Privacy Policy

About ISM Privacy Policy

UAB ISM Vadybos ir ekonomikos universitetas (ISM University of Management and Economics), legal entity reg. No. 111963319, registered address: Aušros Vartų Str. 7A, Vilnius, Lithuania (hereinafter – University), respects each person’s privacy and personal data protection, therefore when processing personal data, it, inter alia, relies on these provisions of Privacy Policy (hereinafter – Policy) and familiarizes visitors of its website with them.

General provisions

This Policy governs collection, processing and storage of personal data by the University as the data controller.

The University carries out activities, which include offering of all levels of accredited study programs, training under the Master of Management program, research for science and business, exchange programs, library services and provision of other education services. In order to provide these services, the University processes personal data, inter alia, on the legal basis and principles specified in the Policy.

Principles of personal data processing

The University processes personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (hereinafter – Regulation), the Law of the Republic of Lithuania on Legal Protection of Personal Data and other legal acts regulating personal data processing and storage.

The scope of the processed personal data depends on the services offered by the University and on the information provided by the data subject when using the services of the University and visiting and/or logging on to its website.

The University, inter alia, is guided by the following main data management principles:

  • Personal data must be collected only for explicit and legitimate purposes.
  • Personal data must be processed fairly and legally.
  • Personal data must be kept up to date on a regular basis.
  • Personal data must be stored safely and for no longer than it is required by legal acts and for data processing purposes.
  • Personal data must be processed only by those University employees who have the right to do so according to their job functions.

Data shall be processed only where there is one or more criteria for lawful processing thereof – (i) to ensure provision of services under the contract (i.e. in order to execute the contract or to take steps at the request of the data subject prior to entering into a contract); (ii) where the consent of the data subject is obtained; (iii) where it is necessary to process data for the University to fulfil its legal obligation; (iv) where data processing is necessary in order to protect the vital interests of the data subject or of another natural person; (v) where date processing is necessary for the purposes of the legitimate interests of the University or a third party (see Article 6[1] of the Regulation,

When processing and protecting personal data, the University shall implement organisational and technical measures to ensure the protection of personal data against accidental or unlawful destruction, alteration, unauthorised disclosure and against any other unlawful processing. Access to personal data processed by the University shall be granted only to those employees of the University and ancillary service providers to whom this is necessary in order to carry out their functions or to provide services to the University.

By submitting personal data to the University, the data subject is responsible that his personal data would be accurate, correct and complete. If the personal data provided by the data subject change, he must immediately notify the University thereof. The University shall not be liable for the damage incurred by any person and/or to third parties resulting from inaccurate and/or incomplete personal data provided by the data subject or from the data subject’s failure to request to supplement and/or amend the data following their change.

Personal data sources

Personal data are generally obtained directly from the data subject (e.g. current and/or future students, partners, representatives of legal entities), who provides them when using the services offered by the University or visiting its website. Although the person is not required to provide any personal data to the University, it may not be possible to provide certain services to him, if personal data is not submitted.

Purposes of processing personal data

The University processes personal data for the following purposes:

  • In order to provide the services specified on its website;
  • In order to administer and execute contractual relations, to properly fulfil contractual obligations, and to liaise with students, sponsors, customers, suppliers, partners and customers when developing business, providing services and cooperating;
  • For the purpose of conducting and improving studies and performing accounting;
  • For the purpose of carrying out research;
  • For the purpose of using the data bases of employees of the university, service providers and students;
  • For administering payments and debts;
  • For the purposes of direct marketing;
  • For internal administration purposes.

Processing of personal data for the purpose of providing education services

Where a natural person (data subject) uses education and/or other services provided by the University, the University shall process personal data provided by the data subject directly to the University or via the third parties. The University undertakes to transfer personal data of data subjects to third parties only to the extent and only where it is necessary to provide certain services or is required by legal acts. If no personal data are required for the provision of specific services, they shall not be transferred to any party. The University shall transfer personal data to third parties on the basis of the agreement, strictly in accordance with the requirements prescribed by legal acts.

Processing of personal data for the purposes of direct marketing

The University may process the following data for the purposes of direct marketing: first name, surname, name of the legal entity, e-mail address, telephone number, position, class, year of study, and city. Consent for using personal data for the purposes of direct marketing shall be given after signing the contract with the University, ordering an online newsletter or filling in questionnaires and checking the relevant consent box. Consent for direct marketing is voluntary, it is not a pre-condition of contractual relationship with the University and has no effect on the personal relations with the University.

The University may send promotional/information notifications, provided the person has given consent to the University to use his data for the purposes of direct marketing, and to current or former University students and customers – without a separate consent for the purposes of marketing of similar services, where they are provided a clear, free and easily implementable opportunity to object to/refuse any such use of their contact data and if initially they raised no objections to the use of such data for sending each message.

The University may send notifications for the purposes of direct marketing by e-mail and/or phone. The period for data storage for the purposes of direct marketing – until the consent is valid, but not later than 10 years after the expiry of the contractual relationship.

Any person may withdraw his consent for direct marketing at any time by notifying about it by email: or otherwise contacting the University.

Provision of personal data

The University undertakes to respect the confidentiality of the processed personal data. Personal data may only be disclosed to third parties if this is necessary for the benefit of the data subject in order to conclude and execute a contract or for other legitimate reasons.

