Privacy policy

RULES FOR THE PROCESSING OF PERSONAL DATA

SECTION I

GENERAL PROVISIONS

1. The Rules for the Processing of Personal Data (hereinafter referred to as the "Rules") regulate the processing of personal data by MB Ethos Solutions, legal entity code 306689726 (hereinafter referred to as the "Company"), ensuring compliance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which repeals Directive 95/46/EC (General Data Protection Regulation – GDPR), as well as the provisions of the Law on Legal Protection of Personal Data of the Republic of Lithuania (hereinafter referred to as the "ADTAĮ") and other legal acts regulating the processing and protection of personal data.
2. The purpose of these Rules is to establish the main organizational measures for personal data processing and security, as well as to define the Company's functions, rights, and obligations in processing personal data.
3. These Rules apply to the Company’s Employees, Data Processors appointed by the Company, and their employees who process personal data, regardless of their employment conditions. The Rules also apply to all experts (consultants) and other individuals appointed by the Company who, in the course of their duties, gain access to personal data processed by the Company.
4. The Company’s Data Protection Officer is responsible for overseeing the implementation of these Rules. The appointment of the person responsible for overseeing the implementation of the Rules does not eliminate the individual responsibility of each employee who processes personal data as part of their duties, accesses personal data, or learns of personal data in any capacity. Each such employee is responsible for complying with and implementing these Rules and ensuring the lawful processing of personal data. Company employees authorized to process personal data, as well as employees of data processors, must be familiarized with these Rules and are obligated to comply with them.
5. The Company’s Employees, in the course of performing their duties and processing personal data, must comply with the general principles of personal data processing, as well as the confidentiality and security requirements established in legal acts and these Rules.
5. The terms used in these Rules shall be understood as defined in the General Data Protection Regulation (hereinafter referred to as the "Regulation") and the Law on Legal Protection of Personal Data (ADTAĮ) and are specified as follows:
5.1. Personal Data – refers to any information about a natural person whose identity is either identified or can be identified (Data Subject).
A natural person is considered identifiable if their identity can be determined directly or indirectly, particularly by reference to an identifier such as name and surname, personal identification number, location data, online identifier, or one or more characteristics specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
5.2. Personal Data Security Breach – refers to any security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, transmission, storage, or other processing of Personal Data, or unauthorized access to such data.
5.3. Personal Data Processing – refers to any operation or sequence of operations performed on personal data or sets of personal data, whether by automated or non-automated means. Such operations include, but are not limited to: collection, recording, sorting, structuring, storage, adaptation, or modification; retrieval, consultation, use; disclosure by transmission, dissemination, or otherwise making available; comparison or combination with other data; restriction, deletion, or destruction.
5.4. Employee – refers to a person who has concluded an employment contract with the Company, including the Company’s manager.
5.5. Data Subject – refers to a natural person whose identity is identified or can be identified, and whose data is processed by the Company.
5.6. Records of Processing Activities – refers to a form maintained by the Data Protection Officer, which contains all relevant information about the personal data processed by the Company, including processing purposes, legal basis, and any other information required by applicable legal acts. If the information stated in the Company’s Records of Processing Activities differs from that provided in these Rules, the information in the Records of Processing Activities shall prevail.
5.7. Data Processor – refers to a natural or legal person, public authority, agency, or other entity that processes Personal Data on behalf of the Company.
5.8. Data Controller – refers to a natural or legal person, public authority, agency, or other entity that, alone or jointly with others, determines the purposes and means of data processing.
5.9. Candidate – refers to a natural person who wishes to undertake an internship and/or seek employment with the Company by concluding an employment contract.
5.10. Supervisory Authority – refers to the State Data Protection Inspectorate of the Republic of Lithuania.
5.11. Security Officer – refers to the Data Protection Officer (DPO) appointed under Section 4 of the General Data Protection Regulation (GDPR).
If a DPO is not appointed, the Security Officer refers to another individual designated by the Company’s Manager through an official order, who is responsible for personal data protection within the Company.
5.12. Special Categories of Personal Data – refers to personal data that reveal a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.
This category also includes genetic and biometric data used for the specific identification of a natural person, as well as health data and data concerning a natural person’s sex life or sexual orientation.
5.13. Third Party – refers to a legal or natural person, public authority, agency, or other entity, except for the Company, Employees, Data Subject, Data Processor, or persons authorized directly by the Company or the Data Processor to process Personal Data.
5.14. Third Country – refers to a country that is not a member of the European Union (EU) or the European Economic Area (EEA).

SECTION II


GENERAL PRINCIPLES OF PERSONAL DATA PROCESSING

6. All personal data in the Company is processed in accordance with the principles established in Article 5(1) of the General Data Protection Regulation (GDPR), including: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality.
7. Personal data may only be processed for the specific purpose for which it was collected. If personal data is not necessary to achieve a particular purpose, it must not be processed. To achieve a specific purpose, the minimum amount of personal data necessary shall be processed. Personal data that is inaccurate in relation to its processing purpose must be immediately deleted or corrected. The Company takes all reasonable measures to ensure compliance with the principles set out in Article 5(1) of the GDPR.
8. Personal data shall be processed and stored no longer than the defined retention period, which must not exceed the duration necessary for the purposes for which the data is processed.
9. In the Company, personal data may only be processed if at least one of the lawful processing conditions set out in Article 6(1) of the GDPR is met.
10. The specific personal data being processed, their processing purposes, retention periods, and legal bases for processing are specified in the Records of Processing Activities, which employees are required to follow.
11. To ensure that personal data in the Company is stored only for the specified period, all personal data processed by the Company is recorded in the Records of Processing Activities. The retention periods for personal data are specified in the Records of Processing Activities.
12. Once the personal data retention period has expired, it may be extended if the Company determines that further retention is necessary, particularly in cases where personal data is required as evidence in: pre-trial or other investigations, including those conducted by the State Data Protection Inspectorate (hereinafter – the "Inspectorate"); civil, administrative, or criminal proceedings; other cases as established by legal acts.
13. The Company processes Personal Data in accordance with the following principles:
a) Lawfulness, fairness, and transparency – Personal data is processed lawfully, fairly, and transparently with respect to the Data Subject.
b) Purpose limitation – Personal data is collected for specified, clearly defined, and lawful purposes and is not further processed in a way that is incompatible with those purposes.
c) Data minimization – Personal data must be adequate, relevant, and limited to what is necessary for achieving the purposes for which it is processed.
d) Accuracy – Personal data must be accurate and, where necessary, kept up to date.
e) Storage limitation – Personal data must be stored in a form that allows the identification of Data Subjects for no longer than is necessary for the purposes for which the data is processed.
f) Integrity and confidentiality – Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, as well as accidental loss, destruction, or damage, through the implementation of appropriate technical and organizational measures.
g) Accountability – The Company implements legal requirements for personal data protection, monitors compliance, and maintains records to demonstrate compliance with the General Data Protection Regulation (GDPR).
3.1. The Company processes Employees’ Personal Data based on the following key principles:
a) The Employee is considered the weaker party in the employment relationship; therefore, their consent alone cannot be considered a sufficient legal basis for processing most types of personal data.
b) The processing of the Employee’s Personal Data may be necessary for the execution of the employment contract and for the Company to fulfill its obligations.
c) The Company, as an employer, may be subject to legal obligations that make the processing of Employee Personal Data unavoidable.
d) If the Company claims a legitimate interest in processing Employee Personal Data, the purpose of data processing must be lawful. The chosen method and/or specific technology must be necessary, proportionate, and implemented with minimal impact.
e) Personal data processing operations must comply with transparency requirements, and Employees must be clearly and comprehensively informed about the processing of their personal data, including the existence of any monitoring.
f) Technical and organizational measures must be implemented to ensure the secure processing of Employees’ Personal Data.

