Any questions?8 (5) 2080009

Rules for the processing of personal data

Rules for the processing of personal data

1. Basic concepts

1.1. Company – JSC “Open 24”, a company, incorporated under the laws of the Republic of Lithuania, with its registered office at Konstitucijos ave. 26 Vilnius LT-08105 Republic of Lithuania, company code 300569944, the data of which is accumulated and stored in the Register of Legal Entities.

1.2. Data subject – a natural person, whose personal data the Company manages.

1.3. Personal data - any information, related to a natural person - a data subject, known to be or may be directly or indirectly identified, using such data, as a personal code, one or more physical, physiological, economic, cultural or social characteristics of a person.

1.4. Personal data processing - any act, performed by the Personal Data: collection, recording, storage, classification, grouping, merging, modification (addition or edition), provision, publication, usage, logical and/or arithmetic operations, search, dissemination, deletion or other action or set of actions.

1.5. Automatic mode - actions, performed in whole or in part by automated means.

1.6. Employee - the person, who has concluded a contract of employment or of a similar nature with the Company and is appointed by the Company Head decision to process personal data or whose personal data is processed.

1.7. Manager - the legal or natural person, authorized by the Company to process personal data. The manager (-s) must be registered with the Inspectorate.

1.8. Data receiver – the legal entity or natural person, Personal Data is provided to. The data receiver (-s) must be registered with the Inspectorate

1.9. Inspectorate - the State Data Protection Inspectorate of the Republic of Lithuania.

1.10. Cookies - small text files, sent to the device of each person, visiting the website, which connect to the website and is temporarily stored on that device. During the next visit to the website, your browser will read the cookie and transfer information back to the website or item. The information, collected on the cookie website, helps identify a visitor to the website, save the history of the visit and adapt the content accordingly.

 

2. General provisions

2.1. This document regulates actions of the Company and its Employees in the management of Personal Data, using the automated Personal Data Processing Means, used in the Company, as well as defines the Data Subject Rights, Personal Data Protection Risk Factors, Personal Data Protection Measures and other issues, related to the Personal Data processing.

2.2. Personal data must be accurate, appropriate and only to the extent that it is necessary for its to be collected and be kept processing. If personal data is required for personal data processing, it is constantly updated.

2.3. The goals of personal data processing - direct marketing and other legitimate goals, defined in advance of data collection.

2.4. The Company, for the purpose, specified in Clause 2.3 of the Rules, handles the following Data subject Person details:

(a) name;

(b) surname;

(c) e-mail;

(d) phone number;

(e) sex;

(f) subscribed Information;

(g) loyalty card number, expiration date;

(h) the shop, where the questionnaire is filled.

2.5. The Personal Data processing is governed by the Law on the Legal Protection of Personal Data (No. X-1444 of February 1, 2008), other laws and legal acts, regulating the processing and protection of data, as well as these Rules.

 

3. Personal data processing

3.1. The Company manages personal data for the following purposes:

  • e-commerce services;
  • direct marketing, including newsletter;
  • for other purposes, related to internal administration, for example, for managing employee data of the Company.

3.2. The Company collects and manages the following categories of personal data:

(a) the basic data, necessary for the above-mentioned purposes: name, surname and contact data;

(b) data, necessary for the sale of goods: order details, invoices, data, related to payments, etc .;

(c) other data, collected with your consent, which is defined in detail at the time, when your consent is requested.

3.3. Personal data is processed manually and non-automatically, using personal data processing facilities, used in the Company.

3.4. Only Personnel and Managers are entitled to manage Personal Data. Every Worker/Manager, assigned to handle Personal Data, must protect its confidentiality and comply with the requirements of the legislation on personal data protection.

3.5. An employee/manager must:

(a) keep the secret of personal data;

(b) process personal data in accordance with the laws of the Republic of Lithuania, other legal acts and these Rules;

(c) not disclose the Personal Data, transfer or make it available to any person, not authorized to process it by any means of access;

(d) immediately notify the Company Head or the person, appointed by him, of any suspicious situation that may endanger the security of personal data.

