Privacy policy

Why is this Privacy Policy necessary?

UAB "Bitė Lietuva" (company code 110688998; registered address: Žemaitės g. 15, LT-03118 Vilnius) (hereinafter – BITĖ; We) is your personal data controller. We highly value and protect the privacy of our customers. Therefore, in this Privacy Policy (hereinafter – Policy) we clearly and transparently provide information about the principles of personal data processing of our brands and the assurance of your personal data protection. In this Policy, you can find relevant information about the protection of your personal data, your rights, and how to exercise them.

The purpose of this Policy is to inform you about the personal data processing operations carried out by BITĖ and/or its administered brands and the main personal data protection provisions designed to ensure your privacy. Please note that this Policy does not apply when you browse other websites or use third-party services by connecting through the BITĖ network. If you browse other websites, we therefore recommend familiarizing yourself with the privacy policy of those websites.

When processing personal data, we follow the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter – Regulation), the Law on the Legal Protection of Personal Data of the Republic of Lithuania, the Law on Electronic Communications of the Republic of Lithuania, and the requirements of other related legal acts and the instructions of controlling authorities.

What are personal data and how are they processed?

Personal data – any information directly or indirectly related to you, where your identity is known or can be directly or indirectly determined using the relevant data (e.g., name, surname, personal code, email address, phone number, etc.).

Personal data processing – any operation performed on personal data, including collection, recording, storage, editing, modification, access provision, query submission, transfer, archiving, etc.

When processing your personal data, BITĖ adheres to the following personal data processing principles:

Your personal data are processed only to the extent necessary to achieve the relevant clearly defined and legitimate purposes, taking into account your privacy protection;

Your personal data are processed accurately, fairly, and lawfully and are processed only for purposes that match the purposes specified before collecting your personal data;

Your personal data are processed strictly in accordance with the clear and transparent personal data processing requirements established by legal acts;

Your personal data are processed only in such a form that your identity can be determined no longer than necessary for the purposes for which the personal data are processed;

Appropriate technical and organizational security measures are applied to the processing of your personal data to ensure proper personal data security, including protection against unlawful data processing and accidental loss, destruction, and damage.

For what purposes does BITĖ process your personal data?

Providing electronic communication services and/or selling goods

Processing purpose: Providing electronic communication services and/or selling goods, i.e., concluding and fulfilling fixed-term and/or indefinite contracts (including ensuring the quality of services provided and controlling and accounting for payments for the provided services), providing prepaid electronic communication services (LABAS).

Legal grounds for processing: When you order our services and/or purchase goods, a contract is concluded between you and BITĖ for the provision of specific services and/or the purchase of goods. Therefore, we process your personal data based on Article 6 (1) (b) of the Regulation, i.e., it is necessary for BITĖ to process your personal data to fulfill the contract concluded with you or to take action at your request before concluding the contract.

To comply with the accounting requirements provided in legal acts (e.g., to record income and expenses, manage invoices and payment data as required by accounting laws) and/or to ensure the quality of services provided (i.e., to ensure mandatory service quality requirements as provided in electronic communications laws), BITĖ has a legal obligation to process accounting documents (including personal data) and/or traffic and related data. Therefore, your personal data is processed based on Article 6 (1) (c) of the Regulation, i.e., the legal obligations applicable to BITĖ.

Processed personal data and data usage:

BITĖ collects and processes the following categories of personal data and uses them for the specified purposes:

Basic (identification) personal data, i.e., your name, surname, personal code, date of birth, phone number, email address, other contact details, bank data, identity document data and/or other data necessary to conclude and fulfill the contract;

Contract data, i.e., data about the equipment, selected services, payment plan(s), decisions regarding direct marketing, etc.;

Contract performance (usage) data, i.e., payment, settlement, and debt information, correspondence with BITĖ (e.g., your complaints, BITĖ's responses to them, and/or other communication related to the performance of the contract). The aforementioned personal data is used so that BITĖ can conclude and fulfill electronic communication service provision and/or goods sale contracts with you (i.e., to provide the ordered electronic communication services and/or equipment and receive payment for it by controlling and accounting for settlements).

Traffic and related data (which are automatically generated when you use electronic communication means), i.e., the date and time of the telecommunications event, phone number, phone number to which the call (SMS, MMS) is directed, call duration, location tag (cell), and other data indicating the geographical location of the end-user devices of the actual electronic communication service user, international mobile subscriber identity (IMSI), international mobile equipment identity (IMEI), data transmission session access point, IP addresses, data volume, telecommunications event tags, as well as other data processed in electronic communication networks or providing electronic communication services (when this data is related to a specific person and/or allows directly/indirectly identifying a specific person). Traffic and related data are used to ensure the security of the electronic communication network and services (i.e., to maintain or restore the security of electronic communication networks and services, to prevent possible security threats by third parties), to ensure communication transmission (i.e., the transmission of your communication via the electronic communication network), as well as to record and/or manage the use of electronic communication services and apply other mandatory service quality requirements provided in electronic communication laws.

