Products catalog

Home/ Clients/ Rules for handling and use of personal data

Rules for handling and use of personal data

  • 1. BASIC CONCEPTS
    Data controller means a natural or legal person, public authority, agency or other body that alone or jointly with others determines the purposes and means of data processing.
    Data Controller means the company MB "Gamtos dovanos", which processes personal data on behalf of the Data Controller.
    Data Means any information about an identified or identifiable natural person (data subject); an identifiable natural person is a person whose identity can be determined directly or indirectly, in particular by an identifier such as a name, a personal identification number, location data and an Internet identifier, or by one or more of that natural person's physical, signs of physiological, genetic, mental, economic, cultural or social identity.
    Data processing means any operation or sequence of operations carried out by automated or non-automated means with personal data or sets of personal data, such as collection, recording, sorting, systematization, storage, adaptation or change, extraction, familiarization, use, disclosure by transmission, distribution or otherwise making it possible to use them, as well as juxtaposition or combination with other data, restriction, deletion or destruction.
    Automated method refers to actions performed wholly or partially by automatic means.
    Data Subject means the natural person whose Data is processed.
    Third Party Means a natural or legal person, public authority, agency or other body that is not the data subject, data controller, data processor, or persons who are authorized to process personal data by direct authorization of the data controller or data processor.
    Technical and organizational measures mean measures designed to protect Data from accidental or unlawful destruction, alteration, disclosure, as well as from any other unlawful processing. The aforementioned measures must ensure a level of security that corresponds to the nature of the Data to be stored and the risks posed by its handling.
    Consent - any freely given, specific and unambiguous expression of the will of a properly informed data subject by means of a statement or unequivocal actions by which he agrees to the processing of personal data related to him
    1.1. In the rules:
    (a) words in the plural have the same meaning as those words used in the singular and vice versa;
    (b) the use of a specific gender (masculine or feminine) in the text must be interpreted as the use of either of these genders;
    (c) the word "includes" or "including" means "includes without limitation" or "including but not limited to" respectively;
    (d) references to clauses, annexes and other provisions are references to clauses, annexes and provisions of these rules.
    2. GENERAL PROVISIONS
    2.1. These rules regulate the processing of personal data by the Data Processor on behalf of the Data Controller.
    2.2. The purpose of the rules for processing personal data in the company is to regulate the processing of personal data in the company, in accordance with the General Data Protection Regulation of the European Union No. 2016/679, the Law on Legal Protection of Personal Data of the Republic of Lithuania and to ensure compliance and implementation of other related legal acts.
    2.3. The nature, subject and purpose of the processing of personal data - which is carried out by the Data Processor on behalf of the Data Controller - as well as information related to the type of personal data processed and the categories of data subjects, are specified in Appendix 1 of these Rules.
    3. EFFECTIVENESS OF RULES
    3.1. Compliance with these rules is mandatory for the Data Processor and the Data Controller in accordance with the General Data Protection Regulation.
    3.2. These rules are valid as long as the Data Controller processes personal data on behalf of the Data Controller. 3.3. At the request of the Data Controller, the Data Processor must stop its ongoing data processing activities and - if the Data Controller so wishes and unless otherwise provided by the applicable data protection legislation - must delete or return all personal data to the data controller, simultaneously deleting all available copies of such data.
    4. OBLIGATIONS OF THE DATA PROCESSOR
    4.1. The data processor has implemented appropriate technical and organizational measures to ensure that the processing of personal data carried out by him in accordance with the provisions of these Rules meets the requirements of the applicable data protection legislation, specifically the requirements of the General Data Protection Regulation, and guarantees the protection of the data subject's rights.
    4.2. The Data Processor undertakes to process personal data only in accordance with the written instructions provided by the Data Controller, except in cases where the applicable legal acts determine otherwise. In such a case, before starting to process personal data, the Data Processor must inform the Data Controller about such a legal requirement, as far as legal acts allow. If the Data Processor does not have instructions on how to process personal data in a specific situation, or if any instruction violates the applicable data protection legislation, the Data Processor must immediately inform the Data Controller.
    4.3. The Data Processor, taking into account the nature of data processing and using appropriate technical and organizational measures to the extent possible, helps the Data Controller to fulfill the Data Controller's obligation to respond to requests to exercise the Data Subject's rights. According to these Rules, the Data Subject's rights include the rights to request information and - at the request of the Data Subject - to correct, destroy personal data or suspend personal data processing actions.
    4.4. The Data Processor, taking into account the nature of Data Processing and available information, helps the Data Controller to fulfill specific obligations in accordance with applicable data protection legislation. Specific obligations include data processing security (Article 32 of the General Data Protection Regulation), notification of a personal data breach (Articles 33-34 of the General Data Protection Regulation) and data protection impact assessment and prior consultation (General Data Protection Regulation Articles 35-36 of the Protection Regulation).
    4.5. The Data Processor undertakes to provide the Data Controller with all information and provide him with all assistance in order to prove that the obligations assumed under these Rules are fulfilled.
    5. AUXILIARY DATA PROCESSORS
