DATA MANAGER SAULĖS MIESTAS, UAB,
OPERATING AT TILŽĖS G. 109, LT-77159 ŠIAULIAI, COMPANY CODE 300073193
PERSONAL DATA PROCESSING POLICY
APPROVED
Saulės miestas, UAB
General director
2018 May 18 No. BV-7
1. KEY POLICY CONCEPTS
1.1. ADTAĮ – the Law on the Legal Protection of Personal Data of the Republic of Lithuania.
1.2. Personal data – any information about an identified or identifiable natural person (data subject); “identifiable natural person” means a person who can be identified, directly or indirectly, in particular by an identifier such as name, personal identification number, location and internet identifier or by one or more physical identifiers of that natural person, features of physiological, genetic, mental, economic, cultural or social identity.
1.3. Responsible Employee – an Employee of the Data Controller who, according to the position held and the nature of the work, has the right to perform specific functions related to the Data Processing in a specific factual situation.
1.4. BDAR – Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation).
1.5. Data controller – Saulės miestas, UAB, legal entity operating at Tilžės str. 109, LT-77159 Šiauliai, company code 300073193, VAT payer code LT100001389110, represented by General Manager Dina Bunces.
1.6. Employee means a person who has entered into an employment or similar contract with the Data Controller.
1.7. Recipient of the data means a natural or legal person, public authority, agency or other body to whom the Personal Data is disclosed, whether or not it is a third party.
1.8. Data Subject – an Employee of the Data Controller, a Candidate for a Workplace, a Customer or any other natural person whose Personal Data is processed by the Data Controller.
1.9. Data processing means any operation or set of operations carried out by automatic or non-automatic means on personal data, such as: collection, recording, sorting, storage, adaptation or modification, reproduction, retrieval, use, disclosure by transmission, distribution or other making available , layout or aggregation, blocking, erasure or destruction, as well as any other action that would be considered as processing in accordance with the nature and purposes of the BDAR.
1.10. Data Processor – a natural or legal person, public authority, agency or other body that processes Personal Data on behalf of the Data Controller.
1.11. Candidate – a person who participates or seeks to participate in the selection of personnel by the Data Controller.
1.12. Customer means any customer of the Data Controller who uses the services and / or infrastructure provided by the Data Controller.
1.13. Computer equipment – computers, terminals, servers, secure media, other computer equipment owned by the Data Controller on a legal basis (ownership, lease or other grounds) and the software contained therein, including e-mail box, Internet communication programs, cloud computing services, Internet access.
1.14. Trainings – Trainings for Employees related to Personal Data Protection issues organized by the Data Controller.
1.15. Policy means this Personal Data Processing Policy.
1.16. Direct marketing – activities performed by the Data Controller, which are intended to offer the Data Controller’s goods and / or services to persons by post, telephone or other direct means and / or to ask their opinion regarding the offered goods or services.
1.17. Third party means a natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor or persons authorized to process personal data under the direct authority of the controller or the processor.
1.18. Child in the context of the processing of personal data means a person under the age of 16.
1.19. Other terms used in the Policy correspond to the terms used in BDAR and ADTAĮ.
2. GENERAL PROVISIONS
2.1. The purpose of this Policy is to regulate the procedures of personal data processing, fully or partially automatic processing of Personal Data, as well as non-automatic processing of personalized systematic files, implementation of Data Subject’s rights and technical and organizational measures to protect Personal Data under BDAR, ADTAĮ and other legal acts establishing the protection of personal data.
2.2. The Data Controller shall ensure that in adopting and implementing this Policy it seeks to implement the following essential principles related to the processing of Personal Data:
(a) The personal data are processed in a lawful, fair and transparent manner vis-à-vis the Data Subject (principle of lawfulness, fairness and transparency);
(b) The personal data are collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing of personal data for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes is not considered incompatible with the original purposes (purpose limitation principle);
(c) The personal data are intended to be adequate, relevant and only necessary for the purposes for which they are processed (data reduction principle);
(d) Aim and endeavor to ensure that Personal Data is accurate and, where necessary, updated within a reasonable time of the change; the aim is to take all reasonable measures to ensure that Personal Data which are inaccurate, having regard to the purposes for which they are processed, are erased immediately or rectified within a reasonable time (principle of accuracy);
(e) The purpose is to keep the Personal Data in such a form that the data subjects can be identified for no longer than is necessary for the purposes for which the Personal Data is processed; Personal data may be stored for longer periods if the Personal Data are processed only for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, subject to appropriate technical and organizational measures to protect the data subject’s rights and freedoms (retention limitation principle);
(f) The personal data shall be processed in such a way as to ensure adequate security of the Personal Data, including protection against unauthorized processing or unauthorized processing of the Personal Data, taking into account the general nature of the Personal Data processed by the Data Controller. handling and against accidental loss, destruction or damage (principle of integrity and confidentiality);
(g) The controller is responsible for ensuring that the above principles are complied with and must be able to demonstrate that they are complied with (accountability principle).
2.3. Personal data shall be processed after duly informing the Data Subjects in accordance with the requirements provided for in Chapter 6 of the Policy and the BDAR.
2.4. Data is stored for the periods specified in this Policy for each type of Personal Data. Storage and deletion shall be carried out in accordance with the procedures set out in Policy Chapters 7 and 8.
2.5. Access to Personal Data is granted only to the Responsible Employees performing the necessary functions on the basis of contracts concluded on the basis of a written / oral statement. Access is also granted to Data Processors with whom a data processing agreement in accordance with Chapter 13 of this Policy and in accordance with the BDAR standards has been concluded.