Traffic management tools data, i.e., IP address, email address. When using traffic management tools, the mentioned personal data is used only to eliminate the threat to network stability and security and is processed no longer than necessary to achieve these purposes.

Sources of data acquisition:

The mentioned personal data (except for contract usage and traffic and related data) are obtained directly from data subjects (private clients and/or business clients) at the time of contract conclusion. Personal data is obtained from other data controllers during the assessment of clients' creditworthiness. Such assessment is performed at the time of contract conclusion and can also be ordered through the self-service website.

To provide prepaid electronic communication services (LABAS), your personal data, obtained when verifying your identity, is used. Contract usage and traffic and/or related data are obtained (automatically generated) during the provision of electronic communication services. To provide BITĖ's home internet services using a device (router) with an integrated home network monitoring tool, data is obtained using this tool (using the device's factory functionality) during the provision of electronic communication services. You will be additionally informed about this device functionality at the time of purchase.

Data provision:

BITĖ may transfer and/or provide access to the mentioned personal data processed for these purposes to the following categories of data recipients:

(1) other data controllers who may receive this personal data for service provision or implementation of obligations provided in legal acts (e.g., other telecommunications operators, direct delivery service companies, banks and other payment service providers, other BITĖ group companies);

(2) data processors who provide services and process your data on behalf of, in the interest of, and under the instructions of BITĖ (e.g., companies providing delivery and related administration services, persons providing customer service in the salon or call center, IT service providers, auditors, consultants, debt management and/or collection service providers, etc.). Data is provided to these recipients only according to concluded personal data processing agreements, which specify specific data processing instructions and determine appropriate organizational and technical measures to meet confidentiality and security requirements;

(3) competent government and/or law enforcement authorities (e.g., courts, police, or other supervisory authorities). Data may be provided to these recipients only if required by applicable legal acts and only in the manner provided by legal acts, to ensure BITĖ's rights and the security of clients, employees, and/or resources, or to submit, provide, and/or defend legal claims.

Data processing terms:

BITĖ processes the mentioned personal data (except for traffic and related data) for 10 years, counting from the end of the last contract with the data subject and final settlement for equipment/services. Traffic and related data, as well as data collected for providing BITĖ's home internet services using a device (router) with an integrated home network monitoring tool, are processed for 6 months, counting from the date of event recording. After this storage period ends, the mentioned data will be destroyed.

Registering users of the LABAS prepaid service

Processing purpose: Our goal is to register you as a LABAS service user to ensure that LABAS prepaid service users are properly identified according to the requirements of the Republic of Lithuania's Electronic Communications Law and to ensure the lawful provision of LABAS services. LABAS prepaid service users can register by choosing one of the following identity verification methods:

Using SMART-ID, MOBILE-ID, or online banking. These digital identity verification methods allow users to confirm their identity quickly and securely.

Physically visiting one of the BITĖ salons. If the user prefers to register in person, they can physically visit any BITĖ salon. The salon staff will perform identity verification by checking the identity document, thereby confirming your identity according to legal requirements.

Identity verification through the platform used by BITĖ for LABAS service user identity verification. Using the platform for LABAS service user identity verification, the data from the identity document is scanned and compared with a facial image (biometric data processing) to reliably verify the person's identity. This method can only be used with your explicit consent to data processing. Registration for LABAS prepaid services can only be performed by persons aged 14 and above.

Legal grounds for processing:

The data of LABAS prepaid service users is processed based on Article 6 (1) (c) of the Regulation, i.e., BITĖ has a legal obligation provided by Article 401 of the Republic of Lithuania's Electronic Communications Law. According to the requirements of the Republic of Lithuania's Electronic Communications Law, BITĖ, as an electronic communications service provider, must fulfill certain rights and obligations related to the identification of prepaid service users. BITĖ has no right to provide public mobile communication services if the user's identity is not identified.

When registering LABAS service users, identity verification can be performed by scanning the information in your identity document and comparing the identity document with a facial image using the platform used by BITĖ for LABAS service user identity verification. Biometric data is processed only with your explicit and informed consent, based on Article 9 (2) (a) of the Regulation. You have the right to withdraw your consent at any time, but the withdrawal does not affect the legality of the data processing before the withdrawal.

Processed personal data and data usage:

BITĖ collects and processes the following categories of personal data:

Data necessary for identity verification: name, surname, personal code, phone number, identity document data, metadata of the identification process (identification number, event time) - used for identity verification to register you as a LABAS service user.

