RULES FOR THE PROCESSING OF PERSONAL DATA

1. General provisions   
   1. The following rules for the processing of personal data (hereinafter referred to as the Rules) regulate the principles and procedure of how the main personal data of a visitor to the www.sekmeslab.lt website (hereinafter reffered to as the Website), who has entered their true personal data into the questionnaires available on the website or ordered its newsletter (henceforth referred to as the Data Subject), is collected, processed and stored. 
   2. All of the employees (hereinafter collectively referred to as employees) of Sėkmės Laboratorija, company number 300151717 (hereinafter referred to as the Data Controller), and authorised persons that manage personal data or come into knowledge of this personal data in their professional duties must comply with these rules. Access to this personal data can only be provided to those employees that need access to this personal data to fulfil their professional functions. 
   3. Terms used in the Rules: 
      1. personal data is understood to be any information about a natural person who has been identified or who can be identified (data subject); and a natural person who can be identified is a person who can be directly or indirectly identified in particular by reference to an identifier such as name and surname, national identification number, location data and online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person; 
      2. processor – a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the data controller; 
      3. data subject – a natural person whose data is processed; 
      4. data processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 
      5. data manager – Sėkmės Laboratorija, UAB, legal person of the Republic of Lithuania, company number 300151717, 14-16 Aguonų St., LT-03213 Vilnius, Republic of Lithuania.    
      6. Other terminology used in these Rules is defined in the provisions of the Republic of Lithuania Law on Legal Protection of Data (LLPD) and the EU General Data Protection Regulation No. 2016/679 (GDPR). 
   4. These Rules have been drawn up according to the LLPD and GDPR, the General Requirements for Organisational and Technical Data Protection Measures, approved by the director of the State Data Protection Inspectorate on 12 November 2008 with directive No. 1T-71 (1.12) (updated version of the 18 December 2014 directive No. 1T-74(1.12.E) of the director of the State Data Protection Inspectorate) on the Approval of General Requirements for Organisational and Technical Data Protection Measures, and other legal acts regulating the processing and protection of personal data. 
   5. The purpose of these Rules is to regulate the principles and procedure for collecting, processing and storing the personal data of Data subjects as well as to lay out the rights of Data Subjects, risk factors associated with Personal Data protection, measures for implementing Personal Data protection and other issues related to the management of Data. 

2. Collecting, processing and storing Personal Data 

1. In compliance with these rules, the Data Controller shall process Personal Data for the purpose of direct marketing.
2. The Data Controller shall process Personal Data based on the main principles of personal data processing: 
   1. Personal data is collected for defined and legal purposes, as stipulated by the relevant legal documents, and processed in a manner consistent with these purposes; 
   2. Personal data is collected and processed according to the principle of purposefulness and proportionality; the Data Controller shall not demand that the Data Subject provide data that is not necessary, stored or processed, i.e., excess data; 
   3. Personal data is processed accurately, fairly and legally. The Data Controller ensures that the data processors it authorises (including its employees) process personal data in compliance with these Rules, the LLPD and GDPR. The data processors authorised by the Data Controller have the right to collect, process, transfer, store, delete and otherwise use personal data exclusively for their direct professional functions, as defined by their job description, job provisions or the contract signed by the Data Controller and data processor. The data processor (including employees) shall not arbitrarily collect, process, transfer, store, delete or otherwise process personal data for their own purposes. Processed data must be accurate and, if necessary for the processing of personal data, up to date. Inaccurate or uncomprehensive data shall be corrected, supplemented, deleted or their processing will be terminated according to the procedure established by these Rules; 
   4. Personal data can be adjusted, corrected, altered, supplemented, annulled and restored upon the Data Subject’s request or on the initiative of the Data Controller; 
   5. Personal data is stored in a format that would allow the identification of the Data Subject’s identity for no longer than is necessary for the purpose this data was collected and processed for; 
   6. Personal Data is processed according to the LLPD and GDPR and other requirements for personal data protection stipulated by legal acts regulating relevant areas of activity.  
3. The following personal data is processed for the purposes of direct marketings: name, email address.  
4. The Data Controller shall only process the Data Subject’s personal data for the purposes o direct marketing if the Data Subject gives their consent by registering on the Website and/or ordering the newsletter. The Data Subject’s consent is expressed by marking the appropriate option regarding agreement to personal data processing on the registration form. Such data is collected and automatically used only according to the procedure and for the purposes laid out in these Rules.  
5. When the Data Subject subscribes to the newsletter, an email is sent to receive the Data subject’s confirmation of the subscription and consent to the processing of their personal data, which the Data Subject gives by clicking the “I agree” button or activating the link provided in the email; the Data Controller shall clearly identify that the activation of this link shall be considered as consent to process personal data. It will be deemed that the Data Subject has not given their consent for processing personal data if the Data Subject does not take any action (does not click on the “I agree” button and does not activate the link). If the Data Subject does not give their consent, the Data Controller shall not in any way process the Data Subject’s personal data. 
6. The Data Controller shall not pass any personal data processed for the purposes stipulated in these Rules to any third parties, except for cases allowed by the laws of the Republic of Lithuania and according to the procedure they establish. 
7. The personal data of a registered user is stored for 2 years after the Registered User’s last sign-in to the Website. Once the data storage expiry date passes, the Registered User's personal data is destroyed according to the procedure established by law.  
8. The personal data of a Registered User is processed using secure organisational and technical measures that protect the personal data from accidental or illegal destruction, adjustment, disclosure, use or any other kind of illegal processing. 
9. The Data Controller collects and receives personal data from the following informational sources:
   1. Data subjects;
   2. From third parties indicated by the Data Subject and at the Data Subject’s request;
   3. In those cases when the Data Subject registers to the Data Controller’s website by using an existing Facebook or Google (Gmail) account, from the companies that manage Facebook.com or Google.com.
10. The Data Controller does not collect or process any personal data of Data Subjects younger 16 years of age. The consent of Data Subjects under the age of 16 regarding the processing of personal data are held to be void. As they register to the Data Controller’s website, the Data Subject must present comprehensive and correct Personal Data. If it transpires that the data provided by the Data Subject is inaccurate, the Data Controller has the right to demand that the Data Subject correct the inaccurate data, and if the Data Subject does not do so, the Data Controller has the right to destroy the Data Subject’s data it has in its knowledge and terminate the Data Subject’s account.
11. The Data Subject shall immediately make the necessary adjustments to their personal data on the Data Controller’s website or inform the Data Controller by email, if the personal data of the Data Subject changes after registration on the Data Controller’s website. The Data Controller shall not be held responsible for damage incurred by the Data Subject and/or third parties as a result of the Data Subject’s failure to provide accurate and comprehensive personal data or the Data Subject’s failure to change or add to their personal data.
12. For the purposes of data processing, the Data Controller shall only authorise data processors that are in writing or legally bound to:
    1. not disclosing or passing on personal data and not creating the conditions for any third parties to gain access to the personal data in any way if they are not authorised to process them and who have not been given the right to receive personal data according to the procedure laid out in these Rules or required by law;
    2. keeping the Personal Data secret;
    3. immediately report to the chief officer of the Data Controller about any known circumstances that could pose a threat to the security of the Personal Data;
    4. comply with the provisions of legal acts regulating the protection of personal data.

3. Rights of the Data Subject 

1. The Data Subject has the right to: 
   1. know (be informed) about the processing of their Personal Data;  
   2. access information about their personal data and how it is processed as well as receive copies of the personal data that has been submitted to the data controller in a common format that can be read by computer devices; 
   3. demand to correct or destroy their personal data or terminate the processing of their personal data, except for its storage, if the data is processed in violation of these Rules or the provisions of other laws; 
   4. not give their consent to the processing of their personal data, with the exception of cases stipulated in the relevant legal acts and these Rules. 
   5. demand that their personal data is completely deleted (the right to be forgotten), except for cases when the Data Controller cannot delete personal data in compliance with the requirements and duties established in the relevant legal acts.
2. Upon receiving a request from the Data Subject regarding the application of one of the Data Subject’s rights as laid out in point 3.1. of these Rules, the Data Controller executes this right no later than in 20 working days of the Data Subject’s request or provides the Data Subject with a written refusal regarding the execution of actions related to the personal data. 
3. By providing a document of identification or otherwise verifying their identity using legally acceptable electronic means, the Data Subject can find out free of charge what personal data of theirs the Data Controller has.  
4. The Data Subject’s notifications and requests are to be sent to the Data Controller by email to  info@sekmeslab.lt, or by post to the Data Controller's address, as indicated in point 1.2. of the Rules.  

4. Cookies 

1. The website uses cookies, which help ensure the quality of service provided to Users.  
2. A cookie is a small text document that has a unique identification number and is transferred from the Data Controller’s website to the Data Subject’s hard disk so that the Data Controller can distinguish when the Data Subject’s device logs on to the Data Controller’s system for the purpose of adapting how the website works and is organised to a specific Data Subject.  
3. The information transferred to the Data Controller through cookies is not personal data and is not used to determine the Data Subject's identity.  
4. The Data Subject gives their consent to the website’s cookie policy by clicking “I agree” with the use of cookies according to the procedure and purposes laid out in these Rules. If the Data Subject does not give their consent to the use of cookies, the Data Controller’s website might not function the way it should. 
5. Information about cookies used on our website: In order to find out more about cookies, for example, how to manage or delete them, the Data Subject can visit http://www.allaboutcookies.org.
   
   

   Name	Description	Creation/Expiry times
   CMSSESSIDX	A standard cookie used to manage the user's session.	Upon opening the website/until the user closes the website
   cookiesAgree	A cookie which records whether you have consented to the use of cookies on our website.	From the time of consent/until it is deleted
   cookiesLevelX	A cookie identifying the types of cookies you have accepted on our website.	From the time of consent/until it is deleted
   _ga	This cookie is used by Google Analytics to assess the purpose of the user's visit, generate reports on the website activity to website operators, and improve user's experience when browsing on the website.	From the time of consent/ 2 years
   _gat	This cookie is used by Google Analytics to collect statistical information about the website traffic.	Upon the first visit to the website/until the end of the session
   _gid	This cookie is used by Google Analytics to distinguish you from other users.	Upon the first visit to the website/ 2 days

    

   In order to find out more about cookies, for example, how to manage or delete them, the Data Subject can visit http://www.allaboutcookies.org.

   In order to find out how to terminate the observation of websites with Google Analytics cookies, the Data Subject can visit: http://tools.google.com/dlpage/gaoptout.

    
6. Types of cookies:

1. Session cookies

Session cookies enable the Data Controller's website recognise the Data Subject during one visit to the Data Controller’s website to keep track of your changes and choices from page to page. Cookies allow you to proceed through many pages of a site quickly and easily without having to reprocess information in a new area. Session cookies are temporary and disappear once you close the browser or log off the website.Persistent cookies

Persistent cookies are cookies that remain on the Data Subject’s hard drive after the Data Subject’s browsing session is over, so it can record the choices or actions of users when the website is visited during a new session.

3. First party cookies

These are cookies that are necessary for the Sėkmės Laboratorija website to function properly.

4. Third party cookies

These are cookies that are used by other organisations through the Data Controller’s website. In the Data Controller’s case, the Sėkmės Laboratorija website uses Google Analytics cookies that are used to analyse the audience data of the website. Google Analytics anonymously collects information about the number of users, the location the Data Controller’s website was accessed from, and which parts of the website were browsed by users. These cookies are generated by Google Analytics. For more about Google Analytics, go to http://www.google.com/analytics.

Any information collected through cookies is stored until their expiry and is not used for any purpose other than the purposes laid out in these Rules.

5. The Data Controller's website contains links to the websites of other individuals, companies and organisations. The Data Controller shall not be held responsible for the content of such websites or their privacy policies. Having clicked a link leading out of the Sėkmės Laboratorija website and onto other websites, the Data Subject should examine the privacy policy of those websites.

