I. Controller and its contacts
- The Controller of personal data processing regarding the seminar/event attendees; customers; website visitors, as well as candidates for vacancies who have submitted an application is SIA ”HORTIMED”, unified registration No. 40203047078, legal address: Elizabetes 2A – 2, Riga, LV-1010 (hereinafter referred to as the Company).
- Contact information of the Company in matters related to the processing of personal data, including reporting of possible data protection violations: firstname.lastname@example.org.
- Questions about the processing of personal data can be asked using this contact information or forwarding them to the legal address of the Company. A request for the exercise of rights can be submitted according to Clause 24.
II. General Provisions
- Personal data is any information referring to an identified or identifiable natural person.
5.1. natural persons – candidates (applicants);
5.2. visitors or seminars/events;
5.3. customers of the Company (including potential, former and current ones);
5.4. visitors to the websites maintained by the Company.
- The Company takes care of the Customers’ privacy and personal data protection, observes the Customers’ right to the lawfulness of personal data protection in accordance with the applicable laws and regulations – the Personal Data Protection Law, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the Regulation) and other applicable regulatory enactments regarding privacy and data processing.
III. Purpose of personal data processing
- The Company processes personal data for the following reasons:
8.1. Provision of services:
8.1.1. to identify the representative of the Customer (legal entity);
8.1.2. to prepare and to sign agreements;
8.1.3. to deliver services (fulfilment of contractual obligations);
8.1.4. to develop new services;
8.1.5. to review objections or claims;
8.1.6. for the administration of settlements;
8.1.7. for debt recovery;
8.1.8. to maintain websites and to improve their operation.
8.2. Business planning and analytics;
8.3. Customer safety, protection of company property;
8.4. To provide the organisation of the recruitment process and to safeguard its legal interests as far as it is related to the recruitment process:
8.4.1. to assess the candidate’s compliance with the requirements set by the Company for the specified vacancy;
8.4.2. to sign an agreement with the candidate, who meets the requirements of the Company;
8.4.3. to raise, to enforce and to defend the lawful claims of the Company.
8.5. For the legitimate purposes of the Company:
8.5.1. to conduct its business;
8.5.2. to verify the identity of the Customer (representative of the legal entity or authorised person, natural person) before purchasing services;
8.5.3/ to ensure the fulfilment of contractual obligations;
8.5.4. to save the Customer’s applications and submissions regarding the provision of services;
8.5.5. to segment the customer database for the more efficient provision of services;
8.5.6. to design and to develop services;
8.5.7. to send reports on the progress of the performance of the agreement and events relevant to the performance of the agreement, as well as to conduct Customer surveys about the services;
8.5.9. to prevent fraudulent activities against the Company;
8.5.10. to provide corporate governance, financial and business accounting and analytics;
8.5.11. to ensure efficient management processes of the Company;
8.5.12. to ensure and to improve the quality of services;
8.5.13. to administer payments;
8.5.14. to perform video surveillance for business security;
8.5.15. to inform the general public of its activities.
- The Company may process personal data of the candidates for recruitment purposes for a specific vacancy for which the candidate is applying or for future-orientated recruitment, if the candidate has consented to it.
IV. Legal grounds for personal data processing
- Legal grounds for the processing of personal data implemented by the Company for the following purposes of personal data processing:
10.1. Provision of services: Article 6 (1) Sub-Clause (b) (processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract); (c) (processing is necessary for compliance with a legal obligation to which the controller is subject); and (f) (processing is necessary for the purposes of the legitimate interests pursued by the controller) of the Regulation.
10.2. Business planning and analytics: Regulation Article 6 (1) Sub-Clause (f) (processing is necessary for the purposes of the legitimate interests pursued by the controller).
10.3. Customer safety, protection of company property: Regulation Article 6 (1) Sub-Clause (f) (processing is necessary for the purposes of the legitimate interests pursued by the controller).
10.4. For the provision of the recruitment process: Article 6 (1) Sub-Clause (a) (the data subject has given consent to the processing of his or her personal data for one or more specific purposes); (c) (processing is necessary for compliance with a legal obligation to which the controller is subject); and (f) (processing is necessary for the purposes of the legitimate interests pursued by the controller) of the Regulation; Section 33, 35, 38 of the Labour Law.
