PERSONAL DATA PROCESSING POLICY
1. NO-CV, UAB (hereinafter – Company) Personal data processing policy (hereinafter – Policy) is a part of a publicly disclosed Data processing policy that governs the purposes of processing personal data of natural persons whose data is processed by the Company, establishes procedures for enforcing their rights, sets the organizational and technical data protection measures, regulates the invocation of personal data processors.
2. This Policy is prepared based on :
2.1. Law on Legal Protection of Personal Data of the Republic of Lithuania (hereinafter – LLPPD) ;
2.2. The General Data Protection Regulation of EU (hereinafter – GDPR);
2.3. Order of the Government of the Republic of Lithuania of the 28th February 2001 No. 228 “Regarding the approval of the order of remuneration for the provision of data to the data subject and remuneration for data collection from registered data controllers”;
2.4. other legislation related to the processing and protection of personal data.
3. This Policy applies to the automatic processing of personal data of natural persons, as well as to the manual processing of systematic sets of personal data. This Policy also establishes the rights, obligations and responsibilities of the Company’s employees in relation to the processing of personal data.
4. The requirements of this Policy are binding to all employees of the Company (hereinafter referred to as Employees) and must also be complied with by data processors who, when providing data processing services to the Company, become aware of and process personal data, whereas not regulated by separate agreements between the Company and data processors.
5. Personal data / Data – means any information relating to an identified or identifiable natural person – directly or indirectly, in particular by reference to an identifier such as a name, a personal code, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
6. Data processing – means any operation or series of operations performed in an automated or non-automated measure on personal data or personal data sets, such as collection, recording, sorting, systematizing, storing, adapting or modifying, extracting, familiarizing, using, disclosing by transmitting, distributing or otherwise making it available for use, as well as collation or interconnection with other data, restriction, deletion or destruction.
7. Data controller – NO-CV, UAB, which determines the ways and means of using the data when processing the data of the Data subjects.
8. Data subject – Employees, job seekers and other natural persons whose data is processed by NO-CV, UAB.
9. Data processor – entities that process personal data controlled by NO-CV, UAB, under the instructions of NO-CV, UAB in accordance with concluded service contracts.
10. Data provision means the disclosure of personal data by transfer or other means of making them available (excluding publication in the media).
11. Mobile application – NO-CV mobile application and the web platform (website) related to this application, administered by the Company, which are designed to provide services for individuals looking for work.
12. Internal administration – activities ensuring the autonomous functioning of the data controller (structure management, personnel management, management and use of available material and financial resources, record keeping).
13. Other terms used in the Policy shall be understood as defined in LLPPD and / or GDPR.
PRINCIPLES AND OBJECTIVES OF PERSONAL DATA PROCESSING
14. In the performance of their duties and the processing of personal data, staff of Data processor shall be required to:
14.1. process personal data in a lawful, fair and transparent manner;
14.2. collect data for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
14.3. observe the principles of expediency, proportionality and data quantity minimization in the collection and processing of personal data, not require the provision of data that is not needed, not stored, and refrain from processing excess data;
14.4. ensure the accuracy of personal data and, where necessary for the purposes of the processing of personal data, keep it up to date; to correct, supplement, delete or suspend processing of inaccurate or incomplete data;
14.5. store personal data in a form, which allows identification of Data subjects for no longer than is necessary for the purposes for which the data was collected and processed;
14.6. process personal data in such a way as to ensure adequate security of personal data by application of appropriate technical or organizational means, including protection against unauthorized processing or unlawful processing and from unintentional loss, destruction or damage of data (integrity and confidentiality principle).
15. CEO Gediminas Vilčiauskas is responsible for updating the data of the Data subjects of the Company.
16. Information about the Data subject must be provided if required by law.
PROCESSING DATA OF COMPANY EMPLOYMENT CANDIDATES
16.1. The Company processes the following data of persons who wish to participate in the Company’s recruitment process or use the Company’s recruitment services: name, surname, date of birth, address, tel. number, email address, education, other details as specified in the documents provided by the candidates to the Company. In the event that the legislation of the Republic of Lithuania provides for additional restrictions on the kind of information on candidates that may be processed, the Data controller shall ensure that only the personal data of candidates that is allowed to be processed is processed. Sensitive data is not processed unless the candidate decides to provide this data about himself.
17. The basis for data processing is consent. Candidates for the vacancies are giving their consent (by conclusive action) to process their data only until the end of the selection process. The data of candidates who have not been selected for the position (vacancy) shall be deleted at the end of the selection procedure, unless they give their explicit consent to the processing of the data at the end of the selection procedure.
