Data control
Baltisches Haus UAB shall process your, as its client, supplier, your employees’ (representatives’) and your beneficial owners’ personal data under the following conditions:
Data controller and purpose. Baltisches Haus UAB, legal entity code 111543781, legal address Bokšto g. 6, Vilnius (Company), as data controller, shall collect and process personal data for the following purposes:
- To conclude and perform the agreement concluded between you (your representative) and the Company;
- To ensure the enforcement of international sanctions;
- To conduct surveys. We always look for ways to improve the quality of service. That is why we might invite you to participate in a survey and use your feedback. You can unsubscribe from such surveys at any time by contacting us by e-mail at duomenuapsauga@balthaus.eu or by clicking the unsubscribe link in the e-mail containing the survey.
Data processed by the Company.
- Your or your employees’ (representatives’) personal data that are processed for the purpose of concluding and performing the agreement concluded between you (your representative) and the Company:
- identification data (name, surname, personal number, VAT number);
- contact data (address of place of residence or business address, telephone number, e-mail address indicated by you (your representative));
- financial data (current account number, credit institution);
- data related to object of the concluded agreement (e.g., information about business activity to be carried out in leased or subleased premises; address, unique number, cadastral number, and area of leased or subleased premises; unique number of a building in which leased property is located; lease or sublease fee; the price of the objects to be acquired or disposed of, the price of the contract, the license plate number of the vehicle that is entitled to use the parking lot, etc.);
- power of attorney (representation) data, including personal number, address of place of residence or business address, scope of authorisations of representatives;
- communication with the Company, other data generated during the performance of the agreement (e.g., signature in documents, information about the condition of premises).
- Personal data relating to you or your beneficial owners that are processed for the purpose of enforcing international sanctions:
- identification data (name, surname, date of birth, nationality);
- the ways in which the beneficial owners can exercise control over the legal person of which they are beneficial owners (percentage of shares held or, if control is exercised by other means, a description of the means of exercising that control);
- other data provided in the extract from the Beneficial Owner Subsystem of the Information System for Participants in Legal Entities of the Republic of Lithuania (JANGIS) or data provided by you;
- information obtained in the course of checking international sanctions lists;
- other data necessary for the enforcement of international sanctions.
- Your or your employees’ (representatives’) personal data that are processed for the purpose of conducting surveys:
- identification data (name, surname);
- contact data (telephone number, e-mail address indicated by you (your representative));
- responses to our questions.
Basis for data processing.
- Personal data of the Company’s clients, who are natural persons, (their representatives) that are processed for the purpose of concluding and performing the agreement concluded between you (your representative) and the Company shall be processed on the basis of the agreement concluded (to be concluded) with the Company.
- Personal data of employees (representatives) of Company’s clients, who are legal entities, that are processed for the purpose of concluding and performing the agreement shall be processed on the basis of legitimate interest of the Company to carry out commercial activity (to perform concluded agreement).
- The basis for processing of data of natural persons of the Company’s customers (their representatives) and of beneficial owners of the Company’s customers – legal entities, processed for the purpose of enforcing international sanctions, is the fulfilment of a legal obligation.
- Personal data of the Company’s clients, who are natural persons, (their representatives) / personal data of employees (representatives) of the Company’s clients, who are legal entities, that are processed for the purpose of conducting surveys shall be processed on the basis of legitimate interest of the Company to receive feedback from our clients and use it to improve the quality of service.
- If necessary, we may process your personal data on different grounds with respect to personal data processing (e.g., to implement the requirements of legislation regulating tax, money laundering prevention, etc.).
Data source. The Company shall obtain personal data directly from you (at request or voluntarily), from third parties (e.g., State Enterprise Centre of Registers) or the Company will generate data itself.
Data recipients. Personal data, to the minimum extent necessary in a specific case, may be transferred to entities administering joint files of debtors; financial institutions; State Enterprise Centre of Registers; notaries; State Tax Inspectorate; State Social Insurance Board Fund; insurance companies; debt recovery companies; bailiffs; legal consultants of the Company; auditors; courts; entities providing archiving services; providers of information systems which are used by the Company for the management of relationships with you; survey providers; Financial Crimes Investigation Service under the Ministry of the Interior in the cases prescribed by law; other persons engaged by the Company for the performance of the agreement with you, including companies within the Company’s group.
Data retention period.
- Your or your employees’ (representatives’) personal data that are processed for the purpose of concluding and performing the agreement concluded between you (your representative) and the Company shall be retained for the entire term of validity of the agreement and 10 years following the expiry thereof; afterwards, personal data shall be destroyed (where the basis for further processing no longer exists).
