CONFIRMED

Director of UAB "Vilkaz".

in 2023 February 8 Order No. V-20220208-1

MARKETING RULES

CHAPTER I

GENERAL PROVISIONS

1. These UAB "Vilkaz" (hereinafter - the Company) Marketing Rules (hereinafter - the Rules) determine the principles, goals and data protection requirements of the Company's marketing and advertising and related personal data, processing, and their implementation.

2. The rules are prepared in accordance with the General Data Protection Regulation (EU 2016/679) (hereinafter - GDPR), the Law on the Legal Protection of Personal Data (1996-07-03, No. 63-1479), the Company's Personal Data Protection Policy and others, personal data legal acts regulating protection.

3. Terms used in the rules:

3.1. Direct marketing - activity that is intended to offer goods or services to individuals by mail, telephone or other direct means and/or ask for their opinion on the offered goods or services;

3.2. Advertising - activity that increases the awareness of the services provided by the Data Controller using visual means (photos, videos, etc.);

 In the following Rules, the terms direct marketing and advertising will be collectively referred to as "marketing".

3.3. Data Controller - UAB "Vilkaz" (enterprise code: 306007307, address: Danės St. 47, 92108 Klaipėda) - a legal entity that acts as a Personal Data Controller and which alone or jointly with others determines the purposes and measures of data processing;

3.4. Personal data - information about a natural person whose identity has been determined or whose identity can be determined (data subject) by the Data Controller in the course of marketing, including, but not limited to, the name of the person, position, image (photo), videos (footage);

3.5. Data subject – means a natural person from whom the Company receives and processes personal data;

3.6. Data processing - any operation or sequence of operations performed by automated or non-automated means on personal data or sets of personal data, such as collection, recording, sorting, systematization, storage, adaptation or modification, extraction, familiarization, use, disclosure by transmission, distribution or otherwise by making it possible to use them, as well as juxtaposition or combination with other data, restriction, deletion or destruction;

3.7. Data processor - a natural or legal person, public authority, agency or other body that processes personal data on behalf of the data controller;

3.8. Data Recipient - a natural or legal person, government authority, agency or other body to which personal data is disclosed, whether or not it is a third party. However, public authorities which, under Union or Member State law, may receive personal data in the context of a specific investigation are not considered data recipients; when processing that data, those public authorities comply with the applicable data protection rules appropriate to the purposes of the data processing;

3.9. Third party - a natural or legal person, public authority, agency or other institution that is not a data subject, data controller, data processor, or persons who are allowed to process personal data by direct authority of the data controller or data processor;

3.10. Consent of the data subject - any freely given, specific and unambiguous expression of the will of a properly informed data subject by means of a statement or unequivocal actions by which he agrees to the processing of personal data related to him.

II. SECTION

PRINCIPLES OF PERSONAL DATA MANAGEMENT

4. The data controller ensures that when adopting and implementing these Rules, it seeks to implement the following essential principles related to personal data processing:

4.1. Personal data are processed in a legal, fair and transparent manner in relation to the data subject (principle of legality, fairness and transparency);

4.2. Personal data is collected for established, clearly defined and legitimate purposes and is not further processed in a way incompatible with those purposes (principle of legality, fairness and transparency);

4.3. Further processing of personal data for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes is not considered incompatible with the original purposes (principle of purpose limitation);

4.4. Personal data are adequate, appropriate and only necessary to achieve the purposes for which they are processed (principle of reducing the amount of data);

4.5. Efforts are made to ensure that personal data are accurate and, if necessary, updated within a reasonable period of time from the fact of change;

4.6. All reasonable measures are taken to ensure that personal data that are not accurate, taking into account the purposes of their processing, are immediately deleted or corrected within a reasonable period of time (principle of accuracy);

4.7. Personal data is kept in such a form that the identity of the Data Subjects can be determined within a short period of time