Information on the processing of personal data
By means of the present notification we hereby aim to inform every individual about the purposes of personal data processing, the scope thereof, level of protection, the term and period of processing and the data subject’s rights in the processing of personal data which is carried out by us.
Table of Contents:
1. Terminology used
1.1. Data Controller, Controller, also – we: Limited liability company SIA “BSMS”, unified company registration No. 40003471367, registered office (legal address): Delu iela 4, Riga, LV-1004, Latvia, e-mail – firstname.lastname@example.org, phone No. – +371 26478686;
1.3. Personal data: any information relating to an identified or identifiable natural person; an identifiable natural person is a person who can be identified, directly or indirectly, on the basis of an identifier. An identifier may be e.g. the name, surname, identification number (personal number or code) of the identifiable person, his/her identifier in information systems or one or more factors of physical, physiological, genetic, mental, economic, cultural or social identity characteristics of the said natural person;
1.4. Subject, Data Subject, also – you: a living natural person whose Personal Data is processed by the Controller for the achievement of a certain purpose; the Data Subject may be, e.g., a visitor to the Website;
1.5. Processing of Personal Data: any activities with the Personal Data of the Data Subject, including, but not limited to, data collection, data storage, data transfer, data modification, data use and data deletion;
1.6. Purpose of data processing: the purpose which the Data Controller is intended to achieve by processing the Personal Data of the Data Subject;
1.7. Regulation: European General Data Protection Regulation No. 679/2016, applicable in all Member States from May 25, 2018;
1.8. Principle of accountability and/or transparency: The Controller’s ability to prove that he has complied with the requirements of the Regulation in the processing of Personal Data.
2. Version management
2.1. This new version of the Privacy Statement is supplemented by nuances related to the processing of the Data by the Controller, in particular, the purposes of the processing of Personal Data and the legal basis thereof. No other significant changes have been made that would change the scope of the Data Subject’s rights or freedoms.
3. Information relating to all data processing processes and purposes
3.1. Personal data protection specialist: The Controller has appointed a personal data processing specialist, contact information for data protection issues – e-mail: email@example.com, phone: +371 26478686
3.2. Data processors (data recipients):
3.2.1. Employees of the Controller, in accordance with their official duties arising from the employment relationship of employees with the Controller;
3.2.2. Outsourcing providers: persons who have a contractual relationship with the Controller that determines the procedure for the protection of personal data, such procedure determining that the Personal Data of the Data Subject may be processed only in accordance with the instructions provided by the Controller and may not be used for other purposes of Data Processing;
3.2.3. State and local government institutions, including law enforcement agencies: in accordance with regulatory enactments, institutions and authorities that ensure the fulfilment of a legal obligation and transfer Personal Data upon request, as well as in situations where the transfer of data is related to the legal interests of the Controller, for example, to raise, enforce or defend legal claims;
3.2.4. In special cases, about which the Data Subject will be informed during the additional data collection or acquisition process, a Joint Controller or Joint Data Controller may also be involved or appointed in the processing of the data – in situations where purpose of data processing together with the Controller also applies to another organization; of any such situation, the Data Subject shall be informed in detail before or after the data are collected in accordance with the requirements of the Regulation;
3.2.5. Third parties – in situations where the receipt of data is an unequivocal legitimate interest of these third parties or the Controller, for example, but not limited to, when entering an area to which access is restricted, data of the vehicle and its driver shall be transferred to ensure such access;
3.3. Type of data processing: The Controller uses technical resources and information systems to process Personal Data, however, in any situation where a decision has to be taken in relation to the Data Subject, this is always done by a person and the Controller does not make automated decisions within the meaning of the Regulation;
