PERSONAL DATA PROCESSING REGULATIONS

1.1. These Regulations regulate the processing of personal data in NORDSTREET to ensure the observance and implementation of the Law, the Regulation and other legal acts establishing the processing and the protection of personal data.

1.2. The goal of these regulations is to provide for the main legal principles of the processing of personal data in the NORDSTREET’s activity. These Regulations must be observed by all the persons employed at NORDSTREET and (or) carrying out activity thereat on other grounds, that process NORDSTREET available personal data or become aware of them in the performance of their duties.

1.3. These Regulations were drawn up in accordance with the Law, the Regulation and other legal acts regulating the personal data protection.

2.1. In these Regulations, terms from capital letters shall have the following meanings:

2.1.1. “Personal Data“ or “Data“ shall refer to any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2.1.2. “Data Processor“ shall refer to NORDSTREET Partners as well as other natural or legal persons which process Personal Data on behalf of NORDSTREET.

2.1.3. “Data Processing“ shall refer to any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

2.1.4. “Data Controller“ shall refer to NORDSTREET – legal person which determines the purposes and means of the processing of Personal Data.

2.1.5. “Data Subject“ shall refer to a natural person that visited the Data Controller‘s website and registered on it providing his/her Personal Data as well as any other natural person that made a services or other contract with NORDSTREET and transferred to it his/her Personal Data processed hereunder.

2.1.6. “NORDSTREET“ shall refer to Data Controller – UAB “Nordstreet”, legal entity‘s code 304565690, registered address Naugarduko st. 19, Vilnius, Republic of Lithuania.

2.1.7. “Website“ shall refer to the website managed by the Data Controller at https://nordstreet.com.

2.1.8. “Law“ shall refer to the Law of the Republic of Lithuania on the Legal Protection of Personal Data.

2.1.9. “Partners“ shall refer to the NORDSTREET Data Processors – whom the Data Controller cooperates on a constant basis with, seeking to provide quality services, including, but not limited to, the suppliers of the services provided on the platform as well as the suppliers performing platform-programming and (or) -improving works.

2.1.10. “Regulation“ shall refer to the Regulation on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (Data Protection Directive), which came into effect on 25 May 2018.

2.1.11. “Consent“ shall refer to any freely given, specific and unambiguous duly information expression of the Data Subject‘s will by a statement or unambiguous action by which the Data Subject agrees to the processing of the Personal Data relating to him.

2.1.12. “Regulations“ shall refer to these NORDSTREET personal data processing regulations.

2.2. Other notions used herein meet the notions established in the Law and the Regulation.

2.3. The regulations are legally binding both on internal and external levels.

3.1. NORDSTREET processes the following Personal Data for the following purposes and on the following legal ground:

Personal data category	Personal data types	Personal data processing purposes	Personal data processing legal ground
Registration data as well as documents proving the business transaction or economical event and the Data thereof	Name, surname, residence address, phone number, email, bank account number.	Provision of services, performance of NORDSTREET legal obligations provided for in the legal acts of the Republic of Lithuania, e.g. information communication to state authorities, institutions and other public and private entities in accordance with the procedure established in the legislation of the Republic of Lithuania.	Data are processed under the made agreement and it is necessary to process the Data to perform the legal obligation imposed on NORDSTREETD (Art. 6 (1 (b, c)) of the Regulation).

4.1. The Personal Data processing by NORDSTREET shall be subject to the general data protection principles such as, primarily: limitation of purposes, decreasing of data amount, limited data storage periods, data quality, tailored and standardized data protection, data processing legal ground, special categories‘ data processing principles and Data security-ensuring means.

4.2. NORDSTREET shall process Personal Data either by itself or by making a Personal Data Processing agreement with the Data Processor in respect of processing the part or all the Personal Data used in the NORDSTREET activity.

4.3. Personal Data processed by NORDSTREET may be provided to third persons and Partners:

4.3.1. In one-off supply cases – only at the data recipient‘s request in cases established in the laws or other legal acts, having established a legitimate purpose;

4.3.2. In multiple supply cases – only under the Personal Data supply agreement, specifying the procedure as well as the terms and conditions meeting the main principles hereof.

4.4. NORDSTREET, intending to supply Data to third persons and (or) Partners, shall be obliged to inform the Data Subject to this effect no later than prior to the first supply of the Personal Data, except for the cases when the laws or other legal acts define the procedure for the collection and provision of such Data as well as the data recipients.

