1.
The Privacy Policy of UAB "Tankel Logistics" (hereinafter – the Policy) establishes the general principles, nature, purposes, and scope of the processing of data of a natural person (hereinafter – the Data Subject) whose data is processed by Tankel Logistics, and establishes organizational and technical data protection measures, the procedure for managing personal data security breaches, the procedure for performing data protection impact assessments, the procedure for engaging a personal data processor, and the procedure for implementing the Data Subject's rights.
2.
The terms used in this Policy are:
2. 1.
Personal data – any information relating to a natural person (data subject) who is identified or who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2. 2.
Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
2. 3.
Controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
2. 4.
Processor – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
2. 5.
Personal data breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
2. 6.
Other terms used in this Policy correspond to the terms defined in the General Data Protection Regulation and/or the Law on Legal Protection of Personal Data.
3.
The data controller is Tankel Logistics (hereinafter – the Data Controller), company code 303269464, address Prūsų g. 10, Vilnius.
4.
The requirements of this Policy are mandatory for:
4. 1.
The employer or the employer's representative of Tankel Logistics;
4. 2.
All employees of Tankel Logistics;
4. 3.
Data processors engaged by Tankel Logistics;
4. 4.
Other data controllers and persons who, based on a legitimate and justified basis, perform at least one data processing action or may perform it.
5.
Personal data must be:
5. 1.
processed lawfully, fairly, and transparently in relation to the data subject ('lawfulness, fairness, and transparency' principle);
5. 2.
collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes ('purpose limitation' principle);
5. 3.
adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed ('data minimization' principle);
5. 4.
accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy' principle);
5. 5.
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed ('storage limitation' principle);
5. 6.
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures ('integrity and confidentiality' principle).
6.
Personal data at Tankel Logistics is processed for the following purposes:
6. 1.
internal administration purposes;
6. 2.
the purpose of providing cargo transportation services;
6. 3.
the purpose of using the website;
6. 4.
other purposes related to one or more of the stated purposes, or a data processing purpose approved by order of the Director of Tankel Logistics.
7.
When processing data for the purposes specified in paragraph 11 of the Policy, Tankel Logistics collects and processes the following personal data:
7. 1.
(personnel management, document management, use of material and financial resources): name(s), surname(s), personal identification number, date of birth, signature, personal social security number, citizenship, address, current account number, telephone number, email address, curriculum vitae, marital status, child(ren)'s date of birth, position; data on acceptance (transfer) to positions, dismissal from positions, length of service; data on education and qualifications; data on holidays; data on individual work schedules; data on wages, severance pay, compensations, benefits; information on worked hours; information on promotions and penalties, violations of job duties; data on employee performance evaluation; special categories of personal data related to health; Lithuanian Republic citizen's passport or personal identity card number, issue date, expiration date, issuing institution, document registration date and number; other personal data provided by the data subject.
7. 2.
(contract conclusion and execution): name(s), surname(s), telephone number, email address, data about the workplace, job position.
7. 3.
(to ensure the evaluation of the use of the Tankel Logistics website and to ensure its functioning): IP address, geographical location, browser type and version, operating system, referral source, duration of visit to the website, pages viewed, navigation paths on the website, as well as information about the periods and frequency of use of the services.
8.
For the purposes specified in paragraph 11 of the Policy, the data processed by Tankel Logistics is stored for the appropriate term according to legal acts.
9.
Cookies are small pieces of information that are automatically created when browsing a website and are stored on the Data Subject's computer or other terminal device. Cookies help the Data Controller to recognize (indirectly) the Data Subject as a previous visitor to a particular website, to save the browsing history, and to customize the content accordingly. Cookies also help to ensure the smooth operation of websites, allow monitoring of the duration and frequency of visits to websites, and collect statistical information about the number of website visitors.
10.
The data subject can configure their browser to accept all cookies, reject all cookies, or be notified when a cookie is sent. Each browser is different, so if you do not know how to change your cookie preferences, please refer to its help menu. The data subject's device operating system may have additional cookie controls. The data subject, if they do not want information to be collected with the help of cookies, must use the simple procedure available in many browsers, which allows them to refuse the use of cookies.
11.
In some cases, deleting cookies may slow down internet browsing speed, limit the functionality of certain website features, or block access to the website.
12.
Please note that the Data Controller is not responsible for the content of such websites or their privacy practices. Therefore, if the Data Subject clicks on a link from the Data Controller's website to other websites, the Data Subject must separately familiarize themselves with their Privacy Policy.
13.
The Data Controller performs the following functions:
13. 1.
ensures the implementation of the data subject's rights and fulfills the obligations of the data controller established in legal acts regulating the processing of personal data;
13. 2.
appoints persons responsible for the processing of personal data;
13. 3.
grants or authorizes the granting of access rights to process data;
13. 4.
prepares legal acts regulating the protection and processing of personal data, reviews the Policy at least once every two years, and initiates changes if necessary;
13. 5.
performs a risk assessment of personal data processing at least once every two years, prepares a report, and takes measures to eliminate or reduce the risk if necessary;
13. 6.
consults data processors on personal data processing and protection issues;
13. 7.
controls how data processors fulfill the personal data processing obligations and functions established in the Policy;
13. 8.
concludes service provision or work performance contracts with legal and natural persons for system maintenance, etc., including data processing in accordance with the procedure established in the Policy;
13. 9.
gives instructions to data processors regarding system operation and personal data processing;
13. 10.
receives all information related to system operation and personal data processing from data processors;
13. 11.
organizes employee training and qualification improvement in the field of personal data legal protection;
13. 12.
performs other functions necessary to implement the data controller's rights and obligations established in the Policy.
14.
For the organization and execution of its intended activities, the Company has the right to engage natural and legal persons who contractually commit to perform various services and/or works for Tankel Logistics; the persons engaged to perform these services and/or works may therefore need to perform, or may perform, individual or isolated personal data processing actions (hereinafter – Tankel Logistics engaged Data Processors).
15.
The requirements of the Policy are imperatively and directly binding on Tankel Logistics engaged Data Processors, ensuring confidentiality and security requirements. In this case, the company's engaged Data Processors must confirm in writing their acquaintance with the requirements of the Policy, and a separate written personal data processing agreement is not concluded. Tankel Logistics and the Data Processor have the right to conclude an additional written personal data processing agreement.
16.
The categories of Data Processors depend on the services and/or works performed, therefore, the rights, obligations, and functions of the Data Processors depend on this.
17.
Rights, obligations, and functions of Data Processors:
17. 1.
ensures the implementation of the legal acts adopted by the personal data controller, the General Data Protection Regulation, and the Law on Legal Protection of Personal Data requirements;
17. 2.
ensures that personal data is processed only by those persons who need it to perform their working functions and only to the extent necessary to achieve the intended purposes;
17. 3.
ensures the implementation of the data subject's rights under the conditions and procedures provided for in the Policy and in accordance with the procedure established in the General Data Protection Regulation and/or the Law on Legal Protection of Personal Data and other legal acts;
17. 4.
ensures that technical and organizational data protection measures are implemented by directly applying the requirements established in Chapter 5 of the Policy, and ensures compliance with such measures and requirements;
17. 5.
ensures the confidentiality of personal data;
17. 6.
when intending to engage third parties (other Data Processors for a part of their services or works) for processing, the Data Processor must obtain prior written consent from the company;
17. 7.
provides the data controller or the person responsible for data security with proposals regarding the legal regulation of data processing, regarding personal data processing actions, regarding the improvement of organizational and technical measures.
18.
The company implements the organizational and technical personal data security measures specified in the Policy, designed to protect personal data, regardless of the nature of the processing, from accidental or unlawful destruction, alteration, disclosure, as well as from any other unlawful processing.
19.
In order to protect personal data from accidental or unlawful destruction, alteration, disclosure, from any other unlawful processing, the following infrastructural, administrative, and telecommunications (electronic) measures must be applied:
19. 1.
Proper placement and maintenance of technical equipment, maintenance of information systems, network management, ensuring internet security, and other information technology measures;
19. 2.
Strict compliance with the norms established by the fire safety service;
19. 3.
Proper work organization and other administrative measures;
19. 4.
Risk assessment of information systems data processing;
19. 5.
Implementation of necessary data security measures, taking into account risk assessment results;
19. 6.
Performing information system functionality and data integrity and readiness tests.
20.
Employees who process personal data of natural persons must adhere to the principle of confidentiality and keep secret any information they have become acquainted with in the performance of their duties. This obligation remains valid after transferring to other positions in the company or upon termination of employment or contractual relations.
21.
Employees can process personal data automatically only after they are granted access rights to the relevant information system.
22.
Access to personal data can only be granted to the person whose functions require personal data. Upon termination or change of employment relations, the employee's access rights to registers and other programs are revoked.
23.
Employees can transfer documents containing personal data only to those employees or persons who, according to their duties or separate assignments, have the right to work with personal data.
24.
Employees performing the functions of Data Subject data processing must prevent accidental or unlawful processing, must store documents properly and securely (avoiding unnecessary accumulation of copies with Data Subject data, etc.). Copies of documents containing Data Subject data must be destroyed in such a way that these documents cannot be restored and their content recognized.
25.
Employees whose computers store personal data of natural persons must use passwords on their computers; "guest"-type users, i.e., users not protected by passwords, are prohibited. A password-protected screen saver must also be used on these computers.
26.
Password requirements:
26. 1.
They must consist of at least 8 characters, including at least one number and at least one letter;
26. 2.
They cannot coincide with the personal data of employees or their family members;
26. 3.
They are stored and can only be known by employees working with specific computers;
26. 4.
They cannot be stored publicly and cannot be accessible as a whole.
26. 5.
Passwords must be changed when necessary (employee change, threat of hacking, etc.).
27.
Employee computers storing files with personal data of natural persons cannot be freely accessible from other network computers. The antivirus software of these computers must be constantly updated.
28.
Without necessity, files with interested parties' data should not be duplicated digitally, i.e., by creating file copies on local computer disks, portable media, remote file storage, etc.
29.
The company ensures the use of secure protocols and/or passwords when Personal Data is transmitted over external data transmission networks.
30.
Security control and deletion of personal data on external data carriers and in email after their use is ensured by transferring them to databases.
31.
Personal data (documents containing personal data or their copies) on external data carriers and in email must be deleted immediately after their use and/or transfer to storage locations, but no later than within 5 working days.
32.
The following security measures are implemented in information systems and computer networks:
32. 1.
Records of logins to personal data are kept: files accessed, actions performed with personal data (entry, viewing, modification, deletion, and other Personal Data processing actions). These records must be stored for at least 1 year;
32. 2.
The electronic log of user logins to the database(s) is reviewed at least once every 1 month, and review reports are provided to the data controller;
32. 3.
Backup copies of personal data, if made, are stored in a different room or geographical location than the active (operating) database;
32. 4.
Personal data stored in backup copies, archives, and external data carriers are encrypted;
32. 5.
Personal data transmitted by email is encrypted or password-protected;
33.
The responsible employee appointed by the director must ensure:
33. 1.
Control of unauthorized persons' entry into server rooms, using a coded door locking system and a general security alarm system;
33. 2.
Protection of the internal computer network.
34.
Employees must organize their work in such a way as to limit as much as possible the possibility for other persons (other employees, interns, voluntary trainees, or other third parties) to learn about the processed personal data. This provision is implemented by:
34. 1.
Not leaving documents with processed personal data or a computer used to open files with personal data unattended, so that the information contained therein could be read by employees who do not have the right to work with specific personal data, interns, or other persons;
34. 2.
Storing documents in such a way that they (or their fragments) cannot be read by random persons;
34. 3.
If documents containing personal data are transferred to other employees, departments, institutions through persons who do not have the right to process personal data, or by mail or courier, they must be transferred in a sealed opaque envelope. This clause does not apply if the mentioned messages are delivered to interested parties personally and confidentially.
35.
Data is provided to the Data Subject in accordance with the procedure established in Chapter 7 of the Policy.
36.
Tankel Logistics provides data of Data Subjects to data recipients only without violating the requirements enshrined in legal acts and ensuring the confidentiality of personal data under a concluded contract or a one-time justified request from the data recipient.
37.
In the case of one-time data provision, when providing personal data at the request of the data recipient, Tankel Logistics prioritizes data provision by electronic communication means, protecting the data with a password.
38.
The provision of personal data to state and municipal institutions and establishments, when these institutions and establishments receive personal data according to a specific request to perform control functions established by laws, is not considered data provision to data recipients.
39.
Data may be provided by the decision of the Tankel Logistics responsible person to a pre-trial investigation institution, prosecutor, or court for administrative, civil, criminal cases under their jurisdiction, or to other institutions or establishments in other cases established by laws.
40.
Employees of the Data Controller or Data Processor who have access rights to data and who notice personal data security breaches (inaction or actions that may cause or cause a threat to data security) must inform the Data Controller's appointed person responsible for data security and/or their immediate supervisor and/or the Data Protection Officer.
41.
If the personal data security breach poses a risk to the rights and freedoms of Data Subjects, the Data Protection Officer or another employee appointed by the Director of Tankel Logistics must immediately, but no later than within 72 hours, notify the State Data Protection Inspectorate of the incident. In case of an extremely high risk to the rights and freedoms of Data Subjects, information about the incident must also be immediately provided to the Data Subjects. If it is not possible to inform all Data Subjects due to their large number or other reasons, the Data Protection Officer and/or the Data Controller discuss and decide to provide this information through public information channels (press, television, etc.).
42.
In the notification to the State Data Protection Inspectorate and Data Subjects regarding the personal data security breach, the nature of the personal data incident must be briefly described, indicating the approximate number of Data Subjects whose personal rights and freedoms may have been violated, the contact details of the Data Protection Officer or other responsible employee, a brief description of the likely consequences of the incident, and the measures that the company is taking/will take to eliminate the negative consequences associated with the incident.
43.
The Data Subject has the following rights:
43. 1.
to know (to be informed) about the processing of their data;
43. 2.
to access their data and how it is processed;
43. 3.
to object to the processing of their data;
43. 4.
to demand the destruction of their data or the cessation, except for storage, of their data processing actions when the data is processed in violation of the provisions of laws and other legal acts;
43. 5.
to demand the transfer of data to another data controller;
43. 6.
to lodge a complaint with the supervisory authority;
43. 7.
to have other rights provided for in legal acts.
44.
The Data Subject's right to know about the processing of their personal data is implemented in the following order:
44. 1.
by informing them against signature by providing them with this Policy.
44. 2.
when the Data Subject contacts Tankel Logistics in accordance with the procedure established in this chapter of the Policy.
44. 3.
by providing the Data Subject with information (except in cases where the Data Subject already has such information):
44. 4.
its name, legal entity code, and registered office;
44. 5.
the contact details of the officer, if any;
44. 6.
for what purposes and on what legal basis the Data Subject's Personal data is processed;
44. 7.
the data recipients, their categories;
44. 8.
the data storage period or the criteria applied to determine that period;
44. 9.
other additional information (data acquisition sources, what Personal data the Data Subject is obliged to provide and what are the consequences of not providing the data, about the Data Subject's right to access their personal data and the right to demand the correction of incorrect, incomplete, inaccurate Personal data), as far as it is necessary to ensure the fair processing of Personal data without violating the Data Subject's rights.
45.
The Data Subject, wishing to access their data, demanding to correct, destroy their data, or stop their data processing actions, must submit a request (hereinafter – the Request) to Tankel Logistics in writing, physically or by electronic communication means that allow proper identification of the person. Together with the Request, the Data Subject must provide their personal identity document, and if the Data Subject's representative submits it by law or assignment, they must also provide the representative's personal identity document with a document justifying the representation, which are submitted as originals or copies certified in accordance with the law (hereinafter – the Attachments).
46.
The Data Subject's right to access their data is implemented in the following order: when the Data Subject properly submits the Request with the necessary Attachments to Tankel Logistics, the Data Subject is given the opportunity to access the data in Tankel Logistics premises no later than within 30 calendar days from the date of the Data Subject's request or, at the Data Subject's request, information is provided from what sources and what personal data of theirs has been collected, for what purpose it is processed, and to which data recipients it is provided or has been provided at least in the last 1 year; if requested, a copy of the record is provided on a write-once compact disc.
47.
The Data Subject's right to demand the correction, destruction of their personal data, or the cessation, except for storage, of their data processing actions when the data is processed in violation of the provisions of the law and other legal acts, is implemented in the following order:
47. 1.
when the Data Subject properly submits the Request with the necessary Attachments to the company, then the company immediately, but no later than within 5 working days, checks the legality and fairness of the Data Subject's data processing free of charge and immediately destroys illegally and unfairly collected data or stops such data processing actions, except for storage;
47. 2.
the data controller, having stopped the Data Subject's data processing actions at the Data Subject's request, stores the data whose processing actions have been stopped until they are destroyed (at the Data Subject's request or after the data storage period expires); other processing actions with such data can only be performed:
47. 3.
for the purpose of proving the circumstances under which the data processing actions were stopped;
47. 4.
if the Data Subject gives written consent to continue processing their data;
47. 5.
if it is necessary to protect the rights or legitimate interests of third parties;
47. 6.
the data controller immediately, no later than within 5 working days, notifies the Data Subject about the destruction or non-destruction of the Data Subject's Data or the cessation of data processing actions performed at their request;
47. 7.
the Data Subject's data is destroyed or their processing actions are stopped according to the documents confirming the Data Subject's identity and their personal data, after receiving the Data Subject's written request.
48.
The company ensures that when Data Subjects exercise their right to data portability, only data that is processed on the basis of a contract or consent and is processed by automated means is transferred.
49.
The data controller has the right to refuse to implement the Data Subject's rights on reasonable grounds, in the presence of conditions, circumstances, and principles provided for in the General Data Protection Regulation and/or the Law on Legal Protection of Personal Data.
50.
The company's refusal to implement the Data Subject's rights can be appealed in accordance with the procedure established by the legal acts of the Republic of Lithuania.
51.
The Data Subject's rights are implemented free of charge, except for the costs of making a copy of the record.