Privacy policy
I. MAIN CONCEPTS
Company – MB "Hubs Medical", legal entity code 306961980, Kaunas. Data about the Company is collected and stored in the Register of Legal Entities of the Republic of Lithuania. The Company's website addresses: www.hubs.lt and www.hubsmedical.com
Personal data – any information related to a natural person (data subject) whose identity is known or can be directly or indirectly identified using such data as a personal code or one or more characteristics specific to the individual’s physical, physiological, psychological, economic, cultural, or social nature.
Data recipient – a legal or natural person to whom personal data is provided.
Data provision – the disclosure of personal data by transmission or making it otherwise available (except for public disclosure through media channels).
Data processing – any operation performed with personal data, such as collection, recording, accumulation, storage, classification, grouping, merging, modification (supplementing or correcting), provision, disclosure, use, logical and/or arithmetic operations, search, dissemination, destruction, or any other action or set of actions.
Automated data processing – actions on data fully or partially carried out by automated means.
Data controller – a legal or natural person who alone or jointly with others determines the purposes and means of processing personal data.
Data processor – a legal or natural person (who is not an employee of the data controller) authorized by the data controller to process personal data.
Special personal data – data related to a natural person's racial or ethnic origin, political, religious, philosophical beliefs, membership in trade unions, health, sexual life, as well as information about a person’s criminal convictions.
Social and public opinion research – the systematic collection and interpretation of data and/or information about natural and legal persons using statistical, analytical, and other social science methods to gain insights necessary for decision-making. Social and public opinion research cannot involve direct marketing.
Consent – a voluntary declaration of the data subject’s will to process their personal data for a known purpose. Consent to process special personal data must be clearly expressed in writing or other forms that unequivocally demonstrate the data subject's will.
Direct marketing – activities aimed at offering goods or services to individuals by mail, phone, or other direct means, and/or soliciting their opinions on the offered goods or services.
Third party – a legal or natural person, excluding the data subject, data controller, data processor, and persons directly authorized by the data controller or data processor to process the data.
The data processor and/or their appointment may be stipulated by laws or other legal acts.
Other terms used in these Personal Data Processing Rules are provided in the Law on Legal Protection of Personal Data of the Republic of Lithuania.
II. MAIN PURPOSES OF PERSONAL DATA PROCESSING AND USE
2.1. The Personal Data Processing Rules (hereinafter referred to as the "Rules") establish the purposes of processing personal data of natural persons, the rights of the data subject, and the procedure for their implementation. The Rules also define organizational and technical data protection measures, as well as other rules related to personal data processing.
2.2. The purpose of the Personal Data Processing Rules is to set the principles and procedures for how personal data is processed within the Company and to ensure the implementation of the rules established by the Law on Legal Protection of Personal Data of the Republic of Lithuania and other legal acts.
2.3. The aim of these Rules is to define the main technical and organizational data security measures for the implementation of personal data processing, ensuring compliance with the Law on Legal Protection of Personal Data and other legal acts regulating personal data processing and protection.
2.4. The Company processes the personal data provided voluntarily by the data subject via mail, registered mail, email, fax, telephone, in person by visiting the Company's or a travel sales agent's point of sale, and by using the Company's website.
2.5. Information received from the data subject is administered and used only for the purposes specified in the Rules.
2.6. Information received from the data subject cannot be disclosed to third parties without a legitimate basis, except for individuals who are involved in or contribute in any form to the fulfillment of the data subject's order. The data subject’s personal data may also be transferred to data processors with whom the Company has entered into personal data processing or other agreements that address personal data processing and security requirements. In such cases, legal responsibility for any breach or damage related to personal data processing lies with the responsible data processor. In other cases, personal data may be disclosed to third parties only when required or permitted by legal acts. Personal data may also be transferred to public administration and law enforcement institutions when such an obligation is established by legal acts.
2.7. The purposes for which the data subject's personal data is used:
2.7.1. For the ordering and administration of services provided by the Company:
2.7.1.1. Identification of the data subject in information systems.
2.7.1.2. Processing of the data subject's orders on the website.
2.7.1.3. Examination and administration of claims and other requests from the data subject.
2.7.1.4. Prompt notification of the data subject regarding changes in the conditions or procedures for purchasing goods or receiving services.
2.7.1.5. Provision of personal data to correspondence service providers or other service providers involved in fulfilling the data subject’s orders.
