PERSONAL DATA PROCESSING POLICY

Approved and valid from 2018-05-25

1.  The definitions used in this Personal Data Processing Policy have the following meanings:

1.1.  Personal Data – means any information about a natural person who is identified or whose identity is directly or indirectly identifiable (data subject), e.g. by name and surname, a personal identification number, location data and an online identifier or by physical, physiological, genetic, mental and other features.

1.2.  Person – means any natural person, whose Personal Data is being processed (data subject), e.g. a Potential Candidate, Candidate, Temporary Employee, Administrative Employee or any other natural person.

1.3.  Responsible Person – means a person responsible for the protection of Personal Data and appointed by the Controller, including a data protection officer (as defined under the GDPR). Email of the data protection officer appointed by the Controller: dpo@biuro.eu.

1.4.  GDPR – means the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

The GDPR is accessible here:

http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG

1.5.  Biuro Group – is formed by these companies: UAB “Biuro Baltic”, UAB “Biuro”, UAB “Darbius”, UAB “Vorkis”, SIA “Biuro”, SIA “Biuro Latvia”, SIA “Starjobs”, OÜ “Biuro”.

1.6.  Data Processing – means any automated or non-automated operation performed with regard to Personal Data, e.g. collection, recording, organisation, structuring, storage, adaptation or alteration, consultation, use, disclosure, restriction, erasure or destruction, etc.

1.7.  Potential Candidate – means a natural person whose Personal Data is, as a rule, publicly accessible or published in various job search databases, or has been made accessible by the person himself/herself by submitting his/her data in order to be contacted with a proposal to cooperate with the Controller, to participate in the selection procedure and, depending on the results of the selection, to be employed. A Potential Candidate who fills in his/her Personal Data form becomes a Candidate.

1.8.  Candidate – means a natural person who has already been contacted by the Controller and who has consequently agreed to cooperate with the Controller, and who has completed the required forms and provided his/her Personal Data necessary for the Controller to provide potential job offers and/or to invite him/her to the selection procedure and, after he/she successfully passes the selection procedure, to offer the conclusion of an employment contract.

1.9.  Temporary Employee – means a Candidate, who successfully passed the selection procedure and concluded a temporary employment agreement.

1.10.  Administrative Employee – means, as a rule, an administrative employee of the Controller working with Personal Data; however, this may also be a representative, agent or other person performing the Controller’s orders on any other ground and having access to Personal Data.

1.11.  Breach – means a breach of Personal Data security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

1.12.  Policy – means the Personal Data Processing Policy of Biuro Group.

1.13.  Supervisory Authority – means an independent public authority, established to supervise compliance with requirements for Data Processing, as well as to perform other rights and duties stated in GDPR. The lead Supervisory Authority is a State budget institution established in the Republic of Lithuania, the State Data Protection Inspectorate.

The link to the webpage of the State Data Protection Inspectorate is: www.ada.lt

1.14.  Processor – means any natural or legal person, which processes Personal Data on behalf of the Controller, i.e. which assists the Controller and performs the Controller’s orders.

1.15.  Controller – means any company of Biuro Group acting as Personal Data controller, which, alone or jointly with others, determines the purposes and means of Data Processing. This definition refers, depending on the context, to any single company of Biuro Group or to all Biuro Group companies.

2.  The purpose of the Policy is to define the main rules for the Data Processing performed by each company of Biuro Group as a Controller, ensuring compliance with and proper implementation of the GDPR and other applicable legal acts.

3.  First of all, while processing Personal Data, the Controller complies with the following GDPR principles: purpose limitation (Data Processing only in a manner that is compatible with the purposes originally determined); data minimisation (only as much Personal Data as necessary); lawfulness, fairness and transparency; accuracy; storage limitation (kept for no longer than is necessary for the particular purpose); integrity and confidentiality; as well as the principle of accountability (the Controller shall be able to demonstrate compliance with its obligations).

4.  All Administrative Employees must comply with the requirements set out in the Policy when processing Personal Data in the Controller’s databases, irrespective of how the Personal Data was received or collected. The same applies when they learn of Personal Data while performing their functions. Personal Data may be processed and used only by those Administrative Employees for whom this is necessary to perform their functions and who have been familiarised with the Policy (i.e. upon signature of the employment agreement). Such Administrative Employees are entitled to familiarise themselves or others with such documents and/or data only to the extent necessary to perform their functions.

5.  The implementation of the Policy and compliance with the above-mentioned Personal Data protection principles are ensured by the Head of the Controller together with the Responsible Persons, by establishing appropriate measures and supervising whether proper measures are in place.

The relevant list of Responsible Persons is accessible to each Controller via the database of Biuro Group.

6.  Personal Data is processed by the Controller in pursuance of legitimate purposes and in the manner specified on each Controller’s website or mobile application. Detailed information about Data Processing is kept in the internal database and is accessible only to Responsible Persons. The information on Data Processing required under the GDPR will be provided to Persons in their native language in the form of a table: information on Personal Data, purposes, legal basis for the processing, categories of Persons, storage term, data processors and recipients, and other information if required (e.g. the source of the data where it is not obtained from the Person; whether data is transferred to a third country outside the EEA; the consequences where Personal Data is not provided).

The table is available via the Controller’s website in the Section “Personal Data”.

7.  In exceptional cases, in which special categories of Personal data are processed, e.g. criminal records, health information, membership in trade unions, etc., Administrative Employees will verify additionally, whether all required actions are exercised and will perform additional actions (e.g. will get a separate consent for processing) and measures (e.g. avoid storage in the Controller’s database or any other programs used), should this be necessary.

Actions and their sequences for processing of special categories of Personal Data are described in internal process “Processing of Special Personal Data” of Biuro Group.

8.  Personal Data may be obtained directly from Persons and third parties by automatic or non-automatic means as specified in the table on Data Processing. Where Personal Data is provided by non-automatic means, Administrative Employees enter the collected data manually into the Controller’s database.

The table is available via the Controller’s website in the Section “Personal Data”.

9.  Processed Personal Data may be transferred to other parties only according to the procedure set out in the GDPR or other applicable legal acts, and only in cases specified under this Policy or the table on Data processing. Personal Data may be transferred outside the boundaries of the European Union or the European Economic Area only if a sufficient level of Personal Data protection is ensured. The Controller uses Processors for Data Processing, i.e. providers of server and cloud computing services, which can operate outside the boundaries of the European Union and the European Economic Area. Accordingly, Personal Data may be transferred to third countries to the extent necessary for performance of Data Processing functions assigned to the Processor.

The table is available via the Controller’s website in the Section “Personal Data”.

10.  The Controller may provide Personal Data to courts, law enforcement authorities, bailiffs, notary offices, lawyers, lawyers’ assistants, state and municipal authorities, companies, institutions and organisations, administrators of companies where bankruptcy procedures are initiated, and to other similar subjects. Personal Data may also be provided to service providers if this is related to the provision of the Controller’s services (e.g. financial or legal advice, updating of programs that process Personal Data). Data is provided when it is required in order to protect legal interests, or to prevent or, where the legal acts so require, to investigate criminal or illegal acts (e.g. information on traffic accidents, theft, damage caused, etc.), as well as in other cases foreseen by legal acts. Data is provided only to the extent necessary.

Actions and their sequences for the provision of Personal Data are described in the internal process “Data transfer” of Biuro Group.

11.  The Controller may use Processors. The Processor’s activities and obligations are governed by the contract between the Controller and the Processor, except in cases in which Data Processing is performed in accordance with a legal act that is binding on the Processor. At the discretion of the Controller, Data Processing issues may also be regulated in an Annex to the master agreement on service provision or any other type of contract concluded between the Controller and the Processor (i.e. signing a separate agreement is optional).

Actions and their sequences for the engagement of the Processor are described in the internal process “Engagement of the Processor” of Biuro Group.

