SPSC company's logo

Personal data processing policy

 

The purpose of the policy

We aim to keep you fully informed about the processing of your personal data, whether you communicate with us orally or in writing, including by electronic means, or by any other means of your choice. This document applies to you if your data is processed by the Closed Joint Stock Company Statybos produkcijos sertifikavimo centras, company code 110068926 (hereinafter referred to as "SPSC"), a legal entity established by the Ministry of the Environment of the Republic of Lithuania and owned by Vilnius Gediminas Technical University, which acts as a controller and processor of personal data within the meaning of the General Data Protection Regulation (EU) 2016/679 ("General Data Protection Regulation").

We care about the protection and privacy of your personal data.

This SPSC Personal Data Processing Policy (the "Policy") is intended to inform you how we collect, use, share and process your personal data provided by you or otherwise collected by us. In doing so, we aim and are committed to ensuring the fair, secure and transparent collection, use and processing of information about you.

Please review this Policy and if you have any questions, please do not hesitate to contact us using one of the methods set out below.

We may change this Policy and we encourage you to review this Policy periodically.

Your personal data is processed in accordance with the General Data Protection Regulation, the Law on Legal Protection of Personal Data of the Republic of Lithuania, as well as other legal acts.

For the purposes of this Policy, we understand the terms Personal Data and Data Subjects as follows:

Personal Data means any information about you that is provided by you (by yourself) or that we obtain from other sources and that identifies you. This may include your name, surname, personal identification number, contact information, address, information about your contracts with your employer and any other personally identifiable information that we process in the performance of the SPSC's functions.

Data subject (you) means the natural person (customer, their representative) whose personal data we receive and further use. Other terms used in the Policy shall be understood as defined in the General Data Protection Regulation and other legislation.

Contact details of the Data Protection Officer

If you have any questions regarding the processing of your personal data, please contact the SPSC Data Protection Officer by phone +370 5 272 8078, by e-mail This email address is being protected from spambots. You need JavaScript enabled to view it. by post at Saulėtekio al. 3, LT-10257 Vilnius.

What data do we collect about you?

We collect the following personal data from you:

  • basic personal data such as name, surname, telephone number, email address, work address;
  • business data, such as your workplace(s) and its contact details, job title, functions performed;
  • documents proving your qualifications and experience, such as diplomas, qualification certificates, certificates, excerpts from your employment history, etc.;
  • your representatives (whether acting by proxy or otherwise);
  • contracts with your employers.

Important: If you provide us with the data of other persons related to you, you should obtain the consent of these persons and make them aware of this Policy.

We may also collect your personal data if you are related to our clients who are legal entities, for example if you are:

  • The head of the company;
  • a shareholder;
  • a member of the board of directors or other governing body;
  • a representative of the company acting under a power of attorney.

For what purposes do we collect and use your personal data?

We collect and use your personal data provided by you or obtained from other sources. We process your personal data only on the basis of the lawful grounds defined in the legislation governing the protection of personal data. We process your personal data for the following main purposes:

  • To identify and contact you, we collect your name, surname, copy of your identity document (if applicable), address, telephone number, email address and other contact details;
  • to determine whether we can comply with your request(s), we collect data about your place of work, position held, functions performed;
  • to manage our obligations and tasks, including but not limited to:
    • to comply with the requirements of applicable law, rules, regulations, manuals, codes, professional rules and policies;
    • to comply with the requirements of, and comply with requests from, local or foreign authorities, courts, law enforcement agencies, and to comply with legal process or other requirements relating to the resolution of disputes;
    • to investigate or take action against our customers who violate the rules or engage in illegal activities or activities that are harmful to others, we may process data such as information about legal or administrative proceedings in which you are involved and other information communicated to us for the above purposes;
  • to improve the quality of our services. For this purpose, we analyse your personal data, including information about the requests you have made, and analyse the history of your requests. We collect and analyse this data about you for internal purposes, such as audits, to help us provide and improve our services. We collect and analyse this data in order to monitor and analyse trends in our services, to understand which of our services are most relevant to our potential customers and to improve our services and their content.

