Marmaluzi.lt cares about your privacy and the security of your personal data. By implementing Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), we ensure transparency and fair processing of your personal data.
PERSONAL DATA PROCESSING POLICY
1. The personal data processing policy (hereinafter – Policy) of UAB Straikas (hereinafter – Company) is a publicly available part of the Data Processing Rules governing the purposes of processing of personal data of natural persons whose data are processed by the Company, setting forth procedures for the exercise of their rights, establishing organisational and technical data protection measures, and regulating cases where a personal data controller is used.
2. This Policy has been prepared based on the following:
2.1. Republic of Lithuania Law on Legal Protection of Personal Data (hereinafter – LLPPD);
2.2. General Data Protection Regulation (hereinafter – GDPR);
2.3. Resolution No 228 of the Government of the Republic of Lithuania of 28 February 2001 "On the approval of the procedure of payment for disclosing data to a data subject and the procedure of payment for collecting data from registered data controllers";
2.4. Other legal acts relating to the processing and protection of personal data.
3. The Policy shall apply to the processing of data of natural persons by automatic means, and to the processing of filing systems of personal data otherwise than by automatic means. The Policy shall also lay down the rights, obligations and responsibilities of employees of the Company in the processing of personal data.
4. The requirements provided herein shall be binding on all the employees of the Company (hereinafter – Employees), and must also be followed by processors who learn about and process personal data when providing data processing services to the Company, to the extent not covered by individual agreements concluded between the Company and the Processor.
MAIN TERMS AND DEFINITIONS
5. Personal Data / Data – any information relating to a natural person who has been identified or who can be identified directly or indirectly in particular by reference to an identifier such as name and surname, personal number, location data and online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
6. Data processing – any operation or sequence of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, sorting, systematisation, storage, adaptation or alteration, retrieval, familiarisation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
7. Controller – UAB Straikas which shall determine the means and measures of the use of personal data when processing the data of Data Subjects.
8. Data Subject – Employees and other natural persons whose data are processed by UAB Straikas.
9. Processor – an entity which processes personal data managed by UAB Straikas under the instructions of UAB Straikas and under service contracts signed with UAB Straikas.
10. Provision of data – the disclosure of personal data by transmission or otherwise making them available (excluding publication of such data in the media).
11. Websites – websites administered by the Company: www.straikas.lt, www.marmaluzi.lt, www.sipsap.eu, www.magnumsultys.lt, www.marmaluzi.ru.
12. Internal administration – activity ensuring the independent functioning of the controller (structure management, staff management, management and use of available material and financial resources, paperwork management, etc.).
13. Other terms used in the Policy shall be understood as they are defined in LLPPD and/or GDPR.
PRINCIPLES AND PURPOSES OF THE PROCESSING OF PERSONAL DATA
14. When performing their functions and processing personal data Employees must:
14.1. Process personal data lawfully, fairly and in a transparent manner;
14.2. Collect personal data for specified, explicit and legitimate purposes and not process them in a manner that is incompatible with those purposes;
14.3. Comply with the principles of expediency, proportionality and data minimisation, not require Data Subjects to provide superfluous data, and not store or process excess data when collecting and processing personal data;
14.4. Ensure the accuracy of personal data and, where necessary, regularly update them; rectify, supplement, destroy or suspend the processing of inaccurate or incomplete personal data;
14.5. Store personal data so as to permit the identification of Data Subjects for no longer than is necessary for the purposes for which the data were collected and processed;
14.6. Process personal data in a manner that ensures adequate protection of personal data, including protection against unauthorised processing or processing of unauthorised data and unintentional loss, destruction or damage by appropriate technical or organisational measures (the principle of integrity and confidentiality).
15. Chief Accountant Kristina Slavinskaja shall be responsible for updating the data of Data Subjects processed in the Company.
