Privacy Policy
Updated: 2025-01-30
The company MB Bearitstudio (company code: 307042574, address: Verkių g. 39-384, Vilnius) receives and processes the following data for the purposes of providing services (Computer programming activities), communication and location determination and execution:
  1. The name, surname, address, telephone number, e-mail address of the Company's employee, history of contacting the Company (information transmitted, for example, by telephone or e-mail).
  2. Name of the company or institution, legal entity code, address, contact telephone number, contact email address, history of contacting the Company (information transmitted, for example, by telephone or email).
  3. The company's patients' names, surnames, addresses, contact telephone numbers, and other transmitted information.
  4. The location of the Company's employees who use the "Atvykis" app and grant location tracking permission in the app itself, both when using the App and when it is running in the background after the app has been closed. The location of the Company's employees is determined, collected and processed for the following purposes:
    4.1. To track work-related movements and confirm their presence at the workplace;
    4.2. To accurately determine the time and location of their arrival at and departure from the workplace;
    4.3. To automatically confirm their presence at the workplace;
    4.4. To ensure working time accounting;
    4.5. To inform about successful location recording, errors and technical malfunctions in the app, and to remind you about important events or changes.

    The location data of the Company's employee will not be used for any other purposes.

    Notifications will help ensure the smooth operation of the app and will allow you to be informed about important events.

    In order for the "Atvykis" app to work properly in the background and track the location of the Company's employee, battery optimization must be disabled. This is necessary because:
    4.6. Battery optimization may stop location tracking;
    4.7. This may prevent accurate recording of their working time;
    4.8. The app must run in the background to ensure accurate time tracking.
  5. I confirm that I have been informed of my right to:
    1. Know (be informed) about the processing of my personal data;
    2. Get acquainted with my personal data and how they are processed;
    3. Require correction, clarification or supplementation of my incorrect or incomplete personal data;
    4. Withdraw this consent at any time, without affecting the lawfulness of data processing based on consent until the consent is withdrawn;
    5. Object to data processing;
    6. For any questions regarding the processing of personal data, please contact vytautas@bearitstudio.lt by e-mail;
    7. With a complaint, contact the State Personal Data Protection Inspectorate by e-mail: ada@ada.lt.
I am also informed that my personal data may be transferred to third parties, such as state institutions and agencies and other persons performing functions assigned to them by law (for example, the State Tax Inspectorate, SODRA, law enforcement institutions).
Personal data is processed and stored in accordance with the procedure established by the General Data Protection Regulation, the Law of the Republic of Lithuania on the Legal Protection of Personal Data, and other legal acts regulating the protection of personal data.
Data Controller
MB Bearitstudio, as a data processor, in implementing the requirements of the General Data Protection Regulation (hereinafter referred to as the GDPR), must use only those partners who ensure that appropriate technical and organizational data security measures will be implemented in such a way that data processing complies with the requirements of the GDPR and the protection of the rights of data subjects is ensured.
  1. Nature of services provided to the Company:
    IT services.
  2. Will [supplier] process special categories of personal data?
    No.
  3. Data subjects whose personal data will be processed by [supplier]:
    Company employees, Company clients/patients, additional information to be specified by company employees.
  4. Please indicate the country(ies) in which personal data is stored, processed or transferred:
    Lithuania, Germany (AWS data center).
  5. What security measures does [supplier] take when transferring personal data within the European Economic Area?
    Only secure data transmission protocols are used, data is encrypted, and only top-level third-party services are used: Amazon Web Services, Heroku hosting.
  6. What security measures does [supplier] take when transferring personal data outside the European Economic Area?
    No data is transferred outside the European Union.
  7. Personal data processing activities are registered and regularly updated (including processing purposes, categories of data subjects, categories of personal data processed, categories of recipients, etc.):
    Yes.
  8. I confirm that measures have been implemented to enable subjects to exercise the rights established by the GDPR:
    Right to access personal data: YES
    Right to request rectification of data: YES
    Right to request erasure of personal data: YES
    Right to restrict processing of personal data: YES
    Right to data portability: YES
    Right to object to processing of personal data: YES
  9. What is the expected period of personal data processing?
    The data will be destroyed after the expiry of the personal data processing period (term); the data will be deleted upon the Data Controller's request to delete the processed personal data; upon request, the data will be transferred to the Data Controller. The term of data processing is set out in the Master/Data Processing Agreement.
  10. Ensuring compliance with the GDPR:
    Measures taken to ensure the security of personal data: [supplier] has implemented the recommendations of the State Data Protection Inspectorate on "Implementation of appropriate organizational and technical data security measures for personal data controllers and processors" (Annex 1).
  11. Have you assessed the compliance of subprocessors with the requirements of legal acts governing the protection of personal data?
    YES.
  12. Do you include provisions in contracts with subprocessors that regulate the processing of personal data and ensure the protection of [suppliers'] personal data?
    YES.
  13. An Information Security Policy has been approved and implemented, updated at least once a year:
    YES
  14. Where the controller has confirmed that the processor may use sub-processors, the processor must ensure that the sub-processor is subject to the same data protection requirements as those specified in the data processing contract between the controller and the main processor. The processor must ensure that any sub-processor complies with its data protection obligations. The processor must therefore audit the sub-processor.
Appendix 1
Organizational measures
  1. Roles and responsibilities related to the processing of personal data are allocated and defined in accordance with the security policy, the revocation of employees' rights and obligations is clearly defined, and appropriate procedures for the transfer or assignment of roles and responsibilities are applied:
    YES.
  2. Each role related to the processing of personal data is assigned specific access control rights, based on the "need to know" and/or "need to use" principles:
    YES.
  3. The organization has a regularly reviewed and updated IT resource register, its management is assigned to a specific person:
    YES.
  4. A security incident response plan, roles and responsibilities, and a contact person are established to ensure the prompt and effective management of incidents related to the security of personal data. The entire organization is familiarized with this plan, personnel are informed of the responsibility to immediately report information security incidents and the contact person to whom the incident should be reported. Personal data security breaches are recorded (documented), and a procedure for reporting personal data security incidents to management, competent authorities, and data subjects is established:
    YES.
  5. There are basic procedures in place to ensure the necessary continuity and availability of personal data processing in IT systems:
    YES.
  6. The organization has procedures and measures for the transfer of personal data in place and applied:
    YES.
  7. The employment contract or other document clearly sets out roles, responsibilities and obligations related to the personal data security policy applied in the organisation. The responsibilities and obligations after the end of the employment relationship (e.g. confidentiality; return/destruction of personal data) are also clearly set out:
    YES.
  8. It is ensured that all employees understand their responsibilities and obligations related to the processing of personal data and understand the consequences of a breach of the personal data security policy. All employees are informed about the security requirements of IT systems related to their daily work, employees related to the processing of personal data are regularly trained on data security requirements and responsibilities:
    YES.
  9. The organization ensures that the organization's personal data security policy is followed and implemented in the remote workplace:
    YES.
  10. It is ensured that the personal data processed in the organization can only be physically accessed in a manner established and permitted by the organization. Physical protection of the environment and premises containing the IT systems infrastructure from unauthorized access has been implemented. It is also ensured that no freely accessible network devices or unused network cables are left:
    YES.
  11. The physical security policy is documented as part of the personal data security policy:
    YES.
  12. The organization implements a clean "desk" and "screen" policy. End devices are protected, e.g., by passwords, PIN codes, biometric data or other security measures. Personal data is not left freely accessible, visible in the workplace:
    YES.
  13. Before any data medium is removed, all data on it is destroyed using dedicated software. If this is not possible (e.g. DVD media), the data medium is physically destroyed without the possibility of recovery:
    YES.
  14. Paper and portable data carriers (e.g. DVD media) on which personal data was stored and collected are destroyed using dedicated shredders or other mechanical means:
    YES.
Technical measures
  1. An access control system has been implemented that applies to all users of the IT system; it must allow the creation, approval, review and deletion of user accounts; where a shared user account is used, it is ensured that all users of the shared account have the same rights and responsibilities; an authentication mechanism is in place to allow access to the IT system (minimum requirement: user login name and password); the password is created taking into account a defined level of complexity and is stored in encrypted form; the access control system can detect and prevent the use of passwords that do not meet the required level of complexity:
    YES.
  2. Mobile and portable device administration procedures are established and documented, clearly describing the appropriate use of such devices, including personal devices, if the organization allows their use. Mobile and portable devices that will be used to work with information systems are registered and authorized before use and have a sufficient level of access control procedures, as are other equipment used to process personal data:
    YES.
  3. Antivirus software is installed. Antivirus software databases must be updated at least once a day. Users do not have privileged rights to install, remove, or administer unauthorized software. Critical operating system security updates are installed regularly and promptly:
    YES.
  4. Database and application servers are configured to operate using separate accounts with the lowest operating system privileges assigned; they process only those personal data that are necessary for work that meets the purposes of data processing:
    YES.
  5. IT systems used to process personal data have technical log records showing all access information to personal data, they have time stamps and are protected against possible damage, falsification or unauthorized access, the timekeeping mechanisms used in IT systems are synchronized according to a common time reference source:
    Not applicable.
  6. When access to the IT systems used is via the Internet, an encrypted communication channel is used, i.e. cryptographic protocols (e.g. TLS/SSL):
    YES.
  7. Backup and data recovery procedures are defined, documented and clearly linked to roles and responsibilities; an appropriate level of physical environmental and premises security is ensured for backup media; the backup process is monitored to ensure its completeness; full data backups are made regularly:
    YES.
  8. All significant changes to IT systems are monitored and recorded by a specific person (e.g. IT or security specialist):
    YES.
  9. The software used in the information system complies with software security best practices, security best practices applied in software development, software development frameworks, and standards. Specific security requirements related to the specifics of the organization's activities are defined in the initial stages of software development; programming standards and good practices ensuring data security are followed; and after software development, testing, and verification, basic security requirements are already met from the start of the system's installation and operation.