1. Description and Document Purpose 
Privacy Policy applies to the visitors of the website www.quadigi.com, candidates/trainees participating in Quadigi selections for jobs/internships, persons applying to the Quadigi, Quadigi’s representatives of partners, service providers, suppliers and others. 

1.1 Terms and Definitions
Data Controller
The data controller determines the purposes for which and how personal data is processed. In this case, the data controller is Quadigi (company code 306067069, address Ukmerges st. 322-1, LT-12106 Vilnius, Republic of Lithuania, tel. No. + 370 5 2330974, e-mail: info@Quadigi.com, also referred to as the "Company"). 

Data Subject
A natural person whose personal data is processed by the Company. 

Personal data 
Any information about a natural person whose identity has been established or whose identity can be established (for example, name and surname, identification number, location data and internet identifier or one or more of that natural person's physical, physiological, genetic, mental, economic, cultural or social identities symptoms). A natural person whose personal data is processed by the Company. 

Data processing 
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 

DPO 
Data Protection Officer. 

1.3 RESPONSIBILITIES
DPO is responsible for:  
• Ensuring processing of personal data is compliant with GDPR and internal data protection policies. 
‍
Company employees who are responsible for collecting, processing, destroying, storing personal data in the Company and/or accessing personal data in the course of their duties are responsible for: 
• Complying with GDPR and implemented requirements described in internal data protection policies. 

1.4 Related Documents 
‍GP-2 Data Classification, DP-1 Data Protection Policy, DP-2 Data Protection Incidents Policy  

2. PROCESS DESCRIPTION
‍
2.1 General information
‍Quadigi collects and processes personal data for the purposes set out in this Privacy Policy, on the basis of consent given by the data subject, in accordance with an agreement with the data subject, to comply with legal obligations, or where necessary for the purposes of legitimate interests pursued by the Company. 

2.2. Whose Personal Data Quadigi Collects? 
‍Quadigi collects personal data of: 
‍
• Employees (current and former). 
• Individuals who work with us (partners/external service providers). 
• Individuals who made inquiries to us. 
• Candidates/trainees for the job/traineeship. 
• Visitors of Company’s premises. 

2.3. How does Quadigi Receive Personal Data?  
‍Quadigi collects personal data, which data subject provides when: 
‍
• Concludes employment/service provision/joint activity/other agreements. 
• Provides through website. 
• Sends by e-mail or other communication channels.  
• Applies for vacancies through recruitment applications (jobs or internships).  
• Visits Company on site. 
• Or data is received from third parties. 

2.4. What Personal Data is Processed and for What Purpose?   
‍Employee personal data is processed for HR administration, payroll, legal compliance, performance management, workplace safety, and fulfilling employment obligations. More details are described in other internal data protection procedures.

The following personal data of partners/external service providers are processed for contract management, communication, invoicing, compliance checks, and maintaining business relationships: 
‍
• Name, surname, position, telephone number, e-mail address, bank account number, and data of the legal entity. 

It should be noted that Quadigi deletes redundant personal data provided by data subjects that are not necessary for making a request and receiving a response. The following personal data of candidates and trainees are processed to select new staff/trainees: 
‍
• Name, surname, CV, tel. no., e-mail, certificates, diploma, qualifications, work experience (previous jobs). 

To ensure the security of the Company’s assets and information security Company processes personal data, including video recordings collected by video surveillance (CCTV) (more details in DP-7 Video surveillance policy) and visitor data such as name, surname and visiting time, based on the Company’s legitimate interest. 

2.5. Legal Basis for Processing    
‍Legal basis for processing: 
‍
• Contract (service provision/joint activities). 
• Legitimate interest - to respond to your inquiries, provide the information you are asking us for, the rights to protect Company’s assets etc. 
• Fulfilment of obligations established by legal acts (fulfilment of the requirements of health care legal acts, accounting, archiving, etc.). 
• Consent (e.g. for the processing of personal data, participation in the selection of staff/trainees etc.). 

