Updated 2018-12-28


This Privacy Policy (hereinafter – the Policy) details how the Invalda INVL group of companies (hereinafter – the INVL Group) processes personal data and how cookies are used on its companies’ websites and self-service portals. It also describes the basic rights of a Data Subject which are enshrined in data protection legislation.

This Policy applies to the mutual relations of the INVL Group and persons who use, have used or have expressed the intention to use, or who are in any way associated with, the services and/or activities of the INVL Group, and/or who are shareholders of one or more INVL Group companies, and/or who are associated with target companies in which collective investment undertakings of the INVL Group invest.

The INVL Group shall ensure the confidentiality of personal data in keeping with the requirements of applicable legislation and the implementation of appropriate technical and organisational measures to protect personal data from unlawful access, disclosure, accidental loss, alteration or destruction, or other unlawful processing. In processing personal data, the INVL Group shall abide by the General Data Protection Regulation, the Law on Legal Protection of Personal Data, and other legal acts regulating this area.

Note that in the future this Policy may be modified in light of changes to legislation or INVL Group activities, hence its periodic review is encouraged.


A Personal Data Subject (hereinafter – Data Subject) in the INVL Group is a natural person (who uses, has used or has expressed the intention to use services provided by the INVL Group and/or is a shareholder of one or more INVL group companies) or a person associated with such a person (their representative, spouse, partner or the like). Also deemed a Data Subject is a natural person associated with a legal person that is an INVL Group client and/or shareholder and/or target company in which collective investment undertakings of the INVL Group invest, for example a manager, shareholder, true beneficiary or the like of such a legal person.

The INVL Group (hereinafter – INVL) is any company belonging to the INVL Group that acts as a Personal Data Controller. In the context of this Policy, INVL may refer to AB Invalda INVL, UAB INVL Asset Management, UAB FMĮ INVL Finasta, UTIB INVL Baltic Real Estate, UTIB INVL Technology, AB INVL Baltic Farmland, UAB “Mundus”, turto valdymo bendrovė, or all of these companies together.

A Personal Data Controller is a company belonging to the INVL Group whose services you use, have used or have expressed the intention of using, or whose shareholder you are or with whose activities you are associated. The list of INVL companies and their contact details are published on the website invaldainvl.com.

A Personal Data Processor is a natural or legal person who processes personal data in the name of or on behalf of a Personal Data Controller.

Personal Data is any information relating to a natural person (Data Subject) whose identity is known or can be directly or indirectly established by use of such data as a personal identification number or one or more factors specific to the physical, physiological, psychological, economic, cultural or social identity of that person.

Biometric Data is personal data (in this case a Data Subject’s facial image) resulting from specific technical (facial image and identity document) processing, based on which the identity of a Data Subject can be determined and/or confirmed.

Personal Data Processing is any action performed with personal data: collection, recording, storage, classification, grouping, combination, alteration, provision, publication, use, logical and/or arithmetic operations, search, dissemination, destruction, or another action or set of actions.

The General Data Protection Regulation (hereinafter – GDPR) is Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Other terms used in the Policy are understood as they are defined in the GDPR and other legal acts.


Depending on the services or products which a Data Subject intends to use or does use, INVL processes different categories of personal data. Personal data may be obtained directly from a Data Subject, from activities of the Data Subject in using services or INVL websites, and from external sources such as registers and other third parties (for example, the State Social Insurance Fund Board, registers of debtors and legal persons when the Data Subject is a shareholder, etc.), if INVL has the consent of the Data Subject or legal acts authorise that.

If a Data Subject does not agree to provide their personal data, provision of INVL services to them may be refused.

If a Data Subject provides INVL with data of other persons associated with them, the Data Subject must obtain those persons’ consent and acquaint them with this Policy.

2.1 Main Personal Data Categories

The main categories of personal data include but are not limited to:

  • Personal identity data, such as name, surname, personal code, date of birth, and personal identity document data;

  • Contact details, such as address, telephone number and e-mail;

  • Data regarding education and professional activities;

  • Financial data, such as data regarding property, income and obligations;

  • Bank account data;

  • Financial experience and investment objectives;

  • Data related to implementing the Know Your Client principle, such as data regarding the origin of funds, true beneficiaries, country of tax residency, citizenship, and information about a Data Subject’s participation in politics;

  • Data about a Data Subject’s loved ones, such as information about close family members’ participation in politics;

  • Data related to the provision of services and to customers’ satisfaction with them, such as data regarding the performance or non-performance of agreements, agreements entered into, agreements which are in effect or have expired, requests submitted, declarations made, and a Data Subject’s feedback regarding services;

  • Data collected using means of communication or other technical means, such as video surveillance data, data collected while interacting by telephone or e-mail, and data related to a Data Subject’s visit to INVL websites or use of self-service portals (for example, IP address, log-in details, website visit history, etc.).

