PERSONAL DATA PROCESSING REGULATIONS
1. GENERAL PROVISIONS
1.1. These Regulations regulate the processing of personal data in NORDSTREET to ensure the observance
and implementation of the Law, the Regulation and other legal acts establishing the processing
and the protection of personal data.
1.2. The goal of these regulations is to provide for the main legal principles of the processing
of personal data in the NORDSTREET’s activity. These Regulations must be observed by all the
persons employed at NORDSTREET and (or) carrying out activity thereat on other grounds, that
process NORDSTREET available personal data or become aware of them in the performance of their duties.
1.3. These Regulations were drawn up in accordance with the Law, the Regulation and other legal
acts regulating the personal data protection.
2. TERMS AND DEFINITIONS
2.1. In these Regulations, terms from capital letters shall have the following meanings:
2.1.1. “Personal Data“ or “Data“ shall refer to any information relating to an identified or
identifiable natural person (‘data subject’); an identifiable natural person is one who can be
identified, directly or indirectly, in particular by reference to an identifier such as a name,
an identification number, location data, an online identifier or to one or more factors specific
to the physical, physiological, genetic, mental, economic, cultural or social identity of that
2.1.2. “Data Processor“ shall refer to NORDSTREET Partners as well as other natural or legal
persons which process Personal Data on behalf of NORDSTREET.
2.1.3. “Data Processing“ shall refer to any operation or set of operations which is performed on
personal data or on sets of personal data, whether or not by automated means, such as collection,
recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation,
use, disclosure by transmission, dissemination or otherwise making available, alignment or
combination, restriction, erasure or destruction.
2.1.4. “Data Controller“ shall refer to NORDSTREET – legal person which determines the purposes
and means of the processing of Personal Data.
2.1.5. “Data Subject“ shall refer to a natural person that visited the Data Controller‘s website
and registered on it providing his/her Personal Data as well as any other natural person that
made a services or other contract with NORDSTREET and transferred to it his/her Personal Data processed hereunder.
2.1.6. “NORDSTREET“ shall refer to Data Controller – UAB “Nordstreet”, legal entity‘s code 304565690,
registered address Naugarduko st. 19, Vilnius, Republic of Lithuania.
2.1.7. “Website“ shall refer to the website managed by the Data Controller at https://nordstreet.com.
2.1.8. “Law“ shall refer to the Law of the Republic of Lithuania on the Legal Protection of Personal Data.
2.1.9. “Partners“ shall refer to the NORDSTREET Data Processors – whom the Data Controller cooperates
on a constant basis with, seeking to provide quality services, including, but not limited to, the
suppliers of the services provided on the platform as well as the suppliers performing
platform-programming and (or) -improving works.
2.1.10. “Regulation“ shall refer to the Regulation on the Protection of Natural Persons with
Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing
Directive 95/46/EC (Data Protection Directive), which came into effect on 25 May 2018.
2.1.11. “Consent“ shall refer to any freely given, specific and unambiguous duly information
expression of the Data Subject‘s will by a statement or unambiguous action by which the Data
Subject agrees to the processing of the Personal Data relating to him.
2.1.12. “Regulations“ shall refer to these NORDSTREET personal data processing regulations.
2.2. Other notions used herein meet the notions established in the Law and the Regulation.
2.3. The regulations are legally binding both on internal and external levels.
3. PURPOSES AND LEGAL GROUND OF PERSONAL DATA COLLECTION AND PROCESSING
3.1. NORDSTREET processes the following Personal Data for the following purposes and on the following legal ground:
|Personal data category
||Personal data types
||Personal data processing purposes
||Personal data processing legal ground
Registration data as well as documents proving the business transaction or economical event and the Data thereof
Name, surname, residence address, phone number, email, bank account number.
Provision of services, performance of NORDSTREET legal obligations provided for in
the legal acts of the Republic of Lithuania, e.g. information communication to state
authorities, institutions and other public and private entities in accordance with the
procedure established in the legislation of the Republic of Lithuania.
Data are processed under the made agreement and it is necessary to process the Data
to perform the legal obligation imposed on NORDSTREETD (Art. 6 (1 (b, c)) of the Regulation).
4. GENERAL PROVISIONS ON PERSONAL DATA COLLECTION, PROCESSING AND STORAGE
4.1. The Personal Data processing by NORDSTREET shall be subject to the general data protection
principles such as, primarily: limitation of purposes, decreasing of data amount, limited data
storage periods, data quality, tailored and standardized data protection, data processing legal
ground, special categories‘ data processing principles and Data security-ensuring means.
4.2. NORDSTREET shall process Personal Data either by itself or by making a Personal Data Processing
agreement with the Data Processor in respect of processing the part or all the Personal Data used in the NORDSTREET activity.
4.3. Personal Data processed by NORDSTREET may be provided to third persons and Partners:
4.3.1. In one-off supply cases – only at the data recipient‘s request in cases established in
the laws or other legal acts, having established a legitimate purpose;
4.3.2. In multiple supply cases – only under the Personal Data supply agreement, specifying the
procedure as well as the terms and conditions meeting the main principles hereof.
4.4. NORDSTREET, intending to supply Data to third persons and (or) Partners, shall be obliged
to inform the Data Subject to this effect no later than prior to the first supply of the Personal
Data, except for the cases when the laws or other legal acts define the procedure for the collection
and provision of such Data as well as the data recipients.
5. NORDSTREET-COLLECTED PERSONAL DATA PROCESSING PRINCIPLES
5.1. NORDSTREET observes the following Personal Data processing principles:
5.1.1. Collects, processes and stores the information provided by Data Subjects in strict accordance
with the requirements of the Law, the Regulation, other legal acts governing this legal sphere
in the Republic of Lithuania and these Regulations;
5.1.2. Processes and collects Personal Data of Data Subject in good faith, lawfully and for the purposes specified herein;
5.1.3. When collecting and processing Personal Data, observes the principles of practicality
and proportionality and does not require the Data Subjects to provide Data that are not necessary;
5.1.4. Stores personal data in a form allowing identifying the Data Subject for a period not
longer than required to achieve the purposes for which these data were collected.
5.2. Data Subject‘s Personal Data may become available only to duly authorised NORDSTREET employees and only for providing services.
5.3. NORDSTREET makes efforts for the data of the Data Subjects to be complete, not outdated and
accurate, for which reason they are qualified and updated on a constant basis.
5.4. NORDSTREET respects the privacy of the Data Subject and undertakes to constantly observe
the Data Subject‘s data protection principles and confidentiality specified herein.
6. PERSONAL DATA STORAGE PERIODS
6.1. Personal Data are stored for a period not longer than necessary. The personal data storage
period is established under the General Document Retention Periods Guide approved by the order
of the Chief Archivist of the Republic of Lithuania and other legal acts of the Republic of
Lithuania. These data are immediately deleted from the data base upon the expiry of the periods
provided for in the legal acts and these Regulations.
6.2. If the Data Subject registers and provides his Personal Data on the Website or provides them
at the NORDSTREET registered address, NORDSTREET shall be obliged to store them for a period not
longer than 8 (eight) years after the Data Subject‘s last login, or, if the Data Subject provided
the Data at the NORDSTREET registered address and did not create an individual account on the
Website, not longer than 8 (eight) years after the Data Subject‘s last contact with NORDSTREET,
unless a separate consent of the Data Subject to store the Data for a longer period was received.
In both cases, 5 (five) calendar days prior to the expiry of the 8 (eight) years period an inquiry
on whether the Data Subject agrees to the further Data processing shall be sent to the email or
phone specified by the Data Subject. Should the Data Subject express disagreement or not provide
any answer within the said 5 (five) calendar days, NORDSTREET shall delete all the Data related
to the Data Subject as well as his account in the system, if any.
