by the Order of the Director of the Public Enterprise
Eastern Europe Studies Centre of
15 July 2020 No. 179
CHAPTER I. GENERAL PROVISIONS
- The Description of the Procedure for Personal Data Processing at the Eastern Europe Studies Centre (hereinafter referred to as the Description) sets out the requirements for the processing and protection of personal data, the purposes and principles of personal data processing, the rights of data subjects and their implementation, technical and organisational data protection measures.
- The Description has been prepared with respect for the right to privacy and to ensure the protection of personal data in the Centre in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the Regulation), the Republic of Lithuania Law on Legal Protection of Personal Data and other legal acts.
- The Description applies to and is binding on the data controller, the Eastern Europe Studies Centre (hereinafter referred to as the Centre), and all persons working in the Centre who process personal data or become aware of them in the course of their duties.
- The Centre processes the personal data of all current and former employees of the Centre and other persons who have submitted information on the basis of contractual and other legal relations in accordance with the procedure established by law.
- The Centre is the controller of all data collected in the Centre’s activities and internal administration processes, as well as the controller of personal data transferred by data subjects and third parties.
- Terms used in the Description shall be understood as defined in the Regulation.
CHAPTER II. PURPOSES OF PROCESSING YOUR PERSONAL DATA
Personal data is processed in the Centre for the following purposes:
- For the purpose of internal administration (personnel, document management, use of material and financial resources): name(s), surname(s), personal identification number, date of birth, photograph, signature, personal social security number, citizenship, address, current account number, telephone numbers, e-mail address, curriculum vitae, marital status, position; data on admission (transfer) to office, dismissal; data on education and qualifications; data on annual leave; data on a separate work schedule; data on wages, severance pay, compensations, benefits; information on working hours; information on incentives and penalties, breaches of job duties; passport or identity card number of the citizen of the Republic of Lithuania, date of issue, date of validity, institution that issued the document, date of registration of documents and number; numbers of diplomas obtained, other personal data provided by the person. Data is obtained from data subjects (employees), legal entities: SE Centre of Registers, Board of the State Social Insurance Fund under the Ministry of Social Security and Labour, State Tax Inspectorate.
- For the purpose of performance of goods, works, service contracts with suppliers: name(s), surname(s) of the supplier (natural person), personal identification number, address, telephone number, e-mail address, bank account number and other personal data provided by the person. The data is obtained from the data subject.
- For the purpose of organising and carrying out public procurement procedures: name(s), surname(s) of suppliers (natural persons), personal identification number, education, place of work, position, address, telephone number, e-mail address and other personal data provided by the person. The data is obtained from the data subject.
- For the purpose of organising conferences and other events: name, surname, personal identification number, date of birth, telephone numbers, bank account number (for natural persons – payers and natural persons – beneficiaries), e-mail address, place of work, organisation or institution represented, position, data of identity documents used for identification. The data is obtained from the data subject.
- For the purpose of administration of candidates: name, surname, personal identification number, curriculum vitae and data provided in the data subject – photograph, telephone numbers, e-mail address, current and former places of work, date of birth, higher education institution, position, degree and other personal data voluntarily provided by the candidate. The data is obtained from the data subject.
CHAPTER III. PRINCIPLES OF PERSONAL DATA PROCESSING
- When performing their functions and processing personal data, the employees of the Centre must follow the principles of personal data processing:
- personal data must be processed in a lawful, fair and transparent manner (the principle of legality, fairness and transparency);
- personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
- personal data must be adequate, appropriate and limited to what is necessary for the purpose for which they are processed (data minimization principle);
- personal data must be accurate and, where necessary, kept up to date;
- all reasonable steps must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (principle of accuracy);
- personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed;
- personal data must be processed in such a way as to ensure the proper security of personal data, including protection against unauthorized or unlawful processing of data and against accidental loss, destruction or damage, by applying appropriate technical or organizational measures (principle of integrity and confidentiality).
- The processing and protection of personal data shall be ensured by each employee of the Centre in accordance with their competence.
- The Centre is responsible for ensuring compliance with the abovementioned principles (principle of accountability).
CHAPTER IV. PROCESSING OF PERSONAL DATA
- Data are collected at the Centre in accordance with the procedure established by legal acts: by receiving them directly from the data subject, by formally requesting the necessary information from entities that have the right to provide it, or on the basis of contracts. In some cases, personal data are processed with the consent of the data subject.
- When collecting personal data from the data subject, the following information must be provided (unless the data subject already has such information):
- data controller’s address, telephone, e-mail address;
- purposes for which the personal data of the data subject are intended to be processed;
- what personal data of the data subject are required;
- what are the consequences of not providing personal data;
- to whom and for what purposes his personal data will be provided;
- from which sources and what personal data of the data subject are collected or intended to be collected (when the data on the data subject are obtained indirectly from the data subject);
- on the data subject’s right of access to his or her personal data and the right to request the correction of incorrect, incomplete or inaccurate personal data.
- Personal data which are processed or which are intended to be processed following a transfer to a third country or to an international organisation shall be transferred only if the data controller and the data processor comply with the provisions of the Regulation.
- Employees who have the right to process personal data shall respect the principle of confidentiality and shall not, without legal justification, disclose any personal data relating to them, which they have obtained in the course of their duties, unless such disclosure is in accordance with applicable laws or regulations. The obligation to maintain the confidentiality of personal data shall also apply upon transfer to another position or upon termination of employment.
- Employees who process personal data in the course of their direct duties shall sign an undertaking to maintain the confidentiality of personal data before taking up their duties (Annex). These undertakings are stored in personal files and/or in the Centre’s document management system.
- Employees performing personal data processing functions must prevent the accidental or unlawful destruction, alteration, disclosure of personal data, as well as any other unlawful processing, by storing documents properly and securely and by avoiding making unnecessary copies. Copies of documents containing personal data must be destroyed in such a way that their contents cannot be reproduced and identified.
- Personal data contained in the texts of relevant documents (contracts, orders, requests, etc.) are stored in specially designated premises (lockers, safes, etc.). Documents containing personal data must not be stored in such a way that would provide unauthorized persons with unhindered access to them.
- Personal data is stored in accordance with the Republic of Lithuania Law on Documents and Archives and the terms specified in the Index of Terms of Storage of General Documents approved by the Order of the Chief Archivist of Lithuania. Other personal data are stored for no longer than is necessary to achieve the intended purposes.
CHAPTER V. RIGHTS OF DATA SUBJECTS AND PROCEDURES FOR THEIR IMPLEMENTATION
- The data subject whose data are processed by the Centre shall have the following rights:
- to know (be informed) about data processing in the Centre (right to know);
- to access his/her data and learn how they are processed (right to access);
- to request rectification or, in the context of the purposes for processing personal data, supplement incomplete personal data (right to rectify);
- to demand the deletion of personal data (right to be forgotten);
- to require the data controller to restrict the processing of personal data (right to restrict);
- to ask the data controller to perform the data transfer operations (right to transfer).
- When exercising the right to know his or her personal data processed by the Centre, the data subject shall have the right to receive information on:
- the purposes of the processing of personal data;
- the relevant categories of personal data;
- the recipients or categories of recipients of the data;
- the intended period of retention of the personal data or the criteria for determining the period of retention of the personal data, if possible;
- sources of personal data.
- In order to exercise his/her rights, the data subject shall submit a free-form written request or complaint addressed to the Director of the Centre regarding the processing of personal data. The request must be legible and signed, and must contain the name, surname, address and other contact details of the data subject for communication in the preferred form, as well as information on which of the data subject’s rights he/she wishes to exercise and to what extent.
- Upon receipt of a request from the data subject for the exercise of the personal data subject’s rights, no later than one month from the date of receipt of the request, he/she shall be provided with information on the action taken on the request. In the cases provided for in the Regulation, the answer may be postponed for up to two months by informing the data subject.
- If, during the examination of the request, it is established that the data subject’s rights are restricted on the grounds provided for in Article 23 (1) of the Regulation, the data subject shall be informed thereof.
- The Centre shall have the right to refuse to provide the data subject with the information requested by him/her if it is established that the data subject’s request is manifestly unfounded. The reasons for the refusal to provide the requested information must be stated in writing.
- If the data subject submits the request by electronic means, the information shall also be provided to the data subject by electronic means, unless the data subject requests otherwise.
- Information shall be provided in the state language upon the request of the data subject regarding the exercise of his/her rights. Information held by the Centre in a non-official language may be provided to the data subject if the information is processed in that language.
- All actions shall be taken at the request of the data subject for the exercise of his/her rights and the information shall be provided free of charge.
- The data subject has the right to submit a complaint to the State Data Protection Inspectorate regarding the actions (inaction) of the Centre.
- The data subject has the right to demand compensation for pecuniary and non-pecuniary damage caused to him/her by the Centre due to illegal processing of personal data (inaction).
- The data subject may exercise his/her rights only after the Centre has been able to verify his/her identity.
- The Centre must ensure that the data subject’s rights are properly exercised and that all information is provided to the data subject in a clear, comprehensible and acceptable form.
CHAPTER VI. MEASURES TO ENSURE THE SECURITY OF PERSONAL DATA
- Personal data (documents containing personal data or copies thereof) shall be stored in dedicated premises, local area network areas, computer hard drives. Personal data (documents containing personal data or copies thereof) must not be kept in a visible place accessible to all, where unauthorized persons have unhindered access to them.
- When storing personal data, the Centre shall implement and ensure appropriate organisational and technical measures to protect personal data against accidental or unlawful destruction, alteration, disclosure, as well as against any other unlawful processing.
- If an employee or other responsible person has doubts about the reliability of the security measures in place, he/she must contact the Head of the Centre to assess the security measures available and, if necessary, initiate the purchase and implementation of additional measures.
- Employees who process personal data by automated means, or from whose computers areas of the local network where personal data is stored can be accessed, shall use passwords (based on technical cyber security requirements). Passwords shall be changed periodically or immediately as a result of certain circumstances (e.g. a change in employee, a threat of burglary, a suspicion that the password has become known to third parties).
- The employee shall be responsible for the protection of the passwords used, providing the Centre with adequate technical and/or software security measures. All places of work and systems of the Centre are protected by antivirus programs.
- An employee must not know the passwords of other users of the Centre’s computerised workplaces. In the event of an urgent reason to connect to the computers of such employees (employee leave, incapacity for work), this shall be done with the knowledge and assistance of the employees authorized by the Centre.
- If personal data breaches are identified, the Centre shall take immediate measures to prevent the unlawful processing of personal data.
CHAPTER VII. PERSONAL DATA BREACHES
- The employees of the Centre who have the right of access to the data must inform the Head of the Centre if they notice any breaches of data security (actions or omissions of persons that may cause or pose a threat to data security).
- After assessing the risk factors, the degree of impact of the breach, the damage and the consequences, the employees responsible shall decide on the measures necessary to remedy the breach and its consequences.
- The Centre must notify the State Data Protection Inspectorate of a data security breach that may endanger the rights and freedoms of a natural person without undue delay and no later than 72 hours after becoming aware of it.
- Failure to comply with this Description, taking into account the seriousness of the breach, is considered a violation of labour discipline, for which the employees may be subject to liability provided for in the Labour Code of the Republic of Lithuania.
CHAPTER VIII. FINAL PROVISIONS
- This Description is reviewed and updated in the light of changes in the legislation governing the processing of personal data.
- Employees must comply with the obligations set out in the Description and follow the principles set out in this Description when performing their work functions.
- The Centre reserves the right to amend this Description in whole or in part. Employees are informed about the changes by signing.