Translation from Lithuanian
Approved
by Airhotel CEO’s Order No. DS26 on 02.05.2018

AIRHOTEL UAB
PRIVACY POLICY

1. BASIC CONCEPTS
1.1. Privacy Policy – shall mean these rules for processing Personal Data as well as information on the use of cookies published on the website at https://www.airhotel.lt.
1.2. Website – shall mean the website at https://www.airhotel.lt in which Airhotel UAB guests may book a hotel room/rooms for accommodation and give consent to process their Personal Data for the purpose of Direct Marketing.
1.3. Data Controller – shall mean a legal or a natural person which alone or jointly with others determines the purposes and means of processing Personal Data. In this privacy policy the Data Controller – Airhotel UAB, legal entity code: 302598948, legal office address: Oro uosto g. 2, 54460, Karmėlava, Kaunas district, contact data o: el. p. info@airhotel.lt, tel. No. +370 691 70775.
1.4. Data Subject – shall mean a hotel guest whose Personal Data are processed by the Data Controller for electronic trade, Direct Marketing purposes.
1.5. Data Processor – shall mean a legal or a natural person processing Personal Data on behalf of the Data Controller according to the powers granted to him with a view of implementing the goals set.
1.6. Personal Data – shall mean any information relating to a natural person (Data Subject) who is known or who can be identified directly or indirectly by reference to such data as a personal identification number or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
1.7. Data processing – shall mean any operation carried out with Personal Data: collection, recording, accumulation, storage, changing (supplementation or correction), provision, use or any other action or set of actions.
1.8. Direct Marketing – shall mean an activity intended for offering goods or services to individuals by post, telephone or any other direct means and/or for obtaining their opinion about the offered goods or services.
1.9. Consent – shall mean an indication of will given freely by a Data Subject indicating his agreement with the processing of his Personal Data for the purposes known to him. His consent with regard to special categories of Personal Data must be expressed clearly, in a written or equivalent form or any other form giving an unambiguous evidence of the Data Subject’s free will.
1.10. Third Parties – shall mean a legal or a natural person, public authority, agency or other institution with the exception of the Data Subject, the Data Controller, the Data Processor and persons who have been directly authorised by the Data Controller or the Data Processor to process data;
1.11. Cookies – shall mean a small scope set of data that are provided from this website and stored in the visitor’s computer or other device.
1.12. Employee – shall mean a person who has concluded an employment contract with Airhotel UAB.
1.13. Supervisory authority –shall mean the State Personal Data Protection Inspectorate.

2. GENERAL PROVISIONS
2.1. By this Privacy Policy the Data Controller seeks to ensure that Personal Data of the Data Subject shall be processed accurately, fairly and lawfully and collected for specified and legitimate purposes defined in this Privacy Policy and later are not processed for purposes incompatible with the purposes determined.
2.2. The goal of processing Personal Data – electronic trade, Direct Marketing.
2.3. By applying organisational and technical measures, the Data Controller shall ensure appropriate security of Personal Data, including the protection against any other unlawful or unauthorised processing of Personal Data, and against accidental or unlawful loss, destruction or damage.
2.4. The aim of this Privacy Policy shall be to lay down the provisions for the collection, accumulation and processing of Personal Data.
2.5. This Privacy Policy has been prepared in accordance with the Republic of Lithuania Law on the Protection of Personal Data, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as well as other legal acts regulating the protection of Personal Data.
2.6. The Data Controller hereby confirms that while implementing this Privacy Policy, the following principles for the processing and protection of Personal Data shall be strictly complied with:
2.6.1. shall be collected for specified and lawful goals set out in legal acts and shall be processed in the
manner compatible with these goals;
2.6.2. when collecting and processing Personal Data of the Data Subject the principles of purposefulness and proportionality shall be complied with, without demanding the Data Subject to furnish such Personal Data that are not necessary. No excessive Personal Data shall be accumulated and processed;
2.6.3. Personal Data of the Data Subject shall be processed accurately, fairly and lawfully;
2.6.4. Personal Data of the Data Subject shall be precise, and, if necessary regarding the processing of Personal Data, shall be permanently renewed; inaccurate or incomplete Personal Data shall be supplemented, erased or their further processing must be suspended;
2.6.5. Personal Data of the Data Subject shall be kept in a form which permits identification of Data Subjects for no longer than it is necessary for the purposes for which the data were collected and processed.
2.7. This Privacy Policy is available and it may be downloaded at any time from the website at https://www.airhotel.lt.

3. PROCEDURE FOR THE COLLECTION, STORAGE AND USE OF PERSONAL DATA
3.1. By booking a hotel room/rooms the Data Subject expresses his/her consent that the Data Controller shall manage the following Personal Data:
3.1.1. forename, surname,
3.1.2. sex,
3.1.3. password and security question;
3.1.4. credit card data ;
3.1.5. amount payable;
3.1.6. duration of stay in the hotel.
3.2. By furnishing his/her Personal Data, the Data Subject confirms that they are accurate and complete.
3.3. Personal Data of registered Data Subjects received for the goal set out in Clause 3.1 of the Privacy Policy shall be kept for 3 (three) calendar years from the date of booking by the Data Subject.
3.4. The Data Subject is informed that for implementing this goal, Data Processors are engaged – a company providing IT supervision services and a company carrying out permanent supervision of the PROTEL hotel software.
3.5. The Data Controller shall furnish the following data to the Department of Statistics of the Republic of Lithuania: number of Data Subjects; state from which the Data Subject (s) arrived, goal of arrival, duration of stay in the hotel.
3.6. By entering his/her e-mail address on the website, the Data Subject agrees that the Data Controller shall process the Personal Data concerning him or her provided below for the purpose of Direct Marketing:
3.6.1. e-mail address ;
3.6.2. forename, surname.
3.7. Personal Data received for the purpose of Direct Marketing shall be kept for 3 (three) calendar years from the date of furnishing the Personal Data.
3.8. The Data Controller confirms that Personal Data shall be collected only directly from the Data Subject and shall not be collected from other sources.
3.9. The Data Controller undertakes not to disclose the Personal Data processed to Third Parties, except for the cases set out below:
3.9.1. the Data Subject has given his/her consent for the transfer of his/her Personal Data;
3.9.2. the transfer of Personal Data is necessary for the conclusion or performance of a contract between the Data Controller and a Third Party in the interests of the Data Subject;
3.9.3. to law enforcement institutions pursuant to requirements of legal acts;
3.9.4. the transfer is necessary for the prevention or investigation of criminal offences.

4. IMPLEMENTATION OF THE DATA SUBJECT’S RIGHTS
4.1. Data Subject shall be considered to have taken note of this Privacy Policy and having read it when s/he expressed his/her Consent to process his/her Personal Data.
4.2. The Data Subject grants the Data Controller the right to collect, control, process and store Personal Data concerning him or her within such a scope and for such goals as it is laid down in this Privacy Policy.
4.3. The Data Subject may cancel at any the consent to collect, control, process and store Personal Data concerning him or her without any additional substantiation by appealing to the Data Controller in writing in one of the following ways: 1) accessing the website account; 2) in the case of Direct Marketing – by clicking the link “Cancel the subscription”; 3) by post or delivering the request directly to the address: Oro uosto g. 2, 54460, Karmėlava, Kauno raj., 4) by e-mail address: info@airhotel.lt from the same e-mail address registered at the time of registration.
4.4. On receipt of such a request of the Data Subject, the Data Controller shall immediately stop the processing of
Personal Data and destroy all Personal Data concerning him or her. The Data Controller has the right not to erase Personal Data from the server if they have a lawful basis to store it, especially when it is necessary to ensure security and defence of the State, public order, crime prevention, detection or prosecution, to protect important economic of financial interests of the State, to protect the rights and freedoms of other persons.
4.5. The Data Subject, upon properly identifying himself and submitting to the Data Controller an identity document or a copy thereof properly attested by a notary which shall be used only for identification and shall not be stored, has the right to become familiar with Personal Data collected by him and information concerning the management thereof, including but not limited to: 1) goals of processing Personal Data ; 2) categories of respective Personal Data; 3) intended storage periods of Personal Data; 4) when Personal Data
are collected not from the Data Subject himself/herself, all available information on their sources, etc.
4.6. The Data Subject shall submit a request regarding familiarisation with own Personal Data to the Data Controller in one of the following ways: 1) by post or 2) delivering directly at the address Oro uosto g. 2, 54460, Karmėlava, Kauno raj.
4.7. If other person wants to get access to the Personal Data of the Data Subject, s/he must submit a power of attorney attested by a notary, whereas Personal Data are furnished to a counsel only upon the production of a representation agreement and indication of the goal for using the Personal Data.
4.8. Having received a request from the Data Subject, the Data Controller must reply him/her within 30 calendar days from the date of the Data Subject’s request. The answer shall state whether the Personal Data of the Data Subject are processed, and if yes, what data and to whom they were furnished during the last 1 (one) calendar year. The answer shall be provided free of charge.
4.9. Where after familiarising with his/her Personal Data the Data Subject finds that his/her Personal Data are collected or received from unlawful sources or that the Personal Data are processed not for those purposes for which the Consent has been given, the Data Subject has the right to appeal to the Data Controller by e-mail – info@airhotel.lt with a request to suspend such actions of Personal Data processing and (or) erase Personal Data concerning him or her. The Data Controller shall check the request of the Data Subject and, upon finding the request grounded, shall immediately, but no later than within 5 working days, shall satisfy the request of the Data Subject and shall inform him/her on the actions taken in writing.
4.10. Where the Data Subject, after familiarising with his/her Personal Data, finds that his/her Personal Data are inaccurate or incomplete, s/he has the right, upon properly identifying himself, to appeal in writing to the Data Processor with a request to rectify and/or supplement the Personal Data concerning him or her. The Data Controller, upon finding that the request is grounded, shall rectify or supplement the Personal Data immediately, but no later than within 5 working days, and shall inform on the actions taken in writing. 4.11. The Data Subject has the right to demand that the Data Controller would “forget” him/her, namely, would erase all Personal Data concerning him or her, if these Personal Data are not necessary for the goal for which they have been collected and processed, or if the Data Subject revokes the given Consent, or if Personal Data are processed by violating the requirements of legal acts. The Data Controller shall satisfy such a request
immediately, but no later than within 5 working days, and shall inform on the actions taken in writing.
4.12. The Data Subject shall have the right to receive the Personal Data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the Personal Data  have been provided.
4.13. A request of the Data Subject regarding the production of structured Personal Data shall be submitted to the Data Controller in writing in one of the following ways: 1) by post or 2) delivering directly at the address Oro uosto g. 2, 54460, Karmėlava, Kauno raj. Having received a request from the Data Subject, the Data Controller must reply him/her within 30 calendar days from the date of Data Subject’s request. The Data Subject has the right to ask that the Data Controller would transfer the Personal Data directly to another Data Controller, however only in the case when this is technically feasible.
4.14. If Data Subject thinks that his/her lawful interests have been infringed when processing his/her Personal Data, s/he has the right to appeal to the Supervisory Authority.

5. RISK FACTORS FOR INFRINGING THE PROTECTION OF PERSONAL DATA AND SOLUTION THEREOF
5.1. The Data Controller, seeking to ensure appropriate protection of Personal Data, shall implement the following organisational and technical measures for the protection of Personal Data:
5.1.1. Organisational:
5.1.1.1. The Data Controller shall organise the work procedure in such a way that safe processing and, if applicable, transfer of computer data and/or documents and management of the
archives thereof would be ensured;
5.1.1.2. accesses to the Personal Data of the Data Subject shall be granted only to those Employees who need them for the performance of their work functions and only to those who have
signed confidentiality agreements and have taken note of other rules of procedure within the scope of the Personal Data processing.
5.1.2. Technical:
5.1.2.1. Data Processors (service providers) appointed by the Data Controller shall act only within the powers granted by the Data Controller.
5.1.2.2. Personal Data shall be protected against loss, unauthorised use and alterations. The internet connection shall be encrypted, whereas the website shall be conducted through
https://protocol.
5.1.2.3. protection of computer hardware against malware shall be ensured (e.g. installation, renewal of antivirus updates), whereas the intranet shall be protected by a firewall.

