VENDOR DATA PROTECTION INFORMATION NOTICE
The Vendor will provide to UAB “Biomapas” (registered office at Savanoriu Ave. 109, Kaunas, Lithuania, legal entity code 135750888 (hereinafter referred to as “Biomapas”)) and/or to Biomapas group affiliate companies (all together referred to as the “Biomapas Group”) his/her (when vendor is a natural person) or its representatives (when vendor is a legal entity) personal data. Biomapas, Biomapas Group and/or Biomapas contractor will collect, process and use personal data relating to the Vendor and/or its representatives as defined below.
The purpose of this Vendor Data Protection Information Notice (hereinafter – the “Notice”) is to inform Vendors and their representatives (when applicable) about data processing purposes, data processing and transfer procedures within and outside the Biomapas Group, and is without prejudice to applicable local data protection/privacy laws which prevail over this Notice. It supplements – but does not replace and is without prejudice to – any specific local notices, policies or procedures that have been distributed to or agreed on by the Vendor, if any, or that may be implemented in the future.
This Notice supplements global and local data protection policies, notices or guidance (hereinafter – “Additional Policies“) of Biomapas and/or Biomapas Group, which set out the principles that apply to the use of personal data throughout Biomapas. The lists and examples below are non-exhaustive and may not be fully representative for every Vendor of Biomapas Group. Wherever such Additional Policies are in any respect inconsistent with this Notice, this Notice shall only apply to the extent that it is consistent, or may be made consistent, with that Additional Policy.
The Data Protection Officer. The Data Protection Officer contacts: email: firstname.lastname@example.org; address: Savanoriu ave. 109, Kaunas, Lithuania. Any queries in relation to Vendor’s and/or its representatives’ personal data or enforcement of any of the below Vendor’s and/or its representatives’ rights shall be addressed to the Data Protection Officer via email as described in Section 7 of this Notice. Biomapas Rules on Personal Data Processing, orders, instructions and Data Protection Officer recommendations are mandatory to all the Vendors (and their representatives, if applicable) of Biomapas Group company or of Biomapas contractor (natural person engaging in service delivery to Biomapas client) if so instructed or indicated in written in any of the agreements with Vendor (e.g. there might be reference to Personal Data Processing Rules or such Rules might be attached as the Annex). All such Vendors and their representatives must address and coordinate all questions as well as transfer all requests of data subjects in relation to personal data processing performed by the Vendor on behalf of Biomapas or any company or Biomapas Group (including, but not limited to the processing performed by the Vendor under processing or sub-processing agreement concluded with any of Biomapas Group companies) to Biomapas Data Protection Officer. In such situation Vendor shall refrain from any action until response / instructions from Biomapas Data Protection Officer.
2. Collection, processing and use of Vendor’s Data
Biomapas, as data controller, via automated means may collect, process and use the following categories of Vendor’s and/or its representatives’ personal data (the extent of personal data will differ for each Vendor depending on the nature and scope of engagement):
- personal identification data (such as name, title, ID, citizenship, passport, visa, VAT or other assigned number),
- personal features (such as gender, birth date, language, driving license),
- contact details (such as address, phone and fax numbers, e-mail address, both home and work, ),
- electronic identification details (such as IP-address, cookies, etc.),
- social media data (information about the Vendor available via public sources and social media and communication with the Vendor via LinkedIn, etc.);
- organizational data (such as Vendor type, work location and code, electronic communication via email, websites, programs or databases),
- financial data (such as hourly rate, monthly rate, annual rate, number of payments, type of change, base amount, change date, change percentage),
- CV data, education and work history data (such as work and accomplishment history, data in education diplomas, certificates, etc.),
- contract data (such as data within the contract between Vendor and any of Biomapas Group companies (e.g. services agreement), agreements on confidentiality and non-compete, signature dates, end date, reason for termination, report data),
- prices, compensation information (such as amount, currency, number of payments per year),
- bonus and incentive information (such as details of applicable bonus and incentive plans),
- performance data (such as performance review data, data on performance of functions, data available in the quality assurance questionnaire),
- IT and other assets data (such as information related to material assets provided for function performance to the Vendor (entrance cards and data related to assignment of assets), passwords, system IDs, access rights, as well as data generated by the use of assets, facilities, properties and systems (data from Microsoft Office 365, One Drive, Yammer, CTMS system, ComplianceWire data, etc.), notably computer and telecommunication systems data, including, to the extent not prohibited by the applicable law, the logs and contents generated by such use as well as any data, files, documents or communications, whether electronic or not, created, sent, received, accessed or stored by the Vendor in such capacity); as well as, as the case may arise, the history of all those data as of the date of entry (together – “Vendor Data”).
