Procedure for the Exercise of Data Subject Rights
1. General provisions
- The purpose of this Procedure is to establish the principles and process for exercising data subject rights at UAB “Maisto namai” (hereinafter – the “Company”).
- The implementation of data subject rights is governed by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, GDPR) and the Law on Legal Protection of Personal Data of the Republic of Lithuania.
- The terms used in this Procedure correspond to those defined in the Regulation (EU) 2016/679.
- These rules are prepared in accordance with the Regulation (EU) 2016/679.
2. Right to information about data processing
- Information about the processing of personal data by the Company, as specified in Articles 13 and 14 of the Regulation (EU) 2016/679, is provided in writing at the time of data collection or in the Company’s published Privacy Policy.
- Information about the processing of data subjects’ personal data is provided at the time of receipt of the personal data.
- When personal data is not collected directly from the data subject, information about processing is provided:
  - Within a reasonable period after obtaining the data, but no later than one month, considering the specific circumstances;
  - If the data will be used to contact the data subject, no later than the first communication; or
  - If the data will be disclosed to another recipient, no later than the first disclosure.
3. Right of access to data
- Data subjects have the right to access their personal data and to exercise this right easily and at reasonable intervals, to be informed about data processing and to verify its lawfulness.
- Upon request, the Company must provide:
  - Information on whether the data subject’s personal data is being processed;
  - Information specified in Article 15(1) and (2) of the Regulation (EU) 2016/679, if data is being processed;
  - A copy of the processed personal data.
- The data subject may request a copy in a different format, subject to an administrative fee.
4. Right to rectification
- The data subject has the right to request the rectification of inaccurate or incomplete personal data, as per Article 16 of the Regulation (EU) 2016/679.
- The Company may request evidence to verify the inaccuracy or incompleteness of the data.
- If rectified data has been shared with recipients, the Company will inform them unless this is impossible or requires disproportionate effort. The data subject may request information about such recipients.
5. Right to erasure (“right to be forgotten”)
- The right to erasure is exercised in cases specified in Article 17 of the Regulation (EU) 2016/679.
- This right may not apply in cases outlined in Article 17(3) of the Regulation (EU) 2016/679.
- If erased data has been shared, recipients will be informed unless this is impossible or requires disproportionate effort. The data subject may request information about such recipients.
6. Right to restriction of processing
- The Company must restrict processing in cases specified in Article 18(1) of the Regulation (EU) 2016/679.
- Restricted data is stored, and the data subject is informed before the restriction is lifted.
- If restricted data has been shared, recipients will be informed unless this is impossible or requires disproportionate effort. The data subject may request information about such recipients.
7. Right to data portability
- The data subject has the right to have personal data transmitted directly from one controller to another, where technically feasible.
- The data subject may receive their data in a structured, commonly used, and machine-readable format and transmit it to another controller when:
  - the processing is based on consent or contract;
  - the processing is automated.
- This right does not apply to data processed non-automatically (e.g., paper files).
- Data may be provided online or on media such as CD, DVD, or other storage devices, using open formats (XML, JSON, CSV) with metadata.
- If third-party data is included, transfer is allowed only if the data is exclusively controlled by the requesting data subject and only for personal or household use.
- The data subject must specify whether the data should be sent to themselves or another controller.
- Only data provided by the data subject and processed by the Company is transferred. Derived or analyzed data (e.g., user profiles) is excluded.
- Exercising the right to data portability does not affect other rights. The data subject may continue to use Company services after data transfer.
- Data transferred under this right is not automatically erased. For erasure, a separate request must be submitted.
8. Right to object to data processing
- The data subject may object at any time to processing based on Article 21 of the Regulation (EU) 2016/679, including:
  - Processing for direct marketing purposes; direct marketing is defined as any activity aimed at offering goods or services directly to individuals and/or seeking their opinion on the goods or services offered;
  - Processing necessary for legitimate interests of the controller or a third party.
- If an objection is raised, processing continues only if there are compelling legitimate grounds or for the establishment, exercise, or defense of legal claims.
9. Right not to be subject to automated decision-making, including profiling
- This right is not applicable to the data processing activities carried out by the Company.
10. Submission of requests to exercise data subject rights
- Requests must be submitted in writing, either in person, by mail, or electronically to the person responsible for data protection at the Company (email: hello@donecookin.com or the Company’s registered address). Oral requests are not considered.
