1. Purpose of Policy and main concepts
In this Policy we explain which Personal data we collect, how and for what purposes we process these data as well as what rights You are entitled to whenever You use the Company’s services, give consent to receive newsletters, promotional messages, also visit our website www.rubedos.com (hereinafter – the Website) and use its individual features. The Policy is not applied when websites or services of other companies are used, even though they are logged to via the links available on the Company’s website.
If You have any questions regarding this Policy or if you have any complaints regarding the processing of Your personal data, please contact us by e-mail: email@example.com, telephone no. +370 37 220280.
- 1.1. Main concepts used in the Policy:
- 1.1.1. Personal data shall mean any information relating to a natural person (Data subject) who is known or who can be identified directly or indirectly by reference to such data as a personal identification number or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
- 1.1.2. Data subject shall mean a natural person, whose data are processed by the Company;
- 1.1.3. Processing of Personal data shall mean any operation carried out with Personal data: collection, recording, accumulation, storage, classification, grouping, connecting, changing (supplementation or correction), provision, publication, use, logical and/or arithmetical operations, search, dissemination, destruction or any other action or set of actions;
- 1.1.4. Consent of Data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her, for example, written (including given by electronic means) or oral declaration. Silence, pre-ticked boxes or inactivity should not therefore constitute consent;
- 1.1.5. Data controller shall mean a legal or a natural person which alone or jointly with others determines the purposes and means of processing personal data. The Company also means the Data controller;
- 1.1.6. Data processor shall mean a legal or a natural person (other than an employee of the data controller), processing personal data on behalf of the Data controller, i.e. assists the Data controller, executes his instructions;
- 1.1.7. Employee means a person, who has made an employment contract or contract of similar character with the Company;
- 1.1.8. Supervisory authority shall mean State Data Protection Inspectorate;
- 1.1.9. Direct marketing shall mean an activity intended for offering goods or services to individuals by post, telephone or any other direct means and/or for obtaining their opinion about the offered goods or services, sending newsletters;
- 1.1.10. General Data Protection Regulation shall mean Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation / GDPR);
- 1.1.11. Authorized person means the Data controller’s appointed person (employee or external person), responsible for Personal data protection;
- 1.1.12. other concepts used in the Rules correspond to the concepts defined in the General Data Protection Regulation and Law on Legal Protection of Personal Data of the Republic of Lithuania.
- 1.2. Hereby it is attempted to help the Data subjects to use their rights.
- 1.3. This Policy is also applied to protection of Personal data of other data subjects (i.e. not clients or employees), whose Personal data are processed or will be processed by the Data controller in the future.
- 1.4. The Personal data processed by the Data controller are accurate, suitable and within the scope necessary for their collection and further processing. The Personal data may be updated regularly, if necessary.
- 1.5. The Personal data in the Website are collected:
- 1.5.1. for the purpose of purchase of products and/or services, execution of a contract (an order) and servicing, client’s identification in the Data controller’s information system, client’s registration and identification on the Website, for issuance of invoices and other financial documents, submission of replies to customer inquiries;
- 1.5.2. for the purpose of employee selection when the person submits his/her data in order to apply for a job position according to an advertisement (e-mail) placed on the Website of the Data controller or directly to the email specified in the ad;
- 1.5.3. for direct marketing if Data subject gives his/her consent.
- 1.6. The Data controller is processing the following Personal data:
- 1.6.1. for the purposes indicated in the clause 1.5.1 of the Policy: name, surname, address, telephone number, e-mail address, billing information, bank account number, name of the parcel addressee, name, surname, address, contact phone;
- 1.6.2. for the purposes indicated in the clause 1.5.2 of the Policy: name, surname, date of birth, address, telephone number, e-mail address, education, work experience;
- 1.6.3. for the purposes indicated in the clause 1.5.3 of the Policy: name, surname, telephone number, e-mail address, organization/represented company (requisites), position.
- 1.7. The legal ground for processing of Personal data, specified in the clause 1.6.1, is the Data controller’s duty to execute the contract made with the Data subject and/or to undertake actions to conclude the contract, fulfil the order upon request (order) of the client.
- 1.8. The legal ground for processing of Personal data, specified in the clause 1.6.2, is the consent of the Data subject, expressed by the person in the submission of Personal data for employment (applying for a job position).
- 1.9. The legal ground for processing of Personal data, specified in the clause 1.6.3, is the consent given by the Data subject.
- 1.10. When the Personal data are processed for the purpose of direct marketing, the Data subject has a right to object free of charge to such processing and to withdraw the consent.
- 1.11. The Data controller may also receive information about the Data subject from public and commercial sources (as permitted by applicable law) and associate it with other information received from or about the Data subject.
2. Processing of Personal data
- 2.1. Only the employees of the Data controller have a right to process Personal data of the clients, including their transmission to the third persons specified in the clause 2.2 herein. Every employee has to preserve the secret of client’s Personal data and to comply with the requirements of legal acts on Personal data protection and these rules.
- 2.2. We may transfer Your Personal data to the recipients of the data that help us to provide the services provided by the Company, to conduct direct marketing. Such persons may only be partners of the Company acting on behalf of the Company as data processors who provide delivery of consignments, marketing, IT maintenance, legal services, consultants, etc. (Personal data shall be disclosed only within the purpose necessary to provide certain services). The clients’ Personal data may be provided only to the Data processors, with whom the Data controller has made contracts containing provisions on transmission/disclosure of Personal data and if the Data processor secures the protection of Personal data required by the General Data Protection Regulation. In all other cases the clients’ Personal data may be disclosed to the third persons only in accordance with terms and conditions of legal acts of the Republic of Lithuania.
- 2.3. The Data controller observes the confidentiality principle and keeps in secret any information related to Personal data that was learnt while implementing the job functions, unless such information was public according to the valid laws or other legal acts.
- 2.4. Term of Personal data processing: Personal data shall be processed until they are not already needed for the processing purposes:
- 2.4.1. the clients’ Personal data is processed for the period not exceeding 10 years from the last day of the execution of the contract / order or its expiration day or the last day of use of the website's content or services;
- 2.4.2. the candidates’ Personal data received for employment purposes is processed for 6 months from the end of the selection;
- 2.4.3. the clients’ Personal data processed for the purpose of direct marketing shall be processed not longer than until the moment when the consent to receive advertising is withdrawn (revoked).
- 2.5. When Personal data are no longer needed for their processing purposes, they shall be destroyed, except those that, in the cases specified by the law, must be transferred to national archives.
- 2.6. The Personal data protection shall be organized, secured and implemented by the Authorized person of the Data controller.
3. Rights of the Data subject and their implementation procedure
- 3.1. Rights of the Data subject:
- 3.1.1. to know (be informed) about the processing of his/her Personal data;
- 3.1.2. to have an access to his/her Personal data and to be informed of how they are processed;
- 3.1.3. to object against the processing of his/her Personal data;
- 3.1.4. to request rectification, specification, supplementation or destruction of his/her incorrect or incomprehensive Personal data or suspension of further processing of his/her Personal data, with the exception of storage;
- 3.1.5. to request erasure of the data (“right to be forgotten”). This right is valid where one of the following grounds applies:
- 184.108.40.206. the Personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- 220.127.116.11. the Data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
- 18.104.22.168. the Personal data have been unlawfully processed;
- 22.214.171.124. the Personal data have to be erased for compliance with a legal obligation in the European Union or domestic law to which the Data controller is subject;
- 3.1.6. right to data portability: the Data subject shall have the right to receive the Personal data concerning him or her, which he or she has provided to a Data controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Data controller to which the Personal data have been provided, where:
- 126.96.36.199. the processing is based on consent or on a contract;
- 188.8.131.52. the processing is carried out by automated means.
- 3.2. The Data subject may appeal against supposed unlawful processing of his or her Personal data to the Supervisory authority.
- 3.3. The Data subject has a right to authorize a non-profit organization, institution or association that was incorporated properly according to the law of the Republic of Lithuania, whose objectives indicated in the Articles of Association are in compliance with public interest and that is operating in the area of protection of rights and freedoms of the Data subject within the scope related to Personal data protection to lodge a complaint in his/her name and to use certain rights provided in the General Data Protection Regulation.
- 3.4. Implementation procedure of the Data subject’s rights:
- 3.4.1. the person, who wants to implement the rights listed in the clause 3.1, has to submit a written application to the Company (personally, by post, via representative or by electronic communication means). The application has to be legible, signed by the person and contain the following data: person’s name, surname, residence, contact data and information, which of the aforementioned rights and in what scope, she or he desires to implement;
- 3.4.2. upon submission of the application, the person must identify himself or herself by the following means:
- 184.108.40.206. if the application is delivered directly on arrival to the Data controller – to present personal identity document or its copy certified according to the legal acts of the Republic of Lithuania;
- 220.127.116.11. if the application is delivered by post – to present the copy (duplicate) of personal identity document certified according to the legal acts of the Republic of Lithuania;
- 18.104.22.168. if the application is delivered via representative – to present the document confirming representation and the copy (duplicate) of personal identity document certified according to the legal acts of the Republic of Lithuania;
- 22.214.171.124. if the application is delivered by electronic communication means – to sign by valid e-signature;
- 3.4.3. the right of the Data subject to object to processing of his/her Personal data for direct marketing shall be implemented by the notification of the Data controller about the Data subject’s objection by e-mail.