5.1. NORDSTREET observes the following Personal Data processing principles:

5.1.1. Collects, processes and stores the information provided by Data Subjects in strict accordance with the requirements of the Law, the Regulation, other legal acts governing this legal sphere in the Republic of Lithuania and these Regulations;

5.1.2. Processes and collects Personal Data of Data Subject in good faith, lawfully and for the purposes specified herein;

5.1.3. When collecting and processing Personal Data, observes the principles of practicality and proportionality and does not require the Data Subjects to provide Data that are not necessary;

5.1.4. Stores personal data in a form allowing identifying the Data Subject for a period not longer than required to achieve the purposes for which these data were collected.

5.2. Data Subject‘s Personal Data may become available only to duly authorised NORDSTREET employees and only for providing services.

5.3. NORDSTREET makes efforts for the data of the Data Subjects to be complete, not outdated and accurate, for which reason they are qualified and updated on a constant basis.

5.4. NORDSTREET respects the privacy of the Data Subject and undertakes to constantly observe the Data Subject‘s data protection principles and confidentiality specified herein.

6.1. Personal Data are stored for a period not longer than necessary. The personal data storage period is established under the General Document Retention Periods Guide approved by the order of the Chief Archivist of the Republic of Lithuania and other legal acts of the Republic of Lithuania. These data are immediately deleted from the data base upon the expiry of the periods provided for in the legal acts and these Regulations.

6.2. If the Data Subject registers and provides his Personal Data on the Website or provides them at the NORDSTREET registered address, NORDSTREET shall be obliged to store them for a period not longer than 8 (eight) years after the Data Subject‘s last login, or, if the Data Subject provided the Data at the NORDSTREET registered address and did not create an individual account on the Website, not longer than 8 (eight) years after the Data Subject‘s last contact with NORDSTREET, unless a separate consent of the Data Subject to store the Data for a longer period was received. In both cases, 5 (five) calendar days prior to the expiry of the 8 (eight) years period an inquiry on whether the Data Subject agrees to the further Data processing shall be sent to the email or phone specified by the Data Subject. Should the Data Subject express disagreement or not provide any answer within the said 5 (five) calendar days, NORDSTREET shall delete all the Data related to the Data Subject as well as his account in the system, if any.

6.3. If the period of storage of Personal Data is not provided for in the General Document Retention Periods Guide or art. 6.2-6.4 hereof, the Personal Data may be stored for a period not longer than is necessary to achieve the Personal Data processing purposes specified in section 3 hereof.

7.1. The Data Subject shall be entitled:

7.1.1. to know what Personal Data and for what purpose are processed;

7.1.2. to correct or supplement the Personal Data;

7.1.3. to supplement incomplete Personal Data;

7.1.4. to require NORDSTREET to delete the Personal Data related to him;

7.1.5. to require NORDSTREET to limit the Personal Data processing;

7.1.6. to require NORDSTREET to transfer the Personal Data to another data controller;

7.1.7. to file a complaint with the State Data Protection Inspectorate regarding the unlawful processing of Personal Data or the Data breach;

7.1.8. to disagree to the Personal Data Processing, if these Data are processed or intended to be processed for direct marketing purposes and (or) to revoke the given Consent.

7.2. Where Data Subject‘s Personal Data are collected or the Data Subject requests that his right specified in art. 7.1.1 hereof be exercised, NORDSTREET shall provide the following information to the Data Subject:

7.2.1. Personal Data processing purposes for which the Personal Data are processed or intended to be processed as well as the legal ground for Personal Data processing;

7.2.2. Personal Data categories;

7.2.3. Personal data storage period or, if it is impossible, criteria applied to establish that period;

7.2.4. Personal Data recipients, if any, or Personal Data recipients‘ categories to which the Personal Data were or will be disclosed, primarily, Data recipients in third countries or international organizations;

7.2.5. Right to request NORDSTREET to correct or delete Personal Data or limit the processing of Personal Data related to the Data Subject, or disagree to such processing;

7.2.6. Where the Data processing is carried out on the ground of NORDSTREET‘s legitimate interest, – the legitimate interests of NORDSTREET or third person;

7.2.7. Right to file a complaint with the supervision authority;

7.2.8. Where personal data are collected not from NORDSTREET, – all the available information about the sources thereof;

7.2.9. Contact data of NORDSTREET, contact data of personal data official (if any).

7.3. Where NORDSTREET receives Personal Data not from the Data Subject, it shall be obliged to inform the Data Subject to this effect before starting to process the Personal Data.

7.4. The rights of the Data Subject shall be exercised upon receipt of his written request provided personally, by email or email, or through a representative, whose powers must be proven by a respective document. The Data Subject or his representative shall present, together with the request, his identity document or a copy thereof duly certified in accordance with the procedure established in the legal acts of the Republic of Lithuania or identify himself by allowed electronic communication means.

7.5. The Data Subject shall be entitled to receive NORDSTREET‘s confirmation on whether the Personal Data related to him are processed and, where his Personal Data are processed, – to get familiarized with the Personal Data and other information specified in art. 7.2 hereof. Where the Data Subject, having familiarized with his Data, establishes that his Data are incorrect, incomplete or inaccurate, he may address NORDSTREET, and NORDSTREET shall immediately check the data and, at the Data Subject‘s request, correct the incorrect, incomplete or inaccurate Data and (or) limit such Data processing actions, except for the storage thereof.

7.6. All answers to the Data Subject are provided in a succinct, transparent, understandable and easily-accessible format in simple and lucid language. NORDSTREET shall provide, free of charge, a copy of the processed Personal Data in electronic or paper format at the Data Subject‘s discretion. For repeated copies requested by the Data Subject, NORDSTREE may charge a reasoned fee established according to the administration expenses for producing such a copy, which cannot exceed the Data provision costs incurred by NORDSTREET. Where the Data Subject files the request by electronic means, the information is provided in customarily used electronic form.

7.7. At the Data Subject‘s request to delete his data, NORDSTREE undertakes to delete the Personal Data without any unfounded delays, provided that:

7.7.1. Personal Data are no longer necessary to achieve the purposes for which they were collected or otherwise processed;

7.7.2. The Data Subject withdraws Consent authorising to process the Personal Data and there is no other legal ground to process the Personal Data;

7.7.3. The Data Subject disagrees to the Data processing, provided there is a legitimate interest of NORDSTREET, and the Data Controller does not establish any superior legitimate reasons to further process the Data;

7.7.4. Personal Data were processed unlawfully;

7.7.5. Personal Data must be deleted in observance of the legal obligations established in the law of the European Union or the Republic of Lithuania.

7.8. For the data deletion purposes, NORDSTREET enciphers the Personal Data of Data Subjects in a way as to make it impossible to trace and establish whom they belong to.

7.9. NORDSTREET is obliged to limit the Data Subject‘s Personal Data Processing without any unfounded delays, provided that:

7.9.1. The Data Subject disputes the Personal Data accuracy, for a period during which NORDSTREET may check the Personal Data accuracy;

7.9.2. Personal Data processing is unlawful and the Data Subject disagrees that the Personal Data be deleted, and asks to limit the use thereof instead;

7.9.3. NORDSTREET no longer needs the Personal Data for the purposes specified in section 3 hereof; however, they are needed for the Data Subject to make, perform or protect legal demands;

7.9.4. The Data Subject objected to Personal Data Processing under the ground of NORDSTREET‘s legitimate interest, until it is verified whether the NORDSTREET‘s lawful reasons are superior to the Data Subject‘s reasons;

7.9.5. NORDSTREET has reasoned doubts regarding the correctness of the Data provided by the Data Subject.

7.10. Where Personal Data Processing is limited under Art. 7.8 hereof, such Personal Data shall be stored until they are corrected or deleted, and they may be processed, except for the storage, only upon receipt of the Data Subject‘s consent or for making, performing or protecting legal demands, or protecting the rights of other natural or legal persons, or for the reason of public interest of importance to the European Union or its member-state.

7.11. The Data Subject shall have the right to withdraw his Consent to the processing of Personal Data at any time without prejudice to the legitimacy of the Processing of Personal Data based on the Consent up to the Withdrawal of the Consent.

7.12. NORDSTREET shall ensure that the Data Subject has the right to receive the Personal Data related to him, which he provided to NORDSTREET in .zip or .rar format, and has the right to forward that Personal Data to another Data Controller at the request and instruction of the Data Subject under the conditions presented in art. 7.12 hereof.

7.13. The Data Subject shall be entitled to forward the Data on him to another Data Controller, and NORDSTREET, to which the Personal Data were provided, shall be obliged not to create any obstacles to that, where:

7.13.1 Data Processing is based on the Data Subject‘s Consent or agreement;

7.13.2. Data are processed by automated means.

7.14. By exercising its right to Data Portability under Art. 7.12 of the Regulations, the Data Subject shall have the right to request that NORDSTREET forward his Personal Data directly to another Data Controller, where technically feasible.

7.15. No later than within 30 (thirty) days after the receipt of the Data Subject’s request or instruction, NORDSTREET shall respond and perform the actions specified in the request or refuse to act upon request, stating the reasons for the refusal. If necessary, considering the complexity and the number of requests, the period may be extended by 2 (two) months more. In such a case, NORDSTREET shall inform the Data Subject of such extension and provide the reasons for the delay within 30 (thirty) days of receipt of the request.

7.16. NORDSTREET may refuse to act upon the Data Subjects‘ requests in cases specified in Art. 23 (1) of the Regulation, including, but not limited to, when required to ensure:

7.16.1. The performance of the legal obligations imposed on NORDSTREET;

7.16.2. The public order or the prevention of criminal acts;

7.16.3. Protection of rights and freedoms of users or other persons.

7.17. NORDSTREET shall be obliged to immediately report to the Data Subject about the Data correction, deletion or suspension of Data processing actions done or refused to be done at his request.

7.18. NORDSTREET, having noticed that other data controllers have failed to comply with the Regulation or the Law in the field of data protection, may appeal to the State Data Protection Inspectorate by filling in and submitting a complaint to the following address:

State Data Protection Inspectorate

A. Juozapavičiaus st. 6

09310 Vilnius

Phone (8 5) 279 1445

Unified service desk phone (8 5) 271 2804

Fax (8 5) 261 9494

Email ada@ada.lt

8.1. In the event of Personal Data security breach, NORDSTRET shall inform the State Data Protection Inspectorate to this effect without any unfounded delays and, where possible, within no more than 72 hours after becoming aware of the Personal Data security breach, unless the personal data security breach poses no hazard to the Personal Data of the Data Subjects.

8.2. When personal data breaches may pose a significant risk to the Personal Data of the Data Subject, NORDSTREET shall, without any unfounded delays, report a personal data breach to the Data Subject. Such notification shall be submitted by NORDSTREET to the Data Subject in writing according to the available contact details of the Data Subject

8.3. NORDSTREET assesses the seriousness of the personal data security breach and the necessity of notice, taking into account the level of hazard to the Data Subject (health, life, property, honour and dignity thereof and etc.).

9.1. NORDSTREET implements and ensures the following appropriate organizational and technical means against casual or unlawful destruction, modification, disclosure and any other unlawful processing of data:

9.1.1. organizational: drawing up these Regulations, performance control thereof, appointing a person in charge of the data protection, separation of the place where Personal Data are stored from publically accessible places, employees process Personal Data according to their duties and are familiarized with the content hereof;

9.1.2. technical: using antivirus software. Installing signalization in the premises, using certified software, requirement of passwords when logging in to the computers on which the Personal Data are stored, data uploading to special data uploading servers.

9.2. These means ensure the level of security that meets the nature of the protected Personal Data and the risk imposed by the processing thereof.

9.3. Persons employed and (or) carrying out the activity on other legitimate grounds shall be obliged to observe the confidentiality principle and hold confidential any information related to Personal Data which they got familiarized with in the performance of their duties, unless such information is public in accordance with the provisions of the effective laws or other legal acts. The principle of confidentiality as well means that the persons that process the Personal Data are prohibited to disclose them, except for the cases provided for in the Regulation. The obligation to protect Personal Data shall stay in effect for an unlimited period of time, even after taking another job or upon the termination of the employment or contractual relations.

10.1. The Data Subject, when using the services provided by NORDSTREET, may freely agree that the Personal Data provided by the Data Subject be used for NORDSTREET marketing purposes, expressing his consent in a separate consent on Data Processing.

10.2. The possibilities of the Data Subject to receive the NORDSTREET marketing offers:

10.2.1. The Data Subject, having visited the NORDSTREET website, has the possibility to agree to receive NORDSTREET marketing offers;

10.2.2. The Data Subject, having visited the NORDSTREET‘s physical location and expressed his consent on a separate NORDSTREET-provided sheet on allowing to process the Personal Data.

10.3. NORDSTREET also provides the Data Subject with the possibility to refuse the offers sent by NORDSTREET:

10.3.1. The Data Subject has the possibility to refuse the NORDSTREET offers by clicking to the offers refusal link in the NORDSTREET letter to the Data Subject or by clicking to the refusal link on the Website;

10.3.2. The Data Subject may exercise his right to refuse that his Data be processed for direct marketing purposes by notifying the NORDSTREET by mail or email as well.

10.4. NORDSTREET shall use the data of the Data Subject for legitimate marketing activities. Personal data are collected, processed and used for marketing purposes in a manner so as not to disclose the Data Subject‘s identity or other Data to third persons without the separate consent of the Data Subject.

11.1. The Data Subject may get familiarized with the Regulations by way of direct addressing NORDSTEET, using the contact data specified.

Law updated on 6 May 2019.