Privacy policy

APPROVED 2024 of Viktorija Zaidelė , the
executor of the activity . March 01 Order no. V-01
 

PERSONAL DATA PROTECTION POLICY

CHAPTER I
GENERAL PROVISIONS

1. This procedure regulates the processing, use and storage of personal data, determines the rights of data subjects, risk factors for personal data protection violations, personal data protection implementation measures and other issues related to personal data processing.
2. By applying organizational and technical measures, the operator ensures adequate security of personal data, including protection against unauthorized or illegal data processing and against accidental loss, destruction, or damage.
3. Concepts used in the procedure:

3.1. The subject of personal data is the customer - a natural person or a person related to the customer (customer's representative, spouse, partner, etc.).

3.2. The controller of personal data is Viktorija Zaidelė performing individual activities according to the certificate, Certificate no. 1319028, activity registered at Kaunas district, Paparčių km., Šaltalankių st. 15, 54319 (hereinafter - operator). Contact phone no. +37066404370

3.3. Personal data - information related to a natural person - data subject including, but not limited to, such data as: personal code, name, surname, telephone number, e-mail address, vehicle registration number, one or more physical, physiological, psychological, economic characteristics characteristic of a person , signs of a cultural or social nature.

3.4. Processing of Personal Data is any action or sequence of Personal Data performed by automated or non-automated means, including its collection, recording, accumulation, storage, destruction, classification, transfer, change (filling or correction), granting of access, submission of requests, transmission , publication, use, search.

3.5. Consent is a freely expressed action of the Data Subject, by which he agrees to the processing of personal data.

3.6. Registration or order form is a document, including an electronic one, that confirms the agreement concluded between the operator and the subject of personal domains.

CHAPTER II
PURPOSES, BASIS AND SCOPE OF PROCESSING PERSONAL DATA

4. The basis for the processing of personal data in the activity may be the execution of the contract concluded with the data subject, the consent of the data subject to processing his personal data, as well as the execution of the applicable obligations established by law.
5. Personal data is processed in accordance with the requirements of the Law on Legal Protection of Personal Data.
6. From 2018 May 25 Personal data is processed in accordance with the directly applicable Law of 2016. April 27 Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons in the processing of personal data and on the free movement of such data (hereinafter - the Regulation).
7. The data subject's data is processed for the following purposes (including, but not limited to, cases where a separate consent of the data subject is obtained for data processing):
7.1. to provide services and perform other activities as provided for in the legal acts applicable to individual activities according to the certificate;
7.2. to inform the client about his service contracts and fulfillment of obligations concluded with the operator;
7.3. to inform the data subject about new operational services and news;
7.4. to ensure the safety of the operator's and clients' property, when performing video surveillance;
8. to evaluate the conclusion and execution of the operator's contracts and the quality of the services provided, to ask for opinions on the services provided, service and their quality, and to conduct market research;
9. for other legal purposes as specified in the legal acts of the Republic of Lithuania.

CHAPTER III
RIGHTS OF THE DATA SUBJECT

10. The rights guaranteed to the data subject in connection with the processing of his personal data include the right to:
10.1. request correction of the Data Subject's data if they are incorrect, incomplete or inaccurate;
10.2. do not consent to the processing of the Data Subject's data, if the basis for processing the Data Subject's data is legitimate interests;
10.3. to receive information about whether the operator processes Data Subjects' data and, if so, to get acquainted with them;
10.4. to receive the Personal data provided by the Data Subject, which are processed on the basis of his consent or contract performance, in writing or in a commonly used electronic form and, at the request of the Data Subject, transfer such data to another service provider (data portability);
10.5. withdraw your consent to process the Data Subject's data;
10.6. The company revises, corrects and updates personal data at the initiative of the person whose data is being processed. The company's employees can correct the data subject's data in the event that the data provided by the data subject itself contains grammatical errors.
10.7. The Data Controller has the right to reasonedly refuse to allow the Data Subject to exercise his rights or to charge a reasonable fee in accordance with Article 12 of the General Data Protection Regulation. on the 5th for the intended circumstances.
10.8. Submit a complaint about the Data Controller's actions (inaction) to the State Data Protection Inspectorate (website address www.ada.lt) within 3 months from the date of receiving the response from the Data Controller or within 3 months when the deadline for the Data Controller's response to the data subject's request expires (i.e. after 30 calendar days from the date of the Data Subject's request). The Data Subject can submit a complaint/request to the operator by e-mail. by mail
10.9.D the data subject has the right to disagree that:
10.9.1. his personal data would be processed, and undertakes to submit his legally based objection to the Company in writing or in a way that allows the identification of the data subject, if he decides that the Company is processing the data subject's data illegally;
10.9.2. his personal data would be processed for direct marketing purposes, and has the right not to state the reasons for such objection.

CHAPTER IV
SECURITY OF PERSONAL DATA

11. The organizational and technical data security measures implemented by the Data Controller ensure a level of security that corresponds to the nature of the Data managed by the Data Controller and the risks posed by their processing.
12. The operator carries out technical and software protection (administration of information systems and databases, maintenance of workplaces, protection of operating systems, user access monitoring (monitoring), protection against computer viruses, etc.).
13. The operator applies administrative security measures (safe handling of documents and computer data and their archives, staff training during employment and exit/dismissal, etc.).
14. The Data Controller undertakes not to disclose the Data Subject's personal data to third parties, with the exception of the Data Controller's employees or if this is necessary according to the mandatory provisions of legal acts, or the written consent of the Data Subject has been obtained.
15. Employees of the data controller must observe the principle of confidentiality and keep secret any information related to personal data that they have become familiar with in the course of their duties, unless such information is public in accordance with the provisions of applicable laws or other legal acts.
16. Personal data on laptops, if they are not used in the internal data transmission network of the Data Controller, are protected by appropriate measures that correspond to the risks posed by Data Processing.
17. Employees are granted access to personal data only to the extent necessary for the proper performance of duties and the implementation of work functions.
18. Employees who automatically process personal data or from whose computers it is possible to access areas of the local network where personal data are stored must use passwords. Passwords must be changed periodically (at least every 3 (three) months), as well as when certain circumstances arise (for example, when an employee changes, when there is a threat of hacking, when there is a suspicion that the password has become known to third parties, etc.). An employee working on a particular computer can only know his password.
19. The employee loses the right to process personal data when the employee's employment or similar contract with the Company ends, or when the head of the Company cancels the appointment of the employee to process personal data.
20. Personal data contained in external media and e-mail must be properly protected and immediately transferred to databases after their use.
21. The assessment of the risk posed by personal data is carried out by determining the probabilities and risks of threats, taking into account the integrity, availability and confidentiality of the data according to each purpose of personal data processing.
22. Employees who have noticed violations of personal data security, signs of a criminal act, non-functioning personal data security measures must immediately inform the head of the Company.
23. After assessing the risk factors of a Data Protection violation, the degree of impact of the violation, damage and consequences, in accordance with the relevant internal procedures, the Data Controller makes decisions on the measures necessary to eliminate the Data Protection violation and its consequences and inform the necessary entities.
24. Personal data must be stored no longer than the purposes of data processing require, as well as in accordance with the accounting rules for individual activities, the General Index of Document Storage Terms and other legal acts regulating the chosen field of activity.

CHAPTER V
FINAL PROVISIONS

25. Data subjects can familiarize themselves with this personal data protection policy at www.graziaiatrodai.lt and Facebook business account
26. The policy will be reviewed once per calendar year at the initiative of the Data Controller and/or when legal acts regulating personal data processing change.
27. Relations arising on the basis of this policy shall be governed by the law of the Republic of Lithuania.
28. All disagreements arising from the implementation of this policy shall be resolved by negotiation. In case of failure to reach an agreement, disputes are resolved in accordance with the procedure established by the legal acts of the Republic of Lithuania.
29. This policy comes into force in 2020. May 25 You can get in touch with this policy and/or general issues related to data protection by contacting the following contacts:
E-mail by mail: info@graziaiatrodai.lt
Tel. No. +37066404370