Privacy Statement

1.         Terms and definitions

The terms and abbreviations used in this Privacy Statement shall have the following meanings:

Personal Data

shall mean any information related to the natural person, who can be identified either directly or indirectly (e.g., name, surname, contact details, etc.).

Person

shallmean the natural person (data subject), whose data are processed (e.g., the Company’s Clients, persons, who have applied to the Company by submitting requests or claims, users of the Company’s website or self-service website, etc.).

Company

AB „Energijos skirstymo operatorius“, legal entity code 304151376, registered office address: Laisvės pr. 10, LT-04215 Vilnius, Lithuania.

Data processing

shall mean any action performed with the personal data of the Person (e.g., collection, recording, storage, granting of access, transfer, etc.).

Client

shall mean persons who are using, used, have expressed intent to use, or are otherwise associated with the services provided by the Company (hereinafter referred to as ‘the Clients’).

Services

shall mean any goods or services provided by the Company

Privacy Statement

Published publicly by the Company information about the Personal Data processing, data subjects rights, etc. implementing the obligation to inform data subjects provided for in the Regulation.

Regulation

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

 

Other terms used in the Statement shall be understood as they are defined in the legal acts governing personal data protection (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation (EU) 2016/679), the Law on the Legal Protection of Personal Data of the Republic of Lithuania, etc.).

2.         General provisions

2.1  This Privacy Statement provides the information, on how AB „Energijos skirstymo operatorius“ manages Personal Data.
2.2  The provisions of the Privacy Statement shall apply to the following natural persons, whose Personal Data are processed by the Company:
2.2.1     the clients, who are or were using, have expressed their intention to use, or are otherwise associated with the services provided by the Company (hereinafter referred to as the Clients);
2.2.2     persons who have applied to the Company by submitting requests or claims either directly, via self-service websites, online chats or by means of remote communication, including phone and e-mail;
2.2.3     persons, who have visited the Company’s website, etc.

3.         Purposes and legal grounds of Personal Data processing

3.1  The Company shall process the Personal Data only for particular purposes and on the grounds laid down in the legislation:
3.1.1     when it is necessary to process the data in order to enter into and/or execute the contract concluded with the person;
3.1.2     the person has given the permission to process their data for one or several particular purposes;
3.1.3     the Company must process the Personal Data following the requirements of the legislation;
3.1.4     the Personal Data must be processed for to the Company’s lawful interest.
3.2  Principle objectives of the Company in processing the Personal Data:
3.2.1     The performance of the functions of the operator of natural gas and electricity distribution system (network) provided for in the legal acts. The Company shall process Personal Data in performing distribution system (network) operator’s functions and obligations and exercising distribution system (network) operator’s rights provided for in legal acts;
3.2.2     The performance of the functions of guaranteed natural gas and electricity supply provided in the legal acts. The Company shall process Personal Data in performing guaranteed natural gas and electricity supply functions and obligations and exercising guaranteed natural gas and electricity supply rights provided for in legal acts;
3.2.3     The provision of services, conclusion and execution of contracts. The Company shall process Personal Data in order to ensure the proper conclusion and execution of contracts on electricity and natural gas distribution and other contracts (hereinafter – Contracts) with the Clients, provision of services or supply of goods to the Clients on the basis of the contracts, including the proper notification of the Client about the issues related to the goods, services or contract, on the basis of the contract or legal acts;
3.2.4     Reconstruction of the existing equipment of the Company, installation, operation, maintenance and management of new distribution systems (networks) of the Company, connection of the new users and/or producers (Clients) equipment to the Company’s distribution system (network) on the ground of the consent, contract or legal acts;
3.2.5     The administration of settlements. The Company shall process Personal Data related to payments for the Services provided on the grounds of the contract or legal acts;
3.2.6     Debts management. In case of the debt, the Company shall process Personal Data related to the debt and perform actions for recovery on the grounds of the contract, legal acts and legitimate interest;
3.2.7     Solving questions provided. The Company shall process Personal Data while examining and solving submitted questions and complaints, in accordance with the contract, consent or legal act;
3.2.8     Solving questions provided on the Company’s Facebook accounts and on the Company’s website www.eso.lt. For the purposes of processing the request, the Company may process the following Personal Data of the applying Person: name of the Person’s social network profile, profile photo, name, surname, phone number, e-mail address, object address, object number, Client code or the last 3 digits of the personal identification number, other contract data important for executing Personal requests, the topics and content of the Person’s requests. These Personal Data will be processed on the basis of the Person’s request to provide a response (Person’s consent) and/or in order to contact the Person. The Personal Data provided will be stored during the validity of the contract and for 10 years after the termination of the contract. In the absence of a contractual relationship, the data provided shall be stored as long as the Company actively uses its social network accounts, unless the Person himself deletes (or asks the Company to delete) their Personal Data he provided earlier any time. When a Person submits a Personal Data in a request, it becomes available to Facebook (Meta Platforms Ireland Limited). Information on how Facebook processes the data provided is available in Facebook Privacy Policy.

