Privacy Statement | ESO - Energijos skirstymo operatorius

Privacy Policy

1. Terms and definitions

The terms and abbreviations used in this Privacy Policy shall have the following meanings:

Personal Data	shall mean any information related to the natural person (data subject), who can be identified either directly or indirectly (e.g., name, surname, contact details, etc.).
Person	shall mean the natural person (data subject), whose data are processed (e.g., the Company’s Customers, Persons, who have applied to the Company by submitting requests or claims, users of the Company’s website, self-service website and other Company-managed websites, etc.).
Company	AB „Energijos skirstymo operatorius“, legal entity code 304151376, registered office address: Laisvės pr. 10, LT-04215 Vilnius, Lithuania.
Data processing	shall mean any action performed with the Personal Data of the Person (e.g., collection, recording, storage, granting of access, transfer, etc.).
EEA	European Economic Area, which consists of the European Union member states, Liechtenstein, Iceland and Norway.
Client	shall mean persons who are using, used, have expressed intent to use, or are otherwise associated with the services provided by the Company (hereinafter referred to as ‘the Clients’).
Services	shall mean services provided by the Company: electricity and natural gas distribution via distribution network (system), connecting customers to electricity and natural gas distribution network (system), maintaining and developing electricity and natural gas distribution network (system), ensuring the security and reliability of distribution network (system), as well as electricity and/or natural gas supply of last resort.
Privacy Policy	published publicly by the Company information regarding Personal Data processing, data subject’s rights, etc. in order to fulfil the obligation to inform data subjects as set out in the Regulation.
Regulation	Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
	Other terms used in the Privacy Policy shall be understood as they are defined in the legal acts governing Personal Data protection (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation (EU) 2016/679), the Law on the Legal Protection of Personal Data of the Republic of Lithuania, etc.).

2. General provisions

2.1. This Privacy Policy provides the information, on how AB „Energijos skirstymo operatorius“ processes Personal Data.

2.2. The provisions of the Privacy Policy shall apply to natural persons, whose Personal Data are processed by the Company:

2.2.1. the Clients, who use, have used, have expressed their intention to use, or are otherwise related to the services provided by the Company;

2.2.2. individuals who have applied to the Company by submitting requests or inquiries directly, via self-service website and/or online chats or by means of remote communication, including phone or e-mail;

2.2.3. individuals, who have visited the Company’s website, etc.

3. Purposes and legal bases for Personal Data processing

3.1. The Company shall process Personal Data only for specific purposes based on legal grounds established by legal acts, when:

3.1.1. data processing is necessary in order to enter into and/or execute the contract concluded with the Person;

3.1.2. the Person has given consent for their data to be processed for one or more specific purposes;

3.1.3. the Company must process Personal Data in order to comply with legal requirements (compliance with a legal obligation);

3.1.4. the Company must process Personal Data in the performance of tasks assigned by the legal acts to the Company, as electricity and natural gas distribution network (system) operator, in order to ensure the public interest;

3.1.5. Personal Data processing is necessary for the purposes of the Company’s legitimate interests.

3.2. The main purposes for which the Company processes Personal Data include:

3.2.1. Performing the functions of electricity and natural gas distribution network (system) operator provided for in the legal acts. The Company shall process Personal Data carrying out functions and obligations as electricity and natural gas distribution network (system) operator (hereinafter – distribution network operator) and exercising its rights, assigned by the legal acts, based on the grounds of the legal acts (compliance with legal obligation), or fulfilling tasks, assigned to the Company as distribution network operator by legal acts in order to ensure the public interest;

3.2.2. Performing the functions of the supplier of electricity and natural gas last resort provided for in the legal acts. The Company shall process Personal Data carrying out functions and obligations as the supplier of electricity and natural gas last resort and exercising it rights, assigned by the legal acts, based on the grounds of the legal acts (compliance with legal obligation);

3.2.3. Providing services, concluding and executing contracts. The Company shall process Personal Data in order to ensure the proper conclusion and execution of contracts on electricity and natural gas distribution and other contracts (hereinafter – Contracts) with the Clients, the provision of services to the Clients under the Contracts, including appropriate Client notification regarding issues related to the services or contracts, based on the grounds of the conclusion and/or performance of a contract or legal requirements (compliance with legal obligation);

3.2.4. Providing and managing self-service services. The Company shall process Personal Data to provide Clients with self-service options (conclusion and management of Contracts, submission and tracking of the applications for the connection of electrical equipment and/or Client’s natural gas systems, prosumers service, payout of the compensations for electricity disconnections and servitudes, electricity and natural gas meter readings declaration, providing history of electricity and natural gas consumption, submission of requests and inquiries, provision of information on invoices, payments, electricity and natural gas consumption, and prices). Providing self-service services, ensuring functioning of self-service system and proper Client’s identification in the self-service system and managing of self-service operations are based on the grounds of the conclusion and/or performance of a Contract, Client’s consent or legitimate interest of the Company;

3.2.5. Reconstruction of the existing equipment of the Company, installation of new electricity and natural gas distribution network (system) of the Company, their operation, maintenance and management, the connection of new natural gas and/or electricity consumers and producers (Clients) equipment. The Company shall process Personal Data in order to ensure proper maintenance and operation managed by the Company electricity distribution network and natural gas distribution system, and to connect new electricity and/or natural gas consumers and producers to the Company’s distribution network (system), based on the ground of the Client’s consent, conclusion and/or performance of a Contract or legal requirements (compliance with legal obligation);

3.2.6. Smart metering. The Company performs metering and accounting of distributed electricity and processes Personal Data recorded in smart metering systems in order to ensure the reliability of electricity network equipment, efficient and safe electricity distribution, development, renewal and/or modernization of distribution network, as well as the transmission of energy data to the Client, the Client’s electricity supplier, transmission system operator, and other market participants in accordance with the procedures established by legal acts, as well as fulfilling other functions ant tasks established by legal acts, based on the ground of legal requirements (compliance with legal acts) or the performance of tasks assigned by the legal acts to the Company, as electricity and natural gas distribution network (system) operator, in order to ensure the public interest. More information about the Personal Data processing in smart metering systems can be found in the “SMART Data Processing Rules”;

3.2.7. Payment administration. The Company shall process Personal Data related to payments for provided Services based on the grounds of a conclusion and/or performance of a Contract and legal requirements (compliance with legal obligation);

3.2.8. Debt management. In case of the debt, the Company shall process Personal Data related to the debt and undertakes debt recovery actions based on the grounds of conclusion and/or performance of a contract, legal requirements (compliance with legal obligation) and legitimate interest of the Company;

3.2.9. Administering submitted inquires, requests and complaints. The Company shall process Personal Data while handling and solving submitted inquires, requests and complaints, based on the grounds of conclusion and/or performance of a Contract, legal requirements (compliance with legal obligation), the Client’s consent and legitimate interest of the Company;

3.2.10. Administering inquires submitted via the Company’s Facebook social media accounts and the Company’s website www.eso.lt. For the purposes of processing inquires, the Company shall process Personal Data based on the grounds of conclusion and/or performance of a Contract or the Client’s consent. When a Person submits an inquiry via the Company’s Facebook social media account and provides Personal Data, such data becomes accessible to Facebook (Meta Platforms Ireland Limited). Information on how Facebook processes the data provided is available in Facebook Privacy Policy;

3.2.11. Quality control of the Services provided by the Company. The Company shall process Personal Data in order to ensure the quality of Services being provided: by recording phone calls, when the Clients use client service channels or when the Company’s employees phone the Clients based on the grounds of the legitimate interest of the Company or the Client’s consent;

3.2.12. Clients’ experience and opinions evaluation, providing offers and news (direct marketing). The Company may process Personal Data (name, surname, e-mail address, email interaction data, information and history of the direct marketing consent and withdrawal) by sending surveys, providing offers or and news about the Services being provided by the Company, informing about on ongoing events and inquiring about the quality of the Services being provided by the Company. These data are processed, and information is sent to the Person only if they have provided consent for direct marketing. The Person may withdraw their consent at any time by clicking unsubscribe link in the email which was sent to the person, through their account in the Company’s self-service website https://www.eso.lt/savitarna/, by contacting the Company via e-mail: info@eso.lt, by calling client service number at + 370 660 01852 or by visiting client service area;

3.2.13. Publicity of the Company’s activities and communication via social media accounts of the Company. To increase the Company’s visibility, share news related to its activities and engage in public communication, the Company administrates the following social media accounts:

• https://www.facebook.com/ESOLietuva (corporate profile of the Company)

• https://www.facebook.com/profile.php?id=100082509562859 (the Company’s Customer Assistant)

• https://www.linkedin.com/company/ab-%E2%80%9Eenergijos-skirstymo-operatorius%E2%80%9C-eso-/mycompany/

• https://www.youtube.com/@EsoLt

The Company shall process Personal Data in it’s social media accounts based on the grounds of legitimate interest of the Company, legal requirements (compliance with legal obligation) or the Client’s consent.

Information that a Person provides on the Company’s social media accounts (including messages, comments, use of ‘Like’, ‘Follow’, ‘Comment’ etc. fields, other communication) or information received when a Person visits social media accounts of the Company (including information obtained from cookies used by social media platform managers) is controlled by a specific social media platform manager. Therefore, we recommend familiarising with the privacy policy of specific social media platform manager. Data retention periods are determined by the respective social media platform manager. Information on how data submitted to social media platform managers are processed is available:

• in the Privacy Policy of LinkedIn: https://www.LinkedIn.com/legal/privacy-policy

• in the Privacy Policy of Facebook: https://www.facebook.com/policy.php

• in the Privacy Policy of Instagram: https://help.instagram.com/519522125107875

• in the Privacy Policy of YouTube: https://www.youtube.com/static?template=privacy_guidelines and https://policies.google.com/privacy.

3.2.14. Protection of the Company’s legitimate interests in case of disputes. The Company based on the ground of its legitimate interest shall process Personal Data to defend/ensure its legitimate interests or claims in case of disputes, to initiate legal proceedings and to ensure its defense in legal disputes;

3.2.15. Safety of individuals and objects. In order to ensure the safety of its employees, Clients and other individuals or objects captured by video surveillance, the Company may carry out video surveillance based on the grounds of legal requirements (compliance with legal obligation) or legitimate interest of the Company. The Company informs Data Subjects about the video surveillance by using informative signs warning everyone about the video surveillance, in cases such surveillance is being conducted.

3.3. In all the aforementioned cases, the Company shall process Personal Data only to the extent necessary to achieve the clearly defined and lawful objectives while adhering to Personal Data requirements.

4. The scope (categories) of processed Personal Data

4.1. The main categories of Personal Data and the data processed by the Company for the above-mentioned purposes and legal grounds include:

4.1.1. Identification data – name, surname, personal identification number and/or (where necessary) date of birth. In cases of identity verification using Smart-ID/Mobile-ID functionality – the issuance and validity date of the qualified electronic seal, verification status (valid/invalid, etc.;

4.1.2. Contact data – address, phone number, e-mail address, etc.;

4.1.3. Social network account data - pseudonym, name, surname, other account information, communication data on the Company’s profile (fields such as ‘Comment’, ‘Like’, ‘Follow’, ‘Share’, etc.), comments left by the individual, reactions to published posts, shares, content posted by the individual on the Company’s profile (e.g., if the individual shares photos or videos in comments), and other communication;

4.1.4. Financial data – bank account number, payer’s account number, invoices and information related to them (e.g., date, amount and purpose of completed payments or other transactions, etc.);

4.1.5. Debt data – information about the debt, the amount of the debt, reminders and notices to pay, repayment history, payment plan and the date of debt closure/write-off, etc.;

