PERSONAL DATA PROTECTION POLICY
I. GENERAL INFORMATION
Version: V1
Version date: 31.08.2023
Date of policy approval: 31.08.2023
Date of adoption of the policy: 14.09.2023
II. OBJECTIVES, SCOPE, AND USERS
3.1 Pickvibe UAB (legal entity code 303144763, registered office address Lazdynų g. 21, Vilnius) (hereinafter referred to as the "Company") seeks to comply with all applicable laws and regulations relating to the protection of personal data in the country in which the Company operates. This Policy sets out the main purposes and principles for the Company's processing of personal data of natural persons, regulates the collection and use of personal data of such persons, the procedure for the exercise of the rights of such persons as data subjects in the Company, security measures, and the responsibilities for processing personal data.
3.2 This Policy shall apply in conjunction with any other policies, rules, procedures and/or guidelines adopted or implemented by the Company and international and/or national legislation.
3.3 The users of this Policy are all permanent or temporary employees of the Company and all persons acting on behalf of the Company who may have access to personal data processed by the Company. The Company shall be obliged to inform such persons of this Policy or any amendments thereto, together with a copy of it, in a signed statement, and such persons shall be obliged to comply with it.
3.4 In the event that any user of this Policy is unclear about or does not understand any of the provisions of this Policy, such person should seek to resolve the ambiguity and should immediately contact the Company's Chief Executive Officer and/or the person he/she has delegated for data protection matters, and/or the Company's designated Data Protection Officer, Mr. Evaldas Aleksaitis, [email protected].
III. RELEVANT DOCUMENTS
4.1 This Policy has been prepared in accordance with:
4.1.1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as Regulation (EU) 2016/679);
4.1.2. the Law on Legal Protection of Personal Data of the Republic of Lithuania (hereinafter referred to as "LPPD");
4.1.3. other legal acts regulating the secure processing of personal data and the lawfulness of their processing.
IV. DEFINITIONS
5.1 The following terms used in this Policy shall be understood as defined in Regulation (EU) 2016/679 and the LPPD:
5.1.1. personal data means any information relating to an identified or identifiable natural person (Data Subject); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a personal identification number, location data and an online identifier, or by reference to one or more factors specific to the natural person's physical, physiological, genetic, mental, economic, cultural or social identity.
5.1.2. "Personal data breach" means a breach of security which results in the unintentional or unauthorised destruction, loss, alteration, unauthorised disclosure, unauthorised access to, unauthorised transmission, unauthorised storage or other unauthorised processing of personal data.
5.1.3 "Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
5.1.4. "Data controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing. For the purposes of this Policy, the data controller is the Company.
5.1.5 Sensitive personal data means personal data which, by their nature, are particularly sensitive in relation to fundamental rights and freedoms, and which must be afforded special protection because, in the context in which they are processed, they are likely to result in a serious risk to fundamental rights and freedoms. Those personal data should include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data which can be used to identify a natural person individually, health data or data concerning sex life or sexual orientation.
5.1.6 "Supervisory Authority" means the supervisory authority of the Member State in which the Company has its head office. In the case of the Republic of Lithuania, such authority is the State Data Protection Inspectorate of the Republic of Lithuania, legal entity code 188607912, registered office address A. Juozapavičiaus g. 6, Vilnius, website www.ada.lt.
5.1.7 "Health data" means personal data relating to the physical or mental health of a natural person, including data relating to the provision of healthcare services, which reveals information about the health status of that natural person.
5.1.8 Third party - a natural or legal person, public authority, agency or other body other than the data subject, controller, processor, or persons who are authorised to process personal data under the direct authority of the controller or processor.
5.2 Other terms used in this Policy, other than those referred to in clause 5.1, shall have the meaning given to them in Regulation (EU) 2016/679 and the LPPD.
V. BASIC PRINCIPLES FOR PROCESSING PERSONAL DATA
6.1 When processing personal data of natural persons, the Company shall be guided by the following principles relating to the processing of personal data.
