The Company shall be committed to processing personal information reasonably, securely and in compliance with the requirements of the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the GDPR).
PERSONAL DATA PROCESSING PRINCIPLES
Personal data processing within the Company shall be based on these main principles:
Lawfulness, fairness and transparency
which means that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
which means that personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
which means that personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
which means that personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
which means that personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Integrity and confidentiality
which means that personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
which means that the Company, where it acts as the controller of personal data, shall be responsible for, and be able to demonstrate compliance with all the above-mentioned principles of data processing.
LAWFULNESS OF PROCESSING
The Company shall process personal data only if and to the extent that at least one of the following bases applies:
the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract;
processing is necessary for compliance with a legal obligation to which the Company, as data controller, is subject;
processing is necessary to protect the vital interests of the data subject or of another natural person;
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company, as a data controller;
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
The Company shall process the following data:
|The legal ground for the processing
Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the Company shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
DATA SHARING WITH THIRD PARTIES
The Company shall engage third parties as data processors only in cases where such third parties are capable of ensuring the processing of personal data in accordance with the requirements of the GDPR. The Company shall take measures to ensure that its data processors have adequate technical and organizational arrangements in place.
The Company shall conclude agreements with its data processors, which should include at least the following matters:
subject and duration of data processing;
purpose of the data processing;
personal data (their types) and data subjects (their categories);
rights and obligations of the Company, as data controller;
specific obligations of data processor as they are defined in the GDPR;
conditions and requirements for the engagement of data sub-processors.
Requirements specified in Clauses 4.1 and 4.2 shall also apply in cases when personal data is transferred to or shared with companies belonging to the same group as the Company.
The Company shall keep data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which personal data is processed (storage limitation principle). The Company shall ensure that data is not kept longer than necessary; thus, the established retention periods shall be followed.
The Company shall define specific retention limits for data in accordance with the requirements of legal acts applicable in different areas, such as anti-money laundering, archiving, employment, tax, data protection, etc. Where the retention period of certain data is not regulated, the Company shall define such limits itself based on the storage limitation principle.
The Company shall ensure that data whose retention period has ended is no longer processed. At the end of the defined retention period, the Company shall either destroy personal data or anonymize it.
The Company shall implement and continuously adhere to the following organizational measures aimed at implementing information security principles in practice:
|Implementation of measure
Personal data security policies and procedures
Roles and responsibilities
Resource and asset management
Personal data security breaches and incidents
The Company shall implement and continuously adhere to the following technical measures aimed at implementing information security principles in practice:
|Implementation of measure
Access control and authentication
Technical log entries and monitoring
Protection of servers and databases
Network and communication security
Mobile, portable devices
Destruction of data
DATA SUBJECT’S RIGHTS AND REQUESTS
The Company shall ensure that data subject’s rights established by the GDPR can be implemented:
Right to be informed
The data subject shall have a right to be informed about their data processing, including the purposes and legal grounds of processing. For implementation of the data subjects’ right to be informed, the Company shall publish this Policy on its website.
Right of access
The data subject shall have the right to get information as to whether personal data concerning him or her are being processed, and, if that is the case, access to the personal data and defined information about such data processing.
Right of rectification
The data subject shall have the right to request to rectify inaccurate personal data concerning him or her or complete the incomplete personal data.
Right to erasure (“right to be forgotten”)
The data subject shall have the right to request the erasure of personal data concerning him or her in the following cases:
- the personal data are no longer necessary;
- the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation.
Right to restriction of processing
The data subject shall have the right to request the restriction of processing from the Company in the following cases:
- the accuracy of the personal data is contested by the data subject – for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defence of legal claims;
- the data subject has objected to processing pending the verification of whether the legitimate grounds of the controller override those of the data subject.
Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Company, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller in the following cases:
- the processing is based on consent or on a contract pursuant; and
- the processing is carried out by automated means.
Right to object
The data subject shall have the right to object at any time to processing of personal data concerning him or her which is based on legitimate interest or public interest, including profiling.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to such processing of personal data. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Rights in relation to automated individual decision making, including profiling
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
For the implementation of other data subjects’ rights, the Company shall take necessary actions to timely and properly react to the data subjects’ requests. The Company shall take reasonable steps to verify the identity of the data subject and/or its representative.
Normally all requests of data subjects shall be managed by the Company free of charge. In cases where their requests are evidently ungrounded or disproportionate, for example, due to their repetitive nature, the Company may consider (i) charging a reasonable fee based on actual administrative costs; or (ii) refusing to act on the request. In all such cases, the Company shall inform the data subject in writing.
The Company shall seek to reply to the data subject’s request immediately, but in all cases no later than within 1 (one) month. In certain cases, for example, an extremely large amount of data, the Company may prolong this term for another 2 (two) months. In such a case, data subjects will be informed about such prolongation in writing.
The data subject shall also have the right to make a complaint to the State Data Protection Inspectorate (L. Sapiegos str. 17, 10312, Vilnius, the Republic of Lithuania; e-mail: [email protected]; more information on their website).
All employees of the Company shall be responsible for ensuring that they comply with this Policy and, therefore, adhere to appropriate practices, processes, and controls.
The Policy and its amendments or supplements shall enter into force upon their approval by the order of the General Manager of the Company, unless it specifies another date of entry into force of the Policy, its amendments, or supplements.
The Policy shall be reviewed immediately after the respective need is determined.