top of page


General Provisions

BIG STONE, UAB Privacy Policy regulates the purposes for which the personal data of natural persons are being processed by BIG STONE, UAB as well as sets forth the procedure for exercise by the individuals of their rights in this respect, establishes the relevant organizational and technical measures aimed at the personal data protection, and regulates the cases when third persons, i.e. data processors, shall be engaged by BIG STONE, UAB for personal data processing.

​Terms and definitions used in this Privacy Policy of BIG STONE, JSC:

  1. Data shall mean any information relating to an identified or identifiable natural person (data subject); an identifiable person is the person who can be identified, directly or indirectly, in particular by reference to an identifier such as name, surname, identification number, address of the place of residence and online identifier.

  2. Data controller or the Company shall mean BIG STONE, UAB, legal entity code 125864085, with its registered office at Juodasis kelias 104A, Vilnius, address of operations Kauno str. 5, Ukmergė, tel. +370 340 60078, mob. phone +370 67773284, fax +370 34051345, e-mail:;

  3. Data subject shall mean all clients of the Company and other natural persons whose Data are processed by the Company;

  4. Data Processor shall mean a natural or legal person, which processes the Data controlled by the Company;

  5. Website shall mean the Company-owned website at

  6. Policy shall mean this document and the regulations of the binding nature set forth herein by establishing the procedure of Data processing;

  7. Hotel shall mean the Company-owned building, i.e. BIG STONE Hotel, as well as the land plot where the Hotel is built, located at Kauno str. 5, Ukmergė;

  8. Other terms and definitions used herein are in line with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 as well as Law of the Republic of Lithuania on Legal Protection of Personal Data and other data processing regulating legislation.



Purposes of Personal Data Processing

The Company shall process the Data for the following purposes:

  1. ​Registration of the Company’ customers (Hotel guests), management of accounts receivable, bookkeeping activities of the Company and delivery of notifications to the Company customers;

  2. Recording of employment and work time of the Company employees as well as other purposes being associated with legal relationship of employment and compliant to the requirements of the applicable legislation;

  3. Direct marketing purposes;

  4. Access to Website (for statistical and marketing purposes);

  5. Protection of individuals and property, prevention of offences, identification of individuals held legally responsible, and detection of offences (video surveillance).

Basic rules applicable to Data processing for the purposes of registration of the Company’ customers (Hotel guests), management of accounts receivable, bookkeeping activities of the Company and delivery of notifications to the Company customers:

​By making a hotel room reservation or a table/banquet room reservation, the Data Subject is giving consent to processing of the following personal data:

  1. Name and surname;

  2. Personal number;

  3. Date of birth;

  4. Data on personal identity document (number);

  5. Address;

  6. Phone number;

  7. E-mail address;

  8. Gender;

  9. Type of payment, payment card data (number and validity), if paid by card;

  10. Amount payable;

  11. Number of nights spent;

  12. Plate number of a vehicle used by the Hotel guest for arrival;

  13. Room number in the Hotel;

  14. Table number in the Hotel restaurant, or the name of a banquet room;

  15. Information listed in Subparagraphs 2.1.1 – 2.1.14 above is required for identification of the Company’s customers in order to contact them later, if necessary, as well as for ensuring due execution of payments for goods and services delivered by the Company, and for adequate bookkeeping activities of the Company.

  16. The Data Subject, by providing the relevant personal data, confirms that such are correct, and shall notify of any changes thereof, if necessary.

  17. Personal data received from the Company customers for the registration purposes are stored for 5 (five) years following the date of the reservation. Data required for management of the amounts receivable from the customers will be stored until the date of recovery of the relevant debt, but no longer than for the period of 10 (ten) years. Data required for the bookkeeping purposes will be stored for the period not less than required by the applicable legislation. As soon as the Data is no longer required for the processing purposes, or in case the established retention period expires, the Data will be securely destroyed or erased, except for the cases when storage of certain data is mandatory under the applicable legislation;

  18. The data on the Hotel guests provided by the Company to the Statistics Lithuania includes the information on the number of guests, countries from which the guests come, the purpose of guests’ arrival, and the number of nights spent.

Basic rules applicable to Data processing for the purposes of recording the employment and wok time of the Company employees as well as other purposes being associated with legal relationship of employment and compliant to the requirements of the applicable legislation:

  1. ​The information processed for the purposes of concluding, executing and recording of the employment contracts include the employees’ names and surnames, address of the place of their residence, date of birth, number of bank account (with prior written consent of an employee) for salary transfer, and social security number;

  2. The information processed for the purposes of proper execution of the duties imposed by the applicable legislation on the Company as the employer include personal numbers of the Company’ employees, and information on employees’ marital (family) status;

  3. The information processed for ensuring adequate communication with the employees outside workhours (subject to their prior consent) include address of the place of their residence, personal phone numbers, personal e-mail addresses;

  4. Processing of the data required by the Company for ensuring proper working conditions is subject to written consent of an employee and include the information related to the employee’ health status, which directly affects the employee’s job functions and possibility of their exercise in accordance with the procedure established by the applicable legislation;

