1. PERSONAL DATA CONTROLLER

UADBB "Legator" (hereinafter referred to as the Company) is the controller of the personal data processed within it, ensuring that personal data in the Company is processed in accordance with the personal data protection requirements applicable to data controllers.

Information about the Company: UADBB "Legator", legal entity code 145347184, registered address Žemaitės g. 60, Šiauliai, Lithuania, place of business address Panerių g. 38A, Vilnius, Lithuania.

Website address www.legator.lt, email info@legator.lt, phone +370 5 2159227.

The Privacy Policy has been drawn up in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the GDPR).

The Privacy Policy provides information on the purposes of personal data processing in the Company, the conditions for lawfulness, the personal data processed by the Company, their origin, retention periods, purposes of provision, the procedure for exercising data subjects' rights, and data recipients.

2. EXERCISE OF DATA SUBJECTS' RIGHTS

You, as a data subject, have the right to contact the Company regarding matters related to the processing of your personal data, i.e. you have the following rights:

  • the right to receive information about data processing;

  • the right of access to data;

  • the right to request rectification of data;

  • the right to request erasure of data ("right to be forgotten");

  • the right to restrict data processing;

  • the right to data portability (where data is processed by automated means);

  • the right to object to the processing of personal data (where personal data is processed on the basis of your consent and/or on the basis of legitimate interest);

  • the right to request that no decision based solely on automated processing, including profiling, be applied to you.

You have the right to contact the Company regarding the exercise of data subject rights verbally or in writing, by submitting a request in person, by post, or by email at dap@legator.lt. If you contact the Company verbally or submit a written request in person regarding the exercise of data subject rights, you must confirm your identity by presenting an identity document, if the Company has doubts about your identity. If this is not done, the data subject's rights will not be exercised.

When contacting the Company in writing regarding the exercise of your rights, it is recommended to submit a request using this form.

Upon receipt of your request, the Company shall, no later than 1 (one) month from the date of receipt of the request, provide you with information on what actions have been taken in response to the request. If there is a delay in providing the information within the specified period, you will be informed of this, stating the reasons for the delay and the possibility of lodging a complaint with the State Data Protection Inspectorate.

3. PURPOSES AND CONDITIONS FOR LAWFUL PROCESSING OF PERSONAL DATA IN THE COMPANY

The Company, acting as a data controller, processes your personal data for the following purposes:

For your servicing during pre-contractual relations without submitting commercial offers. The legal basis for processing personal data is that processing is necessary in order to take steps at your request prior to entering into a contract (Article 6(1)(b) of the GDPR):

  • providing and administering responses to your enquiries prior to entering into a contract.

For the conclusion and performance of a Commission Agreement for the provision of insurance intermediary services. The legal basis for processing personal data is that processing is necessary for the performance of a contract (Article 6(1)(b) of the GDPR):

  • conclusion of a Commission Agreement for the provision of insurance intermediary services;

  • assessment of your insurance needs and submission of a proposal for the conclusion of an insurance contract;

  • administration of insured events under the insurance contract concluded by the Data Subject;

  • fulfilment of other obligations assumed under the Commission Agreement for the provision of insurance intermediary services.

For the conclusion and administration of an insurance contract. The legal basis for processing personal data is that processing is necessary for the performance of a contract (Article 6(1)(b) of the GDPR):

  1. conclusion of an insurance contract;

  2. fulfilment of other obligations assumed by the Company under the insurance contract being concluded.

For the conclusion and performance of other contracts. The legal basis for processing personal data is that processing is necessary for the performance of a contract (Article 6(1)(b) of the GDPR).

For monitoring and improving the quality of services provided by the Company. The legal basis for processing personal data is your consent to the processing of personal data (Article 6(1)(a) of the GDPR):

  1. publishing and administering your reviews of the Company's services on the website www.legator.lt.

For risk assessment in the context of international sanctions. The legal basis for processing personal data is that processing is necessary for compliance with a legal obligation applicable to the Company, established in point 8 of the Guidelines on the Implementation of International Sanctions for Financial Market Participants approved by Resolution No. 03-98 of the Board of the Bank of Lithuania of 30 May 2023 (Article 6(1)(c) of the GDPR).

