Orto24.lt (UAB “MT SPRENDIMAI”) PRIVACY POLICY

The personal data controller, the administrator of the websites www.mtsprendimai.lt and the online store www.orto24.lt (hereinafter – Data Controller), is UAB “MT sprendimai”, legal entity code 302345891, address A. Juozapavičiaus St. 9A-170, Vilnius, phone: +370 5 2126645, email: info@mtsprendimai.lt.

1. General Provisions

1.1. This Privacy Policy sets out:

– what personal data we collect and process about you and to what extent this is related to our relationship with you;

– where we obtain personal data from;

– how we handle that personal data;

– how we protect personal data;

– to whom we transfer and disclose such personal data;

– how we ensure your rights in the field of personal data protection;

– how we comply with personal data protection rules.

1.2. All personal data is collected and processed in accordance with the requirements for the processing of personal data established by the Law on Legal Protection of Personal Data of the Republic of Lithuania and the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).

2. Definitions Used in the Privacy Policy

Data Processor – service providers who provide services (perform work) for us and process your data on our behalf. Data Processors may only process Personal Data in accordance with our instructions and only to the extent necessary to properly fulfill contractual obligations.

Data Subject – a natural person working with us, or a natural person interested in our services or products, or in any form having ordered or purchased our services or goods, or a natural person participating in our projects and trainings.

Personal Data – any information related to a natural person – a data subject, whose identity is known or can be directly or indirectly determined by using such data as a personal code, or one or more characteristics of a physical, physiological, psychological, economic, cultural, or social nature specific to a person.

Processing of Personal Data – any operation performed on personal data: collection, recording, accumulation, storage, classification, grouping, merging, modification (addition or correction), provision, publication, use, logical and/or arithmetic operations, search, dissemination, destruction, or any other action or set of actions.

Direct Marketing – activity aimed at offering goods or services to individuals by mail, telephone, or other direct means and/or inquiring about their opinion on offered goods or services.

Privacy Policy – our approved document that sets out the conditions for the processing of personal data when we administer natural persons working with us, as well as when administering natural persons’ inquiries, organizing the provision of services and sales of goods, including through our managed website and online store. The conditions of the Privacy Policy apply each time you access our content and/or service, regardless of the device you use (computer, mobile phone, tablet, television, etc.).

Other terms used in this policy are understood as defined in Regulation (EU) 2016/679.

3. What Personal Data We Process

3.1. We process personal data that allows us, in compliance with applicable legal requirements, to administer natural persons working with us, as well as to handle inquiries from natural persons, organize service provision and sales processes, implement projects, and organize and conduct training.

3.2. Personal data includes:

– first name;

– surname;

– date of birth;

– personal identification code;

– gender;

– address;

– phone numbers;

– email addresses;

– social security number;

– nationality;

– curriculum vitae;

– signature;

– data on employment, transfer, or dismissal;

– data on education and qualifications;

– training data;

– vacation data;

– data on salary, severance payments, compensations, allowances;

– data on foreign language proficiency level;

– information on working hours;

– information on incentives and penalties;

– information on work performed and tasks assigned;

– Lithuanian passport or ID card number, issue date, expiry date, issuing authority;

– driving license number (if driving is required by job description), issue date, expiry date, issuing authority, registration date and number;

– data on visits to healthcare institutions;

– referrals for consultations, examinations, treatment;

– medical certificates and forms.

3.2. Without receiving the necessary Personal Data and consent to process them, we will not be able to ensure compliance with applicable legal requirements when administering natural persons working with us, nor will we be able to handle inquiries, organize service provision and sales processes, implement projects, or organize and conduct training.

3.3. We obtain personal data from data subjects themselves and from:

– Register of Legal Entities;

– Healthcare institutions;

– Compulsory Health Insurance Information System “Sveidra”;

– State Social Insurance Fund Board Information System (Sodra);

– Disability and Capacity for Work Assessment Office information system;

– Lithuanian Labour Exchange;

– Healthcare licensing information system;

– Register of Health Care and Pharmacy Specialists’ Licenses.

4. How We Use Your Personal Data

4.1. Your data may be used for the following purposes:

– administration of natural persons working with us;

– preparation and provision of responses to inquiries;

– sale of goods;

– provision of services (orthopedic aids, participation in projects, participation in training, etc.);

– contacting you;

– direct marketing.

4.3. We will only process your personal data where we have a legal basis to do so. The legal basis for processing personal data in all cases is the data subject’s consent, i.e., your consent.

