Privacy policy - Sanatorija Gradiali

We respect the privacy of our Guests and other persons concerned and shall responsibly protect, fairly and lawfully process the personal data provided by you in the course of the provision of accommodation and other services, and shall make all reasonable efforts to ensure the security and confidentiality of the personal data and other information processed.

Through this Privacy Policy (hereinafter referred to as the “Policy”) we aim to inform you how “Sveikatos uostas”, UAB, company code: 303997416, address: Vanagupės g. 15, Palanga, and “Palangos Žvorūnė”, UAB, company code: 152679144, address: Vanagupės g. 15, Palanga, Lithuania, (hereinafter referred to as the “Joint Data Controllers” or the ““Gradiali” Medical SPA & Wellness”) collects, uses, protects and shares your personal data.

Please familiarise yourself with this Policy and review it periodically, as we may update it as necessary, and if you have any questions regarding the processing of personal data, please contact us at duomenuapsauga@gradiali.com.

In processing your personal data, “Gradiali” Medical SPA & Wellness shall observe the General Data Protection Regulation (hereinafter referred to as the “GDPR”), the Republic of Lithuania Law on Legal Protection of Personal Data, the Republic of Lithuania Law on Electronic Communications, the recommendations and interpretations of the State Data Protection Inspectorate, as well as other legislation governing the protection of personal data.

This Policy shall apply when personal data is provided during registration for accommodation and other services provided by “Gradiali” Medical SPA & Wellness, as well as when using our Website www.gradiali.lt (hereinafter referred to as the “Website”), when communicating with us by telephone, when visiting the territory of “Gradiali” Medical SPA & Wellness, as well as when concluding service provision or other agreements with us.

Personal data is any type of information about you that can be used to directly or indirectly identify you, such as your name, personal identification number, the date of your visit to the Website and your IP address, as well as other identifiers of your physical, physiological, mental, economic, cultural or social identifiers.

We process your personal data for the following purposes

1.
For the purpose of booking accommodation:

When booking by phone, we collect the following personal data: name, surname, e-mail address, number of guests, number and type of rooms, length of stay, payment details. Purpose of collecting personal data: booking for accommodation, provision of SPA, wellness, and catering services. Legal basis for processing of personal data: it is necessary to provide this personal data for the purpose of making and fulfilling the order/registration for accommodation/service provision (in order to enter into a service provision agreement) (Article 6(1)(c) of the GDPR). Personal data provided during booking/registration by phone is stored for 2 months from the date of provision.
When booking by e-mail or via the www.gradiali.lt (booking.gradiali.com) Website,we collect the following personal data: name, surname, e-mail address, number of guests, number and type of rooms, length of stay, payment details. Purpose of collecting personal data: booking for accommodation, provision of SPA, wellness, and catering services. Legal basis for processing of personal data: it is necessary to provide this personal data for the purpose of making and fulfilling the order/registration for accommodation/service provision (in order to enter into a service provision agreement) (Article 6(1)(c) of the GDPR), as well as the fulfilment of a legal obligation (statutory obligation under the Republic of Lithuania Law on Tourism) (Article 6(1)(b) of the GDPR). Personal data is stored for 10 years from the date of booking/registration.
When checking in at the reception desk, we collect the following personal data by providing you with a registration form for completion: name, surname, passport No., date of birth, accompanying guests (name, surname), nationality, phone number, vehicle license plate No., room No., period of stay, signature; details if an invoice is required. Legal basis for processing of personal data: it is necessary to provide this personal data for the purpose of making and fulfilling the order/registration for accommodation/service provision (in order to enter/when entering into a service provision agreement) (Article 6(1)(c) of the GDPR), as well as the fulfilment of a legal obligation (statutory obligation under the Republic of Lithuania Law on Tourism) (Article 6(1)(b) of the GDPR). Personal data provided at the reception desk at the time of check-in/registration is stored for 5 years from the date of completing the registration form.