6. USE OF COOKIES
6.1. Cookies are used on the internet website for statistical purposes by assessing the clickstream and popularity of individual content. Such processing of Personal Data does not allow to find out directly or indirectly the website user’s identity.
6.2. The following type cookie may be used on the internet website:
6.2.1. user’s session cookies – they are created when the user starts a browsing session on the website or in the browser and are erased when the browser is closed;
6.2.2. long-term cookies – cookies are retained in the device used by the user. Upon closing a browser or website, cookies are not erased. These cookies are valid for a different time, depending on the cookie itself;
6.2.3. initial cookies – cookies that are used or created by the website visited by the user. These cookies are used in order to adapt to the website user’s needs;
6.2.4. Third Parties’ cookies – cookies of other websites placed on the website visited by the user. This type cookies are most often used for the purposes of data analysis. In Facebook and Google, domains of Third Parties’ cookies are met most often.
6.3. A website user may erase cookies from his/her computer or block them in his/her internet browser; the blocking of cookies, however, may disrupt the user’s access to particular website functions or their operation, what, in the result, may make browsing ineffective or impossible.

7. FINAL PROVISIONS
7.1. This Privacy Policy shall be revised every 2 (two) years and shall be renewed, if necessary.
7.2. This Privacy Policy is subject to the legal acts, directives and regulations adopted by the Republic of Lithuania and the European Union.
7.3. This Privacy Policy shall enter into force from 2 May 2018 and shall be published on the internet website.

LIST OF PERSONAL DATA PROTECTION MEASURES

1. Unlawful physical access to computer equipment:
1.1. the premises are lockable;
1.2. an alarm system has been installed in the premises;
1.3. control of persons’ access to the premises has been ensured (physical or electronic).

2. Unlawful users of software:
2.1. user log-in procedure has been established;
2.2. users’ right to use the software is controlled.

3. Unlawful user login to the network:
3.1. the intranet internal network is protected by firewalls;
3.2. employees login to the intranet is controlled;
3.3. third party user login is controlled.

4. Theft:
4.1. physical access to servers has been restricted;
4.2. software to data has been restricted.

5. Software bugs:
5.1. certified software is used;
5.2. the software used is updated in accordance with the established procedure.

6. Malevolent applications:
6.1. anti-virus updates are installed in servers;
6.2. anti-virus updates are installed in workstations;
6.3. employees are familiarised with the procedure how to act in case of malware attack.

7. Use of unauthorised software:
7.1. only lawful software is used;
7.2. control of the software used is permanently performed in workstations ;
7.3. employees have not been granted the right to install software by themselves.

8. Users’ mistakes:
8.1. employees are trained to work with the software.

9. Failures of data transfer network equipment:
9.1. equipment is maintained according to the manufacturer’s recommendations;
9.2. maintenance and troubleshooting is performed by qualified specialists;
9.3. condition of the data transfer network is monitored.

10. Malfunction of computer hardware:
10.1. equipment is maintained in accordance with the manufacturer’s recommendations;
10.2. maintenance and troubleshooting is performed by qualified specialists;
10.3. the most important software is backed up;
10.4. technical condition of the most important computer hardware is permanently monitored.

11. Flooding:
11.1. appropriately designed and installed premises for the storage of the most important computer equipment.

12. Fire:
12.1. fire extinguishers are in the premises;
12.2. smoke and heat detectors are installed in the premises of the building.

13. Temperature and humidity fluctuations:
13.1. conditioning system has been installed in premises where the servers are located;
13.2. temperature and humidity fluctuations are permanently monitored;
13.3. air conditioning system is maintained according to the manufacturer’s requirements .

14. Natural disaster:
14.1. a recovery plan has been prepared.

15. Power supply interruptions:
15.1. uninterruptable power supply sources (UPS) are available for the most important computer equipment;
15.2. the state of the power supply is monitored.

16. Failures of supply and communication lines:
16.1. cables are in insulating sleeves;
16.2. electricity and data cables have been safely separated.