12.  Technical and organisational security measures are implemented. The Controller at its discretion chooses and implements appropriate organisational measures (e.g. drafting of the Policy, control of its implementation, password-secured access to computers, to the computer network and to the database) and technical measures (use of antivirus programs, installation of indoor alarms, physical control of persons’ access to the property, etc.). While performing their activities, the Controller and its Administrative Employees constantly consider the existing risks and seek to reduce or avoid them to the extent possible.

A detailed list of organizational and technical measures implemented is provided in Annex No. 1 "The list of technical and organizational measures implemented".

13.  Administrative Employees must maintain confidentiality and keep secret the Personal Data of which they learned while performing their functions, unless, according to the applicable legal acts, such information is publicly accessible, or the Person has consented to such disclosure, or disclosure is necessary for the prevention of criminal or other illegal acts, or in other cases foreseen by legal acts. This obligation remains in effect after the termination of the employment contract or any other type of contract between the Controller and the Administrative Employee. For this purpose, confidentiality agreements may additionally be signed with the Administrative Employee.

14.  If Administrative Employees who perform Data Processing functions (including employees who only familiarise themselves with Personal Data) discover or suspect a Breach of Personal Data security or of the provisions of this Policy, they must immediately notify the Responsible Person of such Breach or suspicion (within 1 hour after discovery, if possible). Following such notice, the Administrative Employee must take the measures ordered by the Responsible Person (or the Head of the Controller) in order to avoid the potential Breach or to remedy a Breach that has occurred. In case of a Breach, the Controller shall immediately notify the Supervisory Authority about the Breach, if possible within 72 hours from the moment of discovery, and may notify the Person.

Actions and their sequences for notifying about a (potential) Breach are described in the internal process “Notice on breach” of Biuro Group.

15.  A Person has all rights established under the GDPR, including the right to know (to be informed) about the processing of his/her Personal Data, to access his/her Personal Data and information on how it is processed, to receive information about the sources and the kind of collected data, the purpose of processing and the recipients to which data is provided, and the right to rectification, destruction, restriction or termination of Personal Data Processing (except storage). In case of non-compliance with the Policy, the GDPR or any other applicable legal acts, the Person is also entitled to withdraw his/her consent to the processing of his/her Personal Data, to request the erasure of processed data, to data portability and to lodge a complaint with the Supervisory Authority.

16.  The Person may at any time exercise his/her rights listed in this Policy by written request, submitted in person, via post or via electronic means (e-mail dpo@biuro.eu). Upon receipt by the Controller (its Administrative Employee), such a request is handled free of charge within 30 days and is either satisfied (if the Controller finds that the request is justified) or rejected, giving reasons for such decision.

Actions and their sequences when handling the requests related to the Person’s rights are described in the internal process “Rights of Data subjects” of Biuro Group.

17.  If the Person believes that his/her rights related to Data Processing have been violated, he/she can lodge a complaint with the lead Supervisory Authority. In any case, with regard to the violation of his/her rights, a Person may also address the Supervisory Authority in his/her state of residence, which will transfer the claim to, or investigate it together with, the lead Supervisory Authority following the procedure established under the GDPR.

18.  When Personal Data is no longer necessary for the processing purposes, it is erased by automatic means; when a Person submits a valid request to erase Personal Data, the Personal Data is erased according to the procedure established by the Controller, in a way that makes its restoration or the recognition of its content impossible.

Actions and their sequences on how Personal data is erased are described in the internal process “Rights of Data subjects” of Biuro Group.

18.1.  Administrative Employees directly serving or working with Persons are responsible for explaining to them their rights related to Data Processing and protection. Administrative Employees are liable for breaching the Policy in accordance with the procedure established by the legal acts.

18.2.  Instructions related to Data Processing included in the internal processes of Biuro Group, other information available to the Administrative Employees in relation to Data Processing, as well as the information published via the websites and mobile applications of Biuro Group companies, form an integral part of this Policy.

