SECTION I
GENERAL PROVISIONS
1. These terms and conditions establish the main principles of online ticketing for the visitors of the Open-Air Museum of Lithuania (hereinafter, the Museum).
2. This description of the procedure shall apply to ensure smooth ticketing.
3. The accounting of visitors is carried out following the visiting rules, the report of the ticket sales system, and the Museum's reports of the use of tickets.
4. Through the online ticket-sale system provides tickets both to the events organized by the Open-Air Museum of Lithuania and to the Museum itself (as a park). It can be done from the Republic of Lithuania and other countries: Latvia, Estonia, Poland, and all other countries where access to this type of portals is not prohibited. The payments are implemented via the www.paysera.lt payment system. The payment methods include all the main electronic banking services of Lithuanian banks.
5. The ticket sales module is integrated with the Museum's website www.llbm.lt, and is connected with the accounting, trade, and management system "nPoint" that receives and transmits information about the list of events, their names, prices, visitor tickets. These databases are connected.
6. www.llbm.lt is also customized for purchasing tickets with mobile devices.
7. The Internet user interface ensures that the accessibility of the System functions is available in such Internet browsers as Internet Explorer 8 and its' news versions, Mozilla Firefox 11.0 and its' news versions, Google Chrome, Safari.
8. The information is provided in Lithuanian and English.
9. The purchase of the tickets is possible both to registered and unregistered users.
10. When buying tickets online, there is a service fee for each ticket.
SECTION II
THE RULES OF PURCHASING
11. When buying a ticket online, the visitor must make sure that he has chosen the right visitor's category, date, and time.
12. After selecting the tickets, the visitor enters his/her data (name, surname, telephone number, e-mail), checks the cart information, clicks that he agrees with the Conditions of the ticket sale, only then payment procedures take place.
13. Along with the tickets, if the visitor selects the setting "Invoice required", an electronic invoice, based on the personal or company data provided by the customer, will be generated.
14. Payment is made via the payment system www.paysera.lt.
15. Upon the receipt of www.paysera.lt response on successful payment, tickets will be sent to the user by e-mail specified during payment.
16. A visitor who has purchased a ticket online must independently assess the time of arrival to the Open-Air Museum of Lithuania.
17. When purchasing the tickets online, a money transfer fee is applied to each ticket.
18. Pre-school children who do not need to buy a ticket are registered at the checkpoints.
19. When purchasing tickets, the system generates them automatically.
20. The e-ticket holder must print a unique PDF file on an A4 sheet of white paper (in color or black and white), and present it upon arrival at the control point.
21. There is a possibility to scan a barcode from the visitor's mobile device: the visitor is responsible for the mobile data and/or other ways to open each barcode.
22. If the user does not uncheck the "Newsletters" setting, we will save this user's data in the "nPoint" system and it will be possible to generate a list of users to whom the newsletters will be sent.
SECTION III
THE RULES OF USING THE E-TICKETS
23. Visitors who have purchased tickets are admitted to the Museum's Territory only on the day for which the visitor's ticket was purchased. Children under the age of 7 are admitted to the Museum free of charge.
24. Every person wishing to visit the Open-Air Museum of Lithuania must purchase a ticket (according to the category of the visitor).
25. A ticket is valid only on the specified date and time or for the specified event.
26. If the ticket has been purchased with a discount, the visitor must present a document granting the discount at the control point. The visitor must purchase a ticket without a discount if he is unable to present a valid document granting the discount.
27. It is recommended that the visitor assess the geographical location of the Open-Air Museum of Lithuania and arrive at the event earlier, even after purchasing a ticket online.
28. The visitor must keep the ticket until the end of the event.
29. The ticket is scanned and marked only once and is valid for one person only. The control devices show the date and time of the first scan. If the ticket is submitted for a second scan, the visitor will not be admitted. It is strongly recommended to save purchased tickets and not to transfer them to third parties.
30. Tickets are non-exchangeable and non-refundable.
SECTION IV
TICKET CONTROL
31. Ticket control is ensured by barcode scanners installed in turnstiles and performed by ticket controllers with the help of hand-held scanners. In turnstiles, a scanner transmits a visual signal that confirms the validity of the tickets and opens the barrier. The ticket controller scanner transmits a visual signal about a valid (green) or invalid ticket (red) and according to this, the ticket controllers allow or deny the passage to visitors.
