- KEY DEFINITIONS
- Company – means UAB Vivasend – Lithuania (company code: 304530091; registered office address: Žalgirio St. 114 Vilnius, Lithuania; website: www.vivasend.com).
- Data subject – is a natural person whose personal data is processed by a company.
- Employee – is a person who has entered into an employment or similar contract with the Company and is appointed to process personal data by the decision of the Head of the Company or by the decision of the person whose personal data is processed.
- “Personal data” shall mean any information relating to a natural person, a data subject whose identity is known or can be directly or indirectly established by means of data such as name, date of birth, one or more personal, physical, psychological traits or, economic, cultural or social characteristics.
- “Provision of data” means the disclosure of personal data by transmission or other means of making them available (except for publication in the media).
- “Processing of data” shall mean any operation carried out on personal data: collection, recording, storage, classification, grouping, aggregation, modification (addition or correction), provision, publication, use, logical and / or arithmetic operations, retrieval, dissemination, destruction or other action or set of actions.
- “Automatic processing of data” means processing operations carried out in whole or in part by automatic means.
- Data Processor – a Company authorized by the Data Controller to process personal data. The Data Processor and / or the procedure for its appointment are set out in the agreement between the Data Controller and the Data Processor or in other legal acts.
- “Data controller” means a legal or natural person who alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes of the processing are laid down by law, the controller and / or the procedure for his appointment may be laid down in that law.
- “Special categories of personal data” means data relating to a person’s racial or ethnic origin, political, religious, philosophical or other beliefs, trade union membership, health, sexual life and sexual orientation, as well as genetic, biometric personal data used to identify the natural person.
- Consent means a voluntary statement by the data subject of his or her will to process his or her personal data for a purpose known to him or her. Consent to the processing of special categories of personal data must be expressed in a clear, written, equivalent or other form that clearly demonstrates the will of the data subject.
- Direct marketing means the activity of offering goods and services to persons and / or seeking their opinion on goods or services offered by post, electronic telephone or other means.
- “Third party” means a legal or natural person (other than the data subject itself) that controls or processes data directly or is authorized by the controller or a processor of data.
- Other terms used in these Rules of Processing and Use of Personal Data (hereinafter – the Rules) correspond to the terms established in the Law on Legal Protection of Personal Data of the Republic of Lithuania (hereinafter – the Law) and / or in 2016. April 27 Regulation No 1 of the European Parliament and of the Council 2016/679 (hereinafter referred to as the Regulation).
- GENERAL PROVISIONS
- These Rules regulate the actions of the Company and its employees in processing personal data of the Data Subjects and Employees using automatic and non-automatic personal data processing tools installed by the Company, as well as establishing the rights of Data Subject and Employee, personal data protection enforcement measures and other personal data processing issues.
- The purpose of these rules is to regulate the processing of personal data in the Company, ensuring compliance with and implementation of the Law, the Regulation and other related legal acts.
- The Company shall process only those data of the Data Subject which it receives from the Data Controller in a systematic form on the basis of an agreement with the Data Controller. The Company processes only the personal data of the Employees that the Employee provides to the Company for the purposes of concluding and executing the employment contract.
- The Company undertakes to store the received and collected personal data exclusively for the purposes specified in these Rules, without the consent of the Data Controller and the Data Subject not to disclose information related to the processed personal data to any third parties. Personal data may be transferred to other processors only if the agreements with the Data Controllers contain provisions discussing the transfer / provision of personal data to other data controllers and the Data Controller ensures that he has acquired the right to transfer / provide personal data from each data subject. The data are transferred and the Data Controller ensures adequate protection of the transferred personal data.
- The Company shall not be liable for any damage resulting from the use of the Data Subject’s data by third parties to the extent permitted by the relevant laws. In all other cases, the personal data of the Data Subject may be disclosed to third parties only in accordance with the procedure provided by the legal acts of the Republic of Lithuania. The Company may transfer the personal data of the data subject to governmental or law enforcement authorities upon their request and only if it is provided in the applicable legal acts. The Company does not process, use or disclose Special Categories of Personal Data unless the Data Controller provides evidence that the Data Subject’s explicit consent has been obtained for the collection of such data, except as required or permitted by law.
