- 1. DEFINITIONS USED IN THE PRIVACY POLICY
- 2. APPLICATION OF THE PRIVACY POLICY
- 3. GENERAL PROVISIONS ON PERSONAL DATA PROTECTION
- 4. PURPOSES AND LEGAL BASES OF DATA PROCESSING
- 4.1. USE OF COOKIES WHEN YOU VISIT OUR WEBSITE
- 4.2. VIDEO SURVEILLANCE
- 4.3. USE OF FREE WIRELESS INTERNET CONNECTION (WI-FI)
- 4.4. RECORDING OF CALLS MADE TO THE INFORMATION CENTRE TELEPHONE NUMBER
- 4.5. NEWSLETTER SUBSCRIPTION
- 4.6. PARTICIPATION IN GAMES, PROMOTIONS, COMPETITIONS AND/OR LOTTERIES ORGANISED BY US
- 4.7. PHOTOGRAPHING AND/OR FILMING OF WINNERS AND PUBLICATION
- 4.8. PHOTOGRAPHING AND/OR FILMING AT EVENTS HELD IN THE SHOPPING CENTRE, IN A PHOTO BOOTH OR AT A PHOTO WALL AND/OR PUBLICATION IN OUR PUBLIC INFORMATION CHANNELS FOR EVENT PROMOTION PURPOSES
- 4.9. ADMINISTRATION OF SOCIAL NETWORKS
- 4.10. PURCHASE OF GIFT CARDS
- 4.11. REGISTRATION FOR FAIRS/MARKETS ORGANISED BY US
- 4.12. SERVICING ENQUIRERS: HANDLING OF REQUESTS, FEEDBACK, COMPLAINTS AND/OR PROVISION OF REQUESTED INFORMATION
- 4.13. ADMINISTRATION OF REPORTS RELATING TO INCIDENTS IN THE SHOPPING CENTRE OR ITS PREMISES
- 4.14. APPLYING FOR VACANCIES
- 4.15. CONCLUSION AND PERFORMANCE OF CONTRACTS WITH OUR PARTNERS/CONTRACTING PARTIES, SERVICE PROVIDERS, SUPPLIERS, CUSTOMERS, CONTRACTORS (SUBCONTRACTORS), OR STEPS TAKEN WITH A VIEW TO ENTERING INTO SUCH CONTRACTS
- 4.16. ACCESS CONTROL TO THE BUSINESS CENTRE
- 4.17. LEGAL REQUIREMENTS AND DISPUTE RESOLUTION
- 5. TO WHOM AND WHY WE DISCLOSE YOUR PERSONAL DATA, INCLUDING TRANSFERS OUTSIDE THE EU/EEA
- 6. HOW WE PROTECT YOUR DATA
- 7. YOUR RIGHTS AS A DATA SUBJECT
- 8. VALIDITY AND AMENDMENTS TO THIS PRIVACY POLICY
Privacy policy
Last reviewed and updated on: 2025 [date].
This AKROPOLIS Privacy Policy (hereinafter – the Privacy Policy) is binding and applies to UAB AKROPOLIS GROUP (hereinafter – the Company or AKROPOLIS GROUP) and its subsidiaries operating in Lithuania (hereinafter the Company and its subsidiaries together referred to as AKROPOLIS, our, we and us) when we collect, use, or otherwise process personal information about you (you, your, and yours).
For the purposes of this Privacy Policy, AKROPOLIS means: AKROPOLIS GROUP, UAB OZO TURTAS (AKROPOLIS Vilnius), UAB TAIKOS TURTAS (AKROPOLIS Klaipėda), and UAB AIDO TURTAS (AKROPOLIS Šiauliai), collectively or individually, as applicable by context (where specified). The contact details of these companies are provided in Section 4 of this Privacy Policy.
PLEASE NOTE that UAB KAUNO AUDINIŲ PROJEKTAS (company code 301744841, address Karaliaus Mindaugo pr. 49, LT-44333 Kaunas), which operates the shopping and entertainment centre AKROPOLIS Kaunas, is not a company belonging to the AKROPOLIS Group. Therefore, this Privacy Policy applies to the processing of your personal data by this company only for the purpose specified in Section 4.1 of this Privacy Policy.
It is important that you read this Privacy Policy carefully, because each time you visit our Website, use our services, or otherwise provide us with personal data, you are required to familiarise yourself with the terms set out in this Privacy Policy. This means that you are legally obliged to comply with the provisions of this Privacy Policy. If these terms are not acceptable to you, you should not provide us with your personal data.
The purpose of this Privacy Policy is to provide information on when and how we process your personal data: how we obtain it, on what legal basis and for what purposes we use it, how we use it, how long we retain it, with whom we share it, how we protect it, and what rights you have in this context. We respect your privacy and are committed to protecting your personal data.
This Privacy Policy may be amended or updated by us from time to time. Therefore, we advise you to read it periodically and review the latest version of the document. The current version of the Privacy Policy is always available on the Website at https://www.akropolis.lt/.
The Website and/or other services provided by AKROPOLIS may only be used by persons who are at least 16 years of age. If you are at least 14 but under 16 years of age, please read this Privacy Policy together with one of your parents or guardians to make sure you understand it and follow it. The Company does not collect personal data of anyone under 14, so if you are younger than 14, you should not provide us with any personal information.
PLEASE NOTE that specific sections of this Privacy Policy (individually or jointly) apply to you depending on the nature of your relationship with us. For example, whether you visit a shopping and entertainment centre and/or our Website, participate in promotional campaigns, games or similar events, and/or use our services. This determines which of your personal data we process, the retention period, and/or the entities that control and process such data.
Please do not provide us with any personal data about yourself if you do not want such information to be used in any way. If, when using the Website and/or any of our services, you provide us with the personal data of third parties, you are responsible for informing those persons about the processing of their personal data and ensuring that they are familiar with this Privacy Policy.
In the following sections of this Privacy Policy, depending on the category relevant to you, you will find information on:
| 1.1. | AKROPOLIS, we, our and us – | all together or, where the context requires otherwise or is specified, any of the companies belonging to the AKROPOLIS Group operating in Lithuania: UAB AKROPOLIS GROUP, UAB OZO TURTAS (AKROPOLIS Vilnius), UAB TAIKOS TURTAS (AKROPOLIS Klaipėda) and UAB AIDO TURTAS (AKROPOLIS Šiauliai), the details and contact information of each of which are provided in Section 4 of this Privacy Policy. |
| 1.2. | Personal data or data – | any information relating to a living individual whose identity is or can be directly or indirectly identified. Separate pieces of information which, when combined, may also help to identify a particular individual likewise constitute personal data. |
| 1.3. | You, your and yours – | all natural persons who had, have, or may potentially have a relationship with us as described in Section 4 of this Privacy Policy, including owners of sole proprietorships, as well as directors, authorised representatives, consultants or contact persons acting on behalf of our clients and/or partners, visitors to the Website, enquirers who contact us by phone, email or other means, and personal data collected and stored when you visit the Website, use services provided by AKROPOLIS, or otherwise provide your personal data to us. |
| 1.4. | GDPR | shall mean Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation). |
| 1.5. | Gift card | shall mean a special AKROPOLIS gift card in the prescribed form (including an electronic gift card purchased on the Website and delivered by email), which confirms the fact of pre-payment and entitles the holder to purchase goods or services sold in the Shopping Centre, and which is subject to and governed by the terms and conditions of distribution of AKROPOLIS shopping centre gift cards. |
| 1.6. | Website | shall mean any website registered under an AKROPOLIS domain and administered by AKROPOLIS: AKROPOLIS.LT and AKROPOLIS.EU.
PLEASE NOTE that Section 4.1 of this Privacy Policy, which provides information on the use of cookies on the AKROPOLIS.LT Website, also covers cookies used on the subpage (access: www.akropolis.lt/kaunas/en/cookie-policy/) relating to the AKROPOLIS Kaunas shopping and entertainment centre (hereinafter – AKROPOLIS Kaunas), operated by UAB KAUNO AUDINIŲ PROJEKTAS. However, UAB KAUNO AUDINIŲ PROJEKTAS does not belong to AKROPOLIS, and therefore this Policy applies to the processing of your personal data at AKROPOLIS Kaunas only insofar as Section 4.1 of this Privacy Policy on the use of cookies is concerned, and does not apply for any other purposes specified in this Privacy Policy. Information on how UAB KAUNO AUDINIŲ PROJEKTAS processes the personal data of visitors of AKROPOLIS Kaunas and other data subjects, including questionnaires, registration forms, feedback forms, etc., as well as information and/or data collected on the AKROPOLIS.LT subpage (access: www.akropolis.lt/kaunas/en/privacy-policy/), can be found here: www.akropolis.lt/kaunas/en/privacy-policy/. |
| 1.7. | Shopping Centre or SC | shall mean all together or, where the context requires and/or is otherwise specified, any of the following shopping and entertainment centres: AKROPOLIS Vilnius, AKROPOLIS Klaipėda and AKROPOLIS Šiauliai, including the entire premises of the respective shopping centre as well as all common areas and public spaces (also business centre premises, where applicable). |
| 1.8. | Cookie | shall mean a small text element that the Website stores on your computer or mobile device when you visit our Website. This allows the Website to remember your actions and preferences for a certain period of time (such as the selected Shopping Centre, login name, language, font sizes, other display settings, etc.), so that you do not have to re-enter them each time you visit the Website or browse through individual subpages. |
| 1.9. | EEA | shall mean European Economic Area |
| 1.10. | EU | shall mean European Union |
2.1. AKROPOLIS respects your privacy and seeks to ensure the security of your personal information. In doing so, and in compliance with the GDPR, the data protection requirements laid down in the legislation of the Republic of Lithuania, other directly applicable laws regulating personal data protection, as well as the guidance of supervisory authorities, AKROPOLIS applies uniform data protection standards and principles across the entire AKROPOLIS Group by implementing the AKROPOLIS Privacy Policy.
