Rules for processing and using personal data
I.BASIC CONCEPTS
1. Company: UAB, Kvarkas (Įm/k: 300143364) Address: Vilnius, Mėsinių g. 9-1, LT-01133, Lithuania
Telephone: +370 68713560, Email: info@kvarkas.lt
2. Data subject – means a natural person from whom the Company purchases goods and services. Thus entrusting the company with the data required for the purchase.
3. Employee – means a person who has concluded an employment or similar contract with the Company and is appointed to process Personal Data by the decision of the Company’s manager or whose personal data is being processed.
4. Personal data – any information related to a physical person – a data subject whose identity is known or can be directly or indirectly determined, using such data includes name, surname, birth data, one or more physical, physiological, psychological, economic, cultural or of a social nature.
5. Recipient of the data – legal or physical person to whom personal data is provided.
6. Provision of data – disclosure of personal data by transmission or otherwise making them available (except for publication in public media).
7. Data management – any action performed on personal data: collection, recording, accumulation, storage, classification, grouping, combination, change (addition or correction), provision, publication, use, logical and/or arithmetic operations, search, dissemination, destruction or otherwise an action or set of actions.
8. Automatic data processing – data processing actions performed in whole or in part by automatic means.
9. Data controller – a legal or physical person (who is not an employee of the data controller) authorized by the data manager to process personal data. The data processor and/or the procedure for its appointment may be determined by laws or other legal acts.
10. Data manager – a legal or physical person who alone or together with others determines the purposes and means of personal data processing. If the purposes of data processing are determined by laws or other legal acts, the data manager and/or the procedure for his appointment may be determined in those laws or other legal acts.
11. Specific personal data – data related to a physical person’s racial or ethnic origin, political, religious, philosophical or other beliefs, trade union membership, health, sex life, as well as information about a person’s criminal record.
12. Social and public opinion research – systematic collection and interpretation of data and/or information about physical and legal persons using statistics, analysis and other methods applied in social sciences in order to obtain insights necessary for decision-making. Direct marketing cannot be carried out during social and public opinion research.
13. Consent – voluntary statement of the will of the data subject to process his personal data for a purpose known to him. Consent to process special personal data must be expressed clearly – in writing, equivalent to it or in another form that undoubtedly proves the will of the data subject.
14. Direct marketing – activities aimed at offering goods or services to individuals by mail, telephone or other direct means and/or asking for their opinion on the offered goods or services.
15. Third-party – a legal or physical person, with the exception of the data subject, data manager, data processor and persons who are directly authorized by the data controller or data processor to process data.
16. Internal administration – activities that ensure the independent functioning of the data controller (structural management, personnel management, management and use of available material and financial resources, clerical management).
17. Other terms used in these personal data processing and use rules (further – the Rules) correspond to the terms established in the Law on Legal Protection of Personal Data of the Republic of Lithuania.
II. GENERAL PROVISIONS
1. These Rules regulate the actions of the Company and its employees in the processing of personal data, using automatic and non-automatic personal data processing tools installed in the Company, as well as determine the rights of the Data Subject, measures for the implementation of personal data protection and other issues related to the processing of personal data.
2. The purpose of the rules for processing personal data in the Company is to regulate the processing of personal data in the Company, ensuring compliance with and implementation of the Law on Legal Protection of Personal Data of the Republic of Lithuania and other related legal acts.
3. The purpose of the rules is to provide the basic technical and data security organizational measures for personal data processing, and implementation of data subject rights.
4. The Company collects the data of the Data subject, which he voluntarily submits by e-mail, registered mail, fax, telephone, directly coming to the office of the Company’s intermediary, registering on the Company’s website and becoming a registered user (when the Company provides such an opportunity), becoming a member of the Company’s club (when such an opportunity is provided by the Company) or by using the Company’s website.
5. Taking care of the Data Subject’s privacy and assessing the Data Subject’s trust, the Company undertakes to protect the Data Subject’s privacy and to use the provided information exclusively for the purposes specified in these Rules.
