Privacy policy
PERSONAL DATA PROCESSING REGULATIONS OF UAB „PARADIS LIFTS“
CHAPTER I. GENERAL PROVISIONS
1. These Personal Data Processing Regulations (hereinafter the Regulations) govern the processing of personal data carried out by UAB “Paradis Lifts” (hereinafter – the Company or the Data Controller), establish the duties of the Company’s employees when processing personal data, the rights of data subjects, the implementation measures for personal data protection, and other matters related to the processing of personal data. These Regulations are mandatory for all employees of the Company.
2. The Company ensures that personal data is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the GDPR), the Law on Legal Protection of Personal Data of the Republic of Lithuania, and other applicable national and European Union legal acts.
3. Key terms used in these Regulations:
- Personal Data means any information relating to an identified or identifiable natural person (data subject), i.e. a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, surname, personal identification number, address, email address, telephone number, location data, or online identifier.
- Data Subject means a natural person (client, supplier, partner, website visitor, job candidate, employee) whose personal data is processed by the Company.
- Processing of Data means any operation or set of operations which is performed on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Data Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller.
- Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
- Consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
- Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
CHAPTER II. CORE PRINCIPLES OF PERSONAL DATA PROCESSING
4. The Company and its employees shall strictly adhere to the following principles enshrined in the GDPR when processing personal data:
- Lawfulness, Fairness, and Transparency: Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject. The data subject is always provided with clear information about what data is being processed, for what purpose, and on what legal basis.
- Purpose Limitation: Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Employees are prohibited from using personal data for personal or other purposes unrelated to their job functions.
- Data Minimisation: Only personal data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed shall be collected and processed. The collection of excessive information is avoided.
- Accuracy: All reasonable steps shall be taken to ensure that personal data is accurate and, where necessary, kept up to date. Inaccurate data, having regard to the purposes for which they are processed, shall be erased or rectified without delay.
- Storage Limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Upon expiry of the storage period, the data shall be securely destroyed or anonymised.
- Integrity and Confidentiality: Personal data shall be processed in a manner that ensures appropriate security and confidentiality of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
- Accountability: The Company is responsible for, and must be able to demonstrate, compliance with the principles outlined above. The Company maintains records of processing activities and regularly reviews its data processing practices.
CHAPTER III. PURPOSES, LEGAL BASES, AND STORAGE PERIODS FOR PERSONAL DATA PROCESSING
5. The Company processes personal data for the following purposes, based on the specified legal grounds and in compliance with the established storage periods:
5.1. Conclusion, Execution, and Administration of Contracts with Clients, Partners, and Suppliers:
- Data processed: Name, surname, personal identification number (if required by law), workplace, position, contact details (address, email address, telephone number), bank account details, payment information, signature, contract terms, and other data necessary for the performance of contractual obligations.
- Legal basis: Performance of a contract (Article 6(1)(b) of the GDPR); compliance with a legal obligation (Article 6(1)(c) of the GDPR).
- Storage period: 10 years after the termination of the contract, in accordance with the Index of General Document Retention Periods.
5.2. Direct Marketing (Provision of Offers, Newsletters):
- Data processed: Name, surname, email address, telephone number, company name.
- Legal basis: The data subject’s explicit consent (Article 6(1)(a) of the GDPR).
- Storage period: 5 years from the date of consent, or until the data subject withdraws their consent.
5.3. Administration of Enquiries, Requests, and Complaints:
- Data processed: Name, surname, contact details, content of the enquiry, date, time, and correspondence history.
- Legal basis: The Company’s legitimate interest to provide quality service, respond to enquiries, and defend its rights (Article 6(1)(f) of the GDPR).
- Storage period: 1 year from the date of the final response to the enquiry, unless a longer storage period is necessary in relation to potential legal disputes, in which case it is stored until the end of the statutory limitation period.
5.4. Recruitment of Job Candidates:
- Data processed: Data provided in the candidate’s curriculum vitae (CV), cover letter, and other application documents (e.g., information on education, work experience, qualifications, recommendations).
- Legal basis: The data subject’s consent, expressed by submitting their application (Article 6(1)(a) of the GDPR).
- Storage period: Throughout the recruitment period. Upon completion of the recruitment process, the data is immediately destroyed, unless separate consent is obtained from the candidate to store the data for future recruitment purposes (for no longer than 1 year).
5.5. Bookkeeping and Compliance with Legal Obligations:
- Data processed: Data required for issuing invoices and other accounting documents and for maintaining records in accordance with legal requirements (e.g., VAT payer code, self-employment certificate number, etc.).
- Legal basis: Compliance with a legal obligation (Article 6(1)(c) of the GDPR).
- Storage period: As stipulated in the Law on Accounting of the Republic of Lithuania and other legal acts (typically 10 years).
CHAPTER IV. RECIPIENTS AND PROCESSORS OF PERSONAL DATA
6. The Company may disclose personal data to third parties only on a legitimate basis and while ensuring data confidentiality. The categories of recipients include:
- Data Processors: providers of IT infrastructure (servers, cloud hosting), software, accounting, marketing and legal services, and courier companies. The Company engages only those data processors who guarantee compliance with GDPR requirements. Written data processing agreements are concluded with all data processors.
- State Institutions: Courts, law enforcement agencies, the State Tax Inspectorate, and other institutions to which the Company is legally obliged to provide data.
- Other Persons: Financial institutions, debt collection agencies, auditors, and legal advisors, where necessary to protect the legitimate interests of the Company.
7. Personal data is not transferred to third countries (outside the European Union / European Economic Area) unless an adequate level of data protection is ensured as provided for in Chapter V of the GDPR (e.g., an adequacy decision of the European Commission or appropriate safeguards such as standard contractual clauses).
CHAPTER V. RIGHTS OF DATA SUBJECTS AND THEIR IMPLEMENTATION PROCEDURE
8. A data subject whose data is processed by the Company has the following rights:
- Right to be informed about the processing of their personal data.
- Right of access to their processed personal data and to obtain a copy thereof.
- Right to rectification of inaccurate or incomplete data.
- Right to erasure (‘right to be forgotten’) when the data is no longer necessary for the purposes for which it was collected, consent is withdrawn, or the data is processed unlawfully.
- Right to restriction of processing under certain circumstances (e.g., while the accuracy of the data is being verified).
- Right to object to the processing of personal data when it is carried out for direct marketing purposes or based on the legitimate interests of the Company.
- Right to data portability (to receive personal data in a machine-readable format).
- Right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
- Right to lodge a complaint with the State Data Protection Inspectorate (L. Sapiegos g. 17, Vilnius, www.ada.lt).
9. Procedure for the Implementation of Rights:
- To exercise their rights, the data subject must submit a written request to the Company by email to info@paradislifts.com or by registered mail to Draugystės g. 19, LT-51230, Kaunas, Lithuania.
- The request must be accompanied by a copy of a document verifying the identity of the data subject or another reliable method of identification to prevent the disclosure of data to unauthorised persons.
- Information requested shall be provided free of charge. However, where requests are manifestly unfounded or excessive, the Company may charge a reasonable fee or refuse to act on the request.
- The Company shall respond to the request no later than one month from the date of its receipt. If necessary, this period may be extended by two further months, taking into account the complexity and number of requests. The data subject will be informed of any such extension within the first month.
CHAPTER VI. TECHNICAL AND ORGANISATIONAL DATA SECURITY MEASURES
10. The Company implements appropriate and risk-proportionate technical and organisational measures to protect personal data from accidental or unlawful destruction, alteration, disclosure, as well as from any other unlawful processing:
Organisational Measures:
- Access Control: Access to personal data is granted only to those employees for whom it is necessary to perform their job functions, in accordance with the “need-to-know” principle. Access rights are reviewed regularly.
- Employee Commitments and Training: All employees who process personal data have signed confidentiality agreements and are regularly familiarised with personal data protection requirements and best practices.
- “Clean Desk” Policy: Employees are obliged not to leave documents containing personal data in unsecured locations.
Technical Measures:
- IT Security: Firewalls and antivirus software are used. Passwords must meet complexity requirements and are changed periodically. Multi-factor authentication is applied where possible.
- Data Encryption: Sensitive data transmitted over external networks is encrypted in transit. The storage drives of portable computers are encrypted at rest.
- Physical Security: Documents and devices containing personal data are stored in locked rooms or cabinets. Server rooms are secured.
- Backups: Regular backups of data are made and stored in a secure location.
CHAPTER VII. MANAGEMENT OF PERSONAL DATA BREACHES
11. In the event of a personal data breach, the Company shall take immediate action to contain it and mitigate its potential negative consequences.
12. Every employee who becomes aware of a potential personal data breach must immediately inform their line manager and the responsible person.
13. Having identified a breach that is likely to result in a risk to the rights and freedoms of natural persons, the Company shall notify the State Data Protection Inspectorate without undue delay and, where feasible, not later than 72 hours after having become aware of it.
14. Where the breach is likely to result in a high risk to the rights and freedoms of data subjects, the Company shall communicate the personal data breach to the data subjects without undue delay.
15. All personal data breaches are recorded in an internal breach register.
CHAPTER VIII. FINAL PROVISIONS
16. These Regulations are reviewed at least once every 2 years and updated in the event of changes in legislation, the Company’s business processes, or technologies.
17. Employees are familiarised with these Regulations and any amendments thereto in writing or by electronic means.
18. Employees shall be held liable for violations of the provisions of these Regulations in accordance with the procedure established by law.
19. For all questions related to the processing of personal data, please contact us by email at info@paradislifts.com or by telephone at +370 626 09000.