Last updated: March 29, 2024

 

TERMS

    1. The data controller, the operator of the website trustguru.lt (hereinafter referred to as the "Website") is UAB Trustguru, company registration number 305570263, mailing address Pylimo g. 41A, Vilnius, Republic of Lithuania, email address - info@trustguru.lt (hereinafter referred to as the "Operator").
    2. Through the Website, the Operator provides General Data Protection Regulation compliance and implementation assistant services (hereinafter referred to as "Services").
    3. Customers of the online store on the Website can be:
      1. Medical service providing companies;
      2. Other small and medium-sized enterprises (SMEs).
    4. These terms of use (hereinafter referred to as "Rules") regulate the rights of the Buyer and the Operator, mutual obligations, service price, payment procedure, liability of the parties, and other related terms.

GENERAL TERMS

    1. These Rules of UAB Trustguru and their annexes, once accepted by the Buyer (having become acquainted with the Rules and marked the checkbox next to the statement "I have read the UAB Trustguru Terms of Use and agree with them"), are a legally binding document for both parties, establishing mutual obligations and rights.
    2. The Operator reserves the right to change, amend, or supplement these Rules at any time, taking into account the requirements of legal acts, the scope of services provided, and other circumstances. Buyers are informed of changes to the Rules by email.
    3. At any time, the Buyer can cancel the service subscription and delete their user account.
    4. By accepting these Rules, the Buyer confirms that they meet the requirements of item 3.
    5. The Operator has prepared a standardized GDPR compliance document package for the industry specified in 1.3, which is automatically generated based on the Buyer's responses in the "Audit" section. In the future, the Operator may prepare standardized GDPR compliance document packages for other industries. The Buyer, by accepting these Rules, if they do not meet the conditions specified in 1.3, assumes the risk associated with using the standardized document package.

PERSONAL DATA PROTECTION

    1. When using the services in the system, the Buyer must enter the email addresses and names (optional) of their employees, which will be processed in the system. In this area, the Operator acts as a data controller and operates in the interests of and according to the Buyer's instructions. Employee personal data provided by the Buyer will be processed as specified in Annex No. 1 to these Rules – the data processing agreement.
    2. All personal data provided by the Buyer are processed in accordance with the General Data Protection Regulation No. 2016/679, the Republic of Lithuania's Personal Data Legal Protection Act No. I-1374 of June 11, 1996, and other personal data protection legal acts.

SERVICES

    1. Services are provided to the Buyer only after purchasing an annual package, registering on the Website, and creating an account.
    2. If the Buyer purchases an annual or monthly plan for the first time, they can get a refund within 30 calendar days by contacting info@trustguru.lt if the service did not meet expectations. It should be noted that after a longer period, the money will not be refunded.
    3. After paying for the services and registering on the website, the Buyer is asked to answer a questionnaire about their data processing operations. Based on the provided answers, a document package will be generated for the Buyer, along with necessary actions to take. The Buyer remains responsible for providing accurate information.
    4. The Buyer cannot download the generated document package, but can review each document before starting to use them. All actions necessary for GDPR implementation (informing individuals, collecting consents, etc.) are performed through the Website.
    5. Before starting to use the documents, the Buyer familiarizes themselves with their content and begins to use them only if the content of the documents accurately reflects the Buyer's actual situation and fully corresponds to the Buyer's data processing operations. If the content of the documents does not reflect the Buyer's actual situation (for example, not all data recipients are mentioned), the Buyer must contact the Operator at info@trustguru.lt to make changes to the document content. The Operator will notify the Buyer of any changes made to the documents by email.
    6. After generating the document package, the Buyer must follow the steps indicated in the "GDPR GUIDE" section to implement all GDPR requirements.
    7. If there are changes to the details, the Buyer must contact the Operator by email at info@trustguru.lt to update the data.
    8. If the Buyer's company starts new operations and wants to change the responses to previously answered questionnaire items, they need to update the information in the support section or contact the Operator by email at info@trustguru.lt.
    9. The Operator sends notifications to the Buyer if changes occur in the system and further actions are needed, such as filling out newly added Audit questions or reviewing newly formulated documents resulting from GDPR changes or system improvements.