6. Personal data are processed and used in accordance with the purposes for which the Data Subject provided them to the Company or for other purposes approved by the Data Subject.
7. Purposes of using personal data of the data subject:
7.1. For the processing and administration of purchasing (ordering) services of the data subject;
7.2. For the identification of the data subject in the Company’s information systems;
7.3. For the identification of the data subject when logging in to his account on the Company’s website (when the Company provides such an opportunity);
7.4. for issuing purchased (ordered) goods, services, service coupons, confirmations, invoices and other financial documents;
7.5. solving problems related to the implementation, provision and use of services;
7.6. for communication with the Data subject, in the event of a change in the conditions of the services purchased by the Data subject;
7.7. for the fulfillment of other contractual obligations;
7.8. for direct marketing purposes;
7.9. for security, health, administrative, crime prevention disclosure and legal purposes;
7.10. business analysts and statistical analyses, general research that allows to improve services and improve their quality;
7.11. for audit.
8. By submitting his personal data to the Company, the Data Subject confirms and voluntarily agrees that the Company will manage and process the Data Subject’s personal data in compliance with these Rules, applicable laws and other normative legal acts.
9. The rules must be followed by all employees of the Company who process personal data in the Company or become aware of them in the course of their duties, data processors used by the Company or third parties used by the Company to provide the service, and only in cases where it is necessary to provide the service.
10. The rules have been prepared in accordance with the Law on Legal Protection of Personal Data of the Republic of Lithuania and other legal acts regulating the protection of personal data.
III. PRIVACY AND PERSONAL DATA
1. The information collected by the company may be: Name, surname, address, e-mail address, telephone number of the data subject and/or the person represented by the data subject, data of documents confirming personal identity (passport, personal identity card) (date of issue, place, date of validity, number), personal identification number, date of birth, gender, credit/debit card or other payment data, data of persons traveling with the Data Subject, information about special needs (applies only to those who have such needs), information about goods or services purchased by the Data Subject (their quantities, dates of purchase, prices of purchased services, purchase history, the employee from whom the product or service was purchased and other information related to the purchase of the service), the Data Subject’s login name and the coded form of the password on the Company’s website (if the Company provides such an opportunity) . The Company’s website may collect certain information about the Data Subject’s visit, for example: Internet Protocol (IP) address that the Data Subject uses to access the Internet; Date and time of the data subject’s visit to the Company’s website; other web pages that the Data Subject visits while on the Company’s web page; the browser used; information about the Data Subject’s computer operating system; versions of mobile apps; language settings and more. If the Data Subject uses a mobile device, data may also be collected to identify the type of mobile device, device settings, as well as geographic (longitude and latitude) coordinates. This information is used to improve the Company’s website, analyze trends, improve products and services, and administer the Company’s website. The data subject provides this data voluntarily by using the services provided by the Company, becoming a registered user of the Company’s website or visiting the Company’s website.
2. All personal data specified and received by the Data Subject are collected, stored and processed in accordance with the requirements stipulated in the Personal Data Protection Law of the Republic of Lithuania and other legal acts regulating the protection of personal data in the Republic of Lithuania. The Company ensures the protection of the received data and undertakes to use this information only with the Data Subject’s consent and only in cases provided for by law, as well as in cases necessary to provide the service ordered by the Data Subject.
3. The company’s employees, while performing their duties and processing the personal data of the Data Subject, adhere to the following principles:
3.1. The information provided by the data subject is collected, processed and stored only for legitimate interest and in strict compliance with the requirements of the Law on Legal Protection of Personal Data of the Republic of Lithuania, the Civil Code of the Republic of Lithuania, other legal acts regulating this area of law in the Republic of Lithuania and these Rules.
3.2. Personal data of the data subject is processed accurately, fairly and legally.
3.3. The personal data of the data subject is collected for defined purposes.
3.4. When collecting and processing personal data, the principles of expediency and proportionality are followed, and the Data subject is not required to provide those data that are not needed and are not collected.
3.5. Collects only those data that are necessary for the provision of quality services, including consulting on the Company’s products and services.
3.6. The personal data of the data subject can be accessed only by employees of the Company with the appropriate competence and/or third parties that the Company has used to provide the service, and only in cases where it is necessary to provide the service.
3.7. The Company does not disclose the personal data of the data subject to third parties, except in cases provided for by law or if the data subject obliges the Company to do so.
3.8. The company strives to ensure that the Data subjects’ data is complete, not out of date and in order, so it is constantly revised and updated.
4.The Company respects the Data Subject’s privacy and undertakes to constantly comply with the Data Subject’s data protection principles specified in these Rules.
5. The data subject’s personal data is stored no longer than the purposes of data processing, laws and other legal acts require.
IV. MARKETING AND CORRESPONDENCE
1. By purchasing goods sold by the company or by using the company’s services, you agree that the personal data provided by the Data Subject will be used for the Company’s marketing purposes.
2. The possibilities of the data subject to receive the information sent by the Company:
2.1. After visiting the Company’s website, the Data Subject has the opportunity to subscribe to the Company’s newsletters.
2.2. If it is possible to register on the Company’s website and become a registered user, after registering and becoming a registered user of the Company’s website, the Data Subject agrees to receive the Company’s newsletters, information notices, offers, discounts, promotions, etc.
3. The Company also gives the Data Subject the opportunity to refuse the information sent by the Company:
3.1. The Data Subject has the opportunity to opt out of the information sent by the Company by clicking on the link to opt out of the Company’s offers and news provided in the newsletter or other letter sent to the Data Subject.
3.2. If the Data Subject is a registered user of the Company’s website, who no longer wishes to receive unwanted information about the services provided by the Company, he can make changes at any time by logging into his account or by phone, in writing (electronically or physically) notifying the company’s administration of his decision.
4. The data provided by the data subject, which is used for direct marketing purposes, helps to ensure the continuous improvement and development of the Company’s website and the Company’s services and provides an opportunity to provide the best possible service offers.
5. The Company uses the data of the data subject for marketing activities permitted by law. For example: based on the information provided by the Data Subject, when the Data Subject visits the Company’s website, uses mobile apps or browses third-party websites and social networks, offers tailored specifically to the Data Subject may be displayed.
6. Personal data for marketing purposes are collected, processed and used in such a way as to prevent the disclosure of the personal identity of the Data Subject or other personal data that could be used to determine the identity of a person.
7. The data subject can exercise his right to refuse to have his data processed for the purpose of direct marketing by notifying the Company by mail or electronic means.
V. COOKIES („COOKIES“) AND THEIR USAGE
1. Part of the information is collected automatically when the Data Subject visits the Company’s website, since the Internet Protocol address of the Data Subject must be recognized by the Company’s server.
2. The company’s website also uses data analysis management tools – cookies.
3. By using the Company’s website, the Data Subject agrees to save the cookies mentioned in these Rules on the Data Subject’s computer (device).
4. Cookies are small amounts of data that a website places on the Data Subject’s computer. Web pages have no memory. When the Data Subject browses different Internet pages, the Data Subject will not be recognized as the same user. Cookies allow the web page to recognize the Data Subject’s browser. The main purpose of cookies is to remember the choices of the Data Subject, for example the preferred language of the website. Cookies also help the Data Subject to be recognized when returning to the same website. They help you to personalize the website. Cookies cannot be used to run programs or transfer viruses to your computer. Cookies are assigned only to the Data Subject and can only be read by the web server of the domain that sent the cookie to the Data Subject. One of the most important purposes of cookies is to provide a convenient function to save the Data Subject’s time. For example, if the Data Subject uses the website for personal needs or browses the website, cookies will help the website to remember specific information on subsequent visits. This makes it easier to present relevant content, easier to navigate the website, etc. Upon returning to the website, the Data Subject can find his/her previously provided information and thus can more easily use the functions of the website already adapted.
5. There are different types of cookies and different ways of using them. Cookies can be categorized according to their purpose, durability and their location on the website. Data processing with the help of cookies does not allow direct or indirect identification of the user.
6. The following types of cookies are used on the company’s website:
6.1. Technical cookies: The Company strives to provide users of the Company’s website with an advanced and easy-to-use website that automatically adapts to their wishes and needs. In order to achieve this, the Company uses technical cookies that allow the website to be viewed and enable its correct operation. The company’s website works properly only thanks to technical cookies.
6.2. Functional cookies: The Company also uses functional cookies that allow the Data Subject’s choices to be remembered and also to use the website efficiently. For example, thanks to cookies, the website remembers the language chosen by the Data Subject, the searches or views performed, the products and services offered by the Company. This type of cookie is not necessary for the operation of the website, but they add more possibilities and make the Data Subject’s browsing experience more pleasant.
6.3. Analytical cookies: the Company uses this type of cookies in order to understand how the Company’s visitors use the Company’s website, to discover the weak and strong parts of the website, to optimize and improve the work of the website and to further implement advanced solutions. The collected data includes the pages viewed by the Data Subject, the type of platform used by the Data Subject, date and time information, the number of clicks, mouse movements and browsing activities, keywords and other text that the Data Subject collects while browsing the website. The Company also uses analytical cookies for online advertising companies in order to analyze the behavior of users after they are shown the Company’s online advertising. The company does not know which Data subject it is, it only collects anonymous information.
6.4. Commercial cookies: the Company uses these cookies to place the Company’s advertisements on other web pages. So-called “targeted ads” are displayed based on information about the goods or services the visitor is looking for.
7. The purpose of these management tools is to ensure the quality of browsing the website, help the Company to find out the attendance of the Company’s website and its individual parts, to understand the flows of users of the Company’s website, to improve the Company’s website, services provided online and to better meet the needs of visitors.
8. Every time when visiting the Company’s website, the Data Subject can accept or refuse to use cookies, but in this case the Company cannot guarantee the quality of browsing the website. Most Internet browsers automatically accept cookies, but if the Data Subject wishes, the browser can be easily modified to not accept them. Thus, the Data Subject has the opportunity to delete part or all of the cookies from his computer at any time, or to block them using the Internet browser on his computer. Užblokavus slapukus, dėl techninių priežasčių kai kurios Bendrovės internetinio puslapio dalys Duomenų subjektui gali neveikti ar veikti netinkamai.
9. No personal data of the customer is stored with the help of cookies.
10. No information is provided to any third parties during the recording of necessary cookies.
VI. USE OF SITE INDICATORS
1. The company sometimes uses not only cookies, but also web page indicators. It is a tiny graphic image of just one pixel that enters the Data Subject’s computer as part of a web page or as an HTML electronic message. Directly or through other service providers, the Company uses these images as Internet advertising or on third-party websites to find out whether the user to whom the advertisement is displayed makes an order, analyzing the movement of users and aiming to optimize the services offered.
2. The Company may include web page indicators in promotional e-mails or newsletters to determine whether the e-mails have been opened. Some website indicators may be added by third-party service providers to determine the effectiveness of the Company’s advertising campaigns or email communications. Websites can use the indicator to place a persistent cookie on the Data Subject’s computer. It will then be able to recognize the Data Subject’s computer every time they visit certain pages or send e-mails and collect anonymous information about the visits to such pages. The company prohibits the use of website indicators to collect or access personal information.
VII. SECURITY AND HANDLING OF PERSONAL DATA
Pursuant to the Law on Legal Protection of Personal Data of the Republic of Lithuania, the European Union, etc. legal acts regulating data protection, the Company applies measures that would prevent unauthorized access or unauthorized use of the Data Subject’s data. The Company ensures that the data provided by the Data Subject is protected against any illegal actions: illegal alteration, disclosure or destruction of personal data, identity theft, fraud, and that the level of personal data protection meets the requirements of the legal acts of the Republic of Lithuania. The data storage and processing databases used by the company are protected from unauthorized access through computer networks.
