Personal data is processed in accordance with the European Union General Data Protection Regulation (EU) 2016/679 (hereinafter referred to as the Regulation), the Law on Legal Protection of Personal Data of the Republic of Lithuania and legal acts regulating protection of personal data.
Personal data processing by UAB Daitrada
To ensure transparency and responsible processing of personal data, please be informed that the Company processes personal data on the basis of and for the following objectives:
Data collected by UAB Daitrada
The Company collects and processes following categories of personal data:
Grounds for collecting personal data
The Company may collect your personal data only on the grounds of lawful processing specified in legal acts. The Company collects personal data in order to fulfil contractual obligations and legal requirements. In addition, the Company may process your personal data in compliance with legal obligations (to comply with the requirements of regulatory acts, as well as to provide answers to legitimate inquiries of the state and municipalities, etc.) or other legitimate grounds established by legal acts. For other purposes, in which the Company has the right to process personal data of the data subject, when the data subject has expressed his/her consent to the processing of the data for the legitimate interests of the Company or when the Company is bound by a relevant legislation.
Personal data storage period
Personal data collected by the Company is stored in printed documents and/or in the Company’s information systems using digital format. Personal data is processed for no longer than necessary for the purposes of the processing or for no longer than required by you and/or by the law. Although you may have terminated your contractual relationship with the Company, the Company shall continue to store your data as long as data retention periods expire in case of demands or legal claims that may arise in the future.
Personal data disclosing
The Company undertakes to respect confidentiality obligations with regard to data subjects. Personal data may be disclosed to third parties only if this is necessary for the conclusion and performance of the contract for the benefit of the data subject or for other legitimate reasons.
The Company may provide personal data to the processors that provide services and process personal data for the Company. Processors of the Company have the right to handle personal data only in accordance with the instructions of the Company and only to the extent necessary for the proper performance of contractual obligations. The Company uses only those processors that sufficiently ensure that appropriate technical and organizational measures are implemented in such a way that data processing complies with the requirements of the Regulation and that the data subject’s rights are safeguarded.
Data processors to whom the Company transfers personal data or gives access to personal data may be established outside the Republic of Lithuania, the European Union or the European Economic Area. Data transfer to such processors is only allowed if it is permitted by the law and only by taking all necessary measures to ensure the protection of the privacy of personal data.
The company may also provide your data in response to requests from a court or public authority to the extent necessary to properly enforce existing legislation and instructions by public authorities.
To contact the Company with a request for information on whether your personal data is being processed by the Company and, if so, the right to access the personal data processed by the Company (right of access to personal data);
To contact the Company with a request to correct personal data and/or to suspend the processing of such personal data, with the exception of storage, in the event that personal data are found to be incorrect, incomplete or inaccurate (right to request correcting of personal data);
To contact the Company with a request to delete personal data that is processed only with your consent if you cancel the relevant consent. This right does not apply if the personal data requested to be deleted is also processed on different legal basis, i.e. exercising the obligation under applicable law (right to request deleting of personal data);
To contact the Company with a request to restrict (suspend) the processing of personal data, except for storage where, for example, it is requested to correct personal data (while the accuracy of the personal data is checked and/or corrected), or it is determined that the personal data is processed illegally and you do not agree to the deletion of the data, or disagreement is expressed on the processing of personal data (while assessing if legitimate interests of the Company are superior), and so on (right to request restricting of the processing of personal data);
To contact the Company with a request to transfer personal data processed on the basis of your consent or contract/law – you have the right to request that the personal data submitted to the Company, which is processed by automated means, be transferred to you and/or to another controller in a systematic, commonly used and computer-readable format (right to claim transfer of personal data);
To contact the Company and to express objection to the processing of personal data when the processing of personal data is carried out on the basis of a legitimate interest (right to express objection);
At any time to revoke consents issued to the Company.
Regarding exercising of your rights apply by:
If case of failure of finding a solution together, you have the right to apply to the State Data Protection Inspectorate (www.ada.lt), which is responsible for the supervision and control of the personal data protection legislation.