- Personal data shall be processed and used in accordance with the purposes for which the Data Subject provided them to the Data Controller or for other purposes approved by the Data Subject or the Employee.
- Unless otherwise provided in the agreement between the Data Controller and the Company regarding the provision of services and the processing of personal data of the Data Subject related thereto, the Company shall be deemed to process the personal data of the Data Subject only for the following purposes:
7.1. For identification of the data subject in the information systems of the Data Controller;
7.2. For the identification of the data subject by logging in to his / her account on the Company’s website (when such possibility is provided by the Company);
7.3. For the direct marketing of goods, services or works provided by the controller.
- Unless otherwise provided in the employment contract, the Company processes the personal data of its Employees only for the following purposes:
8.1. Conclusion, execution and accounting of employment contracts;
8.2. For the proper performance of the Company’s obligations as an employer established by legal acts;
8.3. To maintain proper communication with employees during non-working hours;
8.4. To ensure proper working conditions
- By concluding an employment contract with the Company, the Employee confirms and voluntarily agrees that the Company shall manage and process the following personal data of the Employee for the purposes specified in these Rules:
9.1. For the purposes of concluding, executing and accounting employment contracts, the names of employees, personal identification codes, dates of birth, addresses of residence, educational documents, documents certifying the qualifications of employees, numbers of bank accounts to which wages and other benefits are paid, and personal medical records .
9.2. For the purpose of proper performance of the company’s duties as an employer established by legal acts, the names and surnames of employees, personal identification codes, information on the marital status and health status of employees would be processed.
9.3. For the purpose of proper communication with employees outside working hours, the addresses of the employees’ place of residence, personal telephone numbers, personal e-mail addresses would be processed with the consent of the employees.
9.4. In order to ensure decent working conditions, the employer would, with the consent of the employee, process information related to the employee’s state of health, which directly affects the employee’s work functions and the ability to perform them in accordance with legal acts.
- By submitting the personal data of the Data Subjects collected to the Company, the Data Controller confirms that the transferred personal data of the Data Subjects are lawfully collected or obtained by lawful means of obtaining personal data and confirms that the Data Controller has the right to provide the Personal Data of the Data Subjects to the Company.
III. PRIVACY AND PERSONAL DATA
- Information processed by the Company and received from the Data Controller shall normally be specified in the agreement between the Data Controller and the Company regarding the provision of services. Unless otherwise specified in the agreement, the Company may process by order of the Data Controller: Name, surname, address, e-mail address, telephone number, data of identity documents (passport, identity card) (date, place, validity date, number), personal identification code, date of birth, gender, payment card or other payment details, information about the data subject’s services, services or works (their quantities, purchase dates, prices, purchase history and other information related to the acquisition), the data subject’s login name and password in encrypted form on the Data Controller’s website (if the Data Controller provides such an opportunity).
- The Company’s website may collect certain information about the Data Subject’s visit, such as: the Internet Protocol (IP) address through which the Data Subject accesses the Internet; Date and time of the data subject’s visit to the Company’s website; other websites that the Data Subject visits while on the Company’s website; browser used; information about the Data Subject’s computer operating system; mobile app versions; language settings and more. If the Data Subject uses a mobile device, data may also be collected to determine the type of mobile device, the settings of the device, and the geographical (longitude and latitude) coordinates. This information is used to improve the Company’s website, analyze trends, improve products and services and administer the Company’s website. The data subject voluntarily provides this data using the services provided by the Company, becoming a registered user of the Company’s website or visiting the Company’s website.
- If the Data Controller wishes the Company to process other personal data not specified in Paragraph 1 of this Article, or to perform other actions related to the processing of the transferred data, such request shall be formalized by a written instruction of the Data Controller to the Company.
- The information collected by the company about the company’s employees and the purposes of its processing are set out in Article II of these Rules.
- In performing their duties and processing personal data provided by the Data Controller, the employees of the Company shall observe the following principles:
5.1. Personal data is processed accurately, fairly and lawfully.
5.2. Personal data shall be processed in strict accordance with the purposes specified in the contract with the controller, in the instructions of the controller or in these rules.
