Personal data protection officer contacts:
Phone number: +37068700300
Email address: firstname.lastname@example.org
PERSONAL INFORMATION MANAGEMENT RULES
Personal information management rules (hereinafter – the Rules) regulate the management of personal information at "NEO Finance" PJSC, ensuring adherence to and implementation of the law on the legal protection of personal information of the Republic of Lithuania, the payment initiation service good practice principles prepared by the Bank of Lithuania, and other legislation that specifies the management and protection of personal information.
The purpose of the Rules is to provide the main measures for personal information management, technical measures for exercising the data subject's rights, and organisational data protection measures, both when personal information is managed automatically and when systematised files of personal information (lists, files, etc.) are managed in a non-automated way.
Personal information manager is "NEO Finance" PJSC, its code of legal entity is 303225546, registered office address – Verkių g. 25C-1, Vilnius, the Republic of Lithuania. The Company is registered in the register of personal information managers, data manager identification code P5901 is assigned to the Company.
Data subject is a natural person, who intends to commence or who has already commenced business relations with data manager, or whose business relations have ended, but whose data is managed by the data manager under the imperative provisions of the legislation, or who did not commence business relations with data subject at his own initiative, but data subject manages his personal information under the imperative provisions of the legislation.
The rules must be followed by all persons, who work under the employment agreements at "NEO Finance" PJSC (hereinafter the employees) and manage personal information at "NEO Finance" PJSC or to whom it becomes known during the performance of their duties, and other persons, who provide services on the contractual grounds, who can manage personal information.
Adherence to the personal information management and protection principles is ensured by the manager of "NEO Finance" PJSC, who takes the respective measures (orders, instructions, recommendations).
The management of data subject's personal information is regulated by the law on the legal protection of personal information of the Republic of Lithuania, the payment initiation service good practice principles prepared by the Bank of Lithuania, and other legislation that regulates the collection of such information, as well as these Rules.
MAIN PRINCIPLES, OBJECTIVES, TIMEFRAMES AND REQUIREMENTS OF THE PERSONAL INFORMATION MANAGEMENT
During performance of their duties and when managing personal information, employees of the data manager must follow the following principles of the personal information management and security:
Personal information is collected for the defined and lawful objectives that are specified in the legislation, and is managed in ways that are harmonised with these objectives;
During the collection and management of personal information, the principles of expediency and proportionality are adhered to; excessive information is neither stored nor managed;
Personal information is managed accurately, honestly and lawfully;
Personal information must be accurate and constantly updated if that is needed for the management of the personal information;
Personal information is stored in such form that the identity of the data subjects could be identified for as long as that is needed for the purposes for which this information was collected and managed, i. e. until the complete fulfillment of obligations under the concluded agreements, also in other ways and for other durations that are specified in the provisions of the legislation of the Republic of Lithuania that is in effect;
Personal information is managed according to clear requirements of personal information management that are specified in the law on the legal protection of personal information of the Republic of Lithuania and other legislation that regulates the specific activity. Personal information is also managed with respect to the payment initiation service good practice principles prepared by the Bank of Lithuania.
Purposes of the personal information management:
Prevention of money laundering and terrorist financing, implementation of know your customer (KYC) principle, proper evaluation of creditworthiness before the conclusion of agreements, debt management, proper provision of financing services, for the purposes of the protection and defence of lawful interests of "NEO Finance" PJSC;
Personal information managed by the data manager:
The following personal information of the data subjects is managed for the purposes specified in the sub-paragraph "a" of the paragraph 2 of the section II of the Rules: name, last name, personal code, date of birth, declared and factual place of residence (address), details of the data subject's identity verification documentation, information specified in the data subject's identification questionnaire, mobile phone number, email address, bank account number, credit amount, dates of debt occurrence and settlement, debt amount, number of overdue days, data of applications, credit history, obligations to finance institutions and other persons, insured and other income, sources thereof, information about the engagement in economic and other activity, received benefits of the state social insurance, marital status, number of under-age children and/or dependants, information about whether the capacity of data subject is restricted or not, other information about a person that is required for the proper provision of services to the data subject, as well as copies of all received documents, certifications of digital signature, copies thereof, information from data bases, etc. All aforementioned personal information of the legal entity's authorised representatives and/or beneficiaries (natural persons) can be managed. Prior to the commencement of business relations, this information is managed on the basis of the data subject's consent (paragraph 1 of the section 1 of LLPPI); after the commencement of business relations – on the grounds of the concluded agreement (paragraph 2 of the section 1 of LLPPI).
The following personal information of the data subjects - natural persons and authorised representatives and/or beneficiaries of legal persons, is managed for the purposes specified in the sub-paragraph "b" of the paragraph 2 of the section II of the Rules: name, last name, phone number, and email address, and in exceptional cases: commentaries about the use of company services that are voluntarily submitted by the data subject. This information is managed only on the grounds of paragraph 1 of the section 1 of LLPPI.
Personal information is collected only according to the legislation. Such information can be collected by receiving it directly from the data subject or by officially requesting the required information from subjects that manage it and have the right to provide it, or by accessing under the agreements or legislation, the data bases, registers and information systems that accumulate individual information.
Employees have the right to collect, manage, transfer, store, destroy or use personal information in any other way only when performing the direct functions of their job and only according to the legislation.
Employees are forbidden from collecting, managing, transferring, storing, destroying or otherwise managing personal information, and from using personal information for personal objectives that are not work related.
Commentaries about the use of company services that are voluntarily submitted by the data subject can be published publicly on the web page of the company when having a written consent for that. Period for the validity of consent – no more than 5 years. Time frames specified in parts 1 and 2 of the section IV of these rules, do not apply to this personal information.
PROVISION OF PERSONAL INFORMATION
"NEO Finance" PJSC can submit personal information that it manages to be accessed by third parties, who have the right to obtain personal information granted by laws or other legislation, only for defined and lawful purposes.
Personal information can be submitted in the following ways: in writing, via means of electronic communications, by accessing the data bases or information systems that accumulate individual information, or in other way agreed by data managers.
Non-automated provision of personal information, when personal information is submitted not to the data subject itself, must be approved by "NEO Finance" PJSC manager, except in cases, when information is submitted to the supervision institution.
STORAGE AND DESTRUCTION OF PERSONAL INFORMATION
The personal information of the data subjects that is managed for the purposes specified in the sub-paragraph "a" of the paragraph 2 of the section II of the Rules is stored for 10 (ten) years after the end of business relations, in cases of: proper execution of a transaction, debt settlement, and closing of the electronic funds account. If the transaction was not performed, personal information is stored for no more than 1 (one) year from the date of its reception, except if there is a written request received from the data subject regarding the destruction of his personal information that is managed by "NEO Finance" PJSC. If such a request is received, personal information is destroyed immediately and the data subject is informed thereof. If performance of the transaction was refused due to the implementation of the money laundering and terrorist financing prevention measures, personal information is stored for 10 years from the moment of refusal under the law on the prevention of money laundering and terrorist financing of the Republic of Lithuania.
Personal information for the purpose that is specified in sub paragraph "b" of the paragraph 2 of the section II of the Rules is stored for no longer than 1 (one) year from the end of business relations.
Employees who perform the functions of personal information management must protect the information and information files properly and safely, and also avoid making unneeded copies, in order to prevent accidental or unauthorised destruction, alteration or disclosure, and any unauthorised management of personal information. Copies of documents that specify personal information must be destroyed in such a way that these documents cannot be restored and their contents cannot be identified.
Copies of personal information can be stored electronically as well.
Personal information is stored for no longer than is required for the purposes of data management. The moment personal information is no longer needed for its management purposes, it must be destroyed beyond restoration.
After the deadlines that are specified in the Rules are reached, personal information that is stored in the electronic format is destroyed automatically due to the programming peculiarities of the system. Personal information that is stored in physical format (e.g. documents with personal information) is destroyed by the employees of the Company by the use of technical means (e.g. secure document shredders). Destruction manifests in actions due to which the information cannot be restored.
During the destruction of personal information that is managed automatically, it is destroyed in the active, as well as in the passive data base at the same time.
ASSURANCE OF PERSONAL INFORMATION SECURITY
"NEO Finance" PJSC implements proper organizational and technical measures, intended to protect personal information from an accidental or unlawful destruction, alteration, disclosure, as well as from any other unauthorised management.
Data manager undertakes not to divulge personal information of the data subject to third parties, except to the employees of the data manager and auditors, if that is necessary according to the imperative provisions of the legislation. Prior to the performance of the data management functions, employees of the data manager are familiarised with these Rules, as well as all legislation that regulates data protection.
Employees of the data manager must follow the principle of confidentiality and keep secret any information related to the personal information that became known to them during the performance of their duties, unless such information would be public according to the provisions of laws and other legislation that is in effect.
Employees from whose computers data bases and local network areas, where personal information is stored, can be accessed, must use passwords. Passwords must be changed no less than every 3 (three) calendar months, and their confidentiality must be ensured. It is determined by separate rules.
After employment relations end, the rights and possibilities of the employee's access to the personal information are revoked. Employee's ability to access data bases, where personal information is stored and/or kept, can be terminated and/or restricted by the order of the manager of "NEO Finance" PJSC.
The following entries concerning access to the personal information data bases by the employees who manage personal information are recorded: login identifier, date, time, duration, login result (successful, unsuccessful), files that were accessed, actions that were performed with the personal information (entry, review, alteration, destruction, copying). These entries are stored for no less than 1 (one) year.
Supervision of the system administrator is performed by the manager of "NEO Finance" PJSC.
Protection from malware is ensured in computerised work stations. Installed anti-virus programs are constantly updated.
If backups of personal information are made, they are stored in a different geographic location than the active (functioning) data base, and lost personal information is restored from the backups. In case of critical loss of personal information, the time of its restoration and the persons who performed these actions are registered. Details of this procedure are specified in the Business continuity plan.
When data recipients transfer the data over external data transfer networks, this information must be transferred by using the secure HTTPS protocol or special software.
Evaluation of the risk presented by the personal information is performed by identifying the probabilities and risk of threats, with respect to the integrity, accessibility and confidentiality of data according to every objective of the personal information management.
If employees notice breaches of personal information protection, signs of criminal activity, or non-functioning personal information protection assurance measures, they must immediately notify the manager of "NEO Finance" PJSC thereof.
Security of the premises, where the personal information is stored, is ensured by limiting the access of the unauthorised persons to the respective premises by locking them and installing an alarm system.
MANAGEMENT OF THE PERSONAL INFORMATION OF PAYMENT INITIATION SERVICE USER
1. During the performance of payment initiation services, "NEO Finance" PJSC must additionally adhere to the following principles:
1.1. Personal information is used only for the clearly defined and lawful purpose to provide payment initiation service, according to the payment initiation service good practice principles prepared by the Bank of Lithuania;
1.2. The user of the payment initiation service can use payment initiation service only, when he actively confirms that the information about him that was received during the provision of payment initiation service, would be used for the performance of the operation of the payment initiation service;
1.3. The user of the payment initiation service is asked to provide only the information that is needed for the provision of the payment initiation service.
2. Personalised security features of the payment initiation service user can be accessible only to the user himself and to the issuer of his security features.
3. "NEO Finance" PJSC undertakes:
3.1. Not to store non-publishable information of the payment initiation service user, i. e. any information that could be used for fraud and that includes personalised security features.
3.2. Not to divulge the personal information of the user of the payment initiation service to third parties.
3.3. Not to use the personal information of the user of the payment initiation service for objectives other than the provision of the payment initiation service.
4. "NEO Finance" PJSC confirms that the program measures that it uses are programmed in such a way that the information of the payment initiation service user cannot be stored or kept, or managed in any other way.
5. Payment information of the payment initiation service user is not included into the contents of the information that are stored for 10 (ten) years, as it is specified in the paragraph 1 of the section IV of the Rules.
DATA SUBJECT'S RIGHTS AND TERMS OF THEIR EXERCISING
After data subject presents a document that verifies its identity, it gets the right to:
familiarise himself with his personal information that is managed by "NEO Finance" PJSC and receive information about the sources from which his personal information was collected and what kind of information was collected, for what purpose it is managed, and to whom it is presented, as well as claim his right to data portability;
demand the correction or destruction of his personal information or the suspension of Personal information management actions, except for storage, when Personal information is managed without following the provisions of the law on the legal protection of personal information and other laws;
refuse to have his personal information managed for the purposes of direct marketing, without specifying the motives for the refusal;
refuse to have his personal information managed for a lawful interest that is pursued by the Company or a third party to whom his personal information is presented, by specifying the motives for the refusal.
At the request of the data subject, "NEO Finance" PJSC must notify the data subject about the termination of his personal information management actions or a refusal to terminate the actions of the personal information management.
These Rules come into effect on the day of their approval and are valid till their annulment or amendment by the order of the Company manager.
Amendment or invalidation of any provision of these Rules due to the amendment or invalidation of the imperative provisions of the legislation does not affect the validity of the other provisions of the Rules. In such a case, the legislation is followed directly instead of the void provisions.
These Rules must be reviewed no less than once per calendar year, and amended, in case of the amendment of the imperative legislation.