2.6. The Responsible Employees of the Data Controller have the right to collect, process, transfer, store, destroy or otherwise use and process Personal Data only in the performance of their direct work functions and only in accordance with the procedure established by legal acts.
2.7. Employees of the Data Controller are prohibited from arbitrarily collecting, transmitting, storing, deleting or otherwise processing Personal Data and using Personal Data for personal purposes not related to direct work functions.
2.8. Responsible staff must:
(a) Process Personal Data in accordance with the legal acts of the European Union and the Republic of Lithuania, as well as this Policy and other internal documents of the Data Controller;
(b) Not to disclose, transfer or facilitate access to Personal Data by any means to persons who are not authorized to process Personal Data;
(c) Immediately notify the Data Controller of any suspicious situation that may endanger the security of Personal Data, other risks of personal data breaches, signs of criminal activity, and non-functioning measures for ensuring the security of Personal Data.
2.9. In order to prevent the accidental or unlawful destruction, alteration, disclosure, as well as any other unlawful processing of Personal Data, the Responsible Employees of the Data Controller shall keep the documents and data files properly and securely and avoid making unnecessary copies. Copies of documents containing Personal Data must be destroyed in such a way that these documents cannot be reproduced and their contents cannot be identified. Copies of personal documents may also be stored electronically.
2.10. In case of doubts about the processing of Personal Data, if personal data protection breaches are detected, other potential risks of Personal Data Management are identified, the Responsible Personnel should contact a higher-ranking person or persons responsible for the processing of Personal Data and further consult on personal data processing issues.
2.11. The Responsible Employee loses the right to process Personal Data when the Employment Contract of the Responsible Employee with the Data Controller expires or when the Personal Data becomes unnecessary for the performance of work functions due to a change in the employee’s position.
2.12. Data shall be transferred to Data Processors and Data Recipients when the right and / or obligation to do so is granted by legal acts on appropriate grounds.
2.13. The data controller’s access rights to the Data shall be immediately terminated upon termination of the service or other type of agreement concluded with the Data Controller, on the basis of which the Data Controller processes the Personal Data, or upon termination of this agreement.
2.14. In the event that certain technical / organizational or any other objective obstacles prevent the immediate revocation of access or that such access is maintained through the temporary extension of individual agreements on the security of transferred Personal Data as referred to in paragraph 2 of this Policy, the Data Controller shall take steps to ensure that comply with the obligations set out in the BDAR and / or the temporarily extended separate agreements on the security of the transferred Personal Data.
2.15. Personal data of the data controller may be submitted to a pre-trial investigation body, prosecutor or court in administrative, civil, criminal cases, as evidence or in other cases prescribed by law.
2.16. Personal Data may also be provided by the Data Controller to other persons (lawyers, consultants, auditors, etc.) used by the Data Controller to provide the necessary services to the Data Controller and / or the Data Subject, as well as to other third parties if Personal Data is transferred in accordance with legal acts. requirements.
2.17. Personal data may be provided in the following ways: in writing, by electronic means of communication, by connecting to individual databases or information systems collecting Personal Data or in another manner agreed by the Data Controller.
2.18. Non-automated provision of Personal Data when Personal Data is not provided directly to the Data Subject itself must be approved by the Data Controller’s Manual, except in cases when Personal Data is provided to the supervisory authority.
2.19. The Data Subject may submit his / her Personal Data upon arrival at the Data Controller’s office, by registered mail as well as by e-mail or on the Data Controller’s website, as well as in any other manner applicable in practice. The Data Subject may also transfer his / her Personal Data when executing a payment order, together with the transfer of his / her personal identification code and other payment data. Personal data is obtained from legal entities by submitting queries to databases administered by them.
2.20. Personal data may be obtained from the Bank of Lithuania; commercial banks; Boards of the State Social Insurance Fund; State Enterprise Center of Registers; the public register of invalid personal documents, the public register of wanted persons, or other public registers, if such Personal Data is necessary for making a decision related to the activities of the Data Controller.
2.21. Personal data of data subjects on convictions and criminal offenses may be processed only if the Data Controller provides for the possibility for the Data Controller to process such Personal Data. The Data Controller may not process such Personal Data on the basis of the Data Subject’s consent.
3. EMPLOYEE DATA PROCESSING
3.1. Employees’ Personal Data is processed for the following employment purposes:
(a) for the purposes of concluding, executing and accounting employment contracts with the controller;
(b) the proper performance of the data controller’s duties under the law and the application of the established tax advantage;
(c) maintain proper communication with Employees during non-working hours;
(d) the processing of Personal Data for preventive or occupational purposes;
(e) the Data Controller to ensure the safety of Employees;
(f) the controller for the purpose of ensuring public security, public order, protecting the life, health, property and other rights and freedoms of individuals;
(g) For internal administrative purposes.
3.2. For the purposes of concluding, executing and accounting employment contracts, the following Personal Data of Employees are processed:
(a) Names and surnames;
(b) Dates of birth;
(c) The bank account numbers to which the salary is transferred;
(d) Social Security Number.
3.3. For the purpose of proper performance of the duties of the data controller established by legal acts, for the purpose of application of the established tax benefit are processed:
(a) Employee identification codes;
(b) Information on the education acquired by the Employees;
(c) Information on the Employee’s marital status (If the Employee wishes to benefit from a tax credit).
3.4. For the purpose of proper communication with Employees outside of work, the following are handled by Employees:
(a) Addresses of residence;
(b) Personal telephone numbers;
(c) Personal Email Addresses.