Vendor Data may also include, to the extent applicable, sensitive information such as health data, criminal record data, data whether Vendor and/or its representatives is (or threatened to be) debarred in Vendor’s local jurisdiction or elsewhere in the world from delivering services for which Vendor is hired for.
Biomapas may get Vendor Data from the Vendor and/or its representatives directly, from persons interacting with the Vendor at Biomapas or Biomapas Group (e.g. performance evaluation data) as well as third parties (public bodies, e.g. tax inspectorate, law enforcement agencies, courts, bailiffs, police).
Terms and conditions for data processing. Vendor data may be collected, stored, maintained including transferred, both digitally and in a material medium, by any means such as email and internet connection which are selected considering the nature of the data processed, ensure safe handling and prevent unauthorised access to Vendor Data as defined by this Notice or Additional Policies.
3. Purposes of collection, processing and use of Vendor Data
Biomapas uses Vendor Data (to the extent required) for the following purposes: vendor management, goods and/or service delivery to Biomapas Group; Vendor service management; service quality assurance; corporate reporting; compensation/corporate administration and planning; management of IT-systems assigned to Vendors; organisational management and communications (such as developing organizational charts and international directories, finance cost allocation); regulatory compliance.
More specifically, these purposes may include:
- to better meet Biomapas and Biomapas Group’s business needs and to enhance resource planning;
- to design, evaluate, and administer compensation, benefits, rewards and other programs (such as bonuses, expense reimbursements, travel expenses and reimbursement);
- to provide resource management information to the Biomapas Group’ local and headquarter management, including any relevant information to actual or potential business partners and/or investors;
- to provide tax systems with data necessary to generate payments to Vendors and to ensure accurate compliance with governmental reporting requirements;
- to track Vendors’ performance;
- to record, review and use the Vendor’s work products;
- to support any claim or defence before any jurisdictional, police, and/or administrative authority, arbitration or mediation panel as well as to identify and prevent business risks;
- to cooperate with – or to inform – law enforcement or regulatory authorities to the extent required by law or justified by the Biomapas Group’s interests;
- to cooperate with consultants representing Biomapas Group interests;
- to designate, evaluate, and implement contract on provision of services or goods concluded with the Vendor;
- to manage Vendor’s contact list;
- to conduct auditing, accounting, financial, and economic analyses;
- to facilitate business communications, negotiations, transactions, conferences, travel (including travel planning), service delivery and compliance with contractual and legal obligations; to prepare for, facilitate, execute, or otherwise support any transaction or potential transaction involving all or a portion of the business of the Biomapas Group;
- to protect company assets (including information systems support, firewall monitoring and anti-spam and anti-virus protection) and confirming compliance with company policies and procedures;
- to facilitate the Biomapas and/or the Biomapas Group’s compliance with their legal obligations; and
- to implement resources solutions at the Biomapas Group’s level in order to achieve all the above-listed purposes.
Legal basis for Vendor Data processing. Biomapas will process Vendor Data, where such processing is reasonably necessary for the performance of the contract, concluded with the Vendor; reasonably necessary for compliance with a legal obligation to which Biomapas or Biomapas group is subject to; or is within Biomapas’ legitimate business interests (e.g. in order to protect Biomapas or Biomapas Group confidential information or commercial secrets, to prevent infringement of legal acts, including infringements for which the Vendor is liable, in order to ensure performance of Biomapas business activities) and in some instances upon receipt of Vendor’s consent (if applicable on the case by case basis).
The collection of the Vendor Data by Biomapas is usually mandatory and if it is not provided, Biomapas will be unable to satisfy its legal obligations. Where the collection of any Vendor Data is not mandatory, Biomapas will inform the Vendor of this prior to collection, as well as the implications of failing to provide Vendor Data.
4. Transfer of Vendor Data to Biomapas Group companies, to third parties and service providers
Since Biomapas engages in cross-border business, Biomapas, Biomapas Group company or Biomapas contractor may transfer Vendor Data to Biomapas Group companies, Biomapas contractors or other Biomapas Vendor (e.g. legal service provider), business partner or client residing in the European Economic Area (“EEA”) and outside EEA. Only a limited number of individuals within Biomapas Group companies’ finance, information technology or other departments as well as certain managers will receive access to following categories of Vendors Data, including personal identification data, contact details, organizational data, financial data, compensation information, performance data, IT and other data. Access will be provided on a need-to-know basis and for abovementioned Biomapas business purposes.
