PERSONAL DATA PROCESSING REGULATIONS
1. GENERAL PROVISIONS
1.1. These Regulations regulate the processing of personal data in NORDSTREET to ensure the observance and implementation of the Law, the Regulation and other legal acts establishing the processing and the protection of personal data.
1.2. The goal of these regulations is to provide for the main legal principles of the processing of personal data in the NORDSTREET’s activity. These Regulations must be observed by all the persons employed at NORDSTREET and (or) carrying out activity thereat on other grounds, that process NORDSTREET available personal data or become aware of them in the performance of their duties.
1.3. These Regulations were drawn up in accordance with the Law, the Regulation and other legal acts regulating the personal data protection.
2. TERMS AND DEFINITIONS
2.1. In these Regulations, terms from capital letters shall have the following meanings:
2.1.1. “Personal Data“ or “Data“ shall refer to any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2.1.2. “Data Processor“ shall refer to NORDSTREET Partners as well as other natural or legal persons which process Personal Data on behalf of NORDSTREET.
2.1.3. “Data Processing“ shall refer to any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2.1.4. “Data Controller“ shall refer to NORDSTREET – legal person which determines the purposes and means of the processing of Personal Data.
2.1.5. “Data Subject“ shall refer to a natural person that visited the Data Controller‘s website and registered on it providing his/her Personal Data as well as any other natural person that made a services or other contract with NORDSTREET and transferred to it his/her Personal Data processed hereunder.
2.1.6. “NORDSTREET“ shall refer to Data Controller – UAB “Nordstreet”, legal entity‘s code 304565690, registered address Naugarduko st. 19, Vilnius, Republic of Lithuania.
2.1.7. “Website“ shall refer to the website managed by the Data Controller at https://nordstreet.com.
2.1.8. “Law“ shall refer to the Law of the Republic of Lithuania on the Legal Protection of Personal Data.
2.1.9. “Partners“ shall refer to the NORDSTREET Data Processors – whom the Data Controller cooperates on a constant basis with, seeking to provide quality services, including, but not limited to, the suppliers of the services provided on the platform as well as the suppliers performing platform-programming and (or) -improving works.
2.1.10. “Regulation“ shall refer to the Regulation on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (Data Protection Directive), which came into effect on 25 May 2018.
2.1.11. “Consent“ shall refer to any freely given, specific and unambiguous duly information expression of the Data Subject‘s will by a statement or unambiguous action by which the Data Subject agrees to the processing of the Personal Data relating to him.
2.1.12. “Regulations“ shall refer to these NORDSTREET personal data processing regulations.
2.2. Other notions used herein meet the notions established in the Law and the Regulation.
2.3. The regulations are legally binding both on internal and external levels.
3. PURPOSES AND LEGAL GROUND OF PERSONAL DATA COLLECTION AND PROCESSING
3.1. NORDSTREET processes the following Personal Data for the following purposes and on the following legal ground:
|Personal data category||Personal data types||Personal data processing purposes||Personal data processing legal ground|
|Registration data as well as documents proving the business transaction or economical event and the Data thereof||Name, surname, residence address, phone number, email, bank account number.||Provision of services, performance of NORDSTREET legal obligations provided for in the legal acts of the Republic of Lithuania, e.g. information communication to state authorities, institutions and other public and private entities in accordance with the procedure established in the legislation of the Republic of Lithuania.||Data are processed under the made agreement and it is necessary to process the Data to perform the legal obligation imposed on NORDSTREETD (Art. 6 (1 (b, c)) of the Regulation).|
4. GENERAL PROVISIONS ON PERSONAL DATA COLLECTION, PROCESSING AND STORAGE
4.1. The Personal Data processing by NORDSTREET shall be subject to the general data protection principles such as, primarily: limitation of purposes, decreasing of data amount, limited data storage periods, data quality, tailored and standardized data protection, data processing legal ground, special categories‘ data processing principles and Data security-ensuring means.
4.2. NORDSTREET shall process Personal Data either by itself or by making a Personal Data Processing agreement with the Data Processor in respect of processing the part or all the Personal Data used in the NORDSTREET activity.
4.3. Personal Data processed by NORDSTREET may be provided to third persons and Partners:
4.3.1. In one-off supply cases – only at the data recipient‘s request in cases established in the laws or other legal acts, having established a legitimate purpose;
4.3.2. In multiple supply cases – only under the Personal Data supply agreement, specifying the procedure as well as the terms and conditions meeting the main principles hereof.
4.4. NORDSTREET, intending to supply Data to third persons and (or) Partners, shall be obliged to inform the Data Subject to this effect no later than prior to the first supply of the Personal Data, except for the cases when the laws or other legal acts define the procedure for the collection and provision of such Data as well as the data recipients.
5. NORDSTREET-COLLECTED PERSONAL DATA PROCESSING PRINCIPLES
5.1. NORDSTREET observes the following Personal Data processing principles:
5.1.1. Collects, processes and stores the information provided by Data Subjects in strict accordance with the requirements of the Law, the Regulation, other legal acts governing this legal sphere in the Republic of Lithuania and these Regulations;
5.1.2. Processes and collects Personal Data of Data Subject in good faith, lawfully and for the purposes specified herein;
5.1.3. When collecting and processing Personal Data, observes the principles of practicality and proportionality and does not require the Data Subjects to provide Data that are not necessary;
5.1.4. Stores personal data in a form allowing identifying the Data Subject for a period not longer than required to achieve the purposes for which these data were collected.
5.2. Data Subject‘s Personal Data may become available only to duly authorised NORDSTREET employees and only for providing services.
5.3. NORDSTREET makes efforts for the data of the Data Subjects to be complete, not outdated and accurate, for which reason they are qualified and updated on a constant basis.
5.4. NORDSTREET respects the privacy of the Data Subject and undertakes to constantly observe the Data Subject‘s data protection principles and confidentiality specified herein.
6. PERSONAL DATA STORAGE PERIODS
6.1. Personal Data are stored for a period not longer than necessary. The personal data storage period is established under the General Document Retention Periods Guide approved by the order of the Chief Archivist of the Republic of Lithuania and other legal acts of the Republic of Lithuania. These data are immediately deleted from the data base upon the expiry of the periods provided for in the legal acts and these Regulations.
6.2. If the Data Subject registers and provides his Personal Data on the Website or provides them at the NORDSTREET registered address, NORDSTREET shall be obliged to store them for a period not longer than 8 (eight) years after the Data Subject‘s last login, or, if the Data Subject provided the Data at the NORDSTREET registered address and did not create an individual account on the Website, not longer than 8 (eight) years after the Data Subject‘s last contact with NORDSTREET, unless a separate consent of the Data Subject to store the Data for a longer period was received. In both cases, 5 (five) calendar days prior to the expiry of the 8 (eight) years period an inquiry on whether the Data Subject agrees to the further Data processing shall be sent to the email or phone specified by the Data Subject. Should the Data Subject express disagreement or not provide any answer within the said 5 (five) calendar days, NORDSTREET shall delete all the Data related to the Data Subject as well as his account in the system, if any.
6.3. If the period of storage of Personal Data is not provided for in the General Document Retention Periods Guide or art. 6.2-6.4 hereof, the Personal Data may be stored for a period not longer than is necessary to achieve the Personal Data processing purposes specified in section 3 hereof.
7. DATA SUBJECT‘S RIGHTS
7.1. The Data Subject shall be entitled:
7.1.1. to know what Personal Data and for what purpose are processed;
7.1.2. to correct or supplement the Personal Data;
7.1.3. to supplement incomplete Personal Data;
7.1.4. to require NORDSTREET to delete the Personal Data related to him;
7.1.5. to require NORDSTREET to limit the Personal Data processing;
7.1.6. to require NORDSTREET to transfer the Personal Data to another data controller;
7.1.7. to file a complaint with the State Data Protection Inspectorate regarding the unlawful processing of Personal Data or the Data breach;
7.1.8. to disagree to the Personal Data Processing, if these Data are processed or intended to be processed for direct marketing purposes and (or) to revoke the given Consent.
7.2. Where Data Subject‘s Personal Data are collected or the Data Subject requests that his right specified in art. 7.1.1 hereof be exercised, NORDSTREET shall provide the following information to the Data Subject:
7.2.1. Personal Data processing purposes for which the Personal Data are processed or intended to be processed as well as the legal ground for Personal Data processing;
7.2.2. Personal Data categories;
7.2.3. Personal data storage period or, if it is impossible, criteria applied to establish that period;
7.2.4. Personal Data recipients, if any, or Personal Data recipients‘ categories to which the Personal Data were or will be disclosed, primarily, Data recipients in third countries or international organizations;
7.2.5. Right to request NORDSTREET to correct or delete Personal Data or limit the processing of Personal Data related to the Data Subject, or disagree to such processing;
7.2.6. Where the Data processing is carried out on the ground of NORDSTREET‘s legitimate interest, – the legitimate interests of NORDSTREET or third person;
7.2.7. Right to file a complaint with the supervision authority;
7.2.8. Where personal data are collected not from NORDSTREET, – all the available information about the sources thereof;
7.2.9. Contact data of NORDSTREET, contact data of personal data official (if any).
7.3. Where NORDSTREET receives Personal Data not from the Data Subject, it shall be obliged to inform the Data Subject to this effect before starting to process the Personal Data.