The Company, acting as a data processor, processes your personal data for the following purposes:

For the conclusion and performance of an insurance contract. The legal basis for processing personal data is that processing is necessary for the performance of a contract (Article 6(1)(b) of the GDPR):

  • submission of the insurance company's proposal for the conclusion of an insurance contract;

  • conclusion of an insurance contract between the insurance company and you;

  • fulfilment of other instructions of the insurance company as data controller.

4. PERSONAL DATA PROCESSED BY THE COMPANY AND RETENTION PERIODS

The Company, as a data controller, for the purpose of servicing persons during pre-contractual relations without submitting commercial offers, processes the following personal data:

  • first name, surname;

  • email address, phone number.

The Company, as a data controller, for the purpose of performing the Commission Agreement for the provision of insurance intermediary services, processes the following personal data (depending on the type of insurance contract and the scope of your mandate to the Company):

  • identification and contact data (first name, surname, personal identification number, position, representative's position, first name, surname, residential address, phone number, email address, etc.);

  • data required for the assessment of insurance needs (depending on the type of insurance contract desired: active leisure/sports activity, information about travel to foreign countries (territory, duration) and data required for assessing travel insurance risk, information about the level of capacity for work, data on income received, etc.);

  • insurance contract and insurance certificate data (data and copies of insurance contracts and certificates and related documents, type of insurance, insurance certificate series and number, effective date, expiry date of the insurance certificate, expiry date of the granted power of attorney, insured sum, premium amount, date of insurance premium payment, amount of insurance premiums received, premium payment document number, insurance period, name of the insurance company (insurer), etc.);

  • insurance premium payment and account data (payer's first name, surname, purpose of payment, payment deadline, premium amount, payment date, payment order number, whether the premium is paid directly to the insurance company (insurer), bank account number, policyholder's debt, whether payment of the premium has been deferred, data on the validity of certificates (valid/invalid/cover suspended/terminated), amount of debt, etc.);

  • data in reports generated by the Company for insurers (insurance certificate number, date, type of insurance, policyholder's first name, surname, personal identification number, premiums paid/unpaid, method of payment (cash, bank transfer, card), etc.);

  • insured object data (depending on the type of insurance contract: list of insured property, address of insured property, unique number, year of construction, vehicle registration numbers, vehicle registration certificate data and copy, vehicle make/model, type, engine displacement, engine cylinder displacement, registration number, body number and type, identification number, year of manufacture, purpose of use, number of doors and seats, alarm level, security system, vehicle technical inspection results report, photographs of insured property, data on property damage, real estate register extracts and data contained therein, property valuation reports and data contained therein, information on property security, etc.);

  • identification and contact data of the insured property owner (first name, surname, residential address, phone number, email address, etc.);

  • insured event data (factual circumstances of the event, certificates from relevant institutions, services and authorities, incident declarations, etc.);

  • identification and contact data of insured persons and beneficiaries (insured person's first name, surname, personal identification number, date of birth, age, residential address, phone number, email address, bank account number (to which the insurance benefit is to be paid), document name, etc.).

The Company, as a data controller, for the purpose of concluding and administering insurance contracts, processes the following personal data (depending on the type of insurance contract):

  • identification and contact data (first name, surname, personal identification number, position, representative's position, first name, surname, residential address, phone number, email address, etc.);

  • insured object data (depending on the type of insurance contract: insured object, its purpose, city or region where the insured object is located, unique number, year of construction, object purpose, building construction type, value, condition, method of construction, area, vehicle registration numbers, vehicle registration certificate data and copy, vehicle make/model, type, engine displacement, engine cylinder displacement, registration number, body number and type, identification number, year of manufacture, purpose of use, number of doors and seats, alarm level, security system, information on property security, vehicle technical inspection results report, photographs of insured property, data on property damage, real estate register extracts and data contained therein, property valuation reports and data contained therein);

  • insurance premium payment, account request and debt obligation data (payer's first name, surname, purpose of payment, payment deadline, premium amount, payment date, payment order number, whether the premium is paid directly to the insurer, bank account number, policyholder's debt, whether payment of the premium has been deferred, amount of policyholder's debt, amount of discount granted, etc.);

