Data Protection Rules - Slėnis Trakuose

„Kempingas slėnyje“, UAB

RULES FOR PROCESSING PERSONAL DATA

The Personal Data Processing Rules of „Kempingas slėnyje“, UAB, legal entity code 181209770, registered office address Slėnio g. 1, LT-21121 Trakai (hereinafter - the Company), set out the basic procedures and principles for the processing (collection, use, storage, disclosure, transfer, destruction) of personal data.

DEFINITIONS

  1. ADTAĮ - Law on Legal Protection of Personal Data of the Republic of Lithuania No 63-1479 of 11 June 1996, as amended from time to time;
  2. Personal data - any information relating to a natural person from which it is possible to identify him or her, directly or indirectly, by reference to one or more factors specific to his or her physical, physiological, psychological, economic, cultural or social features. Personal data shall include personal identification data (e.g. name, surname, personal identification number), contact data (e.g. residential address, telephone number, e-mail address), biometric data (fingerprints, iris), etc.
  3. Automatic data processing - Processing of personal data wholly or partly by automated means.
  4. Manager - CEO of the Company;
  5. Employee - a natural person with whom the Company has entered into an employment contract or a contract of an analogous nature, on the basis of which the Company processes his/her data, and a person who, in the performance of his/her professional functions with the Company, has the right to process Personal Data;
  6. Data recipient - a natural or legal person, public authority, agency or other body to which the Company provides Personal Data;
  7. Data Subject - a natural person whose Personal Data is processed by the Controller;
  8. DPO - the designated Data Protection Officer, reachable at privatumas@capitalica.lt;
  9. EEA - a country that is a member of the European Economic Area;
  10. EU - European Union;
  11. IT Director - IT Director, SBA Group;
  12. Incident - an event that creates a likelihood of loss or disclosure of Personal Data or where Personal Data is lost and/or disclosed;
  13. IT systems - Information technology systems used by the Company, including information systems used for the processing of Personal Data;
  14. Supervisory authority - State Data Protection Inspectorate of the Republic of Lithuania;
  15. Regulation - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
  16. SBA Group - SBA Group companies acting together or individually. The company is part of the SBA Group;
  17. SBA Group Data Exchange Agreement - a joint agreement between all companies within the SBA Group to exchange Personal Data with each other. This agreement sets out the purposes and scope of the processing and the legal status of each of the companies;
  18. SBA Group Information Security Policy - a policy applicable to SBA Group companies on the implementation of technical and organisational measures for the protection of information, including the protection of Personal Data;
  19. Special categories of personal data - Personal data revealing a natural person's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; genetic, biometric, health, sex life, sexual orientation and criminal record data of a natural person used to identify a specific natural person;
  20. Consent - any freely given, specific and unambiguous indication of the will of a duly informed Data Subject, by means of a statement or unambiguous action, by which he or she consents to the processing of Personal Data concerning him or her;
  21. Rules - the Company's Personal Data Processing Rules, as amended from time to time (if any);
  22. Processing - Any act or series of acts performed by the Company or by a third party engaged by the Company in relation to Personal Data, whether or not by automated means, including the collection, recording, storage, accumulation, retention, classification, alteration (completion or correction), access, querying, transmission, disclosure, publication, use, retrieval, dissemination, or other act or set of acts, and the like;
  23. Processor - a natural or legal person, public authority, agency or other body that processes Personal Data on behalf of the Controller;
  24. Controller - a legal person who, alone or jointly with other data subjects, determines the purposes and means of processing.

GENERAL PROVISIONS

    1. The Company is a member of the SBA Group. By processing Personal Data, the Company pursues both the organisation and development of its own activities and, together with the other companies of the SBA Group, the common objectives of the SBA Group. To the extent necessary for the achievement of the Company's and/or SBA Group's specific objectives, the Company exchanges Personal Data with other SBA Group member companies. The exchange of Personal Data within the SBA Group is addressed in the SBA Group Data Exchange Agreement. Unless otherwise provided in the SBA Group Data Exchange Agreement, the Company and the other companies within the SBA Group shall always act as Controllers independent of each other.
    2. The protection of personal data in the Company shall be organised and enforced by the Manager, or by a responsible Employee appointed by the Manager.
    3. The DPO shall provide advice to the Company's employees on the processing of Personal Data and the proper implementation of the Regulation.
    4. If an employee receives a request from a Supervisory Authority, the police, a court or any third party relating to the processing of Personal Data (e.g. to provide a copy of the Personal Data, to provide an explanation of its processing), the request must be forwarded to the DPO without delay, but no later than the next working day.

LEGAL BASIS FOR PROCESSING PERSONAL DATA

    1. The Company processes personal data in accordance with the following legal grounds set out in the Regulation:
      1. the data subject has given consent to the processing of personal data concerning him or her by the Company for one or more specific purposes (Article 6(1)(a) of the Regulation);
      2. the processing of personal data of data subjects by the Company is necessary for the performance of a contract to which the data subject is a party or for the purpose of taking action at the request of the data subject prior to the conclusion of the contract (Article 6(1)(b) of the Regulation);
      3. the processing of personal data is necessary for compliance with a legal obligation to which the Company is subject (Article 6(1)(c) of the Regulation);
      4. the processing of personal data is necessary for the protection of the vital interests of the data subject or of another natural person (Article 6(1)(d) of the Regulation);
      5. the processing of personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company (Article 6(1)(e) of the Regulation);
      6. the processing of personal data is necessary for the legitimate interests of the Company or of a third party, unless such interests are overridden by the interests or the fundamental rights and freedoms of the data subject which require the protection of personal data (Article 6(1)(f) of the Regulation).

THE PURPOSES, MAIN CATEGORIES AND TYPES OF PROCESSING OF PERSONAL DATA

  • The processing of personal data within the company must be limited to what is necessary for the achievement of the relevant, clearly defined and legitimate purposes, taking into account the requirements for the protection of personal data.
  • The following main categories and types of personal data are processed by the company:
      1.  Personal data:
        1. identification data (e.g. name, surname, ID number, date of birth, passport/ID card details, etc.); 
        2. contact details (e.g. residential address, telephone number, email address, etc.);
        3. data from video surveillance and recording devices (e.g. video data, image data, vehicle number, etc.);
        4. data from direct marketing, newsletters and other communications (e.g. name, surname, email, fact of consent/information, date, etc.);
        5. Information system data (e.g. IP address, log files, session duration, metadata, etc.);
        6. Cookie data (e.g. session start, end, duration, unique ID code, etc.);
        7. Personal data on corporate social networking communications (e.g. name, photo, correspondence data, „following“ data, when the employee or customer accessed the account, etc.);
        8. Data collected during the application process for Company vacancies (e.g. CV, cover letter, etc.);
        9. data collected during recruitment and employment (e.g. holiday dates, work schedule data, salary data, etc.);
        10. service and contract data;
        11. financial details of customers when paying for services (e.g. bank account number, credit/debit card number, etc.);
        12. other personal data not listed in this section.
      2. Special categories of personal data:
        1. health data;
    1. The company uses cookies on its website. A cookie is a small text file that a website places on your computer or mobile device when you visit that website. Cookies are widely used to make websites work more efficiently and to provide useful information to the website owner.
    2. Cookies are used on a website when a person browsing the website agrees to the use of cookies. A person may withdraw consent at any time by changing the settings on his or her web browser, but in this case certain features of the website may not work.
    3. The company has the right to start using other types of cookies at any time if necessary.
    4. Given that the list of cookies is variable, information about the cookies currently in use is published on the Company's website, but not in these Rules.
    5. Detailed information on the categories and types of personal data processed by the Company is set out in the Register of Records of Data Processing Activities.

KEEPING A REGISTER OF RECORDS OF DATA PROCESSING ACTIVITIES

    1. The Company shall keep a record of its data processing activities, which shall contain, and be kept up to date with, the following factual information on the processing of personal data:
      1.  the purposes of processing personal data;
      2.  criteria for lawful processing of personal data; 
      3.  categories of data subjects;
      4.  categories of personal data;
      5.  retention periods for personal data;
      6.  data processors;
      7.  categories of recipients;
    2. The record of data processing activities shall be regularly, but at least once per calendar year, checked and updated to reflect the actual situation of the processing of personal data in the Company.
    3. The record of data processing activities shall be kept in written form. The electronic form stored on the Company's computer(s) shall be equivalent to the written form.
    4. The company may process personal data for no longer than is necessary to achieve the purposes of processing personal data, which are set out in the Register of Records of Data Processing Activities.
    5. The time limits for processing personal data depend on the type of document or contract in question and the basis for processing. The main terms of storage of personal data are specified in the Index of general terms of storage of documents, approved by the Order of the Chief Archivist of Lithuania No.V-100 of 9 March 2011 „On the Approval of the Index of general terms of storage of documents“, as well as in other legislation of the Republic of Lithuania and the Company's internal legal acts and documents.
    6. After the expiry of the retention period specified in the register of records of data processing activities, personal data shall be destroyed in such a way that the identity of the data subjects cannot be established.
    7. A model form for the register of records of data processing activities is set out in Annex 1 to these Rules.

OTHER CONDITIONS FOR PROCESSING PERSONAL DATA

    1. If the processing of personal data is based on consent, such processing must comply with the following conditions:
      1.  The company must be able to prove that the data subject has consented to the processing of his or her personal data;
      2.  the request for consent must be presented in a way that is clearly distinguishable from other questions, in a clear and easily accessible format, and in clear and plain language;
      3.  the data subject shall be informed of the right to withdraw his or her consent at any time;
      4.  Withdrawing consent should be as easy as giving it;
      5.  the consent must contain information on the data subjects' rights under the Regulation;
      6.  the consent must contain a reference to the Company's Privacy Policy and/or these Rules;
    2. A model form of „Consent to the processing of personal data“ is provided in Annex 2 to these Rules;
    3. The Company's employees are not allowed to change/amend the „Consent for Processing of Personal Data“ form without the approval of the DPO;
    4. If the processing of personal data is intended to be carried out on the basis of the criterion of legitimate interest for processing pursuant to Article 6(1)(f) of the Regulation, the DPO must assess whether it is necessary to carry out:
      1.  a personal data protection impact assessment;
      2.  an assessment of the legitimate interest (the 'balance test').
    5. If a new or existing activity/process/information technology is planned to be created, developed or changed in the Company and the employee of the Company's department responsible for the change assesses that such change may have a substantial and significant impact on the protection of personal data and compliance with the Regulation, the DPO shall be contacted for a conclusion/assessment;
    6. The company may carry out direct marketing or send other communications (e.g. newsletters) in the following cases:
      1.  only with the prior consent of the data subject and/or the client;
      2.  direct marketing is carried out and/or communications are sent using the contact details (email addresses or contact telephone numbers) of existing and/or former customers, provided that the subscriber is given a clear, free and easily enforceable opportunity to object to or opt-out of such use of the contact details for the purposes set out above, and provided that the customer has not objected to such use at the start of each communication.

USE OF PROCESSORS

    1. When cooperating with other companies outside the SBA Group, the Company shall only exchange Personal Data in accordance with written data processing agreements or the relevant provisions governing the protection of Personal Data in business contracts and/or their annexes.
    2. In such a case, authorised processors must ensure that appropriate technical and organisational measures for the protection of personal data are implemented and that compliance with such measures is ensured;
    3. The essential conditions for data processors are set out in the Company's standard form of the Agreement on the Processing of Personal Data to be signed between the Company and the data processor;
    4. In order to ensure that the processors used comply with the requirements of the Regulation and other legislation, or in the event of doubts that processors may be processing personal data only in partial compliance with the requirements of the Regulation, the Company shall be entitled to send a questionnaire to processors, a model form of which is set out in Annex 3 to these Rules, and, on the basis of the answers to this questionnaire, to determine whether the processor is complying adequately with the Regulation.

MANAGEMENT OF PERSONAL DATA BREACHES/INCIDENTS

    1. A personal data breach is any intentional or negligent violation of the protection of personal data resulting in:
      1.  the destruction, loss or alteration of personal data;
      2.  unauthorised disclosure of personal data to employees or third parties who are not authorised to process personal data;
      3.  unauthorised access to personal data;
    2. In the event of an incident, the Employee must inform the DPO, the Manager and/or the IT Director immediately, but no later than 8 hours after becoming aware of the incident.
    3. Detailed procedures for the management of personal data breaches shall be laid down in other internal legal acts of the Company. 

PROCEDURES FOR EXERCISING THE RIGHTS OF DATA SUBJECTS

    1. The data subject whose Personal Data is processed by the Company has the following rights:
      1.  to know (be informed) about the processing of his or her Personal Data;
      2.  to access his or her Personal Data and learn how it is processed;
      3.  to request the rectification, destruction or suspension of the processing of his or her Personal Data (other than storage) where the Personal Data is processed in breach of the requirements of the legislation and these Rules;
      4.  to object to the processing of his or her Personal Data;
      5.  to receive Personal Data concerning him or her that he or she has provided to the Company in a structured, commonly used and computer-readable format (right to data portability);
      6.  where Personal Data are processed on the basis of consent, to withdraw his or her consent at any time, without affecting the lawfulness of the processing based on consent prior to the withdrawal of consent;
      7.  to lodge a complaint with the Supervisory Authority regarding the processing of Personal Data.
    2. In exercising the right provided for in Clause 5.1.2 of the Rules, the data subject may contact the Company and obtain from the Company a confirmation as to whether or not the personal data concerning him or her are being processed and, if such personal data are being processed, shall have the right of access to personal data and the following information:
      1.  the purposes of processing;
      2.  the categories of personal data concerned;
      3.  the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
      4.  the right to request the controller to rectify or erase personal data or to restrict or object to the processing of personal data concerning the data subject;
      5.  the right to lodge a complaint with the Supervisory Authority;
      6.  where the personal data are not collected from the data subject, all available information on their sources;
      7.  information about automated decision-making, including profiling, which produces legal effects or similarly significantly affects the data subject;
      8.  information on the transfer of data to a third country or international organisation.
    3. The information referred to in clause 5.2 shall be provided to the data subject once the Company's employees have established the identity of the data subject. The Company, upon receipt of an enquiry from a data subject regarding the processing of his or her Data, shall respond to whether the Data relating to him or her is being processed and shall provide the data subject with the requested data no later than one month from the date of the data subject's request. This period may be extended by a further two months if necessary, depending on the complexity and number of requests. The company shall inform the data subject of such extension within one month of receipt of the request, together with the reasons for the delay. Such Personal Data shall be provided in writing at the request of the data subject. Personal Data shall be provided to the data subject free of charge.
    4. If the data subject, after consulting his or her Personal Data, finds that his or her Personal Data is incorrect, incomplete or inaccurate, he or she may contact the Company, which shall immediately verify the Personal Data and, at the request of the data subject, rectify the incorrect, incomplete or inaccurate Personal Data and/or suspend the processing of such data, except for the storage of such data.
    5. If the data subject, having accessed his or her Personal Data, determines that it is being processed unlawfully and fraudulently and contacts the Company, the Company shall immediately verify the lawfulness and fairness of the processing free of charge and, at the written request of the data subject, shall destroy the unlawfully and fraudulently collected Personal Data or shall suspend the processing of the Personal Data, except for the storage of such Data.
    6. In the event of suspension of processing, the data concerned shall be kept until rectification or destruction (at the request of the data subject or after the expiry of the data retention period). Further processing operations may only be carried out on such data:
      1.  for the purpose of proving the circumstances which led to the suspension of processing;
      2.  if the data subject consents to the further processing of his or her data;
      3.  where it is necessary to protect the rights or legitimate interests of third parties;
      4.  to bring, pursue or defend legal claims;
      5.  for reasons of substantial public interest of the European Union or a Member State.
    7. The company shall immediately inform the data subject of the rectification, destruction or suspension of processing operations, whether or not carried out at his or her request. 
    8. If an employee directly receives a request for the exercise of the Data Subject's rights (e.g. to erase Personal Data, to obtain a copy, to obtain information about its processing), this request must be forwarded to the DPO without delay, but no later than the next working day after receipt.

FINAL PROVISIONS

    1. These Rules shall enter into force upon approval by the Chief Executive Officer of the Company;
    2. These Rules shall be communicated to staff members either by signature or by electronic means which allow confirmation of such communication. 
    3. Staff members are personally responsible for compliance with these Rules insofar as it relates to their direct duties.
    4. Improper compliance with the obligations set out in the Rules or the Regulation, if such actions of the Employee may result in damage to Data Subjects, shall be considered a serious breach of employment obligations and the Employees may be subject to the sanctions set out in the Labour Code of the Republic of Lithuania for such acts.

ANNEXES

    1. Annex 1 „Register of records of data processing activities“;
    2. Annex 2 „Model form of consent to the processing of personal data“;
    3. Annex 3 „Model form for a questionnaire for data processors on compliance with the General Data Protection Regulation“