5.3. The personal data of the data subject may be processed only by the Company’s employees with appropriate competence (IT systems, website or database administrators or the Company’s managers) only in cases when it is necessary to provide the service ordered by the Data Controller.
5.4. The Company does not disclose personal data to any third parties, except in cases provided by legal acts or if the Company is obliged to do so by the Data Controller or the Data Subject itself.
- Every employee of the Company who processes personal data must:
6.1. sign a confidentiality agreement.
6.2. process personal data in strict accordance with the laws of the Republic of Lithuania, other legal acts, instructions and these Rules.
6.3. protect the confidentiality of personal data. He shall observe the principle of confidentiality and shall keep confidential any information relating to personal data which he has obtained in the course of his duties, unless such information is in the public domain in accordance with the provisions of the laws or regulations in force. The principle of confidentiality must be observed by the Company’s employee even after the employment relationship has ended.
6.4. not disclose, transfer or facilitate access to personal data by any means to any person who is not authorized to process personal data;
6.5. in order to prevent the accidental or unlawful destruction, alteration, disclosure, as well as any other unlawful processing of personal data, it must store documents and data files properly and securely and avoid making unnecessary copies. Copies of company documents containing personal data must be destroyed in such a way that these documents cannot be reproduced and their contents cannot be identified.
6.6. immediately notify the Company’s manager or the responsible person appointed by him of any suspicious situation that may pose a threat to the security of personal data and take measures to avoid such a situation.
- MARKETING AND CORRESPONDENCE
- The Data Controller, using the Company’s services, ensures that the personal data of the Data Subjects for direct marketing purposes are managed only on a legal basis and undertakes not to perform any direct marketing actions against those Data Subjects who have expressed their consent to the processing of personal data or otherwise informed the Data Controller. that it does not want the data subject’s data to be processed for direct marketing purposes.
- The Data Controller must give the Data Subject the possibility to refuse the information sent by the Data Controller:
2.1. The Data Subject must be able to opt out of the information sent by the Data Controller in the newsletter or other letter sent to the Data Subject by clicking on the link provided by the Data Controller for offers and news.
2.2. The Data Subject has the right to object to the data processing actions performed by the Data Controller and the Data Processor by expressing its disagreement in writing or by e-mail addressed to the Data Controller.
- The controller undertakes to take appropriate action within one month to comply with the Data Subject’s requests for the processing of newsletters or other direct marketing measures or the refusal to process his personal data for direct marketing purposes. processing of personal data or to take other measures provided for in Article 12 of the Regulation.
- In case the Data Controller fails to act at the request of the Data Subject, the Data Controller assumes all legal (including administrative) liability that may arise for the Data Processor (whose automatic data processing tools are used by the Data Controller) for such failure of the Data Controller.
- The Data Controller has the right to use the personal data of the data subject only for the performance of marketing activities permitted by law, i.e. – on the basis of the information provided by the Data Subject, may send or transmit by video or audio means the proposals of the Data Controller of a general nature or specially adapted to the Data Subject.
- Personal data for the purposes of direct marketing must be processed and used in such a way that the Company will not be able to disclose the identity of the Data Subject or other personal data from which the personal identity can be identified.
- COOKIES AND THEIR USE
- The Company informs the Data Subjects that part of the information may be collected automatically at the time when the Data Subject visits the Company’s website, as the Data Subject’s Internet Protocol address must be recognized by the Company’s server.
- Data analysis management tools – cookies – may also be used on the Company’s website.
- Cookies are small amounts of data that the website places on the Data Subject’s computer. Web pages have no memory. When the data subject browses different web pages, the data subject will not be recognized as the same user. Cookies allow the website to recognize the Data Subject’s browser. The main purpose of cookies is to remember the data subject’s choices, such as the preferred language of the website. Cookies also help to identify the Data Subject when returning to the same website. They help to tailor the website to personal needs. Cookies cannot be used to run programs or transfer viruses to your computer. Cookies are intended only for the Data Subject and can only be read by the web server of the domain that sent the cookie to the Data Subject. One of the most important purposes of cookies is to provide a convenient function to save the Data Subject’s time. For example, if the Data Subject uses the website for personal needs or browses the website, cookies will help the website to remember specific information later. This makes it easier to present relevant content, easier to navigate the website, and so on. When returning to the website, the Data Subject can find his / her previously provided information, thus making it easier to use the already adapted functions of the website.
