Rules on the processing and use of personal data

1. BASIC CONCEPTS

Data controller means the natural or legal person, public authority, agency or other body who, alone or jointly with others, determines the purposes and means of the processing.
Data Processor refers to the natural person Erik Drozd IV: 880443 who processes personal data on behalf of the Data Controller.
Data Means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, personal identification number, location data and an online identifier, or by reference to one or more factors specific to the natural person’s physical, physiological, genetic, mental, economic, cultural or social identity.
Processing means any operation or sequence of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, sorting, organisation, storage, adaptation or alteration, retrieval, access, use, disclosure by transmission, dissemination or otherwise making available, alignment with or combination with other data, restriction, erasure or destruction.
Automatic means any action wholly or partly carried out by automatic means.
Data subject means the natural person whose Data is processed.
Third party means a natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor, or persons authorised by the controller or processor to process personal data.
Technical and organisational measures means measures designed to protect the Data against accidental or unlawful destruction, alteration, disclosure or any other unlawful processing. These measures must ensure a level of security appropriate to the nature of the Data to be protected and the risks associated with their processing.
“Consent” means any freely given, specific and unambiguous indication of the data subject’s wishes, given freely and by means of a statement or an unambiguous action, by which he or she consents to the processing of personal data concerning him or her
1.1. in the Rules:
(a) words used in the plural form shall have the same meaning as those words used in the singular form, and vice versa;
(b) the use of a particular gender (masculine or feminine) in the text shall be interpreted as the use of either of these genders;
(c) the word “includes” or “including” means “includes without limitation” or “including but not limited to”, as appropriate;
(d) references to clauses, annexes and other provisions are to clauses, annexes and provisions of these Rules.

2. GENERAL PROVISIONS

2.1 These Rules govern the processing of personal data by the Processor on behalf of the Data Controller.
2.2 The purpose of the Rules on Processing of Personal Data in the Company is to regulate the processing of personal data in the Company, in accordance with the European Union General Data Protection Regulation 2016/679, the Law on Legal Protection of Personal Data of the Republic of Lithuania, and to ensure the compliance with and implementation of other relevant legal acts.
2.3 The nature, subject matter and purpose of the processing of personal data – carried out by the Data Processor on behalf of the Data Controller -, as well as the information relating to the type of personal data processed and the categories of data subjects, are set out in Annex 1 to these Rules.

3. VALIDITY OF THE RULES

3.1 Compliance with these Rules is binding on the Processor and the Data Controller in accordance with the General Data Protection Regulation.
3.2 These Rules shall remain in force for as long as the Data Processor processes personal data on behalf of the Data Controller. 3.3 At the request of the Data Controller, the Data Processor must cease its processing activities and – if so requested by the Data Controller, and unless otherwise provided for by the applicable data protection legislation – must erase or return all personal data to the Data Controller, together with the erasure of all copies of such data held.

4. OBLIGATIONS OF THE PROCESSOR

4.1 The Data Processor has implemented appropriate technical and organisational measures to ensure that the processing of personal data carried out by it in accordance with the provisions of these Terms and Conditions complies with the requirements of the applicable data protection legislation, in particular with the requirements of the General Data Protection Regulation, and to guarantee the protection of the rights of the data subject.
4.2 The Processor undertakes to process personal data only in accordance with written instructions given by the Data Controller, except where otherwise provided by applicable law. In this case, the Data Processor must, to the extent permitted by law, inform the Data Controller of such legal requirement before processing personal data. If the Processor does not have instructions on how to process personal data in a particular situation, or if any instruction violates applicable data protection law, the Processor must inform the Controller without delay.
4.3 The Processor shall, taking into account the nature of the processing and to the extent possible, use appropriate technical and organisational means to assist the Data Controller in fulfilling the Data Controller’s obligation to respond to requests to exercise the rights of the Data Subject. In accordance with these Rules, the Data Subject’s rights include the rights to request information and, at the Data Subject’s request, to rectify, erase or suspend the processing of personal data.
4.4 The Data Processor shall, taking into account the nature of the processing and the information available to it, assist the Data Controller in complying with its specific obligations under applicable data protection legislation. The specific obligations include the security of the processing (Article 32 of the GDPR), the notification of a personal data breach (Articles 33 to 34 of the GDPR), and the data protection impact assessment and prior consultation (Article 33 of the GDPR).
Articles 35-36 of the GDPR).
4.5 The Processor undertakes to provide the Controller with all information and assistance to demonstrate compliance with the obligations undertaken under these Terms and Conditions.

5. SUB-PROCESSORS

5.1 The Data Controller confirms that the Data Processor may also use other companies listed in the Annex to the Terms and Conditions as auxiliary processors. The Processor shall inform the Data Controller of any planned changes to the use or replacement of sub-processors and the Data Controller shall have the right to object to such changes.
5.2 The Processor shall ensure and, at the request of the Controller, document that the ancillary processors are bound by written contracts under which – in addition to the obligations set out in these Rules – they are required to comply with the relevant processing obligations. The Processor shall be fully responsible to the Data Controller for the obligations fulfilled by the sub-processors.
5.3 The Data Controller may request that the Data Processor inspect the sub-processor or provide confirmation that such inspection has been carried out.

6. TRANSFER OF DATA TO THIRD COUNTRIES

6.1 The obligation to process personal data in accordance with the Terms and Conditions may only be performed in a Member State of the European Union (EU) or a Member State of the European Economic Area (EEA). Any transfer of personal data to a country that is not an EU or EEA Member State may only take place with the prior written consent of the Data Controller and only if the specific conditions set out in the applicable data protection legislation, Chapter V of the General Data Protection Regulation, are met.
6.2 The Data Controller may withdraw its consent to the transfer of data to third parties at any time in accordance with clause 6.1 of these Rules. In this case, the Data Processor must immediately cease the transfer of the data and, at the request of the Data Controller, provide written confirmation of such termination.

7. INFORMATION SECURITY AND CONFIDENTIALITY

7.1 The Data Processor shall ensure adequate protection of personal data in accordance with these Terms and Conditions with a view to protecting personal data against destruction, alteration, unauthorised dissemination or access. Personal data shall also be protected against any other form of unlawful processing.
7.2 The Processor shall draw up and keep up-to-date a description of its technical, organisational and physical measures in order to comply with the requirements of applicable data protection legislation.
7.3 The collection and processing of personal data shall comply with the principles of expediency and proportionality and shall not require the Data Subject to provide data that are not necessary.
7.4 Only data that is necessary for the provision of quality services, including advice on the Company’s products and services, shall be collected.
7.5 The Data Subject’s personal data may only be accessed by the Company’s employees with the relevant expertise and/or third parties engaged by the Company to provide the service, and only where necessary to provide the service.
7.6 Without the prior written consent of the Data Controller, the Data Processor undertakes not to disclose or otherwise make available to any Third Party, other than ancillary processors engaged pursuant to these Terms and Conditions, any personal data processed pursuant to these Terms and Conditions.
7.7 The Processor shall ensure that all persons involved in the processing of personal data are bound by confidentiality obligations or are subject to an appropriate statutory obligation of confidentiality.

8. LIABILITY

8.1 The Data Subject shall provide the Company with complete and correct Personal Data of the Data Subject and shall inform the Company of any relevant changes to the Personal Data of the Data Subject. The Company shall not be liable for any damage caused to the Data Subject and/or third parties as a result of the Data Subject’s provision of incorrect and/or incomplete personal data or failure to inform the Data Subject of any changes thereto in a proper and timely manner.
8.2 The Company shall not be liable for communication failures that prevent users of the Company’s website and other persons from accessing the website or using the services.
8.3 The Company cannot guarantee that the functioning of the Company’s website will be uninterrupted or error-free, or that the Company’s website will be completely free from viruses or other harmful components. The Data Subject is informed that any material that the Data Subject reads, downloads or otherwise obtains through the use of the Company’s website is at the sole discretion and risk of the Data Subject, and the Data Subject shall be solely liable for any damage caused to the Data Subject and the Data Subject’s computer system.
8.4 If the Data Subject is a registered user of the Company’s website (where the Company provides such an option), the Data Subject assumes all risk and liability for the actions of third parties on the Company’s website made using the Data Subject’s login details and undertakes to fulfil all obligations arising from the use of the Data Subject’s login details.

9. AMENDMENT OF THE RULES

9.1 The Company shall have the right to amend the Rules in whole or in part by notice on the Website.
9.2 Amendments or changes to the Rules shall come into force from the date of their publication, i.e. the date they are posted on the website.
9.3 If the Data Subject does not agree with the new version of the Rules, the Data Subject shall have the right to refuse to use the services provided by the Company and the Online Shop.
9.4 If the Data Subject continues to use the services provided by the Company’s website after the addition or modification of the Terms, the Data Subject shall be deemed to have accepted the new version of the Terms.

10. DURATION OF STORAGE OF DATA SUBJECTS’ PERSONAL DATA

Unless otherwise specified in this Data Protection Policy or in the laws or regulations of the Republic of Lithuania, we will retain:
– Personal Data with the expressed consent of the Data Subject for marketing, statistical, and analytical purposes – 3 years.
– All other personal data received, for the periods provided for in-laws and sub-legislative acts.

11. FINAL PROVISIONS

11.1 By visiting the Company’s website and providing information about themselves to the Company’s partners and/or employees, the Data Subject shall be deemed to have read and agreed to the provisions of these Terms and Conditions.
11.2 The law of the Republic of Lithuania shall apply to these Terms and Conditions and to the relations arising on the basis of these Terms and Conditions.
11.3 All disagreements arising out of the performance of these Terms shall be settled by negotiation. In the event of failure to reach an agreement, disputes shall be settled in accordance with the procedure established by the legislation of the Republic of Lithuania.