response thereto within 1 month from the date of the request, perform the actions specified in the request, or inform you why we refuse to perform them. If necessary, the specified period may be extended for 2 more months depending on the complexity and number of requests. In this case, we shall inform you about such an extension within 1 month from the receipt of the request.

6.6. If Personal Data is deleted at your request, we will only keep copies of the information that is necessary to protect our legitimate interests and those of others, comply with the obligations of public authorities, resolve disputes, identify disruptions, or comply with any agreements that you have entered into with us.

7. WILL WE SEND YOU NEWS?

7.1. With your consent, we may use your Personal Data for direct marketing purposes to send you newsletters, offers and information about our services that we believe may be of interest to you.

7.2. News can be sent by e-mail. Your contact details may be passed on to our partners/processors who provide us with news delivery or quality assessment services.

7.3. After sending the newsletter, we may collect information about the people who received it, e.g., which message was opened, what links were clicked, etc. Such information is collected in order to offer you relevant news tailored to your needs.

7.4. Even if you have given your consent to the processing of your Personal Data for direct marketing purposes, you can easily withdraw this consent at any time regarding all or part of your Personal Data. To do this, you can:

7.4.1. notify us of the withdrawal in the manner specified in the electronic notifications and/or offers (for example, by clicking on the “unsubscribe” link in the newsletter, etc.); or

7.4.2. send us a message to the email address provided in this Privacy Policy. If you request to withdraw your consent in this manner, we may ask you to verify your identity.

7.5. If you withdraw your consent, we will make every effort to immediately stop sending our news to your contact details. Withdrawal of consent shall not automatically oblige us to delete your Personal Data or provide you with information about the Personal Data that we process, therefore you should make a separate request regarding these actions.

7.6. Our advertising partners use various mobile and internet cookies in order to show you personalized advertisements that would be relevant to you. Personalized ads will be shown to you only with your consent. Advertising personalization cookies are used to measure a group, activate contextual advertising, and/or target campaigns. We do not control these third-party tracking technologies and their use. Third-party cookies are regulated by the privacy policies of third parties. You can refuse the use of personalized cookies by changing your browser settings or otherwise as described in Section 9 of the Privacy Policy.

8. HOW DO WE PROTECT YOUR PERSONAL DATA?

8.1. Your Personal Data is processed responsibly and securely and is protected from loss, unauthorized use, and alteration. We have implemented physical and technical measures (such as controlled access, data sharing restrictions, use of passwords, identity verification, protection against viruses or malware, data protection documentation, etc.) to protect the information that we collect from an accidental or unlawful destruction, damage, alteration, loss, disclosure, or any other unlawful processing. The security measures for Personal Data are determined by taking into account the risks arising from the processing of Personal Data.

8.2. Our employees have undertaken in writing not to disclose or distribute your Personal Data to third parties and unauthorized persons.

9. HOW DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

9.1. Cookies are small text files that store information (often consisting only of a sequence of numbers and letters identifying the device, but may also contain other information) which is used by your device (computer, tablet, mobile phone, etc.) browser (e.g., Google Chrome, Internet Explorer, Firefox, Mozilla, Opera, etc.) based on its settings, and stored on your device’s hard drive. The term “cookies” is used in the Privacy Policy to describe cookies and other similar technologies, for example, Pixel Tags, Web Beacons, and clear GIFs. The use of cookies ensures better and more efficient operation of the Website or Self-Service Portal, as well as integration with the Social Account.

9.2. We use cookies to analyse information flows and user behaviour, to promote trust and ensure security, as well as to ensure the proper functioning of the Website or Self-Service Portal, to improve it, to remember your chosen settings, to personalize the content displayed to you, and to link the Website with the Social Account.

9.3. You can choose whether you want to accept cookies. If you do not agree to cookies being stored on the browser of your computer or another device, you can mark this in the cookie consent banner, change the settings of the browser you are using, and disable cookies (all at once or one at a time, or in groups). To opt-out of cookies on your mobile device, you must follow the official instructions for that device. Please note that in some cases opting out of cookies may slow down your browsing speed, limit certain Website or Self-Service Portal functionalities, or block access to the Website or Self-Service Portal. For more information, visit http://www.AllAboutCookies.org or https://www.google.com/privacy_ads.html.

9.4. You may disable the use of third-party cookies for advertising purposes by visiting the Network Advertising page at http://www.networkadvertising.org/managing/opt_out.asp.

9.5. We may use strictly necessary cookies that are required for the operation of the Website or Self-Service Portal, as well as analytical cookies and functional cookies to analyse the traffic of the Website or Self-Service Portal, memorize user preferences, and adapt them for the Website or Self-Service Portal to improve its functionality, performance cookies, third-party cookies used by third parties, and advertising cookies designed to show you personalized and general advertisements.

9.6. We also use the following products and tools to record cookies:

Piano AnalyticsAs part of the operation of our website, we use the analysis tool “Piano Analytics” from the provider Piano Software Inc (111 S Independence Mall East, Suite 950, Philadelphia, PA 19106). The use of the “Piano Analytics” analysis tool enables us to collect and store usage information from users of our website in anonymised form using a measurement method. We use the “hybrid measurement” method of “Piano Analytics”, which enables us to use both conventional tracking processes and non-personalised reach measurements. Further information regarding the handling of your data and data protection by Piano Software Inc. can be found here: https://piano.io/privacy-policy/
CookieBot Cookie ConsentThis tool helps us inform you about the cookies that we use as transparently as possible. It helps us achieve this goal by providing you with detailed information about our used tracking technologies, and helps us ensure that optional cookies are used only with your consent. More information available at https://www.cookiebot.com/en/privacy-policy/.

10. CONTACT US

10.1. If you have any questions regarding the information provided in this Privacy Policy, please contact us via e-mail at legal@ebvfinance.com or by phone at +370 628 11111.

10.2. If you wish to make a complaint regarding the processing of Personal Data, please do so in writing by providing as much information as possible. We will cooperate with you and try to immediately resolve any issues. A complaint can be submitted via this link.

10.3. If you believe that your rights have been violated pursuant to the GDPR, you may lodge a complaint with our supervisory authority – State Data Protection Inspectorate. More information and contact details can be found on the inspectorate’s website (https://vdai.lrv.lt/). We aim to resolve any disputes promptly and amicably, therefore we ask you to contact us first.

11. FINAL PROVISIONS

11.1. We may change this Privacy Policy. We will notify you of any changes on the Website or Self-service Portal by posting an updated Privacy Policy or by other usual means of communication. Amendments or supplements to the Privacy Policy shall become effective from the date the Privacy Policy is updated as specified in the Privacy Policy unless a different effective date is specified.

11.2. If you continue using the Website or Self-service Portal, ordering services, using our Social Account, and contacting us after the amendment of the terms and conditions of the Privacy Policy, this shall confirm that you agree to the amended terms and conditions of the Privacy Policy.

Updated on 20.03.2024.