This Privacy Policy does not apply to the processing of personal data carried out by: (i) the shopping and entertainment centre AKROPOLIS Kaunas (which does not belong to our Group), except for the information set out in Section 4.1 of this Privacy Policy on the use of cookies on the subpage (access: www.akropolis.lt/kaunas/en/privacy-policy/) relating to the above-mentioned shopping and entertainment centre in Kaunas, (ii) any other company not belonging to AKROPOLIS (unless the processing of data is carried out on our behalf and we have explicitly indicated this in this Privacy Policy), or (iii) an independent data controller, such as the police, the State Tax Inspectorate, courts, etc.
3.1. When processing your data, AKROPOLIS aims, inter alia, to ensure:
3.1.1. lawfulness, fairness and transparency – to collect and process data transparently, so that you, as data subjects, are fully informed about how we process your data, to comply with all legal acts governing data protection and privacy, and to ensure the proper implementation of obligations laid down in such legislation (principle of lawfulness, fairness and transparency);
3.1.2. security – to protect your personal data in accordance with market standards and by applying appropriate technical or organisational measures to ensure the proper security of personal data (e.g., access control), including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, and to update security measures when necessary (principle of integrity and confidentiality).
3.2. When processing your personal data, we always ensure that:
3.2.1. personal data are collected only for the purposes specified in this Privacy Policy and only to the extent necessary to achieve those purposes. Personal data collected for these purposes are not and will not be processed for any other purposes incompatible with the original ones (purpose limitation principle);
3.2.2. only authorised persons bound by confidentiality obligations have access to your data and only to the extent necessary to perform specific functions (based on the need-to-know principle);
3.2.3. only accurate and correct personal data are processed. When providing us with your data, please carefully check the accuracy of the information each time and notify us as soon as possible if you notice any errors. Information on how to update your data if it changes can be found in Section 7 of this Privacy Policy;
3.2.4. personal data collected for the purposes specified in this Privacy Policy are retained only for as long as necessary to achieve those purposes and are then promptly deleted (storage limitation principle);
3.2.5. only such personal data and only to the extent strictly necessary for the purpose of the specific processing operation are processed (data minimisation principle).
3.3. You may provide us with another person’s data (for example, when submitting a request to us or filling in a form to claim a prize) only if (i) you have a legal basis for sharing such data, i.e. if that person has authorised you to share the data with us, and (ii) you have informed him/her of this Privacy Policy, the purposes and scope of data processing, and (iii) you have obtained his/her explicit consent to such provision and processing of data.
3.4. Persons providing data undertake in all cases to provide only true and accurate information.
3.5. We kindly ask you to safeguard your personal information and provide us with your data only to the minimum extent necessary to resolve your enquiry/situation.
3.6. Information on the cookies used on our Website, the data collected through them, and information automatically collected when visiting our Website is provided in more detail in the separate AKROPOLIS Cookie Policy available at www.akropolis.lt/kaunas/en/privacy-policy/.
We process your personal data for the purposes set out in this section of the Privacy Policy and on the corresponding legal bases, each of which is explained in more detail below.
PLEASE NOTE that we may not process all of the data listed under each data processing purpose in this section. The scope of data processed is determined on a case-by-case basis in line with the principle of data minimisation, which means the volume of personal data processed may be smaller than indicated.
When you visit and browse our Website, we collect data about its visitors. We carry out such processing of your personal data through cookies under the main conditions set out below.
More information about the cookies used on our Website, their management, consent to their installation and withdrawal can be found in our Cookie Policy. You can change or update your cookie preferences at any time in the Cookie Policy.
| Data Controller | AKROPOLIS GROUP, UAB
Address: Ozo g. 25, LT-07150 Vilnius |
|
| Purpose of data processing | To ensure the smooth and secure functioning, administration and management of the Website and the provision and improvement of related services, including business continuity and prevention of security threats, as well as the provision of personalised content to you, the pursuit of marketing and advertising objectives, and the collection and analysis of statistical data on services and user experience on the Website. | |
| Data subjects | Visitors to the Website. | |
| Data sources | We collect your personal data: (i) directly from you (e.g., when you submit questionnaires, registration or feedback forms or use our services), (ii) automatically when you use our Website (e.g., through cookies, technical records and analytics tools), and, in certain cases, from third parties (e.g., social networks or advertising partners if you use their login or integration features). | |
| Legal basis for data processing | Your consent as the data subject (Article 6(1)(a) of the GDPR). | |
| Processed data | Technical data: | IP address (a digital identifier of your device on the internet (e.g., 88.222.111.55) showing from which location (country, city) the connection is made), operating system (Windows, MacOS, Android, iOS, etc.), browser type and version (e.g., Chrome 125, Firefox 117, Safari 16), type of device, time and date of visiting the Website, location, number of Website sessions (i.e., how many times you visited a page of the Website over a certain period), cookies whose use you have consented to. |
| Other data collected for analysis (e.g., to improve the Website experience, optimise content, deliver advertising): | browsing history and behaviour (i.e., which pages of the Website you visited, how you navigated through the Website), including clicks, information on the sections of the Website visited, content viewed on the Website (e.g., how long you spent on specific content, whether you scrolled to the bottom of the page), viewed destinations (i.e., where you were redirected from the Website, such as links to partners or social networks), completed forms/surveys, etc. | |
| Data relating to the confirmation and validity of your consent: | the fact, date and time of the receipt and withdrawal (where submitted) of consent. | |
| Data retention period | Technical data: | as set out in the Cookie Policy. |
| Other data collected for analysis: | 2 years | |
| Data relating to the confirmation and validity of your consent: | 2 years after the expiry of consent. | |
| Data recipients | Data processors engaged by the controller, to the extent necessary for the provision of the relevant service: | the website hosting service provider UAB BALTNETOS KOMUNIKACIJOS, legal entity code 125145862; |
| the website administration services and content management tools provider UAB Mediapark, legal entity code 302536163. | ||
| Providers of automated tools for the collection and analysis of statistical data and web analytics services, such as Google Analytics and Google Marketing Platform: | Google LLC (a US company), code 602223102. | |
| The transfer of your personal data outside the EEA | Not foreseen and will generally not take place, except where it is necessary to transfer personal data in connection with the use of services provided by Google LLC. You can find more detailed information about the transfer of your personal data outside the EEA in Section 5 of this Privacy Policy. | |
PLEASE NOTE that where the Website contains subpages and forms of UAB KAUNO AUDINIŲ PROJEKTAS (AKROPOLIS Kaunas), we act only as a technical service provider, ensuring the proper functioning of such subpages. We do not review or access the personal data provided in those subpages and forms, except where UAB KAUNO AUDINIŲ PROJEKTAS requires us to resolve technical issues in the relevant subpage and/or form. Although the Website domains belong to us, the controller of such data is the respective entity (e.g., UAB KAUNO AUDINIŲ PROJEKTAS), responsible for the purposes, content and overall GDPR compliance of the data processing applicable to it as the data controller. For our part, we are responsible only for the proper functioning of cookies on such subpages and for GDPR compliance in relation to the provision of server hosting services, and in this respect we act as a data processor for UAB KAUNO AUDINIŲ PROJEKTAS.
Video surveillance is carried out in the public areas and premises of the Shopping Centres, as well as in the public areas of the business centres located within them (i.e., lift lobbies on each floor) – meaning real-time monitoring of images transmitted by video cameras and the recording of video footage (video data processing). When you visit a Shopping Centre or its premises, you enter the field of view of the video cameras.
Before entering the surveillance area, visitors to each Shopping Centre are informed of the video surveillance by warning signs displaying a camera symbol and the necessary information about such processing of your personal data.
Such processing of your personal data is carried out under the following conditions:
| Video data controller
(Depending on which Shopping Centre you are visiting, have visited, or intend to visit) |
Shopping and entertainment centre AKROPOLIS Vilnius
OZO TURTAS, UAB |
||
| Shopping and entertainment centre AKROPOLIS Klaipėda
OZO TURTAS, UAB |
|||
| Shopping and entertainment centre AKROPOLIS Šiauliai
AIDO TURTAS, UAB |
|||
| Purpose of processing video data | To ensure the protection of the property of the video data controller and third parties, as well as the life, health and other rights and freedoms of all persons present in the premises and on the territory of the Shopping Centre, including compliance with public order, and the preservation of evidence necessary to identify and investigate relevant incidents. | ||
| Video data subjects | Natural persons (including a very small proportion of the video data controller’s employees compared to other visitors, employees of companies and other organisations operating in the premises and on the territory of the video data controller, customers and other visitors) who are present in the premises and on the territory of the video data controller. | ||
| Sources of video data | Personal data are collected by technical means (video cameras) when individuals enter or intend to enter the premises and/or the territory of the video data controller. | ||
| Legal basis for processing video data | The legitimate interests of the video data controller and/or third parties (Article 6(1)(f) of the GDPR). | ||
| Video data processed | The image of a person captured in the field of view of video cameras, the image of a vehicle and its registration number, as well as information related to such video data (e.g., location, date, time, etc.). | ||
| Video data retention period | General period: | AKROPOLIS Vilnius | 30 calendar days |
| AKROPOLIS Klaipėda | 20 calendar days | ||
| AKROPOLIS Šiauliai | 20 calendar days | ||
| If a request or complaint has been received regarding the provision of video data, or if there are grounds to believe that an offence, a criminal act, or other unlawful actions have been recorded: | until the completion of the relevant legal proceedings (for example, the examination of a request or claim, or the entry into force of a court or arbitration ruling), and if a final decision is adopted by a court or another dispute resolution authority in the relevant legal proceedings – 5 years from the date of such decision. | ||
| Subsequent data recovery: | not possible. | ||
| Recipients of video data | Law enforcement and judicial authorities. | ||
| The injured party or a person representing them, as well as other interested parties where there is a legitimate purpose and basis. | |||
| Insurance companies and insurance intermediaries (e.g., Aon Baltic, UADBB, legal entity code 110591289), and other professional advisers such as lawyers (where necessary to protect the rights and legitimate interests of the Shopping Centre and/or third parties, including victims). | |||
| Data processors engaged by the video data controller, where and to the extent necessary for the provision of a specific service: | UAB AKROPOLIS GROUP, provider of shopping centre management services, legal entity code 302533135; | ||
| UAB EUROCASH1, provider of shopping centre security services, legal entity code 225329030; | |||
| UAB Euroelektronika, provider of video surveillance equipment and system maintenance services, legal entity code 110474243. | |||
| The transfer of your personal data outside the EEA | Not applicable. | ||
| Use of facial recognition and/or analysis technologies | Not used. | ||
| Grouping or profiling of video data by individual | Not carried out. | ||
| Identification of a person | Not carried out, unless necessary in order to exercise your rights as a data subject in response to your request, or to preserve evidence necessary to identify and investigate relevant incidents. | ||
| Video surveillance carried out by other parties | Individual tenants of the Shopping Centre may carry out video surveillance independently in the premises they lease from the video data controller. The video data controller is not responsible for video surveillance carried out by the tenants of the Shopping Centre or other third parties. | ||
In the public areas and/or premises of the Shopping Centres, as well as in the public areas of the business centres located within them, free access to a wireless internet connection (Wi-Fi) is provided. When you connect to the network and use this service we provide, the related data are processed under the following conditions:
| Data Controller
(Depending on which Shopping Centre you are visiting, have visited, or intend to visit) |
Shopping and entertainment centre AKROPOLIS Vilnius
OZO TURTAS, UAB |
|
| Shopping and entertainment centre AKROPOLIS Klaipėda
OZO TURTAS, UAB |
||
| Shopping and entertainment centre AKROPOLIS Šiauliai
AIDO TURTAS, UAB |
||
| Purpose of data processing | To ensure the smooth and secure provision of wireless internet connection services. | |
| Data subjects | Visitors of the respective Shopping Centre. | |
| Data sources | Your device (e.g., mobile phone, computer). | |
| Legal basis for data processing | Provision of services: | based on Article 6(1)(b) of the GDPR, where the processing of data is necessary for the conclusion and performance of the service contract, with the data subject being one of the parties to the contract. |
| Ensuring network security and stability: | The legitimate interests of the Controller and/or third parties (Article 6(1)(f) of the GDPR). | |
| Processed data | Location data. | |
| Information about the connected device: | IP address (a digital identifier of your device on the internet (e.g., 88.222.111.55) showing from which location (country, city) the connection is made), device type, connection time, duration of use. | |
| Data retention period | 72 hours after the end of the session. | |
| Subsequent data recovery: not possible. | ||
| Data recipients | Data processors engaged by the controller, to the extent necessary for the provision of the relevant service: | UAB AKROPOLIS GROUP, provider of shopping centre management services, legal entity code 302533135; |
| UAB BALTNETOS KOMUNIKACIJOS, provider of server services, legal entity code 125145862. | ||
| The transfer of your personal data outside the EEA | Not applicable. | |
| Identification or verification of identity | Not carried out. | |
| Grouping or profiling of data by individual | Not carried out. | |
When you call the publicly available Shopping Centre information telephone number and consent to the recording of your call, the call is recorded, and the audio data processed. Recording begins only after you have given your consent and once the Shopping Centre information centre consultant answers the call.
If you do not consent, the call will be terminated before recording begins and your personal data will not be processed – such a call is not recorded. In that case, you are invited to contact the respective Shopping Centre information centre directly or by email.
Your personal data is processed under the following conditions:
| Audio data controller | AKROPOLIS GROUP, UAB
Address: Ozo g. 25, LT-07150 Vilnius |
|
| Purpose of processing audio data | To ensure the effective handling of the notification or request of audio data subjects, and, where necessary, the preservation of evidence required to identify or investigate relevant incidents. | |
| Audio data subjects | Natural persons – visitors of the respective Shopping Centre or other third parties contacting the audio data controller by phone, as well as employees of the audio data controller who communicate with such persons. | |
| Sources of audio data | Audio data subjects. | |
| Legal basis for processing audio data | Your consent as the data subject (Article 6(1)(a) of the GDPR).
Where a particular audio recording is necessary for the preservation of evidence to identify or investigate relevant incidents, the legal basis for processing that audio recording is our legitimate interest (Article 6(1)(f) of the GDPR). |
|
| Data recorded in audio files | Personal data disclosed during the conversation: | your voice and the content of the conversation, telephone number, date and time of the call, duration. |
| Other information you may choose to provide: | your name, surname, etc. | |
| Data relating to the confirmation and validity of your consent: | the fact, date and time of the receipt and withdrawal (where submitted) of consent. | |
| Audio data retention period | General period: | 14 days. |
| Data relating to the confirmation and validity of your consent: | 2 years after the expiry of consent. | |
| Where necessary for the investigation of a specific incident, or if you submit a request or complaint to us: | until the completion of the relevant legal proceedings (for example, the examination of a request or claim, or the entry into force of a court or arbitration ruling), and if a final decision is adopted by a court or another dispute resolution authority in the relevant legal proceedings – 5 years from the date of such decision. | |
| Subsequent data recovery: | not possible. | |
| Recipients of audio data | Law enforcement and judicial authorities, other state or municipal institutions (where provided for in the relevant legislation or necessary for the performance of the functions assigned to such institutions), or other persons carrying out their official powers. | |
| Other third parties with a legitimate interest – on the basis of their substantiated request or by decision of the audio data controller, where there is a lawful basis for such disclosure. | ||
| Insurance companies and insurance intermediaries, and other professional advisers such as lawyers (where necessary to protect the rights and legitimate interests of the Shopping Centre and/or third parties, including victims). | ||
| Microsoft Corporation, legal entity code 600 413 485. | ||
| Data processors engaged by the controller, to the extent necessary for the provision of the relevant service: | UAB EUROCASH1, provider of shopping centre security services, legal entity code 225329030; | |
| the respective owner of the Shopping Centre (UAB OZO TURTAS, UAB TAIKOS TURTAS, UAB AIDO TURTAS). | ||
| Transfer of audio recordings outside the European Economic Area | In principle not foreseen and will generally not take place, except where it is necessary to transfer personal data in connection with the use of Microsoft software, including cloud computing and hosting services (the data processing agreement, third parties to which personal data are transferred, and the personal data protection mechanisms applied are available here). You can find more detailed information about the transfer of your personal data outside the EEA in Section 5 of this Privacy Policy. | |
| Identification of a person | Not carried out, unless necessary in order to exercise your rights as a data subject in response to your request, or to preserve evidence necessary to identify or investigate relevant incidents. | |
If you have chosen to subscribe to, or have otherwise agreed to receive, our newsletters (direct marketing and/or messages related to major AKROPOLIS events), we process your email data.
Your consent will remain valid for 2 years, unless you withdraw it earlier.
You may withdraw your consent to receive (subscribe to) our newsletters at any time by clicking the link provided in the received newsletter or by contacting us using the contact details below.
Provided that you have opted to receive newsletters from a specific Shopping Center(-s), you may modify your choice at any time by using the link provided in the newsletter.