III. PROCESSING OF PERSONAL DATA WHEN THE COMPANY ACTS AS A DATA CONTROLLER AND A DATA PROCESSOR

14. The exhaustive list of Personal Data processed by the Company is provided in the Records of Processing Activities, which contain continuously updated information regarding: the purposes of personal data processing; the procedures, scope, and retention periods of personal data processing; other information required under Article 30 of the General Data Protection Regulation (GDPR). The Security Officer is responsible for maintaining and updating the Records of Processing Activities.
15. The Company processes Personal Data based on at least one of the following legal grounds:
15.1. The Data Subject's consent;
15.2. The performance of contracts concluded by the Company, or actions taken at the Data Subject's request prior to entering into a contract;
15.3. Compliance with the Company’s legal obligations, including but not limited to legal obligations in the fields of labor law and social protection;
15.4. Ensuring the legitimate interests of the Company or a third party.
16. At the time of approval of these Rules, the Company processes Personal Data for the following purposes:
16.1. Selecting an Employee;
16.2. Concluding and executing an employment contract;
16.3. Granting paternity leave;
16.4. Granting parental leave;
16.5. Granting unpaid leave;
16.6. Granting unpaid study leave;
16.7. Granting an additional rest day for raising children;
16.8. Calculating and declaring employment-related taxes;
16.9. Identifying the Employee;
16.10. Maintaining contact with the Employee outside of working hours;
16.11. Terminating and formalizing the employment contract at the Employee’s request;
16.12. Terminating and formalizing the employment contract at the Employer’s initiative;
16.13. Terminating and formalizing the employment contract by mutual agreement;
16.14. Access control (monitoring Employees’ entry into Company premises);
16.15. Managing access to IT systems and office spaces necessary for work;
16.16. Protecting personal property (goods, equipment) from theft, damage, or other violations;
16.17. Registration for a free visit;
16.18. Registration for a paid one-time visit;
16.19. Membership registration;
16.20. Direct marketing (SMS, emails);
16.21. Access control to the sports club and client identification;
16.22. Contract conclusion, sale, and provision of services;
16.23. Work time and workload distribution;
16.24. Protection of confidential information and ensuring business continuity;
16.25. Conclusion and execution of contracts with corporate clients, including but not limited to ensuring the Company's legitimate financial interests, debt collection, or other creditor claims;
16.26. Fulfilling legal obligations related to the Company's business operations.
17. The Company’s data processing activities, when acting as a data processor, are recorded in the Records of Processing Activities Register.
18. The Company has the right to process the data of other data controllers only if the data controller has clearly defined and specified: the subject matter and duration of data processing; the nature and purpose of the data processing; the types of personal data and categories of data subjects; the obligations and rights of the data controller.
19. In cases where the Company processes data as a data processor, it must comply with the data controller's specified purpose, means, and other conditions of data processing. The Company must also process only the amount of data and for the duration as defined by the data controller.
20. The Company has the right to process personal data as a data processor only if at least one of the following legal grounds is met:
20.1. A contract with the data controller has been concluded. This may be a separate data processing agreement or specific data processing provisions included in another contract.
20.2. The obligation to process data is established by legal acts.
21. The Company shall not engage another data processor without the prior specific or general written consent of the data controller, except in cases where the selection of another data processor helps to safeguard the Company's legitimate interests.
22. When the Company engages another data processor to carry out a specific data processing activity on behalf of the data controller, the same data protection obligations that apply to the Company under legal acts and the data controller's instructions must be imposed on the new data processor through a contract or other legal act. In particular, it must be adequately ensured that the new data processor implements appropriate technical and organizational measures so that data processing complies with the requirements of the GDPR.
23. In all cases, in addition to any additional obligations imposed by the data controller, the Company, when acting as a data processor, has the following obligations:
23.1. Process personal data only in accordance with documented instructions from the data controller, except in cases where processing is required by applicable legal provisions that apply to the Company.
In such cases, before starting data processing, the Company must notify the data controller about this legal requirement, unless such notification is prohibited by law due to important public interest reasons.
23.2. Ensure that persons authorized to process personal data are committed to maintaining confidentiality.
23.3. Implement all necessary technical and organizational measures to ensure the security of processed data.
23.4. Comply with the conditions set out in these Rules regarding the engagement of another data processor.
23.5. Taking into account the nature of data processing, assist the data controller by implementing appropriate technical and organizational measures, as far as possible, to enable the data controller to fulfill its obligation to respond to requests related to the exercise of data subjects' rights.
23.6. Assist the data controller in fulfilling its obligations to report personal data security breaches and conduct data protection impact assessments, taking into account the nature of data processing and the information available to the Company.
23.7. Upon completion of the data processing-related services, delete or return all personal data to the data controller and erase any existing copies, except in cases where legal acts require the retention of personal data.

IV. RIGHTS OF DATA SUBJECTS AND PROCEDURE FOR THEIR IMPLEMENTATION

24. Data subjects have all the rights established in Chapter III of the Regulation, the main ones being:
24.1. The right to be informed and to access the processed data, as well as to understand how they are processed;
24.2. The right to request the rectification of data;
24.3. The right to request the deletion of data;
24.5. The right to data portability;
24.6. The right to object to data processing;
24.7. The right not to be subject to automated decision-making and profiling.
25. The Company takes all necessary measures to ensure the protection of all data subjects' rights. The procedure for the implementation of data subjects' rights is established in:
25.1. The Regulation;
25.2. The Company’s Rules for the Implementation of Data Subjects' Rights.