10.5. Legitimate interests of the company: General Data Protection Regulation Article 6 (1) Sub-Clause (f) (processing is necessary for the purposes of the legitimate interests pursued by the controller).
V. Personal data processing
- The Company processes Customer data using the capabilities of modern technologies, taking into account the existing privacy risks and the organisational, financial and technical resources that are available to the Company.
- The Company may apply automatic decision making in regard to the Customer. The Customer shall be separately notified of such actions by the Company in accordance with the applicable laws and regulations.
- Automated decision making that creates legal consequences for the Customer (for example, approving or rejecting the Customer’s application) can only take place by concluding or performing an agreement between the Company and the Customer or by unequivocal consent given by the Customer.
VI. Personal data protection
- The Company protects the Customer’s data using modern technologies, taking into account the existing privacy risks and the reasonably available organisational, financial and technical resources of the Company, including the following security measures:
14.2. Intrusion protection and detection programmes;
14.3. Other protection measures in accordance with the current possibilities of technical development.
VII. Categories of personal data recipients
- The Company shall not disclose any personal data of its Customers or any information obtained during the provision of services and during the term of the agreement to third parties, including information about the services received, except:
15.1. subject to the clear and unambiguous consent of the Customer;
15.2. to the persons provided for in the external regulatory enactments upon their justified request, in accordance with the procedures and to the extent as specified in the external regulatory enactments;
15.3. in the cases provided for by the external regulatory enactments, for the protection of the Company’s legal interests, for example, when filing claims to courts or other state institutions against the person who has violated the Company’s legal interests.
VIII. Transfer of personal data
- The Company shall not transfer personal data to third parties, except to the extent necessary for the reasonable conduct of business, ensuring that the relevant third parties observe the confidentiality of the personal data and ensure appropriate protection.
- The Company has the right to transfer Personal Data to the suppliers, subcontractors, strategic partners of the Company and other parties, who assist the Company in its business activities in order to implement the relevant cooperation. However, in such cases the Company will require these recipients to only use the received information for the purposes for which these data have been provided, and in accordance with the requirements of the applicable regulatory enactments.
IX. Access to personal data by third country entities
- The Company shall not transfer personal data to third countries (outside the European Union and the European Economic Area).
X. Duration of storage of personal data
- The Company stores and processes the Customer’s personal data for as long as at least one of the following criteria exists:
19.1. only as long as the agreement signed with the Customer is valid or the service is being provided to the Customer;
19.2. the data are required for the purpose for which they were collected;
19.3. until the Customer’s application is fully reviewed and/or executed;
19.4. while the Company or the Customer is able to implement their legitimate interests (for example, submit objections or bring an action in court) in accordance with the procedures specified in external regulatory enactments;
19.5. there is a legal obligation for the Company to store the data;
19.6. as long as the Customer’s consent to the processing of their data is still valid, unless there are other legal grounds for the processing of the data.
- After the circumstances referred to in Clause 19 cease to exist, the Customer’s personal data shall be deleted. Audit records are kept for at least one year from the date of their preparation.
- The Company shall store and process the personal data submitted by the applicant for 6 (six) calendar months after the end of the recruitment process or as long as the Customer’s consent to the processing of their data is still valid, unless there are other legal grounds for the processing of the data, and the data shall be deleted after this term.
XI. Access to personal data and other rights of the Customer
- The Customer may receive the information pertaining to the processing of the Customer’s personal data specified in the regulatory enactments.
- In accordance with regulatory enactments, the Customer also has the right to request access from the Company to his/her personal data, as well as to request the Company to supplement, correct or delete or restrict processing in relation to the Customer, or the right to object to processing (including against the processing of personal data implemented for the legitimate interests of the Company), as well as the right to data portability. This right is exercised insofar as the processing of data does not result from the obligations of the Company imposed by the applicable regulatory enactments and which are performed in the public interest.
