Considering the Directive 95/46/EC of the European Parliament and of the Council that is currently converted into the Law of the Republic of Lithuania on Legal Protection of Personal Data, and taking into account Regulation 2016/679 of the European Parliament and of the Council that comes into force in EU states from 25/05/2018, according to EU sources of primary and secondary law, international legislation, the Constitution of the Republic of Lithuania, the Civil Code and Labour Code of the Republic of Lithuania, Law on Tax Administration of the Republic of Lithuania, Law on Value Added Tax, Accounting Law, Law on State Social Insurance and successor legislation of the Government of the Republic of Lithuania and the Ministry of Finance that are also related to the legal protection of natural persons, UAB Eigida establishes internal rules and principles regarding the legal protection of personal data as the protection of natural persons in the processing of personal data is a fundamental right, i.e. everyone has the right to the protection of personal data concerning him or her.
These rules and principles apply to the relationship between UAB Eigida and its clients that use, have used, have expressed their intention to use or are related to the services provided by UAB Eigida in any other way, including the relationship with the clients before these rules and principles come into force. The right to personal data protection is not absolute, therefore the provisions and principles established in the rules are regulated taking into account the public purpose of personal data legal protection and are coordinated with other fundamental rights, based on the principle of proportionality and economic and financial activities of UAB Eigida.
UAB Eigida implements appropriate organisational and technical measures to protect personal data from any accidental or unlawful destruction, alteration, disclosure, as well as from any other unlawful processing. These measures ensure the level of security that complies with the nature of the personal data to be retained and the risks involved in their processing and are set out in these written rules.
By authorising the responsible persons to process personal data, UAB Eigida establishes that the data shall be processed only following the instructions of the head of the company and his authorised persons and the requirements of legal acts.
The rules and principles of personal data processing apply to the processing of personal data of all natural persons, regardless of their nationality or place of residence.
1. GENERAL PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA
These personal data processing principles provide information on how UAB Eigida processes personal data and these personal data processing principles must be followed by all employees of the company who have received, receive or become aware of personal data in any way, process them or ensure personal data protection.
Employees and authorised representatives of UAB Eigida shall ensure that personal data in the company are collected for defined and legitimate purposes and are not further processed for purposes incompatible with those established before the collection of personal data, i.e. the purposes are defined, legitimate and known in advance to the data subject.
The purposes shall be set first, and then the personal data shall be collected, not the other way around. Previously collected personal data for legitimate purposes shall not be used for other purposes without the separate consent of the individual.
UAB Eigida employees and authorised representatives shall use personal data for other purposes only with the consent of the individual, in cases set out by law, or where it is necessary for the defence of the public interest.
UAB Eigida employees and authorised representatives shall ensure that the personal data are processed accurately, fairly and lawfully, i.e. the personal data is received, collected and stored according to the procedure established by legal acts, the person must be informed in good faith about the purposes of use of the data, the methods of obtaining them and the duration of storage. The data shall not be obtained fraudulently or in any other way that distorts a person’s will regarding data transfer.
UAB Eigida employees and authorised representatives shall ensure that the personal data are accurate and constantly updated if necessary for processing. Inaccurate or incomplete data shall be corrected, supplemented, deleted, or its processing shall be suspended. Data is inaccurate if it is misleading or incorrect concerning the matter.
UAB Eigida employees and authorised representatives shall ensure that the personal data are identical, relevant and limited to the extent necessary for the collection and processing. It is forbidden to collect excess data that is not necessary to achieve the purpose. There shall be a proportion (adequacy) between the amount of data and the desired purpose, i.e. data should be limited to what is needed and not more.
UAB Eigida employees and authorised representatives shall ensure that personal data shall be stored in such a manner that permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed, i.e. personal data shall be kept for no longer than is necessary for processing. When personal data are no longer needed for processing, they shall be deleted, except for those that, in cases prescribed by law, shall be transferred to the state archives.
Consent to the processing of personal data must be given in good faith. There must be no doubt as to the content and terms of the consent and the expression of the individual’s will.