- Cookies can be divided into categories according to their purpose, longevity and their place on the website. The processing of data with the help of cookies does not allow the direct or indirect identification of the user.
- The following types of cookies may be used on the Company’s website:
6.1. Technical cookies: The Company strives to provide users of the Company’s website with an advanced and easy-to-use website that automatically adapts to their wishes and needs. To achieve this, the Company may use technical cookies that allow you to view the website and enable its proper functioning. The company’s website only works properly thanks to technical cookies.
6.2. Functional cookies: The Company may also use functional cookies, which allow to remember the data subject’s choices and at the same time to use the website effectively. For example, thanks to cookies, the website remembers the language chosen by the Data Subject, the searches or reviews performed, and the services offered by the Company. These types of cookies are not necessary for the operation of the website, but they add more possibilities and make browsing the Data Subject more pleasant.
6.3. Analytical Cookies: These types of cookies may be used by the Company to understand how the Company’s visitors use the Company’s website, to discover the weak and strong parts of the website, to optimize and improve the website and to further implement advanced solutions. The data collected includes the pages viewed by the Data Subject, the type of platform used by the Data Subject, date and time information, the number of clicks, mouse movements and browsing activities, keywords and other text collected by the Data Subject while browsing the website. Analytical cookies may also be used by the Company for online advertising companies in order to analyze the behavior of users after they have been shown the Company’s online advertising. The Company does not know which Data Subject it is, it only collects anonymous information.
6.4. Commercial cookies: these cookies may be used by the Company to place the Company’s advertisements on other websites. So-called “targeted ads” appear based on information about the goods or services a visitor is looking for.
- The purpose of these management tools is to ensure the quality of website browsing, help the Company to learn about the Company’s website and its individual parts, understand the Company’s website user traffic, improve the Company’s website, online services and better meet visitor needs.
- No personal data of the Data Subject will be collected with the help of cookies.
- USE OF WEBSITE INDICATORS
- The Company has the right to use not only cookies but also website indicators on its website. It is a very small graphic image that enters the Data Subject’s computer as part of a web page or as an HTML e-mail message. The Company has the right to use these images as online advertising or on third-party websites to find out whether the user to whom the advertisement is displayed is placing an order, analyzing consumer movement and seeking to optimize the services offered.
- The Company may include web beacons in promotional emails or informational messages to determine if emails have been opened. Some website indicators may be added by third party service providers to determine the effectiveness of the Company’s advertising campaigns or email communications. Website indicator The Company may also use it to place a persistent cookie on the Data Subject’s computer in order to identify the Data Subject’s computer each time it visits certain pages or sends e-mails and to collect anonymous information about the attendance of such pages. The Company prohibits the use of website indicators to collect or access personal information.
VII. SECURITY AND PROCESSING OF PERSONAL DATA
- Personal data processed in the Company shall be stored on computer media in electronic form. Personal data of data subjects are processed automatically in systematized files, and personal data of the Company’s employees are processed manually.
- In accordance with the law and the Regulation, the Company shall apply technical and organizational measures to prevent unauthorized access or illegal use of the Data Subject’s data. By using the user authentication system, the Company ensures that the data provided by the Data Subject is protected against illegal actions: unlawful alteration, disclosure or destruction of personal data, theft of personal identity, fraud. The data storage and processing databases used by the Company are protected from unauthorized access via computer networks. Only employees of the Company with special permissions have the right to see the personal data of the Data Subject received from the Data Controller or submitted to the Company for work purposes.
- Taking into account that the Data Processor processes (uses) the data subjects ‘data automatically and does not have the possibility to change, revise, update or otherwise modify the data, the Data Controller shall ensure that the data subjects’ personal data are complete, up-to-date and orderly. , updated.
