Procedure for the Implementation of Rights of the Data Subjects

1. General Provisions

1.1. The purpose of the procedure for the implementation of rights of the data subjects (the ‘Procedure’) at MB „Lumius“, legal entity number 304227411, with its office address at A. Goštauto g. 8-136, Vilnius, the Republic of Lithuania (the ‘Company’) is to establish the procedure and the principle of implementation of rights of the data subjects at the Company.

1.2. Rights of the data subject shall be implemented pursuant to Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (‘Regulation (EU) No 2016/679’) and the Republic of Lithuania Law on Legal Protection of Personal Data.

1.3. Terms used in the procedure match the terms used in Regulation (EU) No 2016/679.

1.4. The rules have been prepared pursuant to Regulation (EU) No 2016/679.

2. Right to Receive the Information about the Data Processing

2.1. Information about the processing of personal data of the data subject carried out by the Company indicated in Articles 13 and 14 of Regulation (EU) No 2016/679 shall be provided verbally or in writing at the time of receipt of personal data, or in the Privacy Policy published on the Company websites.

2.2. Information about the processing of personal data of the data subjects shall be provided at the time of receipt of personal data.

2.3. Where the personal data are not collected from the data subject directly, information about the processing of personal data of this data subject shall be provided as follows:

2.3.1. within a reasonable period after obtaining the personal data, but at the latest within 1 (one) month, having regard to the specific circumstances in which the personal data are processed;

2.3.2. if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or

2.3.3. if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

3. Right of Access

3.1. The data subject should have the right to access the personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order for the data subject to be aware of, and verify, the lawfulness of the personal data processing. Every data subject should have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, and, where possible, the period for which the personal data are processed, as well as the recipients of the personal data.

3.2. Having received the data subject’s request with regard to implementation of their right to access their personal data, the Company shall submit the following:

3.2.1. information whether the personal data of the data subject are processed;

3.2.2. information related to the processing of personal data provided in Article 15(1) and (2) of Regulation (EU) No 2016/679 if the personal data of the data subject are processed;

3.2.3. copy of the processed personal data.

3.3. The data subject shall have the right to request a copy of the processed personal data in a form other than that provided by the Company; however, a fee for this may be charged based on administrative costs.

4. Right to Rectification

4.1. Pursuant to Article 16 of Regulation (EU) No 2016/679, the data subject shall have the right to demand the rectification of any inaccurate personal data processed and the completion of any incomplete personal data.

4.2. In order to verify that the processed personal data of the data subject are inaccurate or incomplete, the Company may request the data subject to submit the evidence thereof.

4.3. Where the personal data of the data subject (rectified according to the data subject’s request) have been transferred to data recipients, the Company shall notify these data recipients thereof, unless this proves impossible or involves disproportionate effort. The data subject shall have the right to request the information on these data recipients.

5. Right to Erasure ('Right to Be Forgotten')

5.1. Right of the data subject to erasure (‘right to be forgotten’) shall be implemented in cases provided in Article 17 of Regulation (EU) No 2016/679.

5.2. Right of the data subject to erasure (‘right to be forgotten’) may not be implemented in cases provided in Article 17(3) of Regulation (EU) No 2016/679.

5.3. Where the personal data of the data subject (erased according to the data subject’s request) have been transferred to data recipients, the Company shall notify these data recipients thereof, unless this proves impossible or involves disproportionate effort. The data subject shall have the right to request the information on these data recipients.

6. Right to Restriction of Processing

6.1. In cases provided in Article 18(1) of Regulation (EU) No 2016/679, the Company must implement the right of the data subject to the restriction of processing.

6.2. Personal data the processing of which has been restricted shall be stored, and the data subject shall be notified using the means of electronic communication prior to the revocation of such restriction.

6.3. Where the personal data of the data subject (the processing of which has been restricted according to the data subject’s request) have been transferred to data recipients, the Company shall notify these data recipients thereof, unless this proves impossible or involves disproportionate effort. The data subject shall have the right to request the information on these data recipients.

7. Right to Data Portability

7.1. In exercising their right to the personal data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

7.2. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Company, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

7.2.1. the processing is based on the consent or agreement;

7.2.2. the processing is carried out by automated means.

7.3. The data subject shall have no right to the portability of personal data processed in files organised using non-automated means, for example, in paper files.

7.4. Personal data may be submitted via the internet or recorded on a CD, DVD or other data storage drive. The Company may submit personal data using open formats, such as XML, JSON, CSV, along with the respective metadata.

7.5. In cases where the transmitted personal data contain the data of third parties, the Company, in order to avoid the negative impact on their interests, may transmit the personal data only in cases where they are controlled exclusively by the data subject whose request is being implemented, and only for personal or household needs.

7.6. The data subject who contacts the Company regarding the right to portability must indicate whether their personal data should be transmitted to the data subject personally or to another controller.

7.7. Data subject’s request shall be implemented by transmitting only the data related to the data subject that have been submitted to their controller and are processed by the Company. This shall not include personal data obtained by processing and analysing the information and fixed data provided by the data subject directly, for example, a user profile created on the basis of analysed data.

7.8. The data subject may exercise their right to personal data portability without prejudice to any other right (this provision shall also be applicable to all other rights established in the General Data Protection Regulation). The data subject shall have the right to continue using the services provided by the Company and to enjoy the benefits provided by the same even after the personal data transmission operation.

7.9. Personal data transmitted pursuant to the request of the data subject shall not be automatically erased. Where the data subject so requires, they must contact the controller regarding the implementation of the right to erasure (‘right to be forgotten’).

8. Right to Object

8.1. Pursuant to Article 21 of Regulation (EU) No 2016/679, the data subject, on grounds relating to their particular situation, shall have the right to object to the processing of their personal data by the Company:

8.1.1. where personal data are processed for the purposes of direct marketing; direct marketing means the activity when persons are made direct offers of goods and services and/or asked to provide feedback on the offered goods or services;

8.1.2. where the processing of personal data is necessary for the implementation of legitimate interests of the controller or third party.

8.2. If the data subject objects to the processing of personal data, such processing shall be carried out having made a reasoned conclusion that the grounds for the processing override the interests, rights and freedoms of the data subject or where the personal data are required for the establishment, exercise or defence of legal claims.

9. Right to Demand Not to Be Subject to a Decision Based Solely on Automated Processing, Including Profiling

9.1. Pursuant to Article 22 of Regulation (EU) No 2016/679, the data subject shall have the right to demand not to be subject to a decision based solely on automated processing and to have such a decision reconsidered if it produces legal effects concerning the data subject or similarly significantly affects the data subject.

9.2. Right of the data subject not to be subject to a decision based solely on automated processing shall be restricted in cases provided in Article 22(2) of Regulation (EU) No 2016/679.

9.3. Should the data subject request reconsideration of the decision based solely on automated processing, the controller shall perform an extensive assessment of all important data, including the information submitted by the data subject.

10. Submission of the Request for the Implementation of Rights of the Data Subject

10.1. The data subject shall have the right to contact the Company for the implementation of the rights of data subject in writing, by submitting their requests personally, by post or using electronic means to the Data protection officer via e-mail dpo@lumifish.com or at the address of the office of the Company.

10.2. In order to ensure the confidentiality established in Article 38(5) of Regulation (EU) No 2016/679, in cases where the data protection officer is contacted by post, the envelope must be addressed to the data protection officer.

10.3. The request for the implementation of rights of the data subject must be legible and signed, and must contain the name, surname, address and/or other contact details of the data subject for communication purposes or for replying to the request for the implementation of rights of the data subject.

10.4. Where the request for the implementation of rights of the data subject has been submitted in writing personally, the data subject must confirm their identity by submitting the ID document. Failure to do so will prevent the rights of the data subject from being implemented. This provision shall not be applicable in cases where the data subject has requested to provide information on the processing of personal data pursuant to Articles 13 and 14 of Regulation (EU) No 2016/679.

10.5. Where the request for the implementation of rights of the data subject has been made in writing by post, it shall be accompanied by a copy of ID document approved pursuant to the procedure provided in the legal acts. This provision shall not be applicable in cases where the data subject has requested to provide information on the processing of personal data pursuant to Articles 13 and 14 of Regulation (EU) No 2016/679.

10.6. The data subject may exercise their rights personally or through a representative. In cases where the request has been submitted by the representative, in consideration of the method of submission thereof, the representative shall submit, along with the aforementioned documents, their name, surname, address and/or other contact details for maintaining communication or providing the reply, as well as the representation document (or a copy of authorisation approved pursuant to the procedure set out in the legal acts).

10.7. Should there be any doubts as to the identity of the data subject, the controller shall request additional information required for the verification thereof. The Company shall use reasonable efforts to verify the identity of the person submitting the request to access the personal data because the respective sanctions may be applicable in case of unlawful disclosure of personal data to third parties.

10.8. When submitting a written request for the implementation of rights of the data subject, it is recommended to use the request form provided in Annex 1 to the Rules.

11. Examination of the Request for the Implementation of Rights of the Data Subject

11.1. Once the request of the data subject has been received, the data subject will be provided with the information about the actions taken with respect to the received request no later than within 1 (one) month of the receipt of the request. In cases of delays in the provision of information, the data subject shall be notified of the same within the indicated period, given the reasons for the delay and informed about the possibility to file a complaint with the State Data Protection Inspectorate.

11.2. In cases where the request has been submitted in violation of the procedure and requirements set out in Section 10 of the Rules, it shall not be examined and the data subject shall be notified thereof without delay and in any event within 5 (five) working days indicating the respective reasons thereof.

11.3. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within 1 (one) month and to give reasons where the controller does not intend to comply with any such requests.

11.4. This period may be extended by 2 (two) further months where necessary, taking into account the complexity and number of the requests. In this case, the data subject must be informed of any such extension in writing within 1 (one) month of receipt of the request, together with the reasons for the delay.

11.5. If it has been decided not to take action on the request of the data subject, the data subject shall be informed in writing without delay and in any event within 1 (one) month of receipt of the request of the reasons for not taking action (e.g., the person submitting the request failed to specify their identity) and on the possibility of lodging a complaint with the supervisory authority. The data subject shall be properly informed about the refusal to grant the request.

11.6. The data subject shall be notified if in the course of examination of the request it is established that the rights of the data subject are restricted on the grounds provided in Article 23(1) of Regulation (EU) No 2016/679.

11.7. Information about the processing of personal data requested by the data subject shall be submitted in the same form as the received request of the data subject (unless otherwise requested by the data subject), i.e. if the request has been submitted by electronic means (e.g., by e-mail), the information shall be provided in a commonly used electronic form. Information according to the request for the implementation of rights of the data subject shall be submitted in the national language.

11.8. Information and notifications shall be submitted and other actions related to the implementation of rights of the data subjects shall be carried out free of charge, except in cases where requests of the data subject are manifestly unfounded or excessive, in particular because of their repetitive character, in which case the Company may charge a reasonable fee for the provision of information or submission of a notification, or the performance of requested actions and the payment procedure for the submission of data) or refuse to act on the request. The fee amount shall not exceed the amount of costs of provision of information or notification, or performance of actions. The Company shall set and approve the fee amount in consideration of labour and material costs required for the provision of information or notification or the performance of actions.

11.9. Assessment shall be made in each separate case if the request is manifestly unfounded or excessive. In cases where the request of the data subject is manifestly unfounded or excessive the Company shall bear the burden of demonstrating the same.

11.10. In cases where the Company processes a very large amount of personal data, the request for the provision of information about all processed personal data for the entire processing period may be considered excessive. Nevertheless, even if a request of excessive nature has been received, first it is recommended to ask the data subject to specify it by indicating the reason why the data subject needs to obtain such a large amount of information, and in the absence of such reason, to narrow down the scope of requested personal data.

11.11. A complaint with regard to actions or inaction of the Company in the process of implementation of rights of the data subject may be filed with the State Data Protection Inspectorate, L. Sapiegos g. 17, Vilnius, the Republic of Lithuania, e-mail ada@ada.lt, website www.ada.lt, or a competent court by the data subject themselves or the representative thereof, as well as by a non-profit institution, organisation or association authorised by the data subject complying with the requirements of Article 80 of Regulation (EU) No 2016/679.

11.12. Should the data subject incur any material or non-material damage due to the infringement of rights of the data subject, the data subject shall have the right to a compensation and may claim it by bringing court action in the court competent to settle such disputes.





Annex 1

to the Procedure for the Implementation of Rights of the Data Subject

(Name and surname of the data subject)

(Address and/or other contact details (phone number or e-mail address, indicated at the applicant's discretion))

(Representative and basis of representation if the request is submitted by the data subject’s representative)




MB „Lumius“
Legal entity number: 304227411
Address: A. Goštauto g. 8-136, Vilnius, the Republic of Lithuania



REQUEST FOR THE IMPLEMENTATION OF RIGHT(S) OF THE DATA SUBJECT



(Date)



(Location)




1. I hereby request to implement the following right(s) of the data subject (check the appropriate box):
▢ Right to receive the information about data processing
▢ Right of access
▢ Right to rectification
▢ Right to erasure (‘right to be forgotten’)
▢ Right to restriction of processing
▢ Right to data portability
▢ Right to object
▢ Right to demand not to be subject to a decision based solely on automated processing, including profiling
2. Please indicate your specific request and provide as much information as possible to enable the proper implementation of your right(s) (for example, if you wish to obtain a copy of personal data, please indicate the specific data you wish to obtain (for example, a copy of an email of x day of x month of 2020); if you want to rectify your data, please indicate the specific personal data which are inaccurate; if you object to the processing of your personal data, please provide the arguments for your objection and indicate the specific processing of data you object to; if you wish to exercise the right to data portability, please indicate with regard to which data you wish to implement this right and if you wish to transmit them to your device or to another controller, and if the latter, please indicate this controller):














ATTACHMENTS:


1.


2.


3.


4.


5.





(Date)



(Signature)



(Name, surname)