1. DEFINITIONS USED FOR THE PURPOSES OF THE RULES
– all data of natural persons, who allow processing of this personal data by agreeing with these Personal Data Processing Rules (hereinafter – the Rules
1.2. The Controller – BALTIJOS REALIZACIJOS CENTRAS, a private limited liability company, legal entity code 111623156, and BRC finance, UAB, legal entity code 30349387 (hereinafter jointly – the BRC
1.3. An Employee
– a person, who has concluded an employment contract of any type with the BRC.
1.4. A Candidate
– a person, who seeks to conclude any type employment contract to become an Employee.
– any operation or a set of operations performed on personal data in automated or non-automated ways, such as: collection, recording, sorting, storage, adaptation or change, recovery, search for, usage, disclosure when transferring, distribution or processing in any other way to make Data available, arrangement in a necessary order or combination when matching, blocking, erasure or destruction.
1.6. A Data subject
– an Employee of the Data Controller, a Service Recipient or any other natural person, the Data of which is processed by the Processor;
1.7. The Processor
– a natural or legal entity, a public authority, agency or any other institution, which in the name of the Controller processes the Data and the Controller that itself processes the Data of the Data Subject;
1.7.1. The Controller has the following rights:
220.127.116.11. to draw up and adopt internal legal acts, regulating the processing of the Data;
18.104.22.168. to make a decision on Data submission;
22.214.171.124. to appoint a natural or a legal person responsible for Data protection;
126.96.36.199. to authorise and conclude Contracts with the Processors selected for the purposes of Data processing;
188.8.131.52. to conclude Contracts with persons maintaining the equipment of Data processing;
184.108.40.206. to process the Data.
1.7.2. The Controller has the following rights:
220.127.116.11. to ensure lawful and safe Data processing;
18.104.22.168. to implement Data subject rights, provided for in these Rules or legal acts;
22.214.171.124. in appropriate cases to inform the competent institutions on Data processing taking place;
126.96.36.199. to conduct monitoring and control of Data processing;
188.8.131.52. to control entrance to the premises, where the Data is stored;
1.7.3. The Controller performs the following functions:
184.108.40.206. establishes the purpose and volume of Data processing;
220.127.116.11. organizes Data processing;
18.104.22.168. analyses the technological, methodological and organizational problems related to Data processing and makes decisions necessary to ensure proper Data processing;
22.214.171.124. informs and gets consulted by own Employees regarding Data being processed;
126.96.36.199. performs other functions provided for in these Rules or legal acts.
– all agreements and contracts concluded by Data subject and the BRC.
– a physical or technical action, by which Data existing in the document is made unrecoverable by ordinary commercial means. Data hold in electronic form is destroyed by erasing without a possibility to recover. An Employee who is operating a particular computer, on which Data files are kept is responsible for destruction of particular Data kept in electronic form. Employees administering Databases and IT systems of the Data Controller are responsible for destruction of the Data kept in these systems.
2. DATA STORAGE TERM, LEGAL ACTS AND PURPOSES
2.1. These Rules regulate the purposes of Data processing of natural persons, i.e., Data subjects, as well as their rights and implementation of rights procedures, enforces organizational and technical Data security measures, and regulate the cases of engaging a Data Processor.
2.2. These Rules are applied to processing of the Data of the Data subject. In addition, these Rules establish the rights, duties and responsibilities of Data subjects, Processors and the Controller when Data processing takes place.
2.3. The requirements of these Rules are binding to all Employees that process the Data held by the BRC or they become aware of this Data due to their job.
2.4. Data Processors that become aware of this Data during provision of Data processing services to the BRC and during processing of the Data must follow these Rules as well.
2.5. Data may be processed for the following purposes: direct marketing, internal administration, to employ new employees, to conclude Contracts, provide financial services, ensure security and other purposes indicated in the Contract in order to perform obligations.
2.6. The BRC collects and processes the Data pursuant to the Law on Legal Protection of Personal Data of the Republic of Lithuania, General Data Protection Regulation and other legal acts.
2.7. The BRC does not have to employ a Data protection officer, still it has the right to have such an officer. In the case, if the Data Controller adopts a decision to appoint the Data protection officer, such an officer would be directly subordinate to the head of the Data Controller, still independence guarantee would be applied to this officer. The Data Controller, having appointed the Data protection officer submits his/her contact data to the State Data Protection Inspectorate not later than within 5 days after appointment.
2.8. The Employees of the Data Controller that have the right to access the Data, having noticed breaches of Data security (inaction or actions of persons that could pose or are posing a threat to Data security) must inform a responsible Employee and (or) their immediate supervisor.
3. THE RIGHTS OF DATA SUBJECTS
3.1. Data subjects have the right to be informed on the processing of their Data, familiarize with their Data processed receive the copies of documents, containing their Data.
3.2. Data Processor must submit to the Data subject the following information:
3.2.1. legal entity code and headquarters of the Processor;
3.2.2. for what purposes Data is processed;
3.2.3. to whom and for what purposes Data is submitted;
3.2.4. a legal basis for Data processing;
3.2.5. what Data of the Data subject must be submitted and what consequences are for failure to submit the Data;
3.2.6. Data collected from Data subjects which is to be rectified if this Data is incorrect, incomplete and inaccurate;
3.2.7. how Data processing is ensured in order not to breach the rights of the Data subject;
3.2.8. from what sources and what Data of the Data subject has been collected;
3.2.9. Data storage term, and if there is no such term – to establish it;
3.2.10. to what Data recipients the Data has been submitted.
3.3. The Processor is not obliged to submit the Data indicated in Item 3.2, if such a submission is impossible or it would need disproportionate efforts. In such cases, the Processor takes appropriate measures to protect the rights and freedoms of the Data subject and to protect the legitimate interest of Data subject, including information announcement publicly.
3.4. The rights indicated in Items 3.1 and 3.2. may be implemented by the Data subject after submitting an application and proving its identity within 30 days after the day of notification receipt. The application may be submitted by the Data subject via email [email protected]
or having arrived at the address Senasis Ukmergės kelias 18, Užubaliai village, Vilnius district.
3.5. The Data Processor must inform the Data subject on the intention to transfer the Data to third persons not later that before the moment when data is submitted for the first time, except for the cases when the law or any other legal acts define the procedures of such Data collecting and submission as well as Data recipients or it has been provided for in these Rules.
3.6. After the Data subject request to destroy the Data if it is not necessary anymore in order to achieve the purposes, for which the Data has been collected, or in any other way processed, the Data Controller may perform additionally the following actions of Data processing:
3.6.1. submit circumstances due to which Data processing actions have been suspended;
3.6.2. submit a request regarding consent from the Data subject to process further its Data;
3.6.3. if necessary, to protect the rights and legitimate interests of third persons.
3.7. The Data Processor must immediately inform the Data recipients about the rectified or destroyed upon the request from the Data subject Data, as well as about Data processing actions.
3.8. Data subject, when implementing its right to object that its data would be processed submits (personally, via e-mail or via electronic communication means) to the Data Controller or Processor a written notification on disagreement regarding its Data processing. If the disagreement of the Data subject is legally justified, Data processing actions are suspended except for the cases provided for in the law and informs Data recipients and the Data subject.
4. PROCESSING OF DATA OF THE DATA SUBJECT
4.1. Data processed should be accurate and updated on a regular basis. Inaccurate or incomplete Data must be rectified, complemented, destroyed or its processing suspended.
4.2. Data is processed, ensuring Data protection, therefore, the BRC implements the following:
4.2.1. Data administration, i.e., ensures safe processing of documents and computer Data, familiarizes the Employees with Data protection;
4.2.2. protection of hardware and software, i.e., ensures administration of information systems and Databases, updates the workplaces, ensures operating system protection, updating of protection against computer viruses on a regular basis;
4.2.3. security of premises, where Data is stored.
4.3. The BRC grants access to the Data to the Employees only to whom this access is necessary for implementation of operation functions in accordance with their jobs.