- Personal data of you (your representatives) or your beneficial owners which are processed for the purpose of enforcing international sanctions shall be stored for the duration of the contract and for 10 years after the end of the contract or business relationship, after which (in absence of grounds for further processing) shall be securely destroyed.
- We will anonymize survey responses no later than within 3 months – this means that the responses will no longer be associated with you.
Data processing conditions. Personal data may be collected, stored, processed, including provided, in digital form, both in material and paper media, by any means of communication, including e-mail, by ensuring safe processing and limiting unauthorized access to personal data.
Your or your employees’ (representatives’) and your beneficial owners’ rights: 1) to contact the Company and request the access to his/her personal data and obtain a copy of processed personal data; 2) to request rectification of incorrect personal data; 3) to request erasure of personal data in the cases provided by the law or restrict processing thereof; 4) to request transfer of personal data; 5) on the basis of legitimate interest, when the Company processes personal data, to object to the processing of data; 6) to contact the State Data Protection Inspectorate regarding unlawful processing of your personal data.
To exercise the aforementioned rights or in connection with any other matters related to processing of your personal data, you may contact the Company by e-mail at duomenuapsauga@balthaus.eu.
When during the collaboration with the Company you receive personal data from the Company, you shall undertake:
- to comply with the General Data Protection Regulation No. 2016/679 (GDPR) and other legislation regulating personal data processing, and to collaborate with the Company so that it could perform its obligations under the aforementioned legislation;
- to notify the Company about any personal data safety breach related to the personal data transferred to you by indicating at least the circumstances of the breach and measures implemented to minimise the consequences.
When during the collaboration with the Company you transfer personal data, you shall undertake:
- to notify all natural persons whose personal data are being transferred (employees, assignees, members of management bodies, employees or representatives of your suppliers, other persons) prior to transfer of personal data in the extent specified in GDPR, of the fact that their personal data may be transferred to the Company and may be processed by the Company for the purpose of conclusion and/or performance of the agreement between you and the Company, and, at the Company’s request, to immediately provide supporting evidence;
- to notify the Company about the obligation to update, erase or restrict processing of personal data transferred;
- not to transfer to the Company personal data of any persons who have not been notified about data processing carried out by the Company.
Liability. You shall be liable for non-performance or improper performance of obligations assumed by this notification and shall compensate the Company any resulting damages, including compensation of sanctions imposed on the Company by the supervisory authorities.
PERSONAL DATA PROCESSING AGREEMENT
Private limited liability company BALTISCHES HAUS, legal entity code 111543781, legal address Jasinskio g. 16A, Vilnius (Controller) and You or legal entity represented by you, concluding main agreement for the supply of goods and/or services with the Controller (Processor), the Controller and the Processor hereinafter jointly referred to as the Parties and each individually as the Party, have concluded Data processing agreement (Agreement) and agreed on the following conditions:
- Definitions
- Personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, or to one or more factors specific to the physical, physiological, psychological, economic, cultural or social identity of that natural person;
- Personal data protection legislation means all legislation regulating personal data protection and/or establishing requirements for data security measures, including but not limited to national legislation (the Law on Legal Protection of Personal Data of the Republic of Lithuania; the Law on Electronic Communications of the Republic of Lithuania and other legislation), directly applicable EU legislation (Regulation (EU) No. 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter – Regulation) – from the date of coming into force thereof) and all amendments or supplements of the aforementioned legislation;
- Data confidentiality means term defining the need for information storage and non-disclosure to unauthorized persons, subjects or processes;
- Data subject and/or Client means natural person whose data are being processed under the agreement;
- Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal data;
- Processor means a natural or legal person processing Personal data for the purpose and under procedure specified by Controller;
- Security breach means an event, action or inaction which results in or may result in unauthorized access or enables access to information system, information technologies (IT), interfere with or modify the operation of information system, destruct, damage, delete or modify data, exclude or restrict access to data, also, enables misappropriation or use of data by persons having no such right;
- Technical and organizational measures means measures for protecting Personal data from accidental or unlawful, temporary or permanent, destruction, alteration, unauthorised disclosure or processing. These measures shall ensure a level of security that is consistent with the nature of stored Personal data and risks associated with processing thereof;
- Processor’s employees means any persons acting on behalf of or under the instructions of the Processor, including employees, consultants, contractors and sub-suppliers.
- Subject Matter of the Agreement, Nature and Purpose of Processing, Data Subject Categories and Basis, Data Categories
- The Processor shall process Personal data under the Agreement or other written instructions of the Controller to perform main agreement concluded between the Parties.
- By performing the Agreement, the Processor shall process the following Personal data of Data subject:
- identification data of Data subject (name, surname, personal number);
- contact data of Data subject (business address, telephone number, e-mail address, fax);
- data about bank account of Data subject (account number, bank, bank code);
- information about the activity of Data subject (information about activity according to main agreement);
- other information (position occupied, data about authorizations, correspondence with the Controller, data generated during the performance of main agreement with the Controller).
