Rules of personal data processing.
- Public institution „Klaipėda ID“ rules of personal data processing (‘Rules’) set the rules of personal data processing in public institution „Klaipėda ID“ (‘Institution’).
- The purpose of the Rules is to ensure the implementation of Directive 95/46/EC General Data Protection Regulation (‘GDPR’).
- The terms used in these Rules correspond to the terms used by the GDPR.
- Employees of the Institution, authorized to process personal data, must follow these Rules.
- Personal data – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- Controller – public institution „Klaipėda ID“, company code 142031277.
Principles relating to processing of personal data
- Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed, processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Rights of the data subjects
The data subject shall have the following rights:
- Right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed.
- Right to obtain from the controller information, such as the purposes of the processing; the recipients or categories of recipient to whom the personal data have been or will be disclosed.
- Right to access the personal data. The data subject shall have the right to get the following information: the categories of the personal data concerned, the purposes of the processing.
- The controller shall provide the information to the data subject within 30 days of the data subject's written request.
- Right to request from the controller rectification of personal data. The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
- Right to erasure (‘right to be forgotten’). The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
- the personal data have been unlawfully processed.
- Right to restriction of processing. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
- Right to data portability. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
- Right to object. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
- Personal data is processed in the Institution for the following purposes:
- implementation of contracts with suppliers of services/works;
- implementation of contracts with residents of the Cultural Factory;
- organization of events;
- protection of individuals and property;
- investment attraction;
- communication with state and municipal enterprises, associates, educational establishments and business enterprises;
- internal Institution administration;
- For the purpose of implementing the contracts with suppliers of services / works, the following data shall be collected: company details, company representative’s name, surname, representative’s e-mail address, telephone number.
- For the purposes of implementing the agreements with the Cultural Factory residents, the following data shall be collected: company details, company name, surname, representative’s e-mail address, telephone number. If the resident is a natural person, then the name of the natural person, address of the residence, telephone number, e-mail address.
- For the purpose of organizing events, the following data shall be collected: name, surname of the natural person, name of the company being represented, telephone number, e-mail address.
- For the purpose of the reporting, the following data shall be collected: the data received while implementing the contracts with suppliers of services / works and contracts with Cultural Factory’s residents, data collected while organizing events.
- In order to ensure the protection of individuals and property, video data is collected at the Cultural Factory.
- For the purpose of attracting investments, the following data shall be collected: company details, company representative’s name, surname, representative’s e-mail address, telephone number.
- For the purpose of networking with state and municipal enterprises, associations, education institutions and business enterprises, the following data shall be collected: company details, company representative’s name, surname, representative’s e-mail address, telephone number.
- For the purposes of the internal administration of the Institution, the following data shall be collected: employee’s name, surname, personal identification number, personal social security number, nationality, address, telephone number, e-mail address, CV, marital status, position, data on admission (transfer) to office, dismissal, data on education and qualifications, training data, vacation data, pay, severance pay, compensation, allowance, information on working time, incentives, penalties, information on work performed and tasks performed, information from the passport or identity card of a citizen of the Republic of Lithuania, such as date of issue, date of validity, institution issuing the document.
- Personal data must be kept for no longer than is required by the purposes for which the processing is carried out.
- Procedure of data processing:
- Data of service and works contractors is stored in virtual storage.
- Data of Cultural factory residents is stored in virtual storage.
- Data collected during the organized events is stored in a virtual storage.
- Data collected for the purpose of attracting investments is stored in the contact list of the project management system.
- Data collected during meetings with state and municipal enterprises, educational institutions and business enterprises is included in the contact list of the virtual project management system.
- Data of the employees is stored in the accounting program.
- Data transfer to third parties:
- The data may be transferred to the institutions which control the activities of the Institution. The Institution is directly subordinate to the Klaipėda City Municipality Administration.
- The data may be transferred to the institutions to which the Institution must provide reports on activities funded by the European Union.
- Employees’ data is transferred to the State Social Insurance Fund Board, Center of Registers.
Confidentiality and security provisions
- The employees must observe the principle of confidentiality and keep confidential any information relating to personal data of which they have become aware. The obligation to keep information confidential also applies after a change of position or after leaving the Institution.
- The Institution shall appoint, by order of the director, employees who can work with personal data. Employees can only access and use documents and data files that they have been authorized to access and manage.
- Employees must prevent personal data from any accidental or unlawful destruction, alteration or disclosure, also take care of the proper and safe storage of documents and data files avoiding unnecessary duplication. If the employee doubts the reliability of the security measures installed, he must contact his supervisor to assess the security measures available and, if necessary, initiate the purchase and installation of additional measures.
- Employees who can access personal data, or from whose computers virtual file storage can be accessed, must use passwords. Passwords must be changed periodically, at least once every three months, as well as in certain circumstances (for example, when the password might become known to third parties, etc.). An employee may know only his own computer password.
- Computers that store personal data cannot be freely accessible from other network computers. The antivirus program for these computers must be kept up to date.
- The wireless Internet network in the Institution is secured; guests use „Guest“ type passwords.
Personal data archiving
- Archived personal data must be stored in the locked room.
- The data controller must ensure that the archive is not accessible to unauthorized persons.
- Institution employees must sign these rules.
- The rules are published on the Institution website.