- The Customer may submit a request for the exercise of his/her rights in the following way:
24.1. in written form at the Company’s office in Riga (address: Elizabetes street 2A-2, Riga, LV1010, Latvia) or using the postal service;
24.2. by e-mail, by signing the document with a secure electronic signature and by sending it to the e-mail address: email@example.com.
- Upon the receipt of the Customer’s request for the exercise of its rights, the Company verifies the identity of the Customer, evaluates the request, and executes it in accordance with the regulatory enactments.
- The Company sends a response to the Customer by post to the contact address provided by him/her in a registered letter or via e-mail with a secure electronic signature (if the application was submitted with a secure electronic signature), considering the type of response stated by the Customer.
- The Company ensures the fulfilment of data processing and protection requirements in accordance with the regulatory enactments, and in the case of the Customer’s objections, performs useful actions to resolve the objection. However, if this fails, the Customer has the right to apply to the Data State Inspectorate.
- The Customer has the right to receive one copy of its personal data processed by the Company free of charge.
- The receipt and/or use of the information referred to in Clause 28 of this document may be restricted to prevent adverse effects to the rights and freedoms of other persons (including the employees of the Company).
- The Company undertakes to ensure the accuracy of the personal data and relies on its customers, suppliers and other third parties, who transfer the personal data to ensure the completeness and accuracy of the transferred personal data.
XII. Customer’s consent to personal data processing, and the right to revoke it
- The Customer consents to the processing of personal data, the legal basis of which is consent (for example, to receive commercial communications, analysis of personal data, to receive loyalty cards) in writing in person at the office of the Company, on the website and mobile applications of the Company or another place, where marketing activities are organised.
- The Customer has the right to revoke the consent provided for data processing at any time in the same way as it has been provided and/or in accordance with the procedure specified in Clause 24. In such case, further processing based on the prior consent for the specific purpose no longer takes place.
- Revocation of consent does not affect the data processing that was carried out when the Customer’s approval was still in effect.
- Revocation of consent does not interrupt any data processing carried out on other legal grounds.
XIII. Commercial information
- The Company shall communicate commercial information about the services of the Company and/or third parties and other communication not related to the direct provision of the agreed services (e.g., customer surveys) in accordance with external regulatory enactments or in accordance with the Customer’s consent.
- The Customer consents to the receipt of commercial communications by the Company and/or its cooperation partners in writing in person at the office of the Company, on the website or mobile applications of the Company or at another place, where the Company organises marketing activities.
- The Customer’s consent to receive commercial communications shall be valid until revoked (also after termination of the service agreement). The Customer may revoke their consent to receiving any further commercial communications at any time in any of the following ways:
37.1. by sending an e-mail to: firstname.lastname@example.org;
37.2. by submitting a written application at the office of the Company;
37.3. by using the automated option provided in the commercial communication to unsubscribe from receiving further notifications by clicking on the link for unsubscribing at the end of the relevant commercial communication (e-mail).
- The Company ceases the sending of commercial communications, as soon as the Customer’s request is processed. The processing of the request depends on technological capabilities and may take up to 3 days.
- By expressing their opinion in surveys and providing their contact information (e-mail, telephone), the Customer agrees that the Company may contact them using the provided contact information regarding the assessment provided by the Customer.
XIV. Photo and video capturing
- Customers (seminar and event attendees) are informed that in some cases, when the work of the Company is covered in mass media or in the media of the Company (the website, Facebook, Twitter, LinkedIn accounts of the Company), photos and videos of the Company’s event visitors may be processed and the legal basis for the processing of such data is the protection of legitimate interests, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, outweigh such interests, and in particular if the data subject is a child.
- Prior to the relevant event, the Company shall inform the participants of the event about the planned processing of personal data in accordance with the requirements of Article 13 of the Regulation, including information on the processing of personal data in invitations and before entering the venue.
XV. Website visits and handling of cookies
- Cookies may be used on the website of the Company:
42.1. Cookies are files that websites store on the computers of the users to recognise the users and make it easier for them to use the site. Internet browsers may be configured to alert the visitor about the use of the cookies and to choose whether the visitor agrees to accept them. Not accepting the cookies will not prevent the Customer from using the website, but it may restrict the Customer’s ability to use the website;
XVI. Other provisions