DATA CONTROLLERS
ASSOCIATION “LITHUANIAN NATIONAL UNION OF STUDENTS”,
OPERATING AT GELEŽINIO VILKO G. 12, LT-03163 VILNIUS,
LEGAL ENTITY CODE 190739547,
AND
UAB “MECENATUM”,
OPERATING AT V. NAGEVIČIAUS G. 3, LT-08237 VILNIUS,
LEGAL ENTITY CODE 305499994
PRIVACY POLICY
1. GENERAL PROVISIONS
1.1. This Privacy Policy (hereinafter referred to as the Policy) regulates the principles and procedures for the processing of personal data by the Lithuanian National Union of Students, operating at Geležinio Vilko g. 12, LT-03163 Vilnius, legal entity code 190739547 (hereinafter referred to as LSS), and UAB “Mecenatum,” operating at V. Nagevičiaus g. 3, LT-08237 Vilnius, legal entity code 305499994 (hereinafter referred to as Mecenatum), hereinafter collectively referred to as Data Controllers.
1.2. The Data Controllers, acting under a joint activity agreement for the administration, development, and marketing of the Lithuanian Student Identity Card project, are jointly responsible for the administrative actions of the Website as set out in this Policy and applicable legal acts.
1.3. In this Policy, a Data Subject is considered to be any natural person whose personal data is processed by the Data Controller.
1.4. The Data Controllers ensure that by adopting and implementing this Policy, they aim to adhere to the following fundamental principles related to personal data processing:
(a) Ensuring that personal data is processed lawfully, fairly, and transparently concerning the Data Subject (principle of legality, fairness, and transparency);
(b) Ensuring that personal data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. Further processing for archiving in the public interest, scientific or historical research, or statistical purposes shall not be considered incompatible with the initial purposes (principle of purpose limitation);
(c) Ensuring that personal data is adequate, relevant, and limited to what is necessary concerning the purposes for which it is processed (principle of data minimization);
(d) Ensuring that personal data is accurate and, where necessary, kept up to date; taking reasonable steps to ensure that inaccurate personal data, having regard to the purposes for which they are processed, are erased or rectified without delay (principle of accuracy);
(e) Ensuring that personal data is stored in a form that permits the identification of Data Subjects for no longer than is necessary for the purposes for which the personal data is processed. Personal data may be stored for longer periods insofar as the data will be processed solely for archiving in the public interest, scientific or historical research, or statistical purposes, subject to the implementation of appropriate technical and organizational measures required by law to safeguard the rights and freedoms of the Data Subject (principle of storage limitation);
(f) Ensuring that personal data, given the general nature of the personal data processed by the Data Controllers, is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (principle of integrity and confidentiality);
(g) Data Controllers are responsible for and must be able to demonstrate compliance with the above principles (principle of accountability).
2. COLLECTION, PROCESSING, AND STORAGE OF PERSONAL DATA
2.1. By submitting their personal data, the Data Subject agrees and does not object to the Data Controllers managing and processing it for the purposes, means, and procedures specified in this Policy and legal acts.
2.2. If the Data Subject does not agree with this Policy and the processing of personal data described herein, they should not visit the Website and/or use the services of the Data Controllers.
2.3. By providing personal data, the Data Subject grants the Data Controllers the right to collect, accumulate, systematize, use, and process for the purposes specified in this Policy all personal data directly or indirectly provided by the Data Subject while visiting the Website and using its services.
2.4. The Data Subject is responsible for ensuring that the data provided is accurate, correct, and complete. Providing knowingly incorrect data is considered a violation of the Policy. If the provided data changes, the Data Subject must promptly correct it or inform LSS and Mecenatum if correction is not possible. Data Controllers shall not be liable for any damage caused to the Data Subject and/or third parties due to the submission of incorrect and/or incomplete personal data or the failure to correct or update the data.
3. PURPOSES OF PERSONAL DATA PROCESSING FOR THE LITHUANIAN STUDENT IDENTITY CARD ISSUANCE
3.1. LSS processes the following personal data of Data Subjects for the purpose of issuing the Lithuanian Student Identity Card:
(a) Name and surname;
(b) Personal identification code;
(c) Photograph;
(d) Higher education institution;
(e) Study program.
3.2. The data is obtained directly from the Data Subject and from the Student Register and may be transferred to the Data Subject’s higher education institution for the purpose of creating a more convenient study environment. Data is not shared with other third parties.
3.3. The legal basis for processing personal data is Article 6(1)(b) of the GDPR (processing necessary for the performance of a contract or to take steps at the request of the Data Subject prior to entering into a contract).
3.4. Failure to provide any of the data listed in 3.1 will prevent LSS from fulfilling the Lithuanian Student Identity Card contract and issuing the Lithuanian Student Identity Card.
4. PERSONAL DATA PROCESSING FOR DIRECT MARKETING PURPOSES
4.1. Mecenatum and LSS may process the following personal data of consenting Data Subjects for direct marketing purposes:
(a) Email address;
(b) Telephone number;
(c) Address (only if the Lithuanian Student Identity Card is delivered by courier or post).
4.2. The legal basis for processing personal data is Article 6(1)(a) of the GDPR (processing based on the Data Subject’s consent).