2. The Company uses appropriate business systems and procedures that allow to protect and defend the personal data entrusted to the Company by the Data Subject. The Company uses security systems, technical and physical measures that limit access to the Data Subject’s personal data and their use on the Company’s servers. Only employees of the Company with special permissions have the right to see the personal data of the Data Subject submitted to the Company for work purposes.
3.Personal data is processed manually and automatically using personal data processing tools installed in the Company.
4. Personal data of data subjects can be processed only by persons authorized by the General Director of the Company.
5. Every employee who processes personal data must:
5.1. sign a confidentiality pledge/agreement.
5.2. process personal data in strict accordance with the laws of the Republic of Lithuania, other legal acts, instructions and these Rules.
5.3. keep personal data confidential. Must adhere to the principle of confidentiality and keep secret any information related to personal data that he has become familiar with in the performance of his duties, unless such information is public in accordance with the provisions of applicable laws or other legal acts. The Company’s employee must observe the principle of confidentiality even after the end of the employment relationship.
5.4. not to disclose, transfer or provide conditions for access to personal data by any means to any person who is not authorized to process personal data;
5.5. in order to prevent accidental or illegal destruction, alteration, disclosure of personal data, as well as any other illegal processing, must store documents and data files properly and securely and avoid making unnecessary copies. Copies of company documents containing personal data must be destroyed in such a way that these documents cannot be reproduced and their contents cannot be identified.
5.6. to immediately notify the head of the Company or the responsible person appointed by him about any suspicious situation that may pose a threat to the security of personal data and to take measures to avoid such a situation.
6. Employees who automatically process personal data or whose computers can access areas of the local network where personal data are stored must use passwords. Passwords must be changed periodically, as well as when certain circumstances arise (for example, when an employee changes, when there is a threat of hacking, when there is a suspicion that the password has become known to third parties, etc.). An employee working on a particular computer can only know his password.
7. The employee responsible for computer maintenance must ensure that personal data files are not “visible” (shared) from other computers, and antivirus programs are updated periodically.
8. The employee responsible for computer maintenance makes copies of the data files on the computers. If these files are lost or damaged, the responsible employee must restore them within a few working days at the latest.
9. The employee loses the right to process personal data when the employee’s employment or similar contract with the Company ends, or when the Company’s manager cancels the appointment of the employee to process personal data.
10. Documents of data subjects and their copies, financing, accounting and reporting, archival or other files containing personal data are stored in locked cabinets or safes. Documents containing personal data must not be kept in a visible place accessible to all.
11. In order to ensure the protection of personal data, the Company implements or plans to implement the following personal data protection measures:
12.1. administrative (establishing the procedure for the safe handling of documents and computer data and their archives, as well as the work organization of various fields of activity, familiarization of personnel with personal data protection, etc.)
12.2. hardware and software protection (administration of workstations, information systems and databases, maintenance of workplaces, Company premises, protection of operating systems, protection against computer viruses, etc.);
12.3. Protection of communications and computer networks (filtering of shared data, programs, unwanted data packets (firewalling), etc.).
13. Personal data protection technical and software measures must ensure:
13.1. installation of storage for copies of operating systems and databases, determination of copying techniques and compliance control;
13.2. continuous data management (processing) process technology;
13.3. the strategy of resuming system activity in unforeseen cases (management of contingencies);
13.4. physical (logical) separation of the application testing environment from work mode processes;
13.5. authorized use of data, their invulnerability.
14. Data processors used by the Company or third parties used by the Company to provide the ordered services must guarantee the necessary technical and organizational personal data protection measures and ensure that such measures are observed. Inform the Company about the intention to enter into contracts with auxiliary data processors and obtain prior written consents from the Company regarding their appointment.
VIII. RIGHTS OF THE DATA SUBJECT
1. The data subject has the following basic rights:
1.1. know about the processing of your personal data;
1.2. get familiar with your personal data and how it is handled;
1.3. demand correction, destruction of the Data Subject’s personal data or suspension, except for storage, of the Data Subject’s personal data processing actions, when the Data Subject’s personal data are processed in violation of the provisions of applicable and valid legal acts;
1.4. not to consent to the processing of the personal data of the Data Subject.