4.4. Consent to process personal data may only be given by persons aged 18 or over. For minors, the consent of parents or legal guardians is required.

4.5. We confirm that personal data will be collected and processed in accordance with applicable European Union and Lithuanian legal requirements and supervisory authority instructions. All reasonable technical and administrative measures will be applied to ensure the security of personal data against loss, unauthorized use, or alteration. All our employees are bound in writing not to disclose or distribute information obtained at work, including information about website and online store visitors.

5. How and How Long We Store Your Data

5.1. We will not retain your Personal Data longer than is necessary to achieve the purpose for which it is processed or as required by specific legal regulations. When your personal data is no longer needed, it will be securely deleted or destroyed.

5.2. In determining the appropriate retention period, we consider the volume, nature, and confidentiality of personal data, as well as the purposes for which we process your data and whether those purposes can be achieved by other means. We also consider legal and contractual obligations.

5.3. We have implemented appropriate organizational and technical security measures to help protect personal data from accidental or unlawful destruction, alteration, disclosure, as well as from any other unlawful processing.

5.4. For direct marketing purposes, personal data is processed for 5 years from the moment of collection. Upon expiry of the processing period, the data will be destroyed by an authorized employee.

6. To Whom We Disclose Your Data

6.1. We may provide your Personal Data to Data Processors who provide services (perform work) for us and process your data on our behalf. Data Processors may only process data according to our instructions and to the extent necessary to properly fulfill our obligations. When engaging subcontractors, we take all necessary measures to ensure that Data Processors implement appropriate organizational and technical measures and maintain data confidentiality.

6.2. We may provide personal data in response to court or state authority requests, only to the extent necessary to comply with applicable laws or received legal obligations.

6.3. We may also provide your personal data to:

– healthcare institutions – for the purpose of providing healthcare services;

– the State Patient Fund under the Ministry of Health of the Republic of Lithuania – to ensure payment of healthcare, rehabilitation, nursing, social services, and other costs related to healthcare services from the Compulsory Health Insurance Fund budget through regional patient funds;

– the State Health Care Accreditation Agency under the Ministry of Health – for the purpose of implementing delegated licensing, technology assessment, medical device conformity assessment, and supervision of licensed activities and medical device markets;

– the State Social Insurance Fund Board Information System (Sodra).

7. Data Subject Rights

7.1. A Data Subject has the right to:

– know (be informed) about the processing of their personal data (right to be informed);

– access their personal data and learn how it is processed (right of access);

– request correction or, considering the purposes of processing, completion of incomplete data (right to rectification);

– request erasure or suspension of processing (except storage) of their personal data (right to erasure / “right to be forgotten”);

– request restriction of processing on legitimate grounds (right to restriction);

– the right to receive or transfer personal data to another company (data portability);

– the right to object to processing or withdraw consent at any time.

7.2. To obtain information on personal data processing, the Data Subject must submit a written request.

7.3. The request must be legible, signed, and include the data subject’s first name, surname, personal code, or if unavailable, date of birth or other identifying details, address, contact details, information on which rights (from section 7.1.) are requested and to what extent, and the preferred method of receiving a response.

7.4. To submit a request, the Data Subject must confirm their identity:

– when submitted in person – by presenting a valid identity document;

– when submitted by mail – by attaching a notarized or legally certified copy of the identity document;

– when submitted electronically – by signing with a qualified electronic signature.

7.5. The Data Subject may exercise their rights personally or through a representative.

7.6. If a representative submits a request on behalf of the Data Subject, they must provide their own details and those of the represented person, indicate which rights are to be exercised, and attach a valid authorization document. The request must comply with sections 7.3 and 7.4 of this Privacy Policy.

8. Changes to the Privacy Policy

8.1. The Data Controller reserves the right to amend this Privacy Policy in part or in full at any time. Amendments or additions take effect from their approval unless otherwise specified. Changes are published on our website.

8.2. The Data Subject becomes familiar with amendments either when giving consent to data processing or by visiting our website.

8.3. Continued use of our website and online store after changes means acceptance of the updated Privacy Policy.

9. Final Provisions

9.1. Cooperation between us and the Data Subject is based on principles of fairness and legality.

9.2. All notices or inquiries regarding data processing must be submitted through our Data Protection Officer: dap@mtsprendimai.lt, address: A. Juozapavičiaus St. 9A-170, Vilnius, phone: +370 5 2126645.