3.5. When processing Personal Data for preventive or occupational medical purposes, the Data Controller may process information related to the Employee’s health condition, which directly affects the Employee’s work functions and the ability to perform them in accordance with the procedure established by legal acts.
3.6. For the purposes of public security, public order, protection of personal life, health, property and other rights and freedoms of individuals, the Data Controller may perform video surveillance and process video surveillance data related to Employees in accordance with the Video Data Processing Rules approved by the Data Controller.
3.7. With the consent of the Employee (personnel management, clerical management), the image of the Employee’s person may be processed to ensure the activities of internal administration.
3.8. With the consent of the Employee, other personal data of the Employee may be processed. In cases where the processing of the Employee’s Personal Data requires the Employee’s consent, the Employee has the right to give or refuse consent, as well as to withdraw the given consent at any time without any negative direct or indirect consequences related to his further work. In this case, the Data Controller shall terminate the processing of such Personal Data, unless there is another legal basis for processing the Personal Data.
3.9. The Personal Data specified in Clauses 1 – 3.7 of the Policy shall be processed prior to the commencement of the business relationship (conclusion of the employment contract) on the basis of the consent of the Data Subject or the Data Controller in order to take action before concluding the contract; after the commencement of the business relationship – on the basis of a contract concluded in order to perform the contract, as well as when it is necessary to fulfill the legal obligation of the Data Controller.
3.10. Employees’ Personal Data are obtained directly from Data Subjects, the State Tax Inspectorate under the Ministry of Finance of the Republic of Lithuania, the Board of the State Social Insurance Fund under the Ministry of Social Security and Labor (hereinafter – Sodra).
3.11. Employees’ Personal Data may be systematically processed by fully and partially automated means and not automatically.
3.12. The regular recipients of Employee Data are the State Tax Inspectorate under the Ministry of Finance of the Republic of Lithuania and Sodra. Personal data is provided to the Social Security through the Electronic Policyholder Service System (EDAS).
3.13. Personal Data of Employees may be transferred to other Data Recipients only at their request or with the consent of the Employees in accordance with the procedure provided for in Chapter 10 of this Policy or in fulfillment of legal obligations or obligations under concluded agreements and only on legitimate grounds.
3.14. Employees are informed about the processing of their Personal Data by signing this Policy.
4. PROCESSING OF CANDIDATE DATA
4.1. Candidates’ Personal Data is processed for the purpose of selecting Candidates for employment.
4.2. The Data Controller processes the following Personal Data provided by the Candidates for the purposes of job selection:
(a) Name;
(b) Date of birth;
(c) Telephone number;
(d) Email Address;
(e) Address of residence;
(f) Education;
(g) Workplace;
(h) Courses taken;
(i) Languages spoken;
(j) Computer skills;
(k) Recommendations;
(l) Other Personal Data contained in the Candidate’s CV and / or other submitted documents voluntarily provided by the Candidate.
4.3. This Personal Data is processed on the basis of the Candidate’s consent or by the Data Controller in order to take action at the Candidate’s request before concluding an employment contract.
4.4. Personal data is obtained directly from the Candidates.
4.5. All or part of the Personal Data referred to in Clause 2 may be processed upon receipt of such Personal Data by the Lithuanian Labor Exchange and / or its territorial divisions and only to the extent necessary to achieve the purpose of personnel selection.
4.6. The data controller may collect personal data related to qualifications, professional abilities and subject characteristics of a Candidate applying for a position or job, after informing the candidate from the former employer and only with the consent of the candidate from the current employer.
4.7. When the Data is not received from the Candidate, the Data Subject shall be informed in accordance with the procedure established in Chapter 9 of the Policy.
4.8. Candidates’ Personal Data may be processed systematically by fully and partially automated means and not by automatic means.
4.9. Proper information of Candidates on the basis of Chapter 6 of this Policy is ensured in different ways depending on how the application for employment was submitted:
(a) If the request is submitted by e-mail or by filling in a questionnaire on the portal where the Data Controller’s announcement is placed, an automatic notification will be sent to the Candidate by e-mail with the necessary information and consent form specified in Chapter 6 of the Policy.
(b) If the request is made in person, the information specified in Section 6 of the Policy, together with the consent form, must be provided at the time of submission of the requesting Employee.
4.10. Candidate data is not passed on to third parties.
4.11. In case the legal acts of the Republic of Lithuania provide for additional restrictions on what information about the Candidates may be processed, the Data Controller shall ensure that only the Personal Data of the Candidates allowed to be processed are processed.
5. CUSTOMER DATA MANAGEMENT
5.1. Customers’ Personal Data is processed for the following purposes of organizing the activities of the Data Controller:
(a) for the purpose of awarding, performing and providing services;
(b) For direct marketing purposes;
(c) to run Loyalty Programs;
(d) to carry out promotional and other promotions (quizzes, games) related to the activities of the Data Controller;
(e) for the purpose of organizing and promoting events;
(f) for the purpose of administering requests and feedback;
(g) WIFI for the purpose of providing a free connection;
(h) perform analysis of Statistics and Customer Behavior;
(i) To protect public safety, public order, the life, health, property and other rights and freedoms of individuals.
(j) For other purposes for which the Data Controller may process the Personal Data with the Customer’s consent, as well as when the Customer’s Personal Data is processed in the interest of the lawful Data Controller or a third party or when the Personal Data is processed to fulfill the Data Controller’s legal obligation.
5.2. The Data Controller may process the following Personal Data of the Clients for the purpose of concluding, executing contracts and providing services:
(a) Name;
(b) Surname;
(c) Bank account number;
(d) Telephone number;
(e) Address of residence;
(f) Email Address.
