We use cookies to improve your experience on this site and serve more relevant content to you. By continuing to browse our site you agree to our use of cookies, revised Privacy Policy and Terms of Service. More information about cookies I understand

RULES FOR THE PROCESSING OF PERSONAL DATA
AT UAB Vertex

I. GENERAL PROVISIONS

  1. 1. The purpose of the Rules for the Processing of Personal Data (hereinafter – the Rules) at UAB Vertex, legal entity No. 120320756, address Baltupio st. 14, Vilnius, 08304, Lietuva (hereinafter – the Company) is to regulate the processing of personal data.
  2. 2. The Rules were drawn up in accordance with provisions of the EU General Data Protection Regulation (hereinafter – the Regulation or GDPR) and other legal acts governing protection and processing of data.
  3. 3. The terms used in the Rules shall be understood in accordance with the definitions contained in the Regulation and other legal acts.
  4. 4. Data controller and processor – UAB Vertex, legal entity No. 120320756, address Baltupio st. 14, Vilnius, 08304, Lietuva.
  5. 5. The Rules shall be applicable to and shall be binding on the Company and all employees working for the Company.

II. PRINCIPLES FOR DATA PROCESSING

  1. 6. In Company’s activities personal data shall be processed in accordance with the following principles:
  2. 6.1. data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (the principle of lawfulness, fairness and transparency shall be respected);
  3. 6.2. ata shall be collected for specified, explicit and legitimate purposes established before data collection and not further processed in a way incompatible with those purposes (the principle of purpose limitation shall be respected);
  4. 6.3. only adequate, relevant data and data limited to the minimum necessary in relation to the purposes for which they are processed shall be processed (the principle of data minimisation shall be respected);
  5. 6.4. processed data shall be accurate and kept up to date; inaccurate or incomplete data must be rectified, supplemented, erased or their further processing must be suspended, every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (the principle of accuracy shall be respected);
  6. 6.5. data shall be kept in a form which permits identification of data subjects for no longer than it is necessary for the purposes for which the personal data were collected and are processed (the principle of storage period limitation shall be respected);
  7. 6.6. data shall be processed in the way that appropriate data security is ensured by implementing corresponding technical and organisational measures, including protection from unauthorised data processing or unlawful data processing, accidental loss, destruction or damage (the principle of integrity and confidentiality shall be respected).

III. PURPOSES AND SCOPE OF THE PROCESSING OF PERSONAL DATA

  1. 7. he Company shall keep records of personal data processing activities which it is responsible for. Records about personal data processing activities shall be made by the Company in Annex No. 1 to 6 of the Rules
  2. 7.1. General Data records of employees (Annex No. 1);
  3. 7.2. Data records of candidates for employment (Annex No. 2);
  4. 7.3. Sensitive data records of employees (Annex No. 3);
  5. 7.4. Data records of Flirts platform users (Annex No. 4)
  6. 7.5. Data records of potential clients (Annex No. 5);
  7. 7.6. Records of details of suppliers / contractors (Annex No. 6).
  8. 8. Records of data processing shall be inspected and updated constantly, however, at least once a calendar year in order to reflect the real situation with personal data processing at the Company.