19.  Controllers may also perform video surveillance. Processing of video data of Persons is regulated by a separate document.

20.  This Policy must be reviewed periodically, at least every 2 years, and updated if necessary. The current version of the Policy is published. The Policy, its amendments and supplements are approved by the Head of one of the Controllers, the Head of UAB “Biuro Baltic”, and become mandatory in Biuro Group companies. The amended Policy enters into force on the day after its approval. Administrative Employees are familiarised with this Policy when signing the employment contract, and they are obliged to familiarise themselves with amendments and supplements to the Policy by regularly verifying whether new amendments or supplements have been approved.

ANNEXES:

Annex No. 1: Table “Personal Data”.

Annex No. 2: The List of Implemented Technical and Organizational Measures.


ANNEX NO. 1

to the Personal Data Processing Policy

The table has the following columns: Purpose of Data Processing; PD subjects; Personal Data; Legal ground; Storage term (criteria). Its rows are set out below.

Row 1
Purpose of Data Processing: To contact the Person searching for a job, present job offers which could be of interest to the Person and invite him/her to an interview.
PD subjects: Potential Candidates.
Personal Data: Personal Data provided online and publicly available in job search databases or provided otherwise by the Persons (e.g. comments to a published job offer): branch, candidate source, comments in CRM before the interview, email, gender, year of birth, anticipated interview date, language knowledge, name, surname, phone numbers, salary expectations, SMS history, status change, job ad, CV, CRM ID, attributes, qualification, certificates, abilities.
Legal ground: Processing is necessary for the purposes of legitimate interests pursued by the Controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the Person which require protection of Personal Data. The legitimate interest in this case is the rendering of personalised service to, and communication with, the Persons. The Controller is willing to provide its services to the Potential Candidates (including, but not limited to, providing job offers, inviting to selection procedures, etc.) and this is also necessary in order to perform the Controller’s business activities.
Storage term (criteria): 6 months.

Row 2
Purpose of Data Processing: To render services to the Persons (the Candidates), in particular assistance in job search, selection of job offers possibly suitable to the Candidates, active search for open positions offered by the Controller’s partners and notification about open positions.
PD subjects: Candidates.
Personal Data: Mainly Personal Data collected directly from the Persons will be processed: name, surname, address, language knowledge, birthdate, branch, comments in CRM, previous employment history, information on available personal car, email, sources from which the candidate has learned about Biuro job offers, gender, qualification, certificates, abilities, mobile phone number, phone numbers, photo, content of references, salary expectations, SMS communication history (between the Controller and the Person), CV, job applied for, status change, work experience, disability, attributes, CRM ID, copy of medical certificate (if required for the position), upon your choice Facebook or Google profile ID as well as Facebook or Google profile photos for identification purposes, personal ID in order to confirm that you can sign the contract using an electronic signature, training test results, city, rating from previous employers.
Legal ground: Processing is necessary for the performance of a contract to which the Person is a party, or in order to take steps at the request of the Person prior to entering into a contract.
Storage term (criteria): 2 years after filling in the Personal Data in the form, or 2 years after the conclusion of the employment contract (disregarding whether the employment term is limited or unlimited; if employment lasts less than 2 years, the term is newly calculated from the conclusion day of the new contract). Optional, upon choice of the Person (checked when filling in the form), for the extended term: the term of the employment plus 2 years from the termination of the employment.

Row 3
Purpose of Data Processing: To inform about new services, business news, events, improvements of provided services and similar information.
PD subjects: Candidates / Employees / Potential clients / Clients.
Personal Data: Personal Data necessary to contact the Person will be processed: name, surname, contact details (email and mobile phone number).
Legal ground: The Person has given consent to the processing of his or her Personal Data for this specific purpose.
Storage term (criteria): For the term of the concluded contract. Where Personal Data of Candidates is processed, the term of the contract on service provision between the Controller and the Candidate is considered to be 2 years after filling in the Personal Data in the form, 2 years after the conclusion of the employment contract (disregarding whether the employment term is limited or unlimited) or, upon choice of the Person, the term of the employment plus 2 years from the termination of the employment (optional).

