PERSONAL DATA SECURITY RULES
Data controller (hereinafter – CATFLY) – means UAB „Rainė“, a company established under the laws of the Republic of Lithuania: address: Gedimino g. 45-7, LT-44239 Kaunas, Lithuania; registration code: 304456342, e-mail: email@example.com; website: www.catfly.com.
Rules – means these Personal data security rules which CATFLY adheres when performing Personal data controlling and processing actions.
Personal data – means any information relating to natural person – the Data subject, who is identified or directly or indirectly identifiable by using such identifiers as a an personal identification number, one or more factors specific to the physical, physiological, economic, cultural or social identity of that natural person.
Data processing – means any operation which is performed on Personal data such as: collecting, recording, organizing, storing, classifying, grouping, combining, altering (supplementing or correcting), transferring, publishing, using, logical and (or) arithmetical operations, searching, disseminating, destructing or other operation or set of operations.
Data processor – means natural or legal entity, public authority, agency or other body which processes Personal data on behalf of the Data controller.
Automated data processing – means data processing operations completely or in part performed by automated means.
Consent – means any freely given, voluntary expression of will of acceptance to Personal data processing of the Data subject.
Direct marketing – means the activity of offering goods or services to persons by post, telephone or other means of direct contact and (or) asking their opinion on the goods or services offered.
Services – means entertainment services provided by the Data controller or via Third-Party websites on the Website (quizzes, surveys, photo-mapping, etc.) for the provision of which Personal data is used.
Cookies – means files uploaded to Users computer, phone or tablet, or other device when the User visits the Website, and which can be used to identify the User to the Website.
User – means a natural person who uses the Services of CATFLY.
Data subject – means a User, who connected to the Website of CATFLY or uses the Services of CATFLY using Facebook Account, and who provided his Personal data and the Consent to CATFLY.
Website – means CATFLY controlled and administered website www.catfly.com, dedicated to provide CATFLY Services.
User Account – means a unique informational profile of the User who connected to CATFLY using Facebook Account thus submitted Personal data to CATFLY, where the User can access his Personal data which he has already submitted and perform other actions.
Facebook Account – means a User-controlled account created in the website www.facebook.com.
Third Party – means natural or legal person other than Data controller, User or Data subject.
Other definitions used in these Rules correspond to definitions established in Personal data legal protection law no. I-1374 of the Republic of Lithuania and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter – GDPR).
The Rules come along with Terms of Services (hereinafter – TOS), accessible at: http://www.catfly.com/terms
The purpose of these Rules is to regulate the principles and procedures for collecting, processing and storing Personal data of the Data subjects, as well as establishing the rights of Data subjects, the potential risks for Personal data security breaches, Personal data protection measures and other matters related to the processing of Personal data.
The Rules are drafted in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, Personal data legal protection law no. I-1374 of the Republic of Lithuania and other legal acts regulating Personal data processing and protection.
CATFLY processes Personal data, in accordance with these Rules, for the following purposes:
For identifying the Users on the Website;
For the proper performance of contractual obligations which CATFLY assumes with the Data subject, i.e. provision of Services;
For direct marketing purposes.
CATFLY follows the following principles for data processing:
Personal data is collected for defined and legitimate purposes;
Personal data is processed accurately and conscientiously;
Personal data is processed only for legitimate interests;
Personal data may be constantly updated;
Personal data is stored no longer than it is required by the Regulation or other laws and legal acts;
Personal data is only processed by the employees that are authorized by the head of CATFLY.
Personal data provided by the Data subject is considered to be confidential information that may be disclosed to Third Parties only in the cases provided by the law;
CATFLY for direct marketing purposes uses only that Personal data provided by the Data subject that is provided voluntarily and expressly Consenting to the processing of Personal data for direct marketing purposes.
The Data subject must get acquainted with these Rules and read them before submitting his/her Personal data on the Website of CATFLY and issuing his/her Consent. CATFLY allows the Data subject to access these Rules at any time on the Website.
Information about the amendments and/or updates of these Rules is conveyed to the Data subject by e-mails, sent according to contact details provided by the Data subject. The Data subject shall have the right to withdraw the Consent if he/she does not agree with the amendments of the Rules, upon receiving the withdrawal of the Consent, CATFLY immediately destroys all of the Personal data of the Data subject in its possession.
3. COLLECTING, PROCESSING AND STORING PERSONAL DATA
Personal data is processed by manual and automated means using Personal data processing measures of CATFLY.
CATFLY shall only process Personal data that is transferred to it by the User following the registration to the Website of CATFLY or when the User uses the Services of CATFLY through www.facebook.com platform and Consents to the specific User’s Personal data on the www.facebook.com platform being transferred to CATFLY for the purposes of providing the Services.
For the purposes and in accordance with procedures established in these Rules CATFLY processes the following Personal data:
User’s first name and last name which are indicated on the www.facebook.com platform;
Date of birth;
User’s “Like” information on the www.facebook.com platform;
User’s commenting information on the www.facebook.com platform;
User’s sharing information on the www.facebook.com platform;
User’s photos on the www.facebook.com platform;
User’s friend list on the www.facebook.com platform;
User’s IP address;
Time and date of the signing in to Website of CATFLY by the User;
Software versions of the internet browser and operating system of the User.
CATFLY receives and collects Personal data in the following ways:
When a User registers/signs in to the CATFLY Website, using a Facebook Account, CATFLY receives the data from Facebook (www.facebook.com);
When a User uses the Services of CATFLY without separate registration on the Website, CATFLY receives the data directly from Facebook (www.facebook.com);
Data collected by methods specified in the clauses 3.4.1 - 3.4.2 is collected and processed only with prior Consent of Data subject (the User).
Personal data specified in the clauses 3.3.1 – 3.3.3 of these Rules CATFLY processes when the User registers at CATFLY Website or provides such data for the purposes of using the Services.
Personal data specified in the clauses 3.3.4 – 3.3.12 of these Rules is processed by CATFLY when the User, seeking to use the Services of CATFLY, through the platform of Third Party (www.facebook.com) Consents that the Third Party (www.facebook.com) in that specific case will transfer the relevant Personal data to CATFLY. CATFLY accepts and processes the specific Personal data only to the extent necessary to provide the specific Service. For the avoidance of doubt, CATFLY notes that various Services of CATFLY require varying scope of Personal data specified in the paragraphs 3.3.4 – 3.3.12 of these Rules, accordingly, the User, seeking to receive specific Service of CATFLY, for the purposes of receiving the Service in each specific case indicates the Personal data he/she is transferring through www.facebook.com data transfer interface and Consents for the Personal data transferring.
CATFLY shall only collect and process Personal data of the Data subject when it is in advance provided with User’s clearly indicated Consent that his/her Personal data would be processed in accordance with the procedure and legal grounds provided in these Rules. User’s Consent may be expressed in two following ways:
Consenting that for the purposes of providing the Services the User’s Personal data would be transferred and processed by CATFLY, when registering to CATFLY Website;
Consenting on the www.facebook.com platform that for the purposes of providing the Services User-specified Personal data would be transferred to CATFLY, when transferring Personal data through www.facebook.com platform or by using the Services of CATFLY through www.facebook.com platform.
The Data subject has the right at any time to address CATFLY and to withdraw his Consent for the processing of Personal data. CATFLY allows the Data subject to withdraw its Consent or to alter the scope of Personal data processed by CATFLY. This can be done by signing in to CATFLY Website or by altering the relevant privacy settings in Facebook Account. In this case, part of the Website’s features may not work.
The right to process Personal data is granted to the employee of CATFLY only by the decision of the head of CATFLY. An employee who is authorized to process Personal data shall:
Do not disclose, transfer and submit to any means where Personal data would be accessible to persons who are not authorized to process them and who are not entitled to receive Personal data in accordance with these Rules or relevant;
Uphold the secrecy of Personal data;
Immediately inform the head of CATFLY or his authorized person of any known circumstances that may endanger Personal data security;
Comply with the provisions of legal acts regulating Personal data protection.
Personal data in CATFLY database is stored for 3 (three) months from the time when the last active action was performed on User’s Account or from the last time when the User submitted his Personal data for the purpose of receiving the Services of CATFLY. Upon expiration of the data storage in the database term, the Personal data of the User shall be destroyed, except the cases stipulated by the relevant laws, where Personal data cannot be erased due to proper implementation of that laws or the realization of legitimate interests.