V. LEGAL GROUNDS, RETENTION PERIODS, AND STORAGE OF PERSONAL DATA

26. The Company processes personal data in accordance with the General Index of Document Retention Periods, approved by the Chief Archivist of Lithuania by Order No. V-100 of March 9, 2011, as well as the retention periods established in the Records of Personal Data Processing Activities, considering the purposes of personal data processing.
In the event of discrepancies between the aforementioned legal act and the Records of Personal Data Processing Activities, the latter shall take precedence and must be followed.
27. Upon the expiration of the designated personal data processing period, personal data shall be destroyed in accordance with the procedures established by these Rules. Additionally, personal data shall be immediately destroyed if the data subject withdraws their consent for processing, objects to the processing of their personal data, and the Company has no other lawful basis for processing, or if the Company has reasonable grounds to suspect that the prevention of unlawful use of personal data is necessary.
28. Personal data may be retained for a longer period at the Company's discretion, in accordance with the procedures and conditions established by legal acts, for example, if there are grounds to believe that the personal data may be required for the investigation of a criminal offense committed on the Company's premises or in the building where the premises are located, or for another incident.
In such cases, personal data shall be retained until a final decision is issued by the relevant law enforcement authorities or the court regarding the criminal offense, or until a decision or conclusion is reached by persons investigating or reviewing the incident (e.g., insurers in the case of natural disasters) or by other persons examining an event that caused damage to the Company.
29. Paper documents shall be destroyed in a manner that ensures the principle of confidentiality. Confidential records should be placed in confidential waste bins or sealed confidential bags, which are collected by companies specializing in document destruction services.
30. The deletion of electronic records is overseen by the Security Officer, with the assistance of an IT specialist, if necessary. Any computer equipment designated for destruction must also be disposed of under the supervision of an IT specialist to ensure that all storage media are physically destroyed.
31. Personal data is processed based on consent:
31.1. When it is explicitly provided for in these Rules, the Regulation, the Law on the Legal Protection of Personal Data (ADTAĮ), or other legal acts;
31.2. When, considering the purpose of data processing or the amount of data, the Company has no other legal basis to process personal data or to fully comply with other obligations established in the Regulation. If personal data, based on its scope and processing purposes, can be processed under at least one of the legal grounds established in the Regulation, additional consent from the data subject is not required.
31.3. When it best aligns with the Company’s interests and, in cases of increased risk, helps mitigate the risk of unlawful processing of personal data.
32. Data subject consents may be collected through the following methods:
• In writing, including electronically, such as by marking checkboxes, provided that a clear and effective reference is made to the Company's and/or state regulations governing data rights.
• Orally or through actions, if it is possible to prove that such consent was given and if the data subject’s actions clearly indicate their agreement with the proposed processing of their personal data.
In all cases, written consent (including electronically obtained consent) is given priority. Other forms of consent may only be used if it is ensured that the fact of the data subject’s consent can be proven. The data subject’s silence or inaction shall not be considered as consent.
33. In all cases where personal data is processed based on the data subject’s consent, the Company must collect and retain evidence that the data subject has provided consent in the prescribed form and content.
34. When personal data is processed based on consent, only the data specified in the consent is processed, solely for the purposes stated in the consent, and only the processing operations (actions) outlined in the consent are performed. If there is a change in the scope of processed data, the purpose of processing, or the processing operations, additional consent must be obtained for such data processing, or there must be another legal basis for processing personal data as established in these Rules or the Regulation.
35. Consent may serve as a legal basis for personal data processing if it meets the following requirements: It is given freely by the data subject. When assessing whether consent has been given freely, the following circumstances are taken into account:
• Whether the execution of a contract is conditioned on the data subject providing consent for the processing of personal data that is not necessary for the performance of that contract (in such cases, consent is not considered to be given freely).
• Whether the data subject is coerced into giving consent, lacks a real choice, is under pressure, cannot genuinely control the granting of consent and their personal data, or may face direct or indirect negative consequences if consent is not given (in such cases, consent is not considered to be given freely).
• If consent is inextricably linked to conditions that the data subject cannot negotiate or modify, it is presumed that such consent is not given freely. In such cases, the Company takes additional measures to rebut this presumption and ensure that consent is given voluntarily.
• If there is a clear imbalance of power between the Company and the data subject, making it likely that consent, given the specific circumstances of the case, may not be truly voluntary. In such cases, the Company takes additional measures to ensure that consent is given freely.
• If consent is linked to multiple data processing purposes or multiple processing operations (actions), data subjects must be given the opportunity to consent only to specific purposes or operations, rather than all of them collectively, unless they are directly interrelated. Otherwise, consent shall not be considered freely given.
36. Consent must be specific and explicit. Consent is considered specific and explicit if it meets the following requirements:
36.1. The specific and lawful purpose of personal data processing is clearly and comprehensively stated;
36.2. The specific personal data to be processed for the stated purposes are identified.
36.3. The data processing operations (actions) to be performed based on consent are specified;
36.4. The data subject is given the opportunity to consent only to specific data processing purposes, if consent is given for multiple purposes, as well as only to specific data processing operations (actions).
36.5. The data subject has given consent after being properly informed.
To meet this requirement, before signing the consent, the data subject must be provided with the information specified in Article 13 of the Regulation and informed of their right to withdraw consent at any time.
This information may be provided in writing, orally, or through audiovisual messages, but in all cases, it must be presented in a manner that allows the Company to prove that the data subject was informed and that the provided information complies with the content requirements established in Article 13 of the Regulation.
36.6. Consent must be an unambiguous expression of the data subject's will to have their data processed. Consent must be given through active actions.
36.7. Consent must be written in clear, simple, and understandable language for the data subject.
36.8. Consent must always be obtained before carrying out the data processing operations (actions) for which consent is being collected.
37. The data subject has the right to withdraw their consent at any time. Once the data subject withdraws consent, the processing of personal data for the purposes and operations (actions) that were based on that consent must cease, except in cases where another legal basis for data processing exists under these Rules or the Regulation. The conditions for withdrawing consent must be equivalent to those for giving consent. The withdrawal process must not be made more difficult, nor should any additional conditions be imposed.
The withdrawal of consent must not result in negative consequences for the data subject, including a reduction in service quality.
The withdrawal of consent does not affect the lawfulness of the data processing carried out before the withdrawal.
The data subject must be informed of these provisions before providing their consent.
38. The Company takes measures to ensure that consents, as far as possible, considering the purpose and scope of personal data processing, are valid for a defined period.
39. Consent remains valid until it is withdrawn by the data subject or until the expiration of the validity period specified in the consent.
40. Consent and the personal data specified in it shall be retained for three years from the date of withdrawal of consent, expiration of its validity period, or from the Company’s decision to cease processing personal data for the purposes specified in the consent, unless legal acts establish a different retention period. If consent data is used as evidence in a pre-trial or other investigation, including an inspection by regulatory authorities, a civil, administrative, or criminal case, or in other cases provided by law, personal data may be retained for as long as necessary for these purposes and shall be immediately destroyed when no longer needed.
41. Employees must ensure that the consents obtained by the Company from data subjects comply with the requirements of these Rules.
42. Legal Obligation as a Basis for Personal Data Processing:
42.1. The Company processes personal data to fulfill its legally mandated obligations, including but not limited to those in the fields of labor law and social security, as established by applicable legal regulations.
42.2. The purposes, scope, retention periods, and other conditions of personal data processing are determined by applicable legal acts.
43. Legitimate Interest as a Basis for Personal Data Processing:
43.1. When the Company processes personal data based on legitimate interest, the purpose of the data processing must be lawful, and the method or technology used for processing must be necessary to achieve the Company's interests.
