The Rules of Processing of Personal Data

1. GENERAL PROVISIONS

 

1.1. The Rules of Processing of Personal Data (hereinafter the Rules) shall lay down the principles of processing of personal data by Stats4sport ApS filialas (hereinafter the Company), the rights of the data subject, the personal data security measures, the procedure of registration of the data controller in the Register of Personal Data Controllers and the procedure of provision of personal data.

1.2. The Rules have been developed in compliance with the European Union General Personal Data Protection Regulation and other legal acts, which regulate the processing and protection of personal data.

1.3. The concepts used in the present Rules shall have the same meaning as the concepts used in the European Union General Personal Data Protection Regulation.

1.4. The Director of the Company shall be responsible for the proper implementation of the present Rules and personal data protection measures.

1.5. Those who process personal data unlawfully, obstruct a person to have access to one’s own data or information about such data shall be liable in accordance with the procedure laid down by the legal acts.

 

2. PROCESSING OF PERSONAL DATA

 

2.1. The Company shall process personal data in compliance with the requirements laid down in the European Union General Personal Data Protection Regulation and implementing legislation and in accordance with the procedure laid down in the present Rules to the extent it does not contradict with the said Regulation, laws and other legal acts.

2.2. The employee authorized by the Company to process personal data shall preserve the secrecy of personal data when such data are not subject to publication. Such duty shall remain in effect even after the expiry of employment relations.

2.3. The Company shall ensure processing of personal data in compliance with the following principles:

2.3.1. personal data shall be collected for well-defined and lawful purposes, which shall be determined before the collection of personal data and later shall be processed in the manner compatible with such purposes; 

2.3.2. personal data shall be processed in the accurate and fair manner and without violation of the requirements laid down in the legal acts; 

2.3.3. personal data shall be accurate and, if required for the purposes of processing of personal data, shall be updated on the regular basis. Inaccurate or incomplete data shall be corrected, supplemented, destroyed or their processing shall be suspended; 

2.3.4. personal data shall be identical, proper and only to such an extent, which is necessary for their collection and further processing; 

2.3.5. personal data shall be kept in such a form, which permits identification of the data subject for no longer than is necessary for the purposes for which such data were collected and processed;

2.3.6. personal data shall be processed in compliance with the personal data processing requirements laid down in the European Union General Data Protection Regulation, Law on Legal Protection and other legal acts, which regulate the respective activities.

2.4. The Company shall have the right to process personal data only if:

2.4.1. the data subject intends to use the services provided by the Company and completes a registration form on the website of the Company or without creating any individual account, enters the data required for the provision of the service.

2.5.Personal data may be processed for direct marketing purposes if the data subject gives consent, except the cases laid down in the laws. The Company shall ensure a clear, free of charge and easily accessible possibility for the data subject to revoke the consent for the processing of personal data for the purposes of direct marketing. 

2.6. Personal data shall be stored for no longer than is necessary for the purposes of processing of the data. When the personal data are no longer necessary for the purposes of their processing, they shall be destroyed, except the data which are transferred to state archives.

 

3. DUTIES OF THE DATA CONTROLLER

 

3.1. The Company shall provide conditions for the data subject to implement the rights laid down in Section IV paragraph 4.1 of the present Rules.

3.2. The Company shall provide the data subject whose personal data are collected directly from the data subject, with the following information (except the cases when such information is already held by the data subject):

3.2.1. data about the Company and representative of the Company and data about the registered office of the Company;

3.2.2. the purposes for which the personal data of the data subject are processed;

3.2.3. duration of storage of the personal data;

3.2.4. other supplementary information (to whom and for what purposes the personal data of the data subject are provided; what personal data must be provided by the data subject, the consequences of non-provision of the data, the right of the data subject to have access to the personal data and the right to demand correction of the personal data, which are incorrect, incomplete or inaccurate) to the extent which is necessary to ensure the correct processing of personal data without violation of the rights of the data subject.

3.3. If the data is received by the Company not from the data subject, the Company shall notify the data subject about this before beginning the processing of the personal data. If the Company intends to provide the data to the third persons, the Company shall notify the data subject about this no later than before the moment, when such data are provided for the first time, except the cases when the laws or any other legal acts define the procedure of collection and provision of such data and the recipients of the data.

3.4. When the Company collects or intends to collect the personal data from the data subject and processes or intends to process them for the purposes of direct marketing, before providing the data of the data subject, the Company shall notify the data subject to whom and for what purposes the personal data of the data subject shall be provided.

3.8. The Company shall ensure that the data about the services provided by the Company are not stored longer than for a term of 10 years from the date of provision of such services and performance of the obligations.

 

4. RIGHTS OF THE DATA SUBJECT

 

4.1. The data subject shall have the following rights:

4.1.1. to know (be informed) about the processing of the personal data;

4.1.2. to have access to one’s own personal data and to know the manner in which they are processed;

4.1.3. to demand correction, destruction of the personal data or to suspend the acts of processing of the personal data, except the storage of the data, when the data are processed without compliance with the requirements laid down in the legal acts and the present Rules;

4.1.4. to disagree with the processing of one’s own personal data (to revoke the consent for the processing of the personal data).