4.4. To access Databases of Data subjects, unique passwords are given, the confidentiality of which is ensured. The passwords are changed regularly, and also after certain conditions appearing, for example, after a new employee is employed, a threat of hacking is posed, under suspicion that the password became known to third persons and the like.
4.5. In the Databases of Data subjects, Data processing actions are captured. It is possible to access Databases of Data subjects from particular computers only, which are identified by external IP addresses.
4.6. An Employee responsible for maintenance of computers ensures that the Data files on one computer would not be “visible” from other computers.
4.7. The server, in which Databases of Data subjects are (hereinafter – the Server) is present in other room than the BRC premises, i.e., although it is logged in to Databases of Data subjects through the computers present in the BRC premises, Data is not stored on the BRC computers.
4.8. In addition, Data may be stored in card indexes, files or on any other environment adapted to storage specifically. Such Data is updated on a regular basis, changed or destroyed in accordance with these Rules.
4.9. Court procedural documents are processed for 5 years after court proceedings and after data subject has implemented court rulings or decisions. In the case of dispute in court, the term for Data of Data subjects processing is prolonged to the last day of dispute hearing in the court.
4.10. Data may be transferred, still not in a greater volume which is mandatory to such recipients as the following:
4.10.1. State bodies and institutions, other persons, performing functions entrusted to them (for example, law enforcement institutions, bailiffs, notaries, tax administration bodies, institutions performing financial crime investigation activities and BRC supervision activities,), credit and financial institutions, insurance service providers and intermediaries of financial services.
4.10.2. Auditors, law and finance consultants, Data Processors authorized by the BRC.
4.10.3. Legal service institutions, advocates, advocate firms or law firms, to which claims against Data subject debt are transferred, institutions of dispute hearing in court or not in court, notaries and bankruptcy administrators.
4.10.4. Persons that ensure proper fulfilment of Data subject obligations, such as backers, inheritors, guarantors, pledgers.
4.10.5. Legal persons providing insurance services to persons, Data of which is processed, and they have concluded loan Contracts or other financial Contracts with the BRC;
4.10.6. Legal persons rendering to Data Controller services of Data systematization, transfer, storage and processing.
4.10.7. Legal persons rendering payment collection services to persons, Data of which is processed, and they have concluded loan Contracts or other financial Contracts with the BRC.
4.10.8. Legal and natural persons, offering to Data Controller loans or other financial Contracts, linked by Data subject Contracts of service provision and (or) assisting Data subject in performing other actions related to loan obtaining.
4.10.9. Legal and natural persons, concluding loan Contracts or other financial type Contracts, also linked by service provision Contract in the name of the Data Controller.
4.10.10. Other persons rendering services to the BRC, such as archiving, post services, sale; message sending platforms and other authorized parties.
4.10.11. To other third parties upon consent of the Data subject, which may be obtained in a particular case.
5. EMPLOYEE DATA PROCESSING FOR THE PURPOSES OF INTERNAL ADMINISTRATION
5.1. The BRC for the purposes of internal administration processes the following Data:
5.1.1. Name, surname, personal identification number, place of residence address, date of birth, personal identity document Data and a copy of the document, e-mail address, personal phone number, payment account number, amount of salary, amount of taxes paid, social insurance number, information on marital status, a photo, other information necessary to be processed in the context related to employment relationship, including information, but not limiting to, on health condition, which influences directly the performance of work functions of the Employee, as well as influencing a possibility to perform these functions in accordance with the procedures prescribed in legal acts.
5.2. Employee Data is received directly from Data subjects, State Tax Inspectorate under the Ministry of Finance of the Republic of Lithuania and State Social Insurance Fund Board.
5.3. Employee Data is processed systematically in the Server, to which the BRC has access as well as the Employees of the company providing bookkeeping services and information technology service providers. Original Employment Contracts or other documents are kept in the index cards or files that are stored in separate, adapted to such a purpose premises.
5.4. A permanent recipient of Data of the Employees is the State Social Insurance Fund Board (SODRA). Data is submitted to the SODRA through the EDAS (E-Service System for Insurers).
5.5. Employee Data may be transferred to other third parties upon their request only and if there is a legitimate ground for transfer.
5.6. Employee Data is processed and stored for 50 years after expiration date of each Employment Contract.
6. PROCESSING OF DATA OF CANDIDATES TO JOB POSITIONS
6.1. The BRC processes the following Data submitted for the purposes of being a candidate to a job position:
6.1.1. Name, surname, phone number, e-mail address, professional experience, specialization, work experience, personal traits, languages known, the fact of having a driving license, recommendations, other Data, submitted by a Candidate voluntarily and existing in his/her CV and/or other documents submitted.
6.2. Candidate Data is obtained directly from Data subjects on their own initiative and this Data is processed in the Server, the BRC has access to. Candidate documents may be kept in index cards or files, which are stored in a separate room, adapted for this purpose.
6.3. Candidate Data is processed for not longer than 1 year after the day of Data receipt, Data is processed for a longer period upon a separate consent received from the Candidate, still not longer than for 3 years.
6.4. Candidate Data is not transferred to third persons.
6.5. In the case when legal acts of the Republic of Lithuania prescribe additional restrictions on what information on candidates may be processed, the Data Controller ensures that only permitted to be processed personal Data is processed.
6.6. If there a legal dispute appears between the RBC and a data subject, the term for Data subject Data processing and storage is prolonged for a respective time period of the legal dispute.
7. DATA PROCESSING FOR THE PURPOSES OF DIRECT MARKETING
7.1. The BRC, processes the following Data subject Data using, still not limiting to, its website www.brc.lt for direct marketing:
7.1.1. E-mail – processed for 5 years from the day of consent.
7.1.2. __lc.*, lc_* – processed for 2.5 years from the consent day on the website.
7.1.3. _gid – processed during the period of login to the website.
7.1.4. _ga – processed for 2 years on the website from day of consent.
7.1.5. law; XSRF-TOKEN; brc session – processed for 7 days from the consent on the webpage day.
7.2. Data indicated in Item 7.1.1 of the Rules is collected after the consent from Data subject has been obtained.
7.3. Data indicated in Items 7.1.2, 7.1.3, 7.1.4, 7.1.5 may be at any time destroyed by Data subject on the basis of Internet browser user’s instruction. Data indicated in this Item of the Rules is stored in HTTP Cokie and HTML Local Storage. Data indicated in this Item of the Rules is collected for the purposes to grant a smooth functioning of the website, to improve browsing experience and for direct marketing.
7.4. Data is not transferred to third parties for the purposes of marketing, except for information technology service providers under Contracts with the BRC or the companies of direct marketing.
8. BRC CLIENT DATA PROCESSING
8.1. BRC for the purposes of Contract execution or provide financial service, processes the following Data of the clients:
8.1.1. Data of the clients with whom the purchase-sale Contracts or other type Contracts are concluded, except for leasing obtaining and guarantor Contract – name, surname, personal identification number, address, e-mail address, phone number, payment account number, numbers of Contracts, dates of Contracts, data of manufacture of a car being purchased, its price, make of the car, car run, car registration number, car registration document number and series, term of validity of car compulsory technical inspection, events, during which damage has been done to the car, the condition of the car.
8.1.2. Data of the clients that wish to obtain leasing or become a guarantor – apart from the Data indicated in Item 8.1.1 of these Rules, the following Data is processed additionally – financing conditions to be wished, such as a day of payment, the first payment, Contract term, balance value, particular conditions, additional services; property buyer out / guarantor – name, headquarters address, company code, a representative, phone number; Financial obligations of the Data subject towards third parties and other obligations, a copy of a personal document (a passport, personal identity card, driving license) that are obtained in electronic or physical way.
8.2. Client Data is processed for 10 years after obligation fulfilment day.
8.3. Data of the clients, indicated in Item 8.1.2. of these Rules is processed and stored for 12 months if a decision has been made to refuse provision of financial services.
8.4. Client Data is collected directly from Data subjects after they have given their consent and ensuring Contract obligations fulfilment from state registers or other publicly available Data.