Impersonalized and aggregated Personal data, i.e. such data that makes it impossible to identify a specific Data subject, as well as other data that cannot be linked to any specific person, may for statistical purposes be stored in CATFLY database indefinitely, depending on the needs of CATFLY.
TRANSFERRING PERSONAL DATA
CATFLY transfers Personal data only to the following categories of the data recipients:
For legal entities and organizations that ensure appropriate protection of Personal data and undertake to use Personal data transferred by CATFLY for lawful and legitimate purposes only;
For legal entities with whom CATFLY has concluded respective service contracts and for which only impersonalized and aggregated Personal data is transferred from which the recipient of the data could not identify the identity of the specific Data subject;
Authorities which have the right to receive Personal data and have submitted a document issued and valid in accordance with procedure established by legal acts of the Republic of Lithuania, which undoubtedly confirms the right of the recipient of the data to collect and process Personal data;
To Data subjects, when receiving a written request from the Data subject to provide the data about that Data subject which is possessed and processed by CATFLY.
CATFLY uses Google Analytics services to analyze User behavior on CATFLY Website. CATFLY informs that the Personal data of the User, who has given the Consent for Personal data processing, may be transferred to the operator of Google Analytics – Google Inc.; registration code: 0001288776; address: 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States of America.
CATFLY uses Facebook’s, a social networking website’s, plugin, which allows Facebook to receive information that the User has started using CATFLY Services. CATFLY informs that the Personal data of the User, who has given the Consent for Personal data processing, may be transferred to the operator of www.facebook.com – Facebook Inc.; registration code: 0001326801; address: 1601 Willow Road, Menlo Park, CA 94025, United States of America.
CATFLY indicates that it does not use and disclose to any Third Parties special categories of Personal data, related to Data subject’s health, racial origin, religious beliefs and political opinions, except the cases where such disclosure is required by the authorities and is based on the relevant laws or when the Data subject explicitly directs CATFLY to disclose special categories of Personal data to Third Parties.
CATFLY uses OPEND (http://www.useopend.com/), Advertising Technology platform which sends targeted advertising communications they deem to be relevant within accepted data categories. Data uploaded to OPEND becomes fully anonymized and encrypted on upload and they never see any Personal data. The following sectors are the industry types that the Users can expect to receive Third Party products, information, services or special offers from: Automotive, Broadband, Call Centre, Charity, Competition & Prize Draw, Daily deals, Dating, Debt, Education, Fashion and clothing, Finance (short term loans, pension reviews, car finance, investments, equity release, credit cards, investment & savings, claims companies, mortgages), Fitness, FMCG, Freebie Sites, Gaming, Gambling, Gardening, Government, Health & Well-being, Beauty, Home & Lifestyle, Mobility, Home Improvement, Home Furnishings, Household, IT/Technical, Insurance (Life, Home, Automotive, General, Health, Private Medical, Travel, Pet, Personal & Other), Legal Services (Injury Claims), Leisure, Lottery & Sweepstakes, Magazine Subscriptions, Mail Order, Market Research, Music, Online Bingo, Online retail, Pensions, Pharmaceutical, PPI, Premium Rate, Property, Product Testing, Publishing/Media, Reclaim (Flight Delay, PPI), Retail, Sport, Stores, Surveys, Telecoms, Toiletries/Cosmetics, Tracing, ID & Fraud, Travel (Holidays, Hotel, Airlines, Travel booking, Car hire, Parking, Caravans, Holiday homes, Time share), Utilities, Vehicle Test Driving.
Personal data may also be transferred to Third Parties in other cases stipulated in the laws or other legal acts of the Republic of Lithuania.
In all cases when transferring Personal data to Third Parties CATFLY shall ensure that Personal data processor or other subject receiving Personal data is capable of ensuring appropriate Personal data protection with accordance to the requirements of GDPR.
USER (AS THE DATA SUBJECT) RIGHTS AND THEIR IMPLEMENTATION
Data subject shall have the right at any time to address CATFLY with a request regarding providing the information about Data subject’s Personal data being processed. Upon the request of the Data subject, CATFLY, by post or by e-mail, within 20 calendar days provides the Data subject with Personal Data he requested and which is in CATFLY possession.
Among other things, the Data subject shall have the right be provided with the information on where the Personal data is collected from, what Personal data is being processed and what is the purpose of the processing.
Data subject when exercising his rights established on articles 5.1 and 5.2 of these Rules, shall have the right to be provided the Personal data associated with him in a systematized, commonly-used and computer-readable format. This data is provided to the Data subject free of charge.
Data subject shall have the right to obtain the rectification of false, incomplete and/or inaccurate Personal data of his and/or suspend the Personal data processing actions of such data, provided that the Data Subject determines that his Personal data is false, incomplete and/or inaccurate and Data Subject cannot rectify such data himself, or if he determines that Personal data is processed unlawfully and not in a good faith.
Data subject shall have the right to object to Personal data processing for the purposes of direct marketing. The right to object can be exercised by notifying CATFLY by post, e-mail or in the preferences of User’s Account.
Data subject has the right to object the Personal data processing and/or to obtain the erasure of Personal data (“the right to be forgotten”). Once received the request of the Data subject for the erasure of all of his Personal data CATFLY within 20 calendar days destroys the all of the Data subject’s Personal data in their possession and deletes the User Account of the Data subject on the Website.
CATFLY has the right to refuse to comply with Data subject’s request for the erasure of the Personal data or restriction of processing of Personal data, if it cannot terminate Personal data processing and erase Personal data due to obligations set in the relevant legal acts or due to lawful instructions of relevant authorities.
Data subject can exercise all of his rights established in these Rules by notifying CATFLY (by post: Gedimino g. 45-7, LT-44239 Kaunas, Lithuania; or by e-mail: firstname.lastname@example.org) and providing a personal identity document. In some cases, requests may be denied should they be of a repetitive nature, exaggerated or completely unfounded. The right to object that his Personal data would be used for the purposes of direct marketing Data subject can exercise in his User Account on the Website.
CATFLY ensures all other rights, guarantees and interests of the Data subject which are provided by applicable laws.
With regards to the fact that CATFLY is active not exclusively to the territory of the European Union, CATFLY does not guarantee that non-European Union citizens or residents who use the Services outside of the European Union will have access to the rights granted by these Rules.
If the User expresses Consent to the use of his/her e-mail address for direct marketing purposes, CATFLY may send e-mails and newsletters to the User.
If the User no longer Consents to his/her data being processed for the purposes of direct marketing, the User has the right to withdraw his Consent for Personal data processing for the purposes of direct marketing in the preferences of his User Account, as well as sending CATFLY a notification by post or by e-mail.
PERSONAL DATA PROTECTION IMPLEMENTATION MEASURES
CATFLY implements appropriate organizational and technical measures in order to protect Personal data from accidental or unlawful destruction, alteration, disclosure and any other unlawful processing. To ensure Personal data protection CATFLY implements or intends to implement the following Personal data protection measures:
Administrative (secure processing of documents and computer data and their archiving, as well as regulating the organization of work for different areas of activity, introducing personnel to the requirements of Personal data security before and after employment or in similar relations and etc.;
Hardware and software security (administration of servers, information systems and databases, maintenance of working areas and CATFLY premises, maintaining the security standards for the servers where databases are stored and etc.);
Communications and computer network protection (common use data, programs, firewalling) and etc.
CATFLY stores all the User Personal data in the “Google Cloud Storage” data storage server or in other properly secured remote server. CATFLY ensures that the security of the remote server where Personal data is stored is secured by the following means:
Access to data cache where Personal data is stored is provided with use of two-factory authentication method, when the person logging in has to submit unique password or nickname and to confirm his identity by using other device attributed only to him (f.e., electronic signature is associated with a particulars persons phone). Access to server data is granted only to CATFLY employees or authorized persons;
all of the data in the server or data storage device is encrypted;
data backups of the server are periodically performed;
the server records and stores the history of all logins and data processing operations and include, among other things, the information on specific individuals who were logged on to the server;
CATFLY shall only use those remote server services that ensure appropriate compliance with GDPR and offer appropriate data protection measures.
All the Personal data processed by CATFLY which is transferred to it in non-digital medium (i.e. in the form of documents), is stored in accordance with the following security regulations:
Documents containing Personal data shall be transferred only to specific CATFLY employees who require said documents for carrying out their job functions or carrying out instructions by the head of CATFLY.
CATFLY shall not assign job functions and issue instructions related to Personal data processing to employees who are not properly acquainted with these Rules and other mandatory local legal acts regulating internal data security of CATFLY and have not signed the non-disclosure agreement on confidential information.
