Vilnius University Privacy Policy
Vilnius University respects your privacy and the provisions set out in this Privacy Policy and the Description of the procedure for personal data processing at the University of Vilnius provide information about how the University manages your personal data. Our Privacy Policy describes, among other matters, what data and for what purposes are collected, how you can manage your data and how to contact us.
We would like to encourage you to read this Privacy Policy. If you still have questions, please do not hesitate to contact us in one of the ways indicated in the section ‘Contacts for reports and enquiries’. We may be revising this Privacy Policy in the future, therefore we suggest that you should periodically check it on the University website.
General provisions
Vilnius University processes personal data of all members of the University community: current and former employees, students, and other individuals who provided information on the basis of contractual or other legal relations as defined by law.
Your personal data are processed in accordance with the Republic of Lithuania Law on Legal Protection of Personal Data, the Republic of Lithuania Law on Electronic Communications, other related legal acts and directions of controlling authorities (for more information see the section ‘Legal acts’).
The main terms are as follows:
Personal data – any information relating to an individual that can be used to determine his/her identity either directly or indirectly by reference to factors of physical, physiological, mental, economic, cultural or social nature. Personal data include, for example, a person’s name, surname, residence address, facial image, personal code, fingerprints, retina scan, telephone number, email address, internet protocol (IP) address, vehicle registration number, etc.
Data processing – any operation or set of operations carried out with personal data. For example, collection, recording, storage, grouping, combination, alteration, publication, search, destruction, etc.
Data processing by automated means – data processing operations performed by electronic means, i.e. different information and communication means: computers, telephones, tablets, video recorders, photo cameras, etc.
Data subject – you or any other individual whose personal data are processed.
Data controller – organisation or individual who uses personal data for professional purposes, e.g., state institution, municipality, hospital, out-patient department, police, bank, credit union, insurance agency, e-shop, travel agency, school, lawyer, bailiff, notary public, etc. The controller determines the purposes and means of data processing, i.e. for what defined and lawful purposes in accordance with the legal basis and what personal data are processed, who the data are disclosed to, how the data subject’s rights are ensured, what software is used for data processing, etc.
Data processor – an organisation which performs data processing operations on behalf of the data controller. The data processor follows the instructions of the data controller.
Other terms used in the Privacy Policy are understood as defined in the General Data Protection Regulation and other legal acts.
Vilnius University is the data controller of all data collected in processes of the University activity and internal administration as well as the processor of personal data provided by the data subjects and the third parties.
What data and for what purposes are processed?
Administration of the study process
For the administration of the study process at the University (registration of the students admitted to the University, concluding study agreements, organisation and implementation of the study process, issuance of study completion documents, student records) the following data are processed:
- name, surname,
- personal code,
- date of birth,
- number of the identity document (optional),
- sex,
- place of residence (address),
- telephone number,
- email address,
- citizenship,
- marital status,
- work experience,
- social status (belonging to a socially disadvantaged group),
- military service,
- education data (name, type and code of the school graduated, year of graduation, country),
- data related to studies (study cycle, form, faculty, programme, year, semester, group, type of student, nature of funding, amount and year of the State-supported grant for studies, student card number, completed course units, form of assessment, date, evaluation of learning outcomes),
- other data in the diploma document, student identification numbers, bank account number, payments made and/or received, their amounts and dates, type of documents issued to the student, their serial number and expiration (issuance) date.