  • Data obtained in fulfilling the requirements of legal acts, such as data obtained through inquiries made by notary publics, tax authorities, courts or debt collectors;

  • Data regarding legal representatives (acting under a power of attorney or on some other basis);

  • Data regarding ties to legal persons, such as a legal person’s head, shareholder, member of the board or other governance body, true beneficiary, or similar data needed for purposes of executing a transaction in the name of a legal person.

2.2 Special Personal Data Categories

In certain cases the personal data processed by INVL may also include special-category personal data:

  • biometric data obtained in establishing a Data Subject’s personal identity remotely through the direct transmission of a photograph. Such data are processed only after obtaining the consent of the Data Subject and are retained while the Data Subject uses INVL services and for a further 8 years after the Data Subject stops using those services. The provider of automated remote identification services (Personal Data Processor) is UAB Identifikaciniai projektai (legal entity code: 304617621);

  • data related to convictions and criminal offences. Such data are gathered and processed only when and to the extent that it is essential in the conduct of investments by collective investment undertakings of INVL in target companies, and to the extent allowed by legal acts. They are retained during the lifetime of the collective investment undertaking and for no more than 2 years after the end of such period.

INVL processes special-category personal data only after obtaining the consent of the Data Subject or if such processing is envisaged in the requirements of the law.


The basis for INVL’s processing of personal data may be the performance of agreements made with a Data Subject or the intention to enter into an agreement, a Data Subject’s consent to the processing of their personal data for a specific purpose, or the fulfilment of obligations applicable to INVL by law. INVL may also process personal data based on the concept of legitimate interest (to strengthen IT security, for example) when it has met the requirements established by the GDPR. Under the conditions set out in the applicable legislation, one or more of the above specified legal bases may be adopted for the processing of the same personal data of a Data Subject.

INVL may process a Data Subject’s data for the following purposes (including but not limited to cases where separate consent of the Data Subject is obtained for processing the data):

  • In order to provide INVL’s services and for other activities, including risk assessment, as foreseen in the legal acts applicable to INVL’s activities;

  • In order to inform the Data Subject about the processing of their services, sales-purchases and securities, and about other agreements with INVL;

  • In order to inform the Data Subject about INVL’s services;

  • In order to obtain information from the Data Subject regarding INVL’s services;

  • To ensure the security of INVL and Data Subjects and their assets through video surveillance;

  • To assess the execution and performance of INVL’s agreements and the quality of services provided by INVL (for example, by recording phone calls), to request an opinion about services provided and their quality, to conduct market research, and to organise contests and campaigns for Data Subjects;

  • To analyse and forecast the Data Subject’s habits and needs and ongoing operations with regard to INVL’s services in order to ensure provision of optimal service to the Data Subject and make personalised offers;

  • To perform legal obligations, including implementation of the Know Your Customer principle and prevention of money laundering and terrorist financing.

  • For the protection, maintenance and improvement of technical equipment and IT infrastructure by taking measures to prevent the abuse of services and by seeking to ensure appropriate provision of services;

  • For other lawful purposes, as set out in legal acts.


A Data Subject has the right guaranteed by data protection legislation to ask that a Personal Data Controller, after confirming the Data Subject’s personal identity, do the following:

  • provide information on whether it processes personal data of the Data Subject and, if it does, to acquaint the Data Subject with the personal data of theirs which is processed, and to inform them what personal data of theirs is obtained from what sources for what purpose and how it is processed (including automated decision-making and its significance and consequences for the Data Subject), how long it is stored, and to whom it is provided (the right to get acquainted with one’s own personal data);

  • rectify or correct incorrect, incomplete or inaccurate personal data of the Data Subject (the right to demand the rectification of personal data)

  • under certain circumstances specified in the GDPR (when personal data have been processed unlawfully, the basis for processing the data has disappeared, and so on), to erase the Data Subject’s personal data (the right to demand the erasure of personal data – “the right to be forgotten”);

  • under certain circumstances specified in the GDPR (when personal data have been processed unlawfully, while a request of the Data Subject’s regarding the accuracy or processing of data is being considered, etc.), to restrict the processing of the Data Subject’s personal data, except for its storage (the right to restrict the processing of personal data);

  • provide in writing or in a commonly used electronic form personal data that the Data Subject has provided to the Personal Data Controller which is processed by automated means on the basis of that person’s consent or performance of an agreement, and, if possible, transfer such data to another service provider (the right to personal data portability).

