GDPR

NORDBALTIC SOLUTIONS, UAB
RULES OF PERSONAL DATA PROCESSING

CHAPTER I
GENERAL PROVISIONS

The purpose of the Rules of Personal Data Processing of NordBaltic Solutions, UAB (hereinafter ‘the Rules’) is to regulate the processing of personal data at NordBaltic Solutions, UAB, ensuring the compliance with and implementation of the requirements of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter ‘the Regulation (EU) 2016/679’), the Law on Legal Protection of Personal Data of the Republic of Lithuania and other legal acts governing the processing and protection of personal data.
The purpose of these Rules is to provide for the general principles of personal data processing and exercise of the data subject’s rights, as well as for the technical and organisational measures concerning data security.
The Rules have to be observed by all persons who work with NordBaltic Solutions, UAB under employment contracts (hereinafter referred to as ‘employees’) or service providers who work with NordBaltic Solutions, UAB on the basis of individual activity certificates or copyright/service contracts (hereinafter referred to as ‘service providers’) and process personal data held by NordBaltic Solutions, UAB or acquire access to such data in the course of performance of their duties or provision of their services. Access to personal data may only be granted to those employees and service providers who need personal data to perform their job functions.
Terms and definitions used for the purposes of the Rules:

  • ‘personal data’ – any information relating to an identified or identifiable natural person or an employee (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • ‘personal data breach’ – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
  • ‘data subject’ – a natural person or employee whose personal data is processed by NORDBALTIC SOLUTIONS, UAB or external service providers (‘data processors’) authorised by it;
  • ‘data controller’ – Nord Baltic Solutions, UAB; H. Manto Str.22, Klaipėda;
  • ‘user of data’ – means an employee of the data controller who has the right to use personal data for the performance of the functions assigned to him or her;
  • ‘data recipient’ – a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not;
  • ‘data processor’ – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller;
  • ‘data processing’ – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, as well as alignment or combination, restriction, erasure or destruction;
  • ‘profiling’ – any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
  • ‘special categories of personal data’ – personal data concerning racial or ethnic origin of a natural person, his or her political opinions or religious, philosophical or other beliefs, membership in trade unions, as well as genetic data, biometric data aimed at identification of a natural person, and the data concerning natural person’s health, sex life and sexual orientation;
  • ‘consent’ – any freely given clear affirmative action, signifying data subject’s agreement to the processing of personal data relating to him or her for the purposes known by him or her;
  • ‘direct marketing’ – an activity intended for offering goods or services to individuals by post, telephone or any other direct means and/or for obtaining their opinion about the offered goods or services;
  • ‘internal administration – activity which ensures an independent functioning of the data controller (structure administration, personnel management, management and use of available material and financial resources, and clerical work).

Other terms used for the purposes of the Rules correspond to the terms set forth by Regulation (EU) 2016/679 and the Law on the Legal Protection of Personal Data of the Republic of Lithuania.

CHAPTER II
PROCESSING OF PERSONAL DATA

NordBaltic Solutions, UAB processes personal data for the following purposes:

  • Conclusion and performance of contracts with clients and service providers, and compliance with accounting requirements. The following personal data are processed:
    • Conclusion and performance of contracts with clients and service providers (natural and legal persons): the name, surname, position, e-mail address and/or telephone number of a client/service provider or of an employee (representative) of the client/service provider.
    • Compliance with accounting requirements: The personal data of the employees of customers or service providers specified in the invoices are processed – the name, surname and other specified data. In any case, the administration of the accounts shall process those personal data that have to be provided in accordance with the requirements laid down by legal acts.
    • Posting customer feedback on the website of NordBaltic, UAB. The following personal data are processed: the name, surname and position of the employee (representative) of a client or partner, and his or her feedback on the services provided by us.
    • Examination and execution of requests or queries. The following personal data are processed: the name, surname, contact details (telephone number or e-mail address) and other details provided in the request or query.
    • Conducting job interviews and evaluating candidates, where a candidate submits his or her CV and other personal data. The following personal data are processed: general personal data of a candidate for a job: the name, surname, date of birth, data on place of residence, e-mail address, telephone number, information on work experience (workplace, period of work, position, responsibilities, achievements), information on education (educational institution, period of studies, education and qualifications obtained), information on in-service trainings (completed training courses, certificates obtained), information on the languages known by the candidate and level of proficiency in such languages, information on candidate’s IT and driving skills, other competencies and other information that a candidate for a job provides in his or her Curriculum Vitae (CV), cover/motivation letter (if any) or other documents related to application for a job;
    • Information concerning candidate’s evaluation: summary of the interview with the candidate, opinions and observations of the person (s) conducting the selection, results of testing of the candidate (if any).
  • Staff administration and temporary employment (staff hire). The following personal data are processed:
    • General personal data of a worker: the name, surname, date of birth, data on place of residence, e-mail address, telephone number, information on work experience (workplace, period of work, position, responsibilities, achievements), information on education (educational institution, period of studies, education and qualifications obtained), information on in-service trainings (completed training courses, certificates obtained), information on the languages known by the candidate and level of proficiency in such languages, information on candidate’s IT and driving skills, other competencies and other information that a candidate for a job provides in his/her Curriculum Vitae (CV), cover/motivation letter (if any) or other documents.
    • Administration of trainings and events organised by NordBaltic Solutions, UAB. The following personal data are processed: participant’s personal name and surname, place of work, telephone number, e-mail address, personal identification number, personal document number.
    • Administration of e-mail users, management of the www.nordbalticsolutions.lt and www.nordbalticsolutions.com portals, installation and maintenance of information systems and computer workstations. The following personal data are processed: the name, surname, and e-mail address of a person.
    • Processing and internal administration of the data and documentation of employees working under employment contracts. The following personal data are processed: the name and surname, date of birth, personal identification number, citizenship, place of residence, name of the workplace, position, personal bank account (for the purpose of transferring employee’s salary), and the number of the identity document of a person.
    • Sending direct marketing notifications or other information to data subjects. The following personal data are processed: the name, surname and e-mail address.
  • The following information systems are used for the automated processing of data:
    • Email;
    • Facebook and Linkedin;
    • Employee data are processed in the following systems: Sodra database, STI electronic declaration system, Sodra electronic system for the insured, electronic statistical data preparation and transmission system (e-Statistics), STI (declaration data), STI, E-government gateway portal.

CHAPTER III
GENERAL REQUIREMENTS FOR THE PROCESSING AND PROTECTION OF PERSONAL DATA

In performing their functions and processing personal data, employees and service providers at NordBaltic Solutions, UAB have to comply with the general requirements for the processing of personal data:

  • personal data shall be collected for the purposes specified in Item 6 of these Rules and subsequently processed in a manner compatible with those purposes;
  • personal data shall be processed accurately, fairly and lawfully;
  • personal data must be accurate and, where necessary for the processing of the personal data, kept up to date; any inaccurate or incomplete data must be rectified, supplemented, erased or processing thereof suspended;
  • personal data must be adequate, relevant and limited to what is necessary for the collection and further processing of such data;
  • personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and for which they are processed;
  • personal data shall be processed in accordance with the requirements for the processing of personal data established in Regulation (EU) 2016/679, the Law on the Legal Protection of Personal Data of the Republic of Lithuania and other legal acts.


NordBaltic Solutions, UAB collects personal data strictly in accordance with the procedure established by legal acts, and obtains such data from the following sources:

  • directly from the data subject who fills in the electronic form at www.nordbalticsolutions.com or from candidates for a job who send their CVs to the company’s e-mail addresses;
  • from an employee or service provider when they sign an employment contract or service contract;
  • under a personal data provision or cooperation agreement (in the case of multiple collection of personal data);
  • upon submission of a request to the data controller, which must specify the purpose of the use of personal data, the legal basis for the provision and receipt thereof, and the scope of the personal data requested (in case of one-time collection of personal data).