Submitted by the persons requests on the Company’s website www.eso.lt and the Personal Data provided in the requests shall be deleted in 6 months after the request was submitted;

3.2.9     The control of the quality on the Services being provided by the Company. The Company shall process Personal Data in order to ensure the quality of Services being provided: by recording phone calls, when the Clients use client service channels or when the Company’s employees phone the Clients on the ground of the legitimate interest or the consent;
3.2.10   Evaluation of the Clients’ experience, opinion, providing offers and news (direct marketing): the Company may process Personal Data (name, surname, e-mail address) by sending surveys, providing offers or giving news on the Services being provided by the Company and informing about on ongoing events on the grounds of personal consent. The person may withdraw the given consent at any time by clicking unsubscribe link in the email which was sent to the person, in the Company’s self-service account, by e-mail: info@eso.lt, calls by client service number + 370 697 61852 or in the client service area;
3.2.11   The Company’s activities, news, informing and educating the population (the Company’s social network accounts administration). To increase the Company’s renown and communicate in the public sphere, the Company manages the following social network accounts:

in order to achieve legitimate interests of the Company – to inform and educate all target audiences about the Company’s activities, and managing social network accounts of the Company, the Company may collect and process the following Personal Data: Person’s social network profile data (profile name, surname, profile photo), the use of ‘Like’ and ‘Follow’ fields, comments written by the Person, content posted by the Person on the Company’s account (e.g., the Person has shared photos or videos while making comments in the Company’s social networks accounts), other communication. When a Person visits the social network accounts managed by the Company and interacts with the Company (i.e. provides data to the social network accounts managed by the Company), the Person expresses their consent for such processing of their Personal Data, therefore the Personal Data will also be processed on the grounds of the Person’s consent.

Information that the Person provides on the Company’s social network accounts (including messages, use of ‘Like’ and ‘Follow’ fields, other communication) or information received when a Person visits social network accounts of the Company (including information obtained from cookies used by social network managers) is controlled by a specific social network manager. Therefore, we recommend familiarising with the privacy policy of specific social network manager. The Personal Data provided shall be stores as long as the Company actively uses its social network accounts, unless the Person himself deletes (or asks the Company to delete) their Personal Data he provided earlier any time. Information on how data submitted to social network managers are processed is available:

We note that we reserve the right to delete illegal material if it proves necessary to do so (e.g., when content containing swearwords, insulting content inciting hatred on grounds of nationality, racial, religious or other hatred is posted, confidential data (bank account number, telephone number, address, passwords, etc.) of a natural or legal person are disclosed or the laws of the Republic of Lithuania are violated in other ways);

3.2.12   General statistics. The Company can process non-personalized general statistical data of e-mail interactions in order to evaluate effectiveness of the communication carried out by e-mail. For this purpose, the Company will not process any personal data or other information that could identify the Client as a specific person. General statistics do not have any legal or similar significant effect on Client;    
3.2.13   Security of Persons and objects. In order to ensure the security of its employees, Clients and other persons as well as security of the Company’s assets and objects, the Company may perform video surveillance on the grounds of the legal acts or its legitimate interests. In case video surveillance is carried out, the Company informs data subjects about video surveillance using informative signs warning everyone about the video surveillance;
3.2.14   Other purposes. The Company may process the Personal Data for other purposes if the consent of the person’s consent was submitted, the Personal Data must be processed on the grounds laid down in legislation, or on the grounds of the legitimate interest.
3.3  In all the aforementioned cases, the Company shall process Personal Data only in the scope necessary to achieve the clearly defined and legal purposes, in consideration to the requirements of Personal Data protection.

