Privacy politics. Rules on the processing of personal data.


Privacy Politics

Naganas UAB is an important protection of your personal data - that of our clients and other data subjects. Therefore, we are committed to respecting and protecting the privacy of every data subject.

This Privacy Policy contains essential information about the processing of personal data by Naganas UAB, its storage and the rights of data subjects.

If you are unable to resolve the matter with Naganas UAB and if you are concerned about the operation / inaction of Naganas UAB that may be in breach of this Privacy Statement or the legal requirements, you have the right to contact the Supervisory Authority responsible for overseeing and control.

I. Basic Concepts

1. UAB NAGANAS - a legal or natural person, who alone or jointly with others determines the purposes and means of managing the Privacy Policy. Within the scope of these Rules, Data Controller - Naganas UAB, legal entity code: 304388877, VAT code LT100012695713 registered office address: Lietuvininkų g. 18, LT-89430 Šilutė, Lithuania contact information: p. info@naganas.lt, info@naganas.com

2. "Personal data" shall mean any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person shall be one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, personal identification number, whereabouts and Internet identifier, or to one or more natural persons of that natural person, signs of physiological, genetic, mental, economic, cultural or social identity;

3. "Processing" shall mean any operation or sequence of operations carried out by automated or non-automated means on personal data or sets of personal data, such as collection, recording, sorting, systematization, storage, adaptation or alteration, retrieval, access, use, disclosure by transmission, dissemination; or otherwise making available, including collating or merging with, limiting, deleting or destroying data;

4. The recipient of the data shall mean the natural or legal person, public authority, agency or other body to whom the personal data are disclosed, whether a third party or not. However, the authorities which, under Union or Member State law, may obtain personal data in the framework of a specific investigation shall not be considered as recipients of the data; in processing that data, those authorities shall comply with applicable data protection rules which are compatible with the purposes of the processing;

5. 'third party' means any natural or legal person, public authority, agency or any other body which is not the data subject, the controller, the processor or the persons authorized to process personal data directly by the controller or by the processor;

6. 'Data subject's consent' means any freely given specific and unambiguous expression of the will of the data subject by means of a statement or the unequivocal act of which he or she consents to the processing of personal data relating to him or her;

7. "Data subject" means the natural person whose personal data are processed.

II. Personal details

1. Legitimate criteria for the processing of personal data

Naganas UAB collects and further processes your personal data only on the legal grounds defined in the personal data protection legislation:

With your consent;

for the purpose of concluding and / or executing a contract with you.

2. Purposes of processing personal data

Naganas UAB processes data for the purpose of providing services.

3. Personal data processed

Naganas UAB processes the following data:

with your consent, the personal data you submit in the form installed on www.naganas.lt www.naganas.com (this is basic information such as name, email address).

other data that is collected based on your consent and that is defined in detail at the time you are asked for consent;

other data obtained for the purpose of concluding and / or performing the contract with you;

personal data collected for direct marketing purposes (email, date of birth, name).

4. Cookies

In order to improve your experience of visiting Naganas websites, we use cookies - small pieces of text information that are automatically generated when you browse the site and are stored on your computer or other terminal device. The information collected by cookies enables us to ensure the smooth operation of the site, your ability to browse and find out more about the behavior of our site users, analyze trends and improve both the site and your service and services provided by UAB Naganas.

There are two types of cookies on the site:

First-party cookies are created by the site you are visiting. The website appears in the address bar.

Third Party Cookies - Created by other websites. These sites include certain content, such as images, that are displayed on the web page you are visiting. This can be Google, Facebook, Youtube and more.

You can choose whether you wish to accept cookies. If you do not consent to the use of cookies on your computer or other terminal device, you can change your web browser settings to disable all cookies or turn them on / off one by one. However, please note that in some cases, this may slow down your browsing speed, limit the functionality of certain websites, or block access to the site.

5. Term of retention of personal data

We retain your personal data for no longer than is necessary for the purposes of the processing or is required by law, provided that it contains a longer period of storage.

We strive to keep outdated or redundant information and to ensure that personal data and other customer information is kept up to date and accurate.

6. Provision of Personal Data

Naganas UAB provides your data:

With your consent, well-defined recipients of the data;

Bodies or organizations required by law;

To other third parties with your consent, which may be obtained on a case-by-case basis.

III. Naganas UAB uses personal data security measures

The activity of UAB Naganas on the Internet complies with all the requirements of the international legal acts, the legal acts of the European Union and the laws of the Republic of Lithuania.

General Data Protection Regulation (BDAR)

Naganas UAB observes the provisions of the General Data Protection Regulation when processing personal data of data subjects and has implemented appropriate organizational and technical measures ensuring personal data security, which help to protect personal data from accidental or unlawful destruction, alteration, disclosure, as well as from any other unlawful handling.

IV. Procedures for the exercise of data subjects' rights

You have the right to:

apply to Naganas UAB for information on your personal data processed by Naganas UAB ("right to know" and "right to access");

apply to Naganas UAB for correction or deletion of your personal data when you determine that the data is incorrect, incomplete or inaccurate ("right to rectify and delete");

apply to Naganas UAB to suspend the processing of your personal data if you determine that personal data is being processed unlawfully or in bad faith (the "right to suspend");

to contact Naganas UAB with a request to refuse further processing of your personal data ("right to refuse");

to apply to Naganas UAB to restrict the processing of your data if the processing of personal data is unlawful ("the right to restrict");

apply to Naganas UAB to delete your data when personal data have been processed unlawfully or personal data are no longer necessary for the purposes for which they were collected or otherwise processed ("the right to be forgotten");

apply to Naganas UAB for information on personal data processed by Naganas UAB and to receive the data in a systematic, commonly used and computer readable format ("right to data portability").

Consent given for direct marketing purposes may be revoked at any time by the Data Subject. This Consent may be revoked by clicking the link in the email you received or by sending an email to info@naganas.lt info@naganas.com with STOP or DON'T SEND.

In exercising these rights, you may apply to Naganas UAB in any way that is convenient to you:

In writing - Email by e-mail: info@naganas.lt

Tel. No. +37065661454

Naganas UAB

Rules on the processing of personal data

Naganas UAB shall ensure that personal data are processed in a lawful, fair and transparent manner, collected only for the purposes set out and clearly defined in this Privacy Policy (hereinafter the Policy), and not further processed in a way incompatible with those purposes.

I. KEY DEFINITIONS

Data Controller - UAB NAGANAS - a legal or natural person who alone or jointly with others determines the purposes and means of managing the Privacy Policy. Within the scope of these Rules, Data Controller - Naganas UAB, legal entity code: 304388877, VAT code LT100012695713 registered office address: Lietuvininkų g. 18, LT-89430 Šilutė, Lithuania contact information: p. info@naganas.lt, info@naganas.com

Data Subject - A customer whose personal data is processed by the Data Controller for the purpose of administering the Ad Portal.

'Controller' means a natural or legal person who assists the Controller, in accordance with the powers delegated to him, to achieve its stated purpose.

Personal Data - The personal data of a natural person processed by the Data Controller and enabling the Customer to be identified, including but not limited to: name, e-mail address, telephone number, etc.

"Processing" shall mean any action on a personal data: collection, recording, storage, storage, alteration (addition or rectification), provision, use, deletion or any other act or set of operations.

Consent means the free will of the Data subject to consent to the processing of personal data.

II. GENERAL PROVISIONS

The rules set out the basic provisions for the collection, storage and processing of personal data.

III. PROCEDURES FOR THE COLLECTION, STORAGE AND USE OF PERSONAL DATA BY THE DATA MANAGER

For the purposes of administering the Online Store, the Data Controller shall process the following personal data relating to the Data Subject both automatically:

- name and surname;

- payment details;

- email address;

- Phone number;

- IP address

- payment details of the service (bank account number, method of payment, etc.)

For this purpose, personal data is stored for 2 (two) calendar years from the last visit to the e-shop.

Data processors:

Server rental and maintenance company.

The Customer is responsible for the accuracy of the above data. Customer is provided with a User ID. The Customer may at any time:

- correct and / or complete the Personal Data in the Account. For corrected and / or supplemented data - the Customer is responsible for correctness;

- The controller shall process the following personal data automatically for direct marketing purposes:

- name and surname;

- electronic mail;

- date of birth (for birthday suggestions).

Consent granted for this purpose may be revoked at any time by the Data Subject. The given Consent may be revoked by clicking on the link in the received email or by e-mail info@naganas.lt with STOP or DO NOT SEND.

Personal data received for this purpose shall be stored for 2 (two) calendar days after the submission of the data.

Manages contact details of partner / supplier staff for smooth collaboration:

- name,

- Phone number,

- Email address.

This personal data is stored by the Data Controller for 2 (two) calendar years from the date of termination of the contract.

The Controller undertakes not to disclose personal data processed to third parties, except in the following cases:

- subject to the data subject's consent to the disclosure of the personal data,

- the Data Controllers referred to in the Rules,

- law enforcement authorities, as required by law,

- where it is necessary to prevent or to investigate criminal offenses.

IV. EXERCISE OF DATA SUBJECT 'S RIGHTS

The Data Subject, having duly identified himself / herself, has provided the Data Controller with a personal identification document or a notarized copy, which will be used for identification only and will not be stored, by accessing the Data Controller by written request by post or direct delivery. address: Lietuvininkų g. 18, LT-89430 Šilutė.

If another person wishes to access the Data Subject's personal data, he or she must provide a notarised power of attorney to represent the Data Subject, and the lawyer is only provided with a representation agreement and an indication of the purpose of the use.

Upon receipt of the Data subject's request for access to the personal data processed, the Controller shall reply within 30 (thirty) calendar days of receipt of the request. The reply shall indicate whether personal data are being processed with the Data Subject and, if so, what and to whom they have been provided within the last 1 (one) calendar year. The answer is provided free of charge.

If the Data subject, having become aware of his / her personal data, determines that the personal data have been collected or obtained from unauthorized sources or that the personal data are being processed for purposes other than those for which consent has been given, the Data subject has the right processing and / or deletion of personal data relating thereto. The Data Controller shall verify the Data Subject's request and, upon finding that the request is justified, shall, without delay, but not later than within 5 (five) business days, grant the Data Subject's request and inform in writing of the action taken. The controller has the right not to delete personal data from the server if he has a legitimate reason to protect it, especially when it comes to national security and defense, public order, crime prevention, investigation, detection or prosecution, important national economic or financial interests, and the protection of freedoms.

In cases where the Data Subject becomes aware of his or her personal data as inaccurate or incomplete, he / she shall, after properly identifying himself / herself, request in writing that the personal data relating to him / her be corrected and / or supplemented. If the controller determines that the request is justified, the personal data processed shall be corrected or supplemented without delay, but not later than within 5 (five) working days and shall be informed in writing of the action taken.

The data subject has the right to have the Data Controller "forget" it, namely to delete all data relating to him / her, provided that the data are not required for the purpose for which they were collected and are not required by law to keep them.

Where the Controller processes personal data automatically and upon request of the Data Subject to transfer its personal data to another Controller and such data transfer is possible at no additional cost, the Controller shall transfer / transmit to a readable computer no later than 30 (thirty) calendar days storage of all requested data.

The data subject shall have the right to apply to the Supervisory Authority if he / she considers that the processing of his / her personal data has harmed his or her legitimate interests.

V. RISK FACTORS FOR THE PERSONAL DATA PROTECTION RISK AND THEIR SOLUTION

The Data Controller shall implement the following organizational and technical measures for the protection of personal data in order to ensure adequate protection of Personal Data:

Organizational measures:

The Controller shall organize its work arrangements in such a way as to ensure the secure handling and / or transfer of computer data and / or documents and their archives.

Access to the Data Subject's personal data shall be granted only to Employees who need them for the performance of their job functions and only to those who have signed confidentiality agreements and are familiar with other internal procedures for processing personal data.

Technical measures:

Data processors (service providers) appointed by the Data Controller shall act only with the authorization of the Data Controller.

Personal data is protected against loss, unauthorized use and alteration.

It shall be ensured that the server room is locked and that the data contained therein can be accessed only by persons with a legitimate interest and with the permission of the director.

Provides protection of computer hardware against malicious software (eg, installing, updating antivirus programs).

All paper documents are protected from unauthorized access (locked).

The Data Controller shall ensure that, in order to prevent the processing of personal data beyond the retention periods provided for in these Personal Data Processing Rules, it shall periodically check the data and destroy those whose retention period has expired.

The Controller shall ensure that every effort is made to log on to the computer to connect to the stored data, who and when, successful or unsuccessful.

VI. PROTECTION AND DELETION OF PERSONAL DATA

Upon expiry of the retention period, personal data collected shall be securely destroyed, in accordance with the method chosen by the Data Controller (deletion, deletion of paper documents using services of confidential data deletion companies or otherwise).

Proper destruction of data shall be ensured by a responsible person appointed by the Data Controller.

VII. SUPERVISORY AUTHORITY AND DATA SUBJECT INFORMATION PROCEDURE FOR INFRINGEMENTS

Procedure for informing the supervisory authority.

In the event of a personal data breach in the Company that may affect the rights and freedoms or other legitimate interests of the Data subjects, the Chief Executive Officer shall inform the Supervisory Authority.

In the event of a personal data breach, the supervisory authority shall, where possible, be informed no later than 72 (seventy-two) hours after becoming aware of the personal data breach.

If the Supervisory Authority is notified of a personal data breach within 72 (seventy-two) hours, the reasons for the delay shall be attached to the notification.

The Supervisory Authority must be informed where a personal data breach could result in bodily injury, material or non-pecuniary damage to the Data subject, in particular where processing could lead to discrimination, theft or misrepresentation, financial loss, reputation damage, loss of personal data. confidentiality of data subject to professional secrecy and serious economic or social harm; where Data subjects may be deprived of, or prevented from exercising, their rights and freedoms.

The notification to the Authority shall include the following information:

- describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, as well as the categories and approximate number of relevant personal data records,

- name, position and contact details of the contact person for further information,

- describes the likely consequences of the personal data breach,

- describe the measures taken or proposed to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

In cases where a personal data breach cannot be notified to the Supervisory Authority at the same time, the information shall be communicated in phases.

The company manager or authorized person shall document all personal data breaches, including facts relating to the personal data breach, its effects and the corrective action taken. The supervisory authority may request such information.

Procedures for informing the data subject.

In cases where the violation of personal data protection may violate the rights and freedoms of the Data subjects, the Director of the Company shall make a decision to inform the Data subjects about the violation.

Data subjects shall be informed in the following order:

- By submitting information on the Company's website or

- Outgoing message via email by e-mail or (and) SMS or (and) e-mail regarding a personal data breach, with appropriate contact details to be contacted for further information.

VIII. SURVEILLANCE AUTHORITY AND DATA SUBJECT INFORMATION PROCEDURE FOR INFRINGEMENTS

Procedure for informing the supervisory authority.

In the event of a personal data breach in the Company that may affect the rights and freedoms or other legitimate interests of the Data subjects, the Chief Executive Officer shall inform the Supervisory Authority.

In the event of a personal data breach, the supervisory authority shall, where possible, be informed no later than 72 (seventy-two) hours after becoming aware of the personal data breach.

If the Supervisory Authority is notified of a personal data breach within 72 (seventy-two) hours, the reasons for the delay shall be attached to the notification.

The Supervisory Authority must be informed where a personal data breach could result in bodily injury, material or non-pecuniary damage to the Data subject, in particular where processing could lead to discrimination, theft or misrepresentation, financial loss, reputation damage, loss of personal data. confidentiality of data subject to professional secrecy and serious economic or social harm; where Data subjects may be deprived of, or prevented from exercising, their rights and freedoms.

The notification to the Authority shall include the following information:

- describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, as well as the categories and approximate number of relevant personal data records,

- name, position and contact details of the contact person for further information,

- describes the likely consequences of the personal data breach,

- describe the measures taken or proposed to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

In cases where a personal data breach cannot be notified to the Supervisory Authority at the same time, the information shall be communicated in phases.

The company manager or authorized person shall document all personal data breaches, including facts relating to the personal data breach, its effects and the corrective action taken. The supervisory authority may request such information.

Procedures for informing the data subject.

In cases where a violation of personal data protection may violate the rights and freedoms of the Data subjects, the Director of the Company shall make a decision to inform the Data subjects about the violation.

Data subjects shall be informed in the following order:

- By submitting information on the Company's website or

sent by email by e-mail or (and) SMS or (and) e-mail regarding a personal data breach, with appropriate contact details to be contacted for further information.

FINAL PROVISIONS

These Personal Data Processing Rules are reviewed once every 2 (two) years and updated as necessary.

These Rules are effective for the Company from 2018 onwards. May 31