Privacy Policy

INTRODUCTION

Baltic Helix, UAB ("Company," "we," "us," or "our") is committed to protecting your privacy and ensuring you have a positive experience on our website and services. This Privacy Policy explains how we collect, use, disclose, and otherwise process your personal data in accordance with the EU General Data Protection Regulation (GDPR) (EU 2016/679) and the laws of the Republic of Lithuania.

This Privacy Policy applies to:

• Our website www.baltichelix.lt

• Our recruitment services

• All interactions with our company

1. WHO WE ARE

Data Controller:

Baltic Helix, UAB

Vyžuonėlių g. 32, LT-28178 Utena, Lithuania

Phone: +370 6228 0867

Email: info@baltichelix.lt

Data Protection Officer contact: info@baltichelix.lt

2. WHAT PERSONAL DATA DO WE COLLECT?

2.1 Data from Job Candidates

When you apply for a position or submit your CV, we collect:

• Identity information: Full name, date of birth, gender

• Contact details: Email address, phone number, residential address

• Professional information: Qualifications, work experience, certifications, skills

• CV and application documents: All information you submit

• Photographs or videos: Your portrait photo (if submitted)

• Communication: Email correspondence with our team

• Assessment results: Psychometric tests, interview notes, work samples

• Background check data: If required for the position

• References: Contact information of professional references you provide

2.2 Data from Our Employees

If you work for Baltic Helix, we process:

• Employment terms: Job title, department, salary, working hours, work location

• Health data: Pre-employment health checks and occupational health assessments

• Emergency contacts: Names and phone numbers of emergency contacts

• Social security information: Required for payroll and legal compliance

• Performance data: Work evaluations, attendance records, training records

• Workplace monitoring: Security camera footage (for safety and security purposes)

• Bank account details: For salary payments

2.3 Data from Website Visitors

When you visit our website, we automatically collect:

• Technical data: IP address, browser type, operating system, device information

• Usage data: Pages visited, time spent on site, links clicked, referral source

• Analytics: Google Analytics data about how you interact with our website

• Cookies: Small text files that help us remember your preferences

• Session information: Unique identifiers for tracking your visit

2.4 Data from Contact Forms

If you contact us via our website or email:

• Name and contact information

• Your message content

• Any attachments you send

3. LEGAL BASIS FOR PROCESSING

We process your personal data based on the following legal grounds under GDPR Article 6:

3.1 Employment Contract (Article 6(1)(b))

For employees: We process data necessary to perform our employment relationship, including payroll, benefits administration, and compliance with employment law.

3.2 Your Consent (Article 6(1)(a))

For job candidates: When you submit your CV or application, you consent to us processing your data for recruitment purposes. You may withdraw this consent at any time by emailing info@baltichelix.lt

3.3 Legitimate Interests (Article 6(1)(f))

We process data for:

• Recruitment and talent acquisition

• Website improvement and optimization

• Fraud prevention and security

• Direct marketing (job opportunities matching your profile)

• Analytics and business insights

3.4 Legal Obligation (Article 6(1)(c))

We may process data to comply with Lithuanian law, including tax and employment regulations.

4. HOW LONG DO WE STORE YOUR DATA?

We retain personal data only as long as necessary:

• Job candidate CVs: 1 year from submission (unless you withdraw consent)

• Employee data: Duration of employment plus 3 years after termination (for legal and tax purposes)

• Website analytics: Maximum 24 months

• Cookie data: Based on cookie settings and browser

• Contact form inquiries: 2 years or until the inquiry is resolved

• Website visitor data: 12-14 months for Google Analytics

4.1 Data Deletion Procedures

Data is securely deleted using industry-standard methods:

• Electronic files: Permanent deletion or cryptographic erasure

• Physical documents: Shredding or incineration

• Backup systems: Automated purging after retention period

• Data subjects may request early deletion where no legal obligation exists

5. HOW DO WE PROTECT YOUR DATA?

We implement appropriate technical and organizational security measures:

• SSL/TLS encryption: All data transmitted over the internet is encrypted

• Access controls: Only authorized employees can access personal data

• Strong passwords: We require secure passwords (minimum 12 characters) and two-factor authentication

• Antivirus software: Our systems are protected against malware and viruses

• Regular backups: Data is regularly backed up to prevent loss

• Physical security: Servers are located in secure data centers

• Employee training: Our staff receive regular data protection training

• Data processing agreements: All third-party processors have signed data processing agreements

However, no method of transmission over the internet is 100% secure. While we use reasonable security measures, we cannot guarantee absolute security.

6. WHO DO WE SHARE YOUR DATA WITH?

We may share your personal data with:

6.1 Service Providers (Data Processors)

We share data with third parties who assist us in providing services:

• IT service providers: Hosting, CRM systems, HR platforms

• Accounting and legal advisors: For payroll and compliance

• Email service providers: For communications

• Recruitment platforms: Job boards and recruitment tools

• Cloud storage providers: Google Workspace, Microsoft 365

All processors have signed Data Processing Agreements (DPAs) ensuring GDPR compliance.

6.2 Potential Employers (When Applicable)

If your profile matches a client's requirements, we may share your CV and basic information with them (with your consent where required).