Administration of the research process
For determining the authorship of the research output, recording and evaluating the results of employee and student research (and artistic) activity, carrying out study completion procedures at the University, filing and providing documents the following data are processed:
- data subject’s name(s), surname(s),
- personal code,
- personal telephone number(s),
- personal email address,
- workplace,
- date of birth,
- institution (work or study),
- division of (work or study) institution,
- type of studies (for students),
- academic group (for students),
- study commencement date (for students, students-residents, doctoral students),
- study completion date (for students, students-residents, doctoral students),
- personnel group (for employees),
- job position, academic degree (for employees),
- date of research work commencement,
- date of research work completion and/or date of defence,
- email address,
- language of the final paper or thesis,
- topic of the final paper or thesis,
- topic of the final paper or thesis in English,
- summary of the final paper or thesis in Lithuanian and English,
- positions of the participants of the thesis defence process and data for their identification,
- access status of the final paper or thesis on the internet, time limit, date of publication,
- indication of the text-matching check of the final paper or thesis,
- significance of the text-matching check of the final paper or thesis,
- data used to identify the person who carried out the text-matching check,
- documents of the final research paper.
Internal administration and related activity
For internal administration (management of structure, management of information about current and former employees, document management, management of available material and financial resources) the following data are processed:
- name(s), surname(s),
- citizenship,
- address,
- personal code,
- date of birth,
- sex,
- photograph,
- signature,
- marital status,
- names and surnames of family members and dependents and their personal codes,
- personal social insurance (certificate) number,
- sums of wages and social insurance contributions,
- data about voluntary insurance contracts,
- dates of state insurance,
- data about participation in pension schemes,
- current account number,
- telephone number,
- email address,
- curriculum vitae,
- job position,
- data about recruitment (transfer) and dismissal, work experience, position the person desires to be appointed or transferred to,
- employees’ time-card identification number,
- data about education and qualifications,
- academic titles, identification code in the Educators Register,
- date of data input (modification),
- data about vacations,
- data about business trips,
- data about individual work schedule,
- data about wages, benefits, compensations, allowances,
- information about work periods,
- information about incentives and penalties, official misconduct and breach of work duty,
- data about employees’ performance evaluation,
- data about declaration of public and private interests,
- specific personal data related to person’s health,
- data about criminal conviction (for specified positions),
- number(s) of passport and personal identity card, date of issue, date of expiry, authority issuing the document,
- document registration date and number,
- previous employment and position(s),
- former surname,
- numbers of education certificates,
- other personal data provided by the person.
Security of library users and property
For ensuring the security of employees, students and other individuals who visit the University Library as well as the property of the University and the Library the following data are processed:
- name(s), surname(s),
- personal code,
- data for the processing of reader, employee and student identity cards.
Authentication of information systems
For authenticating the information systems the following data are processed:
- data subject’s name(s), surname(s),
- personal code,
- personal telephone number(s),
- personal email address,
- assigned user name,
- data for reminding of the password.
Administration of user account and identity check
For administering the user account and identity check the following personal data are used:
- data subject’s name(s), surname(s),
- personal code,
- academic degree (if any),
- student card number (for students),
- employee’s time-card identification number (for employees),
- email address,
- (work or study) institution.
Organisation of conferences and other events
For organising conferences and other events the following data are processed:
- data subject’s name(s), surname(s),
- personal code,
- personal telephone number(s),
- current account number (for natural persons transferring payments),
- personal email address,
- workplace,
- date of birth,
- (work or study) institution,
- division of (work or study) institution,
- job position,
- academic degree,
- email address,
- language of final paper or thesis,
- summary of final paper or thesis in Lithuanian and English,
- nature of access to final paper or thesis on the internet, time limit, date of publication,
- data used to identify the person who carried out the text-matching check,
- data of the identification documents used to determine personal identity of the conference participant.
Financial settlements
For financial settlements with natural persons who are not employed by the University, with legal persons providing services and persons carrying out registered individual activity the following data of data subjects are processed:
- data subject’s name(s), surname(s),
- personal code,
- telephone number(s),
- current account number (for natural persons transferring payments),
- email address,
- represented organisation or institution,
- position,
- academic degree,
- identity document data used for the identification of a person.
Administration of candidate selection
For the administration of candidate selection the following data are processed:
- data provided in the curriculum vitae,
- data subject’s name(s), surname(s),
- personal code,
- photograph,
- personal telephone number(s),
- email address(es) for contact,
- current and previous workplace,
- date of birth,
- (current or previous) study institution,
- position,
- academic degree,
- other personal data voluntarily provided by the candidate.