- The Company shall assist the Data Controller in fulfilling the Data Controller’s obligation to respond to requests to exercise the data subject’s rights, taking into account the nature of the data processing and, to the extent possible, using appropriate technical and organizational measures. Under these rules, the data subject’s rights include the right to request information and, at the data subject’s request, to rectify, destroy personal data or suspend the processing of personal data.
- Employees who process personal data automatically or from whose computers can access areas of the local network where personal data is stored must use passwords. Passwords must be changed periodically, as well as in the event of certain circumstances (eg a change of employee, a threat of burglary, suspicion that the password has become known to third parties, etc.). An employee working on a particular computer can only know their password.
- The computer maintenance officer must ensure that the personal data files provided by the Data Controller are not “shared” from other computers and that the antivirus programs are updated periodically.
- The computer maintenance officer shall make copies of the data files on the computers. If these files are lost or damaged, the responsible employee must restore them within a few working days.
- The employee loses the right to process personal data when the employee’s employment or similar contract with the Company expires, or when the head of the Company revokes the employee’s appointment to process personal data.
- Documents related to the Company’s employees and their copies, financing, accounting and reporting, archival or other files containing personal data are stored in lockers / drawers. Documents containing personal data must not be kept in a visible place accessible to all.
- In order to ensure the protection of personal data, the Company implements or plans to implement the following personal data protection measures:
10.1. administrative (establishment of secure processing of employees’ documents and computer data and databases, as well as organization of work in various areas of activity, acquaintance of personnel with personal data protection, etc.)
10.2. hardware and software protection (administration of servers, information systems and databases, maintenance of workplaces, Company’s premises, protection of operating systems, protection against computer viruses, etc.);
10.3. protection of communications and computer networks (filtering of shared data, programs, unwanted data packets (firewall), etc.).
- The technical and software measures for the protection of personal data must ensure:
11.1. installation of a repository for copies of operating systems and databases;
11.2. Strategy for contingency updating of systems (contingency management);
11.3. authorized use of the data, their integrity.
- Upon establishment of a possible fact of personal data processing violation, a commission shall be formed by at least 3 (three) employees of the Company and the Data Controller to investigate the circumstances of the event, which shall provide a recommendation conclusion on the violation within 30 (thirty) days.
- Identification of personal data breaches that may result in material or non-material damage to Data Subjects, such as loss of control of their personal data, restriction of rights, discrimination, theft or falsification of their personal identity, and financial loss may result. his reputation, the loss of confidentiality of personal data covered by professional secrecy or other economic or social damage to the staff member concerned,
The company notifies the Data Controller, which in turn informs the State Data Protection Inspectorate.
- The Data Controller has the right to use other data processors only with the prior consent of the Data Controller and having entered into a written agreement with another processor, which is subject to the same requirements as the contract concluded with the Central Processor.
- The data processors used by the Company or third parties used by the Company to provide the ordered services must guarantee the necessary technical and organizational measures for the protection of personal data and ensure that such measures are complied with.
- The Company, taking into account the nature of the data processing and the available information, shall assist the Data Controller in fulfilling specific obligations in accordance with the applicable data protection legislation. Specific obligations include security of data processing (Article 32 of the Regulation), notification of personal data breaches (Articles 33-34 of the Regulation) and data protection impact assessment and prior consultation (Articles 35-36 of the Regulation).
- The Company undertakes to provide the Data Controller with all information and to provide him / her with all assistance in proving that the obligations assumed under these rules are fulfilled, as well as to facilitate and assist the Data Controller or another auditor authorized by him. on the spot.
- The processed personal data transferred by the Data Controller shall be processed until a separate instruction of the Data Controller, but in any case not longer than until the expiry or termination of the agreement between the Data Controller and the Company.
- At the end of the above-mentioned processing period, personal data shall be deleted, together with the deletion of all available copies of such data or transferred to the Data Controller, in accordance with the Data Controller’s instructions. In the event that the Data Controller’s instruction is not received by the date of termination or termination of the agreement between the Data Controller and the Company, the Data Processor shall delete all data transmitted by the Data Controller and all available copies of such data on the next business day.
