Privacy Policy - LTOU Kaunas

General provisions

Joint-stock company Lithuanian Airports (legal entity code: 120864074; registered office: Rodūnios kelias 10A, Vilnius, Lithuania; tel. +37061244442; email: [email protected] (hereinafter referred to as ‘we’ or ‘Lithuanian Airports’) understands that the protection of personal data is important to our customers, suppliers, partners, and other individuals (hereinafter referred to as ‘data subjects’) who cooperate with or use the services of Vilnius, Kaunas, and Palanga International Airports. For this reason, we take all necessary measures to ensure the privacy of every data subject and the enforcement of their rights regarding the protection of personal data.

You can contact the data protection officer regarding all matters related to data protection at the general email address – [email protected] .

This Privacy Notice applies to all individuals who interact with or use the services of all three Lithuanian airport branches, Vilnius, Kaunas, and Palanga, visit our websites and/or premises, social media accounts, and/or provide personal data to Lithuanian Airports for other purposes.

Our employees and members of the management bodies are informed about the processing of their personal data in accordance with the procedures and measures set forth in the internal regulations of Lithuanian Airports.

This Privacy Notice has been prepared in accordance with the following laws and regulations:

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the ‘GDPR’);
The Law on the Legal Protection of Personal Data of the Republic of Lithuania No. XIII-1426 of 30 June 2018 (hereinafter referred to as the the ‘LPPD’);
The Law on Electronic Communications of the Republic of Lithuania No. IX-2135 of 15 April 2004;
The relevant guidelines and interpretations of the European Data Protection Board;
The guidelines of the State Data Protection Inspectorate (hereinafter referred to as the the ‘SDPI Guidelines’);
The guidelines of the European Union Agency for Cybersecurity (hereinafter referred to as the ‘ENISA Guidelines’).

In this Privacy Notice, we provide full details on how we, acting as data controllers, process the personal data of data subjects, including:

information about the purposes and legal grounds for the processing of personal data, the categories of personal data being processed, and the retention periods for personal data;
information about the recipients of personal data to whom such data is disclosed for review or further processing;
information about the rights of data subjects and how to exercise them;
information on other matters related to the processing of personal data.

Purposes, legal basis and duration of personal data processing

How do we collect your data?

Depending on the nature of our collaboration, we process personal data:

Obtained directly from the data subject or their authorized representative (a natural person), including but not limited to cases where we provide you with various services, when you send us inquiries/requests, when you share your experience using the contact details provided by us, when you submit claims or complaints, when you participate in customer loyalty programs organized by us, or when you send us your curriculum vitae in order to apply for job vacancies at the company;
Obtained when generated by electronic means/devices, including but not limited to cases where you enter the premises or territory of Lithuanian Airports, visit our website, or come within the range of our video surveillance and/or audio recording devices;
Obtained from other sources, including but not limited to insurance companies, air carriers, and/or public authorities (state bodies, institutions, or other legal entities performing public functions).

For what purposes and what personal data do we process?

