Privacy Policy
General Provisions
We care about your privacy and the security of your personal data, which is why we have prepared this privacy policy (hereinafter – Privacy Policy), which explains how we process your personal data, what rights you have and other information about the processing of your personal data.
This Privacy Policy applies when we provide you with general contracting, renovation and modernisation works, concrete work for monolithic structures and other construction contracting works (hereinafter – Work), residential rental services (hereinafter – Services), when you apply for a job vacancy offered by us, when we communicate or cooperate with you in accordance with legal requirements, and when you visit our website, accessible at https://naresta.com/ (hereinafter – Website), on our social networking accounts on Facebook (https://www.facebook.com/UABNaresta), YouTube (https://www.youtube.com/@uabnaresta) and LinkedIn (https://www.linkedin.com/company/uab-naresta/) (hereinafter – Social Accounts), and by contacting us by telephone, e-mail and other electronic communication channels.
As used in this Privacy Policy, the term “personal data” (hereinafter – Personal Data) refers to any information or set of information from which we can directly or indirectly identify you, such as your name, surname, e-mail address, telephone number, etc.
When processing Personal Data, we comply with Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter – GDPR) and the requirements of the legal acts of the Republic of Lithuania, as well as the instructions of supervisory authorities.
By using the Services, visiting the Website or our Social Media accounts, or by contacting or reaching out to us, you are deemed to have read and understood this Privacy Policy. If you do not agree to this Privacy Policy, you cannot use the Services, the Site and our Social Accounts.
The Website and Social Accounts may contain links to, for example, our partner websites. This Privacy Policy does not apply to such websites. Please read their privacy policies before submitting your Personal Data to these websites or taking advantage of their offers.
This Privacy Policy is subject to change, so please visit the Site from time to time to review the most recent version of this Privacy Policy posted.
Who are we?
Your Personal Data Controller is NARESTA, UAB, a private limited liability company established in the Republic of Lithuania, legal entity code 122596696, address: Kareivių g. 11B, LT-09109 Vilnius, data is collected and processed in the Register of Legal Entities of the State Enterprise Centre of Registers (hereinafter – Naresta or we).
How do we get your personal data?
Your personal data we get:
directly from you when you provide your Personal Data to us. For example, you enter into a contract for the Work or Services we provide on your behalf or on behalf of another person, make a payment, make an enquiry through the Website, apply for a job offered by Naresta, communicate with us by e-mail or telephone, etc.;
when we collect Personal Data when you use the Website or Social Media Accounts. For example, we may record the history of visits to the Website, the IP address, links opened, etc;
when we receive Personal Data from other persons, such as the Service Provider (who identifies you as a contact person), public registers, state or local authorities or bodies, our partners, other third parties;
when we collect Personal Data when you use the Services or visit our premises, for example, through video surveillance of the premises.
By providing your own or another person’s Personal Data (for example, about your employees or representatives), you are responsible for ensuring that such Personal Data is accurate, complete, and up to date, as well as for informing the data subject or obtaining their consent to have their Personal Data provided to us. In certain cases, we may ask you to confirm that you have the right to provide us with Personal Data (for example, when entering into a contract under a power of attorney).
What personal data do we process?
