The Company shall be committed to processing personal information reasonably, securely and in compliance with the requirements of the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the GDPR).
PERSONAL DATA PROCESSING PRINCIPLES
Personal data processing within the Company shall be based on these main principles:
Lawfulness, fairness and transparency
which means that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
which means that personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
which means that personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
which means that personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
which means that personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
Integrity and confidentiality
which means that personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
which means that the Company, where it acts as the controller of personal data, shall be responsible for, and be able to demonstrate compliance with all the above-mentioned principles of data processing.
LAWFULNESS OF PROCESSING
The Company shall process personal data only if and to the extent that at least one of the following bases applies:
the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract;
processing is necessary for compliance with a legal obligation to which the Company, as data controller, is subject;
processing is necessary to protect the vital interests of the data subject or of another natural person;
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company, as a data controller;
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
The Company shall process the following data:
The legal ground for the processing
Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the Company shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
DATA SHARING WITH THIRD PARTIES
The Company shall engage third parties as data processors only in cases where such third parties capable of ensuring the processing of personal data in accordance with the requirements of the GDPR. The Company shall take measure to ensure that its data processors have adequate technical and organizational arrangements in place.
The Company shall conclude agreements with its data processors, which should include at least the following matters:
subject and duration of data processing;
purpose of the data processing;
personal data (their types) and data subjects (their categories);
rights and obligation of the Company, as data controller;
specific obligations of data processor as they are defined in the GDPR;
conditions and requirements for the engagement of data sub-processors.
Requirements specified in Clauses 4.1 and 4.2, shall also apply in cases when personal data is transferred/shared with companies belonging to the same group as the Company.
The Company shall keep data in a form, which permits identification of data subjects for no longer than it is necessary for the purposes for which personal data is processed (storage limitation principle). The Company shall ensure that data is not kept longer than necessary, thus, the established retention periods shall be followed.
The Company shall define specific retention limits for data in accordance with the requirements of legal acts, applicable in different areas, such as anti-money laundering, archiving, employment, tax, data protection, etc. In case retention period of certain data is not regulated, the Company shall define such limits itself based on storage limitation principle.
The Company shall ensure that data which retention period is completed, is no longer processed. At the end of the defined retention period, the Company shall either destroy personal data or shall anonymize it.
The Company shall implement and continuously adhere to the following organizational measures aimed to implemented information security principles in practice:
Implementation of measure
Personal data security policies and procedures
Roles and responsibilities
Resource and asset management
Personal data security breaches and incidents
The Company shall implement and continuously adhere to the following technical measures aimed to implemented information security principles in practice:
Implementation of measure;
Access control and authentication
Technical log entries and monitoring
Protection of servers and databases
Network and communication security
Mobile, portable devices
Destruction of data
DATA SUBJECTS RIGHTS AND REQUESTS
The Company shall ensure that data subjects rights established by the GDPR can be implemented:
Right to be informed
Right of access
Right of rectification
Right to erasure (“right to be forgotten”)
Right to restriction of processing
Right to data portability
Right to object
Rights in relation to automated individual decision making, including profiling
For the implementation of other data subjects rights, the Company shall take necessary actions to timely and properly react to the data subjects requests. The Company shall take reasonable steps to verify the identity of the data subject and/or its representative.
Normally all requests of data subjects shall be managed by the Company free of charge. In cases, their requests are evidently ungrounded or disproportionate, for example, due to their repetitive nature, the Company may consider to (i) charge a reasonable fee based on actual administrative costs; or (ii) to refuse act on the request. In all such cases, the Company shall inform the data subject in writing.
The Company shall seek to reply to the data subjects request immediately, but in all cases no later than within 1 (one) month. In certain cases, for example, an extremely large amount of data, the Company may prolong this term for another 2 (two) months. In such a case, data subjects will be informed about such prolongation in writing.
The data subject shall also have the right to make a complaint to the State Data Protection Inspectorate (L. Sapiegos str. 17, 10312, Vilnius, the Republic of Lithuania; e-mail: [email protected]; more information on their website[https://vdai.lrv.lt/en/services]).
All employees of the Company shall be responsible for ensuring that this they comply with this Policy and, therefore, adhere to appropriate practices, processes, and controls.
The Policy, their amendments or supplements shall enter into force upon their approval by the order of the General Manager of the Company, unless it specifies another date of entry into force of the Policy, its amendments, or supplements.
The Policy shall be reviewed immediately after respective need is determined.