1.2. The policy applies to the processing of personal data of natural persons regardless of the form and/or environment in which the natural person provides personal data (by entering the territory and/or premises, by telephone, orally, etc.) and regardless in which Controller's systems (video, web, etc.) they are processed.
2.1. The Controller of personal data processing is a limited liability company PRIEŽAVOTI (unified reg. No. 40003463887, legal address: Annas Sakses iela 18-2, Riga, LV-1014, phone: (+371) 675 43 397, e-mail address: , website) (in this Policy – the "Controller").
3. Applicable legislation
3.1. Regulation (EU) 2016/679 (27 April 2016) of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “Regulation").
3.2. Other applicable legislation in the field of processing and protection of personal data of natural persons including regulatory enactments governing information society services.
4. Purposes of processing personal data
4.1. The Controller processes personal data on the basis of these regulations as the responsible processor, mainly in order to prepare personalized offers to potential customers.
4.2. The Controller, as the responsible processor on the basis of a contract concluded with the data subject, processes the personal data necessary for the preparation of the contract to be concluded with the data subject, for the identification of the contracting party, for the performance of the contract and additional obligations arising from the contract (e.g., outsourcing – pressure impregnation of timber, delivery of orders by using services of carriers), for fulfilling legal obligations and settling legal issues and disputes. The following data is primarily processed within the framework of it: name, surname, personal identity number, address, phone number, email address of the customer and his/her representative.
4.3. The Controller as the responsible processor, in case of justified interest, processes personal data for the following purposes:
To maintain and analyse the customer base to improve the range of services and goods with the help of the results of the analysis in order to be able to offer the best and most personalized offers to customers;
● To deliver the Controller's advertising and information materials by e-mail (direct marketing).
The following data is primarily processed within the framework of it: name, surname, personal identity number or company data, address, phone number, e-mail address of the customer and his/her representative.
4.4. The Controller is constantly developing its offer of goods and services. In order to increase the quality of services offered to data subjects and to improve the experience, the Controller has the right to process other personal data in addition to those mentioned in these regulations. For the same reasons, the Controller may need to process the data for other purposes in addition to those specified in these regulations. If the need referred to in this clause arises, the Controller evaluates the lawfulness of the processing in question, ensures that the data subject is aware of the processing in question and the related rights in accordance with the requirements of the legislation. The Controller is constantly improving the Site to improve its using experience, so the Controller needs to know what information is important to visitors of the Site, how often they visit the Site, what devices and browsers they use, what region visitors come from and what content they like to read the most.
4.5. The Controller has implemented:
video surveillance to prevent or detect criminal offences in order to protect persons and property; to protect the legitimate interests of the Controller or a third party and to protect the vital interests of persons, including their life and health;
storing and registration of incoming and outgoing communication (e-mails, postal letters and other types) to ensure the protection of the legitimate interests of the Controller.
4.6. The purposes of processing of personal data mentioned in this policy are not to process special categories of data, such as data related to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or data related to health or sexual orientation.
4.7. When processing personal data for purposes other than those specified in this Policy, the Controller informs the data subject separately of the individual conditions of its processing, subject to the provisions of Article 13 of the Regulation. In this Policy, the controller has divided data processing in order to fulfil, in particular, the provisions of Article 14 of the Regulation, i.e., personal data is not intentionally obtained from the data subject.
5. What personal data does the Controller process?
5.1. In addition to the above, the categories of personal data processed by the Controller depend on the Controller's services used by natural persons. For example,
a) when the data subject visits the premises of the Siguldas kokmateriāli store or its territory where video surveillance is carried out, his/her video image and the time when he/she visited the premises may be processed. Video surveillance is not carried out in areas where data subjects expect increased privacy, toilets, break room, etc. The video surveillance recording areas are focused on the entrance and the exit of the Controller's territory;
b) by contacting the Controller in writing, the content and time of the communication may be stored, as well as the information about the communication tool used (e-mail address, phone number, address);
5.2. Cookies are small files that, each time a visitor visits the Site, are stored by the browser on the visitor's computer in the amount specified in the visitor's browser settings. Some cookies are used to select and tailor the information and advertisements offered to the visitor based on the content the visitor has viewed in the past, thus making the use of the Site simple, convenient and personalized for the visitors. More information about cookies, their deletion and management, can be found on the website.
6. Legal basis for personal data processing
6.1. Video surveillance to prevent or detect criminal offences in order to protect persons and property; to protect the legitimate interests of the Controller or a third party and to protect the vital interests of persons, including their life and health; video surveillance is carried out on the basis of Article 6(1)(d) and (f) of the Regulation, i.e.,
the processing of personal data is necessary to protect the vital interests of the data subject or another natural person (for example, in video surveillance, where the processing of personal data is necessary for the protection of the life and health of a person related to the prevention and/or detection of criminal offences);
to ensure the legitimate interests of the Controller and third parties (for example, to prevent or detect criminal offences related to the protection of property, to provide evidence, to ensure the highest standards of customer service quality).
6.2. Storing and registering of incoming and outgoing communication (e-mails, postal letters and other types) is carried out on the basis of Article 6(1)(c) and (f) of the Regulation:
in order to ensure the fulfilment of the obligations of the Controller specified in regulatory enactments, that is, to register correspondence in accordance with the Controller's classification and the requirements arising from the Archives Law;
in order to ensure that the legitimate interests of the Controller are respected (for example, to investigate cases where complaints have been received about the quality of customer service, as well as to provide evidence against possible claims).
6.3. The Controller carries out an analysis of the website, social network traffic history in order to conduct market research and analysis of the opinions of the data subjects on the basis of Article 6(1)(f) of the Regulation.
7. Period of personal data processing
7.1. The Controller takes into account the following circumstances when selecting criteria for storing personal data:
7.1.1. whether the term for storing of personal data is determined or arises from regulatory enactments of the Republic of Latvia and those of the European Union;
7.1.2. for what period of time the relevant personal data needs to be stored in order to ensure the realization and protection of the legitimate interests of the Controller or a third party;
7.1.3. until the consent of the person to the processing of personal data has been revoked and there is no other legal basis for the processing of data, for example, to fulfil the obligations binding on the Controller;
7.1.4. the Controller has to protect the vital interests of the Data Subject or another natural person, including their life and health;
7.1.5. video surveillance records to prevent or detect criminal offences related to the protection of persons and property, protection of the legitimate interests of the Controller or a third party and the protection of vital interests of persons, including their life and health, are kept for a period not exceeding 30 days unless a possibly unlawful action or action that may help the Controller or third parties ensure their legal interests is present in the video recording. In this case, the video in question can be retrieved and stored until the legal interest is ensured.
7.2. storing and registering of incoming and outgoing communication (e-mails, postal letters and other types) in order to ensure that the legitimate interests of the Controller are respected will be kept for a period not exceeding five years unless the communication in question shows a possibly unlawful action or an action that may help the Controller or third parties ensure their legal interests.
7.3. The Controller carries out an analysis of the visiting history in order to conduct market research and analyse opinions of the data subjects.
7.4. After the end of the storing period, personal data will be permanently deleted.
8. Availability and disclosure of information
8.1. The Controller is obliged to provide information on the processed personal data:
8.1.1. to law enforcement authorities, courts or other state and local government institutions if it arises from regulatory enactments and the relevant institutions have the right to the requested information and if it had to be specifically requested;
8.1.2. if the personal data has to be transferred to the relevant third party within the framework of the concluded contract in order to perform a function necessary for the performance of the contract (for example, impregnation of timber using outsourcing; using carrier services to ensure delivery of goods) or if it is necessary to improve the provision of services and the quality of services provided to the customer;
8.1.3. in accordance with a clear and unambiguous request by the Data Subject;
8.1.4. to protect the legitimate interests, for example, by bringing action in court or other state institutions against a person who has violated these legitimate interests of the Controller.
8.2. Recipients of personal data may be authorized employees of the Controller, Processors, law enforcement and supervisory authorities.
8.3. The Controller will provide personal data of natural persons only in the necessary and sufficient amount in accordance with the requirements of regulatory enactments and objective circumstances justified by the particular situation.
8.4. The personal data specified in this Policy is not intended to be sent to a third country (a country that is not a member state of the European Union or of the European Economic Area) except for data processed in electronic environment. In this case, the Processors chosen by the Controller (google.com (google analytics), facebook.com, linkedin.com, etc.) are recognized as companies operating outside the member states of the European Union and of the European Economic Area, so the Controller asks you to get acquainted with the privacy policies of these companies or ask the Controller separately for additional information on the terms of cooperation.
9. Informing the data subject about the processing of personal data
9.1. The data subject is informed about the processing specified in this Policy of personal data using a multi-level approach, which includes the following methods:
notices are placed at the video surveillance sites by which the Data Subjects (pedestrians, drivers, visitors, employees, etc.) are warned that video surveillance is carried out in the Controller's territory, providing basic information related to video surveillance, as well as informing about the way to receive more detailed information;
by visiting the website, the Data Subject can read the statement about what kind of cookies are used and is invited to read this Policy;
9.2. This Controller's Policy is publicly available on the Controller's website and at the Controller's retail store Siguldas kokmateriāli.
10. Data Subject rights
10.1 The Data Subject has the right to request access to his/her personal data from the Controller and to receive clarifying information on what personal data the Controller has about him/her, for what purposes the Controller processes this personal data, categories of recipients of personal data (persons to whom personal data has been disclosed or to whom it is intended to be disclosed if regulatory enactments in a particular case allow the Controller to provide such information (for example, the Controller may not provide the Data Subject with information on the relevant state institutions directing the criminal proceedings, persons performing investigative field work or other institutions about which the disclosure of such information is prohibited by regulatory enactments)), information on the period for which the personal data will be stored or the criteria used to determine that period.
10.2. If the Data Subject thinks that the information at the Controller's disposal is out of date, inaccurate or incorrect, the Data Subject has the right to request the correction of his/her personal data.
10.3. The Data Subject has the right to request that his or her personal data are deleted or to object to the processing if the person thinks that the personal data has been processed unlawfully or are no longer necessary for the purposes for which it was collected and/or processed (exercising the right "to be forgotten").
10.4. The Controller informs that the personal data of the Data Subject cannot be deleted if the processing of the personal data is necessary:
for the Controller to protect the vital interests of the Data Subject or another natural person, including their life and health;
to protect the Controller's property;
for the Controller or a third party to bring action, realize or defend legitimate (legal) interests;
for archiving purposes in accordance with regulatory enactments in force in Latvia that regulate archiving.
10.5. The Data Subject has the right to request that the Controller restricts the processing of the Data Subject's personal data if one of the following circumstances exists:
The Data Subject challenges the accuracy of the personal data – for the time during which the Controller can verify the accuracy of personal data;
The processing is unlawful and the Data Subject objects to deletion of personal data and instead requests a restriction on the use of the data;
The Controller no longer needs personal data for processing, but it is necessary for the Data Subject to bring action, realize or defend lawful claims;
The Data Subject has objected to the processing until it has been verified that the legitimate reasons of the Controller outweigh the legitimate reasons of the data subject.
10.6. If the processing of personal data of the Data Subject is restricted in accordance with clause 10.5, such personal data, with the exception of storing, is processed only with the consent of the Data Subject or in order to bring action, realize or defend lawful claims, or to protect the rights of another natural or legal person or important public interests.
10.7. Before removing the restriction on the processing of the personal data of the Data Subject, the Controller informs the Data Subject.
10.8. The Data Subject has the right to submit a complaint to the Data State Inspectorate if he/she thinks that the Controller has processed his/her personal data unlawfully.
10.9. The Data Subject may submit a request for exercising his or her rights in the following way:
in writing in person at the Controller's premises and presenting a personal identification document (for example, a passport or an ID card, etc.) because the Data Subject is obliged to identify himself/herself;
in the form of an e-mail and signing it with a secure electronic signature. In this case, it is presumed that the data subject has identified himself/herself by submitting a request signed with a secure electronic signature. At the same time, the Controller reserves the right to request additional information from the data subject in case of doubt if it considers it necessary;
via mail. In this case, the reply will be prepared and sent by a registered letter, thus ensuring that unauthorized persons will not be able to receive this mail. At the same time, the Controller reserves the right to request additional information from the data subject in case of doubt if it considers it necessary.
10.10. In addition, the Data Subject is obliged to specify as much as possible in his/her request the date, time, place and other circumstances that would help to carry out his/her request.
10.11. Upon receipt of a written request from the Data Subject on exercising his/her rights, the Controller:
10.11.1. verifies the identity of the person;
10.11.2. evaluates the request and:
if it is possible to carry out the request, such as viewing of a video material, then the Data Subject as the submitter of the request may receive a copy of the video material or other data;
if additional information is required to identify the Data Subject that requests information, the Controller may request additional information from the Data Subject in order to be able to correctly select the information (such as video surveillance or photographs) in which it is possible to identify the Data Subject;
the information has been deleted or the person that requests the information is not a Data Subject or the person cannot be identified, the Controller may reject the request in accordance with this Policy and/or regulatory enactments.
10.12. If the data subject has rejected processing of personal data, transfer of personal data or has requested a restriction of personal data processing or deletion of personal data, it may become impossible for the Controller to provide a service to the data subject in accordance with the agreement. In such a case, the Controller has the right to refuse to fulfil the obligations specified in the agreement and to provide the service and/or to unilaterally terminate the agreement concluded between the Controller and the data subject.
11. Personal data protection measures
11.1. The Controller ensures, continuously reviews and improves personal data protection measures to protect the personal data of natural persons against unauthorized access, accidental loss, disclosure or destruction. To ensure this, the Controller uses appropriate technical and organizational measures, including the use of firewalls, intrusion detection, analysis software and data encryption.
11.2. The Controller carefully verifies all service providers who process personal data of natural persons in the name and on behalf of the Controller, as well as evaluates whether cooperation partners (processors of personal data) use appropriate security measures to process personal data of natural persons in accordance with the Controller's authorization and requirements of regulatory enactments.
11.3. In case of a personal data security incident, if it poses possibly high risk to the data subject's rights and freedoms, the Controller will notify the Data Subject in question, if possible, or the information will be published on the Controller's website or in another possible way, such as using media (TV, social networks, etc.).