5. Measures for the implementation of personal data protection

1. The Data Controller implements appropriate organisational and technical means to protect  personal data from accidental or illegal destruction, adjustment, disclosure, or any other kind of illegal processing. In order to ensure the protection of personal data, the Data Controller implements the following data protection measures:
   1. administrative (secure processing of document and computer data as well as their archives, establishing procedures for organising certain areas of work, introducing personnel to personal data protection during recruitment and if the working relationship or similar relationship is terminated, etc.);
   2. technical and software protection (administering service stations, information systems and databases, supervision of workstations and Company premises, ensuring the security standards of servers that store databases, etc.);
   3. communications and computer network security (firewalling for general data, software, undesirable data packages, etc.)
2. Every data processor that is authorised to carry out personal data processing action is obliged to comply with personal data protection requirements. 
3. The Data Controller applies the following organisational measures for the protection of personal data: 
   1. the protection, management and control of access to personal data is ensured; 
   2. access to personal data is only provided to individuals that need the personal data to fulfil their professional functions with regard to data processing action; 
   3. the data processor shall only carry out those data processing actions that they are authorised to carry out by the Data Controller’s authorisation, order or assignment; 
   4. compliance with requirements for access to personal data passwords: ensured confidentiality; unique passwords; made up of no less than 8 symbols, not comprised of any kind of personal information; changed no less frequently than once in 3 months; mandatory password change during first log-in; 
   5. access to premises where personal data is stored is restricted for unauthorised persons; 
   6. the Data Controller ensures the termination of personal data once the storage expiry date, as defined by these Rules, is reached; 
   7. anti-virus software is used and updated in order to ensure the protection of hardware and software from damaging software; 
   8. no less frequently than once a year, impact on personal data security is assessed; 
   9. personal data stored in active (operational) databases is encrypted; 
   10. data protection measures are used to control the actions of individuals administering databases/service stations/information systems. 
4. The employees of the Data Controller who process personal data or have knowledge of this personal data through their duties, must abide by the principle of confidentiality and keep any information related to personal data secret, except for when this information is public, as defined by the relevant laws of the Republic of Lithuania. Employees must abide by the principle of confidentiality even if their working relationship with the Data Controller ends. 

6. Violations of personal data security and notification 

1. A violation of personal data protection is any action or lack of action that leads or can lead to undesirable consequences and violates the laws and norms regulating personal data protection. The degree, damage and consequences of violations of personal data protection are determined in each case by the chief officer of the Data Controller or a committee composed of persons authorised by the chief officer.
2. If a violation of personal data security occurs, the Data Controller must immediately, but no later than 48 hours after finding out about the violation of personal data security, notify the State Data Protection Inspectorate and the Data Subjects about the violation, except for cases in which the violation does not pose a real threat to the rights and freedoms of the Data Subjects. Notifications about violations of personal data security are sent to the email addresses provided by Data Subjects to the Data Controller, or by post, if the Data Subject has not provided the Data Controller with the said email address.
3. In those cases when the violation of personal data security is not related to accidental natural events (lightning, flooding, fire, etc.) but is the consequence of human action, the Company, upon finding out about the violation of personal data security, must immediately contact that relevant law enforcement institutions with a statement about the potentially criminal activity.   

7. Final Provisions 

1. All notifications related to the processing of personal data are submitted to the Data Controller by email (info@sekmeslab.lt) or by post (to the mailing address: Sėkmės Laboratorija UAB, 14-64 Aguonų St., LT-03213 Vilnius). 
2. The Data Controller shall provide a reply using the same method by which the notification was received from the Data Subject no later than 20 calendar days from the day the Data Controller received the Data Subject’s request. 
3. Compliance with these Rules is enforced by the chief officer of the Data Controller or their authorised person. The Rules are reviewed and, if necessary, revised no less than once a calendar year. Additions or revisions to the Rules come into force once they are announced, i.e., from the day they are posted on the Data Controller’s Website.
4. The employees of the Data Controller who are authorised to process personal data verify that they have been introduced to the Rules by signature.