LLC “Jāņa sēta”
PRIVACY POLICY

1. Scope and area of application of the privacy policy

1.1. This privacy policy notice (hereinafter also referred to as the Policy) has been drawn up pursuant to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the Regulation.

1.2. The aim of this Policy is to provide the personal data subject – identifiable natural persons (hereinafter referred to as the Data Subject, or You) – information on how the personal data processing controller – LLC “Jāņa sēta” (hereinafter referred to as the Controller) – collects, processes, stores, shares, erases and protects the personal data of natural persons. The Policy aims to protect the interests and freedoms of the Data Subject, ensuring at the same time that personal data are processed lawfully, fairly and transparently to the Data Subject.
1.3. For specific personal data processing cases, the Controller has worked out separate privacy policies about which the Controller provides information also in this Policy, for instance, the privacy policy for the purpose of staff selection. In the light of the above, this Policy shall be considered a general privacy policy, while the privacy policies that have been drawn up for specific personal data processing cases shall be considered special privacy policies. In case of contradictions, the terms of the special privacy policies are prevalent.

1.4. This notice is applicable to the processing of natural persons’ personal data regardless of the form and/or environment in which the natural person provides his or her data (in person, by visiting the premises, in verbal communication, in writing, by mail, by telephone, digitally or via other technical means of communication, including mass media, application software, etc.), as well as regardless of the source from which the person’s data are obtained or what systems the Controller uses to process the data.

 

2. Personal data processing controller and contact details

2.1. The personal data processing controller mentioned in this Policy is LLC “Jāņa sēta” (Unified Registration No. 40003426448), whose contact details are:
Address: Krasta iela 105a, Rīga, Latvija, LV-1019
Telephone. +371 67317540
Fax +371 67317541
E-mail kartes@kartes.lv

2.2. The personal data processing controller determines what data shall be collected, for what purposes, and how they are processed.

3. How will You be informed about personal data processing?

3.1. To ensure a transparent data processing, the Controller informs and explains what personal data are being processed as part of the Controller’s business operations and how they are being used. The aforementioned information is being provided in this Policy, and separate information shall be provided on websites where You will be asked to enter your personal data, for instance, our website www.kartes.lv as You register the Purchase.

4. What are the applicable laws and regulations?

4.1. Personal data shall be collected and processed pursuant to the following laws and regulations:
4.1.1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the Regulation;

4.1.2. Personal Data Processing Law;
4.1.3. Other laws and regulations the Controller is subject to that are applicable to the processing and protection of personal data, for instance, the Law on Accounting or the Law on Information Society Services.

5. What is personal data?

5.1. Personal data is any information that relates to an identified or identifiable natural person (Data Subject). An identifiable natural person is a person that can be directly or indirectly identified, specifically referring to an identifier, for instance, the person’s name, surname, identification number, location data, online identifier or one or several factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

6. WHAT ARE THE PURPOSES (OBJECTIVES) OF PERSONAL DATA PROCESSING?

The Controller has defined the following purposes (objectives) of personal data processing as part of business operations:

6.1 Personal data are processed for the purpose of enabling business operations, conclusion of agreements and fulfilment of contractual obligations, as well as for the purpose of the Controller’s legitimate interests.

6.1.1. What personal data does the Controller process?
The categories of personal data the Controller processes depend on the concrete situation in which personal data are processed, i.e., the business operations carried out by the Controller, legislative requirements and the Controller’s legitimate interests in the given situation.

For instance, when the Data Subject expresses the wish to purchase one of our products at the www.kartes.lv store, we will ask You to indicate your name, surname, address of delivery and e-mail to which we will send information about Your order and a phone number that will be used for communication about Your order or specify delivery details, for instance, to agree the delivery time with the courier.

While processing Your order at www.kartes.lv, we also process the technical information relating to your visit on our website – we will save Your IP address, time of connection, No. of your device. For details, please see our cookie notice.

