Personal data processing agreement

Private limited liability company BALTISCHES HAUS, legal entity code 111543781, legal address Jasinskio g. 16A, Vilnius (Controller) and You or legal entity represented by you, concluding main agreement for the supply of goods and/or services with the Controller (Processor), the Controller and the Processor hereinafter jointly referred to as the Parties and each individually as the Party, have concluded this Data processing agreement (Agreement) and agreed on the following conditions:

  1. Definitions
    1. Personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, or to one or more factors specific to the physical, physiological, psychological, economic, cultural or social identity of that natural person;
    2. Personal data protection legislation means all legislation regulating personal data protection and/or establishing requirements for data security measures, including but not limited to national legislation (the Law on Legal Protection of Personal Data of the Republic of Lithuania; the Law on Electronic Communications of the Republic of Lithuania and other legislation), directly applicable EU legislation (Regulation (EU) No. 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter – Regulation) – from the date of coming into force thereof) and all amendments or supplements of the aforementioned legislation;
    3. Data confidentiality means a term defining the need for information storage and non-disclosure to unauthorized persons, subjects or processes;
    4. Data subject and/or Client means natural person whose data are being processed under the agreement;
    5. Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal data;
    6. Processor means a natural or legal person processing Personal data for the purpose and under procedure
      specified by Controller;
    7. Security breach means an event, action or inaction which results in or may result in unauthorized access or enables access to information system, information technologies (IT), interfere with or modify the operation of information system, destroy, damage, delete or modify data, exclude or restrict access to data, also, enables misappropriation or use of data by persons having no such right;
    8. Technical and organizational measures means measures for protecting Personal data from accidental or
      unlawful, temporary or permanent, destruction, alteration, unauthorised disclosure or processing. These
      measures shall ensure a level of security that is consistent with the nature of stored Personal data and risks
      associated with processing thereof;
    9. Processor’s employees means any persons acting on behalf of or under the instructions of the Processor, including
      employees, consultants, contractors and sub-suppliers.
  2. Subject Matter of the Agreement, Nature and Purpose of Processing, Data Subject Categories and Basis, Data Categories
    1. The Processor shall process Personal data under the Agreement or other written instructions of the Controller to perform main agreement concluded between the Parties.
    2. By performing the Agreement, the Processor shall process the following Personal data of Data subject:
      1. identification data of Data subject (name, surname, personal number);
      2. contact data of Data subject (business address, telephone number, e-mail address, fax);
      3. data about bank account of Data subject (account number, bank, bank code);
      4. information about the activity of Data subject (information about activity according to main agreement);
      5. other information (position occupied, data about authorizations, correspondence with the Controller,
        data generated during the performance of main agreement with the Controller). Personal data of the following Data subject categories may be processed: supplier of the Controller, employee of the supplier of the Controller, other natural person engaged by the supplier of the Controller (e.g. representative);
    3. Personal data of the following Data subject categories may be processed: supplier of the Controller; employee of the supplier of the Controller; other legal entity engaged by the supplier of the Controller (e.g. representative).
    4. Processing actions: Personal data may be provided to the Processor by e-mail, disclosed by phone or included in notifications in paper form. The Controller or the Processor may also grant the access to interactive resources to the other Party where Personal data are processed in database accessed from internal networks;
    5. The location of processing actions shall be the Republic of Lithuania or any other country of European
      Economic Area.
    6. Data provision methods: the Processor may receive Personal data controlled by the Controller only from
      Controller’s database and/or directly from the Controller.
  3. Personal Data Processing Duration
    1. Under the Agreement, the Processor shall process and store processed Personal data during the validity period of main agreement (appendixes thereof) concluded with the Processor and for at least 10 years thereafter, unless a different period is established in legislation or according to purposes of Personal Data processing.
    2. When processing of Personal data or the Agreement is terminated, the Processor shall be obliged to immediately, but no later than within period specified by the Controller, without charging any additional fee, at the choice of the Controller, destroy or provide (return) to the Controller all Personal data the Processor has processed under the instructions of the Controller in performing the Agreement, also, all available copies of such Personal data. Where Personal data are destroyed, the Processor, at the request
  4. Technical and Organizational Data Security Measures
    1. The Processor shall undertake, at its own expense, to ensure the protection of processed Personal data by implementing relevant technical and organizational measures that are intended to protect processed Personal data from accidental or unlawful destruction, damage, modification, loss, disclosure, also, from any unauthorized processing. These measures shall ensure adequate protection level that would meet the nature of processed Personal data and risks associated with processing thereof.
    2. Security measures applied by the Processor to protect processed Personal data from unlawful processing, disclosure, accidental loss, destruction, damage, modification shall be specified in Controller’s instructions (if any), legislation, Agreement and appendixes thereof.
    3. At the request of the Controller, the Processor shall provide evidence of technical and organizational Personal data protection measures applied to the processing of Personal data under the Agreement. The Processor shall undertake to ensure that these protection measures would be implemented before the start of processing of Personal data, also, shall undertake to periodically assess, supplement and/or improve organizational and technical measures.
  5. Obligations of the Parties
    1. The Processor shall properly document all security breaches related to Personal data processed on the ground of this Agreement. Notification of the Processor shall include (but will not be limited to) the following information:
      1. description of the nature of the breach of Personal data security, list of Data subject categories affected and the number of Data subjects, as well as the impact of the breach on Personal data processing process;
      2. contact information of data protection officer or any other contact person who could provide more information on the matter;
      3. recommended measures for reducing possible negative consequences pertaining to Personal data security breach;
      4. description of risks associated with Personal data security breach with respect to Data subjects;
      5. description of measures implemented (suggested to implement) by the Processor for the prevention of Personal data security breaches;
      6. other reasonably necessary information enabling the Controller to comply with Personal data
        protection legislation, including obligation to notify supervisory authorities and/or Data subjects.
    2. Upon receipt of Controller’s instructions, the Processor shall take required corrective actions with respect to Data subjects.
    3. The Processor shall notify the Controller in the following cases:
      1. actual or suspected Personal data security breach related to the processing of Personal data processed under this Agreement. The Processor shall immediately, but no later than within 24 hours from finding out of such breach, notify the Controller and, upon receipt of permission of the Controller, without any delay, shall eliminate the problem and prevent any further damage, also, shall reduce the consequences of such breach;
      2. supervisory authorities have taken any procedural actions related to the processing of Personal data processed under the Agreement with respect to the Processor. The Processor shall immediately, but no later than within 24 hours from becoming aware of such fact, notify the Controller of this;
      3. Data subject submits a request for implementation of the rights of Data subject or a complaint concerning Personal data processed under the Agreement and/or this Agreement. The Processor shall notify the Controller of this without any delay, but no later than within 1 business day by forwarding such request/complaint to the Controller;
      4. the Processor intends to implement reforms that could have negative impact on its ability to perform obligations with respect to the Controller under the Agreement. The Processor shall immediately, but no later than within 3 business days from the date of decision making, notify the Controller of this;
      5. any proceedings are initiated with respect to the Processor related to Personal data processing under
        the Agreement which may result in compensation or sanctions in accordance with Personal data protection legislation. The Processor shall immediately, but no later than within 24 hours from the beginning of such proceedings, notify the Controller of this. The Processor shall undertake to provide to the Controller any information requested by the Controller which is allowed by the legislation (including, but not limited to information about suspicion on the breach), and not to interfere with the Controller’s participation in the investigation of the breach.
    4. The Processor shall collaborate when implementing the rights of Data subjects, i.e., at the request of the Controller, shall provide information required for the implementation of Data subject rights (information must be non-confidential, should not contain commercial secret and be allowed under legislation) at a specified time. If the Controller provides information about Data subject’s request to restrict or delete Personal data (if any) received under the Agreement, the Processor shall take all possible measures to implement such right. The Processor shall undertake, within time period established in legislation, to reply to the inquiries of supervisory authorities concerning Personal data of Data subjects processed by the Processor and/or processing actions.
    5. The Processor shall not disclose Personal data or any other information related to the processing of Personal data without advance written consent of the Controller, unless the Processor must disclose such information in accordance with legislation. In such case, the Processor shall immediately notify the Controller, if such notification does not violate legislation.
    6. The Processor shall ensure that all persons related to the processing of Personal data would be placed under obligation to guarantee the confidentiality or would be subject to confidentiality obligation in accordance with the laws. Confidentiality obligation shall be valid for indefinite period.
    7. The Processor shall undertake to provide access to Personal data only to those employees of the Processor who need such access to Personal data for performance of work functions and to ensure the performance of Processor’s duties under the Agreement, also, to notify Processor’s employees on how to process Personal data, and ensure that Processor’s employees having access to Personal data would have signed confidentiality agreement including non-disclosure obligation.
    8. At the request of the Controller, the Processor, within time period specified by the Controller, shall provide all necessary information, documents and assistance required for the Controller to be able to properly perform all requirements of Personal data processing legislation and prove the compliance with such requirements, including privacy impact assessment and consultation with supervisory authority by submitting notifications about security breaches. The Processor shall allow supervisory authority to carry out inspections
      related to the processing of Personal data performed by the Processor under the agreement or to the activity of the Processor and/or contribute to them.
    9. The Controller, by submitting an advance notification, without interrupting the activity of the Processor, shall have the right to carry out inspections and/or on-site audits on the premises of Processor’s domicile during regular working hours. Such audits or inspections may be carried out by Controller’s employees or other professional third parties acting according to the instructions of the Controller subject to confidentiality obligations acceptable to the Processor.
    10. The Processor shall not have the right to transfer (except under procedure provided for in the Agreement) Personal data or grant access to them to third parties or engage sub-processors for processing of Personal data without the permission of the Controller. If such permission is obtained, the Processor shall enter into an agreement with relevant sub-processor prior to transfer of Personal data and establish same obligations pertaining to Personal data protection as provided for in this Agreement with respect to the Processor.
    11. Where applicable, if the sub-processor fails to comply with Personal data protection legislation or fails to perform Personal data protection obligations, the Processor shall bear full responsibility for non-performance of obligations under Personal data protection legislation and/or this Agreement by sub-processors.
  6. Liability and Loss Compensation
    1. The guilty Party causing the damage to the other Party shall compensate the other Party for direct losses incurred. The Parties agree that neither Party shall be liable for compensation of indirect losses to the other Party. Neither Party shall compensate non-material damage incurred by the other Party and/or third parties (clients, employees, consultants of the Party, etc.), except in cases provided by the laws. The Parties agree that obligations of the Parties concerning liability and loss compensation set out in this item shall remain valid upon expiry of main agreement or this Agreement.
  7. Other Conditions
    1. Legal relationships of the Parties under this Agreement shall be subject to the law of the Republic of Lithuania. All disputes arising out of this Agreement shall be settled by mutual arrangement of the Parties. In case of failure to reach an agreement, any disputes, disagreements or claims arising out of or related to this Agreement, its violation, termination or validity shall be settled in the court of the Republic of Lithuania according to legal address of the Controller, unless otherwise provided in legislation.
    2. Unless otherwise provided by the Parties, this Agreement shall come into force from the obligation to follow it and shall be valid till separate notification of the Controller to the Processor about termination thereof, but in any case, as long as the Processor processes Personal data according to instructions of the Controller under main agreement. Upon termination or expiry of main agreement signed between the Controller and Processor, this Agreement shall be terminated automatically. The Agreement shall apply from 25 May 2018
      and shall become an integral part of main agreement signed between the Controller and Baltisches Haus, UAB and you (company represented by you) (Article 6.189(2) of Civil Code).
    3. The Processor shall have no right to transfer all or part of its rights, duties or liabilities arising out of this Agreement to third parties without advance written consent of the Controller.
    4. If any condition of the Agreement becomes invalid, this will not have impact on the validity of other
      conditions of this Agreement. Invalid condition shall be replaced with other valid condition closest to the
      meaning of replaced condition.
    5. This Agreement shall be an integral part to the agreement on the supply of goods and services signed between the Controller and the Processor.
    6. In case of any contradictions between the main agreement and the Agreement, the conditions of main agreement shall prevail.