4.1.6. Data related to provision of the Services, conclusion and execution of contracts entered into – information about the Services being provided, contract data (object information (object address, object number), customer code, customer type (Customer, Prosumer, Remote Prosumer), metering device number, etc.), order and energy consumption/production data, data received by the Company through direct communication with the Person, via self-service websites and online chats, or through remote communication means (phone, e-mail, mobile applications), etc.;

4.1.7. Smart metering data – object address, object number, metering point number within the object, unique metering point ID (identification code), customer code, customer type (Customer, Prosumer, Remote Prosumer), metering device number, information on the physical parameters of electricity network quality (voltage, current, power, etc.); accounting data (energy consumption/production), including active/reactive consumption/production energy, energy by quadrants, energy demand registers, maximum energy demand registers, energy quantities by tariff zones, etc.; metering device status data (metering device notifications indicating errors and proper functioning of the meter); metering device events (notifications indicating unauthorized activity, network failures, etc.);

4.1.8. Payment data – amounts payable to the Company, outstanding debts, payment history, payer’s account number, etc.;

4.1.9. Audio and video recording data – video data, audio recording data, phone conversation recordings, etc.;

4.1.10. Cookie data – cookies do not store information which could be used for direct identification of the user. However, cookies contain information that could be used to link to the user’s device, browsing history and other data collected and stored by cookies.

More detailed information about the cookies used by the Company is available in the „Cookie Policy“).

5. Collection of Personal Data

5.1. The Company shall process Personal Data provided by individuals themselves, Personal Data is obtained when Clients use services provided by the Company (e.g., electricity/natural gas consumption, payment data) or received from other sources (e.g., state or privately managed registers), government agencies or institutions, other persons, performing functions assigned to them by legal acts, supervisory institutions (e.g., the National Energy Regulatory Council, the State Consumer Rights Protection Authority, the State Data Protection Inspectorate, etc.) or third parties (e.g., electricity, natural gas suppliers, payment services providers), to the extent necessary based on the grounds of conclusion and/or performance of a Contract, the Client’s consent, legal requirements (compliance with legal obligation) or legitimate interest of the Company.

5.2. The Company shall have the right to collect and process Personal Data from registers managed by the State Enterprise Centre of Registers (e.g., the Population Register, the Real Estate Register, etc.) for the purpose and on the basis of concluding and executing Contracts for the provision of services, in accordance with the procedures established by the legal acts of the Republic of Lithuania, as well as when the Company performs functions and obligations provided for in the legal acts, e.g., ensuring appropriate technical condition of electrical structures and equipment; the reliable, efficient and safe, operation of the electricity and natural gas network (system); organizing and coordinating projection and connection of electrical equipment; remunerating compensations for the servitudes imposed in favour of the Company, etc.

5.3. The Company shall have the right to collect and process Personal Data from registers from the Family Social Support Information System, the Board of the State Social Insurance Fund under the Ministry of Social Security and Labour Information System, and the Agency for the Protection of the Rights of a Person with Disability Information System, for the purpose and on the basis of concluding and executing Contracts for the provision of services, as well as when the Company performs functions and obligations provided for in the legal acts, such as applying established by laws additional guarantees for vulnerable customers.

6. Disclosure of Personal Data

6.1. The Company, in compliance with legal requirements, may transfer processed Personal Data to the following categories of data recipients:

6.1.1. Electricity and Natural Gas Suppliers. In order to ensure proper execution of the electricity distribution and natural gas distribution services, the Company may transfer processed Personal Data and other information necessary for the performance of the functions of companies supplying electricity and natural gas as defined by legal acts.

6.1.2. Other energy market participants, entitled to receive energy data in order to perform functions provided for in the legal acts. Based on the Data Subject’s consent, the Company may grant access to processed Personal Data via the Centralized Energy Data Exchange Platform (such as electricity consumption, electricity generation, metering devices, smart metering device data, etc.) to eligible parties authorized to receive such data. In the absence of the Data Subject’s consent, access to Personal Data may be granted to eligible parties performing functions and (or) tasks, assigned by legal acts and carried out in order to ensure public interest;

