PERSONAL DATA PROCESSING POLICY

1. BASIC POLICY CONCEPTS

1.1.  LPPD – Law on Legal Protection of Personal Data of the Republic of Lithuania;

1.2.  Responsible employee — Employee of the Company, who, according to the position and nature of his work, has the right to perform specific functions related to the processing of Data.

1.3.  GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

1.4.  Company — Data Processor UAB “BIOK laboratorija”, legal entity code 120536985.

1.5.  Employee means a person who has concluded an employment contract, a temporary employment contract or a voluntary activity contract with the Company.

1.6.  Data/Personal data – means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a personal identification number, location data, an online identifier or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

1.7.  Data recipient – is a natural or legal person, public authority, agency, or other body to which Personal data is disclosed, whether it is a third party or not.

1.8.  Data subject — Employee of the Company, client, or other natural person whose Personal data is processed by the Company.

1.9.   Processing of data means any operation or set of operations carried out by automatic or non-automatic means with personal data, such as: collection, writing, sorting, storage, adaptation or modification, reproduction, search, use, disclosure by transmission, distribution or otherwise being made available, arrangement in a certain order or combination by alignment, blocking, erasure or destruction.

1.10.  Data processor – means the natural or legal person, public authority, agency, or other institution which processes personal data on behalf of the Company.

1.11.  Third party — a natural or legal person, public authority, agency or other body that is not a user of the Services, the Company, the Data processor, or persons who, by direct authority of the Company or the Data processor, are permitted to process personal data.

1.12.   Other terms used in the Policy correspond to those used in GDPR and LPPD.

2.  GENERAL PROVISIONS

2.1.  The purpose of this Policy is to inform Data subjects about their Data processing procedures and their storage terms and to indicate their rights in relation to these data and the Company.

2.2.  The Company shall ensure that it complies with the following essential principles relating to the processing of personal data:

2.2.1. Personal data must be processed in a lawful, fair, and transparent manner (principle of legality, fairness, and transparency);

2.2.2. Personal data shall be collected for determined, clearly defined and legitimate purposes and shall not continue to be processed in a manner incompatible with those purposes;

2.2.3. Personal data must be adequate, relevant, and only necessary to achieve the purposes for which they are processed (the principle of reducing the amount of data);

2.2.4. Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which are not accurate in relation to the purposes for which they are processed are immediately deleted or corrected (accuracy principle);

2.2.5. Personal data shall be stored in such a form that the identity of the Data subject can be established no longer than is necessary for the purposes for which it is processed;

2.2.6. Personal data must be processed in such a way that appropriate technical or organizational measures ensure adequate security of personal data, including protection against unauthorized processing or unlawful processing and against accidental loss, destruction, or damage (the principle of integrity and confidentiality);

2.2.7. The Company is responsible for complying with the above principles and must be able to demonstrate that they are being followed (accountability principle).

2.3.   The Company may authorize the Data processors under its control, i.e. providers of information technology and electronic communications services, advisors, auditors, consultants, security services and other persons who process the data managed by the Company for the specified purposes and in accordance with Company instructions. The Data processor’s access rights regarding the Data shall be terminated upon termination of the personal data processing agreement concluded with the Company or upon termination of this agreement.

8.  ADEQUATE INFORMING OF DATA SUBJECTS

8.1.  Data controlled by the Company shall be provided to third parties with the consent of the Data subject or other legal data provision basis.

8.2.  Data subjects must be provided with the following information before the processing of their Personal data begins:

8.2.1.  Company name, requisites, and contact details;

8.2.2.  Objectives of data processing;

8.2.3.  Legal basis for data processing;

8.2.4.  The contact details of the Data protection officer, where applicable;

8.2.5.  The period of storage of Personal data or, where this is not possible, the criteria used to determine that period;

8.2.6.  The right to request that the Company allow access to the Personal data of the Data subject and to rectify or delete them, or to restrict the processing of data, or the right to object to the processing of the Data, as well as the right to Data portability;

8.2.7.  The right to complain to the supervisory authority;

8.2.8.  If available, recipients of Personal data or categories of recipients of personal data;

8.2.9.  Where applicable, about the Company’s intention to transfer personal data to a third country or to an international organization;

8.2.10. Where applicable, whether there is automated decision-making present, including profiling, and, at least in those cases, meaningful information about its logical justification, as well as the significance and expected consequences of such Data processing for Data subjects.