SETTLEMENT FOR SERVICES

    1. The Buyer pays the Operator an annual fee of 421.08 Euros for the annual package and provision of Services. This amount consists of a service charge of 348.00 Euros for the annual plan and 73.08 Euros VAT.
    2. The Buyer's annual plan is valid for exactly 12 months from the purchase date. Upon extension of the plan, an invoice is issued and sent to the email address registered on the Website or another agreed-upon method.
    3. If the Buyer fails to pay this fee by the end of the service period, the Operator reserves the right to terminate all or part of the services provided to the Buyer.
    4. The Operator reserves the right to offer discounts to individual users or their groups.
    5. The Operator offers a one-month (29 Euros) discount by using a unique discount code, which can be provided by system users. By using the code or link, the discount will be granted both to the new Buyer and the existing User. For the existing User, the discounts are accumulated and will be applied when deciding to extend the Annual plan.
    6. The Operator reserves the right to change the anticipated pricing, notifying the Buyer at least three months before the actual price change.

BUYER'S RIGHTS AND OBLIGATIONS

    1. The Buyer has rights related to his personal data protection as stipulated in the Operator's privacy policy. To exercise the rights specified in this privacy policy, the Buyer should contact the Operator using the contact details mentioned in the privacy policy or these Rules.
    2. The Buyer has the right to refuse the service subscription and delete his account at any time.
    3. The Buyer has the right to change the password of his account.
    4. The Buyer undertakes to comply with these Rules, other terms of use indicated on this website, and the legal requirements of the Republic of Lithuania while using the Website.
    5. The registered Buyer undertakes not to disclose to third parties the login data to his account. If the Buyer loses or discloses his account login data to third parties, he must immediately notify the Operator using the contact details mentioned in these Rules.
    6. Other legal acts may provide additional rights and obligations for the Buyer not specified in these Rules.

OPERATOR'S RIGHTS AND OBLIGATIONS

    1. The Operator reserves the right to suspend or terminate certain functions of the Website and to change the layout of account management elements.
    2. If, due to external factors (e.g., changes in legislation, etc.), the conditions for providing the Operator's services change significantly, the Operator has the right to change the scope and method of services provided, suspend or terminate certain services or parts thereof, and also impose additional charges for services or parts of them.
    3. The Operator commits to inform the Buyer about significant suspension, termination, or changes in the provision of Services. The Buyer is informed via the email address provided or other specified contact methods.
    4. The Operator commits to ensure a proper level of security for the personal data provided by the Buyer and to process it according to the Privacy policy, as well as the legal acts of the Republic of Lithuania and the European Union.
    5. The Operator may be granted other rights or obligations according to the laws of the Republic of Lithuania.

LIABILITY

    1. The Buyer is responsible for his actions performed using the Website. The Buyer assumes responsibility for consequences arising from the inaccuracy or incorrectness of the data provided, as well as for following or not following the recommendations given.
    2. A Buyer registered on the Website is responsible for safeguarding his login data and for any disclosure of it to third parties. If third parties use the Website's services by logging in with the Buyer's login data, the Operator considers such a person as the Buyer, and the Buyer is responsible for all actions of that third party performed on the Website.
    3. To the extent not contrary to legal acts, the Operator is exempted from any liability when losses arise due to the Buyer not familiarizing himself with these Rules, Privacy policy, and/or other documents.
    4. In case the Operator breaches the provisions of these Rules, he is liable for the damage or losses suffered by the Buyer that arise as a foreseeable consequence of the breach. Damage or losses are considered foreseeable if they are an obvious result of the Operator's breach.
    5. In case of damage, the culpable party compensates for the direct losses suffered by the other party.

SENDING NOTICES

    1. According to the procedure stipulated in these Rules and the Privacy policy, the Operator sends all notices intended for the Buyer to the email address provided by the Buyer.
    2. The Buyer sends all notices and questions to the Operator using the contact details provided in these Rules.
    3. Notices sent by email are considered to be delivered in writing.

FINAL PROVISIONS

    1. These Rules are formulated in accordance with the legal acts of the Republic of Lithuania.
    2. All legal relationships arising from these Rules are subject to the law of the Republic of Lithuania. Any dispute arising from these Rules is resolved through negotiations. If no agreement can be reached, the dispute is resolved in the competent court of the Republic of Lithuania.

 

 

Annex No. 1 to the Terms of Use

DATA PROCESSING AGREEMENT

ABBREVIATIONS

Unless otherwise expressly provided in this Agreement, capitalized terms have the meanings set out below or as defined in the Terms:

Individual (Data Subject): a person (natural person) whose data is processed;

Personal Data: any information related to an Individual who can be identified;

Data Processor: the Operator, as defined in the Terms;

Data Controller: the Buyer, as defined in the Terms;

Another Data Processor: a third party engaged by the Data Processor, which carries out the instructions of the Data Processor and processes Personal Data on behalf of the Data Controller;

Applicable Data Protection Laws: any national or international data protection laws or regulations applicable during the term of this Agreement, depending on the specific case, to the Data Controller or Data Processor. "Applicable Data Protection Laws" include the European Union's General Data Protection Regulation (GDPR);

Processing: any operation or set of operations performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion or destruction.

PERSONAL DATA PROCESSING

    1. The Data Processor processes personal data on behalf and in the interests of the Data Controller, providing Services in accordance with the Rules.
    2. The data processing period is from the acceptance of the Rules until the deletion of the account or the moment when the Buyer has not logged into their account for 2 years and has not deleted it.
    3. The personal data processing by the Data Processor is regulated by this Agreement, the instructions of the Data Controller, and the Applicable Data Protection Laws, which are binding on both the Data Processor and the Data Controller. The Data Processor, in processing personal data under this Agreement, complies with all Applicable Data Protection Laws, recommendations of the State Data Protection Inspectorate, and other competent authorities. The Data Processor refrains from any actions that would lead the Data Controller to violate the Applicable Data Protection Laws.
    4. The purposes of personal data processing, processing operations, categories of individuals and personal data, storage requirements, and also categories of recipients to whom personal data may be transferred without separate consent of the Data Controller, are set out in Section 6 of this Agreement.
    5. The Data Processor, when processing personal data under this Agreement, adheres to all Applicable Data Protection Laws and recommendations of the State Data Protection Inspectorate or other competent authorities. In the event of contradictions between the terms of this Agreement, the instructions of the Data Controller, Applicable Data Protection Laws, and recommendations of the State Data Protection Inspectorate or other competent authorities, the Data Processor immediately informs the Data Controller and resolves the conflict in the following priority order:
      1. Applicable Data Protection Laws;
      2. The terms of this Agreement;
      3. Instructions from the Data Controller;
      4. Recommendations of the State Data Protection Inspectorate or other competent authorities.
    6. The Data Processor immediately informs the Data Controller if there are no instructions for personal data processing in a specific situation, or if the instructions violate this Agreement or Applicable Data Protection Laws, and requests such instructions to be provided.
    7. The Data Processor assists the Data Controller in fulfilling his statutory duties under Applicable Data Protection Laws, including but not limited to the Data Controller's obligation to respond to individuals' requests to access the information held about them and to request correction, blocking, or deletion of personal data.
    8. The Data Processor refrains from any actions that would lead the Data Controller to violate Applicable Data Protection Laws.
    9. If individuals, competent authorities, or any third parties request information from the Data Processor on processed personal data as specified in this Agreement, the Data Processor informs the Data Controller of such a request. The Data Processor in no way acts on behalf of or as a representative of the Data Controller, and without prior instructions from the Data Controller, cannot transfer or disclose personal data or other information related to personal data processing to third parties. If, under Applicable Data Protection Laws or other regulations, the Data Processor is required to disclose personal data processed on behalf of the Data Controller, the Data Processor must immediately inform the Data Controller of the request to disclose personal data.
    10. Without the prior instructions of the Data Controller, the Data Processor may not transfer or disclose personal data or other information related to personal data processing to third parties, except for the categories of recipients specified in Section 6 of this Agreement and individuals who are granted the right to obtain personal data from the Data Processor by law.

