1. Purpose of Policy and main concepts
The purpose of the Policy is to establish the rules for the processing of the data of each company belonging to the Altechna enterprise group as the data controller in order to ensure compliance with and full implementation of the General Data Protection Regulation (EU) 2016/679 and other applicable legislation.
1. 1. Main concepts used in the Policy:
1.1.1. Personal data shall mean any information relating to a natural person (data subject) who is known or who can be identified directly or indirectly by reference to such data as a personal identification number or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
1.1.2 Data subject shall mean a natural person, whose data are processed by the Company.
1.1.3. Processing of personal data shall mean any operation carried out with personal data: collection, recording, accumulation, storage, classification, grouping, connecting, changing (supplementation or correction), provision, publication, use, logical and/or arithmetical operations, search, dissemination, destruction or any other action or set of actions.
1.1.4. Consent of data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her, for example, written (including given by electronic means) or oral declaration. Silence, pre-ticked boxes or inactivity should not, therefore, constitute consent.
1.1.5. Data controller shall mean a legal or a natural person which alone or jointly with others determines the purposes and means of processing personal data. The concept of a Data controller includes any one or all of the companies belonging to Altechna group, as: UAB Altechna (company code 123542064, office address: Mokslininkų st. 6A-3, LT-08412 Vilnius).
1.1.6. Data processor shall mean a legal or a natural person (other than an employee of the data controller), processing personal data on behalf of the Data controller, i.e. assists the Data controller, executes his instructions.
1.1.7. Employee means a person, who has made an employment contract or contract of similar character with the Company.
1.1.8. Supervisory authority shall mean State Data Protection Inspectorate.
1.1.9. Direct marketing shall mean an activity intended for offering goods or services to individuals by post, telephone or any other direct means and/or for obtaining their opinion about the offered goods or services, sending newsletters.
1.1.10. General Data Protection Regulation shall mean Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation/GDPR).
1.1.11. Authorized person means a person, assigned by the Data controller, who is responsible for personal data protection, including the Data Protection Officer (as understood by the GDPR).
1.1.12. other concepts used in the Rules correspond to the concepts defined in the General Data Protection Regulation and Law on Legal Protection of Personal Data of the Republic of Lithuania.
1.2. Hereby it is attempted to help the data subjects to use their rights.
1.3. This Policy is also applied to protection of personal data of other data subjects (i.e. not clients or employees), whose personal data are processed or will be processed by the Data controller in the future.
1.4. The Personal data processed by the Data controller are accurate, suitable and within the scope necessary for their collection and further processing. The personal data may be updated regularly, if necessary.
1.5. The Personal data in website are collected:
1.5.1. for the purpose of purchase of services and/or products, execution of a contract (an order) and servicing, client’s identification in the Data controller’s information system, client’s registration and identification on the Data controller’s website, for issuance of invoices and other financial documents, submission of replies to customer inquiries;
1.5.2. for direct marketing if Data subject gives his/her consent (to provide promotional messages, newsletters);
1.5.3. for the purpose of employee selection when the person submits his/her data in order to apply for a job position according to an advertisement placed on the website of the Data controller or directly to the email specified in the ad.
1.6. The Data controller is processing the following Personal data:
1.6.1. for the purposes indicated in the clause 1.5.1 of the Policy: name, surname, address, telephone number, e-mail address, billing information, bank account number, name of the parcel addressee, name, surname, address, contact phone;
1.6.2. for the purposes indicated in the clause 1.5.2 of the Policy: name, surname, telephone number, e-mail address, job residence, represented company (requisites);
1.6.3. for the purposes indicated in the clause 1.5.3 of the Policy: name, surname, date of birth, national identity number, address, telephone number, e-mail address, education, work experience.
1.7. The legal ground for processing of Personal data, specified in the clause 1.6.1, is the Data controller’s duty to execute the contract made with the Data subject and/or to undertake actions to conclude the contract, fulfill the order upon request (order) of the Data subject.
1.8. The legal ground for processing of Personal data, specified in the clause 1.6.2, is the consent given by the Data subject.
1.9. The legal ground for processing of Personal data, specified in the clause 1.6.3, is the consent of the Data subject, expressed by the person in the submission of Personal data for employment (applying for a job position).
1.10. The Data controller may also process the Personal Data for other purposes, in compliance with legal requirements or for a legitimate interest.
1.11. When the Personal data are processed for the purpose of direct marketing, the Data subject has a right to object free of charge to such processing and to withdraw the consent.
1.12. The Data controller may also receive information about the Data subject from public and commercial sources (as permitted by applicable law) and associate it with other information received from or about the Data subject.
2. Processing of Personal data
2.1. Only the employees of the Data controller have a right to process Personal data, including their transmission to the third persons specified in the clause 2.2 herein. Every employee has to preserve the secret of Personal data and to comply with the requirements of legal acts on personal data protection and this Policy.
