Definition of Terms

Company – STNK, UAB, legal entity code 306995317, registered office address: Skroblų g. 12-152, Vilnius.

Employee – a person working in the company under an employment contract.

Manager – the company’s director.

Personal data – any information related to a natural person whose identity is known or can be directly or indirectly determined using such data as a personal code or one or more characteristics of a physical, physiological, psychological, economic, cultural, or social nature.

Policy – this Personal Data Protection Policy.

Purpose and Scope

The Personal Data Protection Policy is prepared and applied to protect the company’s employees, partners, and clients from illegal and harmful direct or indirect, intentional or unintentional actions of individuals while handling accessible personal data, as well as when using appropriate equipment to perform work functions.

This Policy must be applied in the company when processing personal data in any systems or media, whether related to internal business operations or external relations with any third parties. It also applies to employees using the provided equipment and tools during the performance of their duties.

Any data that may be recognized as personal data and becomes accessible to employees during their duties is considered confidential information belonging to the company and must be protected and not disclosed to other employees or individuals. Exception – such data may only be disclosed to employees who, according to company procedures and their job responsibilities, have the right to access such data. The company states that such data must be protected regardless of how it was received (printed or on any data storage device such as audio/video material, etc.).

Employee Responsibilities

All personal data and other information that may identify an individual shall be collected and processed only when necessary and to the extent required for an employee to perform their duties within their authorized scope and in accordance with legal data protection requirements, especially Regulation (EU) 2016/679 of April 27, 2016 (General Data Protection Regulation).

Personal data accessed during the performance of duties is considered confidential and must be protected according to this Policy; it may not be disclosed without legal grounds. If an employee is unsure whether they can disclose personal data to another employee or individual, they must contact the manager or an authorized person for confirmation.

Each employee must comply with this Policy and applicable laws and regulations governing the collection, storage, and processing of personal data. Non-compliance with this Policy will be treated as a serious breach of duties and may result in disciplinary action or dismissal. The responsible employee may also be subject to administrative or criminal liability.

Use of Computer Systems

Any computer devices and electronic databases are accessible to employees based on their job responsibilities and the "need to know" principle. The company also emphasizes that access to a database does not mean an employee is authorized to view or use all the information in that database.

The company may use user IDs that are unique and identify a specific employee. Each employee is responsible for all actions performed with their ID account. The employee's main duty is therefore to ensure that their ID is inaccessible to third parties, including other employees, unless otherwise specified by the company.

Passwords protecting computer systems and databases must be responsibly created so they are difficult to guess, do not contain personal data, and are changed regularly if needed. Each employee is personally responsible for the security of their password and compliance with this Policy and other company rules.

Except for specific exceptions, company-owned equipment and/or systems may not be used for purposes unrelated to work duties or business activities.

Security Measures

All personal data and related information collected and processed in any form (paper, electronic, etc.) are subject to the requirements of this Policy and applicable laws regarding data collection, processing, protection, and retention. Such documents must be stored securely at a location designated by the company for the period defined by law and/or the company.

Employees are not allowed to store any information related to personal data on their personal devices, except when temporarily required for specific work-related activities. All necessary confidential and personally identifiable information must be securely stored (locked files, etc.).

In accordance with applicable laws and rules, authorized company representatives may monitor and filter employees' internet access and activities.

Only company-approved systems and licensed software may be installed and used on company equipment. Permission from the company’s manager is required before downloading or installing any software on company devices for the reasons outlined in this Policy.

When employees access work-related company resources (e.g., CRM systems, email, online/remote databases) using personal home devices, they must follow this Policy as they would when using company-provided equipment. It is strictly prohibited to store any personal data or information on such devices – any processing must be done only through company-approved online or remote storage.

In all cases, it is strictly forbidden to use public access devices (e.g., in internet cafes or libraries), unless the task is extremely important and urgent and the employee receives explicit written permission to do so.

If an employee is granted access to a client's or partner's file storage system, they must use only the tools provided by the client or partner and follow the required information/data processing security rules (including encryption systems, passwords, data usage limitations, location restrictions, etc.).

When, at the company’s discretion, personal data and related information are no longer needed for business purposes, such data and information must be deleted, all copies destroyed, and relevant employees informed of their obligation to delete and destroy data no longer required for work functions. This obligation also applies automatically when the employee’s employment ends.

Security Incident Notification

All security incidents or threats related to personal data processing must be immediately reported to the manager. Measures must also be taken immediately to prevent possible harm, eliminate damage, and restore the previous security state.

If necessary, the manager is responsible for ensuring that data protection breaches are reported to authorities and affected individuals as required by applicable laws and/or EU regulations.

STNK, UAB PERSONAL DATA PROTECTION POLICY

No. 2025-702-1