REGULATIONS ON PERSONAL DATA PROCESSING AT THE REGISTRANTS SERVICE SYSTEM MANAGED BY THE INTERNET SERVICE CENTRE OF KAUNAS UNIVERSITY OF TECHNOLOGY
1. Regulations on personal data processing at the Registrants Service System managed by the Internet Service Centre of Kaunas University of Technology (hereinafter – Regulations) regulate personal data processing for the natural persons who create their accounts (hereinafter – Registrants) in the self-service section of the website www.domains.lt (hereinafter – website).
2. Regulations are prepared in accordance with the Regulation (EU) 2016 / 679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Law on legal protection of personal data of the Republic of Lithuania and other normative legislation regulating personal data processing and document storage (hereinafter collectively referred to as current legislation);
3. Data controller who sets the purposes and measures of personal data processing when the Registrant creates and / or manages a second level domain (-s):
3.1. In .lt top-level domain, as well as while processing personal data of all Registrants for the purposes set in subparagraphs 9.1, 9.3 and 9.4 of these Regulations – data controller is Kaunas University of Technology, legal entity code 111950581, head office address K. Donelaičio str. 73, Kaunas (hereinafter – University);
3.2. In .eu top-level domain – data controller for the purpose set in subparagraph 9.2 of these Regulations is the European Registry for Internet Domains VZW, tax payer code BE 0864.240.405, head office address Woluwelaan 150, 1831 Diegem, Belgium, e-mail privacy@eurid.eu;
3.3. In .info top-level domain – data controller for the purpose set in subparagraph 9.2 of these Regulations is Identity Digital Limited , head office address 10500 NE 8th Street, Suite 750, Bellevue WA 98004, United States of America, e-mail privacy@identity.digital;
3.4. In .com or .net top-level domains – data controller for the purpose set in subparagraph 9.2 of these Regulations is VeriSign, Inc., tax payer identification code (EIN) 94-3221585, head office address 12061 Bluemont Way, Reston, VA 20190, USA, e-mail privacystatement@verisign.com; 3.5. In .org top-level domain – data controller for the purpose set in subparagraph 9.2 of these Regulations is the Public Interest Registry, tax payer identification code (EIN) 33-1025119, head office address 1775 Wiehle Avenue, Suite 102A, Reston, VA 20190, USA, e-mail privacy@pir.org.
4. University’s subdivision authorised to process the Registrants’ personal data on behalf of the data controllers is Internet Service Centre. Requests or notifications of the Registrants related to the personal data processing can be sent to the Internet Service Centre by e-mail hostmaster@domains.lt or by post to the address Studentų str. 48A, 51367 Kaunas.
5. Internet Service Centre performs the Registrants’ personal data processing in accordance with:
5.1. General principles and special standards stipulated in the current legislation;
5.2. Privacy policy provisions of the respective top-level domain that contains the Registrant’s second level domain (-s);
5.3. Provisions of the accreditation contracts with the Internet Corporation for Assigned Names and Numbers (ICANN), as well as with the registries of .eu, .info, .com, .net, .org top-level domains;
5.4. Service contract with the Registrant.
6. Personal data is collected from the Registrants who create their accounts in the self-service section of the website and specify their personal data therein: name and surname, personal identification code, VAT payer code (if the Registrant is value added tax payer), address, telephone, email address, data of technical contact, language.
7. Besides the personal data specified in paragraph 6 of these Regulations Internet Service Centre processes the Registrant’s unique identifiers for access to the account at the website and each case of registration and access to the account: unique identifier of the connected person, IP address that connects to the account, date, time, duration, connection result (successful, failure) and performed actions.
8. Legal framework for personal data processing:
8.1. Personal data processing is required for implementation of the service contract with the Registrant (the order placed by the Registrant), as well as for taking actions at the Registrant’s request before making of the service contract (when placing the order). Provision of personal data is a prerequisite for making of the service contract (placement of the order). The Registrant willing to use the services provided by the Internet Service Centre has to specify correct personal data in the scope defined in paragraph 6 of these Regulations while registering at the website; if he / she fails to provide them – he / she is not able to place orders and demand their implementation. If the Registrant is under the age of 14, service contract on his / her behalf is made by the parents or guardians. If the Registrant is 14-18 years of age, he / she can make the service contract only with the consent of the parents or guardians;
8.2. Registrant’s consent for his / her personal data to be published in WHOIS database with the information about his / her second level domain (-s). Registrant’s consent regarding the publishing of personal data is given voluntarily, it is not mandatory while using the services provided by the Internet Service Centre. If the Registrant is under the age of 16, consent regarding the publishing of personal data is given by his / her representatives, in accordance with the requirements of the current legislation.
9. Personal data is processed while the Internet Service Centre provides services to the Registrants who create and / or manage a second level domain (-s) for the following purposes:
9.1. Registrant’s identification and contacting while providing procedural and technical services related to creation and / or management of domains, processing and performance of the Registrant’s orders, Registrant’s notification about the necessity to perform certain procedures in the Registrant’s interests (for example, extend the domain’s expiration term) and notification of other relevant information as much as it is related to creation and / or management of domains (for example, changes of terms and prices of service provision), preparation of accounting documents and their provision to the Registrant, management of the Registrant’s settlements, performance of other service provider’s obligations under the contract or current legislation;
9.2. Processing of the registry data of the respective top-level domain that contains the Registrant’s second level domain according to the requirements of the registry of that domain;
9.3. Preparation of statistical reports;
9.4. Archive management.
10. Registrants’ personal data can be provided to the data recipients of the following categories:
10.1. University’s employees who need the data to receive and perform specific orders;
10.2. Competent state institutions that have a right to receive personal data according to the current legislation;
10.3. Interested persons (or their representative lawyers) under the individual inquiries based on the necessity of defence of their legitimate interests while submitting claims against the Registrant regarding the use of a protected designation, second level domain’s subordination (concluded transactions) or regarding content of the website managed by the Registrant, if the Registrant failed to reply to the forwarded e-mail within 15 calendar days;
10.4. The registry of the respective top-level domain for the purpose of data processing;
10.5. Data repositories in the European Union and third countries. The Registrant can learn about the personal data transferred to the data repositories by applying to the Internet Service Centre.
11. Personal data retention period: 10 (ten) years, because claims / lawsuits regarding the Registrant’s second-level domain (-s) name (-s) or performed procedures can be submitted within a 10 (ten) year general period of limitation defined by Article 1.125 (1) of the Civil Code of the Republic of Lithuania. At the end of this term, Registrant’s personal data are destroyed – they are deleted from the archives so that it is not possible to restore them in usual methods. Accounting documents and other written documents prepared while performing orders are stored for the purposes of archiving under the terms defined by the current legislation.
12. The Registrant has a right to request the following from the Internet Service Centre:
12.1. To get acquainted with his / her processed personal data. The Registrant can get acquainted with the processed personal data individually by logging into his / her account on the website or apply to the Internet Service Centre;
12.2. Current the processed personal data. The Registrant can correct (update) the processed personal data individually by logging into his / her account on the website or apply to the Internet Service Centre;
12.3. Delete the processed personal data or restrict their processing if he / she does not use the services provided by the Internet Service Centre and data retention period has ended.
13. The Registrant has a right to disagree for his / her personal data to be published in WHOIS database and revoke his / her consent, if it was given, at any time. In such a case Internet Service Centre performs any actions within its power to make sure that a respective data controller implements the above-mentioned Registrant’s right.
14. The Registrant has a right to data portability.
15. The Registrant has a right to submit a complaint to the State Data Protection Inspectorate regarding the actions or omissions related to his / her personal data processing.
16. Responses are provided to the Registrants free of charge in the same form as the received request or notification within 30 (thirty) calendar days from the date of receipt of the request or notification.
17. For insurance of effective control of the processing of personal data, continuous processing of personal data and their restoration after the incident, the University implements regular organisational and technical measures for data security.
18. Website uses “public” and “rn” temporary cookies (so-called session cookies) that remain after connection and are automatically removed when the user closes the Internet browser. It ensures a possibility to save the actions performed or options applied by the user while browsing in the website (for example, entered name of the registered user, password, choice of language, font size, etc.), to avoid the need to enter or select them repeatedly while browsing the website’s pages. Some Internet browsers can be configured so that the cookies are not recorded in the user’s terminal device. However, in such a case, some options of the website can function incorrectly until the user changes them manually each time he / she browses in this website. Website does not use long-term, tracking, third persons’ and other cookies.
19. University has a right to change these Regulations partially or completely. Regulations are reviewed at least once per 2 (two) years and updated, if needed. Appendixes to or amendments of these Regulations come into force on the date of their publication on the website. If the Registrant disagrees with appendixes to or amendments of these Regulations, he / she has a right to change the registrar and notify the Internet Service Centre regarding deletion of his / her account on the website within 30 (thirty) calendar days from the date of publication of the new edition of these Regulations. If the Registrant fails to notify regarding deletion of the account during the determined period, it is considered that he / she agrees with application of the new edition of the Regulations.
20. Regulations are amended, supplemented or repealed under the order of the University’s Rector.