LIMITED LIABILITY COMPANY CLT PROFI PRIVACY POLICY
Purpose and Scope of the Privacy Policy
Privacy Policy (hereinafter the Policy) describes and provides information to the identifiable individuals (hereinafter the Data Subject) on how Limited Liability Company CLT Profi (hereinafter the Controller) processes personal data of the Data Subject if the Data Subject has applied to become an employee of Limited Liability Company CLT Profi, wishes to receive services or purchase goods by concluding an agreement, attend events organised by the Controller or its cooperation partners, has or plans to visit the Controller’s premises and adjacent area, contact the Controller by using the specified telephone numbers or other communication channels (e-mail, mail), has submitted a complaint or proposal, as well as visit social networks administered by the Controller.
In this Policy, the Controller has described the measures that ensure the protection of interests and freedoms of the Data Subject by simultaneously ensuring that the data are processed in good faith, legally and in a manner transparent for the Data Subject.
The Policy applies to the processing of personal data, regardless of the form and/or the environment in which the individual provides personal data (by entering the territory and/or premises, by telephone, verbally, etc.) and in which systems of the Controller (video, audio, web, etc.) they are processed.
If this Policy is updated, the amendments to this Policy shall take effect on the date specified in the Notices of Changes to this Policy. In order to ensure transparent and honest data processing, the current version of the Policy will be posted on the Controller’s website www.cltprofi.com, under the Privacy Policy section and the Controller’s office at the office administrator.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter the Regulation).
Personal Data Processing Law.
Other laws and regulations applicable in the area of personal data processing and protection.
Purposes of personal data processing
In conducting business, the Controller has set a number of purposes of personal data processing, presented separately herebelow:
With the purpose of providing the Controller’s recruitment processes and legitimate interests; What personal data are processed by the Controller Categories of personal data that are processed by the Controller depend on the personal data submitted by the Data Subject to the Controller. For example, all information contained in the Data Subject’s CV, such as: name, surname, birth data, address of residence, previous work experience and education/training, language knowledge and usage, additional knowledge/skills, interests/hobbies, phone number, e-mail address, photograph or other information identifying the Data Subject, as well as information obtained from previous workplaces that have provided feedback on the Data Subject if the Data Subject has explicitly authorised contact with relevant previous employers. In case the Data Subject is summoned for a job interview, the information provided during the job interview, the completed tests and other tasks shall be considered as personal data of the Data Subject. What is the legal basis for personal data processing? Data processing in order to ensure recruitment of staff is carried out based on Article 6, paragraph 1, subparagraphs a) and f) of the Regulation, i.e.: a) The Controller is entitled to process personal data if the Data Subject himself or herself has provided consent to his or her personal data processing for one or several purposes. The consent of the Data Subject is his or her free will and an independent decision which is provided voluntarily, thus allowing the Controller to process personal data for the purposes set forth in this Policy. Consent of the Data Subject shall be binding if it is provided verbally (for example, before the CV is submitted and the Data Subject is provided with information in this Policy that the personal data processing will be carried out when submitting the CV), and the Data Subject agrees to the use of his or her personal data for the achievement of the objectives provided for in this Policy. The Data Subject has the right to revoke his or her consent given previously at any time by using the contact information indicated in this Policy. Revocation of consent does not affect the lawfulness of such data processing that was carried out while the consent of the person was effective. By revoking consent, data processing which is carried out on the basis of other legal grounds, for example, on the basis of legitimate interests of the Controller and third parties, cannot be discontinued. b) upon receiving your CV and/or application, the Controller shall have a legitimate interest in processing your CV and/or application by assessing the information provided, organising the interview procedure and collecting evidence to reflect the legal basis for the relevant recruitment process. In case of dispute, the information obtained during the recruitment process may be used to reflect the legal basis for the relevant recruitment process (for example, to investigate cases of complaints about the recruitment process and to provide evidence for complaints and claims). What is the duration for personal data processing? When selecting criteria for the storage of personal data, the Controller shall take into account the conditions specified below: a) whether the time period for personal data storage is determined or arising from the laws and regulations of the Republic of Latvia and the European Union; b) how long it is needed to store personal data in order to ensure the implementation and protection of legitimate interests of the Controller or the third party; c) until the consent of the Data Subject to process personal data is withdrawn and there is no other legal basis for data processing, for example, to comply with the obligations binding upon the Controller; d) it is necessary for the Controller to protect the essentially important interests of the Data Subject or other individual, including the life and health thereof.
All information obtained from the Data Subject applying for vacancies and/or providing additional information, for example, during the interview, shall be fully or partially stored in the Controller’s database for a maximum of six months in order to ensure the legitimate interests of the Controller. With respect to the data minimising principle, the Controller undertakes to delete the relevant information upon achieving the legitimate interest. If the Controller receives complaints about the respective recruitment process, all information processed within the scope of the recruitment process shall be retained until the complaint is reviewed and the final court judgement becomes effective and enforced. After expiry of the storage period personal data will be permanently deleted. Who can access the information and to whom is it disclosed? Personal data recipients may be employees authorised by the Controller, Processors, law enforcement and supervisory authorities. a) The Controller has a duty to provide information on the personal data processed to law enforcement institutions, the court, state and local government institutions if it arises from laws and regulations and the institutions concerned are entitled to the information request; b) if personal data should be transferred to the third party concerned under a concluded agreement in order to perform a function necessary for the performance of the agreement (e.g. staff interviews conducted by recruitment companies; for the implementation of legitimate interests of the Controller); c) according to a clear and unambiguous request of the Data Subject; d) to protect legitimate interests, such as when going to court, to state or local government institutions against a person that has violated such legitimate interests of the Controller. With the purpose of providing accurate services, fulfilment of contractual obligations and ensuring the legitimate interests of the Controller; What personal data are processed by the Controller Categories of personal data that are processed by the Controller depend on the services of the Controller used by the Data Subject. For example, upon the Data Subject receiving or expressing the desire to receive the services of the Controller, to purchase services from the Controller according to the legal requirements and the legitimate interests of the Controller, the Controller has the duty and the right to process information identifying the Data Subject and information certifying identity of the Data Subject. For example, if you return an item or make a complaint about its quality, the Controller shall review your complaint, for which the Controller needs to identify the complainant or the person for whom to prepare a reply. In this case, in order to achieve the goal of service provision, the Controller can process the amount of personal data, which includes the name, surname, personal identification number and contact information, and information on the received and receivable services, and range of products, etc.; information is documented and stored in the Controller’s data processing systems. Upon the Data Subject receiving services or purchasing goods, personal data are processed in accordance with the agreement entered into by and between the Parties. What is the legal basis for personal data processing Data processing in order to ensure the provision of services or sell goods is carried out based on Article 6, paragraph 1, subparagraphs b), c) and f) of the Regulation, i.e. processing is necessary for the performance of the agreement that the Data Subject is a party of or in order to take measures at the request of the Data Subject prior to entering into the agreement; processing is necessary for compliance with the legal obligation applicable to the Controller. As well as, in some cases, in order to ensure the legitimate interests of the Controller and third parties (for example, to investigate cases where complaints about the quality of service or goods sold have been received, to carry out follow-up controls in order to improve service provision as well as to ensure evidence against possible claims). What is the duration for personal data processing? When selecting criteria for the storage of personal data, the Controller shall take into account the conditions specified below: a) whether the time period for personal data storage is determined or arising from the laws and regulations of the Republic of Latvia and the European Union; b) how long it is needed to store personal data in order to ensure the implementation and protection of legitimate interests of the Controller or the third party; c) until the consent of the Data Subject to process personal data is withdrawn and there is no other legal basis for data processing, for example, to comply with the obligations binding upon the Controller; d) it is necessary for the Controller to protect the essentially important interests of the Data Subject or other individual, including the life and health thereof. Upon providing services or selling goods, the Controller complies with the special laws and regulations governing its obligation to retain certain data, for example, the Law on Accounting establishes the obligation to keep records of transactions for a period of five years; subject to the above, the Controller shall observe the periods specified in the regulatory enactments. Upon providing services or selling goods that have a defined claim submission deadline, information on the aspects of service provision will be retained for at least 2 years, subject to the limitation period applicable to the legal relationship concerned. If you want to learn detailed information, please contact the Controller by using the contact details specified. After expiry of the storage period personal data will be permanently deleted. Who can access the information and to whom is it disclosed? Personal data recipients may be employees authorised by the Controller, Processors, law enforcement and supervisory authorities. The Controller has a duty to provide information on the personal data processed: a) to law enforcement institutions, the court, state and local government institutions if it arises from laws and regulations and the institutions concerned are entitled to the information request; b) if personal data should be transferred to the third party concerned under a concluded agreement in order to perform a function necessary for the performance of the agreement (e.g. in the event of a warranty, insurance agreement; for the implementation of legitimate interests of the Controller), or if there is a need to improve the quality of services by involving service providers – subcontractors; c) according to a clear and unambiguous request of the Data Subject; d) to protect legitimate interests, such as when going to court, to state or local government institutions against a person that has violated such legitimate interests of the Controller.
Reflecting events organised by the Controller and its cooperation partners in the media and social networks with the aim of advertising and promoting the recognition of the Controller’s brand; What personal data are processed by the Controller? Photos and videos of participants and visitors of the events organised by the Controller and its cooperation partners, and the venues thereof, may be processed by storing them in the Controller’s archives, posting them on the website, social networks administered by the Controller and other informative materials of the Controller. What is the legal basis for personal data processing? With a view to reflect the events organised by the Controller and its cooperation partners in media and social networks in order to promote the Controller, personal data processing shall be carried out on the basis of Article 6, paragraph 1, subparagraph f) of the Regulation, i.e. The Controller has a legitimate interest to demonstrate the measures organised by it or the measures in which it participates in mass media and social networks, thus ensuring the recognition of the brands represented by it. The Controller, when selecting what information to publish, shall always apply the highest ethical standards, thus trying to ensure that the rights and freedoms of the Data Subject will not be infringed by publications. Concurrently, the Controller shall be aware that it is, possibly, not informed about all of the facts and circumstances; therefore the Controller shall, in order to ensure fair data processing, not prevent the Data Subject from contacting the Controller at any time by using the indicated information in order to enable it to object to data processing. Concurrently, the Controller explains that if you participate in various public events, such as by giving interviews, having your photo or video taken, it will first of all assume that you have no objection that the relevant information will be published. What is the duration for personal data processing? The Controller plans to keep the information obtained for an unlimited amount of time. Likewise, in order to comply with the principle of fair data processing, the Controller explains that, given the fact that the purpose for data processing is to publish information about the Controller’s events, the material obtained will be publicly available and accessible to any third parties. Who can access the information and to whom is it disclosed? Personal data recipients may be employees authorised by the Controller, Processors, law enforcement and supervisory authorities. If personal data should be transferred to the third party concerned under a concluded agreement in order to perform a function necessary for the performance of the agreement (e.g. in the event of an insurance agreement; for the implementation of legitimate interests of the Controller; for the service provider to be able to perform video editing), or if there is a need to improve customer service or the quality of services provided to the visitors of an event. The Controller informs that its selected Processors (google.com (google analytics), facebook.com etc.) shall be considered as non-European Union and non-European Economic Area companies, therefore the Controller recommends reading the privacy policies of these companies or submit to the Controller a request for additional information on the terms of the cooperation.
Prevention or detection of criminal offences relating to the protection of property, ensuring the legitimate interests of the Controller and third parties in case of violations, and protection of vital interests of persons, including life and health; What personal data are processed by the Controller? When the Data Subject enters the Controller’s premises or area where video surveillance is carried out, the footage and the time of the visit of the premises and/or area may be processed. Video surveillance shall not be performed in areas where Data Subjects expect increased privacy, in resting areas, changing rooms, etc. Video surveillance camera recording areas shall be focused on corridors, entrances/exits, cars, their flow in the Controller’s area. What is the legal basis for personal data processing? Video surveillance shall be conducted with the aim of preventing or detecting criminal offences relating to the protection of persons or property, ensuring the legitimate interests of the Controller and third parties and protection of vital interests of persons, including life and health. Video surveillance shall be carried out on the basis of Article 6, paragraph 1, subparagraphs d) and f) of the Regulation, i.e. Data processing is necessary for the Controller to protect the vital interests of the Data Subject or of another individual, including life and health (for example, video surveillance where the processing of personal data is necessary for the protection of the life and health of a person related to the prevention and/or detection of criminal offences); to ensure the legitimate interests of the Controller and third parties (for example, to prevent or detect criminal offences related to property protection, to provide evidence in case of dispute). What is the duration for personal data processing? Video surveillance records aimed at preventing or detecting criminal offences relating to the protection of persons and property, ensuring the legitimate interests of the Controller and third parties and protecting vital interests of persons, including life and health, shall be stored for a period not exceeding 30 days, unless the video footage concerned shows any unlawful actions or actions that may help the Controller or third parties to ensure their legal interests. In this case, the video surveillance record may be retrieved and retained until the legal interest is secured. Who can access the information and to whom is it disclosed? Personal data recipients may be employees authorised by the Controller, Processors, law enforcement and supervisory authorities.
Preservation and records of incoming and outgoing communications (emails, letters by mail, requests occasionally received by the social network profiles administered by the Controller) to ensure the performance of contractual obligations and ensuring the legitimate interests of the Controller. What personal data are processed by the Controller? Using the various options to communicate with the Controller in writing, the information related to the particular letter, request, application shall be retained. Despite of the fact that the Controller calls for the use of official means of communication, there may be situations when you have chosen to communicate with the Controller via social networking platforms. In these cases, you should expect additional information to be available to the Controller on the relevant social network. What is the legal basis for personal data processing Retention of information on the communications fact and content is carried out on the basis of Article 6, paragraph 1, subparagraphs c) and f) of the Regulation, i.e. in cases where you have filed a claim or complaint resulting in an obligation on the Controller to examine your request, the legal basis for the processing is the legal obligation, while, in order to ensure the legitimate interests of the Controller and third parties (for example, to investigate cases where complaints about the quality of service have been received, well as to ensure evidence against possible claims), the legal basis for the processing are the legitimate interests of the Controller. What is the duration for personal data processing? To achieve the objective, the Controller shall keep the relevant information for a period not exceeding two years, unless the relevant information is used to ensure the Controller’s legal interests for a longer period of time (for example, in case of dispute – for preservation of evidence). In this case, the relevant documents, records will be retained until the legal interest is secured. Who can access the information and to whom is it disclosed? Personal data recipients may be employees authorised by the Controller, Processors, law enforcement and supervisory authorities.
How is a data subject informed regarding personal data processing?The Data Subject shall be informed regarding personal data processing indicated in this Policy by using a multi-level approach, which contains the following methods: a) signs are placed around video surveillance sites alerting Data Subjects (pedestrians, drivers, visitors, employees, etc.) of video surveillance in the Controller’s area, providing basic information about video surveillance, as well as informing about the option to obtain detailed information; b) when visiting the website, the Data Subject can research a statement about what cookies are used as well as is invited to research this Policy; c) this Policy is publicly available on the Controller’s website and the Controller’s office at the office administrator. d) in public events where photos and videos may be taken with the intention of promoting the brands represented by the Controller, the information specified in this Policy will be displayed at the data processing sites.
Rights of the Data Subject.
A Data Subject has the right to request the Controller provide access to his/her personal data and receive detailed information on what personal data are available to the Controller, for what purposes the Controller is processing personal data, the categories of personal data recipients (persons to whom personal data are disclosed or to whom they are intended to be disclosed, unless laws and regulations allow the Controller to provide such information in a particular case (for example, the Controller may not provide information to the Data Subject regarding the relevant state authorities which are persons directing the criminal procedures, subjects of investigatory operation or other authorities, the data of which are prohibited to be disclosed by regulatory enactments), information regarding the period during which the personal data will be stored, or criteria used for the determination of such period.
If the Data Subject considers that the information at the disposal of the Controller is out-of date, incorrect or wrong, the Data Subject has the right to request the correction of his or her personal data.
The Data Subject has the right to request the deletion of his or her personal data, or to object to the processing thereof, if the Data Subject considers that data have been processed illegally, or they are not necessary anymore in relation to the purposes for which they have been collected and/or processed (upon implementing the right of the principle “to be forgotten”).