- Personal data of the following Data subject categories may be processed: supplier of the Controller; employee of the supplier of the Controller; other legal entity engaged by the supplier of the Controller (e.g., representative).
- Processing actions: Personal data may be provided to the Processor by e-mail, disclosed by phone or included in notifications in paper form. The Controller or the Processor may also grant the access to interactive resources to the other Party where Personal data are processed in database accessed from internal networks;
- The location of processing actions shall be the Republic of Lithuania or any other country of European Economic Area.
- Data provision methods: the Processor may receive Personal data controlled by the Controller only from Controller’s database and/or directly from the Controller.
- Personal Data Processing Duration
- Under the Agreement, the Processor shall process and store processed Personal data during the validity period of main agreement (appendixes thereof) concluded with the Processor and for at least 10 years thereafter, unless a different period is established in legislation or according to purposes of Personal Data processing.
- When processing of Personal data or the Agreement is terminated, the Processor shall be obliged to immediately, but no later than within period specified by the Controller, without charging any additional fee, at the choice of the Controller, destroy or provide (return) to the Controller all Personal data the Processor has processed under the instructions of the Controller in performing the Agreement, also, all available copies of such Personal data. Where Personal data are destroyed, the Processor, at the request
- Technical and Organizational Data Security Measures
- The Processor shall undertake, at its own expense, to ensure the protection of processed Personal data by implementing relevant technical and organizational measures that are intended to protect processed Personal data from accidental or unlawful destruction, damage, modification, loss, disclosure, also, from any unauthorized processing. These measures shall ensure adequate protection level that would meet the nature of processed Personal data and risks associated with processing thereof.
- Security measures applied by the Processor to protect processed Personal data from unlawful processing, disclosure, accidental loss, destruction, damage, modification shall be specified in Controller’s instructions (if any), legislation, Agreement and appendixes thereof.
- At the request of the Controller, the Processor shall provide evidence of technical and organizational Personal data protection measures applied to the processing of Personal data under the Agreement. The Processor shall undertake to ensure that these protection measures would be implemented before the start of processing of Personal data, also, shall undertake to periodically assess, supplement and/or improve organizational and technical measures.
- Obligations of the Parties
- The Processor shall properly document all security breaches related to Personal data processed on the ground of this Agreement. Notification of the Processor shall include (but will not be limited to) the following information:
- description of the nature of the breach of Personal data security, list of Data subject categories affected and the number of Data subjects, as well as the impact of the breach on Personal data processing process;
- contact information of data protection officer or any other contact person who could provide more information on the matter;
- recommended measures for reducing possible negative consequences pertaining to Personal data security breach;
- description of risks associated with Personal data security breach with respect to Data subjects;
- description of measures implemented (suggested to implement) by the Processor for the prevention of Personal data security breaches;
- other reasonably necessary information enabling the Controller to comply with Personal data protection legislation, including obligation to notify supervisory authorities and/or Data subjects.
- Upon receipt of Controller’s instructions, the Processor shall take required corrective actions with respect to Data subjects.
- The Processor shall notify the Controller in the following cases:
- actual or suspected Personal data security breach related to the processing of Personal data processed under this Agreement. The Processor shall immediately, but no later than within 24 hours from finding out of such breach, notify the Controller and, upon receipt of permission of the Controller, without any delay, shall eliminate the problem and prevent any further damage, also, shall reduce the consequences of such breach;
- supervisory authorities have taken any procedural actions related to the processing of Personal data processed under the Agreement with respect to the Processor. The Processor shall immediately, but no later than within 24 hours from becoming aware of such fact, notify the Controller of this;
- Data subject submits a request for implementation of the rights of Data subject or a complaint concerning Personal data processed under the Agreement and/or this Agreement. The Processor shall notify the Controller of this without any delay, but no later than within 1 business day by forwarding such request/complaint to the Controller;
- the Processor intends to implement reforms that could have negative impact on its ability to perform obligations with respect to the Controller under the Agreement. The Processor shall immediately, but no later than within 3 business days from the date of decision making, notify the Controller of this;
- any proceedings are initiated with respect to the Processor related to Personal data processing under the Agreement which may result in compensation or sanctions in accordance with Personal data protection legislation. The Processor shall immediately, but no later than within 24 hours from the beginning of such proceedings, notify the Controller of this. The Processor shall undertake to provide to the Controller any information requested by the Controller which is allowed by the legislation (including, but not limited to information about suspicion on the breach), not to interfere with Controller’s participation in the investigation of the breach.