4.3. Data Subjects may choose how they receive marketing information:
(a) Receiving only newsletters;
(b) Receiving only SMS messages;
(c) Receiving both newsletters and SMS messages.
4.4. Data Subjects may unsubscribe from marketing messages at any time by:
(a) Clicking the “Unsubscribe” button at the end of each newsletter;
(b) Managing their preferences in the “Profile” section of their account on the Website.
4.5. Marketing communications are limited to a maximum of three messages per month.
4.6. Data Subjects can manage their consent for marketing communications in the Website’s “Profile” section.
5. PERSONAL DATA PROCESSING FOR RESPONDING TO DATA SUBJECT QUERIES REGARDING THE LITHUANIAN STUDENT IDENTITY CARD
5.1. LSS processes the following personal data of consenting Data Subjects for the purpose of responding to queries:
(a) Name and surname;
(b) Personal identification code;
(c) Higher education institution;
(d) Telephone number;
(e) Email address;
(f) Other voluntarily provided data.
5.2. The data is obtained directly from the Data Subject and is not shared with third parties.
5.3. The legal basis for processing personal data is Article 6(1)(a) of the GDPR (processing based on the Data Subject’s consent).
6. PERSONAL DATA STORAGE AND RETENTION PERIODS
6.1. The Data Controllers implement organizational and technical measures to protect personal data from accidental or unlawful destruction, alteration, disclosure, or any other unlawful processing.
6.2. The following data retention periods apply:
| Purpose of Personal Data Processing | Retention Period |
|---|---|
| Website registration | Until the Data Subject requests account deletion |
| Lithuanian Student Identity Card issuance | 2 years from one of the following events, whichever occurs later:
fulfillment of obligations to LSS |
| Direct marketing | Until the Data Subject withdraws consent, but no longer than 2 years after the loss of student status and/or return of the card |
| Responding to website-related queries | 3 years from the last contact or until consent withdrawal |
| Responding to Lithuanian Student Identity Card queries | 3 years from the last contact or until consent withdrawal |
6.3. Exceptions to the above retention periods may be made if such deviations do not violate Data Subject rights, comply with legal requirements, and are properly documented.
6.4. Data necessary for legal claims are retained as long as necessary for judicial, administrative, or out-of-court procedures.
7. INFORMATION ABOUT COOKIES
7.1. The Data Controllers use cookies on the Website to distinguish users and ensure a better browsing experience.
7.2. Cookies are small text files stored on the user’s browser or device.
7.3. The Website uses the following types of cookies:
| Name | Provider | Expiration | Type | |||
|---|---|---|---|---|---|---|
| CookieConsent | lsp.lt | 1 metai | HTTP | |||
| 1.gif | imgsct.cookiebot.com | Naršymo seansas | Pixel |
7.4. The Website uses statistical cookies for anonymous information collection to generate reports on Website interaction:
| Name | Provider | Expiration | Type | |||
|---|---|---|---|---|---|---|
| _ga | lsp.lt | 2 metai | HTTP | |||
| _ga_# | lsp.lt | 2 metai | HTTP | |||
| _gat | lsp.lt | 1 diena | HTTP | |||
| _gid | lsp.lt | 1 diena | HTTP |
7.5. Users can consent to cookies by clicking “Agree” upon accessing the Website.
7.6. Users can withdraw consent by deleting or blocking cookies in their browser settings.
8. DATA SUBJECT RIGHTS
8.1. Data Subjects have the right to:
(a) Access their personal data and understand how it is processed;
(b) Correct inaccurate, incomplete, or outdated data;
(c) Request the suspension or cessation of data processing;
(d) Withdraw consent at any time without affecting previous processing validity.
8.2. Data Subjects may exercise their rights by submitting a written request to LSS via email at pagalba@lsp.lt or nuolaidos@lsp.lt, by mail to A. Vivulskio g. 36, LT-03114 Vilnius, or by visiting the Data Controllers’ offices.
8.3. Dissatisfied Data Subjects may lodge complaints with the State Data Protection Inspectorate.
9. FINAL PROVISIONS
9.1. Legal relations related to this Policy are governed by Lithuanian law.
9.2. Data Controllers are not liable for damages caused by third parties or force majeure circumstances.
9.3. Data Controllers have the right to amend this Policy.
9.4. Amendments take effect upon publication on the Website.
9.5. Continued use of the Website constitutes acceptance of amendments.
10. LIABILITY AND DISCLAIMERS
10.1. The Data Controllers are not responsible for any loss, damage, or other consequences resulting from disruptions in Website services, loss or corruption of data caused by the actions or inactions of the user, third parties, errors, malicious activity, or improper Website usage.
10.2. They are also not liable for interruptions and/or resulting damages caused by factors outside their control, such as power or internet outages.
10.3. Data Controllers have the right to amend this Policy at any time.
10.4. Amendments take effect upon publication on the Website.
10.5. Users who continue using the Website after amendments are deemed to accept the changes.
11. GOVERNING LAW
11.1. This Privacy Policy is governed by the laws of the Republic of Lithuania.
11.2. In case of disputes, they shall be resolved in accordance with Lithuanian legal procedures.
Privacy Policy last updated 2024-07-05