3.4. Transfer of data to a third country (a country that is not a member of the European Union or the European Economic Area): When processing personal data, the Controller does not typically transfer the data to a country that is not a member of the European Union or the European Economic Area. However, in certain cases, the transfer of data to a third country may be for the purpose of fulfilling an existing contractual obligation or with the consent of the individual Data Subject, or in other specific exceptional situations. Data Subjects will be specifically alerted to any specific situation in which data will be transferred to a third country on the basis of consent or other legal grounds for the transfer;
3.5. Right to lodge a complaint:
3.5.1. In any situation where the Data Subject considers that the Controller has violated his/her rights in the processing of Personal Data, the Data Subject shall be entitled and have the right to complain to the supervisory authority of his/her own choice. The controlling authority of the controller operating in the territory of the Republic of Latvia is the State Data Inspectorate [Datu valsts inspekcija] (homepage thereof – www.dvi.gov.lv);
3.5.2. The Data Subject shall also have a separate right in relation to the processing of data in an unlawful manner and in other cases where the Data Subject has reason to believe that his/her rights have been violated, in accordance with the provisions of the Civil Procedure Act [Civilprocesa likums] of the Republic of Latvia ;
3.6. Rights of the Data Subject: In the cases specified in the Regulation, you, as the Data Subject, have certain rights which the Controller ensures as far as possible. Bear in mind! In some cases, some of your rights as those of a Data Subject may not be legally or practically enforceable, however, in any situation, you will receive a reasoned reply from the Controller within the time limits set out in the Regulation, which is one or three months from the submission of the application, depending on the situation. The rights of the Data Subject under the Regulation are as follows:
3.6.1. Access to Personal Data – as a Data Subject, you have the right to request confirmation from us whether we process your Personal Data and, in cases where this is done, to request access to the Personal Data processed. In order to exercise the above rights, you are required to submit a written application (note: here and below, in writing or written shall also mean comparable to a written application – e.g., electronically signed with a secure electronic signature);
3.6.2 .Correction of personal data – if you believe that the information we process about you is incorrect or incomplete, you have the right to ask us to correct your data. In order to exercise the above rights, you are required to submit a written application;
3.6.3. Withdrawal of consent – in cases where we process your personal data pursuant to your consent, you have the right to withdraw your consent to the processing of personal data at any time. In order to exercise the above rights, you are required to submit a written application; Please note that the processing of data which has taken place prior to the withdrawal of consent is not affected by the withdrawal of consent, and the processing in question may have given rise to a right to our legitimate interest or a legal obligation based on legal provisions, therefore, we may continue to process your personal data for other related purposes;
Bear in mind! Special warning about withdrawal of consent in situations where consent is given to the processing of cookies – you, as the Data Subject, have the right to delete cookies from your device at any time; such action shall be equivalent to withdrawal of consent; the Controller has no technical ability to delete cookies on your device. Detailed information about cookies can be found in section 4.2. Cookies;
3.6.4. Opposing or subjecting to processing on legal grounds – you have the right to object to the processing of Personal Data carried out by us on the basis of our legal interests (the legal basis for such processing of Personal Data) – in accordance with Clause 6, Section 1, Subclause f) of the Regulation. In order to exercise the above rights, you are required to submit a written application; Bear in mind! We will continue to process your data even if you object, if we have motivated reasons (such as active litigation) to continue processing the data, but you will receive a reasoned reply in any case.
3.6.5. Deletion of data – you have the right to request us to delete your personal data, however, this does not apply in cases where the law requires or allows us to retain data, as well as in situations where the processing of data is clearly necessary to fulfil the contractual obligations. In order to exercise the above rights, you are required to submit a written application;
3.6.6. Restrictions on processing – you have the right to request us to restrict the processing of your Personal Data. In order to exercise the above rights, you are required to submit a written application;
3.6.7. Data portability or transferability – you have the right to receive or transfer your personal data to another data controller (i.e., “data portability”). This right includes only the data you have provided to us with your consent or agreement, and in cases where processing is done by automated means. In order to exercise the above rights, you are required to submit us a written application.