Biomapas and upon its request any company of Biomapas Group or Biomapas contractor may contract with third party service providers as part of their normal business operations in connection with finance, accounting or other administrative functions, information technology support (e.g., software maintenance and data hosting). Biomapas and any company of Biomapas Group will (i) diligently choose such third-party service providers, and (ii) ensure that such third-party service providers adopt adequate technical and organizational security measures to safeguard the Vendor Data and use the Vendor Data only as instructed by Biomapas and appropriate company of Biomapas Group and for no other purposes.
For the purposes listed under Section 3 above, Biomapas, Biomapas Group company or Biomapas contractor may also need to make the Vendor Data available to other vendors of the Biomapas Group such as professional advisors such as attorneys, financial advisors; banks; insurance companies; other external data processors; potential or existing investors and acquirers; courts, law enforcement and/or regulatory authorities, notaries, third parties and/or their advisors; which recipients may be located inside or outside the EEA, including in countries which do not adduce the same level of protection of personal data as in the EEA. Furthermore, Biomapas is authorized to disclose Vendor Data in case of inspections performed by competent regulatory authorities or client audits.
Biomapas will only carry out personal data transfers outside the EEA where Biomapas is confident that the level of protection applied to Vendor Data will be similar as if it had remained within the EEA. In such case where Vendor Data is transferred outside the EEA, Biomapas will apply proper protection measures (e.g. Biomapas will apply appropriate internal rules or approved Standard Contractual Clauses) in order to ensure that Vendor Data is adequately protected against unauthorized processing in such countries.
5. Vendor Data retention period
The Vendor Data will not be kept for longer than necessary for the purposes for which they were collected in accordance with the applicable law. For the purpose of performance of the contract concluded between Biomapas and the Vendor, Biomapas will process Vendor Data during the validity of the contract concluded by and between the Vendor and Biomapas and for a certain period after its termination pursuant to legal acts applicable for the contractual relationship with the Vendor as well as regulate services provided by the Vendor. Unless legal acts provide to the contrary, Vendor Data processed by electronic means will be stored for 3 years after termination of contractual relationship while personal data contained in contractual documentation (contracts, signed notifications, consents, other documents to be stored in relation to the performance of the contract concluded with the Vendor and etc.) will be stored (archived) after termination for the term determined by legislation.
For further information and exact storage terms for specific Vendor Data processing purposes, the Vendor should contact Biomapas Data Protection Officer (contact details are available above in the preamble of this Notice).
6. Confidentiality obligations of the Vendor
The Vendor undertakes during the contractual relationship with Biomapas, Biomapas Group company or Biomapas contractor and for unlimited period thereafter to keep in secret the Biomapas commercial secrets or other confidential information as well as personal data of any data subject (“Information”) received while performing Vendor’s functions / providing services / supplying goods or in relation thereto and not to disclose or use it for his own or other persons’ interests (except for the Biomapas or with its authorisation). Information can be stored in paper or electronic documents in computers, software devises, cloud and in any other media.
The Vendor must not process personal data in an illicit manner. Personal data may only be processed if consent or a legal regulation permits the processing or if the processing of is based on other legal ground. Main principles for the processing of personal data are summarized below:
- to process personal data lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- to collect personal data for specified, explicit and legitimate purposes and not further process in a manner that is incompatible with those purposes (‘purpose limitation’);
- to ensure, that personal data always will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’);
- to ensure, that personal data processed is accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data, that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- to keep personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
- to process personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).
The Vendor receives such Information from Biomapas solely for the purpose of evaluation, discussions and negotiations concerning or in connection with establishing, management and administration of the contractual relationship with Biomapas as well as performance of the function / provision of services by the Vendor under the contract concluded with Biomapas (“Purpose”).
By entering into contractual relationship with Biomapas, the Vendor confirms that it/he/she is aware and undertakes:
- to process only such Information as (s)he considers necessary for the Purpose and not to use the Information in contradiction with the interests of Biomapas or Biomapas Group or without clear permission or instruction from Biomapas (e.g. to destroy, modify, copy, transmit, publish, etc. the Information or any part thereof for Vendor’s benefit or for the benefit of a third person);
- to use it only for the Purpose and for no other purpose and in particular, but without prejudice to the generality of the foregoing, (i) not to make any commercial use thereof or use the Information to compete with the Biomapas or any business carried out by Biomapas or Biomapas Group and (ii) not to use the same for the benefit of itself or for any third party except as otherwise agreed in writing;
- to maintain the Information in strict confidence as well as physical samples thereof, provided verbally, electronically, in writing or by any other means, directly or indirectly by Biomapas or Biomapas Group or any persons related to Biomapas Group, whether or not provided prior to the signature date hereof. However, this obligation shall not apply to any part of the Information: (i) which prior to the time of disclosure is in the public domain; or (ii) which after disclosure becomes part of the public domain by publication or otherwise through no fault of the Vendor provided; (iii) which is made available to the Vendor by a third party, provided however that such information was not made available in breach of any obligation of confidence or non-use owed by the Biomapas, Biomapas Group or third party, directly or indirectly to the Vendor;
- to notify the Biomapas promptly upon becoming aware of any unauthorized disclosure, reproduction, use or loss of all or any part of the Information.