4.2. While implementing the sight laid down in Section IV paragraph 4.1.2 of the present Rules the data subject may address the Company and obtain information about the sources from which the Company received the personal data, what personal data were collected, for what purposes they are processed and to which data recipients they are provided or were provided at least once during the last year. Such information shall be provided to the data recipient, when the employees of the Company identify the data subject. Having received an enquiry of the data subject about the processing of the data, the Company shall respond whether the personal data related with the data subject are processed and shall provide the data requested by the data subject no later than within 30 (thirty) calendar days from the date of receipt of the request of the data subject. At the request of the data subject, such data shall be provided in writing. Such data shall be provided to the data subject free of charge 1 (one) time per calendar year. When provision of the data is subject to remuneration, the amount of such remuneration shall not exceed the costs of provision of the data incurred by the Company.

4.3. If, having examined the personal data, the data subject establishes that the personal data are incorrect, incomplete or inaccurate, the data subject may address the Company and the Company shall immediately verify the data and shall correct the data, which are incorrect, incomplete or inaccurate and (or) suspend the acts of processing of such data, except the storage of the data, at the request of the data subject.

4.4. If, having examined the personal data, the data subject establishes that they are processed unlawfully and unfairly, and addresses the Company, the Company shall immediately verify the lawfulness, fairness of processing of the data free of charge, and at the written request of the data subject, shall destroy the data, which have been collected unlawfully and unfairly or shall suspend the acts of processing such data, except the storage of the data.

4.5. After the suspension of the acts of processing of the data, the respective data shall be stored for as long as is necessary to correct or destroy them (at the request of the date subject or after the expiry of the term of storage of the data). Other acts of processing of such data may be performed only:

4.5.1. for the purposes of proving the circumstances due to which the acts of processing of the data were suspended;

4.5.2. if the data subject gives consent for the further processing of the personal data;

4.5.3. if it is necessary to protect the rights or lawful interests of the third persons.

4.6. The Company shall immediately notify the data subject about the correction, destruction of the data or suspension of the acts of processing of the data performed or not performed at the request of the data subject. 

4.7. The data shall be corrected and destroyed or the acts of their processing shall be suspended on the basis of the documents identifying the data subject, upon receipt of the request of the data subject.

4.8. If the employees of the Company have doubts regarding the correctness of the data provided by the data subject, they shall suspend the processing of such data, and shall verify and adjust such data. Such data may be used only for the purposes of verification of their correctness. 

 

5. PERSONAL DATA SECURITY MEASURES

 

5.1. The Company shall implement the proper organizational and technical measures for the purposes of protection of personal data against any accidental or unlawful destruction, modification, disclosure and any unauthorized processing.

5.2. The Company shall apply the following personal data security measures: 

5.2.1. the premises shall be protected against any unauthorized access, and the personal data shall be protected against any accidental destruction or loss;

5.2.2. unauthorized persons shall be prohibited from accessing the premises where the personal data are processed or used. If any other persons have access to the premises, it shall be ensured that such persons do not have any possibility to have access to the personal data or any other related information stored there and copy such data or information; 

5.2.3. access to and processing of the personal data shall be granted only to the limited number of persons. Unauthorized persons shall be prohibited from using the personal data processing systems.

5.2.4. the employees of the organization have clear division of functions regarding the processing of the data; 

5.2.5. it shall be ensured that the persons authorized to use the data processing system could have access only to such data with which they are authorized to work, and that the personal data could not be read, copied, modified or removed during the processing, use or recording;

5.2.6. when leaving the place of work, the computers shall be turned off and the information containing the personal data shall be kept in the place inaccessible to the third persons;

5.2.7. during the disclosure of the personal data in the electronic form or during their transportation or storage in a data medium, it shall be ensured that they could not be read, copied, modified or removed without permit, that it could be possible to check and establish to which institutions the personal data shall be disclosed with the help of the data disclosure equipment;

5.2.8. no information pertaining to the personal data shall be disclosed by telephone to any other person;

5.2.9. the processing of the personal data shall be performed only with the help of the certified hardware and software;

5.2.10. anti-virus software shall be installed and updated periodically;

5.2.11. the username and password shall be required at the time of the user’s login to the system;

5.2.13. all media shall be stored safely locked when they are not used. The data in each medium (printed material, compact discs, usb devices, etc.), which is not used, shall be completely deleted and (or) destroyed physically or transferred to the archives;

5.2.14. no software shall be installed without the permit of the Director of the Company;

5.2.15. all works related with the installation and modification of the data processing systems and computer networks shall be performed by competent specialists;

5.2.16. in order to protect the personal data against loss or unauthorized modification, they shall be copied. In the event of detection of any data breaches, they shall be restored from the copies. The storage of copies shall be subject to the same procedure as laid down in the present Rules;

5.2.17. the Company shall regularly perform assessment of the risk related with the processing of the data.

5.3. If the Company authorizes the data processor to process the personal data, the Company shall choose such data processor, which shall have sufficient possibilities and resources to guarantee the required technical and organizational personal data protection measures and to ensure compliance with such measures. By authorizing the data processor to process the personal data the Company shall require that the processing of the data is performed only in accordance with the instructions given by the Company. The relations between the Company and the data processor shall be regulated in a written agreement, except the cases when such relations are laid down by the laws or other legal acts. 

 

6. PROVISION OF PERSONAL DATA

 

6.1. The personal data processed by the Company may be provided to other data recipients:

6.1.1. on the multiple basis – under the agreement of provision of personal data concluded between the Company and the data recipient. 

6.1.2. on the single basis – at the request of the data recipient and only in the cases specified in the legal acts. The request should specify the purpose of use of the data. 

6.2. In the event of provision of the data on the multiple basis, the Company and the data recipient shall conclude an agreement on the provision of data, which shall specify the purpose, terms and conditions as well as the procedure of use of the personal data.

 

7. FINAL PROVISIONS

 

7.1. The present Rules shall become effective on 24 May 2018.