3.7. We comply with the data protection principles enshrined in the Regulation, in particular the Principle of accountability and/or transparency::
3.7.1. When collecting your personal data, we act as a prudent and caring owner and process the data only for the specific purposes, without passing the data on to any other person, unless there is a statutory or contractually established situation that is being duly documented;
3.7.2. We regularly evaluate the Personal Data collected and stored, as well as the data obtained and transmitted, and make sure that the categories of data and the storage of the data are in accordance with the need to achieve the respective purposes;
3.7.3. We are always cooperation-oriented, therefore, upon receipt of reasonable objections, suggestions or other information from the Data Subject, we will make appropriate adjustments to processing of the Personal Data, as well as to the binding documentation and other processes related to the processing of Personal Data, such as menus on the Website;
3.8. In order to ensure fair and transparent data processing, we invite the Data Subject to note the following:
3.8.1. In any case of provision of Personal Data, the Data Subject is obliged to provide only valid and true personal data and only such data that are relevant and necessary for the purposes of data processing, for example, according to the indicated field values as described above or the corresponding request;
3.8.2. In the event that the relevant Data Subject’s data (any categories of data, such as name, address, position, and other information) change during the mutual cooperation or within a reasonable period of time thereafter, the Data Subject shall be obliged to inform the Controller of any changes in the relevant data categories;
3.9. Communication: if you, as the Data Subject, have any questions about the processing of your Personal Data, please contact the Controller using the Controller’s contacts above.
4. Descriptions of personal data processing processes, purposes of data processing and legal bases thereof
4.1. Processing of Personal Data related to visiting (opening) the Website
4.1.1. Process: The Controller processes the Personal Data in order to ensure the operation of the Website and the ability of the Controller to manage the processes taking place on the Website, including collecting and storing technical information about the connection (e.g., connection IP address, connection date and time);
4.1.2. Purpose and legal basis: The legitimate interest of the Controller (Clause 6, Section 1, Subclause f) of the Regulation) to maintain the Website, to inform the public about developments relevant to the Controller’s activities and to ensure the security of the Website – to detect, evaluate, determine and eliminate technical problems or illegal actions of third parties;
4.1.3. Note! Due to the fact that the Website may be visited by any individual (including a child or a person with a disability), as well as the actions of any individual may harm the interests of the Controller, the Controller does not verify the age of a particular visitor to the Website, but retains technical information about the connection and events associated with that particular connection to the Website. The duration of storage does not exceed 10 years, as the rights of claim that arise for the Controller may be different and various, thus the Controller applies the longest limitation period specified in regulatory enactments. The parents of the child or the relevant representatives appointed in accordance with the procedures prescribed by law shall be liable for an offence committed by a child or a person with limited legal capacity. Children that have reached the age of 14 are subject to administrative and criminal liability independently (on their own).
4.2.1. General explanation of cookies
Cookies are small files that are downloaded to a user’s device via a website when the content of that website is being downloaded. The need for cookies is, on the one hand, to technologically ensure the operation of the website and, on the other hand, to better understand the user experience and the use of content on the Website. As described below, cookies are grouped according to their functional importance into those that are functionally necessary, i.e., those without which it is not possible to actually ensure the operation of the Website, and the cookies without which the Website will operate, but for one of the parties – the Website visitor or the Administrator, it will not be possible to fully obtain or understand the experience or statistics of the use of the Website. The main difference between the above groups of cookies is that any cookies that are not functionally required are only downloaded to the
4.2.2. Necessity and functions of cookies
220.127.116.11. Functional cookies – functionally and technically necessary cookies, without which the full operation of the Website would not be possible. Websites do not have their own memory and do not maintain usage session statuses, i.e., when a user browses different sections of a website, the user is not recognized as the same user; Cookies allow the website to recognize the user. The main function of cookies is to allow the web server to receive information about the user’s session, thus optimizing the user’s experience of using the Website. Functional cookies also include cookies that ensure the operation of the cookie mechanism itself, i.e., the Controller has no other option to obtain the consent or non-consent of the Website user to download cookies other than through the cookie management tool. As the operation of the cookie management tool requires cookies, while the management of consent is required by law in the case of non-functional cookies, the operation of the cookie management tool is considered to be cookies necessary (functional) for the operation of the Website. Detailed list of functional cookies:
|gatsby-gdpr-google-analytics||Provide a consent management mechanism for the use of non-functional cookies.||1 year (12 months)||The legitimate interest to maintain the website – in accordance with Clause 6, Section 1, Subclause f) of the Regulation|
18.104.22.168. Non-Functional Cookies – necessary to help analyse the use of the Website, such as to understand visitor activity on the Website. The website uses so-called third-party analytical cookies, which are used to collect, store and analyse information through the website’s analytics service provided by Google Analytics and Meta Corporation (previously – Facebook). They allow the Controller to analyse visitors and adjust the Website accordingly to make the Website as efficient as possible, such as:
22.214.171.124.1. to obtain so-called “demographic” data, thus understanding the profile of visitors to the Website over a period of time and, for example, tailoring different information campaigns to the required target audience;
126.96.36.199.2. to find out content and traffic data, i.e., which sections the website visitors have visited the most and which sections they have spent the most time on – this provides a better understanding of the structure of the Website, as well as how to better present relevant information to the public so that it can reach its target audience as effectively as possible;
188.8.131.52.3. To find out the sources of traffic to the Website, thereby tailoring relevant advertising campaigns to reach the public more effectively, as well as measuring the effectiveness of new advertising campaigns.