8.3.   The information must be presented in an accessible, transparent, clear, and easily accessible form, in simple language.

8.4.    The information is provided in this policy, in writing, by e-mail or by other means. Information may be provided orally at the request of the data subject.

8.5.     Information collected about a particular person is provided only after the Data subject proves his identity and submits a signed request or a copy thereof.

8.6.     The obligation to provide information shall not apply to the extent that:

8.6.1.   The provision of such information is impossible or would require disproportionate efforts. In such cases, the Company shall take appropriate measures to protect the freedoms and legitimate interests of the Data subject, including public publication of information;

8.6.2.  The fact of receiving or disclosing data is clearly established in the EU or the Republic of Lithuania legislation, which establishes appropriate safeguards for the protection of the legitimate interests of the Data subject;

8.6.3.  When personal data must remain confidential, including the obligation to protect secrecy.

9. DATA STORAGE TERMS

9.1. The Company applies different terms of storage of personal data depending on the categories of personal data processed:

No.  Purpose of processing of personal data                                        Term of storage
1.   Data processing for direct marketing purposes                                 10 years from the date of consent
2.   Processing of data for advertising promotions                                 1 year from the date of consent
3.   Processing of data for electronic commerce purposes                           2 years from the last login or purchase
4.   Data processing for the purpose of participating in cosmetic product testing  3 years from the end of the study
5.   Video surveillance for the purpose of protection of property rights           Not more than 30 days
6.   Video surveillance for the organization and conduct of training               Not more than 1 year

9.2.  Exceptions to the above retention periods may be determined insofar as such exceptions do not violate the rights of the Data subject, meet legal requirements, and are properly documented.

9.3.   If the Data is used as evidence in civil, administrative or criminal proceedings or in other cases provided for by law, the Data may be stored to the extent necessary for these purposes of Data processing and destroyed immediately when they are no longer needed.

10.  DATA DESTRUCTION

10.1.  Destruction is defined as a physical or technical act by which the data contained in a document is rendered non-recoverable by conventional commercially available means.

10.2.  Personal data stored in electronic form shall be destroyed by deletion without the possibility of recovery.

10.3.  The destruction of personal data files stored in electronic form is the responsibility of an employee working on a specific computer on which the personal data files are stored.

10.4.  The employees administering these systems are responsible for the destruction of the data contained in the Company’s databases and IT systems.

11.  RIGHTS OF DATA SUBJECTS

11.1.  The data subject may exercise the following rights:

11.1.1.   Right to be informed;

11.1.2.   Right of access;

11.1.3.   Right of erasure;

11.1.4.   Right to adjustment;

11.1.5.   Right to limit the processing of data;

11.1.6.   Right to data portability;

11.1.7.   Right to object to data processing;

11.1.8.   Rights related to automatic decision-making and profiling.

12.    PROCEDURES FOR THE IMPLEMENTATION OF PERSONAL DATA RIGHTS

12.1.  The Data subject, having confirmed his or her identity by providing the Company or the Data processor with a personal identity document, or in accordance with the procedure established by law, or by electronic means of communication that allow a person to be properly identified, has the right to receive information about the sources from which his/her Personal data has been collected and which Personal data has been collected, the purpose for which it is processed, and the data recipients to whom the Data is provided and has been provided within the last 1 year.

12.2.  Personal data shall be provided to the Data subject for access and familiarization, as well as corrected and destroyed, or their processing operations shall be suspended, upon receipt of the Data subject’s request, on the basis of documents confirming the identity of the Data subject and documents confirming his/her Personal data, or by means of electronic communication that allow a person to be correctly identified. When the Data subject applies to the Company in writing, a notarized copy of a personal identity document should be attached to the request, except when the written request is submitted directly to the Company’s employees and the applicant Data subject can be identified at the time of submission of the request.

12.3.  Requests of Data subjects regarding the processing of Personal Data are accepted and registered in the Company’s registration and management log by the Company Director’s authorized employee(s).

12.4.   The Company, having received a request from the Data subject regarding the processing of his/her personal data, is obliged to answer whether the Personal data relating to him/her is processed and to submit the requested Data to the Data subject no later than 30 calendar days from the date of the Data subject’s request. At the request of the Data subject, such Data shall be provided in writing.

