This Privacy Policy of UAB “Concretus group” (the“Privacy Policy”) applies to individuals who use the services provided by UAB “Concretus group” (the“Company”, “Data Controller” or “we”), supply goods or render services to the Company, enter the Company’s territory or premises, are interested in the employment in the Company, submit queries or visit the website www.concretus.lt (the ‘Website’).
The data controller is UAB Concretus group, legal entity code 124656868, registered office address Žarijų g. 6A Vilnius, Lietuva.
The Privacy Policy establishes and defines the basic principles for the processing of personal data and exercising of the rights of the data subject. Additional information may be included in service contracts and other agreements as well as separate statements.
By using the Company’s services, entering the Company’s premises or territory, submitting a CV to the Company, contacting the Company and submitting his/her data to the Company, as well as by continuing browsing the Website of the Company, the data subject confirms that he/she has read the Privacy Policy and understood its provisions.
The Company processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “General Data Protection Regulation” or “GDPR”), the Law of the Republic of Lithuania on Legal Protection of Personal Data and other legal acts regulating the processing of personal data.
The Data Controller is guided by the following basic principles of data processing:
Personal data may be obtained:
1. For the purpose of provision of services, purchasing of goods and administration of contracts, the following personal data are processed: the name, surname, job title, signature, name of the represented legal entity, the power of attorney or its copy, the e-mail address, telephone number, address, a copy of the certificate of business or individual activity (for independent contractors), and the personal identification number.
When handling contracts with group companies, the following personal data are processed: the name, surname, job title, signature, the name of the legal entity represented, a power of attorney or its copy.
Legal basis: performance of contractual obligations (Article 6(1)(b) of GDPR) and the legitimate interest of the Data Controller in the development of its business (Article 6(1)(f) of GDPR).
Personal data retention period: 10 years after the end of the contract.
2. For the purpose of internal administration of personnel, the following personal data of the Data Controller’s employees are processed: the name, surname, signature, personal identification number, address, e-mail address, telephone number, bank account number, data contained in children’s birth certificates (the name, surname, date of birth, document number), health cards (evidencing fitness for work), education, certificates, applications.
Legal basis: performance of obligations under an employment contract (Article 6(1)(b) of GDPR) and compliance with legal obligations (Article 6(1)(c) of GDPR), legitimate interest of the Data Controller for the performance of internal administration (Article 6(1)(f) of GDPR), processing of the health data is necessary for carrying out the obligations and exercising specific rights of the Data Controller or of the Data Subject in the field of employment and social security and social protection law (Article 9(2)(b) of GDPR).
Personal data retention period: we will keep the employment contract, its annexes and the personal file for 50 years after the end of the employment contract, and we will keep the other data for the period of time provided for by law.
3. For the purpose of analysing business performance, the personal data of employees, suppliers and customers contained in accounting systems are processed.
Legal basis: the legitimate interest of the Data Controller in the development of its business (Article 6(1)(f) of GDPR).
Personal data retention period: no longer than necessary to achieve this purpose.
4. For the purpose of communication with business partners, the following personal data are processed: the company representative’s name, surname, job title, telephone number, e-mail address.
Legal basis: the legitimate interest of the Data Controller to pursue its activities (Article 6(1)(f) of GDPR).
Personal data retention period: no longer than necessary for the purpose.
5. When processing personal data of executives, members of management bodies, shareholders and ultimate beneficial owners for the purposes of internal administration and carrying out of legal obligations, the following personal data are processed: data concerning shareholders: the name, surname, signature, personal identification number, residential address, a copy of the ID document; data concerning shareholders and ultimate beneficial owners: the name, surname, date of birth, country of birth, personal identification number, residential address, nationality, country of residence for tax purposes, tax identification number, information on the ID document (the type, number, country of issue, expiry date), copy of the ID document; data concerning executives and members of the management board: the name, surname, signature, personal identification number, address of the actual and declared residence, a copy of the ID document.
