Personal data organizing

1. KEY POLICY CONCEPTS

1.1. ADTAĮ – the Law on the Legal Protection of Personal Data of the Republic of Lithuania.

1.2. Responsible employee – an employee of the Company who, according to the position and nature of work, has the right to perform specific functions related to data processing.

1.3. BDAR – Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation).

1.4. Company – Data controller UAB EVIJA & Partner, legal entity code 302642070.

1.5. Employee means a person who has entered into an employment contract, a temporary employment contract or a voluntary activity contract with the Company.

1.6. Data / Personal data – any information about an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by an identifier such as a name, a personal identification number, a location and internet identifier, or by one or more physical identifiers of that natural person, characteristics of physiological, genetic, mental, economic, cultural or social identity.

1.7. The recipient of the data is a natural or legal person, public authority, agency or other body to whom the Personal Data is disclosed, whether or not it is a third party.

1.8. Data subject – an employee of the Company, a customer or other natural person whose Personal Data is processed by the Company.

1.9. Data processing means any operation or set of operations on personal data carried out by automatic or non-automatic means, such as: collecting, recording, sorting, storing, adapting or modifying, reproducing, searching, using, disclosing, transmitting, distributing or otherwise making available , arrangement or combination, blocking, deleting or destroying.

1.10. Data Processor – a natural or legal person, public authority, agency or other institution that processes Personal Data on behalf of the Company.

1.11. Third Party – a natural or legal person, public authority, agency or other institution that is not a User of the Services, the Company, the data controller, or persons who are allowed to process personal data by the direct authorization of the Company or the Data Processor.

1.12. Other terms used in the Policy correspond to the terms used in the BDAR and the ADTA.

2. GENERAL PROVISIONS

2.1. The purpose of this Policy is to inform the Data Subjects about the procedure for processing their Data and the terms of their storage and to indicate their rights in relation to this Data and the Company.

2.2. The company shall ensure that it complies with the following essential principles regarding the processing of personal data:

2.2.1. Personal data must be processed in a lawful, fair and transparent manner (principle of lawfulness, fairness and transparency);

2.2.2. Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;

2.2.3. Personal data must be adequate, relevant and not excessive in relation to the purposes for which they are processed (data reduction principle);

2.2.4. Personal data must be accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (principle of accuracy);

2.2.5. Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed;

2.2.6. Personal data must be processed in such a way as to ensure adequate security of personal data through appropriate technical or organizational measures, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage (principle of integrity and confidentiality);

2.2.7. The company is responsible for ensuring that the above principles are followed and must be able to demonstrate that they are followed (accountability principle).

2.3. The Company may authorize the Data Processors to process the Data it manages, i. i.e. information technology and electronic communications service providers, advisors, auditors, consultants, security services and other persons who process the data managed by the Company for the specified purposes and in accordance with the instructions of the Company. The data controller’s access rights to the Data shall be terminated upon termination of the personal data processing agreement concluded with the Company or upon termination of this agreement.

3. APPROPRIATE INFORMATION TO DATA SUBJECTS

3.1. The data managed by the Company shall be provided to third parties with the consent of the Data Subject or other basis for lawful provision of data.

3.2. The following information must be provided to data subjects before processing their Personal Data:

3.2.1. Company name, details and contact details;

3.2.2. Purposes of data processing;

3.2.3. The legal basis for data processing;

3.2.4. Contact details of the Data Protection Officer, if applicable;

3.2.5. The period for which the personal data will be stored or, if that is not possible, the criteria for determining that period;

3.2.6. The right to request that the Company allow access to the personal data of the Data Subject and to correct or delete them, or to restrict the processing of the data, or the right not to consent to the processing of the Data, as well as the right to portability of the Data;

3.2.7. The right to lodge a complaint with the supervisory authority;

3.2.8. If available, the recipients or categories of recipients of the personal data;

3.2.9. Where applicable, the Company’s intention to transfer personal data to a third country or international organization;

3.2.10. Where applicable, the existence of automated decision-making, including profiling, and, at least in that case, meaningful information on its rationale, as well as the significance of such Processing and the expected consequences for Data Subjects.

3.3. The information shall be provided in a concise, transparent, clear and easily accessible form, in plain language.

3.4. Information is provided in this policy, in writing, by email. by post or other means. At the request of the data subject, the information may be provided orally.

3.5. The information collected about a specific person shall be provided only after the Data Subject has proved his / her identity and submitted a signed request or a copy thereof.

3.6. The obligation to provide information shall not apply to the extent that:

3.6.1. The provision of such information is impossible or would require a disproportionate effort. In such cases, the Company shall take appropriate measures to protect the freedoms and legitimate interests of the Data Subject, including the public disclosure of information;

3.6.2. The fact of receipt or disclosure of data is clearly established in the legal acts of the EU or the Republic of Lithuania, which establish appropriate measures to protect the legitimate interests of the Data Subject;

3.6.3. Where personal data must remain confidential, including an obligation of professional secrecy.

4. DATA RETENTION TERMS

4.1. The company applies different terms of personal data storage depending on the categories of personal data processed:

No.
Purpose of the processing of personal data
Shelf life
1.

Data processing for direct marketing purposes
10 years from the date of consent

Data processing for promotional purposes
1 year from the date of consent

Data processing for e-commerce purposes
2 years since last login or purchase

Data processing for the purpose of participating in the testing of a cosmetic product
3 years from the end of the study

Video surveillance for property protection purposes
Not longer than 30 days

Video surveillance for the purpose of organizing and conducting training
Not more than 1 year

4.2. Exceptions to the above retention periods may be made to the extent that such deviations do not infringe the rights of the Data Subject, comply with legal requirements and are properly documented.

4.3. If the Data is used as evidence in civil, administrative or criminal proceedings or in other cases prescribed by law, the Data may be stored to the extent necessary for these purposes of Data Processing and destroyed immediately when they are no longer needed.

5. DESTINATION OF DATA

5.1. Destruction is defined as the physical or technical act of making the data contained in a document irrecoverable by normal commercially available means.

5.2. Personal data stored in electronic form shall be destroyed by erasure without the possibility of recovery.

5.3. An employee working on a specific computer where personal data files are stored is responsible for the destruction of personal data files stored in electronic form.

5.4. Employees administering these systems are responsible for the destruction of data contained in the Company’s databases and IT systems.

6. RIGHTS OF DATA SUBJECTS

6.1. The data subject may exercise the following rights:

6.1.1. The right to be informed;

6.1.2. Right of access;

6.1.3. Right of cancellation;

6.1.4. Right of adjustment;

6.1.5. Right to restrict data processing;

6.1.6. The right to data portability;

6.1.7. The right to object to the processing of data;

6.1.8. Rights related to automatic decision making and profiling.

7. PROCEDURE FOR EXERCISE OF PERSONAL DATA RIGHTS

7.1. A data subject who has submitted an identity document to the Company or the Data Processor or in accordance with the procedure established by legal acts or by electronic means that allow proper identification of a person who has confirmed his or her identity has the right to receive information from which sources and for what purpose. they are processed, to whom the data are provided and have been provided in the last 1 year.

7.2. Personal data shall be provided to the Data Subject for access, as well as corrected and deleted or their processing shall be suspended on the basis of the Data Subject’s identity and personal identification documents or by electronic means of communication that allow for proper identification upon request. When the data subject applies to the Company in writing, a notarized copy of the identity document shall be attached to the application, except in cases when the written application is submitted directly to the Company’s employees and the data subject submitting the application can be identified at the time of application.

7.3. Requests of data subjects regarding the processing of Personal Data are accepted and registered in the Company’s registration and management journal by the employee (s) authorized by the Director of the Company.

7.4. Upon receipt of a request from the Data Subject regarding the processing of his / her personal data, the Company must respond whether the Personal Data related to him / her is processed and provide the requested Data to the Data Subject no later than within 30 calendar days from the date of the Data Subject. At the request of the Data Subject, such Data shall be provided in writing.

7.5. When providing the Personal Data of the Data Subject processed by the Data Subject to the Data Subject, the Company shall ensure appropriate organizational and technical data security measures so that other Data Subjects cannot be identified from the submitted Data.

7.6. The Company, upon receipt of the Data Subject’s request for the processing of video data related to it, shall respond no later than within 3 business days from the date of receipt of the Data Subject’s request whether the video data related to it is stored, and if so, the Company shall record and provided on a secure storage medium (CD, DVD, etc.).

7.7. The Personal Data of the Data Subject processed by the Company shall be provided to the Data Subject free of charge once a calendar year.

7.8. When submitting Personal Data, a video to the Data Subject for the second time of the year, the Data Subject shall be informed about the established amount of remuneration (for example, for receiving a CD, DVD or other medium containing a video, preparation of documents, etc.). The provision of data for remuneration shall be guided by the principle that the amount of remuneration shall not exceed the costs of data provision and the remuneration rules for the provision of data to the Data Subject, approved by the Government of the Republic of Lithuania in 2011. September 14 by resolution no. 1074

7.9. If the Data Subject, having become acquainted with his / her Personal Data, determines that his / her Personal Data is incorrect, incomplete or inaccurate and applies to the Company, the Company shall immediately verify the Personal Data and upon the Data Subject’s written request in person, by post or electronic to correct incorrect, incomplete, inaccurate Personal Data and / or suspend the processing of such Personal Data, except for storage.

7.10. If the Data Subject, having become acquainted with his / her Personal Data, determines that his / her personal data is processed illegally or fraudulently and applies to the Company, the Company shall immediately, but not later than within 5 business days, verify the lawfulness, integrity and at the request of the subject (expressed in writing), immediately destroy the illegally and fraudulently collected Personal Data or suspend the processing of such Personal Data, except for storage.

7.11. If, at the request of the Data Subject, the processing of his / her Personal Data is suspended, the personal data whose processing is suspended shall be stored until it is rectified or destroyed (at the request of the Data Subject or after the expiry of the Data Storage Term). Other processing operations with such Personal Data may only be carried out for the purpose of proving the circumstances that led to the suspension of the processing operations; if the Data Subject consents to the further processing of his / her Personal Data; if necessary to protect the rights or legitimate interests of third parties.

7.12. The Company shall immediately, but not later than within 5 business days, notify the Data Subject of the rectification, destruction or suspension of the processing of Personal Data performed or not performed at the request of the Data Subject.

7.13. If the Company doubts the accuracy of the Personal Data provided by the Data Subject, the Company shall suspend the processing of such Data, verify and correct the Data. Such Personal Data may only be used to verify their accuracy.

7.14. The Company shall immediately, but not later than within 5 business days, inform the data recipients about the Personal Data corrected or destroyed at the request of the Data Subject, suspended the processing of Personal Data, unless it would be impossible or excessively difficult to provide such information (due to the large number of Data Subjects, data period, unreasonably high costs). In such a case, the State Data Protection Inspectorate shall be notified immediately.

7.15. At the request of the Data Subject, the Company shall notify the Data Subject of the termination or refusal to terminate the processing of his / her Personal Data.

7.16. If it is established that the Company processes the Personal Data of the Data Subject illegally and unfairly, these Data shall be destroyed immediately, but not later than within 5 business days, at the initiative of the Company or at the request of the Data Subject.

7.17. The Data Subject shall submit a written notice of disagreement regarding the processing of Personal Data to the Company in person, by post or by electronic means. If the disagreement of the Data Subject is legally justified, the Company must immediately, but not later than within 5 business days, terminate the processing of Personal Data free of charge, except in cases prescribed by law, and inform the data recipients.

7.18. When Personal Data is processed on the legal basis specified in Article 5 (1) (5) and (6) of the Data Protection Act, the Data Subject has the right to object to the processing of his / her Personal Data without stating the reasons for the objection. Before collecting Personal Data, the Company shall acquaint the Data Subject with the right to object to the processing of its personal data. At the request of the Data Subject, the Company must notify the Data Subject of the termination or refusal to terminate the processing of his / her Personal Data.