32. If a pass with the same ticket is to be made a second time, a scanner on the turnstiles shall indicate that the ticket has already been used and will not open the passageways, also the date and time of the first scan shall be displayed on the controller scanner.
33. If the visitor is not being passed through the checkpoint, the administrator is invited, at the box office (in the admin module) it is checked why the ticket was canceled. The reason for the cancellation will be indicated: the ticket has already been used or has expired.
SECTION V
FINAL PROVISIONS
34. Tickets to the Open-Air Museum of Lithuania can be purchased at the ticket offices and on the Museum's website.
35. A ticket may be used only once, for one person. The ticket must be kept throughout the whole visit.
THE RULES OF PROCESSING THE PERSONAL DATA IN THE OPEN-AIR MUSEUM OF LITHUANIA
SECTION I
GENERAL PROVISIONS
1. The purpose of the Rules of the Processing of Personal Data in the Open-Air Museum of Lithuania (hereinafter - the Museum) is to establish the requirements for the processing and protection of personal data, as well as the main technical and organizational measures for personal data processing, data subject rights, and data protection.
2. The Rules must be complied with by all Museum's employees working under employment contracts, as well as other persons employed by the Museum who process personal data in the Museum or become aware of them in the course of their duties. Access to the personal data may be granted only to those persons whose functions require it.
3. The terms used in the Rules correspond to the terms used in the Law on the Legal Protection of Personal Data.
4. Personal data in the Museum shall be collected only following the procedure established by legal acts, by receiving them directly from the data subject or by submitting a formal request to the entities processing and entitled to provide the necessary information, as well as by accessing individual databases, registers and information systems. In cases and according to the procedure established by legal acts, the Museum provides personal data processed by it to the Ministry of Culture of the Republic of Lithuania, the State Social Insurance Fund Board and the State Tax Inspectorate under the Ministry of Finance of the Republic of Lithuania, other third parties upon request (in case of one-time personal data collection) or personal data agreement (in case of multiple collections of personal data), under the provisions of the Law on Legal Protection of Personal Data of the Republic of Lithuania.
5. Personal data shall be processed in manual files and/or automatically.
SECTION II
MAIN OBJECTIVES AND PROTECTION PRINCIPLES
6. Personal data in the Museum is processed with these purposes established by legal acts and internal administration that are the following:
6.1. considering the applicants for the Museum employees working under employment contracts the following data is being processed: personal name, surname, personal identification number, date of birth, address of residence, e-mail address and contact telephone numbers, positions to which is applied, data on education, qualification, length of service, results of the competition (selection), date and number of registration of documents, other personal data provided by the person.
6.2. market research - the following data of the Museum visitors are processed: age group, gender, education, satisfaction with the services provided by the Museum;
6.3. conclusion, execution, accounting of cooperation agreements between individual buyers and/or suppliers - the following personal data are processed: name, surname, personal identification number, e-mail address, and contact telephone number, address, number, and copy of the activity certificate.
7. The processing of personal data of the employees of the Museum is regulated in detail by the Description of the Personal Data Protection Policy of the Employees.
8. Data shall be processed following the General Data Protection Regulation, the Law on Legal Protection of Personal Data of the Republic of Lithuania and other legal acts regulating the protection of personal data.
9. Only those staff members who have been appointed to do so by order of the Director and/or it is a part of their duties shall have the right to process personal data. Employees are aware that they must protect personal data from any possible violations and immediately inform the responsible person about any situation that may pose a danger or is already threatening the security of personal data.
10. While performing their duties and processing personal data, the employees of the Museum must observe the following principles of processing and protection of personal data:
10.1. personal data shall be collected for specified, legitimate purposes and in a manner consistent with those purposes;
10.2. the collection and processing of personal data shall comply with the principles of purpose and proportionality, data subjects shall not be required to provide data that are not necessary, redundant data are not being collected or processed;
10.3. personal data are processed accurately, fairly, and lawfully. The employees of the Museum process personal data following the Law on Legal Protection of Personal Data and other legal acts regulating the processing of personal data. The employees of the Museum have the right to collect, process, transmit, store, destroy or otherwise use personal data only in the performance of their direct functions, or by order of the Director of the Museum and only following the procedure established by legal acts. Museum staff is prohibited from arbitrarily collecting, processing, transmitting, storing, destroying, or otherwise using personal data. Personal data must be accurate and, where necessary for the processing of personal data, kept up to date. Inaccurate or incomplete data shall be corrected, supplemented, destroyed or suspended;
10.4. personal data are revised, corrected, changed, supplemented, destroyed at the request of the person, as well as with the initiative of the Museum. The data shall also be revised and updated as soon as the data subject informs about the change;
10.5. personal data must be kept in a form which permits identification of data subjects for no longer than it is necessary for the purposes for which the data were collected and processed.
11. Personal data shall be provided to third parties upon the request of the recipient of the data, which shall specify the purpose of obtaining and using the personal data, the legal basis for the provision and receipt, and the scope of the request. Where personal data are processed automatically and appropriate data security measures are applied, the priority of the provision of personal data at the request of the recipient shall be given to provision by electronic means. Personal data shall be provided to third parties only in the cases and following the procedure established by-laws, agreements, and other legal acts.
12. The protection of personal data against accidental or unlawful destruction, alteration, disclosure, as well as against any other unlawful processing, shall be ensured by the implementation of appropriate organizational and technical measures.
13. Compliance with the principles of processing and protection of personal data shall be ensured by the Director of the Museum by taking appropriate organizational measures (orders, decrees, assignments, etc.).
SECTION III
RESPONSIBILITIES OF THE CONTROLLER AND THE PROCESSOR OF THE PERSONAL DATA
14. The controller and processor of personal data is a budgetary institution, entitled Open-Air Museum of Lithuania, legal entity code 190757221, address J. Aisčio str. 2, Rumšiškės, Kaišiadorys district, which:
14.1. ensures the implementation of the rights of the data subject and performs the duties of the controller of personal data established in the legal acts regulating the processing of personal data;
14.2. appoints persons responsible for the processing of personal data in the Museum;
14.3. prepares procedures regulating the protection and processing of personal data, which shall be reviewed at least once every two years or in the event of changes in the law, and if necessary, initiate amendments;
14.4. organizes training and consultations for the Museum staff in the field of the legal protection of personal data.
SECTION IV
SPECIAL REQUIREMENTS
15. The Museum shall implement the organizational and technical security measures for personal data specified in the Rules to protect them from an accidental or unlawful destruction, alteration, disclosure, as well as from any other unlawful processing.
16. Personal data (documents containing personal data or copies thereof) shall be stored in dedicated premises (lockers, safes, etc.), in areas of the local network, on computer hard drives. Personal data (documents containing personal data or copies thereof) must not be kept in a visible place accessible to all, where unauthorized persons have unhindered access to them.
17. Personal data (documents containing personal data or copies thereof) on external data carriers and/or e-mail must be deleted immediately after their use and/or transferred to storage places no later than within 5 working days.
18. Terms of storage of personal data (documents containing personal data or copies thereof) in the Museum shall be determined by the Museum's documentation plan. Personal data (documents containing personal data or copies thereof) shall be kept for no longer than is required for data processing. When personal data are no longer needed for their processing, employees processing personal data shall destroy them within a specified period, except for those that must be transferred to state archives in cases prescribed by law.
19. Documents containing personal data must be destroyed in such a way that their contents cannot be reproduced and identified.
20. In performing its functions, the Museum uses the services of the Secure State Data Transmission Network (hereinafter – SVDPT). SVDPT is a closed telecommunications network based on the TCP/IP protocol and separated from public networks. It provides departmental and interdepartmental data transfer services, operates a closed e-mail system for electronic correspondence between state institutions and a separate closed domain name system. The security and prevention of SVDPT services are ensured by the accredited SVDPT CERT - Network and Information Security Incident Investigation Group, the purpose of which is to solve various computer security problems arising in the information systems of SVDPT and Lithuanian public administration institutions. SVDPT-CERT informs and advises clients on various software and technical system vulnerabilities and analyzes the trends for assuring the security of information.
21. Areas of the Museum's local network, computers where personal data are stored must be protected by passwords or access rights to them must be restricted. Passwords for access to personal data are provided, changed, and stored to ensure their confidentiality, they must be unique, consisting of at least 8 characters, without the use of personal information. Passwords for accessing personal data must be changed periodically at least once every 3 months, and in case of certain circumstances (change of employee, threat of burglary, suspicion that the password has become known to third parties, etc.) and during the first login - must be changed.
22. Computers containing personal data must use a screen saver with a password. Museum staff must use access passwords for personal data in person and not disclose them to third parties.
SECTION V
REQUIREMENTS FOR PERSONS PROCESSING PERSONAL DATA
23. Access to personal data may be granted only to those employees of the Museum who need such data for the performance of their functions.
24. Only those actions which the employees of the Museum are entitled to make with personal data may be performed.
25. Museum employees and other persons processing personal data must:
25.1. comply with the personal data processing and security requirements established in the Law on the Legal Protection of Personal Data of the Republic of Lithuania, the Rules and other legal acts;
25.2. observe the principles of confidentiality and to keep in secret any information related to personal data, which they have accessed while performing their functions unless such information is public under the requirements of applicable legal acts (obligation to keep personal data secret is also valid after termination of employment in the Museum);
26.3. not disclose, transfer or facilitate access to personal data by any means to any person who is not authorized to process personal data;
25.4. immediately notify the Museum employee, performing the coordination and control functions, of any suspicious situation that may endanger the security of personal data processed in the Museum. In the event of a personal data breach, the Museum staff member coordinating and controlling compliance with the legal requirements for personal data protection in the Museum assesses the risk factors, the degree of impact, damage and consequences, and submits it to the Museum Director to eliminate the damage or its' consequences.
26. The employees of the Museum shall lose the right to process the personal data when their employment relationship with the Museum is terminated or when they are assigned to perform functions that are not related to data processing.
SECTION VI
DATA SUBJECTS' RIGHTS
27. A data subject who has submitted an identity document or confirmed his/her identity following the procedure established by legal acts or by electronic means (if they allow the proper identification of a person) has the right to refuse to have his/her data processed in the Museum and to obtain information from which sources and what personal data have been collected, for what purpose they are processed, to which recipients the data are and have been provided within one year.
28. The Museum must create conditions for the data subject to exercise the rights specified in Paragraph 27 of the Rules, except for the cases established by law, when it is necessary to ensure:
28.1. state security and defense;
28.2. public order, prevention, investigation and detection of criminal offenses or prosecution;
28.3. important economic or financial interests of the state;
28.4. prevention, investigation, and detection of violations of official or professional ethics;
28.5. protection of the rights and freedoms of the data subject or other persons.
29. If, after getting acquainted with his/her data, the data subject determines that the data are incorrect, incomplete, or inaccurate, and as a result applies to the Museum, the Museum shall verify the personal data and correct or clarify them if necessary within 5 working days.
30. If, after getting acquainted with his/her data, the data subject determines that his/her data are processed illegally, dishonestly and applies to the Museum, the Museum shall immediately check the lawfulness and integrity of the personal data processing within 5 working days with a written demand of a data subject destroys the illegal data or fraudulently collected personal data or suspend the processing of such personal data, except for storage, unless a request for destruction or rectification of the data has been submitted.
31. In case of doubts regarding the accuracy of the data provided by the data subject, the Museum shall suspend the processing of these data, check them and correct them.
32. The data subject shall be notified in written about performed or not performed rectification, destruction, or suspension of personal data processing operations at the request of the data subject. The Museum informs the recipients about corrected, destroyed personal data or suspended processing activities at the request of the data subject, except in cases when it would be impossible or too difficult to provide such information (due to a large number of data subjects, data period, unreasonable costs). In such a case, the State Personal Data Protection Inspectorate must be notified immediately.
33. The data subject may complain about the actions (omissions) of the Museum related to the implementation of the data subject's rights to the State Personal Data Protection Inspectorate within the terms established by the Law on Legal Protection of Personal Data of the Republic of Lithuania.
SECTION VII
PROCEDURE FOR MANAGING AND RESPONDING TO BREACHES OF PERSONAL DATA SECURITY
34. Employees of the data controller or data processor who have the right of access to personal data shall inform the Director of the Museum or the appointed responsible person if they notice data security breaches (actions or omissions that may cause or pose a threat to the security of personal data).
35. After assessing the risk factors of the data protection breach, the degree of impact of the breach, the damage and the consequences, the Director of the Museum shall, in each specific case, make decisions on the measures necessary to eliminate the data protection breach and its consequences.
SECTION VIII
FINAL PROVISIONS
36. The Rules are reviewed in the event of changes in the activities of the Museum and/or legal acts regulating the protection of personal data, as well as regularly every three years.
37. Employees of the company shall be acquainted with all the rules concerning the protection of personal data by signing. Violation of these rules is subject to statutory liability for Museum staff.
38. A museum employee performing the functions of coordination and control of compliance with the requirements for the legal protection of personal data in the Museum shall perform a risk assessment of personal data processing at least once every two years and submit a report to the director of the personal data controller.
39. The Rules shall be easily accessed at the Museum's public Network.