PRIVACY AND COOKIE POLICY
I. CONCEPTS
1. The main concepts used in the description of the procedure for implementing the rights of data subjects (hereinafter – the Description):
1.1. ADTAĮ – the Law on Legal Protection of Personal Data of the Republic of Lithuania;
1.2. personal data – any information about an identified or identifiable natural person;
1.3. data subject – a natural person whose identity can be directly or indirectly determined, in particular by an identifier such as a name and surname, a personal identification number, location data and an Internet identifier, or by one or more characteristics of that natural person’s physical, physiological, genetic, mental, economic, cultural or social identity;
1.4. data processing – any operation or sequence of operations carried out by automated or non-automated means with personal data or sets of personal data, such as collection, recording, sorting, systematization, storage, adaptation or change, extraction, familiarization, use, disclosure by forwarding, distribution or otherwise making it possible to use it, as well as juxtaposition or connection with other data, restriction, deletion or destruction;
1.5. data recipient – a natural or legal person, public authority, agency or other Company to whom personal data is disclosed, whether or not it is a third party;
1.6. data processor – a natural or legal person, public authority, agency or other Company that processes personal data on behalf of the data controller;
1.7. data controller – natural or legal person, public authority, agency or other Company, which alone or together with others determines the purposes and means of data processing;
1.8. Regulation – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016;
1.9. VDAI – State Data Protection Inspectorate;
1.10. other concepts as defined in the Regulation, ADTAĮ and other legal acts regulating the processing and protection of personal data.
II. GENERAL PROVISIONS
2. The Description of Žaliuzių montavimas, UAB (hereinafter – the Company) sets out the data subject’s rights enshrined in the Regulation, the scope of these rights, the conditions and limitations of their implementation, the procedure for submitting and examining requests concerning data subject rights, and the procedure for examining data subject complaints.
3. The description was prepared in accordance with the provisions of Chapter 3 of the Regulation.
4. The description establishes the general procedure for the exercise of rights for all categories of data subjects of the Company:
4.1. employees;
4.2. candidates for vacancies in the Company;
4.3. shareholders, their representatives;
4.4. the Company’s customers;
4.5. representatives of suppliers’ legal entities;
4.6. the Company’s website www.sunshieldbaltics.eu;
4.7. natural persons receiving the Company’s newsletters;
4.8. other natural persons whose personal data is processed by the Company.
5. The purpose of the Description is, taking into account the volume, categories, purposes and grounds of processing of personal data, to ensure the full implementation of the rights of data subjects, to enable data subjects to submit requests and complaints regarding the implementation of their rights, and to establish deadlines for responses to requests and complaints submitted by data subjects that are no longer than those provided for in Article 12, paragraph 3 of the Regulation.
6. In order to ensure the implementation of the principle of transparency, the company provides data subjects with all the information they need to realize their rights, established in Chapter 3 of the Regulation, in a concise, transparent, understandable and easily accessible form, in clear and simple language.
III. RIGHTS OF DATA SUBJECTS
7. The data subject has the following rights:
7.1. the right to access his personal data processed by the Company;
7.2. the right to demand correction of his personal data;
7.3. the right to demand the deletion of his personal data (“the right to be forgotten”);
7.4. the right to restrict the processing of his personal data;
7.5. the right to object to the processing of his personal data;
7.6. the right to receive the personal data related to him, which he has provided to the Company, in a structured, commonly used and computer-readable format, and to forward the received data to another data controller (“right to data portability”);
7.7. the right to withdraw the given consent at any time.
8. The rights of data subjects are not absolute, they are limited by the provisions of the Regulation and laws and other legal acts of the Republic of Lithuania.
IV. SCOPE OF THE RIGHT TO ACCESS PERSONAL DATA PROCESSED BY THE COMPANY
9. Any data subject of the Company has the right to receive confirmation from the Company as to whether personal data related to him is being processed, and if such personal data is being processed, he has the right to familiarize himself with the personal data being processed.
10. The data subject also has the right to access the following information:
10.1. the purposes of processing personal data;
10.2. categories of processed personal data;
10.3. if personal data will be transferred to data recipients – data recipients or their categories;
10.4. the expected storage period for the personal data processed by it, which may be defined by a specific term or other criteria;
10.5. the right to request the Company to correct or delete personal data or to limit the processing of personal data related to the data subject or to object to such processing, as well as the procedure for exercising these rights;
10.6. the right to file a complaint with the supervisory authority;
10.7. if the personal data was not provided by the data subject himself – information about the person who transferred the personal data.
11. When exercising the right set forth in this section, the data subject shall indicate in the request his name and surname and which specific information provided for in point 10 of the Description he wishes to get acquainted with, or indicate that he wishes to get acquainted with all the information provided for in point 10 of the Description. The request must be confirmed by a physical or electronic signature of the data subject. If the data subject cannot confirm the request with a signature due to the method of transmission of the request or other reasons, the Company determines the identity of the data subject in other ways, for example, when the data subject submits the request from his e-mail address known to the Company. In the request, the data subject can indicate in which way he wants to receive a response to the submitted request.
12. The procedure for implementing the data subject’s right to access his personal data processed by the Company is determined by Chapter XI of the Description.
V. SCOPE OF THE RIGHT TO REQUEST CORRECTION OF PERSONAL DATA
13. Any subject of the Company’s data has the right to demand that the Company immediately correct inaccurate personal data processed by him. Also, the Company’s data subject has the right to demand that the Company supplement his incomplete personal data. The data subject cannot demand that the Company supplement the personal data already processed with new data that are not necessary to achieve the Company’s goals for which the personal data of the relevant data subject is being processed.
14. When submitting a request for the correction of inaccurate personal data or the addition of incomplete personal data, the data subject must specify his name and surname and which of his personal data processed by the Company is inaccurate or incomplete, and provide the accurate or additional personal data. The request must be confirmed by a physical or electronic signature of the data subject. If the data subject cannot confirm the request with a signature due to the method of transmission of the request or other reasons, the Company determines the identity of the data subject in other ways, for example, when the data subject submits the request from his e-mail address known to the Company. In the request, the data subject can indicate in which way he wants to receive a response to the submitted request.
15. The procedure for implementing the data subject’s right to demand correction or addition of inaccurate or incomplete personal data is determined by Chapter XI of the Description.
VI. SCOPE, CONDITIONS AND LIMITATIONS OF THE RIGHT TO DELETE PERSONAL DATA (“THE RIGHT TO BE FORGOTTEN”)
16. Any subject of the Company’s data has the right to demand that the Company delete the personal data it processes. The data subject can use this right only in case of at least one of the following conditions:
16.1. the data subject’s personal data being processed are no longer necessary to achieve the purposes for which they were collected and processed;
16.2. the data subject withdraws the consent on which the processing of his personal data is based in the Company;
16.3. the data subject does not agree to the processing of his personal data and the conditions set out in point 25 of the Description are met for the data subject to exercise the right to object to the processing of his personal data and there are no restrictions on this right established in point 26 of the Description;
16.4. the Company has no legal basis for processing the data subject’s personal data;
16.5. personal data must be deleted in compliance with the legal obligation established by the law of the European Union or the Republic of Lithuania, which applies to the Company.
17. The data subject’s right to require the Company to delete his personal data is limited in the following cases:
17.1. the processing of personal data is necessary for the purposes of occupational medicine in order to assess the employee’s work capacity;
17.2. The company protects the data subject’s personal data in fulfillment of its legal obligations, established by the laws of the Republic of Lithuania and other legal acts;
17.3. The company seeks to assert, enforce or defend legal claims.
18. When submitting a request to delete his personal data, the data subject must indicate his name and surname, one of the conditions presented in point 16 of the Description, as well as what specific personal data the Company must delete, or indicate that the Company must delete all of his personal data that it processes. The request must be confirmed by a physical or electronic signature of the data subject. If the data subject cannot confirm the request with a signature due to the method of transmission of the request or other reasons, the Company determines the identity of the data subject in other ways, for example, when the data subject submits the request from his e-mail address known to the Company. In the request, the data subject can indicate in which way he wants to receive a response to the submitted request.
19. The procedure for implementing the data subject’s right to demand deletion of personal data processed by the Company is determined by Chapter XI of the Description.