2.7.1.6. Fulfillment of other obligations undertaken.
2.7.2. For direct marketing purposes, such as sending offers, newsletters, and advertisements via SMS and email:
2.7.2.1. Providing offers for goods and other services.
2.7.2.2. Analyzing activity to improve service quality.
2.7.3. For issuing financial documents:
2.7.3.1. Issuing accounting documents for purchased goods.
2.8. Personal data is collected only in accordance with the law, either directly from the data subject, by formally requesting information from entities authorized to provide it, or based on contracts or legal acts, by accessing databases, registers, and information systems that store individual data, based on data provision agreements or one-time requests.
2.9. When the data subject provides their personal data to the Company, they voluntarily agree that the Company will manage and process their personal data in compliance with the Rules and other legal requirements.
2.10. When the data subject purchases a product (accessory), they agree and do not object that the personal data provided by the person signing the contract will be managed and processed by the Company. In such cases, it is assumed that the personal data provided by the person signing the contract, concerning another beneficiary, is correct and provided with the beneficiary’s consent. By providing such personal data to the Company, it is assumed that the beneficiary agrees and does not object to the management and processing of their personal data.
2.11. The Company may disclose and transfer the data subject’s personal data to third parties outside the EU, whom the Company engages for the implementation and administration of the data subject’s ordered services. The Company obliges such third parties to maintain confidentiality and security of the personal data transferred to them.
2.12. The Company processes and stores personal data only for as long as necessary to achieve the purposes specified in these Rules for personal data use.
III. PRINCIPLES OF PERSONAL DATA PROCESSING
3.1. When processing personal data, the following data processing requirements must be observed:
3.1.1. Personal data must be collected for specific and legitimate purposes and cannot be processed for purposes incompatible with those established before the data is collected.
3.1.2. Personal data must be processed accurately, fairly, and lawfully.
3.1.3. Personal data must be accurate and, if necessary, updated. Inaccurate or incomplete data must be corrected, supplemented, destroyed, or their processing must be suspended.
3.1.4. The scope of personal data must be limited to what is necessary for its collection and processing.
3.1.5. Personal data must be stored in a form that allows identification of the data subject only for as long as it is necessary for the purposes for which the data was collected and processed.
3.1.6. Personal data must be processed in accordance with the requirements for clear and transparent data processing set out in the Law on Legal Protection of Personal Data and other relevant regulatory acts governing such activities.
IV. FUNCTIONS, RIGHTS, AND RESPONSIBILITIES OF THE DATA CONTROLLER AND DATA PROCESSOR
4.1. The Data Controller has the following rights:
4.1.1. To prepare and adopt internal legal acts regulating the processing of personal data.
4.1.2. To appoint a person or unit responsible for personal data protection.
4.1.3. To authorize Data Processors to process personal data.
4.2. The Data Controller has the following responsibilities:
4.2.1. To ensure compliance with the Law on Legal Protection of Personal Data and other legal acts regulating personal data processing.
4.2.2. To implement the rights of the Data Subject in accordance with the Law on Legal Protection of Personal Data and these Rules.
4.2.3. To ensure the security of personal data by implementing technical and organizational security measures.
4.2.4. To consult with the State Data Protection Inspectorate.
4.2.5. If required by legal acts, to appoint a data protection officer.
4.2.6. To report any data security breach in accordance with the procedures established by legal acts.
4.3. The Data Controller performs the following functions:
4.3.1. Analyzes technological, methodological, and organizational problems related to personal data processing and makes decisions necessary to ensure proper personal data security.
4.3.2. Provides methodological assistance to employees and Data Processors for the purposes of personal data processing.
4.3.3. Organizes employee training on the legal protection of personal data.
4.3.4. Performs other functions necessary to fulfill the Data Controller's rights and responsibilities.
4.4. The Data Processor has the rights, responsibilities, and performs the functions stipulated in the personal data processing or other relevant contracts.
4.5. The Data Processor has the following rights:
4.5.1. To provide the Data Controller with suggestions for improving the technical and software means of data processing.
4.5.2. To process personal data to the extent authorized by the Data Controller.
4.5.3. Other rights specified in the personal data processing or other relevant contracts.
4.6. The Data Processor has the following responsibilities:
4.6.1. To implement appropriate organizational and technical security measures to protect personal data from accidental or unlawful destruction, alteration, disclosure, and other illegal processing.
4.6.2. To inform newly hired employees about the Rules.
4.6.3. To ensure that access to personal data is only granted to authorized individuals in accordance with established procedures.
4.6.4. To ensure that personal data is stored within the time limits specified by legal acts.
4.6.5. To ensure that personal data is processed in accordance with the Rules, the Law on Legal Protection of Personal Data, and other legal acts regulating personal data protection.
4.6.6. To maintain the confidentiality of personal data, not to disclose or transmit the processed information, and not to allow any unauthorized person to access the information by any means.
4.6.7. To assist the Data Controller in fulfilling their obligations.
4.6.8. If required by legal acts, to appoint a data protection officer.
4.6.9. To immediately inform the Data Controller of any data security breach.
4.6.10. To fulfill other responsibilities established by legal acts.
4.7. The Data Processor performs the following functions:
4.7.1. Implements personal data security measures.
4.7.2. Processes personal data according to the requirements of legal acts and the instructions of the Data Controller.
4.7.3. Performs other functions specified by legal acts.
V. IMPLEMENTATION OF DATA SUBJECT'S RIGHTS
5.1. The rights of the data subject are implemented as follows:
5.1.1. Right to information about data processing: Information about the processing of the data subject's personal data by the Data Controller, as provided in Articles 13 and 14 of the General Data Protection Regulation (GDPR), is delivered in writing at the time of collecting personal data. This information is provided by the Data Controller to the data subject.
5.1.2. Right of access to data: The right of the data subject to access their personal data is implemented by the Data Controller. Upon the data subject's request, the Data Controller must provide information on whether the data subject’s personal data is being processed or not; provide information related to the processing of the data subject’s personal data as outlined in Articles 15(1) and (2) of the GDPR if personal data is being processed; and provide a copy of the processed personal data. The data subject has the right to request that the personal data be provided in a form other than the one provided by the Data Controller, but a fee may be charged, calculated based on the Data Controller’s administrative costs.
5.1.3. Right to rectification of data: The right of the data subject to request rectification of data is implemented by the Data Controller. The data subject, according to Article 16 of the GDPR, has the right to request the correction of any inaccurate personal data or the completion of incomplete data. The Data Controller may ask the data subject to provide proof confirming that the processed personal data is inaccurate or incomplete. If the corrected personal data was transmitted to data recipients, the Data Controller will inform them unless it is impossible or requires disproportionate effort. The data subject has the right to request information about such data recipients.
5.1.4. Right to erasure of data ("right to be forgotten"): The data subject’s right to request the erasure of their personal data ("right to be forgotten") is implemented by the Data Controller. The right is implemented according to Article 17 of the GDPR. The data subject’s right to request erasure may not be fulfilled in cases specified in Article 17(3) of the GDPR. If the personal data was transmitted to data recipients, the Data Controller will inform them unless it is impossible or requires disproportionate effort. The data subject has the right to request information about such data recipients.
5.1.5. Right to restrict data processing: The data subject’s right to restrict data processing is implemented by the Data Controller. According to Article 18(1) of the GDPR, the Data Controller must implement the data subject's right to restrict the processing of their personal data. Restricted personal data is stored, and the data subject is informed via email before the restriction is lifted. If the restricted personal data was transmitted to data recipients, the Data Controller will inform them unless it is impossible or requires disproportionate effort. The data subject has the right to request information about such data recipients.
5.1.6. Right to data portability: The right of the data subject to data portability is implemented by the Data Controller. The Data Controller implements this right as outlined in Article 20 of the GDPR. The data subject does not have the right to data portability regarding personal data processed manually in non-automated, structured files, such as paper records. When requesting data portability, the data subject must indicate whether they wish their personal data to be transferred to them or another data controller. Transferred data is not automatically deleted, and if the data subject wishes to have the data erased, they must submit a separate request for the "right to be forgotten."
5.1.7. Right to object to data processing: The data subject, according to Article 21 of the GDPR, has the right to object, at any time, to the processing of their personal data due to reasons related to their specific situation. The Data Controller informs the data subject of this right in writing. If the data subject objects to the processing of their personal data, such processing may continue only if it is determined that the reasons for processing override the interests, rights, and freedoms of the data subject, or if the personal data is necessary for establishing, exercising, or defending legal claims.
5.1.8. Right not to be subject to automated decision-making, including profiling: The data subject has the right to request not to be subject to a decision based solely on automated processing, including profiling, as implemented by the Data Controller. In such cases, the data subject can request that a decision affecting them be reviewed by a human. Upon such a request, the Data Controller must perform a thorough assessment of all relevant data, including the information provided by the data subject.