PERSONAL DATA PROCESSING RULES
1.1. The Rules for the Processing of Personal Data (hereinafter – the Rules) regulate activities of UAB DAITRADA, legal entity code 179478774, address Tvenkinio Str. 6, Mažonų village, Tauragė District, (hereinafter the Data Controller or the Company), and of its employees in the processing of personal data using automated and non-automated tools for processing of personal data installed in the Company, and also establishes measures for the implementation of personal data protection tools and other issues related to the processing of personal data;
1.3. The Data Subject is a natural person who intends to enter into or has entered into a business relationship with the Data Controller or the business relationship has expired, but the Data Controller processes data of the Data Subject under mandatory legal provisions, or the Data Controller has not initiated a business relationship with the Data Subject on its own initiative but handles his/her personal data under mandatory legal provisions (hereinafter – the Data Subject);
1.5. The Rules must be observed by all employees of the Company who process personal data in the Company, or those that become aware of them while working in the Company, and other individuals providing contractual services who can process personal data;
1.6. The Company collects personal data for defined purposes (purpose principle);
1.7. Personal data of the Data Subject is processed in a lawful, fair and transparent manner (principle of legality, fairness and transparency);
1.8. Personal data of the Data Subject must be adequate, relevant and only such that is necessary to achieve purposes for which they are processed (principle of data volume reduction);
1.9. Personal data must be accurate and, where necessary, kept up to date. All reasonable steps must be taken to ensure that Personal Data that is not accurate in relation to the purposes for which it is processed is immediately erased or corrected (accuracy principle);
1.10. Personal data of the Data Subject shall be kept for no longer than is necessary for the purposes of the processing and the legislation (principle of limiting the storage period);
1.11. Personal data of the Data Subject must be processed in such a way as to ensure proper security of the personal data of the Data Subject by means of appropriate technical or organizational measures, including protection against unauthorized or unlawful processing and from unintentional loss, destruction or damage. The Data Controller does not disclose personal data of the Data Subject to third parties, except in cases provided by the law or if the Data Controller is obliged/given consent to do so by the Data Subject (integrity and confidentiality principle);
2.1. The Company processes personal data on the following basis and objectives:
2.2. The Company handles the following personal data:
2.3. The Company collects personal data only according to the procedure established by legal acts. Personal data may be obtained directly from the Data Subject, from the activities of the Data Subject in the course of using services and from external sources, such as registers managed by the state and private persons, and other third parties.
2.4. Employees of the Company have the right to collect, process, transfer, store, delete or otherwise use personal data only by performing their direct functions and only in accordance with the procedure established by legal acts.
2.5. Employees of the Company are prohibited from arbitrarily collecting, transmitting, storing, deleting or otherwise processing and using personal data for personal, work unrelated purposes.
3.1. The Data Controller may provide access to personal data processed to achieve specified and legitimate purposes for the third parties that provide the Company with services and process personal data. The Company uses only those processors that sufficiently ensure that the appropriate technical and organizational measures are implemented in such a way that data processing complies with the requirements of the Rules and that the rights of the Data Subject are safeguarded. The Company may also provide data of the Data Subject in response to court or state requests to the extent necessary to properly enforce existing legislation and instructions from the public authorities.
3.2. Personal data may be obtained from public registers for the sale of goods, provision of services or management of debts.
3.3. Data is transferred to processors and recipients of data where the right and/or the obligation to do so is duly justified by law.
3.4. Non-automated provision of personal data, when personal data is not provided to the Data Subject itself, must be approved by the Director of the Company unless the data is provided to a supervisory authority.
4.1. The Company usually stores personal data for no longer than it is necessary for the purposes of the processing or no longer than required by the Data Subject and/or provided by the law.
4.2. Employees of the Company responsible for personal data processing, in order to prevent accidental or unlawful destruction, alteration, disclosure as well as any other unauthorized processing of personal data, shall keep documents and data files in a proper and safe manner and avoid unnecessary copying. Copies of documents containing personal data must be destroyed in such a way that they cannot be reproduced and their contents recognized. Copies of personal documents may also be stored digitally.
4.3. Upon expiration of the terms provided for in the Rules, personal data stored in digital format shall be destroyed by the responsible employees of the Company by performing certain actions in the system. Personal data stored in a physical form (e.g. documents containing personal data) are destroyed by the Company’s employees using technical means (e.g. document shredders). The destruction takes place when there is no possibility of restoring the destroyed personal data.
5.1. The rights guaranteed to the Data Subject by the legislation, relating to the processing of their personal data, include the right:
(a) to request correction of the Data Subject’s data if it is incorrect, incomplete or inaccurate;
(b) to refuse processing of the Data Subject’s data if the grounds for the processing of Data Subject’s data are not based on legitimate interests;
(c) to request deletion of the Data Subject’s data, which is processed only with their consent, if the Data Subject revokes the relevant consent. This right does not apply if the Data Subject’s data requested for erasure is also processed on a different legal basis, such as processing necessary for the performance of a contract or is enforcement of an obligation and right under applicable law;
(d) to limit the processing of the Data Subject’s data in accordance with applicable legal acts, e.g. regarding period through which the Company will assess whether the Data Subject has the right to request that the Data Subject’s data be deleted;
(e) to obtain information if the Company handles the Data Subjects’ data and, if so, gain access to it;
(f) to receive Personal Data provided by the Data Subject, which is processed on the basis of their consent or by law, in writing or a common digital format and, at the request of the Data Subject, to transfer such data to another Data Controller (data transferability);
(g) to withdraw their consent to the processing of the Data Subject’s data;
(h) to disagree with a fully automated decision-making, if such decision-making is applied and if such decision-making has legal consequences or similar significant impact on the Data Subject. This right does not apply in cases when such decision-making is necessary for the purposes of concluding or executing a contract with the Data Subject, it is permitted by applicable law or the Data Subject has given their explicit consent;
5.2. The Company adjusts, corrects and updates personal data upon initiative of the person whose data is processed. Company employees may correct data of the Data Subject only if data submitted by the Data Subject carry grammar errors.
5.3. The Data Controller has the right to reasonably refuse to allow the Data Subject to exercise their rights or to charge a reasonable fee under circumstances set in Article 12 (5) of the Regulation.
6.1. The organizational and technical data security measures implemented by the Data Controller ensure a level of security that is consistent with the nature of the data controlled by the Data Controller and the risks associated with its processing, including but not limited to the measures specified in this section.
6.2. The Company provides hardware and software protection (administration of information systems and databases, maintenance of workstations, protection of operating systems, protection against computer viruses, etc.).
6.3. The Data Controller applies administrative security measures (secure management of documents and computer data and their archives, etc.).
6.4. The Data Controller undertakes not to disclose personal data of the Data Subject to the third parties, except the Company employees or if it is required by mandatory statutory provisions, or upon the Data Subject’s written consent.
6.5. Employees of the Data Controller must observe the principle of confidentiality and keep confidential any information relating to personal data of which they have become aware in the course of their duties, unless such information is public in accordance with applicable laws or regulations.
6.6. Personal data on computers, if used outside the Data Controller’s internal data transmission network, are protected by appropriate means that are consistent with the risk of Data Processing.
6.7. Company employees are granted access to personal data only to the extent necessary for the proper performance of their duties.
6.8. Employee of the Company loses the right to process personal data when he is no longer an employee of the Company or when the Director of the Company revokes the appointment of an employee of the Company to process personal data.
6.9. Employees of the Company, having noticed personal data security breaches, signs of criminal activity, non-functioning personal data protection measures, must immediately inform the Director of the Company.
6.10. Having assessed the Data Protection risk factors, the degree of impact, the damage and the consequences of the violation, the Data Controller shall make decisions on the measures necessary to eliminate the Data Protection violation and its consequences and to inform the required entities within 72 hours.
6.11. Security of the premises where the Personal Data is stored is ensured (only authorized persons have access to the premises, premises are locked, protected by alarms, unavailable to unauthorized persons).
7.1. Each employee of the Company has been familiarized with these Rules.
7.2. The Director of the Company is responsible for the implementation of these Rules in the activities of the Company.