Trademarks Trademarks
Trademarks
Design Design
Design
Patents Patents
Patents
Legal consultancy Legal consultancy
Legal consultancy
Technology and e-commerce Technology and e-commerce
Technology and e-commerce
Protection of personal data Protection of personal data
Protection of personal data
Contracts Contracts
Contracts
Copyright Copyright
Copyright
Disputes relating to trademarks, designs, inventions and copyright Disputes relating to trademarks, designs, inventions and copyright
Disputes relating to trademarks, designs, inventions and copyright
services
Trademarks Trademarks
Trademarks
Design Design
Design
Patents Patents
Patents
Legal consultancy Legal consultancy
Legal consultancy
Technology and e-commerce Technology and e-commerce
Technology and e-commerce
Protection of personal data Protection of personal data
Protection of personal data
Contracts Contracts
Contracts
Copyright Copyright
Copyright
Disputes relating to trademarks, designs, inventions and copyright Disputes relating to trademarks, designs, inventions and copyright
Disputes relating to trademarks, designs, inventions and copyright
services
Privacy policy

POLICY ON THE PROCESSING OF PERSONAL DATA OF METIDA 

 

GENERAL PROVISIONS

 

1. The policy on the processing of personal data (hereinafter referred to as the Policy) of UAB METIDA (hereinafter referred to as the Company) shall be the publicly available part of the rules regarding the processing of personal data which regulate the purposes of the processing of personal data of natural persons carried out by the Company, lay down the procedures for the exercise of their rights, establish organizational and technical safeguards for data protection, and regulate the use of a processor.
2. The Policy is based on:
2.1. The Law of the Republic of Lithuania on Legal Protection of Personal Data;
2.2. The General Data Protection Regulation (hereinafter referred to as the GDPR);
2.3. Law of the Republic of Lithuania on the Bar and Patent attorneys;
2.4. Resolution No 228 of the Government of the Republic of Lithuania of 28 February 2001 On the approval of the procedure of payment for disclosing data to a data subject and the procedure of payment for collecting data from registered data controllers;
2.5. Other legal acts governing the processing and protection of personal data.
3. The Policy shall apply to the processing of data of natural persons by automatic means, and to the processing of filing systems of personal data otherwise than by automatic means.
4. The Policy shall also lay down the rights, obligations and responsibilities of the employees of the Company. The provided requirements shall be binding on all the employees of the Company involved in the processing of personal data or who have access to personal data in the course of the performance of functions assigned to them.
5. Processors must also follow the Policy to the extent it is not provided for in their contracts or Data Processing Agreements concluded with the Company.

 

KEY DEFINITIONS

 

6. Personal data shall be any information relating to an identified natural person or a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a personal number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, economic, mental, cultural or social identity of that natural person.
7. Data Protection Officer shall be an employee of the Company chosen from among the existing employees of the Company on the basis of his professional qualities, in particular his expert knowledge of data protection law and practices, as well as the ability to carry out the tasks referred to in Article 39 of the GDPR, who will help meet the requirements in the implementation of accountability measures (e.g. perform data protection impact assessments and carry out or assist with audits). The data protection officer shall also act as an intermediary between different stakeholders (e.g. supervisory authorities, data subjects and Company divisions).
8. Employee shall be a person who performs permanent functions under a contract or post in the name and/or on behalf of the Company.
9. Processing shall be any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, storage, structuring, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
10. Controller shall be Company which, when processing data of its Clients, other natural persons or Employees, shall determine the means and measures of the use of personal data.
11. Data Subject shall be a Client, other natural person or an Employee whose data are processed by the Controller.
12. Processor shall be an entity which processes personal data managed by the Company under existing service or other contracts.
13. Provision of data shall be the disclosure of personal data by transmission or otherwise making them available.
14. Client shall be a natural person or a legal entity to which the Company provides agreed services.
15. Superfluous Data shall be data that are not necessary for the purpose for which they are collected.

 

PRINCIPLES AND PURPOSES OF THE PROCESSING OF PERSONAL DATA

 

16. When performing their functions and processing personal data Employees of the Company must:
16.1. Process them lawfully, fairly and in a transparent manner;
16.2. Collect them for specified, explicit and legitimate purposes and not process them in a manner that is incompatible with those purposes;
16.3. Comply with the principles of expediency, proportionality and data minimisation and not require Superfluous Data from Data Subjects;
16.4. Ensure their accuracy and, where necessary, update them;
16.5. Rectify, complete, destroy or block the processing of inaccurate or incomplete personal data;
16.6. Store them so as to permit the identification of Data Subjects for no longer than is necessary for the purposes for which the data were collected and processed;
16.7. Process them in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
17. The processing in the Company shall be supervised by the Data Protection Officer.
18. All information concerning the Clients and the services provided to them shall be confidential and shall remain so after the termination of the services.

