Privacy Policy
Legality, MB (“Legality” or “we”) values the privacy and protection of personal data and adheres to the data processing principles set out in this privacy policy. We believe it is essential to ensure the integrity and confidentiality of personal data and to ensure that personal data is processed lawfully. This privacy policy explains how we collect and use personal data, including on our website www.sanctionsbridge.com.
1. Concepts and definitions
1.1 Personal data is any information relating to an identified or identifiable natural person (“data subject”); an identified or identifiable natural person is a person who can be identified directly or indirectly, in particular by an identifier such as name, personal identification number, location data and online identifier, or by one or more factors specific to physical, physiological, genetic, mental, economic, cultural or social identity.
1.2 Processing of personal data means any operation or set of operations that is performed on personal data or sets of personal data, whether by automated means, such as collection, recording, sorting, organization, storage, adaptation or alteration, output, access, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination with other data, restriction, erasure or destruction.
1.3 “Controller” means a natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of processing; where the purposes and means of such processing are laid down by European Union or Member State law, the controller or specific criteria for its determination may be laid down by European Union or Member State law.
1.4 “Processor” means a natural or legal person, public authority, agency or other organization that processes Personal Data on behalf of the Controller.
1.5 “Third Party” means a natural or legal person, public authority, agency or other body other than the data subject, controller, processor or persons authorized to process personal data under the express instructions of the controller or processor.
1.6 A personal data breach is a security breach that results in the unintentional or unauthorized destruction, loss, alteration, unauthorized disclosure, unauthorized access or unauthorized transfer, unauthorized storage or unauthorized processing of personal data.
1.7 “Data Subject” means the person whose data is processed (e.g. a natural person customer, a website user or a contact person of a legal person customer).
1.8 GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
2. Principles
2.1 Legality and the personal data processors we use process personal data in accordance with the following principles:
2.1.1. lawfulness, fairness and transparency – the processing of the data subject’s data is lawful, fair and transparent;
2.1.2. purpose limitation – personal data is collected for specific, explicit and legitimate purposes and shall not be further processed in a manner incompatible with these purposes;
2.1.3. data minimization – personal data are adequate, relevant and necessary only for the purposes for which they are processed;
2.1.4. accuracy – personal data is accurate and up to date; we take reasonable steps to ensure that inaccurate personal data is deleted or corrected;
2.1.5. limitation of storage period – personal data shall be stored in a form that allows identification of the data subject for no longer than is necessary for the purposes of personal data processing, subject to applicable law;
2.1.6. integrity and confidentiality – personal data shall be processed in such a way as to ensure, through appropriate technical or organizational measures, adequate security of personal data, including protection against unauthorized or unlawful processing, as well as against accidental loss, destruction or damage.
3. Security of data processing
3.1 Legality takes necessary and appropriate organizational, physical and technological measures, taking into account the risks, to protect personal data. These measures include policies and procedures for data and IT infrastructure management staff, internal and external networks, as well as for the protection of all equipment and Nikitinas Legal’s headquarters.
3.2 Legality ensures that employees who process personal data are properly trained and informed.
3.3 Legality may use processors to process personal data, and we ensure that all our processors process personal data in accordance with our instructions, applicable law and all appropriate organizational and technological safeguards.
4. Legal basis for processing
4.1 Legality processes personal data for the purpose of entering into a contract (including a contract with customers who are data controllers), for the performance of a legal obligation, in the legitimate interests or on the basis of the data subject’s consent.
4.1.1 We process personal data for the purpose of securing the performance of a contract, if the contract has already been concluded and the purpose of the contract cannot be achieved without processing the personal data.
4.1.2. Legal data processing obligations include processing of all personal data in accordance with relevant laws and regulations, such as the Labor Code of the Republic of Lithuania, the Law on the Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania, the Law on Audit of Financial Statements of the Republic of Lithuania, the Law on Accounting of the Republic of Lithuania, the Law on Joint Stock Companies of the Republic of Lithuania, the Civil Code of the Republic of Lithuania, EU legislation, etc.
4.1.3 We process personal data on the basis of legitimate interest to improve our services and to conduct and develop our business. We aim to ensure that our legitimate interests do not infringe the fundamental rights and freedoms of the data subject.
4.1.4 If the lawful basis for processing personal data is consent, we will only process the specific data for which the data subject has given consent. Consent is given freely, specifically and knowingly. Consent may be withdrawn by the data subject at any time, as easily as it was given.
5. Controller or data processor and data collection
5.1 Nikitinas Legal may act as a controller or processor for various data processing operations. In order to protect the privacy rights of data subjects, Nikitinas Legal respects the principle of confidentiality and strictly limits the disclosure of personal data.
5.2 Only authorized persons of Legality are entitled to modify and process personal data.
5.3 Legality processes personal data received from the data subject (i.e. the person who provided the personal data) directly or indirectly (via business customers).
6. Types of personal data
Personal data of Legality, customers, employees, representatives, participants, members of bodies, third parties, employees, representatives, participants, members of bodies of affiliated companies – natural persons and representatives of legal entities whose data are necessary for the purposes specified in clause 7.
6.1 Personal identification data: name, personal identification number (ID number) and/or date of birth; identity card/passport data, signature.
6.2 Contact information: e-mail address, contact phone number, postal address (place of residence).
6.3. Other personal data directly and/or indirectly obtained by us and processed by us for the purposes set out in clause 7, such as number of children, marital status, salary, bank account number, assets, health status (in connection with the provision of accounting services to clients).
6.4 Internet data: website session data, cookies, log data and IP addresses.
7. Purposes of personal data processing
7.1 The purposes of processing personal data specified in Section 6 of this Privacy Policy are:
7.1.1. provide audit and internal audit services in accordance with the Law on Audit of Financial Statements of the Republic of Lithuania and other relevant legal acts;
7.1.2. provide accounting services in accordance with the Law on Accounting of the Republic of Lithuania and other legal acts and applicable standards;
7.1.3. provide consulting services (legal, tax, financial) in accordance with the current legislation;
7.1.4. offer tax, legal, financial and other business consulting, accounting and auditing services;
7.1.5. send out newsletters and conduct customer satisfaction surveys (for marketing purposes);
7.1.6. manage buy and sell accounts;
7.1.7. make purchases and orders (goods, services);
7.1.8. internal management (policies, labor contracts, events, etc.);
7.1.9. fulfill obligations under contracts with partners;
7.1.10 fulfill all legal obligations and related actions.
8. Storage of personal data
8.1 Legality stores personal data only as long as necessary to achieve the purpose for which the personal data is processed, unless otherwise provided for by applicable law. Specific retention periods for documents and personal data contained therein shall be set forth in the documentation plan approved by the Head of Legality, which shall be regularly updated taking into account the applicable law and Legality’s internal procedures.
9. Third parties and data processors
9.1 Personal data may only be transferred if the conditions for transfer to third countries or international organizations set out in Chapter V of the GDPR and other laws governing the protection of personal data are met, i.e. if an adequate level of protection of the transferred personal data is ensured.
9.2 Notwithstanding any access restrictions, Legality will provide personal data to an organization or person(s) who have the right to request the data under the law (e.g. police, court, supervisory authority, etc.).
10. Rights of the data subject, information for the data subject
10.1 Categories of recipients: IT, service providers, public authorities, partners.
10.2 Source of origin of the data subject’s data: legal person (e.g. employer, partner, customer), publicly available information sources (e.g. websites, institutional public databases).
10.3 We do not use automated decision-making to process personal data of the data subject.
10.4 The Data Subject has the right to contact us at info@sanctionsbridge.com with a request for:
• information and access to processed personal data;
• correction of your personal data;
• deletion of your personal data;
• limiting the processing of your personal data;
• providing your personal data in a structured, machine-readable format.
10.5 Requests made by a data subject must include: information that will enable us to identify you as the data subject; the action requested; and the personal data in respect of which the action is requested.
10.6 We will process the Data Subject’s request within 20 working days of receipt and inform the Data Subject of the action taken in response to the request.
10.7 You (the data subject) will be informed in the form in which the request was made. If you believe that your rights have been violated due to our processing of your personal data, you have the right to contact the supervisory authority – the State Data Protection Inspectorate; company code 188607912; address – Juozapavičiaus g. 6, 09310 Vilnius; tel. (8 5) 271 2804, 279 1445; fax. (8 5) 261 9494; e-mail ada@ada.lt.
11. Personal data breach
11.1 All data controllers are required to notify the National Data Protection Inspectorate of data breaches where there is a serious risk to the security of personal data.
11.2 Personal data breaches must be reported to the State Data Protection Inspectorate of the Republic of Lithuania within 72 hours.
The notice must state:
– The nature of the data breach, categories of data subjects and their approximate number, categories of personal data records and their approximate number;
– The name and contact details of the Data Protection Officer or other contact person who can provide additional information;
– A description of the possible consequences of a breach of personal data confidentiality;
– A description of the measures taken or expected to be taken by the controller to address the personal data breach;
– Other information in accordance with applicable law and Nikitinas Legal’s internal procedures.
11.3 In cases where there is a serious risk to the security of personal data, Legality, as the controller of personal data, shall notify the data subject (if technologically feasible) and/or another controller of personal data (e.g., a legal entity that has lawfully transferred personal data to Legality, which also acts as the controller of personal data) of the personal data breach. The notification must contain the information specified in clause 11.2. The notification must be sent to the data subject electronically within 48 hours of the security breach, but no later than the deadline specified in clause 11.2.
11.4 Legality, as a processor of personal data, shall notify the controller who transferred the personal data of security breaches of personal data when there is a serious risk to the security of the personal data. The notification must include the information specified in clause 11.2. The notification must be sent to the data subject electronically within 48 hours of the security breach, but no later than the deadline specified in clause 11.2, or in accordance with written instructions provided to us by the controller of the personal data (personal data processing agreement).
12. Cookies
12.1 The website www.sanctionsbridge.com, operated by Legality, uses cookies to improve the user experience on the website.
12.2 A cookie is a small text file that is automatically stored on a user’s device by a web browser.
12.3 We use cookies to collect personalized and aggregated statistics about the number of visitors to the site and site usage information to make our site more user-friendly.
12.4 You can refuse or block cookies on your device, but this may mean that the website will not function properly and all services may not be available. To refuse or block cookies you will need to change your browser settings.
13. Changes to the Privacy Policy
13.1 Personal privacy is important to Legality and we regularly update this privacy policy. The latest version of this privacy policy is always available on the Legality website.
14. Other provisions
14.1 Liability for violations in the field of personal data processing shall be incurred in the manner prescribed by law. Each party shall be liable for damages resulting from its unlawful actions.
14.2 All disputes between the Parties shall be settled by negotiations. If it is impossible to settle a dispute through negotiations, disputes shall be settled in the courts of the Republic of Lithuania in the manner prescribed by the legislation of the Republic of Lithuania.
14.3 Where Legality acts as a controller of personal data, this Policy, internal documentation and applicable law shall apply. If Legality acts as a processor of personal data (e.g. provides accounting, consulting services to a client on behalf of that client), it is necessary to follow the written instructions provided by the personal data controller (client), which must not contradict the applicable law and internal procedures.
15. Contact information
15.1 If you have any questions or suggestions relating to the processing of personal data, please contact the Data Controller using the contact details provided:
Legality, MB
Rokiškio g. 2-2, LT-01125 Vilnius
info@sanctionsbridge.com