The Controller shall give notification that personal data of the Data Subject may not be deleted if the processing of personal data is needed: a) for the Controller to protect the vital interests of the Data Subject or of another individual, including life and health; b) to protect the property of the Controller; c) for the Controller or a third party to bring, exercise or defend lawful (legal) interests; d) for archiving purposes in accordance with applicable laws and regulations governing the building of archives.
The Data Subject has the right to request that the Controller restricts the processing of personal data of the Data Subject if any of the following circumstances exist: a) accuracy of the personal data is contested by the Data Subject – for a period enabling the Controller to verify the accuracy of personal data; b) the processing is unlawful, and the Data Subject objects to the erasure of the personal data and requests the restriction of their use instead; c) the Controller does not need personal data for processing anymore, however they are necessary for the Data Subject in order to bring, exercise or defend lawful claims; d) the Data Subject has objected to processing while it is not verified whether legitimate reasons of the Controller are more important than legitimate reasons of the Data Subject.
If the processing of personal data of the Data Subject is restricted in accordance with Paragraph 5, such personal data, except for storage, shall only be processed with consent of the Data Subject or in order to bring an action, exercise or defend lawful rights, or in order to protect the rights of another individual or legal entity, or important public interests.
Before revocation of the restriction of personal data processing of the Data Subject, the Controller shall inform the Data Subject.
The Data Subject has the right to file a complaint with the Data State Inspectorate if the Data Subject believes that the Controller has processed personal data unlawfully. However, the Controller proposes contacting it first via e-mail: [email protected], to find a solution quickly if your right to personal data protection has been violated.
The Data Subject may submit a request regarding the implementation of his or her rights in the following way: a) in writing in person, in the premises of the Controller by presenting a personal identification document (such as passport or ID card), because the Data Subject has a duty to identify himself or herself; b) in the form of electronic mail, by signing it with a secure electronic signature. In such case it is presumed that the Data Subject has identified himself or herself by submitting a request, which is signed with a secure electronic signature. Concurrently, the Controller shall reserve the right to request additional information from the Data Subject in the event of doubt, if the Controller considers it necessary; Electronic applications shall be sent to e-mail: [email protected]; c) by using a mail consignment. In such case a reply will be drawn up and sent by using a registered letter, thus securing that unauthorised persons may not receive such consignment. Concurrently, the Controller shall reserve the right to request additional information from the Data Subject in the event of doubt, if the Controller considers it necessary.
The Data Subject is obliged to clarify in his or her request as soon as possible, the date, time, place and other circumstances that could help to execute his or her request.
After the receipt of a written request of the Data Subject regarding exercising his or her rights, the Controller shall: a) verify the identity of a person; b) assess the request, if: the request, for example, viewing video materials may be granted, then the Data Subject, as a submitter of the request, may receive a copy of the video material or other data; additional information is necessary in order to identify the Data Subject who is requesting the information, the Controller may request additional information from the Data Subject in order to be able to select the information correctly (for example, visitation times, use of services, purchased goods) where the Data subject may be identified; the information is deleted or the person who requests the information is not the Data Subject or the person may not be identified, the Controller may reject the request in accordance with this Policy and/or laws and regulations; in case the Controller receives a request, but you have not indicated your contact information so that the Controller can contact you when examining your request and inform you about the result of the examination of your request, the Controller shall prepare a written reply within one month, which will be available at the Controller’s office. The relevant reply letter will be kept in the Controller’s office for a maximum of two months from the date of the request.
How are the personal data protected?
The Controller ensures, reviews on a regular basis and improves the personal data protection measures in order to protect personal data of the Data Subject from unauthorised access, accidental loss, disclosure or destruction. In order to ensure this, the Controller shall use corresponding technical and organisational requirements, including firewalls.
The Controller shall carefully check all service providers that process personal data of the Data Subjects on behalf of and in accordance with the assignment of the Controller, and also assesses whether service providers use appropriate security measures in order for the processing of personal data of the Data Subjects to be performed in conformity with the delegation of the Controller and the requirements of laws and regulations.
In the event of a personal data security incident, if it will cause a potentially high risk to the rights and freedoms of the Data Subject, the Controller shall notify the relevant Data Subject thereof, if it will be possible, whether the information will be published on the website of the Controller or in another possible way for example by using the media (TV, radio, newspaper,social networks etc.).