I. KEY DEFINITIONS
1. The following terms are used in the Personal Data Protection Rules (hereinafter referred to as the Rules):
1.1. Company - means VŠĮ Špikis, a public institution established in accordance with the laws of the Republic of Lithuania, with its registered office at L. Asanavičiūtės 4-42, Vilnius, Republic of Lithuania, company code 302609526, correspondence address P. Vileišio 27-34, Vilnius, details of the company accumulated and stored in the Register of Legal Entities.
1.2. Personal data - any information relating to a natural person - a data subject whose identity is known or can be established directly or indirectly by means of data such as name, date of birth, one or more personal, physical, physiological, economic, cultural or social characteristics.
1.3. Employee - means a person who has entered into an employment contract with the Company or is acting in the interests of the Company on the basis of another contract and is appointed by the Company's manager to process personal data.
1.4. Recipient of data - a legal or natural person to whom personal data are provided.
1.5. Data subject - means a natural person from whom the Company receives and processes personal data.
1.6. Provision of data means the disclosure of personal data by transfer or otherwise making available them.
1.7. "Processing of data" shall mean any operation carried out on personal data: collection, recording, storage, storage, classification, grouping, aggregation, modification (addition or correction), provision, publication, use, logical and / or arithmetic operations, retrieval, dissemination, destruction or other action or set of actions.
1.8. Automatic data processing - data processing operations performed in whole or in part by automatic means.
1.9. Data controller - a legal or natural person (who is not an employee of the data controller) authorized by the data controller to process personal data. The data controller and / or the procedure for its appointment may be established by law or other legal acts.
1.10. "Data controller" means a legal or natural person who alone or jointly with others determines the purposes and means of the processing of personal data. If the purposes of data processing are determined by laws and other legal acts, the data controller and / or the procedure for its appointment may be regulated by those laws and other legal acts.
1.11. Website - Websites managed and administered by the company at spikis.lt, shop.spikis.lt, shop-new.spikis.lt, matkaes.spikis.lt, spikis.eu, shop.spikis.eu, shop-new.spikis. eu, matkaes.spikis.eu.
1.12. Consent is a voluntary statement by the data subject to process his or her personal data for a purpose known to him or her.
1.13. Direct marketing is the activity of offering goods and services to individuals and / or seeking their opinion on the goods or services offered by post, e-mail, telephone or other means.
1.14. "Third party" means a legal or natural person, other than a data subject, a controller, a processor and persons directly authorized by the controller or processor to process the data.
1.15. Other terms used in these Rules correspond to the terms established in the Law on the Legal Protection of Personal Data of the Republic of Lithuania.
II. GENERAL PROVISIONS
2. These Rules regulate the actions of the Company and its employees in processing the basic principles and procedure of collection, processing and storage of personal data of natural persons (hereinafter - Data Entities) who have submitted their data on data collection platforms managed by the Company. security risk factors, personal data protection enforcement measures and other issues related to the processing of personal data.
3. The purpose of these Rules in the Company is to regulate the processing of personal data in the Company, ensuring the implementation of the Law on the Protection of Personal Data of the Republic of Lithuania from 2018. May 25 - Compliance with and implementation of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data) and other relevant legislation.
4. The purpose of the Rules is to provide for the basic technical and data security organizational measures for the processing of personal data and the implementation of the rights of the Data Subject.
5. Personal data shall be processed and used according to the purposes for which the Data Subject provided them to the Company or for other purposes approved by the Data Subject.
6. On the basis of the rules, data shall be processed for the following purposes:
6.1. Data subject subscriptions for order processing and execution;
6.2. For identification of a data subject in the Company's information system;
6.3. ordering subscription gift vouchers, confirmations, reminders, invoices and other financial documents;
6.4. to solve problems related to the delivery of the subscription;
6.5. fulfillment of other contractual obligations;
6.6. for direct marketing purposes.
7. By submitting his personal data to the Company, the Data Subject confirms and voluntarily agrees that the Company shall manage and process the personal data of the Data Subject for the purposes, means and procedures provided for in these Rules and in compliance with applicable laws and other regulatory enactments.
8. All employees of the Company who process personal data in the Company or become aware of them in the course of their duties, data processors used by the Company or third parties used by the Company to provide the service must comply with the Rules and only if necessary to provide the service.
9. The Rules have been prepared in accordance with the Law on the Legal Protection of Personal Data of the Republic of Lithuania and other legal acts regulating the protection of personal data from 2018. May 25 - The General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data).
III. PRIVACY AND PERSONAL INFORMATION
10. The Company, taking care of the Data Subject's privacy and assessing the Data Subject's trust, undertakes to protect the Data Subject's privacy and use the information provided exclusively for the purposes specified in these Rules, without the Data Subject's consent not disclosing this information to any third parties. services related to proper execution. The Company may also transfer the personal data of the Data Subject to third parties acting on behalf of the Company as Data Processors. Personal data may be provided only to those Data Processors with whom the Company has signed relevant agreements or cooperation agreements contain provisions discussing the transfer / provision of personal data and the Data Processor ensures adequate protection of the transferred data.
11. The company follows the following basic data processing principles:
11.1. Personal data is collected, processed and stored only for a legitimate interest and in strict compliance with the requirements of the Law on the Legal Protection of Personal Data of the Republic of Lithuania, other legal acts regulating this area of law in the Republic of Lithuania and these Rules.
11.2. Personal data is collected for defined and legitimate purposes;
11.3. Personal data is processed accurately and fairly;
11.4. The criteria of expediency and proportionality shall be observed in the collection and processing of personal data, without requiring the Data Subject to provide data that is not required;
11.5. Only such personal data is necessary for the provision of quality services, including consulting on the Company's services, and only in the form and to the extent necessary for the performance of contractual obligations;
11.6. The personal data of the data subject may be accessed only by the Company's employees with appropriate competence and / or third parties who have used the Company to provide the service, and only in cases when it is necessary for the provision of the service;
11.7. Personal data may be constantly revised and updated in order to ensure that it is complete, up-to-date and orderly;
11.8. The information of the Data Subject is considered confidential and may be disclosed to third parties only in accordance with the procedure provided for in the legal acts of the Republic of Lithuania or if the Company is obliged to do so;
11.9. Personal data shall be stored for no longer than required by the purposes of data processing, laws and other legal acts.
12. The Company processes the following Personal Data for the purposes set out in the Rules:
12.1. Name;
12.2. Surname;
12.3. Email address;
12.4. Telephone number;
12.5. Company name, address, code, VAT payer code;
12.6. Information on the products, date, price and payment of the purchases made;
12.7. The data subject's login name and password encrypted form on the Company's website.
13. Personal data is processed automatically and non-automatically using the personal data processing facilities installed in the Company.
14. When registering on the Company's Website, the Data Subject must provide complete and correct Personal Data. The Data Subject must make appropriate changes to the Personal Data on the Website if the Personal Data changes after it has been entered on the Website. The Company will not be liable for any damage caused to the Data Subject and / or third parties as a result of the Data Subject providing incorrect and / or incomplete personal data or not modifying or supplementing the data as a result of such changes.
15. The Company may use the data provided by the Data Subject for statistical and marketing purposes. Personal data will be collected, processed and used in a way that does not allow the disclosure of the data subject's identity or other personal data that could be used to identify the person.
16. All personal data specified and received by the Data Subject shall be collected, stored and processed in accordance with the requirements provided for in the Law on Personal Data of the Republic of Lithuania and other legal acts regulating the protection of personal data in the Republic of Lithuania. The Company ensures the protection of the received data and undertakes to use this information only with the consent of the Data Subject and only in cases provided by law, as well as in cases necessary for the provision of the service ordered by the Data Subject.
IV. SECURITY OF PERSONAL DATA
17. The Company shall implement appropriate organizational and technical measures to prevent unauthorized access or unauthorized use of the Data Subject's data. The Company shall ensure that the data provided by the Data Subject is protected against any unlawful acts: accidental or unlawful destruction, alteration, disclosure, as well as against any other unlawful processing.
18. In order to ensure the protection of personal data, the Company implements or plans to implement the following personal data protection measures:
18.1. administrative (establishment of procedures for secure management of documents and computer data and their archives, as well as work organization in various fields of activity, acquaintance of personnel with the protection of personal data during employment and after the end of employment or similar relations, etc.);
18.2. hardware and software protection (administration of servers, information systems and databases, workplace, maintenance of the Company's premises, protection of operating systems, protection against computer viruses, etc.);
18.3. protection of communications and computer networks (filtering of shared data, programs, unwanted data packets (firewall), etc.).
19. The protection of personal data shall be organized, ensured and performed by the Head of the Company or an employee appointed by him.
20. The Company shall periodically, at least once a year or if necessary, carry out training of Employees with access to personal data, during which the Employees are informed about the application of the provisions of the Rules, if any, the data security requirements of the laws of the Republic of Lithuania. and other issues that are relevant to ensuring the proper and secure processing of personal data.
21. Only Employees of the Company who have been properly trained and informed in accordance with Article 20 of the Rules have the right to process personal data. Each Employee assigned to process personal data must:
21.1. strictly comply with the Rules and the laws governing the protection of personal data;
21.2. to protect the confidentiality of personal data. He shall observe the principle of confidentiality and shall preserve the confidentiality of any information relating to personal data which he has obtained in the course of his duties, unless such information is made public in accordance with the provisions of the laws or regulations in force;
21.3. not to disclose, transfer or create conditions for access to personal data by any means to persons who are not authorized to process personal data and who are not entitled to receive personal data in accordance with the procedure established by the Rules or laws;
21.4. store documents and data files properly and securely and avoid making unnecessary copies. Copies of company documents containing personal data must be destroyed in such a way that their contents cannot be reproduced and identified;
21.5. immediately notify the Company's manager or his / her designee of any suspicious situation that may pose a threat to the security of personal data.
22. Employees processing personal data may perform personal data processing operations only on computers or smart devices owned by the Company and equipped with licensed and secure software. All computers or smart devices used to process Employees' personal data must be protected by passwords, which must be changed at least once every 30 days and must consist of at least 8 hybrid characters.
23. An employee shall not have the right to transfer to any third party computers or smart devices that are used for the processing of personal data, except for the cases provided for in these Rules or the laws of the Republic of Lithuania.
24. Personal data is stored in the Company's active database for 3 (three) years from the moment of the last active action in the Data Subject's account on the Website. At the end of the period of data storage in the active database, the personal data of the Data Subject shall be destroyed.
25. The Company periodically, but not less than twice a year, performs testing of managed information systems, including databases, during which the reliability of the Company's servers and information systems, resilience to resilience, resilience to cyber attacks, viruses and other system threats are checked. factors. Personal data is not used during testing of company-operated systems.
26. The company shall make copies of the data in the active database at least once a day, which are stored in the passive database. Access to the passive database is granted only to the system administrator appointed by the Company's manager, who in the event of an accidental data loss restores the last copies of the Company's database within 48 hours of data loss from the passive database.
27. The company's servers, where active and passive databases are stored, shall be provided with an uninterrupted and autonomous supply of electricity, the servers shall be stored and stored in premises where fire and security alarms are installed. The premises are locked and cannot be accessed by unauthorized persons.
V. RIGHTS OF THE DATA SUBJECT
28. The data subject has the following fundamental rights:
28.1. be aware of the processing of your personal data contained in the Company;
28.2. to have access to his or her personal data and to receive information on the sources from which his or her personal data have been collected, the purpose for which they are processed and to whom they are provided;
28.3. require rectification, destruction of the personal data of the Data Subject or suspension, except for storage. Such data shall no longer be stored unless the Data Subject becomes aware that the processing of personal data has been carried out unlawfully or fraudulently.
28.4. refuse to process the personal data of the Data Subject when such data are processed or are intended to be processed for the purposes of direct marketing or for a legitimate interest pursued by the Company or a third party to whom the personal data are provided;
28.5. withdraw consent at any time to the processing of data for direct marketing purposes;
28.6. since 2018 May 25 the entry into force of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data) The data subject acquires the right to data portability and the right to request the deletion of the data ("right to be forgotten") or to request a restriction on their processing. This can be done using the contact form.
29. If the Data Subject is concerned about the Company's actions (omissions), which may not comply with the requirements of these Rules or legal acts, the Data Subject has the right to contact the Company in any way convenient for him / her: e. by mail info@spikis.lt, by phone +37068773818, by ordinary or registered mail (Špikis Public Institution, P. Vileišio 27-34, Vilnius).
30. If the issue with the Company cannot be resolved, the Data Subject has the right to apply to the State Data Protection Inspectorate (A. Juozapavičiaus St. 6, 09310 Vilnius, e-mail ada@ada.lt, tel. +37052712804), which is responsible for personal data protection. supervision and control of the legislation governing
31. Upon receipt of a written request from the data subject (by e-mail, ordinary or registered item), the company shall provide the requested data in writing (by e-mail or registered item) or indicate the reasons for refusing to comply with such request no later than within 30 calendar days from the date of receipt of the request. .
32. Upon submission of a written request to the Company by the Data Subject in writing (by e-mail, ordinary or registered shipment), if the Data Subject can be identified, the Company shall immediately, but not later than within 5 working days, correct incorrect, incomplete, inaccurate personal data or completely destroy all available Personal Data. data and shall inform the Data Subject thereof.