6.3. If the period of storage of Personal Data is not provided for in the General Document Retention
Periods Guide or art. 6.2-6.4 hereof, the Personal Data may be stored for a period not longer than
is necessary to achieve the Personal Data processing purposes specified in section 3 hereof.
7. DATA SUBJECT‘S RIGHTS
7.1. The Data Subject shall be entitled:
7.1.1. to know what Personal Data and for what purpose are processed;
7.1.2. to correct or supplement the Personal Data;
7.1.3. to supplement incomplete Personal Data;
7.1.4. to require NORDSTREET to delete the Personal Data related to him;
7.1.5. to require NORDSTREET to limit the Personal Data processing;
7.1.6. to require NORDSTREET to transfer the Personal Data to another data controller;
7.1.7. to file a complaint with the State Data Protection Inspectorate regarding the unlawful
processing of Personal Data or the Data breach;
7.1.8. to disagree to the Personal Data Processing, if these Data are processed or intended to
be processed for direct marketing purposes and (or) to revoke the given Consent.
7.2. Where Data Subject‘s Personal Data are collected or the Data Subject requests that his right
specified in art. 7.1.1 hereof be exercised, NORDSTREET shall provide the following
information to the Data Subject:
7.2.1. Personal Data processing purposes for which the Personal Data are processed or intended
to be processed as well as the legal ground for Personal Data processing;
7.2.2. Personal Data categories;
7.2.3. Personal data storage period or, if it is impossible, criteria applied to establish that period;
7.2.4. Personal Data recipients, if any, or Personal Data recipients‘ categories to which the
Personal Data were or will be disclosed, primarily, Data recipients in third countries or international organizations;
7.2.5. Right to request NORDSTREET to correct or delete Personal Data or limit the processing of
Personal Data related to the Data Subject, or disagree to such processing;
7.2.6. Where the Data processing is carried out on the ground of NORDSTREET‘s legitimate interest, –
the legitimate interests of NORDSTREET or third person;
7.2.7. Right to file a complaint with the supervision authority;
7.2.8. Where personal data are collected not from NORDSTREET, – all the available information about the sources thereof;
7.2.9. Contact data of NORDSTREET, contact data of personal data official (if any).
7.3. Where NORDSTREET receives Personal Data not from the Data Subject, it shall be obliged to
inform the Data Subject to this effect before starting to process the Personal Data.
7.4. The rights of the Data Subject shall be exercised upon receipt of his written request provided
personally, by email or email, or through a representative, whose powers must be proven by a
respective document. The Data Subject or his representative shall present, together with the
request, his identity document or a copy thereof duly certified in accordance with the procedure
established in the legal acts of the Republic of Lithuania or identify himself by allowed
electronic communication means.
7.5. The Data Subject shall be entitled to receive NORDSTREET‘s confirmation on whether the Personal
Data related to him are processed and, where his Personal Data are processed, – to get familiarized
with the Personal Data and other information specified in art. 7.2 hereof. Where the Data Subject,
having familiarized with his Data, establishes that his Data are incorrect, incomplete or inaccurate,
he may address NORDSTREET, and NORDSTREET shall immediately check the data and, at the Data Subject‘s
request, correct the incorrect, incomplete or inaccurate Data and (or) limit such Data processing
actions, except for the storage thereof.
7.6. All answers to the Data Subject are provided in a succinct, transparent, understandable and
easily-accessible format in simple and lucid language. NORDSTREET shall provide, free of charge,
a copy of the processed Personal Data in electronic or paper format at the Data Subject‘s
discretion. For repeated copies requested by the Data Subject, NORDSTREE may charge a reasoned
fee established according to the administration expenses for producing such a copy, which cannot
exceed the Data provision costs incurred by NORDSTREET. Where the Data Subject files the request
by electronic means, the information is provided in customarily used electronic form.
7.7. At the Data Subject‘s request to delete his data, NORDSTREE undertakes to delete the Personal
Data without any unfounded delays, provided that:
7.7.1. Personal Data are no longer necessary to achieve the purposes for which they were collected or otherwise processed;
7.7.2. The Data Subject withdraws Consent authorising to process the Personal Data and there is
no other legal ground to process the Personal Data;
7.7.3. The Data Subject disagrees to the Data processing, provided there is a legitimate interest
of NORDSTREET, and the Data Controller does not establish any superior legitimate reasons to further process the Data;
7.7.4. Personal Data were processed unlawfully;
7.7.5. Personal Data must be deleted in observance of the legal obligations established in the
law of the European Union or the Republic of Lithuania.
7.8. For the data deletion purposes, NORDSTREET enciphers the Personal Data of Data Subjects in
a way as to make it impossible to trace and establish whom they belong to.
7.9. NORDSTREET is obliged to limit the Data Subject‘s Personal Data Processing without any unfounded delays, provided that:
7.9.1. The Data Subject disputes the Personal Data accuracy, for a period during which NORDSTREET may check the Personal Data accuracy;
7.9.2. Personal Data processing is unlawful and the Data Subject disagrees that the Personal
Data be deleted, and asks to limit the use thereof instead;
7.9.3. NORDSTREET no longer needs the Personal Data for the purposes specified in section 3 hereof;
however, they are needed for the Data Subject to make, perform or protect legal demands;
7.9.4. The Data Subject objected to Personal Data Processing under the ground of NORDSTREET‘s
legitimate interest, until it is verified whether the NORDSTREET‘s lawful reasons are superior to the Data Subject‘s reasons;
7.9.5. NORDSTREET has reasoned doubts regarding the correctness of the Data provided by the Data Subject.
7.10. Where Personal Data Processing is limited under Art. 7.8 hereof, such Personal Data shall
be stored until they are corrected or deleted, and they may be processed, except for the storage,
only upon receipt of the Data Subject‘s consent or for making, performing or protecting legal
demands, or protecting the rights of other natural or legal persons, or for the reason of public
interest of importance to the European Union or its member-state.
7.11. The Data Subject shall have the right to withdraw his Consent to the processing of Personal
Data at any time without prejudice to the legitimacy of the Processing of Personal Data based on the Consent up to the Withdrawal of the Consent.
7.12. NORDSTREET shall ensure that the Data Subject has the right to receive the Personal Data
related to him, which he provided to NORDSTREET in .zip or .rar format, and has the right to
forward that Personal Data to another Data Controller at the request and instruction of the Data
Subject under the conditions presented in art. 7.12 hereof.
7.13. The Data Subject shall be entitled to forward the Data on him to another Data Controller,
and NORDSTREET, to which the Personal Data were provided, shall be obliged not to create any obstacles to that, where:
7.13.1 Data Processing is based on the Data Subject‘s Consent or agreement;
7.13.2. Data are processed by automated means.
7.14. By exercising its right to Data Portability under Art. 7.12 of the Regulations, the Data
Subject shall have the right to request that NORDSTREET forward his Personal Data directly to
another Data Controller, where technically feasible.
7.15. No later than within 30 (thirty) days after the receipt of the Data Subject’s request or instruction,
NORDSTREET shall respond and perform the actions specified in the request or refuse to act upon request,
stating the reasons for the refusal. If necessary, considering the complexity and the number of
requests, the period may be extended by 2 (two) months more. In such a case, NORDSTREET shall
inform the Data Subject of such extension and provide the reasons for the delay within 30 (thirty)
days of receipt of the request.
7.16. NORDSTREET may refuse to act upon the Data Subjects‘ requests in cases specified in Art. 23 (1)
of the Regulation, including, but not limited to, when required to ensure:
7.16.1. The performance of the legal obligations imposed on NORDSTREET;
7.16.2. The public order or the prevention of criminal acts;
7.16.3. Protection of rights and freedoms of users or other persons.
7.17. NORDSTREET shall be obliged to immediately report to the Data Subject about the Data
correction, deletion or suspension of Data processing actions done or refused to be done at his request.
