The purpose of the Rules of Personal Data Processing of NordBaltic Solutions, UAB (hereinafter ‘the Rules’) is to regulate the processing of personal data at NordBaltic Solutions, UAB, ensuring compliance with and implementation of the requirements of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter ‘the Regulation (EU) 2016/679’), the Law on Legal Protection of Personal Data of the Republic of Lithuania and other legal acts governing the processing and protection of personal data.
The purpose of these Rules is to provide for the general principles of personal data processing and exercise of the data subject’s rights, as well as for the technical and organisational measures concerning data security.
The Rules have to be observed by all persons who work with NordBaltic Solutions, UAB under employment contracts (hereinafter referred to as ‘employees’) or service providers who work with NordBaltic Solutions, UAB on the basis of individual activity certificates or copyright/service contracts (hereinafter referred to as ‘service providers’) and process personal data held by NordBaltic Solutions, UAB or acquire access to such data in the course of performance of their duties or provision of their services. Access to personal data may only be granted to those employees and service providers who need personal data to perform their job functions.
Terms and definitions used for the purposes of the Rules:
Other terms used for the purposes of the Rules correspond to the terms set forth by Regulation (EU) 2016/679 and the Law on the Legal Protection of Personal Data of the Republic of Lithuania.
NordBaltic Solutions, UAB processes personal data for the following purposes:
In performing their functions and processing personal data, employees and service providers at NordBaltic Solutions, UAB have to comply with the general requirements for the processing of personal data:
NordBaltic Solutions, UAB collects personal data strictly in accordance with the procedure established by legal acts, and obtains such data from the following sources:
The following time limits for the storage of personal data shall be established:
NordBaltic Solutions, UAB shall ensure that all necessary information is provided to the data subject in a clear and comprehensible manner.
In cases and in accordance with the procedure established by legal acts, NordBaltic Solutions, UAB may, where NordBaltic Solutions, UAB is required to do so by laws or other legal acts, provide personal data processed by it to third parties based on the respective request from the data recipient (in case of one-time data provision) or a contract for the provision of personal data concluded between NordBaltic Solutions, UAB and the data recipient (in case of multiple provision).
NordBaltic Solutions, UAB implements appropriate organisational and technical data security measures to protect personal data against accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing.
Where personal data of data subjects change and the data subjects inform NordBaltic Solutions, UAB in writing in this regard, such data shall be updated by erasing the irrelevant personal data and entering the relevant personal data.
When destroying documents that have expired, the documents of NordBaltic Solutions, UAB containing personal data and any copies thereof must be destroyed in such a way that the documents cannot be reproduced and their content cannot be determined.
Documents submitted by data subjects and any copies of such documents, as well as financing, accounting and reporting, archival or other files containing personal data must be stored in locked cabinets or rooms. Documents containing personal data shall not be kept in a place visible and accessible to all, so as to prevent easy access to such documents by any unauthorised persons.
Information containing personal data shall be sent only by secure e-mail.
Personal data files stored on the computers of employees or service providers must be password-protected or encrypted. Employees and service providers are personally responsible for the protection of the data on the personal devices they use.
Passwords for access to personal computers have to be provided, changed and stored in a confidential manner. They have to be unique, consist of at least 8 characters without using personal information, and be changed periodically, at least once in 3 months, as well as, in certain circumstances (in the event of a replacement of an employee, a threat of a hack, suspicion that the password has become known to third parties, etc.), at the time of the user’s first login. Employees and service providers of NordBaltic Solutions, UAB may only use the passwords for access to personal data personally and may not disclose them to any third parties.
The computer equipment of NordBaltic Solutions, UAB must be protected against malicious software (by installing and updating antivirus software, etc.). The employee or service provider responsible for computer maintenance has to ensure that personal data files concerning the personal data processed at computer workstations are backed up. In the event of loss or damage to personal data, the employee responsible has to restore them within 24 hours.
In the event of a personal data breach, the employee or service provider has to notify the head of NordBaltic Solutions, UAB immediately. The head of NordBaltic Solutions, UAB or a person responsible appointed by him shall take all necessary measures to eliminate the consequences of the breach and to recover the personal data. The State Data Protection Inspectorate and data subjects whose rights and freedoms have been violated shall be informed about the personal data breach in accordance with the procedure established by legal acts.
Access to personal data may be granted only to those employees or service providers of NordBaltic Solutions, UAB who need to access personal data for the performance of their job functions.
The external service provider (data processor) shall start processing personal data as of the date of signature of the contract for the provision of data processing services or as of the date specified in that contract. The external service provider loses the right to process personal data when the respective contract expires or is terminated.
An employee or a service provider of NordBaltic Solutions, UAB who processes personal data of data subjects has to:
NordBaltic Solutions, UAB ensures the exercise of the rights of the data subjects (including its employees), i.e., the data subject is guaranteed the right to know about the processing of his or her personal data, to have access to his or her personal data and receive information on how they are processed, to request the rectification or erasure of the data subject’s personal data or to suspend their processing, except for the storage.
Information to data subjects on the processing of their personal data shall be provided on the Internet portal: www.nordbalticsolutions.lt, www.nordbalticsolutions.com, indicating the following:
that the data controller processing the personal data of data subjects is NordBaltic Solutions, UAB, legal entity code: 302897644, registered office address: H. Manto Str. 22, Klaipėda;
the scope of personal data of data subjects processed by NordBaltic Solutions, UAB and the purposes of personal data processing, as specified in Chapter II of these Rules;
that personal data shall be provided to third parties only in the cases and according to the procedure established by laws and other legal acts.
A data subject, having submitted an identity document to NordBaltic Solutions, UAB or confirmed his or her identity in accordance with the procedure established by legal acts or by electronic means that allow a proper identification of a person, shall have the right, free of charge, to access his or her data processed by NordBaltic Solutions, UAB and receive information concerning the sources from which such data have been obtained and the particular data that have been collected, the purposes for which they are processed, and the data recipients to whom the personal data may be provided and have been actually provided within the past year.
Upon receipt of the data subject’s request, NordBaltic Solutions, UAB shall, no later than within 20 calendar days of the date of receipt of the data subject’s request, respond, indicating whether personal data of the data subject are processed, and provide the requested data or the reasons for refusing to satisfy the request. At the request of the data subject, such data shall be provided in writing.
Where, having accessed his or her personal data, the data subject finds out that his or her personal data are incorrect, incomplete or inaccurate and contacts NordBaltic Solutions, UAB in this regard, NordBaltic Solutions, UAB shall immediately verify the personal data and, at the data subject’s written request submitted in person, by post or by electronic means, shall immediately rectify any incorrect/inaccurate or supplement any incomplete personal data processed by NordBaltic Solutions, UAB and/or suspend the processing of such personal data, except for storage, until any incorrect/inaccurate personal data are rectified, incomplete personal data are supplemented or personal data are erased.
In case of doubt regarding the accuracy of the personal data provided by the data subject, NordBaltic Solutions, UAB shall suspend the processing of such data, verify and correct them. Such personal data may only be used to verify their accuracy.
NordBaltic Solutions, UAB shall immediately notify the data subject of the rectification or erasure of personal data/suspension of personal data processing operations that have or have not been performed at the request of the data subject. NordBaltic Solutions, UAB shall also immediately notify data recipients of the rectification or erasure of personal data or suspension of processing carried out at the request of the data subject, unless it proves impossible or involves disproportionate effort.
Where the data subject does not consent to the processing of his or her personal data, the data subject may object to such processing by submitting a relevant written notice to NordBaltic Solutions, UAB in person, by post or by electronic means.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. The above right shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
At the request of the data subject, NordBaltic Solutions, UAB shall notify the data subject of the termination or refusal to terminate the processing operations of personal data concerning the data subject.
NordBaltic Solutions, UAB has to create conditions for the data subject to exercise the rights established in this Chapter VI, except for the cases established by law.
In order to exercise the rights provided for in this Chapter VI, the data subject shall submit a written request, indicating the purpose of the request and the data subject’s name, surname, place of residence and contact details for communicating with him or her. Where a request concerning the exercise of the data subject’s rights is submitted by a data subject’s representative, the request has to indicate the name, surname and place of residence of the representative, as well as the name, surname and place of residence of the person being represented, and a document proving the basis for the representation has to be submitted along with the request.
All requests submitted to NordBaltic Solutions, UAB in writing, including in electronic form, have to be signed by the data subject or his or her representative.
A written request of a data subject may be submitted in person, by post or by electronic means.
Information to the data subject, depending on his or her request, may be provided orally; by giving access to the respective document; by submitting a certificate, an extract from the document, a paper copy of the document or electronic media; or by providing access to the information file. If a request does not specify the information submission form, NordBaltic Solutions, UAB shall submit it in the same form as the relevant request.
Where any private information is sent to the data subject by post, it may only be sent by registered mail.
Printed written information notices sent or provided to data subjects (natural persons) concerning services provided to data subjects (natural persons), invoices, employee payslips submitted by the employer, and individual offers of commercial nature intended for data subjects (natural persons) that contain personal data of data subjects (natural persons), including but not limited to the name, surname and place of residence of a person, have to be provided in a closed form, which may indicate only the information necessary for postal services, and the content of such notices may be visible only to the data subject (natural person) to whom the notice is addressed or, with the relevant data subject’s consent, to a third party after opening or unpacking the notice. The above provisions shall not apply if the said notices are served on personal data subjects (natural persons) personally and confidentially.
Information shall be provided in Lithuanian.
Complaints concerning actions or omissions of NordBaltic Solutions, UAB related to the exercise of the data subject’s rights may be lodged with the State Data Protection Inspectorate.
Employees and service providers of NordBaltic Solutions, UAB shall acquaint themselves with these Rules through the Dokobit system, with a signed confirmation of having done so.
The head of NordBaltic Solutions, UAB is responsible for the supervision and control of compliance with the Rules, and for a periodic review thereof carried out at least once in 2 years.
Employees and service providers of NordBaltic Solutions, UAB and members of NordBaltic Solutions, UAB who violate the requirements of the Rules shall be liable in accordance with the procedure established by the legal acts of the Republic of Lithuania.
Training on personal data processing and security issues for employees, service providers and members of NordBaltic Solutions, UAB shall be organised periodically, but not less frequently than once a year. The head of NordBaltic Solutions, UAB is responsible for organising the training.
In the event of any changes in the requirements of legal acts regarding the protection of personal data, the person responsible for reviewing and amending, where necessary, the company’s internal documentation and the provisions of agreements with service providers shall be the head of NordBaltic Solutions, UAB.