The data subject has the right to withdraw his consent at any time. The withdrawal of the consent shall not affect the lawfulness of the data processing carried out before the withdrawal of consent. The data subject shall be informed about this before the consent is given. The company shall enable easy withdrawal of the consent.
It is forbidden to process personal data that reveal racial or ethnic origin, political views, religious or philosophical beliefs, or trade union membership. It is also forbidden to process genetic and biometric data to identify the natural person, data about the sex life and sexual orientation, criminal record or punishments.
UAB Eigida employees and authorised representatives shall have a right to process personal data when:
- data subject gives his consent;
- a contract is concluded or performed when one of the parties is a data subject;
- a controller is obliged by law to process the personal data;
- official mandates are implemented that are given by laws and other legislation to the state and municipal bodies, institutions or third person to whom the personal data are provided;
- the processing is necessary for the legitimate interest of the controller or of the third party to whom the personal data are provided and where the interests of the data subject are not important;
- such processing is necessary for the performance of the data controller’s rights and obligations in the field of labour law in the cases prescribed by law;
- the data subject has made the personal data public;
- the data is necessary for the trial.
The principles of legal data protection should apply to any information concerning an identified or identifiable natural person.
UAB Eigida shall ensure the confidentiality of the personal data according to the applicable legal requirements and implementation of appropriate technical and organisational measures intended for the protection of personal data from unauthorized access, disclosure, accidental loss, alteration or destruction or other unlawful processing.
UAB Eigida shall have a right to use data processors for the processing of personal data but shall take the necessary measures to ensure that such data processors shall process personal data according to the company’s instructions and applicable legislation and shall require such persons to implement appropriate personal data protection measures.
UAB Eigida shall disclose personal data to the state and municipal institutions, law enforcement authorities and court, and third parties to whom the law provides the right to receive, collect and process personal data, only after it receives a written request that is justified and reasoned.
In case of reasonable grounds regarding the validity, lawfulness and appropriateness of the request, UAB Eigida shall contact the applicant to clarify and duly indicate the legal grounds and motives regarding the necessity and scope of submission of personal data.
In case of doubt as to the validity of the request received, the head of the company or his authorised representatives shall also inform the personal data protection supervisory authority that shall provide appropriate consultations and conclusions.
In order not to infringe the right of third parties to privacy, while implementing data subject’s right of access to his or her personal data, i.e. while issuing copies of documents or other information, only the personal data related to the data subject shall be disclosed. In this case, it is necessary to provide the personal data only about the data subject to the extent necessary, i.e. anonymise third party data, make extracts of these documents, etc.
UAB Eigida shall inform the data subject about the received requests regarding the transfer of his personal data to third parties. When transferring personal data to other recipients, the company shall inform the data subject regarding which data, to whom and for what purpose his personal data were transferred.
UAB Eigida applies preventive measures to prevent unauthorised access to personal data by third parties, i.e. performs an audit of the company’s internal documents and electronic media at the end of the calendar year and during the third quarter of the following year. Unnecessary information shall be deleted/removed from the electronic media. The documents to be stored shall be archived and transferred to the archive for storage according to the procedure laid down by the legislation and in accordance with the provisions of these rules.
UAB Eigida uses only certified software, computer programmes and other telecommunication measures that comply with the legislation. Service providers shall be certified and qualified legal or natural persons.
While selecting organisational and technical safety measures, UAB Eigida shall follow the General Requirements for Organisational and Technical Personal Data Security Measures approved by Order No 1T-71(1.12.) of the Head of the State Data Protection Inspectorate as of 12 November 2008 (hereinafter – General requirements).
The use of security protocols (e.g. HTTPS) and/or passwords must be ensured when providing personal data via external data transmission networks.