7.18. NORDSTREET, having noticed that other data controllers have failed to comply with the Regulation
or the Law in the field of data protection, may appeal to the State Data Protection Inspectorate
by filling in and submitting a complaint to the following address:
State Data Protection Inspectorate
A. Juozapavičiaus st. 6
Phone (8 5) 279 1445
Unified service desk phone (8 5) 271 2804
Fax (8 5) 261 9494
8. PERSONAL DATA SECURITY BREACHES
8.1. In the event of Personal Data security breach, NORDSTRET shall inform the State Data Protection
Inspectorate to this effect without any unfounded delays and, where possible, within no more than
72 hours after becoming aware of the Personal Data security breach, unless the personal data
security breach poses no hazard to the Personal Data of the Data Subjects.
8.2. When personal data breaches may pose a significant risk to the Personal Data of the Data Subject,
NORDSTREET shall, without any unfounded delays, report a personal data breach to the Data Subject.
Such notification shall be submitted by NORDSTREET to the Data Subject in writing according to
the available contact details of the Data Subject
8.3. NORDSTREET assesses the seriousness of the personal data security breach and the necessity of
notice, taking into account the level of hazard to the Data Subject (health, life, property,
honour and dignity thereof and etc.).
9. CONFIDENTIALITY AND SECURITY PROVISIONS
9.1. NORDSTREET implements and ensures the following appropriate organizational and technical
means against casual or unlawful destruction, modification, disclosure and any other unlawful processing of data:
9.1.1. organizational: drawing up these Regulations, performance control thereof, appointing a
person in charge of the data protection, separation of the place where Personal Data are stored
from publically accessible places, employees process Personal Data according to their duties
and are familiarized with the content hereof;
9.1.2. technical: using antivirus software. Installing signalization in the premises, using certified
software, requirement of passwords when logging in to the computers on which the Personal Data are
stored, data uploading to special data uploading servers.
9.2. These means ensure the level of security that meets the nature of the protected Personal
Data and the risk imposed by the processing thereof.
9.3. Persons employed and (or) carrying out the activity on other legitimate grounds shall be obliged
to observe the confidentiality principle and hold confidential any information related to Personal
Data which they got familiarized with in the performance of their duties, unless such information
is public in accordance with the provisions of the effective laws or other legal acts. The principle
of confidentiality as well means that the persons that process the Personal Data are prohibited
to disclose them, except for the cases provided for in the Regulation. The obligation to protect
Personal Data shall stay in effect for an unlimited period of time, even after taking another job
or upon the termination of the employment or contractual relations.
10. MARKETING AND CORRESPONDENCE
10.1. The Data Subject, when using the services provided by NORDSTREET, may freely agree that the
Personal Data provided by the Data Subject be used for NORDSTREET marketing purposes, expressing
his consent in a separate consent on Data Processing.
10.2. The possibilities of the Data Subject to receive the NORDSTREET marketing offers:
10.2.1. The Data Subject, having visited the NORDSTREET website, has the possibility to agree to
receive NORDSTREET marketing offers;
10.2.2. The Data Subject, having visited the NORDSTREET‘s physical location and expressed his
consent on a separate NORDSTREET-provided sheet on allowing to process the Personal Data.
10.3. NORDSTREET also provides the Data Subject with the possibility to refuse the offers sent by NORDSTREET:
10.3.1. The Data Subject has the possibility to refuse the NORDSTREET offers by clicking to the
offers refusal link in the NORDSTREET letter to the Data Subject or by clicking to the refusal link on the Website;
10.3.2. The Data Subject may exercise his right to refuse that his Data be processed for direct
marketing purposes by notifying the NORDSTREET by mail or email as well.
10.4. NORDSTREET shall use the data of the Data Subject for legitimate marketing activities.
Personal data are collected, processed and used for marketing purposes in a manner so as not to
disclose the Data Subject‘s identity or other Data to third persons without the separate consent of the Data Subject.
11. FINAL PROVISIONS
11.1. The Data Subject may get familiarized with the Regulations by way of direct addressing NORDSTEET,
using the contact data specified.
Law updated on 6 May 2019.