We process your Personal Data for the following purposes and under the following conditions:
| Purpose of personal data processing | Processing of Personal data | Terms for Personal data processing | Legal basis for Personal data processing |
| Conclusion and execution of Work Contracts, cooperation, and management of project documentation. | Name, surname, e-mail address, personal identification number (if required), phone number, job title, person you represent (when acting on behalf of a company or another individual), relationship with the represented person, basis for representation, workplace address, financial accounting data, content of communication, and data related to the Works. | We will process personal data during the term of the contract and for 10 years after the end of it. | Performance of a contract with you or taking steps at your request prior to entering into a contract (Article 6(1)(b) of the GDPR); Our or a third party’s legitimate interest in properly and efficiently fulfilling our obligations (Article 6(1)(f) of the GDPR). |
| We will process personal data during the term of the contract and for 10 years after the end of it. | Tenant’s name, surname, e-mail address, personal identification number (if required), phone number, address of the rented apartment, job title, person represented (when acting on behalf of a company or another individual), relationship with the represented person, basis for representation, financial accounting data, content of communication, and data related to the Services. | We will process personal data during the term of the contract and for 10 years after the end of it. | Performance of a contract with you or taking steps at your request prior to entering into a contract (Article 6(1)(b) of the GDPR); Our or a third party’s legitimate interest in properly and efficiently fulfilling our obligations (Article 6(1)(f) of the GDPR). |
| Warranty service, planning, and execution of repairs. | Name, surname, e-mail address, personal identification number (if required), phone number, job title, person you represent (when acting on behalf of a company or another individual), relationship with the represented person, basis for representation, workplace address, financial accounting data, content of communication, and data related to the warranty service. | We will process your personal data for a guarantee period of 5 years. In situations where it is suspected that building elements (structures, pipelines) are defective, the data will be kept for 10 years. If intentionally concealed defects are identified, the data will be retained for 20 years. | Compliance with legal obligations (Article 6(1)(c) of the GDPR) in accordance with the Civil Code of the Republic of Lithuania (Official Gazette, 2000, No. 74-2262). |
| Controlling construction work to check quality, record, and correct defects, and meet technical requirements. | Name, surname, personal identification number (if required), e-mail address, phone number, job title, person you represent (when acting on behalf of a company or another individual), relationship with the represented person, workplace address, basis for representation, content of communication, and data related to the Services. | We will process personal data during the performance of the Works until the signing of the final construction works acceptance-transfer act, the approval of the building completion certificate, or the date of our deregistration as users of the building from the Real Property Register. | Compliance with legal obligations (Article 6(1)(c) of the GDPR) in accordance with the Law on Construction of the Republic of Lithuania (Official Gazette, 1996, No. 32-788); Our or a third party’s legitimate interest in properly and efficiently fulfilling our obligations (Article 6(1)(f) of the GDPR). |
| Management, operation, and quality improvement of electronic information delivery channels (Website, Social Media accounts). | IP address, data collected through cookies and settings, public information from social media accounts, reactions (“likes”), comments. | Website data – in accordance with the cookie retention periods, but no longer than 2 years; Where data is not included in the cookie information, no longer than 1 year from the date of collection; For social media accounts, data is stored in accordance with the settings selected by the social network manager and/or the user. | Your consent to the processing of personal data (Article 6(1)(a) of the GDPR); Our or a third party’s legitimate interest in properly and efficiently managing social media accounts and other electronic information delivery channels (Article 6(1)(f) of the GDPR). |
| Sending newsletters and organizing surveys on service quality. | Name, surname, e-mail address, phone number (if a decision is made to send notifications via SMS); Data requested for the survey; If communication occurs through social media – publicly available profile information, expressed reactions (“likes”), comments. | 3 years from the date of consent / data submission; Quality survey data – 1 year from the end of the survey; On social media accounts – according to the settings selected by the social network administrator and/or user. If consent is withdrawn earlier than the expiration of the data retention period, the data will be processed until the withdrawal of consent. | Your consent to the processing of personal data (Article 6(1)(a) of the GDPR); Our legitimate interests in managing the mailing lists of newsletter recipients, analysing aggregated marketing results, and resolving issues related to newsletter delivery (Article 6(1)(f) of the GDPR). |
| Management of consultations regarding Naresta services, as well as handling inquiries or feedback submitted via the general Naresta e-mail address, social media, or other electronic communication channels. | Name, surname, e-mail address, phone number of the contacting person; Other data (if necessary or provided by you): job title, workplace, address; represented person, relationship with them, content of authorization; public information from social media accounts (when communication occurs via social networks); content of feedback, inquiries and responses, their attachments, and correspondence history. | During the communication period and for 1 year after the end of communication; If consent is withdrawn earlier than the expiration of the data retention period, data will be processed until the withdrawal of consent; If you submit an initial order to conclude a contract via an inquiry, the data contained in the inquiry will be retained for the duration of the contract and for 10 years after its termination. | Your consent to the processing of personal data (Article 6(1)(a) of the GDPR); Our or a third party’s legitimate interest in providing consultations, resolving arising issues, and delivering quality services to you (Article 6(1)(f) of the GDPR). |
| Execution, supervision, and quality assurance of the construction process of real estate projects, compliance with technical and occupational safety requirements and environmental impact assessment of planned economic activities. | Name, surname, e-mail address, personal identification number (if required), job title, person you represent (when acting on behalf of a company or another individual), relationship with the represented person, basis for representation, education data (of personnel conducting quality inspections), content of communication, data related to work safety, and planned economic activity environmental impact assessment. | Personal data processed for the purposes of construction process execution, supervision, quality assurance, and compliance with construction technical requirements will be processed during the performance of the works until the signing of the final construction works acceptance-transfer act, the approval of the building completion certificate, or the date of our deregistration as users of the building from the Real Property Register; Personal data processed for compliance with occupational safety requirements will be retained for 10 years from the date of the last entry in the accounting document; Personal data processed for the purpose of planned economic activity environmental impact assessment will be retained until the transfer to the new property manager. | Compliance with legal obligations (Article 6(1)(c) of the GDPR) in accordance with the Law on Construction of the Republic of Lithuania (Official Gazette, 1996, No. 32-788), the Law on Safety and Health at Work (Official Gazette, 2003, No. 70-3170), and the Law on Environmental Impact Assessment of Planned Economic Activity (Official Gazette, 1996, No. 82-1965); Our or a third party’s legitimate interest in properly and efficiently fulfilling our obligations (Article 6(1)(f) of the GDPR). |
| Conclusion and administration of contracts with subcontractors, service providers, suppliers, and partners. | Name, surname, e-mail address, job title, person you represent (when acting on behalf of a company or another individual), relationship with the represented person, basis for representation, individual activity data, content of communication, data related to contract execution. | We will process personal data during the term of the contract and for 10 years after the end of it. | Performance of a contract with you or taking steps at your request prior to entering a contract (Article 6(1)(b) of the GDPR); Data Controller or a third party’s legitimate interest in properly and efficiently fulfilling our obligations (Article 6(1)(f) of the GDPR). |
| Communication with the public as established by legal acts, regarding planned or ongoing real estate construction activities by Naresta. | Name, surname, e-mail address, content of communication. | During the communication period and for 1 year after the end of the communication. | Compliance with legal obligations (Article 6(1)(c) of the GDPR) in accordance with the Law on Construction of the Republic of Lithuania (Official Gazette, 1996, No. 32-788). |
| Administration of Naresta’s operations, conclusion, and execution of agreements necessary for the activities. | Name, surname, personal identification number (if required), signature; individual activity data; address, e-mail, phone number; job title; represented person (when acting on behalf of a company or another individual), relationship with them; content of communication. | For the duration of the cooperation / contract and for 5 years after the termination of the cooperation / contract. | Performance of a contract with you or taking steps at your request prior to entering a contract (Article 6(1)(b) of the GDPR); Our or a third party’s legitimate interest in properly and efficiently fulfilling our obligations (Article 6(1)(f) of the GDPR). |
