Last updated on January 18, 2022
The Regulation means REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Principles of Personal data Processing and Protection shall be observed in all processes of Data Processing, including when servicing existing and potential customers, recruiting new employees and managing information about existing employees, entering into cooperation agreements, initiating new processes and introducing new services, improving data processing technologies, transferring documents for archiving, destroying documents after expiration of storage period.
Personal data is a term defined by the Regulation concerning all types of information that can help to identify Private person using this information or using this information together with other information in Company’s possession (or together with the data Company has access to).
The following Personal data may be processed by Company: Name, Surname, contact information, tax residence, citizenship; information necessary for the contract preparation and conclusion, the provision of services (fulfillment of contractual obligations), customer servicing, and personnel needs, information about users of the Website (cookies, IP address).
Company requests and processes Personal data only when there is a certain purpose and legal basis for the processing.
Personal data can be obtained by Company in various ways, for example, when: (i) conducting a potential customer identification; (ii) entering into contractual relations with Private person and performing contractual obligations; (iii) receiving a letter or e-mail message from a Private person; (iv) Website is being used by a Private Person; (v) using information about Private person from Internet resources, requesting information about Private person from various registers, and from other publicly available sources; (vi) reviewing applications in response to job advertisements, when recruiting new employees;
Excluding cases in which we receive your confirmation for the use of your Personal data for other purposes, or when Personal data processing will be necessary in order to protect the Company’s legitimate rights (based on paragraphs a) and f) of the first section of article 6 of the Regulation).
Legal basis for processing of Personal Data
We comply with the principles established by the Regulation namely, personal data:
- Are processed legally, honestly and “transparently“ by us;
- are collected for certain, explicit and legitimate purposes and are not processed further in a way that is incompatible with these purposes (“purposes limitation“);
- Are adequate, appropriate and limited to what is necessary for the purposes for which they are processed (“data minimization“);
- Are accurate and, if necessary, updated; every reasonable step should be taken to ensure that personal data which were inaccurate, taking into account the purposes for which they were processed, were erased or corrected without delay (“accuracy“);
- Are stored in a form that allows identification of users no longer than it is necessary for the purposes for which personal data are processed; (“limitation of storage“);
- Are processed in a way that provides proper protection of personal data, including protection from unauthorized or illegal processing, as well as from accidental loss, destruction or damage using appropriate technical or organizational measures (“integrity and confidentiality“).
The legal basis for processing of Personal data may be the following:
- Provision of services, establishment and performance of contractual obligations (Company processes the data for the conclusion and performance of the contract. Examples of data processing in terms of this legal basis: Company requests all necessary information for the conclusion of the contract (legal basis also applies if the contract is not concluded for some reason); Company transfers information to banks in order to ensure payment execution). Processing of Personal data shall be carried out on the basis of law and contract (transaction).
- Compliance with the legal obligation (the relevant activity is governed by the provisions of applicable regulatory enactments of the EU or Latvia).
- Compliance with public interest or exercise of official authority (the relevant activity is governed by the provisions of applicable regulatory enactments of the EU or Latvia).
- Protection of the vital interests of Private person or a third party (data processing is carried out, for example, with the purpose to protect life or health of Private person).
- The legitimate interests of Company (for the purpose of implementing the lawful (legitimate) interests of Company arising from the existing obligations or from the concluded contract, or from the law: (i) to engage in commercial activities; (ii) to ensure fulfilment of the contractual liabilities; (iii) to maintain applications and submissions regarding the provision of services, other applications and submissions, comments regarding the same, including those made verbally and at Website; (iv) to develop and improve services; (v) to advertise products and services; (vi) to send reports regarding the progress of the contract performance and relevant events for the contract performance; (vii) to ensure and improve the quality of services; (viii) to administer payments; (ix) to administer outstanding payments; (x) to apply to the state administration authorities, to the bodies performing operational activities, and to the courts for protection of its legal interests; (xi) to inform the public regarding their activities.
- The consent of a Private person (the consent of Private person is used as a legal basis, for example, for marketing purposes. Private person has a free choice to give its consent to data processing or not. Private person has the right to withdraw this consent at any time).
Personal Data Recipients
Company does not request from Private person and does not process more information than is necessary to achieve the certain purpose, thus observing the so-called principle of data minimization. The amount of Personal data required for a number of purposes is determined by the regulatory enactments of Latvian Republic. In other cases, Company itself estimates what information should be requested from Private person in order to be able to achieve the purpose (for example, to provide the certain service), while observing the principle of data minimization.
Company ensures that access to Personal data is restricted to those employees who need it for the performance of their duties.
To minimize the risk of a Personal data breach, Company monitors personal data processing activities, records every incident effecting data protection and takes measures to prevent any further data breaches. Company carries out training of its employees, improves Information Systems and documents circulation procedures.
We may from time to time involve third parties for the processing of Personal data for the purposes indicated above, provided that such processing will be governed by contractual arrangements in the form prescribed by law. Personal data may also be disclosed to the appropriate governmental, regulatory or executive body in case it is prescribed or permitted by law.
Duration of Personal Data Storage
Personal data is processed for no longer than is necessary to achieve the certain purpose.
The durations of Personal data storage are established taking into account the purpose of Personal data processing and its legal basis, and as long as at least one of these criteria exists:
- The consent of the Private person to the Private data processing is in force;
- The Controller needs to fulfill its contractual obligations;
- The Controller has a legal responsibility to keep the data;
- The Controller needs to realize its legitimate interests.
You Have the Rights to:
Private person has the following rights regarding the processing of his or her information:
- To receive information on the type, purpose and legal basis of their data processing;
- To access their data and obtain approval for their data processing. Upon receipt of Private person request for information on Personal data processing, Company may request Private person to specify in more detail to which information and to which data processing activities the request relates;
- To rectify their data if it is incorrect or inaccurate;
- To erase their data or “right to be forgotten“, for example, if the data is no longer necessary in relation to the purposes for which it was collected or if Private person has withdrawn his/her consent on which the processing is based;
- Restrict data processing, for example, the accuracy of the Personal data is contested by Private person, Private person no longer needs the Personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defense of legal claims, etc.;
- To object to processing of data (on grounds relating to Private person’s particular situation) if processing is based on Company’s legitimate interests or public interest. The right to object cannot be realized if the legal basis for processing is the consent of Private person, the establishment and performance of contractual relations, fulfilment of a legal obligation, protection of vital interests of the data subject or third parties;
- Right to data portability or transfer in order to store or to enable the reuse of data, for example, by transferring to another service provider. The right cannot be realized for absolutely all information.
- File a complaint to the supervising authority about a possible violation of the Regulation.
Company shall examine Private persons’ requests without undue delay and, in any case, inform Private person about the actions performed within a month. Company may extend the period of examination of the claims for another two months on a reasonable basis (for example, large number of requests or complexity of requests).
Profiling is automatic Personal data processing of any kind. The Controller does not engage in this practice.