5.3. This Personal Data is processed on the basis of the Customer’s consent in order to fulfill the contract or to take action at the Customer’s request before concluding the contract.
5.4. The Data Controller may process the following Customer Personal Data for direct marketing purposes:
(a) Name;
(b) Surname;
(c) Telephone number;
(d) Address of residence;
(e) Email Address.
5.5. This Personal Data is processed on the basis of the Customer’s consent or the legitimate interest of the Data Controller or a third party.
5.6. The Data Controller may process the following Personal Data of the Customers who have given consent for the implementation of loyalty programs:
(a) Name;
(b) Surname;
(c) Date of birth;
(d) Gender;
(e) Email Address;
(f) Telephone number;
(g) Address of residence.
5.7. The Data Controller processes the following Personal Data of the Clients who have given their consent in order to carry out advertising and other promotions (quizzes, games):
(a) Name;
(b) Surname;
(c) Telephone number;
(d) Email Address.
5.8. For the purpose of organizing and advertising events, the Data Controller processes the following Personal Data of the Clients:
(a) Image.
5.9. This Personal Data is processed on the basis of the Customer’s consent or the legitimate interest of the Data Controller or a third party.
5.10. For the purpose of administering requests and feedback, the Data Controller processes the following Personal Data of the Clients who have given consent:
(a) Name;
(b) Surname;
(c) City;
(d) Telephone number;
(e) Email Address.
5.11. The Data Controller processes the following Personal Data of the Customers who have given their consent for the purpose of providing a free WIFI connection:
(a) Telephone number.
5.12. The Data Controller processes the following Personal Data of the Customers who have given their consent for statistical and Customer Behavior Analysis:
(a) Name;
(b) Surname;
(c) Gender;
(d) Personal hobbies and habits;
(e) Address of residence;
(f) Telephone number;
(g) Email Address.
5.13. For the purposes of public security, public order, protection of personal life, health, property and other rights and freedoms of individuals, the Data Controller may perform video surveillance and process video surveillance data related to Clients in accordance with the Video Data Processing Rules approved by the Data Controller. These data are processed on the basis of the legitimate interest of the Data Controller or a third party.
5.14. When the Data Controller processes Personal Data for other purposes with the Customer’s consent, the Data Controller may process only such Personal Data as is necessary to achieve this purpose and only to the extent that the Customer’s consent has been obtained.
5.15. When the Data Processor processes the Customer’s Personal Data for other purposes based on the legitimate interest of the Data Controller or a third party, the Data Controller may process only such Personal Data as is necessary to achieve this purpose and only to the extent necessary to achieve this purpose.
5.16. When the Data Processor processes the Customer’s Personal Data for other purposes in order to fulfill a legal obligation, the Data Controller may process only such Personal Data as is necessary to achieve this purpose and only to the extent required by the legal obligation.
5.17. When the Client is a Child, his / her Personal Data may be processed only with the consent of one of the parents or guardians.
5.18. Given that Children need special protection of their interests, information and communications when processing personal data are child-centered should be worded in clear and simple language that is easy for the child to understand.
5.19. The Data Controller ensures that in the event that the Customer is a Child, no profiling actions will be taken against his / her Personal Data.
5.20. When processing the Client’s Personal Data when the Client is a Child, on the basis of the legitimate interests of the Data Controller or a third party, the Data Controller must assess the supremacy of the Child’s interests, fundamental rights and freedoms and process the Personal Data on this basis only in exceptional cases takes precedence over the best interests of the child, his or her fundamental rights and freedoms.
5.21. Customers’ Personal Data may be systematically processed by fully and partially automated means and not automatically.
6. APPROPRIATE INFORMATION TO DATA SUBJECTS
6.1. Before processing the Personal Data, the Data Controller shall provide the Data Subjects with the following information, in writing or by other means, including, where appropriate, in electronic form:
(a) the name, details and contact details of the controller;
(b) the purposes of the processing;
(c) Information on the relevant categories of Personal Data;
(d) the legal basis for the processing of personal data;
(e) the period for which the personal data will be stored or, if that is not possible, the criteria for determining that period;
(f) The right to request that the Data Controller grant access to the Personal Data of the Data Subject and correct or delete or restrict the processing of the data, or the right to object to the processing of the Personal Data, as well as the right to data portability;
(g) The right to lodge a complaint with the supervisory authority;
(h) Where applicable, the recipients or categories of recipients of the Personal Data;
(i) Where applicable, the intention of the Data Controller to transfer the Personal Data to a third country or to an international organization;
(j) Where applicable, the existence of automated decision-making, including profiling, and, at least in that case, meaningful information on its rationale, as well as the significance of such processing and the expected consequences for the Data Subject.
6.2. In the event that there is a legal obligation or contract on the basis of the legal processing of Personal Data, the Data Subject shall also be provided with the following information:
(a) Information on whether the Data Subject is obliged to provide Personal Data and the possible consequences of not providing such Personal Data;
(b) Information on whether the provision of personal data is a statutory or contractual requirement or a requirement to be met in order to conclude a contract.
6.3. In the event that the legal basis for the processing of Personal Data is the legitimate interest of the Data Controller or third parties, the legitimate interests of the Data Controller or a third party shall also be indicated to the Data Subject.
6.4. In the event that the Personal Data is processed with the consent of the Data Subject, the Data Subject shall also be provided with information on the right to withdraw his or her consent at any time.
