BRANDELEKTRA UAB PERSONAL DATA PROTECTION POLICY

DEFINITIONS

PDLPL – the Republic of Lithuania Law on legal protection of personal data.

Data recipient – shall mean a legal or a natural person, law institution, agency, or other institution to whom personal data are disclosed.

Data subject – shall mean an employee of the company, a client, or another natural person whose personal data is processed by the Company.

Data processing – shall mean any operation or a set of operations, which is performed with personal data automatically or not automatically, such as collection, recording, sorting, storage, adaption or modification, reproduction, search, use, disclosure by transmission, distribution, or other ways making them available, arrangement or combination, blocking, deleting or destructing.

Data processor – shall mean a legal person whom in the name of the Company processes data.

ECL – the Republic of Lithuania Law on electronic communications.

Other definitions used in this policy comply with GDPR and PDLPL used definitions.

General provisions

This personal data protection policy applies to the processing of personal data performed by Brandelektra UAB (Company) traders by providing electrical equipment by servicing persons by telephone and/or via the website https://brandelektra.com/en.

We take your privacy very seriously. We collect, store and process all personal data in accordance with the General Data Protection Regulation, the provisions of the PDLPL, the ECL, and other laws governing clients‘ rights and legislation and do not transfer them to any third parties unless required to do so by law, regulation or administrative action. necessary to provide our services, or if you expressly consent to the transfer of your data. The Company always follows good business practices and ensures that your privacy is not compromised. This personal data protection policy describes what personal data we collect and for what purposes we process it when you contact the Company. This personal data protection policy also provides important information on data protection, in particular about your rights as a data subject under the General Data Protection Regulation. This privacy policy complements the service agreement with the customer. In the event of any inconsistency between the personal data protection provisions of the agreement and the personal data protection policy, the provisions of the agreement shall prevail.

Contact details of the company’s data protection officer:

PURPOSES OF THE PROCESSING OF PERSONAL DATA, PROCESSED PERSONAL DATA AND OTHER INFORMATION RELATED TO THE PROCESSING OF PERSONAL DATA

Provision of services by traders

Conditions for lawful processing provided in the GDPR: art. 6 part 1, points a, b and c, art. 9 part 2, points a, b and h. Categories of data subjects: persons to whom the Company’s services are or have been provided. Personal data processed: name, last name, contact details (telephone number, e-mail address). Storing period: personal data is stored within the time limits set by law. Data processing: personal data shall be processed only by the responsible employees of the Company, customer service department, and sales department, and access to this data is strictly limited. Categories of data recipients: data is provided only to those recipients to whom laws or regulations establish the right to receive such data or the obligation to provide it (lawyers, bailiffs, tax authorities, etc.), personal data is not transferred to third countries or international organizations. Personal data may also be provided to specific data recipients at the request/consent of the data subjects.

Video surveillance for the protection of persons and property

Conditions for lawful processing provided in the GDPR: art. 6 part 1, c and f. Categories of data subjects: persons falling within the field of video surveillance. Personal data processed: video data. Storing period: 14 calendar days. Data processing: video surveillance is performed in the Company’s premises (corridor), as well as access to the premises is monitored. Personal data can only be used by responsible employees, access to video data is strictly restricted. Categories of data recipients: the data is not disclosed to anyone, except for those recipients to whom the law or other legislation establishes the right to receive the data or the obligation to provide it (law enforcement authorities, insurance companies, etc.), personal data is not transferred to third countries or international organizations.

Recording of telephone conversations to preserve evidence of the terms of future agreements and/or to save created and ongoing agreements.

Conditions for lawful processing provided in the GDPR: art. 6 part 1, point a. Categories of data subjects: persons calling telephone numbers published by the Company. Personal data processed: telephone number, conversation record. Storing period: 6 months. Data processing: personal data may only be used by responsible staff and access to chat records is strictly limited. Categories of data recipients: the data is not disclosed to anyone, except for those recipients to whom the law or other legislation establishes the right to receive the data or the obligation to provide it (law enforcement authorities, insurance companies, etc.), personal data is not transferred to third countries or international organizations.

Management of cookies on the website

Conditions for lawful processing provided in the GDPR: art. 6 part 1, point a, if the Company’s website contains non-technical cookies. It should be noted that the consent of the data subject in accordance with the provisions of the ECL is only required for non-technical cookies. Categories of data subjects: persons browsing the Company’s website. Personal data processed: when you connect to a website, we process your IP address, network (browser used by your device), location data, and more. Data processing: personal data may only be processed by the responsible staff of the service provider and access to the data is strictly limited. Categories of data recipients: data is not shared, personal data is not transferred to third countries or international organizations. Cookies are small text files that our Platform wants to place on your computer or other Internet-connected devices, such as tablets or smartphones. If your browser settings accept cookies, your browser adds text as a small file. The cookies used by the Company are necessary for the operation of the website and are technical. Most cookies are deleted from your device at the end of your browser session (session cookies). We only use the information stored in the necessary cookies to provide the necessary information on the website.

Cookie name

Description

Storing period

1P_JAR

A cookie from hotjar.com is used to observe how visitors use the website.

1 month

APISID/HSID/NID/SAPISID/SID/SSID

Google Analytics cookie, used to enable the session.

2 years

CONSENT

Google cookie.

January 1st, 2038.

OGPC

Google cookie.

1 month

SIDCC

A security cookie designed to protect user data from unauthorized access.

2 months

_cfduid

The cookie is intended to support additional services: cloudfare.

1 year

_utma

Tracking cookie from Google Analytics. The information is sent to the server anonymously. Cookies identify unique visitors and track user sessions. For more information, see the Google site.

2 years

_utmz

Tracking cookies from Google Analytics. The information is sent to the server automatically.

6 months

_ga

This cookie collects information about user behavior on a website and is used to store statistical information

2 years

_gid

This cookie collects information about user behavior on a website and is used to store statistical information.

Twenty four hours

The cookie message informs you that we use cookies. By continuing to use our Platform after we display the cookie message, you agree to the cookies and confirm that you are aware of them. You can configure your browser to refuse some or all cookies or to ask for your permission before accepting them. For information on how you can change your browser settings, visit www.aboutcookies.org or www.allaboutcookies.org.

Conditions for lawful processing provided in the GDPR: art. 6 part 1, point a. Categories of data subjects: persons who have agreed to direct marketing. Personal data processed: name, last name, telephone number, e-mail. postal address, address. Storing period: 5 years from the date of the last provision of services to the data subject. Data processing: personal data may only be used by responsible staff and access to the data is strictly limited. Categories of data recipients: data is not shared, personal data is not transferred to third countries or international organizations. We ask for your consent for direct marketing separately by concluding a service agreement or in other ways established by the Company, but in any case, it is expressed by your active actions. The personal data requested is necessary for us to send you marketing emails with the latest information about the Company’s activities, services, special offers, and/or other marketing communications. You can revoke your permission to continue receiving marketing emails at any time. Withdrawal of consent does not affect the lawfulness of the processing carried out before the withdrawal of consent.

Processing of personal data for the purpose of organizing and conducting registered training

Conditions for lawful processing provided in the GDPR: art. 6 part 1, points a and b. Categories of data subjects: persons participating in the training. Personal data processed: name, last name, contact details (telephone number, e-mail address), payer, the amount payable. Storing period: 1 month after training. Data processing: personal data may only be used by responsible employees. Categories of data recipients: data shall not be disclosed to anyone unless such data is required by law or regulation, such as law enforcement authorities or similar.

Personal service (via Brandelektra website)

Conditions for lawful processing provided in the GDPR: art. 6 part 1, point a and art. 9 part 2, point a. Categories of data subjects: persons who apply to the Company. Personal data processed: name, last name, contact data (telephone number, e-mail address), and other data that a natural person wishes to provide to the Company by applying via the website https://brandelektra.com/lt/. Storing period: data is deleted when a person’s application to the Company is examined. Data processing: personal data may only be used by responsible employees. Categories of data recipients: no data is provided to anyone.

Personnel management

Conditions for lawful processing provided in the GDPR: art. 6 part 1, points a, b, c, f, and art. 9 part 2, points a, b, h. Personal data processed and categories of data subjects:

  • personal data of candidates for the position: name, last name, photo of the person, contact details (telephone number, e-mail address, address, education, information about work in other workplaces, other data provided by the person in his/her CV).

  • personal data of former employees: name, last name, personal identification code, contact data (telephone number, e-mail address), and other data provided by the natural person to the Company.

  • personal data of employees: name, last name, personal identification code, contact data (telephone number, e-mail address), job function and other personal data specified in the employment contract, data of special categories and other data that a natural person wishes to provide to the Company.

Storing period: personal data is stored within the legal deadlines, except for personal data processed for the purpose of selection of candidates, unnecessary personal data is destroyed 3 months after the end of the vacancy selection procedure, unless the data subject wishes to have his/her personal data processed 3 years due to a possible future vacancy selection procedure. Data processing and security: personal data may only be used by responsible staff. Categories of data recipients: public authorities (ex. tax inspectorate, The State Social Insurance Fund Board), personal data is not transferred to third countries or international organizations.

Accounting management

Conditions for lawful processing provided in the GDPR: art. 6 part 1, points a, b, c and art. 9 part 2, points a, b, h. Personal data being processed: billing, payment data, any other information specified in the payment order. Categories of data subjects: persons who make payment orders to the Company or to whom the Company makes payment orders. Storing period: personal data is stored within the time limits set by law. Data processing: personal data may be used only by responsible employees authorized to manage accounting. Categories of data recipients: data is provided only to those data recipients to whom the law or other legal acts establish the right to receive such data (lawyers, bailiffs, tax authorities, etc.), personal data is not transferred to third countries or international organizations.

Data processors

The company has the right to use data processors in accordance with the provisions of the General Data Protection Regulation. A contract for the processing of personal data shall be concluded with them in accordance with the requirements of that Regulation. Data sub-processors can not be used without the consent of the Company.

The company uses data processors only in cases when such personal data processing operations cannot be performed by themselves, i.e.

  • Company‘s computer program maintenance services;

  • telephony services;

  • server rental services.

These service providers undertake data processing procedures on behalf of the Company and only in accordance with the Company’s instructions. Third parties who process personal data shall be selected carefully and in accordance with applicable data protection law. In certain circumstances, the Company’s external service providers may be granted access to your personal data, but only for the specified data processing purposes. Under the agreements, such third parties are obliged to ensure that their level of data protection is at least equivalent to that provided by the Company and required by applicable law. All data processed on behalf of the Company remains under the control of the Company. Compliance with the Company’s instructions, data protection levels, and contractual obligations concluded with the data processor is constantly monitored.

RIGHTS OF THE DATA SUBJECT AND THEIR ENFORCEMENT

The Company will exercise the rights of data subjects without undue delay, but in any case, no later than within one month from the receipt of the request, provide the data subject with information on the actions taken upon receipt of the request. The Company may extend the one-month period for another two months, depending on the complexity and number of requests, but in any case, the Company will inform you of such extension within one month of receiving the request, together with the reasons for the delay.

For you, the General Data Protection Regulation guarantees the rights of the data subject. At any time, after the Company has fully verified your identity, you have the right to:

  • be informed about the processing of data. The Company will provide you with all information to which you are entitled and which is not specified in this personal data protection policy, for example, the recipients of personal data, if any; the storing periods of the personal data or, if that is not possible, the criteria used to determine that period; the right to request that the Company grants access to the personal data of the data subject and to correct or delete it, or to restrict the processing of the data, or the right to object to the processing of the data, as well as the right to data portability; whether the provision of personal data is a legal or contractual requirement, and so on.

  • to get acquainted with the processed data. The Company will confirm to you whether the personal data related to you is processed, and if such personal data is processed, will provide all the necessary information: the purposes of the data processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data has been or will be disclosed; the periods for which the personal data will be stored or, if that is not possible, the criteria for determining that period; the right to request the controller to rectify or erase personal data or to restrict or object to the processing of personal data relating to the data subject; where personal data is not collected from the data subject, all available information on their sources. The company will provide a copy of the personal data processed. When the data subject submits the request by electronic means, the information shall be provided in the electronic form normally used.

  • request correction of data. The data subject has the right to request the Company to correct inaccurate personal data without undue delay. Depending on the purposes for which the data was processed, the data subject has the right to request that incomplete personal data would be supplemented.

  • request the deletion of data («right to be forgotten»). If there are grounds (for example, personal data is no longer needed to achieve the purposes for which they were collected, etc.), you can request for your personal data to be deleted.

  • the processing of your data. You may request that the processing of your data would be restricted if it meets the criteria set out in the General Data Protection Regulation, for example, the Company no longer needs your personal data for processing, but needs it to protect legal claims; You dispute the accuracy of the data for the period during which the Company may verify the accuracy of the personal data and so on.

  • data portability. In cases where the Company processes your personal data by automated means with your consent or based on an agreement with the Company, you have the right to receive your personal data in a structured and computer-readable format and transfer it to another data controller. You have the right for the Company to transfer your personal data to another data controller whenever technically possible.

  • disagree. You have the right to object at any time to the processing of your personal data when such processing is carried out for the legitimate interests of the Company, except when the Company processes the data for reasons beyond the data subject’s rights, freedom, or interests, legal requirements. Where personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the further processing of the data for marketing purposes. If you object to the processing of data for direct marketing purposes, the Company will no longer process your personal data for such purposes.

  • It should be noted that the Company does not currently apply automated decision making. To exercise any of the rights outlined in this section, you may contact the Company at the contacts listed below. Notwithstanding any other remedy, you also have the right to lodge a complaint with the supervisory authorities at any time.

BREACHES OF PERSONAL DATA SECURITY

The Company will always report a personal data security breach to the State Data Protection Inspectorate unless such a breach will not endanger the rights and freedoms of individuals. If the nature and seriousness of the breach would pose a significant threat to the rights and freedoms of individuals, the Company must also notify you, as the data subject, of the breach. Infringements shall be reported in accordance with the General Data Protection Regulation.

The notification to the data subject in clear and simple language (by sending a notification by e-mail, SMS, post, etc.) should include:

  • a description of the nature of the breach;

  • contact details of the Data Protection Officer;

  • a description of the likely consequences of the breach;

  • a description of the measures taken by the Company to remedy the breach;

  • other information that the Company believes should be provided to the data subject.

If the submission of the notification would require a disproportionate amount of effort, the Company will instead publish the violation on its website. In the event of a breach, the Company will not notify the data subject if: appropriate safeguards have been put in place for the personal data affected by the breach; immediately after the violation, the Company has taken measures to ensure that the rights and freedoms of individuals can no longer be seriously endangered; this would require a disproportionate amount of effort to contact individuals. In that case, the breach shall be made public.

Data security

The company takes great care to protect your personal data using appropriate data protection measures. These include active and reactive risk management, periodic software updates, the use of firewalls and antivirus programs, access control and security systems, controlled access/user rights granting and maintenance, skills training for personal data processing staff, and as well as the evaluation and selection of data controllers. Paper documents are kept locked, in premises where access control and other security measures are applied. Persons working with personal data are bound by confidentiality obligations under the law, the controller’s internal regulations, and/or confidentiality agreements. Data is backed up. The company is constantly updating its internal practices.

Final Provisions

This personal data protection policy is also a record of the Company’s data processing activities.

The Company is constantly developing and improving its operations, therefore the Company has the right to change this data protection policy at any time in accordance with applicable laws and other legal acts. All changes are immediately published on the Company’s website.

This personal data protection policy is reviewed periodically, but at least once every two years.

If you have any questions about the processing of your data or questions about your rights, please contact our Data Protection Officer: