Personal data shall be processed in accordance with the European General Data Protection Regulation (EU) 2016/67 (hereinafter – Regulation), the Law on Legal Protection of Personal Data of the Republic of Lithuania and other legislation regulating personal data protection.
UAB Baltic Modules shall adhere to the following key principles of data processing:
- Personal data shall be collected only for explicit and legitimate purposes;
- Personal data shall be processed only in a lawful and fair manner;
- Personal data shall be constantly updated;
- Personal data shall be stored securely and for no longer than required for the data processing purposes or by legislation;
- Personal data shall be processed only by Company’s employees having such right according to their job functions or by properly authorised data processors.
1.1. Data controller – UAB Baltic Modules (hereinafter – Company), legal entity number – 300567352, registered office address – Vaidaugų g. 1, Toleikiai, Klaipėda District.
1.2. Data subject – any natural person whose data is processed by the Company. Data controller shall collect only such data of the data subject which is necessary for carrying out Company’s activities and/or visiting, using, browsing Company’s websites, Facebook, etc. (hereinafter – Website). The Company shall ensure that collected and processed personal data is secure and used only for a specific purpose.
1.3. Personal data – any information directly or indirectly related to the data subject whose identity is known or who may be identified, directly or indirectly, using respective data. Processing of personal data – any operation performed on personal data (including collection, recording, storage, editing, alteration, granting access, submission of requests, transfer, archiving, etc.).
1.4. Consent – any freely and consciously given indication of the data subject’s wishes by which he/she signifies agreement to the processing of personal data for specific purpose.
- SOURCES OF PERSONAL DATA
2.1. Personal data is provided by the data subject. Data subject contacts the Company, registers for services, uses services provided by the Company, purchases goods and/or services, leaves comments, asks questions, addresses the Company requesting for some information, etc.
2.2. Personal data is obtained when data subject visits Company’s Website. Data subject fills in forms on the website or leaves his/her contact details for any reason, etc.
2.3. Personal data is obtained from other sources. Data is received from other institutions or companies, publicly available registers, etc.
- PROCESSING OF PERSONAL DATA
3.1. By providing personal data to the Company the data subject agrees that the Company uses the collected data for the performance of its obligations in respect of data subject, as well as for the provision of services that data subject expects.
3.2. The Company shall process personal data for the following purposes:
3.2.1. Ensuring business activities and their continuity. The following data shall be processed for this purpose:
a) The following personal data of suppliers (natural persons) may be processed for the purpose of conclusion and performance of agreements: name(s), surname(s), personal number or DOB, place of residence (address), telephone number, e-mail address, workplace, position, bank account and bank where such account is held, date, amount, currency of a monetary operation or transaction, and other data provided by the person himself/herself, obtained by the Company while carrying out business activities in accordance with legislation and/or data which the Company is obliged to process by laws and/or other legislation. For example, data provided in a business certificate (type of activity, group, code, title, periods during which the activity is carried out, date of issue, amount), number of self-employment certificate, data whether data subject is VAT payer and other data necessary for proper performance of the agreement and/or obligations established in legislation. When partner is a legal entity, the following data of its employees or representatives may be processed: name, surname, telephone number, e-mail address, company name, address, position, data provided in the power of attorneys (number, date, DOB of the attorney).
b) When administering inquiries, comments and complaints, the following personal data may be processed: name(s), surname(s), e-mail address, text of the inquiry, comment or complaint.
3.2.2. Direct marketing (newsletter subscription). The following data shall be processed for this purpose:
3.2.3. For the purpose of ensuring security of the property of Company employees and other data subjects (video surveillance). The following data shall be processed for this purpose:
a) Visual image. Video surveillance systems do not use technologies of facial recognition and/or analysis, visual data captured by them are not grouped or profiled according to concrete data subject (person). Data subject is informed about video surveillance by informational signs with camera symbol and company details which are given before entering the monitored territory and/or premise. The area covered by video surveillance systems shall not include the premises where the data subject expects absolute protection of personal data.
3.2.4. For other purposes for which the Company has the right to process the personal data of the data subject, when the data subject has given his consent, when the processing is necessary for the lawful interest of the Company or when the processing is required by the relevant legislation.
- PROVISION OF PERSONAL DATA
4.1. The Company shall undertake to comply with confidentiality obligation in respect of data subjects. Personal data may be disclosed to third parties only if this is necessary for the conclusion and performance of the agreement for the benefit of the data subject or for other legitimate reasons.
4.2. The Company may provide personal data to its data processors, which provide services to the Company and process personal data on behalf of the Company. Data processors have the right to process personal data only in accordance with Company’s instructions and only to the extent that is necessary for proper implementation of obligations outlined in the agreement. The Company shall engage only those data processors that sufficiently ensure that appropriate technical and organisational measures are implemented in such a way that the data processing would comply with the requirements of Regulation and the rights of the data subject would be ensured.
4.3. The Company may also provide personal data when responding to requests from court or public authorities, to the extent necessary for proper implementation of the applicable legislation and the instructions of the public authorities.
4.4. The Company guarantees that no personal data shall be sold or leased to any third parties.
- PROCESSING THE PERSONAL DATA OF MINORS
5.1. Persons under 14 years of age cannot provide any personal data through the website of the Company. If a person is under 14 years of age, in order to use the services of the Company, prior to providing personal information, it is mandatory to submit a written consent of one of the representatives (father, mother, guardian) to the processing of personal data.
- STORAGE PERIOD OF PERSONAL DATA
6.1. Personal data collected by the Company is stored in printed documents and/or in the Company’s information systems. Personal data shall be processed no longer than it is necessary to achieve the purpose of the data processing or no longer than required by the data subjects and/or provided by legislation.
6.2. Even though the data subject may terminate the agreement and refuse the services of the Company, the Company shall still be obliged to store data of the data subject for any claims or legal actions that may arise in the future, until expiry of the data storage period.
- RIGHTS OF THE DATA SUBJECT
7.1. The right to receive information about data processing.
7.2. The right to get acquainted with the processed data.
7.3. The right to rectification.
7.4. The right to erasure (“The right to be forgotten”). This right shall not apply if personal data requested to be erased is also processed on other legal grounds, such as processing necessary for performance of the agreement or fulfilment of an obligation under applicable legislation.
7.5. The right to restriction of processing.
7.6. The right to object to data processing.
7.7. The right to data portability. The right to data portability shall not have negative impact on rights and freedoms of others. The data subject shall not have the right to data portability with regard to personal data that is processed in files structured by non-automated means, such as paper files.
7.8. The right not to be subject to a decision based solely on automated processing, including profiling.
7.9. The right to make a complaint regarding the processing of personal data to State Data Protection Inspectorate.
- The Company must create conditions for the data subject to exercise the above-mentioned rights of the data subject, except in cases established by law, when it is necessary to ensure the security or defence of the state, public order, prevention, investigation, detection or prosecution of criminal activities, important economic or financial interests of the state, prevention, investigation and detection of violations of integrity or professional ethics, protection of the rights and freedoms of the data subject or other persons.
- EXERCISE OF THE RIGHTS OF THE DATA SUBJECT
9.1. The data subject may contact the Company regarding the exercise of his/her rights:
9.1.1. Submitting written request personally, by post, through a representative or by electronic means – e-mail email@example.com;
9.1.2. Orally – by phone 8 650 70474 (for calls from other networks and from abroad +370 650 70474);
9.1.3. In writing – at the following address: Vaidaugų g. 1, Toleikiai, Klaipėda District.
9.2. In order to protect data from unauthorized disclosure, the Company, upon receipt of data subject’s request to provide data or exercise other rights, shall be obliged to verify the identity of the data subject.
9.3. The Company shall be obliged to reply to data subject’s request no later than within one month from the date of receipt of data subject’s request, taking into consideration specific data processing circumstances. If necessary, this period may be extended for two more months taking into consideration the complexity and number of requests.
- LIABILITY OF THE DATA SUBJECT
10.1. The data subject must:
10.1.1. Inform the Company about any changes of the provided information and data. It is important for the Company to have correct and valid information of the data subject;
10.1.2. Provide necessary information so that, in case of data subject’s request, the Company could identify data subject and make sure it communicates or cooperates with particular data subject (to provide personal identity document or under procedure established by legislation or via electronic means of communication that would enable proper identification of the data subject). This is necessary for the protection of data relating to data subject and other persons, so that disclosed information about the data subject would be provided only to the data subject without violating the rights of other persons.
- FINAL PROVISIONS
11.2. In developing and improving the Company’s activities, the Company has the right