1.2. The Policy applies to the processing of personal data, irrespective of the form and / or medium in which the individual provides personal data (entering the territory and / or premises, telephone, verbal, etc.) and in which of the Management Systems (video, audio, web) etc.) are being processed.
2. The Manager
2.1. The Personal Data Controller is a SIA “VENTUM” (Reģ. Nr.: 41503050998, legal address: Muitas iela 3d, Daugavpils, LV-5401, Tel.: +371 293 83 382, E-mail: email@example.com, home page: www.fores.lv) (for the purposes of this Policy - the Manager).
3. Applicable law
3.1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation) ( 'the Regulation').
3.2. Other applicable legislation in the field of the processing and protection of personal data, including laws and regulations governing information society services.
4. Purposes of processing personal data
4.1. The manager has implemented:
- video surveillance for the purpose of preventing or detecting criminal offenses related to the protection of persons and property, the protection of the legal interests of the Controller or a third party, and the protection of vital interests of persons, including life and health;
- making audio recordings of telephone conversations for the purpose of ensuring and improving the quality of the services provided by the Controller and the protection of the Controller's legal interests;
- keeping and recording incoming and outgoing communications (emails, mails, etc.) to ensure that the legitimate interests of the Manager are respected.
- Presentation of events organized by the manager or a group of companies in the media and social networks to ensure the brand awareness of the company, its group and the manufacturers represented.
- The manager conducts a visit history analysis to conduct market research and analysis of data subjects' views, as well as to use statistics and some features of the site and display the content of the site according to the user.
4.2. The processing of personal data referred to in this policy is not intended to process specific categories of data, such as those based on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or data concerning health or sexual orientation.
4.3. When processing personal data for purposes other than those set out in this Policy, the Controller shall inform the data subject individually, subject to the conditions set out in Article 13 of the Regulation. For the purposes of this Policy, the controller has outsourced data processing in order to comply, in particular, with the provisions of Article 14 of the Regulation, that is, personal data are not intentionally obtained from the data subject.
5. What personal data is processed by the controller?
5.1. The categories of personal data processed by the Controller depend on the nature of the Controller's services used by individuals. For example,
- When a data subject enters / enters the Controller Service Center, the premises or the area where the video surveillance is performed may process his video image and the time it visited the premises. Video surveillance is not performed in areas where data subjects expect increased privacy, rest areas, changing rooms, etc. CCTV recording areas are focused on corridors, entrances / exits, cars in their Flow Manager area.
- Calling the telephone numbers specified by the Manager will record the content of the communication as well as the caller's telephone. # unless the caller has taken steps to prevent it from being discovered.
- Communication with the Manager in writing may save the content and time of the communication as well as information about the communication tool used (email address, telephone number, skype username, etc., address).
- When attending events organized by the Manager or his / her group, visitors to the event may be photographed, videotaped and may be asked to provide interviews or views on the event, recording your name and any additional information you wish to provide. The materials in question may be used to create the Controller Archive and ensure brand awareness by posting video, photos on the social networks of the Controller, its group companies or represented manufacturers, as well as on any media. Also, especially if you have been invited to any of the events organized by the Manager or his / her group, you may additionally be required to provide information identifying you (name, surname, personal identification number, etc.) in order to ensure the safe operation of the event. ).
- The Manager conducts an analysis of the visit history using online identifiers as well as information that is deliberately left by the data subject (eg evaluation of service provided, website visit experience, movement, information about willingness to attend any events organized by the Controller, etc.) market research and opinion analysis.
6. What is the legal basis for the processing of personal data?
6.1. video surveillance for the purpose of preventing or detecting offenses relating to the protection of persons and property, the protection of the legal interests of the controller or of a third party, and the protection of the vital interests of persons, including life and health. Video surveillance is based on Article 6 (1) (d) and (f) of the Regulation, ie
- The processing of personal data is necessary to protect the vital interests of the data subject or other natural person (eg video surveillance where the processing of personal data is necessary for the protection of the life and health of the person involved in the prevention and / or detection of crime);
- For the legitimate interests of the controller and third parties (for example, to prevent or detect property offenses, to provide evidence, to ensure the highest standards of customer service quality).
