RULES FOR PROCESSING OF DATA OF THE USERS
1. These Rules for Processing of Data of the Users of the Website https://domains.lt (hereinafter – Rules) establish the main principles and conditions for processing of personal data of the users, who create their accounts on the website https://domains.lt (hereinafter – Customers).
2. The Rules are prepared in accordance with the Law on Legal Protection of Personal Data of the Republic of Lithuania and other normative legal acts regulating processing of personal data.
3. Manager of personal data of the website https://domains.lt is Kaunas University of Technology (hereinafter – KTU), legal entity code 111950581, address: K. Donelaičio str. 73, Kaunas. KTU structural unit authorised to process Customers' personal data in the accounts of the website https://domains.lt: Internet Service Centre of the Information Technology Services of Kaunas University of Technology (hereinafter – IPC), located at Studentų str. 48A, Kaunas city, fax (8 37) 30 06 43, email firstname.lastname@example.org.
4. IPC processes Customers' personal data under the service contracts that are concluded and being implemented in accordance with the following main principles:
4.1. Principle of defined purposes. Purposes of the processing of personal data are specified in p. 5 of the Rules. Personal data is not collected, processed and used for other purposes, including direct marketing.
4.2. Principle of direct data collection. Customers write (fill) their personal data in IPC information system when they create their accounts on the website https://domains.lt and later, when they change them. Customer informs IPC about changes of their name in a non-automatic way, providing a certifying document. Customers' personal data is not collected from other sources.
4.3. Principle of minimal scope. A complete list of the processed personal data is provided in p. 6 of the Rules. Minimal scope is determined by purposes of the processing of personal data. Customers‘ physical, physiological, economic, cultural or social attributes are not collected, processed and used.
4.4. Principle of accuracy of data. Processed personal data have to be identical, appropriate (correct, comprehensive) and constantly updated, because they are an object of "Whois" database of the corresponding top-level domain, which contains Customer's domain.
4.5. Principle of honest and legal data processing. Personal data are processed, when Customers are aware of the purposes of their collection, a list of data and other conditions, and when they express a consent regarding processing of their personal data.
4.6. Principle of confidentiality of data. Personal data are processed only by designated employees of IPC, who have a right to perform the following data processing actions: collection, storage, classification, clustering, non-automatic changes (supplement or correction) at Customer's request, provision to data receivers and publication in the corresponding "Whois" database under procedure and in the scope established by these Rules, use, search, deletion at the end of processing term. The employees, who process personal data, must protect the secrecy of personal data.
4.7. Principles of fixed-term data processing. Personal data are stored only as long as it is required for purposes of their processing. Customers' personal data are stored as long as they have an account on the website https://domains.lt, and during the period of 1 (one) year after termination of the account. At the end of this term, personal data are destroyed – they are deleted from databases and archives of databases managed by IPC so that it is not possible to restore them in usual ways. Accounting documents and other written documents prepared while performing Customers' orders are stored under terms established by the normative legal acts and then they are destroyed under established procedure.
PROCESSING OF DATA OF THE NATURAL PERSONS
5. Purposes of collection, processing and use of personal data:
5.1. Identification of and contact with Customer during provision of procedural and technical services related to creation and management of domains;
5.2. Processing and performance of the orders provided by Customer;
5.3. Customer's notification regarding a necessity to perform certain procedures in Customer‘s interests (for example, extend the domain's validity term) and provision of other relevant information, as much as it is related to creation and management of domains (for example, regarding changes of conditions and prices of service provision);
5.4. Internal administration, preparation of accounting documents and their provision to Customer;
5.5. Management of Customer's debts;
5.6. Provision of Customer's data to the administrator of the corresponding top-level domain, which contains Customer's domain;