IV. FUNCTIONS, RIGHTS AND OBLIGATIONS OF THE COMPANY

  1. 9. The Company shall have the following rights:
  2. 9.1. to draw up and adopt internal legal acts governing the processing of personal data;
  3. 9.2. to decide on supply of personal data;
  4. 9.3. to appoint a person or a unit responsible for protection of personal data;
  5. 9.4. to authorise other persons to process personal data.
  6. 10. The Company shall have the following obligations:
  7. 10.1. to ensure compliance with the personal data processing requirements set forth by the Regulation and other legal acts governing the processing of personal data;
  8. 10.2. to implement the rights of the data subject under the procedure established by applicable legal acts;
  9. 10.3. to ensure protection of personal data by implementing appropriate organisational and technical measures to protect personal data;
  10. 10.4. to choose a data processor providing sufficient guarantees in respect of the technical security measures and organizational measures to protect personal data and ensuring compliance with those measures, as well as to conclude contracts with data processors. To instruct the data processor regarding processing of video data. To be aware of planned contracts with data subprocessors and to provide prior written consent concerning their appointment.
  11. 11. The Company shall perform the following functions:
  12. 11.1. it shall determine the purpose and the scope of the processing of personal data;
  13. 11.2. it shall organise installation of the systems and equipment required for the processing of personal data;
  14. 11.3. it shall award access rights and authorisations to process personal data;
  15. 11.4. it shall analyse technological, methodological and organisational issues related to the processing of personal data and shall adopt resolutions required for ensuring proper processing of personal data;
  16. 11.5. it shall render methodological assistance to employees and data processors concerning issues of the processing of personal data;
  17. 11.6. it shall organise trainings for employees on issues of legal protection of personal data;
  18. 11.7. it shall perform other functions, required for implementation of rights and obligations of the data controller.

V. SUPPLY OF PERSONAL DATA AND DATA RECIPIENTS

  1. 12. Any provision of personal data should be in conformity with the Regulation and national legal acts governing protection of personal data.
  2. 13. The processor and any other person acting under authorisation of the Company and having access to personal data shall process data only in accordance with instructions of the Company, unless it is required in accordance with legislation of the European Union or national law.

VI. ORGANISATIONAL AND TECHNICAL PERSONAL DATA SECURITY MEASURES

  1. 14. Personal data security policy and procedures:
  2. 14.1. Security of personal data and their processing within the organisation shall be documented as a part of the information security policy. The security policy shall be reviewed and updated if necessary at least once a year.
  3. 15. Roles and responsibilities:
  4. 15.1. Access to personal data shall be granted only to the persons who need personal data for performance of their functions. Only authorized actions may be performed with personal data.
  5. 16. Access management policy:
  6. 16.1. Specific access control rights must be assigned to each role related to the processing of personal data in accordance with the need-to-know principle.
  7. 16.2. Procedure of granting, revocation and alteration of access rights and authorisations to process personal data:
  8. 16.2.1. access rights and authorisations to process personal data shall be awarded, abolished and altered by resolution of the line manager in accordance with internal procedures;
  9. 16.2.2. right of access to personal data shall be revoked after the end of employment relations between the Company and the employee, change of job functions for which access to personal data is not required, as well as after the data processing agreement concluded with the personal data processor is terminated or expires.
  10. 17. Management of resources and assets:
  11. 17.1. The Company possesses IT resources used for the processing of personal data, a register (of hardware, software and network equipment). The register shall contain at least the following information: type of IT resources (e.g. a server, a computerized workplace), a place (physical or electronic). An IT administrator shall be responsible for maintenance of the register.
  12. 17.2. IT resources shall be reviewed and updated regularly.
  13. 18. Management of changes:
  14. 18.1. The Company shall ensure that all changes of IT systems are monitored and registered by an employee responsible for security.
  15. 19. Data processors:
  16. 19.1. Before stating any activities related to the processing of personal data, the Company and data processors shall define, document and agree on compliance with provisions of the Regulation related to the processing of personal data which are applicable to data processors (contractors or on-demand services).
  17. 19.2. The data processor must immediately notify the Company about any detected breaches of data security.
  18. 19.3. The Company and the data processor must officially agree on formal requirements and duties. The data processor must submit documented evidence of conformity with the applicable compliance requirements.
  19. 20. Violations and incidents of security of personal data;
  20. 20.1. The Company has established an incident response plan in order to ensure effective management of incidents related to personal data.
  21. 21. Continuity of activities;
  22. 21.1. The Company has established key procedures to be followed in case of an incident or a violation of security of personal data in order to ensure required continuity and accessibility of processing of personal data using IT systems.
  23. 22. Confidentiality of staff;
  24. 22.1. The Company shall ensure that all employees understand their responsibilities and obligations related to the processing of personal data. Roles and responsibilities must be clearly explained to employees before execution of the functions and works assigned.
  25. 23. Trainings;
  26. 23.1 The Company shall ensure that all employees are properly informed about security control of IT systems related to everyday work. All employees related to the processing of personal data shall be given training on corresponding data protection requirements and legal obligations by regularly organising trainings, information events or briefings. Frequency of trainings: once a year.
  27. 24. Access control and authentication;
  28. 24.1. The Company has established an access control system applicable to all users of the IT system. The access control system allows creating, confirming, reviewing and deleting user accounts.
  29. 24.2. It shall be avoided to use general user accounts. In places where general user accounts are used it is ensured that all users of the corresponding general account have the same rights and obligations.
  30. 24.3. A fully functioning authentication mechanism allowing access to the IT system has been implemented. Minimum required user information to login into the IT system is a user login name and a password. The password shall be generated according to certain level of complexity:
  31. 24.3.1. passwords shall be granted, changed and saved ensuring their confidentiality;
  32. 24.3.2. passwords shall be unique, consisting of at least 8 characters, they should not contain any information of personal nature;
  33. 24.3.3. passwords shall be changed at least once every 3 months;
  34. 24.3.4. passwords must be changed by the user during first login.
  35. 24.4. The access control system is able to detect and prohibit using any passwords which are not in compliance with the described level of complexity.
  36. 25. Audit logs and monitoring;
  37. 25.1. Audit logs shall be made for each IT system and each application used for the processing of personal data. Technical records shall contain all possible types of entries of personal data (e.g. date, time, review, change, deletion). The storage period of audit logs shall be at least 1 year.
  38. 25.2. Entries in technical records shall bear time stamps and must be protected from possible damage, falsification or unauthorized access. Time synchronization mechanisms used in IT systems shall be synchronised according to a common time source.
  39. 26. Protection of servers, databases;
  40. 26.1. Databases and servers of applications shall be configured to operate properly and to use a separate account with the least operating system privilege granted.
  41. 26.2. Data bases and servers of applications shall process only those personal data which are required for work in compliance with the purpose of data processing.
  42. 27. Protection of workstations;
  43. 27.1. Users shall not be able to switch off, override or avoid security setting.
  44. 27.2. Antivirus applications and their databases of viruses shall be updated at least every week.
  45. 27.3. Users shall not have the privilege to install, remove, administer any unauthorized software.
  46. 27.4. IT systems shall have a session time set, i.e. if the user is not active and performs no actions in the system during the set period of time, his or her session must be terminated. Proposed duration of inactive session is not more than 15 min.
  47. 27.5. Critical security updates of the operating system must be installed regularly and without any delay.
  48. 28. Network and communication security;
  49. 28.1. Where access to the used IT systems takes place via the internet, an encrypted communication channel, i.e. cryptographic protocols (e.g. TLS, SSL), shall be used.
  50. 29. Backup copies:
  51. 29.1. Backup copies and data recovery procedures shall be defined, documented and clearly linked to the roles and responsibilities.
  52. 29.2. Appropriate physical level of environment, premises depending on the data stored shall be ensured for the storage media for backup copies.
  53. 29.3. The process of making backup copies shall be monitored in order to ensure its completeness.
  54. 29.4. Complete backup copies of data shall be made regularly. Frequency of making backup copies:
  55. 29.4.1. everyday – an enclosed copy;
  56. 29.4.2. every week – a complete copy.
  57. 30. Mobile, portable devices:
  58. 30.1. Procedures of administration of mobile and portable devices shall be established and documented by explicitly describing proper use of such devices.
  59. 30.2. Mobile, portable devices which will be used for work with information systems shall be authorised prior to use.
  60. 30.3. Mobile devices shall have an adequate level of access control procedures, as well as other equipment used for the processing of personal data.
  61. 31. Software security:
  62. 31.1. Software used in information systems (for processing of personal data) should conform to best practice for software security, best practice for development of secure software, software development frameworks and standards.
  63. 31.2. Specific security requirements shall be defined during initial stages of software development.
  64. 31.3. Programming standards ensuring security of data and best practice shall be adhered to.
  65. 31.4. Software development, testing and verification phases shall be implemented taking into account key security requirements.
  66. 32. Data destruction, removal:
  67. 32.1. Before removing any data medium, all data stored in it shall be destructed using dedicated software which supports sophisticated data destruction algorithms. Where it is impossible (e.g., CD, DVD storage media, etc.), a physical destruction of the storage media shall be performed ensuring that recovery of data is impossible.
  68. 32.2. Paper and portable data storage media containing personal data shall be destructed using dedicated shredders.
  69. 33. Physical security:
  70. 33.1. Physical protection of the environment and premises where IT system infrastructure is situated from unauthorised access shall be appropriately implemented.

VII. PROCEDURE FOR MANAGEMENT OF PERSONAL DATA SECURITY BREACHES AND RESPONSE TO THE BREACHES

  1. 34. Employees of the Company who possess rights of access to personal data shall be obliged to notify the director of the Company and the data protection officer (if it is appointed) of any personal data security breaches (activities or omission which may pose or pose a threat to security of personal data).
  2. 35. After evaluating the risk factors of the personal data security breach, the degree of impact of the breach, damage and consequences in each particular case, on a proposal of the data protection officer (if it is appointed), the director of the Company shall adopt resolutions concerning measures required for rectification of the breach and its consequences.

VIII. RIGHTS OF THE DATA SUBJECT

  1. 36. The data subject shall have the following rights:
  2. 36.1 the right to obtain information about the processing of data;
  3. 36.2 the right to access his or her personal data and the right to be aware of how they are processed;
  4. 36.3 the right to require rectification of data;
  5. 36.4 the right to require deletion of data (“the right to be forgotten”);
  6. 36.5 the right to restrict data processing;
  7. 36.6 the right to data portability;
  8. 36.7 the right to object to data processing;
  9. 36.8 the right to require that the decision taken on the basis of automated processing of data only is not applicable.
  10. 37. Right to obtain information about the processing of data
  11. 37.1. Information about the processing of personal data of the data subject carried out by the Company provided for in Article 13 and 14 of the Regulation shall be provided in the personal data protection privacy policy or terms of use published on the websites of the Company provided services.
  12. 37.2. Information about the processing of personal data of the data subject shall be provided during receipt of personal data.
  13. 37.3. Where personal data of the data subject are collected not directly from the data subject, it shall be notified of the processing of data of such data subject as follows:
  14. 37.3.1. during a reasonable period of time from receipt of personal data, however, in any event within one month, taking into account particular circumstances of the processing of personal data;
  15. 37.3.2. if personal data will be used for maintenance of relations with the data subject – at the latest when contacting the data subject for the first time; or
  16. 37.3.3. if it is foreseen to disclose personal data to another data recipient – at the latest during first disclosure of data.
  17. 37.4. Persons who are not employees of the Company and whose video data are processed through video surveillance shall be notified of video surveillance as follows:
  18. 37.4.1. Information plates should be hanged next to entrances to the premises where video surveillance is carried out;
  19. 37.4.2. Information plates should indicate that video surveillance is carried out, they should bear the name and the number of the Company, contact information (address or telephone number), other additional information (e.g., purpose of video surveillance).
  20. 37.5. Employees shall be informed about video surveillance in their workplace, in the premises of the Company where they work and monitoring of electronic communications in their workplace as follows:
  21. 37.5.1. starting video surveillance and / or monitoring electronic communications or on the first day of work of the employee, or on the first day of work after vacation of the employee, period of incapacity for work, etc., if video surveillance and / or monitoring of electronic communications was started during this period;
  22. 37.5.2. by acquainting them with these Rules against receipt;
  23. 37.5.3. by notifying the data subject of future review of data of electronic communications and workplace monitoring and possibilities to participate in the review.
  24. 37.6. Senders of electronic messages sent to employees of the Company and recipients of electronic messages sent by employees of the Company (where it is technologically possible) shall be informed about monitoring of electronic communications in the workplace as follows:
  25. 37.6.1. by adding a warning about existence of monitoring of electronic communications of the legal entity and use of e-mail address or other communication means for work only at the end of an outgoing e-mail or a message provided by other means of communication;
  26. 37.6.2. by immediately replying to the received message and providing information about the existence of monitoring of electronic communications of the legal entity and use of e-mail address or other means of communication for work purposes only.
  27. 38. Right to access data and to be aware of how they are processed
  28. 38.1. Upon request of the data subject to access personal data the Company shall submit following:
  29. 38.1.1. information whether personal data of the data subject are processed or not;
  30. 38.1.2. formation whether personal data of the data subject are processed or not; information related to the processing of personal data provided for in Article 15 (1) and (2) of the Regulation, if personal data of the data subject are processed;
  31. 38.1.3. a copy of the processed personal data.
  32. 38.2. The data subject shall have the right to request that a copy of the personal data being processed is submitted in a form other than submitted by the Company, however a corresponding fee shall be charged for it which shall be calculated referring to administrative expenses.
  33. 38.3. By exercising the right of the data subject to access personal data the right of third persons to private life shall be ensured, e.g.: if the data subject accesses a video record where other identifiable persons are visible or it contains other information which may infringe privacy of third persons (e.g., licence plate number of the vehicle), these images must be retouched or the possibility to identify third persons must be eliminated in other ways. The right to access your personal data may impose no negative impact on rights and freedoms of other persons, including commercial secrets or intellectual property.
  34. 39. Right to require rectification of data
  35. 39.1. Pursuant to Article 16 of the Regulation the data subject shall have the right to require that any inaccurate personal data concerning him or her being processed are rectified, and the right to have incomplete personal data completed.
  36. 39.2. In order to make sure that personal data of the data subject being processed are inaccurate or incomplete, the Company may request the data subject to provide the proof thereof.
  37. 39.3. If personal data of the data subject (rectified upon request of the data subject) were transferred to data recipients, the Company shall inform about it data recipients, unless it is impossible or involves a disproportionate effort. The data subject shall have the right to request that information about such data recipients is submitted to him or her.
  38. 40. Right to require deletion of data („right to be forgotten“)
  39. 40.1. The right of the data subject to deletion of his or her personal data („right to be forgotten“) shall be exercised in the cases provided for in Article 17 of the Regulations.
  40. 40.2. ses provided for in Article 17 of the Regulations. The right of the data subject to require deletion of personal data („right to be forgotten“) may be not exercised in the cases provided for in Article 17 (3) of the Regulation.
  41. 40.3. If personal data of the data subject (deleted upon request of the data subject) were transferred to data recipients, the Company shall inform these data recipients about it, unless it is impossible or involves a disproportionate effort. The data subject shall have the right to require information about such data recipients.
  42. 41. Right to restrict data processing
  43. 41.1. In the cases provided for in Article 18 (1) of the Regulation the Company shall be obliged to exercise the right of the data subject to restrict the processing of his or her personal data.
  44. 41.2. The personal data, processing of which is restricted, shall be stored, and before abolition of such restriction, the data subject shall be informed about it by electronic communication means and / or in writing.
  45. 41.3. If personal data of the data subject (processing of which is restricted upon request of the data subject) were transferred to data recipients, the Company shall inform about it these data recipients, unless it is impossible or involves a disproportionate effort. The data subject shall have the right to require information about such data recipients.
  46. 42. Right to data portability
  47. 42.1. Pursuant to Article 20 of the Regulation the data subject shall have the right to personal data portability only in cases where data is processed on consent or contract basis and data subject provided this data in a structured, commonly used and machine-readable format.
  48. 42.2. The data subject does not have the right to data portability when the processing is manual and the personal data are contained or are intended to be contained in a filing system, for example, paper files.
  49. 42.3. In exercising his or her right to data portability, the data subject must provide information if he or she wants that personal data were transmitted directly from one controller to another, where technically feasible.
  50. 42.4. The data is not deleted automatically based on data subject request to exercise the right to data portability. The data subject must request to exercise his or her right to require deletion of data (“right to be forgotten”).
  51. 43. Right to object to the processing of data
  52. 43.1. Pursuant to Article 21 of the Regulation the data subject shall have the right to object to the processing of his or her personal data by the Company for the reasons relating to him or her in the following cases:
  53. 43.1.1. IT account / behaviour data records.
  54. 43.1.2. direct marketing where it is based on legitimate interest.
  55. 43.2. The Company shall inform about the right of the data subject to object to the processing of his or her personal data by providing information in writing and / or on the website, or in these Rules.
  56. 43.3. If the data subject declares his or her objection to the processing of personal data, such processing shall be carried out, only if it is reasonably decided that the reasons for which processing of personal data is performed prevail over interests, rights and freedoms of the data subject or if personal data are required in order to lodge, enforce or defend any legal claims.
  57. 44. Right to require that the decision taken on the basis of automated processing of data
  58. 44.1. The Company shall not take any decisions on the basis of automated processing of personal data only, therefore this right shall not be exercised in respect to the processing of personal data carried out by the Company.

IX. PROCEDURE FOR EXERCISE OF RIGHTS OF THE DATA SUBJECT

  1. 45. The data subject shall have the right to apply for exercise of the rights of the data subject orally or in writing by submitting a request personally, by mail or by electronic means.
  2. 46. If it is applied for exercise of rights of the data subject orally or a written request is submitted personally, the data subject must prove his or her identity by submitting an identity document. If the data subject fails to do it, rights of the data subject shall not be exercised. This provision shall not be applicable if the data subject applies for information about the processing of personal data pursuant to Article 13 and 14 of the Regulation.
  3. 47. If it is applied for exercise of rights of the data subject in writing by submitting a request by mail, a copy of an identity document certified by a notary must be submitted together with the request. By submitting a request by electronic means, the request must be signed with a qualified electronic signature or it must be compiled using electronic means which allow ensuring integrity and unchangeability of the text. This provision shall not be applicable if the data subject applies for information about the processing of personal data pursuant to Article 13 and 14 of the Regulation.
  4. 48. The request to exercise rights of the data subject must be legible, signed personally, it must contain first name and last name, address and / or other contact details of the data subject to be used for communication purposes or for replies concerning exercise of rights of the data subject.
  5. 49. The Company processes a large quantity of information concerning the data subject, therefor pursuant to Recital 63 of the Regulation, the data subject must specify the information or processing activities to which the request relates.
  6. 50. The data subject may exercise his or her rights personally or through a representative.
  7. 51. The presentative of the person must indicate his or her first name and last name, address and / or other contact details of the data subject to be used for communication purposes or for replies, as well as first name and last name and / or other contact details of the person represented, in addition, the presentative must submit a representation document or its copy.
  8. 52. In case of any doubts concerning identity of the data subject, the Company shall request additional information.
  9. 53. The data subject shall have the right to contact the data protection officer (if it is appointed) whose data are published on the website for all questions concerning the processing of personal data of the data subject and use of his or her rights. In order to ensure confidentiality provided for in Article 38 (5) of the Regulation, if the data protection officer is contacted by mail, the envelope should bear a notice that the correspondence is addressed to the data protection officer.
  10. 54. Upon receipt of a request of the data subject, information about what actions were taken upon the request must be provided at least within one month from the receipt of the request. If the information is delayed, the data subject shall be informed about it during the time period set by specifying the reasons of delay and the possibility to lodge a complaint with the Estonian Data Protection Inspectorate.
  11. 55. If a request is submitted not under the procedure and not in compliance with the requirements described hereunder, it shall not be processed, and the data subject shall be informed about it immediately, however, at least within 5 working days with reasons indicated.
  12. 56. If during processing of the request it is established that rights of the data subject are restricted on the bases provided for in Article 23 (1) of the Regulation, the data subject shall be informed about it.
  13. 57. Information requested by the data subject concerning exercise of his or her rights shall be provided in the official language and / or in English.
  14. 58. All actions requested by the data subject to exercise rights of the data subject shall be performed and information shall be provided free of charge. If requests of the data subject are clearly unfounded or disproportionate, first of all due to their repetitive character, the Company may or will charge a reasonable fee for it taking into account administrative expenses of the information provision or notices and actions requested; or it may refuse to take any actions requested.
  15. 59. The data subject shall have the right to lodge an appeal against actions or omission of the Company related to exercise of rights of the data subject independently or through a representative of the data subject, a non-profit institution, organisation or association authorized by the data subject in compliance with the requirements provided for in Article 80 of the Regulation, with the Estonian Data Protection Inspectorate, Tatari 39, Tallinn 10134, Estonia, e-mail : info@aki.ee, website www.aki.ee, as well as with a court according to the registered address of the Company.
  16. 60. In case of any material or nonmaterial damage caused by a breach of rights of the data subject, the data subject shall have the right to a compensation to be awarded by a competent court at the place of registration of the Company.

X. ASSESSMENT OF IMPACT ON DATA PROTECTION AND PRIOR CONSULTING

  1. 61. Where rights and freedoms of natural persons may be seriously jeopardised and in case of other legal grounds, before initiating processing of personal data the Company shall carry out an assessment of the impact of foreseen data processing operations on protection of personal data. Single assessment may be carried out for examination of a sequence of similar operations of processing posing a serious risk.
  2. 62. The information which is mandatory according to applicable legislation and impact assessment conclusions shall be provided in a report to be signed by the manager of the Company or another person in charge for data protection.
  3. 63. If required, the Company shall perform a review in order to assess whether personal data are processed in accordance with the assessment of impact on data protection, at least in the cases where the risk imposed by processing operations changes.
  4. 64. Before initiating processing of data, the Company shall consult with the Estonian Data Protection Inspectorate if the assessment of impact on data protection indicates that during processing of personal data high risk is possible if the Company fails to take any measures seeking to reduce the risk.

XI. FINAL PROVISIONS

  1. 65. Employees who are authorised to process personal data or access them performing their duties shall be obliged to follow the Rules, key requirements applicable to the processing of personal data, as well as confidentiality and security requirements provided for in the Regulation and the Rules.
  2. 66. After approval of the Rules, employees shall be made familiar with them against receipt. If a new employee is employed, he or she must be made familiar with the Rules on the first day of work. The director of the Company or an employee appointed by the director shall be liable for staff management.
  3. 67. The Rules shall be reviewed at least once a year and updated, if required.

Contact

Lithuania office

UAB “Vertex”, Baltupio g. 14, Vilnius
LT 08304 Lithuania
VAT: LT203207515
Reg: 120320756
LT967044060005496524
SEB bankas

support eta vertexsms.com

Our Partners in Latvia

SIA “Vertex LV”, Jātnieku iela 77A-24
Daugavpils, LV 5410 Latvia
Vat: LV50003866501
Reg: 50003866501
LV67HABA0551014753384
SWEDBANK

svetlana eta vertexsms.com

Feel free to contact us




We are Social

We are supported

Vertex is EU supported

We are certified

Vertex is ISO 27001 (Information security management) certified