7.4. The rights of the Data Subject shall be exercised upon receipt of his written request provided personally, by email or email, or through a representative, whose powers must be proven by a respective document. The Data Subject or his representative shall present, together with the request, his identity document or a copy thereof duly certified in accordance with the procedure established in the legal acts of the Republic of Lithuania or identify himself by allowed electronic communication means.
7.5. The Data Subject shall be entitled to receive NORDSTREET‘s confirmation on whether the Personal Data related to him are processed and, where his Personal Data are processed, – to get familiarized with the Personal Data and other information specified in art. 7.2 hereof. Where the Data Subject, having familiarized with his Data, establishes that his Data are incorrect, incomplete or inaccurate, he may address NORDSTREET, and NORDSTREET shall immediately check the data and, at the Data Subject‘s request, correct the incorrect, incomplete or inaccurate Data and (or) limit such Data processing actions, except for the storage thereof.
7.6. All answers to the Data Subject are provided in a succinct, transparent, understandable and easily-accessible format in simple and lucid language. NORDSTREET shall provide, free of charge, a copy of the processed Personal Data in electronic or paper format at the Data Subject‘s discretion. For repeated copies requested by the Data Subject, NORDSTREE may charge a reasoned fee established according to the administration expenses for producing such a copy, which cannot exceed the Data provision costs incurred by NORDSTREET. Where the Data Subject files the request by electronic means, the information is provided in customarily used electronic form.
7.7. At the Data Subject‘s request to delete his data, NORDSTREE undertakes to delete the Personal Data without any unfounded delays, provided that:
7.7.1. Personal Data are no longer necessary to achieve the purposes for which they were collected or otherwise processed;
7.7.2. The Data Subject withdraws Consent authorising to process the Personal Data and there is no other legal ground to process the Personal Data;
7.7.3. The Data Subject disagrees to the Data processing, provided there is a legitimate interest of NORDSTREET, and the Data Controller does not establish any superior legitimate reasons to further process the Data;
7.7.4. Personal Data were processed unlawfully;
7.7.5. Personal Data must be deleted in observance of the legal obligations established in the law of the European Union or the Republic of Lithuania.
7.8. For the data deletion purposes, NORDSTREET enciphers the Personal Data of Data Subjects in a way as to make it impossible to trace and establish whom they belong to.
7.9. NORDSTREET is obliged to limit the Data Subject‘s Personal Data Processing without any unfounded delays, provided that:
7.9.1. The Data Subject disputes the Personal Data accuracy, for a period during which NORDSTREET may check the Personal Data accuracy;
7.9.2. Personal Data processing is unlawful and the Data Subject disagrees that the Personal Data be deleted, and asks to limit the use thereof instead;
7.9.3. NORDSTREET no longer needs the Personal Data for the purposes specified in section 3 hereof; however, they are needed for the Data Subject to make, perform or protect legal demands;
7.9.4. The Data Subject objected to Personal Data Processing under the ground of NORDSTREET‘s legitimate interest, until it is verified whether the NORDSTREET‘s lawful reasons are superior to the Data Subject‘s reasons;
7.9.5. NORDSTREET has reasoned doubts regarding the correctness of the Data provided by the Data Subject.
7.10. Where Personal Data Processing is limited under Art. 7.8 hereof, such Personal Data shall be stored until they are corrected or deleted, and they may be processed, except for the storage, only upon receipt of the Data Subject‘s consent or for making, performing or protecting legal demands, or protecting the rights of other natural or legal persons, or for the reason of public interest of importance to the European Union or its member-state.
7.11. The Data Subject shall have the right to withdraw his Consent to the processing of Personal Data at any time without prejudice to the legitimacy of the Processing of Personal Data based on the Consent up to the Withdrawal of the Consent.
7.12. NORDSTREET shall ensure that the Data Subject has the right to receive the Personal Data related to him, which he provided to NORDSTREET in .zip or .rar format, and has the right to forward that Personal Data to another Data Controller at the request and instruction of the Data Subject under the conditions presented in art. 7.12 hereof.
7.13. The Data Subject shall be entitled to forward the Data on him to another Data Controller, and NORDSTREET, to which the Personal Data were provided, shall be obliged not to create any obstacles to that, where:
7.13.1. Data Processing is based on the Data Subject‘s Consent or agreement; and
7.13.2. Data are processed by automated means.
7.14. By exercising its right to Data Portability under Art. 7.12 of the Regulations, the Data Subject shall have the right to request that NORDSTREET forward his Personal Data directly to another Data Controller, where technically feasible.