  5. At the time of employment in the Company a person shall submit to a responsible employee his/her identity document (ID card or passport). The Company collects the following data in this relation: name, surname, personal number, and date of birth;

  6. Address of the place of residence, bank account number, social security number, personal phone number and personal address of the newly employed person, subject to his/her consent, shall be drawn up by the Company from the questionnaire filled in by such employee in the form established by the Company;

  7. Employees of the Company entitled to process personal data of the Company’ employees are:

    1. Administrator of the Company (HR Manager (Specialist)) who is entitled to process the following personal data of the Company’ employees: [...];

    2. Accountant of the Company who is entitled to process the following personal data of the Company’ employees: [...];

  8. Data of the Company’ employees will be stored exclusively to the extent and for the period required for achieving the purposes established in this Paragraph of the Policy.

Basic rules applicable to Data processing for direct marketing purposes:

  1. ​Data for such purposes may be processed exclusively with a prior consent of the Data Subject, except for the cases set forth in Par 4.3 hereof;

  2. Consent of the Data Subject to processing of his/her Data for direct marketing purposes shall be expressed by his/her deliberate actions (by filling in a guest card, questionnaire, lottery form, by ticking a relevant check mark in the form, etc.). The consent shall specify the information on identity of the Data Controller and its contact details, the purpose of Data processing, the rights of the Data Subject, including the right of consent withdrawal, as well as other relevant information;

  3. No prior consent of the Data Subject shall be required if proposals are sent by the Company to the e-mail addresses indicated by customers exclusively for the marketing of the Company-offered and/or similar goods and services, and only if the customers are provided with clear, free of charge and easily exercised opportunity to disagree with such data usage provided that a customer has not initially objected to usage of such data when such proposals are submitted (e.g. ensuring the possibility to express disagreement by clicking an active hyperlink, or providing an e-mail address to which a notice may be sent by the customer on his/her disagreement);

  4. Data Controller collects the Data exclusively from the Data Subject. Data from the sources other than indicated herein are not subject to collection;

  5. Direct marketing activities are exercised by the Company through sending newsletters by e-mail;

  6. The Data processed by the Company for this purpose include the name and e-mail address. Indication of the name is optional, thus the Data Subject may not specify the name if he/she does not wish so;

  7. The Data referred to herein shall be processed by the Company until the Data Subject withdraws his/her consent, or for 5 (five) years following the receipt of the relevant consent from the Data Subject. The Company shall have the right to address the Data Subject before the relevant consent expiry asking for re-confirmation of the consent;

  8. Data Subject shall be entitled to withdraw, at any time, his/her consent to processing of the Data for direct marketing purposes, by notifying the Company thereof to e-mail address, or by clicking the link for consent withdrawal which is contained in each newsletter. Upon receipt of the request from the Data Subject to erase the Data, the Company, no later than within two business days, shall block the Data processing for direct marketing purposes and destroy (erase) all associated data.

Basic rules applicable to Data processing for access to Website (for statistical and marketing purposes):

  1. ​By visiting the Website or at the time of login the users acknowledge that they have read this Policy and gave their consent to be bound by its provisions;

  2. Each time the Website is visited, the information on the computer used for connecting to the Website and the information about visits will be collected, including IP address, and the login date and time;

  3. The Website uses cookies which contain the information being transferred to Internet browser and stored on it. Such information will be sent each time when the browser requests opening a page from the server. This allows the server to identify and monitor Internet browser;

  4. Cookies are used for statistical and marketing purposes to collect demographical data and geographical information on the browsing person (gender, age, country, city), to measure Website audience and popularity of a particular content by monitoring the time taken to find and read the relevant information, as well as to collect the information on devices used for browsing (phone, computer, etc.). Cookies are also used for recognizing a visitor as a previous visitor of the Website;

  5. Seeking to analyze the information on the Website usage, the Company uses Google Analytics and other similar tools which generate statistics and other information on the basis of cookies stored on the users’ devices. Information collected on the Website visits is used for making reports on the Website use;

         Cookie                                                     Cookie purpose description                                           Expiry

               Hs                        Used to identify unique visitor ID and monitor visitor session state across the website                  Persistent

          svSession                                                                                      Storage                                                                             Session

       XSRF-TOKEN                                                                               Storage                                                                             Persistent

  1. Website visitors may delete cookies stored on their device or block such cookies on their browser; however, certain parts of the Website in such case may not function or function inadequately;

  2. Website may contain links to other websites. The Company is not responsible for the privacy policies or practices of any third party.


Basic rules applicable to Data processing for protection of individuals and property, prevention of offences, identification of individuals held legally responsible, and detection of offences (video surveillance):

  1. Hotels guests arriving for stay are entering the video-surveillance (with no audio recording) zone (premises and territory of the hotel and restaurant). The Hotel uses CCTV cameras to track individuals and vehicles and monitor the related data. The detailed lists of the territories and premises subject to video-surveillance is available at the Hotel reception;

  2. Video-surveillance is used for protection of individuals and property, prevention of offences, identification of individuals held legally responsible and detection of offences.

  3. Video data are controlled and processed by the Company;

  4. The footage is stored for [...] months, at the end of which it is erased automatically;

  5. The footage may be presented to insurers in case of an insured event, and to the pre-trial investigation authorities as well as courts in case of offences;

  6. Information on the Hotel (specific territory) video-surveillance can be found on special notices placed in the visible locations.

Rights of Data Subjects and Procedure for Exercise thereof

Data Subject shall have the right:

  1. ​To be informed of the existence of the processing operation and its purposes;

  2. Upon presentation to the Company of identity papers, or after applying by electronic means which enable the Data Subject to be identified, to request and obtain access to his/her Data, receive the information on data processing operations, the sources of information, the data being collected, the purpose of processing, as well as obtain copies of the documents containing his/her personal data;

  3. To request rectification of incorrect, imprecise or incomplete Data;

  4. To request erasure of his/her Data when such are no longer required, or if processing thereof does not comply with the applicable regulatory requirements;

  5. To request restriction of his/her Data processing in particular case;

  6. To object to the processing of his/her Data when such Data are undergoing processing or are intended for processing for direct marketing purposes, or object to processing of any particular data related to him/her;

  7. To obtain his/her Data in computer-readable format and forward such to other data controller (‘data portability’);

  8. To lodge a complaint with a supervisory authority;

  9. To revoke his/her consent (if personal data are processed on the basis of the consent).

  10. Any other individual or entity asking for access to the personal data of the Data Subject shall present a notarized power of attorney issued in this relation. Lawyers shall be entitled to access the Data only upon submission of the relevant representation agreement or any other document proving authorizations granted to the lawyer to represent the Data Subject and only subject to indication of the Data usage purpose.

  11. The Company undertakes to provide the Data Subject with the following information (except for the cases when such information is already available to the Data Subject):

    1. Name of the company, legal entity code and registered office address;

    2. Contact information of Data Protection Officer, if any;

    3. Purpose and legal basis for processing the Data of the Data Subject;

    4. Data recipients, their categories, if any;

    5. The period for which the Data are stored, or the criteria applicable to determine such period;

    6. Other additional information (sources used to obtain the Data; Data to be submitted by the Data Subject and the consequences, where he or she does not provide such Data; the right of access to the Data which have been collected on the Data Subject, and the right to request rectification of incorrect, imprecise or incomplete Data), insofar as it is necessary for ensuring adequate processing of the Data without prejudice to the rights of the Data Subject;

    7. Information on provision of the Data to third persons, by notifying the Data Subject thereof no later than at the time when the Data is provided to such third parties for the first time, where the Data Subject has not been aware of the provision of his/her Data.

  12. The Company shall ensure that when exercising by the Data Subjects of their right to the data portability, only the data processed by automated means on the basis of a relevant contract or a consent are forwarded. In such case the Data will be provided to the Data Subject in a filed manner in a commonly used electronic computer-readable form.

  13. The Company shall provide the means for the Data Subject to exercise his/her rights, except for the cases established by the applicable legislation where there is a need for ensuring national security and defense, public order, prevention, investigation and prosecution of criminal offences, fundamental national economic or financial interest, prevention, investigation and determination of official or professional integrity breaches, protection of the rights and freedoms of the Data Subject or other individuals.

  14. Data Subject seeking to exercise his/her rights shall address the Company by e-mail at

  15. The Company shall ensure that all necessary information shall be provided to the Data Subject in a clear and intelligible manner.

  16. The Company should be obliged to respond the Data Subject at the latest within 30 (thirty) calendar days following the relevant request receipt, or give reasons in case of refusal to provide the Data to the Data Subject.

  17. The Data shall be obtained by the Data Subject free of charge. In particular cases (manifest abuse by the Data Subject of the rights, undue multiple submission of requests for information, extracts, documents), provision of such information and data may be subject to payment at the rates approved by the Company.

​Organizational and Technical Measures for Personal Data Protection

To ensure adequate Data protection the Company implements the relevant organizational and technical measures including without limitation:

  1. ​Organizing the activities in a manner to ensure secure processing and portability of computer data and/or documents and archived files;

  2. Granting access to the Data only for those employees of the Company who need such Data for performance of their work duties, have signed the relevant confidentiality undertakings and are aware of the internal procedures effective in place;

  3. In case a data processor is engaged for the Data processing, the Data Controller shall conclude a relevant agreement on the Data processing;

  4. Ensuring protection of the computer hardware and software against malicious software (e.g. by installing and updating antivirus software), and protecting the internal computer networks by installing firewalls.

Other Provisions

  1. ​This Policy is effective from the date of its approval and shall be applicable to the employees of the Company engaged in Data processing as well as the Company customers, Data processors, other interested persons and Website visitors;

  2. The Policy shall be reviewed at least once per 2 (two) years, and updated or changed, if necessary. Any changes and/or amendments to the Policy will be made available for the Data Subjects and/or other interested persons on the Website of the Company.

  3. All issues associated with the data protection and processing by the Company as well as this Policy shall be referred by the interested persons to the contact details of the Data Controller.

bottom of page