Your personal data submitted with the order is stored and never transferred to third parties, except when required for the execution of the order or as required by the laws of the Republic of Lithuania.
1. MAIN DEFINITIONS
1.1. Company – UAB “8 DRAMBLIAI“, a company incorporated under the law of the Republic of Lithuania with its registered office at Nemenčinės pl 4C-104, Vilnius, the Republic of Lithuania, company code 303223673, data on the company is collected and stored in the Register of Legal Entities.
1.2.Data subject – natural or legal person (purchaser of the service) whose data is processed in the Company.
1.3.Personal data – means information related to natural person – Data subject, indicated in the paragraph 2.4 of these Rules.
1.4. Processing of personal data – means any action taken with Personal Data: collection, recording, compilation, storage, classification, grouping, merging, modifying (adding or amending), providing, using, deleting or any other action or set of actions.
1.5. Processing of personal data by automatic means – actions of processing of personal data completely or partly performed using automatic means.
1.6. Employee – means a person who has an employment or similar contract with the Company and is designated by the decision of the Director of the Company to process Personal Data.
1.7. Data Processor – means a legal or natural person authorised by the Company to process personal data.
1.8. Data controller - a legal or natural person who either alone or jointly with others determines the purposes and means of the processing of personal data.
1.9. Data recipient - means a legal or natural person to whom Personal data is provided.
1.10. Inspectorate – State Data Protection Inspectorate of the Republic of Lithuania.
1.11. Other terms used in these personal data processing rules correspond to the definitions set forth in the Law on Legal Protection of Personal Data of the Republic of Lithuania.
2. GENERAL PROVISIONS
2.1. This document regulates the actions of the Company and its Employees in processing of Personal Data using the automated Personal Data processing tools installed in the Company, as well as defining the rights of Data subjects, Risk factors of personal data breach, Personal data protection implementation measures and other issues related to Personal data processing.
2.2. Personal data must be accurate, relevant and not excessive in relation to the purposes for which they are collected or further processed.
2.3. Purposes of processing of personal data – means necessary for purchase and implementation of services and other legal purposes defined in advance of data collection.
2.4. The Company processes Personal data of Data subjects for the purpose indicated in the Paragraph 2.3 of the following Rules:
2.4.5. phone number;
2.4.6. place of residence (address);
2.4.9. data on the services / goods purchased by the Data subject, their quantities, dates of purchase and other information related to the services;
2.5. By submitting its personal data to the Company, the Data subject confirms and voluntarily agrees that the Company shall manage and process the Data subject’s personal data in accordance with these Rules, applicable laws and other regulatory provisions.
2.7. The processing of Personal Data is governed by the Law on Legal Protection of Personal Data of the Republic of Lithuania, Regulation (EU) 2016/679, other laws and legal acts regulating the processing and protection of data, as well as these Rules.
3. PROCESSING OF PERSONAL DATA
3.1. Personal data is processed automatically by using means of processing of personal data installed and/or leased by a company.
3.2. Only Employees and Controllers shall have the right to process Personal Data. Each Employee and/or Controller designated to process Personal Data must maintain the confidentiality of Personal Data and comply with the requirements of personal data protection legislation.
3.3. Employee / Controller must:
3.3.1. maintain the confidentiality of Personal Data;
3.3.2. process Personal Data in accordance with the laws of the Republic of Lithuania, other legal acts and these Rules;
3.3.3. not disclose, transfer or not grant an access to Personal Data by any means to any person who is not authorised to process Personal Data;
3.3.4. immediately notify the Director of the Company or his appointed person of any suspicious situation that may endanger the security of Personal Data.
3.4. Employees who automatically process personal data or persons from whose computers local area networks can be accessed and where Personal Data is stored must use passwords. Passwords must be changed at least every 30 days, as well as in certain circumstances (e.g. upon change of the employee, in case of threat of hacking, suspicion that the password has become known to third parties, etc.). An employee working on a specific computer can only know his own password.
3.5. The protection of personal data shall be organized, ensured and enforced by the Director of the Company or an Employee appointed by him.
3.6. The Employee loses the right to process the Personal Data when the Employee’s employment or similar contract with the Company expires or when the Director of the Company revokes the Employee’s appointment to process the Personal Data.
3.7. The Controller loses the right to process the Personal Data upon termination of the Controller’s contract with the Company.
4. RIGHTS OF DATA SUBJECTS AND THEIR ENFORCEMENT
4.1. The Data Subject by submitting an identity document to the Company shall have the right to obtain information from the Company, from which sources and which Personal Data have been collected, the purposes for which they are processed and to whom the data is provided. Access to Personal Data shall be made upon written request to the Company for access to Personal Data by mail, fax or e-mail.
4.2. Data subject shall have the right to data portability. The following right shall allow data subjects unobstructed access to the personal data which they have provided to the data controller in a systematic, commonly used and computer readable format and the right to transfer that data to another controller. Data portability is the right of the data subject to receive a subset of the personal data relating to the data subject processed by the controller and to store that data for further personal use.
4.3. Upon request of the Data Subject regarding the processing of his / her Personal Data, the Company shall reply whether the Personal Data related to him / her are processed and shall provide the Data subject with the requested data no later than 30 calendar days from the date of referral by the Data subject. At the request of the Data subject, such data shall be provided in writing to the address indicated or by e-mail.
4.4. The right to correct, delete or suspend the processing of your Personal Data shall be provided to the Data Subject upon written request to the Company by mail, fax, e-mail or verbal request if the Data Subject can be identified. Upon receipt of such a request, the Company shall promptly verify the Personal Data and, upon request of the Data Subject, promptly correct any incorrect, incomplete, inaccurate Personal Data.
4.5. The Company shall promptly notify the Data Subject of the rectification or deletion of the Personal Data, whether performed or not at its request.
4.6. The Data subject may complain about the Company’s actions (inactivity) to the State Data Protection Inspectorate within 3 months from the date of receipt of the reply from the Company or within 3 months from the date of termination of the deadline for reply set in paragraph 4.3. The Data subject may complain to the court in accordance with the procedure prescribed by law, regarding the actions (inactivity) of the State Data Protection Inspectorate.
4.7. The Company shall also guarantee all other rights, guarantees and interests of the personal data subjects guaranteed by the laws and regulations of the Republic of Lithuania.
5. TRANSFER OF PERSONAL DATA
5.1. Personal Data may be provided only to the Recipients of the Data with whom the Company has entered into relevant agreements for the transfer / provision of Personal Data and if the Recipient of the Data ensures adequate protection of the transferred Personal Data. Personal data may also be transferred to the third parties in other cases and according to the procedure laid down by the laws and other legal acts of the Republic of Lithuania.
5.3. Unless required or permitted by law, the Company does not collect sensitive personal information such as information related to health, racial origin, religious beliefs or political opinion.
6. RISK FACTORS FOR PERSONAL DATA PROTECTION BREACH
6.1 Personal data protection breach - actions or omissions which may cause or cause adverse effects, and which are contrary to the mandatory statutory provisions governing the protection of personal data. The degree of impact, damage caused and consequences of the infringement of the personal data will be determined on each individual case by a commission formed by the Head of the Company or a person authorised by him.
6.2. Risk factors for personal data protection breach:
6.2.1. unintentional, when Personal Data Protection is breached due to accidental reasons (errors in data processing, data carriers, deletion, destruction of data records, identification of incorrect routes (addresses) during transmission of data, etc.) or system failures due to power failure, computer virus, etc., violation of internal regulations, lack of system maintenance, software tests, inadequate data carrier maintenance, inadequate line capacity and protection, networking of computers, computer program security, inadequate supply of fax materials, etc.);
6.2.2. intentional, when the Personal Data Protection is deliberately violated (unauthorized intrusion into Company premises, into storage of personal data carriers, information systems, computer network, malicious violation of established rules when processing Personal Data, deliberate spread of computer virus, personal data theft, unlawful exercise of the rights of another Employee, etc.);
6.2.3. unexpected random events (lightning, fire, flood, inundation, storms, burning of electrical installations, effects of changes in temperature and / or humidity, impact of dirt, dust and magnetic fields, accidental technical incidents, other irresistible and / or uncontrollable factors, etc.).
7. MEASURES FOR THE IMPLEMENTATION OF PERSONAL DATA PROTECTION
7.1. To ensure the protection of Personal Data, the Company implements or intends to implement the following Personal Data Protection Measures:
7.1.1. administrative (establishing secure procedures for the management of documents, computer data and their archives, as well as arrangement for the organization of work in the various fields of activity, familiarisation of staff with personal data, protection during employment and at the end of employment or similar relationship, etc.);
7.1.2. security of hardware and software (administration of servers, information systems and databases, maintenance of workstations, undertaking’s premises, protection of operating systems, protection against computer viruses, etc.);
7.1.3. communications and computer network security (filtration of shared data, applications, unwanted data packages (firewalls), etc.).
7.2. The personal data protection hardware and software tools shall ensure:
7.2.1. installation of a repository of operating systems and databases, setting of copy technology and control of compliance;
7.2.2. technology for continuous data processing (handling)
7.2.3. a strategy for updating systems operation in case of emergency (management of uncertainties);
7.2.4. physical (logical) separation of application test environment from operating mode processes;
7.2.5. authorised use of the data and its inviolability.
7.3. All Employees who have the right to process or organize and enforce Personal Data protection must comply strictly with the Personal Data Protection Measures and any applicable rules, instructions or procedures established by the Company.
8. PERIOD OF PROCESSING OF PERSONAL DATA
8.1. The Company shall start processing the Personal Data from the moment of registration of the Data Subject (Service Purchaser) and shall continue processing until the Data Subject’s service purchase is completed.
8.2. When Personal Data is no longer needed for the purposes of processing, it shall be destroyed, except for data to be transmitted to the State Archives as required by the law.
9.1. Employees who violate the Law on Legal Protection of Personal Data of the Republic of Lithuania, other legal acts regulating the processing and protection of Personal Data or these Rules shall be subject to the liability measures provided by the laws of the Republic of Lithuania.
10. FINAL PROVISIONS
10.1. Supervision and, if necessary, review of compliance with the Rules shall be entrusted to the Head of the Company or his authorised person.
10.2. Responsible Employees shall be made aware of the Rules upon signature.