When INVL processes a Data Subject’s personal data on the basis of their consent, the Data Subject has the right to withdraw the consent they have given at any time and the data processing based on that consent will be halted immediately. Note that when consent is withdrawn, it may be that INVL will be unable to offer the Data Subject certain services or products but will continue to use personal data of the Data Subject, for example, to perform an agreement entered into with the Data Subject or if that is required by law.

A Data Subject has the right at any time to object to:

  • the processing of their personal data, undertaking to present their legally grounded objection to the Personal Data Controller in writing or in another way by which the Data Subject’s identity can be established, if the basis for processing the personal data is the Personal Data Controller’s legitimate interests;

  • the processing of their personal data for purposes of direct marketing (including related profiling) and has the right to not give a reason for that objection;

  • being subject to a decision based solely on automated processing, including profiling, which has legal effects in their regard or similarly significantly affects the Data Subject. This right shall not apply if such decision-making is necessary for entering into or performing an agreement with the Data Subject, is authorised by applicable legislation, or is based on the explicit consent of the Data Subject.

A Data Subject has the right to present a complaint regarding processing of personal data to the State Data Protection Inspectorate (address A. Juozapavičiaus St. 6, 09310 Vilnius, Lithuania; website www.ada.lt) if the Data Subject thinks their personal data is being processed in violation of their rights and lawful interests under the applicable legislation. We kindly request that issues which arise be addressed first of all to INVL, so that we can resolve them as quickly as possible.


A Data Subject must present any request to exercise the specified rights to their Personal Data Controller (see section 1, “DEFINITIONS”). Contact data for INVL’s companies is published on the website invaldainvl.com.

To protect against any disclosure of personal data processed by INVL to persons without the right to receive it, when a request to provide data or exercise other rights is received from a Data Subject, first of all that person’s identity shall be established. If the identity verification process is successful, INVL undertakes, without undue delay but never later than within one month of receiving the Data Subject’s request, to provide information about actions taken with regard to the request submitted by the Data Subject. In light of a request’s complexity or if a Data Subject submits several requests, INVL shall have the right to extend the one-month period by two more months, informing the Data Subject about that by the end of the first month and specifying the reason for the extension.

A Data Subject is not required to pay any fee to obtain information about their processed personal data (or to exercise any other rights). INVL may, however, charge a reasonable fee if a Data Subject’s request is clearly unfounded, submitted repeatedly or disproportionate.


A Personal Data Controller may disclose/transmit a Data Subject’s personal data for processing to the following third parties which assist the Personal Data Controller in performing and administering the provision of services:

  • companies which provide information technology services (in order to ensure the maintenance, improvement and upgrading of information systems);

  • companies which provide website administration and related services;

  • companies which provide document storage and archiving services;

  • companies which provide postal services (for sending reports and other notifications to a Data Subject);

  • auditors;

  • UAB Identifikaciniai projektai (Data Subject identification by means of direct photo transmission);

  • companies that belong to INVL (with the Data Subject’s consent or if authorised by applicable legislation);

  • credit and financial institutions, including a depository, the Nasdaq Vilnius securities exchange, financial intermediaries, the central depository, and third parties participating in the financial instrument trading lifecycle of execution, clearing and settlement;

  • debtor registers, which accumulate information about missed payments, and debt collection companies.

Data are also provided to:

  • state institutions and other persons performing functions entrusted to them by the law (for example, law enforcement bodies, bailiffs, notaries public, and institutions responsible for tax administration, supervising INVL and investigating financial crimes, including the Bank of Lithuania and the Financial Crime Investigation Service);

  • the State Tax Inspectorate, in order to implement the Agreement between the Governments of the Republic of Lithuania and the United States of America to Improve International Tax Compliance and to Implement the Foreign Account Tax Compliance Act as well as other international obligations of the Republic of Lithuania in this area;

  • The State Social Insurance Fund Board.

INVL commits to take the necessary measures and endeavour that other persons to whom personal data may be provided, also process personal data in keeping with INVL’s indications and the applicable legislation, and implement appropriate personal data protection measures.


Personal data shall be processed no longer than is necessary to fulfil the purposes of the data’s processing. Retention periods for personal data shall be defined in internal legal acts in light of the nature of agreements with a Data Subject, INVL’s legitimate interests and requirements of the law (for example, accounting and anti-money laundering requirements, the statute of limitations for a claim, etc.).

As a general rule, INVL processes personal data collected in providing services for as long as the Data Subject uses INVL’s services, and retains the data for 10 years after the Data Subject stops using those services.

If a Data Subject uses contact forms on INVL companies’ websites to submit queries, information provided in those forms, including the Data Subject’s contact details, will be retained until the query is addressed, and no longer than for 1 year after the query is submitted, unless a longer retention period is lawfully permitted for other reasons.


INVL processes a Data Subject’s personal data only within the territory of the European Union/European Economic Area (EU/EEA). Personal data is not transmitted to third countries.


 In seeking to ensure the most appropriate service for a Data Subject and to provide marketing offers suited to the Data Subject’s needs and in improving the quality of the services INVL provides, INVL may use automated means to analyse a Data Subject’s personal data, including information about their use of services and behaviour on INVL companies’ websites and self-service portals.

Note that the actions taken by INVL to analyse a Data Subject’s data do not have any legal or other similar significant effects for the Data Subject. A Data Subject may object at any time to the processing of their personal data for direct marketing purposes and configure their browser to refuse all or some browser cookies.


  • AB Invalda INVL (legal entity code 121304349, registered address Gynėjų St. 14, Vilnius, Lithuania, tel. +370 527 90601, e-mail info@invaldainvl.com, website www.invaldainvl.com);

  • UAB INVL Asset Management (legal entity code 126263073, address Gynėjų St. 14, Vilnius, Lithuania, tel. +370 700 55959, e-mail info@invl.com, website www.invl.com, data protection officer’s e-mail dap@invl.com);

  • UAB INVL Finasta (legal entity code 304049332, address Gynėjų St. 14, Vilnius, Lithuania, tel. +370 521 11294, e-mail gerovesvaldymas@invl.com, website www.invlfinasta.com, data protection officer’s e-mail dap@invl.com);

  • UTIB INVL Baltic Real Estate (legal entity code 152105644, address Gynėjų St. 14, Vilnius, Lithuania, tel. +370 5279 0601, e-mail breinfo@invl.com, website www.invlbalticrealestate.lt);

  • UTIB INVL Technology (legal entity code 300893533, address Gynėjų St. 14, Vilnius, Lithuania, tel. +370 527 90601, e-mail info@invltechnology.lt, website www.invltechnology.lt);

  • AB INVL Baltic Farmland (legal entity code 303299781, address Gynėjų St. 14, Vilnius, Lithuania, tel. +370 525 95056, e-mail farmland@invaldainvl.com, website www.invlbalticfarmland.com);

  • UAB “Mundus”, turto valdymo bendrovė (legal entity code 303305451, address Vilniaus St. 31, Vilnius, Lithuania, tel. +370 672 30426, e-mail info@mundus.lt, website www.mundus.lt).


Cookies are information that is recorded on the computer of a person visiting INVL webpages. Cookies are used to recognise a visitor as someone who previously visited the website and to gather website traffic statistics, as well as to show the visitor advertisement intended specifically for them and to improve the functionality of actions performed on a self-service portal. Under their default settings, most browsers accept cookies. Visitors, however, have the ability to turn off cookies by changing their browser settings. Browser settings can also be set to accept only certain cookies or to generate a warning each time and offer a choice of whether or not to allow cookies to be saved on your computer. Note that if cookies are disabled, some website functions may not work.

More information about cookies used by INVL is available at: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage.

Cookies used by UAB "Mundus", turto valdymo bendrovė on its website (www.mundus.lt):

  • crumb (identifies user’s computer and verifies requests for security purposes, valid until the end of the browsing session)

  • ss_cid (collects Squarespace metrics, valid for 2 years)

  • ss_cookieAllowed (confirms that user has seen cookie message and allowed cookies, valid for 1 month)

  • ss_cpvisit (collects Squarespace metrics, valid for 2 years)

  • ss_cvisit (collects Squarespace metrics, valid for 30 minutes)

  • ss_cvr (collects Squarespace metrics, valid for 2 years)

  • ss_cvt (collects Squarespace metrics, valid for 30 minutes)

INVL’s websites may include links to third-party websites and legal acts as well as to social networks (an option to share site content on Facebook, LinkedIn, Instagram and YouTube, for example). It should be noted that the third-party websites whose links are provided on INVL’s websites are subject to those websites’ privacy policies or other documents corresponding to a privacy policy, and INVL does not take responsibility for the content presented on those websites, their activities or the provisions of their privacy policies.

INVL has the right at any time to unilaterally modify this Privacy Policy, informing data subjects about the changes on the websites of the INVL Group.