6.3 Government and Regulatory Authorities

We may disclose data when required by law:

• Tax authorities

• Labor inspectorates

• Law enforcement (with proper legal request)

• Data protection authorities

6.4 Business Partners

We may share aggregated, anonymized data with partners for business development.

6.5 International Data Transfers

If we transfer data outside the EU/EEA, we ensure appropriate safeguards:

• Standard Contractual Clauses (SCCs)

• Adequacy decisions

• Your explicit consent

7. YOUR RIGHTS

Under GDPR, you have the following rights:

7.1 Right of Access (Article 15)

You can request a copy of all personal data we hold about you in a structured, commonly-used, machine-readable format.

7.2 Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete data.

7.3 Right to Erasure (Article 17 - "Right to be Forgotten")

You can request deletion of your data, except where:

• We have a legal obligation to retain it

• The data is necessary for the purpose collected

• We have a legitimate interest

7.4 Right to Restrict Processing (Article 18)

You can request that we limit how we use your data while we verify its accuracy.

7.5 Right to Data Portability (Article 20)

You can request your data in a portable format to transfer to another organization.

7.6 Right to Object (Article 21)

You can object to:

• Direct marketing

• Processing based on legitimate interests

• Automated decision-making

7.7 Right to Withdraw Consent (Article 7)

You can withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal.

7.8 Right to Lodge a Complaint (Article 77)

You have the right to lodge a complaint with the State Data Protection Authority if you believe we have violated your rights.

8. HOW TO EXERCISE YOUR RIGHTS

To exercise any of the rights listed above, please contact us:

Email: info@baltichelix.lt

Mail: Baltic Helix, UAB, Vyžuonėlių g. 32, LT-28178 Utena, Lithuania

We will respond to your request within 30 days (extendable to 90 days for complex requests). We may request identification to verify your request.

8.1 Data Subject Verification

When processing rights requests, we will:

• Verify your identity to prevent unauthorized access

• Maintain records of all requests and responses

• Provide the requested information in clear, understandable format

9. DATA BREACH NOTIFICATION

If a personal data breach occurs that poses a risk to your rights and freedoms, we will:

• Notify the State Data Protection Authority (VDAI) within 72 hours of discovery

• Inform affected individuals without undue delay

• Provide information about the breach, its consequences, and remedial actions

9.1 Data Breach Procedures

A breach requiring notification typically includes:

• Unauthorized access to personal data

• Loss or destruction of data

• Any processing that violates GDPR

Exceptions to notification requirement:

• Data that is encrypted or otherwise rendered unintelligible

• Where we have implemented additional security measures post-breach

We maintain an internal breach log documenting all incidents.

10. COOKIES AND TRACKING TECHNOLOGIES

10.1 What are Cookies?

Cookies are small text files placed on your device that store information about your browsing habits.

10.2 Types of Cookies We Use

Essential Cookies: Required for website functionality

Analytics Cookies: Google Analytics (to understand website usage)

Marketing Cookies: Retargeting and social media pixels (Facebook, LinkedIn)

Preference Cookies: To remember your settings

10.3 Cookie Consent

Before placing non-essential cookies on your device, we will request your explicit consent via a cookie consent banner. You can:

• Accept all cookies

• Reject non-essential cookies

• Customize your preferences

• Withdraw consent at any time through your account settings or browser

10.4 How to Manage Cookies

You can control cookies through your browser settings. Most browsers allow you to refuse cookies or alert you when they're being set. However, disabling cookies may affect website functionality.

10.5 Third-Party Analytics

We use Google Analytics to analyze website traffic. Google may use this data for its own purposes. Read Google's Privacy Policy at https://policies.google.com/privacy

11. SPECIAL CATEGORIES OF DATA

11.1 Biometric Data

If you submit a photograph with your application, we process this as biometric data only for recruitment purposes and delete it if you're not hired.

11.2 Health Data

Health data is processed only for employees and only for:

• Occupational health and safety compliance

• Pre-employment health assessments

• Emergency medical information

11.3 Criminal Background Checks

For certain positions, we may conduct background checks. This is done only with your explicit consent and in compliance with local law.

12. CHILDREN'S DATA

Our services are not intended for children under 16. We do not knowingly collect data from children. If we become aware that a child has provided us with personal data, we will delete it immediately.

13. THIRD-PARTY LINKS

Our website may contain links to third-party websites. We are not responsible for their privacy practices. We encourage you to review their privacy policies. We are also not responsible for links from third-party sites to our website.

14. AUTOMATED DECISION-MAKING

We do not currently use automated decision-making or profiling that produces legal or similarly significant effects. Any use of automation in recruitment (such as CV screening) involves human review.

15. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. We will notify you of significant changes:

15.1 Notification of Changes

• By email sent to the address you provided

• By prominent notice on our website (minimum 30 days before changes take effect)

• Your continued use of our services constitutes acceptance of the updated policy

• You may opt to stop using our services if you disagree with the changes

16. CONTACT INFORMATION

For any questions or concerns about this Privacy Policy or our data practices:

Baltic Helix, UAB

Vyžuonėlių g. 32, LT-28178 Utena, Lithuania

Email: info@baltichelix.lt

Phone: +370 6228 0867

State Data Protection Authority (VDAI):

Address: A. Mickeviciaus g. 29, Vilnius, Lithuania

Website: https://vdai.lrv.lt

---

Baltic Helix, UAB Management