 

6.1.2. What is the legal basis of personal data processing?
Personal data are processed with the aim to enable the Controller’s business operations, including conclusion and performance of a contract based on subparagraph b) of paragraph 1 of Article 6 of the Regulation – processing is necessary for the performance a of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

In cases where the parties have entered into an agreement (an order has been made), the Controller, pursuant to the Law on Accounting, applies subparagraph c) of paragraph 1 of Article 6 of the Regulation – processing is necessary for compliance with a legal obligation to which the controller is subject. Namely, a billing invoice is being prepared, transactions are registered.

In all cases where the parties have entered into an agreement (an order has been made), the Controller, pursuant to the Law on Accounting, applies subparagraph f) of paragraph 1 of Article 6 of the Regulation – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests of fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. The Controller applies subparagraph f) of paragraph 1 of Article 6 of the Regulation also to secure evidence to prove the circumstances of communication before the conclusion of a contract during its performance. For instance, to organize the Controller’s business operations and fulfilment of the contracts that has been concluded with You, communicate with You and/or state and/or municipal authorities, investigate cases where complaints have been received about the quality of a service/product, to conduct after-control, to improve the provision of services, as well as to secure evidence in case of complaints, claims or legal action. For the purpose of the Controller’s legitimate interests, we also process technical data relating to the visit of the website and circumstances in which the order has been placed. Such data processing is necessary to ensure a safe usage of the website and processing of the data entered therein.

 

6.1.3. What is the time period of data processing?
While providing services, the Controller complies with special laws and regulations stipulating the obligation to retain particular data. For instance, the Law on Accounting stipulates the obligation to keep information on transactions for five years. The Controller complies with the terms stipulated in laws and regulations. When providing services and selling goods, information is retained for all the time a service is being provided or a good is being sold, observing the limitation period for claims applicable to respective legal relations (for instance, 3 years for commercial transactions if one of the parties is a commercial operator). This provision is applicable to the mutual communication of the parties and, for instance, a telephone number that has been used to execute the order.

When the retention period for data expires, the personal data shall be irretrievably erased unless a complaint about interaction are received. In such cases the Controller, based on legitimate interest, can retain all or part of the information until the issue is fully resolved. (i.e., ten-year limitation period stipulated in the Civil Law or the date on which the court verdict comes into force).

Technical information on the accessing of the website will be retained for up to two weeks. Please see detailed information in the cooky policy.

6.1.4. Who does access information and to whom is it disclosed?
Recipients of personal data can be employees authorized by the Controller in accordance with the scope of their work duties and the requirements of laws and regulations.

Personal data can be transferred to the Controller’s processors such as suppliers of goods, debt collectors, legal services providers, couriers, payment institutions, financial advisors, auditors and other consultants in accordance with the terms of the contract concluded between the parties. Personal data can be disclosed to law enforcement authorities, court or other state or municipal authorities if the respective institutions are authorized to receive the requested information (for instance, the State Revenue Service may request information about You as a party of a transaction, etc.). To protect the Controller’s legitimate interests, personal data can be disclosed when taking legal action in court or other state institutions against the person who has infringed on the Controller’s legitimate interests.

Personal data shall not be transferred to a recipient in a country outside the European Union or the European Economic Area.

6.2. Retaining and recording of incoming and outgoing communication (e-mail, conventional mail) to ensure fulfilment of contractual obligations, fulfilment of the Controller’s obligations and pursuing the Controller’s legitimate interests.

6.2.1. What personal data does the Controller process?
When communicating with the Controller or submitting a complaint or proposal via the contact channels provided by the Controller (for instance, telephone, e-mail, conventional mail, etc.), written information relating to the particular document and the information contained therein, as well as the content, time and means of communication will be retained. In case You make a complaint about the fulfilment of contractual obligations, the Controller will need to identify the applicant or the person to whom the answer has to be provided. In such case, to pursue that purpose, the Controller can process personal data that include the name, surname and contact details of the Data Subject, information about the services/goods received, the person’s online identification data, including information related to the history of the use of services/purchases (analysis of the system’s auditing records) and other information related to the contract. Such information is recorded in documents and stored in the Controller’s data processing systems. The Controller is obliged and authorized to process the information identifying the Data Subject and information authenticating the person’s identity and right of representation (if the person represents other person) in contractual relations.

