Privacy Statement
1. PURPOSE AND SCOPE
1.1. This Privacy Policy provides information on how UAB Ignitis, legal entity code 303383884, registered office address Laisvės pr. 10, LT-04215 Vilnius (hereafter – the Company), processes personal data.
1.2. The provisions of the Privacy Policy apply to natural persons whose data are processed by the Company:
1.2.1. Customers who use, have used, have expressed an intention to use, or are otherwise related to the services provided by the Company (hereafter – Customers);
1.2.2. Individuals who contact the Company by submitting requests or inquiries directly or via remote communication means, including phone or email;
1.2.3. Individuals who visit the Company’s websites, etc. and other media (see point 2.1.3 below).
2. DEFINITIONS
2.1.1 The terms and abbreviations used in this Privacy Policy have the following meanings:
2.1.2 Personal Data – any information related to a natural person who can be directly or indirectly identified (e.g. name, surname, contact details);
2.1.3 Person – a natural person (data subject) whose data is processed (e.g. the Company’s Customers, individuals submitting requests to the Company, users of the Company’s website, self-service platform and other Company-managed pages/mobile applications);
2.1.4 GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of Personal Data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation) (hereafter – the Regulation);
2.1.5 Data Processing – any operation performed on Personal Data (e.g. collection, recording, storage, granting access, transfer);
2.1. Other terms used in the Privacy Policy shall be understood as defined in the legal acts regulating the protection of Personal Data (Regulation, Law on Legal Protection of Personal Data of the Republic of Lithuania, and others).
3. PURPOSES AND LEGAL BASES FOR PERSONAL DATA PROCESSING
3.1. The Company processes Personal Data only for specific purposes based on legal grounds established by legal acts:
3.1.1. When processing is necessary for concluding and/or executing a contract with the Person;
3.1.2. When the Person has given consent for their data to be processed for one or more specific purposes;
3.1.3. When the Company must process Personal Data to comply with legal requirements;
3.1.4. When processing is necessary to pursue the Company’s legitimate interests.
3.2. The main purposes for which the Company processes Personal Data include:
3.2.1. Performing the functions of a public electricity supplier as established by legal acts. The Company processes Personal Data to fulfil its functions and obligations as a public supplier and to exercise its rights under legal acts.
3.2.2. Performing the functions of a natural gas and electricity supplier as established by legal acts. The Company processes Personal Data to fulfil its functions and obligations as an independent natural gas and electricity supplier and to exercise its rights.
3.2.3. Providing services, concluding and executing contracts. The Company processes Personal Data to ensure the proper conclusion and execution of contracts with Customers, the provision of services or goods under contracts, including appropriate Customer notifications regarding issues related to goods, services and contracts, based on contractual or legal requirements.
3.2.4. Providing and managing self-service services. The Company processes Personal Data to provide Customers with self-service options (contract conclusion and management, electricity and natural gas meter readings declaration, payment for electricity, natural gas and other utility services, submission of requests and inquiries, provision of information on invoices, payments, electricity and natural gas consumption, and prices), to ensure self-service functionality, proper Customer identification in the self-service system and management of self-service operations based on contract, consent or the Company’s legitimate interest.
3.2.5. Providing electric vehicle charging services. The Company processes Personal Data to ensure the proper provision of electric vehicle charging services, the operation of related mobile applications, Customer identification and other related general functions (such as payment administration, debt management, handling Customer inquiries), as detailed in this document.
3.2.6. Preparing commercial offers. The Company processes Personal Data to present a commercial offer to the Customer regarding the desired service.
3.2.7. Payment administration. The Company processes Personal Data related to payments for provided services based on contractual and legal requirements.
3.2.8. Debt management. In case of debt, the Company processes Personal Data related to the debt and undertakes debt recovery actions based on contract, legal requirements and legitimate interest.
3.2.9. Resolving submitted inquiries. The Company processes Personal Data to handle and resolve submitted inquiries and complaints based on contract, consent or legal requirements.
3.2.10. Resolving submitted inquiries via the Company’s social network Facebook page. For inquiry processing, the Company may collect the following data of the requesting Person: social network profile name, profile picture, name, surname, phone number, email address, object address, Customer code or the last three digits of the personal code, other contract-related data relevant to the inquiry, and topics and content of inquiries. These Personal Data will be processed based on the Person’s request for a response (Person’s consent) and/or the need to contact the Person. Submitted Personal Data will be stored during the contract’s validity period and for 10 years after its termination. In the absence of a contractual relationship, the provided data will be stored as long as the Company actively uses its social network account, unless the Person deletes (or requests the Company to delete) their provided Personal Data earlier. When a Person submits an inquiry and provides Personal Data, it becomes accessible to Facebook (Meta Platforms Ireland Limited). Information on how Facebook processes provided data can be found in Facebook’s privacy policy.
