GENERAL RULES FOR PROCESSING PERSONAL DATA

  1. ABBREVIATIONS AND TERMS

    • Abbreviations:

      • Company - UAB "TCG TELECOM", legal entity code 304120498, registered office at Perkūnkiemio g. 7, LT-12131, Vilnius, Lithuania.

      • Rules - these general rules for the processing of personal data.

      • Description - a description of the Company's standard procedures for processing personal data.

      • GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

      • "ADPA" - the Law on Legal Protection of Personal Data of the Republic of Lithuania.

      • ERĮ - Law on Electronic Communications of the Republic of Lithuania.

      • Employees of the Company - persons employed by the Company, with whom employment contracts have been concluded, as well as persons equivalent to them, acting on behalf and in the interests of the Company.

      • Company's website - tcg.lt.

    • Concepts:

      • 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing;

      • 'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

      • 'recipient' means the natural or legal person, public authority, agency or other body to which personal data are disclosed, whether a third party or not. However, public authorities which, under Union or Member State law, may receive personal data in the context of a specific investigation shall not be considered as recipients of the data; when processing those data, those public authorities shall comply with the applicable data protection rules that are compatible with the purposes of the processing;

      • 'personal data' means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a personal identification number, location data and an online identifier, or to one or more factors specific to the natural person's physical, physiological, genetic, mental, economic, cultural or social identity. Personal data includes information about natural persons who:

        • can be (are) identified directly from the relevant information; or

        • can be indirectly identified from the information held in combination with other information, i.e. different information which, taken together, may reveal the identity of a particular person. It should be noted that the ability to identify a person does not necessarily imply the ability to know the person's name, but the identity of a person can be established by using other data, regardless of whether the Company has it (e.g. car registration number, video data, telephone number, etc.).

      • Data Subject - a natural person who is identified or identifiable;

      • "processing" means any operation or sequence of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, sorting, organisation, storage, adaptation or alteration, retrieval, access, use, disclosure by transmission, dissemination or otherwise making available, alignment with or combination with other data, restriction, erasure or destruction;

      • Job description - any documents (contracts of employment, job descriptions, procedures, policies, rules and other documents) that define the job duties/functions of employees with the employer.

  2. SCOPE

    • The purpose of these Rules is to regulate the processing of data by the Company as a data controller, ensuring compliance with and implementation of the GDPR, the ADPA, the ERĮ and other laws and regulations governing the processing and protection of personal data.

    • The Rules set out the Company's rights and obligations as a data controller, the procedure for exercising the rights of personal data subjects, and other rules relating to the processing of personal data.

    • The Rules shall apply throughout the Company to the extent that the Company is the data controller.

    • The Rules are an integral part of the Company's standard procedures for processing personal data.

    • All employees of the Company who process personal data or who, in the course of their duties, become aware of, or may become aware of, personal data are required to comply with these Rules.

  3. PRINCIPLES FOR PROCESSING PERSONAL DATA

    • Personal data must be:

      • processed in a lawful, fair and transparent manner in relation to the data subject (principle of lawfulness, fairness and transparency);

      • collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes shall not be considered incompatible with the original purposes pursuant to Article 89(1) of the GDPR (principle of purpose limitation);

      • adequate, relevant and limited to what is necessary for the purposes for which they are processed (principle of data minimisation);

      • accurate and, where necessary, kept up-to-date; all reasonable steps must be taken to ensure that personal data which are not accurate in relation to the purposes for which they are processed are erased or rectified without undue delay (principle of accuracy);

      • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be retained for longer periods if the personal data are to be processed solely for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes in accordance with Article 89(1) of the GDPR, subject to the implementation of the appropriate technical and organisational measures required by the GDPR to safeguard the data subject's rights and freedoms (retention time limitation principle);

      • processed in such a way as to ensure, by appropriate technical or organisational measures, adequate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (principle of integrity and confidentiality).

    • In carrying out their duties and processing personal data, the Company's employees, in accordance with the principles set out in Clause 3.1 of the Rules, must ensure, inter alia, that:

      • personal data are collected for specified and legitimate purposes and processed only in ways consistent with those purposes;

      • the collection and processing of personal data respects the principles of purpose limitation and proportionality, does not require data subjects to provide data that are not necessary, and does not accumulate or process excessive data;

      • the processing of personal data is accurate, fair, lawful and transparent. Employees shall have the right to collect, transmit, store, destroy or otherwise process personal data only in the performance of their direct functions as defined in their job descriptions and/or in the performance of the instructions of their line manager and/or the Head of the Company. Employees are prohibited from arbitrarily collecting, transferring, storing, destroying or otherwise processing personal data;

      • personal data are accurate and kept up to date. Personal data shall be rectified, amended, supplemented, destroyed, and their processing shall be suspended at the request of the data subject and/or at the initiative of the Company;

      • appropriate technical or organisational measures are in place to ensure adequate security of personal data, including protection against unauthorised processing, accidental or unlawful loss, destruction, alteration, disclosure or corruption of personal data, as well as against any other unlawful processing.

    • Employees of the Company in the course of their duties and processing of personal data, or in the course of their duties after becoming aware of personal data:

      • must comply with the requirements of the GDPR, the ADPA, the ERĮ and other applicable law;

      • comply with the Company's local legal acts (Description, Rules, etc.);

      • strictly comply with data security requirements;

      • comply strictly with confidentiality requirements;

      • have the right to collect, process, transmit, store, destroy or otherwise use personal data only in the performance of their direct functions as defined in their job descriptions and/or when carrying out the instructions of their line manager and/or the Head of the Company, and only in accordance with the procedures established by law;

      • must inform the Company (the line manager and/or the Company's manager, as well as the Company's Data Protection Officer or any other authorised person) of any actual or potential breaches/threats observed in relation to the processing of the data or related matters.

    • Employees who violate the Rules and/or the GDPR and/or the ADPA and/or the ERĮ and/or other applicable law shall be liable in accordance with the procedure established by law.

  4. PURPOSES, MEANS, SCOPE AND SOURCES OF PROCESSING OF PERSONAL DATA

    • The Company processes a variety of personal data depending on the nature and content of the legal relationship between the Company and the data subject.

    • The Company processes personal data automatically and non-automatically.

    • The Company processes personal data for the following purposes:

      • order management;

      • customer administration;

      • provision of products and services;

      • quality assurance of products and services;

      • managing incidents and problems;

      • invoicing and payments;

      • communication handover;

      • security of electronic communications networks and services;

      • detection of technical faults and errors in the electronic communications network;

      • calculation of payments;

      • prevention of fraud, fraudulent use;

      • marketing, direct marketing;

      • personalised services;

      • mandatory personal identification;

      • mandatory quality assurance of services;

      • mandatory processing of data to ensure its availability to law enforcement authorities and emergency services;

      • data breach notification;

      • enforcement of judicial decisions;

      • mandatory network and data security monitoring;

      • ensuring number portability;

      • accounting;

      • notification, reporting to authorities;

      • and for other purposes specified in these Rules.

    • Categories of personal data processed by the Company:

      • Basic personal data:

        • personal identification data (name, surname, personal identification number, date of birth, personal identification document (passport, identity card));

        • contact data (name, surname, telephone number, e-mail address, address (for delivery of goods, installation of services, sending of bills, etc.));

        • information relating to the ordering and provision of goods and/or services, the contract concluded, the equipment purchased and/or used (name, surname, address (for the delivery of goods, installation of services, billing, etc.), telephone number, e-mail address, etc.; date, number and other details of the contract for the goods and/or services, date of commencement, date of termination, duration, status; information about the equipment purchased and/or used, domain (for website hosting services), SIM card number, mobile subscriber identifier (IMSI), PIN and PUK codes, MAC, IP address, equipment name, model, number, International Mobile Equipment Identification (IMEI) number, maintenance and/or servicing information);

        • consents, opt-outs of the data subject (information on consents given to the Company, withdrawal of consents, submission of opt-outs);

        • data subject profiles (profiles of the data subject that have been created in the course of profiling activities (if any) carried out by the Company);

        • video data (video data may be captured by video surveillance equipment installed by the Company when the data subject visits the Company's showrooms (if personally identifiable));

        • the data subject's communications with the Company (records of telephone conversations: date, time, duration of the call, telephone number, recording of the telephone conversation and data provided during the telephone conversation, which may be recorded when the data subject calls the Company's customer service centre or responds to calls from the Company's employees; correspondence with the data subject by e-mail: e-mails, their date and content);

        • information on blocked International Mobile Equipment Identifiers (IMEI) (International Mobile Equipment Identifier (IMEI), blocking status, handset model, date of manufacture of the model, basis for blocking, operator, blocking country);

        • other information about the person (age, gender, language of communication indicated by the person, membership of a disadvantaged group or pensioner category, etc.).

      • Traffic data (data generated by means of communications and the Company's services which are necessary for the transmission of information over an electronic communications network and/or for the accounting of such transmission):

        • the date and time of the start and end of the communication, its duration and route;

        • the data transmission protocol;

        • the date and time of the connection, the IP address used during the connection, the IP address of the destination, the amount of data sent;

        • the geographical location of the user's terminal equipment;

        • date, time, sending mark of the Short Message Service (SMS).

      • Location data other than traffic data;

      • Communication content data;

      • Data collected by cookies.

    • The categories and purposes of personal data processed by the Company as set out in clauses 3-4.4 of these Rules are illustrative. The exact personal data, the purposes for which they are processed and other conditions are detailed in the individual personal data processing policies.

    • Unless otherwise specified in the individual personal data processing policies, personal data shall be obtained directly from the data subject. Personal data shall be stored in the Company's databases and, where possible, in the activation created for each data subject,

  5. DATA SUBJECT RIGHTS

    • When collecting personal data, the Company must provide the data subject with the following information: its details, the purposes for which the data subject's personal data are processed, to whom and for what purposes the data are provided, and what personal data the data subject is required to provide.

    • The data subject shall exercise his/her rights in accordance with the procedure laid down by law. The data subject has the following rights:

      • to have access to his/her personal data and to the procedure for processing them;

      • to request the rectification of any incorrect, incomplete or inaccurate personal data;

      • to request the erasure of his/her personal data ('right to be forgotten');

      • to request the restriction of the processing of personal data other than storage;

      • to object to the processing of personal data;

      • to request the transfer of the data to another controller or to have the data provided directly to the data subject in a form that is convenient for the data subject (data that the data subject himself/herself provided to the Company);

      • to request that a decision based solely on automated processing not be applied to him or her and that such decision be reviewed;

      • to withdraw the consents given to the Company at any time.

    • The data subject may contact the Company in order to exercise his/her rights by submitting a request to info@tcg.lt or to the Company's registered office address.

    • The Company shall provide the data subject with information on the action taken following the request no later than one month after receipt of the request. This period may be extended by a further two months if necessary, depending on the complexity and number of requests. The Company shall inform the data subject of such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject submits a request by electronic means, the information shall also be provided to the data subject by electronic means where possible, unless the data subject requests otherwise.

    • If the Company does not act on the data subject's request, it shall inform the data subject without delay, but at the latest within one month of receipt of the request, of the reasons for its failure to act and of the possibility of lodging a complaint with the supervisory authority (the State Inspectorate for Data Protection) and of exercising the right to a remedy.

    • Requests from the data subject relating to the exercise of his/her rights under the GDPR shall be processed free of charge. Where the data subject's requests are manifestly unfounded or disproportionate, in particular because of their repetitive content, the Company shall:

      • charge a reasonable fee, taking into account the administrative costs of providing the information or the notifications or actions requested; or

      • refuse to act on the request.

    • The Company's employees shall ensure that the data subject's rights are properly exercised and that all necessary information is provided to the data subject in a clear, comprehensible and acceptable form.

    • The procedure for the exercise of the data subject's rights is detailed in the Data Subject's Rights Procedure adopted by the Company. This procedure is published on the Company's website.

  6. ACCESS TO PERSONAL DATA

    • Access to personal data shall be granted, modified and deleted in the Company in accordance with the Company's Information Security Regulations and other internal documents of the Company.

    • Roles and responsibilities relating to the processing of personal data shall be clearly defined and allocated.

    • Each role in relation to the processing of personal data shall be assigned specific access control rights on a 'need to know' basis, i.e. each role or user should only be granted the level of access to personal data that is necessary for the performance of his/her tasks.

  7. SECURITY OF PERSONAL DATA

    • The security of personal data covers three main aspects:

      • confidentiality - protection against unauthorised disclosure;

      • data integrity - protection against unauthorised or accidental modification;

      • data availability - ensuring that information is available when it is needed.

    • The purpose of personal data security is to ensure appropriate and effective management of the security of personal data and to avoid disruption of operations due to breaches of data confidentiality, integrity and availability. Other information security objectives may be identified in the course of the Company's evaluative analysis.

    • The requirements for the security of personal data and the procedures for their implementation are set out in the Company's Information Security Regulations and other internal documents:

      • in accordance with the Company's business objectives and operational requirements;

      • on the basis of an assessment of the security risks to personal data;

      • in accordance with the requirements and expectations of the interested parties as expressed in the legislation governing the security of personal data, in data provision or other contracts, and in the external and internal exchange of information (letters, e-mails, etc.).

    • The implementation of the security requirements for personal data processed by the Company shall be ensured through the consistent planning, implementation, evaluation and improvement of the personal data security management system.

    • The Company undertakes to:

      • taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying probability and severity to the rights and freedoms of natural persons posed by the processing, implement appropriate technical and organisational measures to ensure a level of security commensurate with the risks, including, inter alia, where appropriate:

        • pseudonymisation and encryption of personal data;

        • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of data processing systems and services;

        • the ability to restore conditions and access to personal data in a timely manner in the event of a physical or technical incident;

        • a regular process of checking, evaluating and assessing the effectiveness of the technical and organisational measures to ensure the security of processing.

      • take measures to ensure that any subordinate who has access to personal data does not process it except on instructions from the Company, unless that person is required to do so by law;

      • set objectives for the management of personal data security;

      • comply with all personal data security obligations regulated by the legislation and contracts of the Republic of Lithuania;

      • enable the Company's employees to improve their knowledge in the field of information security.

    • The Company continuously improves the performance of personal data security by implementing the personal data security policy and objectives through internal audits, identification of non-compliances, corrective actions and evaluative analysis.

    • The security of personal data and their processing shall be documented in the Company's Information Security Policy and/or other internal documents.

    • In accordance with the general policy on the security of personal data, the Company's Information Security Regulations and/or other internal documents shall provide for specific policies and procedures relating to the protection of personal data (e.g. access control, facilities management, resource management, etc.).

    • The Personal Data Security Policy, including these Rules and the Information Security Regulations, shall be reviewed and, if necessary, updated at least once a year.

  8. ROLES AND RESPONSIBILITIES

    • The roles and responsibilities of the Company's employees in relation to the processing of personal data shall be separately defined and allocated in the Company's Information Security Regulations or other internal documents.

    • The Company's employees who have access to personal data are prohibited from processing personal data, unless the Company has given explicit instructions to process it, and in the absence of such instructions, personal data may only be processed in compliance with the requirements of law.

    • Employees of the Company shall comply with the requirements set out in Clause 3 of the Rules in the performance of their duties and in the processing of personal data, or in the course of their duties after becoming aware of personal data.

    • The Company's employees who make changes to the Company's systems or procedures relating to the processing of personal data shall assess whether there is a need to make any changes to these Rules or to other internal documents of the Company relating to the processing of personal data, and, if it is found that there is a need to do so, shall prepare drafts of such documents and submit them to their line manager. Changes to the Company's systems or procedures relating to the processing of personal data may only be implemented from the time when the changes to these Rules or other internal Company documents relating to the processing of personal data come into force.

  9. MANAGEMENT OF PERSONAL DATA SECURITY INCIDENTS

    • A personal data security incident is defined as a personal data breach that intentionally or unintentionally results in:

      • the destruction, loss or alteration of personal data processed by the Company;

      • disclosure of personal data without the Company's authorisation;

      • access to personal data by unauthorised persons without the Company's authorisation.

    • The procedures for managing and responding to security breaches are set out in the Information Security Regulations.

    • Where a personal data breach is likely to result in a significant risk to the rights and freedoms of natural persons, the Company shall, without undue delay, notify the data subject in writing of the personal data breach in accordance with Article 34 of the GDPR. If it is not possible to inform all data subjects due to the large number of data subjects or for other reasons, the Company may decide to publish this information through the means of public information (press, television, the Company's website, etc.).

  10. DESTRUCTION OF DATA

    • Personal data shall be destroyed by the Company at the end of their retention period or at the request of the data subject.

    • The personal data shall be destroyed by deleting them from the database and from the backup copy made electronically by automatic copying of the personal data into an archive stored on a server.

    • Paper documents and copies thereof containing personal data shall be manually destroyed by an authorised employee of the Company in such a way that they cannot be retrieved at a later date and their content cannot be identified.

  11. FINAL PROVISIONS

    • The employees of the Company shall be made aware of these Rules by signature.

    • The Company's employees shall be provided with training, information events or briefings on the Company's personal data protection requirements at least once a year at their own discretion.

    • These Rules shall be reviewed, revised and updated in the event of changes in legislation, structural, technological or other changes in the Company that affect or may affect the processing of personal data, and in other necessary cases, but in any case at least once every 1 (one) year.