Director of UAB IT MEDIA
2018 April 26 by order No.01
RULES FOR THE PROCESSING OF PERSONAL DATA
I. KEY DEFINITIONS
II. GENERAL PROVISIONS
11. The Rules of Personal Data Processing (hereinafter - the Rules) regulate the principles of collection, processing and storage of personal data of potential, existing and former customers and partners, candidates for employees of the Company, and employees (hereinafter - Data Subjects). They establish the purposes and means of personal data processing, and determine who can access personal data, for what purposes, and the measures to ensure the protection of such data.
III. PRINCIPLES FOR THE PROTECTION OF PERSONAL DATA
12. The Company follows the following basic principles of personal data processing:
12.1. Personal data is collected for defined and lawful purposes and is not subsequently processed for purposes incompatible with those established prior to the collection of Personal Data;
12.2. Personal data is processed accurately, fairly and lawfully;
12.3. Personal data are accurate and, if necessary for the processing of personal data, are constantly updated, and inaccurate or incomplete data are corrected, supplemented, destroyed or their processing is suspended;
12.4. Personal data are identical, relevant and only of the extent necessary for their collection and further processing;
12.5. The personal data of the data subject are stored for the time set by the Company, but not longer than the terms established in the legal acts of the Republic of Lithuania, and upon the expiry of the term of personal data storage, they are destroyed;
12.6. The personal data information of the data subject is considered confidential and may be disclosed to third parties only in accordance with the procedure provided for in these Rules and legal acts of the Republic of Lithuania.
IV. PERSONAL DATA OF CANDIDATES AND EMPLOYEES, PURPOSES OF THEIR PROCESSING AND LEGAL BASIS
13. Personal data of candidates for employees (name, surname, data related to this person's qualification, professional abilities and subject characteristics, workplace and other data) are processed for the purposes of employee selection. Candidates' personal data may be collected from an identity document, a description provided and / or a completed questionnaire, and / or obtained from the candidate in another way.
14. Personal data of employees (names, surnames, personal codes, addresses, date of birth, accounts of the financial institution to which the salary is transferred, social security number, personal data related to the person's qualifications, professional abilities and subject characteristics, former or other workplaces, information on marital status, personal telephone numbers, e-mail addresses, information relating to the employee's state of health which directly affects the employee's job functions and ability to perform them with the employee's consent, such as family members' names, dates of birth, interests and other data) are processed for the purposes and in accordance with the procedure specified in legal acts and these Rules.
15. Personal data of employees shall be processed for the following purposes:
15.1. For hiring employees, concluding employment contracts, executing them, accounting;
15.2. For the proper performance of the employer's duties established by legal acts;
15.3. To maintain proper communication with employees outside working hours;
To ensure suitable working conditions;
16. Personal data of employees, a copy of the employment contract and / or data on the employee's work in the Company may be transferred to state institutions, establishments, organizations, courts and other third parties when required to do so by legal acts, or to such persons and third parties with the employee's consent.
V. PERSONAL DATA OF CLIENTS AND PARTNERS, PURPOSES OF THEIR PROCESSING AND LEGAL BASIS
17. Personal data is processed in the Company when the Client or Partner has given consent, and / or when the processing is necessary to fulfill the Agreement to which the Client or Partner is a party or to take action at the Client's or Partner's request before concluding the agreement, and / or when the Company is subject to a legal obligation.
18. The purpose of the processing of personal data is the conclusion and performance of contracts.
19. The Company processes the following personal data of the Data Subjects for the purpose specified in Clause 18 of the Rules:
19. Data of customers (natural persons) - name, surname, address, mobile phone number, e-mail address, signature, financial institution account number, debit / credit card number, customer IP addresses, date of payments made by customers, amount of payments;
19. Data of clients' (legal entities) representatives - name, surname, position, basis of representation, signature, mobile phone number, e-mail address.
20. The personal data specified in Clause 19 of these Rules are obtained directly from the Data Subject and / or the legal entity represented by him.
21. Personal data specified in Paragraph 20 of these Rules may be transferred:
21. to third parties, with the consent of the Data Subject in each specific case of such provision of data;
21. for the purposes of performing the contract;
21. in other cases where this is necessary for the proper enforcement of the legislation in force.
VI. RIGHTS OF THE PERSONAL DATA SUBJECT
22. The Company undertakes to ensure the rights of the Data Subjects, guarantees that they will be properly implemented, and that all information will be provided in a proper and timely manner.