3.2.11. Direct marketing and customer experience evaluation. The Company may process Personal Data (name, surname, email address, email interaction data) to provide the Company’s and/or its partners’ offers, as well as personalised offers, Company news about services, information about ongoing events and to inquire about service quality. These data are processed, and information is sent to the Person only if they have provided consent for direct marketing and profiling. For profiling purposes, to identify whether the sent information is relevant to the Customer and to offer tailored content, the Company may process information about sent direct marketing messages (whether the message was read, when and how many times). Personal Data for direct marketing will be processed as long as the Person remains a Customer or until consent is withdrawn, whichever occurs first. Consent can be withdrawn and its settings changed at any time by logging into the self-service account at https://e.ignitis.lt or https://mano.ignitis.lt, in the eparkai.lt platform, mobile applications ‘Energysmart’, ‘Ignitis ON’, ‘Ignitis self-service’, or by calling +370 611 21802. Additionally, consent preferences can be adjusted by visiting a Customer service centre or by clicking the ‘Unsubscribe’ link in a marketing email.
3.2.12. Protection of the Company’s legitimate interests in case of disputes. The Company may process Personal Data to defend/ensure its legitimate interests/claims in case of disputes, as well as to have evidence, for example, of the fact of consent given/withdrawn.
3.2.13. Credit and risk assessment. Upon receipt of the Client’s consent, the Company may process Personal Data to assess credit risk and determine what Services and under what conditions the Company may offer the Client.
3.2.14. Credit and risk assessment. With the Customer’s consent, the Company may process Personal Data to assess credit risk and determine what services and conditions the Company can offer the Customer.
3.2.15. Mediation. The Company may process Personal Data when concluding agreements for the purchase or rental of remote solar power plants.
3.2.16. Technical suitability of properties for service provision. The Company may process data regarding the suitability of an Individual’s buildings for the installation of a solar power plant and the potential/future economic efficiency of the installed power plant to ensure proper service delivery.
3.2.17. General statistics. The Company processes non-personalised general statistical data related to interactions with emails sent to Clients. This allows the Company to manage customer traffic across service channels and assess the effectiveness of email communication. For this purpose, the Company does not process any Personal Data or other information that could identify a Client as a specific individual. General statistical data does not have any legal or otherwise significant impact on Clients.
3.2.18. Other purposes. The Company may process Personal Data for other purposes if it has obtained the Individual’s consent, is required to do so under legal regulations or has the right to process data based on a legitimate interest.
3.3. In all the aforementioned cases, the Company processes Personal Data only to the extent necessary to achieve clearly defined and lawful objectives while adhering to Personal Data protection requirements.
4. SCOPE OF PROCESSED PERSONAL DATA (CATEGORIES)
4.1. The main categories of Personal Data and the data processed by the Company for the above-mentioned purposes and legal bases include:
4.1.1. Identity Data – e.g. first name, last name, personal identification number, date of birth;
4.1.2. Contact Data – e.g. address, phone number, email address;
4.1.3. Data Related to Service Provision, Contract Formation and Execution – e.g. contract details, order and energy consumption data, and information obtained through direct communication with Individuals via self-service websites or remote communication tools (phone, email, mobile applications);
4.1.4. Data Related to Electric Vehicle (EV) Charging Services, in addition to the aforementioned data – information on when and how much electricity was charged into the vehicle, the duration of connection to the charging station, the specific EV charging station used, the time period spent there, charging history, additional session management keys (RFID) and, if provided by the Client, the vehicle model, license plate number and unique identifier (MAC address);
4.1.5. Data Related to the Use of the EV Charging Mobile Application – information provided when creating an account and using the mobile application, including the Internet Protocol address, device type and details about how the application is used;
4.1.6. Payment Data – e.g. amounts payable to the Company, outstanding debts, payment history;
4.1.7. Financial Data – information regarding obligations and debts to third parties when the Company assesses a Client’s creditworthiness before providing Services;
4.1.8. Audio and Video Recording Data – e.g. video footage captured at the Company’s facilities or EV charging stations, telephone call recordings;
4.1.9. Cookie Data – e.g. information about an Individual’s location at the city level, preferences, behaviour on the Company’s website or self-service portal, interests, (detailed information about cookies used by the Company can be found in the Cookie Policy);
4.1.10. Other Data – any other data processed by the Company in accordance with legal regulations.
5. COLLECTION OF PERSONAL DATA
5.1. The Company processes Personal Data provided by individuals themselves, data obtained when Clients use the Company’s Services (e.g. energy consumption, payment data), or data received from other sources (e.g. state or privately managed registers) or third parties (e.g. energy distribution operators), as necessary, based on contractual agreements, consent, legal requirements or the Company’s legitimate interest.
5.2. The Company has the right to collect Personal Data from the State Enterprise Centre of Registers for the purpose of concluding electricity purchase–sale and service provision agreements, following the legal procedures established by the laws of the Republic of Lithuania.