OTHER DATA PROCESSORS

    1. The Data Processor informs the Data Controller about the intended use of another Data Processor or its replacement, and gives the Data Controller the right to disagree with the use or replacement of another Data Processor. Regardless of the Data Controller's consent, the Data Processor remains fully responsible to the Data Controller for personal data processing.
    2. The Data Processor ensures that all other engaged Data Processors give written consent or include such consent in a contract committing to adhere to the respective personal data processing rules as set out in this Agreement.
    3. The Data Controller may request the Data Processor to conduct an audit of another Data Processor, or provide confirmation that such an audit has taken place and provide information confirming the other Data Processor's compliance with Applicable Data Protection Laws. The cost of such an audit is borne by the Data Processor.
    4. The Data Processor remains fully responsible to the Data Controller for the obligations of another Data Processor.

TRANSFER TO THIRD COUNTRIES

    1. Without prior explicit permission from the Data Controller, the Data Processor may not transfer personal data outside the EEA. If the Data Controller approves such a transfer of personal data, the parties transferring the data determine mandatory data protection measures according to Applicable Data Protection Laws.
    2. Under justified circumstances, the Data Controller may revoke the permission to transfer personal data to third countries as mentioned in point 4.1. In this case, the Data Processor immediately stops the transfer of personal data to third countries and provides written confirmation of termination.

INFORMATION SECURITY AND CONFIDENTIALITY

    1. The Data Processor, in order to assist the Data Controller in fulfilling legal obligations, including but not limited to, implementing data security measures and carrying out an assessment of the impact on data protection, ensures that appropriate technical and organizational measures have been taken to protect Personal Data and follows all data security policies and instructions specified by the Data Controller. The measures should ensure an appropriate level of security, taking into account:
      1. existing technical capabilities;
      2. cost of measures;
      3. specific risks associated with the processing of Personal Data; and
      4. processing of special category Personal Data.
    2. The Data Processor must ensure an adequate level of personal data security. The Data Processor protects Personal Data from destruction, alteration, unauthorized disclosure, or unauthorized access. Personal data is also protected from all other illegal Personal Data Processing methods. Considering the state of technological development, implementation costs, and the nature, scope, context, and purposes of Personal Data Processing, as well as the various likelihoods and severity of risks to the rights and freedoms of natural persons, the Data Processor implements appropriate technical and organizational measures to ensure risk-appropriate security, including, inter alia, where necessary:
      1. pseudonymization and encryption of Personal Data;
      2. the ability to ensure the continuous confidentiality, integrity, availability, and resilience of Personal Data Processing systems and services;
      3. the ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
      4. a regular process of testing, assessing, and evaluating the effectiveness of technical and organizational measures ensuring the security of Personal Data Processing.
    3. In implementing technical and organizational measures as specified in point 5.2, the Data Processor applies these or other appropriate technical and organizational security measures:
      1. physical access protection. Unattended premises of the Data Processor with computer equipment and personal information must be kept locked to protect Personal Data from unauthorized use, exposure, or theft;
      2. a data recovery process to restore Personal Data from backups;
      3. permission control, under which access to Personal Data is possible through a technical permission control system. Permissions are only valid for individuals who need Personal Data to perform direct job functions. Usernames and passwords must be private and cannot be passed on to other entities. There should also be procedures for assigning and revoking permissions;
      4. the ability to log access to Personal Data. Conditions must be created for a retrospective review of such logins in databases. The Data Processor must review the databases and report to the Data Controller;
      5. secure communication when external data transmission links are protected using technical functions ensuring access permission, as well as content encryption in transit on data transmission channels outside systems controlled by the Data Processor;
      6. processes to ensure secure destruction of Personal Data when fixed or changeable media are no longer used for their intended purpose;
      7. entering into confidentiality agreements with service providers who provide maintenance and care for the equipment used to store Personal Data;
      8. supervision of service providers in the premises of the Data Processor. Media containing Personal Data must be removed from the premises if maintenance is not possible.
    4. If the Data Processor becomes aware of any unauthorized access to Personal Data or another security incident (Data Security Breach), he must take all necessary actions and report it to the Data Controller without undue delay, if possible, and in any case no later than 24 hours after becoming aware of the breach. The notification should at least include:
      1. a description of the nature of the Personal Data breach, including, if possible, the categories of affected Persons and approximate number, as well as the categories of Personal Data records and approximate number;
      2. the name and surname (name) and contact details of the data protection officer or another contact person who can provide more information;
      3. descriptions of the likely consequences of the Personal Data breach for the Persons;
      4. descriptions of the measures taken or proposed by the Data Controller to address the Personal Data breach, including, where appropriate, measures to mitigate its possible negative effects.
    5. Without the prior written consent of the Data Controller, the Data Processor undertakes not to disclose the processed Personal Data to any third parties, except for other Data Processors involved as specified in this Agreement.
    6. The Data Processor must ensure that access to Personal Data is granted only to those employees for whom it is necessary due to the direct performance of their job functions under this Agreement. The Data Processor ensures that such employees adhere to confidentiality obligations to the same extent as the Data Processor under this Agreement.

DATA PROCESSING SPECIFICS

    1. When processing Personal Data provided by the Data Controller, the Data Processor processes them in accordance with these Data Processing specifics:

      Purposes of Data Processing: For acquainting with data protection documents by email, data storage

      Categories of Processed Personal Data: Contact data, identification data

      Categories of Data Subjects: Data Controller's employees, interns

      Processing Operations: Sending emails, data storage

      Duration of Storage: Until the account on the Website is deleted

      Security Measures: Employee data is protected by a password known only to the account manager.

      Other Data Processors: Email sending provider - sendgrid.com; Payment collection provider - paysera.lt; Stripe.

TERM

    1. This data processing agreement comes into effect from the moment of its acceptance and the acceptance of the Rules.
    2. The provisions of this Agreement apply as long as the Data Processor processes Personal Data on behalf of and in the interests of the Data Controller.
    3. The Agreement ends when the Data Controller deletes their account or does not log into their account for 2 (two) years, even if it is not deleted.
    4. Upon the termination of this Agreement, the Data Processor deletes or returns all Personal Data to the Data Controller and ensures that any other Data Processor has acted likewise.
    5. Upon request from the Data Controller, the Data Processor informs the Data Controller via email about the measures taken after the data processing completion.

APPLICABLE LAW AND DISPUTE RESOLUTION

    1. This Agreement is governed and interpreted according to the substantive law of the Republic of Lithuania.
    2. Any dispute or claim arising from this Agreement is settled through negotiations or in the courts of the Republic of Lithuania, according to the residence of the Data Controller.

COMPENSATION

    1. The Data Processor has no right to compensation while fulfilling the obligations set out in this Agreement.

LIABILITY

    1. In addition to compensation for a breach that may arise from non-compliance with this Agreement and/or other contracts, the Data Controller has the right to receive compensation from the Data Processor for all costs, taxes, and penalties according to the Applicable Data Protection Laws, if the Processing, done by the Data Processor or its appointed other Data Processors, resulted in damage.
    2. The Data Controller has the right to take measures necessary to check whether the Data Processor can fulfill its obligations under this Agreement and whether the Data Processor has actually taken measures to ensure such compliance. The Data Processor commits to provide all necessary information to the Data Controller proving adherence to the obligations set out in this Agreement, and allows for an audit, including on-site checks, conducted by the Data Controller or another auditor appointed by the Data Controller. If non-compliance with Data Protection regulations is found, which could have caused damage to the Data Controller, the costs of such an audit are borne by the Data Processor.

OTHER PROVISIONS

    1. If the Data Controller reasonably and prudently requires, the Data Processor must implement additional technical and organizational security measures or implement Processing changes without additional costs. The Data Processor is informed about any instructions from the Data Controller related to security and Personal Data Processing, clarified within a reasonable time, so the Data Processor can make the necessary procedure changes.
    2. The Data Processor cannot transfer the execution of this Agreement without the confirmation of the Data Controller.

NOTIFICATIONS

    1. All notifications from one party to the other are sent using the methods specified in the Rules.