Investigation of personal complaints, requests and applications
For the investigation of personal complaints, requests and applications the following data are processed:
- name(s), surname(s),
- personal code,
- address,
- telephone number,
- email address,
- signature,
- date and number (number of registration in the University Document Management System) of the complaint, request or application,
- information (including specific personal data) provided in the complaint, request or application,
- outcome of the investigation of the complaint, request or application,
- information obtained during the process of investigation of the complaint, request or application,
- date and number of the University’s reply to the complaints, requests or applications.
Public order and passage control
To ensure the security of employees, students and other visitors to the University and the property of the University the following data are processed:
- name, surname,
- signature,
- personal code,
- video records of security cameras, and photographs.
Video surveillance at the University is carried out in order to ensure the security of persons, property and visitors as well as public order on the premises and territory of the University. Information is collected for the investigation of related incidents as well.
Security cameras film the courtyards on the University territory, entrances to the University buildings, common areas of use, areas of concentration of equipment of network or engineering systems (server rooms, communication nodes, control panels of the building management system, etc.).
Communication with employees
To ensure appropriate communication with employees, including time off work and in emergencies, the following data are processed:
- name(s) and surname(s) of the employee and his/her contact person for emergencies,
- contact telephone number,
- residence address,
- email address.
Communication with alumni
To ensure appropriate communication with alumni, the following data are processed:
- contact person’s name(s), surname(s),
- contact telephone number,
- date of birth,
- email address,
- represented enterprise, job position.
The mobile app
The mobile app “Vilnius University Library”
The mobile app “Vilnius University Library” processes the following user data:
- user account data (contact person’s name, surname, unique identifier),
- user’s selected language (Lithuanian, English),
- history of recent searches in the virtual library made using the mobile app,
- if user subscribes to library news,
- if user consents to receive reminders about ordered and borrowed publications and other indebtedness,
- if user consents to provide anonymous app usage statistics.
The mobile app allows users to log in with a VU community member’s account or an outside user account. A cookie _vubauth, necessary for the authorisation of the mobile app, is generated in the device when logging in. The cookie contains the identifier of the app and the type of login, as well as the type of data to which access is requested, and technical information necessary for obtaining an access token. This cookie is valid until the browser window closes. When logging in with a VU community member’s account or an outside user account, session cookies are generated in the user’s device.
After successful authorisation, a unique access token which allows the mobile app to access user data is generated and stored in both the user’s device and the university servers. This token is valid for three days and can be periodically renewed by the refresh token which is valid for one month. Every time tokens are refreshed, their period of validity is extended.
The mobile app sends encrypted HTTPS requests to the university servers where the information of loaned items, fines for overdue items, item requests, reminders, performed searches and other relevant information is collected and processed.
The IP address, time, type and status of the request, as well as the type of the device that sent the request is stored in the server journal for up to 2 years for the purpose of aggregating statistics and improving the service.
The mobile app uses Firebase Cloud Messaging and Google Analytics for Firebase services.
The Android OS version of the mobile app has a Google Play Services integration, which is necessary for providing the said services.
Depending on the operating system and the user’s consent, the app can register an instance ID on Google’s servers and store it in the user’s device. This identifier is linked with the app and the specific device which the app is installed on. The mobile app can also register tokens on Google’s servers which are then stored in the university servers. These tokens are used for the following purposes:
- sending news notifications and reminders about loaned items,
- collecting app usage statistics.
These consents can be cancelled at any time in the app settings.
More information on identifiers registered in the app and what user data is collected, stored and processed by Google can be found in the Firebase privacy policy: https://firebase.google.com/support/privacy/.
Google privacy policy: https://policies.google.com/privacy.