3.6. The employees, who automatically process personal data or can access the local area network, where Personal Data is stored, must use passwords. The passwords must be changed periodically, as well as in certain circumstances (for example, when a worker changes in case of an intrusion, suspicion that the password has become known to third parties, etc.). A worker can only know his password.

3.7. The computer maintenance officer must ensure that personal data files are not "shared" from other computers and that antivirus programs are updated periodically.

3.8. A computer maintenance worker makes copies of data files on computers. Losing or damaging these files requires the responsible employee to restore them within a few days.

3.9. The protection of personal data is organized, guaranteed and carried out by the Company Head or an employee, appointed by him.

3.10. An employee does not have the right to process personal data, when the Contractor's work or a similar contract with the Company expires or the Company Head revokes the Employee's appointment to process personal data.

3.11. The Manager loses the right to process personal data, when the Manager's contract with the Company is terminated.

 

4. Data on the company's website (open24.lt):

(a) by administering the website and diagnosing the problems in the “Open 24” server, we can use the IP addresses of visitor computers. IP address – a unique network code, identifying a computer. It can be used to set up a visitor and collect various demographic information;

(b) Using cookies, we collect data about the use of services. Information about cookies, cookie types and their uses are provided in the 5th paragraph of the Rules;

(c) By registering in the “Open 24” online store, we collect the basic information, necessary for the user identification, which you submit by completing the registration form, i.e. name, surname, e-mail address.

(d) by purchasing goods or services in the “Open 24” e-commerce store, we collect the data, required for the proper order execution, for example, the item and its order details, contact details and related records.

 

5. Cookie usage:

(a) Technical Cookies: ensure website functionality by creating a user account by logging in and managing Data subject orders. These technical cookies are essential for the proper functioning of the site.

(b) Functional cookies: help to remember the wishes of the Data subject and to use our website effectively. For example, these cookies will remember your preferred language, login information, searches and previously viewed items, etc. These functional cookies are not essential for the website to function but adds functionality and improves the experience of the website use by the Data subject.

(c) Analytical cookies: help gain insights on how visitors use the website, help to optimize and improve your website, understand the effectiveness of advertising and communication.

(d) Commercial cookies: Company and third-party cookies are designed to display personalized advertising on our own website and other websites, based on browsing actions, such as items, searched for by the Data subject, viewed goods.

(e) The “Google Analytics” tool is provided by the US company “Google Inc.”, so it also has access to the statistics, collected by this tool. “Google Inc.” is committed to the application of the EU-US Privacy Policy, which ensures that the service provider complies with EU privacy standards. This provider is also subject to contractual privacy obligations. You can read about this at https://www.google.com/analytics/terms/dpa/dataprocessingamugges_20160909.html.

 

6. Implementation of data subject rights

6.1. When submitting a personal identity document to the Company, the data subject is entitled to receive information on the sources and personal data collected, they are processed and provided for. Access to Personal Data is made upon submitting to the Company a written request for access to Personal Data by mail or e-mail.

6.2. The Company, upon receipt of a request from the Data Subject, regarding the processing of his Personal Data, is responsible for the handling of Personal Data, related to it and shall submit the requested data to the Data Subject no later than within 30 calendar days from the date of the Data Submission's request. At the request of the data subject, such data shall be provided at the written or e-mail address.

6.3. The opportunity to correct, delete your Personal Data or suspend your Personal Data Processing activities for the Data Subject is made upon submitting a written request to the Company by post, e-mail. mail or orally, if the Data Subject can be identified. Upon receipt of such a request, the Company immediately verifies the Personal Data and promptly rectifies incorrect, incomplete, inaccurate Personal Data at the request of the Data subject.

6.4. The Company immediately informs the Data Subject about the correction, deletion or removal of personal data done or not at his request.

6.5. The Company also ensures all other rights, guarantees and interests of the personal data subjects, guaranteed by laws and other legal acts of the Republic of Lithuania.