5.2. The data subject can exercise their rights by contacting the Company in person, in writing, by post, or by email at info@hubs.lt. If the data subject applies in person or in writing, they must provide proof of identity with an identification document. Without verification, the data subject's rights will not be implemented. This does not apply when the data subject requests information about personal data processing under Articles 13 and 14 of the GDPR. When submitting a request by post, a notarized copy of the identification document must be included. When submitting a request by email, the request must be signed with a qualified electronic signature or created using electronic means ensuring text integrity and immutability. This rule does not apply when the data subject requests information about personal data processing under Articles 13 and 14 of the GDPR. The request must be legible, signed, and contain the data subject’s name, surname, address, date of birth, and/or other contact details necessary to maintain communication or to provide the response regarding the implementation of the data subject’s rights.
5.3. The data subject may exercise their rights either personally or through a representative. The representative must provide their name, surname, address, and other contact details for communication and also include the name, surname, and date of birth of the represented person, along with proof of representation. In cases of doubt about the data subject's identity, the Company has the right to request additional information for verification.
5.4. When submitting a written request for the implementation of the data subject’s rights, it is recommended to use the request form provided in Annex 1 of the Rules.
5.5. In all matters related to the processing of personal data and the exercise of the data subject’s rights, the data subject has the right to contact the person responsible for data protection within the Company. To ensure confidentiality as per Article 38(5) of the GDPR, correspondence addressed to the data protection officer must be marked accordingly on the envelope.
5.6. The Company must provide the data subject with information on the actions taken in response to their request no later than one (1) month after receiving the request. If there is a delay in providing the information, the data subject will be informed of the delay within the same period, along with the reasons for the delay and information about their right to file a complaint with the State Data Protection Inspectorate.
5.7. If the request does not comply with the procedures and requirements established in this section of the Rules, the Company will not review the request and will promptly notify the data subject of this decision, including the reasons, no later than five (5) working days after receiving the request.
5.8. If it is determined during the review of the request that the data subject's rights are restricted for reasons specified in Article 23(1) of the GDPR, the Company will inform the data subject accordingly.
5.9. The Company provides information requested by the data subject regarding the implementation of their rights in the national language.
5.10. All actions related to the implementation of the data subject's rights and the provision of information are free of charge, except in cases specified in this section of the Rules.
5.11. If the data subject believes the Company has violated their rights, they, or their representative, may submit a complaint to the State Data Protection Inspectorate, or file a claim with the Kaunas District Court. In the case of material or non-material damage resulting from a violation of the data subject’s rights, the data subject has the right to compensation, which may be claimed through the Kaunas District Court.
VI. PROCESSING OF PERSONAL DATA
6.1. The Company processes data both automatically and manually, including the following personal data:
The data subject's name, surname, residential address, email address, mobile or landline phone number, credit/debit card or other payment information, special needs information (only applicable to data subjects for whom it is relevant), Internet Protocol (IP) address, date and time of visits to the Company’s website. In addition to the information provided by you, data may also be collected regarding how you use the services offered by us, through software on your devices or other means.
6.2. Personal data is retained only as long as necessary to fulfill the purposes of data processing, depending on the type of document or file in which the data is contained. Upon the expiration of the retention period for a document containing personal data, a decision is made regarding its destruction, and the document is destroyed in accordance with the procedures set forth in the Law on Documents and Archives of the Republic of Lithuania. Documents containing personal data that are intended for permanent storage are transferred to state archives in accordance with the requirements of the Law on Documents and Archives of the Republic of Lithuania.
VII. PROCESSING OF PERSONAL DATA FOR DIRECT MARKETING PURPOSES
7.1. Personal data may be processed for direct marketing purposes only after the data subject has provided consent. Consent for personal data to be processed for direct marketing purposes may be given in various ways, such as by opting to subscribe to the Company’s newsletters; expressing a preference in writing; providing consent in a contract, on the Company’s website, or through another medium (by signing, checking a box, or other means) to receive commercial offers and other activities related to the Company’s services (games, lotteries, etc.).
7.2. If the Company has received contact details (name, surname, email, and/or postal address) from data subjects while providing services, the Company may use these details for its own service marketing purposes without separate consent from the data subject. The data subject has the right to opt out of the use of their personal data for marketing purposes by notifying the Company by email, registered mail, or other clearly expressed means.
7.3. Once the data subject has given consent for the processing of their personal data for direct marketing purposes, tailored offers may be shown to the data subject when visiting the Company's website, browsing third-party websites, and social networks, or using mobile applications.
7.4. Personal data used for direct marketing purposes is stored for 3 years, or for a shorter period if the data subject submits a request to stop receiving direct marketing communications.