| Management of payments for services, accounting, and debt management. | Name, surname, personal identification number (if required), signature; individual activity data; address, e-mail, phone number; VAT payer information; bank account details, payment data; payment document information; debt information; represented person (when acting on behalf of a company or another individual), relationship with them; content of communication. | According to the Internal Administration Documents Retention Schedule (Official Gazette, 17/03/2011, No. 32-1534), and if not covered by it, according to laws regulating financial operations and accounting; Data not falling within the retention scope of the aforementioned laws – for the duration of the contract/cooperation and 10 years after the termination of the contract/cooperation. | Performance of the contract with you or the intention to take actions at your request prior to concluding the contract (Article 6(1)(b) of the GDPR); Compliance with legal obligations (Article 6(1)(c) of the GDPR) pursuant to the Law on Tax Administration of the Republic of Lithuania (Official Gazette, 28/04/2004, No. 63-2243), the Law on Financial Accounting (Official Gazette, 28/11/2001, No. 99-3515), the Law on Accounting of Enterprises and Enterprise Groups (Register of Legal Acts, 30/06/2024, No. 12134), the Law on Payments (Official Gazette, 17/11/1999, No. 97-2775), the Law on Joint Stock Companies (Official Gazette, 31/07/2000, No. 64-1914), and other legal acts; Our legitimate interests in effectively managing financial operations and debts (Article 6(1)(f) of the GDPR). |
| Handling requests, complaints, and disputes in and out of court. | Name, surname, e-mail, phone number, address, job title; represented person (when acting on behalf of a company or another individual), relationship with them; content of the complaint/claim/procedural document, information related to the dispute/claim. | For the duration of the dispute/claim review and for 3 years after the conclusion of the non-judicial dispute/claim resolution, as well as 10 years after the conclusion of the judicial dispute resolution. | Compliance with legal obligations (Article 6(1)(c) of the GDPR) pursuant to the Civil Code of the Republic of Lithuania (Official Gazette, 06/09/2000, No. 74-2262), the Civil Procedure Code (Official Gazette, 06/04/2002, No. 36-1340), and other legal acts; Our legitimate interest to assert, exercise, or defend our rights and legal claims (Article 6(1)(f) of the GDPR). |
| Assessment, selection, and data processing of candidates for the proposed job position to offer employment opportunities in the future. | Name, surname, date of birth, e-mail address, phone number, education, information about the candidate’s career, information included in the CV, information provided in the cover letter, information communicated during the job interview, results of tests and/or practical tasks, links to social media profiles, photo (if provided), publicly available candidate data, name, surname, position, and contact details of the person providing a reference for the candidate. | Data is stored for the duration of the selection process and for 6 months after its completion if the individual has not given consent for further storage of their personal data, or for 2 years after the selection process if the candidate has consented to the storage of their data beyond the selection period; when data is submitted not for a specific selection process, it is stored for 2 years from the date of data receipt. | Your given consent for the processing of Personal Data (Article 6(1)(a) of the GDPR); Our legitimate interest to assess your skills, qualifications, experience, and suitability for specific job positions, and to select the best candidate for the offered job position (GDPR Article 6(1)(f) of the GDPR). |
| Ensuring the safety of individuals and property, protecting information, and aiming to investigate and manage unlawful behaviour or conflict situations through video surveillance. | Video recording, personal image. | Personal data is stored for up to 14 days from the moment it is recorded. Upon expiration of the retention period, video data is automatically deleted, except in cases where it is necessary to retain them for a longer period. If video data needs to be retained beyond the retention period (for example, if they are used as evidence in investigations or disputes, or a justified request from the data subject has been received), such data will be kept only as long as necessary to achieve the specific data processing purposes and will be destroyed immediately when no longer needed. | Our legitimate interest to protect individuals and property, as well as to ensure safe working conditions for employees (Article 6(1)(f) of the GDPR). |
| Access control to premises and/or areas to ensure the security of individuals, property, equipment, and information. | Name, surname, position (for example, when a person activates/deactivates the alarm), and other information related to access/pass control. | Personal data shall be stored for up to 2 years after each entry into the premises and/or areas is recorded. | Our legitimate interest to protect individuals and property, as well as the security of equipment and information (Article 6(1)(f) of the GDPR). |
How do we process data on our social media accounts?
We post information about Services and activities of Naresta on social media accounts, and we may also publish advertisements or communicate with you there, responding to your inquiries.
Users of social media accounts are subject not only to this Privacy Policy but also to the privacy policies and terms of use of the social networks where the social media accounts are hosted. When you contact us on social media accounts and provide certain information (e.g., send us messages, comment on our posts), depending on your chosen privacy settings, we may see your public profile information such as your name, surname, profile picture, e-mail address, etc. This information (for example, a comment you have posted) may also be visible to other visitors of the specific Social Media account, depending on the privacy settings you have chosen.
How do we use your personal data and what principles do we follow?
We only collect and process Personal Data that is necessary to achieve our stated purposes for processing Personal Data.