- to apply to the Information no lesser security measures and degree of care than those which are applied by Biomapas Group to secure confidential or proprietary information and which are providing adequate protection of such information from unauthorized disclosure, copying or use in strict compliance with internal legal acts of Biomapas Group, including, but not limited to Biomapas’ Rules on Personal Data Processing;
- to refrain from copying documents or files containing Information and shall not transfer it to unauthorized persons, without prior written permission of Biomapas. Unauthorized copying or transmission is strictly forbidden;
- to notify immediately Vendor’s contact person at Biomapas and Biomapas Data Protection Officer about any suspicious situation which might endanger the security of the Information;
- to notify immediately Vendor’s contact person at Biomapas and Biomapas Data Protection Officer about all requests from any natural or legal person (private or public) for Information (including personal data) or in connection therewith and to follow instructions received from Biomapas Data Protection Officer (if no instructions received – instructions received from Vendor’s contact person at Biomapas);
- to comply with Vendor’s confidentiality obligations when using Biomapas’ or Biomapas Group’s information systems;
- to process personal data according to the rules of the General Data Protection Regulation, that with the signature hereof the Vendor confirms being aware of and acquainted with, the national law applicable for the legal protection of personal data and other applicable legal acts, signed personal data processing and/or subprocessing agreements as well as according to the rules of Biomapas and Biomapas Group.
If the Vendor is required by law to disclose any of the Information, (s)he shall be entitled to do so provided that, only that part of the Information which is legally required to be disclosed is disclosed and prior to such disclosure sufficient notice of the same is given to Biomapas in order that it may seek a protective order or other appropriate remedy.
Upon termination of the contractual relationship between the Vendor and Biomapas, Biomapas Group company or Biomapas contractor or at any time upon written request of Biomapas, Biomapas Group company or Biomapas contractor, the Vendor will promptly return all Information including, without limitation, physical samples, documents, copies, summaries, analyses or extracts thereof and any other material received from the Biomapas or any company of Biomapas Group or created by the Vendor for the Purposes together with the written confirmation certifying that the Vendor has done so. The Vendor is prohibited to retain copies of the Information or any part thereof and shall so certify. All verbally disclosed Information shall be held subject to these confidentiality obligations of the Vendor.
Any breach of these Vendor’s obligation may result in the liability provided for in the applicable legal acts. A breach may also constitute a breach of the obligations arising out of the contract between the Vendor and Biomapas or specific confidentiality obligations of the Vendor. Civil claims for damages may also result from breaches of these Vendor’s obligation. The Vendor receiving the Information shall be responsible for any breach of its confidentiality obligations established in this Section of the Notice and in the event of breach shall compensate all the damages it has caused to Biomapas, Biomapas Group and/or the third party.
Any confidentiality agreements arising from Vendor’s contractual relationship to Biomapas, Biomapas Group company or Biomapas contractor or separate agreements on confidentiality remain unaffected by Vendor’s obligations hereunder.
7. Rights of the Vendor
The Vendor and/or its representatives (if applicable), has a right to withdraw any of his/her consents for Vendor Data processing (at any time, without affecting the lawfulness of processing before the consent given for data processing was withdrawn), to know (to be informed) about the processing of Vendor Data, to access Vendor Data held about him/her and obtain a copy of Vendor Data, to have inaccurate data corrected or to have Vendor Data erased and to restrict or object processing of Vendor Data for legitimate reasons. The Vendor has the right to data portability and to lodge a complaint with the State Data Protection Inspectorate as well as other competent authority in the country of Vendor’s residence.
The Biomapas does not take decision upon automatic processing of Vendor Data, including profiling.
- Acknowledgment of Notice receipt
BY CONCLUDING CONTRACT WITH BIOMAPAS AND PROVIDING SERVICES / SUPPLYING GOODS HEREUNDER, YOU CONFIRM THAT YOU HAVE MADE YOURSELF ACQUAINTED WITH THIS VENDOR DATA PROTECTION NOTICE AND HAVE UNDERSTOOD IT AND THAT YOU HAD THE OPPORTUNITY TO ASK BIOMAPAS ANY QUESTIONS ABOUT YOUR PERSONAL DATA AND THAT YOU HAVE RECEIVED ALL THE NEEDED ANSWERS IN DETAIL.