Marketing communications
For marketing communications, based on data processor and services agreements, we use the MailerLite cloud platform, created, developed and managed by UAB MailerLite, company code 302942057, address Paupio g. 46, Vilnius. The Company's privacy policy and information about the cookies used can be found at https://www.mailerlite.com/legal/cookie-policy.
Who is your data disclosed to?
Personal data may be disclosed to the following parties:
- enterprises providing services upon the request of the University, e.g. Lithuanian postal services;
- banks carrying out settlement operations for the University;
- Ministry of Education and Science and Education ITC managing the registers of students, teaching staff, diplomas and qualification certificates;
- other organisations and state institutions (State Social Insurance Fund, State Tax Inspectorate, Information Society Development Committee under the Ministry of Communications), when it is required by law or when it is necessary in order to protect our information society services;
- state information systems such as Lithuanian Academic Electronic Library (eLABa), National Open Access Research Data Archive (MIDAS), National Career Management Information System (KVIS).
The above mentioned enterprises or institutions have only a limited possibility to use your data, because they may not use this information for any purposes other than for providing services to the University.
We may disclose your personal data to other parties in the following cases:
- in order not to violate the law or in accordance with the mandatory requirement of the legal process (e.g. after receiving a legal order or a search warrant or any other court decision);
- to confirm the legality of our operations;
- to protect the rights, property or security of the University;
- in other cases upon your consent or your lawful request.
The University may engage the following data processors in personal data processing: enterprises providing data centre, hosting, cloud computing, website administration and related services, enterprises providing document archiving services, enterprises providing advertising and marketing services, enterprises creating, providing, supporting and developing software, enterprises providing IT infrastructure services, enterprises providing communication services, enterprises providing consultations, enterprises carrying out analysis of internet searches or activity of the internet and providing services. Our aim is that service providers should comply with the General Data Protection Regulation, laws, Vilnius University Privacy Policy and other mandatory requirements of legal acts. The relations between the University as the data controller and a particular data processor are specified in a written agreement or written terms, except in cases when such relations are determined by law or other legal acts.
What do we do to protect your information?
We have implemented reasonable and relevant physical and technical measures to protect the information collected for the purposes of content/service provision. However, you should be aware that, even though we take appropriate action to protect your information, no website or internet operation, computer system or wireless connection is completely secure.
Personal data processing at the University complies with the legal requirements, i.e. your data are only stored for the period that is necessary for the purposes for which the data were collected or for the period determined by legal acts. This means that information shall be deleted when it is no longer necessary for the purposes for which it was collected.
Your rights
Our website provides a simplified procedure of the implementation of your rights. We acknowledge the supremacy of legal acts, the Republic of Lithuania Law on Legal Protection of Personal Data and General Data Protection Regulation 2016/679 (GDPR).
You have the following rights:
- to ask the University to provide information about your personal data processed by the University and the purposes of processing;
- to ask to rectify incorrect, incomplete or inaccurate personal data and/or suspend the processing of such personal data when after checking you establish that the data are incorrect, incomplete or inaccurate;
- to restrict your personal data processing until the lawfulness of their processing is checked upon your request;
- to request to erase personal data (the right to be forgotten);
- to object to the processing of your personal data for direct marketing purposes, including profiling;
- to ask for your personal data to be transferred to another data controller or to be provided directly to you in a commonly used form (it applies to the personal data provided by yourself and processed by automated means upon consent or upon concluding and implementing a contract);
- to withdraw your consent without affecting the use of your personal data executed before the withdrawal of consent.
The University may not provide the data subjects with the conditions for exercising the above rights in the cases laid down in laws when it is necessary to ensure prevention, investigation and detection of criminal offences, violations of official or professional ethics as well as protection of the rights and freedoms of the data subject or other persons.
How will you execute your rights?
- In order to exercise their rights, data subjects submit a personal written request or complaint relating to the personal data processing issues addressed to the University data protection officer.