THE PRINCIPLE OF LAWFULNESS, FAIRNESS AND TRANSPARENCY
6.2 Personal data shall be processed in a lawful, fair and transparent manner in relation to the data subject, which means that the personal data is processed by the Company on a lawful basis, without violation of laws, regulations, other legally binding obligations or restrictions.
6.3 The Company shall only process personal data in relation to a data subject for the purposes that are lawful and specified in this Policy.
6.4 The Company shall only process sensitive personal data where such processing is compatible, lawful and required or permitted by applicable law, in which case the data may be processed in accordance with the provisions of applicable law.
6.5 The Company shall inform data subjects of the rules, safeguards and rights relating to the processing of personal data and how to exercise their rights in relation to such processing.
PURPOSE LIMITATIONS
6.6 The Company collects personal data for the specified, clearly defined and legitimate purposes defined in this Policy. Personal data shall not be further processed in a manner incompatible with those purposes.
6.7 In order to process personal data for a purpose other than those set out in this Policy, the Company will provide the data subject with information about the purpose and any additional information relating thereto.
PRINCIPLE OF DATA MINIMISATION
6.8 The personal data processed by the Company must be adequate, relevant and only necessary for the purposes for which they are processed. The Company shall limit its processing to those data which are necessary to achieve the purposes of the processing as set out in this Policy and shall not process personal data which are not necessary to achieve those purposes.
PRINCIPLE OF ACCURACY
6.9 The Company shall process personal data in such a way as to ensure that the personal data is accurate and kept up-to-date in the event of any changes to it. The Company shall take all reasonable steps to ensure that personal data which are not accurate in relation to the purposes of their processing as set out in this Policy are erased or rectified without delay.
PRINCIPLE OF LIMITATION OF STORAGE PERIOD
6.10 The Company shall keep personal data in a form which permits identification of the person for no longer than is necessary for the purposes for which the personal data were collected and processed. If the retention period is not prescribed by law, personal data shall be retained for a reasonable period of time or for a period of periodic review.
PRINCIPLE OF INTEGRITY AND CONFIDENTIALITY
6.11 The Company shall process personal data in such a way as to ensure, by appropriate technical or organisational measures, adequate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
PRINCIPLE OF ACCOUNTABILITY
6.12 The Company is responsible for ensuring compliance with the principles relating to the processing of personal data as required by this Policy and applicable law, and for being able to demonstrate this if required to do so under applicable law to competent authorities and/or data subjects.
VI. IMPLEMENTING THE PROTECTION OF PERSONAL DATA WITHIN THE COMPANY
7.1 In order to comply with the principles relating to the processing of personal data as required by this Policy and applicable law, the protection of personal data in the Company shall be implemented in this section by the following measures.
7.2 The purposes of the processing of personal data within the Company shall be determined by the Head of the Company.
7.3 Personal data of natural persons in the Company shall be processed by the Head of the Company and/or persons authorised by him. The personal data of natural persons processed by the Company shall be accessible to those persons for whom it is necessary for the performance of their duties/functions and only when it is necessary for the achievement of the relevant purposes.
VII.1. PROCESSING OF INDIVIDUAL CATEGORIES OF PERSONAL DATA BY THE COMPANY
PROCESSING OF PERSONAL DATA OF EMPLOYEES AND APPLICANTS FOR EMPLOYMENT
7.4 The processing of personal data of the Company's employees (permanent and temporary, employed on a contractual basis by the Company, including former employees; hereinafter referred to as the "Employee") and of persons seeking employment with the Company (hereinafter referred to as the "Job Applicant") is set out in the Employees' and Job Applicants' Personal Data Protection Policy, which is attached hereto as Annex No. 1 and which regulates the processing of personal data of such persons, the procedure for exercising the rights of such persons as data subjects in the Company, security measures and other issues related to the processing of personal data and the lawfulness of the processing. The provisions of this Policy shall apply to Employees and Job Applicants of the Company to the extent that such matters are not governed by the Personal Data Protection Policy for Employees and Job Applicants.
PROCESSING OF PERSONAL DATA OF EMPLOYEES OR REPRESENTATIVES OF BUSINESS PARTNERS OR POTENTIAL BUSINESS PARTNERS
7.5 The Company processes personal data of employees or representatives of business partners or potential business partners for the following purposes:
7.5.1. for the purpose of concluding and properly performing contracts;
7.5.2. for the purpose of settlement and other payment processing and compliance with accounting rules;
7.5.3. for the purpose of protecting the Company's legitimate interests.
7.6 Depending on the purposes of processing personal data, the Company processes the following personal data of employees or representatives of business partners or potential business partners: name, surname, personal identification number, date of birth, nationality, place of residence (address), contact telephone number, e-mail address, identity document data, signature, and other personal data, provided that the Company is obliged by legal acts to process such data, and only to the extent required by those legal acts.
7.7 Legal basis for processing personal data of employees or representatives of the Company's business partners or potential business partners:
7.7.1. the performance of a contract to which the data subject is a party or to take action at the request of the data subject prior to the conclusion of a contract (pre-contractual relationship);
7.7.2. the consent of the data subject or the processing of personal data which the data subject has made public;
7.7.3. seeking to assert, enforce or defend legal claims;
7.7.4. the legitimate interests of the Company or a third party.
PROCESSING OF PERSONAL DATA OF PARTICIPANTS AND MEMBERS OF THE MANAGEMENT BODIES OF THE COMPANY
7.8 The Company shall process the personal data of its participants and members of the governing bodies for the following purposes:
7.8.1. for the purpose of the proper performance (implementation) of the obligations of the Company's participants and/or governing bodies as set out in the legislation;
7.8.2. for the purpose of the Company's activities;
7.8.3. for the purpose of settlement and other payment processing and compliance with accounting rules;
7.8.4. for the purpose of proper performance of contracts and/or other documents adopted by the participants and/or governing bodies of the Company;
7.8.5. for the purpose of protecting the legitimate interests of the Company.
7.9 Depending on the purposes of processing of personal data, the Company shall process the following personal data of its participants and members of its governing bodies: name, surname, personal identification number, date of birth, nationality, place of residence (address), contact telephone number, e-mail address, identity document data, signature, other personal data, provided that the processing of such data is obligatory for the Company by legal acts and only to such extent as required by the legal acts.
7.10. Legal basis for the processing of personal data of the Company's participants and members of management bodies:
7.10.1;
7.10.2. performance of a contract to which the data subject is a party;
7.10.3. the legitimate interests of the Company or a third party.
PROCESSING OF PERSONAL DATA OF THE COMPANY'S CUSTOMERS (USERS OF THE PRODUCTS UNDER DEVELOPMENT)
7.11. The personal data of the Company's customers who use the services provided by the Company, namely the Company's MobyTime and pickVibe products under development (integrated into a single solution on the Pickvibe platform, whose website is www.pickvibe), are processed as separately detailed in the personal data protection policy of that website, which contains all relevant information relating to the processing and protection of the Company's customers' personal data, which the Company processes to support the products and functionalities provided on the Pickvibe platform, as well as information on how customers, as data subjects, can exercise their rights in relation to the personal data processed. The provisions of this Policy shall apply to the Company's customers (users of the products under development) to the extent that such matters are not governed by the website's personal data protection policy.
VII. 2. DATA SUBJECTS' RIGHTS AND THE PROCEDURES FOR EXERCISING THEM WITHIN THE COMPANY
7.12. Individuals whose personal data is processed by the Company have, in accordance with Regulation (EU) 2016/679 (Articles 12-18, 20-22), the following rights:
7.12.1. to know (be informed) about the processing of their personal data by the Company;
7.12.2. to have access to his/her personal data processed by the Company and to know how it is processed;
7.12.3. to request that incomplete personal data relating to the individual be rectified or, taking into account the purposes of the processing of personal data by the Company, supplemented;
7.12.4. to request the erasure of personal data relating to the individual;
7.12.5. to require the Company to restrict the processing of personal data;
7.12.6. to obtain personal data relating to the individual which he/she has provided to the Company in a structured, commonly used and computer-readable format and/or to transmit it to another data controller;
7.12.7. to object to the processing of personal data relating to the individual where such processing is carried out in the public interest or where the processing is necessary for the legitimate interests of the Company or of a third party, where the interests of the individual are not overriding;
7.12.8. where applicable, to request that a decision based solely on automated processing of personal data, including profiling, not be applied to the individual and that such decision be reviewed;
7.12.9. to lodge a complaint with the Supervisory Authority.