Purpose of data processing	Legal basis for data processing	Categories of data	Data retention period
Drafting and executing contracts with suppliers and subcontractors	Article 6(1)(b) of the GDPR – performance of a contract; Article 6(1)(f) of the GDPR – legitimate interests	First name, last name, personal identification number, date of birth, phone number, email address, and residential address of the representative of the supplier or subcontractor. First name, last name, position, and contact information of the person who signed the contract	10 years after the expiration of a specific contract
Management of invoices from suppliers and subcontractors	Article 6(1)(c) of the GDPR – legal obligation; Article 6(1)(b) of the GDPR – performance of a contract	First name, last name, position, personal identification number, individual business license number (if applicable), VAT ID number (if applicable)	10 years after the issuance of the invoice
Organizing training and providing information to non-airport employees working on airport premises	Article 6(1)(c) of the GDPR – legal obligation; Article 6(1)(b) of the GDPR – performance of a contract	First name, last name, email address, company name/job title of the participant	Data related to aviation security training is retained for the entire retention period; Data related to aerodrome safety training is retained for 4 years after the end of the data subject’s involvement, or until a competent authority conducts an audit of their area of work.
Issuance of temporary permits for individuals seeking access to airport premises	Article 6(1)(c) of the GDPR – legal obligation	First name, last name, type, number and expiry date of the identity document, date of birth, phone number, name of the company where the person works, position, validity period of the temporary permit, name of the restricted area covered by the temporary permit, first and last name of the company/institution employee responsible for the person for whom the temporary permit is requested, as well as the company name; first and last name of the accompanying person; make, model, and license plate number of the vehicle; first and last name of the vehicle driver	1 year after the date of issue of the temporary permit
Issuance of permanent permits for individuals seeking access to airport premises	Article 6(1)(c) of the GDPR – legal obligation	First name, last name, personal identification number, type, number and expiry date of identification document, citizenship, phone number, email address, information on registered places of residence for the past 5 years, places of employment, reasons for unemployment, extracts, confirmations, information on the functions for which authorization is required, positions, confirmation of the accuracy of personal data, criminal record, date, certificates from third parties regarding impeccable reputation, name of restricted area, reasons for permanent permit, name of training, date of training completion, information on who conducted the training, vehicle make, model, state registration number, vehicle operator	5 years after the date of issue of the permanent permit
Issuance of permits to drive motor vehicles in the controlled area of the airport	Article 6(1)(c) of the GDPR – legal obligation; Article 6(1)(b) of the GDPR – performance of a contract	First name, last name, mobile phone number, email address, driver’s license expiration date, license categories, medical certificate expiration date	for at least 4 years after the end of the employee’s period of employment or the revocation or withdrawal of the driver’s license, or until the Transport Competence Agency conducts an audit of this area of activity
Issuance of permits for drone flights	Article 6(1)(c) of the GDPR – legal obligation	Drone pilot’s first name, last name, mobile phone number, and drone pilot license number	5 years after the date of issue
Registration for media representatives to enter the airport premises	Article 6(1)(a) of the GDPR – consent of the data subject	Journalist’s first name, last name, position, email address, phone number	1 year after the date of submission of the applications
Administration of applications for group tours	Article 6(1)(a) of the GDPR – consent of the data subject	First name, last name, date of birth, type of identification document, document number, and expiration date of the tour participants	1 month of the tour’s end date
Video surveillance, implementation of aviation security measures, protection of Lithuanian airport property, and crime prevention	Article 6(1)(f) of the GDPR – legitimate interests; Article 6(1)(c) of the GDPR – legal obligation	Images of passengers and other personal data visible in the video	14 days after the date of the entry
Check of the validity of a flight ticket	Article 6(1)(c) of the GDPR – legal obligation	Passenger’s first name, last name, flight number, flight time	24 hours from the time the flight ticket is checked
Providing contact center services (call recordings, automated messages informing customers)	Article 6(1)(f) of the GDPR – legitimate interests	Call metadata: time, duration, phone number. Call content	3 months from the date the call was recorded