Biometric data (if applicable, for identity verification through the platform used by BITĖ for LABAS service user identity verification): facial image (biometric facial recognition) - used only with your consent to reliably verify identity during remote identification. When your identity is verified with biometric data, the data in your identity document is also processed. The data in the identity document is collected to compare it with the facial image and confirm your identity.

Technical data generated during identity verification: IP address and device information - collected during registration to protect against potential fraud and ensure service security.

Metadata obtained during the identity verification procedure: identification procedure action number, date, other related information. These data are processed to record the fact of identity verification.

These data are processed to register you as a LABAS prepaid service user, to perform identity verification according to applicable legal requirements, and to legally provide LABAS prepaid services.

Sources of data acquisition:

When registering LABAS prepaid service users, personal data is obtained from the following sources:

Directly from you. During registration, most data is obtained directly from you when you provide your personal information during the identity verification process. This includes your name, surname, personal code, phone number, as well as identity document data (if applicable). If you register physically, identity verification is performed in BITĖ salons, where your provided documents and other necessary data are checked and recorded during registration.

SMART-ID, MOBILE-ID, online banking. If you choose to verify your identity using SMART-ID, MOBILE-ID, or online banking, we will process the name, surname, personal code, and identification metadata you provided during identity verification.

Platform used by BITĖ for LABAS service user identity verification. You can choose identity verification using biometric (facial image) and identity document data through the platform used by BITĖ for LABAS service user identity verification. In this case, the platform collects your identity document data, performs facial recognition, and compares it with the identity document data to reliably verify identity. Identification metadata is also collected to record the fact of identity verification.

Technical data from the user's device. When registering online, certain technical data, such as IP address and device information, is automatically obtained from your device.

Data provision:

BITĖ may transfer and/or provide access to the mentioned personal data processed for these purposes to the following categories of data recipients:

(1) data processors who provide services and process your data on behalf of, in the interest of, and under the instructions of BITĖ (e.g., platform used by BITĖ for LABAS service user identity verification, service providers providing technical services). Data is provided to these recipients only according to concluded personal data processing agreements, which specify specific data processing instructions and determine appropriate organizational and technical measures to meet confidentiality and security requirements;

(2) competent government and/or law enforcement authorities (e.g., courts, police, or supervisory authorities). Data may be provided to these recipients only if required by applicable legal acts and only in the manner provided by legal acts.

Data processing terms:

Personal data collected during the registration of LABAS users is stored as long as the user is an active LABAS service user and for 10 years after ceasing to use the services.

If registration is performed using biometric and identity document data through the platform used by BITĖ for LABAS service user identity verification, the facial image data provided through this platform is processed for no longer than three months from the date of identification.

Metadata for recording the identification is processed for six months.

Providing television services and/or selling goods

Processing purpose:

Description: Providing paid television services and/or selling goods, i.e., concluding and fulfilling fixed-term and/or indefinite contracts/orders for internet television and satellite television (including ensuring the quality of services provided and controlling and accounting for payments for the provided services).

Legal grounds for processing:

When you order our television services, a contract is concluded between you and BITĖ for the provision of specific services. Therefore, we process your personal data based on Article 6 (1) (b) of the Regulation, i.e., it is necessary for BITĖ to process your personal data to fulfill the contract concluded with you or to take action at your request before concluding the contract.

When the contract under which you receive BITĖ's television services is concluded with a legal entity, your personal data is processed based on Article 6 (1) (f) of the Regulation, i.e., for the legitimate interests of BITĖ to conclude and fulfill contracts with legal entities and to maintain commercial relations.

To comply with accounting requirements provided in legal acts (e.g., to record income and expenses, manage invoices and payment data as required by accounting laws) and/or to ensure the quality of services provided (i.e., to ensure mandatory service quality requirements provided in electronic communications laws), BITĖ has a legal obligation to process the necessary accounting documents (including personal data). Therefore, your personal data is processed based on Article 6 (1) (c) of the Regulation, i.e., the legal obligations applicable to BITĖ.

Processed personal data and data usage:

BITĖ collects and processes the following categories of personal data and uses them for the specified purposes:

Basic (identification) personal data, i.e., your name, surname, personal code, date of birth, phone number, email address, other contact details, bank data, identity document data and/or other data necessary to conclude and fulfill the contract.

Contract performance data, i.e., payment, settlement, and debt information, correspondence with BITĖ (e.g., client's inquiries, correspondence, requests, and/or other communication related to contract performance).

Service usage data, i.e., data about the used equipment (serial number, IMEI number or other identifiers), login data (IP address, etc.), information about selected services, payment plan(s), provided discounts, TV service usage (e.g., viewed content) and/or other information related to TV service usage.