7.13. The process and procedure for exercising the rights of persons as data subjects in the Company is separately detailed and contained in the Rules for the Exercise of the Rights of Data Subjects, which are attached to this Policy as Annex 2.
VII.3. MEASURES TO ENSURE THE SECURITY OF PERSONAL DATA WITHIN THE COMPANY
7.14. When processing personal data, the Company shall implement and ensure appropriate organisational and technical measures to protect the personal data of natural persons whose personal data are processed by the Company from accidental or unlawful destruction, alteration or disclosure, as well as from any other unlawful processing.
7.15. One such measure is the establishment of confidentiality levels for information containing personal data within the Company by means of a separate document, the Information Classification Rules, which are attached to this Policy as Annex 3, in order to maintain the integrity, availability, confidentiality and appropriate use of the personal data processed by the Company.
7.16. The Company shall grant access to the personal data of data subjects only to those persons who have been authorised by the Company to have access to such data, and only when it is necessary to achieve the purposes set out in this Policy. Access to personal data processed by automated means shall be limited to the Company's employees or other responsible persons authorised to process personal data.
7.17. Employees or other persons responsible for processing the personal data of data subjects shall respect the principle of confidentiality and shall keep secret any information relating to personal data of which they have knowledge in the course of their duties, unless such information is public information in accordance with the provisions of applicable laws or regulations. The obligation of confidentiality of personal data shall also apply to transfers of duties, employment or contractual relationships.
7.18. Employees of the Company or other responsible persons authorised to process personal data of data subjects shall prevent accidental or unlawful destruction, alteration, disclosure, as well as any other unlawful processing of personal data, by storing the documents in a proper and secure manner and avoiding unnecessary making of copies. Copies of documents containing personal data shall be destroyed in such a way that they cannot be reproduced and their contents identified.
7.19. If an employee of the Company or any other responsible person who processes personal data by automated means doubts the reliability of the security measures in place, he or she shall contact the Head of the Company in order to evaluate the security measures in place and, if necessary, initiate the acquisition and implementation of additional measures.
7.20. Employees of the Company or other responsible persons who process personal data by automated means, or whose computers have access to areas of the local network where personal data are stored, shall use passwords created in accordance with the relevant rules. An employee working on a particular computer may know only his or her own password. Passwords are changed periodically and in certain circumstances (e.g. change of employee, threat of hacking, suspicion that a password has been compromised, etc.).
7.21. In responding to any (including potential) personal data breaches, the Company shall be guided by the Company's Personal Data Incident Management Policy, which details the Company's obligations in connection with the identification of a potential and/or actual personal data breach, the procedure for assessing the nature of a personal data breach, the forms and procedures for reporting personal data breaches and other matters relating to personal data breaches, and which is attached to this Policy as Annex 4.
VII.4. NOTIFICATION TO DATA SUBJECTS
7.22. The Company shall inform data subjects by means of a privacy statement where the Company processes personal data on its website or by other online means. The Company shall ensure that such notice to data subjects regarding the processing of their personal data is readily accessible and continuously visible, computer readable, enables direct access to the data, and is comprehensible and written in plain and simple language.
7.23. The Company defines the basic rules and conditions for the processing of personal data to which all visitors to the website www.pickvibe.lt must adhere in the personal data protection policy of this website.
VII.5. FREE WILL AND CONSENT OF THE DATA SUBJECT
7.24. The Company shall rely on the data subject's consent as the legal basis for processing personal data only if it is satisfied that it meets the conditions set out in Regulation (EU) 2016/679. Consent shall be given freely, in writing, including by electronic means, and in accordance with the requirements of applicable law.
7.25. The Company shall only process sensitive personal data where the data subject expressly consents thereto, unless there are exceptions to the processing of such data in accordance with the provisions of applicable law.