UAB Eigida shall provide to the social networks www.facebook.com and www.instagram.com only those personal data for which the person has granted explicit consent. The consent shall be in written form or clearly expressed otherwise. However, the expression of consent must be such that later UAB Eigida can prove the expression of the will of the person who gave the consent. The company shall clearly indicate to the person what data shall be collected or received, to what purpose this data shall be distributed, and for how long the personal data will be in the public space. A person must be able to choose the time limits for storing his or her data in a public space.
In order not to infringe the rights of third parties and if there are several persons in the photograph, each person in the photograph must give his or her consent for his or her personal data to be disclosed in a public space.
UAB Eigida shall disclose on the website www.Eigida.lt only those personal data for which the person has granted explicit consent. The consent shall be in written form or clearly expressed otherwise. However, the expression of consent must be such that later UAB Eigida can prove the expression of the will of the person who gave the consent. The company shall clearly indicate to the person what data shall be collected or received, to what purpose this data shall be distributed, and for how long the personal data will be in the information system. A person must be able to choose the time limits for storing his or her data in the information system.
To strengthen the right to be forgotten in the online environment, the right to erasure should also be extended in such a way that UAB Eigida that has made the personal data public should be obliged to inform the controllers who are processing such personal data to erase any links to or copies or replications of those personal data.
- Personal data means any information relating to the person who can be identified, directly or indirectly, by reference to physical, physiological, psychological, economic, cultural or social factors. Personal data is e.g. name, surname, the address of residence, facial image, personal identification number, fingerprints, iris, telephone number, email address, internet protocol (IP) address, vehicle number, etc.
- Processing means any operation or set of operations performed on personal data (collection, recording, storage, organisation, combination, alteration, disclosure, searching, destruction, etc.).
- Automated data processing means data processing operation performed by electronic means, i.e. different means of information and communication: computers, phones, tablets, smartwatches, video recorders, cameras, voice recorders, etc.
- Client (data subject) means any person whose data is being processed, i.e. each natural person who uses, has used or has expressed his intention to use UAB Eigida services or is otherwise related to the services provided.
- UAB Eigida (controller) means a legal person who uses personal data for professional purposes and determines the purposes and means for data processing, i.e. what personal data is processed for a defined and legitimate purpose, for whom they are provided, how data subject’s rights are ensured, what software is used for the processing, etc.
- Recipient means a natural or legal person to whom the personal data are provided.
- Data provision means the disclosure of personal data by transfer or making it available in another way, other than publication in the media.
- Processor means a legal or natural (not an employee of the controller) person who is authorised to process personal data.
- Special personal data means data related to the racial or ethnic origin of the natural person, his political, religious, philosophical or other views, trade union membership, health, sex life and criminal records. The personal identification number is also special personal data.
- Consent means a statement freely given by the data subject for personal data processing for a purpose known to him or her. Consent to the processing of special personal data shall be expressed explicitly in writing or other equivalent forms that undoubtedly prove the will expressed by the data subject.
- Video monitoring means the processing of video data related to the natural person (hereinafter – video data) using automated video surveillance means (video and photo cameras, etc.), regardless of whether this data is stored in media.
- Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular, to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
- Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
- Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
- Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- Data concerning health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
- Binding corporate rules means personal data protection policies which are adhered to by a controller or processor for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.
III. THE PURPOSES AND BASIS OF PERSONAL DATA PROCESSING
Contractual civil relationship
- In contractual civil relationships, the collection of personal data is executed to the extent required by law and the need to carry out transactions properly. Data collected for communication: name, surname, address, phone number, email addresses.
- The client shall submit the data concerning the connection with legal or natural persons if there is representation on behalf of a third party. The person shall submit a mandate or power of procuration in the form prescribed by law. The copies of the mentioned documents shall not be made.
- If the client wishes and seeks to obtain certain deferred payments and other financial benefits due to which the financial risk and burden fall on UAB Eigida, the client shall provide adequate and proportionate financial data related to the reliability of the client and operational assessment, i.e. data on accounts, property, transactions, loans, income and obligations.
- In each case, taking into account contractual relationships, potential burden and risk, the responsible employees of the company shall assess the need to obtain the volume of data and collect only those data that are necessary to achieve the purpose.