- 3.5. The Authorized person shall examine the applications indicated in the clause 3.4.1 herein. The application has to be examined and the response has to be given not later than in 30 calendar days upon the application’s submission.
- 3.6. When the Data subject submits applications according to the clause 3.4.1, she or he should not misuse his or her rights evidently. If the Data subject misuses his or her right (for example, refers to the Data controller regarding information on the processed Personal data more often than once in six months), the Data controller has a right to demand that the Data subject would cover the administrative costs related to implementation of such applications.
- 3.7. The objection of the Data subject to processing of his or her Personal data for direct marketing should be responded immediately, as soon as possible. The responsible employees of the Data controller have to secure that Personal data would not be further processed for the purpose of direct marketing.
4. Cookies and their usage
- 4.1. In order to improve the client’s experience while visiting the Data controller’s website, we are going to use the cookies – small portions of textual information that are created automatically while browsing the website and that are stored in the client’s computer or another terminal device. The information collected with the help of cookies allows us securing the opportunity to the client to browse more conveniently, to submit attractive offers and to learn more about behaviour of the website’s users, to analyse the tendencies and to improve the website, servicing and services provided by the Data controller.
5. Social media
- 5.1. At present, the Company has created and managed accounts in the social media Facebook, LinkedIn. Any information, that You submit on social media such as Facebook, LinkedIn (including notices, "Like" and "Follow" fields, and other communications), or which You receive after visiting our social media accounts (including information provided by social media using cookies), or by reading Company records on the social media network, is controlled by the social network controller. Therefore, we recommend You to read third-party privacy notices and contact the service providers directly if You have any questions about how they use Your Personal data.
6. Security of Personal data
- 6.1. The Data controller implements appropriate organisational and technical measures intended for the protection of Personal data against accidental or unlawful destruction, alteration and disclosure as well as against any other unlawful processing.
- 6.2. When the Data controller detects violations of Personal data security, it shall remove them immediately.
- 6.3. The Data controller’s employees have to follow the confidentiality principle provided in the clause 2.3 herein.
- 6.4. The antivirus software has to be updated continuously in the Data controller’s computers.
- 6.5. If Personal data security was violated, the Data controller shall notify the Supervisory authority thereof without unreasonable delay and, if possible, within 72 hours after having learnt of such violation of Personal data security, unless violation of Personal data security should not cause hazard to rights and freedoms of natural persons. If the Supervisory authority is not notified about violation of Personal data security in 72 hours, the reasons of delay have to be attached to the notification.
- 6.6. When big hazard to rights and freedoms of natural persons may be caused because of violation of Personal data security, the Data controller shall notify the Data subject thereof without unreasonable delay.
- 7.1. The Data subject must submit thorough and accurate Personal data to the Data controller and to inform it about appropriate changes of the Personal data.
- 7.2. The Data controller has no possibility to guarantee completely that functioning of the Data controller’s website will be unhindered and completely protected against any viruses. The Data controller shall not be liable for damage, including damage resulting from interruptions to the use of the website, of data loss or damage resulting from acts or omissions of the Data subject or third parties acting on the Data subject, including incorrect data entry, other errors, deliberate damage, other inappropriate use of the Data controller's website. The Data controller shall never assume responsibility for direct or indirect losses resulting from usage of material or documents available on the Data controller’s website. The Data subject is notified that any material read, downloaded or otherwise received via the Data controller’s website is received exclusively at the discretion and risk of the Data subject, who will be solely responsible for any damage caused to the Data subject or his/her computer system.
- 7.3. Unless provided otherwise, the intellectual property rights (including copyrights) to the content and information of the Data controller’s website belong to the Data controller. It is forbidden to reproduce, translate, adapt or use otherwise any section of the Data controller’s website without a written advance consent of the Data controller. It is forbidden to perform any other actions that would or could violate the Data controller’s intellectual property rights to its website or that wouldn’t be in compliance with fair competition.
8. Final provisions
- 8.1. This Policy shall be updated at least once in two years or if the legal acts regulating personal data protection change.
- 8.2. The Policy is publicly available on the Data controller's Website. The amended Policy enters into force on the day it was published on the Website. Persons who intend to use our services are advised always to get acquainted with the latest version of the Privacy Police.
9. Contact data
Rubedo sistemos, UAB
+370 37 220280
K. Baršausko st. 59b, LT-51423 Kaunas, Lithuania