VII. SCOPE, CONDITIONS AND LIMITATIONS OF THE RIGHT TO RESTRICT THE PROCESSING OF YOUR PERSONAL DATA
20. Any subject of the Company’s data has the right to demand that the Company restrict the processing of his personal data. The data subject of the Company can use this right only in case of at least one of the following conditions:
20.1. the data subject submits a request to correct or clarify inaccurate or incomplete personal data. In this case, the processing of personal data is limited to the period until the Company corrects or clarifies inaccurate or incomplete personal data of the data subject;
20.2. the Company has no legal basis for the processing of the personal data of the data subject and the data subject does not agree that the Company deletes his illegally processed personal data, and instead requests to limit their use;
20.3. the data subject’s personal data being processed are no longer necessary to achieve the purposes for which they were collected and processed, but are needed by the data subject in order to assert, exercise or defend his legal claims against the Company;
20.4. the data subject has objected to data processing in accordance with Article 21, paragraph 1 of the Regulation, until it is verified whether the legitimate reasons of the Company are superior to the reasons of the data subject.
21. The restriction of the processing of the data subject’s personal data does not affect the Company’s storage of this data.
22. After the company satisfies the data subject’s request to limit the processing of his personal data, it can no longer process the data subject’s restricted personal data, except for storage, unless it receives the data subject’s written consent or seeks to assert, enforce or defend its legal claims, as well as when it seeks to protect the rights of another natural or legal person or can justify further processing of restricted personal data in the public interest. The Company must inform the data subject of the existing reasons that allow the Company to process restricted personal data of the data subject no later than within 10 days.
23. When submitting a request to restrict the processing of his personal data, the data subject must indicate his name and surname, one of the conditions specified in point 20 of the Description under which the Company must restrict the data subject’s personal data being processed, or indicate that the Company must restrict all of the data subject’s personal data being processed, and determine the period for which the processing of his personal data is restricted. The period of restriction of personal data may be defined in the request by a specific term or other criteria. The period of restriction of personal data cannot be longer than is necessary for the data subject to achieve the goals for which the restriction of processing of personal data is requested. The request must be confirmed by a physical or electronic signature of the data subject. If the data subject cannot confirm the request with a signature due to the method of transmission of the request or other reasons, the Company determines the identity of the data subject in other ways, for example, when the data subject submits the request from his e-mail address known to the Company. In the request, the data subject can indicate in which way he wants to receive a response to the submitted request.
24. The procedure for implementing the data subject’s right to demand restriction of personal data processed by the Company is determined by Chapter XI of the Description.
VIII. SCOPE, CONDITIONS AND LIMITATIONS OF THE RIGHT TO OBJECT TO PERSONAL DATA PROCESSING
25. Any data subject of the Company has the right to object to further processing of his personal data by the Company. The data subject of the Company can use this right only in case of at least one of the following conditions:
25.1. The Company processes the personal data of the data subject on the basis of the legitimate interest of the Company or third parties. On the basis of this clause, the data subject’s right to object to the processing of his personal data is limited in accordance with the procedure established in Clause 26 of the Description;
25.2. the data subject’s personal data is processed for direct marketing purposes. If the data subject’s personal data is processed not only for direct marketing, but also for other purposes, the data subject’s objection to the processing of his personal data for direct marketing purposes does not affect the processing of his personal data for other purposes.
26. The data subject’s right to object to the processing of his personal data on the basis of the condition set out in point 25.1 of the Description may be limited if the Company proves that its or third parties’ existing legitimate interest prevails over the interests, rights and freedoms of the data subject, or if the data subject’s personal data processed by the Company, the further processing of which the data subject does not consent to, is necessary for the Company to assert, fulfill or defend its legal claims.
27. When submitting a request objecting to the further processing of his personal data, the data subject must indicate his name and surname, one of the conditions specified in point 25 of the Description on the basis of which the data subject does not agree to the further processing of his personal data, or indicate that the data subject does not agree to the processing of all his personal data. The request must be confirmed by a physical or electronic signature of the data subject. If the data subject cannot confirm the request with a signature due to the method of transmission of the request or other reasons, the Company determines the identity of the data subject in other ways, for example, when the data subject submits the request from his e-mail address known to the Company. In the request, the data subject can indicate in which way he wants to receive a response to the submitted request.
28. The procedure for the data subject’s right to object to the further processing of his personal data is determined by Chapter XI of the Description.
IX. SCOPE, CONDITIONS AND LIMITATIONS OF THE RIGHT TO DATA PORTABILITY
29. Any data subject of the Company has the right to receive the personal data related to him, which he has provided to the Company, in a structured, commonly used and computer-readable format. Also, the Company’s data subject has the right to demand that personal data received by the Company be forwarded to another data controller. If the Company has the technical capabilities, the data subject may require the Company to directly forward his personal data to another data controller. These rights can be exercised by the Company’s data subject only under the following two conditions:
29.1. the processing of the personal data of the data subject is based on the consent of the data subject or the execution of the contract concluded between the data subject and the Company;
29.2. the personal data of the data subject are processed by automated means, i.e. in digital form.
30. When submitting a request to receive personal data related to him in a structured, commonly used and computer-readable format, the data subject must indicate his name and surname and what personal data the data subject seeks to obtain, or indicate that the data subject seeks to obtain all of his personal data processed by the Company. If the data subject submits a request to the Company to forward his/her personal data directly to another data controller, the data subject shall additionally indicate in the request to which data controller the personal data indicated by him/her should be forwarded. The request must be confirmed by the data subject’s physical or electronic signature. If the data subject cannot confirm the request with a signature due to the method of transmission of the request or other reasons, the Company determines the identity of the data subject in other ways, for example, when the data subject submits the request from his e-mail address known to the Company. In the request, the data subject can indicate in which way he wants to receive a response to the submitted request.
31. The procedure for the data subject’s right to portability is determined by Chapter XI of the Description.
X. SCOPE AND CONDITIONS OF THE RIGHT TO WITHDRAW CONSENT
32. If the Company processes the data subject’s personal data on the basis of consent, the data subject has the right to withdraw the given consent at any time.
33. The data subject’s withdrawn consent to process his personal data does not affect the legality of the data subject’s personal data processing carried out during the period of validity of the consent.
34. When submitting a request to the Company by which the data subject revokes the consent given by him, he must indicate his name and surname, as well as the date of signing the consent, the purpose of processing the data subject’s personal data specified in the consent, or other information specified in the consent that would help identify the consent that the data subject wants to revoke. The request must be confirmed by a physical or electronic signature of the data subject. If the data subject is unable to confirm the request with a signature due to the method of transmission of the request or other reasons, the Company determines the identity of the data subject in other ways, for example, when the data subject submits the request from his e-mail address known to the Company. In the request, the data subject can indicate in which way he wants to receive a response to the submitted request.
35. The procedure for the data subject’s right to withdraw consent is determined by Chapter XI of the Description.
XI. PROCEDURE FOR THE SUBMISSION AND EXAMINATION OF REQUESTS BY DATA SUBJECTS
36. The rights of the data subject, established in Chapter III of the Description, are implemented in accordance with the procedure and terms established by this chapter.
37. The data subject submits a request to the Company in order to exercise one or more rights enshrined in Chapter III of the Description. The data subject can submit a free-form request or fill out a request form approved by the Company, which can be found on the website www.sunshieldbaltics.eu. The data subject’s request must meet the requirements of Chapters IV-X of the Description for the content of the request:
37.1. the content of the request for access to personal data must meet the requirements of point 11 of the Description;
37.2. the content of the request to correct personal data must meet the requirements of point 14 of the Description;
37.3. the content of the request to delete personal data must meet the requirements of point 18 of the Description;
37.4. the content of the request to limit the processing of personal data must meet the requirements of point 23 of the Description;
37.5. the content of the request to object to the processing of personal data must meet the requirements of point 27 of the Description;
37.6. the content of the request for the right to data portability must meet the requirements of point 30 of the Description;
37.7. the content of the request revoking the given consent must meet the requirements of point 34 of the Description.
38. The request is submitted by e-mail to [email protected].
39. The request can be submitted by the data subject himself or through a representative. When submitting a request on behalf of the data subject, the representative of the data subject must submit a valid power of attorney together with the request that meets the requirements of the Civil Code of the Republic of Lithuania and other laws and legal acts of the Republic of Lithuania.
40. The company examines the received request of the data subject no later than within 1 month from the date of receipt of the request. The company has the right to extend the period of consideration of the data subject’s request up to 2 months if, for important reasons, it cannot consider the received request within 1 month. The Company must inform the data subject about the extended period of consideration of the data subject’s request no later than within 1 month from the date of receipt of the request, providing important reasons why it cannot examine the data subject’s request within the 1-month period.
41. The Company provides the response to the data subject’s request in the manner indicated by the data subject in his request. If the data subject does not indicate in the request how he would like to receive a response from the Company, or if the Company cannot provide the response in the manner specified in the data subject’s request due to technical obstacles or other reasons, the response is provided to the data subject’s e-mail address or other contact data managed by the data subject.