2.
For the purpose of registering for the provision of wellness and SPA services/procedures:

When registering by phone or e-mail, we collect the following personal data: name, surname, phone number, year of birth, gender, wellness services/procedures chosen. Purpose of collecting personal data: registration for the provision of wellness and SPA services/procedures. Legal basis for processing of personal data: it is necessary to provide this personal data for the purpose of making and fulfilling the order/registration for the provision of services (in order to enter into a service provision agreement) (Article 6(1)(c) of GDPR). Personal data provided during registration by phone is stored for 2 months from the date of provision. Personal data provided by e-mail is stored for 2 years from the date of provision.
When checking in at the SPA or treatment reception desk, we collect the following personal data by providing you with a registration form to complete: name, surname, telephone number, year of birth, gender. Purpose of collecting personal data: registration for the provision of wellness and SPA services/procedures. Legal basis for processing of personal data: it is necessary to provide this personal data for the purpose of making and fulfilling the order/registration for the provision of services (in order to enter into a service provision agreement) (Article 6(1)(c) of GDPR). Personal data provided at the reception desk is stored for 2 years from the date of provision.

3.
“Gradiali” Medical SPA & Wellness processes your health data when you are provided with inpatient or outpatient rehabilitation, as well as therapeutic services (subject to a doctor’s consultation). During the provision of therapeutic services, the following personal data is collected: name, surname, personal identification number, address, diagnosis, social status, referring institution and physician, assigned physician, profile, examination description, procedures prescribed, treatment applied, procedures purchased.

Purpose of collecting personal data: provision of therapeutic services.

Legal basis for processing personal data: your consent to the processing of your health data (Article 9(2)(1) of the GDPR).

Personal data processed for the purpose of outpatient rehabilitation is stored for 15 years from the date of provision.

Personal data processed for the purpose of inpatient rehabilitation is stored for 25 years from the date of provision.

4.
“Gradiali” Medical SPA & Wellness processes your name, surname, payment details, e-mail address and phone number for the purpose of providing you with a gift voucher purchase service.

Legal basis for processing of personal data: it is necessary to provide this personal data for the purpose of making and fulfilling the purchase order (in order to enter into a service provision agreement) (Article 6(1)(c) of the GDPR).

Personal data is stored for a period of 10 years from the date of registration.

5.
Direct marketing carried out by “Gradiali” Medical SPA & Wellness is:

news, commercial offers and surveys communicated by e-mail;
news, commercial offers and surveys communicated by phone.

The legal basis for the processing of personal data: consent given by the person for the processing of personal data for direct marketing purposes or the legitimate interest of “Gradiali” Medical SPA & Wellness, under the conditions set out in the Republic of Lithuania Law on Electronic Communications.

For the purpose of direct marketing, the following personal data provided by the person is processed: name, surname, e-mail address, phone number, company name.

Personal data is processed for the purpose of direct marketing is stored for a period of 3 (three) years from the receipt of consent.

The person giving consent shall always have the right to refuse all or part of the direct marketing offers at any time. This can be done by clicking on the link in the received newsletter/offer that allows you to opt-out of receiving all or part of the direct marketing offers. You can also opt-out of direct marketing offers by sending an e-mail to marketing@gradiali.com. Opting out of direct marketing offers will not have negative consequences, but you will no longer receive relevant offers, news or other direct marketing information in the future.

Revocation of consent shall not affect the processing of personal data already carried out prior to the revocation of consent or prior to the statement of refusal to consent to direct marketing and the consequences of such processing.

6.
“Gradiali” Medical SPA & Wellness processes call recordings for quality improvement and complaint handling purposes. Phone calls are recorded when:

the person calls “Gradiali” Medical SPA & Wellness him/herself;
the employees of “Gradiali” Medical SPA & Wellness call the person.

The legal basis for the processing of personal data is consent to the recording of the call. Consent to the recording of calls is given when the person continues the conversation (when the person calls “Gradiali” Medical SPA & Wellness) or confirms that he or she consents to the recording of the conversation (when “Gradiali” Medical SPA & Wellness calls the person).

If the person does not consent to the recording of the call, he/she may contact “Gradiali” Medical SPA & Wellness in other ways: by e-mail info@gradiali.com or by visiting “Gradiali” Medical SPA & Wellness.

For the purpose of recording calls, the following personal data is processed: phone number, name, date of the call, start and end time of the call, content of the call.

Call recordings are stored for 2 months after the recording.

7.
“Gradiali” Medical SPA & Wellness carries out video surveillance on the territory and premises of “Gradiali” Medical SPA & Wellness.

Video surveillance is carried out to ensure the protection of property rights, the security and integrity of property and the safety of employees and guests.

