Rules for processing and protection of personal data
I. Key definitions
1. Institution means Smart Health DIH, the public institution code 305238898, Mokslininku str. 6A, Vilnius.
2. Data subject means the natural person from whom the Institution receives and processes personal data.
3. Employee means a person who has entered into an employment or similar contract with the Institution and is appointed by the Institution’s Head to process Personal Data or whose personal data is processed.
4. Personal data – any information relating to a natural person – a data subject known to be or may be directly or indirectly identified using data such as name, surname, date of birth, one or more physical, physiological, psychological, economic , cultural or social features.
5. Recipient means the legal or natural person to whom personal data is provided.
6. Provision of data means the disclosure of personal data by transmitting or otherwise making them available (except for publication in mass media).
7. Data management means any act performed using personal data: collecting, recording, storing, classifying, grouping, merging, modifying (adding or correcting), providing, publishing, using, logic and/or arithmetic operations, searching, propagation, destruction or other action or set of actions.
8. Automatic data processing – processing of data, fully or partially carried out by automated means.
9. Data controller means a legal or natural person (who is not a controller’s employee) who is authorized by the data controller to process personal data. The data controller and / or the procedure for assigning it may be specified in laws or other legal acts.
10. Data manager means a legal or natural person who, alone or together with others, establishes the purposes and means of processing personal data. If the purposes for the processing of data are laid down by laws or other legal acts, the manager and / or the procedure for assigning it may be specified in those laws or other legal acts.
11. Special personal data – data relating to the racial or ethnic origin of a natural person, political, religious, philosophical or other beliefs, membership in trade unions, health, sexual life, as well as information on a person’s criminal record.
12. Social and public opinion polling – systematic collection and interpretation of data and / or information on natural and legal persons by means of statistics, analyzes and other methods used by the social sciences in order to obtain the insights required for decision-making purposes. Social and public opinion research can not lead to direct marketing.
13. Consent – a voluntary declaration by the data subject to process his or her personal data for a purpose known to him. The consent to the processing of special personal data must be expressed explicitly – in writing, in the form of a copy of it or in another form, which unequivocally proves the will of the data subject.
14. Direct marketing – activities aimed at offering goods or services by post, telephone or other direct means and / or asking their opinion on the goods or services offered.
15. The third person means a legal or natural person other than the data subject, the data manager and controller and the persons who are directly authorized by the data manager or controller to process the data.
16. Domestic administration – activities that ensure the independent functioning of the manager (structure management, personnel management, management and use of the available tangible and financial resources, management of records).
17. Other terms used in these Rules for the Processing and Use of Personal Data (hereinafter referred to as the Rules) are in conformity with the definitions established in the Law on Legal Protection of Personal Data of the Republic of Lithuania.
II. General provisions
1. These Rules regulate the actions of the Institution and its employees in the processing of personal data using the automated and non-automatic personal data processing facilities installed at the Institution, as well as the rights of the Data subject, the personal data protection measures and other matters related to the processing of personal data.
2. The purpose of the rules for the processing of personal data at the Institution is to regulate the processing of personal data at the Institution, ensuring compliance with and implementation of the Law on the Legal Protection of Personal Data of the Republic of Lithuania and other relevant legal acts.
3. The purpose of the rules is to provide the basic organizational measures for the processing of personal data, data subjects’ rights implementation technical and data security.
4. The Institution collects Data Subject data that it voluntarily provides by e-mail, registered mail, telephone, directly at the Institution‘s office or using the Institution’s website. Personal data collected by the Institution, their term of protection and the persons having the right to process personal data are specified in the Annex No 2 of these Rules.
5. By taking care of the Data Subject’s privacy and valuing the Data Subject’s trust, it undertakes to protect the Data Subject’s privacy and information to use solely for the purposes specified in these Rules, in addition to the Data Subject’s consent to not disclose this information to any third parties other than the Institution’s partners or any other entity that has been ordered by the Data Subject services related to the proper execution of services. In all other cases, the personal data of the Data subject may be disclosed to third parties only in accordance with the procedure provided by legal acts of the Republic of Lithuania. The personal data of the data subject may be transferred by the Agency to governmental or law enforcement authorities upon request and only if provided by applicable law. The institution does not use and disclose any sensitive personal information, such as health information, racial origin, religious beliefs or political opinions, etc., without the explicit consent of the Data Subject, unless required by law or permitted by law.
6. Personal data shall be processed and used in accordance with the purposes for which the Data Subject has submitted them to the Institution or other purposes approved by the Data Subject.
7. The purposes for which the data subject’s personal data are used:
7.1. The processing of the data subject’s service (order) processing, administration;
7.2. For the identification of the data subject;
7.3. Problems related to the implementation, delivery, utilization of services;
7.4. contacting the Data subject;
7.5. other contractual obligations;
7.6. for direct marketing purposes;
7.7. for public interest purposes;
7.8. security, administrative, crime prevention and legal purposes;
7.9. business analysts and statistical analyzes, general research that allows them to improve their services and improve their quality;
7.10 for audit.
8. The data subject, confirming and voluntarily accepting that the Institution controls and manages personal data of the Data Subject, in accordance with applicable laws and regulations of these Rules, upon submission to the Office of its personal data.
9. The rules are to be observed by all the staff of the Institution who handle personal data in the Office or learn from them in the course of their duties.
10. The rules have been prepared in accordance with the Law on Legal Protection of Personal Data of the Republic of Lithuania and other legal acts regulating the protection of personal data.
III. Privacy and personal data
1. The information collected by the Institution may be: the name, surname, address, e-mail address, telephone number, personal identification documents (passport, ID card) of the data subject and / or the person represented by the Data subject (date, place of issue, validity date, number), personal code, date of birth, gender, bank account number, education, workplace, vehicle registration number, image. Some information about the visit of the Data subject may be collected on the Institution’s website, for example: the address of the Internet Protocol (IP) using the Data subject reaches the Internet; Date and time of the visit of the data subject to the Institution’s website; other web pages that the Data subject visits on the Institution’s website; used browser; Information about the computer’s operating system of the Data subject; mobile gadget versions; language settings and more. If the Data Subject uses a mobile device, data can also be collected to determine the type of mobile device, device settings, as well as geographic (longitude and latitude) coordinates. This information is used to improve the Institution’s website, analyze trends, improve product and service, and administer the Institution’s website. The data subject voluntarily submits these data using the services provided by the Institution through the Institution’s website.
2. All personal data specified and received by the Data subject are collected, stored and processed in accordance with the requirements of the Law on the Protection of Personal Data of the Republic of Lithuania and other legal acts regulating the protection of personal data in the Republic of Lithuania. The Institution ensures the protection of the data received and undertakes to use this information only subject to the consent of the Data subject and only in cases provided for by law, as well as in cases which are necessary for the provision of the service ordered by the Data subject.
3. The staff of the Institution shall, in the performance of their duties and in the management of the data subject’s personal data, observe the following principles:
3.1. The data provided by the data subject is collected, processed, protected only because of a legitimate interest and in strict compliance with the requirements of the Republic of Lithuania Law on Legal Protection of Personal Data, the Civil Code of the Republic of Lithuania, other legal acts regulating this area of law in the Republic of Lithuania and these Rules.
3.2. The personal data of the data subject is processed precisely, honestly and lawfully.
3.3. The data subject is collected for specific purposes.
3.4. When collecting and processing personal data, it adheres to the principles of purposefulness and proportionality, it does not require the Data subject to provide data that is not needed.
3.5. Only stores the data that is necessary for providing quality services.
3.6. The personal data of the data subject can only be obtained by the Institution’s employees and / or third parties who have been involved in the provision of the service with the relevant competence, and only in cases where it is necessary to provide the service.
3.7. The Institution of the data subject does not disclose personal data to third parties, except in cases provided for by law, or if the Data subject binds the Institution to do this.
3.8. The Institution strives to ensure that the data subjects; data are comprehensive, up-to-date and are therefore constantly updated.
4. The Institution shall respect the privacy of the Data Subject and undertakes to comply with the Data Protection Principles of the Data subject specified in these Rules.
5. The personal data of the data subject shall not be stored for longer than required by the data processing objectives, laws and other legal acts.
IV. Marketing and correspondence
1. Data subject’s ability to receive information sent by the Institution:
1.1. By visiting the Institution’s website, the Data Subject has the ability to subscribe to the Institution‘s newsletters .
2. The Institution also allows the Data Subject to refuse the information sent by the Institution:
2.1. The Data Subject has the option to refuse the Institution’s Information, by clicking on the link in the email in the newsletter or other offer.
3. The data provided by the data subject, used for direct marketing purposes, helps to ensure continuous improvement and development of the Institution’s website and services.
4. Personal data for marketing purposes shall be collected, processed and used in such a way as to prevent disclosure of the Data Subject’s identity or any other personal data that would allow identification of the identity.
5. The data subject has the right to refuse to process its data for the purpose of direct marketing, and may be implemented by informing the Institution by post or by electronic means.
V. Personal data security and handling
1. In accordance with the Law on Legal Protection of Personal Data of the Republic of Lithuania, the European Union, etc. the Data Protection Regulatory Authority, the Institution shall apply measures to prevent unauthorized access or unlawful use of the Data Subject data. The body ensures that the data provided by the Data Subject is protected against any unlawful actions: unauthorized alteration, disclosure or destruction of personal data, identity theft, fraud, and that the level of protection of personal data conforms to the requirements of the legal acts of the Republic of Lithuania. The data storage and processing databases used by the institutions are protected against unauthorized access through computer networks.
2. The Institution shall use appropriate business systems and procedures to protect and defend personal data entrusted to the Data subject’s Institution. The Institution uses security systems, technical and physical means that restrict access to the Data Subject’s personal data and their use on the Institution’s servers. Only employees with special permits have the right to see the Data Subject’s personal data submitted to the Institution for work purposes.
3. Personal data are processed manually and automatically using personal data processing facilities installed at the Institution.
4. Personal data of data subjects may be processed only by persons authorized by the Director of the Institution.
5. Every employee handling personal data must:
5.1. sign confidentiality promise / contract.
5.2. to process personal data strictly in accordance with laws, other legal acts, instructions and these Rules of the Republic of Lithuania.
5.3. to keep secret of personal data. You must respect the confidentiality principle and keep confidential any personal data relating to your personal data in the course of your duties, unless such information is made public in accordance with applicable laws and regulations. The employee must comply with the confidentiality principle upon termination of the employment relationship.
5.4. not disclosed, transferred or made available to any person who is not authorized to process personal data access to personal data by any means;
5.5 To prevent accidental or unlawful destruction, alteration, disclosure, and any other unauthorized disclosure of personal data, personal data must securely store the documents and data files and avoid unnecessary duplication. Copies of the institution’s records containing personal data must be destroyed in such a way as to prevent the reproduction and recognition of their contents.
5.6. immediately inform the Head of the Institution or the person appointed by him / her of any suspicious situation that may endanger the security of personal data and take measures to prevent such a situation.
6. The computer maintenance officer must ensure that personal data files are not shared from other computers and that antivirus programs are periodically updated.
7. The computer maintenance officer shall make copies of the data files on the computers. Losing or damaging these files requires the responsible employee to restore them within no more than a few business days.
8. An employee is deprived of the right to process personal data when an employee’s contract or a similar contract with the institution terminates or when the head of the institution revokes the appointment of a staff member to process personal data.
9. Data subjects’ documents and copies thereof, financing, accounting and reporting, archives or other files containing personal data are stored in lockers or safes. Documents containing personal data should not be considered in a visible place accessible to everyone.
10. In order to ensure the protection of personal data, the Institution implements or intends to implement the following personal data protection measures:
10.1. administrative (identification of safe documents and computer data and their archives, as well as organization of work procedures in various fields of activity, introduction of personnel to the protection of personal data, etc.)
10.2 hardware and software security (administration of servers, information systems and databases, maintenance of work places, office premises, protection of operating systems, protection against computer viruses, etc.);
10.3 communications and computer networks (firewalling, sharing data, programs, unwanted data packets , etc.).
11. The technical and software measures for protecting personal data must ensure:
11.1 installation of operating system and database copies, copying technique and compliance control;
11.2. continuous processing technology;
11.3. the strategy of updating systems in unforeseen cases (management of surprises);
11.4 the physical (logical) separation of the environment testing programs from operating mode processes;
11.5 authorized use of data, their integrity.
12. Institutions must use the data processors or third parties used by the Institution to provide the requested services to guarantee the necessary technical and organizational protection of personal data and to ensure that such measures are followed. Inform the Institution of the intention to conclude contracts with the auxiliary data processors and receive prior written approvals from the Institution regarding their appointment.
VI. Data subject rights
1. The data subject has the following fundamental rights:
1.1. know about processing your personal data;
1.2. access to your personal data and how they are processed;
1.3. to demand the rectification, destruction or deletion of the Data Subject’s personal data or the suspension, except for storage, of the actions of the Data Subject’s processing of personal data where the personal data of the Data Subject is processed without complying with the applicable and applicable legal acts;
1.4. to refuse to process personal data of the Data Subject.
2. The Data Subject also has the right to refuse to provide personal data. In this case, the Data Subject automatically waives his claim regarding the quality of the services provided by the Institution, as the requested data may be necessary in order to properly provide the requested / ordered services of the Data Subject.
3. The data subject who submitted the identity document has the right to access the personal data of the Data Subject’s data held and processed by the Institution and to receive information from which sources and what personal data collected by the Data Subject collect, for which purpose they are processed and provided to them. Upon receipt of the written request by the Data Subject (registered mail or by e-mail), the requested data shall be submitted in writing (by registered mail or by electronic mail) within 30 calendar days from the date of receipt of the request by the Data subject, or shall indicate the reasons for refusal to satisfy such request. The Response to the Data Subject shall be submitted in the same form as the request was received, unless the request of the Data Subject expresses a desire to obtain information in another way.
VII Intellectual property rights
1. Unless otherwise specified, the software required for the Institution services is available or used on the Institution’s website and intellectual property rights (including copyrights) to the content of the website and information belong to the Institution. In addition to the prior written permission of the Institution, it is prohibited to reproduce, translate, adapt or otherwise use any part of the website of the Institution (any content, logo, software, products, services, etc.) in commercial activities of third parties. It is forbidden to perform any other actions that may violate the Institution’s property rights to the Institution’s website, as well as to conflicts with fair competition, advertising that violates copyright, other legislation and current practice.
2. Any unlawful exercise of the rights or any of the foregoing actions will constitute a material breach of the intellectual property (including copyright and other) rights of the Institution.
VIII. Rules for change
1. The Institution has the right to part or completely change the Rules by notifying on the Institution’s website.
2. The amendments to the rules shall come into force from the day of their publication, that is, from the date on which they are posted on the Institution’s website.
3. If the Data Subject does not agree with the new version of the Rules, the Data Subject has the right to refuse to use the services provided by the Institution and its services on its website.
4. If, after the addition or replacement of the Rules, the Data Subject continues to use the services provided by the Institution and its services on its website, the Data Subject is deemed to accept the new version of the Rules.
IX Final provisions
1. Upon access to the Institution’s website by the data subject and providing information about himself to the Institution’s partners and / or employees, the Data Subject shall be deemed to have read and agree to the provisions of these Rules.
2. The law of the Republic of Lithuania shall apply to relations arising on these Rules and on the basis of these Rules.
3. All disputes arising from the execution of these Rules shall be resolved by negotiation. Failing to reach an agreement, disputes shall be resolved in accordance with the procedure established by legal acts of the Republic of Lithuania.