  • identification and contact data of the insured property owner (first name, surname, residential address, phone number, email address, etc.);

  • insurance contract/insurance certificate data (depending on the type of insurance contract: deductible amount, risk factors, insured risks, insurance period, place of insurance, insured sum, deductible amount, insurance premium amount, insurance certificate number, certificate ID number, type/group of insurance risk, insurance group, insurance coverage territory, insurance certificate issue date, insured events, driving experience, whether the contract was concluded through an insurance broker, insurance options, additional conditions of insurance cover, purpose of travel, name of destination country, risk group, number of payments made, number of insured persons, additional risk, insurance contract number, balance of unused funds, whether the premium will be credited upon termination of the insurance contract, building insurance option, data on the validity of insurance contracts (valid/invalid/cover suspended/terminated), etc.).

The Company, as a data controller, for the purpose of concluding and performing other contracts, processes the following personal data:

  • where the contract is concluded with a natural person: first name, surname, date of birth or personal identification number (where required by applicable legislation for a specific type of contract), residential address, email address, mobile or fixed telephone number, information/financial data transmitted together with payment (bank account number, transaction amount, date and other financial data transmitted with the payment), individual activity certificate number, business certificate number or farmer's certificate number (where the contract is concluded with a person engaged in commercial activity);

  • where the contract is concluded with a legal entity: the first name, surname, position, email address and phone number of authorised representatives (directors, attorneys) and/or employees of the legal entity participating in the performance of the contract (for administrative, supervisory or control purposes).

The Company, as a data controller, for the purpose of monitoring and improving the quality of services provided by the Company, processes the following personal data:

  • first name, surname;

  • position;

  • image;

  • data related to the confirmation and validity of this consent (first name, surname, fact and date of confirmation/withdrawal).

The Company, as a data controller, for the purpose of risk assessment of persons in the context of international sanctions, processes the following personal data:

  • where a natural person is being assessed: first name, surname, date of birth, nationality, country of residence, profession/main area of activity/source of funds and assets, information about connections with high-risk countries, and other personal data necessary for carrying out the risk assessment;

  • where a legal entity is being assessed: first name, surname, and position of persons authorised to represent the legal entity in its relations with third parties, as well as persons participating in the administrative, supervisory and/or control work of the legal entity, and other personal data necessary for carrying out the risk assessment.

The Company, as a data processor, for the purpose of concluding and performing insurance contracts, processes the following personal data (depending on the type of insurance contract and the instructions of the insurance company as data controller to the Company):

  • identification and contact data (first name, surname, personal identification number, position, representative's position, first name, surname, residential address, phone number, email address, etc.);

  • data required for submitting the insurance company's insurance proposal and concluding an insurance contract (depending on the type of insurance contract desired: vehicle make, model; vehicle registration number; vehicle body number; vehicle year of manufacture; insured object, its purpose, building construction type; city or region where the insured object is located; unique number of the insured object, year of construction or manufacture, value, condition, area; health data, active leisure/sports activity, information about travel to foreign countries (destination country, duration of travel, purpose, coverage territory), profession and other data);

  • insured object data (depending on the type of insurance contract: insured object, its purpose, city or region where the insured object is located, unique number, year of construction, object purpose, building construction type, value, condition, method of construction, area, vehicle registration numbers, vehicle registration certificate data and copy, vehicle make/model, type, engine displacement, engine cylinder displacement, registration number, body number and type, identification number, year of manufacture, purpose of use, number of doors and seats, alarm level, security system, information on property security, vehicle technical inspection results report, photographs of insured property, data on property damage, real estate register extracts and data contained therein, property valuation reports and data contained therein);

  • insurance premium payment, account request and debt obligation data (payer's first name, surname, purpose of payment, payment deadline, premium amount, payment date, payment order number, whether the premium is paid directly to the insurer, bank account number, policyholder's debt, whether payment of the premium has been deferred, amount of policyholder's debt, amount of discount granted, etc.);

  • identification and contact data of the insured property owner (first name, surname, residential address, phone number, email address, etc.);

  • insurance contract/insurance certificate data (depending on the type of insurance contract: deductible amount, risk factors, insured risks, insurance period, place of insurance, insured sum, deductible amount, insurance premium amount, insurance certificate number, certificate ID number, type/group of insurance risk, insurance group, insurance coverage territory, insurance certificate issue date, insured events, driving experience, whether the contract was concluded through an insurance broker, insurance options, additional conditions of insurance cover, purpose of travel, name of destination country, risk group, number of payments made, number of insured persons, additional risk, insurance contract number, balance of unused funds, whether the premium will be credited upon termination of the insurance contract, building insurance option, data on the validity of insurance contracts (valid/invalid/cover suspended/terminated), etc.).

The Company processes personal data that you voluntarily provide to the Company by regular post, registered post, email, telephone, via the enquiry form on the website www.legator.lt, or by visiting the Company's registered office or other place of service provision in person.

Personal data retention periods where the Company acts as a data controller:

  • personal data for the purpose of servicing persons during pre-contractual relations is retained for 3 years from the date of receipt of the personal data;

  • for the purpose of performing the Commission Agreement for the provision of insurance intermediary services, where an insurance contract was concluded between you and the insurance company, as well as for the purpose of concluding and performing insurance contracts and other contracts, personal data is retained for the duration of the contract and for 10 years after the contract expires. If no insurance contract was concluded between you and the insurance company, personal data is retained for 3 years from the moment of receipt of the personal data;

  • accounting documents confirming a business transaction or business event (invoices, payment orders, advance expense reports, cash receipt and expenditure orders, etc.) are retained for 10 years;

  • personal data for the purpose of monitoring and improving the quality of services provided by the Company is retained for 5 years from the date of publication of the review on the website www.legator.lt, unless consent is withdrawn earlier. You have the right to withdraw your consent by submitting a notification by email to dap@legator.lt;

  • personal data for the purpose of risk assessment of persons in the context of international sanctions is retained for the duration of the assessment and for 8 years after the end of the business relationship or the completion of a one-off transaction or assessment, if no transaction was carried out. This period may be extended by a reasoned instruction from a competent authority.

Upon expiry of the retention period of a document containing personal data, a decision is made regarding its destruction and the document is destroyed in accordance with the procedure established by the Law on Documents and Archives of the Republic of Lithuania.

The Company, acting as a data processor, retains personal data for the period established by the data controllers.

5. TRANSFER OF PERSONAL DATA

Information received from you as a data subject is administered and used solely for the purposes set out in the Privacy Policy.

Information received from you as a data subject may not be disclosed to third parties without a lawful basis, except to persons who participate in or contribute in any way to the performance or provision of the services you have ordered. Your personal data may also be transferred to data processors or joint data controllers with whom the Company has concluded Personal Data Processing or other agreements addressing the requirements for personal data processing and security. In such cases, legal liability for a personal data processing breach or loss shall be borne by the data processor or data controller responsible for the breach or damage. In other cases, personal data may be disclosed to third parties only where required or mandated by law. Personal data may also be transferred to public administration and law enforcement authorities where such an obligation is established for the Company by law.

In order for the Company to provide you with services, data may be provided to:

  • insurance companies with which we work (AAS "BTA Baltic Insurance Company", AB "Baltic Underwriting Agency", ADB "Compensa Vienna Insurance Group", ADB "Compensa Life Vienna Insurance Group", ERGO Insurance SE operating through the Lithuanian branch of ERGO Insurance SE, ERGO Life Insurance SE, Balcia Insurance SE Lithuanian branch, etc.);

  • MB "Gemma Alba", providing accounting services;

  • where it is established that international sanctions apply to a person — to the Financial Crime Investigation Service and/or the Bank of Lithuania.

6. FINAL PROVISIONS

If you have any questions related to personal data protection, please contact us by phone at +370 5 215 9227 or by email at dap@legator.lt.

The Company reserves the right to amend this Privacy Policy, and therefore kindly asks you, as visitors to the website, to check whether the Privacy Policy has changed and to familiarise yourself with any amended and/or new provisions of the Privacy Policy.

Amendments or changes to the Policy take effect from the date of their publication on the website.

Privacy Policy last updated on 30 March 2026.