6.5. In case the Personal Data is not obtained from the Data Subject, the above information, except for the one specified in item 2, must be provided, as well as the following additional information:
(a) The categories of personal data to be processed;
(b) What is the source of the personal data and whether the data are obtained from publicly available sources.
6.6. Items 1 to 6.5 do not apply if and to the extent that the Data Subject already has the information.
6.7. In the case of receipt of personal data from outside the Data Subject, where informing the Data Subject does not require a disproportionate effort, the information shall be provided to the Data Subject through:
(a) One month after receipt of the Personal Data;
(b) If the Personal Data will be used to communicate with the Data Subject, no later than the first contact with that Data Subject; or
(c) If it is planned to disclose Personal Data to another Data Recipient – at the latest when disclosing Personal Data for the first time.
6.8. In all cases, the information referred to in points 1 to 6.5 must be provided in a concise, transparent, clear and easily accessible form, in clear and simple language.
6.9. The information shall be provided in writing or by other means, including, where appropriate, in electronic form. At the request of the data subject, information may be provided orally, but in all cases the information collected about a specific person shall be provided only after the Data Subject has proved his or her identity.
6.10. The obligation to provide the above information shall not apply to the extent that:
(a) The provision of such information is impossible or would require a disproportionate effort, financial, economic, intellectual resources. In such cases, the Data Controller shall take appropriate measures to protect the rights and freedoms and legitimate interests of the Data Subject, including the public disclosure of the information;
(b) the receipt or disclosure of personal data is expressly provided for in European Union or national law and applies to the Data Controller and provides for appropriate safeguards for the legitimate interests of the Data Subject;
(c) Where Personal Data must be kept confidential in accordance with the obligation of professional secrecy laid down by European Union or Member State law.
7. DATA RETENTION TERMS
7.1. The Data Controller applies different terms of storage of Personal Data depending on the purpose for which the specific Personal Data is processed.
7.2. The Data Controller applies the following terms of storage of Personal Data:
| No | Purpose of the processing of personal data | Storage time |
| 1. | Labor relations administration | Up to 50 years after the termination of the employment contract in accordance with the General Document Retention Period Index, with the exception of video surveillance, where records, if made, are deleted after 30 days |
| 2. | Selection of candidates | Until the end of the job selection (With the consent of the Candidate, the Curriculum Vitae (CV) of the latter and the data contained therein will be processed for 3 years after the end of the job selection) |
| 3. | Organization of the data controller’s activities | Up to 3 years from the date of the last contact with the Data Subject, except for (i) surveillance of video data, where recordings, if made, are deleted after 30 days; (ii) the execution of promotional campaigns, where the Personal Data is deleted after the purposes of the promotional campaigns have been achieved, unless the Data Subject has given written consent to process the submitted Personal Data for the purposes of direct marketing |
7.3. Exceptions to the above retention periods may be made to the extent that such deviations do not infringe the rights of the Data Subjects, comply with legal requirements, are properly documented and are justified by a legitimate interest of the Data Controller or a third party.
7.4. Data necessary to establish, enforce or defend legal claims shall be kept to the extent necessary to achieve such purposes in judicial, administrative or extrajudicial proceedings.
8. DATA DESTRUCTION
8.1. Personal data is stored to the extent required by the terms and purposes of the processing of personal data. When Personal Data is no longer needed for the purposes of its processing and / or when the term for processing Personal Data provided for in the Policy expires, it must be irretrievably destroyed.
8.2. Destruction is defined as the physical or technical act of making the Personal Data contained in a document irreversible by normal commercially available means.
8.3. Personal data stored in electronic form shall be destroyed by deletion without the possibility of recovery.
8.4. Paper documents containing Personal Data are shredded and the residue is disposed of in a secure manner.
9. RIGHTS OF DATA SUBJECTS
9.1. The data subject may exercise the following rights in accordance with the procedure established by the BDAR:
(a) The right to be informed;
(b) Right of Access to Personal Data;
(c) The right to delete personal data;
(d) The right to rectification of Personal Data;
(e) The right to restrict the processing of Personal Data;
(f) The right to portability of Personal Data;
(g) The right to object to the processing of Personal Data;
(h) The right to object to automatic decision-making and profiling.
9.2. The rights set forth in Clauses 1 (b) – 9.1 (h) of the Policy shall be exercised in accordance with the Procedure for Responding to Requests from Data Subjects, which facilitates the necessary actions within the time limits set by the BDAR, which are as follows:
| Application of data subjects | Period |
| The right to be informed
|
When data are collected (if provided by the Data Subject) or within one month (if provided by a non-Data Subject) |
| Right of access | One month |
| Teisė į patikslinimą | One month |
| Ištrynimo teisė | One month |
| Teisė apriboti Asmens duomenų tvarkymą | One month |
| Teisė į Asmens duomenų perkeliamumą | One month |
| Right to object to the processing of personal data | Upon receipt of an objection, or without undue delay, when the Data Controller has grounds to refuse to comply with the Data Subject’s request for compelling legitimate reasons to process Personal Data that are beyond the Data Subject’s interests or to express, enforce or defend legal claims. |
| Rights related to automatic decision making and profiling | One month |
9.3. Notwithstanding Clause 9.2, the Data Controller shall endeavor to ensure that the information requested by the Data Subjects is provided as soon as possible.
9.4. The time limits referred to in point 9.2 may, if necessary, be extended by a further two months, depending on the complexity and number of applications.
9.5. Standardized Data Subjects ‘Requests for Access to Personal Data are received by filling in the Entities’ Requests for Access to Personal Data Form.