2.2 We may transfer Your Personal Data to the recipients of the data that help us to provide, improve or support Services, help with our business operations or who performing services for us, in order to prevent damage to our property or for safety reason. Such persons may be business partners, service providers, contractors, acting on behalf of the Company as data processors, who provide delivery of correspondence (consignments), marketing, IT maintenance, website hosting, payment processing, audit, legal services, etc. (Personal data shall be disclosed only within the purpose necessary to provide certain services). These entities have the right to process Personal data only for the purposes for which they were transferred, ensuring appropriate technical and organizational security measures in accordance with the Company’s instructions and the requirements of applicable legislation. Personal data may also be shared between Altechna group companies (for purposes of administration, recruitment, clients servicing and marketing). We may disclose Your Personal data if we sell or transfer all or a portion of our business or assets, or in connection with a corporate merger, consolidation, restructuring, or other company change. In all other cases, Personal data may be disclosed to government authorities, law enforcement body, courts and other third parties only in accordance with terms and on the grounds established by legal acts of the Republic of Lithuania.
2.3. The Data controller observes the confidentiality principle and keeps in secret any information related to Personal data that was learnt while implementing the job functions, unless such information was public according to the valid laws or other legal acts.
2.4. The Personal data shall be processed for no longer than is necessary for the purposes, for which they were collected, or for such period, which is prescribed by law:
2.4.1. the clients’ Personal data shall be processed for the period not exceeding 10 years from the last day of the execution of the contract/order or its expiration day or the last day of use of the website’s content or services;
2.4.2. the Personal data processed for the purpose of direct marketing shall be processed not longer than until the moment when the consent to receive advertising is withdrawn (revoked);
2.4.3. the candidates’ Personal data received for employment purposes shall be processed for 6 months from the end of the selection.
2.5. When Personal data are no longer needed for their processing purposes, they shall be destroyed, except those that, in the cases specified by the law, must be transferred to national archives.
2.6. The Personal data protection shall be organized, secured and implemented by the Authorized person of the Data controller.
3. Rights of the Data subject and their implementation procedure
3.1. Rights of the data subject:
3.1.1. to know (be informed) about the processing of his/her Personal data;
3.1.2. to have an access to his/her Personal data and to be informed of how they are processed;
3.1.3. to object against the processing of his/her Personal data;
3.1.4. to request rectification, specification, supplementation or destruction of his/her incorrect or incomprehensive Personal data or suspension of further processing of his/her Personal data, with the exception of storage;
3.1.5. to request the erasure of the data (“right to be forgotten”). This right is valid where one of the following grounds applies:
22.214.171.124. the Personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
126.96.36.199. the Data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
188.8.131.52. the Personal data have been unlawfully processed;
184.108.40.206. the Personal data have to be erased for compliance with a legal obligation in the European Union or domestic law to which the Data controller is subject;
3.1.6. right to data portability: the Data subject shall have the right to receive the Personal data concerning him or her, which he or she has provided to a Data controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Data controller to which the Personal data have been provided, where:
220.127.116.11. the processing is based on consent or on a contract;
18.104.22.168. the processing is carried out by automated means.
3.2. The Data subject may appeal against supposed unlawful processing of his or her personal data to the Supervisory authority.
3.3. The Data subject has a right to authorize a non-profit organization, institution or association that was incorporated properly according to the law of the Republic of Lithuania, whose objectives indicated in the Articles of Association are in compliance with public interest and that is operating in the area of protection of rights and freedoms of the Data subject within the scope related to personal data protection to lodge a complaint in his/her name and to use certain rights provided in the General Data Protection Regulation.
3.4. Implementation procedure of the Data subject’s rights:
3.4.1. the person, who wants to implement the rights listed in the clause 3.1, has to submit a written application to the Company (personally, by post, via representative or by electronic communication means). The application has to be legible, signed by the person and contain the following data: person’s name, surname, residence, contact data and information, which of the aforementioned rights and in what scope, she or he desires to implement;
3.4.2. upon submission of the application, the person must identify himself or herself by the following means:
22.214.171.124. if the application is delivered directly on arrival to the Data controller – to present personal identity document or its copy certified according to the legal acts of the Republic of Lithuania;
126.96.36.199. if the application is delivered by post – to present the copy (duplicate) of personal identity document certified according to the legal acts of the Republic of Lithuania;
188.8.131.52. if the application is delivered via representative – to present the document confirming representation and the copy (duplicate) of personal identity document certified according to the legal acts of the Republic of Lithuania;
184.108.40.206.if the application is delivered by electronic communication means – to sign by valid e-signature;
3.4.3. the right of the Data subject to object to processing of his/her Personal data for direct marketing shall be implemented by the notification of the Data controller about the Data subject’s objection by e-mail.
3.5. For the rights listed in clause 3.1 the Data subject can apply to any Data controller. To implement the rights of the Data subject is authorized the Data controller – UAB Altechna.