12.5.   When the Data subject is provided with the Data subject’s Personal data, processed by the Company, the Company shall ensure appropriate organizational and technical data security measures so that other Data subjects cannot be identified from the Provided Data.

12.6.   Upon receipt of the Data subject’s inquiry regarding the processing of video data related to him/her, the Company shall, no later than 3 working days from the date of receipt of the request of the Data subject, respond whether the related video data is stored and, if stored, the Company shall record the video data and provide the data in a secure data media (CD, DVD, etc.).

12.7.   The Personal data of the Data subject processed by the Company shall be provided to the Data subject free of charge once a calendar year.

12.8.   Whenever the Data subject is provided with Personal data or video data, the Data subject shall be informed about the established amount of remuneration (for example, for receiving a CD, DVD or other medium containing a copy of the video, preparation of documents, etc.) and the payment procedure for the provision of data. When providing data for a fee, the principle is followed that the amount of remuneration shall not exceed the cost of data provision, and the rules on remuneration for the provision of data to the Data subject, approved by Resolution No. 1074 of the Government of the Republic of Lithuania of 14 September 2011, are complied with.

12.9.   If the Data subject, having familiarized with his/her Personal data, finds that his/her Personal data is incorrect, incomplete or inaccurate, and appeals to the Company, the Company shall immediately verify the Personal data and at the written request of the Data subject, submitted in person, by mail or by electronic means of communication, shall promptly correct the incorrect, incomplete, inaccurate Personal data and/or suspend the processing of such Personal data, with the exception of storage.

12.10. If the Data subject, having become acquainted with his/her Personal Data, determines that his/her Personal data is processed illegally or dishonestly and applies to the Company, the Company must immediately, but no later than within 5 business days, verify the legality and fairness of the processing of such Personal data, and at the written request of the Data subject immediately destroy the Personal data which was collected in an unlawful or unfair way, or stop any processing activities with such data, with the exception of storage.

12.11.  Whenever the Personal data processing actions are terminated at the request of the Data subject, the Personal data the processing operations of which have been suspended must be stored until it is rectified or destroyed (at the request of the Data subject or after the expiration of the Data storage term). Other processing actions with such Personal data may be carried out only for the purpose of proving the circumstances that led to the suspension of the data processing operations; if the Data subject gives consent to further processing of his/her Personal data; if it is necessary to protect the rights of third parties or legitimate interests.

12.12. The Company shall immediately, but not later than within 5 business days, inform the Data subject about the rectification, destruction or suspension of Personal data processing operations carried out or not carried out at his/her request.

12.13.  If the Company doubts the correctness of the Personal data provided by the Data subject, the Company suspends the processing of such Data, then checks and clarifies the Data. Such Personal data may only be used to verify their correctness.

12.14.  The Company shall immediately (but no later than 5 business days) inform the Data recipients about the Personal data corrected or destroyed at the request of the Data subject and about the suspended processing of Personal data, unless the provision of such information would be impossible or excessively difficult (due to the high number of Data subjects, data period, unreasonably high costs). In this case, the State Data Protection Inspectorate is notified immediately.

12.15.  At the request of the Data subject, the Company shall notify the Data subject about the termination of the processing of Personal data or refusal to terminate the data processing operations.

12.16.  If it is established that the Company processes the Personal data of the Data subject unlawfully and unfairly, such Data shall be destroyed immediately, but not later than within 5 business days, at the initiative of the Company or at the request of the Data subject.

12.17.  The Data subject shall submit a written notification about the disagreement regarding the processing of Personal data to the Company personally, by post or by means of electronic communication. If the disagreement of the Data subject is legally justified, the Company shall immediately, but not later than within 5 working days, terminate the processing of Personal Data free of charge, except in cases provided by law, and inform the data recipients.

12.18.   Where Personal Data is processed on the legal basis referred to in Article 5 (1) (5,6) of the LPPD, the Data subject has the right to object to the processing of his/her Personal data without specifying the reasons for disagreement. Before collecting Personal data, the Company shall acquaint the Data subject with the right to object to the processing of his/her Personal data. At the request of the Data subject, the Company is obliged to notify the Data subject about the termination of the processing of Personal data or refusal to terminate the data processing operations.