6.2.2. What is the legal basis of personal data processing?
Information on the fact and content of communication is retained pursuant to subparagraph f) of paragraph 1) of Article 6 the Regulation – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests of fundamental rights and freedoms of the data subject which require protection of personal data. In cases where you have submitted a document containing an  inquiry, complaint or a proposal, the legal basis for data protection is this legal obligation (for instance, fulfilment of the provisions of consumer rights protection laws or the Regulation, as well as other laws and regulations applicable in solving the matter mentioned in the inquiry (proposal, complaint) pursuant to subparagraph c) of paragraph 1) of Article 6 the Regulation – processing is necessary for compliance with legal obligation to which the controller is subject. For the purposes of the legitimate interests pursued by the Controller and third persons (for instance, to investigate cases where complaints have been received about the quality of a service provided, as well as to secure evidence against possible claims), the legal basis for data processing is the legitimate interests pursued by the Controller. Correspondence is retained also for the purpose of systematization of the Controller’s business operations and for the following business purposes – to inform about the range of services, terms of the delivery of goods, etc.

6.2.3. What is the time period of personal data processing?
To achieve these objectives, the Controller will retain information for up to five years unless there is a need to use it longer for the purposes of the legitimate interests of the Controller (for instance, to secure evidence in case of a dispute).  In such cases information will be retained as long as the legal interests of the Controller or a third party exist.

If the accounting records are updated in connection with the received correspondence, the respective information is retained in accordance with the laws and regulations on accounting records, i.e., for 5 years.

After the end of the retaining period, personal data shall be irretrievably erased.

6.2.4. Who can access information and to whom is it disclosed?

Recipients of personal data can be employees authorized by the Controller in accordance with the scope of their work duties and requirements stipulated in laws and regulations, as well as providers of legal services, law enforcement, controlling, supervisory and inspecting authorities.

Personal data shall not be disclosed to recipients outside member states of the European Union or the European Economic Area.

6.3. Personal data processing for the purpose of displaying corporate information in the mass media, the website administered by the Controller and social networks with the aim to promote and raise the profile of a brand and its products.

6.3.1. What personal data does the Controller process?
The Controller’s information materials, events, news, photos of persons, video and audio recordings, events organized by the Controller and information on the Controller’s participation in events organized by cooperation partners can be published in various mass media, on the Controller’s website www.kartes.lv, the Controller’s social network accounts (for instance, facebook.com, Instagram.com, youtube.com), and saved in the Controller’s archive with the aim to promote the Controller’s brand and/or to chronicle the development of the Controller’s enterprise. In some cases, these materials can contain personal data (images, voice, information provided, time and date) of persons that have visited events organized by the Controller and have been captured in photos, recorded in video or audio formats, descriptions of events and interviews.

6.3.2. What is the legal basis of personal data processing?
Personal data are processed pursuant to subparagraph f) of paragraph 1) of Article 6 the Regulation – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests of fundamental rights and freedoms of the data subject which require protection of personal data. That means that displaying the events organized by the Controller or events in which the Controller takes part in mass media, on the Controller’s website www.kartes.lv, or social network platforms (for instance, facebook.com, Instagram.com, youtube.com), thus promoting the Controller’s brand and its products, is a legitimate interest pursued by the Controller.

When selecting information for publication in mass media, on the Controller’s website, or social network platforms, the Controller shall always make sure Your rights and freedoms as the Data Subject are not infringed upon. The Controller shall respect a person’s rights to privacy. The Controller is aware that they do not know all facts and circumstances pertaining the possible impact of said actions. Therefore, to ensure an ethical data processing, any person has the opportunity to contact the Controller and object to the display of their data on the Controller’s website or social network platforms. In such cases, the Controller has to be informed by sending an e-mail to the e-mail address provided in this Policy.