2.6. How does Quadigi Process Data on Social Media Sites?    
‍In addition to its website content, Quadigi also has an online presence within LinkedIn platform. LinkedIn Ireland Unlimited Company is generally the controller of personal data when data subject visits Quadigi LinkedIn company page. However, if data subject interacts with Quadigi’s LinkedIn page, LinkedIn evaluates these interactions to provide Company with statistics in anonymized form (so-called "page insights"). This concerns in particular interactions with followers, visitors, employees, and competitors. In particular, information such as job function, country, industry, seniority, company size, and employment status is evaluated. Quadigi receives the page insights only in anonymized form. It is not possible to conclude individual users from the information in the page insights. Further information on analysis data can be found here: LinkedIn Page analytics | LinkedIn Help 

The processing of personal data on Company’s site for the creation of page insights is carried out by Quadigi and LinkedIn as joint controllers. For users from the European Union, the legal basis for the processing of personal data is Company’s legitimate interest in the evaluation and the improvement of Company’s LinkedIn page based on the following Art. 6 (1) (f) GDPR. Data protection obligations between Quadigi and LinkedIn can be accessed at Page Insights Joint Controller Addendum 

2.7. Disclosure of Data     
‍Quadigi may disclose the information about data subject to employees or service providers if it is justifiable for the purposes defined in this Policy. In certain circumstances, Quadigi may be required to transfer personal data when: 
‍
a) must disclose information as required by the law, including when it is required to disclose personal data to a tax administrator and law enforcement authorities for crime prevention and detection. 
‍
b) must disclose personal data in connection with legal proceedings or to obtain legal advice, or such disclosure is necessary to establish, enforce, or defend our rights. 
‍
c) the information must be disclosed to protect the Company’s interests or the interests of others (for example, to prevent fraud). 
‍
d) the information must be disclosed to a third party that provides administrative or data processing services on the Company’s behalf. In such circumstances, Quadigi undertakes to take measures to ensure that third parties store personal data in the same way as Quadigi protects them and to notify the data subject of any changes to this Policy. 
‍
e) the information must be disclosed to a potential purchaser of the Company’s assets or organization. If personal data is transferred to a third country and/or international organization, Quadigi will inform the data subjects in advance with the right to agree/disagree and ensure that the data is transferred by the requirements of the applicable legal acts. 

2.8. Data Transferred to Countries Outside the EU or the EEA 
‍Processing of personal data by Quadigi takes place within the EU or the European Economic Area, However, sometimes it is necessary for the Company to transfer information to recipients in so-called "third countries". "Third countries" are countries outside the European Union or the Agreement on the European Economic Area in which it cannot be assumed without further ado that the level of data protection is comparable to that in the European Union. If the information transferred also includes personal data, Company will ensure before such transfer that the required adequate level of data protection is guaranteed in the respective third country or at the recipient in the third country. This may result in particular from a so-called "adequacy decision" of the European Commission, which establishes an adequate level of data protection for a specific third country as a whole. Alternatively, Company may also base the data transfer on the so-called EU standard contractual clauses agreed with a recipient or on a declaration of consent provided by data subject accordingly. 

Quadigi will be happy to provide data subject with further information on the appropriate and adequate safeguards for compliance with an adequate level of data protection upon request. Information on the so-called EU standard contractual clauses Standard Contractual Clauses (SCC) - European Commission and information on the adequacy decisions at Data protection adequacy for non-EU countries

2.9. Security of Personal Data 
‍Personal data processed by the General Data Protection Regulation, the Law on Legal Protection of Personal Data of the Republic of Lithuania, and other statutory requirements. When processing personal data, Quadigi implements organizational and technical measures that ensure the protection of personal data against accidental or unlawful destruction, alteration, disclosure, or any other illegal processing. These measures include, where appropriate, access control, data encryption, confidentiality obligations and regular review of security practices. 