16. Information about the Data Subject must be provided if this is required by law.
PROCESSING OF THE DATA OF CANDIDATES APPLYING FOR A JOB
16.1. The Company shall process the following data of persons who wish to participate in the employee selection process carried out by the Company: name, surname, date of birth, address, phone number, e-mail, education, and other data specified in documents submitted to the Company by candidates, including their CV. In cases where the legislation of the Republic of Lithuania provides for additional restrictions on what information about candidates may be processed, the Controller shall ensure that only permitted personal data of candidates are processed. Special data shall not be processed unless the candidate decides to provide such data.
17. Data processing is based on consent. Candidates applying for a job give consent (by implicit action) to process their data only until the end of the selection process. At the end of the employee selection process, the data of candidates who were not selected shall be deleted, unless the candidates give a separate consent to the processing of their data at the end of the selection process.
18. Data are processed for the purpose of internal administration. If a candidate gives consent to continue processing his/her personal data after the selection process with the aim of being offered a job in the future, data shall be processed on the basis of consent.
19. Candidates shall submit their personal data themselves when applying to the Company. In certain cases, when the selection process is executed via third parties (the Company's Processors), data shall be provided to them first, and only then to the Company. In all cases, the Company shall be the Controller.
20. The data of Candidates shall not be disclosed to other Third Parties unless at their sole request and on the legal grounds of transfer.
21. The data of Candidates shall be systematically processed in the Company's databases, to which the Company's IT service providers have access. The resumes (CVs) and cover letters of Candidates may also be stored in paper form.
22. Candidates shall be familiarised with the processing of their data and their rights, including the right to apply to the Company for deletion of data. The information is provided in the Policy published on the Company's websites.
DATA OF NATURAL PERSONS PROCESSED FOR CONTRACT PERFORMANCE PURPOSES
23. The Company may process the following personal data of persons who are the Company's customers, customer representatives or service providers: name, surname, personal number, e-mail, bank accounts, data received from companies providing payment services, and other data provided directly by the Data Subject or data which are necessary for the proper performance of the contract.
24. Data Subjects are aware that, in order to properly perform its rights and obligations, the Company shall process their data on the grounds of concluding and performing the contract.
25. The purpose of data processing is the proper provision of goods and services and the fulfilment of other contractual obligations.
26. Data Subjects shall provide their personal data themselves.
27. Data may be stored in contracts, other physical documents or in the Company's databases, to which companies providing IT services to the Company have access.
Data may also be transferred to other third parties who provide their services to the Company, e.g., accounting firms, debt collectors, etc.
28. Data subjects are familiarised with the processing of their data and their rights. The information is provided in the Policy published on the Company's websites.
PROTECTION OF PERSONS AND PROPERTY, PREVENTION AND DETECTION OF ILLEGAL ACTIVITIES (VIDEO SURVEILLANCE)
29. The purpose of video surveillance is to ensure the safety of Employees and visitors, maintain general order, and protect the property of the Controller, its Employees and visitors within the premises of the Company's factory.
30. Video surveillance in the Company is carried out at the address Lauko str. 6, Didieji Baušiai, Šalčininkai district. Video surveillance is carried out within the premises and outside area belonging to the Company (hereinafter – Area).
31. Video surveillance is carried out continuously and video surveillance cameras are installed so that video surveillance is carried out only within the necessary part of premises, by collecting only the necessary amount of video data.
32. Video surveillance shall not be carried out in premises where the Data Subject has a reasonable expectation of absolute privacy and where such surveillance would degrade human dignity (e.g., in bathrooms, changing rooms, etc.).
33. Data Subjects shall be notified of video surveillance when familiarising themselves with this Policy and when being informed about the processing of their data.
The Controller shall also inform Data Subjects about video surveillance by posting appropriate information boards and signs within the Area. The following information must be provided to Data Subjects entering the Area in a clear and appropriate manner: i) Controller's name, company code, contact information (address and/or phone number); ii) link to the website where this Policy can be found.
34. Video data may also be transferred by the Controller to a pre-trial investigation institution, the prosecutor or the court as evidence regarding administrative, civil and criminal cases at their disposal, as well as in other cases provided by law.
DATA PROCESSING FOR DIRECT MARKETING PURPOSES
35. For the purposes of direct marketing, the Company processes the following data of natural persons: name, surname and e-mail. Other contact details may also be processed.
36. Data processing is based on consent.
37. Data Subjects shall provide their personal data to the Company themselves.
38. Data is stored in the Company's databases, to which companies providing IT services to the Company have access. Data may also be stored in paper forms.
39. Data shall not be disclosed to third parties unless a request to do so is obtained and where there are legitimate grounds for such transfer.
40. The Company does not process the data of minors or sensitive personal data for this purpose. Nevertheless, when collecting data for direct marketing purposes, the Company does not verify the age of the Data Subjects as this would be treated as excess data collection.
DATA PROCESSING FOR THE ADMINISTRATION, EVALUATION AND EXAMINATION OF REQUESTS, INQUIRIES OR COMPLAINTS
41. The Company may process the following data of the contacting natural persons for the specified purpose: name, surname, language and e-mail address. The Company may also process other data directly obtained from the Data Subject and necessary for the examination, administration or evaluation of requests, inquiries or complaints.
42. The basis for data processing is the conclusion and performance of the contract. Data may also be processed with the consent of the Data Subject, conveyed by implicit actions upon their transfer to the Company.
43. Data Subjects shall provide their personal data themselves.
44. Data is stored in the Company's databases, to which companies providing IT services to the Company have access. Data shall not be disclosed to third parties unless a request to do so is obtained and where there are legitimate grounds for such disclosure.
45. Data Subjects shall be familiarised with the processing of their data and their rights. The information is provided in the Policy published on the Company's websites.
47. The following cookies are used or may be used on the Company's websites: XSRF-TOKEN, laravel_session, ga, _gat, _gid, _icl_current_language, wp-settings-2, wp-settings-time-2, wpml_referer_url, qtrans_front_language, PHPSESSID, restaShop-1adcf06d034a24dcf07a641eaa1b7606, restaShop-6cd48e517dbf06d155bf8f8a983fee04, __atuvc, _ga, cookieconsent_status, __cfduid, _fbp, _ga, _hjid, _ym_d, _ym_isad, _ym_metrika_enabled, _ym_metrika_enabled_28822050, _ym_mp2_substs_28822050, _ym_uid, metrika_enabled.
48. The Company may collect data on visitor actions and their browsing habits on the website.
49. Data may be transferred to IT service providers and Google. Data shall not be disclosed to other Third Parties unless a request to do so is obtained and where there are legitimate grounds for such disclosure.
50. The websites allow you to opt out of the use of unnecessary cookies.
DATA RETENTION PERIODS
51. The Controller shall apply the following personal data retention periods:
| No. | Purpose of processing of personal data | Retention period |
|---|---|---|
| 1. | Processing of employee data for the purposes of internal administration. | Up to 50 years after the expiration of the employment contract, in accordance with the Index of Retention Periods of General Documents. |
| 2. | Processing of personal data of candidates applying for a job. | Until the end of the selection process. |
| 3. | Processing of personal data of candidates applying for a job after obtaining their permission to process data after the end of the selection process. | Two years from the date of receipt of the curriculum vitae. |
| 4. | Provision of services. | Data are processed within the deadlines provided by law, i.e. for no more than 10 years. |
| 5. | Administration, evaluation and examination of requests, inquiries or complaints. | 6 months from the date of receipt of the inquiry. |
| 6. | For direct marketing purposes. | 3 years from obtaining consent. |
| 7. | Cookies to improve the quality of your use of the site. | The length of time a cookie stays on your computer depends on the type of cookie. |
| 8. | Protection of persons and property, prevention and detection of illegal activities with the help of video cameras. | 14 days. |
52. Exceptions to the above retention periods may be determined insofar as such exceptions do not violate the rights of the Data Subjects, meet the legal requirements and are properly documented.