- When contacting the data protection officer by mail, correspondence should be marked as intended for the data protection officer.
- Requests must be legible, signed, and include the data subject’s name, surname, address, and/or other contact details.
- In-person requests require proof of identity. This does not apply to requests for information under Articles 13 and 14 of the Regulation (EU) 2016/679.
- Requests by mail must include a certified copy of an identity document, except for information requests under Articles 13 and 14 of the Regulation (EU) 2016/679.
- Rights may be exercised by the data subject or a representative. If the request is submitted through a representative, then, depending on the method of submission and in addition to the above documents, the representative must provide their name, surname, address, and/or other contact details at which the representative wishes to receive a response, and submit a document confirming representation (or a copy of the power of attorney certified in accordance with the procedure established by law).
- If there is any doubt about the identity of the data subject, the Company shall request additional information necessary to verify it. The Company shall make reasonable efforts to establish the identity of the person requesting access to personal data, as sanctions may be imposed for the unlawful disclosure of personal data to third parties.
- It is recommended to use the form provided in Annex 1 of these Rules.
11. Examination of requests
- Upon receiving a request, the Company must respond within one month, informing the data subject of actions taken. If delayed, the data subject is informed of the reasons and the right to lodge a complaint.
- If the request is submitted in violation of the procedure and requirements set forth in Chapter 10 of the Rules, it shall not be considered, and the data subject shall be informed thereof immediately, but no later than within 10 working days, stating the reasons.
- The data controller should be obliged to respond to requests from data subjects without undue delay and no later than within 1 (one) month, and to indicate the reasons if it does not intend to comply with any such requests.
- This period may be extended by another 2 (two) months, if necessary, depending on the complexity and number of requests. In such a case, the data subject must be informed in writing of such an extension within 1 (one) month of receipt of the request, stating the reasons for the delay.
- If it is decided not to take action on the data subject’s request, it is mandatory to immediately, but no later than within 1 (one) month of receiving the request, inform the data subject in writing of the reasons for not taking action (e.g., the person submitting the request did not specify their identity) and of the possibility of lodging a complaint with the supervisory authority. The data subject must be duly informed of the refusal to comply with their request.
- If, during the examination of the request, it is established that the data subject’s rights are restricted on the grounds specified in Article 23(1) of Regulation (EU) 2016/679, the data subject shall be informed thereof.
- The information requested by the data subject regarding the processing of personal data shall be provided in the same form as the data subject’s request was received (unless the data subject himself requested it to be provided in another form), i.e. if the request is submitted by electronic means (e.g. e-mail), the information shall be provided in the usual electronic form. The information requested by the data subject regarding the exercise of his or her rights shall be provided in the official language.
- Information and notifications shall be provided and other actions related to the exercise of data subjects’ rights shall be performed free of charge, except in cases where the data subject’s requests are manifestly unfounded or disproportionate, in particular due to their repetitive nature, in which case the Company may charge a reasonable fee for providing the information or communication or for taking the requested action (in which case the data subject shall be informed of the amount of the fee (e.g., for a CD, DVD or other media containing a copy of the video recording, preparation of documents, etc.) and the procedure for payment for the provision of data) or refuse to take action on the request. The amount of the fee shall not exceed the costs of providing the information or communication or taking the action. The Company shall determine and approve the amount of the fee, taking into account the labor and material costs required to provide the information or notification or to take the action.
- Whether a request is manifestly unfounded or excessive shall be assessed on a case-by-case basis. If a data subject’s request is manifestly unfounded or excessive, the burden of proof shall lie with the Company.
- In cases where the Company processes a very large amount of personal data, a request to provide information about all personal data processed for the entire period of processing may be considered disproportionate. However, even if a disproportionate request is received, it is recommended, first of all, to ask the data subject to clarify it, indicating the reason why the data subject needs to receive such a large amount of information, and if there is no such reason, to narrow down the scope of the personal data requested.
- The data subject has the right to lodge a complaint about the Company’s actions or inaction in implementing the data subject’s rights, either personally, through a representative of the data subject, or through a non-profit institution, organization, or association authorized by the data subject that meets the requirements of Article 80 of Regulation (EU) 2016/679, with the State Data Protection Inspectorate (contact details at www.vdai.lrv.lt), as well as with the competent court.
- In the event of material or immaterial damage resulting from a violation of the data subject’s rights, the data subject shall be entitled to compensation, which may be claimed in a court competent to hear such disputes.