Privacy policy

This privacy policy (‘Privacy Policy’) sets out and explains how we process your personal data.


General information

  1. Public institution ‘Travel Lithuania’ (hereinafter – the Institution or the Data Controller) is the operator of the website (hereinafter – the Website).
  2. The Privacy Policy applies to all persons who visit the Website and the terms and conditions set out in the Privacy Policy apply each time you access our content and/or service, regardless of the device (computer, mobile phone, tablet, etc.) you are using.
  3. The Data Controller processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (‘the Regulation’), as well as with other legal acts regulating the protection of personal data. Terms used in the Privacy Notice shall have the same meaning as terms used in these legal acts.
  4. If you have any questions about the processing of your personal data, preferences or comments, please contact us:

Public institution Keliauk Lietuvoje
Legal entity code: 304971997
Registered office address: Gedimino pr. 38, 01104 Vilnius
Tel. +370 698 03 509

  1. A Data Protection Officer shall be appointed by order of the Director of the Institution and shall be responsible for carrying out the functions referred to in Article 39 of the Regulation. The Data Protection Officer may be contacted by email: or by sending a letter to the above address for the attention of the Data Protection Officer.

Sources of the personal data subject

  1. Personal data of the data subject, i.e. any information about you that allows us to identify you, is obtained:
    1. directly from the data subject (you), for example when you sign contracts or agreements with the Agency, or send your CV when applying for vacancies, or submitting letters or requests;
    2. from other sources such as, where appropriate, other bodies or companies, e.g. publicly accessible registers, marketing agencies, suppliers participating in public procurement procedures, and legal persons, law enforcement authorities, courts and out-of-court dispute resolution bodies.

Rights of data subjects and their implementation

  1. Data subjects have the following rights:
    1. to know (be informed) about the processing of personal data;
    2. to have access to personal data processed;
    3. to request the rectification of inaccurate personal data;
    4. to request the erasure of personal data (‘right to be forgotten’);
    5. to require restriction of the processing of personal data;
    6. to object to the processing of personal data;
    7. to require the transfer of personal data;
    8. to withdraw consent to the processing of personal data;
    9. to lodge a complaint with the State Data Protection Inspectorate about a breach of the processing of personal data.
  2. To exercise any of your rights set out above, please contact us by telephone on + 370 698 03 509, by email to or by post to Gedimino pr. 38, Vilnius. Your rights will be exercised upon prior confirmation of your identity, either in person (by presenting an identity document: ID card or passport) or by means of electronic communications (e.g. electronic signature).
  3. We may prevent you from exercising the rights listed above in cases where, in accordance with the law, it is necessary to ensure the prevention, investigation and detection of criminal offences, breaches of official or professional ethics, as well as the protection of the rights and freedoms of the data subject or of other persons.

Scope, purposes and legal bases of the personal data processed

Purpose of processing

Legal basis for processing

Scope of personal data processed

Duration of storage

Handling and administering incoming enquiries, communications, proposals

GDPR Article 6(1)(f) – legitimate interest (to clarify the circumstances and to properly examine and/or prepare a response)

Identification and contact information of the legal and/or natural person making the request (or being contacted): name, surname, telephone number, email address and/or other information provided

Up to one year from the date of submission

Providing news from the Institution to newsletter subscribers

Article 6(1)(a) GDPR – consent

Email, IP address and other information provided

Until you withdraw your consent or unsubscribe from the newsletters

For the implementation of Lithuanian tourism marketing and tourist information


GDPR Article 6(1)(f) – legitimate interest (legitimate interest of the Authority and of you to provide/receive comprehensive information relevant to tourists)

Name, surname, email address, telephone number or other contact details, place of residence (if home delivery is requested), and other information to be provided

Up to 2 years


  1. We also process information about your use of our Website. The data on your use of our Website may include your IP address, geographical location, browser type and version, operating system, referral source, length of time on the Website, pages viewed and paths followed on the Website, as well as information on the periods of time you use the services and frequency. We use cookies or similar technologies to obtain this data to better understand your use of the Website and its services. We process this data on the basis of your consent. Information on how long this data is stored is available here.
  2. In addition to the specific purposes set out in this Privacy Policy, we may also process your personal data where processing is necessary to comply with legal obligations to which we are subject, or where it is necessary to protect the vital interests of you or other natural persons.

Protection of personal data

  1. To ensure a level of security equivalent to the level of risk in the processing of personal data, we implement appropriate technical and organisational measures to ensure adequate security of personal data, including protection against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage.
  2. Employees of the Institution shall have the right to process personal data only in the performance of their direct functions and only to the extent necessary for the performance of those direct functions.
  3. Employees of the Institution and/or other persons who, in the exercise of their direct functions, become aware of personal data shall be bound by the principle of confidentiality and shall keep secret any information relating to the personal data of which they have become aware, unless such information would be public information in accordance with the provisions of the legislation. The obligation to keep personal data confidential shall also apply after a transfer of post, employment or contractual relationship.

Provision of data and lawful processing

  1. Personal data processed by the Institution may not be disclosed to third parties, except as provided for by law and in the performance of contracts for the provision of personal data, but without prejudice to the principle of confidentiality.
  2. Personal data shall not be disclosed to any third party other than the data subject themselves in the absence of a written request from the third party (in the case of a one-off disclosure), a contract with the third party (in the case of a continuous disclosure) or any other legal basis.
  3. Upon receipt of a request for personal data, the Institution shall assess both the purpose of the request for personal data and the proportionality and lawfulness of the request. Personal data shall be provided to data recipients only to the extent necessary to achieve the specific purpose.
  4. List of categories of data recipients (the list is not exhaustive):
    1. state institutions, bodies, companies: the State Social Insurance Fund Board under the Ministry of Social Security and Labour, the State Tax Inspectorate under the Ministry of Finance of the Republic of Lithuania, other institutions and/or bodies as required;
    2. companies providing data centres, website administration and related services, companies developing, providing, maintaining and developing software, companies providing IT infrastructure services, companies providing communication services;
    3. law enforcement authorities;
    4. auditors;
    5. marketing agencies;
    6. postal services, courier services.
  5. In cases where the Institution engages a Data Processor to carry out personal data processing activities, a Personal Data Processing Contract/Agreement shall be concluded between the Institution and the Data Processor and/or the terms of the processing of the personal data shall be discussed in the Master Contract concluded.
  6. The Data Processor must ensure the confidentiality of the personal data communicated by the Institution for processing, and the personal data must be processed using appropriate technical and organisational measures to ensure the protection of personal data, the rights of data subjects and the requirements of the Regulation, taking into account the legislation governing the processing of personal data and the instructions of the Institution.
  7. Where the Agency acts as a Data Processor, i.e. does not process personal data for independent purposes, but has access to personal data in the course of the provision of services to the controller, in this case the Agency shall process the personal data for the purposes and in accordance with the instructions of the controller, to the extent necessary to provide the service.
  8. From time to time, we may need to transfer your personal data to other countries that may have a lower level of data protection policy. In such cases, we would do everything within our power to ensure the security of the personal data transferred.
  9. If we were to send your personal data to countries outside the European Economic Area, we would ensure that one of the following security measures is in place:
    1. The contract signed with the data importer is based on the Standard Contractual Clauses adopted by the European Commission.
    2. The recipient is located in a country recognised by the European Commission as having adequate data protection standards.
    3. There is authorisation from the State Data Protection Inspectorate.
    4. In the absence of any of the above-mentioned appropriate safeguards, we may make use of the exemptions provided for in Article 49 of the Regulation (e.g. transfer of your data on the basis of your consent), but these may only apply in strictly defined cases in the Regulation.

External websites

  1. The Website contains links to external websites, i.e. websites of institutions related to Lithuanian tourism (e.g. accommodation, catering, leisure activities). When following such links, please note that these websites and the services available through them have their own individual privacy policies (rules) for which we cannot accept responsibility. We recommend that you review them in detail before submitting any of your personal data.

Final provisions

  1. The Privacy Rules shall be reviewed and updated according to the needs of the Institution, but at least once every two years, or in the event of a change in the legislation governing the processing of personal data. The Institution shall inform about the changes made by publishing a new version of the Privacy Notice on the Website.

 Privacy Policy last revised on 28 July 2022.





Data collection


1 month

Cookies are used by Google to provide you with browsing experiences and personalised advertisements.

Recent and previous searches


1 year

The cookie is linked to a JavaScript plugin that informs visitors of about the cookies used on the Website.

Unique ID


Until the browser window is switched off

Website functionality cookie

Unique ID


1 week

Login authentication – a tool to save login credentials (only for site administrators).

Login for site administrators


– 1 year
– 30 minutes (depending on cookie type)

This cookie is linked to the AddThis social sharing tool, which is embedded on the Website and allows you to share the content of the Website on different platforms.

Number of page loads


– 2 years
– 30 minutes
– By the end of the session
– 1 year (depends on the type of cookie)

(GOOGLE) Cookies starting with _ga and _utm (e.g. __utma, __utmz) are linked to Google Analytics and used to see a user’s path.

User status (new or returning), browser version used, device model, session duration, number of pages viewed, pages viewed and other information to help identify the user.


1 year

(YANDEX) – measures user status.

User status (new or returning), browser version used, device model, session duration, number of pages viewed, pages viewed and other information to help identify the user.

Font size, contrast on, off

1 week

This cookie is linked to a tool for users with disabilities; saves settings.



1 year

This cookie is linked to the ‘add to favourites’ tool.

Liked content


2 months

Facebook cookie, to see what advertisements are seen by users.



2 months

Facebook cookie, to measure the effectiveness of advertising.



1 year

A geolocation cookie to see where the website has been shared.


11 months

The HotJar cookie, used when a user first visits a website to detect which browser they are using.



30 days

The cookie is used to protect the site from malicious attacks by seeing which user is using a non-unique IP address.



30 days

The cookie is used to understand when the user first visited.