4.         The scope (categories) of processed Personal Data

4.1  The main categories of Personal Data and data which are processed by the Company for the purposes and on the legal grounds set out above:
4.1.1     Identification data – name, surname, personal identification number, date of birth, etc;
4.1.2     Contact data – address, phone number, e-mail address, etc;
4.1.3     Data related to provision of the Services, conclusion and execution of contracts entered into – information about the Services being provided, contract data, order and consumption data, data received by the Company directly from the persons, via self-service websites and online chats, or by remote communication means (phone, e-mail, mobile applications), etc;
4.1.4     Smart accounting data – smart accounting data (physical parameters of electricity grid quality, electricity consumption/generation data, meter status data, meter events, etc.) which the Company processes in the performance of its functions and duties as the distribution system operator as provided for in the legislation. More information on the processing of Personal Data in smart accounting systems is available in “SMART Data Processing Rules”;
4.1.5     Payment data – amounts payable, outstanding debts, payment history, etc;
4.1.6     Financial data – amounts payable to the Company, outstanding debts, payment history, etc;
4.1.7     Data of video and audio records – video data recorded in the Company’s units, audio data recorded during phone conversations, etc;
4.1.8     Data of cookies – information about the person’s location with a precision of a city, the person’s preferences, his behaviour on the Company’s website or self-service, interests, etc. (more detailed information about the cookies used by the Company is available in the „Cookie Policy“). Cookies do not store information which could be used to identify the user directly, however, cookies contain information that could be used to link to the user to their device, browsing history and other information received and stored by cookies;
4.1.9     Other data processed by the Company on the legal grounds provided for in the legal acts.

5.         Receipt of Personal Data

5.1  The Company shall process the Personal Data provided by the persons themselves, received when the Clients are using services provided by the Company (e.g., electricity/natural gas consumption, payments data) or which the Company receives from other sources (e.g., registers managed by the state or private entities) or third parties (e.g., electricity, natural gas suppliers), to the extent necessary on the grounds of the contract, consent, legal acts or legitimate interest of the Company.
5.2  The Company shall have the right to collect and process Personal Data from VĮ Registrų Centras (the State Enterprise Centre of Registers) for the purpose and on the ground of the conclusion of contracts for the provision of services, in accordance with the legal acts of the Republic of Lithuania, as well as when the Company is performing the functions and obligations provided in the legal acts, e.g., ensuring appropriate technical condition of electrical structures and equipment; safe, ensuring reliable and effective operation of the system (network); organizing and coordinating projection and connection works of electrical equipment; remunerating compensation for the servitudes imposed in favour of the Company, etc.

 
6.         Submission of Personal Data

6.1  Following the requirements of the legislation, the Company may transfer the processed Personal Data to the receivers of data belonging to the following categories:
6.1.1     Electricity and natural gas suppliers. In order to ensure proper fulfilment of contracts for providing electricity and natural gas distribution services, the Company may transfer the processed Personal Data (identification data, contact data, readings of electricity/natural gas meters, etc.) and other information necessary for performance of the functions of companies supplying electricity and natural gas in accordance with the legal acts.
6.1.2     Service providers. The Company may transfer the processed Personal Data to third persons acting in the name and/or under the instruction of the Company, that provide the Company with client service, software maintenance, design, labour and work, surveying of Clients, accounting and other services to the Company, in order to ensure appropriate provision, management and development of the Company’s Services. In such cases, the Company shall take necessary measures in order to ensure that the engaged service providers (data processors) are processing Personal Data only for the purposes, for which those were provided, while ensuring proper technical and organizational safeguards, in accordance with the Company’s instructions and requirements of effective legal acts.
6.1.3     Public authorities, law enforcement agencies and supervisory institutions. The Company may transfer the processed Personal Data to public authorities or law enforcement institutions (e.g., police, prosecutor’s office, the Financial Crime Investigation Service, supervisory institutions (e.g. the National Energy Regulatory Council, etc.), when it is mandatory in accordance with effective legal acts or in order to ensure the legitimate interests of the Company or third parties.
6.1.4     Debt administration enterprises, processing consolidated data of debtors, and managing joint databases. If the Client fails to properly and timely perform the payments to be made by the Client in accordance with the Contract, the Company, having informed the Client by post or e-mail 30 days in advance, has the right to provide the Client’s Personal Data to the data controllers who process the consolidated data of debtors, debt management and recovery enterprises, courts, notaries, and bailiffs.
6.1.5     Other third parties. The Company may provide Personal Data to other data recipients (e.g., the Environmental Project Management Agency of the Ministry of Environment of the Republic of Lithuania (EPMA), Public Institution Lithuanian Energy Agency (LEA), UAB „Baltpool“, etc.) on the legal grounds defined in the legal acts.
6.2  Generally, the Company stores personal data in the territory of the European Union or the European Economic Area (EU/EEA). If there are cases when personal data shall be transferred outside the EU/EEA, that can be done only if at least one of the following conditions is met:
6.2.1     The European Commission has recognized that the country to which the data is transferred ensures a sufficient level of personal data protection;
6.2.2     A data processing contract has been concluded in accordance with standard conditions approved by the European Commission;
6.2.3     Codes of conduct are followed and other safeguards in accordance with the Regulation are applied.

