Personal Data Protection
UAB E-Bros Rules for Processing Personal Data


1.1. Company – UAB “E-Bros”, a company established under the laws of the Republic of Lithuania, having its registered office at 62 K. Donelaičio st., Kaunas LT-44248 Lithuania, company code 302502296, the data of which is accumulated and stored in the Register of Legal Entities.
1.2. Data subject – a natural person whose personal data are processed.
1.3. Personal data – any information relating to a natural person (‘data subject’); a natural person is the one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.4. Personal data processing – any act performed with personal data, including collection, recording, storage, alteration, disclosure, granting access to personal data, consultation and retrieval, use of personal data, communication, cross-usage, combination, closure, erasure or destruction of personal data or several of the aforementioned operations, regardless of the manner in which the operations are carried out or the means used.
1.5. Automatic mode – actions performed in whole or in part by automated information technology means.
1.6. Employee – a person who has concluded a contract of employment or a similar nature with the Company and is appointed by the decision of the Head of the Company to process personal data or whose personal data is processed.
1.7. Controller – a legal or natural person who is authorized by the Company to process personal data. The controller(s) must be registered with the Inspectorate.
1.8. Recipient – a natural or legal person to whom personal data is disclosed. The data recipient (s) must be registered with the Inspectorate.
1.9. Inspectorate – the State Data Protection Inspectorate of the Republic of Lithuania.
1.10. Customer – the Company’s customer, who has entered into a contract with the Company and provided the employees of the Company with access to the Personal Data stored by the Customer, if it is necessary to perform contractual obligations.



2.1. This document regulates the actions of the Company and its Employees in the management of Personal Data, using the automated Personal Data Processing Means used in the Company, as well as defines the Data Subject Rights, Personal Data Protection Risk Factors, Personal Data Protection Measures, and other matters related to the processing of Personal Data.
2.2. The Company and its employees do not accumulate personal data for direct marketing or other purposes.
2.3. Company employees may be given access to a client-managed personal data system for maintenance, development or other clearly defined purposes.
2.4. Personal data must be accurate, appropriate and only to the extent that it is necessary for work purposes. If personal data is required for personal data processing, personal data is constantly updated.
2.5. Employees are strictly forbidden to copy Personal Data to any computer media. For testing, only transcoded data can be used to prevent the original Personal Data from being restored.



3.1. Personal data is processed manually and automatically using personal data processing tools used in the Company.
3.2. Only Employees and Controllers are entitled to manage Personal Data. Every Employee / Controller who is assigned to handle Personal Data must protect the confidentiality of Personal Data and comply with the requirements of the legislation on the protection of personal data.
3.3. The Employee / Controller must:
a) protect the confidentiality of Personal Data;
b) manage the Personal Data in accordance with the laws of the Republic of Lithuania, other legal acts and these guidelines;
c) not to disclose, transmit, or permit any means of accessing the Personal Data to any person who is not authorized to process Personal Data;
d) immediately inform the Head of the Company or the person appointed by him of any suspected situation which may endanger the security of personal data.
3.4. Employees who automatically process personal data or from whose computers can access the local area network, where Personal Data is stored, must use passwords. Passwords must be changed periodically, as well as in certain circumstances (for example, when a different employee starts using a computer, in the event of possible network intrusion, a suspicion that the password has become known to third parties, etc.). An employee who works with a particular computer can only know his own password.
3.5. The protection of personal data is organized, guaranteed and carried out by the head of the Company or an employee appointed by him.
3.6. An employee does not have the right to process personal data when the employee’s work contract or a similar contract with the Company expires or the Head of the Company revokes the employee’s appointment to process personal data.
3.7. The Controller does not have the right to process personal data when the Controller’s contract with the Company is terminated.



4.1. The Company does not store any personal data.
4.2. The Company ensures all other rights, guarantees, and interests of the personal data subjects guaranteed by laws and other legal acts of the Republic of Lithuania.



5.1. Employees of the Company who have access to the Customer’s data have no right to transmit or disclose data to anyone.
5.2. The Company does not use and disclose any sensitive personal information, such as health information, racial origin, religious beliefs or political opinions, without the explicit consent of the Data Subject, unless it is required or permitted by law.
5.3. Personal data may also be transferred to third parties in other cases provided in the laws and other legal acts of the Republic of Lithuania.



6.1. A breach of personal data protection is an act or omission that may result in undesirable effects, as well as in violation of the mandatory rules of the laws, regulating the personal data protection. The personal data protection, damage violation impact degree, and consequences, in each case, shall be established by a commission, formed by the Company Head or his authorized person.
6.2. Personal data protection risk factors:
a) Unintentional, when personal data protection is violated due to accidental reasons (data processing error, data media, deletion of data records, incorrect routes (addresses) for data transfer, etc. or system interruptions due to power failure, computer virus, etc., internal rules violation, system maintenance shortage, software tests, inadequate data carrier maintenance, inadequate line capacity and protection, network integration of computers, protection of computer programs, the lack of fax supplies, etc.);
a) Deliberate violation of Personal Data protection (unauthorized intrusion into the Company’s / hotel premises, personal data storage repositories, information systems, computer network, a malicious data infringement, deliberate distribution of computer viruses, personal data theft, unlawful use another employee’s right, etc.);
b) unexpected accidental events (lightning, fire, flood, storm, electrical wiring, effects of temperature and/or humidity changes, impacts of dirt, dust and magnetic fields, accidental technical accidents (e.g. hardware crash), other invincible and/or uncontrollable factors, etc.).



7.1. To ensure the personal data protection, the Company implements or intends to implement the following Personal Data protection measures:
a) administrative (organization of safe documents and computer data and their archives, as well as the organization of work in different fields of activity, an introduction of personnel to the personal data protection during the employment period and after the termination of employment period or similar relations, etc.);
b) technical hardware and software security (administration of servers, information systems, and databases, maintenance of workplaces, maintenance of the Company’s premises, protection of operational systems, protection against computer viruses, etc.);
c) communications and computer networks (firewalling, sharing data, programs, unwanted data packets, etc.).
7.2. The technical and software tools for protecting personal data must ensure the following:
a) installation of operating system and database copies, copying technique, and compliance control;
b) continuous processing technology;
c) the strategy of updating systems in unforeseen cases (management of surprises);
d) the physical (logical) separation of the environment testing programs from operating mode processes;
e) authorized use of data, its integrity.
7.3. All Employees who have the right to manage personal data or to organize and enforce its protection must strictly observe the requirements of the Personal Data protection measures and relevant rules, instructions or procedures, established by the Company.



8.1. Company’s employees have access to Personal Data only after having received a legitimate access to the customer data.
8.2. No personal information is stored in the company.
8.3. When Personal Data is no longer needed to be processed, it is deleted, except for that, which, in the cases, specified by law, must be transferred to state archives.



9.1. Employees, who violate the Law on the Legal Protection of Personal Data of the Republic of Lithuania, other legal acts, regulating the processing and protection of Personal Data or these Rules, apply the liability measures, provided for in the laws of the Republic of Lithuania.



10.1. Compliance with the rules and, if necessary, review, trusted by the Head of the Company or his authorized person.
10.2. Responsible Employees are introduced to the Rules by signing.