PRIVACY POLICY OF THE NATIONAL PUBLIC HEALTH CENTER UNDER THE MINISTRY OF HEALTH OF THE REPUBLIC OF LITHUANIA


1   GENERAL INFORMATION

1.1    Please read this privacy policy (“Privacy Policy”) carefully before commencing the use of the App. This Privacy Policy applies solely to the users of the App “Karantinas”. Please note that the Privacy Policy does not apply to the website www.karantinas.lt.

1.2    Capitalized terms in this Privacy Policy are used in the meaning given to them in the Terms unless otherwise expressly set out herein.

1.3    In case you are providing to the Company personal data of third persons, you are obliged to provide to those persons the necessary notifications and, if required, make sure they acquaint themselves with the content of this Privacy Policy, as required under applicable legislation.

2    DATA CONTROLLER AND PROCESSOR

2.1    The controller of your personal data is The National Public Health Center under the Ministry of Health of the Republic of Lithuania, address: Kalvarijų g. 153, LT-08221, Vilnius, Lithuania, registration number: 291349070 (“Controller”).

E-mail:  info@nvsc.lt 

2.2    The processor of your personal data is a Lithuanian limited liability company, UAB IT Sprendimai sekmei, address Fabijoniškių g. 5C-66, LT-06335 Vilnius, Lithuania, registration number: 305442783 (“Controller”).

3    DATA PROTECTION OFFICER

3.1    You shall have the right to communicate with our data protection officer in order to obtain information on the processing of your personal data, using the following contact information: 

E-mail: info@nvsc.lt.  

4    CATEGORIES AND SOURCES OF PERSONAL DATA THE CONTROLLER COLLECTS AND PROCESSES

4.1    Personal data are information that can be used to directly or indirectly uniquely identify, contact, or locate you as a private individual (“Personal Data”). The source of collected Personal Data depends on how you communicate with the Controller. 

4.2    The Controller collects and processes the following categories of your Personal Data:

4.2.1    Access Data. The Controller collects the following data when you create an account in the App: your first and last name, gender, date of birth, e-mail, phone number, profile picture etc. (“Access Data”)

Source: Provided by the User himself/herself. 

4.2.2    Account Data. The Controller may collect the following data, if you choose to supplement your user profile with additional information: phone number, location, profile image, participation in daily health tasks, surveys, participation in self-isolation program, pictures sent in the self-isolation program etc. (“Account Data”)

Source: Provided by the User himself/herself.

4.2.3    Health, Location Data and Data on the Self-Isolation Program. The Controller may collect any of the following fitness and location data you share with the Controller: start time of movement, duration, distance, elevation and live location data (GPS information or other phone-related location data via WiFi or Bluetooth if you have enabled these functions), chosen self-isolation location, data on the adherence to the self-isolation program rules, data related to your fitness activity; personal goals; routes, fitness data that you provide in the app, for example, but not limited to, sleep hours, water intake, body temperature, weight etc. (“Fitness Data”).

Source: Provided by the user himself/herself.

4.2.4    Wallet data. Including the points collected on your wallet, the tasks that you earned the points for, your point expenditure record. 

Source: While the User uses the App, the Controller collects Wallet Data automatically.

4.2.5    Communication Data. The Controller may collect any data relating to any correspondence exchanged between you and the Controller, including any personal information retained in such correspondence, including but not limited to: your name, e-mail, contents of the message, pictures sent, your nicknames and/or social media account names and addresses, when contacting the Company via its official social media accounts. (“Communications Data”)

Source: Information the User provides during the communications.

4.2.6    Survey Data. The Controller may collect any data that you provide when answering survey questions provided in the App, related but not limited to your health status and habits, your emotional wellbeing, your work place situation, mood, your free time activities etc.

Source: Provided by the User himself/herself. 

4.2.7    Technical Data. The Controller may collect any data that has been given and/or sent by you, or by your device, to the Controller by using the App or via other means of communication, including but not limited to: hardware model used, operating system version, unique device identifiers, statistics about your device, server log information (the date and time of visit, pages viewed, time spent on the App, etc.), etc. (“Technical Data”)

Source: While the User uses the App, the Controller collects Technical Data from the User’s device automatically.

5    THE PURPOSES OF AND LEGAL BASIS FOR PROCESSING PERSONAL DATA

5.1    The Controller’s legal basis to process your Personal Data depends on the objective and context in which the Controller collects the Personal Data. The Company processes Personal Data on the following three legal grounds: performance of a legal obligation, performance of the Terms and Conditions, and the Controller’s legitimate interest. 

5.2    If the legal basis for processing your Personal Data is:

5.2.1    legitimate interest, this means first and foremost the objective of providing the essential functionalities of the App; 

5.2.2    performance of the Terms and Conditions, this means first and foremost the objective of providing the service of the App and data platform to the buyer of this service; 

5.2.3    compliance with an obligation arising from legislation, this means first and foremost that the Controller is required to process certain personal data by law. In this case the Controller cannot decide which data are collected, as it derives from applicable laws. 

5.3    The following depicts a list of processing purposes that are linked to specific data categories and legal basis for processing:

 

| Processing purpose | Legal basis for the processing purpose | Categories of personal data used by the Controller for the processing purpose |
| --- | --- | --- |
| Diagnose and repair problems within the App | Legitimate interest in providing data security and preventing fraudulent actions | Technical data |
| Enabling communication between the User and the Controller | Legitimate interest in providing efficient user support | Communication Data, Technical Data |
| Providing functioning and accessible App with seamless user experience | Legitimate interest in providing basic functionalities of the App | Technical Data, Account Data, Access Data, Fitness Data, Survey Data |
| Improve, personalise and develop the App | Legitimate interest in developing and enhancing the App and the user experience in the course of regular business activities | Technical Data, Account Data, Access Data, Fitness Data, Survey Data |
| Developing consumer profiles, tailoring the contents of the App and general communication to suit User’s preferences, health status, location | Legitimate interest in developing and enhancing the App and the user experience in the course of regular business activities | Technical Data, Account Data, Access Data, Fitness Data, Survey Data |
| Rewarding you for the completed tasks | Performance of the Terms and Conditions | Fitness Data, Survey Data |
| Forwarding aggregated and anonymised information to the data receiver (Vilnius city municipality) | Performance of the Terms and Conditions | Anonymised Health and Location Data, Survey Data, Wallet Data, Voluntary self-isolation programme data (data of users who are not obliged to self-isolate according to the laws of the Republic of Lithuania), Data of the persons in enforced self-isolation (i.e. data of people identified by NVSC) |
| Processing of the personal data | Performance of a legal obligation | Data of the persons in enforced self-isolation (i.e. data of people identified by NVSC) |


5.4    The Controller may process your data for other purposes, provided that the Controller discloses the purposes and the use to you at the relevant time, and that you either consent to the proposed use of the Personal Data, for example, sharing your phone number and your health status with the municipality or health institutions, or the new purpose is compatible with the original purpose brought out herein. 

5.5    Please note that in the course of you using the App, the Controller might analyse your data to further enhance the App. The profiling is based on your behaviour whilst using the App, such as your health status etc. For example, the App will display content that is more relevant to you based on your behaviour (such as your health risk profile and age), meaning that you will receive personalised content that best reflects your interests and your health profile. The Controller expects that the profiling will have no further impact, other than providing you with a more customised and pleasant user experience in the future whilst using the App. Most of the data analysed in this way is anonymous, but the Controller may also analyse some personally identifiable data in aggregated form.

6    RETENTION OF PERSONAL DATA

6.1    Your data (all categories mentioned in Section 4) shall be stored insofar as reasonably necessary to attain the objectives stated in Section 5 of this Privacy Policy, unless stipulated otherwise in applicable laws or in the following: 

6.1.1    Technical Data are retained for 1,5 years as of the collection of the Personal Data. 

6.1.2    Wallet Data are retained for 1,5 years as of the collection of the Personal Data.

6.1.3    Communication Data are retained no longer than for 1.5 years as of the creation of such data. 

6.1.4    Third Party Data, Fitness Data, Survey Data, Access Data and Account Data are retained for 1 year after the deletion of your account or after 2 years of inactivity (not logging into your account), whichever occurs earlier. 

6.1.5    Survey Data are retained for 1,5 years as of the collection of the Personal Data.

6.1.6    Health, Location Data and Data on the Self-Isolation Programme are retained for 1,5 years as of the collection of the Personal Data or according to the laws of the Republic of Lithuania.

6.2    After the term mentioned in Section 6.1. of this Privacy Policy, the Controller will delete your respective data immediately, except as noted below: 

6.2.1    The Controller retains your Personal Data for a longer period if it is necessary to comply with the Controller’s legal obligations, meet regulatory requirements, resolve disputes, and enforce the Terms.

6.2.2    The Controller may anonymize your Personal Data and retain this anonymized information indefinitely.

7    DATA RECIPIENTS AND SHARING THE PERSONAL DATA AND DATA TRANSFER OUTSIDE OF THE EU OR EEA (“EU/EEA”)

7.1    Only the Controller’s authorised recipients have access to the Personal Data and they may access the Personal Data only for the purpose of providing necessary functions in connection to the App.

7.2    The Controller does not disclose any User-related Personal Data to third parties except for the following Personal Data recipients, who act as separate data controllers:


| Categories of Recipients | Reason for sharing |
| --- | --- |
| Law enforcement and data protection authorities | Only if the Controller is under a duty to disclose or share User’s Personal Data in order to comply with any legal obligation (for example, if required to do so under applicable law, by a court order or for the purposes of prevention of fraud or other crime) |
| Operational service providers (legal advisors, auditors etc. bound to confidentiality) | Ensuring adequate performance and functioning of the App; enforcing the Terms and Conditions; ensuring the proper functioning of the Controller’s business activities |


7.3    In addition to the recipients mentioned in Section 7.2. of the Privacy Policy, the Controller may transfer personal data to third party service providers who act as data processors and may operate the technical infrastructure that the Controller needs to host, store, manage and maintain the App, its contents and the data that the Controller processes, and also to provide data backup and security. The following depicts a list of authorised processors, their location and their reason for processing: 


| Authorised Processor | Processing purpose | Location | Website |
| --- | --- | --- | --- |
| Firebase (Google LLC) | Remote app configuration, analytics on software problems, allowing push notifications | USA | https://firebase.google.com/ |
| AWS (Amazon Web Services Inc.) | Cloud storage | USA | https://aws.amazon.com/ |
| Sentry (Functional Software Inc.) | Real time error tracking; observing software problems | USA | https://sentry.io/ |


7.4    Please note that some service providers are located outside the EU/EEA, thus the Controller may transfer your Personal Data outside the EU/EEA. In such cases the Controller shall opt to use special Personal Data protection safeguards, in order to ensure the safety of your Personal Data. You have the right to get acquainted with or obtain information on the transferring of your Personal Data outside the EU/EEA by contacting the Controller using the contact information specified in Sections 2 and 3 of this Privacy Policy.

8    YOUR RIGHTS

8.1    If you are a resident of the EU/EEA, then you have the following data protection rights, which can be exercised by contacting the Controller via the contact information referred to in Sections 2 and 3 of this Privacy Policy. You have the right to: 

8.1.1    access your Personal Data processed by the Controller and you may demand the correction of inaccurate personal data or demand the erasure thereof;

8.1.2    request restriction of the processing of the Personal Data in respect of them, or the right to object to the processing if it is based on the Controller’s legitimate interest, as well as the right to portability of your Personal Data (transmission of the Personal Data to another legal or natural person), including by electronic means;

8.1.3    recourse to the Data Protection Inspectorate or a court if you find that your rights are violated in the processing of Personal Data, unless a different procedure for contestation is provided under applicable legislation;

8.1.4    not be subject to a decision based solely on automated decision making, including profiling, where the decision would have a legal effect on you or produce a significant effect; 

8.1.5    withdraw your consent to the processing of Personal Data in the cases where the legal basis for Personal Data processing is your consent. For withdrawing your consent, you may use the contact information referred to in Sections 2 and 3 of this Privacy Policy.

9    OTHER

9.1    The Controller may unilaterally modify the Privacy Policy from time to time. The latest version of the Privacy Policy is always accessible on the App.

If you have any questions regarding the processing of your personal data or exercising your rights in relation to the Privacy Policy, please contact the Controller at the contact details provided in Sections 2 and 3 of this Privacy Policy.