The Personal Data Protection and Processing Rules of the Archdiocese of Vilnius have been published. We invite you to read them.
Approved
by Decree No. S-365 of 28 May 2018,
issued by the Metropolitan Archbishop of Vilnius,
Gintaras Grušas
Personal Data Protection and Processing Rules of the Archdiocese of Vilnius
CHAPTER I. GENERAL PROVISIONS
SECTION ONE. General Provisions
SECTION TWO. Terms and Definitions
SECTION THREE. Controllers and Processors
SECTION FOUR. General Requirements for the Processing of Personal Data
SECTION FIVE. General Legal Grounds for Personal Data Processing
CHAPTER II. SPECIAL PROVISIONS APPLICABLE TO INDIVIDUAL CATEGORIES OF DATA SUBJECTS
SECTION SIX. Special Provisions on the Processing of Personal Data of Church Members and Individuals in Regular Contact with the Church for the Fulfilment of Its Purposes
SECTION SEVEN. Special Provisions on the Processing of Personal Data of Clergy, Members of Consecrated Life, Seminarians and Candidates for Religious Orders
SECTION EIGHT. Special Provisions on the Processing of Personal Data of Employees of the Church and of Legal Persons Belonging to the Church and of Special Categories of Personal Data
SECTION NINE. Special Provisions on the Processing of Personal Data of Persons Not Regularly Involved in Church Activities
CHAPTER III. RIGHTS OF DATA SUBJECTS
SECTION TEN. Right to Information in Relation to Data Processing
SECTION ELEVEN. Right to Request Rectification of Data
SECTION TWELVE. Right to Request the Registration of Annotations and Additions to Data
SECTION THIRTEEN. Right to Request Erasure of Data
SECTION FOURTEEN. Right to Restrict Processing of Data
SECTION FIFTEEN. Obligation to Notify
CHAPTER IV. STORAGE OF DATA
SECTION SIXTEEN. General Requirements for Data Storage
SECTION SEVENTEEN. Storage of Data Files, Books and Records
SECTION EIGHTEEN. Storage of Data in an Archive
SECTION NINETEEN. Storage of Data in a Digital Archive
SECTION TWENTY. Obligation to Notify of a Data Security Breach
CHAPTER V. DATA PROTECTION OFFICER
CHAPTER I
GENERAL PROVISIONS
SECTION ONE
GENERAL PROVISIONS
1. The purpose of the Personal Data Protection Rules of the Archdiocese of Vilnius (hereinafter, the Rules) is to regulate the ways, means and procedures by which the Catholic Church in Lithuania ensures the protection of personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter, the General Data Protection Regulation). The General Data Protection Regulation respects and does not prejudice the status of the Church as established under the constitutional law in force in Lithuania.
2. Legal relations between the Catholic Church and the Republic of Lithuania are governed by the Agreement between the Holy See and the Republic of Lithuania concerning the Juridical Aspects of the Relations between the Catholic Church and the State, the Agreement between the Holy See and the Republic of Lithuania on Cooperation in Education and Culture, the Agreement between the Holy See and the Republic of Lithuania concerning the Pastoral Care of Catholics Serving in the Army, as well as the relevant provisions of the Constitution and of other legal acts.
3. The Church and its legal persons process personal data in accordance with the Law on Legal Protection of Personal Data of the Republic of Lithuania (hereinafter, the LLPPD) and other applicable legal provisions, in particular the General Data Protection Regulation, without prejudice to the right of the Church, enshrined in Article 43 of the Constitution of the Republic of Lithuania, to conduct its affairs freely according to its own canons and statutes.
4. The Church and its legal persons process personal data and special categories of personal data for the purposes and on the grounds defined in this document.
SECTION TWO
TERMS AND DEFINITIONS
5. Data subject means a natural person whose personal data are processed.
6. Personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name and surname, a national identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
7. Church law means the 1983 Code of Canon Law and the general and special laws promulgated in accordance with the Code of Canon Law and binding on the Church.
8. Data subject’s consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he/she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him/her.
9. Recipient means a natural or legal person, authority, agency or other institution to which personal data are disclosed, whether or not it is a third party. Public authorities which may receive personal data under national law in the context of a specific investigation are not considered recipients; their processing of those data must comply with the applicable data protection rules according to the purposes of the processing.
10. Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
11. Processor means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
12. Controller means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes of the processing are laid down by law or regulation, the procedure for designating the controller may be laid down in that law or regulation.
13. Profiling means any form of automated processing of personal data in which personal data are used to evaluate, analyse or predict certain personal aspects of a natural person, such as that person’s performance at work, economic situation, state of health, personal preferences, interests, reliability, behaviour, location or movements.
14. Special categories of personal data means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data and biometric data processed for the purpose of uniquely identifying a natural person, and data concerning health or a person’s sex life or sexual orientation (note: special categories of personal data are referred to as “special data” in the LLPPD).
15. Other terms used in the Rules correspond to the terms used in the Code of Canon Law, the Law on Religious Communities and Associations of the Republic of Lithuania, the General Data Protection Regulation and the LLPPD.
SECTION THREE
DATA CONTROLLERS AND PROCESSORS
16. Data controller and processor
16.1. For the purposes of personal data protection, the Diocese shall be considered a data controller or a processor, depending on the nature of the personal data processed.
16.2. Other legal entities belonging to the Church shall be considered data controllers or processors for the purposes of personal data protection, depending on the nature of the personal data processed.
16.3. The relationship between an individual controller and an individual processor is governed by the rules of Church law binding on those entities. If data are transferred to a foreign country, including the Vatican, the transfer must take place with the knowledge of the controller. Any transfer of data to another country may take place only within the Church, unless otherwise required by law.
SECTION FOUR
GENERAL REQUIREMENTS FOR THE PROCESSING OF PERSONAL DATA
17. Personal data must be:
17.1. processed fairly, lawfully and transparently in relation to the data subject (the principle of lawfulness, fairness and transparency);
17.2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall not be considered incompatible with the original purposes (the principle of purpose limitation);
17.3. adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (principle of data minimisation);
17.4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (the principle of accuracy);
17.5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods only for the purposes provided for in Canon Law, including archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of the data subject (the principle of storage limitation);
17.6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and also against accidental loss, destruction or damage, using appropriate technical or organisational measures (the principle of integrity and confidentiality).
18. The controller is responsible for compliance with the above requirements and principles. The controller is also responsible for the proper observance of the requirements of Church law and for cooperation with the competent Church and State authorities.
SECTION FIVE
GENERAL LEGAL GROUNDS FOR PERSONAL DATA PROCESSING
19. The processing of personal data in the activities of legal entities belonging to the Catholic Church is permitted only if:
19.1. the data subject has given consent to the processing of their personal data for one or more specific purposes;
19.2. the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
19.3. the processing is necessary for compliance with a legal obligation to which the controller is subject;
19.4. the processing is necessary to protect the vital interests of the data subject or another natural person;
19.5. the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
19.6. the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child.
20. The processing of special categories of personal data, subject to all necessary safeguards, is permitted only in respect of baptised persons (members of the Church), including persons who have made a declaration of disaffiliation in accordance with the Church’s internal procedures (former members of the Church), and of persons who are in regular contact with the Church and who contribute to the fulfilment of the Church’s purposes. These data may not be disclosed outside the Church without the written consent of the data subject.
CHAPTER II
SPECIAL PROVISIONS APPLICABLE TO INDIVIDUAL CATEGORIES OF DATA SUBJECTS
SECTION SIX
SPECIAL PROVISIONS ON THE PROCESSING OF PERSONAL DATA OF CHURCH MEMBERS AND INDIVIDUALS IN REGULAR CONTACT WITH THE CHURCH FOR THE FULFILMENT OF ITS PURPOSES
21. Purposes and legal basis of data processing
21.1. Dioceses, as data controllers, acting through parishes as processors, process personal data, including special categories of data, on current and former members of the Church and on other natural persons who, although not members of the Church, participate in the fulfilment of the purposes set out in the Church’s canons. These data are processed for the purposes specified in Church law, to ensure the free operation and conduct of the affairs of the Church in accordance with its canons and other legal provisions, for archiving purposes, for the purposes of the statutory obligation to notify a marriage celebrated in the Church, and on the following legal grounds:
21.1.1. the processing of personal data is necessary in order to ensure the right of the Church to conduct its affairs freely in accordance with its canons and statutes (Church law), as enshrined in the Constitution of the Republic of Lithuania;
21.1.2. the processing of personal data is necessary for the fulfilment of the purposes set out in an international agreement concluded with the Holy See to which the Republic of Lithuania is a party;
21.1.3. processing is necessary for compliance with a legal obligation to which the controller is subject;
21.1.4. processing is necessary for the protection of individuals, their property and legitimate interests;
21.1.5. personal data are processed for archiving purposes, scientific, historical research or statistical purposes.
22. Rights and obligations of the controller and processor
22.1. The processing of personal data must be carried out in accordance with the rights of the data subjects and the legitimate interests of the Church, in accordance with the provisions of Church law (including the provisions governing the celebration of the sacraments, participation in religious services, the practice of the faith, the notification of a marriage celebrated in the Church, etc.).
22.2. Personal data may be processed in a centralised system without the data subject’s explicit consent.
22.3. This category of personal data, including special categories of personal data, may only be used for the purposes set out in the Church law and for the internal use of the Church. No third party may obtain these data without the written consent of the data subject, except as provided for in point 22.4.
22.4. The personal data of the data subjects processed, including special categories of personal data, may be transferred without the written consent of the data subject between dioceses and parishes, including those located in other European Union countries or in third countries, in accordance with the provisions of Church law, for purposes such as the hearing of a case before an ecclesiastical tribunal, the celebration of the sacraments, studies in ecclesiastical scientific and educational institutions, and the exercise of the spiritual ministry.
22.5. Personal data in this category are stored and processed indefinitely.
22.6. The controller must include the following text in documents relating to this category of persons: “By signing this document, we confirm that we are aware of the purposes and grounds of processing, information about the processed data and the rights of the data subject as set out in the Rules for the Protection and Processing of Personal Data in the Catholic Church in Lithuania.”.
SECTION SEVEN
SPECIAL PROVISIONS ON THE PROCESSING OF PERSONAL DATA OF CLERGY, MEMBERS OF CONSECRATED LIFE, SEMINARIANS AND CANDIDATES FOR RELIGIOUS ORDERS
23. Purposes and legal basis of data processing
23.1. The Church, as controller of personal data, acting through individual processors, processes personal data, including special categories of personal data, of persons in spiritual ministry in accordance with the provisions of Church law. In accordance with the international agreement between the Holy See and the Republic of Lithuania on juridical aspects, the Church processes these personal data for purposes consistent with the provisions of Church law and on the following legal grounds:
23.1.1. the processing of personal data is necessary in order to ensure the right of the Church to conduct its affairs freely in accordance with its canons and statutes (Church law), as enshrined in the Constitution of the Republic of Lithuania;
23.1.2. the processing of personal data is necessary for the fulfilment of the purposes set out in an international agreement concluded with the Holy See to which the Republic of Lithuania is a party;
23.1.3. processing is necessary for the protection of individuals, their property and legitimate interests;
23.1.4. personal data are processed for archiving, historical and other scientific research purposes, as well as for statistical purposes.
24. Rights and obligations of the controller and processor
24.1. In accordance with Church law, the controller has and retains a legitimate interest in processing these data even after the end of the person’s spiritual ministry, subject to the applicable provisions of Church law.
24.2. Personal data, including personal data of special categories of such persons, shall be processed and used only for the internal purposes of the Church. The personal data processed, including special categories of data, may only be provided to legal entities belonging to the Catholic Church and only for the purposes specified in the canons of the Church.
24.3. The personal data processed on these individuals, including special categories of personal data, may be transferred to third countries, provided that the conditions of lawfulness as defined in point 22.4 are met.
24.4. The processing of personal data relating to these persons, including special categories of personal data, may involve profiling.
24.5. The personal data processed in relation to these persons, including special categories of personal data, are obtained from the data subjects themselves. These data may be obtained from other persons only on a legitimate basis derived from Church law and exclusively for the purposes specified in Church law.
24.6. Personal data in this category are stored and processed indefinitely.
24.7. From the time a person first applies to become a member of the clergy, the controller must record the following declaration in the person’s administrative file: “By signing this document, we confirm that we are aware of the purposes and grounds of processing, information about the processed data and the rights of the data subject as set out in the Rules for the Protection and Processing of Personal Data in the Catholic Church in Lithuania.”.
SECTION EIGHT
SPECIAL PROVISIONS ON THE PROCESSING OF PERSONAL DATA OF EMPLOYEES OF THE CHURCH AND OF LEGAL PERSONS BELONGING TO THE CHURCH AND OF SPECIAL CATEGORIES OF PERSONAL DATA
25. Purposes and legal basis of data processing
25.1. Legal entities of the Church are controllers of the personal data of their employees for the purposes of processing data relating to employment relationships, other corresponding relationships and social security:
25.1.1. where the processing of personal data is necessary for the performance of an employment contract to which the data subject is a party; at the request of the data subject, data relating to pre-contractual employment relationships may also be processed;
25.1.2. where the processing of personal data is necessary for the performance of a specific regulation binding on the Church or an international agreement to which the Republic of Lithuania is a party;
25.1.3. where the processing of personal data is necessary for the protection of persons, their life, health and property;
25.1.4. where data are processed for archiving, historical and other scientific research purposes, statistical purposes, they must be proportionate to the purpose pursued and must be in accordance with the essential provisions of the right to data protection. They must contain appropriate safeguards to protect the fundamental rights and interests of the data subject.
25.2. Special categories of personal data shall be processed only on a legal basis and only insofar as it is necessary for the proper performance of the obligations of the processor and the exercise of the rights of the data subject in the fields of social security, labour law, health and other areas.
26. Rights and obligations of the controller and processor
26.1. The personal data of the data subjects processed, including special categories of personal data, may not be disclosed to third parties or other recipients unless the data subject has given written consent. This provision does not apply where personal data are provided to public authorities in accordance with the statutory procedure.
26.2. The controller, where it is the data subject’s employer, has the right to provide the following personal information of the data subject to third parties: job title, name, surname, place of work, work fax number, work e-mail address. The controller may only provide information of this nature to the extent that it is necessary and relevant to the performance of the data subject’s job duties. Such provision or disclosure must not violate the human dignity of the data subject or jeopardise their security.
26.3. The duration of the storage and processing of this category of personal data shall be determined in accordance with the legislation.
26.4. The controller must include the following text in employment contracts: “By signing this document, we confirm that we are aware of the purposes and grounds of processing, information about the processed data and the rights of the data subject as set out in the Rules for the Protection and Processing of Personal Data in the Catholic Church in Lithuania.”.
26.5. The controller shall not request a national identification number from the data subject, except where this information is necessary under the legislation in force in the Republic of Lithuania.
SECTION NINE
SPECIAL PROVISIONS ON THE PROCESSING OF PERSONAL DATA OF PERSONS NOT REGULARLY INVOLVED IN CHURCH ACTIVITIES
27. Purpose and legal basis of data processing
27.1. This category of personal data, including special categories of personal data, is processed for the purposes of the Church’s pastoral, charitable, social, educational and developmental, and community-organising activities, and on the following legal grounds:
27.1.1. the data subject has given consent to the processing of their personal data for one or more specific purposes;
27.1.2. the processing of personal data is necessary in order to ensure the right of the Church to conduct its affairs freely in accordance with its canons and statutes, as enshrined in the Constitution of the Republic of Lithuania;
27.1.3. the processing of personal data is necessary for the fulfilment of the purposes set out in an international agreement concluded with the Holy See to which the Republic of Lithuania is a party;
27.1.4. the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child.
28. Rights and obligations of the controller and processor
28.1. Where the processing of personal data is based on the data subject’s consent and there are no other circumstances which clearly demonstrate that the data subject has given their consent to the processing of their personal data, personal data, including special categories of personal data, may be processed only with the written consent of the data subject and only to the extent and for the purposes set out in that written consent.
28.2. The controller shall ensure the protection of personal data provided to it, including non-disclosure, unless the data subject has given their written consent to the disclosure of their personal data.
28.3. The controller shall process only those personal data for which the data subject has given consent, and solely for the purposes to which the data subject has consented.
28.4. The controller shall have the right to transfer the personal data of the data subject to third parties only if the data subject has given their explicit consent.
28.5. The controller shall process personal data only for the period necessary to achieve the purposes of the processing of personal data.
28.6. The controller shall not request a national identification number from the data subject, except where this information is necessary under the legislation in force in the Republic of Lithuania or for the purposes of the processing of personal data.
CHAPTER III
RIGHTS OF DATA SUBJECTS
SECTION TEN
RIGHT TO INFORMATION IN RELATION TO DATA PROCESSING
29. The data subject shall have the right to obtain confirmation from the controller as to whether personal data concerning them are being processed and, where that is the case, shall have the right to access the personal data and the following information:
29.1. purposes of the processing of personal data;
29.2. the categories of personal data processed;
29.3. the recipients or categories of recipients to whom the personal data have been or will be disclosed;
29.4. where possible, the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
29.5. the right to request from the controller the rectification or erasure of personal data, restriction of the processing of personal data concerning the data subject, or to object to such processing;
29.6. the right to lodge a complaint with a supervisory authority;
29.7. any available information about their sources where the personal data are not collected from the data subject;
29.8. where personal data are transferred to a church public legal entity outside the Republic of Lithuania, the appropriate safeguards relating to the transfer of the data.
30. The controller must provide the data subject, on request, with a copy of the personal data being processed.
31. Any person shall have the right to request and receive, in person or through a duly authorised representative, certificates, extracts or copies of the personal data processed. Data which were not obtained from the applicant and which are confidential under law or Church law, or which cannot be separated from the data of third parties, shall not be disclosed to the applicant.
32. The controller may charge a reasonable fee to cover the costs of issuing the documents referred to in point 31.
SECTION ELEVEN
RIGHT TO REQUEST RECTIFICATION OF DATA
33. The data subject shall have the right to request the controller to rectify, in a timely manner, personal data concerning them that are inaccurate.
34. The request for rectification must be made in writing to the controller, either in person or through an authorised representative, accompanied by documents certifying the authorisation.
35. If the controller refuses the request for rectification, it must inform the applicant in writing that they may resubmit the request to the local ordinary.
36. Correction of acts and facts relating to the canonical status of persons may be made only with the permission of the local ordinary.
SECTION TWELVE
RIGHT TO REQUEST THE REGISTRATION OF ANNOTATIONS AND ADDITIONS TO DATA
37. Taking into account the purpose of the processing, the data subject shall have the right to request, for legitimate reasons, the inclusion of an annotation or a declaration in the data file.
38. The request for additional data shall comply with the conditions set out in point 39.
39. The annotation, which is made in the margin of the record, is an integral part of the document. Its content must be transcribed on every extract or copy of the document.
40. The controller shall notify the applicant in writing of the inclusion of the annotation.
41. If a request for an annotation or addition is refused, the request shall be recorded and kept in an annex to the relevant data file, and the controller shall notify the person concerned in writing; that person may resubmit the request to the local ordinary.
SECTION THIRTEEN
RIGHT TO REQUEST ERASURE OF DATA
42. The data subject shall have the right to request the controller to erase personal data concerning them without undue delay, and the controller shall erase the personal data without undue delay, in any of the following circumstances:
42.1. where personal data are no longer necessary to achieve the purposes for which they were collected or otherwise processed;
42.2. where the data subject has withdrawn the consent on which the processing is based and there are no other legal grounds for the processing;
42.3. where the personal data have been unlawfully processed.
43. Where the controller has made the personal data public and is obliged to erase them, it shall, taking into account the available technology and the cost of implementation, take reasonable steps, including technical measures, to inform other controllers that are processing the personal data that the data subject has requested them to erase any links to, or copies or replications of, those personal data.
44. The provisions set out in points 42 and 43 shall not apply if the processing is necessary:
44.1. for exercising the right of freedom of expression and information;
44.2. for compliance with a legal obligation imposed on the controller which requires the processing of the data, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
44.3. for archiving purposes in the public interest, for historical and other scientific research purposes or for statistical purposes, insofar as the right referred to in point 42 is likely to render impossible or seriously impair the achievement of the objectives of that processing;
44.4. for the establishment, exercise or defence of legal claims.
45. The right to request erasure does not apply where the data relate to sacraments conferred or otherwise concern the canonical status of the person. Information on a request for erasure of data of this kind must be included in the data file. The controller may not use the data contained in the request without the permission of the local ordinary.
SECTION FOURTEEN
RIGHT TO RESTRICT PROCESSING OF DATA
46. The data subject shall have the right to request the controller to restrict processing in the following cases:
46.1. where the data subject contests the accuracy of the data, for a period enabling the controller to verify that accuracy;
46.2. where the processing of personal data is unlawful and the data subject opposes the erasure of the data and requests the restriction of their use instead;
46.3. where the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims;
46.4. Where processing has been restricted under this point, the personal data may, with the exception of storage, be processed only with the consent of the data subject, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the European Union or of a Member State.
47. The controller shall inform a data subject who has requested the restriction of processing pursuant to point 46 before erasing that data subject’s data.
SECTION FIFTEEN
OBLIGATION TO NOTIFY
48. The controller shall notify each recipient to whom personal data have been disclosed of any rectification, erasure or restriction of processing of those data, unless this proves impossible or would involve disproportionate effort. At the request of the data subject, the controller shall inform the data subject of those recipients.
CHAPTER IV
STORAGE OF DATA
SECTION SIXTEEN
GENERAL REQUIREMENTS FOR DATA STORAGE
49. Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (the principle of integrity and confidentiality).
- Taking into account the level of development of technology, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons of varying degrees of likelihood and severity, the controller and the processor shall put in place appropriate technical and organisational measures in order to ensure a level of security commensurate with the risks.
- In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.
- The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless they are required to do so by the European Union or Member State law.
- When entering into a written or other contract with a natural or legal person who is a third party and who, in the performance of the contract, may become aware of the personal data of data subjects processed by the controller, the controller shall be obliged to enter into a confidentiality agreement with them.
SECTION SEVENTEEN
STORAGE OF DATA FILES, BOOKS AND RECORDS
54. Data files, books and records must be stored in a designated secure room to which only the controller, the processor or their authorised persons have access.
55. In the absence of a room complying with the above-mentioned requirements, data files, books and records shall be stored in a lockable cabinet in a room belonging to the controller or the processor, taking all necessary measures to prevent access to personal data by unauthorised persons.
SECTION EIGHTEEN
STORAGE OF DATA IN AN ARCHIVE
56. Particular attention must be paid to the security of archives and to controlling access to the data.
57. The archive must be fitted with a locking system and protected against theft and unauthorised intrusion.
58. The controller, the processor or a person authorised by them must ensure that the archive is not accessible to outsiders.
SECTION NINETEEN
STORAGE OF DATA IN A DIGITAL ARCHIVE
59. Data in digital archives must be processed using licensed software. Access to data in digital archives must be password-protected.
60. The controller must ensure the security of data in transmission by means of measures preventing access by third parties.
61. Devices and media containing personal data must be kept in locked premises and protected against unauthorised access.
SECTION TWENTY
OBLIGATION TO NOTIFY OF A DATA SECURITY BREACH
62. The processor shall notify the controller upon becoming aware of a personal data breach.
63. The controller, having become aware of a personal data breach, shall notify the supervisory authority thereof without undue delay, and in any case within 72 hours after becoming aware of the breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of data subjects.
64. Where a personal data breach is likely to result in a serious risk to the rights and freedoms of data subjects, the controller shall notify the data subject of the breach. The data subject does not need to be notified if any of the following conditions are met:
64.1. the controller has adequately protected the personal data that have been compromised and has ensured that the personal data are incomprehensible to an unauthorised person, e.g. by encryption;
64.2. the controller has taken measures to ensure that the rights and freedoms of data subjects are not seriously jeopardised in the future;
64.3. notification to the data subject would require a disproportionate effort. In such a case, instead of notifying the data subject individually, a public communication or other equally effective means of informing data subjects shall be used.
CHAPTER V
DATA PROTECTION OFFICER
65. The controller and the processor shall ensure that the data protection officer is involved, in an appropriate and timely manner, in all matters relating to the protection of personal data.
66. The data protection officer shall be bound by secrecy or confidentiality concerning the performance of their tasks, in accordance with the law of the European Union or of a Member State of the Union.
67. The data protection officer may perform other tasks and duties. The controller or the processor shall ensure that the performance of such tasks and duties does not give rise to a conflict of interest.
Archdiocese of Vilnius http://www.vilnensis.lt/vilniaus-arkivyskupijos-asmens-duomenu-apsaugos-ir-tvarkymo-taisykles/