6.2. Making audio recordings of telephone conversations for the purpose of ensuring and improving the quality of the services provided by the Controller and the protection of the Controller's legal interests. Audio recording of telephone conversations is made (if any) on the basis of Article 6 (1) (f) of the Regulation, ie to serve the legitimate interests of the Controller and third parties (eg to investigate complaints about customer service quality, to secure evidence against potential claims).
6.3. Inbound and outbound communications (e-mails, mails and other) are maintained and recorded on the basis of Article 6 (1) (c) and (f) of the Regulation.
- to ensure compliance with the obligations of the Controller in accordance with its statutory acts, that is, to keep records of correspondence in accordance with the Controller's nomenclature and the requirements arising from the "Archive Law".
- to ensure that the legitimate interests of the Manager are respected, for example (for example, to investigate complaints about customer service quality and to provide evidence against possible claims).
6.4. Presentation of events organized by the manager or a group of companies in the media and social networks to ensure the brand awareness of the company, its group and the manufacturers represented. In corporate events, the processing of personal data is based on Article 6 (1) (a) and (f) of the Regulation.
- The controller is entitled to process personal data if the Data subject himself or herself has consented to the processing of his or her personal data for one or more specific purposes. A person's consent is his or her free will and autonomous decision made voluntarily, thereby permitting the Controller to process personal data for the purposes set out in this Policy. A person's consent is binding if it is provided verbally (for example, prior to the event and this Policy informs the person that personal data will be processed and that the person attending the event, interviews, used for the purposes stated in this Policy). A person has the right to revoke their prior consent at any time by using the contact information provided in this Policy. The withdrawal of consent shall not affect the lawfulness of the data processing carried out during the period for which the person's consent was valid. Withdrawal of consent may not interrupt the processing of data on other legal grounds, such as the legitimate interests of the Controller and third parties (group companies, automobile manufacturers).
- The manager has a legitimate interest in presenting the events or events in which he or she participates in the media and social networks, thereby ensuring the visibility of the brand or brands he represents. The controller always applies the highest ethical standards when choosing what information to publish, thus striving to ensure that the rights and freedoms of data subjects are not violated by the publications. At the same time, the Controller acknowledges that it may not be aware of all the facts and circumstances, and therefore, to ensure fair processing, does not prevent any data subject from contacting the Controller with the above information at any time to object to the processing.
6.5. The controller shall carry out an analysis of the website, the history of visits to social networks for the purpose of conducting market research and analysis of data subjects' views on the basis of Article 6 (1) (f) of the Regulation. The controller has a legitimate interest in its brand, or the brands it represents.
7. What is the time period for processing personal data?
7.1. The controller shall take into account the following circumstances when selecting criteria for the storage of personal data.
7.1.1. whether the term of storage of personal data has been determined or follows from the regulatory enactments of the Republic of Latvia and the European Union.
7.1.2.for what period the relevant personal data must be kept in order to ensure the realization and protection of the legitimate interests of the Controller or a third party.
7.1.3. until the consent of the individual to the processing of the personal data has been withdrawn and there is no other legal basis for the processing of the data, for example in order to fulfill the obligations incumbent on the Controller.
7.1.4. The controller needs to protect the vital interests, including life and health, of the Data Subject or other natural person.
7.1.5. video surveillance records for the purpose of preventing or detecting offenses relating to the protection of persons and property, the protection of the legal interests of the controller or of a third party and the protection of vital interests of persons, including life and health, for a period not exceeding 30 days; no unlawful conduct or conduct that may assist the Controller or any third party in their legal interest will be reflected. In this case, the video may be retrieved and stored until the legal interest is secured.
7.1.6. audio records of telephone conversations intended to ensure and improve the quality of the Services provided by the Controller and the Controller's Legal Interests will be retained for a period not exceeding sixty days unless the audio recording in question reflects any unlawful act or conduct that may assist the Controller or third parties interests. In this case, the audio recording in question may be retrieved and stored until the legal interest is secured.
7.2. retention and recording of incoming and outgoing communications (e-mails, mails, etc.) to ensure the Controller's legitimate interests will be retained for a period not exceeding five years, unless such communications reflect any unlawful act or conduct that possibly assist the Manager or third parties in securing their legal interests.
7.3. Presentation of events organized by the manager or a group of companies in the media and social networks to ensure the brand awareness of the company, its group and the manufacturers represented. To ensure the historical development of the company, the Manager intends to store the information obtained independently. Similarly, to comply with the principle of fair processing, the Controller clarifies that, subject to the fact that the purpose of the processing referred to in this paragraph is to disclose information about the activities of the Controller, its group or represented manufacturers, the resulting material will be publicly.
7.4. The manager conducts a visit history analysis to conduct market research and analysis of data subjects' views.
7.5. After the retention period, personal data will be permanently deleted.
8. Who has access to the information and to whom is it disclosed?
8.1. The controller is obliged to provide information on the personal data processed:
8.1.1.Law enforcement agencies, the court or other state and local government institutions, if it follows from regulatory enactments and the relevant authorities have the right to the requested information, if it should have been specifically requested.
8.1.2. If the relevant third party is required to transfer personal data within the framework of the contract to perform any function necessary for the performance of the contract (for example, in the case of an insurance contract for the realization of the legitimate interests of the Controller.
8.1.3. In accordance with the explicit and unambiguous request of the Data Subject.
8.1.4. For the protection of legitimate interests, such as legal action against a person who has violated the legitimate interests of the Administrator.
8.2. The recipients of personal data may be authorized officers of the Controller, Processors, law enforcement and supervisory authorities.
8.3. The controller will issue personal data of natural persons only to the extent necessary and sufficient, in accordance with the requirements of regulatory enactments and objective circumstances justified by the particular situation.
8.4. The personal data provided in this Policy are not intended to be transferred to a third country (a non-Member State of the European Union or the European Economic Area), except for data processed in an electronic environment. In this case, the Processors selected by the Manager ( google.com (google analytics),facebook.com , twitter.com , snapchat, etc.) are considered to be companies outside the European Union and Member States of the European Economic Area, so the Manager invites you to read the privacy policies of those companies or to contact the Manager separately for additional information information on the terms of cooperation.
9. How is the Data subject informed about the processing of personal data?
9.1. The data subject is informed of the processing of personal data specified in this Policy through a multi-level approach, which includes the following methods: - video surveillance posts display notices informing Data subjects (pedestrians, drivers, visitors, employees, etc.) of video surveillance, providing basic information related to video surveillance, as well as informing about the possibilities to receive more detailed information.
- Calling the contact persons listed on the Controller, informing the data subject of the audio recording (if any), requesting to consult additional information in this Policy or to ask the Controlling Officer to be contacted.
- When disclosing information about the Controller's Events, the Controller provides background information inviting them to familiarize themselves with this Policy or to ask the Controller before or during the Event.
- When visiting the Website, the Data Subject may become aware of a notice of what cookies are being used and are invited to become acquainted with this Policy.
9.2. This Manager's Policy is publicly available on the Manager's website at www.fores.lv and at the Manager's customer service points;
10. Rights of the data subject
10.1 The data subject shall have the right to request from the Controller access to his or her personal data and to obtain clarification of the personal data held by the Controller, the purposes for which the Controller processes such personal data, the categories of recipients have been disclosed or are intended to be disclosed, unless the law permits the Controller to provide such information in a particular case (for example, the Controller may not disclose to the Data Subject any relevant governmental bodies, criminal prosecutors, such information), the length of time for which the personal data will be stored or the criteria used to determine that period.
10.2. If the Data subject considers that the information available to the Controller is outdated, inaccurate or incorrect, the Data Subject has the right to request the correction of his / her personal data.
10.3. The data subject has the right to request the deletion of his / her personal data or to object to the processing if he / she considers that the personal data have been processed illegally or are no longer necessary for the purposes for which they were collected and / or ").
10.4. The controller informs that the personal data of the data subject cannot be deleted if the processing of personal data is necessary:
- For the Controller to protect the vital interests, including life and health, of the Data Subject or other natural person;
- Protect the property of the Manager;
- For the Manager or a third party to raise, pursue or defend legal (legal) interests;
- For archiving purposes in accordance with the regulatory enactments in force in Latvia governing the creation of archives.
10.5. The Data Subject shall have the right to request the Controller to restrict the processing of the Data Subject's personal data in any of the following circumstances:
- The data subject disputes the accuracy of the personal data - for a period within which the Controller may verify the accuracy of the personal data;
- Processing is unlawful and the Data Subject objects to the deletion of personal data and requests a restriction on the use of the data instead;
- The controller no longer needs personal data for processing, but they are necessary for the Data Subject to raise, enforce or defend lawful claims;
- The data subject has objected to the processing until it has been verified that the legitimate reasons of the controller are more important than the legitimate reasons of the data subject.
10.6. If the processing of personal data of the Data subject is restricted in accordance with Article 10.5. Subject to paragraph 1, such personal data, other than storage, shall be processed only with the consent of the Data subject or for the purpose of raising, enforcing or defending legitimate claims, or to protect the rights of any other natural or legal person, or
10.7. Prior to lifting the restriction on the processing of personal data by the Data Subject, the Controller shall inform the Data Subject.
10.8. The data subject has the right to lodge a complaint with the Data State Inspectorate if he / she considers that the personal data have been processed unlawfully by the Controller.
10.9. The data subject may submit a request for the exercise of his / her rights in the following ways:
- In writing in person at the Controller's premises, presenting an identity document (such as a passport or ID card, etc.), as the Data Subject is obliged to identify himself or herself;
- By e-mail with a secure electronic signature. In this case, the data subject is presumed to have identified himself / herself by submitting a request signed with a secure electronic signature. At the same time, the Controller reserves the right to request, in case of doubt, additional information to the data subject if it deems it necessary.
- By mail. In this case, a reply will be prepared and sent by registered mail, thus ensuring that unauthorized persons will not receive the post. At the same time, the Controller reserves the right to request, in case of doubt, additional information to the data subject if it deems it necessary.
10.10 In addition, the Data Subject shall, as far as possible, specify in his or her request the date, time, place and any other circumstances that would assist his or her request.
10.11. Upon receipt of a written request from the Data Subject regarding the exercise of their rights, the Controller shall:
10.11.1. Verifies the identity of the person.
10.11.2. Shall consider the request if: - a request can be provided, such as watching videos or listening to an audio recording, then the Data Subject as the requester may receive a copy of the video or audio recording or other data. - additional information is required to identify the Data Subject requesting the information, then the Manager may request additional information from the Data Subject to be able to correctly select the information (eg, video surveillance or conversation recordings, photographs) in which the Data Subject is identifiable. - the information has been deleted or the person requesting the information is not a Data subject or the person is not identifiable, then the Controller may decline the request in accordance with this Policy and / or the law.
11. How is personal data protected?
11.1. The controller shall ensure, continually review and improve personal data protection measures to protect the personal data of natural persons from unauthorized access, accidental loss, disclosure or destruction. To this end, the Manager shall use appropriate technical and organizational requirements, see through firewalls, intrusion detection, analysis software and data encryption.
11.2. The controller carefully examines all service providers that process personal data on behalf of the controller and on behalf of the controller, as well as assesses whether the cooperation partners (controllers) apply appropriate security measures to ensure that the processing of personal data of individuals is in accordance with the Delegation and regulatory requirements.
11.3. In the event of a personal data security incident, if it poses the greatest possible risk to the rights and freedoms of the data subject, the Controller will notify the Data Subject concerned, if possible, whether the information will be made public on the Controller radio, newspaper, social networks, etc.).