9.6. The Data Controller may not formally rely on non-compliance with the said form as a basis for refusing to accept the Data Subject’s request or delaying its processing.
9.7. The controller must inform the Data Subject of their rights in a clear, concise, transparent, comprehensible and easily accessible form, in clear and simple language.
9.8. The controller has the right to reasonably refuse to allow the Data Subject to exercise his rights or to charge a reasonable fee in the circumstances provided for in Article 12 (5) (b) BDAR.
10. CONSENT
10.1. Unless there are other grounds for processing set out in the BDAR or the ADTA, the data subject must obtain his or her free and explicit consent in order to collect and process his or her Personal Data.
10.2. In case the Personal Data is processed on the basis of the Data Subject’s consent, the Data Controller must provide the Data Subject with the information specified in clauses 6.1 and 6.4 before obtaining such consent for the processing of Personal Data. Consent obtained without the data subject first providing the required information is not considered appropriate.
10.3. The Data Controller must be able to prove that the Data Subject has given his or her unambiguous (and, in the case of Special Categories of Personal Data, explicit consent) consent to the processing of his or her Personal Data.
10.4. The data controller must be able to demonstrate that the data subject’s consent is based on his or her genuine and free choice. This means that the performance of the contract, including the provision of the service, will not be based on the condition of consent to the processing of Data that is not necessary for the performance of that contract.
10.5. The controller must be able to prove that the Data Subject has consented to the processing of his / her Personal Data for one or more specific purposes.
10.6. The statement of consent of the Data Subject, formulated in advance by the Data Controller, shall be provided in an understandable and easily accessible form, in clear and simple language.
10.7. The data controller must be able to prove that the processing of Personal Data is restricted with the express consent of the Data Subject.
10.8. In the event that the Data Controller is unable to ensure that the Data Subject’s consent complies with the requirements set out in this Policy and / or the BDAR, an alternative basis for lawful Data Processing shall be selected.
11. TRANSFER OF DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS
11.1. Personal data may be transferred to a third country or to an international organization whose legal regulation has been recognized by the European Commission as ensuring an adequate level of protection of personal data. Transfers to an entity ensuring an adequate level of protection of personal data may take place without any further authorization from the European Commission or the Member States.
11.2. Personal data may also be transferred to third countries or international organizations subject to one or more of the following appropriate safeguards:
(a) Rules binding on undertakings approved by the competent authority, if applicable.
(b) Standard contract terms for data protection adopted by the European Commission.
(c) Standard contractual terms on data protection adopted by the Supervisory Authority or contractual terms recognized by the Supervisory Authority.
(d) A code of conduct defining the international transfer of data has been adopted by associations and other bodies representing different categories of controllers or processors.
(e) Certifications, security features and / or markings that may be used to demonstrate compliance with the data protection measures imposed by the controller or controller.
11.3. Notwithstanding Clause 11.2, the Data Controller may use other necessary safeguards that meet the standards of diligence.
11.4. In the absence of a decision on adequacy by the Data Controller in accordance with point 1 or without appropriate safeguards referred to in point 11.2, the Data Controller shall transfer Personal Data to a third country or international organization or carry out such transfers only under one of the following conditions:
(a) The Data Subject has explicitly consented to the proposed transfer of Personal Data after being informed of the potential risks to the Data Subject of such transfers due to the lack of a decision on adequacy and the lack of appropriate safeguards;
(b) The transfer of personal data is necessary for the performance of a contract between the Data Subject and the Data Controller or for the implementation of pre-contractual measures taken at the request of the Data Subject;
(c) The transfer of personal data is necessary for the conclusion or performance of a contract between the Data Controller and another natural or legal person in the interests of the Data Subject;
(d) The transfer of personal data is necessary for the establishment, enforcement or defense of legal claims.
11.5. The above safeguards are detailed in the BDAR, and this detailed information is mandatory for the Data Controller.
12. PROCEDURE FOR MANAGING AND RESPONDING TO BREACHES OF PERSONAL DATA SECURITY
12.1. The Data Controller has established a procedure for responding to data security breaches and they are mandatory.
12.2. Employees of the Data Controller who have the right to access Personal Data must inform the Responsible Employee and / or their immediate supervisor if they notice any violations of Personal Data Security (inaction or actions that may cause or pose a threat to the security of Personal Data).
12.3. After assessing the risk factors, degree of impact, damage and consequences of the Personal Data Protection Violation, the Responsible Personnel shall decide on the measures necessary to eliminate the Data Protection Violation and its consequences in accordance with the Data Security Violation Response Procedure approved by the order of the Data Controller’s Head.
13. REQUIREMENTS FOR PERSONAL DATA PROCESSING AGREEMENTS
13.1. When concluding a data processing agreement with the Data Controller, the Data Controller shall include in this agreement provisions containing the following information:
(a) The subject of the processing of personal data;
(b) The duration of the processing of personal data;
(c) The nature of the personal data;
(d) The purposes of the processing of personal data;
(e) Types of Personal Data;
(f) Categories of data subjects;
(g) the rights and obligations of the Parties arising from the legal regulation of personal data protection;
(h) Obligation of the Data Controller to act only in accordance with the written instructions of the Data Controller. The data controller retains the right to make the operational and organizational decisions necessary for the provision of the agreed service insofar as this does not change the purposes of the processing of personal data;
(i) Confidentiality obligations of the controller’s staff. The contract must stipulate that the processor ensures that the employees processing the Personal Data have an obligation to ensure confidentiality, unless they already have such an obligation under the law;
(j) Security measures for the processing of personal data. The data controller must contractually undertake to ensure a level of security appropriate to the nature of the Personal Data and the level of threat associated with it;
(k) Use of Other Data Processors. The Data Controller shall be obliged to use other data processors only with the prior consent of the Data Controller and by concluding a written agreement with another processor, which is subject to the same requirements as the contract concluded with the main Data Controller;
(l) Assistance in enforcing the rights of Data Subjects;
(m) Assistance in reporting personal data breaches. The Data Processor must undertake to immediately inform the Data Controller upon learning of any personal data breach;
(n) Assistance in the Personal Data Protection Impact Assessment;
(o) Assistance in consultation with the supervisory authority;
(p) Procedures for erasure and return of personal data. It is necessary to stipulate in the contract what happens to the data held by the processor upon termination of the contract, as the processor may continue to store them only if European Union or national law so provides;
(q) Method (s) of demonstrating compliance;
(r) Assisting the Data Controller or another auditor authorized by the Data Controller in carrying out audits, including inspections.