Additionally, personal data processing must be proportionate to the business needs, meaning that the processing must be aligned with the specific objective being pursued.
43.2. Before processing personal data based on legitimate interest, a specific legitimate interest assessment must always be conducted.
The legitimate interest assessment determines the purpose of personal data processing, the lawfulness of the processing, the means and methods of processing, and the impact on the data subject and their rights. The procedure for conducting a legitimate interest assessment is outlined in the Legitimate Interest Assessment Procedure, which is approved by the Company’s management. The Security Officer is responsible for conducting the legitimate interest assessment for each data processing operation where processing is based on legitimate interest.
44. PROCESSING OF PERSONAL DATA FOR DIRECT MARKETING PURPOSES
44.1. The rules and procedures for processing personal data for direct marketing purposes within the Company are outlined in the Records of Data Processing Activities and the Company’s Privacy Policy (hereinafter referred to as the Privacy Policy). The Privacy Policy is approved by an order of the Company’s management.
44.2. The use of electronic communication services, including the sending of email messages for direct marketing purposes, is permitted only with the prior consent of the data subject, except in cases where: the Company processes the email addresses of its existing customers; these customers have not objected to receiving direct marketing messages; and the messages promote the same or similar goods or services as those previously purchased from the Company. Detailed guidelines for conducting direct marketing are provided in the Direct Marketing Guidelines, which are approved by an order of the Company’s management.
44.3. Any form of communication (e.g., sending emails, making phone calls) for the purpose of obtaining consent to send direct marketing offers is prohibited if the data subject’s consent has not been obtained beforehand. It is strictly forbidden to send emails or make phone calls asking the data subject whether they agree to receive direct marketing offers. The data subject’s prior consent for the use of personal data for direct marketing purposes must be obtained through other means, such as expressing consent on a website (if such an option is available), entering into a contract, or filling out various forms.
44.4. If personal data is processed for direct marketing purposes, the data subject must have the right to object to such processing. If consent has already been given, the data subject must be able to withdraw it at any time, free of charge, regardless of whether it concerns initial or further data processing. The data subject must be clearly informed about this right.
44.5. Upon receiving a data subject’s withdrawal of consent or objection to the processing of personal data, the Company must immediately delete the data subject’s personal data and cease sending direct marketing messages. This right may be restricted if the processing of personal data is necessary:
• To comply with a legal obligation imposed by European Union or national law applicable to the Company, and/or
• To establish, exercise, or defend legal claims.
In any case, the withdrawal of consent and/or objection to data processing does not affect the lawfulness of processing carried out before the withdrawal.
45. SPECIFICS OF EMPLOYEE PERSONAL DATA PROCESSING
45.1. Employee personal data is processed on the following legal bases:
• Conclusion and execution of an employment contract or any other agreement concluded with the employee;
• Legal basis for civil service relationships;
• Fulfillment of legal obligations established by applicable laws;
• Legitimate interest of the Company or third parties, such as:
  • Protection of the Company’s material assets;
  • Improvement of employee productivity and communication;
  • Protection of confidential information;
  • Safeguarding of personal data for which the Company is responsible;
  • Protection of property and interests;
  • Ensuring the rights and security of employees and other parties.
45.2. The Company may only process employee personal data that is necessary for:
• Concluding and executing an employment contract, a civil service relationship, or any other agreement with the employee;
• Fulfilling the Company's legal obligations as established by applicable laws;
• Protecting a specific legitimate interest of the Company.
The purposes of employee data processing are specified in the Records of Data Processing Activities.
45.3. The Company is prohibited from processing excessive employee personal data that is unrelated to employment, civil service, or the exercise of employee rights. Additionally, employee personal data must not be disclosed to third parties, except in cases established by the Regulation or applicable laws.
45.4. It is prohibited to process the personal data of job applicants or employees related to criminal convictions and offenses, except in cases where such personal data is necessary to:
• Verify whether the person meets the legal requirements established by laws and/or implementing regulations for holding a specific position or performing specific work;
• Apply legal liability in accordance with the procedures established by applicable laws.
45.5. Personal data of a job applicant related to their qualifications, professional skills, and work-related characteristics may be collected from:
• A former employer or state and municipal institutions where the applicant was previously employed under an employment contract, after informing the applicant in advance;
• A current employer or state and municipal institution where the applicant is currently employed under an employment contract, only with the applicant's consent.
45.6. Publicly available personal data about job applicants or employees may be collected only to the extent necessary and only if directly relevant to the job or civil service position and its associated responsibilities. Applicants must be informed about this possibility in the job posting or the announcement regarding recruitment for civil service positions.
45.7. The personal data of a job applicant who was not selected for the position shall be retained for no longer than 3 months from the moment the applicant was notified that they were not hired or were not selected for a civil service position. Such personal data may be retained for a longer period only if:
• The applicant provides consent that meets the requirements established in these Rules, or
• Another legal basis for extended data retention arises.
45.8. After the termination of employment or civil service relations, new data about the former employee may only be collected if there is a legal basis for doing so and only to the extent necessary to achieve the specific lawfully justified purpose. Employees must be informed about such data collection.
45.9. An employee may use a Company-provided computer, email account, and other Company-owned devices, equipment, information and communication technologies, and software only for work-related purposes and solely to perform job functions. Employees are strictly prohibited from using Company-provided computers, phones, and other equipment for personal purposes, as well as from storing personal information or personal data on these devices.
45.10. Employees with remote access to the Company’s infrastructure must take all necessary measures to ensure the security and confidentiality of information and data. The Company is responsible for assisting employees in fulfilling this obligation.
45.11. The continuous monitoring or inspection of a Company-provided computer, email account, or other Company-owned devices, equipment, information and communication technologies, and software assigned to an employee is prohibited. Work tools and equipment provided by the Company—including email accounts, computers, mobile phones, and any personal data, other data, or information stored on them—may only be inspected if all of the following conditions are met:
45.12. Video surveillance and audio recording in employee workplaces may only be conducted if:
• It is necessary to ensure the safety of individuals, property, or public security due to the nature of the work; and
• Other means or measures are insufficient and/or inappropriate for achieving these objectives.
Video surveillance and audio recording may not be used solely for the purpose of monitoring work quality or performance. Employees must be informed about video surveillance and audio recording in a specific location by means of a visible sign placed in a clearly noticeable area.
46. PROCESSING OF PERSONAL DATA ON THE WEBSITE AND SOCIAL MEDIA ACCOUNTS
46.1. Information related to the collection, use, access, and processing of personal data, as well as the scope of data processing, is provided by the Company to data subjects in its Privacy Policy.
46.2. When the Company publishes employee personal data on its website or social media accounts, it must obtain the employee's prior consent, except in cases where the personal data is processed for internal administrative purposes.
47. PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA
47.1. The Company is not permitted to process special categories of personal data, except in the following cases:
• The data subject has explicitly consented to the processing of such personal data for one or more specified purposes, except in cases where exceptions are provided by law;
• The processing of special categories of personal data is necessary for the Company or the data subject to fulfill obligations and exercise specific rights in the field of employment and social security law;
• The processing of special categories of personal data is necessary to protect the vital interests of the data subject or another natural person when the data subject is physically or legally incapable of giving consent.
• The personal data being processed has been explicitly made public by the data subject;
• The processing of special categories of personal data is necessary for the establishment, exercise, or defense of legal claims;
• The processing of special categories of personal data is necessary for reasons of substantial public interest;
• The processing of special categories of personal data is necessary for public interest purposes in the field of public health, aimed at ensuring high standards of healthcare.