Row 4
Purpose of Data Processing: To perform the employment contract.
PD subjects: Employees / Administration Employees.
Personal Data: Most of the Personal Data is collected from the Person directly; however, some Personal Data may be collected from other sources (third parties): name, surname, address, assignment information, language knowledge, bailiffs’ cases, birthdate, branch, city, comments in CRM, compulsory health certificate, CV, addresses, employment contract data and data necessary to perform the employment contract (including non-taxable amount, social insurance number, vacation dates, termination date, etc.), certificates, foreigner, gender, IBAN, CRM ID, marital (family) status and children data (if applicable), phone numbers, assigned ID in the Client’s system, personal ID, photo, professional qualification, salary expectations, sanitary book, SMS communication history, attributes, preferred schedules, maternity leave vacation date, training test results, signature, disability, residence in local country, residence permit in local country, pension insurance, information about business trips (dates, term, information on accommodation, amounts to be paid, etc.).
Third Person’s Personal Data (optional, on condition that the Employee provides proper consent of such third Person for his/her Personal Data processing): name and surname, personal code (ID) and account number.
Legal ground: Processing is necessary for the performance of a contract to which the Person is party or to take steps at the request of the Person prior to entering into a contract.
Storage term (criteria): As a rule, during the term of the employment contract; however, some of the listed Personal Data may be stored for a longer term, as indicated in the legal acts for archiving purposes.

Row 5
Purpose of Data Processing: Pre-contractual relationship and demand research, as well as implementing rights and performing obligations under the contract concluded.
PD subjects: Potential clients / Clients; Potential suppliers / Suppliers.
Personal Data: Personal Data required for contacting and communicating during the pre-contractual relationship and during the term of the contractual relationship: name, surname, position name, mobile phone number, email, workplace address, Skype contact, comments in CRM, financial or bank information, signature, email communication history, name of company.
Legal ground: Legitimate interest. Before conclusion of the contract: rendering of personalised service and communications with potential clients. The Controller intends to provide services to potential clients (including, but not limited to, offering potential candidates for open positions) and this is also necessary to perform the Controller’s business activities. With regard to suppliers: the Controller is willing to receive services from potential suppliers (including, but not limited to, receiving offers from potential suppliers and contacting them for services) and this is also necessary to perform the Controller’s business activities.
Storage term (criteria): 3 years after the last contact with the potential client or potential supplier. Where a contract is concluded: 10 years after contract termination, unless a longer term for archiving purposes is indicated in the legal acts.


DATA SOURCES: The Personal Data may be collected directly from the Persons or from any third parties possessing Personal Data listed in the table above (e.g. job search databases, bailiff data, state and municipal authorities, previous employers, etc.).
STATISTICS AND ARCHIVING PURPOSES: Personal Data listed in the table above may be processed for archiving purposes in the public interest or for statistical purposes compatible with the processing purposes listed in the table above. Further processing of Personal Data for archiving purposes in the public interest or for statistical purposes is carried out once the Controller has assessed the feasibility of fulfilling those purposes by processing data which do not permit, or no longer permit, the identification of Persons, provided that appropriate safeguards exist (such as, for instance, pseudonymisation of the data).
DATA RECIPIENTS AND PROCESSORS:
When providing services to any Person or third parties, the Controllers are obliged to transfer Personal Data to third parties.
However, apart from the provision of the Controller’s services, the services of certain third parties are used to ensure the functionality of the services (e.g. cloud storage providers). It is necessary to transfer Personal Data to these third-party service providers so that they are able to provide their services. These third-party service providers are to be considered data processors. The Personal Data transferred to these third-party service providers will be limited to the minimum required to ensure the provision of their services. All third-party service providers to whom the Controller transfers Personal Data will follow the Controller’s instructions with respect to how they process Personal Data.
The main categories of data recipients are the following: Biuro Group companies; the Controller’s suppliers (which may be separate data controllers or processors, depending on the case); Clients; debt collectors; public authorities.


ANNEX NO. 2

to the Personal Data Processing Policy

Approved and valid from 25 May 2018

TECHNICAL AND ORGANISATIONAL MEASURES
The Controller ensures that the latest standards for security and data protection are met, including the protection of Personal Data and confidential data. Current technologies and the associated processes, policies and audits ensure that the protective measures are complied with and continually improved. Further details on the technical and organisational measures implemented for data protection purposes are as follows (but are not limited to):

  1. Access control (building / offices / data centre) - to prevent the unauthorized access to data processing systems where Personal Data is processed:
    • Alarm system
    • Photoelectric sensors / Movement detectors
    • Key Management (Issuance of keys, etc.)
    • Chip card / Transponder locking system are used in some access places
    • Manual locking system (limited usage by key employees, to be used in the event of a failure in the access control systems)
    • CCTV at entry points (Vilnius office and data centre in Vilnius)
    • Security locks
    • Careful selection of cleaning staff
    • A separate, specific and documented access control for data centres and server rooms for authorized persons is implemented. Access by authorized persons is documented by name and surname. For the data centres, separate access control systems are implemented
  2. Access Control (systems) - to prevent the use of data processing systems by unauthorised persons:
    • Assignment of user rights
    • Assignment of passwords
    • Authentication with username / password
    • Use of software firewalls
    • Creation of user profiles
    • Additional measures: patch management, minimum requirements for password complexity and forced password changes, use of virus scanners
    • Assignment of user profiles to IT systems
    • Use of central smartphone administration (for example: remote wiping of smartphone)
    • Use of a software firewall (office clients)
  3. Access Control (data) - to ensure that authorised users of a data processing system may only access the data for which they are authorised, and to prevent Personal Data from being read while the data is in use, in motion, or at rest without authorisation:
    • Creation of an authorization concept
    • Number of administrators reduced to the absolute minimum necessary
    • Logging of application access, especially during the entry, modification and deletion of data
    • Secure media sanitization before re-use
    • Use of shredders or services (if possible with privacy seal)
    • Management of rights by system administrators
    • Password policy including password length, password change management
    • Secure storage of data carriers
  4. Transfer control - to ensure that Personal Data cannot be read, copied or modified during electronic transmission or during transportation or storage to disk:
    • Documentation of recipients of data and the time periods for the provision of data including agreed deletion times
    • TLS encryption of all communications (Web-Client, APIs, mobile Apps)
  5. Input control - to ensure that it is possible to subsequently check and determine whether, and by whom, Personal Data has been entered, changed or removed on data processing systems:
    • Traceability of input, modification and deletion of data by individual user names (not user groups) in areas which, at the discretion of the Controller, are related to a higher risk of breach.
    • Granting of rights for the input, modification or the deletion of data based on an authorization concept
    • Storage of forms, through which data has been acquired during automated processing
  6. Order control - to ensure that Personal Data which is processed by request of the data owner by a data processor, shall only be processed as instructed by the data owner:
    • Contractor selection via history review (in particular regarding data security)
    • Written instructions to the contractor (for example, by DPA) (GDPR)
    • Effective control rights over data processors have been agreed
    • Obligation of the contractor’s employees to maintain data confidentiality (GDPR)
    • Ensure the secure destruction of data after termination of the contract
    • Continual review of contractors and their activities
  7. Availability control - to ensure that personal data is protected against accidental destruction or loss:
    • Uninterruptible power supplies (UPS)
    • Fire and smoke detection systems
    • Testing of data recovery
    • Secure off-site storage of data backups
    • In flood areas, server rooms are located above the water level
    • Air conditioning in server rooms
    • Creation of a backup & recovery concept
    • Server rooms not located under sanitary installations
    • Two data centres in an active/active configuration


© 2012-2018 BIURO.