Third Party Data Protection Rules

5.1. Personal data is all and any direct or indirect information about a natural person in relation to the Company’s customer or supplier. 
5.2. A customer and / or persons in relation hereto is a particular natural person, who has expressed a desire to acquire products distributed by the Company, or has acquired them, or is somehow otherwise related to the products distributed by the Company, i.e. the person is the representative of a customer, supplier, family member, guarantor, collateral provider, etc., the representative of a legal entity, shareholder, a member of a managing body, real beneficiary, etc.
5.3. Data processing is an operation performed with personal data (including collection, recording, keeping, amending, transfer, deleting, etc.
5.4. Data controller is the Company. 

6. The Company shall keep information about data subjects and their privacy. Collecting, using and keeping personal data, the Company complies with the General Data Protection Regulation, Law on the Legal Protection of Personal Data of the Republic of Lithuania and other law acts regulating personal data protection as well as the instructions and recommendations of competent authorities. 
7. In the event if a data subject/entity has any questions, requests or comments concerning the management of personal data performed in compliance with the Rules, any complaints or other issues in relation with the protection of personal data at the Bank, he/she may submit them by mail addressing to the Company:    J. Dalinkevičiaus Str. 2H, Naujoji Akmenė, e-mail: eternit@eternit.lt, telephone number +370 633 18881.
8. The Company shall ensure the confidentiality of personal data in compliance with the requirements of applicable law acts as well as shall ensure the implementation of the arrangement of appropriate technical and organisational measures designated to protect personal data against unlawful access, disclosure, accidental loss, alteration or destruction or any other unlawful processing/management.

9. The Company collects, uses, keeps and otherwise processes such information about data subjects, which is required for the following main objectives:   
9.1. To identify appropriately data subjects and to maintain business relationships (the following information shall be processed: given name, surname, personal identification number, a copy of a personal identity document, contact details (the address of the place of residence, e-mail address, telephone number, etc.); 
9.2. To supply a data subject or a legal entity in relation thereto with the products distributed by the Company (depending on the nature of the supply by the Company, the following additional information shall be collected: information about a bank account number);
9.3. To assess the solvency, creditability  of a data subject, his/her obligation performance risk, and, if the data subject or  a person related hereto is in debt, to manager such debt (the following information shall be collected: data about the previous performance of his/her financial obligations and other information relevant performing the assessment of his/her creditability and financial situation;
9.4. To notify a data subject about products distributed by the Company and to ask the subject’s opinion about the products distributed by the Company, their quality, including profiling for the purposes of direct marketing (the following information shall be collected: given name, surname, contact details, information about the previous acquisitions of the Company’s products); 
9.5. To ensure the safety of the health, life and property of a data subject and persons in relation thereto as well as the public order monitoring the view in such cases, where a data subjects comes to the filmed premises of the Company (video records shall be collected);   
9.6. To defend and protect the Company’s rights and interests – if this would be required in legal proceedings or exacting debts (the following information shall be collected: all abovementioned information, documents and the annexes thereto sent to the data subject or persons in relation to him/her, the amount of the debt, documents and any annexes hereto sent by data subjects or third parties (for example, notaries,  bailiffs, advocates, successors, spouses, etc.), pleadings, which include personal data). 
9.7. To perform the control of the quality of products distributed by the Company and to find out the opinion of data subjects. For this purpose, the Company may send questionnaires asking questions about the products;
9.8. To answer asked questions. The Company processes personal data, when people apply to the Company with questions and information by mail, e-mail or telephone on the basis of a consent or the requirements of law acts. 
10. The main categories of personal data and data processed by the Company for the abovementioned purposes and on the abovementioned grounds: 
10.1. Identity data – given name, surname, personal identity number, date of birth, etc. 
10.2. Contact details  – address, telephone number, e-mail address, etc. 
10.3. Data in relation to the concluding and performance of contracts received by the Company communicating with persons directly or using the means of remote communication (telephone, e-mail), etc.
10.4. Payment details  – payable amounts, unpaid debts, overpayment, payment history, etc.
10.5. Data of video records  – video data recorded in the Company's departments;
10.6. Cookie data – information about the location of a person with the accuracy of a city, behaviour on the Company’s website, etc. (more detailed information is presented below “Cookies and the use thereof”). 
10.7. Other data processed by the Company in compliance with and on the grounds of law acts. ++