7.         Storage of data

7.1  The Company shall process the Personal Data no longer than required by the objectives of data processing or as indicated in the applied legislation, if they shall establish a longer period for storage of data.
7.2  In order to determine the period for storage of data, the Company shall apply the criteria that shall correspond to the obligations defined in the legal acts, also with regard to right of a person, e.g., it shall envisage such a period for storage of a data, during which the requirements related to the contract’s execution may be submitted, if any, or the period necessary to implement and protect legitimate interests of the Company.

Purpose of processing Personal Data

Storage period

Processing Personal Data for the purpose of solving submitted questions

During the term of the contract and 10 years after the end of the contract

Processing Personal Data of the callers for the purpose of solving submitted questions

6 months from the recording

Processing Personal Data for the purpose of direct marketing

3 years from the date consent or until the moment of withdrawal of the Client's consent

Processing Personal Data of Clients‘ for the purpose of execution of the contract

During the term of the contract and 10 years after the end of the contract

Processing of video recording data in order to ensure safety of the persons and objects

30 calendar days

 
8.         Applied protection measures

8.1  The Company shall undertake all the necessary measures to make sure that Personal Data is processed precisely, fairly and legally, only for the set purposes, in strict compliance with clear and transparent requirements of Personal Data processing defined in the legal acts.
8.2  The Company shall ensure the confidentiality of the Personal Data in accordance with the requirements of the legislation in force and implementation of appropriate technical and organisational measures intended for the protection of the Personal Data from illegal access, disclosure, accidental loss, modification or destruction or other illegal processing.

9.         Automated decision making and profiling

9.1  The Company does not manage personal data by means of automated individual decision-making, as provided for in Article 22 of the Regulation. 

10.      Rights of the persons

10.1   A person that has contacted the Company and the personal identity of which was determined by the Company, shall have the right to:
10.1.1.to be familiarised with their Personal Data processed by the Company;
10.1.2.require the rectification of inaccurate, incorrect or incomplete Personal Data;
10.1.3.request the destruction of their Personal Data or to suspend, except for the storage, the actions of processing of the Personal Data, if the processing violates requirements of the applied legislation or the Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
10.1.4.request the transfer of the Personal Data related to the Data Subject (applies to the Personal Data submitted by the person himself and processed by automated means on the basis of consent or conclusion and execution of a contract);
10.1.5.restrict the processing of their Personal Data in accordance with the applied legislation, e.g., for the period, during which the Company shall assess, whether the person has the right to ask their Personal Data to be erased;
10.1.6.object the processing of their Personal Data and (or) in a case, where the Personal Data is processed on the grounds consent – to withdraw the given consent on the processing of the Personal Data at any time, with no effect on the lawfulness of processing based on consent before its withdrawal. The consent for direct marketing may be withdrawn by clicking unsubscribe link in the email which was sent to the person, in the Company’s self-service account, by e-mail: info@eso.lt, calls by client service number + 370 697 61852 or in the client service area.