- If the objectives set out in points 4.3 and 4.4 of these rules are fulfilled, it is possible to collect data about the client’s place of residence for tax purposes, i.e. data on the country of residence, taxpayer’s identification number and nationality.
- Due to the conclusion and performance of the contract with the client, and for the sake of the client’s data update and correctness, UAB Eigida shall have the right to use external and internal registers when it is necessary to perform a contract or to take action at the client’s request before the conclusion of the contract or fulfilling legal obligation. The company’s actions regarding the collection or receipt of personal data must be adequate and proportionate.
- VAT invoices that are issued, VAT invoices that are received, consignment notes, CMR documents, cash receipts, cash expense orders and other documents that record economic and financial transactions shall contain only necessary personal data established by law.
- The head of the company UAB Eigida or his authorised persons shall make reference documents that specify which personal data are necessary and prescribed by law. Responsible persons who carry out economic and financial transactions shall sign an acknowledgement.
- Personal data obtained in a contractual civil legal relationship shall be subject to the principles of the legal protection of personal data set out in these Rules of Procedure.
- If the person voluntarily provided additional, i.e. excessive personal data, it shall be considered that the person implied his consent for the collection, evaluation and processing of the mentioned data in contractual civil relationships.
- Personal data obtained in contractual civil relationships shall be archived according to the procedure prescribed by law. After the need to protect them ceases to exist, the individual’s ‘right to be forgotten’ must be properly exercised.
- Given that civil legal relations are subject to the general prescription period of 10 years and that individual civil relationships are subject to a shorter prescription period, and that the Law on Tax Administration, the Law on State Social Insurance and other legislation indicate the prescription period of 5 years or shorter, contracts that were terminated or expired 5 years ago or earlier and due to which no legal proceedings are taking place between UAB Eigida and the client shall be submitted for further archiving according to the Law on Documents and Archives of the Republic of Lithuania (Valstybės žinios, 30/12/1995 No 107-2389). This will ensure further efficient management and availability of documents, and documents will be protected from damage, loss, illegal use, alteration and destruction.
- UAB Eigida shall have a right to collect personal data due to the provision of additional services to the client, due to opinion enquiry, market investigation and statistics, organisation of games and promotions, legitimate interest in improving the company’s services and launching new products and services.
- In each specific case, whether mentioned in point 4.13 or not, UAB Eigida shall clearly inform the clients or persons of the purposes of personal data collection, what data will be collected and for how long the received data will be stored. The person shall grant his consent in writing and state that he or she understood the purpose and scope of the data collection and storage time limits for the data received.
- Personal data that were obtained for the provision of additional services to the client, due to opinion enquiry, market investigation and statistics, organisation of games and promotions, legitimate interest in improving the company’s services and launching new products and services shall be destroyed according to the procedure prescribed by law within 3 months after the need to protect them ceases to exist, i.e. ‘the right to be forgotten’ must be properly exercised.
- When conducting sales transactions through e-store, the clients and the scope of their data submission shall be delimited.
- The client (legal or natural person) who conducts economic and commercial activities and wishes to purchase the products, not for his personal needs, shall provide data that are necessary for carrying out the transaction and that are specified by legislation.
- The client (user) that wishes to purchase the products for his personal needs, shall submit the data that is necessary for the delivery of the product, i.e. name, surname and address. However, a person may provide only an address and a nickname with an identification code if the goods are delivered by a courier and the goods are delivered by the courier in person.
- Personal data is transferred to the recipients such as:
- Public bodies and institutions, other persons who perform functions assigned to them by law. The data shall be transferred according to the written request or when required under regulatory requirements.
- Credit and financial institutions and third parties participating in trading, settlement and reporting cycle. Only the data that are necessary for the performance of settlement procedures or mandatory following the requirements established by legal acts shall be transferred.
- Auditors, legal and financial consultants. Only the data necessary for the performance of the task shall be transferred. An agreement on the protection of confidential information shall be signed.