2.10. Data Subject’s Rights  
‍This section contains information about the rights of data subjects in relation to the processing of personal data by Quadigi and how these rights may be exercised. If a data subject wishes to obtain more information about their rights or how to exercise them, they may contact Quadigi at: dataprivacy@quadigi.com.
‍
Quadigi shall provide information on actions taken in response to a request to exercise data subject rights without undue delay and in any event within one (1) month of receipt of the request. 
‍
Depending on the complexity and number of requests, this period may be extended by a further two (2) months. Quadigi may refuse to act on a request only in cases permitted by applicable law. 

2.10.1 Right to Withdraw Consent   
‍Where the data subject has provided consent to the processing of personal data, they have the right to withdraw such consent at any time by contacting Quadigi at: dataprivacy@quadigi.com

2.10.2 Right of Access to Personal Data   
‍The data subject has the right to obtain confirmation as to whether Quadigi processes their personal data and, where that is the case, to access such data. To exercise this right, the data subject may submit a request to: dataprivacy@quadigi.com

2.10.3 Right to Request Further Information    
‍Quadigi strives to provide clear and comprehensive information about the processing of personal data and will update this Privacy Policy as necessary. If the data subject has any questions regarding the processing of their personal data or requires additional information, they may contact Quadigi at: dataprivacy@quadigi.com

2.10.4 Additional Rights 
‍The data subject also has the following rights:

(a) To request the rectification of inaccurate personal data. Quadigi may request verification of the corrected data.
(b) To request the erasure of personal data. Quadigi will comply with such a request where:
• the personal data is no longer necessary for the purposes for which it was collected;
• the processing is unlawful; the personal data is not required for the establishment, exercise or defense of legal claims.
(c) To request restriction of processing of personal data:
• while the accuracy of the data is being verified; 
• where processing is unlawful but the data subject does not request erasure; 
• where Quadigi no longer needs the data but it is required by the data subject for legal claims; 
• while assessing whether Quadigi’s legitimate interests override the data subject’s rights. 
(d) To receive personal data provided to Quadigi and transmit it to another data controller (data portability).
(e) To object to the processing of personal data: 
• where processing is based on legitimate interests and such interests are overridden by the data subject’s rights; 
• where personal data is used for direct marketing purposes, in which case such data will no longer be used for that purpose. 

2.11 Data Retention Period  
‍Personal data is retained only for as long as necessary for the purposes for which it was collected, or as required by applicable law. More detailed retention periods are defined in internal data deletion documentation. 

2.12 Complaints 
‍Quadigi takes the protection of personal data seriously and applies strict standards to the collection and use of personal data. Therefore, any complaints regarding the processing of personal data are handled with due care and attention. 

If the data subject believes that his/her rights are and/or may be violated, he/she should contact Quadigi immediately by email: dataprivacy@quadigi.com. Quadigi ensures that once the Company receives a complaint, Quadigi will contact you within a reasonable timeframe and inform of the progress of the complaint investigation and then about its findings. 

When the data subject contacts Quadigi to make a complaint, the Company only uses personal data to investigate and respond to complaints and to assess the quality of the services provided. Upon receiving a complaint against a member of the Company’s team, Quadigi may need to disclose the identity of that person. The data subject can indicate that he/she does not want personally identifiable information to be disclosed and Quadigi will endeavour to comply with the request. 

However, dealing with a complaint anonymously may not always be possible. 

If the data subject finds the results of the investigation not satisfactory, he/she can submit a complaint directly to the State Data Protection Inspectorate. The data subject also has the right to lodge a complaint with the supervisory authority in the Member State in which he/she has habitual residence, place of work or the place where the alleged infringement was committed. 

3.13 Responsibility
‍The data subject is responsible for the confidentiality of personal data, as well as the accuracy, correctness, and comprehensiveness of the data provided to Quadigi. If the data provided changes, the data subject must immediately notify Quadigi by email. Quadigi will not be liable, in any event, for any damages caused to the data subject by the fact that he/she has indicated incorrect or incomplete personal data or has not informed Quadigi of any changes.