7.26. The data subject shall have the right to withdraw his or her consent at any time.
VII.6. STORAGE OF PERSONAL DATA AND STORAGE PERIODS
7.27. The Company shall ensure the security of the premises where the personal data are stored, the proper placement and review of technical equipment, proper network management, maintenance of information systems and the implementation of other technical and/or organisational measures necessary to ensure the protection of personal data.
7.28. The Company shall keep personal data in a form which permits identification of the individual for no longer than is necessary for the purposes for which the personal data were collected and processed. If the retention period is not prescribed by law, personal data shall be retained for a reasonable period of time or for a period of periodic review.
7.29. The retention periods and the main requirements related to the retention of personal data processed by the Company are detailed in the Company's personal data retention rules, which are attached to this Policy as Annex 5. To the extent that they are not detailed in the Company's personal data retention rules, the Company may also specify the retention periods of personal data it processes in other documents, such as the privacy statement published on the Company's website or on the website of a product developed by the Company.
VII. DATA PROCESSORS
8.1 The Company's Manager may engage data processors, such as information technology and electronic communications service providers, advisors, auditors, consultants, security services and other persons to process personal data processed by the Company in accordance with this Policy, for the purposes set out in this Policy and in accordance with the Company's instructions, subject to the strict confidentiality of the processing of personal data.
8.2 The reliability of the processor must be assessed before the processor is used. Processors shall be considered trustworthy if they guarantee that they have sufficient expertise, resources and reliability to ensure the security of the processing of personal data.
8.3 The Company shall enter into written agreements with processors which provide that the processors shall process personal data only in accordance with the Company's instructions and subject to confidentiality obligations. These contracts shall also specify the level of security and/or requirements, if any, applicable to the Company's data protection. The contract must specify the procedure by which the Company's representative is empowered to verify the processor's compliance with its obligations, as well as the processor's liability for breaches of the contract and/or the processing of personal data.
8.4 The data processors, if any, engaged and authorised by the Company shall be identified in the Company's register of records of personal data processing activities. For each new contract with a data processor, the list of data processors shall be updated with the details of the new data processor at the initiative of the Company's manager. In the event of termination of a contract with a processor, the necessary changes shall be made to the aforementioned records of processing activities on the initiative of the Company's manager.
8.5 The Company's manager shall inform the Company's relevant employees of any changes to the list of data processors by the usual means within the Company no later than 3 (three) working days after the change to the list of data processors.
VIII. DATA RECIPIENTS
IX.1. THIRD PARTIES
9.1 Personal data shall be collected, processed and provided to public authorities and/or other persons on the basis of the laws and legal acts of the Republic of Lithuania and upon a reasoned written request, and only if there is a legal basis for the provision of such data and/or the consent of the data subject. Personal data of data subjects may be transferred to third parties only in the cases and in accordance with the procedure provided for in the laws and other legal acts of the Republic of Lithuania.
9.1.1. on a permanent basis - personal data of the Company's employees: to the Board of the State Social Insurance Fund under the Ministry of Social Security and Labour, the State Tax Inspectorate under the Ministry of Finance of the Republic of Lithuania, the Labour Exchange under the Ministry of Social Security and Labour of the Republic of Lithuania, the State Labour Inspectorate under the Ministry of Social Security and Labour of the Republic of Lithuania;
9.1.2. in one-off cases - to other third parties when the Company's obligation to provide personal data is provided for by laws or other legal acts, in other cases and in accordance with the procedure provided for in the laws and other legal acts of the Republic of Lithuania (for example, the Company's personal data of certain (individual) employees may be transferred to bailiffs, etc.).
9.2 The list of third parties to whom the Company provides personal data shall be provided and, if necessary, updated by indicating this in the Company's record of personal data processing activities.
9.3 All requests received for the provision of personal data (single and multiple) to third parties shall be notified to the Head of the Company prior to the commencement of the provision of personal data or the sending of a refusal to provide personal data. The legal basis and purpose for the provision of personal data shall in all cases be decided by the Head of the Company.
9.4 In the absence of a legal basis for the provision of personal data processed by the Company to third parties, the person or institution submitting the request shall be informed thereof by a reasoned written response to the request from the Head of the Company.