Legal basis: compliance with legal obligations (Article 6(1)(c) of GDPR).
Personal data retention period: personal data of shareholders and ultimate beneficial owners shall be retained for 10 years after the period of being a shareholder (ultimate beneficial owner) ends; personal data of executives and members of management bodies shall be retained for 10 years after the period of being a manager or a member of a management body ends.
6. For the purpose of safeguarding personal security and property and ensuring uninterrupted and stable corporate operations at the Company (registration of visitors), the following personal data may be collected: the name and surname of an interested party (the person visiting the Company), the name of the organisation, the Company’s employee visited by the interested party, the telephone number and e-mail of such employee, and the time of arrival and departure.
The data of the involved parties may be recorded in a register or stored in electronic format on Proxyclick SA servers in accordance with the personal data policy https://www.proxyclick.com/privacy.
Legal basis: the legitimate interest of the Data Controller in ensuring protection of individuals and property (Article 6(1)(f) of GDPR).
Personal data retention period: 1 working day or until appropriate.
7. For the purpose of video surveillance to protect the Company’s property and people, the following data is collected: video recordings.
Video surveillance in the Company is carried out only on the business premises and/or areas controlled by the Company.
Legal basis: of the Data Controller in ensuring protection of individuals and property (Article 6(1)(f) of GDPR).
Personal data retention period: up to 30 calendar days or for no longer than necessary to achieve this purpose. After the expiry of the retention period, the data of video recordings are automatically deleted. Where there are grounds for believing that a breach of work duties, accident, criminal offence or other unlawful act has been recorded, the video recordings are kept separately stored on a computer or on a removable medium until the end of the relevant investigation and/or proceedings, and are destroyed as soon as they are no longer required.
8. For the purpose of employment in the Company, the following personal data provided by potential employees of the Company (candidates, job applicants) may be collected: the CV, name and surname, contact information.
It should be pointed out that potential employees are informed of the processing of their data and the retention period of data at the time of the first contact.
Legal basis: for the purpose of concluding an employment contract with a potential employee (Article 6(1)(b) of GDPR).
Personal data retention period: if a potential employee applies for a specific position, but no job is offered to him/her, the potential employee’s data are destroyed at the end of the selection process for the position announced by the Company.
Where the Company does not announce the selection of employees or trainees for a specific position, but the data subject nevertheless applies for one or several jobs or internships at the Company, or contacts the Company without specifying a particular position, and voluntarily provides his/her data (e.g. the CV, name and surname, contact details), such personal data of the data subject is not stored.
9. For the purpose of contacting in the event of an accident to an employee or another emergency, the name, surname and telephone number of the contact person are collected.
When entering into an employment contract with the Company, the employee provides the Company with the above-mentioned data of the contact person of his/her choice, i.e., the person who should be informed if an accident happens to the employee or in the event of another emergency occurring during the working hours of the employee who has provided the contact.
By providing the Company with the contact person’s information, the employee confirms that he/she is providing the information with the contact person’s knowledge and consent, and that the latter has been informed of this Privacy Policy. If the contact person does not consent to the processing of his/her personal data by the Company for the purpose set out above, he/she must contact the Company using the contact details provided in this Privacy Policy.
Legal basis: the legitimate interests of the Company to notify the contact person designated by the Company’s employee in the event of an accident to an employee or another emergency (Article 6(1)(f) of GDPR).
Personal data retention period: until the end of the employment contract with the Company’s employee who has designated the contact person or until the Company receives the contact person’s denial of consent / objection to the processing of the contact person’s personal data for the purpose of contacting him/her in the event of an accident to the employee or another emergency.
10. For the purpose of organising and conducting conference calls, online meetings, video conferences and/or webinars, the following personal data provided to the Company by the persons participating in online meetings may be collected: the information about the participants in the meeting (the name, surname, telephone number, e-mail address, password (if not using co-registration), profile picture, department), meeting data (the topic, description, IP address of participants, hardware information of the device, start and end times of the video conference), recordings, telephone data (if joined by phone; the telephone numbers of the incoming and outgoing call, the country, start and end times of the call), text data.