- A data subject may submit a written request or complaint in person at the University stem division processing the data subject’s data or at the Document Management subdivision of the Lawmaking division of the University Central Administration (Room 111, 3 Universiteto St., Vilnius), or at the Information Technologies Assistance division of the Information Technology Service Centre (Room 106, Connecting Building, 9 Saulėtekio al., Vilnius), as well as by registered post or via the National information system for delivery of electronic messages and electronic documents eDelivery.
- The request or complaint must contain a return address for correspondence. Requests and complaints sent by unregistered post or lacking a return address are investigated in line with general procedures but not replied to in writing.
- The request must be legible and signed, must contain the data subject’s name, surname, residence address and other contact details to maintain communication of the preferred form, information specifying the data subject’s right and the requested scope of its implementation.
Upon submission of the request the data subject must confirm his/her identity:
- when submitting his/her request the data subject must show a document certifying his/her identity to the controller’s or processor’s employee who is registering the request;
- when sending the request by post or messenger the data subject must also submit a copy of the document certifying his/her identity approved by a notary public or by equivalent or simplified procedure as established in the Civil Code of the Republic of Lithuania and other legal acts;
- when sending the request via the National information system for delivery of electronic messages and electronic documents eDelivery the identity of the data subject is confirmed by the secure electronic signature in accordance with the requirements of Article 26 of Regulation (EU) 910/2014.
- A data subject may exercise his/her rights personally or through a legally authorized representative.
- If a representative applies on behalf of the represented data subject, he/she must provide his/her name, surname, place of residence, contact details for communication, as well as the represented individual’s name, surname, place of residence, information specifying the data subject’s right and the scope of exercising requested and attach a document confirming representation or a copy of the document approved in accordance with the procedures set by legal acts. The representative’s request must satisfy the same requirements as set out for the request of the individual represented.
We will provide a reply to your request within 30 (thirty) calendar days from the date of the receipt of the request. In exceptional cases which require additional time, we will notify you and will have the right to extend the period for the provision of requested data or investigation of other requirements listed in your request for up to 60 (sixty) calendar days from the date of your enquiry.
The information requested will be provided to you free of charge. In cases when your requests are unjustified or disproportionate due to their repetitive content, the University may refuse to take action upon your request.
Cookies
We collect the data of our website visitors in accordance with the Republic of Lithuania Law on Legal Protection of Personal Data, the Republic of Lithuania Law on Electronic Communications, other related legal acts and directions of controlling authorities.
We have to draw your attention to the fact that the University websites may contain links to social networks and webpages of other enterprises or organisations. The University privacy and cookies policy applies only when you are visiting the websites of the University and its divisions.
The University does not take responsibility for the content of the webpages of the third parties or their principles of privacy protection. If you use a link on the University website to access other websites, you have to check their privacy policy.
When administering the websites and diagnosing disruptions in the work of the University webpage servers we record the visitors’ computer IP addresses and operations on the webpages. The IP address is a unique code identifying a computer in the networks. This code and the sequence of operations on webpages may be used to identify a visitor and collect different statistical information. This information is collected in compliance with the requirements of cyber security and information security regulation.
In order to ensure the quality of services provided and the operation of the website, we use cookies on the University webpages and collect information about the use of services.
When you subscribe to the University newsletters, we collect the basic information necessary for the identification of the user that you provide in the registration form, i.e., name, surname, email address and IP address.
We safeguard the data collected about the visitors of the University websites against loss, unlawful use and alterations. The University employees sign a written commitment not to disclose or disseminate information obtained in their work about the website visitors to the third parties.
The University websites use technical cookies which have been designed and are used directly (without interference of the third parties) for the transfer of this website information through the electronic communication network. Technical cookies are not used for any other purposes. This data processing does not allow you to be identified directly or indirectly. The University retains the right to disclose anonymous statistical information to the third parties.
List of Cookies
Cookie Name | Description | Moment of creation / Expiration time |
_utma | A tracking cookie from Google Analytics. Information to the server is sent anonymously. Cookies identify unique users and keep track of their sessions. | When your browser loads the webpage / 2 years |
_utmx | A tracking cookie from Google Analytics used to determine a user's inclusion in an experiment. | When your browser loads the webpage / 18 months |
_utmxx | A tracking cookie from Google Analytics used to determine the experiments a certain user has been included in. | When your browser loads the webpage / 18 months |
_utmz | A tracking cookie from Google Analytics. Information to the server is sent anonymously. | When your browser loads the webpage / |
_gid, _ga | A tracking cookie from Google Analytics used to distinguish users (2 years) | When your browser loads the webpage / 2 years |
dc_gtm_UA-XXXXX, NID, IDE, DSID | Google cookies which serve to provide personalised offers | When your browser loads the webpage / 2 years |
language, _icl_current_language, pll_language | Language cookies used to identify the preferred language of the webpage. | When your browser loads the webpage / 2 years |
SimpleSAMLAuthToken, SimpleSAMLSessionIDSSO (SimpleSAMLphp), joomla_user_state cookies | Cookies store information about an active session confirmed by the user (only for registered users) | When your browser loads the webpage / |
_pk_id.X.XXXX, _pk_ref.X.XXXX, _pk_ses.X.XXXX | Piwik cookies are used to collect the statistics on the webpage visitors’ behaviour | When your browser loads the webpage / 1 year |
reDimCookieHint | A cookie used to identify if the user has accepted our privacy policy. | When your browser loads the webpage / Unlimited |
wplc_chat_status | Chat helper cookie | When your browser loads the webpage / |
fr | Facebook cookie for advertising. It is used for statistical analysis and repeated redirection in Facebook or other Facebook Advertising platforms | When your browser loads the webpage / 6 months |
_fbp | Facebook cookie. It collects technical data about visitors' behavior, IP address | When your browser loads the webpage / 1 year |
SYNC, GUID, TradeDoublerGUID | TradeDoubler system cookie. It helps to link user's actions on the site with advertising | Generated after user does specified actions on the site. For example, subscribes to newsletter / 1 year |
lidc | LinkedIn cookie. Used for routing | Share buttons and ad tags / 1 day |
bcookie, bscookie | LinkedIn cookie. Browser ID cookie; Secure browser ID cookie | Share buttons and ad tags / 1 year |
gtag.js | Google cookie, used for advertising to identify users and interactions with the site | Generated after user enters the site/ Valid for up to 540 days |
Contacts for reports and enquiries
For consultation:
If you have any questions concerning the information provided in this Privacy Policy or the protection of your personal data and execution of your rights at the University of Vilnius, please contact the University data protection officer Viktoras Bulavas by any of the following means:
- via the National information system for delivery of electronic messages and electronic documents eDelivery;
- email: ;
- telephone +370 236 6200;
- postal address: 3 Universiteto St., LT-01513 Vilnius, Lithuania.
For submission of requests or complaints:
- Employees submit requests or complaints concerning the execution of data subject’s rights via the University Document Management System “Avilys”. A request can be submitted as follows: “Templates” → “New internal document template” → “Request concerning personal data protection”.
- Former employees, current and former students, other data subjects submit requests or complaints addressed to the University data protection officer in writing at the University stem division processing personal data in which they study (studied), worked or have (had) other contractual relations.
- Requests can also be submitted at the Document Management subdivision of the Lawmaking division of the University Central Administration (Room 111, 3 Universiteto St., Vilnius), or at the User Service subdivision of the Information Technologies Assistance division of the Information Technology Service Centre (Room 106, Connecting Building, 9 Saulėtekio al., Vilnius).
Final provisions
This Privacy Policy may be renewed in order to correct errors or to comply with the new legal acts or technical requirements. The latest version of this Privacy Policy will always be available on the University website. In case of updates of the provisions of the Privacy Policy which we consider essential, you will be informed about them on the internet website and by other means.