3.6. The Authorized person shall examine the applications indicated in the clause 3.4.1 herein. The application has to be examined and the response has to be given not later than in 30 calendar days upon the application’s submission.
3.7. When the Data subject submits applications according to the clause 3.4.1, she or he should not misuse his or her rights evidently. If the Data subject misuses his or her right (for example, refers to the Data controller regarding information on the processed Personal data more often than once in six months), the Data controller has a right to demand that the Data subject would cover the administrative costs related to implementation of such applications.
3.8. The objection of the Data subject to processing of his or her Personal data for direct marketing should be responded immediately, as soon as possible. The responsible employees of the Data controller have to secure that Personal data would not be further processed for the purpose of direct marketing.
4. Cookies and their usage
4.1. In order to improve the client’s experience while visiting the Data controller’s website, we are going to use the cookies – small portions of textual information that are created automatically while browsing the website and that are stored in the client’s computer or another terminal device. The information collected with the help of cookies allows us securing the opportunity to the client to browse more conveniently, to submit attractive offers and to learn more about behaviour of the website’s users, to analyse the tendencies and to improve the website, servicing and services provided by the Data controller.
4.2. When using the website, the client agrees to the usage procedure of cookies and may decide whether to accept cookies. If the client disagrees to recording of cookies into his or her computer or other terminal device, the client may change the browser’s settings and turn off all the cookies or turn on/off each of them separately. However, we would like to note that in some cases this may slow down browsing speed, restrict operation of certain functions of websites or block access to the website. More information is available at allaboutcookies.org.
4.3. You will find out more about cookies used on the website by the Data controller in the Cookies List.
5. Social media
5.1. The Company has created and managed accounts in the social media Facebook, LinkedIn and Instagram. Any information, that You submit on social media such as Facebook, LinkedIn, Instagram (including notices, “Like” and “Follow” fields, and other communications), or which You receive after visiting Company’s Facebook, LinkedIn, Instagram account (including information provided by social media using cookies), or by reading Company records on the social media network, is controlled by the social network controller. Therefore, we recommend You to read third-party privacy notices and contact the service providers directly if You have any questions about how they use Your Personal data.
6. Security of Personal data
6.1. The Data controller implements appropriate organizational and technical measures intended for the protection of Personal data against accidental or unlawful destruction, alteration and disclosure as well as against any other unlawful processing.
6.2. When the Data controller detects violations of Personal data security, it shall remove them immediately.
6.3. The Data controller’s employees have to follow the confidentiality principle provided in the clause 2.3 herein.
6.4. The antivirus software has to be updated continuously in the Data controller’s computers.
6.5. If Personal data security was violated, the Data controller shall notify the Supervisory authority thereof without unreasonable delay and, if possible, within 72 hours after having learnt of such violation of Personal data security, unless violation of Personal data security should not cause hazard to rights and freedoms of natural persons. If the Supervisory authority is not notified about violation of Personal data security in 72 hours, the reasons of delay have to be attached to the notification.
6.6. When big hazard to rights and freedoms of natural persons may be caused because of violation of Personal data security, the Data controller shall notify the Data subject thereof without unreasonable delay.
7.1. The Data subject must submit thorough and accurate Personal data to the Data controller and to inform it about appropriate changes of the Personal data.
7.2. The Data controller has no possibility to guarantee completely that functioning of the Data controller’s website will be unhindered and completely protected against any viruses. The Data controller shall not be liable for damage, including damage resulting from interruptions to the use of the website, of data loss or damage resulting from acts or omissions of the Data subject or third parties acting on the Data subject, including incorrect data entry, other errors, deliberate damage, other inappropriate use of the Data controller’s website. The Data controller shall never assume responsibility for direct or indirect losses resulting from usage of material or documents available on the Data controller’s website. The Data subject is notified that any material read, downloaded or otherwise received via the Data controller’s website is received exclusively at the discretion and risk of the Data subject, who will be solely responsible for any damage caused to the Data subject or his/her computer system.
7.3. Unless provided otherwise, the intellectual property rights (including copyrights) to the content and information of the Data controller’s website belong to the Data controller. It is forbidden to reproduce, translate, adapt or use otherwise any section of the Data controller’s website without a written advance consent of the Data controller. It is forbidden to perform any other actions that would or could violate the Data controller’s intellectual property rights to its website or that wouldn’t be in compliance with fair competition.
8. Final provisions
8.1. This Policy shall be reviewed and, if necessary, updated at least once in two years or if the legal acts regulating personal data protection change.
8.2. By the consent of the Data controllers, the Policy, its amendments and supplements are approved by the head of one of the Data controllers – UAB Altechna – and it will be binding on all companies belonging to Altechna group.
9. Contact data
Mokslininku st. 6A, Vilnius LT-08412, Lithuania
Tel. +370 5 272 5738
E-mail: [email protected]