 
11.      Implementation of the rights of individuals

11.1   The persons may appeal regarding this Privacy Statement or Personal Data processing performed by the Company in writing by the following address: Laisvės pr. 10, LT-04215 Vilnius, Lithuania; by e-mail: info@eso.lt, Client service phone number +370 697 61852 (calls are charged in accordance with the rate applied by the network operator), in the Company’s self-service account or to visit any Client Service area.
11.2   The contact details of the Company’s data protection officer: dap@ignitis.lt.
11.3   For the purposes of the implementation of his rights in accordance with the General Data Protection Regulation (EU) 2016/679, the person shall submit to the Company a written in a person, by post, through a representative or by means of electronic communication.
11.4   When submitting the request, the person must confirm his identity:
11.4.1   if the request is submitted directly, to an employee of the Company’s unit responsible for servicing of individuals, the person must present a personal identity document;
11.4.2   if the request is submitted by post, employee of the Company will contact the person additionally regarding the most convenient and appropriate method of the person identification;
11.4.3   if the request is submitted through the representative, the representative shall indicate his first name and surname as well as contact details for communication, by which the individual’s representative wishes to receive the reply and the first name, surname, and personal identification number of the represented person and present a notarised copy of the personal identity document and a copy of the document of the representation document certified in accordance with the established procedure
11.4.4   if the request is submitted by means of electronic communication, the request shall be signed by a qualified e-signature or formed by electronic means which allow ensuring integrity and inalterability of the text.
11.5   The Company may refuse to undertake actions under the person’s request if such request is obviously unjustified and non-proportional.
11.6   Not later than within one month from the day of receipt of the request, the Company shall provide the person with a reply indicating information about the actions taken upon receipt of the request, in accordance with Articles 15-22 of the General Data Protection Regulation (EU) 2016/679. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests under consideration. Within one month from the receipt of the request, the Company shall inform the person of any such extension, while indicating reasons for the extension.    

11.7   The Company has the right to refuse to provide the person with information requested by that person if:
11.7.1   the Personal Data was collected directly from the person and that information has already been provided to the person;
11.7.2   the Personal Data was received not from the person himself;
11.7.3   the provision of the information requested by the person is impossible or would require non-proportional efforts;
11.7.4   where the Personal Data must remain confidential subject to an obligation of professional secrecy regulated by the law of the European Union or the Republic of Lithuania, including the obligation to protect professional secret;
11.8   In implementation of the person’s right to familiarize himself/herself with his/her Personal Data processed by the Company, the Company:
11.8.1   shall have the right to request the person to specify the submitted request, if the Company is processing a big quantity of information related to that person;
11.8.2   shall provide the person with information to the extent as not to infringe the rights of other persons if certain information about the person is also related with other persons.
11.9   If the issues related with the processing of Personal Data carried out by the Company and (or) personal rights shall not be solved, the person shall have the right to contact and to submit a claim to the State Data Protection Inspectorate. In all cases, please contact the Company before submitting a claim so we can find a suitable solution.

 
12.      Obligations of the persons

12.1   When providing their Personal Data to the Company, the persons confirm that they are familiarised themselves with the terms of the Personal Data processing provided in this Privacy Statement and do not object that the Company shall processes the Personal Data provided by the persons, the data and information provided by the persons are correct and accurate, and that the Company shall not be liable for the submission and processing of excessive data, if such data are provided by the person to the Company through negligence.

12.2   The person undertakes to inform the Company about any changes in the submitted data or other related information.

13.      Links to other sites

13.1   The Company’s website www.eso.lt contains links to third-party owned websites. By navigating to a different website, the Person shall agree to the data protection and other provisions of that website. We recommend separately familiarise with the terms of use of each visited website that does not belong to the Company.

14.      Privacy Statement validity and changes

14.1   The main Personal Data processing provisions are provided in this Privacy Statement. Additional information, how the Company is processing Personal Data, may be provided in the Company’s contracts, other documents, website www.eso.lt, self-service website, or by remote client service channels (phone, e-mail, etc.)
14.2   Should legislation requirements and/or processes, etc., of the Company change, the Company has a right to amend and/or supplement this Privacy Statement unilaterally. The Company shall post the changes in this Privacy Statement on the Company’s website. In certain cases, the company may also inform the persons about changes by mail, e-mail or otherwise (e.g., by a press release).

15.      Final provisions

15.1   The supervision and control of the requirements provided in the Privacy Statement shall be ensured by the employees carrying out the compliance functions within the Company.
15.2   The Privacy Statement and amendments thereof shall be coordinated with Personal Data Protection Expert at AB „Ignitis grupė“.
15.3   The Privacy Statement is published publicly on the Company‘s website www.eso.lt.
15.4   The Privacy Statement is reviewed and updated as needed, but at least once a year. The Compliance Expert of Business Resilience Union shall be responsible for the updating of the Privacy Statement.

16.      Annexes
Annex 1. Form of the Request for Personal Data Processing