- The Processor shall collaborate when implementing the rights of Data subjects, i.e., at the request of the Controller, shall provide information required for the implementation of Data subject rights (information must be non-confidential, should not contain commercial secret and be allowed under legislation) at a specified time. If the Controller provides information about Data subject’s request to restrict or delete Personal data (if any) received under the Agreement, the Processor shall take all possible measures to implement such right. The Processor shall undertake, within time period established in legislation, to reply to the inquiries of supervisory authorities concerning Personal data of Data subjects processed by the Processor and/or processing actions.
- The Processor shall not disclose Personal data or any other information related to the processing of Personal data without advance written consent of the Controller, unless the Processor must disclose such information in accordance with legislation. In such case, the Processor shall immediately notify the Controller, if such notification does not violate legislation.
- The Processor shall ensure that all persons related to the processing of Personal data would be placed under obligation to guarantee the confidentiality or would be subject to confidentiality obligation in accordance with the laws. Confidentiality obligation shall be valid for indefinite period.
- The Processor shall undertake to provide access to Personal data only to those employees of the Processor who need such access to Personal data for performance of work functions and to ensure the performance of Processor’s duties under the Agreement, also, to notify Processor’s employees on how to process Personal data, and ensure that Processor’s employees having access to Personal data would have signed confidentiality agreement including non-disclosure obligation.
- At the request of the Controller, the Processor, within time period specified by the Controller, shall provide all necessary information, documents and assistance required for the Controller to be able to properly perform all requirements of Personal data processing legislation and prove the compliance with such requirements, including privacy impact assessment and consultation with supervisory authority by submitting notifications about security breaches. The Processor shall allow supervisory authority to carry out inspections related to the processing of Personal data performed by the Processor under the agreement or to the activity of the Processor and/or contribute to them.
- The Controller, by submitting an advance notification, without interrupting the activity of the Processor, shall have the right to carry out inspections and/or on-site audits on the premises of Processor’s domicile during regular working hours. Such audits or inspections may be carried out by Controller’s employees or other professional third parties acting according to the instructions of the Controller subject to confidentiality obligations acceptable to the Processor.
- The Processor shall not have the right to transfer (except under procedure provided for in the Agreement) Personal data or grant access to them to third parties or engage sub-processors for processing of Personal data without the permission of the Controller. If such permission is obtained, the Processor shall enter into an agreement with relevant sub-processor prior to transfer of Personal data and establish same obligations pertaining to Personal data protection as provided for in this Agreement with respect to the Processor.
- Where applicable, if the sub-processor fails to comply with Personal data protection legislation or fails to perform Personal data protection obligations, the Processor shall bear full responsibility for non-performance of obligations under Personal data protection legislation and/or this Agreement by sub-processors.
- Liability and Loss Compensation
- The guilty Party causing the damage to the other Party shall compensate the other Party for direct losses incurred. The Parties agree that neither Party shall be liable for compensation of indirect losses to the other Party. Neither Party shall compensate non-material damage incurred by the other Party and/or third parties (clients, employees, consultants of the Party, etc.), except in cases provided by the laws. The Parties agree that obligations of the Parties concerning liability and loss compensation set out in this item shall remain valid upon expiry of main agreement or this Agreement.
- Other Conditions
- Legal relationships of the Parties under this Agreement shall be subject to the law of the Republic of Lithuania. All disputes arising out of this Agreement shall be settled by mutual arrangement of the Parties. In case of failure to reach an agreement, any disputes, disagreements or claims arising out of or related to this Agreement, its violation, termination or validity shall be settled in the court of the Republic of Lithuania according to legal address of the Controller, unless otherwise provided in legislation.
- Unless otherwise provided by the Parties, this Agreement shall come into force from the obligation to follow it and shall be valid till separate notification of the Controller to the Processor about termination thereof, but in any case, as long as the Processor processes Personal data according to instructions of the Controller under main agreement. Upon termination or expiry of main agreement signed between the Controller and Processor, this Agreement shall be terminated automatically. The Agreement shall apply from 25 May 2018 and shall become an integral part of main agreement signed between the Controller and Baltisches Haus, UAB and you (company represented by you) (Article 6.189(2) of Civil Code).
- The Processor shall have no right to transfer all or part of its rights, duties or liabilities arising out of this Agreement to third parties without advance written consent of the Controller.
- If any condition of the Agreement becomes invalid, this will not have impact on the validity of other conditions of this Agreement. Invalid condition shall be replaced with other valid condition closest to the meaning of replaced condition.
- This Agreement shall be an integral part to the agreement on the supply of goods and services signed between the Controller and the Processor.
- In case of any contradictions between the main agreement and the Agreement, the conditions of main agreement shall prevail.