VIII. RIGHTS OF THE DATA SUBJECT
- The data subject shall have the following fundamental rights:
1.1. be aware of the processing of your personal data;
1.2. to get acquainted with what personal data are processed and for what purpose and to whom they are provided;
1.3. to demand correction, correction or supplementation of incorrect or incomplete personal data of the Data Subject, destruction of the personal data of the Data Subject or suspension of the processing of personal data of the Data Subject, except storage, when the data is processed in violation of these rules and other legal acts;
1.4. not to consent to the processing of personal data of the Data Subject;
1.5. to require that the personal data of the Data Subject be provided to him / her in a freely accessible electronic form so that he / she can transfer these data to another data processor (right to data portability);
1.6. require the destruction of your personal data (“right to be forgotten”) in cases where:
1.6.1 personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
1.6.2. The data subject revokes the consent (if the legal basis for the processing of his personal data was consent);
1.6.3. it is established that the personal data of the Data Subject have been processed unlawfully;
- Taking into account the limited powers of the Company to process personal data transferred by the Data Controllers, the Data Subject is informed that he / she must apply to the Data Controller for the exercise of all rights of the Data Subject, therefore the Company informs on 1 p. The Company will immediately forward the implementation of the specified rights to the Data Controller, who will be held responsible for the implementation of the said rights.
- If the Data Subject is a registered user of the Company’s website, he / she may view and edit the personal information provided on the Company’s website and contact details of contacting the Data Subject by visiting the relevant sections of the Company’s website.
- The Data Controller or the Employee acting as the Data Subject must provide the Company with complete and correct personal data of the Data Subject and take all necessary actions and measures to update changes in the personal data of the Data Subject in a timely manner. The Company will not be liable for any damage caused to the Data Subject as a result of the Data Controller or the Employee acting as the Data Subject providing incorrect and / or incomplete personal data or failing to take appropriate and timely measures to update the changed data.
- The Company is not responsible for internet connection failures, due to which users of the Company’s website and other persons cannot access the website or use the services.
- The Company does not have the possibility to fully guarantee that the operation of the Company’s website will be without any disruptions or errors, or that the Company’s website will be fully protected from viruses or other harmful components.
- The Data Controller accepts all risk and responsibility for the actions of third parties on the Company’s website performed using the Data Controller’s login data and undertakes to fulfill all obligations accepted by using the Data Controller’s login data.
- The Company shall not be liable for operating losses, loss of profits, loss of goodwill, any other indirect losses and damage resulting therefrom. Data loss is considered an indirect loss.
- The General Liability of the Data Processor for the damage caused by the data processing actions shall in any case be limited to the amount paid to the Company for the services for the last 6 (six) months and calculated from the moment of the dispute. If less than 6 (six) months have elapsed, the remuneration paid is considered to be the average remuneration paid multiplied by 6 (six) months.
- VALIDITY AND AMENDMENT OF THE RULES
- The Rules for the Data Controller shall enter into force from the moment of signing the Service Agreement with the Company or from ordering the Company’s services on the Company’s website, depending on whichever comes first and from which the Data Controller is deemed to have read and agreed to the provisions of these Rules.
- The Company has the right to partially or completely change the Rules by announcing it on the Company’s website.
- Additions or amendments to the Rules shall take effect from the date of their publication, therefore from the date they are posted on the Company’s website.
- If the Data Controller does not agree with the new wording of the Rules, the Data Controller has the right to refuse to use the services provided by the Company and the Company’s website.
- If, after supplementing or amending the Rules, the Data Controller continues to use the services provided by the Company or the Company’s website, it shall be deemed that the Data Controller agrees with the new version of the Rules.
- FINAL PROVISIONS
- The law of the Republic of Lithuania shall apply to these Rules and to the relations arising on the basis of these Rules.
2. Any disagreement arising from the implementation of these Rules shall be settled through negotiations. If no agreement is reached, disputes shall be settled in accordance with the procedure established by the legal acts of the Republic of Lithuania.