42. The Company provides answers to data subjects’ requests free of charge. If the data subject makes manifestly unreasonable or disproportionate requests, or the content of the requests is repetitive, the Company may:
42.1. refuse to submit an answer to an unreasonable or disproportionate request, as well as to a request with repetitive content. In this case, the data subject is informed about the Company’s refusal to provide an answer to his request within 1 month from the date of receipt of the request;
42.2. to demand, before submitting a response to the data subject’s request, a reasonable fee corresponding to the administrative costs that the Company will incur in collecting the information requested by the data subject, examining the request and submitting a response to the request.
43. The Company must confirm the identity of the data subject before exercising his/her rights. If the Company cannot confirm the identity of the data subject from the submitted content of his/her request, it may request the data subject to provide additional information or otherwise confirm his/her identity within 10 days from the date of receipt of the data subject’s request. When asking the data subject to provide additional information or to confirm his identity in another way, the Company indicates what additional information the data subject must provide or what other measures the data subject must take in order to properly confirm his identity, and also indicates a reasonable deadline for the provision of additional information or the implementation of other measures. If the data subject does not provide the Company with additional information within the deadline set by the Company or does not undertake to implement other measures specified by the Company that would help identify the data subject, the Company has the right to refuse to examine and provide an answer to the data subject’s request. The data subject is informed about the Company’s refusal to accept the request and the reasons for the refusal within 10 days from the end of the deadline set by the Company for the data subject for the provision of additional information or the implementation of other measures.
44. If the data subject’s representative, when submitting the data subject’s request on behalf of the data subject, does not provide a power of attorney at the same time, or the power of attorney provided by him is invalid or does not meet the requirements of the Civil Code of the Republic of Lithuania and other laws and legal acts of the Republic of Lithuania, the Company has the right to refuse to accept the request submitted by the representative of the data subject. The representative of the data subject is informed about the Company’s refusal to accept the request and the reasons for the refusal within 10 days from the date of receipt of the request.
45. The responsible employee of the Company examines requests from data subjects, prepares responses to the requests and, in the cases specified in this section of the Description, informs the data subjects, requests additional information from them or determines the implementation of other measures.
46. The company, having examined the data subject’s request, provides the data subject with an answer. The response indicates whether the request was granted or denied. If the request is satisfied, the response indicates to what extent the request is satisfied and sets a deadline, taking into account the complexity of the request, during which the Company undertakes to implement the requirements specified in the request. If the request is partially granted or rejected, the response shall indicate the reasons for which the request was only partially granted or denied. If the request was only partially satisfied or rejected, the data subject has the right to submit a complaint to the Company in accordance with the procedure established in Chapter XII of the Description.
XII. PROCEDURE FOR SUBMISSION AND EXAMINATION OF COMPLAINTS BY DATA SUBJECTS
47. In order to ensure the full implementation of the rights of data subjects, the Company provides opportunities for data subjects to file complaints regarding the review of partially unsatisfied or rejected requests. Data subjects can also file complaints if the Company does not take any action on the submitted data subject’s request within 1 month from the date of submission of the request to the Company, i.e., does not provide an answer in accordance with the procedure set forth in Chapter XI of the Description, does not inform the data subject of the refusal to provide an answer, and does not perform other actions specified in Chapter XI of the Description.
48. The complaint must state one of the reasons established in point 47 of the Description, for which the complaint is filed. If the complaint is filed because the Company only partially satisfied or rejected the data subject’s request, the complaint must state the reasons why the data subject believes that his complaint should be satisfied in full. A copy of the data subject’s partially satisfied, rejected or unexamined request is attached to the complaint.
49. The complaint is submitted by e-mail to [email protected].
50. The data subject can file a complaint himself or through a representative. When submitting a complaint on behalf of the data subject, the representative of the data subject must submit a valid power of attorney together with the complaint, which meets the requirements of the Civil Code of the Republic of Lithuania and other laws and legal acts of the Republic of Lithuania.
51. The deadlines for examining the data subject’s complaint coincide with the deadlines for examining the data subject’s request, established in point 40 of the Description.
52. The methods of submitting a response to a data subject’s complaint coincide with the methods of submitting a response to a data subject’s request provided for in Clause 41 of the Description.
53. The company provides answers to data subjects’ complaints free of charge.
54. The Company refuses to consider the complaint of the data subject if it has examined and submitted a response to the complaint of the data subject for the same reasons and for the same request of the data subject. The data subject is informed about the Company’s refusal to consider the repeated complaint of the data subject and the reasons for the refusal within 10 days from the date of receipt of the repeated complaint.
55. If the data subject’s representative, when submitting a data subject’s complaint on behalf of the data subject, does not provide a power of attorney at the same time, or the power of attorney submitted by him is invalid or does not meet the requirements of the Civil Code of the Republic of Lithuania and other laws and legal acts of the Republic of Lithuania, the Company has the right to refuse to accept the complaint submitted by the representative of the data subject. The representative of the data subject is informed about the Company’s refusal to accept the complaint and the reasons for the refusal within 10 days from the date of receipt of the complaint.
56. Complaints of data subjects are examined and responses to complaints are prepared by a responsible employee of the Company. The complaint cannot be processed by the same employee who processed the data subject’s request, on the basis of which the data subject submits the complaint.
57. The company, having examined the data subject’s complaint, provides the data subject with an answer. The response indicates whether the complaint was upheld or rejected. If the complaint is justified and satisfied, the request submitted by the data subject is reviewed and the response indicates to what extent the request is satisfied and a deadline is set, taking into account the complexity of the request, during which the Company undertakes to implement the requirements specified in the request. If the complaint is rejected, the reasons for rejecting the complaint are indicated in the response.
XIII. FINAL PROVISIONS
58. All data subjects of the Company, exercising their rights, established in Chapter 3 of the Regulation, and employees who deal with requests and complaints of data subjects, must comply with the procedure for exercising the rights of data subjects established in this Description.
59. The description of the procedure for implementing the rights of data subjects is available for the Company’s data subjects on the website www.sunshieldbaltics.eu.
________________________________
APPROVED
Žaliuzių montavimas, UAB director
2018 October 2 by order no. ___
Žaliuzių montavimas, UAB
PERSONAL DATA PROCESSING RULES
I. CONCEPTS
1. The main terms used in the Personal Data Processing Rules (hereinafter – the Rules):
1.1. ADTAĮ – the Law on Legal Protection of Personal Data of the Republic of Lithuania.
1.2. Personal Data – any information about an identified or identifiable natural person;
1.3. Recipient of Data – a natural or legal person, public authority, agency or other Company to whom personal data is disclosed, whether or not it is a third party;
1.4. Data subject – a natural person whose identity can be directly or indirectly determined, in particular by an identifier such as a name and surname, a personal identification number, location data and an Internet identifier, or by one or more characteristics of that natural person’s physical, physiological, genetic, mental, economic, cultural or social identity;
1.5. Data processing – any operation or sequence of operations performed by automated or non-automated means with personal data or sets of personal data, such as collection, recording, sorting, systematization, storage, adaptation or change, extraction, familiarization, use, disclosure by forwarding, distribution or otherwise making it possible to use it, as well as juxtaposition or combination with other data, restriction, deletion or destruction;
1.6. Data Processor – a natural or legal person, public authority, agency or other Company that processes personal data on behalf of the data controller;
1.7. Data Controller – a natural or legal person, public authority, agency or other Company, which alone or together with others determines the purposes and means of data processing;
1.8. Profiling – any form of automated processing of personal data where personal data is used to assess certain personal aspects related to a natural person, in particular to analyze or predict aspects related to that natural person’s work performance, economic situation, state of health, personal preferences, interests, reliability, behavior, location or movement;
1.9. Regulation – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016;
1.10. Sub-processor – another external data processor used by the data processor, who, in the performance of the service provision functions entrusted to him, will process personal data on behalf of the data controller;
1.11. Health data – personal data related to the physical or mental health of a natural person, including data on the provision of health care services that reveal information about the state of health of that natural person;
1.12. Direct marketing – activity aimed at offering goods or services to individuals by mail, telephone or other direct means and/or asking for their opinion on the offered goods or services;
1.13. Video surveillance – processing of video data related to a natural person (hereinafter – video data) using automatic video surveillance tools (video and photo cameras, etc.), regardless of whether this data is saved on a medium.
1.14. VDAI – State Data Protection Inspectorate;
1.15. other concepts as defined in the Regulation, ADTAĮ and other legal acts regulating the processing and protection of personal data.
