Personal data processing rules
1. General provisions
These Rules for the processing of personal data (hereinafter referred to as the "Rules") regulate the basic principles and procedures for the collection, processing and storage of personal data of the user of the website www.medstrah.pro (hereinafter referred to as the "Site"), who entered his credible personal data into the forms on the Site (hereinafter referred to as the "Data Subject").
These Rules must be respected by all employees (hereinafter referred to as "Employees") and authorized representatives of JSC Dr Värslas, company code 302417821 (hereinafter referred to as "Management Company") who process personal data and learn such data while doing their job duties. The access to personal data is provided only to those employees who need it to perform their official functions.
Terms and definitions used in these Rules:
Personal data - any information about an individual whose identity has been established or can be established (Data Subject). It is a person whose identity can be identified directly or indirectly, particularly by identifiers (such as first and last name, personal identification number, location and network address), or by one or more physiological, genetic, psychological, economic, cultural, or social traits;
Data Administrator - a person or a legal entity, state body, agency or other institution that processes personal data on behalf of the Management Company;
Data subject - an individual whose personal data is processed;
Data processing - any operation or series of operations performed with personal data or packages of personal data using automated and non-automated means, such as collecting, recording, sorting, organizing, storing, adapting and transforming data, obtaining data and getting familiar with it, using and disclosing of data through transmission, distribution or in other ways that allow them to be used, as well as the comparison or combination of personal data with other data, restriction, deletion or destruction;
Management company - JSC Dr Värslas, a legal entity registered in the territory of the Republic of Lithuania, legal entity code 302417821, address: Republic of Lithuania, Vilnius region, st. Shiaures, 28.
Other terms and definitions used in this Regulation comply with the terms and definitions provided by the Law of the Republic of Lithuania "On the Legal Protection of Personal Data" (hereinafter referred to as "LPPD") and the provisions of the EU General Data Protection Regulation 2016/679 (hereinafter referred to as "GDPR").
These Rules are prepared in accordance with the LPPD, GDPR, as well as with General Requirements for Organizational and Technical Measures for the Protection of Personal Data, approved by the decree of the Director of the State Data Protection Inspectorate No. 1T-74 (1.12.E) "About approving of the General requirements for organizational and technical measures for the protection of personal data" dated December 18, 2014, as well as in accordance with other legal acts regulating the processing and protection of personal data.
The purpose of these Rules is to regulate the principles and procedures for the collecting, processing and storing of personal data of Subjects, as well as to determine the rights of Data Subjects, risk factors for personal data leakage, personal data protection means and other issues related to processing of such data.
2. Collection, processing and storage of personal data
Based on these Rules, the Management Company processes personal data for the purposes of direct marketing.
When processing personal data, the Management Company relies on the following basic principles for processing personal data:
-personal data is collected for the established and legal purposes provided by law, and processed in the ways consistent with these purposes;
-collecting and processing of personal data are carried out in accordance with the principles of reasonability and proportionality;
-The Management Company does not require the Subjects to provide data that is not necessary; data is not collected or processed in excessive amounts;
Personal data is processed accurately, honestly and lawfully. The Management Company ensures that the Data Administrators authorized by it (including employees) process personal data in accordance with these Rules and the provisions of the LPPD and GDPR.
The Data Administrators authorized by the Managing Company have the right to collect, process, transfer, store, destroy or otherwise use personal data, but only to perform their direct functions specified in job descriptions or in the contract concluded between the Managing company and the Data Administrator.
The data administrator (including employees) is prohibited from arbitrarily collecting, processing, transferring, storing, destroying or using personal data.
The processed personal data must be correct and must be updated (if it is necessary for their processing). Incomplete and inaccurate data should be corrected, supplemented, destroyed or their processing is suspended in the manner defined by these Rules.
Personal data are specified, corrected, changed, supplemented, canceled and restored at the request of the Data Subject, as well as at the initiative of the Management Company.
Personal data are stored in such a way that the identity of the Data Subjects cannot be established to a greater extent than it is necessary to achieve the purposes for which this data was collected and processed;
Personal data are processed in accordance with the requirements for the processing of personal data established by the LPPD and GDPR and other legal acts regulating the relevant activities.
The following personal data are processed for the purposes of direct marketing: name and email address.
If the Management Company processes the personal data of the Data Subject for direct marketing purposes, then this is done only with the consent of the Subject, which he(she) provides by registering on the Site and (or) by subscribing to the newsletter.
The data subject expresses his consent by clicking on the appropriate button next to the consent to the processing of personal data in the registration form. Such data is collected and automatically used only in accordance with the procedure and purposes specified in these Rules.
If the data subject subscribes to the newsletter, a message is sent to his e-mail with the subscription and consent to the processing of personal data. To confirm his consent, the Subject must click on the button "I agree" or activate the link to the Site that is in the message, clearly indicating that such activation constitutes the consent to the processing of personal data.
If the Data Subject does not perform any action (i.e. does not click on the "I agree" button or does not activate the link to the Site), it is considered that he does not agree with the subscription and the processing of personal data. If this happens, the Management Company does not process the personal data of the Subject.
The Management Company undertakes not to transfer personal data processed for the purposes specified in these Rules to third parties, with the exceptions provided by the current legislation of the Republic of Lithuania and in the way defined by the current legislation of the Republic of Lithuania.
The personal data of the registered user is stored for 2 (two) years from the moment of his last visit to the Site. After the expiration of this period, the personal data of the registered user are destroyed in the way defined by the current legislation.
The personal data of the registered user are processed using safe organizational and technical means that protect personal data from accidental or illegal destruction, alteration, disclosure, use and any other unauthorized forms of processing.
The management company collects and receives personal data from the following sources:
-Data subjects;
-At the request of the Data Subject - from the third parties indicated by the Subject himself(herself);
-In cases where the Data Subject registers on the Site of the Management Company using his Facebook or Google (gmail.com) account - from the companies that operate the Facebook and Google platforms.
The management company does not collect and process personal data of Subjects under the age of 16 (sixteen) years old. Consent to the processing of personal data obtained from Subjects under the age of 16 (sixteen) years old is considered invalid.
When registering on the Site of the Management Company, the Data Subject must provide complete, accurate and reliable information about his(her) personal data. If it turns out that the data provided by the Subject is inaccurate, the Management Company has the right to demand that the Subject clarify the personal data and, if he(she) does not do this, to destroy the Subject's data being at its disposal, and also to block the Subject's account.
The data subject must immediately make the appropriate changes to his personal data on the Site of the Management Company or notify the Management Company by mail if his personal data changes after registration on the Site.
The Management Company is not responsible for damage caused to the Data Subject and (or) third parties due to the fact that the Subject provided inaccurate and (or) incomplete personal data, or did not update personal data, or did not make appropriate changes.
The processing of personal data is allowed only to Data Administrators who, in writing or by law, undertake:
-not to disclose, transfer or create conditions for third parties to familiarize themselves with personal data, if the mentioned third parties do not have the right to process personal data, as well as receive personal data in the manner defined by these Rules or by current legislation;
-keep personal data confidential;
-immediately notify the head of the Management Company of any known circumstances that may threaten the security of personal data;
-comply with the provisions of legal acts regulating the protection of personal data.
3. Rights of the data subject
The data subject has the right to:
-know (receive information) about the processing of his(her) personal data;
-learn about his(her) personal data and the method of its processing, as well as receive copies of all his(her) personal data transferred to the Management Company in a standard machine-readable format;
-request to correct or destroy his(her) personal data, or suspend the processing of his(her) personal data (except storage) if the data are processed in violation of the provisions of these Rules and other laws;
-refuse to process his(her) personal data, with the exception provided by the current legislation and these Rules;
-demand that his (her) personal data be completely deleted (the right to be forgotten), except in cases where the Management Company cannot delete the data due to the fulfillment of obligations and requirements provided by law.
Having received a request from the Data Subject to realize one of the Subject's rights listed in clause 3.1 of these Rules, the Management Company undertakes to satisfy it no later than within 20 (twenty) business days, or provide the Data Subject with a written refusal to perform actions related to personal data.
The data subject who has submitted an identity document either in accordance with the procedure provided for by current legislation or using electronic means that allow the proper identification of a person who has confirmed his identity, has the right to get familiar with his(her) personal data stored by the Management Company free of charge.
Messages, notifications and requests of the Data Subject addressed to the Management Company are sent to the e-mail address: mail@medstrah.pro or by post to the legal address of the Management Company specified in clause 1.2 of these Rules.
4. Cookies
The site uses cookies to help ensure the quality of the services provided to visitors.
A cookie file is a small text document with a unique identification number that is sent from the Site of the Management Company to the hard drive of the device of the Data Subject so that the Management Company can distinguish the connection of the device of the Data Subject to the system of the Management Company and thus adapt and organize the operation of the Site for specific Data Subject.
The data that the Management Company receives by using cookies are not personal data and are not used to identify the Data Subject.
The Data Subject expresses his consent to the terms of the Cookie Policy and the use of cookies in accordance with the procedure and purposes provided in these Rules by ticking “I agree”.
If the Data Subject does not agree to the use of cookies, the Website of the Management Company may function improperly.
Information about the cookies used:
| Name | Description | Creation time / expiration date |
| --- | --- | --- |
| CMSSESSIDX | A standard cookie used for user session support. | When entering the website / before closing the website window |
| cookiesAgree | A cookie that is used to recognize the fact of your consent to the use of cookies on our website. | From the moment of consent / until deletion |
| cookiesLevelX | Cookie used to recognize the cookies that you authorize to use on our website. | From the moment of consent / until deletion |
| _ga | This cookie is used by Google Analytics to understand the purpose of a user's visit, compile reports on site activity for website operators and improve customer satisfaction when visiting the site. | From the moment of consent / 2 years |
| _gat | These cookies are used by Google Analytics to collect statistical information about website traffic. | When you visit the website for the first time / until the end of the session |
| _gid | This cookie is used by Google Analytics to identify a person. | When you visit the website for the first time / 2 days |
More information about cookies (for example, how to manage and delete them) can be found by the data subject on the website http://www.allaboutcookies.org.
To find out how to cancel website tracking by Google Analytics using cookies, the Data Subject may visit http://tools.google.com/dlpage/gaoptout.
Types of cookies:
Session cookies
Session cookies make it possible to identify the Data Subject during one visit to the Site of the Management Company, so that all page changes or choices are remembered when moving from one page to another. These cookies allow you to easily and quickly navigate multiple pages of the Site without having to re-process the information every time you visit a new location. Session cookies are temporary and disappear after the Data Subject closes the browser window or leaves the site.
Persistent cookies
Persistent cookies are cookies that remain on the computer of the Data Subject for a certain period of time after the end of the browsing session, so they can save certain parameters and user's actions when he(she) visits the site again.
First party cookies
These are cookies that are necessary for the proper functioning of the Dr Värslas UAB Website.
Third party cookies
These are cookies used by other organizations through the Site of the Management Company. The website of the Management Company, Dr Värslas UAB, uses Google Analytics cookies to analyze its traffic.
Google Analytics anonymously collects information about the number of visitors and places from which connections to the Site of the Management Company were made, as well as information about which segments of the Site visitors were interested in. These cookies are generated by Google Analytics. Read more about Google Analytics at http://www.google.com/analytics.
Any information collected using cookies is stored until their expiration date and is not used for purposes other than those specified in these Rules. The site of the Management Company contains links to the websites of other persons, businesses and organizations. The management company is not responsible for the content of such websites and their privacy practices. Therefore, if you go to other sites using a link from the Site of JSC Dr Värslas, you should separately ask about their privacy policy.
5. Personal data protection means
The management company uses appropriate organizational and technical means designed to protect personal data from accidental or unlawful destruction, alteration, disclosure and any other unauthorized forms of processing. In order to ensure the protection of personal data, the Management Company uses the following protection measures:
-administrative (settings for the secure processing of documents, computer data and their archives, as well as the procedure for organizing work in various fields of activity; making personnel familiar with the protection of personal data when hiring, as well as after the termination of employment and other similar relationships, etc.);
-protection of hardware and software (administration of servers, information systems and databases; keeping in order the workplaces and premises of the Management Company; ensuring security standards for servers on which databases are stored, etc.);
-protection of communication and computer networks (filtering (firewalling) of public data, programs, unwanted data packets, etc.).
All management companies involved in the processing of personal data are required to comply with the security requirements for the processing of personal data.
The management company takes the following organizational measures to ensure the security of personal data:
-ensuring the protection, management and control of access to personal data;
-access to personal data is provided only to the person who needs it to perform functions related to processing the data;
-personal data can be used only to perform data processing operations for which the Management Company issues a power of attorney, instruction or order for the Data Administrator;
-implementation of requirements for passwords for access to personal data: their confidentiality is guaranteed; they are unique, consist of 8 (eight) or more characters, do not contain personal information; they change at least 1 (one) time in 3 (three) months; the user is obliged to change the password at the first login to the system;
-restricting the access of unauthorized persons to the room in which personal data are stored;
-a guarantee of the destruction of personal data after the expiration of the data storage period provided for by these Rules;
-ensuring the protection of computer equipment from malicious programs - installing an antivirus program and updating it;
-assessment of the impact on the security of personal data at least 1 (one) time per year;
-encryption of personal data stored in an active (functioning) database;
-taking measures to ensure the security of personal data, using which the actions of the administrators of the database / servers / information system are monitored.
Employees of the Management Company who process personal data or gained access to personal data in the course of performing their official duties are obliged to comply with the principle of confidentiality and keep in secret any information regarding personal data, unless such information is publicly available in accordance with the current legislation of the Republic of Lithuania. Employees are obliged to comply with the principle of confidentiality even after the employment relationship comes to an end.
6. Violation of personal data protection requirements and notifications
A violation of the requirements for the protection of personal data is an act or inaction that can lead to undesirable consequences, as well as contradict the legal requirements that regulate the protection of personal data.
In each individual case, the impact and the damage caused and the consequences of violation of the requirements for the protection of personal data are determined by the head of the Management Company or a commission formed by his authorized representatives.
In case of violation of the requirements for the protection of personal data, the Management Company immediately, but no later than 48 (forty-eight) hours after it became aware of the violation, notifies the State Inspectorate for the Protection of Data and Data Subjects, except in cases when such a violation of the requirements for the protection of personal data does not pose a real threat to the rights and freedoms of the Subjects.
Notifications of violation of the requirements for the protection of personal data are sent to the e-mail address of the Data Subject, which the Subject has provided to the Management Company, or by post, if the Data Subject has not provided the Management Company with his e-mail address.
In cases when the violation of the requirements for the protection of personal data is not connected with random natural phenomena (such as lightning, floods, fire, etc.) and is the result of human actions, the Management Company, after learning about such a violation, undertakes to immediately contact the relevant law enforcement authorities with a statement about the alleged crime.
7. Final provisions
All messages and notifications regarding the processing of personal data are sent to the Management Company by e-mail mail@medstrah.pro or by mail.
The Management Company shall provide the answer in the form in which the message or notification of the Data Subject was received and no later than within 20 (twenty) calendar days from the date of receiving the message or notification from the Data Subject.
Compliance with these Rules is monitored by the manager of the Management Company or his authorized representative. The rules are reviewed and, if necessary, updated at least 1 (one) time per calendar year. Amendments and additions to these Rules come into force after their publication, i.e. from the date of their posting on the Site of the Management Company.