The aforementioned personal data is used so that BITĖ can conclude and fulfill electronic communication service provision and/or goods sale contracts with you (i.e., to provide the ordered electronic communication services and/or equipment and receive payment for it by controlling and accounting for settlements). Service usage data is additionally processed to ensure service quality and used to offer content recommendations. Please note that the analysis of the content viewed by an internet TV service user is performed automatically. Therefore, BITĖ has the right to provide relevant content recommendations to the user based on their experience.

When the contract is concluded with a legal entity (business client), BITĖ processes the following personal data of the legal entity's authorized representatives (parties to the goods and/or services contract):

Identification personal data, i.e., name and surname; personal code; position; contact details (e.g., phone number, email address).

The mentioned data is used to identify the representative of the legal entity when necessary for service provision. Please note that other data collected (generated) during contract conclusion and/or performance is associated with the legal entity and is therefore not considered personal data of the service user.

Sources of data acquisition:

The mentioned personal data is obtained directly from data subjects (individuals and/or legal entities) at the time of contract conclusion and/or automatically generated during the use of TV services. During contract conclusion, client creditworthiness assessment is also performed (see creditworthiness assessment and debt management purpose).

Data provision:

BITĖ may transfer and/or provide access to the mentioned personal data processed for these purposes to the following categories of data recipients:

(1) other data controllers who need these data for service provision or to fulfill legal obligations (e.g., companies providing direct delivery services, banks and other payment service providers, or other BITĖ group companies);

(2) data processors who provide services and process your data on behalf of, in the interest of, and under the instructions of BITĖ (e.g., companies providing delivery and related administration services, IT service providers, marketing (content) service providers, etc.). Data is provided to these recipients only according to concluded personal data processing agreements, which specify specific data processing instructions and determine appropriate organizational and technical measures to meet confidentiality and security requirements;

(3) competent government and/or law enforcement authorities (e.g., courts, police, or supervisory authorities). Data may be provided to these recipients only if required by applicable legal acts and only in the manner provided by legal acts, to ensure BITĖ's rights and the security of clients, employees, and/or resources, or to submit, provide, and/or defend legal claims.

Data processing terms:

BITĖ processes the mentioned personal data no longer than necessary for the purpose, but no longer than 10 years, counting from the end of the last contract with the data subject and final settlement for the services.

Conducting e-commerce

Purpose of processing:

To conduct e-commerce (including processing orders placed on the website www.bite.lt, issuing financial documents, resolving issues related to product delivery and fulfillment, and fulfilling other contractual obligations).

Legal grounds for processing:

When you purchase products and/or order services offered on our website, a contract is formed between you and BITĖ for the provision of specific services and/or product purchases. Thus, your personal data related to the purchase/order of products and/or services is processed in accordance with Article 6, paragraph 1(b) of the Regulation, i.e., to conclude and/or perform contracts (orders) made with you.

When a contract/order (on the basis of which you receive BITĖ services and/or products) is concluded with a legal entity (business client) on the website, the personal data obtained during the ordering process is processed in accordance with Article 6, paragraph 1(f) of the Regulation, i.e., to pursue BITĖ's legitimate interests in concluding and fulfilling contracts with legal entities (business clients) and maintaining commercial relationships.

Processed personal data and their usage:

BITĖ collects and processes the following categories of personal data to achieve the specified purposes:

Basic (identification) personal data, such as name and surname; delivery address; phone number; email address; company code and/or VAT payer code (when purchases are made on behalf of a legal entity and/or by a VAT payer);

Contract (order) data, such as order number, information about ordered products and/or services, and other order details; payment data (e.g., bank account number, bank name, and other information about payment methods); contact details and other records related to the order.

The mentioned personal data is used so that BITĖ can enter into and execute a remote service provision and/or product sales contract with you (i.e., deliver the ordered products and/or services and receive payment for them [performing payment control and accounting]).

Sources of data collection:

The mentioned personal data (necessary for order submission and fulfillment) is obtained directly from BITĖ customers (private and/or business) during order placement on the website and/or contract conclusion.

During the contract conclusion (e.g., purchasing equipment on installment and/or ordering services), your creditworthiness is also assessed (see the purpose of creditworthiness assessment and debt management).

Data sharing:

BITĖ may transfer or provide access to the mentioned personal data to the following categories of recipients:

(1) Other data controllers who may require this personal data for service provision or fulfillment of obligations under the law (e.g., courier companies providing direct delivery services, banks, other payment service providers, or other BITĖ group companies);

(2) Data processors who provide services and process your data on behalf of BITĖ (e.g., courier and related administrative service providers, customer service personnel at stores or call centers, IT service providers, auditors, consultants, debt management and/or recovery service providers, etc.). Data is provided to these recipients only under data processing agreements that specify detailed processing instructions and ensure proper organizational and technical measures that comply with confidentiality and security requirements;

(3) Competent authorities and/or law enforcement agencies (e.g., courts, police, or other supervisory authorities). Data may be provided to these recipients only if required by applicable laws and strictly according to the procedures established by such laws, to ensure BITĖ's rights, and the safety of clients, employees, and/or resources, or to assert, submit, and/or defend legal claims.

Data processing periods:

Data related to the purpose of conducting e-commerce (e.g., orders placed and/or fulfilled on the website, etc.) is processed for 1 year, counting from the date of the order and/or final payment for products/services. After this period, the mentioned personal data will be deleted.

Conducting Direct Marketing

Purpose of processing:

Conducting direct marketing, including marketing (based on consent), general marketing (based on legitimate interest), and individual (one-time) requests for information about BITĖ products and/or services.

Legal grounds for processing:

By providing consent to receive direct marketing (e.g., on the website, in self-service, in a contract, or otherwise) and/or submitting a request for an individual (one-time) offer related to BITĖ products/services, you express your consent for such personal data processing. Therefore, your personal data will be processed based on the legal ground of consent specified in Article 6, paragraph 1(a) of the Regulation.

When you use BITĖ services (e.g., order goods and/or services and provide BITĖ with your contact personal data for this purpose), BITĖ has the right to use this data to conduct general marketing (i.e., directly offer you similar products or services under the provisions of Article 69, paragraph 2 of the Law on Electronic Communications of the Republic of Lithuania). Therefore, your personal data for this purpose will be processed based on the legal ground of legitimate interest specified in Article 6, paragraph 1(f) of the Regulation, i.e., to pursue BITĖ's legitimate interests in offering existing customers similar products and/or services and inquiring about their opinions on them.

Processed personal data and data usage:

BITĖ collects and processes the following categories of personal data for the purposes listed:

Identification data, such as name and surname, email address, phone number(s). These personal data (contact information) are used to directly (via call/SMS/email) provide you with relevant BITĖ information, advertising offers for services and/or products, and inquire about your opinions on BITĖ services, etc.

Individualized client information, such as data on products and/or services of interest to the client, service usage data, browsing data on the website, or other information that helps tailor direct marketing to the client. Client data used for marketing individualization ensures that marketing offers provided by BITĖ align closely with the client's preferences, expectations, and interests, allowing them to receive relevant promotional offers.

Sources of data collection:

These personal data (contact information) are obtained directly from BITĖ clients (private and/or business) when the data subject consents to receive direct marketing, individual BITĖ offers, and/or uses BITĖ services (if they do not object or opt out of receiving these general marketing notifications when submitting data or receiving messages).

Other data used for marketing individualization are obtained (i.e., automatically generated) when you show interest in BITĖ products and/or services, browse the website, or use other BITĖ services.

Additionally, the data subject may withdraw their consent (or object) and/or opt out of receiving direct marketing messages at any time. Upon receiving such a request, BITĖ will cease processing your personal data for this purpose (except for retaining evidence of consent given and/or withdrawn).

Data sharing:

BITĖ may share and/or grant access to the personal data processed for these purposes to the following categories of recipients:

(1) Other data controllers who may receive these personal data for service provision or for compliance with legal obligations (e.g., other companies in the BITĖ group).

(2) Data processors who provide services and process your data on behalf of, in the interest of, and under the instructions of BITĖ (e.g., individuals handling customer service in-store or in the call center, IT service providers, specialized marketing service providers, consultants, etc.). These recipients process data only under signed data processing agreements that include specific instructions and require processors to implement appropriate organizational and technical measures ensuring confidentiality and security.

(3) Competent authorities and/or law enforcement institutions (e.g., courts, police, or other supervisory authorities). These recipients may only receive data if required by applicable laws and solely in accordance with legal procedures to ensure BITĖ's rights, the safety of clients, employees, and/or resources, or to file, submit, or defend legal claims.

Data retention periods:

Data related to direct marketing (e.g., provided and/or withdrawn marketing consents, etc.) are processed for five years from the date of consent but no longer than the consent is valid (i.e., until the withdrawal date). Once the consent expires, evidence of consent may be retained for as long as necessary to protect BITĖ's legitimate interests.

When personal data processing is conducted based on BITĖ's legitimate interests (e.g., for general direct marketing), your data will be processed until you object/opt out of receiving such marketing but no longer than the duration of contractual relationships.

If a client submits a request for an individual BITĖ offer, this inquiry will be processed until the specific purpose is achieved, but no longer than 12 months.

Communicating with You by Phone

Purpose of Processing:

Recording telephone conversations (including ensuring the quality of services and information provided, documenting the circumstances of commercial transactions and their execution, as well as storing confirmation of related matters).

Legal Basis for Processing:

When you call the phone numbers provided by BITĖ, listen to the information about call recording, and continue the conversation, you express consent to the recording of the call. Therefore, BITĖ processes incoming call recordings based on Article 6(1)(a) of the GDPR, i.e., your consent.

When BITĖ representatives call you and communicate on relevant matters (e.g., regarding the ordering of goods and/or services, contract execution, or other related circumstances), BITĖ has a legitimate interest in recording these conversations to ensure the quality of services and communication and to collect evidence of concluded commercial transactions, their execution, or other related matters (according to the provisions of Article 61(2) of the Lithuanian Law on Electronic Communications). These personal data are processed based on Article 6(1)(f) of the GDPR, i.e., in BITĖ's legitimate interest. In any case, you will be informed about the recording of your conversation with BITĖ representatives.

Processed Personal Data and Its Use:

BITĖ collects and processes the following categories of personal data and uses them to achieve the stated purposes:

Identification data, i.e., phone number, name, surname, the last four digits of the personal identification number, and/or other additional data, such as identity document number, data related to the use of BITĖ's services, etc. (in cases where client identification is necessary). These personal data are used to identify the client and fulfill their inquiry (e.g., answering questions, ordering goods and/or services, etc.).

Call data (including technical data), i.e., call recording, call date, time, duration, and other technical data. Call recordings (including their content) are used to collect evidence about contracts concluded over the phone, their execution, consent given for direct marketing, or other service-related details. These recordings may also be reviewed/evaluated to ensure the quality of BITĖ staff's service or to decide on improving telephone service quality. Technical data of the recordings are used to properly manage the stored recordings and log (account) the processing of call records.

Sources of Data Collection:

The mentioned personal data is collected directly from the data subjects (individuals and/or authorized representatives of legal entities) during phone communication with BITĖ representatives.

Data Sharing:

BITĖ may transfer and/or grant access to the following categories of recipients for the specified purposes:

(1) Data processors who provide services and process your data on behalf of BITĖ, in its interests and under its instructions (e.g., customer service representatives at call centers, IT service providers, consultants). These recipients process data only under personal data processing agreements, which include specific instructions for data processing and organizational and technical measures ensuring confidentiality and security.

(2) Competent government and/or law enforcement authorities (e.g., courts, police, or other supervisory bodies). These recipients may receive data only when required by applicable laws and only in the manner prescribed by law to protect BITĖ's rights, the safety of clients, employees, and/or resources, or to submit, present, and/or defend legal claims.

Data Retention Periods:

Call recordings related to inquiries, information provision, or commercial transactions (e.g., agreements on essential contract terms) may be retained for no longer than two months from the date of the call. This allows the company to assess service quality and/or retain evidence about the concluded or executed commercial transaction.

If the call captures your consent for direct marketing and/or provision of other information, these recordings will be associated with your (client) data and processed as evidence for five years from the date of consent.

Conducting video surveillance of the territory and/or premises

Processing purpose:

Ensuring the security of persons and premises, protection of property, prevention and detection of criminal acts through video surveillance.

Legal grounds for processing:

When you visit BITĖ's territory and/or premises (e.g., BITĖ's salons), we must ensure the safety of our Employees, customers, visitors, and the protection of BITĖ's property (including preventing criminal acts, conflicts, or other incidents), therefore BITĖ has a legitimate interest in conducting video surveillance on its territory and/or premises. Thus, the specified personal data are processed based on Article 6(1)(f) of the Regulation, i.e., for BITĖ's legitimate interests.

Processed personal data and data usage:

BITĖ collects and processes the following categories of personal data and uses them for the specified purposes:

Video data (including audio and other technical data), i.e., video recording with audio (including personal data captured in it), technical recording data (e.g., surveillance location, date, time, duration, etc.). The mentioned personal data (except for technical recording data) are used to prevent criminal acts in BITĖ's territory and/or premises, to investigate all circumstances of any recorded criminal acts, conflicts, or other incidents that caused or could have caused a threat to the safety of persons and/or property, and to provide evidence to the responsible law enforcement authorities. The technical recording data is used to properly manage the recorded conversations and to log (account for) the management of conversation recordings.

Sources of data acquisition:

The mentioned personal data are obtained directly from data subjects when they visit BITĖ's monitored territory and/or premises. Video recordings with audio are recorded automatically by video cameras, and the data subject is informed about the ongoing video surveillance through informational signs before entering BITĖ's monitored territory and/or premises.

Data provision:

BITĖ may transfer and/or provide access to the specified personal data processed for these purposes to the following categories of data recipients:

(1) data processors who provide services and process your data on behalf of, in the interest of, and by order of BITĖ (e.g., those performing security functions, IT service providers, consultants, or other legal service providers, etc.). These recipients are provided with data only under concluded personal data processing agreements, which include specific data processing instructions and determine appropriate organizational and technical measures to meet confidentiality and security requirements;

(2) competent government and/or law enforcement authorities (e.g., courts, police, or other supervisory authorities). These recipients may be provided with data only if required by applicable laws and only in the manner provided by legal acts to ensure BITĖ's rights, the safety of clients, employees, and/or resources, to submit, provide, and/or defend legal claims.

Data processing terms:

Video recordings or related personal data captured in BITĖ's territory and/or premises are processed for 14 (fourteen) days from the date of recording. If the video recording captures circumstances of criminal acts and/or other incidents, these video recordings may be processed for the entire period of the investigation of this incident (including investigations carried out by law enforcement authorities, judicial processes, etc.).

Communicating with You on Social Networks

Purpose of Processing:

Increasing BITĖ's representation and awareness in the public space, communication with subjects on social networks. To properly represent BITĖ and increase the awareness of BITĖ's managed brands in the public space, we manage brand accounts on the following social networks: "Facebook", "Instagram", "LinkedIn", and "YouTube".

Conditions of Lawfulness of Processing:

By visiting BITĖ's managed social network accounts (pages) and communicating with Us (i.e., providing your personal data on Our managed social network accounts), you express your consent to such personal data processing. Therefore, we will process your personal data based on the condition of lawfulness of processing specified in Article 6(1)(a) of the Regulation, i.e., your given consent.

Processed Personal Data and Data Usage:

BITĖ processes the following categories of personal data and uses them to achieve the specified purposes:

Account data, i.e., name, surname (title), photos (e.g., profile and/or those tagged with BITĖ's managed brand).

Communication data, i.e., information about communication on BITĖ's managed brand accounts (e.g., "like", "follow", "comment", "share" or visit, etc.), information about received messages (message content, receipt time, attachments, correspondence history, etc.); information about participation in BITĖ's organized events and/or games (e.g., participation, non-participation, interest, fulfillment of game rules, etc.); information about BITĖ's evaluations (e.g., evaluation score, feedback, etc.). The mentioned personal data is used for the representation of BITĖ's managed brands in the public space, administration of BITĖ's managed brand accounts, organization of events/games, and other communication between BITĖ's managed brands and subjects.

Sources of Data Collection:

The mentioned personal data is obtained from the social network administrator (i.e., data subjects' profiles on social networks) on BITĖ's managed social network accounts. You provide data on social networks to BITĖ when you visit and perform other actions or otherwise communicate on BITĖ's managed social network accounts.

Data Provision:

BITĖ may transfer and/or provide access to the specified personal data processed for these purposes to the following categories of data recipients:

(1) other data controllers who may receive this personal data due to the provision of services or the implementation of obligations specified in legal acts (e.g., social network administrators);

(2) data processors who provide services and process your data on behalf of, in the interests of, and at the request of BITĖ (e.g., IT service providers, marketing or related service consultants, etc.). Data is provided to these recipients only under concluded personal data processing agreements, which contain specific data processing instructions and set appropriate organizational and technical measures that meet confidentiality and security requirements for processors.

We draw your attention to the fact that personal data provided on social networks is processed jointly with social network administrators (i.e., on "Facebook", "Instagram", "YouTube", and "LinkedIn" platforms). Therefore, the communication you provide to BITĖ is also received by the social network administrator. Thus, if you want to learn more about personal data processing on a specific social network, we suggest you familiarize yourself with the privacy policies of the specific social network administrator:

(1) "Facebook" privacy policy;
(2) "Instagram" privacy policy;
(3) "LinkedIn" privacy policy;
(4) "YouTube" privacy policy.

Data Processing Terms:

Personal data processed on BITĖ's managed social network accounts (social media platforms) is not additionally collected and processed in BITĖ's internal systems (except when BITĖ has another basis for such data processing). Therefore, this data is processed according to the terms set by the social network administrator, but no longer than your consent for such data processing is valid (i.e., until you delete the relevant communication data yourself).

We note that we reserve the right to delete illegal material if it becomes clear that it is necessary to do so (e.g., when rights-violating or illegal posts, hate-inciting comments, obscene feedback (clearly sexual content) or attachments (e.g., photos or videos) are published, which inter alia violate copyright, personal rights, or other legal acts and moral and ethical norms).

What are your duties and responsibilities?

You are responsible for the accuracy, correctness, and completeness of the personal data you provide. Therefore, if your personal data necessary for the aforementioned purposes changes, you have the duty to inform BITĖ immediately about the changes. Please note that by providing your personal data, you assume full responsibility for the legality of your personal data provision and are liable for any damages BITĖ and/or third parties may incur due to the unlawful processing of such personal data.

How do we ensure the security of your personal data?

We understand that by providing us with your personal data, you expect them to be processed in a lawful, transparent, and fair manner and to be protected by appropriate technical and organizational security measures. Therefore, when determining personal data processing measures, we consider the risks arising from personal data processing and accordingly implement appropriate data protection technical and organizational measures to ensure the physical protection of personal data, restrict access rights to personal data, encrypt personal data in certain cases, ensure network security, protect personal devices, make backup copies of data, and apply other protective measures to safeguard your personal data from accidental or unlawful destruction, damage, alteration, loss, disclosure, and any other unlawful processing.

When processing your personal data, access to personal data is granted only to authorized employees of BITĖ and BITĖ's partners who need such access to perform their assigned work functions and who are obliged to comply with confidentiality or other technical and organizational personal data processing requirements specified in legal acts and/or BITĖ's internal rules.

Additionally, please note that in certain cases, data processors engaged by BITĖ (e.g., IT services, marketing (content) services, etc.) may be established not only in a member state of the European Union or the European Economic Area but also outside of it, so your personal data processing may be carried out in a third country. Nevertheless, we assure you that your data will be transferred only in accordance with legal requirements, applying appropriate protective measures (i.e., signing personal data processing/provision agreements), ensuring that you can exercise enforceable data subject rights and effective data subject rights remedies.

What rights do you have and how can you exercise them?

You have the following data subject rights:

- to request access to your personal data processed by BITĖ and receive a copy of this data;

- to request the correction of incorrect, incomplete, or inaccurate personal data and/or restrict the processing actions of such personal data by BITĖ (except for storage);

- to request the deletion of unlawfully, unfairly processed, or excessive personal data and/or restrict the processing actions of such personal data (except for storage);

- to object to the processing of your personal data by BITĖ when this data is processed or intended to be processed based on BITĖ's or a third party's legitimate interests, including profiling based on these provisions;

- to withdraw your consent at any time when your personal data is processed by BITĖ on the basis of consent (e.g., for direct marketing, personnel selection, or other purposes). However, it is important to note that the withdrawal of consent does not affect the lawfulness of data processing carried out before the withdrawal;

- to request to receive your personal data (in a structured, commonly used, and machine-readable format) and/or transfer it to another data controller when it is technically feasible ("right to data portability");

- to file a complaint with the State Data Protection Inspectorate (ada@ada.lt) regarding BITĖ's actions and/or inactions in processing your personal data.

BITĖ does not apply fully automated decision-making, including profiling, based on the processing of your data, which could have legal consequences for you or otherwise significantly affect you. However, based on your browsing and/or order history, you may be assigned to the relevant category under which we can provide you with the most relevant information (e.g., newsletters, individual offers, special discounts, etc.).

How to exercise your rights:

To exercise the above-mentioned data subject rights, please contact BITĖ's Data Protection Officer by email at: duomenu.apsauga@bite.lt. You can also exercise your data subject rights in other ways (e.g., by submitting a written request directly to BITĖ employees; sending a request by registered mail or through a representative to BITĖ's registered address). You can download a sample request form here.

Please note that to exercise your data subject rights, you must confirm your identity in one of the following ways:

(1) by submitting a request to a BITĖ employee, together with a valid identity document;

(2) by submitting a request electronically (by email: duomenu.apsauga@bite.lt), confirming the request using electronic communication means that allow proper identification of the person (e.g., mobile signature, qualified electronic signature, etc.).

Upon receiving your request to exercise your data subject rights, we will respond to you without delay, but no later than within 1 month from the date of the request. This period may be extended by another two months if necessary, considering the complexity and number of requests. You will be additionally informed of such an extension within one month.

The requested information will be provided free of charge. However, if we see that your requests are clearly unfounded or disproportionate, especially due to their repetitive nature, we have the right to charge a reasonable fee for that (i.e., to request reimbursement of administrative costs) or refuse to take action on such a data subject's request.

If you have any questions about the information provided in this Policy and/or wish to express your dissatisfaction or complaints about BITĖ's privacy policy, please contact BITĖ in any way convenient for you:

(1) in writing - by email: duomenu.apsauga@bite.lt; bendraukime@bite.lt and/or to the registered address: Žemaitės g. 15, LT-03504 Vilnius;

(2) by phone +370 699 23 230 (call price according to the payment plan rates) and/or by visiting any BITĖ salon.

How to find out about changes to this Policy?

When BITĖ updates this Policy, we will inform you of significant changes by posting a notice on the website www.bite.lt and/or providing this information directly to you. However, to be sure about the current version of the Policy and data protection provisions, you should occasionally review and familiarize yourself with the latest version of the Policy published on the website.

Updated: 2024-12-20