13.2. The above provisions may be included in the main contract or discussed in a separate agreement on the security of the transferred Personal Data.
14. ADAPTED AND STANDARDIZED DATA PROTECTION GUIDELINES
14.1. The Data Controller shall implement appropriate technical and organizational measures to protect the Personal Data from accidental or unlawful destruction, alteration, disclosure, as well as from any other unlawful processing, both when establishing the Data Processing Measures and during the Data Processing itself.
14.2. The controller must act taking into account the level of development of technical possibilities, implementation costs and the nature, scope, context and purposes of the processing of personal data, as well as the various probabilities and seriousness of the processing of personal data to individuals’ rights and freedoms.
14.3. Customized Personal Data Protection means that any new application or system that uses Personal Data must be designed with the protection of such Personal Data in mind. Privacy must be taken into account throughout the life of the program or system.
14.4. The measures that should be followed in order to implement the adapted principle of personal data protection are:
(a) Limiting the amount of Personal Data collected;
(b) Possibility of control;
(c) Transparency;
(d) Implementation of user-friendly systems;
(e) Ensuring the confidentiality and quality of personal data;
(f) Providing Aliases;
(g) Anonymisation of Personal Data as soon as possible;
(h) Enabling Data Subjects to monitor the processing of Personal Data;
(i) Ensuring the possibility to develop and implement new security measures;
(j) Appropriate Staff Training;
(k) Conducting Audits and Policy Reviews;
(l) Restrictions on the Use of Personal Data.
14.5. Standardized Personal Data Protection requires that the strictest privacy settings be applied to a particular application or system as soon as that application or system becomes available.
14.6. Examples of measures to implement standardized protection of personal data include:
(a) Only Personal Data that is necessary for the specific purpose of the Data Processing shall be processed in a standardized manner;
(b) Technological measures must be designed in such a way as to avoid unnecessary processing of Personal Data;
(c) Default settings in favor of personal data protection;
(d) Features that are not required must be configured.
14.7. These measures aim at the effective implementation of the principles of personal data protection, such as the principle of reduction of the amount of personal data, and at the integration of the necessary safeguards into the processing of personal data in order to comply with the BDAR and protect the rights of data subjects.
14.8. The objectives described in this section are pursued, inter alia, through the Data Protection Impact Assessment procedure.
15. TECHNICAL AND ORGANIZATIONAL MEASURES FOR PERSONAL DATA SECURITY
15.1. The organizational and technical security measures implemented by the Data Controller ensure a level of security that is commensurate with the nature of the Personal Data managed by the Data Controller and the risks involved in their processing.
15.2. The Data Controller shall appoint a person responsible for supervising the processing of Personal Data.
15.3. The Data Controller shall designate the person or Data Controller responsible for carrying out the video surveillance.
15.4. Employees must respect the principle of confidentiality and keep confidential any information relating to Personal Data which they have obtained in the course of their duties, unless such information is in the public domain in accordance with the provisions of applicable laws or regulations.
15.5. Paper forms Employees ‘personal files, Candidates’, Clients ‘and other persons’ files containing sufficiently sensitive Personal Data are stored in a lockable room.
15.6. The security of the premises where Personal Data is stored is ensured (access of unauthorized persons to the respective premises is restricted) by locking them, using access cards, installing an alarm system, and monitoring the premises.
15.7. Access to digitally recorded copies of Personal Data stored on Computer Equipment is password protected.
15.8. Access to Personal Data and the right to perform Personal Data Processing Actions is granted only to those Responsible Employees who need access to Personal Data in accordance with their duties and work functions.
15.9. The following technical data security measures are used to protect Personal Data processed automatically:
(a) Responsible Employees use unique passwords to access Personal Data, which are changed and stored to ensure their confidentiality;
(b) Ensuring the protection of the processed Personal Data against unauthorized connection to the internal computer network by electronic means;
(c) Ensure the use of secure protocols and passwords when transmitting Personal Data via external Personal Data Transmission Networks;
(d) Ensures protection of computer equipment against malicious software (installation, updating of antivirus programs, etc.);
(e) At least once a month, the designated Officer or other responsible person shall make copies of the Personal Data contained in the computers.
15.10. Personal data contained in external media and electronic mail or other high-risk media must be adequately protected.
15.11. The protection of personal data stored, organized and managed by online cloud servers is guaranteed by password-protected access to these online cloud servers, as well as by secure protocols.
15.12. The Data Controller shall also take all technical and organizational measures to ensure that the Personal Data processed during the Employee’s connection to the online cloud servers is protected against unauthorized interference by third parties. Examples of such measures could be the use of a virtual private network (VPN) to connect to online cloud servers via insecure networks.