5.7. Performance of IPC obligations arising from the concluded service contracts and under normative legal acts.
6. The following data of natural persons are collected, processed and used:
6.1. Name and surname;
6.2. Personal identification code;
6.4. Telephone number;
6.5. Email address (it is recommended for Customers to have an anonymous email address for contacts regarding the issues of creation and management of domains and for publication);
6.6. Data of contact person (-s);
6.7. Login IP addresses;
6.8. Language, used for receipt of services;
6.9. Natural persons can additionally indicate their fax number or VAT Payer Code at their own discretion.
7. Taking into consideration the specificities of the registration of domain names, Customers must ensure by the concluded service contracts that their personal data specified in the account of the website https://domains.lt are accurate and updated. If personal data are not identical or appropriate (made-up name or surname, non-existent address, inoperative email, non-existent telephone number, etc.), the administrator of the corresponding top-level domain can apply the procedure of domain suspension and/or removal and IPC can terminate the service contract.
8. Customer are responsible for the accuracy of the data of their specified contact person (-s) and legitimacy of their use. If a contact person requires removal of his/her data or that data are inaccurate, Customer is considered to be a contact person.
9. Customers have a right to get acquainted with their processed personal data in the account of the website https://domains.lt and change them (supplement or correct).
10. Customers, who get acquainted with their personal data and determines them to be incorrect, incomprehensive or inaccurate, can correct the data themselves by logging into their account on the website https://domains.lt (using provided identifiers), as specified in the concluded service contracts or apply to IPC, which corrects the incorrect, incomprehensive or inaccurate personal data within 5 (five) working days from the date of the receipt of the request with supporting documents at the latest. In case of automatic data processing, a personal correction of the personal data by Customer, who is logged in his/her account, is preferred. In case of changes in Customer's name, this data is changed in a non-automatic way by IPC within 5 (five) working days after receipt of the certifying document from Customer at the latest.
11. Customers' consent regarding processing of their personal data under these Rules is expressed by their actions: they have to mark "I agree for my data to be processed and used for performance of the orders, provided to the administrator of the corresponding top-level domain and published in "Whois" database under provisions approved by IPC" when creating an account on the website https://domains.lt and then click "Create an account".
12. It is mandatory for the personal data of Customer, as a holder and owner of the registered domain name, to be provided to the administrator of the corresponding top-level domain, which contains Customer's domain (data receiver) under established Internet self-regulation practices. When Customer aims to create and manage his/her own domain under an order placed to IPC, Customer's data is provided to the following data receivers, including the foreign ones, with Customer's consent and in his/her interests:
12.1. If Customer's domain is in the .lt top-level domain – they are published in .lt "Whois" database at https://www.domreg.lt/whois
in the following scope (besides technical information about the domain and public details of the service provider): Customer's initials and email address, unless Customer wishes to publish more detailed personal data and expresses this request in the order to IPC.
12.2. If Customer's domain is established in .eu top-level domain – they are provided to the administrator ("EURid vzw") under its established policy "Domain Name Whois Policy" and published in .eu "Whois" database at https://eurid.eu
in the following scope (besides technical information about the domain and public details of the service provider): Customer's email address and the language used for receipt of services, unless Customer wishes to publish more detailed personal data and expresses this request in the order to IPC.
12.3. If Customer's domain is created in .com
top-level domains – they are provided to the data repository of the Internet Corporation for Assigned Names and Numbers ICANN ("Iron Mountain Inc.") and published in the respective top-level domain "Whois" database in the scope determined by its administrator.
12.4. Customers' personal identification codes are not provided to the mentioned data receivers, publicly available or used for marketing purposes.
13. Taking into consideration the provisions of data provision and publishing laid out in p. 12 of the Rules, Customer's consent for IPC to collect, process and use his/her personal data in defined ways and conditions is a fundamental condition for Customer to create and manage domain. A given consent cannot be revoked, the actions of data processing cannot be stopped and the personal data cannot be destroyed as long as there is at least one Customer's domain serviced by IPC. During this period Customer's requirement to terminate the actions of processing of his/her personal data, to destroy, remove from the account of the website https://domains.lt and/or not publish them in the respective "Whois" database is reasonably declined; if Customer provides a repeated requirement – it is considered as an order for removal of the domain and a statement regarding termination of the service contract (this procedure is performed within 5 (five) working days from the date of the receipt of the repeated requirement). Thus, removal of the domain is a way to remove personal data from the respective "Whois” database, and removal of the domain (-s) serviced by IPC, change of service provider or termination of the service contract with IPC is a way to terminate data processing in the account of the website https://domains.lt; at the same time Customer's account on the website https://domains.lt is deleted.