IMPORTANT Despite the many benefits to the Controller, non-functional cookies will only be downloaded from the Website to the respective terminal or device (of you, the visitor of the Website) if you have given your consent using the selected option.
The Website uses the following non-functional cookies:
|_ga||The cookie is set by Google Analytics and used to distinguish visitors to the site (anonymously – without collecting user-identifying information)||2 years||Acceptance – in accordance with Clause 6, Section 1, Subclause a) of the Regulation|
|_gid||The cookie is set by Google Analytics and used to distinguish visitors to the site (anonymously – without collecting user-identifying information)||24 hours||Acceptance – in accordance with Clause 6, Section 1, Subclause a) of the Regulation|
|_gat_gtag_UA_*||The cookie is set by Google Analytics and does not contain any user information. It is used to limit requests (in order to prevent duplicate requests which are in fact equal)||1 minute||Acceptance – in accordance with Clause 6, Section 1, Subclause a) of the Regulation|
4.2.3. Additional information about analytical cookies
Note! Consent to the use of analytical cookies is also consent to the transfer of certain data related to the analytical service to a third party, namely – Google Inc., and, depending on and considering the technology used, consent to the transfer of personal data, such as IP addresses, to a third country, the United States.
4.2.4. Consent and its legal significance
4.2.5. Cookie management options
184.108.40.206. The website visitor shall be entitled to change his/her choice and withdraw his/her consent to the use of non-functional cookies at any time. Note! The mechanism of operation of cookies is designed in such a way that the Controller (Website) cannot interfere with the operation of the user’s terminal (device) and in any way influence the cookies therein: the Website can merely install the cookies. Therefore, in order to revoke the consent, the user must delete the cookies on his/her own, taking into account the following:
220.127.116.11. First of all, the non-functional cookies that have been previously approved for use must be deleted and in the case of the Website these are: _ga, _gid, _gat_gtag_UA_*;
18.104.22.168. Secondly, it is mandatory to delete the functional cookies that are associated with the cookie management tool, otherwise the Website will automatically re-install the non-functional cookies anew! Cookie management tool cookie: gatsby-gdpr-google-analytics
Note! After deleting the cookies required for the operation of the cookie management tool, if you visit the Website, it will again offer the opportunity to consent to the use of non-functional cookies.
The functionality of deleting cookies depends on the web browser used by the user, therefore it is not possible to provide the Controller with a uniform description of the sequence of actions for deleting cookies. In case of questions, please contact the Controller or the data protection specialist appointed by the Controller in accordance with the contacts indicated in the Information on the processing of personal data!
4.2.6. Additional information about cookie management
Note! The choices and any actions taken apply only to the specific web browser on the particular user’s terminal (device) and not to the specific individual entirely. If an individual uses multiple terminals (devices), multiple web browsers then every action has to be taken in each of them, in the same manner actions (i.e., consent or non-acceptance of a non-functional cookie) in each individual terminal (device) or web browser does not affect the choices and actions of another terminal (device) and web browser. Then, if multiple individuals use the same web browser on an access account on the same terminal (device), the choices made by each individual will affect the choices made by the other individuals, for example, everyone has the ability to delete installed cookies, choose to set new cookies, and the Controller has no technological ability to influence it. Consequently, the user must meet the level of a skilled user and independently manage his/her terminal equipment and the software installed on it, as well as access to the user accounts of the terminal equipment.