- Third parties that manage registers or mediate in the transfer of personal data from such registers. The data is transferred according to the written request or when required under regulatory requirements.
- Debt collection agencies to which claims on a customer’s debt are transferred, courts, out-of-court redress bodies and insolvency administrators. Only the data necessary for the performance of the task shall be transferred according to the written request or mandatory following the requirements established by legal acts. An agreement on confidential information may be signed with the persons concerned.
- Persons who ensure proper performance of the client’s obligations to UAB Eigida: guarantors and collateral providers. The data shall be transferred according to the written request. Only the data necessary for the performance of the task shall be transferred.
- Other persons related to UAB Eigida service provision: archiving, postal service providers and other authorised parties. Only the data necessary for the performance of the task shall be transferred. A confidential information agreement shall be signed with the authorised persons.
- UAB Eigida uses safe, reliable and certified data transfer channels. In case of doubts regarding the safety of the personal data transfer channel, the company shall make every effort to clarify problematic issues to eliminate all doubts regarding the safety of the personal data transfer channel.
RIGHTS OF THE CLIENT AS DATA SUBJECT
- To have personal data concerning him or her rectified if the data is incorrect, incomplete or inaccurate.
- To object to the processing of his personal data if the processing of personal data is based on a legitimate interest, including for marketing purposes.
- To have his or her personal data erased that are processed under his consent if the client withdraws the relevant consent. This right shall be limited if the personal data requested to be deleted are also processed on another legal basis, such as processing necessary for the performance of the contract or the performance of an obligation under the applicable law.
- To receive information on whether UAB Eigida handles his or her personal data and, if so, to get acquainted with them.
- To receive personal data provided by him or her, which are processed on the basis of consent or performance of the contract, in writing or in a commonly used electronic form, and, if possible, transfer such data to another provider.
- To withdraw one’s consent for personal data processing.
- If a person considers that his/her personal data is being processed in violation of his/her rights and legitimate interests in accordance with the applicable legal acts, he/she may file a complaint regarding the processing of personal data with the head of UAB Eigida. UAB Eigida shall examine the person’s complaint within 3 business days from the day of the receipt and provide a motivated and meaningful reply in writing.
- A person who does not agree with the decision made by UAB Eigida may submit a complaint regarding the processing of personal data to the State Data Protection Inspectorate; the website address is www.ada.lt.
- The client has the right to apply to UAB Eigida in order to submit inquiries, withdraw consents, submit requests or complaints regarding the implementation of the data subject’s rights.
Ringuvos st. 47-1 LT-45230 Kaunas
Phone: +370 674 77517
The head of the company Eimutis Stanaitis
RESPONSE TO PERSONAL DATA BREACHES
- In the event of a personal data breach, the responsible persons at UAB Eigida shall, without undue delay and, if possible, no later than within 72 hours after becoming aware of the personal data breach, notify the competent law enforcement agency and supervisory authority, unless the breach of personal data security would not endanger the rights and freedoms of natural persons.
- Upon becoming aware of the personal data breach, the processor without undue delay shall inform the data controller and indicate in the notification:
a) a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and categories and approximate number of personal data records concerned;
b) name and surname (title) and the contact details of the data protection officer or another contact person who can provide more information;
c) a description of possible personal data breach consequences;
d) a description of measures that have been taken or suggested by the data protection officer to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
- If it is not possible to provide the information immediately, the information may be provided without undue delay in phases.
- The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.
VALIDITY AND AMENDMENT OF RULES AND PRINCIPLES
- The client can get acquainted with internal rules of procedure and operational principles regarding the legal protection of personal data and the relevant provisions on the internet: www.Eigida.lt
- UAB Eigida shall have a right to unilaterally change these rules and principles at any time and inform the clients about any substantial changes via mail or email, SMS or other means.
- The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website.
- UAB Eigida should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. UAB Eigida shall answer the requests of the data subject without undue delay and no later than within one month and specify the reasons why it does not intend to satisfy any requests of the client.
- UAB Eigida should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed.