General Data Protection Regulation (GDPR)

This Ib-Ia Group UAB’s General Data Protection Regulation (hereinafter referred to as the Regulation) has been developed in accordance with the legislation of Lithuania, the Convention on the Protection of Individuals in the course of Automated Processing of Personal Data and other legal acts of Lithuania.

This Regulation defines the procedure for processing and guarantees of ensuring the protection of the rights of personal data subjects in Ib-Ia Group UAB (hereinafter referred to as the Operator) in order to protect the rights and freedoms of a person and a citizen when processing his or her personal data.

DEFINITION OF TERMS

1.1. Basic concepts used in this Regulation:

1.1.1. Personal data – any information relating directly or indirectly to a certain or identifiable individual (personal data subject);

1.1.2. Operator – a state body, municipal body, legal entity or individual, who independently or jointly with other persons organizes and (or) processes personal data, as well as determines the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data;

1.1.3. Personal data processing – any action (operation) or set of actions (operations) on personal data, performed with or without the use of automation tools, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;

1.1.4. Automated processing of personal data – processing of personal data using computer technology;

1.1.5. Dissemination of personal data – actions aimed at disclosure of personal data to an indefinite circle of persons;

1.1.6. Sharing of personal data – actions aimed at disclosure of personal data to a certain person or a certain circle of persons;

1.1.7. Blocking of personal data – temporary termination of processing of personal data (except in cases where processing is necessary to clarify the personal data);

1.1.8. Destruction of personal data – actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which the material media bearing the personal data are destroyed;

1.1.9. Depersonalization of personal data – actions as a result of which it becomes impossible to attribute personal data to a specific personal data subject without the use of additional information;

1.1.10. Personal data information system – a set of personal data contained in databases and information technologies and technical means that ensure their processing.

PRINCIPLES AND CONDITIONS OF PERSONAL DATA PROCESSING

2.1. Principles of personal data processing.

2.1.1. The processing of personal data by the Operator shall be carried out on the basis of the following principles:

  • Legality and equitable basis;
  • Restriction of the processing of personal data to the achievement of specific, predetermined, and legitimate goals;
  • Prevention of processing of personal data, incompatible with the purposes of personal data collection;
  • Prevention of the consolidation of databases containing personal data, the processing of which is carried out for purposes incompatible with each other;
  • Processing only those personal data that meet the purposes of their processing;
  • Compliance of the content and volume of the processed personal data with the stated purposes of processing;
  • Preventing the processing of personal data that are excessive in relation to the stated purposes of their processing;
  • Ensuring the accuracy, sufficiency and relevance of personal data in relation to the purposes of personal data processing;
  • Destruction or depersonalization of personal data upon achievement of the goals of their processing or in case there is no further need for achievement of these goals, and if it is impossible for the Operator to eliminate the violations of personal data, unless otherwise provided by law.

2.2. Conditions for processing personal data.

2.2.1. The Operator shall process personal data in the presence of at least one of the following conditions:

  • The processing of personal data shall be carried out with the consent of the personal data subject to the processing of his or her personal data;
  • The processing of personal data is necessary for the execution of a contract or agreement to which the personal data subject is a party or beneficiary or guarantor, as well as for the conclusion of a contract or agreement on the initiative of the personal data subject or a contract or agreement under which the personal data subject will be the beneficiary or guarantor;
  • The processing of personal data is necessary to exercise the rights and legitimate interests of the Operator or third parties, or to achieve socially significant goals, provided that the rights and freedoms of the personal data subject are not violated;
  • Other conditions stipulated by law.

2.3. Confidentiality of personal data.

2.3.1. The Operator and other persons who have gained access to personal data are obliged not to disclose personal data to third parties or distribute them without the consent of the personal data subject, unless otherwise provided by law.

2.3.2. The Operator has the right to transfer personal data to the bodies of inquiry or investigation, other authorized bodies on the grounds provided for by the current legislation of Lithuania.

2.4. Publicly available sources of personal data.

2.4.1. Publicly available sources of personal data (including directories, address books) may be created for information support purposes. The publicly available sources of personal data may include, with the written consent of the subject of personal data, his or her surname, first name, patronymic, year and place of birth, address, subscriber number, information about the profession and other personal data reported by the personal data subject.

2.4.2. Information about the personal data subject must be deleted from publicly available sources of personal data at any time at the request of the personal data subject or by the decision of a court or other authorized state bodies.

2.5. Special categories of personal data, as well as biometric personal data, shall not be processed by the Operator.

2.6. Assignment of personal data processing to a third (other) person.

2.6.1. The Operator has the right to assign the processing of personal data to another person, including a person located outside Lithuania (cross-border transfer of personal data), with the consent of the personal data subject, unless otherwise provided by law, on the basis of a contract concluded with this person. The person processing personal data on the instruction of the Operator is obliged to comply with the principles and rules of personal data processing provided for by law. The Operator’s instruction shall define a list of actions (operations) with personal data that will be performed by the person processing personal data and the purposes of processing, establish the obligation of such a person to respect the confidentiality of personal data and ensure the security of personal data during their processing, and shall also specify the requirements for the protection of processed personal data in accordance with the law. The cross-border transfer of personal data is carried out in order to fulfill the rights and obligations under contracts or agreements concluded with personal data subjects, as well as to ensure compliance with laws and other regulatory legal acts.

2.6.2. The person processing personal data on the instruction of the Operator is not obliged to obtain the consent of the personal data subject to the processing of his or her personal data.

2.6.3. If the Operator assigns the processing of personal data to another person, the Operator is responsible to the personal data subject for the actions of the above-noted person. The person who processes personal data on the instruction of the Operator is responsible to the Operator.

2.7. Purpose of personal data processing.

2.7.1. The processing of personal data may be carried out by the Operator solely for the purpose of fulfilling the rights and obligations under contracts and agreements concluded with personal data subjects, ensuring compliance with laws and other regulatory legal acts, as well as for the purpose of observing other legitimate interests of the Operator or personal data subjects.

2.7.2. Personal data shall be collected and used to the extent justified by the purpose of processing such personal data. The Operator shall seek ways and methods to exclusively use depersonalized personal data to the extent justified by the purposes of personal data processing.

2.7.3. Achievement of the goals of personal data processing may be a condition for termination of personal data processing.

2.8. Regardless of the existing judicial practice and explanations of authorized bodies, the Operator shall classify as personal data, among others, the following information:

  • Personal and biographical data;
  • Data that allows the identification of the subject or his or her terminal equipment (cookies, web beacons, pixel tags, IP addresses, information about the browser or other software program that provides access to the display of advertising) and other digital marking technologies;
  • Other personal data.

RIGHTS OF THE PERSONAL DATA SUBJECT

3.1. Consent of the personal data subject to the processing of his or her personal data.

3.1.1. The personal data subject shall decide on the provision of his or her personal data and consent to their processing freely, of his or her own free will and in his or her own interest. Consent to the processing of personal data must be specific, well-informed, and conscious. Consent to the processing of personal data may be given by the personal data subject or his or her representative in any form that allows confirming the fact of its receipt, unless otherwise provided by law. In case of obtaining consent to the processing of personal data from a representative of the personal data subject, the authority of this representative to give consent on behalf of the personal data subject shall be examined by the Operator.

3.1.2. Consent to the processing of personal data may be revoked by the personal data subject. If the personal data subject withdraws consent to the processing of personal data, the Operator has the right to continue processing personal data without the consent of the personal data subject if there are grounds specified in the law.

3.1.3. The obligation to provide proof of obtaining the consent of the personal data subject to the processing of his or her personal data or proof of the existence of the grounds specified in the law is assigned to the Operator.

3.2. Rights of the personal data subject.

3.2.1. The personal data subject has the right to receive information from the Operator concerning the processing of his or her personal data, if such right is not restricted in accordance with the laws.

3.2.2. The personal data subject has the right to require the Operator to clarify his or her personal data, block or destroy them if the personal data are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the stated purpose of processing, as well as to take measures provided by law to protect his or her rights.

3.2.3. The Operator is obliged to immediately terminate, at the request of the personal data subject, the processing of his or her personal data for the above-noted purposes.

3.2.4. It is prohibited to make decisions that generate legal consequences with respect to the personal data subject or otherwise affect his or her rights and legitimate interests, based solely on automated processing of personal data, except in cases provided for by laws or with the written consent of the personal data subject.

3.2.5. If the personal data subject believes that the Operator processes his or her personal data in violation of the requirements of the law or otherwise violates his or her rights and freedoms, the personal data subject has the right to appeal against the actions or inaction of the Operator by sending a corresponding notification to the Operator in writing, as well as contacting the authorized body for the protection of the rights of personal data subjects.

ENSURING THE SECURITY OF PERSONAL DATA

4.1. The security of personal data processed by the Operator shall be ensured by the implementation of legal, organizational and technical measures necessary to meet the requirements of the Federal legislation in the field of personal data protection.

4.2. To prevent unauthorized access to the personal data, the Operator shall apply the following organizational, technical, and legal measures:

  • Restriction of the composition of persons having access to the personal data;
  • Familiarization of personal data subjects with the requirements of the Federal legislation and with this Operator’s General Data Protection Regulation;
  • Organization of accounting, storage, and circulation of information media;
  • Checking of the readiness and effectiveness of the use of information security tools;
  • Differentiation of user access to information resources and hardware and software for information processing;
  • Registration and accounting of actions of users of personal data information systems;
  • Use of anti-virus tools and personal data protection system recovery tools;
  • Use, if necessary, of means of inter-network shielding, intrusion detection, security analysis, and cryptographic protection of information.

FINAL PROVISIONS

5.1. Other rights and obligations of the Operator as the operator of personal data are determined by the legislation of Lithuania in the field of personal data.

5.2. The Operator’s officials guilty of violating the norms governing the processing and protection of personal data bear material, disciplinary, administrative, civil or criminal liability in accordance with the procedure established by laws.

5.3. This Regulation may be changed by the Operator taking into account the changing requirements of legislation, as well as the development of organizational and technical measures to protect personal data. The text of this Regulation can be changed by replacing the current version posted on the Internet with a new version or by publishing changes to such Regulation.