The use of your personal information helps us to manage, improve and develop our services and to minimise disruptions to the services we offer by electronic means. It also allows us to facilitate our communication and make it the most tailored to each customer. By analysing your experience of our services, we gain a better understanding of what you need and the way in which you prefer to receive our services, which makes our functions more efficient;

  • so that we can communicate with you:
    • to answer your questions and requests about the provision of our services, and to receive your feedback;
    • send you important notifications, for example to remind you of the expiry date of your certificate or your obligation to provide us with the information we need;
    • send you technical notices, updates, security alerts, support and administrative messages;
  • to provide services remotely. For this purpose, we store your telephone number, email address and other data that identifies you;
  • to enable us to implement the prevention and detection of breaches of the law. We may also use contact information for this purpose in order to inform you of illegal activities on your behalf.

What gives us the right to receive and use your personal data?

We obtain and use your personal data under at least one of the following conditions:

  • You intend to subscribe to our services;
  • You have given your consent;
  • The processing of your personal data is possible on a statutory basis;
  • For the purposes of our legitimate interests, such as:
    • To improve the quality of our services, to ensure the consistency and sustainability of our operations, to ensure that the services we provide to you are comprehensive and meet your expectations and to maximise your satisfaction with our services;
    • to bring and defend legal claims, and to take other lawful steps to avoid or minimise losses;
    • to prevent unlawful activities and to continuously assess the risks involved (e.g. unauthorised use of information published on our website).

Important: If you do not provide us with the personal data that is necessary to comply with the request, or that is required by law or contract, we will not be able to provide you with the services.

Where do we get your personal data from?

We use the personal data that you provide to us when you apply for and use our services, when you make requests or claims, and when we record the content of conversations during remote meetings with Certification Experts.

We may also receive your personal data from other sources:

  • State Tax Inspectorate under the Ministry of Finance of the Republic of Lithuania;
  • State Enterprise Centre of Registers;
  • Audit, Accounting, Asset Valuation and Insolvency Management Authority under the Ministry of Finance of the Republic of Lithuania;
  • Creditinfo Lietuva UAB;
  • from insurance companies;
  • from legal persons when you are a representative, employee, founder, shareholder, participant, owner, etc. of these legal persons;
  • from other legal persons who use us to provide services to you.

We may collect your personal information through emails sent to or from SPSC. Otherwise, we collect and generate information about you when you provide it to us, for example, by signing up or providing feedback electronically.

We may combine the information we hold about you from different sources.

Who do we provide your personal data to?

The SPSC ensures the protection of personal data in accordance with both directly applicable European Union legislation and the legislation of the Republic of Lithuania, and therefore provides your personal data to third parties on the basis of one-off legitimate requests from these persons or in accordance with concluded data provision agreements. In all cases, the SPSC requires a legal basis from the data recipient. In the absence of a legal basis, SPSC refuses to provide your personal data.

We may transfer your personal data:

  • to courts and other law enforcement and/or dispute resolution authorities in the exercise of their lawful powers or at our initiative, in connection with the establishment, exercise or defence of legal claims;
  • companies providing messaging, event organisation and related services;
  • representatives of bodies with market surveillance functions;
  • other third parties in connection with the transfer or sale of our services, mergers, acquisitions, or the reorganisation of all or part of our services, or similar corporate changes.

We may also use the following or other data processors to process the personal data referred to in this Policy, such as: companies providing data centres, website administration and related services, companies providing document archiving and destruction services, companies developing, providing, maintaining and developing software, companies providing information technology infrastructure services, companies providing communication services, companies providing web browsing or web analytics services.

The recipients of your data have the right to process your personal data only on the instructions of the SPSC and only to the extent necessary for the proper performance of the obligations set out in the data provision agreement. We take all necessary measures to ensure that our data processors have also implemented appropriate organisational and technical security measures.

How long do we keep your personal data?

We keep your personal data in printed documents and in SPSC information systems for no longer than is necessary for the purposes for which it was collected, or for the period of time required by law and for as long as is necessary for the purposes of archiving the documents, in accordance with the statutory requirements and time limits.

How secure is your personal information?