Your personal data is processed under the following conditions:
| Data Controller | AKROPOLIS GROUP, UAB
Address: Ozo g. 25, LT-07150 Vilnius |
|
| Purpose of data processing | To send newsletters containing news, promotions, offers or information about us, as well as to monitor and analyse interactions with the newsletters, assess the effectiveness of newsletter distribution, and improve their content. | |
| Data subjects | Individuals who have given their consent for their personal data to be processed for direct marketing purposes. | |
| Data sources | Data subjects. | |
| Legal basis for data processing | Sending newsletters by subscription: | Your consent as the data subject (Article 6(1)(a) of the GDPR). |
| Monitoring interactions with newsletters: | the legitimate interests of us and/or third parties (Article 6(1)(f) of the GDPR). | |
| Processed data | Contact details: | e-mail address. |
| Your preference regarding newsletters from a specific Shopping Centre: | indication (choice) of city / district. | |
| Data relating to the confirmation and validity of your consent: | the fact, date and time of the receipt and withdrawal (where submitted) of consent. | |
| Newsletter interaction data: | information on whether the newsletter was read, when and how many times it was read (opened), and whether it was forwarded to others. | |
| Data retention period | General period: | for the duration of the agreement. |
| Data relating to the confirmation and validity of your consent: | 2 years after the expiry of consent. | |
| Data recipients | Data processors engaged by the controller, to the extent necessary for the provision of the relevant service: | Sendinblue SAS (trading as Brevo), newsletter automation platform provider, legal entity code 498 019 298, and its affiliated companies; |
| the newsletter administration and marketing services provider (social media agency), UAB “Turinio rinkodara”, legal entity code 304170889; | ||
| the website hosting service provider UAB BALTNETOS KOMUNIKACIJOS, legal entity code 125145862; | ||
| UAB Mediapark, website administration services and content management tools provider, legal entity code 302536163; | ||
| persons providing the technical solution for game, enquiry and/or registration forms. | ||
| The transfer of your personal data outside the EEA | It is not foreseen and will generally not take place, except where it is necessary to transfer personal data in connection with the use of services provided by Brevo and/or its affiliated companies processing personal data in the United States. You can find more detailed information about the transfer of your personal data outside the EEA in Section 5 of this Privacy Policy. | |
When you wish to participate in our games, promotions, competitions and/or lotteries, register to play (where applicable), and when you win and seek to claim the prize/gift you have won, we process your related personal data.
Processing of your data is carried out under the following conditions:
| Data Controller | AKROPOLIS GROUP, UAB
Address: Ozo g. 25, LT-07150 Vilnius |
|
| Purpose of data processing | During registration and participation (where applicable): | to ensure the organization of the game/promotion/competition/lottery (selection of winners from among the participants) and the sending of notifications about its progress, events, or winnings |
| When claiming a prize: | to ensure proper notification about the prize collection | |
| When collecting the prize (if the prize is monetary or the value of a non-monetary prize is EUR 100 or more): | to ensure the calculation, declaration, and payment of the winner’s income (received in kind or in cash) and the resulting taxes on your behalf to the State Tax Inspectorate. | |
| When submitting a request or complaint: | to ensure the examination of any requests and/or complaints (if any). | |
| Data subject | A person participating in our organized games, promotions, contests, and/or lotteries. | |
| Data sources | Data subject | |
| Legal basis for data processing | During registration and participation (where applicable): | On the basis of Article 6(1)(b) of the GDPR, where the processing of data is necessary for the performance of a contract (the terms of the game/promotion/contest/lottery) to which you, as the data subject, are a party |
| When claiming a prize: | On the basis of Article 6(1)(b) of the GDPR, where the processing of data is necessary for the performance of a contract (the terms of the game/promotion/contest/lottery) to which you, as the data subject, are a party | |
| When collecting a prize
(where the prize is monetary or the value of a non-monetary prize is EUR 100 or more): |
on the basis of Article 6(1)(c) of the GDPR, in order to comply with the legal obligations applicable to the data controller under Article 5 of the Law on Personal Income Tax. | |
| When submitting a request or complaint: | the legitimate interests of the Data Controller and/or third parties (Article 6(1)(f) of the GDPR). | |
| Processed data | During registration and participation (where applicable): | your email address or telephone number, name (nickname). |
| When claiming a prize: | name, winning purchase receipt number, your email address or telephone number. | |
| When collecting a prize
(where the prize is monetary or the value of a non-monetary prize is EUR 100 or more): |
full name, personal identification number, your email address or telephone number. PLEASE NOTE that we will process your full name, surname and personal identification number for this purpose only when providing information to the State Tax Inspectorate in accordance with the annual declaration of payments made to residents classified as Class A and B income, form No. GPM312. | |
| Other personal data: | your email address or telephone number, communication regarding a request or complaint (where a natural person can be identified from it). | |
| Data retention period | At the time of registration and participation, when applying to collect the prize: | 2 months after the end of the game/promotion/contest/lottery period. |
| When collecting a prize
(where the prize is monetary or the value of a non-monetary prize is EUR 100 or more): |
5 years after signing the prize acceptance-transfer deed. | |
| If we receive a request or complaint from you and a dispute arises: | until the completion of the relevant legal proceedings (for example, the examination of a request or claim, or the entry into force of a court or arbitration ruling), and if a final decision is adopted by a court or another dispute resolution authority in the relevant legal proceedings – 5 years from the date of such decision. | |
| Data recipients | Data processors engaged by the controller, to the extent necessary for the provision of the relevant service: | the website hosting service provider UAB BALTNETOS KOMUNIKACIJOS, legal entity code 125145862; |
| the website administration services and content management tools provider UAB Mediapark, legal entity code 302536163; | ||
| other IT service and software providers; | ||
| persons providing the technical solution for the game, inquiry and/or registration form; | ||
| our authorised representatives of the respective Shopping Centre, including the Shopping Centre Information Centre employees and agencies acting on our behalf, who under written agreements provide services necessary for the proper fulfilment of the defined purpose and, acting in our interests and on our instructions, collect data from you. | ||
| State Tax Inspectorate. | ||
| The transfer of your personal data outside the EEA | Not applicable. | |
| Participants of the game/promotion/contest/lottery under the age of 14 | Their personal data shall be provided (entered) by one of the parents, guardians or custodians (depending on who, in such case, fills in the data). | |
| Submission of identity documents | In order to verify the winner’s age, the Data Controller or the representatives of the Shopping Centre engaged by it may ask you to present an identity document. Identity documents are only inspected and are in no case copied, photographed, transcribed or otherwise stored. | |
| Failure to provide mandatory data or providing incomplete/incorrect data | According to the rules of the specific game/promotion/contest/lottery, the participant may lose the right to the prize. | |
If, when receiving a prize from our organised game/promotion/contest/lottery, you agree to be photographed and/or recorded on video and that your image may be published on the Website and/or our social media accounts as well as other public communication channels, we will process your related personal data, including your image.
Your consent will remain valid for 2 years, unless you withdraw it earlier.
You may withdraw your consent to the processing of your image at any time by contacting us using the details below. Once we receive your notification of withdrawal of consent, we will immediately cease using your photo and/or video for the purposes specified below.
Such processing of your data is carried out under the following conditions:
| Data Controller | AKROPOLIS GROUP, UAB
Address: Ozo g. 25, LT-07150 Vilnius |
|
| Purpose of data processing | With the data subject’s consent, to publicly use his/her image as a winner when announcing the winners of a particular game/promotion/contest/lottery and when presenting the results in our marketing channels, including publishing it on our Website and/or social media accounts, as well as using it in other of our public channels (except for advertising tools used in marketing campaigns), at our discretion. | |
| Data subject | The winner of the game, promotion, contest or lottery organized by us. | |
| Data sources | Data subject. | |
| Legal basis for data processing | Your consent as the data subject (Article 6(1)(a) of the GDPR). | |
| Processed data | Your image as the data subject, captured in a photograph and/or video recording. | |
| Data relating to the confirmation and validity of your consent: | the fact, date and time of the receipt and withdrawal (where submitted) of consent. | |
| Data retention period | General period: | for the duration of the agreement. |
| Data relating to the confirmation and validity of your consent: | 2 years after the expiry of consent. | |
| Data recipients | Data processors engaged by the controller, to the extent necessary for the provision of the relevant service: | the website hosting service provider UAB BALTNETOS KOMUNIKACIJOS, legal entity code 125145862; |
| the website administration services and content management tools provider UAB Mediapark, legal entity code 302536163; | ||
| other IT service and software providers; | ||
| our authorised representatives of the respective Shopping Centre, including the Shopping Centre Information Centre employees and agencies acting on our behalf, who under written agreements provide services necessary for the proper fulfilment of the defined purpose and, acting in our interests and on our instructions, collect data from you. | ||
| Administrator of the social networks Facebook and Instagram – Meta Platforms Inc. (US company), code 20-1665011; social network YouTube administrator – Google LLC (a US company), code 602223102; as well as joint administrators of the social network TikTok – TikTok Technology Limited (an Irish company), code 635755, and TikTok Information Technologies UK Limited (a United Kingdom company), code 10165711. | ||
| The transfer of your personal data outside the EEA | As a rule, this is not foreseen and will normally not occur, except where necessary in connection with the use of Meta Platforms Inc. services. You can find more detailed information about the transfer of your personal data outside the EEA in Section 5 of this Privacy Policy. | |
If, during an event in the Shopping Centre or in a specially designated photo area (such as a photo booth or by a photo wall), your (or your child’s) image is captured (for example, by a photographer engaged by us or stored in the memory of the photo booth), we will process that image.
At every event and/or other type of activation (for example, in a temporary interactive zone in the Shopping Centre, in communication initiatives, etc.) where photography and/or filming takes place, a notice board will be placed in a visible location to inform you accordingly. If details of an event in the Shopping Centre are made public (for example, on our website or on our social media accounts), this notice will also be published together with the event description, clearly separated from the terms of the event itself.
If you would like your (or your child’s) image captured in a photograph and/or video recording to be removed from the event’s photo gallery, video gallery or similar, please contact us using the details provided below. Once we receive your request, and where this is technically feasible, we will cease using your (or your child’s) photograph and/or video recording for the purposes described below.
PLEASE NOTE that if your image has been included in publicly available sustainability reports of the data controller and/or the controller’s annual reports or other similar public documents, its removal may be unduly burdensome, disproportionate, or may remain necessary to protect the legitimate interests of the controller. In such cases, if you object to the processing of your image for these purposes, we will inform you separately of the actions we take.
Such processing of your data is carried out under the following conditions:
| Data controller | AKROPOLIS GROUP, UAB
Address: Ozo g. 25, LT-07150 Vilnius |
|
| Purpose of data processing | To publicise Shopping Centre events by publishing photographs and/or video recordings of events held in the Shopping Centre and/or other types of activation activities on our website and/or social media accounts, and by using them in other public information channels at our discretion (excluding advertising tools used in marketing campaigns). | |
| Legal basis for data processing | The legitimate interests of the Controller and/or third parties (Article 6(1)(f) of the GDPR). | |
| Processed data | Your (or your child’s) image, as the data subject, captured in a photograph and/or video recording. | |
| Data retention period | General period: | 2 years after the date of the event. |
| If a photograph is used in our sustainability reports, annual reports and/or other similar public documents (excluding advertising tools used in marketing campaigns): | 10 years after the date of the document. | |
| Data recipients | Data processors engaged by the controller, to the extent necessary for the provision of the relevant service: | the photographer or photo booth operator; |
| the website hosting service provider UAB BALTNETOS KOMUNIKACIJOS, legal entity code 125145862; | ||
| the website administration services and content management tools provider UAB Mediapark, legal entity code 302536163; | ||
| other IT service and software providers | ||
| Administrator of the social networks Facebook and Instagram – Meta Platforms Inc. (US company, code 20-1665011), social network YouTube administrator – Google LLC (a US company), code 602223102; as well as joint administrators of the social network TikTok – TikTok Technology Limited (an Irish company), code 635755, and TikTok Information Technologies UK Limited (a United Kingdom company), code 10165711. | ||
| The transfer of your personal data outside the EEA | In principle, such transfer is not envisaged and will not normally take place, except where it is necessary to transfer personal data in connection with the use of the services of Meta Platforms Inc. and/or Google LLC. You can find more detailed information about the transfer of your personal data outside the EEA in Section 5 of this Privacy Policy. | |
For the purpose of managing our social networking accounts (Facebook, Instagram, YouTube, Tik Tok) and communicating with social media users, we process your personal data in connection with these activities.
Such processing of your data is carried out under the following conditions:
| Data Controller | AKROPOLIS GROUP, UAB
Address: Ozo g. 25, LT-07150 Vilnius |
|
| Purpose of data processing | Managing our social media accounts (Facebook, Instagram, YouTube, Tik Tok) and communicating with social media users. | |
| Data subjects | Users of social networks (Facebook, Instagram, YouTube, Tik Tok) who interact with our accounts. | |
| Data sources | We obtain personal data directly from you and/or from the relevant social network. | |
| Legal basis for data processing | Our legitimate interest in communicating with users of our social media accounts (Article 6(1)(f) GDPR). | |
| Processed data | Social network profile name or full name | |
| Profile picture | ||
| Public comments and other interactions with our social media accounts | ||
| Content of any messages exchanged with us, where applicable | ||
| Data retention period | As we do not administer the above-mentioned social networks, but only our accounts within them, and act as a joint controller together with the companies that operate these social networks, we invite you to consult the privacy policies of the relevant social networks for information on how long your personal data is stored:
|
|
| Data recipients |
Data processors engaged by the controller, to the extent necessary for the provision of the relevant service: | IT service and software providers. |
| Administrator of the social networks Facebook and Instagram – Meta Platforms Inc. (US company), code 20-1665011. | ||
| Administrator of the YouTube social network – Google LLC (US company, code 602223102). | ||
| Joint administrators of the social network TikTok – TikTok Technology Limited (an Irish company), code 635755, and TikTok Information Technologies UK Limited (a United Kingdom company), code 10165711. | ||
| The transfer of your personal data outside the EEA | Such transfer is not envisaged and will not normally take place, except where it is necessary to transfer personal data in connection with the use of the services of Meta Platforms Inc. and Google LLC. You can find more detailed information about the transfer of your personal data outside the EEA in Section 5 of this Privacy Policy. | |
When you purchase an electronic version of a Gift Card or request an invoice and we need to contact you in order to deliver the electronic Gift Card or purchase documents, we process the relevant personal data.
Such processing of your data is carried out under the following conditions:
| Data Controller | AKROPOLIS GROUP, UAB
Address: Ozo g. 25, LT-07150 Vilnius |
|
| Purpose of data processing | To ensure the preparation and delivery of the electronic Gift Card purchased by the buyer and/or the purchase documents in the manner indicated by the buyer, as well as related communications. | |
| Data subjects | Gift Card purchasers: natural persons and/or representatives of legal entities. | |
| Data sources | Data subjects. | |
| Legal basis for data processing | In relation to buyers who are natural persons – Article 6(1)(b) GDPR, where the processing is necessary for the performance of a purchase–sale contract to which you, as the data subject, are a party.
In relation to buyers who are legal entities – Article 6(1)(f) GDPR, where the processing is necessary for the legitimate interests of the data controller, the legitimate interest being the conclusion and performance of a contract with the buyer through its representatives (to contact the buyer, etc.). |
|
| Processed data | When purchasing an electronic Gift Card: | your e-mail address and any additional data provided at your discretion as the buyer (in the case of a legal entity – by the buyer’s representative), such as name and/or surname (only if you provide it yourself). |
| When requesting a purchase document: | your e-mail address and your name and surname as the buyer (or, in the case of a legal entity, as the buyer’s representative). | |
| Data retention period | 2 weeks. | |
| Data recipients | Data processors engaged by the controller, to the extent necessary for the provision of the relevant service: | the gift card issuer UAB Gera dovana, company code 301075902; |
| our authorised representatives of the Shopping Centre, including the Shopping Centre Information Centre employees and agencies acting on our behalf, who under written agreements provide services necessary for the proper fulfilment of the defined purpose and, acting in our interests and on our instructions, collect data from you. | ||
| The transfer of your personal data outside the EEA | Not applicable. | |
| Identification of a person | Not carried out. | |
When you register to take part in fairs/markets organised by us by providing your personal data, or when you are selected as one of the participants in a fair, we process your personal data.
Such processing of your data is carried out under the following conditions:
| Data Controller
(Depending on which shopping centre’s fair / market you intend to participate in) |
Shopping and entertainment centre AKROPOLIS Vilnius
OZO TURTAS, UAB |
|
| Shopping and entertainment centre AKROPOLIS Klaipėda
OZO TURTAS, UAB |
||
| Shopping and entertainment centre AKROPOLIS Šiauliai
AIDO TURTAS, UAB |
||
| Purpose of data processing | To ensure the organisation of the fair / market and the selection of participants, the administration and communication with the selected participants, as well as the examination of any related claims. | |
| Data subjects | Participants in the fair/market. | |
| Data sources | Data subjects. | |
| Legal basis for data processing | For participants who are natural persons acting under a certificate of individual activity, personal data are processed on the basis of Article 6(1)(b) GDPR, where the processing is necessary for the conclusion and performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract.
For participants who are legal entities, personal data (e.g. contact details of representatives) are processed on the basis of Article 6(1)(f) GDPR, where the processing is necessary for the purposes of the legitimate interests pursued by the data controller, namely the conclusion and performance of a contract with the legal entity, through its appointed representatives or contact persons. |
|
| Processed data | The name and surname of the person submitting the participant’s registration on their own behalf (acting under a certificate of individual activity) or the representative appointed by the participant (legal entity), together with a link to a Facebook profile / website or photo gallery, e-mail address, telephone number, and a description of activities. | |
| If the link you provide to a Facebook profile / website / photo gallery, or the photographs you send us, contain personal images: | your and/or third parties’ personal image.
PLEASE NOTE that by providing us with images of third parties, you undertake to obtain their consent and to inform them of this Privacy Policy. |
|
| Data retention period | 2 weeks after the end of the fair/market. In specific cases, in accordance with applicable legal requirements or in the cases set out in Sections 4.15 (e.g. contractual relations between you or the entity you represent and us) or 4.17 of this Privacy Policy, your personal data may be retained for a longer period. | |
| Data recipients | Data processors engaged by the controller, to the extent necessary for the provision of the relevant service: | the website hosting service provider UAB BALTNETOS KOMUNIKACIJOS, legal entity code 125145862; |
| the website administration services and content management tools provider UAB Mediapark, legal entity code 302536163; | ||
| other IT service providers, software suppliers, and persons providing the technical solution for the fair participants’ registration form; | ||
| UAB AKROPOLIS GROUP, provider of shopping centre management services, legal entity code 302533135. | ||
| Transfer of personal data outside the European Economic Area | Not applicable. | |
When you leave us your feedback, enquiry, or complaint, request information about events held at the shopping centre, or contact us on other matters of concern to you via our Website (in the designated section) or through the official contact email addresses we publish (by sending a message), and provide (indicate) your personal data, we process your data.
PLEASE NOTE that for the purposes set out in this section, the processing of your personal data does not include the processing of voice call recordings when you call the publicly available information line of the shopping centre. Information on how we process your personal data in order to ensure the effective handling of voice data subjects’ notifications or enquiries, as well as, where necessary, to retain evidence for the determination or investigation of relevant events, can be found in Section 4.4 of this Privacy Policy.
We kindly ask you to provide only your first name and an email address or phone number.
Such processing of your data is carried out under the following conditions:
| Data Controller | AKROPOLIS GROUP, UAB
Address: Ozo g. 25, LT-07150 Vilnius |
|
| Purpose of data processing | To ensure proper and objective consideration of your enquiry and the provision of the necessary/requested information or a reply to your question, request, or requirement. The enquiry data may also be used to improve our activities and the quality of the services we provide to you, taking into account your feedback and suggestions. | |
| Data subjects | Persons submitting enquiries, feedback, or complaints on our Website (in the designated section) or via the official contact email addresses we publish. | |
| Data sources | Data subjects | |
| Legal basis for data processing | The legitimate interests of the Data Controller to respond to your enquiry and/or provide you with detailed information about us that concern you (Article 6(1)(f) of the GDPR).
Compliance with legal requirements applicable to us, if we have a legal obligation to respond to your enquiry (Article 6(1)(c) of the GDPR). Performance of a contract concluded with you, if your enquiry relates to our mutual contractual obligations (Article 6(1)(b) of the GDPR). |
|
| Processed data | Your first name, email address or phone number. | |
| At your choice, potentially other information such as your surname, the entity you represent, your position, etc. | ||
| Data contained in communications with the Data Controller (including employees): | date and time of the enquiry, date and time of the response, content of correspondence, etc. | |
| We kindly ask you to protect your personal information and provide us with your data only to the minimum extent necessary to objectively assess your enquiry and provide you with a response. | ||
| Data retention period | Your personal data for the purposes specified in this section will be processed for 1 year from the date of collection. In specific cases, in accordance with applicable legal requirements or in the cases set out in Sections 4.15 (e.g. where your enquiry relates to contractual relations between you or the entity you represent and us) or 4.17 of this Privacy Policy, your personal data may be retained for a longer period. | |
| Data recipients | Data processors engaged by the controller, to the extent necessary for the provision of the relevant service: | the website hosting service provider UAB BALTNETOS KOMUNIKACIJOS, legal entity code 125145862; |
| the website administration services and content management tools provider UAB Mediapark, legal entity code 302536163; | ||
| other IT service and software providers | ||
| The transfer of your personal data outside the EEA | Not applicable. | |
| Identification of a person | Not carried out. | |
When you contact us (e.g. using our officially published contact details or in person) regarding an incident that has occurred in the Shopping Centre or on its premises and provide (indicate) your personal data, we process the data you provide.
We kindly ask you to protect your personal information and provide us with your data only to the minimum extent necessary to objectively assess your enquiry and provide you with a response. In addition, when contacting us for the first time, please provide only your first name and an email address or telephone number through which we can contact you.
Such processing of your data is carried out under the following conditions:
| Data Controller
(Depending on the Shopping Centre where the incident occurred) |
Shopping and entertainment centre AKROPOLIS Vilnius
OZO TURTAS, UAB |
|
| Shopping and entertainment centre AKROPOLIS Klaipėda
OZO TURTAS, UAB |
||
| Shopping and entertainment centre AKROPOLIS Šiauliai
AIDO TURTAS, UAB |
||
| Purpose of data processing | To ensure proper and objective consideration of your enquiry regarding an incident that occurred in the Shopping Centre or on its premises, communication in relation thereto, and the resolution of any disputes (if such arise). | |
| Data subjects | Persons contacting us regarding an incident that occurred in the Shopping Centre or on its premises. | |
| Data sources | Data subjects. | |
| Legal basis for data processing | The legitimate interests of the Controller and/or third parties (Article 6(1)(f) of the GDPR).
Where special categories of data are processed (e.g. health data), Article 9(2)(f) of the GDPR additionally applies – when processing is necessary for the establishment, exercise, or defence of legal claims. |
|
| Processed data | Your first name, email address, or phone number. | |
| At your choice, potentially other information such as your surname, the damage suffered and its extent, the entity you represent, your position, etc. | ||
| Data contained in communications with the data controller (including employees): date and time of the enquiry, date and time of the response, correspondence content, including the circumstances of the incident, etc. PLEASE NOTE that if you voluntarily provide information about health-related injuries, such data will be considered special category data and will be processed more strictly, only where objectively necessary in order to implement a potential compensation mechanism or to defend against legal claims. | ||
| Data retention period | 1 year from the examination of your claim and the provision of a response to you. In specific cases, in accordance with applicable legal requirements or in the cases set out in Section 4.17 of this Privacy Policy (i.e. where a dispute arises), your personal data may be retained for a longer period. | |
| Data recipients | Data processors engaged by the controller, to the extent necessary for the provision of the relevant service: | UAB AKROPOLIS GROUP, provider of shopping centre management services, legal entity code 302533135. |
| Insurance intermediary Aon Baltic, UADBB, company code 110591289. | ||
| The transfer of your personal data outside the EEA | Not applicable. | |
When you apply for a vacant position at AKROPOLIS or for a professional or voluntary internship and provide us with your personal data (including the data contained in the attached curriculum vitae (CV), cover letter, or information provided during a meeting, etc.), we process your data under the conditions set out below.
PLEASE NOTE that in assessing your suitability for the position, we may contact your former employers and/or educational institution (in the case of an internship) in order to enquire about your qualifications, skills, or professional attributes. We will do so on the basis of our legitimate interest to select motivated, qualified, and most suitable candidates for the specific position.
| Data Controller
(Depending on which AKROPOLIS company has announced the vacant position you are applying for) |
AKROPOLIS GROUP, UAB
Address: Ozo g. 25, LT-07150 Vilnius |
|
| Shopping and entertainment centre AKROPOLIS Vilnius
OZO TURTAS, UAB |
||
| Shopping and entertainment centre AKROPOLIS Klaipėda
OZO TURTAS, UAB |
||
| Shopping and entertainment centre AKROPOLIS Šiauliai
AIDO TURTAS, UAB |
||
| Purpose of data processing | During the recruitment process: | to assess your application for a specific position, carry out selection procedures and, if necessary, contact you and offer you a position or internship. |
| After the specific recruitment process is completed, but you are not selected for the vacant position / internship: | with your separate consent, to consider your application and contact you in the future if a vacancy arises that matches your qualifications (for the purpose of creating and administering a candidate database). | |
| Data subjects | Candidates applying for employment or for a professional or voluntary internship at AKROPOLIS. | |
| Data sources | Most often, personal data are provided directly by the data subjects themselves when contacting us, or via other recruitment channels, e.g. online portals where we publish information about job vacancies. Candidates’ personal data may also be provided to us by entities offering personnel search and recruitment services (only in cases where we use their services). | |
| Legal basis for data processing | During the recruitment process: | The legitimate interests of the Controller and/or third parties (Article 6(1)(f) of the GDPR). |
| After the specific recruitment process has ended: | your separate consent as the data subject (Article 6(1)(a) of the GDPR). | |
| Processed data | General information about the candidate: | first name, surname, date of birth, residential address, email address, phone number, information on work experience or internships (employer, employment period, position, responsibilities, achievements), education (educational institution, study period, qualification obtained), information on further training (courses attended, certificates obtained), language proficiency, IT and driving skills, licences held (if required by Lithuanian law for your activity), other competencies, link to your personal LinkedIn profile, salary expectations, and any other information you provide in your CV, cover letter, or other documents submitted to us. |
| References and employer feedback: | the person providing the reference or feedback, their contact details, the content of the reference or feedback. | |
| Information related to candidate evaluation: | information provided during the job interview, as well as conclusions and/or evaluations formed during the interview by us and/or by our representatives involved in the recruitment process (entities providing personnel search and recruitment services). | |
| Data relating to the confirmation and validity of your consent: | the fact, date and time of the receipt and withdrawal (where submitted) of consent. | |
| Data retention period | General period: | 1 month after the end of the specific recruitment process. |
| If we receive your consent to process your data as a candidate in order to offer potential future vacancies: | 1 year from the date the data are provided or until withdrawal of consent (whichever occurs first). | |
| Data relating to the confirmation and validity of your consent: | 2 years after the expiry of consent. | |
| Data recipients | Data processors engaged by the controller, to the extent necessary for the provision of the relevant service: | providers of IT services, database and software maintenance services; |
| UAB AKROPOLIS GROUP, provider of shopping centre management services, legal entity code 302533135; | ||
| Entities providing personnel search and recruitment services. | ||
| Third-party data provided in your application (e.g. contact details) | We consider that the consents of the respective data subjects have been obtained for the processing of the data provided, including for their disclosure to us. Accordingly, before submitting such third-party data to us, you undertake to inform those persons of this Privacy Policy. | |
| The transfer of your personal data outside the EEA | Not applicable. | |
If you are selected for the proposed position and conclude an employment or internship contract with us, the recruitment data will be retained in accordance with the procedure and time limits established for the processing of personnel data, which you will be informed of at the time of concluding the contract.
When you are our existing or prospective partner (or their representative), e.g. a tenant, advertising client, supplier, consultant, etc., or you contact us on any other grounds related to the conduct of your or our business activities, e.g. submitting a press release, a cooperation proposal, etc., we process your data under the conditions set out below.
This includes any electronic communication between us via officially published general contact addresses, as well as personalised work email addresses of ours or yours (representative) (e.g. info@akropolis.lt, name.surname@akropolis.lt), completion and submission of electronic forms (e.g. Lease Application) on your or our Website, provision of data during a telephone conversation, etc.
| Data controller (depending on the entity with which the transaction is concluded / intended to be concluded) | AKROPOLIS GROUP, UAB
Address: Ozo g. 25, LT-07150 Vilnius |
|
| Shopping and entertainment centre AKROPOLIS Vilnius
OZO TURTAS, UAB |
||
| Shopping and entertainment centre AKROPOLIS Klaipėda
OZO TURTAS, UAB |
||
| Shopping and entertainment centre AKROPOLIS Šiauliai
AIDO TURTAS, UAB |
||
| Purpose of data processing | With regard to existing partners (representatives): | to perform / administer contractual obligations undertaken, to ensure proper communication and to resolve related issues. |
| In respect of prospective partners (representatives) or other types of business contacts: | to organise and carry out partner selection procedures and, if necessary, to contact you and make an offer, as well as to ensure proper communication and resolve related issues or respond to your enquiries. | |
| Data subjects | Service providers, suppliers, partners / contracting parties, clients, contractors (subcontractors), including potential ones, as well as representatives of service providers, suppliers, partners / contracting parties, clients, contractors (subcontractors), including potential ones. | |
| Data sources | Personal data are provided by the data subjects themselves. In the case of representatives, their personal data may be provided to us by the represented service provider, supplier, partner / contracting party, client, contractor (subcontractor). We also have the right to verify information in public registers where necessary for the above-mentioned purpose (e.g. to confirm proper representation). | |
| Legal basis for data processing | With regard to existing partners (representatives): | Article 6(1)(b) of the GDPR, where processing is necessary for the performance of a contract to which you, as the data subject, are a party. |
| In respect of prospective partners (representatives) or other types of business contacts: | the legitimate interests of the Data Controller and/or third parties (Article 6(1)(f) of the GDPR). | |
| Processed data | Data of a natural person (as our partner): | first name, surname, personal identification number, date of birth (for foreign natural persons), details of individual activity certificate / business licence, identity document data (for foreign natural persons), address, bank account number, date, amount and purpose of payments or other settlements, email address, telephone number, link to personal LinkedIn / Instagram / Facebook account (PLEASE NOTE that this data is only relevant where services are provided to us by natural persons acting as influencers). |
| Data of a legal entity’s representative or contact person (as our partner): | first name, surname, position, personal identification number (where necessary in representation relationships, e.g. for granting official authorisations to act on behalf of the company), identity document data (for foreign natural persons), email address, telephone number. | |
| Data on relationships with the service provider, supplier, partner / contracting party, client, contractor (subcontractor), including their representatives: nature of the services provided, goods supplied, type of cooperation, correspondence content. | ||
| Data retention period | 10 years after the performance of the relevant contract. If no contract is concluded, communication-related data are retained for 1 year after the provision of the data concerned. Accounting documents confirming an economic transaction or event (invoices, payment orders, advance payment reports, cash receipts and disbursement orders, etc.) are retained for 10 years. | |
| Data recipients | Data processors engaged by the controller, to the extent necessary for the provision of the relevant service | providers of IT services, database and software maintenance services; |
| AKROPOLIS GROUP, provider of shopping centre management services, legal entity code 302533135. | ||
| The transfer of your personal data outside the EEA | Not applicable. | |
| Submission of identity documents | In order to verify the identity of a partner’s representative, you may be asked to present an identity document (e.g. identity card). PLEASE NOTE that the document is only viewed on site – it is not copied, scanned, transcribed, or otherwise stored. | |
At the business centre located in the AKROPOLIS Vilnius shopping centre, as well as in the administrative premises of the AKROPOLIS Klaipėda and Šiauliai shopping centres, access control is carried out: i) through automatic electronic gates, which open when a (personalised) electronic key is presented, or ii) through electronic door scanners, which open the door when a (personalised) electronic key is presented, or iii) by a business centre security officer verifying the data provided in advance to security regarding the person’s lawful basis to be present in the business centre at the relevant time.
Such processing of your personal data is carried out under the following conditions:
| Data Controller
(Depending on which Shopping Centre business centre or administrative premises you are visiting, have visited, or intend to visit) |
AKROPOLIS GROUP, UAB
Address: Ozo g. 25, LT-07150 Vilnius |
|
| Shopping and entertainment centre AKROPOLIS Vilnius
OZO TURTAS, UAB |
||
| Shopping and entertainment centre AKROPOLIS Klaipėda
OZO TURTAS, UAB |
||
| Purpose of data processing | Shopping and entertainment centre AKROPOLIS Šiauliai
AIDO TURTAS, UAB |
|
| Data subjects | Natural persons who enter or may enter the territory of the business centre or administrative premises, including employees working there, representatives of tenants or service providers, visitors, suppliers, guests, or other third parties. | |
| Data sources | Data subjects and/or the employers or employer representatives of data subjects, or access control equipment. | |
| Legal basis for data processing | The legitimate interests of the Controller and/or third parties (Article 6(1)(f) of the GDPR). | |
| Processed data | Names, surnames, and employers of tenant employees and persons providing services or carrying out work in the respective business centre or administrative premises. Data on movement into/out of the business centre / administrative premises, as well as into/out of specific business centre office premises: entry/exit date and time (timestamp); access card number (linked to the data subject); door or gate location (specific room or zone). | |
| Data retention period | Names, surnames, and employers of tenant employees and representatives of persons providing services in the respective business centre: | until such person works or otherwise has a lawful basis to be present in the Business Centre. |
| Data on movement within the Business Centre (including name, surname, employer): | 30 days after the electronic key scan. | |
| Data recipients | Law enforcement and judicial authorities | |
| The injured party or a person representing them, as well as other interested parties where there is a legitimate purpose and basis | ||
| Data processors engaged by the controller, to the extent necessary for the provision of the relevant service: | UAB AKROPOLIS GROUP, provider of shopping centre management services, legal entity code 302533135; | |
| UAB EUROCASH1, provider of shopping centre security services, legal entity code 225329030; | ||
| UAB Arevita, company code 133950712, provider of electronic gate and/or electronic door scanner maintenance services. | ||
| Transfer of access data outside the European Economic Area | Not applicable. | |
| Submission of identity documents | In order to verify identity, a security officer may ask you to present an identity document (e.g. employee ID card or identity card). However, your identity documents are only viewed and are never copied or stored in any way. | |
| Data review | Your data are reviewed only when suspicions arise / unauthorised access is detected, or when an incident occurs, including an event with indications of an offence, unlawful act, or other illegal activity. | |
| Monitoring or control of tenant employees | Not carried out. | |
| Other | Individual business centre tenants carry out / may carry out independent access control to their leased office premises. The Data Controller is not responsible for access control carried out by tenants or other third parties. | |
All personal data referred to in this section in relation to each of the above-mentioned purposes of personal data processing may also be processed for the purpose of establishing, exercising, or defending legal claims. For this purpose, personal data will be processed on the basis of our legitimate interest in establishing, exercising, or defending legal claims (Article 6(1)(f) of the GDPR). We will process such data for this purpose until the completion of the relevant legal proceedings (for example, the examination of a claim, or the entry into force of a court or arbitration ruling), and if a final decision is adopted by a court or another dispute resolution authority in the relevant legal proceedings – 5 years from the date of such decision.
5.1. When purchasing certain services from third parties (service providers), such as database administration, call centre service providers, software, communications, data centres, hosting, cloud service providers, professional consultants (e.g. lawyers, auditors, or accountants), etc., we may transfer your personal data to such processors/recipients. This is necessary to ensure, carry out, and/or administer the relevant services or their benefits, to obtain the necessary advice, to develop specific functionalities, and to perform other actions.
5.2. Your data may also be provided to other data controllers, including competent governmental or judicial authorities (including arbitrators, mediators, opposing parties and their lawyers, where required for judicial proceedings) or law enforcement authorities such as the police, or supervisory authorities. Please note that this is done only in cases and under procedures established by law, to authorised persons upon request, and only where required under applicable legislation or in legally defined cases and procedures, with a legal basis, for the purpose of safeguarding our rights, ensuring the safety of our visitors, employees, and assets, and for the establishment, exercise, and defence of legal claims, including cases where your personal data are transferred to debt collection companies.