DATA SUBJECT RIGHTS AND PROCEDURES FOR THEIR IMPLEMENTATION
Ensuring Data Subject rights and awareness
53. Data Subjects have the right to:
53.1. Know (be informed) about the processing of their personal data;
53.2. By submitting to the Company an identity document or by electronic means that allows the person to be properly identified – to access their personal data and its processing, to obtain information on the sources from which personal data are collected, which specific personal data are collected, and to which data recipients the data are being provided or were provided in the last 1 year; in addition – to receive a copy of the documents containing their personal data;
53.3. Require the rectification, erasure or restriction of personal data except for storage where the processing is in breach of the legal requirements;
53.4. Object to the processing of their personal data;
53.5. Request to transfer the data to another controller or to provide data directly in a form that is convenient for the Data Subject (data provided to the Company by the Data Subject itself);
53.6. Lodge a complaint with the supervisory authority;
53.7. Revoke consent (if personal data are processed on the basis of consent).
54. In all cases, the Company must provide the Data Subject with the following information (unless the Data Subject already has such information):
54.1. Name, legal entity code and registered office address;
54.2. Contact details of the data protection officer, if any;
54.3. For what purposes and on what legal basis the personal data of the Data Subject are processed;
54.4. Data recipients and their categories;
54.5. Data retention period or criteria used to determine that period;
54.6. Other additional information (which personal data must be provided by the Data Subject and the consequences of failure to provide such data; information about the Data Subject’s right of access to his or her personal data, and right to request the correction of incorrect, incomplete or inaccurate personal data) in the volume that is needed, in order to ensure proper personal data processing without violating the rights of the Data Subject;
54.7. Provision of the Data Subject's personal data to third parties not later than until the moment the data are provided for the first time, and if the Data Subject was unaware of the fact that his/her data will be transferred to another party.
PROCEDURE FOR EXERCISING THE RIGHTS OF THE DATA SUBJECT
55. The Company must:
55.1. Enable the Data Subject to exercise the specified rights of the Data Subject, excluding cases provided by law when it is necessary to ensure national security or defence, public order, criminal offence prevention, investigation, determination or prosecution, important economic or financial interests of the state, prevention, investigation and determination of professional ethics violations, and protection of the rights and freedoms of the Data Subject or other persons;
55.2. To exercise their rights, Data Subjects must contact the accounting department of the Company via the following contacts: firstname.lastname@example.org, +37061086791
55.3. The Company must ensure that all necessary information is provided to the Data Subject in a clear and comprehensible manner.
55.4. A reply must be provided to the Data Subject not later than within 20 (twenty) business days from the date of receipt of the request. If the Data Subject is refused access to the data, the Data Subject shall be given a reasoned and substantiated reply regarding the non-execution of his/her request.
56. The Company must immediately inform the data recipients of the personal data corrected or destroyed at the request of the Data Subject, and the suspended processing of personal data, unless the provision of such information would be impossible or excessively difficult (due to the high number of Data Subjects, data period, or unreasonably high costs). In this case, the State Data Protection Inspectorate must be notified immediately.
57. The Company shall provide data to the Data Subject free of charge. In certain cases (whenever the Data Subject clearly abuses his/her rights, or submits unreasonable repeated requests for information, excerpts and documents), such provision of information and data to the Data Subject may require remuneration in accordance with the legal requirements and the rates set by the Company.
Provision of data to data recipients
58. The Company shall provide the Data of the Data Subject according to the requirements of the legal acts and while ensuring their confidentiality.
59. In the case of one-time data provision, the Company shall give priority to the provision of information by electronic means.
60. Provision of personal data to state and municipal institutions and bodies, when such institutions and bodies receive personal data for the performance of statutory control functions, shall not be deemed as the provision of data to recipients.