Investigation of traffic accidents and preparation of reports for insurance companies	Article 6(1)(c) of the GDPR – legal obligation; Article 6(1)(f) of the GDPR – performance of a contract	First and last name of the defendant or victim, copy of driver’s license, copy of identification document, traffic accident report	1 year from the date the traffic accident report was submitted to the insurance company
Sending newsletters to attract customers to the company’s or its partners’ services (direct marketing)	Article 6(1)(a) of the GDPR – consent of the data subject	The email address of a customer or potential customer	Until the consent is revoked, the service agreement is terminated, or it expires
Sending newsletters to partners and subcontractors	Article 6(1)(a) of the GDPR – consent of the data subject	Email address of the subcontractor or partner’s representative	Until the consent is revoked, the service agreement is terminated, or it expires
Organization and operation of lotteries (games)	Article 6(1)(f) of the GDPR – legitimate interests, Article 6(1)(a) of the GDPR – consent, Article 6(1)(c) of the GDPR – legal obligation (obligation to pay taxes)	Lottery participants’ first and last names, residential addresses, personal social media account information, and information required for the fulfillment of tax obligations	Until the end of the lottery (when the prize is awarded to the winner) or by the deadlines set by the owner/administrator of the social network. Data related to the payment of prize taxes is retained for 10 years
Social media management for communication purposes (LinkedIn, Facebook, Instagram, YouTube)	Article 6(1)(f) of the GDPR – legitimate interests; Article 6(1)(a) of the GDPR – consent of the data subject	Social media account usernames, first names, last names, nicknames, comments, profile information, and information collected via cookies from electronic devices	Taking into account that LA does not administer the specified social networks, but only its own account on them, and acts as a joint data controller together with the companies that administer the specified social networks, information regarding retention periods can be found in the privacy policy of the respective social network
Information collected by cookies	Article 6(1)(a) of the GDPR – consent of the data subject	The specific information collected by cookies is listed in the cookie management window	The duration of specific cookies is listed in the cookie management window
Reviewing and responding to customer and passenger complaints, compliments, suggestions, and questions	Article 6(1)(a), (c), and (f) of the GDPR – legal obligation, legitimate interest, consent of the data subject; Article 9(2)(f) of the GDPR – compliance with legal obligations	First name, last name, email address, place of residence, mobile phone number, international bank account number, flight details, information regarding injuries/health, and other data and documents submitted during the review of the complaint/claim/request	3 years after the date of submission
Ensuring the operation of the terminal for VIPs, as provided for in the internal regulations of Lithuanian airports	Article 6(1)(c) of the GDPR – legal obligation	Passenger’s first and last name; arrival/departure date, time, and flight number; airport of departure/arrival; first and last names of persons meeting/seeing off passengers; information about vehicles used to see off/meet passengers, including their make and license plate numbers	3 years from the date of service provision
Business Club Administration	Article 6(1)(b) of the GDPR – performance of a contract	Customer’s first and last name, flight number, personal identification number, class, loyalty card number, flight time)	3 months from the date the club card is scanned
Fast Track Service	Article 6(1)(b) of the GDPR – performance of a contract	Customer activity reports, service usage time, flight number, first name, last name	3 months from the date of using the service
Management of the online stores VNO.lt and e-shop.lt	Article 6(1)(b) of the GDPR – performance of a contract	Account details (if purchasing while logged in); if purchasing as a guest (first name, last name, email address);	Order history is stored in your account for 3 years. Personal data provided when shopping as a guest is stored along with the order details and related documents (e.g., invoice) to the extent necessary to comply with legal requirements.
Creation and management of accounts for the online stores VNO.lt and e-shop.lt	Article 6(1)(b) of the GDPR – performance of a contract	Account creation and login information: First name, last name, email address, phone number	Account data is stored for the duration of active use and for an additional 3 years after the last login if the account is no longer in use. You can also delete your account yourself at any time.
Organization of tenders for the purchase of land, buildings, or other real estate; organization of real estate lease tenders by JSC LA; organization of land lease auctions; and conclusion of contracts	Article 6(1)(b) of the GDPR – performance of a contract; Article 6(1)(c) of the GDPR – compliance with a legal obligation	Name, surname, personal identification number, residential address, telephone number, email address, bank account number, signature, and other information related to the organization and conduct of the tender/auction (communications, documents, etc.) of the tender/auction participant (natural person). First name, last name, phone number, email address, basis of representation, duties, signature, and other information related to the organization and conclusion of the tender/auction (communication, documents, etc.) of the representative of a legal entity participating in the tender/auction.	10 years after the expiration of the contract 10 years from the end of the auction/tender
Conducting auctions of unnecessary and unsuitable movable property	Article 6(1)(b) of the GDPR – performance of a contract; Article 6(1)(c) of the GDPR – compliance with a legal obligation	Participant’s first name, last name, personal identification number, phone number, email address, mailing address, bank account number, and other information related to the auction (correspondence, documents, etc.)	Auction data is retained for 10 years
Purchase Invoice Management	Article 6(1)(c) of the GDPR – legal obligation; Article 6(1)(b) of the GDPR – performance of a contract	Supplier’s first name, last name, individual business license number, personal identification number, position, VAT ID number	10 years from the date the purchase invoice was issued
Sales Invoice Management	Article 6(1)(c) of the GDPR – legal obligation; Article 6(1)(b) of the GDPR – performance of a contract	Customer’s first name, last name, position, personal identification number, position, individual business license number, VAT ID number	10 years from the date the sales invoice was issued
Debt management and monitoring of the company’s debtors	Article 6(1)(f) of the GDPR – legitimate interests; Article 6(1)(b) of the GDPR – performance of a contract	Debtor’s first name, last name, personal identification number, amount owed, phone number, email address	3 years from the date the debt is established
Representation of JSC Lithuanian Airports in legal proceedings to protect the legal entity’s infringed rights and legitimate interests	Article 6(1)(c) of the GDPR – legal obligation; Article 6(1)(f) of the GDPR – legitimate interest	First and last names of plaintiffs, defendants, third parties, and their representatives; court staff; independent and court-appointed experts; contact information; residential and business addresses	5 years from the date of the final and binding decision in the case
Investigating cases of injury or death on airport premises and providing relevant findings	Article 6(1)(c) of the GDPR – legal obligation; Article 9(2)(f) of the GDPR – compliance with legal requirements	First name, last name, personal identification number, information on the person’s health condition, injuries sustained, details regarding the long-term and short-term consequences of the injuries, and causes of death	3 years from the date of the injury or death
Check-in of departing passengers at the main terminal	Article 6(1)(c) of the GDPR – legal obligation	Passenger’s first name, last name, flight number, flight time, destination	3 years from the date the passenger list was drawn up
Assisting passengers with disabilities using the SITATEX messaging system; recording airport operations related to the proper assistance of these passengers	Article 6(1)(c) of the GDPR – legal obligation	First name, last name of the passenger with a disability, and a description of their needs (without specifying details of their health condition)	1 week from the date the notice was issued
Implementation and technical support of the Common Use Terminal Equipment (CUTE) system	Article 6(1)(c) of the GDPR – legal obligation	Passenger’s first name, last name, personal identification number, flight number, flight time, destination, boarding pass, baggage tag number	Data is not stored in the data controller’s storage facilities; it is transferred to data processors (airlines operating within the airport premises)
Maintenance of JSC Lithuanian Airports’ email accounts and administration of the communications contained therein	Article 6(1)(f) of the GDPR – legitimate interests	The interested party’s first name, last name, email address, and the content of emails (related to the company’s business activities)	Electronic correspondence is retained for 2 years
Ensuring higher standards of aviation safety and improving the passenger experience in this area	Article 6(1)(c) of the GDPR – legal obligation	Passenger’s first name, last name, flight number	Until the passenger boards the plane
Providing conference center rental services and ensuring access control to restricted areas	Article 6(1)(b) of the GDPR – performance of a contract	Participant’s first name, last name, and purpose of attending the conference	3 months from the date of the event
Providing information about advertising spaces available for booking	Article 6(1)(a) of the GDPR – consent of the data subject	First name, last name, and email address of the person interested in advertising opportunities	Within 1 month of the date of receipt of the notice regarding available advertising space
Issuance and administration of loyalty cards	Article 6(1)(b) of the GDPR – performance of a contract	First name, last name, phone number, and email address of the loyalty cardholder	3 months from the date the application for a loyalty card was submitted
Reservation of temporary parking spaces for company guests	Article 6(1)(a) of the GDPR – consent of the data subject; Article 6(1)(f) of the GDPR – legitimate interests	The visitor’s vehicle registration number and place of employment	1 month from the date the meeting is scheduled
Inspection of Illegally Transported Items	Article 6(1)(c) of the GDPR – legal obligation	First name, last name, boarding pass, explanation regarding prohibited items	1 month from the date on which it was determined that the passenger was in possession of a prohibited item
JSC Lithuanian Airports Customer Relationship Management System Administration	Article 6(1)(b) of the GDPR – performance of a contract; Article 6(1)(c) of the GDPR – compliance with a legal obligation	First name, last name, email address	5 years from the date of the last transaction (if accounting records are retained, 10 years from the date of the last transaction)
Handling tenant complaints and ensuring operations, managing emergencies	Article 6(1)(b) of the GDPR – performance of a contract	First name, last name, email address, and phone number of the tenant’s representative; personal data contained in the complaint	5 years from the date the tenant filed the complaint
Management of online media contact forms	Article 6(1)(a) of the GDPR – consent of the data subject	First name, last name, position, and email address of the journalist or equivalent	1 month from the date the form is submitted
Conduct of Public Hearings	Article 6(1)(c) of the GDPR – legal obligation	First name, last name, phone number, and email address of the person interested in the project	3 months from the date the minutes of the meeting were drawn up
Conducting internal investigations based on information received through the reporting channel from whistleblowers	Article 6(1)(c) of the GDPR – legal obligation	First name, last name, position, personal identification number, employer, email address or home address, phone number	5 years from the date of receipt of the report of the violation
Administration of the Register of Improper Payments and the Register of Gifts	Article 6(1)(c) of the GDPR – legal obligation	First name, last name, and title of the person giving the gift	3 years from the date the entry was made
Ensuring the short-term and long-term archiving of building documents managed by the company	Article 6(1)(f) of the GDPR – legitimate interests	Personal data indicated in other cells of the table	The data retention periods specified in the other cells of the table apply
Processing of customer/passenger images for professional and commercial purposes, with the aim of promoting the company’s activities in the public domain	Article 6(1)(a) of the GDPR – consent of the data subject	Customer/passenger first name, last name, email address, photo	Until the data subject submits a withdrawal
Conducting public procurement tenders	Article 6(1)(c) of the GDPR – legal obligation	First name, last name, email address, certificates, credentials, resumes, and special permits of the supplier or supplier’s employee	10 years from the end of the public procurement tender
Administration of the Customer Experience (CRM) Management System	Article 6(1)(b) of the GDPR – performance of a contract	First name, last name, email address, and comments about the customer’s experience left in the system	5 years from the date of the last transaction (if accounting records are retained, 10 years from the date of the last transaction)
Content management system administration, publication of safety documentation	Article 6(1)(f) of the GDPR – legitimate interests	System username, email address, user activity reports, data access status	6 months from the date of publication of the safety documentation
Investigation of non-serious aviation incidents falling within the airport’s jurisdiction	Article 6(1)(c) of the GDPR – legal obligation	Name, surname, age, nationality, and license of the aircraft commander or crew member; name, surname, and position of ground staff	5 years from the date of the aviation incident investigation report / record
Organizing partner surveys to improve the quality of cooperation and the services provided	Article 6(1)(f) of the GDPR – legitimate interests	Email addresses of service providers’ / suppliers’ employees	3 months from the date of receipt of the completed survey form
Assessment of the compliance of contractors’ and subcontractors’ employees with the requirements set forth in the Law on the Protection of Objects Important for Ensuring the National Security of the Republic of Lithuania and the Law on the Prevention of Corruption of the Republic of Lithuania	Article 6(1)(c) of the GDPR – legal obligation	First name, last name, information regarding a person’s criminal record / convictions / legal capacity, information regarding cooperation with foreign intelligence / security services, information regarding involvement in terrorist organizations, information regarding the individual’s dependence on alcohol, narcotics, psychotropic substances, or other psychoactive substances, information regarding the existence of mental disorders	5 years since the last assessment was conducted
Administration of the Hot Work Registry and issuance of hot work permits, ensuring compliance with the Republic of Lithuania’s Fire Safety Law	Article 6(1)(c) of the GDPR – legal obligation	Name, surname, position, and signature of the work supervisor; name, surname, and signature of the person conducting the briefing; signature of the person who performed the air analysis; name, surname, and signature of the person who prepared the hot work site; name, surname, and signature of the person who issued the permit	3 business days after the completion of hot work
Screening of the company’s investors, partners, shareholders of legal entities, and beneficiaries to ensure compliance with national and international sanctions and to monitor the implementation of the Law on the Protection of Objects Important to the National Security of the Republic of Lithuania	Article 6(1)(c) of the GDPR – legal obligation	First name, last name, details of participation in a legal entity, percentage of shares/stocks held, number/percentage of voting rights, date of birth, personal identification number, place of residence, country that issued the identity document, nationality, country of residence	3 years from the date of receipt of the inspection report or conclusion regarding the individual from the service provider’s / JADIS / JANGIS databases
Notifying owners, users, or trustees of plots of land or other real estate located within noise protection zones regarding special land use conditions and potential compensation	Article 6(1)(c) of the GDPR – legal obligation	The first and last name, business name, and declared place of residence or registered address of the owner, user, and/or trustee of a plot of land or other real estate registered in the Real Estate Register	3 years from the date of the information provided to the individual
Issuance of a PPR permit to use the airfields at Vilnius, Kaunas, or Palanga International Airports for their intended purpose	Article 6(1)(c) of the GDPR – legal obligation	First name and last name of the person completing the PPR form, email address of the person completing the PPR form, first name and last name of the aircraft operator (natural person), a copy of the aircraft operator’s (natural person’s) certificate, first name and last name of the air carrier (natural person), air carrier’s email address, name and surname of the flight owner/customer (natural person), planned flight details, details of the content of the passenger/aircraft crew declarations	3 years from the date the PPR form was submitted on the company’s website
Review of applications for de minimis state aid	Article 6(1)(e) of the GDPR – public interest / performance of a task carried out in the public interest	First name and last name of the person submitting the request/application; first name and last name of the manager of the air carrier receiving the assistance; information regarding the position held by the person submitting the request/application or the manager of the air carrier receiving the assistance	3 years from the date of receipt of the request/application
Ensuring the protection of data subjects’ rights and interests	Article 6(1)(c) of the GDPR – legal obligation, and Article 6(1)(a) of the GDPR – consent (when data is provided at the initiative or by the choice of the data subject)	First name, last name, residential address, phone number, and email address; details of the representative and the representation; the data subject’s right; information related to the exercise of that right; attachments; signature; and other data processed by the Company that is related to the data subject, to the extent necessary to fulfill the request	1 year from the date of submission of the response
Recording of calls made to the publicly listed phone numbers (+37052739326; +37061297706) are recorded to ensure a prompt response to security and safety incidents, proper documentation of incidents, the conduct of investigations, and the assessment of threats, hazards, and risk factors to national security interests	Article 6(1)(f) of the GDPR – legitimate interests	Call recording, time, date, and duration	30 days from the date of the call recording
Ensuring compliance by verifying that trained employees perform their assigned duties	Article 6(1)(f) of the GDPR – legitimate interests	First Name, Last Name, content of answers provided during training sessions and tests, test results and/or evaluation, signature, position, image of the individual’s permanent ID, evaluator’s First Name, Last Name, signature	4 years from the date of the inspection

Information about data recipients

Who do we share your data with?

Lithuanian airports engage only those data processors that ensure compliance with the GDPR and the same level of personal data security as set forth in our personal data protection policy.
The recipients of data from Lithuanian airports can be divided into the following categories:

state or municipal agencies, institutions, or other public authorities that are legally required to obtain personal data;
companies that provide data center, hosting, cloud, and website management services, as well as those that develop, maintain, and enhance software, including providers of information technology infrastructure and communications services;
service providers and subcontractors other than those listed above, to whom the provision of certain services at Lithuanian airports has been outsourced;
law enforcement agencies, upon their request or at our initiative, if there are reasonable grounds to suspect that a criminal offense has been committed.

Do we transfer your data outside the European Union and the European Economic Area?

We ensure that your data is processed in accordance with the requirements and standards set forth in European Union legislation, and we would like to inform you that the majority of your personal data is processed within the European Union or the European Economic Area.

In cases where Lithuanian airports are unable to properly perform their functions and/or provide the services you request without relying on data processors located outside the European Economic Area, we undertake to ensure that your personal data is transferred to third countries or international organizations in accordance with the data transfer requirements set forth in Articles 45–50 of the GDPR.

Personal data may be transferred to third countries and international organizations on the following grounds:

based on the European Commission’s adequacy decision, which means that the European Commission has recognized the country in which the third party is established and/or operates as ensuring a level of personal data protection equivalent to that of the European Union;
based on a data transfer agreement concluded with a third party, which has been drafted in accordance with the standard contractual clauses approved by the European Commission;
based on the standard data protection clauses drafted by the State Data Protection Inspectorate;
in accordance with the code of conduct approved by the State Data Protection Inspectorate, which sets forth the mandatory and enforceable obligations of a data controller or data processor in a third country to implement appropriate safeguards;
based on a data transfer certificate approved by the State Data Protection Inspectorate, which confirms the data controller’s or data processor’s commitment to apply appropriate and mandatory safeguards in the third country.

Information about your rights and how to exercise them

What rights do you have, and how can you exercise them?

In accordance with the provisions of the GDPR, you, as a data subject, may exercise the following rights:

The right to access personal data. That is, you may request information regarding whether your personal data is being processed, and if it is, you have the right to access the personal data being processed.
The right to correct personal data. That is, you may request that we correct your personal data if you find that the personal data we process is incorrect, incomplete, or inaccurate.
The right to erase data (the ‘right to be forgotten’). That is, you may submit a request to have your personal data erased if you believe that your data is being processed unlawfully or unfairly, or in other cases provided for by law.
The right to restrict data processing. That is, to submit a request to restrict (suspend) the processing of your personal data, except for storage, in cases where you dispute the accuracy of the data or object to its processing, you do not consent to the deletion of your unlawfully processed data, or you need the data to assert, exercise, or defend legal claims;
The right to data portability.  That is, to request that your personal data, which was obtained directly from you and is processed by automated means, be transferred to you and/or another data controller in a structured, commonly used, and machine-readable format.
The right to object to the processing of your data. That is, to object to the processing of personal data when the data is processed on the legal basis of a legitimate interest or a public interest.
The right to object to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. 
The right to withdraw at any time the consent you have given us regarding the processing of your personal data, including, but not limited to, consent for the use of your personal data for direct marketing purposes.

You can exercise your rights:

By sending us a free-form request via email. The request must be signed with an electronic signature, or a copy of your ID document certified by a notary must be attached to the request so that we can verify your identity;
By sending the request via registered mail to Rodūnios kelias 10A, Vilnius, Lithuania, the request must be signed with an electronic signature or accompanied by a copy of your identity document certified by a notary;
By making a verbal request when visiting the offices of the Lithuanian Airports Administration. In this case, an administration employee may temporarily ask you to present a document confirming your identity so that your identity can be verified;
By submitting a request through your authorized representative. In this case, your representative must provide their first name, last name, contact information, a copy of an identity document certified by a notary, and information about you: first name, last name, and other information that would allow us to identify you as the data subject, as well as a copy of the document certifying your representation, certified by a notary.

In cases where there has been prior communication between you and Lithuanian airports and we are able to verify your identity based on that communication, it is not necessary to submit copies of documents confirming your identity.

The request must be clear and, if submitted in writing, legible. Where possible, it should include the data subject’s first and last name, contact information in the preferred format for communication, and details regarding which of their rights under the GDPR, including the scope thereof, the data subject wishes to exercise and/or enforce.

We will respond to your request no later than one calendar month from the date of receipt of the request. In exceptional cases requiring additional time, we reserve the right, after notifying you, to extend the deadline for providing the requested data or reviewing other requirements specified in your request to up to 3 calendar months from the date of your request.

Where can you submit questions regarding personal data?

Jeigu dėl šiame privatumo pranešime pateiktos informacijos ar Jūsų asmens duomenų apsaugos ir Jūsų teisių įgyvendinimo Lietuvos oro uostuose iškiltų klausimų, maloniai prašome kreiptis į mūsų atstovą, atsakingą už duomenų apsaugą, bet kuriuo jums patogiu būdu:

by email: [email protected] ;
in person: Rodūnios kelias 10A, Vilnius, Lietuva.

Lithuanian Airports does not restrict your right to contact the State Data Protection Inspectorate if you believe that we are processing or have processed your personal data unlawfully, or if you have reasonable grounds to suspect that we have violated your rights as a data subject under the GDPR. You may submit complaints to the State Data Protection Inspectorate:

At the Inspectorate office’s address: L. Sapiegos g. 17, Vilnius, Lithuania;
by email: [email protected].

Other issues related to the processing of personal data

How do we protect your data?

To ensure a level of security appropriate to the risks involved in the processing of personal data, Lithuanian Airports implements appropriate technical and organizational security measures. When selecting and implementing appropriate technical and organizational security measures to ensure the appropriate level of security for data processing, we are guided by:

ENISA guidelines: https://www.enisa.europa.eu/publications/guidelines-for-smes-on-the-security-of-personal-data-processing;
best practises in information security; 
SDPI guidelines: https://vdai.lrv.lt/uploads/vdai/documents/files/VDAI_saugumo_priemoniu_gaires-2020-06-18.pdf.

Consequences of failure to provide data

You have the right to refuse to provide your personal data; however, the provision of your personal data is necessary and essential for the purposes set out in this Privacy Notice, therefore, if you do not provide your personal data, we would be unable to fulfill our obligations, achieve the stated purposes, and provide you with the necessary services.

Cookies

Cookies are small text files that a website stores in your computer’s or mobile device’s browser, hard drive, or other storage medium when you visit our websites. This allows the website to ‘remember’ your actions and preferences (e.g., login name, language, font size, and other display options) based on the assigned identification number, so that you do not have to re-enter them every time you visit the site or navigate through its various sections. The information collected by cookies allows us to ensure a more convenient browsing experience on the website, provide recommendations, and learn more about the behavior of our website visitors, analyze trends, and improve both the website and the services provided by Lithuanian Airports.

The cookies used by Lithuanian Airports can be divided into the following main categories:

Necessary cookies. These cookies ensure the proper functioning of the website or its individual sections and enable users to access the features provided by the website. Without these cookies, it is not possible to ensure the proper, uninterrupted, and efficient functioning of the website.
Preference cookies. These cookies are used to improve the user experience and the quality of the website for visitors. The cookies store the website settings you have selected and saved, such as your preferred language, region, and/or website layout.
Statistical cookies. By using cookies that collect statistical data, which gather anonymous information and generate reports, website owners or administrators can learn how visitors interact with the website or its individual sections. The use of these cookies allows Lithuanian Airports to improve the performance of their websites, for example, by ensuring that users can easily find what they are looking for.
Marketing cookies. Marketing cookies are used to enable us to show you ads that are tailored to your needs and are likely to interest you. Such ads are significantly more valuable to visitors to our website, as they are unlikely to cause negative emotions.
Unclassified cookies. These are cookies that we classify in collaboration with their respective providers. Most often, these are cookies that perform personalized functions, and their purpose and scope are determined by the cookie provider. You can find more detailed information about these cookies in the cookie control panel.

You can find out which specific cookies are used on Lithuanian Airports websites and how to manage them in the cookie control panel on each website.

Final provisions

This Privacy Notice may be amended at the discretion of the data controller or in response to changes in applicable legal requirements.

Only the current version of the Privacy Notice, which includes the current data processing operations, is published on the website.