18. The purpose of data processing is internal administration. If the candidate’s consent to the processing of his data after the end of the selection procedure is obtained with an objective to offer a future job, the data shall be processed on the basis of consent.
19. Candidates submit their personal data when applying to the Company. In some cases, when sampling is conducted through third parties (the Company’s data processors), the data is first provided to them and only thereafter to the Company. In all cases, the Company is the Data controller.
20. Candidate data shall not be disclosed to other Third parties unless the candidates request and where there are legitimate grounds for such transfer.
21. Candidate data is systematically processed in the Company’s databases, the access to which is available to the Company’s IT service providers. Candidates’ resumes or motivation letters may also be kept in paper form.
22. Candidates are made aware of their data processing and their rights, including the right to apply to the Company for data deletion. Informing shall be concluded in the Policy publicly available on the Company’s Websites.
DATA ON NATURAL PERSONS PROCESSED FOR THE PURPOSES OF SERVICE PROVISION
23. The Company can process the following data of persons, who use the Company’s service in a Mobile application (job seekers): name, surname, gender, work experience, skills, language, e-mail, phone, address, type of employment sought, data which is received from payment service providers (i.e. Paysera), as well as other data provided directly by the Data subject.
24. Service users agree to the terms and conditions of use of the Company’s managed Mobile application before using it. The basis for data processing is the conclusion and performance of the contract, which may be concluded in a Mobile application environment.
25. The purpose of data processing is to provide services properly.
26. Data subjects themselves submit their personal data. In specific cases, data may be obtained from third parties, e.g. when Data subjects make purchases, the data comes from payment service companies or, when you sign in with your Google or Facebook account, the data comes directly from these companies.
27. The data is stored in the Company’s databases, to which the companies providing IT services to the Company have access. Data of job seekers can be disclosed to other third parties, clients of the Company (companies which are looking for employees).
28. The purpose of data processing of the job seekers is providing employment services to the Company’s clients. If the job seekers’ consent to the processing of his data after the end of the selection procedure is obtained with an objective to offer a future job, the data shall be processed on the basis of consent.
29. Data subjects are made aware of the processing of their data and of their rights. Notification shall be made in the Policy publicly available the Company’s website and in the mobile Application, as well as rules of usage, provided in the Mobile application.
DATA PROCESSING FOR DIRECT MARKETING PURPOSES
30. For the purposes of direct marketing, the Company processes the following personal data: name, surname, email address. Other contact details may also be processed.
31. Data processing is based on consent.
32. Data subjects themselves submit their personal data to the Company.
33. The data is stored in the Company’s databases, to which the companies providing IT services to the Company have access. Data shall not be disclosed to other third parties unless a request to do so from the Data subject is obtained and where there are legitimate grounds for such transfer.
34. The Company does not process minor’s data or sensitive personal data for this purpose. Nevertheless, when collecting data for direct marketing purposes, the Company does not verify the age of the Data subjects as this would be treated as excess data collection.
35. Data subjects are made aware of their data processing and their rights, including the right to apply to the Company for data deletion. Notification shall be made in the Policy, publicly disclosed on the Company’s Website and in the Mobile Application.
DATA PROCESSING FOR INQUIRY, REQUEST OR COMPLAIN ADMINISTRATION, EVALUATION AND EXAMINATION
36. The Company may process the following data of the contacting natural persons for the specified purpose: name, surname, language, e-mail. address. The Company may also process other data directly obtained from the Data subject and necessary for the investigation, administration or evaluation of the request, inquiry or complaint.
37. The basis for data processing is the conclusion and performance of the contract.
38. Data subjects themselves submit their personal data.
39. The data is stored in the Company’s databases, to which the companies providing IT services to the Company have access. Data shall not be disclosed to other third parties unless a request to do so from the Data subjects is obtained and where there are legitimate grounds for such transfer.
40. Data subjects are made aware of the processing of their data and of their rights. Notification shall be made in the Policy, publicly disclosed on the Company’s Website and in the Mobile Application.
42. These cookies are or may be used on the Company’s website.
Name of cookie Description Moment of creation Expiry time Data used
_ga A unique ID is logged and used to generate statistics about how a visitor uses the site. By clicking the “I agree” button 2 years Unique identifier
_gid This cookie is used to distinguish users. By clicking the “I agree” button 24 hours Unique identifier
_gat* These cookies are used to limit the number of requests. When entering the page 10 min Unique identifier
pll_language This cookie is used to save the visitor’s preferred language. When entering the page 1 year Language
43. The Company can collect data on visitor actions and their browsing habits on a website.
44. For more information, you can visit: http://www.google.com/analytics .
45. To learn how to disable tracking on the web pages with Google Analytics cookies, you can visit: http://tools.google.com/dlpage/gaoptout .
46. Data is passed to IT service providers and Google. Data shall not be disclosed to other third parties unless a request to do so is obtained and where there are legitimate grounds for such transfer.
TERMS OF DATA STORAGE
48. The data controller shall apply the following time limits for the storage of personal data:
No. Purpose of processing of personal data Term of storage
1. Processing of employee data for the purposes of internal administration. Up to 50 years after the end of the employment contract, in accordance with the Index for retention periods in the General documentation.
2. Processing of personal data of job candidates . Until the end of selection.
3. Processing of personal data of job candidates after the end of the selection takes place after obtaining permission to process data. Two years from the date of obtaining of the consent.
4. Provision of employment services. Data shall be processed for a period which shall not exceed 5 years or more, if it is allowed by laws.
5. Administration, evaluation and examination of requests, inquiries or complaints. 6 months from the date of receipt of the request.
6. For direct marketing purposes. 3 years from obtaining consent.
7. Cookies to improve the quality of your use of the site. The length of time a cookie stays on your computer depends on the type of cookie.
49. Exceptions to the above retention periods may be determined insofar as such exceptions do not violate the rights of the Data subjects, meet legal requirements and are properly documented.
DATA SUBJECTS RIGHTS AND PROCEDURES FOR THEIR IMPLEMENTATION
Ensuring Data subjects’ rights and awareness
50. Data subjects have the right to:
50.1. to know (be informed) about the processing of their personal data.
50.2. by submitting to the Company an identity document or by electronic means that allows the person to be properly identified – to access their personal data and its processing, to obtain information on the sources and what specific personal data is collected, the purpose for which it is processed, the recipients at least in the last 1 year, in addition – to receive a copy of the documents containing their personal data;
50.3. require the rectification, erasure or restriction of personal data except for storage where the processing is in breach of legal requirements;
50.4. to object to the processing of their personal data;
50.5. to request transfer of data to another data controller or to provide it directly to the Data subject in a form that is convenient for the Data subject (such data provided to the Company by the Data subject itself);
50.6. lodge a complaint with the supervisory authority;
50.7. revoke consent (if personal data is processed on the basis of consent).
51. In all cases, the Company must provide the Data subject with information (unless the Data subject already has such information) about:
51.1. its name, legal entity code and registered office;
51.2. contact details of the data protection officer, if any;
51.3. for what purposes and on what legal basis is the personal data of the Data subject processed;
51.4. the recipients of the data and their categories;
51.5. the period for which the data will be stored or the criteria used to determine that period;
51.6. other additional information (what of the Personal data must be provided by the Data subject and the consequences of failure to provide the data, about the Data subject’s right of access to his personal data and his right to correct incorrect, incomplete, inaccurate personal data) in the volume that is needed, in order to ensure the proper personal data processing without the violation of the rights of the Data subject;
51.7. the communication of his personal data to third parties at the latest at the time the data are first provided during the first time and if the Data subject was unaware that the data will be transferred to another party.
Order for the implementation of data subjects’ rights
52. The Company is obliged to:
52.1. enable the Data subject to exercise the specified rights of the Data Subject, except as in cases stipulated by law, when it is necessary to ensure national security or defense, public order, crime prevention, investigation, detection or criminal prosecution, important state economic or financial interests, prevention of violations of service or professional ethics, its investigation and detection, protection of the rights and freedoms of the Data subject or other persons;
52.2. Data subjects must contact the Company branch to exercise their rights at the following contacts: firstname.lastname@example.org
52.3. The Company must ensure that all necessary information is provided to the Data subject in a clear and comprehensible manner.
52.4. The reply to Data subject must be sent no later than in 20 (twenty) business days from the date of receipt of the request. If the Data subject is refused access to the data, he shall be given a reasoned and substantiated reply regarding the non-execution of his request.
53. The Company shall immediately inform the data recipients of the personal data, which was corrected or destroyed at the request of the data subject, the suspended processing of personal data, unless the provision of such information would be impossible or excessively difficult (due to the high number of data subjects, data period, unreasonably high costs). In this case, the State Data Protection Inspectorate must be notified immediately.
54. The Company shall provide the data to the Data subject free of charge. In certain cases (whenever the Data subject clearly abuses his rights, submits unreasonably repeated requests for information, excerpts, documents), such provision of information and data to the Data subject may require remuneration in accordance with legal requirements and the rates set by the Company.
Provision of data to data recipients
55. The Company shall provide the Data of the Data subject according to the requirements of the legal acts and while ensuring their confidentiality.
56. In the case of one-time data provision, the Company shall give priority to the provision of information by electronic means.
57. The provision of personal data to state and municipal institutions and bodies, when such institutions and bodies receive personal data for the performance of the statutory control functions, shall not be considered as the provision of data to recipients.
ORGANIZATIONAL AND TECHNICAL MEASURES FOR PERSONAL DATA PROTECTION
58. The Company makes every reasonable effort to ensure that the Company’s organizational and technical data security measures comply with GDPR requirements. The following infrastructural, administrative and telecommunications (electronic) measures shall be taken to protect personal data against accidental or unlawful destruction, alteration, disclosure or any other unlawful processing:
58.1. proper hardware layout and maintenance, information systems maintenance, network management, ensuring Internet usage security and other information technology measures:
58.2. access to Data and the right to carry out Data processing operations shall be granted only to the Employees or subcontractors of Company who need access to the personal data in the context of their duties and performed work functions or services.
58.3. ensuring security of premises where personal data is stored (only authorized persons have access to concerned premises).
58.4. after assigning a computer or electronic communication device to a particular Employee, such computer / electronic communication device (s) must be password protected. Passwords must be changed periodically, as well as in the presence of certain circumstances (changes of employee, threat of hacking, suspicion that the password has become known to third parties, etc.).
58.5. ensuring the protection of personal data against unauthorized access to the internal computer network by electronic means of communications.
58.6. ensuring the use of secure protocols for the transmission of personal data through external data communication networks.
58.7. strict adherence to safety standards issued by the security service;
58.8. proper organization of work and other administrative measures;
58.9. the necessary data security measures are installed taking into account the results of the risk assessment;
58.10. backup and recovery of data;
58.11. ensuring that data is restored from the latest available backup copies in the event of loss of data due to hardware failure, software error or other data integrity violation;
58.12. other means.
59. The Company’s CEO Gediminas Vilčiauskas is responsible for the implementation, control and enforcement of these organizational and technical data security measures.
60. Employees or subcontractors of Company who process personal data must observe the principle of confidentiality and keep any relevant information they have accessed in the course of their duties confidential. This obligation shall continue to apply after transfer to another position within the Company or upon termination of the employment or contractual relationship with the Company.
61. Employees or subcontractors of Company may process personal data in an automatic way only after they have been granted access to the relevant information system. Access to personal data may only be granted to a person who needs personal data to perform his functions. Upon termination of employment relationships, the Employee’s rights to access registers and other programs shall be revoked.
62. Employees or subcontractors of Company may transfer documents containing personal data only to Employees or subcontractors of Company who are entitled to work with personal data under duties or separate assignments.
63. Employees or subcontractors of Company performing Data subject’s Data processing functions, shall prevent accidental or unauthorized processing, and shall maintain records in a proper and secure manner (avoiding unnecessary storage of the Data Subject’s data, etc.). Copies of documents containing data of the Data subject shall be destroyed in such a way that the contents of such documents cannot be reproduced and their contents identified.
64. Employees or subcontractors of Company whose computers store the Data or whose computers are enabled to access the Company’s information systems where the Data is stored must use passwords on their computers; “Guest” type user accounts in such systems, i.e. no-password accounts are prohibited. These computers also need to use a screen saver with a password.
65. Unless necessary, files with Data need not be digitally duplicated, i.e., copies of them being made to local computer disks, removable media, remote file storage, etc.
66. The security control and erasure of personal data contained in external data storage media and electronic mail after their use is ensured by transferring them to databases.
67. CEO Gediminas Vilčiauskas must ensure:
67.1. control of unauthorized access to server premises;
67.2. protection of the Company’s internal computer network.
68. Employees or subcontractors of Company must organize their work in such a way as to limit the access of other persons to the personal data processed as much as possible. This provision shall be implemented:
68.1. by refraining from leaving documents with processed personal data or a computer that can open files containing personal data, without supervision, so that information contained therein can be read by Employees who are not authorized to work with specific personal data, students or other persons;
68.2. by storing documents in such a way that they (or their fragments) cannot be read by accidental persons;
68.3. if documents containing personal data are transmitted to other Employees, units, branches, offices, subcontractors of Company via persons who are not authorized to process personal data, or by post or courier, they must be transmitted in a sealed opaque envelope. This paragraph shall not apply where such messages are issued personally and confidentially.
69. CEO Gediminas Vilčiauskas is responsible for managing and responding to personal data breaches.
70. Amendments or additions to the Policy are announced at the Company’s websites or Mobile application environment.