The processing of video recordings is based on Article 6(1)(f) of the Regulation, i.e. the processing is necessary for the purposes of the legitimate interests of the Data Controller or a third party.

Video recordings are stored for 30 calendar days.

8.
“Gradiali” Medical SPA & Wellness processes the personal data of clients, suppliers, vendors and/or their representatives for the purposes of commercial relations, conclusion and execution of agreements.

For this purpose, personal data is processed on the basis of the legitimate interest of the “Gradiali” Medical SPA & Wellness and its clients, vendors and suppliers to conclude and properly execute agreements.

Personal data processed for this purpose include: name, surname, workplace, position, phone number, email address.

The provision of this personal data is necessary for the conclusion and execution of the agreement.

Personal data is stored for 10 years from the expiry of the agreement. This period shall be extended for a further 5 years if the commercial relations with the above-mentioned clients, suppliers and vendors are continued.

To whom your personal data is provided

law enforcement authorities, courts and state institutions in accordance with the procedure provided for by the legislation of the Republic of Lithuania;
other third parties (data processors) who process and/or have access to your personal data on behalf of and under the instructions of the Company, e.g. service providers involved in the development, maintenance and support of booking systems and/or other persons who assist “Gradiali” Medical SPA & Wellness in the proper provision of services to you;
entities providing legal and insurance services, where disclosure of such personal data is necessary to establish, exercise or defend the rights and legitimate interests of “Gradiali” Medical SPA & Wellness;
to the partners of “Gradiali” Medical SPA & Wellness in cooperation with whom you are provided services, as well as to any third parties, in accordance with the cases and to the extent provided for by legislation.

“Gradiali” Medical SPA & Wellness shall take appropriate measures to ensure that the processors it engages process the personal data entrusted to them only for the purposes specified by “Gradiali” Medical SPA & Wellness, carry out only those actions that “Gradiali” Medical SPA & Wellness has instructed them to carry out, and ensure appropriate organisational and technical measures for the security of personal data.

What your rights are

As a data subject, you have the following rights:

being aware of the processing of your personal data;
becoming informed of your personal data;
requesting the rectification of incorrect, incomplete or inaccurate personal data;
requesting the restriction of processing operations;
the right to object to the processing of your personal data where the processing is based on legitimate interest;
requesting the erasure of personal data (if you withdraw your consent);
the right to data portability;
withdrawing your consent at any time (where personal data is processed on the basis of consent);
the right to lodge a complaint with the data protection authority, whose contacts can be found at vdai.lrv.lt.

If you intend to exercise your rights, please contact “Gradiali” Medical SPA & Wellness by e-mail duomenuapsauga@gradiali.com or by submitting your request or instruction directly to us at the address Vanagupės g. 15, LT-00171, Palanga, together with a document confirming your identity.

If you believe that “Gradiali” Medical SPA & Wellness is not properly processing your personal data or is not properly implementing or not implementing your rights, please contact “Gradiali” Medical SPA & Wellness first, as we are committed to resolving any issues with you. In case you are not satisfied with our response, you also have the right to contact the State Data Protection Inspectorate, about which you can find all the information at www.vdai.lrv.lt.

How we protect your personal data

We implement appropriate organisational and technical personal data security measures designed to protect your personal data against accidental or unlawful disclosure, deletion, alteration or other unauthorised acts. The above measures are adopted on the basis of the risks to your rights and freedoms as a data subject.

In this case, we ensure strict control over access to the data processed and limit this access to those of our employees who directly require the personal data for the performance of their duties, including by monitoring the use of this access. We ensure that access to personal data is restricted by using appropriate passwords and by entering into confidentiality agreements with those who are granted access to your personal data.

Our employees who have access to personal data are informed about the requirements for the security of personal data and ensure the confidentiality of all personal data they process.

What your rights and obligations are

By using our services, you take full responsibility for the correctness and accuracy of the personal data you provide. By providing your personal data, you take full responsibility for the lawfulness and accuracy of the provision of your personal data.

If the personal data or other relevant information you have provided has changed, you must immediately amend and/or supplement the personal data or other relevant information you have provided.

Who to contact regarding personal data protection queries

If you have any queries regarding the processing of your personal data, please contact “Gradiali” Medical SPA & Wellness at duomenuapsauga@gradiali.com.