7. Personal data transfer

7.1. Personal data may be provided only to the Data Providers, the Company has signed respective agreements with on the Transfer/Provision of Personal Data; the Data Protection shall ensure adequate protection of the Personal Data transferred. Personal data may also be transferred to third parties in other cases, provided for in the laws and other legal acts of the Republic of Lithuania.

7.2. The Company does not use and disclose any sensitive personal information, such as health information, race, religious beliefs or political opinions without the explicit consent of the Data Subject, unless required or permitted by law.

7.3. Personal data may also be transferred to third parties in other cases, provided for in the laws and other legal acts of the Republic of Lithuania.

 

8. Personal Data protection risk factors

8.1. A breach of personal data protection - an act or omission that may result in undesirable effects, as well as in violation of the mandatory rules of the laws, regulating the personal data protection. The personal data protection, damage violation impact degree and consequences, in each case, shall be established by a commission, formed by the Company Head or his authorized person.

8.2. Personal Data protection risk factors:

(a) unintentional, when personal data protection is violated due to accidental reasons (data processing error, data media, deletion of data records, erroneous routes (addresses) for data transfer, etc., or system interruptions due to power failure, computer virus, etc., internal rules violation, system maintenance shortage, software tests, inadequate data carrier maintenance, inadequate line capacity and protection, network integration of computers, protection of computer programs, lack of fax supplies, etc.);

(b) deliberate violation of Personal Data protection (unauthorized intrusion into Company's/hotel premises, personal data storage repositories, information systems, computer network, malicious personal data infringement, deliberate distribution of computer viruses, personal data theft, unlawful use of another Worker's right etc.);

(c) unexpected accidental events (lightning, fire, flood, flood, storm, electrical wiring, effects of temperature and/or humidity changes, impacts of dirt, dust and magnetic fields, accidental technical accidents, other inevitable and/or uncontrolled factors, etc.).

 

9. Implementing measures for the personal data protection

9.1. To ensure the personal data protection, the Company implements or intends to implement the following Personal Data protection measures:

(a) administrative (organization of safe documents and computer data and their archives, as well as the organization of work in different fields of activity, introduction of personnel to the personal data protection in employment and after the termination of employment or similar relations, etc.);

(b) technical and software security (administration of servers, information systems and databases, maintenance of work places, maintenance of the Company's premises, protection of operational systems, protection against computer viruses, etc.);

(c) communications and computer networks (firewalling, sharing data, programs, unwanted data packets, etc.).

9.2. Technical and software tools for protecting personal data must ensure the following:

(a) installation of operating system and database copies, copying technique and compliance control;

(b) continuous processing technology;

(c) the strategy of updating systems in unforeseen cases (management of surprises);

(d) physical (logical) separation of the environment testing programs from operating mode processes;

(e) authorized use of data, its integrity.

9.3. All Employees, who have the right to manage personal data or organize and enforce its protection, must strictly observe the requirements of the Personal Data protection measures and relevant rules, instructions or procedures, established by the Company.

 

10. Terms for the personal data processing

10.1. The Company manages the Personal Data during the client's participation in the loyalty program and for no longer than what the data processing goals require or provides for by law, if they provide for longer data storage.

10.2. When Personal Data is no longer needed to be processed, it is deleted, except for that, which, in the cases, specified by law, must be transferred to state archives.

10.3 The data for direct and indirect marketing campaigns is retained by the company for no longer than the intended purpose of the data processing, legislation or data subject. Upon the Subject’s request, the Company deletes all the data, not required to be stored, in accordance with all legal requirements, regarding the Data Subject.

 

11. Responsibility

11.1. The employees, who violate the Law on the Legal Protection of Personal Data of the Republic of Lithuania, other legal acts, regulating processing and protection of Personal Data or these Rules, apply the liability measures, provided for in the laws of the Republic of Lithuania.

 

12. Final provisions

12.1. Compliance with the rules and, if necessary, review, trusted by the Company Head or his authorized person.

12.2. Responsible employees are introduced to the Rules by signing.