In addition, the University may allow processing of personal data to its data processors, who provide IT, bookkeeping, debt recovery or other services to the University necessary for the operation of the University and who process personal data on behalf of the University. Data processors shall have the right to process personal data only according to the instructions of the University and only to the extent this is necessary to ensure proper execution of the obligations stipulated in the services agreement. The University uses only such data processors who sufficiently ensure that the appropriate technical and organisational measures are in place in order data processing would comply with the requirements of the Regulation and protection of the rights of the data subject would be ensured.

The University may also provide the data of data subjects in response to the requests of the court or public authorities to the extent this is necessary for proper implementation of the existing legislation and instructions of public authorities.

Term for the storage of personal data

Personal data collected by the University shall be stored in printed documents and/or information systems of the University in the electronic format. Personal data shall be processed for no longer than this is required to achieve the data processing objectives or no longer than this is required by data subjects and/or is provided for by legal acts. As a general rule, personal data are processed for a period of 10 years after the expiry of contractual relationship.

Although a person may terminate the contract and withdraw from the University services, the University must continue to protect the data subject’s personal data due to the requirements or legal claims that may occur in the future until the end of the period of limitation for data storage or the claim.

The University seeks not to store any obsolete or unnecessary information and to ensure that personal data and other information are regularly updated, accurate and destroyed in a timely manner.

Rights of data subjects

The data subject has, inter alia, the following rights:

  • To obtain information about his personal data managed by the University, where and how his personal data is collected and on what basis it is processed;
  • To request the University to amend his personal data, to suspend its processing, to destroy it, if the data is incorrect, incomplete or inaccurate, or if it is no longer necessary for the purposes for which they have been collected. In this case the data subject must submit a request. After receipt of the request the University shall review the information provided by the person and take the necessary action. It is of the utmost importance to the university that the personal data processed by it would be accurate and correct;
  • To request the University to destroy his personal data or to suspend processing of such personal data, except for the storage where a person, after familiarization with his personal data, identifies that the personal data is processed unlawfully or unfairly;
  • To object to the processing of personal data, where such data is processed or is about to be processed for the purposes of direct marketing;
  • At any time to withdraw his consent for the processing of personal data for the purposes of direct marketing;
  • If the data subject is concerned with the actions (omission) of the University whereby it is likely that the requirements of this Policy or legal acts are not complied with, he may contact the University and get free assistance.

The person may exercise all of its rights of the data subject by contacting the University by email

If an issue is not resolved with the assistance of the University, the person shall have the right to contact the State Data Protection Inspectorate, which is responsible for the supervision and control of legal acts which govern personal data protection.


In order to improve visits to the website of the University, the University may use cookies – small text information files which are created automatically when browsing the website and are stored in the visitor’s computer or another end user’s device.

The information collected by the cookies allows to ensure more convenient browsing on the University website, to learn more about the behaviour of the website visitors, and to analyze trends and to improve the website, University services or the information provided on the website. The University uses cookies to manage depersonalised personal data.

If the website visitor does not agree that cookies would be stored in his computer or another end user device, he may change his internet browser settings and disable all cookies or to enable/disable them one by one. However, the University draws attention to the fact that in some cases this may slow down the speed of browsing, restrict operation of certain functions of the website or block access to certain pages of the website.

Technical information on cookies used on and social media accounts

Required cookies

The following are the cookies required for the website: Drupal, AdForm and Google Analytics. These cookies allow visitors to browse the website and use the desirable functions, e.g. they provide access to secure/protected areas of the website, so without these cookies such access would not be available. These cookies do not collect visitor information that could be used for marketing or remember the pages on the website visited by the visitor. We could not provide services without the cookies which allow our website to function properly. Cookies of this category cannot be disabled.

Functional cookies

Functional cookies: Drupal provides the opportunity to improve the functionality of the website. For example, to remember such settings selected by visitors as language, colour, font size, login data, etc. These cookies may be installed by us or other suppliers who inform about their services on our website pages. If you disable these cookies, certain or all functions mentioned above will not operate properly.

Operational (analytical) cookies

These are the following cookies: Google Analytics, Youtube, and LinkedIn. They collect information about how the visitor uses our website or our social media accounts. These cookies do not reveal the data of the identity of the person. They are only used to improve the operations of our website and social media accounts.

Target or advertising cookies

These are the following cookies: AdClick, AdScale,, AppNexus,, Facebook Pixel, Youtube, Ibillboard, and LinkedIn. They are used to place advertisements which could be relevant to the visitor and meet his interests, i.e. they would be directed at the targeted marketing. They also serve to reduce the quantities of advertisements in order to measure the effectiveness of the promotional campaign. These cookies are also used for links with social networks, e.g. Facebook and LinkedIn, if a visitor has agreed to the use of cookies on these websites, for instance, by clicking Like and/or Share on Facebook, Youtube or LinkedIn.

Final provisions

The University reserves the right to amend this Policy, therefore, visitors are requested to review it regularly, check if there have been any changes and familiarise themselves with the amended or new provisions. This Policy is governed by the law of the Republic of Lithuania.

We wish you a pleasant browsing on our website!