6.1.3. Service providers. The Company may transfer processed Personal Data to third parties acting in the name and/or under the instruction of the Company, that provide the Company with client service, accounting, audit, legal, software maintenance, design, labour and work, surveying of Client and other services to the Company, in order to ensure appropriate provision, management and development of the Company’s Services. In such cases, the Company shall take necessary measures to ensure that the engaged service providers (data processors) are processing Personal Data only for the purposes, for which those were provided, while ensuring proper technical and organizational safeguards, in accordance with the Company’s instructions and requirements of effective legal acts;

6.1.4. Public authorities, law enforcement agencies and supervisory institutions. The Company may transfer processed Personal Data to public authorities or law enforcement institutions (e.g., courts, police, prosecutor’s office, the Financial Crime Investigation Service, supervisory institutions (e.g. the National Energy Regulatory Council, the State Consumer Rights Protection Authority, the State Data Protection Inspectorate, etc.), when it is mandatory in accordance with effective legal acts or in order to ensure the legitimate interests of the Company or third parties;

6.1.5. Debt collection agencies and joint data registers, managing consolidated data of debtors. If the Client fails to make payments due under the Contract in timely manner, based on the legitimate interest of the Company, the Company has the right, after informing the Client by post or e-mail 30 days in advance, to provide the Client’s Personal Data to the data controllers, who process the consolidated data of debtors, debt management and collection companies, courts, notaries, and bailiffs;

6.1.6. Other third parties. The Company may transfer Personal Data to other data recipients (e.g., the Environmental Project Management Agency of the Ministry of Environment of the Republic of Lithuania (EPMA), Public Institution Lithuanian Energy Agency (LEA), the State Data Agency, UAB „Baltpool“, etc.) where required under the legal obligations established in the legal acts (compliance with legal obligation).

6.2. The Company processes Personal Data within the European Union and the European Economic Area (EU/EEA). However, in certain cases - for example, if a Personal Data processor or sub-processor engaged by the Company is established outside the EU/EEA - it may be necessary to transfer certain Personal Data outside the EU/EEA or to grant access to such data to a processor located outside the EU/EEA, if such data transfer is necessary for the provision of the Services. Personal Data may be transferred outside the EU/EEA only if the Company ensures appropriate safeguards as required by the Regulation and if there is a legal basis for such data transfer.

7. Storage of data

7.1. The retention period for Personal Data, processed by the Company, is determined based on the specific purposes for which Personal Data was collected and processed, or the retention period established by legal obligation defined in applicable legal acts, or in accordance with the Company’s legitimate interests, such as the purpose of asserting, exercising, or

Purpose of Personal Data Processing	Retention Period
Processing Personal Data for the purpose of providing Services, concluding and executing Contracts	During the term of the Contract and 10 years after the end of the Contract
Processing Personal Data for the purpose of payment administration	10 years from the date of creation of the document (for example, the date of creation of VAT invoice)
Processing Personal Data for the purpose of debt management	10 years from the date of debt collection
Processing Personal Data for self-service management	During the account’s validity period and 2 years from the last action, i.e. if the Client does not use the self-service system for more than two years, the account is deleted, and all related data is erased.
SMART metering data processing	In the smart energy metering device (meter), data is collected and stored for 3 months. In the smart energy metering information system, data is collected and stored for 3 years from the moment it is transferred (received) into the system, after which it is archived and stored for 10 years.
Processing Personal Data for the purpose of administering submitted inquires, requests and complaints	No longer than 5 years from the resolution of the inquiry, request or complaint.
Processing Personal Data of the callers for the purpose of solving submitted questions	6 months from the date of call recording. For the purpose of the Company’s legitimate interests, in the event of disputes, legal proceedings or investigations telephone call recordings may be retained or otherwise processed for a longer period. A call recording, during which the Client has given consent for direct marketing is stored until the consent expires and after the expiry the consent will be retained for an additional 3 years for the purpose of protecting the Company’s legitimate interests in the event of a dispute (as evidence to confirm the fact of giving and/or withdrawing consent).
Processing Personal Data for the purpose of direct marketing	3 years from the date consent or until the moment of withdrawal of the Client's consent. After the expiry the consent will be retained for an additional 3 years for the purpose of protecting the Company’s legitimate interests in the event of a dispute (as evidence to confirm the fact of giving and/or withdrawing consent).
Processing Personal data for the purpose of protection of the Company’s legitimate interests in case of disputes	When Personal Data is necessary for the purpose of protection of the Company’s legitimate interests in the event of claims under civil law, it shall be retained for no longer than 10 years from the termination of the contract. When Personal Data is necessary for the purpose of protection of the legitimate interests of the Company in the cases where the Company is involved in a legal proceedings or investigations, it shall be retained until the end of such investigation or legal proceeding.
Processing of video recording data in order to ensure safety of the persons and objects	30 calendar days
Website usage data (cookies)	Retention periods are specified int he Cookie Policy