    5.1. The Data Controller confirms that the Data Processor can also use other companies specified in the Appendix to the Rules as auxiliary data processors. The Data Controller informs the Data Controller of all planned changes related to the use or replacement of auxiliary data processors, and the Data Controller has the right to disagree with such changes.
    5.2. The Data Processor ensures and, at the request of the Data Controller, confirms with documents that the auxiliary data processors are bound by written contracts, according to which - in addition to the obligations set out in these Rules - they must fulfill the relevant data processing obligations. The Data Processor is fully responsible to the Data Controller for the obligations performed by the auxiliary data processors.
    5.3. The Data Controller may request that the Data Processor verify the subsidiary data processor or provide confirmation that such verification has been carried out.
    6. TRANSFER OF DATA TO THIRD PARTIES
    6.1. The obligation to process personal data in accordance with the Rules can only be performed in a member state of the European Union (EU) or a member state of the European Economic Area (EEA). Any transfer of personal data to a country that is not an EU or EEA member state can only be carried out with the prior written consent of the Data Controller and only if the special conditions specified in the applicable data protection legislation, Chapter V of the General Data Protection Regulation are met.
    6.2. The data controller may at any time withdraw his consent to the transfer of data to third parties in accordance with clause 6.1 of these rules. In such a case, the Data Controller must immediately terminate the transfer of data and, at the Data Controller's request, provide written confirmation of such termination.
    7. INFORMATION SECURITY AND CONFIDENTIALITY
    7.1. The data processor ensures adequate protection of personal data in accordance with these Rules with the aim of protecting personal data from destruction, alteration, unauthorized distribution or unauthorized access. Personal data is also protected against other types of illegal processing.
    7.2. The data processor prepares and constantly updates the description of its technical, organizational and physical measures so that it meets the requirements of the applicable data protection legislation.
    7.3 When collecting and processing personal data, the principles of expediency and proportionality are observed, the Data subject is not required to provide data that is not necessary.
    7.4. Only those data that are necessary for providing quality services, including consulting on the Company's products and services, are collected.
    7.5. The personal data of the data subject can be accessed only by employees of the Company with the relevant competence and/or third parties that the Company has used to provide the service, and only in cases where it is necessary to provide the service.
    7.6. Without the prior written consent of the Data Controller, the Data Processor undertakes not to disclose personal data processed in accordance with these Rules or otherwise allow access to them to any Third Party, except for auxiliary data processors who are used in accordance with these Rules.
    7.7. The data processor ensures that all persons involved in the processing of personal data are committed to ensuring confidentiality or that they are subject to the corresponding confidentiality obligation established by law.
    8. LIABILITY
    8.1. The Data Subject must provide the Company with complete and correct personal data of the Data Subject and inform about the relevant changes in the Data Subject's personal data. The company will not be responsible for the damage caused to the Data Subject and/or third parties due to the fact that the Data Subject provided incorrect and/or incomplete personal data or did not properly and timely inform about their changes.
    8.2. The Company is not responsible for connection failures, due to which users of the Company's website and other persons cannot access the website or use the services.
    8.3. The Company cannot fully guarantee that the functioning of the Company's website will be uninterrupted and without any interruptions and errors, that the Company's website will be completely protected from viruses or other harmful components. The Data Subject is informed that any material that the Data Subject reads, downloads or otherwise receives using the Company's website is obtained exclusively at the Data Subject's discretion and risk, and the Data Subject is solely responsible for any damage caused to the Data Subject and the Data Subject's computer system.
    8.4. If the Data Subject is a registered user of the Company's website (when such an opportunity is provided by the Company), the Data Subject assumes all risk and responsibility for the actions of third parties on the Company's website, carried out using the Data Subject's login data, and undertakes to fulfill all obligations undertaken using the Data Subject's login data.
    9. CHANGE OF RULES
    9.1. The company has the right to partially or completely change the Rules by announcing it on the website.
    9.2. Additions or changes to the rules take effect from the date of their publication, i.e. i.e. from the day they are placed on the website.
    9.3. If the Data Subject does not agree with the new version of the Rules, the Data Subject has the right to refuse to use the services provided by the Company and the online store.
    9.4. If the Data Subject continues to use the services provided by the Company's website after the addition or amendment of the Rules, the Data Subject is deemed to agree to the new version of the Rules.
    10. PERIOD OF STORAGE OF DATA SUBJECTS' PERSONAL DATA
    Unless otherwise stated in this data protection policy or the laws of the Republic of Lithuania or other legal acts, we will protect:
    • Personal Data with expressed consent of the Subject of personal data for marketing, statistical, analytical purposes - 3 years.
    • All other received personal data, within the terms provided by laws and by-laws.
    11. FINAL PROVISIONS
    11.1. When the Data Subject visits the Company's website and provides information about himself to the Company's partners and/or employees, it is considered that the Data Subject has familiarized himself with and agrees with the provisions of these Rules.
    11.2. These Rules and relations arising on the basis of these Rules are governed by the law of the Republic of Lithuania.
    11.3. All disagreements arising from the implementation of these Rules shall be resolved through negotiations. In case of failure to reach an agreement, disputes are resolved in accordance with the procedure established by the legal acts of the Republic of Lithuania.
      

 

 

© 2024 MB "Gamtos dovanos". Without MB "Gamtos dovanos" confirmation any use or copying of site content is prohibited.
Rent an e-shop verskis.lt