Documents containing Personal data in no case can be stored in the premises of CATFLY that intended for common use or premises which have unrestricted access.
CATFLY employees or authorized persons may not, in any case, leave the documents containing Personal data in a single room with other persons who are not mandated by CATFLY to perform Personal data processing actions.
CATFLY employees are not permitted to remove the documents from CATFLY premises, which contain Personal data or copies of such data, unless it is necessary for the proper performance of job functions or for carrying out CATFLY obligations or existing contracts. The extraction of documents containing Personal data from the CATFLY premises must in all cases be reported to the head of CATFLY.
CATFLY employees who carry out Personal data processing functions are required to properly safeguard documents and data files and to avoid making copies of any Personal data. CATFLY document copies containing Personal data may be made only if it is unavoidable due to security requirements and according to objectives of these Rules and must be destroyed immediately after the copies of the documents become redundant. Copies or storage devices of the documents must be destroyed in such a way that they would be impossible to restore.
CATFLY personnel, who process Personal data, may only perform Personal data processing actions using the computers or intelligent devices, which are owned by CATFLY and are intended for performing work related tasks, and which have licensed and secure software installed in them. All of the computers or intelligent devices, used for Personal data processing by CATFLY employees, must be protected by passwords which must be changed at least once in every 3 months and must consist of a combination of at least 8 symbols with lower case and upper case letters and numbers.
CATFLY employees and authorized persons have no right to transfer computers or any other intelligent devices that are used in Personal data processing, except in cases provided in these Rules or according to the laws of the Republic of Lithuania, to any Third Parties. CATFLY employees or authorized persons are not entitled to disclose their unique login names and passwords to any Third Parties.
CATFLY periodically, but at least once a year, performs the testing of managed IT systems, including databases, which test reliability, resistance to overload, resistance to cyber-attack, viruses and other threats to system reliability of CATFLY servers and information systems. During the testing of CATFLY controlled systems, Personal data is not used.
The processing of the Personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that Consent is given by the holder of parental responsibility over the child.
CATFLY processes the Personal data of children younger than 16 years old only where the Consent is given by the holder of parental responsibility over the child in an appropriate form, as it is provided under the provisions of GDPR, for the Personal data processing on their Facebook account, which is used to sign in to CATFLY or to use CATFLY Services.
When CATFLY determines that the User, who is under 16 years old, has submitted Personal data without the Consent of the holder of parental responsibility over the child or by indicating the wrong age, CATFLY, from the moment that such information is discovered, will take reasonable steps to immediately erase the Personal data of this User. In this case, CATFLY may delete the User Account.
PERSONAL DATA PROTECTION BREACH AND INFORMING
Personal data security breach – means an act or omission that results or may result in undesirable consequences as well as are in conflict with the stipulations provided by the legislation regarding Personal data security. The degree of impact, damage and the consequences of Personal data protection breach in each case shall be determined by the head of CATFLY or by a commission established by its authorized person.
In the event of Personal data security breach, CATFLY shall immediately, but no later than within 48 hours of becoming aware of Personal data security breach, notify the State data protection inspectorate and the Data subjects, except the cases where the breach of Personal data security does not pose a real risk to the rights and freedoms of the User and the Data subjects.
In cases where the breach of Personal data protection is not due to force majeure cases (lightning, flood, fire and etc.) and is a direct consequence of human action, when CATFLY becomes aware of the breach of Personal data protection, it immediately notifies the relevant law enforcement authorities regarding possible criminal offence committed.
Compliance monitoring of these Rules is carried out by the head of CATFLY or by a person authorized by him. The Rules are renewed and, if necessary, updated at least once in a calendar year. The updates or amendments of these Rules come into effect from the moment of their publication, i.e. from the date they were posted on CATFLY Website. In the event that User does not agree to the amendments of the Rules, he/she has the right to refuse the Services of CATFLY and/or exercise the rights granted to the User by these Rules.
CATFLY employees, who are authorized to process Personal data of the User, confirm in writing that they are introduced with these Personal data security Rules.
CATFLY employees, who violate Personal data legal protection law of the Republic of Lithuania, other legal acts regarding Personal data processing and protection or these Rules, are liable under the laws of the Republic of Lithuania.