47.2. Special categories of personal data must be encrypted.
48. PROCESSING OF PERSONAL DATA FOR THE PROTECTION OF THE COMPANY'S RIGHTS AND INTERESTS
48.1. In order to protect its interests, the Company may transfer personal data to:
• A court,
• A company conducting pre-litigation debt recovery and representing the Company’s interests,
• A bailiff,
• Legal representatives of the Company, or
• Other persons representing the Company’s interests.
49. PROCESSING OF PERSONAL DATA WHEN THE COMPANY ACTS AS A DATA PROCESSOR
49.1. In the course of its activities, the Company may also act as a Data Processor when it processes personal data on behalf of and in accordance with the instructions of a Data Controller.
49.3. When processing personal data transferred by the Data Controller, the Company’s employees must always ensure the lawfulness of the intended actions, in accordance with:
• The agreement concluded between the Company and the Data Controller, and
• The data processing restrictions and procedures specified in that agreement.
49.4. Employees responsible for processing personal data within the Company must take measures to prevent accidental or unlawful processing of personal data, including:
• Safeguarding documents and data files, and
• Avoiding unnecessary duplication of personal data.

DATA PROTECTION IMPACT ASSESSMENT

49.5. In cases where, considering the category of personal data and data subjects, as well as the nature, scope, context, and purposes of data processing, there is a high risk to the rights and freedoms of data subjects, the Company must conduct a Data Protection Impact Assessment (DPIA) before initiating data processing operations.
49.6. A Data Protection Impact Assessment (DPIA) must be conducted when:
49.6.1. The data processing operation falls under the List of Data Processing Operations Requiring a Data Protection Impact Assessment, as approved by the Director of the State Data Protection Inspectorate by Order No. 1T-35 (1.12.E) of March 14, 2019, titled "On the Approval of the List of Data Processing Operations Requiring a Data Protection Impact Assessment" (hereinafter referred to as the List of Data Processing Operations), where a DPIA is mandatory.
49.6.2. The data processing operation does not fall under the List of Data Processing Operations for which a DPIA is mandatory, but the Company determines that the processing operation, based on the criteria set out in Section 79 of these Rules, may pose a high risk to the rights and freedoms of data subjects.
49.6.3. There is a change in the conditions under which data processing operations (actions) are carried out, and such changes may result in a high risk to the rights and freedoms of data subjects.
49.6.4. In other cases as specified in these Rules.
49.7. Whether a data processing operation (action) poses a high risk to the rights and freedoms of data subjects shall be assessed on a case-by-case basis, considering the following criteria:
43.3.1. Systematic monitoring of personal data or data subjects;
43.3.2. Confidential data or highly personal data, such as special categories of personal data;
43.3.3. Large-scale data processing (including the number of related data subjects, the volume of processed data, the diversity of processed data, the duration and continuity of data processing activities, and the geographical scope of data processing).
43.3.4. Linking and combining data sets;
43.3.5. Data related to vulnerable data subjects (e.g., children, employees, vulnerable individuals requiring special protection, and other segments where an unequal relationship between the data subject and the data controller may be established);
43.3.6. The application of new technologies or organizational solutions;
43.3.7. Restriction of data subjects’ ability to exercise their rights, access services, or enter into contracts due to data processing;
43.3.8. Other circumstances indicating a potentially significant risk to the rights and freedoms of data subjects.
43.4. The more criteria established herein that apply to a specific data processing operation (actions), the higher the likelihood that the data processing operation (actions) may pose a significant risk to the rights and freedoms of data subjects. In all cases, the necessity of conducting a data protection impact assessment is determined in consultation with the Company's Data Protection Officer.
43.5. A data protection impact assessment must be conducted before the implementation of data processing operations (actions).
44. PERSONAL DATA SECURITY MEASURES
44.3. ORGANIZATIONAL AND TECHNICAL SECURITY MEASURES
44.3.2. In order to ensure the protection of personal data, the Company implements or plans to implement the following personal data protection measures:
• Organizational measures (informing employees about documents regulating data security, periodic review and, if necessary, updating of documents regulating data security, controlled enforcement of these regulations, etc.);
• Technical security measures;
• Physical security measures.
44.3.3. In addition to other measures, the Company implements the following organizational security measures:
• The Company's manager approves the Procedure for the Use of Information and Communication Technologies and the Monitoring and Control of Employees in the Workplace;
• The Company's manager approves the Data Protection Impact Assessment Procedure;
• The Company's manager approves the Legitimate Interest Assessment Procedure.
• A registry of IT resources used for processing personal data (hardware, software, and network infrastructure) is maintained and reviewed and updated at least once every six months.
• All changes to the Company's IT systems are monitored and recorded by the Security Officer or another person designated by order of the Company's manager.
• Where possible, the development of the software used by the Company is carried out in a dedicated environment that is not connected to IT systems used for processing personal data.
• The Company has a detailed incident response and remediation procedure, as well as a business continuity plan, both approved by the Company's manager.
44.3.4. In addition to other measures, the Company implements the following technical security measures:
• A centralized tool is used to manage computer workstations;
• Updated antivirus software is continuously installed, and its deployment is centrally controlled;
• A mobile device management (MDM) solution is implemented on mobile devices, ensuring separation between work and personal environments, mandatory device encryption, and compliance checks;
• Mandatory antivirus software is installed on mobile devices.
• All laptops are encrypted;
• Regular backups of laptops are performed;
• USB blocking solutions are implemented, and in cases where USB devices are used, only encrypted devices are permitted.
• Only one controlled cloud application is used;
• When connecting via the internet, data transmission is encrypted using cryptographic protocols (TLS/SSL);
• Data traffic to and from the IT system is monitored and controlled using firewalls and intrusion detection systems;
• Access to IT systems is permitted only from pre-authorized devices.
• Mandatory backup of IT systems processing data is performed, including periodic testing of backups, mandatory backup storage in an external data center, encryption of backups, and backup of Office 365 data;
• A centralized logging system is implemented;
• A computer network and IT resource topology is established, with all external IP addresses identified;
• Video footage is stored in an encrypted storage system.
44.4. REQUIREMENTS FOR EMPLOYEES PROCESSING PERSONAL DATA
44.4.2. Access to personal data may only be granted to an employee who requires the data to perform their job functions. An employee automatically loses the right to process personal data upon the termination of their employment relationship with the Company.
44.4.3. Employees may only perform actions with personal data that they have been authorized to carry out.
44.4.4. An employee processing personal data is required to:
(i) Comply with the fundamental requirements for personal data processing and security, as established in the Law on Legal Protection of Personal Data of the Republic of Lithuania, these Rules, the General Data Protection Regulation (GDPR), and other applicable legal acts;
(ii) Adhere to the confidentiality agreement provisions;
(iii) Follow the organizational and technical personal data security measures established in these Rules and other policies set by the Company.
(iv) Not disclose, transfer, or enable access to personal data by any means to any person who is not authorized to process personal data;
(v) Stay informed about developments and issues related to personal data protection and, when possible, enhance their qualifications in the field of personal data legal protection.
44.4.5. For the purpose of ensuring proper personal data processing, the Company must provide data processing training for all employees who process personal data as part of their job functions. Training must be conducted at least once per calendar year.
44.5. ACCESS CONTROL
44.5.2. Access rights to the Company's information systems that process personal data are approved by order of the Company's manager, based on the Security Officer's recommendation. These rights are assigned considering each employee's job duties and responsibilities. The Security Officer must ensure that only employees who have been granted permission to use the Company's information systems processing personal data have access only to the specific personal data covered by their access authorization (access data control). In cases where deviations from the Company manager’s approved access rights policies are necessary, or when it is required to temporarily substitute a specific employee, access rights may be granted by the Security Officer, upon the recommendation of the direct supervisor of the employee in question.
44.5.3. When granting access to information, the Company adheres to the following principles:
(i) Need-to-know principle – Permission to access information may only be granted when it is necessary for the performance of job duties;
(ii) Least privilege principle – The permissions granted to users must be limited to those necessary for the intended purpose of using the information;
(iii) Separation of duties principle – Decisions regarding access rights must be made with consideration of potential conflicts of interest.
44.5.4. IT administrator functions must be performed using a separate dedicated account, which cannot be used for daily user activities.
44.6. PERSONAL DATA SECURITY BREACH
44.6.2. The Security Officer continuously monitors the compliance of the Company's personal data processing activities with these Rules and applicable legal regulations.
44.6.3. In the event of any personal data security breach that may result in harm to the data subject, including bodily injury, material or non-material damage, such as loss of control over personal data, restriction of rights, discrimination, identity theft or fraud, financial loss, unauthorized removal of pseudonymization, reputational harm, loss of confidential or professionally privileged data, or any other economic or social damage, the Company must notify the Supervisory Authority and/or the affected data subject without undue delay, and, if possible, no later than 72 hours from the time the breach was discovered. The notification must comply with the requirements and procedures established in the Personal Data Security Breach Response Procedure, approved by the Company’s manager, and must be submitted using the notification form recommended by the Supervisory Authority.
44.6.4. In the event of an electronic information security incident, the Company's Data Processing Information System Business Continuity Management Plan, approved by the Company’s manager, must be followed.
45. RECORDS OF DATA PROCESSING ACTIVITIES
45.3. The Company maintains records of data processing activities.
45.4. The records of data processing activities contain up-to-date information regarding the personal data processed within the Company.
45.5. Upon request from the Supervisory Authority, the Company must provide the records of data processing activities without delay.
46. SECURITY OFFICER
46.3. The Security Officer is appointed by order of the Company’s manager.
46.4. The Security Officer is responsible for ensuring the Company's compliance with legal regulations governing data protection.
46.5. Employees and data subjects have the right to directly contact the Security Officer regarding any issues related to the processing of their personal data.
46.6. In cases where the Security Officer is temporarily unable to perform their duties, they are substituted by the Company’s Human Resources Manager.
47. LIABILITY
47.3. The Company’s manager and/or employees authorized by the manager to process personal data in the Republic of Lithuania, who violate the requirements set forth in the Law on Legal Protection of Personal Data of the Republic of Lithuania, other legal acts regulating the processing and protection of personal data, or these Rules, shall be subject to liability measures prescribed by the laws of the Republic of Lithuania.
48. FINAL PROVISIONS
48.3. Supervision of compliance with these Rules and, if necessary, their review is entrusted to the Security Officer. The Rules are reviewed (and updated if necessary) annually or whenever legal regulations governing the processing and protection of personal data change.

INFORMATION NOTICE ON PERSONAL DATA PROCESSING

1. Who is responsible for processing your personal data?
MB Ethos Solutions, legal entity code 306689726, with its registered office at Gėlių g. 4, Didžiulių k., LT-60295 Raseinių r., is responsible for the processing of your personal data. The company's data is collected and stored in the Kaunas branch of the Register of Legal Entities of the Republic of Lithuania. For matters related to personal data protection, you can contact the Data Protection Officer via email at info@teisesprincipas.lt. The entity responsible for information protection is MB Ethos Solutions, legal entity code 306689726, with its registered office at Gėlių g. 4, Didžiulių k., LT-60295 Raseinių r.
2. What is personal data, and for what purposes and legal bases does MB Ethos Solutions process your personal data?
Personal data refers to any information collected by the Company about a Data Subject, which can be used to identify them and is stored electronically or by other means. Personal data includes any information, such as the Data Subject’s name, surname, and address, collected by the Company for the purposes specified in this Privacy Policy or in a separate Data Subject’s consent or agreement with the Company.

Data Processing Information


| Purpose of Data Processing | Processed Personal Data | Legal Basis for Data Processing | Data Retention Period |
| --- | --- | --- | --- |
| Registration on the website/application | Name, surname, phone number, date of birth, address, gender, email, health information. | Contract performance | 5 years. If services are purchased – 10 years. Health data is retained until the contract expires and is then immediately destroyed. |
| Contract conclusion, service sales, and provision | Name, surname, phone number, email address, residential address, date of birth, purchase-related information (purchase date, service description, price, discount applied). | Contract performance | 10 years. |

The above-mentioned data is necessary for proper contract execution. If you do not provide this data, the Company will be unable to fulfill the contract properly, except for the fingerprint model and photograph.
Since the Company collects sensitive information, with your consent (Article 9(2)(a) of the GDPR), we may process your fingerprint model for identification purposes in access control systems. Additionally, with your consent (Article 9(2)(a) of the GDPR), we may process your health data. In this case, if you send us health-related information requesting to suspend your membership, we will consider this as your consent for the processing of your health data. Please note that all your biometric and health data will be deleted after we record the membership suspension/termination date in the system.
The Company collects information lawfully, as it is necessary for the following purposes:
• To conclude and execute service contracts, including registration and account administration (Article 6(1)(b) of the GDPR);
• For the processing of health data, based on consent (Article 9(2)(a) of the GDPR);
• For identification purposes (Article 6(1)(b) of the GDPR).
• For sending informational notifications relevant to our activities, we rely on the performance of the concluded service contract (Article 6(1)(b) of the GDPR);
• For contract suspension due to non-payment of provided services, the suspension is carried out in accordance with the concluded service contract (Article 6(1)(b) of the GDPR);
• For sending direct marketing messages, we rely on consent (Article 6(1)(a) of the GDPR).
• For fulfilling legal obligations related to accounting, taxation, and document archiving, in compliance with applicable laws (Article 6(1)(c) of the GDPR);
• For defending our rights in courts, pre-litigation dispute resolution institutions, and similar bodies, as well as for providing information to insurance companies, based on our legitimate interest (Article 6(1)(f) of the GDPR).
3. As a data subject, you have the following rights:
• The right to know (be informed) about the processing of your personal data – We fulfill this right by providing you with this information notice and other notifications regarding the processing of your personal data, including but not limited to the Privacy Policy.
• The right to access your processed personal data;
• The right to request the correction of your personal data;
• The right to request the deletion of your personal data ("right to be forgotten");
• The right to withdraw consent for the processing of biometric data at any time, if such consent was previously provided by you.
• The right to restrict the processing of your personal data – If data processing is restricted, we may continue to store your personal data but will not process it further, except for data necessary for postponing payments for Co-Controllers' services or providing financial social support.
• The right to data portability;
• The right to object to the processing of your personal data.

If you believe that the processing of your personal data violates data protection laws, you have the right to file a complaint with the State Data Protection Inspectorate, either by mail at L. Sapiegos g. 17, LT-10312, Vilnius, or online at https://vdai.lrv.lt.
To exercise your rights as a data subject, you may contact us using the contact details provided in this notice.
You can also reach our Data Protection Officer via email at info@teisesprincipas.lt.
Your request will be reviewed, and a response will be provided within 30 calendar days.
You are not required to provide us with any personal data.
However, the data we collect about you is used exclusively for the purpose of providing services to you.
Therefore, if you choose not to provide this data, we may be unable to offer you our services.
5. How We Protect Your Data:
To ensure maximum security of your personal data, we have implemented and applied technical and organizational measures that allow us to achieve this goal.
These measures protect your personal data from accidental or unlawful destruction, alteration, disclosure, and any other unauthorized processing.
The implemented security measures cover staff, IT infrastructure, internal and public networks, information security, as well as the premises and technical equipment used.


PRIVACY POLICY

1. What does Privacy Policy mean?
This Privacy Policy (hereinafter referred to as the "Privacy Policy") provides you with information on how MB Ethos Solutions (hereinafter referred to as the "Company") processes your personal data obtained through the following means:
(i) in the course of executing the Company's contracts;
(ii) when you engage in active interactions on the Company's social media accounts;
(iii) in the context of the Company's direct marketing activities;
(iv) when participating in the Company's recruitment processes;
(v) to ensure the protection of confidential information and business continuity;
(vi) from shareholders (natural persons) and members of management bodies;
(vii) to fulfill contracts concluded between the Company and counterparties – legal entities;
(viii) to ensure the protection of property and individuals.
All the aforementioned individuals whose data is processed by the Company are hereinafter referred to as "Data Subjects."
The Privacy Policy also establishes certain obligations for Data Subjects that must be adhered to when visiting the website Ethostherapy.co.uk (hereinafter referred to as the "Website").
2. About the Company
MB Ethos Solutions, legal entity code 306689726, with its registered office at Gėlių g. 4, Didžiulių k., LT-60295 Raseinių r., is a company whose data is collected and stored in the Register of Legal Entities of the Republic of Lithuania.
The contact email of the Data Protection Officer is info@teisesprincipas.lt.
The entity responsible for information protection is MB Ethos Solutions, legal entity code 306689726, with its registered office at Gėlių g. 4, Didžiulių k., LT-60295 Raseinių r.
3. What is Personal Data?
3.1. Personal data refers to any information collected by the Company about a Data Subject that can be used to identify the Data Subject and is stored electronically or by other means.
3.2. Personal data includes any information, such as the Data Subject's name, surname, address, and other details collected by the Company for the purposes specified in this Privacy Policy or in a separate Data Subject’s consent or agreement with the Company.
4. Execution of Contracts


| Purpose of Data Processing | Processed Personal Data | Legal Basis for Data Processing | Data Retention Period |
| --- | --- | --- | --- |
| Contract conclusion | Name, surname, phone number, date of birth, personal identification number, address, gender, email, health information, identity-confirming document. | Performance of a contract | 5 years. If services are purchased – 10 years. Identity-confirming data is stored until the purchased gym membership expires, after which it is immediately destroyed. |
| Contract execution | Name, surname, phone number, date of birth, personal identification number, address, gender, email, information about physical fitness, health, identity-confirming document. | Performance of a contract | 5 years. If services are purchased – 10 years. Identity-confirming data is stored until the purchased gym membership expires, after which it is immediately destroyed. |


4.1. The above-mentioned data is necessary for the proper execution of the contract. If such data is not provided, the Company will not be able to fulfill the contract properly, except for the fingerprint model and photograph.
Therefore, the Company collects sensitive information: with your consent (pursuant to Article 9(2)(a) of the GDPR), we may process your health data.
Please note that all your personal and health data is deleted after the date of subscription suspension/termination is recorded in the system.
4.2. The Company collects information lawfully, as it is necessary for the following purposes:
• To conclude and execute service contracts, including registration and account administration (Article 6(1)(b) of the GDPR);
• For the processing of health data, based on consent (Article 9(2)(a) of the GDPR);
• For identification purposes, in order to fulfill the concluded service contract (Article 6(1)(b) of the GDPR);
• For sending informational notifications, based on the performance of the concluded service contract (Article 6(1)(b) of the GDPR);
• For contract suspension due to unpaid services, in accordance with the concluded service contract (Article 6(1)(b) of the GDPR);
• For sending direct marketing messages, based on consent (Article 6(1)(a) of the GDPR);
• For compliance with legal obligations in the areas of accounting, taxation, and document archiving (Article 6(1)(c) of the GDPR);
• To protect the Company’s legitimate interests in defending its rights in courts, pre-litigation dispute resolution institutions, and similar bodies, as well as providing information to insurance companies in cases of damage (Article 6(1)(f) of the GDPR).
4.3. Your information may be shared with:
• State and local government institutions (e.g., the State Tax Inspectorate and similar bodies) in cases and to the extent prescribed by law;
• The Company’s service providers, including debt collection agencies, IT system providers, IT service providers, communication service providers (e.g., email services), and data storage service providers, who assume confidentiality and security obligations in accordance with personal data protection laws;
• Insurance companies;
• Legal service providers and law firms, to the extent necessary for obtaining legal assistance or defending legitimate interests;
• Courts, pre-litigation dispute resolution institutions, and other competent authorities, to the extent necessary for the defense of our legitimate interests;
• Bailiffs, to the extent necessary for the enforcement of court and pre-litigation dispute resolution decisions.
4.4.
To ensure the legitimate interest of executing contracts concluded between the Company and its corporate counterparties, the Company processes the personal data of these counterparties' employees, including name, surname, email address, phone number, and correspondence content. These data are retained for four (4) years.
4.5.
If you are a service provider and will be providing services to the Company, we will process contractual data.
4.6.
When processing the personal data of the Company’s service provider or supplier employees, the legal basis for such data processing is the Company’s legitimate interest.
4.7.
If you provide services as a natural person, the Company will process your data on the basis of contract performance. The personal data specified in this section will be processed for the duration of the contract. If personal data is included in contracts, it will be retained for 10 years from the date of contract termination.
5. Participation in Recruitment Processes
5.1. We collect and process your curriculum vitae (CV), cover letter, and/or other information you provide, including:
• Name, surname, date of birth, address, email, phone number;
• Information about salary (monthly salary/hourly wage);
• Information about payment terms and schedules;
• Work hours, other conditions, and commitments.
This data is processed based on your consent, which you express by sending your CV either directly to us or through an employment service provider.
5.2. We collect information about you lawfully because:
• The information is necessary to evaluate your candidacy for a position in our company (Article 6(1)(b) of the GDPR);
• We have a legitimate interest in contacting your previous employers to obtain more information about your professional and work-related qualities (Article 6(1)(f) of the GDPR);
• We rely on your consent to obtain information about your professional and work-related qualities from your current employer (Article 6(1)(a) of the GDPR);
• We have a legal obligation to retain received inquiries, requests, and complaints (Article 6(1)(c) of the GDPR).
5.3.
If you do not submit your curriculum vitae (CV) and/or cover letter, we will not be able to assess your suitability for the offered position.
5.4.
If you do not provide separate consent for the processing of your personal data after the conclusion of this recruitment process, we commit to deleting and/or destroying your personal data within five (5) business days after an employment contract is signed with the selected candidate.
5.5.
The Company states that it does not collect sensitive information about you. However, if you voluntarily provide us with sensitive information during the recruitment process, we will consider this as your consent to process such personal data (Article 9(2)(a) of the GDPR).
6. Protection of the Company’s Confidential Information and Business Continuity
6.1.
To ensure its legitimate interest in protecting the Company's confidential information and ensuring business continuity, the Company may review its employees' correspondence with counterparties.
For these purposes, the Company processes the following data:
• Email address
• Name and surname
• Content of information stored in electronic work tools
• Content of email correspondence
• Employee's online activity records
Such data is retained for four (4) years.
7. Protection of Property and Individuals
7.1.
To ensure the safety of Data Subjects, visitors, and employees, as well as to protect the property of Data Subjects, visitors, employees, and the Company, video surveillance is conducted. The following data is processed:
• General visual recordings within the surveillance area
• Location and movement of individuals within camera surveillance zones
• Possessed property
• Behavioral patterns and other relevant information (date, time)
These data are processed for 14 (fourteen) days from the date of collection, based on the Company’s legitimate interest.
7.2.
To protect the safety of Clients, visitors, and employees, as well as to safeguard the property of Clients, visitors, employees, and the Company, and to record and preserve evidence of incidents (such as property damage, theft, unlawful actions, injuries, accidents, etc.), the Company processes video recordings and their recording date.
These data are processed for 14 (fourteen) days from the date of collection, based on the Company’s legitimate interest.
8. Processing of Shareholders' (Natural Persons) and Management Body Members' Data
8.1.
In compliance with legal obligations, the Company processes the following data of shareholders (natural persons) and members of management bodies:
• Names and surnames
• Personal identification numbers
• Residential addresses
• Appointment dates
The Company's operational data is retained for 10 years.
9. Direct Marketing
9.1.
For individuals who have provided their contact details and expressed a desire to receive information about the Company's offered goods and/or services, we will send marketing communications via electronic means (email, phone, SMS messages), including:
• Offers regarding the sale of the Company's goods or provision of services,
• Newsletters and other promotional materials,
• Requests for feedback on provided services,
• Notifications about Company updates.
9.2.
For the purpose of direct marketing, the Company will process the following personal data:
• Phone number,
• Email address (mandatory data, without which we will be unable to send direct marketing messages).
9.3.
Your data will be used for direct marketing purposes for three (3) years after consent is obtained.
9.4.
If you are our Client and have not objected to receiving direct marketing messages from the Company by notifying us at the email provided below, we will send marketing messages via email about goods or services similar to those you have purchased or used, based on our legitimate interest.
9.5.
For Clients who have provided consent, we may offer personalized offers based on an analysis of their data, including:
• Name, surname, phone number, email address, residential address,
• Frequency of visits,
• Selected membership type.
Personal data for this purpose will be processed for one (1) year after obtaining consent.
9.6.
You have the right to opt out of receiving direct marketing messages at any time by contacting us via email.
10. Social Media and Website
10.1.
You may register and create an account on the Website only if you are 18 years old or older. All information you provide to the Company when becoming a registered Client will be collected and stored based on your consent, in accordance with the terms of this Privacy Policy.
If, in our reasonable opinion, you violate any provision of our Privacy Policy, we reserve the right to block your account at any time.
If you know or suspect that a third party has gained access to your username or password, you must notify us as soon as possible via email.
10.2.
All information you provide to us via social media platforms (including messages, the use of "Like" and "Follow" buttons, and other communications) is controlled by the social network operator.
10.3.
Our Website contains links to our social media accounts.
10.4.
We recommend reading the privacy notices of third parties and directly contacting service providers if you have any questions about how they process your personal data.
10.5. Cookies
The Company provides public access to the Website, maintains it, and continuously improves it. For these reasons, the Company uses cookies.
A cookie is a small file consisting of letters and numbers that, with your consent, we store in your browser or on your computer’s hard drive.
We use different types of cookies for various purposes. On the Website, we collect only anonymous data obtained from cookies, including your browsing trends on our Website and demographic data.
10.6. We collect information about you lawfully because:
• We have a legitimate interest in using cookies necessary for the proper functioning of the Website and its features (Article 6(1)(f) of the GDPR);
• For the use of analytical and advertising cookies, we rely on your consent (Article 6(1)(a) of the GDPR).
10.7. Types of Cookies
• Strictly Necessary Cookies – These cookies are essential for the proper functioning of the Website. The legal basis for processing data through these cookies is the proper performance of the contract when the Client visits the Website, ensuring quality and security. These cookies may, for example, enable the Client to log in, access secure areas of the Website, use the shopping cart function, or access other essential services.
• Analytical and Performance Cookies – These cookies allow the Company to identify and count Website visitors and monitor how visitors navigate the Website while using it. This helps the Company improve Website performance and ensure that users can easily find the information they need. The legal basis for processing data collected through these cookies is Client consent.
• Functional Cookies – These cookies are used to recognize Clients when they return to the Website, allowing the Company to customize content according to Client preferences and remember relevant information. The legal basis for processing data collected through these cookies is Client consent.
10.8.
Cookies also help us distinguish you from other Website users, ensuring a more pleasant browsing experience and allowing us to improve the Website.
Most browsers allow you to reject all cookies, and some browsers provide an option to reject only third-party cookies. You may choose to use these options.
However, please note that blocking all cookies may negatively impact your experience on the Website, and without cookies, you may not be able to use all the services provided on the Website.
We use the cookies described below, and a detailed list of these cookies can be found here:
• stripe_mid – Ensures payment security and functionality; prevents fraud.
• m – Also used by Stripe to identify the device and prevent fraud.
• cids – Used for session management.
• csrftoken – Verifies that the login attempt is legitimate and not an attack.
• frontend_lang – Stores the selected language.
• messages – Displays notifications or errors to the user when they occur.
• sessionId – Stores user information to ensure a stable session.
• jsessionid – Manages video call session settings.
• config.js – Stores user settings related to camera, microphone, and similar features.
• jwt – Ensures that only authenticated users can access their assigned session.
• G_AUTHUSER_H – Google authentication cookie that stores information about a user logged in via Google authentication.
Non-functional Cookies:
• _fbp – Facebook Pixel Cookie – Helps improve user acquisition from ads by tracking user activity on the Website.
• fr – Facebook Cookie – Assists with advertising and user profiling, can track users across different websites.
• _fbc – Facebook Click ID Cookie – Tracks the success of advertisements.
• datr – Facebook Security Cookie – Ensures security and prevents fraud from Facebook’s side.
• _ga – Google Analytics Cookie – Tracks user actions across different web pages, generating analytics on advertising success and efficiency.
• _gac – Google Ads Campaign Cookie – Tracks advertising campaign success, monitoring user activity after logging in, and whether the ad was effective (e.g., whether the user engaged or made a purchase).
• _gads – Google Ad Manager Cookie – Stores user information related to advertising performance, helping evaluate ad effectiveness.
10.9.
We may share your cookie information with our service providers that provide us with IT and website hosting services.
10.10.
You can control the use of cookies by changing your browser settings. For more information, please visit the website of your browser developer.
10.11.
Please note that deleting cookies or disabling their use in the future may prevent you from accessing certain parts or features of our Website. Changing your cookie settings may also affect other websites you visit.
11. Video Surveillance
11.1.
Video surveillance is conducted (if applicable) because the Company aims to protect its property and, in the event of an incident, ensure that evidence related to the incident is preserved. For this purpose, we have installed video surveillance cameras in our Company premises. Additionally, for the protection of our legitimate interests, if necessary, we may use your personal data to defend our legal interests in courts, pre-litigation dispute resolution institutions, and other competent authorities.
In the event of damage to our property, we may also share your data with insurance companies.
11.2.
The Company has a legitimate interest in ensuring the security of its assets and preserving evidence of incidents; therefore, we may conduct video surveillance (Article 6(1)(f) of the GDPR).
Additionally, we have a legitimate interest in defending our rights in courts, pre-litigation dispute resolution institutions, and similar bodies.
Furthermore, if you cause damage to us (our property), which we have insured, we may share your information with insurance companies (Article 6(1)(f) of the GDPR).
12. Disclosure of Data
12.1.
We may disclose information about you to our employees, managers, agents, service providers, such as debt administration or collection companies, marketing service providers, IT service providers, or subcontractors, if it is reasonably necessary for the purposes specified in this Privacy Policy.
12.2.
Additionally, we may disclose information about you:
• If required by law;
• To defend our rights or interests (including providing your data to third parties for the purpose of debt collection);
• In the event of an intended sale of the Company’s business or part of its assets, by disclosing your personal data to a potential buyer;
• If the Company’s business or a substantial part of its assets is sold to third parties.
12.3.
Your personal data will not be transferred to a third country or an international organization.
12.4.
Except as specified in this Privacy Policy, we do not provide your personal data to any third parties.
12.5.
The list of data recipients or categories of recipients mentioned in this Privacy Policy may change. If you wish to be notified about any changes regarding the recipients of your personal data, please inform us via the email address provided in this Privacy Policy by including the following text in your email:
"I wish to receive information about changes to the recipients of my personal data. Name, Surname."
13. Security of Your Personal Data
13.1.
Your personal data will be processed in compliance with the General Data Protection Regulation (GDPR), the Law on Legal Protection of Personal Data of the Republic of Lithuania, and other applicable legal requirements.
When processing your personal data, we implement organizational and technical measures to ensure protection against accidental or unlawful destruction, alteration, disclosure, or any other unauthorized processing.
14. Your Rights
14.1.
This section provides information about your rights regarding the processing of your personal data by us and the circumstances under which you may exercise these rights. If you would like more information about your rights or wish to exercise them, please contact us via the email address provided in this Privacy Policy.
14.2.
The Company will provide you with information about the actions taken regarding your request to exercise your rights without undue delay, but no later than within one (1) month from the date of receiving your request.
Considering the complexity of the request and the number of requests received, this period may be extended by an additional two (2) months.
In such a case, we will inform you within one (1) month from the date of receiving your request about the extension and the reasons for it.
The Company will only refuse to fulfill your request in cases provided for by law.
14.3. Requests, Complaints, Inquiries:
When submitting an inquiry via the contact email addresses provided on the Company’s website or by mail, you should provide:
• Your name and surname
• Email address or another contact detail
• Inquiry subject and content
• Any other relevant information related to the inquiry
Upon submitting an inquiry, you may be asked to provide additional information about yourself to enable us to respond appropriately.
14.4. We collect and store information about you lawfully because:
• If you submit an inquiry, request, or complaint regarding a contract concluded between us or for the purpose of concluding a contract, these data are collected for contract performance or conclusion purposes (Article 6(1)(b) of the GDPR);
• If you submit an inquiry, request, or complaint for any reason other than contract conclusion or execution, we have a legitimate interest in handling received inquiries (Article 6(1)(f) of the GDPR);
• We have a legal obligation to retain received inquiries, requests, and complaints (Article 6(1)(c) of the GDPR);
• We have a legitimate interest in defending our rights in courts or other institutions (Article 6(1)(f) of the GDPR).
14.5.
The Company states that it does not collect sensitive information about you, including: Racial or ethnic origin, Political opinions, Religious or philosophical beliefs, Trade union membership, Genetic data, Biometric data, Health data, Data concerning an individual's sex life or sexual orientation. If this information is not relevant to your submitted or intended complaint, request, or inquiry, please do not provide it.
However, if such information is provided, we will consider that you have given consent for its processing (Article 9(2)(a) of the GDPR).
14.6.
The Company informs you that, in the case of a request, complaint, or inquiry, your information may be shared with:
• Legal service providers and law firms, to the extent necessary for the protection of our legitimate interests;
• Bailiffs, to the extent necessary for the enforcement of awarded claims;
• Our service providers, including communication (email), IT, and business management platform service providers, if the inquiry, request, or complaint is submitted via email.
14.7.
Your information will be retained as follows:
• If your inquiry is related to a contract that we have concluded or plan to conclude, we will retain it for 10 years after the contract ends.
• If you submit a complaint, request, or other inquiry that is not related to contract conclusion or performance, we will retain it for 1 year after a decision has been made by our Company.
• Documents submitted to courts, dispute resolution bodies, or law enforcement institutions will be retained for 1 year after the final decision is issued.
• Court enforcement orders and bailiff rulings will be retained for 10 years after payment completion.
15. Right to Withdraw Consent
15.1.
If you have provided us with explicit consent for the processing of your personal data, you may withdraw it at any time.
16. Right to Access Your Personal Data
16.1.
We strive to ensure that you fully understand how we use your personal data so that you do not experience any inconvenience.
You may contact us at any time to inquire whether we process any of your personal data.
If we store or use your personal data in any way, you have the right to access it.
To do so, you must:
• Submit a written request to the address provided in this Privacy Policy;
• Verify your identity;
• Act in good faith and reasonably when submitting such a request.
17. Right to Request Additional Information
17.1.
We understand that it is difficult to cover every possible way personal data may be collected and used.
We strive to provide clear and comprehensive information and are committed to updating this Privacy Policy whenever changes occur in the processing of personal data.
However, if you have any questions regarding the use of your personal data, we will be happy to provide answers or share any additional information that we are legally allowed to disclose. If you have specific questions or do not understand the provided information, please contact us.
18. Additional Rights
18.1.
Below is information regarding additional rights you may exercise in accordance with the procedures described:
• You have the right to request that we correct any inaccuracies in your personal data. In such cases, we may ask you to confirm the corrected information.
• You have the right to request that we delete your personal data. This right may be exercised in accordance with the General Data Protection Regulation (EU) 2016/679, Article 17.
• You have the right to request that we restrict the processing of your personal data or cease processing in the following cases:
◦ For the period necessary to verify the accuracy of your personal data, if you have challenged its accuracy;
◦ When our collection, storage, or use of your personal data is unlawful, but you choose not to request deletion of the data;
◦ When your personal data is no longer needed by us, but you require it to establish, exercise, or defend a legal claim;
◦ For the period necessary to determine whether we have a compelling legal basis to continue processing your personal data, if you have exercised your right to object to data processing.
• You have the right to data portability for the data that we have collected from you based on your consent or for the purpose of contract execution. If you exercise this right, we will provide you with a copy of your submitted data upon request.
• You have the right to object to the processing of your personal data:
◦ When we use your data to pursue our legitimate interests, but we do not have a compelling legal basis to continue processing your personal data;
or
◦ At any time, when we use your personal data for sending newsletters or for direct marketing purposes. In such cases, your data will no longer be used for these purposes, but it may still be processed for other lawful purposes.
19. Complaints
19.1.
If you believe that your rights as a data subject have been or may be violated, please contact us immediately via the email address provided in this Privacy Policy.
We assure you that upon receiving your complaint, we will respond within a reasonable timeframe and keep you informed about the progress of the investigation, as well as its final outcome.
19.2.
If you are not satisfied with the investigation results, you have the right to submit a complaint to the supervisory authority – the State Data Protection Inspectorate (www.vdai.lrv.lt).
20. Liability
20.1.
You are responsible for maintaining the confidentiality of the data you provide, as well as ensuring that the information you submit to us is accurate, correct, and complete.
If your provided data changes, you must immediately notify us via email.
We will not be liable for any damage or loss you may suffer as a result of providing incorrect or incomplete personal data or failing to inform us of changes to your data.
21. Contact Us
21.1.
There are several ways you can contact the Company: by phone or email.
All messages are received, reviewed, and responded to directly by us.
If you contact us, we may process the personal data you provide, including:
• Name and surname
• Email address
• Phone number
• Date of communication
• Message content
21.2.
This data will be processed to prepare for contract execution or to respond to your inquiries. If you do not provide your contact details, we will be unable to respond to you.
21.3.
Correspondence is retained for one (1) year from the date of receipt, except for information that is subject to different retention periods as specified in this Privacy Policy or applicable legal regulations.
21.4.
All personal data you provide when communicating with us is used only for the purposes stated above, including reviewing messages and managing communication flows.
We commit to not using your personal data in any publications in a way that would allow your identity to be determined, without your explicit consent.
21.5.
Please note that we may need to contact you via mail, email, or phone. If your personal data changes, please inform us as soon as possible.
22. Changes to the Privacy Policy
22.1.
We may update or modify this Privacy Policy at any time.
Any updated or modified version of the Privacy Policy will become effective upon its publication on our Website.
You should periodically review the Privacy Policy to ensure that you are satisfied with the latest version.
22.2.
When we update the Privacy Policy, we will inform you of any changes that are, in our opinion, significant by publishing them on the Website.
The "Last Updated Date" below indicates when the Privacy Policy was last revised.
22.3.
The last update to the Privacy Policy was made on December 10, 2024.