The following time limits for the storage of personal data shall be established:

  • questionnaires of candidates for a job: 3 (three) years;
  • customer feedback questionnaires: 3 (three) years;
  • personal files of employees: in accordance with the procedure established by legal acts.
  • contracts with service providers and other related information: 10 (ten) years after the end of the contract.


NordBaltic Solutions, UAB shall ensure that all necessary information is provided to the data subject in a clear and comprehensible manner.
In cases and in accordance with the procedure established by legal acts, NordBaltic Solutions, UAB may, where NordBaltic Solutions, UAB is required to do so by laws or other legal acts, provide personal data processed by it to third parties based on the respective request from the data recipient (in case of one-time data provision) or a contract for the provision of personal data concluded between NordBaltic Solutions, UAB and the data recipient (in case of multiple provision).

CHAPTER IV
SPECIAL REQUIREMENTS FOR THE PROCESSING OF PERSONAL DATA

NordBaltic Solutions, UAB implements appropriate organisational and technical data security measures to protect personal data against accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing.
Where personal data of data subjects change and the data subjects inform NordBaltic Solutions, UAB in writing in this regard, such data shall be updated by erasing the irrelevant personal data and entering the relevant personal data.
When destroying documents that have expired, the documents of NordBaltic Solutions, UAB containing personal data and any copies thereof must be destroyed in such a way that the documents cannot be reproduced and their content cannot be determined.
Documents submitted by data subjects and any copies of such documents, as well as financing, accounting and reporting, archival or other files containing personal data must be stored in locked cabinets or rooms. Documents containing personal data shall not be kept in a place visible and accessible to all to prevent easy access to such documents to any unauthorised persons.
Information containing personal data shall be sent only by secure e-mail.
Personal data files stored on the computers of employees or service providers must be password-protected or encrypted. Employees and service providers are personally responsible for the protection of the data on the personal devices they use.
Passwords for access to personal computers have to be provided, changed and stored in a confidential manner, and be unique, consist of at least 8 characters without using personal information, and changed periodically at least once in 3 months, as well as, in certain circumstances (in the event of a replacement of an employee, a threat of a hack, suspicion that the password has become known to third parties, etc.), at the time of the user’s first login. Employees and service providers of NordBaltic Solutions, UAB may only use the passwords for access to personal data personally and may not disclose them to any third parties.
The computer equipment of NordBaltic Solutions, UAB must be protected against malicious software (by installing and updating antivirus software, etc.). The employee or service provider responsible for computer maintenance have to ensure that personal data files concerning the personal data processed at computer workstations are backed up. In the event of loss or damage to personal data, the employee responsible has to restore them within 24 hours.
In the event of a personal data breach, the employee or service provider has to notify the head of NordBaltic Solutions, UAB immediately. The head of NordBaltic Solutions, UAB or a person responsible appointed by him shall take all necessary measures to eliminate the consequences of the breach and to recover the personal data. The State Data Protection Inspectorate and data subjects whose rights and freedoms have been violated shall be informed about the personal data breach in accordance with the procedure established by legal acts.

CHAPTER V
REQUIREMENTS FOR PERSONS PROCESSING PERSONAL DATA

Access to personal data may be granted only to the employee or service provider of NordBaltic Solutions, UAB who need to access personal data for the performance of their job functions.
The external service provider (data processor) shall start processing personal data of the date of signature of the contract for the provision of data processing services or of the date specified in that contract. The external service provider loses the right to process personal data when the respective contract expires or is terminated.
An employee or a service provider of NordBaltic Solutions, UAB who processes personal data of data subjects has to:

  • comply with the general requirements for the processing of personal data and security requirements established by Regulation (EU) 2016/679, the Law on the Legal Protection of Personal Data of the Republic of Lithuania, these Rules and other legal acts;
  • observe the principle of confidentiality and keep confidential any information relating to the personal data that becomes known to him or her in the performance of job functions, unless such information is public in accordance with the provisions of the laws or other legal acts in force. The obligation to maintain the confidentiality of personal data also applies in the event of transfer to another position or the termination of the employment or service provision relationship with NordBaltic Solutions, UAB;
  • observe the organisational and technical security measures concerning personal data, as set out in these Rules, in order to prevent any accidental or unlawful destruction, alteration, disclosure and any other unlawful processing of personal data, as well as protect documents, data files and data stored in databases and avoid making unnecessary copies thereof;
  • not disclose, transfer or facilitate access to personal data by any means to any person who is not authorised to process personal data; and
  • notify the manager immediately of any suspicious situation that may endanger the security of personal data processed by NordBaltic Solutions, UAB.
  • Employees and service providers of NordBaltic Solutions, UAB performing personal data processing functions and having access to personal data processed by NordBaltic Solutions, UAB shall sign a confidentiality agreement in the prescribed form (the form is attached as an annex to the Rules), which shall be safe-kept in the personal file of the respective employee or service provider.
  • The right of employees or service providers of NordBaltic Solutions, UAB to process the personal data of data subjects shall expire when their employment or service provision relationship with NordBaltic Solutions, UAB is terminated or when they are assigned to perform functions not related to data processing. The right of such employee or service provider to access the personal data in information systems shall be revoked immediately. The employee or service provider shall immediately transfer any customer-related personal data to NordBaltic Solutions, UAB and shall delete all copies relating to such data from their personal devices.

CHAPTER VI
EXERCISE OF DATA SUBJECT’S RIGHTS

NordBaltic Solutions, UAB ensures the exercise of the rights of the data subjects (including its employees), i.e., the data subject is guaranteed the right to know about the processing of his or her personal data, to have access to his or her personal data and receive information on how they are processed, to request the rectification or erasure of the data subject’s personal data or to suspend their processing, except for the storage.
Information to data subjects on the processing of their personal data shall be provided on the Internet portal: www.nordbalticsolutions.lt, www.nordbalticsolutions.com, indicating the following:
that the data controller processing the personal data of data subjects is NordBaltic Solutions, UAB, legal entity code: 302897644, registered office address: H. Manto Str.22, Klaipėda;
the scope of personal data of data subjects processed by NordBaltic Solutions, UAB and the purposes of personal data processing, as specified in Chapter II of these Rules;
that personal data shall be provided to third parties only in the cases and according to the procedure established by laws and other legal acts.
A data subject, having submitted an identity document to NordBaltic Solutions, UAB or confirmed his or her identity in accordance with the procedure established by legal acts or by electronic means that allow a proper identification of a person, shall have the right, free of charge, to access his or her data processed by NordBaltic Solutions, UAB and receive information concerning the sources from which such data have been obtained and the particular data that have been collected, the purposes for which they are processed, and the data recipients to whom the personal data may be provided and have been actually provided within the past year.
Upon receipt of the data subject’s request, NordBaltic Solutions, UAB shall, no later than within 20 calendar days of the date of receipt of the data subject’s request, respond, indicating whether personal data of the data subject are processed, and provide the requested data or the reasons for refusing to satisfy the request. At the request of the data subject, such data shall be provided in writing.
Where, having accessed his or her personal data, the data subject finds out that his or her personal data are incorrect, incomplete or inaccurate and contacts NordBaltic Solutions, UAB in this regard, NordBaltic Solutions, UAB shall immediately verify the personal data and, at the data subject’s written request submitted in person, by post or by electronic means, rectifies immediately any incorrect/inaccurate or supplements incomplete personal data processed by NordBaltic Solutions, UAB and/or suspends the processing of such personal data, except for storage, until any incorrect/inaccurate personal data are rectified, incomplete personal data are supplemented or personal data are erased.
In case of doubt regarding the accuracy of the personal data provided by the data subject, NordBaltic Solutions, UAB shall suspend the processing of such data, verify and correct them. Such personal data may only be used to verify their accuracy.
NordBaltic Solutions, UAB shall immediately notify the data subject of the rectification or erasure of personal data/suspension of personal data processing operations that have or have not been performed at the request of the data subject. NordBaltic Solutions, UAB shall also immediately notify data recipients of the rectification or erasure of personal data or suspension of processing carried out at the request of the data subject, unless it proves impossible or involves disproportionate effort.
Where the data subject does not consent to the processing of his or her personal data, the data subject may object to such processing by submitting a relevant written notice to NordBaltic Solutions, UAB in person, by post or by electronic means.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. The above right shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
At the request of the data subject, NordBaltic Solutions, UAB shall notify the data subject of the termination or refusal to terminate the processing operations of personal data concerning the data subject.
NordBaltic Solutions, UAB has to create conditions for the data subject to exercise the rights established in this Chapter VI, except for the cases established by law.
In order to exercise the rights provided for in this Chapter VI, the data subject shall submit a written request, indicating the purpose of the request and the data subject’s name, surname, place of residence and contact details for communicating with him or her. Where a request concerning the exercise of the data subject’s rights is submitted by a data subject’s representative, the request has to indicate the name, surname and place of residence of the representative, as well as the name, surname and place of residence of the person being represented, and a document proving the basis for the representation has to be submitted along with the request.
All requests submitted to NordBaltic Solutions, UAB in writing, including in electronic form, have to be signed by the data subject or his or her representative.
A written request of a data subject may be submitted in person, by post or by electronic means.
Information to the data subject, depending on his or her request, may be provided orally; giving access to the respective document; submitting a certificate, an extract from the document, a paper copy of the document or electronic media; providing access to the information file. If a request does not specify the information submission form, NordBaltic Solutions, UAB shall submit it in the same form as the relevant request.
Where any private information is sent to the data subject by post, it may only be sent by registered mail.
Printed written information notices sent or provided to data subjects (natural persons) concerning services provided to data subjects (natural persons), invoices, employee payslips submitted by the employer, and individual offers of commercial nature intended to data subjects (natural persons) that contain personal data of data subjects (natural persons), including but not limited to the name, surname and place of residence of a person, have to be provided in a closed form, which may indicate only the information necessary for postal services, and the content of such notices may be visible only to the data subject (natural person) to whom the notice is addressed or, with the relevant data subject’s consent, to a third party after opening or unpacking the notice. The above provisions shall not apply if the said notices are served on personal data subjects (natural persons) personally and confidentially.
Information shall be provided in Lithuanian.
Complaints concerning actions or omissions of NordBaltic Solutions, UAB related to the exercise of the data subject’s rights may be lodged with the State Data Protection Inspectorate.

CHAPTER VII
FINAL PROVISIONS

Employees and service providers of NordBaltic Solutions, UAB shall acquaint with these Rules through the Dokobit system with a signed confirmation of such acquainting.
The head of NordBaltic Solutions, UAB is responsible for the supervision and control of compliance with the Rules, and a periodic review thereof carried out at least once in 2 years.
Employees and service providers of NordBaltic Solutions, UAB and members of NordBaltic Solutions, UAB who violate the requirements of the Rules shall be liable in accordance with the procedure established by the legal acts of the Republic of Lithuania.
Trainings on personal data processing and security issues for employees, service providers and members of NordBaltic Solutions, UAB shall be organised periodically but not less frequently than once a year. The head of NordBaltic Solutions, UAB is responsible for organising the trainings.
In the event of any changes in the requirements of legal acts regarding the protection of personal data, the person responsible for reviewing and amending, where necessary, the company’s internal documentation and the provisions of agreements with service providers shall be the head of NordBaltic Solutions, UAB.

Privacy policy last revision: 08-06-2022

linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram