I. PERSONAL DATA PROCESSING POLICY
II. CONTROLLER AND ITS CONTACT INFORMATION
2. The personal data controller is the Company, legal address: Krišjāņa Barona iela 33a-3, Rīga, LV-1011, Latvija.
3. The contact information (email) of the Company on issues related to the processing of personal data, as well as for submitting data subjects' requests and messages regarding possible violations of data protection provisions: email@example.com.
III. GENERAL PROVISIONS
4. Personal data are any information relating to an identified or identifiable natural person.
5.1. natural persons – the customers of the Company (including potential, former and existing ones), their representatives, real estate owners and other related parties;
5.2. natural persons – the representatives of the Company's customers (legal entities), contacts;
5.3. visitors to the Company's premises, including those subject to video surveillance;
5.4. visitors of the websites maintained by the Company;
5.5. individuals whose personal data are being processed on social media platforms in connection with the events held by the Company.
6. The Company ensures the protection of customers' privacy and personal data and respects customers' right to lawful processing of personal data in accordance with the applicable legislative acts – Personal Data Processing Law, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (hereinafter referred to as the “Regulation”) and other applicable privacy and data processing legislation.
8. In processing personal data, the Company observes the following basic principles of data processing:
8.1. lawfulness and fairness;
8.3. purpose limitation;
8.4. adequacy (data minimisation);
8.6. storage limitation;
8.7. integrity and confidentiality;
IV. PURPOSES OF THE PERSONAL DATA PROCESSING
9. The Company processes personal data for the following purposes:
9.1. provision and sales of services;
9.2. identification of a customer;
9.3. preparation and signing of a contract;
9.4. fulfillment of contractual obligations;
9.5. development of new services;
9.6. commercial purposes – for advertising and distribution of the services;
9.7. provision of customer service;
9.8. consideration of objections or claims;
9.9. administration of payments;
9.10. recovery and collection of debts;
9.11. maintenance and functionality improvement of websites and mobile applications;
9.12. business planning and analysis;
9.13. customer safety, protection of the Company's property;
9.14. other specific purposes.
10. The Company may also process the data for other purposes compatible with the initial purpose, ensuring the applicable rights of the data subject.
V. LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA
11. The Company processes the customer's personal data based mainly on the following legal grounds:
11.1. conclusion and execution of a contract – to enter into a contract following the customer's application and to ensure the execution of a contract (a contract also means a verbal agreement to purchase a service);
11.2. execution of legislative acts – to fulfil an obligation specified in external laws and regulations binding on the Company;
11.3. consent of the data subject;
11.4. in legitimate interests – to pursue the legitimate interests of the Company arising out of existing obligations or a contract entered into by and between the Company and the customer, or other legitimate interests of the Company or third party.
12. The legitimate interests of the Company are:
12.1. conduct of business;
12.2. verification of the customer's identity prior to providing certain services;
12.3. fulfilment of contractual obligations;
12.4. retention of the customers' applications and submissions regarding the provision of services;
12.5. development and improvement of services;
12.6. advertising of its services via commercial communications;
12.7. other communications regarding execution of the contract, both on the progress and relevant events, and also the customer surveys on services and their experience of use;
12.8. prevention of the fraudulent activities against the Company;
12.9. ensuring the efficiency of the corporate governance, financial and business accounting and analysis;
12.10. ensuring the efficiency of the business management processes;
12.11. provision and improvement of the quality of services;
12.12. administration of payments;
12.13. application of video surveillance for the security of the business;
12.14. informing the public about the Company's activities;
12.15. other legitimate interests established by the Company.
VI. PERSONAL DATA PROTECTION
13. The Company protects customer data utilising the capabilities of modern technologies, considering the existing privacy risks and the organizational, financial and technical resources reasonably available to the Company, including the following security measures:
13.2. intrusion prevention and detection systems;
13.3. other protective measures in accordance with the possibilities provided by current technical developments.
14. Technological and organizational measures for information (including personal data) protection are established in internal regulations concerning information security and the use of information systems of the Company.
VII. CATEGORIES OF RECIPIENTS OF THE PERSONAL DATA
15. The Company does not disclose to third parties any customer's personal data or any information obtained during the provision of services and the validity period of the contract, inter alia, information regarding goods and services, except in accordance with the following principles:
15.1. by the customer's explicit and unambiguous consent;
15.2. by involving a personal data processor under the contract;
15.3. by the pursuit of the legitimate interests of the Company or third party (to whom the data will be transferred), ensuring proportionality to reconcile the rights and interests of the data subject, upon the substantiated request of the officials specified in the external legislative acts, in the manner and scope established by external legislative acts;
15.4. in cases stipulated by external laws and regulations, to protect the legitimate interests of the Company, e.g., when applying to a court or other state institutions against a person who has violated the legitimate interests of the Company.
VIII. TRANSFERS OF PERSONAL DATA
16. The Company does not transfer personal data to third parties, except to the extent that it is reasonably necessary for the conduct of business, ensuring that the relevant third parties maintain the confidentiality of personal data and provide appropriate protection.
17. The Company is entitled to transfer personal data to the Company's suppliers, subcontractors, strategic partners and other persons who help the Company and its customers in the conduct of business, in order to implement the relevant partnership. However, in such cases, the Company requires the recipients of the data to confirm their intention to use the information received only for the purposes for which the data was transferred, and in compliance with the applicable legislative requirements.
IX. GEOGRAPHIC TERRITORY OF PERSONAL DATA PROCESSING
18. The Company processes personal data in the European Union/European Economic Area (EU/EEA); however, in certain cases the data may be transferred and processed in non-EU/EEA countries.
19. The transfer and processing of personal data can be carried out outside the EU/EEA if there is a legal basis for that, namely, to fulfill a legal obligation, to conclude or execute a contract, or it is done with the data subject's consent, and necessary security measures have been taken. The latter may include, for example:
19.1. the concluded agreement, including standard contractual clauses issued by the European Commission or other regulations, a code of conduct, certification and other acts approved in accordance with the Regulation;
19.2. the recipient is located in a country outside the EU/EEA, but which, according to the decision of the European Commission, has ensured the necessary level of security for data protection.
X. RETENTION TIME FOR PERSONAL DATA
20. The Company determines the retention time for personal data, considering the following criteria:
20.1. personal data are retained at least for as long as it is necessary to achieve the purpose of their processing;
20.2. personal data are retained at least for the retention time periods specified by legislative acts;
20.3. personal data are retained at least for as long as a person can raise a claim and/or initiate legal proceedings against the Company, in order to ensure the retention of the proof.
21. After the aforementioned conditions cease to exist, the Company deletes or anonymizes the customer's personal data.
XI. RIGHTS OF THE DATA SUBJECT
22. The customer has the right to receive the information related to the processing of his data in accordance with the provisions stipulated in legislative acts.
23. In accordance with the legislative acts, the customer has the right to request from the Company access to and modification, rectification or erasure of his personal data, or restriction of processing concerning the customer, to object to processing (including personal data processing carried out on the basis of legitimate interests of the Company), and also has the right to data portability. These rights shall be exercised in compliance with the restrictions specified by legislative acts.
24. The customer can submit a request for the exercise of his rights in the following ways:
24.1. in writing – at the address of the Company's office: K. Barona iela 33a - 3, Riga, LV-1011, Latvia or by postal delivery;
24.2. electronically – by sending a document signed with a secure electronic signature to the email address: firstname.lastname@example.org.
25. Upon receipt of the customer's request regarding the exercise of his rights, the Company verifies the customer's identity, evaluates and fulfills the request in accordance with legislative acts.
26. The Company issues a response to the customer in a reliable manner that ensures the customer's identity verification.
27. The amount of information provided to the data subject may be limited in order to prevent adverse impact on the rights and freedoms of other persons (including employees of the Company, other data subjects).
28. The Company undertakes to ensure the accuracy of personal data and relies on its customers, suppliers and other third parties who transfer personal data to ensure the completeness and accuracy of the transferred personal data.
XII. CUSTOMER'S CONSENT TO DATA PROCESSING AND WITHDRAWAL RIGHT
29. The customer has the right to withdraw his consent to the processing of data at any time in the same manner as it was given and/or by submitting a separate application. In this case, the further processing of data, which is based on the previously given consent for a particular purpose, will not be carried out.
30. Withdrawal of consent does not affect the data processing carried out at the time when the customer's consent was valid.
31. The data processing that the Company carries out on other legal grounds will remain unaffected by withdrawal of consent.
32. The use of photographs of students in information booklets, on the website, public use of such photographs in the premises of the Company or in any other manner is permitted after the student's representative has been informed in accordance with Article 13 of the Regulation and no objection has been received against the use of photographs for the specified purpose.
XIII. COMMERCIAL COMMUNICATIONS
33. The Company carries out commercial communication regarding the Company's and/or third party services and other communications not related to the provision of directly contracted services (e.g. customer surveys) in accordance with external legislative acts or with the customer's consent.
34. The Company may carry out communications, including commercial communications, also by using automatic calling equipment or electronic messaging systems.
35. The customer gives consent to receive commercial communications from the Company and/or its partners in person – in writing at the address of the Company's office, remotely – on the Company's website and in mobile applications, or in another place where the Company holds marketing events.
36. The consent given by the customer to receive commercial communications remains valid until the consent is withdrawn (also after the termination of the service contract). The customer may at any time refuse to receive further commercial communications in any of the following ways:
36.1. by sending an email to email@example.com;
36.2. by calling the Company's Customer service at +371 22832709;
36.3. by submitting a written application to the Company;
36.4. by using the automatic option provided in the commercial communication to unsubscribe from further communications by clicking on the Unsubscribe link at the bottom of the relevant commercial communication (email).
37. The Company stops sending commercial communication as soon as the customer's request is processed.
38. The customer agrees that the Company can communicate with him using the contact information (email address, telephone number) the customer provided when participating in the surveys, regarding the customer's assessment of the service quality provided.
XIV. WEBSITE TRAFFIC AND PROCESSING OF COOKIES
41. The Company's website may contain links to websites of third parties (partners of the Company), which establish their own regulations regarding the processing and protection of personal data; the Company bears no responsibility for the completeness and accuracy of such regulations.
XV. FINAL PROVISIONS