When processing your Personal Data, we:
comply with the requirements of current and applicable legislation, including the GDPR;
process your Personal Data in a lawful, fair and transparent manner;
collect your Personal Data for specified, explicit and legitimate purposes and do not process it in a way that is incompatible with those purposes, except to the extent permitted by law;
take all reasonable steps to ensure that Personal Data that is not accurate or complete in relation to the purposes for which it is processed is promptly rectified, supplemented, suspended or destroyed;
keep them in such a form that your identity can be established for no longer than is necessary for the purposes for which the Personal Data are processed;
do not provide Personal Data to third parties and will not disclose Personal Data to third parties other than as set out in this Privacy Policy or applicable law;
ensure that your Personal Data is processed securely, by ensuring technical and organisational security measures, and by limiting access to Personal Data to only those of our employees who need such access for the purposes of their job functions.
To whom and when do we transfer your personal data?
We may transfer your Personal Data to processors or recipients who assist us in the performance of our activities:
providers of financial accounting, customer management, document management and HR services;
providers of marketing, advertising, newsletters, and customer quality evaluation services;
providers of maintenance services for security and CCTV equipment;
providers of communication, IT, and website management services;
providers of payment and other financial services;
providers of debt collection services;
providers of newsletters and customer quality evaluation services;
providers of HR services;
providers of training services;
providers of audit services;
providers of insurance services;
providers of paper documents archiving services;
providers of delivery and transportation services, including couriers;
construction partners (subcontractors).
To publish content on Social Media Accounts, we provide Personal Data to the following social networking platform operators:
LinkedIn Ireland Unlimited Company (Ireland) and LinkedIn Corporation (USA) (data transmitted in accordance with an eligibility decision adopted by the European Commission);
Meta Platforms Ireland Ltd. (Ireland) and Meta Platforms Inc. (USA) (data transmitted in accordance with an eligibility decision adopted by the European Commission);
Google Ireland Limited (Ireland) and Google LLC (USA) (data transmitted in accordance with an eligibility decision adopted by the European Commission);
We may provide personal data to law enforcement and pre-trial investigation authorities, courts and other dispute resolution authorities, other persons performing functions assigned by law, in accordance with the procedure provided by the legislation of the Republic of Lithuania. We provide these entities with information as required by law or as mandated by the entities themselves.
We may also transfer personal data, if necessary, to companies that intend to buy or acquire our business or engage in joint activities or other forms of cooperation with us, as well as to companies established by us.
Generally, we process Personal Data within the territory of the European Union/European Economic Area (hereinafter – EU/EEA), but in some cases your Personal Data may be transferred outside the EU/EEA. The transfer of your Personal Data outside the EU/EEA is based on:
the basis of a data processing or transfer agreement that describes such transfer and incorporates the Standard Contractual Clauses approved by the European Commission; or
the basis of an adequacy decision adopted by the European Commission, meaning that the Commission has recognized the country in which the third party is established and/or operates as ensuring an adequate level of personal data protection; or
a specific authorisation by the State Data Protection Supervisor to conduct such transfers; or
Your consent to the transfer of your Personal Data outside the EU/EEA.
What rights do you have?
As a data subject, you have the following rights in relation to your Personal Data:
to be informed about the processing of your Personal Data and to have access to your Personal Data, i.e. to obtain confirmation as to whether we are processing your Personal Data and to request access to the processing of your Personal Data and the related information;
to submit a request to us to rectify inaccurate or incorrect information about you or to complete it where it is incomplete.
to request us to delete the information we hold about you where there is a basis for deleting the information;
To submit a request to restrict the processing of the available information about you, when you dispute the accuracy of the Personal data or object to the Personal data processing, disagree to the deletion of your unlawfully processed Personal data, or need the Personal data to make, enforce or defend legal claims;
to object to the use of Personal Data where we process your Personal Data for our legitimate interests and/or the legitimate interests of third parties (including profiling, if any);
request us to transfer/receive Personal Data that you have provided to us under a contract or consent to the processing of Personal Data and that we process by automated means in a commonly used electronic format;
to object to being subject to a decision based solely on automated processing, including profiling, if such decision-making may have legal consequences or similarly significant effects on you;
to withdraw the consents, you have given us for the processing of your Personal Data where we use your Personal Data based on your consent, including where we process Personal Data for direct marketing purposes, including profiling in connection with direct marketing;
To file a complaint to the State Data Protection Inspectorate.