Please note that the persons attending online meetings are additionally informed about the processing of their personal data and the data retention periods before the processing of such personal data starts, i.e., before the online meeting.
Legal basis: the legitimate interests of the Data Controller to ensure the organisation and conduct of remote meetings and to ensure convenient and secure communication (Article 6(1)(f) of GDPR).
Personal data retention period: the personal data referred to above will be processed for as long as they are necessary for organising and conducting online meetings, and providing the related services.
11. For the purpose of customer service (enquiry management) and record-keeping, the following personal data are processed:thename, surname, e-mail, telephone number, job title, text of the enquiry, and other data provided by the data subject.
Legal basis: the legitimate interest of the Company in the administration of enquiries (Article 6(1)(f) of GDPR).
Personal data retention period: 3 years after the response to the enquiry.
12. For the purpose of implementing the provisions of the Law on the Protection of Whistleblowers, the following personal data of whistleblowers, persons allegedly in breach, witnesses and employees conducting the investigation is processed: the name, surname, personal identification number or date of birth, job title, place of work or relationship with the Company, contact information (telephone number, e-mail address, residential address), information about the breach, and the signature.
Legal basis: the legitimate interest of the Company in the proper implementation of the provisions of the Law on the Protection of Whistleblowers (Article 6(1)(f) of GDPR).
Personal data retention period: 5 years after the last decision taken in examining the information submitted.
13. For the purpose of implementing the provisions of the Labour Code on the prevention of violence and/or harassment at work, the following personal data of the persons who have reported or allegedly experienced or committed violence and/or harassment at work, also witnesses and employees conducting the investigation is processed:thename, surname, job title in the Company or the relationship with the Company, contact details (telephone number, e-mail address), the information about the event (time, duration, other circumstances), and the signature.
Legal basis: the legitimate interest of the Company in the proper implementation of the provisions of the Labour Code on the prevention of violence and/or harassment at work (Article 6(1)(f) of GDPR).
Personal data retention period: 5 years after the last decision taken in examining the information submitted.
14. The processing personal data for the purpose of direct marketing may include the data subject’s name, surname, job title, e-mail address, telephone number, unique customer ID.
The Company may send informational messages, invitations to participate in surveys or conduct surveys over the phone if the individual has given consent to the Company to use his/her data for direct marketing purposes, and the Company may do the same to its existing customers without separate consent to marketing and surveys for similar services, provided that they are given a clear, free and easily implemented opportunity to object to or opt-out of such use of their contact data and that they have not objected to such use of their data at the beginning of the sending of each communication.
For direct marketing purposes, the Company may send communications by email or contact the individual by telephone.
Legal basis: the data subject’s consent (Article 6(1)(a) of GDPR) and the Data Controller’s legitimate interest in providing offers and inviting to take surveys (Article 6(1)(f) of GDPR).
Consent to the use of personal data for direct marketing purposes is expressed by ticking the appropriate box in the notification provided to the person regarding the processing of personal data. Consent for direct marketing is voluntary, is not a condition of the contractual relationship with the Company and does not affect the relationship between the data subject and the Company.
In cases where the information sent by the Company or provided by telephone is no longer relevant, the individual may withdraw the consent to direct marketing at any time or object to the processing of personal data on the grounds of legitimate interest by informing the Company about it at the following email address: dap@concretus.lt.
Personal data retention period: until the expiry of the period specified in the data subject’s consent or until the consent is withdrawn; until the end of the long-term contract with the customer or for the maximum period of 24 months after the completion of a single transaction with the customer / supplier, if offers or invitations to take part in surveys are based on legitimate interest. Consents given by data subjects are kept for 3 years after the expiry of the period specified in them or after withdrawal of the consent given.
The Company can process the data as a separate data controller or together with other data controllers (i.e. joint controllers within the meaning of Article 26 of the Regulation). An agreement shall be concluded between joint controllers, establishing their respective responsibilities for the fulfilment of the obligations under the Regulation in a transparent manner, defining the individual functions of joint controllers and their relationship with data subjects. The data subject shall have access to the essential provisions of this agreement at the written request of the data subject. The data subject may exercise his/her rights under the Regulation in respect of each of the data controllers.
The Data Controller undertakes to respect the duty of confidentiality towards data subjects. Personal data may be disclosed to third parties only if necessary for the conclusion and performance of a contract for the benefit of the data subject or for other legitimate reasons.
The Data Controller may provide your personal data:
The data may be processed by data processors providing services of accounting, website hosting, data centre/server rental, IT maintenance, external audit, protection, legal, data protection officer and other services to the Company. Data processors shall have the right to process personal data only upon instructions from the Company and to the extent necessary for the proper performance of their obligations under the data processing agreement. The Company seeks assurance from the data processors that the data processors have also implemented appropriate organisational and technical security measures and maintain the confidentiality of personal data.
Potential employees of the Company (candidates, persons seeking employment) shall provide the Company with the following personal data: CV, full name, contact information. Potential employees shall be informed of the processing of their data and the retention period of data at the time of the first contact. Also, prospective employees can consult this Privacy Policy on the processing of their data.
Personal data of potential employees submitted during the recruiting process for a specific position announced by the Company shall be processed to conclude an employment contract with a potential employee.
If a prospective employee applies for a specific position, but no job is offered to him/her, the potential employee’s particulars shall be destroyed at the end of the selection process for the position announced by the Company.
Where the Company does not announce the selection of employees or trainees for a specific position, but the data subject nevertheless applies for one or several jobs or internships at the Company, or contacts the Company without specifying a particular position, and voluntarily provides his/her data (e.g. CV, full name, contact details), such personal data of the data subject is not stored.
The Company has the Data Protection Officer. The Data Protection Officer can be contacted by e-mail at dap@concretus.lt.
Each data subject shall have the following rights:
(a) right to information about the processing of their data;
(b) right of access to his/her processed personal data and the way of processing, namely to obtain information on the period of retention of personal data, the technical and organisational measures taken to ensure data security, to receive information from which sources and for what purpose his/her personal data is collected, to whom it is transferred / provided;
(c) right to rectification and erasure or blocking, other than storage, of his/her data, where the processing is not carried out under legal provisions;
(d) right to object to the processing of his/her personal data, unless such processing is required for the legitimate interest of the data controller or a third party to whom the personal data is provided, and the interests of the data subject are not overriding;
(e) right to erasure of the submitted personal data;
(f) right to restriction of processing of personal data;
(g) right to require that the personal data provided by him/her be transmitted by the data controller to another data controller, if it is processed based on the data subject’s consent or contract and by automated means, and where it is technically possible (data portability);
(h) right to file a complaint with the State Data Protection Inspectorate regarding the processing of personal data.
You can submit the request to the Company in person or through a representative:
Where the request is made on behalf of the data subject, the representative must submit a power of attorney issued to him/her by the data subject and certified by the notary along with the request.
The request for video recordings must specify the exact circumstances of the incident (including: the address of the premises / territory controlled by the Company; the specific location within those premises / in the territory where the incident occurred; the date and time of the incident (up to half-hour accuracy).
At least within 30 calendar days from the date of receipt of the request, we will provide:
The Company aims to implement appropriate, technically feasible and cost-effective organisational and technical data security measures to protect personal data against accidental or unlawful destruction, alteration, disclosure, and any other illegal processing. All personal data and additional information provided by the data subject are treated as confidential.
Access to personal data is limited to those employees, service providers and authorised data processors who need personal data to perform the functions assigned to them by their organisational unit.
The Website www.concretus.lt does not use cookies, i.e., small text information files that are created automatically by browsing the website and stored on a computer or another terminal device.
The Company is free to change this Privacy Policy, which will come into effect from its publication on the website www.concretus.lt. Last updated on 6 February 2024.