5.3. We provide each relevant data processor with only the minimum personal data necessary for the provision of their services or the implementation of their functions, and only where there is a legal basis. Our engaged data processors may process your personal data only according to our instructions, may not use them for other purposes or transfer them to other parties, and must strictly comply with the confidentiality obligations binding on them and/or their representatives.
5.4. When purchasing certain services, we engage processors (recipients) established in the EU or whose data centres are located in the EU. Therefore, in the processing of your personal data, transfers of your personal data outside the EU/EEA are generally not foreseen and usually not applied, except to the extent necessary for the use of the service packages of Google LLC, Microsoft Corporation, including cloud and hosting services, the newsletter automation service provider Sendinblue SAS (trademark Brevo) and its associated companies, or Meta Platforms Inc.
5.5. Transfers of personal data to Google LLC, Microsoft Corporation, or Meta Platforms Inc. are based on the adequacy decision adopted by the European Commission on 10/07/2023 (the EU–U.S. Data Privacy Framework), which allows European companies to transfer personal data to the U.S. without breaching the GDPR requirements on international transfers. Transfers of personal data outside the EEA when the Data Controller uses the service packages of the newsletter automation service provider Sendinblue SAS (trademark Brevo) and associated companies processing personal data in the U.S. are based on the Standard Contractual Clauses prepared according to templates approved by the European Commission (Article 46 of the GDPR).
5.6. In the paragraph 5.4 above of this Privacy Policy, or if any other recipients of data referred to in the section 4 above of this Privacy Policy are located outside the EEA, your personal data will be transferred outside the EU/EEA in compliance with an adequate level of personal data protection, provided that there is a legal basis for the transfer of personal data and at least one of the following conditions applies: i) the non-EU/EEA country where the Data Recipient is established ensures an adequate level of personal data protection as determined by a European Commission decision; ii) the Data Controller or the Data Processor implements appropriate data security measures, such as the transfer of personal data on the basis of a contract that incorporates the standard clauses approved by the European Commission or other standard clauses approved in accordance with the established procedure, an approved code of conduct, or a certificate granted to the Data Recipient; iii) derogations apply, e.g., when you have explicitly consented to the transfer of personal data, the transfer of personal data is necessary for the performance of a contract concluded with you, or the transfer of personal data is necessary for the establishment, exercise or defence of legal claims, or for important reasons of public interest.
5.7. We may transfer your personal data to other natural or legal persons where this is related to and necessary for organisational changes of AKROPOLIS, e.g. transfer of AKROPOLIS shares, assets or part thereof, and for this purpose carrying out legal due diligence of AKROPOLIS (to representatives of potential acquirers, auditors, etc.) or transferring the relevant data to the acquirer. Data may also be transferred to other natural and/or legal persons only to the extent necessary to ensure proper implementation of the personal data processing purposes set out in this Privacy Policy.
5.8. A specific list of recipients (including processors) is provided in Section 4 of this Privacy Policy, depending on the circumstances of your data processing. Accordingly, your personal data may be transferred to the recipients listed in this section for any of the purposes of data processing described in Section 4, depending on the specific situation.
6.1. To protect your privacy and data, we apply various technical and organisational measures to safeguard your personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or use, as well as against all other unlawful forms of processing, including but not limited to:
6.1.1. regularly updating and testing our security technologies;
6.1.2. granting access to your personal data only to authorised employees. To ensure the privacy and security of your information, we regularly provide training to our employees on data protection and the importance of confidentiality;
6.1.3. using encryption solutions to protect sensitive information;
6.1.4. implementing procedures to ensure that suspected data security breaches are properly investigated and that measures are taken to protect your data;
6.1.5. adopting and carefully applying this Privacy Policy and other related procedures, with the overall aim of processing personal data strictly in compliance with applicable legal requirements and ensuring secure data processing.
6.2. Although we strive to protect the personal data we process, please understand that we cannot ensure or guarantee the security of any information you transmit to us, as nowadays no method of data transmission or storage is 100% secure.
7.1. As a data subject, you have the right to contact us regarding any questions relating to the processing of your personal data. You have the following rights in relation to your personal data processed by us:
7.1.1. Right to be informed about the processing of your data. You have the right to receive information about the processing of your personal data in a transparent, understandable, and easily accessible form, in clear and plain language. This is provided for in this Privacy Policy. If any part of this Privacy Policy is unclear to you, we kindly invite you to contact us using the contact details provided in Section 4.
7.1.2. Right of access to your personal data. You also have the right to obtain our confirmation as to whether your personal data are being processed, and, where that is the case, to access information about how we process your personal data, including the right to receive a copy of such data.
7.2. Right to request erasure of your data (“right to be forgotten”). You have the right to request that we erase your personal data where there is no justified reason for us to continue processing them, where the personal data are no longer necessary for the purposes for which they were collected or processed, you withdraw the consent on which the processing was based and there is no other legal basis for processing, or in other circumstances laid down in Article 17 of the GDPR. PLEASE NOTE that Article 17(3) of the GDPR provides exceptions to the above, where processing of personal data remains necessary. If such exceptions apply in your case, we will inform you accordingly;
7.3 Right to request rectification of inaccurate or incomplete data. You have the right to request that AKROPOLIS correct or supplement inaccurate or incomplete personal data concerning you. PLEASE NOTE that this right does not apply to a request to amend inaccurate personal data relating to you that have been recorded in video and/or audio footage. Such recorded data cannot objectively be altered.
7.4. Right to request restriction of processing. You have the right to request that we restrict (suspend) the processing of your personal data if you contest the accuracy of the personal data – until their accuracy is verified; the processing is unlawful, and you object to the erasure of the personal data and instead request restriction of their use; we no longer need the personal data for the purposes of processing, but you require them in order to establish, exercise, or defend legal claims; or you object to the processing of your personal data under the procedure set out below – until it is verified whether our legitimate grounds override your legitimate grounds. Where processing of personal data is restricted, such personal data may (except for storage) be processed only with your consent or only for the establishment, exercise, or defence of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest.
7.5. Right to object. You have the right to object at any time to the processing of your personal data where such processing is carried out for the performance of a task carried out in the public interest or on the basis of our legitimate interest. In this case, we will no longer process your personal data unless we can demonstrate legitimate grounds for processing your personal data which override your interests, rights and freedoms, or are necessary for the establishment, exercise or defence of legal claims.
7.6. Right to withdraw consent. Where personal data are processed on the basis of your consent, you have the right to withdraw your consent at any time (without affecting the lawfulness of processing based on consent prior to its withdrawal), except where there are legitimate grounds for such processing or where the processing is necessary for the establishment, exercise, or defence of legal claims.
7.7. Right to data portability. You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, as well as the right to transmit those data to another controller, where the processing is based on consent or contract, and the processing is carried out by automated means. You also have the right to request that we transmit your personal data directly to another controller, where technically feasible.
7.8. Right to lodge a complaint with a supervisory authority. If you believe that your personal data are being processed unlawfully or that your rights are being infringed, you have the right to lodge a complaint with the State Data Protection Inspectorate – State Data Protection Inspectorate, L. Sapiegos g. 17, 10312 Vilnius, tel. (370 5) 271 2804, 279 1445, Fax (370 5) 271 2804, 279 1445, Fax (370 5) 261 9494, Email: ada@ada.lt). For more information, visit www.ada.lt. Before lodging a complaint with the supervisory authority, we would appreciate it if you contacted us to raise the issues of concern to you. We will make every effort to resolve your issue promptly and carefully.
7.9. To exercise your rights or if you have other questions related to the processing of your data, you can contact us:
i) Tel.: +370 65923632, ii) Email: privatumas@akropolis.lt, or iii) Postal address: Ozo g. 25, LT-07150 Vilnius. Please address your letter to: UAB AKROPOLIS GROUP, Data Protection Officer.
When contacting us, please indicate the requester and the subject matter and/or circumstances of the enquiry. We will respond to your enquiry as soon as possible, but no later than within 1 month of receipt of your request. However, taking into account the complexity, nature, and scope of the information requested, or the number of your requests, we may extend this period by a further 2 months. We will inform you of this by the end of the first month and indicate the reasons for such an extension.
8.1. This Privacy Policy is subject to ongoing review and may be amended unilaterally at our discretion.
8.2. This Privacy Policy was last updated (latest valid version from): [] [] 2025 .
8.3. We will inform you of any amendments to the Privacy Policy by changing the publication date in its preamble on our Website, and, where necessary, in the case of material amendments to this Privacy Policy, by other means, e.g. by using the email address you have provided to us.
8.4. We always post the current version of our Privacy Policy on our Website a www.akropolis.lt/kaunas/en/privacy-policy/.
8.5. You can always obtain previous versions of this Privacy Policy by contacting us at the contacts specified in Section 4 of this Privacy Policy, according to the specific personal data processing operation relevant to you.
Join our community
Be the first to know about the best offers, events and the latest information from the AKROPOLIS shopping center.
Thank you for joining!
From now on, you’ll be the first to know about news, exclusive offers, and inspiration – straight to your inbox.
We look forward to seeing you in our emails!