4.3. Processing of data related to communication about applying for a product or service, as well as to making questions, suggestions or complaints.
The Data Subject submits relevant information or asks the Data Controller using the contact form on the Website or other communication channels (e.g., the e-mail). The following circumstances must be taken into account when submitting data:
4.3.1. legal basis – our legitimate interest (Clause 6, Section 1, Subclause f) of the Regulation) to conduct the relevant type of business activities, providing communication with customers, as well as to find out your opinion in order to give you an answer or to be able to better adapt the Website, offers, communication etc., to your wishes and expectations;
4.3.2. contact information (name, surname, e-mail, telephone) is necessary for us to be able to prepare an offer or answer for you, as well as for you to be able to exercise your data subject’s rights. The contact information you provide will not be used for other purposes;
4.3.3. In general, we will answer to your question no later than within one month.
4.4. Data processing related to recruitment and HR purposes
When providing data for the purpose of applying for a vacancy or offering the Candidate his/her candidacy in case the relevant vacancy is announced in the future (also applies to internship applications), the following criteria shall be ensured:
4.4.1. The processing of personal data for the specified purpose will be performed only if the Controller has received a relevant application from the Data Subject;
4.4.2. The Data Controller may also receive information from a third party, usually an employment promotion or traineeship organization, such as the State Employment Agency [Nodarbinātības valsts aģentūra] or training institution;
4.4.3. The Data Controller informs that it can address the data subject on a social network for career development, such as on LinkedIn, and the communication will continue with the Data Subject’s consent to further processing.
4.4.4. The Data Controller typically needs the following information to complete the selection process:
22.214.171.124. Name and surname of the Data Subject and/or the Data Subject’s legally guarded person, as well as contact details (examples of personal data categories: e-mail address, telephone number, social networking account, address, etc.);
126.96.36.199. Information on the education of the Data Subject (incl. completed courses, obtained certificates), or in case of traineeship – information on the qualification to be obtained;
188.8.131.52. Professional experience of the data subject or, in the case of a traineeship or internship, information on the required internship programme;Vacancies (internships) for which the application is being made or which would be desirable;
184.108.40.206. Other skills according to the vacancy for which the Data Subject has applied, such as language skills, knowledge of information technology, operation skills of equipment, devices and special rights/licences to work with them, etc.
4.4.5. The legal basis for data processing is the processing of data within the process necessary to conclude an employment contract with the candidate while evaluating him/her – in accordance with Clause 6, Section 1, Subclause b) of the Regulation. Please bear in mind that applying for a vacancy does not guarantee that the relevant employment contract will be concluded between the Data Controller and the Data Subject, however, data processing is a necessary criterion for establishing an employment relationship in the event of a positive selection process!
4.4.6. Time-frames for data processing:
220.127.116.11. For the purpose of basic data processing – selection of staff or a trainee – the deadline for data processing is the achievement of a specific purpose, which typically means the end of the process of selection of staff or a trainee;
18.104.22.168. Additional purposes:
22.214.171.124.1. Ensuring the legitimate interest of the controller in possible judicial or extrajudicial proceedings (legal basis for processing the Personal Data is Clause 6, Section 1, Subclause f) of the Regulation in context with Clause 34, Section 1 of the Labour Act [Darba likums] of the Republic of Latvia), the duration of processing is 5 months or, if the said proceedings have begun, until the end of such proceedings (note: in case the Data Subject has sent the application according to his/her own choice, instead of referring to a specific advertisement for a vacant position or internship, the mentioned reference period will start from the moment of sending the personal data);
126.96.36.199.2. in case the Data Controller will not be able to offer a suitable vacancy, internship place, or another candidate will have proven to be more suitable, the processing of Personal Data will be performed 3 (three) months from the end of the announced vacancy (internship place) and the competition there to (legal basis for processing the Personal Data is Clause 6, Section 1, Subclause f) of the Regulation) in order to be able to fill personnel vacancies effectively; important! In this case, the processing is never implemented “by default” and the data subject always has the possibility to object to such processing;
188.8.131.52.3. For the establishment of an employment or internship relationship – information will be processed on the basis of the data processing deadlines specified in the the Labour Act [Darba likums] of the Republic of Latvia and other regulatory enactments, so that the Controller can fulfil the obligations specified by law.
4.5. Other data processing performed by the controller (general information; detailed information is available upon submission of the data subject’s request to the Controller)
|No.||Description of the process||Purposes of data processing and personal data processed||Legal basis for data processing|
|Video surveillance of the territory and premises||Control of access to the territory and protection of property rights; Processed personal data: Visual data (video recording) of everyone (visitor, customer, customer representative, employee) in regard to activities/behaviour.||Legitimate interest of the Data Controller (Clause 6, Section 1, Subclause f) of the Regulation) – to protect the property as well as to discover the perpetrator of the infringement or the damage carried out; and Clause 6, Section 1, Subclause e) of the Regulation – ensuring the public interest; legal bases can be applied individually or together, depending on the specific situation. The legitimate interest of the Data Controller to protect the property as well as to discover the perpetrator of the infringement or damage (Clause 6, Section 1, Subclause f) of the Regulation) – ensuring and protecting the public interests (Clause 6, Section 1, Subclause e) of the Regulation). The legal bases can be applied individually or together, depending on the specific situation.|
|Organization of personnel management (HR) and accounting||Establishment and maintenance of employment relationsDetermination of benefits and relief specified in regulatory enactments and maintenance and provision of other processes related to motivation of employees and improvement of their working conditionsKeeping financial records by processing personal data such as: employee identification information,information on job responsibilities,information on absence,information on business travels,employee evaluation,account data at the financial institution, remuneration received,calculated taxes and benefits,invoices issued and paid,debts, etc.||Mutual agreement between the Controller and the Data Subject (Clause 6, Section 1, Subclause b) of the Regulation), Performance of the Controller’s legal obligations (Clause 6, Section 1, Subclause c) of the Regulation), The legitimate interest of the Data Controller to ensure an efficient work environment and financial resources management system (Clause 6, Section 1, Subclause f) of the Regulation)|
|Record keeping and archive maintenance||Maintenance of the record keeping system and organization of the record keeping processArchive maintenance and archiving of documents (as well as transfer to other archives)Discarding the documents Categories of personal data processed: any, depending on the nature of the item of information in question, for example: documents with Data Subject’s data, such as employment contract, application, authorization issued.||The Data Controller’s legitimate interest in organizing the activity (Clause 6, Section 1, Subclause f) of the Regulation)|
|Provision of support for the Controller’s business operations, as well as other services provided by the Controller||Concluding and maintaining service contracts;Accounting for services and collection of payments therefor;Training, seminars, educational activities;as well as other services||Fulfilment of contractual obligations between the Controller and the Data Subject or establishment of a mutual contractual relationship in accordance with the expressed will of the Data Subject (Clause 6, Section 1, Subclause f) of the Regulation)|
|Informing the public about current events and ensuring the visibility of the Data Controller or a specific event/activity||Ensuring the visibility of the Data Controller or a specific event/activity;||Data Controller’s legitimate interest in ensuring visibility, informing the public about current events and specific events/activities (Clause 6, Section 1, Subclause f) of the Regulation)|
5. Other provisions
5.1. This information notice is subject to change as necessary. The current version of the information notice is published on this Website.
5.2. Last update on May 1st, 2022
5.3. Note! If the user finds that the Website is not operating (fully or partially), if it malfunctions, requires atypical actions (such as, but not limited to, installing programs or parts thereof on the visitor’s computer), please contact the Data Controller immediately.
5.4. The Data Controller reserves the right to make changes to the present notification. If any of the rights of the Data Subject are or may be significantly affected by the changes, the new version of the notification shall contain references to the specific changes.