2. The Data Subject also has the right to refuse to provide personal data. In such a case, the Data Subject automatically waives its claim regarding the quality of services provided by the Company, as the requested data may be necessary in order to properly provide the services requested/ordered by the Data Subject.
3. The data subject, who has submitted a document confirming the identity of the person, has the right to familiarize himself with the personal data of the data subject held and processed by the Company and to receive information from which sources and what personal data of the data subject is collected, for what purpose it is processed and to whom it is provided. Upon receipt of the Data Subject’s request in writing (registered mail or e-mail), the Company provides the requested data in writing (registered mail or e-mail) no later than within 30 calendar days from the date of receipt of the Data Subject’s request or indicates the reasons for refusing to fulfill such a request. The answer is provided to the Data Subject in the same form in which the request was received, unless the Data Subject’s request expresses a wish to receive information in another way.
4. If the Data Subject is a registered user of the Company’s website, he can view and edit the personal information provided on the Company’s website and the contact details for contacting the Data Subject by visiting the relevant sections of the Company’s website.
IX. INTELLECTUAL PROPERTY RIGHTS
1. Unless otherwise specified, the software required for the Company’s services is available or used on the Company’s website and the intellectual property rights (including copyright) in the content and information of the website belong to the Company. Without the prior written consent of the Company, it is prohibited to reproduce, translate, adapt or in any other way use any part of the Company’s website (any content, logo, software, products, services, etc.) in the commercial economic activities of third parties. It is prohibited to perform any other actions that may violate the Company’s property rights to the Company’s website, as well as those that are contrary to fair competition, advertising, copyright, other legal acts, and valid practices.
2. Any unauthorized use of the rights or any of the aforementioned actions will constitute a fundamental violation of the Company’s intellectual property (including copyright and other) rights.
X. RESPONSIBILITY
1. The Data Subject must provide the Company with complete and correct personal data of the Data Subject and inform about relevant changes in the Data Subject’s personal data. The Data Subject must provide the Company with complete and correct personal data of the Data Subject and inform about relevant changes in the Data Subject’s personal data.
2. The Company is not responsible for connection failures due to which users of the Company’s website and other persons cannot access the website or use the services.
3. The Company cannot fully guarantee that the functioning of the Company’s website will be uninterrupted and without any interruptions and errors, that the Company’s website will be completely protected from viruses or other harmful components. The Data Subject is informed that any material that the Data Subject reads, downloads or otherwise receives using the Company’s website is obtained exclusively at the discretion and risk of the Data Subject, and only the Data Subject is responsible for any damage caused to the Data Subject and the Data Subject’s computer system.
4. If the Data Subject is a registered user of the Company’s website (when the Company provides such an opportunity), the Data Subject assumes all risk and responsibility for the actions of third parties on the Company’s website, carried out using the Data Subject’s login data, and undertakes to fulfill all obligations undertaken using the Data Subject’s login data.
XI. CHANGE OF RULES
1. The group of companies has the right to partially or completely change the Rules by announcing it on the web pages of the companies.
2. Additions or changes to the rules take effect from the date of their publication, i.e. from the day they are placed on the Companies’ websites.
3. If the Data Subject does not agree with the new version of the Rules, the Data Subject has the right to refuse to use the services provided by the Company and the Company’s website.
4. If the Data Subject continues to use the services provided by the Company or the Company’s website after the addition or amendment of the Rules, the Data Subject is deemed to agree to the new version of the Rules.
XII. FINAL PROVISIONS
1. When the Data Subject visits the Company’s website and provides information about himself to the Company’s partners and/or employees, it is considered that the Data Subject has familiarized himself with and agrees with the provisions of these Rules.
2. These Rules and relations arising on the basis of these Rules are governed by the law of the Republic of Lithuania.
3. All disagreements arising from the implementation of these Rules shall be resolved through negotiations. In case of failure to reach an agreement, disputes are resolved in accordance with the procedure established by the legal acts of the Republic of Lithuania.