23. Data Subjects have the following rights:
23.1. The right to know what personal data are being processed, for what purpose the relevant data are being collected, and to whom and for what purpose they may be provided;
23.2. The right to demand the rectification or destruction of their personal data, or the suspension of the processing of their personal data, when the data are processed in violation of the provisions of applicable and valid legal acts;
23.3. Other rights provided by legal acts.
24. The Data Subject, considering that the Company has violated the rights of the Data Subject by processing the personal data of the Data Subject, may submit a request to correct such violation. Upon receipt of such a request by the Data Subject, the Company shall acknowledge receipt of the request and indicate the deadline within which a response to the received request will be provided. Such requests are processed by an authorized employee of the Company. After examining the received request, the Company informs the Data Subject about the results and actions to be taken. In this case, if the Data Subject does not agree with the submitted response to the request, he / she has the right to apply to the Inspectorate or a competent Lithuanian court.
VII. PERSONAL DATA SECURITY MEASURES
25. The right to access the personal data of the Data Subjects is held only by employees of the Company or authorized / used persons who have been authorized to access such data and for whom the data are necessary for the performance of their assigned functions, and only when access is necessary to achieve the above objectives.
26. The Company shall take appropriate technical and organizational measures to ensure the security of the processing of personal data in order to protect personal data from accidental or unlawful destruction, alteration, disclosure, as well as from any other unlawful processing, including but not limited to:
26.1. To acquaint employees who process personal data with the personal data protection rules established in the Company and with the internal legal acts intended to regulate appropriate personal data protection;
26.2. To provide access to the Personal Data managed by the Company only to the person for whom such personal data is necessary for the performance of his or her functions, and to ensure that access is protected by passwords assigned personally to a specific person only;
26.3. To ensure the protection of the premises where Personal Data is stored so that unauthorized persons cannot enter them;
26.4. To ensure the protection of computer equipment from malicious software (installation, updating of antivirus programs, etc.);
26.5. Sample and other technical and software measures for personal data protection.
27. All employees who have the right to process personal data or to organize and implement their protection must:
27.1. To strictly comply with the requirements of personal data protection measures and relevant rules, instructions or procedures established in the Company;
27.2. To keep confidential any information related to personal data which they have become acquainted with in the performance of their duties, unless such information would be public in accordance with the provisions of applicable laws or other legal acts. The obligation to maintain the confidentiality of personal data shall apply in the event of a change of duties and the termination of an employment or contractual relationship;
27.3. To prevent the accidental or unlawful destruction, alteration or disclosure of personal data, as well as any other unlawful processing, to store documents and data files properly and securely, and to avoid making unnecessary copies;
27.4. Immediately notify the Company's manager or his / her authorized person about any suspicious situation that may endanger the security of personal data, and take measures to avoid such a situation, including loss of passwords or login names to the Company's internal electronic information system or suspected corrupted access data or passwords.
28. Personal data protection technical and software measures must be selected in such a way as to comply with the principles of personal data protection and personal data protection requirements provided by legal acts.
VIII. IDENTIFICATION OF PERSONAL DATA BREACHES AND SUBMISSION OF PERSONAL DATA BREACHES
The Employee (s) of the Company who has the right of access to personal data, after noticing personal data security violations (actions or omissions that may cause or pose a threat to the security of personal data), must immediately inform the Company's manager or the designated responsible person.
If a personal data protection violation occurs and this violation may pose a significant threat to the rights and freedoms of the Data Subjects, the Company shall notify the Inspectorate without undue delay, and no later than within 72 hours from learning of this fact.
In the event of a personal data breach, the Company must assess the reasons for the personal data breach, the effectiveness of the existing technical and organizational measures to ensure personal data security, and the current and potential consequences of the breach.
32. The Company undertakes to report the personal data security breach to the Data Subject (s), in the event that this breach may seriously jeopardize the Data Subject's rights and freedoms as specified in Clause 33 of these Rules.
IX. TRANSFER OF PERSONAL DATA TO DATA PROCESSORS
Personal data may be transferred to the Data Processor only on the basis of an agreement (including electronic agreements) between the Company and the Data Processor. This agreement must set out the minimum requirements, including, but not limited to, the subject matter and duration of the processing of Personal Data, the nature and purpose of the processing of Personal Data, the type of Personal Data and the categories of Data Subjects, the Company and the Data Processor.
The Company maintains a list of data processing activities, which, in addition to mandatory information, indicates the Personal Data Processors managed by the Company, their contact details and general information on agreements concluded with the Data Processors, based on which information can be found handles.