6. DISCLOSURE OF PERSONAL DATA
6.1. The Company, in compliance with legal requirements, may transfer processed Personal Data to the following categories of data recipients:
6.1.1. Energy Distribution Operator. To ensure the proper execution of the Electricity Purchase–Sale and Service Provision Agreement, the Company transfers processed Client Personal Data (identity data, Client-declared electricity meter readings and other information necessary for the energy distribution operator’s legally mandated functions).
6.1.2. Gas Distribution Operator. The Company may transfer processed Personal Data (identity data, contact details, service-related data and other necessary data) for purposes such as guaranteed gas supply, accounting for transported gas, damage assessment and compensation, ensuring the reliability and technical safety of gas systems and managing emergencies, in accordance with the requirements of the Republic of Lithuania’s Natural Gas Law, Natural Gas Supply and Consumption Rules, Trading in Natural Gas Rules and other applicable legal regulations.
6.1.3. Service Providers. The Company may transfer processed Personal Data to third parties acting on behalf of and/or under the instructions of the Company, who provide customer service, software maintenance, design, construction, accounting, payment administration, correspondence delivery and other services to ensure the proper provision, management and development of the Company’s Services. In such cases, the Company takes necessary measures to ensure that the engaged Service Providers (data processors) process the provided Personal Data solely for the intended purposes, using appropriate technical and organisational security measures, in compliance with the Company’s instructions and applicable legal requirements.
6.1.4. Government, Law Enforcement and Supervisory Authorities. The Company may provide processed Personal Data to government or law enforcement authorities (e.g. police, prosecution offices, the Financial Crime Investigation Service) and supervisory institutions (e.g. the State Energy Regulatory Council) when required by applicable legal regulations or to protect the legitimate interests of the Company or third parties.
6.1.5. Debt Collection Agencies and Joint Data Registries. If the Client fails to make payments due under the Agreement in a timely manner, the Company has the right, after informing the Client by post or email 30 calendar days in advance, to provide the Client’s Personal Data to administrators of joint debtor databases, debt management and collection companies, courts, notaries and bailiffs.
6.1.6. Other Third Parties. The Company may provide Personal Data to other data recipients based on legally defined grounds.
6.2. The Company generally stores Client data within the European Union (EU) or European Economic Area (EEA). If cases arise where Client data must be transferred outside the EU/EEA, this is done only when at least one of the following conditions is met:
6.2.1. The European Commission has recognised that the country receiving the data ensures an adequate level of Personal Data protection.
6.2.2. A data processing agreement has been concluded based on the European Commission’s standard contractual clauses.
6.2.3. Compliance with codes of conduct and/or other protective measures under the Regulation is ensured.
7. PERSONAL DATA RETENTION
7.1. The Company processes Personal Data only for as long as necessary to fulfil the specified data processing purposes or as required by applicable legal regulations if they stipulate a longer retention period.
7.2. To determine the retention period, the Company applies criteria that align with legal obligations and consider the rights of the Data Subject, such as setting a retention period during which claims related to contract performance may arise.
|
Purpose of Personal Data Processing |
Retention Period |
|
Processing of Personal Data of callers for inquiry resolution purposes |
Two months from the date of call recording. If the inquiry involves contract execution, data is retained for the entire contract period and ten years after contract termination. |
|
Processing of Client Personal Data for direct marketing purposes and for defending legitimate interests in disputes (evidence of consent provision and/or withdrawal) |
Until the consent expires, and after the expiry of the consent this will be retained for a further three years by the Company for the purpose of protecting its legitimate interests in the event of a dispute (for the purpose of evidence to confirm the fact of giving and/or withdrawing consent). |
|
Processing of Client Personal Data for contract execution purposes |
Throughout the contract duration and ten years after contract termination. |
|
Processing of Client Personal Data for EV charging services and the related Ignitis ON mobile application |
If no payments (financial transactions) have been made: two years from the Client’s last login to their Ignitis ON electronic account. If payments have been made: ten years from the last financial transaction and two years from the Client’s last login to their electronic account. |
|
Processing of Client Personal Data for self-service management |
During the account’s validity period and two years from the last action. If inactive for more than two years, the account is deleted and all related data is erased. |
8. PERSONAL DATA RETENTION PERIODS
8.1. The Company ensures the confidentiality of Personal Data in accordance with applicable legal requirements and implements appropriate technical and organisational measures to protect Personal Data from unauthorised access, disclosure, accidental loss, alteration, destruction or other unlawful processing.