We may refuse to exercise your rights where your request is not permitted by the GDPR or other legal provisions, except to object to the processing of your Personal Data for direct marketing purposes or in other cases where the processing of Personal Data is carried out with your consent.
If you do not want your Personal Data to be processed for direct marketing purposes, for the purposes of conducting surveys, including profiling, you may opt out of such processing without providing any reasons for your objection by sending an email to the specified address or by using another method indicated in the message provided to you (for example, by clicking the relevant link in the newsletter).
If you wish to withdraw your consent to the processing of your Personal Data or exercise any of your other rights listed above, you may contact us at info@naresta.lt. To better understand your request, we may ask you to fill in the relevant application form and sign it with an advanced or qualified electronic signature.
To ensure maximum security, in certain cases we will only be able to process your request after verifying your identity. This may include, for example, asking you to provide a personal document or other information.
We do not normally charge any fee for exercising your rights. However, the law allows us to charge a reasonable fee or to refuse to comply with your request if it is manifestly unfounded or excessive.
Upon receipt of your request or instruction regarding the processing of your personal data, we will provide you with a response within 1 month of the date of your request and will carry out the actions specified in the request or inform you why we refuse to do so. If necessary, this period may be extended by a further 2 months, depending on the complexity and number of requests. In such case, we will inform you of the extension within 1 month from the date of receipt of the request.
If Personal Data is erased at your request, we may retain copies of the information as necessary to protect our legitimate interests and those of others, to comply with obligations of public authorities, to resolve disputes, to identify disturbances or to comply with agreements.
How do we process data for newsletters, direct marketing, quality surveys?
We may send information about our activities, services (direct marketing messages) to your email address and/or telephone number if you have given us your consent to do so, and if you or the organisation you represent is a client of ours. With your consent, we may also ask you to help us assess the quality of our services, performance, and support.
After sending newsletters, we may collect information about the recipients, such as which message was opened, which links were clicked, and similar data. This information is collected if you agree and to offer you relevant and more tailored news.
Your contact details may be passed on to our partners/processors who provide us with newsletters or customer quality assessment services.
If you no longer wish to receive our newsletters, you can unsubscribe in the way indicated in the electronic messages (for example, by clicking on the “unsubscribe” link in the newsletter, etc.) or by sending us a message to info@naresta.lt.
If you withdraw your consent, we will endeavour to stop sending you news immediately, but this may take some time. As our news campaigns are planned in advance, you may still receive our newsletters one more time, even after withdrawing your consent.
Withdrawal of consent does not automatically oblige us to destroy your Personal Data or to provide you with information about the Personal Data we process, and you should make a separate request for these actions.
How do we store your personal data?
Your Personal Data is processed responsibly and securely and is protected against loss, unauthorised use, and alteration. We have put in place physical and technical measures to protect the information we collect from accidental or unlawful destruction, damage, alteration, loss, disclosure, or any other unauthorised processing. Personal data security measures shall be determined in accordance with the risks involved in the processing of Personal Data.
Our employees are under a written obligation not to disclose or distribute your Personal Data to any unauthorised third party.
How to contact us?
If you have any questions regarding the information contained in this Privacy Policy, please contact us by e-mail info@naresta.lt or by phone +370 5 262 55 00.
If you believe that your rights have been violated under the GDPR, you can lodge a complaint with our supervisory authority, the National Data Protection Inspectorate. For more information and contact details, please visit the Inspectorate’s website (https://vdai.lrv.lt/). We aim to resolve all disputes promptly and peacefully, so please contact us first.
Final Provisions
If we amend this Privacy Policy, we will inform you by posting the updated Privacy Policy on the Website or through other customary means of communication.