 

RIGHTS OF DATA SUBJECTS AND PROCEDURES FOR THEIR EXERCISE

 

Rights of data subjects and awareness-raising

19. Data Subjects shall have the following right:
19.1. To know (be informed) about the processing of their data;
19.2. Upon production to the Company of an identity document or identification by electronic means which allow proper identification of the person, to access to their personal data and their processing, to obtain information from which sources and which data have been collected, for which purpose they are being processed, to which recipients they are provided or have been provided for at least the last one year, and to obtain copies of documents containing their personal data;
19.3. To request the rectification, erasure or restriction of processing of their personal data;
19.4. To object to the processing of their data;
19.5. To have their data transferred to another controller or to be provided directly to the Data Subject in a convenient form (only data provided to the Company by the Data Subject himself);
19.6. To lodge a complaint with the supervisory authority;
19.7. To withdraw consent (if the data are processed on the basis of consent).
20. In all cases, the Company must provide the Data Subject with the information requested by him (unless the Data Subject already has such information):
20.1. Its name, legal entity number and domicile;
20.2. The contact details of the Data Protection Officer;
20.3. Purposes and the legal basis for the processing of personal data of the Data Subject;
20.4. Recipients and categories of recipients;
20.5. The period for which the data will be stored, or the criteria used to determine that period;
20.6. Other additional information (which personal data the data subject is required to provide and the consequences of such omission, as well as information on the right of the Data Subject to access to his personal data and the right to rectification of incorrect, incomplete or inaccurate personal data) to the extent necessary to ensure that the personal data are processed fairly without prejudice to the rights of the Data Subject.

 

Exercise of the rights of the Data Subject

 

21. The Company must:
21.1. Provide the Data Subject with the conditions for exercising the rights provided for in these Rules, except in cases laid down in laws when it is necessary to ensure the security or defence of the State, public order and the prevention, investigation, detection or prosecution of criminal offences, important economic or financial interests of the State, the prevention, investigation and detection of violations of official or professional ethics, and the protection of the rights and freedoms of the Data Subject or of other persons;
21.2. Ensure that all information is provided to the Data Subject in a clear and comprehensible manner;
21.3. Reply to the Data Subject no later than within 20 (twenty) working days from the date of receipt of the request. If the provision of data is refused, a reasoned reply must be provided for non-compliance with the request;
21.4. Inform recipients without delay of any rectification or destruction of personal data requested by the Data Subject, any blocked processing operations, unless the provision of such information would be impossible or excessively difficult (due to the large number of data subjects, data period or unreasonable cost). In this case, the State Data Protection Inspectorate must be notified immediately.
22. The Company shall provide data to the Data Subject free of charge. In certain cases (where the Data Subject manifestly abuses his rights, unreasonably resubmits his requests for information, extracts or documents) such provision of information and data may be subject to a fee.
22.1. To exercise their rights, Data Subjects may contact the Company at ada@metida.com.

 

Provision of data to recipients

 

23. The Company shall provide personal data of Data Subjects without prejudice to the requirements laid down by law and by respecting the confidentiality of the data.
24. In the case of a single disclosure of data, the Company shall give the priority to the provision of information by electronic means.
25. The provision of personal data to public and municipal authorities and bodies, where those authorities and bodies receive personal data on the basis of a specific enquiry for the purpose of carrying out the control functions laid down by law, is not to be regarded as the provision of data to recipients.

 

DATA PROCESSED BY METIDA

 

26. Processing of data relating to representatives of legal entities for the purposes of the provision of services.
26.1. Basis for the processing: the conclusion and performance of the contract.
26.2. Processed data: the name, title, telephone number, e-mail, other contact details.
The processing may also be extended to other data necessary for the provision of Company services and/or other data provided by the Client or his representative.
26.3. Period of storage of data: data shall be processed to the extent necessary to achieve the purposes for which they are processed.
If their processing is required by the applicable legal acts, some data must be processed for a period laid down by law, but not longer than 50 years.
26.4. Data sources: data shall be obtained directly from Data Subjects or their representatives.
26.5. Data storage locations: a Client’s card with his personal data shall be generated in the database of the Company.
Data may also be processed by storing them in the form of documents created or received in the course of the provision of services or in the form of e-mail.
26.6. Persons (groups of persons) to whom data are transferred: data shall not be provided to third parties.
Data may be provided to courts, public authorities, procedural opponents, etc. at the request of the client or his representative and on a legitimate ground or mandate for the transfer, if this is necessary for the provision of services to the Client or if this is required by the applicable legal acts.
Undertakings providing IT services to the Company shall have access to the databases containing data of Client representatives.
The Company shall require the processors to process data in accordance with the legal acts applicable in the Republic of Lithuania and in the European Union.
26.7. Transfer of data to third countries (non-EU/EEC countries): personal data shall not be provided to third countries, unless it is necessary for the proper provision of services to the Client and the Client’s representative has been informed thereof.
26.8. Processing of special categories of data and data of minors: the Company does not process data of minors or special categories of data for this purpose.
26.9. Have data subjects been made aware of the processing and of their rights? Client representatives are aware that personal data provided by them will be processed by the Company when they agree to the provision of services by the Company. The Policy, which is available on the website of the Company, also provides information to Client representatives of their rights.

27. Processing of data of natural persons for the purposes of the provision of services.
27.1. Basis for the processing: the conclusion and performance of the contract.
27.2. Processed data: the name, title, personal number, file number, language, VAT identification number (if any), address, telephone number, e-mail, other contact details.
The processing may also be extended to other data necessary for the provision of Company services and/or other data provided by the Client.
27.3. Period of storage of data: data shall be processed to the extent necessary to achieve the purposes for which they are processed.
If their processing is required by the applicable legal acts, some data must be processed for a period laid down by law, but not longer than 50 years.
27.4. Data sources: data are obtained from the Client.
In certain cases, data may also be obtained indirectly, e.g. from case files.
27.5. Data storage locations: a Client’s card with his personal data shall be generated in the database of the Company.
Data may also be processed by storing them in the form of documents created or received in the course of the provision of services or in the form of e-mail.
27.6. Persons (groups of persons) to whom data are transferred: data shall not be provided to third parties.
Data may be provided to courts, public authorities, procedural opponents, etc. at the request of the client and on a legitimate ground or mandate for the transfer, if this is necessary for the provision of services to the Client or if this is required by the applicable legal acts.
Undertakings providing IT services to the Company shall have access to the databases containing data of the Clients.
The Company shall require the processors to process data in accordance with the legal acts applicable in the Republic of Lithuania and in the European Union.
27.7. Transfer of data to third countries (non-EU/EEC countries): personal data shall not be provided to third countries, unless it is necessary for the proper provision of services to the Client and the Client has been informed thereof.
27.8. Processing of special categories of data and data of minors: the Company may process data of minors or special categories of data, if such data are obtained in the course of the provision of services and are necessary for the provision of such services.
27.9. Have data subjects been made aware of the processing and of their rights? Data Subjects are aware that their personal data are being processed by the Company for the purpose of providing services to their Clients. The Policy, which is available on the website of the Company, also provides information to Clients regarding the processing of their data and the resulting rights.

28. Processing of data of potential clients for the purposes of the conclusion of the contract.
28.1. Basis for the processing: the conclusion and performance of the contract.
28.2. Processed data: the name, title, telephone number, e-mail, other contact details.
The processing may also be extended to other data necessary for the provision of Company services and/or other data provided by a potential Client or his representative.
28.3. Period of storage of data: data shall be processed on this basis until a contract is concluded / an order is approved or it is decided not to start cooperation.
28.4. Data sources: data shall be obtained directly from Data Subjects.
28.5. Data storage locations: during negotiations for the provision of services, data of the data subject or his representative shall be stored in the form of e-mails/ the minutes of meetings, etc.
Data may also be processed by storing them in the form of documents created or received for the purpose of providing services in future.
Under certain conditions, which prevent the immediate conclusion of a contract, or during negotiations, data of potential Clients or their representatives may also be stored in the database of the Company by generating cards of potential Clients.
28.6. Persons (groups of persons) to whom data are transferred: data shall not be provided to third parties.
Data may be provided to courts, public authorities, procedural opponents, etc. at the request of the potential Client and on a legitimate ground or mandate for the transfer, if this is necessary for the conclusion of the contract.
Undertakings providing IT services to the Company shall have access to the databases containing personal data of Client representatives.
The Company shall require the processors to process data in accordance with the legal acts applicable in the Republic of Lithuania and in the European Union.
28.7. Transfer of data to third countries (non-EU/EEC countries): personal data shall not be provided to third countries, unless it is necessary for commencing the provision of services to the potential Client, and the potential Client or his representative has been informed thereof.
28.8. Processing of special categories of data and data of minors: the Company does not process data of minors or special categories of data for this purpose, unless such data are necessary for commencing the provision of services to the potential Client.
28.9. Have data subjects been made aware of the processing and of their rights? When providing their personal data, potential Clients or their representatives are aware that such data will be processed by the Company. The failure to provide this data would make it impossible to agree on any further provision of services. The Policy, which is available on the website of the Company, also provides information to potential Clients or their representatives of their rights.

29. Processing of data of persons wishing to participate in the selection of staff carried out by the Company for internal administrative purposes.
29.1. Basis for the processing: Candidates to vacant positions give their consent (by their conduct) to the processing of their data until the end of the selection process.
29.2. Processed data: the name, date of birth, e-mail, telephone number, education, former employers. The processing may also be extended to other data contained in the documents submitted by candidates, including, but not limited to, the Curriculum Vitae (CV).
In the event that the legal acts of the Republic of Lithuania provide for additional restrictions regarding which information on candidates can be processed, the Company shall ensure that only authorised personal data of candidates are processed.
29.3. Period of storage of data: upon completion of the selection process for a vacant position, data of candidates who have not been selected shall be erased, unless the candidates give their individual consent to the further processing of their data.
29.4. Data sources: Candidates provide their own personal data when applying to the Company. In certain cases where the selection is carried out through third parties (processors of the Company), data shall be first made available to them and only afterwards to the Company. In all cases, the Company shall be the Controller.
29.5. Data storage locations: data of the candidates shall be subject to structured processing in databases of the Company, to which providers of IT services to the Company shall also have access.
CVs or cover letters of the candidates may also be kept on paper.
29.6. Persons (groups of persons) to whom data are transferred: data of the candidates shall not be provided to third parties.
Providers of IT services to the Company shall also have access to the database containing the candidates’ data.
The Company can use the services of third parties for the selection of staff, including, but not limited to, undertakings, portals and persons engaged in or assisting in the selection of staff. The Company shall require these processors to process data in accordance with the legal acts applicable in the Republic of Lithuania and in the European Union.
29.7. Transfer of data to third countries (non-EU/EEC countries): personal data of the candidates shall not be transferred to third countries.
29.8. Processing of special categories of data and data of minors: special categories of data shall not be processed, unless the candidate decides to provide such data in his own right.
Minors are not employed in the Company and therefore their data are not processed.
29.9. Have data subjects been made aware of the processing and of their rights? Data Subjects are made aware of the processing of their data and their rights, including the right to request that the Company erases their data. Information is provided in the Policy, which is available on the website of the Company.

30. Processing of data of persons who wished to participate in the selection of staff carried out by the Company for internal administrative purposes after the end of the selection process, with the aim of offering a position in future. Also, processing of data of persons applying for a position in the Company without a specific selection process for internal administrative purposes, with the aim of offering a position in future.
30.1. Basis for the processing: the Company shall process data of these candidates only with the individual consent of the candidates.
30.2. Processed data: the name, date of birth, e-mail, telephone number, education, former employers. The processing may also be extended to other data contained in the documents submitted by candidates, including, but not limited to, the Curriculum Vitae (CV).
In the event that the legal acts of the Republic of Lithuania provide for additional restrictions regarding which information on candidates can be processed, the Company shall ensure that only authorised personal data of candidates are processed.
30.3. Period of storage of data: data shall be processed for specified purposes for a maximum period of two years from the date of the consent. Once the Company has offered a position to the candidate, but the latter has refused, yet consented to further processing of his personal data, such data shall be processed for a period of two years from the date on which the consent was renewed.
30.4. Data sources: Candidates provide their own personal data when applying to the Company. In certain cases where the selection is carried out through third parties, data shall be first made available to them and only afterwards to the Company. In all cases, the Company shall be the Controller.
30.5. Data storage locations: data of the candidates shall be subject to structured processing in databases of the Company, to which providers of IT services to the Company shall also have access.
CVs or cover letters of the candidates may also be kept on paper.
30.6. Persons (groups of persons) to whom data are transferred: data of the candidates shall not be provided to third parties.
Providers of IT services to the Company shall also have access to the database containing the candidates’ data.
The Company can use the services of third parties for the selection of staff, including, but not limited to, undertakings, portals and persons engaged in or assisting in the selection of staff.
The Company shall require the processors to process data in accordance with the legal acts applicable in the Republic of Lithuania and in the European Union.
30.7. Transfer of data to third countries (non-EU/EEC countries): personal data of the candidates shall not be transferred to third countries.
30.8. Processing of special categories of data and data of minors: special categories of data shall not be processed, unless the candidate decides to provide such data in his own right.
Minors are not employed in the Company and therefore their data are not processed.
30.9. Have data subjects been made aware of the processing and of their rights? Data Subjects are made aware of the processing of their data and their rights, including the right to request that the Company erases their data. Information is provided in the Policy, which is available on the website of the Company.

31. For direct marketing purposes.
31.1. Basis for the processing: consent.
In certain cases, personal data may also be processed on the basis of a legitimate interest. Given that the Company is specialised in intellectual property law, both the Company and its clients (client representatives) or partners have an interest in obtaining relevant information in the context of that area. For this reason, direct marketing communications containing relevant information or publications of the Employees of the Company may be sent to Clients of the Company or other persons interested in obtaining this information. All recipients shall be given the possibility to refuse processing for marketing purposes at any time.
31.2. Processed data: the name, position, employer, e-mail, telephone number; other contact details may also be processed.
In some cases, e.g. if a business card is available, the image may also be processed.
31.3. Period of storage of data: data shall be processed on the basis of consent for a maximum period of 4 years. Before the expiry of a period of 4 years, the Company may request the Data Subject to renew its consent. Once the consent is renewed, data shall be stored for a maximum period of 8 years (in total).
Where the processing is performed on the basis of a legitimate interest of both parties, the processing shall be carried out until such time as the Data Subject refuses such processing.
31.4. Data sources: data shall be obtained directly from Data Subjects.
31.5. Data storage locations: cards of Data Subjects shall be generated in databases of the Company. Data may also be stored in specialised applications or e-mails.
Data may also be kept in a physical form, e.g. in business cards or on paper consent forms.
31.6. Persons (groups of persons) to whom data are transferred: data shall not be provided to third parties.
Undertakings providing IT services to the Company shall have access to the databases containing data of Data Subjects.
The Company shall require the processors to process data in accordance with the legal acts applicable in the Republic of Lithuania and in the European Union.
31.7. Transfer of data to third countries (non-EU/EEC countries): personal data shall not be provided to third countries.
31.8. Processing of special categories of data and data of minors: the Company does not process data of minors or special categories of data for this purpose. Nevertheless, the Company does not check the age of Data Subjects when collecting data for direct marketing purposes, as this would be considered the collection of Superfluous Data.
31.9. Have data subjects been made aware of the processing and of their rights? When they agree to the processing of data for direct marketing purposes, Data Subjects are made aware of their rights in the context of the protection of personal data. The Policy, which is available on the website of the Company, also provides information to Data Subjects of their rights.

32. For internal administrative purposes, the Company may also process other personal data the processing of which is defined in the rules regarding the processing of personal data approved by the Company.

 

ORGANISATIONAL AND TECHNICAL SAFEGUARDS FOR THE PROTECTION OF PERSONAL DATA

 

33. The Company shall make maximum efforts to ensure that the organisational and technical safeguards it applies for the protection of data comply with the requirements of the GDPR and other legal acts. In order to protect personal data against accidental or unlawful destruction, alteration, disclosure or any other unlawful processing, the following infrastructural, administrative and telecommunication (electronic) measures shall be taken:
33.1. Adequate layout and maintenance of technical equipment, maintenance of information systems, network management, security of Internet use and other information technology tools;
33.2. Strict compliance with the standards laid down by the fire service;
33.3. Proper organisation of work, and other administrative measures;
33.4. Implementation of the necessary data security measures;
33.5. Practical tests shall be carried out for emergency recovery of personal data;
33.6. Assurance of recovery of data from the last available data backup copy in case of loss of data due to hardware failure, software error or other breach of data integrity;
33.7. Other necessary measures.
34. The Data Protection Officer of the Company shall be responsible for implementing organisational and technical safeguards for the protection of data.
35. Employees who process personal data shall observe the principle of confidentiality and shall be subject to the obligation of secrecy of any information relating to Data Subjects that they came to know in the course of their duties. This obligation shall continue to apply on transfer to another position in the Company or on termination of employment or contractual relationship with the Company.
36. Employees shall process personal data by automatic means only after they have been granted access to the relevant information system. Access to personal data may be granted only to a person who needs personal data for the performance of his functions. Upon termination of employment relationship, access shall be denied to the Employee.
37. Employees shall transfer documents containing personal data only to those Employees who, by virtue of their duties or individual assignments, are authorised to use personal data.
38. When performing processing data of a Data Subject, Employees must prevent any accidental or unlawful processing and must keep the documents in an appropriate and secure manner (avoiding the collection of unnecessary copies containing data of a Data Subject, etc.). Document copies containing data of a Data Subject shall be destroyed in such a way that their contents cannot be reproduced and identified.
39. Employees’ computers containing files with data of persons/entities shall not be accessible from other computers in the network. The anti-virus software of these computers shall be constantly updated.
40. Without there being any further need, files containing personal data shall not be reproduced digitally, i.e. copies of files shall be created on local computer disks, portable media, cloud storage, etc.
41. The use of secure protocols and/or passwords for the transmission of personal data via external data transmission networks shall be ensured in the Company.
42. The safety control of personal data contained in external data storage media and e-mails and their erasure after their use shall be ensured by transferring them to databases.
43. The Data Protection Officer shall ensure that appropriate organisational arrangements are in place to achieve the following objectives:
43.1. Control of the access of unauthorised persons to the premises of the Company by means of a door locking system and a general security alarm system;
43.2. Protection of the internal computer network of the Company.
44. Employees shall organise their work so as to limit as far as possible the possibility for other persons to find out personal data undergoing processing. This provision shall be implemented as follows:
44.1. By making sure that documents containing personal data undergoing processing or a computer allowing to open files containing personal data are not left unattended in such a way that the information contained therein can be read by Employees unauthorised to use specific personal data, trainees or other persons;
44.2. By keeping documents in such a way that they (or fragments thereof) cannot be read by random persons;
44.3. Where documents containing personal data are transferred to other Employees, divisions of the Company or authorities by persons who are not authorised to process personal data or by post or courier, they shall be transferred in a sealed opaque envelope. This provision shall not apply if the said notices are delivered in person and confidentially.
45. The Data Protection Officer shall be responsible for managing of and responding to personal data breaches.

 

 

USE OF A PROCESSOR

 

46. Where the Company authorises the Processor to carry out personal data processing operations, data protection principles, rules and liability clauses shall be set out in the contract for the provision of services or, in the absence thereof, a separate written agreement shall be concluded between the parties on the proper processing of personal data.
47. Agreements on whether to transfer the processing of data of a Data Subject to the Processor shall be adopted by the managing partner of the Company and, failing that, by other Employees of the Company who may act on behalf of the Company in accordance with the rules regarding the processing of personal data approved by the Company.
48. The Company must select the Processor who guarantees the necessary knowledge, reliability and resources to implement and ensure compliance with technical and organisational safeguards for the protection of data, including the technical and organisational safeguards for the protection of data covered by this Policy.
49. When authorising the Processor to process personal data, the Company shall prescribe that the processing of personal data shall be carried out in accordance with the instructions of and rules approved by the Company, and specify the processing operations to be carried out by the Processor. The Company shall also inform the Processor of the duration, nature, type of processing, categories of Data Subjects, the Processor’s obligation to erase or return personal data at the end of the provision of services, and other data processing requirements approved by the Company.
50. When concluding a contract with the Processor, the Company must ensure that personal data are processed in a confidential manner and that the Processor obtains the prior written approval of the Company if it intends to involve third parties/sub-processors in the processing.
51. The Data Protection Officer shall keep, review and, where necessary, initiate the renewal/amendment/termination of contracts and cooperation with Processors.

 

FINAL PROVISIONS

 

52. The Company shall ensure that Employees authorised to process personal data are fully informed about the processing of such data and its rules. The Data Protection Officer shall be responsible for organising and providing adequate information for employees using personal data.
53. The Data Protection Officer shall be responsible for supervising compliance with the provisions of the policy and for monitoring and periodic updating of the provisions laid down therein.

Our website uses cookies in order to improve this website, to offer better and customised services. If you agree, press ‘Accept‘. We will not place cookies on your device if you do not agree. However, certain functions of the website may not function properly or may not function at all. Please see our Privacy policy for more information about personal data processing, cookies, data they collect and your rights.