ORGANISATIONAL AND TECHNICAL MEASURES FOR PERSONAL DATA PROTECTION
61. The Company makes every effort to ensure that its organisational and technical data security measures comply with GDPR requirements. The following infrastructural, administrative and telecommunications (electronic) measures shall be taken to protect personal data against accidental or unlawful destruction, alteration, disclosure or any other unlawful processing:
61.1. Proper hardware layout and maintenance, information system maintenance, network management, ensuring Internet usage security and other information technology measures:
61.2. Access to Data and the right to carry out Data processing operations shall be granted only to the Employees who need access to the personal data in the context of their duties and performed work functions.
61.3. Ensuring security of premises where personal data is stored (only authorised persons have access to the concerned premises).
61.4. After assigning a computer or electronic communication device to a particular Employee, such computer / electronic communication device must be password protected. Passwords must be changed periodically, as well as in the presence of certain circumstances (change of employee, threat of hacking, suspicion that the password has become known to third parties, etc.).
61.5. Ensuring the protection of personal data against unauthorised access to the internal computer network by electronic means of communications.
61.6. Ensuring the use of secure protocols for the transmission of personal data through external data communication networks.
61.7. Strict adherence to the safety standards established by a fire prevention service;
61.8. Proper organisation of work and other administrative measures;
61.9. Necessary data security measures are installed taking into account the results of the risk assessment;
61.10. Backup and recovery of data;
61.11. Ensuring that data are restored from the latest available backup copies in the event of loss of data due to hardware failure, software error or other data integrity violation;
61.12. Other necessary means.
62. The Company’s Director Gintaras Didžiokas shall be responsible for the implementation, control and enforcement of these organisational and technical data security measures.
63. Employees who process personal data must comply with the principle of confidentiality and keep any relevant information they have accessed in the course of their duties confidential. This obligation shall continue to apply after transfer to another position within the Company or upon termination of the employment or contractual relationship with the Company.
64. Employees may process personal data in an automatic way only after they have been granted access to the relevant information system. Access to personal data may only be granted to a person who needs personal data to perform his/her functions. Upon termination of the employment relationship, the Employee’s rights to access registers and other programs shall be revoked.
65. Employees may transfer documents containing personal data only to Employees who are entitled to work with personal data based on their duties or separate assignments.
66. Employees performing the Data Subject’s Data processing functions must prevent accidental or unauthorised processing, and must store documents in a proper and secure manner (by avoiding unnecessary accumulation of the Data Subject’s data, etc.). Copies of documents containing data of the Data Subject shall be destroyed in such a way that the contents of such documents cannot be reproduced and their contents identified.
67. Employees whose computers store Data or whose computers are enabled to access the Company’s information systems where Data is stored must use passwords on their computers; “Guest” type user accounts in such systems, i.e. no-password accounts are prohibited. These computers also need to use a screen saver with a password.
68. Data files must not be digitally reproduced, i.e. copies of them should not be made and stored in local computer disks, removable media, remote file storage, etc., unless it is necessary to do so.
69. The security control and erasure of personal data contained in external data storage media and electronic mail after their use is ensured by transferring them to databases.
70. Director Gintaras Didžiokas shall ensure the following:
70.1. Control of unauthorised access to server premises;
70.2. Protection of the Company’s internal computer network.
71. Employees must organise their work in such a way as to limit the access of other persons to the personal data processed as much as possible. This provision shall be implemented as follows:
71.1. By not leaving documents containing processed personal data, or a computer that can open files containing personal data, unattended in a way that allows the information contained therein to be read by Employees who are not authorised to work with specific personal data, students or other persons;
71.2. By keeping documents in such a way that they (or fragments thereof) cannot be read by random persons;
71.3. If documents containing personal data are transferred to other Employees, divisions or authorities via persons who are not authorised to process personal data or via mail or courier, they shall be transferred in a sealed opaque envelope. This provision shall not apply if the said notices are delivered in person and confidentially.
72. Director Gintaras Didžiokas shall be responsible for controlling and responding to personal data breaches.
73. Amendments or additions to the Policy shall be published on the Company’s websites.
Latest version 2020 03 23