14. Customer, as a holder and owner of the registered domain name, is responsible for the content and name of the domain. Therefore, Customer's personal data can be provided at the interested person‘s request (one-time data receiver), whose rights are allegedly violated by creation and management of the domain, or the authorised person's authorised representative; the purpose of the use of Customer's personal data, the basis for their provision and receipt and the scope of requested personal data have to be specified in the request.
15. Customer's personal data can be disclosed at the requirement of the state institutions that have a right to receive personal data under normative legal acts.
16. IPC has to provide a reasoned refusal to perform Customer's request for implementation of his/her rights related to the processing of personal data, established by normative legal acts. After receipt of Customer's request, IPC must provide a reply within 30 (thirty) days after Customer's application at the latest. If Customer provides a written request, IPC provides a written reply.
17. Customers, who provide IPC with the document certifying their identity or confirms their identity under procedures established by normative legal acts or using electronic means of communication that enable identification of the person, have a right to receive information which of their personal data are collected and the sources they are collected from, the purpose of their processing, which data receivers they are provided to and have been provided to during the last 1 (one) year. After receipt of such Customer's inquiry, IPC replies under procedures established by normative legal acts, if the data related to Customer is processed, and provides a requested data within 30 (thirty) calendar days after Customer's application at the latest. At Customer's request such data are provided in written. IPC provides such data to Customer free of charge once per calendar year. When the data are provided for a payment, an amount of the payment cannot exceed the expenses of data provision.
PROCESSING OF DATA OF THE LEGAL ENTITIES THAT ARE CUSTOMERS
18. Purposes and conditions for processing of data of the legal entities are essentially the same as the ones specified in Chapter II of the Rules, with the following exceptions:
18.1. The following data of legal entities are collected, processed and used:
18.1.1. Name of the legal entity;
18.1.1. Code of the legal entity;
18.1.3. Head office address;
18.1.4. VAT payer code;
18.1.5. Telephone number;
18.1.6. Email address;
18.1.7. Data of contact person (-s);
18.1.8. IP addresses of DNS servers;
18.1.9. Number of bank account (not mandatory data);
18.1.10. Fax number (not mandatory data).
18.2. While collecting, processing and using data of legal entities, IPC can perform their inspection according to the information published in the state registers and other public data files.
18.3. All data of legal entities are provided to the administrator of the corresponding top-level domain, which contains Customer's domain and can be published in "Whois" database.
DATA SECURITY MEASURES
19. For insurance of effective control of the processing of personal data, continuous processing of personal data, restoration of its information system and authorised use of personal data, IPC implements the following data security measures:
19.1. Administrative – safe processing of data files and their archives, introduction of these Rules to IPC employees, regular risk assessment, control of compliance with these Rules;
19.2. Technical and software protection – maintenance of working places, use of passwords and locks, protection of IPC information system and databases against unauthorised disclosure of personal data, their copying, changing or destruction, protection against cyber-attacks, computer viruses and other malware by installation and updating of adequate measures for arising threats;
19.3. Computer network protection – filtering of undesirable data packages.
20. Kaunas University of Technology has a right to change these Rules partially or completely; they are reviewed at least once per 2 years and updated, if needed. Appendixes to or amendments of these Rules come into force on the date of their publication on the website https://domains.lt. If Customer disagrees with appendixes to or amendments of these Rules, he/she has a right to notify IPC regarding deletion of his/her account within 30 (thirty) calendar days from the date of publication of the new edition of these Rules. If Customer fails to notify regarding deletion of the account during the determined period, it is considered that he/she agrees with application of the new edition of the Rules for processing of Customer's personal data.