IX.2. THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS
9.5 The Company will only transfer personal data to a third country or an international organisation if the Company has put in place appropriate safeguards, provided that enforceable data subject rights and effective remedies are available and no derogations exist under applicable law.
9.6 The general principles and procedures relating to the transfer of personal data processed by the Company to a third country or an international organisation are detailed in the Company's Rules on the Transfer of Personal Data to Third Countries or International Organisations, which are attached to this Policy as Annex 6.
IX. DATA PROTECTION OFFICER
10.1 In accordance with the provisions of Regulation (EU) 2016/679, the Company has appointed a Data Protection Officer [Evaldas Aleksaitis, [email protected]].
10.2 The Data Protection Officer's Terms of Reference are attached to this Policy as Annex 7, which sets out the Data Protection Officer's reporting lines, general requirements, functions, rights and responsibilities as an employee of the Company.
X. GUIDELINES FOR THE IDENTIFICATION OF THE LEAD SUPERVISORY AUTHORITY
11.1 The competent lead supervisory authority of the Company shall be the supervisory authority of the Member State in which the Company has its head office. In the case of the Republic of Lithuania, such authority is the State Data Protection Inspectorate of the Republic of Lithuania, legal entity code 188607912, registered office address A. Juozapavičiaus g. 6, Vilnius.
XI. COMPANY AND LIABILITY
12.1. The Company's permanent or temporary employees and all persons acting on behalf of the Company are responsible for the implementation of the provisions of this policy and the proper processing of personal data and may be held responsible for their violation in accordance with the procedure established by legal acts.
12.2. All questions related to the protection of personal data of data subjects in the Company which are not covered by this Policy shall be directed to the Head of the Company and/or the person authorised by him in matters of data protection and/or to the Data Protection Officer appointed by the Company, Evaldas Aleksaitis, e-mail: info@pickvibe.com.
XII. DATA PROTECTION IMPACT ASSESSMENT AND CONTROL
13.1. The Company, in the cases specified in Regulation (EU) 2016/679, performs a data protection impact assessment. The Data Protection Impact Assessment Rules, which are attached to this Policy as Annex No. 8, set out the general principles and procedures to be followed in the Company when determining the data processing operations to which the requirement to perform a data protection impact assessment applies, when performing such an assessment, when obtaining the opinion of data subjects or their representatives on the planned data processing, and which actions are to be taken, by whom and when.
13.2. The Head of the Company and/or the person authorised by him and/or the Data Protection Officer must review the compliance of this Policy with the requirements of external laws and by-laws at least once a year, assess the effectiveness of the implementation of the protection of personal data of data subjects in the Company's business processes and, taking into account the results, update this Policy.
13.3. If necessary, the Company may adopt internal legislation that either supplements and/or implements the provisions of this policy or deviates from it. Such internal legal acts are approved in accordance with the procedure established by the Company.
XIII. MANAGEMENT OF RECORDS BASED ON THIS DOCUMENT
14.1. In order to comply with Regulation (EU) 2016/679, the Company manages records of the data processing activities for which it is responsible, keeping a register of such records in electronic form which meets the content requirements set out in Regulation (EU) 2016/679 and which is attached to this Policy as Annex No. 9.
14.2. The Company's compliance with the main reporting requirements of Regulation (EU) 2016/679 is ensured in the register of data processing activity records, i.e.:
14.2.1. management of records of all data processing activities;
14.2.2. record management of data processor agreements;
14.2.3. record management of data security violations, including notification of violations to the Supervisory Authority and data subjects.
XIV. ANNEXES
15.1. The following annexes shall apply together with this Policy as an integral part thereof:
15.1.1. Personal data protection policy for employees and job applicants.
15.1.2. Rules for implementing the rights of data subjects.
15.1.3. Information classification rules.
15.1.4. Personal data incident management rules.
15.1.5. Personal data storage rules.
15.1.6. Rules for transferring personal data to third countries or international organizations.
15.1.7. Job regulations of the data protection officer.
15.1.8. Rules for impact assessment on data protection.
15.1.9. Register of personal data processing activity records.
15.2. If necessary, the Company may adopt additional annexes.