We use a variety of security technologies and procedures to protect your personal information from unauthorised access, use or disclosure. We require our suppliers to use appropriate measures that can protect your confidentiality and ensure the security of your personal information. However, the security of information transmissions, whether via the Internet or email, may sometimes not be guaranteed for reasons beyond SPSC's control, so you should exercise caution when submitting confidential information to us by means of your choosing other than through the electronic systems used by SPSC.

What are your rights?

You have the following rights:

  • The right to access your personal data;
  • the right to have incorrect, inaccurate or incomplete data corrected;
  • the right to restrict the processing of your personal data until the lawfulness of the processing has been verified at your request;
  • the right to request the erasure of personal data;
  • the right to object to the processing of personal data for direct marketing purposes, including profiling, and where the processing is carried out for our legitimate interests;
  • the right to request the transfer of your personal data to another controller or to have them provided directly to you in a form that is convenient for you (applies to personal data provided by you and processed by automated means on the basis of consent or on the basis of a request or for the conclusion and performance of a contract);
  • the right to withdraw the consent you have given, without prejudice to the use of your personal data prior to the withdrawal of your consent;
  • the right to lodge a complaint with the supervisory authority, the State Data Protection Inspectorate (for more information see www.ada.lt);

How will you exercise your rights?

We will make every effort to exercise your rights and answer any questions you may have about the information contained in this Policy. You may submit a request for the exercise of the above rights, as well as complaints or notifications (hereinafter referred to as "Request") to the SPSC Data Protection Officer by email to This email address is being protected from spambots. You need JavaScript enabled to view it. post to Saulėtekio al. 3 LT-10257 Vilnius, or by coming to the address indicated.

We will respond to your Request no later than 30 (thirty) calendar days from the date of receipt of the Request. In exceptional cases requiring additional time, we will have the right to extend the time limit for the provision of the requested data or for the processing of any other requirements set out in your Request by up to 60 (sixty) calendar days from the date of your request, upon notice to you.

We will refuse to comply with your Request with a reasoned response where the circumstances set out in the General Data Protection Regulation and other legislation are established, by informing you in writing.

What are the principles of personal data protection that we follow?

We comply with the following principles when collecting and using the personal data you entrust to us, as well as personal data obtained from other sources:

  • Your personal data is processed in a lawful, fair and transparent manner (the principle of lawfulness, fairness and transparency);
  • Your personal data is collected for specified, explicit and legitimate purposes and is not further processed in a manner incompatible with those purposes (purpose limitation principle);
  • Your personal data is adequate, relevant and only necessary for the purposes for which it is processed (data minimisation principle);
  • the personal data processed are accurate and, where necessary, kept up to date (principle of accuracy);
  • your personal data are kept in a form which permits identification for no longer than is necessary for the purposes for which your personal data are processed (principle of limitation of storage period);
  • Your personal data are processed in such a way as to ensure, through appropriate technical or organisational measures, adequate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (principle of integrity and confidentiality).

Our obligations

In collecting and using the personal data you entrust to us, as well as personal data obtained from other sources, we undertake to:

  • Process your personal data only for clearly defined and legitimate purposes;
  • not to process your personal data for purposes other than those set out in this Policy, except as required by law;
  • to process your personal data lawfully, accurately, transparently, fairly and in such a way as to ensure the accuracy, identity and security of the personal data processed;
  • ensure that no excessive personal data is processed;
  • process your personal data for no longer than is necessary for the purposes for which the personal data are processed;
  • be responsible for compliance with the principles set out in this Policy and be able to demonstrate compliance with them;
  • comply with any other obligations under the law.

Validity and amendments to the Privacy Policy

This Policy comes into force on 25 May 2018. Last revised and re-edited on 17 August 2023 due to changes in the company's activities and status, change of registered office address.

The Policy may be amended to reflect changes in the law and our operations. We will notify you of changes on our website www.spsc.lt and by other means.

Cookie Notice

Please note that this website uses cookies. These cookies do not reveal any of your personal information and are used for the functionality of the website. Without these cookies, the website cannot function properly, and they can only be disabled by changing your browser settings. By continuing to browse, you agree to the use of these cookies.

Cookie policy