VIII. COOKIE AND OTHER WEBSITE INDICATOR POLICY
8.1. The Company may use cookies, web beacons, and other technologies.
8.2. Cookies are text files that the website sends to the browser's cookie file on your computer's hard drive. This allows the website to recognize you when you visit again or to remember relevant information about you. Such information may include the pages you visited, the menu options you selected, specific information you entered into forms on the website, and the date and time of your visit.
8.3. There are two main types of cookies:
8.3.1. Temporary (Session) Cookies: These are temporary cookies that expire when your browser session ends, meaning when you leave the website. Session cookies allow the website to recognize you as you navigate through its internal pages during a single browsing session, enabling you to use the website more efficiently.
8.3.2. Persistent Cookies: These cookies are stored on your computer until they expire or are deleted. They enable the website to recognize you when you return, remember your preferences, or provide services that were made available during your previous visits.
8.4. For more information on cookies and how they are used, visit www.allaboutcookies.org, where you can also find instructions on how to remove cookies from your device.
8.5. In addition to cookies that provide information to us, we also use cookies that collect information and send it to third parties, such as Google Analytics. Please check third-party websites for more information about how they use cookies. The cookie policies of these third-party websites may differ from ours. You can block both first-party and third-party cookies through your browser settings. Some of our cookies may collect and store your personal information, such as your name or email address.
8.6. The Company may also use web beacons in addition to cookies. A web beacon is an electronic image, also known as a "one-pixel" (1×1) or GIF file. The web beacon recognizes certain information on the visitor's computer, such as the cookie number, the time and date of page views, and the description of the page where the web beacon is located. You can disable some web beacons by rejecting cookies associated with them. Web beacons can be used to determine whether emails sent to you have been opened.
IX. PROTECTION OF PERSONAL DATA
9.1. The processing and protection of personal data are ensured by each employee according to their area of responsibility.
9.2. Personal data is stored in document files or on computer hard drives.
9.3. Individuals responsible for processing personal data must take measures to prevent accidental or unlawful destruction, alteration, disclosure, or any other form of illegal data processing. They are required to properly and securely store documents and data records and avoid making unnecessary copies.
9.4. Copies of Company documents that contain personal data must be destroyed in a manner that prevents their recovery or recognition of their content. Documents and both paper and electronic copies containing personal data, as well as archived or other files, are stored in locked cabinets, drawers, or safes. If such storage facilities are not available, they are kept using reasonable security measures.
9.5. Employees of the Company whose computers store personal data must use passwords. Passwords must be unique, consisting of at least 8 characters, and must not contain personal information. Passwords must be changed at least once every two calendar months, and their confidentiality must be ensured. Passwords must not match personal data of the Company employee or their family members. If necessary (e.g., change of employee, security breach risk), passwords must be updated.
9.6. Computers of Company employees that store personal data must have antivirus programs that are updated automatically.
9.7. Computer files stored on Company computers that contain personal data must not be accessible to other computer users who do not work with personal data.
9.8. Every Company employee involved in personal data processing must sign a confidentiality agreement.
9.9. Company employees must immediately inform the Company’s management or its authorized person of any incident that may pose a threat to personal data security and take all preventive measures possible to avoid such incidents.
X. LEGAL RESPONSIBILITY
10.1. The data subject is required to provide the Company with only accurate personal data about themselves, the persons they represent, or beneficiaries.
10.2. The data subject must promptly inform the Company of any changes to their personal data or the personal data of the persons they represent or beneficiaries.
10.3. The Company is not liable for any damages suffered by the data subject or third parties if the data subject provides incorrect, inaccurate, or incomplete personal data about themselves, the persons they represent, or beneficiaries, or fails to notify the Company about any changes to such data.
XI. FINAL PROVISIONS
11.1. These Rules may be amended and/or supplemented, with any changes or additions taking effect from the moment they are published. If the data subject does not agree with the amended and/or supplemented Rules, they have the right to stop using the services provided by the Company.
11.2. Any changes to or invalidity of specific provisions of these Rules due to changes in or expiration of mandatory legal provisions do not affect the validity of other provisions of the Rules. In such cases, the invalid provisions are replaced with applicable legal provisions.
11.3. These Rules must be reviewed and amended, if necessary, at least once per calendar year, especially if mandatory legal requirements change.
11.4. Any disputes arising from or related to these Rules will be resolved according to the laws of the Republic of Lithuania.
11.5. Any disagreements or disputes between the Parties related to these Rules will be resolved in a competent court of the Republic of Lithuania based on the location of the Company’s registered office.
11.6. These Rules have been prepared in accordance with the Law on the Legal Protection of Personal Data of the Republic of Lithuania and other legal acts regulating the legal protection of personal data.