8. Applied protection measures

8.1. The Company shall ensure the security and confidentiality of the Personal Data in accordance with the requirements of the legislation in force and implements appropriate technical and organisational measures to protect Personal Data from illegal access, disclosure (except where the data must be provided in accordance with legal requirements or other legal grounds established in the Regulation), accidental loss, alteration or destruction or other illegal processing. These measures include the selection and configuration of appropriate computer systems, the protection of the information systems, as well as organizational measures such as restricting access to systems, documents, and premises, careful selection of service providers, and continuous training of employees.

9. Automated decision making and profiling

9.1 The Company does not process Personal Data by means of automated individual decision-making, as provided for in Article 22 of the Regulation.

10. Rights of the persons

10.1. The Person that has contacted the Company and whose identity has been verified by the Company has the following rights:


Right to be informed and right of access to Personal Data	The Person shall have the right to receive information about the processing of their Personal Data in a transparent, comprehensible and easily accessible form, in clear and plain language. If the Person is unclear about any part of this Privacy Policy, the Person is welcome to contact us using the contact details provided in this Privacy Policy. The Person also have the right to obtain confirmation from the Company if their Personal Data is being processed and, in such case, to be provided with information about how the Company process their Personal Data, including the right to obtain a copy of such data.
Right to have Personal Data rectified	The Person shall have the right to request that the Company rectify or supplement inaccurate or incomplete their Personal Data.
The right to have Personal Data erased (“right to be forgotten“)	The Person shall have the right to ask the Company to erase their Personal Data if the following circumstances exist: the Personal Data is no longer necessary for the purposes for which it was collected or otherwise processed; or the Person has withdrawn the consent and there is no other legal basis for processing their Personal Data; or for the other reasons set out in Article 17 of the Regulation. Please note that Article 17(3) of the Regulation provides for exceptions to the above cases where processing of Personal Data is necessary. If such exceptions apply in the case of the Person, the Company will inform them accordingly.
Right to request restriction of processing of Personal Data	The Person shall have the right to request that the Company restrict the processing of their Personal Data if: the Person disputes the accuracy of the Personal Data – until accuracy is verified; the processing is unlawful and the Person does not consent to the erasure of their Personal Data and instead requests the restriction of its use; the Company no longer needs the Personal Data for the purposes of processing it, but the Person requires it to assert, exercise or defend legal claims; the Person objects to the processing of their Personal Data – until it is verified that the Company’s legitimate grounds for processing override the Person’s rights and legitimate grounds for non-processing. Where the processing of Personal Data is restricted, such Personal Data may be processed (other than stored) only with the Person’s consent or for the purpose of establishment, exercising or defending legal claims, for the protection of the rights of another natural or legal person or for an important public interest.
Right to data portability	The Person shall have the right to receive their Personal Data that they have provided to the Company in a structured, commonly used and computer-readable format, and the right to transfer that data to another controller if: the data are processed on the basis of consent or a contract; and the data are processed by automated means. The Person also shall have the right to request that the Company transfers their Personal Data directly to another controller if this is technically possible.
Right to object	The Person shall have the right to object at any time to the processing of their Personal Data which is processed for the performance of a task carried out in the public interest or in the legitimate interest of the Company. In this case, the Company will no longer process their Personal Data unless the Company can demonstrate legitimate grounds for processing Personal Data which override interests, rights and freedoms of the Person or are necessary for the establishment, exercise or defence of legal claims.
Right to withdraw consent	If Personal Data is processed on the basis of the Person’s consent, the Person shall have the right to withdraw their consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent carried out prior to the withdrawal of consent. The Person may withdraw their consent at any time by clicking unsubscribe link in the email which was sent to the Person, through their account in the Company’s self-service website https://www.eso.lt/savitarna/, by contacting the Company via e-mail: info@eso.lt, by calling client service number at + 370 660 01852 or by visiting client service area.
Right to lodge a complaint with a supervisory authority	If the Person believes that the processing of their Personal Data by the Company violates the provisions of the Regulation, they have the right to lodge a complaint with the supervisory authority (e.g. in Lithuania – the State Data Protection Inspectorate (address L. Sapiegos str. 17, 10312 Vilnius, Lithuania, e-mail: ada@ada.lt, website: https://vdai.lrv.lt). Before submitting a complaint to the relevant supervisory authority, we would be grateful if you would contact us with your concerns. We will make every effort to resolve your issue promptly and carefully.

11. The exercise of individuals (data subjects) rights

11.1. The Persons may appeal regarding this Privacy Policy or Personal Data processing performed by the Company in writing by the following address: Laisvės pr. 10, LT-04215 Vilnius, Lithuania; by e-mail: info@eso.lt, Client service phone number +370 660 01852 (calls are charged in accordance with the rate applied by the network operator), through the account in the Company’s self-service website or by visiting any client Service area.

11.2. The contact details of the Company’s data protection officer: dap@ignitis.lt.

11.3. For the purposes of the implementation of their rights under the Regulation, the Person shall submit a written request to the Company either in free form or using Company’s approved form in person, by post, via the account in the Company’s self-service website, through a representative or by means of electronic communication.

11.4. When submitting the request, the Person must verify their identity:

11.4.1. if the request is submitted directly, to an employee of the Company’s unit responsible for servicing of individuals, the Person must present a personal identity document;

11.4.2. if the request is submitted by post, employee of the Company will contact the Person additionally regarding the most convenient and appropriate method of the Person verification;

11.4.3. if the request is submitted through the representative, the representative shall indicate his first name and surname as well as contact details for communication, by which the individual’s representative wishes to receive the reply and the first name, surname, and personal identification number of the represented person and present a notarised copy of the personal identity document and a copy of the document of the representation document certified in accordance with the established procedure

11.4.4. if the request is submitted by means of electronic communication, the request shall be signed by a qualified e-signature or formed by electronic means which allow ensuring integrity and inalterability of the text;

11.4.5. in order to ensure data protection and enable the individual to exercise their rights, the Company has the right to request additional information necessary to verify the individual’s identity.

11.5. The Company must, no later than within 1 month from the date of receiving the request, either fulfil the individual’s rights or refuse to fulfil the request, stating the reasons for such refusal. This period may be extended by an additional 2 months if necessary, considering the complexity and number of the requests being processed. In such a case, the Company shall inform the individual about the extension within 1 month from the date of receiving the request, along with the reasons for delay.

11.6. In implementation of the Person’s right to familiarize himself/herself with his/her Personal Data processed by the Company, the Company:

11.6.1. shall have the right to request the Person to specify the submitted request, if the Company is processing a big quantity of information related to that Person;

11.6.2. shall provide the Person with information to the extent as not to infringe the rights of other persons if certain information about the Person is also related with other persons.

12. Links to other sites

12.1. The Company’s website www.eso.lt contains links to third-party owned websites. We recommend separately familiarise with the terms of use of each visited website that does not belong to the Company.

13. Validity and changes to the Privacy Policy

13.1. The main Personal Data processing provisions are provided in this Privacy Policy. Additional information, how the Company is processing Personal Data, may be provided in the Company’s contracts, other documents, the Company’s website www.eso.lt, self-service website, or by remote client service channels (phone, e-mail, etc.)

13.2. Should legislation requirements and/or processes, etc., of the Company change, the Company has a right to amend and/or supplement this Privacy Policy unilaterally. The Company shall post the changes in this Privacy Policy on the Company’s website. In certain cases, the company may also inform the Persons about changes of the Privacy Policy by mail, e-mail or otherwise (e.g., by a press release).

14. Final provisions

14.1. The supervision and control of the requirements provided in the Privacy Policy shall be ensured by the employees carrying out the compliance functions within the Company.

14.2. The Privacy Policy and amendments thereof shall be coordinated with Personal Data Protection Expert at AB „Ignitis grupė“.

14.3. The Privacy Policy is published publicly on the Company‘s website www.eso.lt.

14.4. The Privacy Policy is reviewed and updated as needed, but at least once a year. The Compliance Expert of Business Resilience Union shall be responsible for the updating of the Privacy Policy.

16. Annexes
Annex 1. Request Form for Personal Data Processing

The types of cookies used by ESO are as follows:
Necessary cookies	necessary to ensure that: you could use various parts of the websites managed by ESO; websites are functioning properly and cannot be turned off. - Without these cookies we would not be able to provide certain services; - These cookies do not collect your data for profiling and targeted marketing purposes.
Statistical cookies	- necessary to be able to learn about users' browsing habits in ESO digital channels and to ensure a perfect user experience while using them; - These cookies make it possible to monitor how customers use our services and help improve the quality of our service.
Functional cookies	- help us to improve the website's features and personalized content solutions; - allow the Website to remember your settings (such as your username, language of your choice or a specified geographical location) and provide you with personalized solutions; - These cookies collect personalized data and do not track your browsing history on external websites.
Marketing cookies	- used to see your content settings and provide you with relevant information about our services, improve the effectiveness of targeted marketing and your experience on our website; - may be used for our advertising purposes on third party websites. In such a case, we would also receive information about your browsing history on our official partner sites, where we place our promotional materials.
Performance cookies	- They are short-term cookies that are stored for as long as the website visitor keeps the web browser open, providing access to the website. Session cookies remind the website of what the visitor chose on the previous page, thus avoiding re-entering information.

Cookie	Cookie Type	Cookie Expiration Time
EWSID	Necessary	Until the end of the session
NCSID	Necessary	Until the end of the session
privacy_1	Necessary	14 days
privacy_2	Necessary	14 days
privacy_3	Necessary	14 days
privacy_4	Necessary	14 days
privacy_verify	Necessary	14 days
_ga	Statistical	2 years
_gat	Statistical	1 minute
_gid	Statistical	24 hours
TS01234491	Necessary	Until the end of the session

Cookie	Cookie Type	Cookie Expiration Time
EW4SITE	Necessary	Until the end of the session
SITEXSRF	Necessary	Until the end of the session
privacy_2	Necessary	10 days
privacy_3	Necessary	10 days
privacy_4	Necessary	10 days
privacy_verify	Necessary	10 days
_ga	Statistical	2 years
_gid	Statistical	24 hours
_gat	Statistical	1 minute
NID	Functional	6 months
TS01e0eb24	Necessary	Until the end of the session

Cookie	Cookie Type	Cookie Expiration Time
EW4SITE	Necessary	Until the end of the session
SITEXSRF	Necessary	Until the end of the session
privacy_2	Necessary	10 days
privacy_3	Necessary	10 days
privacy_4	Necessary	10 days
privacy_verify	Necessary	10 days
_ga	Statistical	2 years
_gat	Statistical	1 minute
_gid	Statistical	24 hours
_fbp	Marketing	3 months
_fr	Marketing	3 months
TS013ba818	Necessary	Until the end of the session

Cookie	Cookie Type	Cookie Expiration Time
_ga	Statistical	2 years
_gat	Statistical	1 minute
_gid	Statistical	24 hours
ENCSID	Functional	Until the end of the session
EWSID	Functional	Until the end of the session
TS01234491	Necessary	Until the end of the session