15.13. The Data Controller seeks to implement appropriate technical and organizational measures to ensure that only those Personal Data that are necessary for each specific purpose of the Data Processing are processed in a standardized manner. This obligation applies to the amount of Personal Data collected, the scope of their processing, the period of their storage and their availability. In particular, such measures shall ensure that an unlimited number of natural persons cannot have access to Personal Data in a standardized manner without the intervention of a natural person.
15.14. The Data Controller shall take the necessary precautions to preserve the integrity of the Personal Data of the Data Subjects and to prevent the damage or loss of this Personal Data, including taking care of the necessary recovery of the Personal Data.
16. STAFF TRAINING
16.1. If necessary, the Data Controller shall provide appropriate training to the Employees who have the right to access the Personal Data on a permanent or regular basis.
16.2. Training should be in line with the realities of Employee performance.
16.3. The content of the training must help the Employees to perform their work duties in accordance with the requirements set out in the BDAR and other legal acts regulating the protection of personal data. To the extent required by BDAR, other legislation and the objectives and purpose of this Policy, Employees shall make every effort to ensure that the Data Controller is able to properly implement its obligations under BDAR and other Personal Data Protection legislation.
16.4. The training is documented, indicating, inter alia, its date, topic, staff involved and the results of the follow-up study (if any).
17. USE OF COMPUTER EQUIPMENT
17.1. The computer equipment may be shared by all Employees of the Data Controller, their groups or assigned to a specific Employee. Computer equipment normally used by a particular Employee may also be used by other Employees of the Data Controller if the circumstances necessitate the use of this Computer Equipment for the performance of work functions.
17.2. It is prohibited for an employee to disassemble, disassemble or otherwise modify computer equipment. The employee is also prohibited from downloading to the Computer Hardware, installing the software, opening the downloaded and / or installed programs despite the prohibition.
17.3. It is strictly forbidden to use the Computer Equipment for any purpose not related to the direct performance of work functions, both during and after work (including but not limited to personal information, other files not related to work functions (music, games, videos, pictures, etc.) ) on a computer). Computer equipment, including the e-mail box provided to the Employee, may be used only for the performance of work functions.
17.4. The employee is prohibited from using the provided e-mail and other electronic means of communication for personal needs, i. y. the Employee may not receive non-job and / or personal letters and files to the provided e-mail address. It is also prohibited for the Employee to send non-job-related and / or personal and private information from the provided e-mail address, or other information related to the Employee’s family members or other relatives, if it is not related to the proper performance of job functions.
17.5. Employees are prohibited from using computer equipment for fraudulent, non-work-related advertising and personal financial gain, viewing, accumulating, distributing, downloading illegal records, programs and information, using document sharing programs, downloading or playing computer games, using the Internet or social networking programs. or websites.
17.6. If the contents of the e-mail box (e-mail or letter attachment) are unclear, incomprehensible or do not open to the Employee, the Employee must immediately contact the Responsible Person and indicate what is unclear, incomprehensible or does not open. The employee has no right to check his / her personal e-mail or other electronic communication programs during or after work, using the Computer equipment.
17.7. The Employee must use the Computer Equipment in accordance with the recommendations and instructions of the representative of the person responsible for computer maintenance and / or the Service Provider of the Data Controller’s Service Provider. Faults or malfunctions that have occurred while using the Computer Equipment must be reported immediately.
17.8. At the request of the Data Controller or when the employment contract is terminated (in the latter case no later than the date of termination of the employment contract), the Employee must immediately return all Computer Equipment to the Data Controller. Equipment must be returned in good condition (subject to normal wear and tear), including intangible assets (including information related to or contained in the Computer Equipment).
17.9. When using the Computer Equipment, Employees are strictly prohibited from disseminating the Data Controller’s confidential information or trade secret on the Internet (e-mails, e-mail) or passing such information to third parties who do not have the right to access such information. Any of the above actions, as well as the forwarding of such information to your personal e-mail, copying such information for personal use or other distribution without the permission of the Data Controller, shall be considered a serious breach of duty.
17.10. If the fact of disclosure of confidential information or trade secret or other breaches of employment relationship is established, the Data Controller may, on the basis of a legitimate interest, process the Personal Data of the Employee to the extent necessary to identify the breach, eliminate the consequences of the breach or suspend the continuing breach.
17.11. A person appointed by the Head of the Data Controller is responsible for monitoring the condition of the computer equipment. The procedure for organizing the maintenance and repair of rented computer equipment shall be established in the lease agreements for this equipment.
17.12. The Employee using this equipment is responsible for the day-to-day maintenance of the Computer Equipment.
17.13. Computer hardware failures are rectified as soon as they are detected. Employees who do not have the necessary training are prohibited from attempting to troubleshoot computer equipment on their own. They must immediately notify the person who maintains the computer equipment of the fault (s).
17.14. Insurance and inspection of computer equipment is organized by a person appointed by the Data Controller.
17.15. During the inspection, the distributed person checks the computer
18. LIABILITY
18.1. Employees who violate BDAR, VDAĮ or other legal acts regulating the processing and protection of Personal Data, or the duties specified in the Policy, are subject to the liability established by the legal acts of the Republic of Lithuania.
19. FINAL PROVISIONS
19.1. The Policy is reviewed and may be changed at the initiative of the Data Controller and / or by changes in the legislation governing the processing of Personal Data.
19.2. The policy and its amendments shall enter into force on the date of their approval. Employees are introduced to the Policy and its amendments by signing.