11. The Company processes personal data in compliance with the provisions of the General Data Protection Regulation as well as the requirements of other law acts and basing on the following legal grounds:
11.1. Performing concluded contracts and / or in order to undertake actions to conclude a contract with a data subject or any person in relation hereto;
11.2. Pursuing legitimate interests of the Company, for example, getting information from joint data bases of debtors, in order to assess the solvency, creditability and obligation performance risk of a data subject or any person related to him/her, if the data subject or the related person would be in debt, to manage such debt; considering arising disputes and claims in legal proceedings in order to ensure the safety of the health, life of  Company’s employees, the Company’s customers and the Company’s assets as well as the public order monitoring a view, etc.  
11.3. Implementing legal obligations applicable to the Company, where various legal obligations provided for by law acts are imposed on the Company, which are mandatory to the Company.   
11.4. On the basis of a consent of the data subject, i.e. the Company processes as many data, as the subject allows to the Company giving his/her consent to process his/her personal data for particular purposes, for example, to send him/her marketing offers. 

12. The Company shall process personal data received directly from a data subject or a person in relation to him/her, where it is related to products distributed by the Company as well as when it is allowed by law acts and, as required due to any reasons, - outsourcing the information.
13. The Company shall get data from:
13.1. The State Enterprise “Centre of Registers“ or other persons managing registers provided for by law acts;
13.2. The company UAB “Creditinfo Lietuva“;
13.3. The State Social Insurance Fund Board under the Ministry of Social Security and Labour;
13.4. The State Tax Inspectorate under the Ministry of Finances;
13.5. Bailiffs, notaries, courts, other law enforcement authorities; 
13.6. The Company’s customers, suppliers, when they present data of data subjects, when a data subject is the representative, employee, incorporator, shareholder, participant, etc. of such legal entities.

14. The Company shall disclose information about data subjects or any part thereof to the following persons, when such disclosure is allowed by law acts and when it is necessary due to other legitimate reasons:
14.1. To personal data processors or controllers, who process joint debtors' data files, or whose performance is related to the exaction, administration or using of debts;
14.2. To law enforcement authorities, courts, other institutions considering disputes;
14.3. Notaries, bailiffs, advocates, consultants, auditors, service providers invoked by the Company for the supply of services necessary to the Company or such institutions apply to the Company performing their functions assigned to them by laws;   
14.4. To third parties, who install, administer or otherwise manage software used by the Company; 
14.5. Printing and/or postal service providers, where this is related to printing and/or sending of the Company’s notices;
14.6. To persons, whose activities are related to the archiving and storage of contracts and other documents; 
14.7. To persons who have presented security measures securing the performance of their obligations (guarantors, warrantors, pledgers);
14.8. To other third parties (intermediaries) processing personal data on behalf of the Company or under cooperation contracts concluded with the Company;
14.9. Potential or existing successors of the Company’s business or any part thereof or their authorised consultants or persons. 

15. The Company shall not transfer any personal data outside the European Economic Area (The European Economic Area consists of all the Member States of the European Union and Iceland, Liechtenstein and Norway).

16. The Company keep personal data not longer than it is required to achieve the objectives of the processing of personal data or such period of time, which is specified/allowed by law acts, for example:
16.1. Personal data shall be kept as long as a data subject or a person related to him/her purchases products distributed by the Company and 10 years after the person ceases to purchase products distributed by the Company. 
16.2. For the purposes of direct marketing (offering advertising or any other special offers), personal data shall be kept until the data subject expresses his/her non-consent or not longer than relationships between the Company and the data subject or a person in relation to him/her would continue;  
16.3. We keep video records up to 14 days.

17. The Company does not perform any automatized decision taking in respect of data subjects and any profiling of data subjects.  

18. When a data subject is the Company’s customer/supplier or a person related to him/her and he/she has not expressed any objections, the Company shall have a right to apply to the data subject using his/her or the person’s related to him/her contact details with the purpose to present information and advertising material about products distributed by the Company and the quality thereof to the data subject by e-mail, text messages by phone, via social networks, media channels and other similar channels of electronic communication.
19. The Company may process personal data for the purposes of the organisation of the performance of actions, competitions or events in order to ensure the Company’s communication with the participants of such actions, competitions or events, to select winners and to notify them about prizes or to supply with any other relevant information;
20. A data subject shall have a right to unsubscribe at any time having clicked a link intended for that purpose in the Company’s newsletter or any other information sent by the Company as well as applying to the Company’s e-mail address published in the Rules.

21. Cookies are small text files stored on the browser of a data subject's device (such as a computer, cell phone, tablet) when the data subject is browsing the Company's website. Cookies help collect and analyse site traffic statistics, maintain or improve website functionality, enhance security, etc. Other technologies for storing information in the data subject's browser or device may also be used to achieve these goals.
22. For more information about our Cookie Policy click the link: https://www.eternit.lt/lt-lt/privacy-policy#slapuku-naudojimas
22.1 Pursuing to improve, accelerate and make more convenient the using of the website, the Company uses cookies.  Cookies are small files that are sent and installed on the site's visitor's computer. The information installed is used by the Company to identify the person and monitor site traffic statistics. 
22.2 Cookies used on the website are the following: ASP.NET_SessionId – where the statuses of visitors’ sessions performing queries are stored, _ga, _gat, _gid – Google Analytics records traffic information and other unclassified cookies..
22.3 Cookies are used on the website, when a person accepts the use of cookies while browsing the website. A person may cancel his/her consent at any time by changing his / her web browser settings, but in this case, some of the functions of the website may not work. 
22.4 Three types of cookies may be used on the Company’s website:
• Strictly necessary cookies: such cookies are necessary, they, such as access to safe enable a person to move around the website and use its features, such as to secure website areas. 
• Performance cookies (for the purposes of statistics): these cookies collect information about how visitors use a certain website e.g. which pages are the most visited, and if visitors experience any errors. These cookies don't collect any information that could identify a visitor of the website – all the information collected is of general nature, therefore anonymous and is only used to help to improve how the website works, understand what interests the users of the website and measure how effective advertising is. 
• Marketing: These cookies register the behaviour of returning visitors on a website, creating an identification number that is used to display targeted advertisements.
• Unclassified.

23. The General Data Protection Regulation and other law acts provide rights to a data subject, foresee cases, when it is possible to use them, describe the procedures, which must be complied with, and exemptions, when a data subject would not be able to do that. If the law acts allow, a data subject can:
23.1. Get a confirmation stating whether the Company processes the data subject’s personal data, request to get access to the processed data; 
23.2. request for the correction of inaccurate, incorrect personal data of the data subject or to supplement such data, the data are not complete;
23.3. request to delete the data subject’s personal data, if the Company uses such data unlawfully;  
23.4. request to limit/restrict the processing of the data subject’s personal data;
23.5. express his/her disagreement concerning the processing of personal data, when the Company processes personal data referring to lawful interests, or where the data are processed for direct marketing purposes;
23.6. request to transfer (get) in a generally used electronic form such data, which were presented to the Company by the data subject under a contract or expressed consent and which are processed using automated means by the Company;
23.7. revoke given consents concerning the processing of personal data;
23.8. appeal with a complaint to the State data Protection Inspectorate (refer to www.ada.lt), if the data subject considers that his/her data were processed infringing the requirements of the General Data Protection Regulation and other law acts.  

24. A data subject may implement his rights presenting a particular request to the Company using the contact details specified in the Rules. 
25. In order to enable the Company to assess the request of the data subject and give him a response, the Company may have to ask from the data subject some particular information, i.e. to prove his/her identity presenting a personal identity document, in order to be able to ensure the right of the data subject to get access to his personal data or to exercise his/her other rights. This is a security measure designated to ensure that any personal data would not be disclosed to any unauthorised third parties. 

26. The Company shall present information about the actions, which they took upon the receipt of the request of the Data Subject concerning the exercising of his/her rights or shall explain the reasons of the refusal to take actions not later than within 1 month from the date of the receipt of the data Subject’s request (even if the response is negative). The period for the presenting of the requested information may be extended for 2 more months, as required, in consideration of the complexity and number of requests. 
27. The Company may refuse to consider a request received from a data subject concerning the exercising of his/her rights or may charge a respective fee for this, in the event if the request is obviously unjustified or excessive as well as in other cases provided for by law acts.    

28. The Rules shall be amended putting them into a new wording.