6.3.3. What is the time period of personal data processing?
Personal data are retained until the objective is achieved, i. e., as long as the information that has been made public with the aim of promoting the Controller, remains relevant and serves the purpose, except information that is stored permanently in the Controller’s archive. The Controller shall periodically revise the published information to ensure that information that no longer serves the purpose of data processing is regularly erased, except for the data processing necessary for the purpose of archiving.

6.3.4. Who can access information and to whom is it disclosed?
Recipients of personal data can be employees authorized by the Controller, users of the respective mass media, the Controller’s website www.kartes.lv and/or social network platforms (for instance, facebook.com, Instagram.com, youtube.com), processers, law enforcement and supervisory authorities. Data can be transferred also to execute an agreement concluded between the Controller and a third person (for instance, to a service provider for making photographs and/or video, audio recordings, producing, website administration, brand promotion, etc.).

The Controller informs that for the purpose of data processing, personal data are processed in the electronic environment on the social network platforms managed by the Controller (facebook.com, Instagram.com, youtube.com, etc.), and the processers chosen by the Controller (facebook.com, Instagram.com, youtube.com, etc.) shall be recognized as enterprises operating outside member states of the European Union and the European Economic Area, therefore, the Controller offers to read the privacy policies of these enterprises (for instance, facebook.com privacy policy: https://www.facebook.com/privacy/explanation, instagram.com privacy policy: : https://help.instagram.com/519522125107875) or to request the Controller to provide additional information on the terms of cooperation.

In compliance with data processing ethics, the Controller explains that, since the purpose of the given data processing is to publish information on the Controller’s events, the obtained materials will be made publicly accessible and any third person will be able to access them.

7. Rights of the Data Subject

7.1. How will the Data Subject be informed about the processing of their data?
The Data Subject is informed about personal data processing described in this Policy using a multilevel approach, which includes methods like posting this Policy or its parts on the Controller’s website www.karte.lv, or in some cases provding information in the form of an announcement or in some other way.

7.2. Rights to access personal data and edit them.
7.2.1. Pursuant to the provisions of the Regulation, the Data Subject is entitled to request access to the Data Subject’s personal data at the Controller’s disposal and receive the following information:

– What data of the Data Subject are at the Controller’s disposal;
– For what purposes the Controller processes these data;

– Categories of personal data recipients (persons to whom the personal data have been or will be disclosed, provided that laws and regulations allow the Controller to disclose such information in this particular case);

– Information about the time period for which the personal data will be retained or criteria used to set the data retention period.

7.2.2. If the Data Subject considers that the information at the Controller’s disposal is outdated, inaccurate or incorrect, the Data Subject is entitled to request an updating of his or her personal data.

7.2.3. The Data Subject is entitled to request that his or her personal data be erased or object to processing thereof if the person considers that the personal data have been processed illegally or that they are no longer serving the purpose for which they were obtained and/or processed (exercising the “rights to be forgotten).

7.2.4. The Controller informs that the Data Subject’s personal data cannot be erased if personal data processing is necessary in the following cases:

– For the Controller to protect vital interests, including life and health, of the Data Subject or other natural person;

– For Controller or a third person to exercise or protect legitimate (legal) interests;

– Data processing is necessary pursuant to laws and regulations to which the Controller is subject.
7.2.5. The Data Subject has the right to request that the Controller restrict the processing of the Data Subject’s personal data if any of the following circumstances exist:

– The Data Subject disputes the accuracy of the personal data – until the Controller checks the accuracy of the personal data;

– Data processing is illegal and the Data Subject objects to the deletion of personal data and instead demands that the usage of the data be restricted:

– The Controller no longer needs the personal data for processing but they are necessary for the Data Subject to make, exercise or defend legal claims;

– The Data Subject has objected to processing – until it is established whether the Controller’s legitimate reasons are prevalent over the Data Subject’s legitimate reasons.

7.2.6. If the processing of the Data Subject’s personal data is restricted pursuant to paragraph 7.2.5, such personal data shall only be processed with the Data Subject’s consent (excluding retainment), or with the aim to make, exercise or defend legal claims or to protect other natural or legal person’s rights or vital public interests.

7.2.7. Before lifting the restrictions on the processing of the Data Subject’s personal data, the Controller informs the Data Subject.

7.2.8. The Data Subject has the right to file a complaint with the Data State Inspectorate if he or she considers that the Controller has processed his or her data illegally. The Data Subject is asked to first approach the Controller about the problem to resolve it fast if the Data Subject’s rights to personal data protection have been breached.

7.3. The right to withdraw consent
If the Controller processes personal data based on the Data Subject’s consent, the Data Subject has the right to withdraw the consent at any time by sending the withdrawal to the Controller as stipulated in paragraph 2 of the Policy. Upon receiving the withdrawal, the Controller shall not process the Data Subject’s personal data for the purposes regarding which the withdrawal of consent has been received. To ensure the Controller processes the data lawfully and fairly, the Controller, considering technological possibilities, shall contact You each time to offer an additional opportunity to refuse to receive further information. Note that the personal data processing purposes described in this Policy have other personal data processing purposes and the Controller does not base his or her actions on consent as the legal basis of data processing.

8. Procedure for the review of the Data Subject’s applications

8.1. If the Data Subject has any inquiries, claims, objections or complaints regarding the personal data processing carried out by the Controller, the Data Subject can submit to the Controller an inquiry about the exercise of his or her rights via the channels indicated in Section 2 of this Policy. If in doubt, the Controller reserves the right to request additional information from the Data Subject if the Controller deems it necessary.
8.2. The Controller shall review the Data Subject’s application, inquiry or complaint and prepare an answer that will be sent via a registered letter, thus making sure that unauthorized persons cannot receive this letter, or electronically. The channel for the provision of the answer shall be agreed with the Data Subject unless it is already explicitly clear and the proposed solution for the inquiry is acceptable to the Controller.

8.3. The Data Subject is obliged, as far as possible, to specify in the inquiry the time, location and other circumstances that could help to comply with the Data Subject’s request.

8.4. Upon receipt of the Data Subject’s inquiry about the exercise of his or her rights, the Controller:

8.4.1. Verifies the person’s identity;
8.4.2. Assesses the inquiry and takes the following steps:
– If the Controller is able to comply with the request, he or she does so in as short period of time as possible, and the Data Subject as the applicant can receive the requested information or data copy;

– If the Controller needs additional information to identify the Data Subject requesting information or to comply with the request, the Controller can ask the Data Subject to provide additional information (for instance, a specific date or time, use of services, data of a card or a purchase, etc., by which the Data Subject can be identified);

– If the information has been erased or the person requesting information is not the Data Subject, the request can be denied in accordance with this Policy and/or laws and regulations;

– In the case where the Controller receives an inquiry but the Data Subject has not given his or her contact details so the Controller could contact the Data Subject during the review of the inquiry and inform about the results thereof, the Controller shall prepare within a month a written answer that will be available at the address given in the Controller’s contact details. The letter will be retained and remain available to the Data Subject at the Controller’s office for up to two months of the submission of the inquiry.

9. What measures does the Controller take to ensure the protection of personal data?

9.1. The Controller regularly revises and updates personal data protection measures to protect the personal data of natural persons against unauthorized access, accidental loss, disclosure or destruction, using appropriate technical and organizational measures.

9.2. The Controller thoroughly examines all service providers that process personal data of natural persons on behalf and under instructions of the Controller. The Controller assesses whether the partners (personal data processers) ensure appropriate security measures, so that the personal data of natural persons are processes in accordance with the authorization given by the Controller, as well as laws and regulations.

9.3. In the case of personal data security incident that can pose a high risk to the Data Subject’s rights and freedoms, the Controller shall inform the Data Subject about it, using available contact details (if possible), post the information on the Controller’s website www.kartes.lv and/or the social networks administered by the Controller and/or otherwise (for instance, using mass media)

10. Final provisions

10.1. This Policy shall be periodically revised and updated. The current version of the Policy is effective as of the date given in the Policy. The current version of the Policy is posted on the website www.kartes.lv, and will be available also at the locations where the Controller conducts business.