8.5. Client Data may be transferred to the following companies rendering services to the BRC: companies of legal services, advocates, advocate firms or law firms, providers of information technology services, leasing givers or financial services companies or enterprises.
9. VIDEO SURVEILLANCE
9.1. The purpose of video surveillance – to ensure security of the Employees and visitors, general order, to protect the property of the Data Controller, its Employees and Clients.
9.2. Video surveillance takes place continually throughout 24-hour day on the territories and premises of the BRC divisions at the following addresses: Savanorių av. 247, Vilnius, Tilžės str. 53, Klaipėda, Senasis Ukmergės kelias 18,
Užubaliai village, Vilnius district, Tilžės str. 60, Klaipėda. The BRC informs the Employees and other Data subjects on the Video surveillance taking place by information boards hung as well as by signs on the monitored territories that must be visible prior to getting into.
9.3. The view is monitored in the places only, where it is necessary to achieve the purposes provided for in Item 9.1 of these Rules.
9.4. Video surveillance cannot be performed in the premises, where a Data subject reasonably expects to be protected to the extent maximum possible and where such surveillance would humiliate the human dignity (e.g., in toilets, dressing rooms and the like).
9.5. The Employees are familiarized about the video surveillance during familiarization with these Rules and provision of information on personal Data being processed by the Employees.
9.6. The following information must be submitted to the Data subject clearly and properly:
9.6.1. about the fact of video surveillance;
9.6.2. name of Data recipient, company code, contact information (address and /or phone number);
9.6.3. link to the website, where these Rules are provided.
9.6.4. The Controller may submit Video Data to a pre-trial investigation institution, prosecutor or court as this Data may serve as evidence in the administrative, civil, criminal cases or in any other cases in accordance with legal acts.
9.7. The term of Video Data processing and storage is 1 month after the moment of capture.
9.8. Video Data may be transferred to a security office, rendering services to the BRC, a pre-trial investigation institution, prosecutor or court as this Data may serve as evidence in the administrative, civil, criminal cases or in any other cases in accordance with legal acts.
10. DATA PROCESSOR
10.1. The BRC has the right to engage Data Processors, i.e., providers of information technology and electronic communications services, advisors, auditors, consultants, security services and other persons, who process the Data controlled by the Data Controller for the purposes established by the Data Controller and in accordance with Controller’s instructions.
10.2. The Data Controller concludes written Contracts with Data Processors, where it is provided for that Data Processors process the Data under instructions form the Data Controller only. In these Contracts, a security level must be indicated applied to the BRC Data protection, and the same Rules of Data Processing are applied to Data Processor.
10.3. In the Contract, there should be provided for that the Processor ensures that the Employees processing personal Data have undertaken to ensure confidentiality, except for the cases when they already have access in accordance with legal acts.
10.4. The Data Processor must be obligated to engage other Data Processors after having received the consent from the Data Controller in advance only and having concluded a written Contract with other Processor, and the same requirements are set out for it as for the Contract concluded with the main Processor.
11. FINAL PROVISIONS
11.1. These Rules are binding to Data Controller, Processors, Employees that process the Data or due to their job position they become aware of it.
11.2. The Employees who have breached these Rules are responsible in accordance with the procedure provided by law of the Republic of Lithuania.
11.3. These Rules may be reviewed and modified on the initiative of the Data Controller and (or) when legal acts are changed that regulate Data processing.
11.4. These Rules and their amendments come into force from the day of their approval.
11.5. The Employees are familiarized with the Rules and their amendments under signature. All Data subjects must give written consents to process their data if this is provided for in these Rules or on the basis of legal acts.
11.6. The Rules are placed on the website www.brc.lt and are publicly available.
11.7. The BRC reserves the right to change the Rules. After changing the Rules, a separate consent from a Data subject regarding Data processing is not necessary, except for the cases when such a consent is necessary or is required by law of the Republic of Lithuania.
11.8. These Rules are subject to the law of the Republic of Lithuania. Disputes arising from these provisions are to be resolved in the courts of the Republic of Lithuania, and in the case of failure to reach agreement – in the courts of the Republic of Lithuania.