II. GENERAL PROVISIONS
2. The Rules of Žaliuzių montavimas, UAB (hereinafter – the Company) determine the purposes, bases, categories of data subjects, categories of personal data, terms of transfer of personal data to third parties, terms of personal data storage, conditions, restrictions and procedures for destruction of personal data, rights of data subjects, and organizational and technical personal data protection measures, and regulate the procedure for using personal data processors and the Company’s relationship with data processors, the content and preparation procedure of records of data processing activities, and the responsibility of employees handling personal data.
3. The purpose of the rules is to ensure the proper processing and protection of personal data, the right to inviolability of the private life of natural persons, to protect the basic rights and freedoms of natural persons related to the processing of their personal data.
4. The rules apply to the processing of personal data automatically and manually.
5. The requirements of the rules are mandatory for all employees of the Company who process the Company’s personal data or come to know them in the course of their duties.
III. PRINCIPLES AND PURPOSES OF PROCESSING PERSONAL DATA
6. When processing personal data, the company follows the principles established in the Regulation related to the processing of personal data:
6.1. according to the principle of justice and fairness – personal data must be processed in a legal and fair manner in relation to the data subject;
6.2. based on the principle of transparency – information and notifications related to the processing of that personal data must be easily accessible and understandable, presented in clear and simple language;
6.3. purpose limitation principle – personal data must be collected for established, clearly defined and legitimate purposes and not further processed in a manner incompatible with those purposes;
6.4. according to the principle of reducing the amount of data – personal data must be adequate, suitable and only what is needed to achieve the purposes for which they are processed;
6.5. according to the principle of accuracy – personal data must be accurate and updated when necessary;
6.6. in accordance with the principle of storage duration limitation – personal data must be kept in such a form that the identity of the data subjects can be determined for no longer than is necessary for the purposes for which the personal data is processed;
6.7. in accordance with the principle of integrity and confidentiality – personal data must be processed in such a way that adequate security of personal data is ensured through the application of appropriate technical or organizational measures, including protection against unauthorized or illegal data processing and against accidental loss, destruction or damage;
6.8. based on the principle of accountability – the Company is responsible for ensuring adequate security of personal data, processing personal data legally, and ensuring the rights of data subjects.
IV. FUNCTIONS, RIGHTS AND OBLIGATIONS OF THE COMPANY
7. The company performs the following functions:
7.1. when selling goods and services, ensures proper processing and protection of personal data of customers (natural persons);
7.2. in a concise, transparent, understandable and easily accessible form, in clear and simple language, provides information to data subjects about the ongoing processing of their personal data from the moment of receiving the data subjects’ personal data;
7.3. analyzes technological, methodological and organizational problems of personal data processing and makes decisions necessary for proper personal data security;
7.4. provides methodological assistance to employees for the purposes of processing personal data;
7.5. organizes employee training on personal data processing and protection issues;
7.6. ensures the proper implementation of the rights of data subjects;
7.7. implements organizational and technical personal data protection measures that correspond to the nature of the personal data to be stored, the scope of the processed personal data and the risk of processing this data;
7.8. performs other functions necessary to implement the Company’s rights and obligations in the field of personal data processing and protection.
8. The Company has the following rights:
8.1. prepare and adopt internal legislation regulating the processing and protection of personal data;
8.2. instruct the data processors to handle the personal data provided for in the personal data processing agreement;
8.3. other rights enshrined in the Regulation and other legal acts of the Republic of Lithuania.
9. The company has the following responsibilities:
9.1. ensure that the requirements of these Rules, the Regulation, ADTAĮ and other legal acts regulating the processing and protection of personal data are complied with;
9.2. properly implement the data subject’s rights in compliance with the requirements established in the Regulation;
9.3. ensure the security of personal data by implementing technical and organizational measures for the security of personal data;
9.4. maintain records of data processing activities;
9.5. notify the State Data Protection Inspectorate no more than 72 hours after becoming aware of a breach of personal data security, unless the breach of personal data security does not endanger the rights and freedoms of natural persons;
9.6. to report a personal data security breach to the data subject without undue delay, when the personal data security breach may result in a significant risk to the rights and freedoms of the data subject;
9.7. to ensure that personal data is stored within the terms specified in the Rules, no longer than is necessary to achieve the purposes set out in the Rules;
9.8. use only those data processors for the processing of personal data who guarantee the necessary technical and organizational personal data protection measures;
9.9. not to store, not to disclose, not to transfer processed personal data and not to make it possible for any person who is not authorized to process this personal data, and who is not granted access to this data, both within the Company and outside it, to get acquainted with it by any means;
9.10. other duties stipulated in the Regulation, ADTAĮ and other legal acts of the Republic of Lithuania.
V. SEARCH, SELECTION AND RECRUITMENT OF CANDIDATES FOR VACANCIES
10. The company processes the following personal data of candidates for the purpose of searching, selecting and recruiting candidates for vacant positions:
10.1. name;
10.2. last name;
10.3. phone number;
10.4. e-mail address;
10.5. Personal data in the CV:
10.5.1. education;
10.5.2. work experience;
10.5.3. qualification;
10.5.4. other information about the candidate for the vacant position.
11. Personal data of candidates for vacant positions is processed in order to take action at the request of a candidate for a vacant position before concluding a contract (Article 6, Paragraph 1, Clause b of the Regulation), i.e. to check the suitability of a candidate for a vacant position for the conclusion of an employment contract.
12. Every candidate for a vacant position in the Company is informed that the Company will process his personal data when assessing the compliance of his qualifications, work experience, and other abilities with the Company’s requirements for the vacant position, as well as when inviting the candidate to a job interview or in other ways when selecting a candidate for a vacant position.
13. The personal data of a candidate for a vacant position is transferred to other companies and institutions only with the written consent of the candidate.
14. The company may transfer the personal data of job candidates to data processors on the basis of agreements on personal data processing.
15. The personal data of candidates for vacant positions is handled by employees authorized by the Company Director. Only those employees who are tasked with processing the relevant data have access to the personal data of candidates for vacant positions.
16. The personal data of a candidate for a vacant position is processed until the employment contract is signed or the candidature is rejected. Within 10 (ten) working days from the rejection of the candidature, the personal data of the candidate for the vacant position is deleted from the computers, the internal database of the Company, copies of the CV (curriculum vitae) and other documents containing the personal data of the candidates for the vacant positions are destroyed.
VI. INTERNAL ADMINISTRATION
17. The company processes the following employee data for internal administration purposes:
17.1. name;
17.2. last name;
17.3. address of permanent residence;
17.4. phone number;
17.5. date of birth;
17.6. personal code;
17.7. personal identity card/passport data;
17.8. settlement bank account number;
17.9. e-mail address;
17.10. personal data contained in the CV and activity description;
17.11. social security number;
17.12. health check book data and other data related to the employee’s health;
17.13. information about:
17.13.1. seniority;
17.13.2. education;
17.13.3. qualification;
17.13.4. work experience;
17.13.5. work skills.
17.14. position;
17.15. signature;
17.16. the amount of wages;
17.17. severance payments, compensations;
17.18. allowance;
17.19. information about working hours;
17.20. information about the employee’s incentives and violations of work duties;
17.21. information about the evaluation of the employee’s performance;
17.22. data on the employee’s vacation;
17.23. information about marital status;
17.24. information about the level of working capacity;
17.25. information about disability;
17.26. vehicle state registration number.
18. The company processes the following personal data of shareholders and their representatives for internal administration purposes:
18.1. name;
18.2. last name;
18.3. phone number;
18.4. e-mail address;
18.5. signature.
19. The company processes information about employees’ marital status, work ability level, disability, other health data only in cases where it seeks to ensure the guarantees provided by the laws and legal acts of the Republic of Lithuania regulating labor relations and social relations for employees. The purpose established by the company for the processing of personal data of special categories of employees meets the condition provided for in Article 9(2)(b) of the Regulation, which allows the processing of special category personal data when it is necessary for the data controller to be able to fulfill its obligations, and the data subject to exercise special rights in the field of labor and social security law, to the extent permitted by the law of the Union or a Member State, as well as the condition provided for in Article 9(2)(h) of the Regulation, which allows the processing of special category personal data for the purposes of occupational medicine, in order to assess the employee’s work capacity.
20. The internal administration of the Company consists of the management of the Company’s structure, management of documents, personnel, capital, available material and financial resources, administration of the office, the Company’s financial reporting, convening and registration of general meetings of shareholders, and execution of adopted decisions.
21. The personal data of employees is processed on the basis of the fulfillment of the terms of employment contracts concluded with employees (Article 6, paragraph 1, point b of the Regulation), as well as on the basis of the fulfillment of the Company’s legal obligations arising from the laws and legal acts of the Republic of Lithuania regulating labor relations and social relations (Article 6, paragraph 1, point c of the Regulation).
22. The personal data of shareholders and their representatives are processed on the basis of the fulfillment of the Company’s legal obligations arising from the Company’s Founding Agreement and the requirements of the Law on Joint Stock Companies of the Republic of Lithuania (Article 6, Part 1, Clause c of the Regulation).
23. The company transfers personal data of employees to the State Tax Inspectorate under the Ministry of Finance, the State Social Insurance Fund Board under the Ministry of Social Security and Labour, the State Labor Inspectorate under the Ministry of Social Security and Labour, JV “Registrų centras”, the Lithuanian Labor Exchange under the Ministry of Social Security and Labour, the Service for Determining Disability and Work Capability under the Ministry of Social Security and Labour, and other state and municipal institutions and bodies in fulfillment of the legal obligations established by the laws and legal acts of the Republic of Lithuania. Only those employees’ personal data, which are managed by the Company and which are required to be transferred by state and municipal institutions and the Company, are transferred. Employee data may be transferred to other companies and institutions, where the transfer is not required by law and is not necessary to ensure the continuity of operations, only after obtaining the employees’ written consent.
24. The company transfers the personal data of shareholders and their representatives to the State Tax Inspectorate under the Ministry of Finance, JV “Registrų centras”, other state and municipal institutions and bodies in fulfillment of the legal obligations established by the laws and legal acts of the Republic of Lithuania. The Company has no legal obligation to transfer the personal data of shareholders and their representatives to other state and municipal institutions, bodies or companies; the transfer of this personal data to them can only be carried out after obtaining the consent of the relevant Company shareholders and their representatives.
25. The company may transfer the personal data of employees and shareholders, their representatives to data processors on the basis of agreements on personal data processing.
26. Personal data of employees and shareholders, their representatives are processed by employees authorized by the Company Director. Access to the personal data of specific employees and shareholders and their representatives is only available to those employees who are assigned to process the relevant data.
27. The employee’s personal data is processed, except for storage, until the end of the employment relationship. After termination of the employment relationship with the employee, his personal data will continue to be stored according to the terms set in the General Document Storage Terms Index and by the Company.
28. The personal data of shareholders and their representatives are processed, with the exception of storage, while shareholders and their representatives participate in the general meeting of shareholders and implement other duties and rights of shareholders, established in the founding agreement and the Law on Joint-Stock Companies of the Republic of Lithuania, in relation to the Company. If the shareholder’s representative no longer represents the shareholder in the relationship with the Company, his personal data will continue to be stored according to the terms set by the General Document Storage Terms Index and the Company.
29. Personal data of employees, shareholders and their representatives are deleted from all computers, external media, and internal and external databases, and contracts, registration logs, timesheets, protocols, decisions and other documents containing such personal data are destroyed, after the expiration of the storage terms set in the General Document Retention Index and the storage terms determined by the Company for documents containing the personal data of employees, shareholders and their representatives.
VII. SUPPLY OF INVENTORY AND OTHER GOODS TO THE COMPANY BY SUPPLIERS
30. The Company processes the following personal data of supplier representatives for the purposes of inventory and other goods supplied by suppliers to the Company:
30.1. name;
30.2. last name;
30.3. signature;
30.4. phone number;
30.5. email address.
31. The personal data of suppliers’ representatives are processed on the basis of the execution of sales contracts (Article 6, paragraph 1, point b of the Regulation), i.e. when entering into purchase and sale contracts, in accordance with the procedure established by the Civil Code of the Republic of Lithuania and other legal acts of the Republic of Lithuania, which determine the requirements for the conclusion of purchase and sale contracts, and in fulfilling one’s obligations and exercising one’s rights, established in the purchase and sale contracts.
32. The personal data of the supplier representatives without the consent of the supplier representatives can be transferred only when the Company fulfills the legal obligation to disclose the personal data of the relevant supplier representative to the State Tax Inspectorate under the Ministry of Finance, JV “Registrų centras”, other state and municipal institutions and bodies in accordance with the procedure established by law. In other cases, the personal data of suppliers’ representatives can be transferred only after receiving their written consent.
33. The company may transfer personal data of supplier representatives to data processors on the basis of agreements on personal data processing.
34. The personal data of suppliers’ representatives are processed by employees authorized by the Company’s director. Access to the personal data of specific supplier representatives is only available to those employees who are assigned to handle the relevant data.
35. Personal data of suppliers’ representatives, with the exception of storage, is processed until the end of the purchase-sale agreement and all mutual obligations between the supplier and the Company are fulfilled.
36. After the end of the purchase and sale agreements concluded with the suppliers, the personal data of the supplier representatives will continue to be stored for the terms set in the General Document Retention Terms Index and by the Company. After these terms have expired, the data will be deleted from all computers, external media, and internal and external databases, and contracts, invoices and other documents containing the personal data of the supplier representatives will be destroyed.
VIII. DIRECT MARKETING
37. The company processes the following personal data of data subjects for direct marketing purposes:
37.1. name;
37.2. last name;
37.3. phone number;
37.4. e-mail address;
37.5. city.
38. The company conducts direct marketing by sending newsletters to those who subscribe to them, providing data subjects with other information about the offered goods, services, promotions, news, events, conducting surveys on the quality and assortment of the goods sold, the services provided.
39. Personal data of data subjects in order to achieve the purposes set out in this section are processed on the basis of the data subject’s consent (Article 6, paragraph 1, point a of the Regulation).
40. The data subject’s personal data, processed for the purpose of direct marketing, may be transferred without the data subject’s consent only when the Company fulfills the legal obligation to disclose the relevant data subject’s personal data to state and municipal institutions and bodies in accordance with the law. In other cases, the personal data of the data subject may be transferred only after receiving his written consent.
41. The company may transfer personal data of data subjects processed for the purpose of direct marketing to data processors on the basis of agreements on personal data processing without the prior consent of data subjects.
42. Personal data of data subjects are processed by employees authorized by the Company’s director for the purpose of direct marketing. Access to the personal data of specific data subjects is limited to those employees who are assigned to process the relevant data.
43. Personal data of data subjects for the purpose of direct marketing is processed until the data subject withdraws the given consent, but no longer than 10 (ten) years from the date of acquisition of personal data. After the data subject withdraws his consent, his personal data is deleted from all computers, servers, external databases and media.
IX. VIDEO MONITORING AND VIDEO DATA PROCESSING
44. Video surveillance and video data processing is carried out by the Company and third parties on the basis of legitimate interests, in order to ensure the safety of employees and third parties, the protection of the Company’s property, the order of work organization, control of access to the Company’s territory and premises. Other measures, such as additional mechanical locks, are not sufficient to achieve the above-mentioned goals.
45. Every visitor and employee knows that they are being monitored by video cameras, as they are informed about the video surveillance carried out on the Company’s territory and premises with informative links. Informational links contain the following information:
45.1. general information about the Company and contact details of its representative;
45.2. the goals that the Company pursues when conducting video surveillance;
45.3. legitimate interest on the basis of which the Company carries out video surveillance of the territory;
45.4. categories of relevant personal data;
45.5. the storage period of image data defined by a specific term or other criteria;
45.6. rights of filmed persons;
45.7. the right to submit a complaint to the State Data Protection Inspectorate;
45.8. the source of the video data collected is video cameras filming in the Company territory.
46. Video surveillance is carried out in the following Company territory:
46.1. At the entrance to the territory, in the parking lot, in the yard, in the production premises, in the administrative premises, in the employees’ kitchens, in the warehouses at Smiltyny kel. 3, Smiltyn I village, Kaunas district;
46.2. In sales showrooms at Raudondvarios pl. 131, Kaunas (PC “Ermitžas”), Lukšio st. 34, Kaunas (PC “Banginis”), Statybininkų st. 71A / Likiškėlių str. 72, Kaunas (PC “Senukai”).
47. Video data without the written consent of the data subject may be transferred to law enforcement institutions, the prosecutor’s office or the court as evidence in civil, administrative or criminal proceedings, as well as to other bodies or institutions in accordance with the procedure established by law.
48. Image data can be processed by the Company’s data processors on the basis of agreements on personal data processing.
49. Image data is handled by employees authorized by the Company Director. Only those employees who are assigned to handle the relevant data have access to the video data. Employees authorized by the director are responsible for the technical maintenance of the video surveillance system and video data processing.
50. Video data is stored on recording devices for 14 calendar days. After the specified period, the image data is automatically deleted.
51. The video recorder allows you to search for videos by date and time.
52. If video data is written to external media, these media are stored in locked volumes. External storage media with recorded video data required as evidence shall be kept in sealed envelopes.
53. Transferred copies of videos are registered together with a cover letter (in writing).
54. Video data on external media is stored for 14 calendar days, unless a longer period of personal data storage is necessary to protect the interests of the Company, its employees or customers or other natural persons in civil, administrative and criminal proceedings.
X. LOCATION DETERMINATION
55. The institution uses positioning equipment (GPS) in cars.
56. Positioning equipment (GPS) is used in cars and processing of location data is carried out on the basis of the Institution’s legitimate interest in order to determine the fuel consumption of employees using the Institution’s cars with positioning equipment (GPS) for work purposes, as well as to ensure work organization procedures so that employees use cars during work for the performance of work functions (Article 6, Paragraph 1, Clause f of the Regulation). Every employee who uses the Institution’s cars with positioning equipment (GPS) is informed that the Institution can determine his location with the help of this equipment.
57. Location data may be processed by the Institution’s data processors on the basis of agreements on personal data processing.
58. The location data is processed and stored on the Institution’s data manager server for 1 year after the location data is captured by the location device (GPS). After the specified period, location data is automatically removed.
XI. SALE OF GOODS ON THE INTERNET
59. For the purposes of online sales of goods, the Company processes the following personal data of buyers:
59.1. name;
59.2. last name;
59.3. address;
59.4. phone number;
59.5. city;
59.6. date of birth;
59.7. e-mail address;
59.8. account number;
59.9. credit card details;
59.10. details of the credit institution;
59.11. Paysera account information;
59.12. Paypal account information.
60. Buyers’ personal data are processed on the basis of the execution of sales contracts (Article 6, paragraph 1, point b of the Regulation), i.e. when concluding purchase and sale contracts, the company shall comply with the procedure established by the Civil Code of the Republic of Lithuania and other legal acts of the Republic of Lithuania, which determine the requirements for the conclusion of purchase and sale contracts, and by fulfilling its obligations and exercising its rights, established in the purchase and sale contracts.
61. Buyers’ personal data may be transferred without the buyers’ consent only when the Company fulfills its legal obligation to disclose the relevant buyer’s personal data to the State Tax Inspectorate under the Ministry of Finance, JV “Registrų centras”, other state and municipal institutions and bodies in accordance with the law. In other cases, personal data of buyers can be transferred only after receiving their written consent.
62. The company may transfer personal data of buyers to data processors on the basis of agreements on personal data processing.
63. Personal data of buyers are processed by employees authorized by the Company’s director. Only those employees assigned to handle the relevant data have access to specific personal data of Buyers.
64. Buyers’ personal data, with the exception of storage, are processed until the purchase and sale agreement expires and all mutual obligations between the buyers and the Company are fulfilled.
65. After the end of the purchase and sale agreements concluded with the buyers, the personal data of the buyers will continue to be stored according to the terms set in the General Document Retention Terms Index and by the Company. After these terms have expired, the data will be deleted from all computers, external media, and internal and external databases, and contracts, invoices and other documents containing the personal data of the buyers will be destroyed.
XII. ACCOUNT MANAGEMENT
66. When individuals create personal accounts on the website www.sunshieldbaltics.eu, the Company processes the following personal data:
66.1. name;
66.2. last name;
66.3. date of birth;
66.4. email address.
67. Personal data is processed in order to facilitate people’s shopping on the Company’s website, to enable individuals to purchase goods and services under favorable conditions, to apply promotions and discounts, to retain existing customers and attract new customers and to maintain long-term relationships with them, to improve the quality of the Company’s services.
68. Personal data is processed on the basis of consent (Article 6, Paragraph 1, Clause a of the Regulation), i.e. when a person fills out an application for the creation of a personal account and gives consent to the processing of personal data.
69. By requiring the date of birth to be specified in the application for the creation of a personal account, the company ensures that accounts are not created by persons younger than 14 (fourteen) years of age, unless the consent of the parents of such persons is provided.
70. Personal data without the consent of individuals can be transferred only when the Company is fulfilling the legal obligation to disclose the data of the relevant person to the State Tax Inspectorate under the Ministry of Finance, JV “Registrų centras”, other state and municipal institutions and institutions in accordance with the procedure established by law. In other cases, customer data can be transferred only after obtaining the written consent of the individuals.
71. The company may transfer personal data to data processors on the basis of agreements on personal data processing.
72. Personal data is processed by employees authorized by the Company’s director. Access to specific personal data is only available to those employees who are assigned to process the relevant data.
73. Personal data is deleted after the person withdraws consent to process personal data, but no longer than 10 (ten) years from the date of acquisition of personal data.
XIII. IMPLEMENTATION OF THE LOYALTY PROGRAM
74. During the implementation of the loyalty program, the Company processes the following personal data of the participants of the loyalty program:
74.1. name;
74.2. last name;
74.3. date of birth;
74.4. phone number;
74.5. e-mail address;
74.6. city.
75. The personal data of the participants of the loyalty program is processed on the basis of consent (Article 6, paragraph 1 point a of the Regulation), i.e. when the person fills out the questionnaire provided by the Company regarding the loyalty program and gives consent to the processing of personal data.
76. Personal data is processed in order to enable the participants of the loyalty program to purchase goods and services under favorable conditions, to apply promotions and discounts to them, to maintain existing and attract new customers, to maintain long-term relations with them, to improve the quality and range of goods sold and services provided by the Institution, taking into account the needs of the participants of the loyalty program. The loyalty program carried out by the company consists of invitations of program participants to exclusive events, organization of contests, personalized offers and services, promotions and discounts for program participants. The component of the loyalty program is the direct marketing carried out by the Company, with the help of which the content of the loyalty program is realized. Personal data processing requirements for the Company’s direct marketing are set out in Chapter XI of the Rules.
77. Named loyalty cards are issued to the participants of the loyalty program, which confirm their participation in the loyalty program and their right to receive the services offered by the Institution’s loyalty program.
78. A person becomes a member of the Company’s loyalty program by filling out the loyalty program questionnaire provided by the Institution in writing or electronically.
79. By requiring the date of birth to be indicated in the loyalty program participation form, the company ensures that persons younger than 14 (fourteen) years of age do not participate in the loyalty program, unless the consent of the parents of such persons is provided.
80. The institution may transfer the personal data of the loyalty program participants to data processors on the basis of agreements on personal data processing without the prior consent of the program participants.
81. The personal data of the participants of the loyalty program is processed by employees authorized by the Director of the Institution. Access to the personal data of specific loyalty program participants is limited to those employees who are assigned to handle the relevant data.
82. The personal data of the participants of the loyalty program is processed until the program participants terminate their participation in the Institution’s loyalty program and return the named loyalty card issued by the Institution (if one was issued), but no longer than 10 (ten) years from the date of acquisition of personal data. After the participants of the Loyalty Program terminate their participation in the Institution’s loyalty program and return the named loyalty card issued by the Institution (if one was issued), their personal data are manually deleted from the Institution’s computers where they were processed and stored, as well as their name cards are destroyed.
XIV. RIGHTS AND OBLIGATIONS OF THE DATA SUBJECT
83. Data subjects have the following rights:
83.1. the right to access processed personal data;
83.2. the right to demand correction or clarification of incorrect or inaccurate personal data;
83.3. the right to demand the deletion of processed personal data;
83.4. the right to restrict the processing of personal data;
83.5. the right to receive personal data related to data subjects that they have provided to the data controller in a structured, commonly used and computer-readable format, and to forward that data to another data controller;
83.6. the right to object to the processing of personal data;
83.7. the right to withdraw their consent to the processing of their personal data at any time.
84. The conditions, limitations and the procedure for the implementation of the rights of data subjects are determined by the description of the procedure for the implementation of the rights of data subjects approved by the Company’s director.
85. Data subjects have the following responsibilities:
85.1. Provide complete and correct personal data to the company;
85.2. if the personal data of the data subject changes or if the data subject provides incorrect personal data, immediately inform the Company and provide new or corrected personal data;
85.3. to honestly use and not abuse their rights.
XV. ORGANIZATIONAL AND TECHNICAL PERSONAL DATA PROTECTION MEASURES
62. In the company, the security of personal data is ensured by the specified organizational and technical data protection measures:
62.1. protection, management and control of access to personal data is ensured;
62.2. the integrity of processed personal data is ensured;
62.3. access to personal data is granted only to employees who have the authority to process personal data. Employees who work with personal data must have signed pledges to handle personal data properly and keep this data confidential;
62.4. after the data subject submits a request to change or correct his personal data, his request is registered, examined according to the procedure established by the Company’s description of the procedure for the implementation of the rights of data subjects and, if the request is satisfactory, the personal data of the data subject is updated in the internal database, and unnecessary personal data is deleted;
62.5. The company’s personnel, financial, accounting and reporting files, as well as other archival files and relevant electronic files, are transferred to new employees appointed by the Company’s director by means of a transfer-acceptance act;
62.6. when destroying documents whose storage terms have expired and which contain personal data of data subjects, they and their copies must be destroyed in such a way that these documents cannot be restored and their content cannot be identified;
62.7. requirements for passwords for logins to computers used by the Company, areas of the local network where personal data are stored, software and e-mail accounts:
62.7.1. the new password must be unique, consisting of at least 8 characters, of which at least one character must be a number and at least one uppercase letter;
62.7.2. it is forbidden to use personal information when creating a combination of password characters.
62.8. computer and local network usernames and passwords are private. After finishing work, it is important to log off from any used computer and local network and make sure that others do not use your personal computer or local network username and password;
62.9. Passwords of computers used by the company, local network areas, and software accounts that process personal data must be changed at least once every 2 months. Passwords for standard users of video cameras provided by the manufacturer must be changed once every 1 year. In the event of a personal data security breach of the local network, the passwords of all users of the Company’s local network must be changed immediately. If there is a possibility that the password of a specific computer, local network, software, e-mail account used by the Company has been disclosed to third parties or made public on external networks, such password must be changed immediately;
62.10. it is prohibited to send malicious, illegal or otherwise inappropriate e-mails via the Company’s e-mail accounts. If an e-mail with suspicious content or attachments is received, it is forbidden to open or save the e-mail and its attachments, and the sender’s e-mail address must be blocked. It is also prohibited to open or use any executable file received by e-mail (.exe, .cmd, .bat, .scr, .com, etc.). Before replying to an e-mail or forwarding it to a third party, you must always check the content of the message you are sending. It is forbidden to configure work e-mail on a personal computer, phone, tablet or other device;
62.11. On the company’s website, the possibilities for public Internet search systems and search engine robots to copy the information on the website and to find copies of previously published information that has already been removed from the website must be maximally limited;
62.12. improper use of the Company’s work computers or damage to them is prohibited. After finishing using the work computer, it is always mandatory to lock its screen. Only accounts related to work and the Company’s activities are used on the computers used by the Company, which process personal data;
62.13. it is forbidden to use external media on Company computers that may contain malicious programs or viruses (USB, CD-ROM, DVD drives, external HDD, SSD, etc.);
62.14. all operating systems and software used by the Company are supported and licensed. All operating systems and software used by the Company are automatically updated according to the procedure established by the manufacturer of the licensing company. The Company’s programs are licensed only for their use within the Company and not elsewhere;
62.15. computers, local network areas where personal data are stored, software and e-mail accounts of employees or other persons who are no longer processing personal data on behalf of the Company are deleted within 12 months;
62.16. the latest licensed anti-virus software is installed on all Company computers;
62.17. The company’s local network and computers have firewalls;
62.18. the security of the premises where personal data is stored is ensured. Access to premises where personal data is stored is restricted for third parties or employees who are not authorized to work with the relevant personal data;
62.19. Company documents, their copies, financing, accounting and reporting, archival and other files containing the personal data of the Company’s data subjects are stored in locked cabinets, safes or premises;
62.20. employee personal files transferred for archival storage are stored in the Company’s archive in a locked document storage until transfer to the archive;
62.21. The Company’s employees responsible for the processing of video data are obliged not to allow unauthorized persons into the premises where video data recording devices are located, and upon noticing malfunctions of the video system, they must immediately notify the Director of the Company and the persons performing technical maintenance of video surveillance;
62.22. security control and deletion of personal data on external data carriers is ensured;
62.23. it is ensured that the testing of information systems in the Company is not carried out with real personal data, except in necessary cases, during which organizational and technical personal data security measures are used to ensure the security of real personal data;
62.24. personal data are transferred to external networks from the Company’s local network only after they are first encrypted;
62.25. The video surveillance system used by the company is technically maintained. System malfunctions must be eliminated promptly, using all available technical resources.
XIII. USE OF PERSONAL DATA PROCESSOR
63. The Company has the right to use a data processor who will process the personal data assigned by the Company.
64. In cases where the Company uses a data processor to perform personal data processing actions, a written agreement on personal data processing is concluded between the Company and the data processor. This agreement is drawn up on the basis of the main contract between the Company and the data processor, for the proper execution of which the data processor must process the personal data entrusted by the Company.
65. The company has the following duties towards the data processor:
65.1. make sure that the technical and organizational protection measures applied by the data processor ensure adequate protection of the rights and legitimate interests of the personal data and data subjects assigned to the data processor;
65.2. inform the data processor about a data security breach, if the data security breach poses a risk to the data processor’s processing of personal data commissioned by the Company;
65.3. to appoint persons responsible for providing additional written instructions or instructions to the data processor, implementing other duties and rights of the Company, as well as coordinating the actions of the data processor and the Company;
65.4. within a reasonable period of time, to inform the data processor in writing about the satisfied request of the data subject to correct, delete certain of his personal data or limit the processing of this personal data and to provide a written instruction to the data processor to correct, delete or limit the processing of the relevant data. The Company’s obligation to inform the data processor in writing about the correction, deletion or restriction of the processing of personal data and to issue written instructions to the data processor occurs only if the data subject and his personal data, which the Company corrected, deleted or restricted their processing, fall into the categories of data subjects and personal data processed by the data processor, specified in the agreement on personal data processing. The Company’s written instruction contains the name, surname, category of the data subject, a list of his personal data that the Company has corrected, deleted or restricted their processing, determines the actions that the data processor must perform, and specifies the deadline for performing the actions, taking into account the amount and scope of processing of the personal data that is instructed to be corrected, deleted or restricted. When the data processor is instructed to correct certain personal data of the data subject, the Company must also provide in the instruction how the relevant data must be corrected;
65.5. perform other duties provided for in the Regulation, ADTAĮ, other legal acts, which establish requirements for the processing and protection of personal data, to the extent that the performance of these duties is related to the proper implementation of the agreement on the processing of personal data.
66. The company has the following rights in relation to the data processor:
66.1. check and assess whether the data processor actually implements the technical and organizational measures described by the data processor in the agreement on personal data processing;
66.2. require the data processor to implement additional technical and organizational measures or adjust the personal data processing activities assigned by the Company, if the Company reasonably believes that without additional technical and organizational measures or the data processor not adjusting the personal data processing activities, there may be a risk to the security of personal data and the rights and legitimate interests of the data subjects whose personal data is processed by the data processor. The data processor may refuse to comply with the Company’s instruction to implement additional technical and organizational measures or to adjust the personal data processing activities commissioned by the Company, if the data processor would incur unreasonably high costs due to the implementation of the corresponding additional technical and organizational measures or the adjustment of data processing activities, and the Company would refuse to compensate them.
66.3. if the data processor has performed an audit or has received a certificate issued by an approved certification company regarding the compliance of the technical and organizational measures applied by him with the requirements of the Regulation, ADTAĮ and other legal acts of the Republic of Lithuania, to receive a copy of the audit report or certificate;
66.4. control how the data processor and other persons authorized by the data processor to process personal data assigned by the Company comply with the obligation of confidentiality established in the agreement on personal data processing;
66.5. allow the data processor to use other data processors (hereinafter – Sub-processors) for the processing of personal data assigned by the Company;
66.6. use another data processor for processing the same personal data for the same or other purposes;
66.7. get acquainted with the data processor’s documents documenting the process of personal data processing commissioned by the Company, and receive copies of these documents, as well as receive other information from the data processor related to the processing of personal data commissioned by the Company;
66.8. restrict the processing of all or part of the personal data by the data processor commissioned by the Company, when the Company has reason to believe that the personal data processed by the data processor is inaccurate or incorrect, the processing of the personal data by the data processor or its authorized persons is carried out for purposes other than those specified in the agreement on the processing of personal data, the processing does not correspond to the nature of the processing described in the agreement on the processing of personal data, the data processor and its authorized employees do not comply with the obligation of confidentiality, the technical and organizational measures applied by the data processor no longer ensure adequate protection of the rights and legitimate interests of personal data and data subjects processed by the data processor on behalf of the Company, the data processor does not actually implement technical and organizational measures, the data processor violates the terms of the agreement on personal data processing, the requirements of the Regulation, ADTAĮ and other legal acts of the Republic of Lithuania regarding the processing and protection of personal data. The execution of the main contract is suspended for the period of restriction of personal data processing, unless the restriction of personal data processing does not prevent the proper implementation of the main contract;
66.9. to terminate the main contract with the data processor on the same grounds that apply to the limitation of personal data processing by the data processor, except in cases where the Company has reason to believe that the personal data entrusted to the Company by the data processor to be processed is inaccurate or incorrect;
66.10. to provide the data processor with additional written instructions or instructions regarding personal data processing and security cases in order to properly implement the requirements for personal data processing and protection carried out by the data processor;
66.11. has other rights towards the data processor provided for in the Regulation, ADTAĮ and other legal acts of the Republic of Lithuania.
67. The data processor has the following duties towards the Company:
67.1. process personal data only in accordance with the provisions of these Rules, the agreement on personal data processing and additional instructions or instructions provided by the Company, including the transfer of personal data to third parties. The data processor must process personal data without the Company’s instructions when the legal obligation of the data processor is determined by the law of the European Union or a member state. In such a case, before starting to process personal data, the data processor shall notify the Company of his legal obligation no later than within 2 days, except for cases where, based on the law of the European Union or a member state, such notification is prohibited for important reasons of public interest. If the data processor has not received additional written instructions or instructions from the Company on how to process personal data in a specific situation, or if additional written instructions or instructions given by the Company contradict the requirements of the Regulation, ADTAĮ and other legal acts of the Republic of Lithuania regulating the processing and protection of personal data, the data processor shall inform the Company immediately, but no later than within 2 days;
67.2. upon receiving a request from the VDAI, to carry out the instructions or recommendations provided in the request, as well as to cooperate with the VDAI in other ways in the performance of its direct functions. The data processor must inform the Company about the instructions or recommendations provided in the VDAI request no later than within 2 days;
67.3. to help the Company implement the rights of data subjects provided for in Chapter 3 of the Regulation, if the data processor is tasked with processing the personal data of the relevant category of data subjects;
67.4. upon receipt of a data subject’s request to provide information about his personal data to a data processor commissioned by the Company to process, or to exercise another right provided for in Chapter 3 of the Regulation, transfer this request to the Company no later than 2 days from the date of receipt of the request;
67.5. Upon the company’s request, provide all information about the processing of personal data carried out on its behalf;
67.6. ensure the actual implementation of appropriate organizational and technical measures, as well as implement additional technical and organizational measures at the Company’s request, unless the data processor incurs unreasonably high costs due to the implementation of relevant additional technical and organizational measures, and the Company refuses to compensate them;
67.7. At the company’s request, provide a copy of the audit report or certificate, if the data processor has performed an audit or has received a certificate issued by an approved certification company regarding the compliance of the technical and organizational measures applied by it with the requirements of the Regulation, ADTAĮ and other legal acts of the Republic of Lithuania;
67.8. no later than 5 days from the date of conclusion of the agreement on personal data processing, compile and approve the list of employees of the data processor authorized to process personal data assigned by the Company and submit it to the Company. If the data processor changes, supplements, updates and re-approves the list of employees authorized to process personal data commissioned by the Company, the data processor must submit the changed, supplemented or updated list to the Company within 5 days from the date of approval of the new list;
67.9. after concluding an agreement on the processing of personal data, enter into promises with the employees regarding the proper processing of personal data, which meet the condition of the duty of confidentiality of the data processor and its authorized employees. The data processor is prohibited from allowing employees to get acquainted with the Company’s personal data and to start processing them, as well as to provide access to this personal data until such promises are made with them;
67.10. to ensure that authorized employees process personal data assigned by the Company for the purposes set out in the agreement on personal data processing, comply with the established nature of personal data processing, the obligation of confidentiality, the procedure for implementing organizational and technical personal data protection measures and other requirements;
67.11. process personal data only to the extent that is determined in the agreement on personal data processing and is necessary to perform the functions according to this agreement;
67.12. Upon the Company’s request, provide copies of documents documenting the personal data processing process commissioned by the Company;
67.13. inform the Company about a breach of personal data security in accordance with the procedure established by the description of the procedure for managing and responding to breaches of personal data security and take other steps to eliminate the breach;
67.14. compensate the Company for the losses incurred by the data processor in violation of the Rules, the terms of the agreement on the processing of personal data, the Regulation, ADTAĮ and other legal acts that regulate data processing and protection;
67.15. upon expiry of the agreement on personal data processing, return to the Company the data entrusted by it to process and delete copies of personal data or delete personal data entrusted by the Company without return;
67.16. perform other duties provided for in the Regulation, ADTAĮ, other legal acts, which establish requirements for the processing and protection of personal data, to the extent that the performance of these duties is related to the proper implementation of the agreement on the processing of personal data.
68. The data processor has the following rights in relation to the Company:
68.1. change, supplement, update the list of data processor employees authorized to process personal data assigned by the Company;
68.2. to consult with the Company and request additional instructions and instructions regarding cases of personal data processing and protection that are not defined by the provisions of the Rules and the terms of the agreement on personal data processing, in order to properly implement the requirements for personal data processing and protection carried out by the data processor;
68.3. With the consent of the Company, use other data processors (Subprocessors) for the processing of personal data assigned by the Company;
68.4. implement additional organizational and technical security measures for the protection of personal data processed by the Company after coordinating these measures with the Company;
68.5. has other rights in relation to the Company provided for in the Regulation, ADTAĮ and other legal acts of the Republic of Lithuania.
69. Conditions and procedure for using another data processor (sub-processor):
69.1. the data processor may use sub-processors only after receiving the prior written consent of the Company;
69.2. the data processor must inform the Company in advance of any planned changes related to the use or replacement of sub-processors and obtain the Company’s written consent;
69.3. the same obligations and other requirements imposed on the data processor must be determined in the contract or other agreement between the data processor and the subprocessor;
69.4. the data processor has the duty to make sure that the sub-processor actually implements the organizational and technical security measures set out in the contract between the data processor and the sub-processor or another agreement, as well as to control how the sub-processor and its authorized employees carry out the processing of the Company’s personal data assigned to it by the data processor;
69.5. the data processor is fully responsible to the Company for the improper processing of the Company’s personal data by the subprocessor, as well as other violations of requirements and conditions.
70. Conditions and procedure for returning personal data to the Company and deleting them:
70.1. after the expiration of the agreement on personal data processing, the data processor must return to the Company all personal data of the Company processed on the basis of the agreement on personal data processing and delete or destroy both paper and digital copies of this personal data, unless the Company instructs the data processor to delete all personal data processed by it without returning them, or the return of personal data is impossible due to the way the personal data was submitted, the amount of personal data, or for other reasons, or would require disproportionate efforts of the data processor. If the data processor does not return personal data to the Company because the return of personal data is not possible or would require disproportionate efforts of the data processor, the data processor must delete or destroy such personal data;
70.2. the data processor does not return the personal data processed on the basis of the agreement on personal data processing to the Company, nor does it delete these data or their copies, if the data processor has a legal obligation to store the relevant personal data in accordance with the procedure established by the legal acts of the Republic of Lithuania.
71. Responsibility of the company and data processor:
71.1. The company and/or its data processor shall be liable for violations of the Regulation, ADTAĮ and other legal acts of the Republic of Lithuania regulating the processing and protection of personal data in accordance with the procedure established by the Regulation and laws;
71.2. The company and/or its data processor must compensate any person for material and non-material damage due to violations of the Regulation, ADTAĮ and other legal acts of the Republic of Lithuania, regulating the processing and protection of personal data, in accordance with the law.
72. The company chooses a data processor that guarantees the necessary technical and organizational data protection measures and ensures that such measures are followed.
XIV. RECORDS OF PERSONAL DATA PROCESSING ACTIVITIES
73. The company prepares and registers data processing activity records. Data processing activity records are prepared in the Company for internal administration, direct marketing purposes and video surveillance. Data processing activity records can be prepared in the Company for other purposes as well. The records of data processing activities maintained contain the following information:
73.1. data processing purposes;
73.2. general information about the Company;
73.3. Contact details of the company representative;
73.4. the nature of processing activities related to the purpose of personal data processing;
73.5. categories of data subjects and processed personal data;
73.6. categories of data recipients to whom personal data has been or will be disclosed;
73.7. terms of erasure of personal data;
73.8. general description of technical and organizational security measures;
73.9. rights applicable to data subjects.
74. Records of personal data processing activities must be managed in writing, including in electronic form.
75. The company, upon receiving a request from the State Data Protection Inspectorate, must provide relevant data processing activity records.
76. The company has a set form for processing activity records.
XVI. FINAL PROVISIONS
77. All employees of the Company who process personal data and data processors are obliged to comply with these Rules, the basic personal data processing, confidentiality and security requirements established in the Regulation.
78. Employees handling personal data are familiarized with the Rules by signing.
79. Failure to comply with these Rules by employees who manage or have access to personal data managed by the Company is considered a violation of employment duties.
80. Employees processing personal data who have violated the requirements of the Regulation, ADTAĮ and other legal acts of the Republic of Lithuania regulating the processing and protection of personal data shall be held accountable in accordance with the law.