7.15. No later than within 30 (thirty) days after the receipt of the Data Subject’s request or instruction, NORDSTREET shall respond and perform the actions specified in the request or refuse to act upon request, stating the reasons for the refusal. If necessary, considering the complexity and the number of requests, the period may be extended by 2 (two) months more. In such a case, NORDSTREET shall inform the Data Subject of such extension and provide the reasons for the delay within 30 (thirty) days of receipt of the request.
7.16. NORDSTREET may refuse to act upon the Data Subjects‘ requests in cases specified in Art. 23 (1) of the Regulation, including, but not limited to, when required to ensure:
7.16.1. The performance of the legal obligations imposed on NORDSTREET;
7.16.2. The public order or the prevention of criminal acts;
7.16.3. Protection of rights and freedoms of users or other persons.
7.17. NORDSTREET shall be obliged to immediately report to the Data Subject about the Data correction, deletion or suspension of Data processing actions done or refused to be done at his request.
7.18. NORDSTREET, having noticed that other data controllers have failed to comply with the Regulation or the Law in the field of data protection, may appeal to the State Data Protection Inspectorate by filling in and submitting a complaint to the following address:
State Data Protection Inspectorate
A. Juozapavičiaus st. 6
Phone (8 5) 279 1445
Unified service desk phone (8 5) 271 2804
Fax (8 5) 261 9494
8. PERSONAL DATA SECURITY BREACHES
8.1. In the event of Personal Data security breach, NORDSTRET shall inform the State Data Protection Inspectorate to this effect without any unfounded delays and, where possible, within no more than 72 hours after becoming aware of the Personal Data security breach, unless the personal data security breach poses no hazard to the Personal Data of the Data Subjects.
8.2. When personal data breaches may pose a significant risk to the Personal Data of the Data Subject, NORDSTREET shall, without any unfounded delays, report a personal data breach to the Data Subject. Such notification shall be submitted by NORDSTREET to the Data Subject in writing according to the available contact details of the Data Subject
8.3. NORDSTREET assesses the seriousness of the personal data security breach and the necessity of notice, taking into account the level of hazard to the Data Subject (health, life, property, honour and dignity thereof and etc.).
9. CONFIDENTIALITY AND SECURITY PROVISIONS
9.1. NORDSTREET implements and ensures the following appropriate organizational and technical means against casual or unlawful destruction, modification, disclosure and any other unlawful processing of data:
9.1.1. organizational: drawing up these Regulations, performance control thereof, appointing a person in charge of the data protection, separation of the place where Personal Data are stored from publically accessible places, employees process Personal Data according to their duties and are familiarized with the content hereof;
9.1.2. technical: using antivirus software. Installing signalization in the premises, using certified software, requirement of passwords when logging in to the computers on which the Personal Data are stored, data uploading to special data uploading servers.
9.2. These means ensure the level of security that meets the nature of the protected Personal Data and the risk imposed by the processing thereof.
9.3. Persons employed and (or) carrying out the activity on other legitimate grounds shall be obliged to observe the confidentiality principle and hold confidential any information related to Personal Data which they got familiarized with in the performance of their duties, unless such information is public in accordance with the provisions of the effective laws or other legal acts. The principle of confidentiality as well means that the persons that process the Personal Data are prohibited to disclose them, except for the cases provided for in the Regulation. The obligation to protect Personal Data shall stay in effect for an unlimited period of time, even after taking another job or upon the termination of the employment or contractual relations.
10. MARKETING AND CORRESPONDENCE
10.1. The Data Subject, when using the services provided by NORDSTREET, may freely agree that the Personal Data provided by the Data Subject be used for NORDSTREET marketing purposes, expressing his consent in a separate consent on Data Processing.
10.2. The possibilities of the Data Subject to receive the NORDSTREET marketing offers:
10.2.1. The Data Subject, having visited the NORDSTREET website, has the possibility to agree to receive NORDSTREET marketing offers;
10.2.2. The Data Subject, having visited the NORDSTREET‘s physical location and expressed his consent on a separate NORDSTREET-provided sheet on allowing to process the Personal Data.
10.3. NORDSTREET also provides the Data Subject with the possibility to refuse the offers sent by NORDSTREET:
10.3.1. The Data Subject has the possibility to refuse the NORDSTREET offers by clicking to the offers refusal link in the NORDSTREET letter to the Data Subject or by clicking to the refusal link on the Website;
10.3.2. The Data Subject may exercise his right to refuse that his Data be processed for direct marketing purposes by notifying the NORDSTREET by mail or email as well.
10.4. NORDSTREET shall use the data of the Data Subject for legitimate marketing activities. Personal data are collected, processed and used for marketing purposes in a manner so as not to disclose the Data Subject‘s identity or other Data to third persons without the separate consent of the Data Subject.
11. USING COOKIES
11.2. The Data Controller, using the cookies, collects the following Data: IP address, Browser type, demographic data, other Website visitor behaviour data.
11.3. The following cookies are used on the Website:
11.3.1. Advertising cookies. Advertising cookies are used for showing ads that are of interest to a specific Website‘s visitor and meet his interests. They are as well used for making some ads visible only for a certain number of times and helping to measure the efficiency of the advertising campaign;
11.3.2. Compulsory cookies. Compulsory cookies are used to allow a Website visitor to browse the Website and use its functions;
11.3.3. Session cookies. Session cookies. Session cookies allow identifying a Website visitor through a single visit to the Website, seeing his behaviour, clicks during the session, and memorizing them while browsing the Website. Session cookies are temporary and are deleted as soon as the browser is closed or disconnected from the Website;
11.3.4. Functional cookies. Functional cookies allow the Website to memorize things that a Website visitor chooses (such as his name, language or region) and offer enhanced features that are personally tailored to the Website visitor. The information gathered from these cookies can be made anonymous, and they cannot track the visitor’s browsing activity on other websites;
11.3.5. Analytical cookies. These cookies are used for the statistical analysis of the Website visitor‘s navigation methods.
|Cookie name||Description, destination|
|Default expiration time|
|_dc_gtm_UA-*||The cookie is used to upload scripts and codes to the website.||Session||Analytical|
|laravel_session||The cookie is used to create a Website visitor session ID so that the system can identify the Website visitor as unique and distinguish him from other Website visitors using the Website.||1 day||Compulsory|
|PHPSESSID||The cookie is designed to help ensure the integrity of the website’s functionality.||Session||Session|
|remember_web_*||The cookie extends Website visitor access time.||Session||Session|
|XSRF-TOKEN||The cookie is used to identify sessions on the Website.||2 hours||Session|
|Word Press Multi Language:|
|_icl_current_language||The cookie helps to display the website in the desired language.||1 day||Functional|
|_icl_visitor_lang_js||The cookie helps the system remember the Website’s language that the visitor uses.||2 days||Functional|
|wpml_browser_redirect_test||The cookie helps to display the website in the desired language.||Session||Session|
|wpml_referer_url||The cookie is used to set the language.||Session||Session|
|mailerlite:webform:shown:*||Mailerlite cookie is designed for enabling Mailerlite services on the Website and ensuring their proper functioning.||No expiry date||Functional|
|Facebook , Facebook Inc.:|
|_fbp||Used to store the Website visitor data and use it for advertising and “Facebook Analytics”.||1 day||Advertizing|
|Tawk.to cookie used to provide the Website visitor with online help via the chat box system.||6 months||Functional|
|TawkConnectionTime||These cookies are used to enable live chat with clients on the Website.||Session||Functional|
|_ga||The cookie is used by Google Analytics to evaluate the purpose of the visitor’s visit to the Website, to report on the activity of the Website visitor to the Data Controller and to improve the visitor’s experience of visiting the Website.||1 year||Analytical|
|_gcl_au||The cookie is used by Google Analytics to identify a Website visitor and receive information about how the page was accessed and used||3 months||Analytical|
|_gid||The Google Analytics cookie is used for tracking purposes in order to distinguish Website visitors.||24 hours||Analytical|
11.4. The Data Controller uses the Data from the cookies used on the Website for the following purposes:
11.4.1. to ensure the smooth use, operation and facilitation of the Website browsing process;
11.4.2. user identification;
11.4.3. to analyse website visits statistics, website visitors behaviour;
11.4.4. to improve the quality of the services available on the Website.
11.5. By using computer settings, a visitor to a website can edit the settings for using cookies, i.e. delete (block) cookies or a part thereof. A website visitor can find more information about all the cookie settings at http://www.allaboutcookies.org. For more information about Google Analytics cookies and their settings, please visit http://tools.google.com/dlpage/gaoptout. It is important to note that changing your cookie settings may block some features of the Website.
12. FINAL PROVISIONS
12.1. The Data Subject may get familiarized with the Regulations by way of direct addressing NORDSTEET, using the contact data specified.
Law updated on 6 May 2019.