9. AUTOMATED DECISION-MAKING AND PROFILING
9.1. The Company does not process Personal Data through fully automated individual decision-making, as outlined in Article 22 of the Regulation. The Company only conducts profiling (i.e. automated processing of Personal Data used to evaluate certain personal aspects related to an individual), but this does not produce legal effects or similarly significant impacts on the Data Subjects. Profiling is conducted to manage the distribution of marketing offers, ensuring that unwanted and irrelevant marketing communications are minimised. Clients are categorised based on, for example, the types of services they use and payment methods.
10. RIGHTS OF INDIVIDUALS
10.1. A Person contacting the Company has the right to:
10.1.1. Access their Personal Data processed by the Company;
10.1.2. Request correction of incorrect, incomplete or inaccurate Personal Data;
10.1.3. Request the deletion of Personal Data or the suspension of Personal Data processing (except for storage) if such processing violates applicable legal requirements or if the Personal Data is no longer needed to achieve the purposes for which it was collected or otherwise processed;
10.1.4. Receive their processed Personal Data in a structured, commonly used, and machine-readable format and/or transfer such data to another data controller (note: This right applies to Personal Data provided by the Person and processed by the Company based on consent, contractual execution or if the data is processed by automated means);
10.1.5. Request the deletion of Personal Data processed by the Company when the processing violates applicable legal requirements or when the data is no longer needed to achieve the purposes for which it was collected or otherwise processed;
10.1.6. Restrict the processing of their Personal Data under applicable legal regulations, e.g. for the period during which the Company assesses whether the individual has the right to request deletion of their Personal Data;
10.1.7. Object to the processing of their Personal Data and/or withdraw consent at any time if the processing is based on consent, without affecting the lawfulness of data processing carried out before the withdrawal (consent for direct marketing can be withdrawn by calling customer service on 1802 or +370 611 21802, via the self-service website, the mobile application for EV charging services, by clicking ‘unsubscribe’ in a received newsletter or by submitting a request through the Company’s Help Centre).
11. EXERCISING INDIVIDUAL RIGHTS
11.1. Individuals can submit requests regarding the processing of their Personal Data by the Company in writing to Laisvės pr. 10, LT-04215 Vilnius, by calling customer service on 1802 or +370 611 21802, by submitting a request through the Company’s Help Center, or by visiting any Ignitis Customer Service Centre. Calls to 1802 are charged based on the caller's network operator tariff, and calls to the long number are charged as calls to the Telia network.
11.2. The contact details of the Company’s Data Protection Officer are: [email protected]
11.3. To exercise their rights under the Regulation, individuals must submit a completed request in the form approved by the Company, either in person, by mail, through a representative or via electronic communication.
11.4. When submitting a request, the individual must confirm their identity:
11.4.1. If submitted in person, the individual must present an identity document to the Company’s service staff.
11.4.2. If submitted by mail, the request must be accompanied by a notarised copy of the identity document.
11.4.3. If submitted through a representative, the representative must provide their full name, address and contact details for communication, along with the full name and personal code of the represented individual. Additionally, a notarised copy of the representative’s identity document and a document proving representation (or a legally certified copy) must be provided.
11.4.4. If submitted via electronic communication, the request must be signed with a qualified electronic signature or formatted using electronic means ensuring data integrity and immutability.
11.5. The Company may refuse to act on an individual’s request if the request is manifestly unfounded or excessive. The Company will respond to the request within one month of receipt, providing information on actions taken under Articles 15–22 of the Regulation. If necessary, this period may be extended by two additional months, considering the complexity and number of requests. The Company will inform the individual within one month of receiving the request if an extension is needed, stating the reasons for the delay.
11.5.1. When fulfilling an individual’s right to access their Personal Data processed by the Company:
11.5.2. The Company has the right to ask the individual to specify their request if the Company processes a large amount of information related to the individual.
11.5.3. The Company will provide only the necessary information to avoid infringing on the rights of other individuals if the requested data is associated with multiple individuals.
12. INDIVIDUAL RESPONSIBILITIES
12.1. By submitting their Personal Data to the Company, individuals confirm that they have properly reviewed the Personal Data processing conditions provided in this Privacy Policy, do not object to the processing of their provided Personal Data by the Company, and ensure that the data and information they submit is accurate and correct. The Company is not responsible for the submission and processing of excessive data if such data is provided negligently by the individual.
12.2. Individuals must inform the Company of any changes to their submitted data or related information at [email protected].
13. VALIDITY AND CHANGES TO THE PRIVACY POLICY
13.1. This Privacy Policy presents the primary provisions regarding the processing of Personal Data. Additional information on how the Company processes Personal Data may be provided in Company agreements, other documents, the website www.ignitis.lt or through remote customer service channels (e.g. phone, email).
13.2. In response to changes in legal requirements and/or Company processes or services provided, the Company reserves the right to unilaterally amend and/or supplement this Privacy Policy. The Company will inform individuals of Privacy Policy changes by posting an announcement on its website. In certain cases, the Company may also inform individuals via mail, email or other means (e.g. public announcements in the media).