SIA “ZAB Skrastiņš un Dzenis”, registration number 40203314489, legal address: Blaumaņa Street 10-4, Riga, LV-1011, website: www.skdz.lv (hereinafter – the Office), while providing legal assistance to its Clients can act both as a data controller and as a data processor.
The Office is a controller within the meaning of Article 4 (7) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter – the Regulation) regarding any Personal Data of the Client that the Office has collected from the Client or regarding the Client, independently determining the purposes and means for the Processing of such Personal Data.
The Office is a processor within the meaning of Article 4 (8) of the Regulation regarding the Personal Data of a data subject that has been collected and provided by the Client to the Office for purposes related to the performance of the agreement for the provision of legal assistance (hereinafter – the Agreement) (e.g., Personal Data of other data subjects included in the documents provided by the Client). The Office shall process the Personal Data of other data subjects on behalf of the Client and in such a case, the Client shall certify that it has the authorization to provide other data subjects’ Personal Data to the Office and that the Personal Data of other data subjects have been collected and processed in accordance with the applicable data protection legislation. The Client shall be obliged to provide the Office with all necessary instructions for Processing Personal Data and to provide accurate and up-to-date Personal Data of other data subjects.
The privacy policy of the Office (hereinafter – Privacy Policy) provides information on how the Personal Data is processed by the Office when acting as controller within the meaning of the definition in Article 4 (7) of the Regulation.
This Privacy Policy is applicable when the Client visits Office’s premises, website, and/or uses, has used, or has expressed a desire to use legal Services provided by the Office, or if the Client is in any way associated with such Services, including before this Privacy Policy enters into force.
The Office implements and provides appropriate technical and organisational measures to ensure that the Client’s Personal Data Processing is consistent with the requirements of the regulatory enactments governing the Processing of Personal Data (including, but not limited to, the Regulation), and to protect Personal Data against unauthorised access, accidental or unlawful alteration, unauthorised disclosure of, loss, destruction, including implementing measures against risks arising from physical exposure and measures implemented by software means.
If the Client does not agree with the Privacy Policy or some of its terms, the Client shall not be required to provide Personal Data to the Office. In cases where the Client does not provide the Office with Personal Data necessary for the performance of the Agreement or Services, as well as for the performance of the obligations set out by law, the Office has a legal basis to refuse, in whole or in part, to provide the Services to the Client.
If the data provided by the Client has changed or if the Client’s information to be processed by the Office is inaccurate or incorrect, the Client has the right to request that information be changed, updated, or corrected. The Office does not assume responsibility for inaccurate, incomplete, or erroneous data submitted by the Client.
Definitions
Processing – any operation or set of operations that is performed on Personal Data or sets of Personal Data, whether or not by automated means (including collection, use, recording, organisation, structuring, storage, alteration, disclosure, or other action-making Personal Data available, retrieval, destruction, etc.). The definition corresponds to the definition laid down in Article 4 (2) of the Regulation.
Office – SIA “ZAB Skrastiņš un Dzenis”, registration number: 40203314489, legal address: Blaumaņa street 10-4, Riga, LV-1011, website: www.skdz.lv, which acts as a Personal Data controller.
Client – any natural person (including a shareholder of a legal person, a member of the board, a representative of the company, or the true beneficiary) who visits the Office’s premises, website www.skdz.lv, and/or uses, has used, or has expressed a desire to use or relate to the Services provided by the Office.
Agreement – legal assistance agreement, concluded between the Office and the Client.
Services – provision of legal assistance to the Client.
Personal Data – any information regarding a natural person which, directly or indirectly, allows that person to be identified. The definition corresponds to the definition laid down in Article 4 (1) of the Regulation.
Regulation – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), in force from 25 May 2018.
AML law – Law on the Prevention of Money Laundering and Terrorism and Proliferation Financing of the Republic of Latvia, in force from 13 August 2008.
The categories of Personal Data, the legal basis for the Processing, the purposes of the Processing
The Office carries out the Client’s Personal Data Processing according to the following basis and purposes for the Personal Data Processing:
The categories and types of processed Personal Data
The legal basis for the Processing
The purposes of the Processing
Identification data (name, surname; personal identity number of the Republic of Latvia (if any); date of birth); information regarding the passport or identity card (document number; date of issue; issuing authority; issuing State);
contact details (address);
information about the true beneficiary of the Client. If the true beneficiary is a resident of Latvia: name, surname; personal identity number; date of birth; nationality; country of residence.
If the true beneficiary is a non-resident of Latvia: name, surname; date of birth; passport or identity card number and date of issue; State and institution that has issued the document; nationality; country of residence.
Processing is necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller under Article 6 (1) (e) of the Regulation.
To comply with the requirements of Section 2, Paragraph two, and Section 13.1 of the Law on International Sanctions and National Sanctions of the Republic of Latvia, by examining the information in the register maintained by the Financial Intelligence Unit: https://sankcijas.fid.gov.lv and in the website of the Ministry of Foreign Affairs: https://www.mfa.gov.lv/lv/sankcijas, and to ensure considerate risk management and management of the economic activity of the Office, in accordance with the internal procedures of the Office (Annex to the rules of the Internal Control System, “Sanctions Questionnaire for Natural Persons”; Annex to the rules of the Internal Control System, “Sanctions Questionnaire for Legal Persons”).
Identification data and research data: a personal identification document (copy) providing the following information:
– for a resident – name, surname, personal identity number, date of birth, personal photo, number and date of issue of the identification document, state, and institution issuing the document;
– for a non-resident – name, surname, personal identity number, date of birth, personal photo, number and date of issue of the identification document, state, and institution issuing the document;
Personal Data indicated in the “know your client” questionnaire. If the Client is a resident of Latvia: name, surname; personal identity number; date of birth; declared place of residence; habitual residence (if different from the declared place of residence); telephone; e-mail; occupation; position.
If the Client is a non-resident of Latvia: name, surname; personal identity number of the Republic of Latvia (if any); date of birth; information on the passport or identification card: number and date of issue of the identification document, state, and institution issuing the document; place of residence; phone number; e-mail address; occupation; position.
Name, surname, position held, address of correspondence, phone number, and e-mail address of the contact person (regarding the transaction).
Information about the true beneficiary of the Client. If the true beneficiary is a resident of Latvia: name, surname; personal identity number; date of birth; nationality; country of permanent residence; a way of earning income.
If the true beneficiary is a non-resident of Latvia: name, surname; date of birth; passport or identity card number and date of issue; state and institution issuing the document; nationality; country of permanent residence; a way of earning income.
Information about a politically significant person, a member of the family of a politically significant person, or a person closely associated with a politically significant person: the country of residence, the institution in which the person works; the position held.
Information on the planned transaction (purpose and nature of the planned transaction; the number of planned transactions (if applicable); amount of the planned transaction (if applicable); a form of payment within the planned transaction (cash/transfer) (if applicable); origin of the funds to be used in the planned transaction.
Processing is necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller under the first subparagraph of Section 5.2 of the AML law and Article 6 (1) (e) of the Regulation.
The Office does not provide the data subject with information on the Processing of data performed under the obligations set out in the AML law and which is related to money laundering, prevention, terrorism, and proliferation financing prevention, except publicly available data.
Personal Data shall be processed in order to meet the requirements of Section 10 of the Law on the Activity of Real Estate Agents and requirements of the AML law, when performing the Client research according to the AML law’s Section 11, Paragraph one, Clause 1 (before establishing the business relationship – before provision of continuous legal assistance), Clause 2 (before an occasional transaction – before provision of a specific legal assistance if (i) the amount of transactions of the Client or the total sum of several seemingly linked transactions is EUR 15 000 or more or is in a foreign currency which according to the exchange rate to be used in accounting at the beginning of the day of executing the transaction is equivalent to or exceeds EUR 15 000; (ii) transfer of funds is being made, including also the credit transfer, direct debt transfer, non-account holder money transfer, or transfer made by a payment card, electronic money instrument, mobile telephone, digital or another information technology device, and exceeds EUR 1000; (iii) foreign currency cash purchase or sale transaction is executed the amount of which or the total sum of several seemingly linked transactions exceeds EUR 1500), Clause 5 (if there are suspicions of money laundering, terrorism and proliferation financing or an attempt of such actions), Clause 6 (if there are suspicions that the previously obtained Client’s due diligence data is not true or appropriate), Clause 7 (if virtual currency is used in the transaction), Section 11.1, Paragraphs one and three (Client’s due diligence measures and risk factors) and Section 20 (supervision of business relationships and occasional transactions and liability of the subject of the law), in order to comply with Section 11.1, Paragraph 6 of the AML law (obtaining and documenting information on the purpose and intended nature of the business relationship), Section 11.1, Paragraph 7 (repeated Client’s due diligence), Section 12 (identification of natural persons and document check in the Register of Invalid Documents: https://www.latvija.lv/epakalpojumi/ep22), Section 13, Paragraph one, Clause 3 and Paragraph one prim, Clause 3 (identifications of legal persons, where, inter alia, natural persons representing a legal person must be identified), Section 14 (making of copies of personal identification documents), Section 18 (determination of the beneficial owner), Section 20 (supervision of business relationships), Section 25 (business relationship with a politically exposed person, a family member of a politically exposed person and a person closely associated to a politically exposed person, by checking the respective information in the database of politically significant persons held by the State Revenue Service: https://www6.vid.gov.lv/PNP) and Section 28 (contact information in order to request additional information) and in order to ensure considerate risk management and management of the economic activity of the Office, in accordance with the internal procedures of the Office (Internal control system rules, annex “Client questionnaire (for natural persons)”, annex “Client questionnaire (for legal persons)”).
Processing is carried out in cases where the Office, acting on behalf and for the benefit of the Client, provides legal assistance in the planning or execution of transactions, takes part in them, or carries out other business-related professional activities for the benefit of the Client in respect of any of the following transactions:
buying and selling of immovable property, shares of commercial company capital,
managing the Client’s money, financial instruments, and other funds,
opening or managing all kinds of accounts in credit institutions or financial institutions,
establishment, management, or provision of operation of legal persons or legal arrangements, as well as in relation to making contributions necessary for the establishment, operation, or management of a legal person or a legal arrangement;
provision of consultations or material assistance in tax matters or agent services in the provision of such assistance, regardless of the frequency of the provision thereof and the existence of remuneration;
in other cases in accordance with Section 2 of the AML law when the Office considers it necessary to prevent money laundering, financing of terrorism, and proliferation.
Client’s due diligence data: additional information about the Client and its true beneficiary; additional information on the planned nature of the transaction; additional information on the Client’s transactions and their conformity to the Client’s specified economic activity; information on the origin of the funds and welfare of the Client and its true beneficiary; information on the objective of the expected or carried out transactions.
Processing is necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller under the first subparagraph of Section 5.2 of the AML law and Article 6 (1) (e) of the Regulation.
The Office does not provide the data subject with information on the Processing of data performed under the obligations set out in the AML law and which is related to money laundering, prevention, terrorism, and proliferation financing prevention, except publicly available data.
Personal Data shall be processed to meet the requirements of Section 10 of the Law on the Activity of Real Estate Agents and requirements of the AML law when performing the Client’s enhanced due diligence:
under Section 22, Paragraph two of the AML law, upon establishing and maintaining the provision of legal assistance or executing occasional legal assistance with a Client who has not participated in the onsite identification procedure in person, except in the case when the following conditions are fulfilled:
the Office ensures adequate measures for mitigating the money laundering and terrorism and proliferation financing risks, including drafting of policies and procedures and carrying out staff training on the performance of remote identification
the Client identification, using technological solutions including video identification or secure electronic signature, or other technological solutions, is being performed to the extent and under the 3 July 2018 Regulations No. 392 of the Cabinet of Ministers of the Republic of Latvia.
under Section 22, Paragraph two of the AML law when establishing and maintaining the provision of legal assistance or executing occasional legal assistance with a Client who is a politically exposed person, a family member of a politically exposed person, or a person closely associated with a politically exposed person;
under Section 22, Paragraph two, and Section 25.1, Paragraph one of the AML law, when establishing or maintaining the provision of legal assistance or executing occasional legal assistance it is found that the Client is from a high-risk third country;
in other cases of provision of legal assistance or executing occasional legal assistance to the Client, if it is found that there is a high risk of money laundering, terrorism financing or proliferation, or the risk of circumvention of international or national sanctions,
to ensure considerate risk management and management of the economic activity of the Office, in accordance with the internal procedures of the Office (Internal control system rules, annexe “Client risk assessment form”).
Processing is carried out in cases where the Office, acting on behalf and for the benefit of the Client, provides legal assistance in the planning or execution of transactions, takes part in them, or carries out other business-related professional activities for the benefit of the Client in respect of any of the following transactions:
buying and selling of immovable property, shares of commercial company capital,
managing the Client’s money, financial instruments, and other funds,
opening or managing all kinds of accounts in credit institutions or financial institutions,
establishment, management, or provision of operation of legal persons or legal arrangements, as well as in relation to making contributions necessary for the establishment, operation, or management of a legal person or a legal arrangement;
provision of consultations or material assistance in tax matters or agent services in the provision of such assistance, regardless of the frequency of the provision thereof and the existence of remuneration;
in other cases, in accordance with Section 2 of the AML law, when the Office considers it necessary to prevent money laundering, financing of terrorism, and proliferation.
Information collected during the Client’s due diligence (Client’s case file on paper and electronically) (including Client’s identification data, a copy of the Client’s identification document);
Results of the Client’s due diligence, as well as available information obtained using electronic means of identification, and certification services within the meaning of Article 1 (10) of the Electronic Document Act under Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC or other technological solutions in the amount and according to the procedures specified by the Cabinet of Ministers of the Republic of Latvia;
Information on the Client, the Client’s declaration on the true beneficiary as well as the chain of its controlling entities;
Client’s declaration on the status of a politically exposed person, a family member of a politically exposed person, or a person closely associated with a politically exposed person;
Information on all the payments of the Client;
Information on the Client’s par domestic and international transactions, domestic and international occasional transactions, and such accounts;
Information on the source of funds and welfare of the Client and the Client’s true beneficiary;
Communication with the Client, including e-mail conversations;
The filled-out annexes of the Internal Control System;
Other documents obtained during the Client’s due diligence;
Information on the applications to the Financial Intelligence Unit, the State Revenue Service, and the State Security Service.
Processing is necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller under the first subparagraph of Section 5.2 of the AML law and Article 6 (1) (e) of the Regulation.
The Office does not provide the data subject with information on the Processing of data performed under the obligations set out in the AML law and which is related to money laundering, prevention, terrorism, and proliferation financing prevention, except publicly available data.
For the Office to ensure the obligation to keep documents following the procedures specified in Section 37, Paragraph two, and Paragraph four of the AML law.
Identification data (name, surname, personal identification number);
Information on a suspicious transaction (a description of a suspicious transaction (either planned, announced, consulted, initiated, postponed, or performed), identification of the persons involved in the transaction, amount, time, and place of a transaction, copies of documents certifying a transaction, where such documents are at the disposal of the Office; justification why the Office considers a transaction suspicious).
Processing is necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller under Article 6 (1) (e) of the Regulation.
The Office does not provide the data subject with information on the Processing of data performed under the obligations set out in Section 22.2 of the Law on Taxes and Fees except for publicly available data.
For the Office to identify the Client in accordance with the procedures specified in the Law on Taxes and Fees and to store information regarding the Services provided to the Client, as well as to provide information to the State Revenue Service regarding suspicious transactions in accordance with the procedures specified in Section 22.2 of the Law on Taxes and Fees.
Identification data (name, surname, personal identification number);
The case file on the Client
Processing is necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller under Article 6 (1) (e) of the Regulation.
For the Office to ensure the obligation to identify the Client to avoid conflict of interest, to keep accounts of the Client’s case files, and to comply with ethical principles (the sworn advocate may not engage in or support criminal activities), in accordance with the procedures specified in Clause 2.2, 8.1, and 9.1 of the code of ethics of Latvian Sworn Advocates, Section 11, 51, 59, and 65 of the Advocacy Law of the Republic of Latvia and Clauses 1.4 and 3.4 of the Terms of Record Keeping of Advocates.
The Client’s image that is processed during video surveillance.
Processing is necessary to protect the vital interests (safety and health) of the Client and other natural persons and to exercise the legitimate interests of the Office.
Ensuring public order and security;
Ensuring the safety and health of the Client and other natural persons (visitors and employees of the Office premises);
Ensuring the security of the Office’s premises and property;
Defending the legal claims and legitimate interests of the Office;
Securing evidence and detecting and preventing illegal activities.
Identification and research data: Client’s name, surname, personal identification number, date of birth, data on the identification document (passport data, ID data, and the respective copies of the documents); information on the true beneficiary, information whether the Client is/is not a politically exposed person, a family member of a politically exposed person, or a person closely associated with a politically exposed person;
Contact information: phone number, e-mail address, place of residence, the language of communication;
Data on the employment or economic activity (occupation, position held);
Financial data (name of the bank, account holder, number of the account).
Processing is performed at the request of the Client (data subject) prior to the conclusion of the Agreement, the performance of the Agreement, and the provision of the Services.
Identifying the Client and carrying out the KYC (“know your client”) procedure;
Communication with the Client and general management of the Office’s relations with the Client, as well as providing and administering access to the Services: providing the Services and ensuring that Personal Data is up-to-date and accurate by verifying and supplementing the data.
Client’s Personal Data in court proceedings (preparatory process for trial and trial)
Performance of the Agreement and provision of the Services.
Representing the Client, defending the client, and providing legal assistance in court.
Other legal actions performed at the request of the Client
Performance of the Agreement and provision of the Services.
Representing the Client, defending the client, and providing legal assistance.
Agreement documentation and documentation related to Services (including Agreement; Applications submitted by the Client, requests, complaints; notifications sent to the Client, warnings, etc.).
To fulfil a legal obligation applicable to the controller (requirements for document storage, archiving, accounting; requirements arising from the Consumer Rights Protection Law regarding entering into the Agreement, the receipt of the Services, and exercise of the right of withdrawal and other requirements specified in regulatory enactments relating to the economic activities of the Office as a controller).
Keeping accounts, storing documents, archiving, etc.
Identification data (name, surname, personal identification number, place of residence).
To pursue the Controller’s legitimate interests (establishing rights of claim).
Establishment, enforcement, protection, and transfer of claim rights, as well as securing evidence against claims for non-compliance of the Services, as well as for the provision of evidence against a potential claim arising from a delict.
Identification data (name, surname, personal identification number);
Contact information (phone number, e-mail address, place of residence).
Personal Data is processed in accordance with the Client’s consent to Processing their Personal Data.
Management, analysis, development, and improvement of Client relations;
Statistical and market research for analysis of the effectiveness of advertising and conducting surveys and studies concerning the Services offered by the Office.
Correspondence (communication) and device data: data in notifications, e-mails, visual images, video and/or audio recordings, and other correspondence and interaction data;
Data is collected when the Client visits the Office’s website or through other Office’s channels (Facebook, LinkedIn);
Data on habits, choices, and satisfaction, e.g., Service usage activity, Services used, personal settings, questionnaire replies, Client satisfaction:
technical information (e.g., device type, Internet Protocol (IP) address, and Internet Service Provider (ISP) used to connect the device to the Internet; registration information; browser type and version; time zone settings, browser plug-in types, and versions, operating system and platform, screen resolution, location, font encoding;
visit information, including full single resource URLs, clickstreams to, through, and from the website (including date and time); viewed or searched information; reference/exit pages, files viewed on the website (e.g. HTML pages, graphics, etc.), page response times, download errors, specific page visit duration the duration, page interaction information (such as scrolling, clicks, and mouse redirection) and methods used to leave the page, date/time stamp and/or clickstream data, and any phone number used to contact the Office’s representative.
Performance of the Agreement and provision of the Services;
To protect the Client’s vital interests (Personal Data);
To protect the legitimate interests of the controller (performance of management functions, Monitoring, developing, and improving quality of Services and/or Client service quality, testing of the website and digital environment; development of information security, technical and IT infrastructure, prevention of the misuse of Services, the proper execution of the Services, including the prevention of fraudulent actions; to establish claim rights);
Client’s consent to the Processing (inter alia, cookies are used when visiting the website).
Client’s consent to automated Processing of Personal Data, including profiling.
General management of Client relations, provision of access, and administration of the Services: providing the Services, ensuring that Personal Data is up-to-date and accurate by verifying and supplementing the data;
Keeping records on the Client’s case file;
Development of information security, technical and IT infrastructure;
Prevention or detection of criminal offences related to the protection of property owned or used by the Office (including the protection of the website);
Performance of management functions (business strategy, risk management, and business management);
Monitoring, developing, and improving quality of Services and/or Client service quality; assessing productivity;
Prevention of the misuse of Services, the proper execution of the Services, sanctioning and controlling access to and operation of digital channels, preventing unauthorised access and misuse, and ensuring the security of information;
Improving technical systems, IT infrastructure, adapting the display of the Service on devices, and developing Office Services, e.g., by testing and improving technical systems and IT infrastructure;
Preparing personalized and customized information; providing more user-adapted Services.
Sources for collecting Personal Data
The Client’s Personal Data may be obtained directly from the Client, from the Client’s use of the Services (when performing video surveillance, the Office records visual images; the Office saves e-mail communication, documents the Client’s interaction and communication with the Office) as well as from external sources, including public and private registers, databases and publicly accessible trusted websites (through KYC (“know your client”) procedure) and from third parties in the cases specified in regulatory enactments.
The recipients of Personal Data
The Client is informed that for the purposes (objectives) of Processing the Personal Data described above, the Office collects and transfers the Client’s Personal Data to controllers Processing Personal Data on behalf of the Office and to third parties (independent controllers), including but not limited to:
courts, arbitration tribunals, Enterprise Register, state and local government authorities, sworn bailiffs, and sworn notaries to fulfil the obligations set out by the Agreement and to provide the Services;
server providers and data storage service providers chosen by the Office; website maintenance service providers; video surveillance system providers; e-mail service providers; banks; archiving, postal, and courier service providers, and other third parties involved in the provision of the Services provided by the Office, ensuring that the persons concerned will process the Client’s Personal Data only to that extent and for the purposes (objectives) of the Processing of Personal Data set out in this Privacy policy;
any accounting service provider, auditor, revident, financial adviser, legal counsel, sworn advocate, sworn notary, and/or sworn bailiff selected by the Office.
When the Office receives and transfers the Personal Data of the Client to processors who process Personal Data on behalf of the Office, the Office shall take all necessary steps to ensure that the Processing of Personal Data by data processors is carried out under the Agreement, regulatory enactments and documented Office’s instructions.
When the Office collects and transfers the Client’s Personal Data to third parties (independent data controllers), third parties shall process Personal Data as an independent controller according to their own privacy policies, which shall be available on the home page of the relevant service provider.
In cases specified in regulatory enactments the Office also has obligations to transfer Personal Data to state or local government authorities (e.g., the Latvian Council of Sworn Advocates, the State Revenue Service, the Financial Intelligence Unit, the State Security Service, the State Police, and other law enforcement authorities and financial investigation authorities, courts, out-of-court dispute resolution authorities, insolvency administrators, sworn bailiffs, etc.).
The territory of Processing Personal Data
A transfer of Personal Data to a third country or an international organisation may take place in cases where:
the European Commission has decided, under Article 45 of the Regulation, that the third country or organisation concerned ensures an adequate level of protection.
the controller or the processor has provided appropriate safeguards according to Article 46 or 47 of the Regulation, i.e.: (i) binding corporate rules; (ii) standard data protection clauses adopted by the European Commission, or standard data protection clauses adopted by a member state’s supervisory authority and approved by the European Commission; (iii) other ad hoc agreement clauses, if they have been approved by the respective state’s supervisory authority; (iv) approved code of conduct with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards; (v) an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards; or
conditions laid down in Article 49 of the Regulation are met (where the transfer of Personal Data is necessary for raising, exercising, or defending a legal claim in specific administrative, regulative, or court proceedings; where it is necessary for the performance of an Agreement between the data subject and the controller; where it is necessary to protect the vital interests of the data subject or other natural person; where the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards; where there are other conditions laid down in Article 49 of the Regulation.
In the event of any subsequent transfer, the Office shall respect all other guarantees, in particular the purpose limitations.
The Office also informs that that Google Inc program Google Analytics, which uses cookies stored on the Client’s device to analyse how the Client uses the website, is being used on the Office’s website. The information on how the Client uses the website generated from the cookies is sent to a Google server in the United States of America and stored there. The Client’s IP address, via IP-anonymisation, is truncated within the territory of the European Union or the European Economic Area and may only be released for Processing on Google servers located in the United States of America in exceptional cases. Google uses this information to evaluate how the Client uses the website to prepare activity reports for website providers and to provide other services related to the use of the website and the Internet. Under no circumstances shall Google associate the IP address received here with any other information available to Google. Google may, if necessary, provide this information to third parties if it is statutory or if a third party is Processing the data on behalf of Google.
The term for storing Personal Data
The Office stores Personal Data in conformity with the purposes (objectives) of Processing the Personal Data, as well as in accordance with the requirements of the Regulation and the regulatory enactments, for as long as any legal basis for the Processing of Personal Data exists, provided that the applicable regulatory enactments do not provide a longer storage period. If the same Personal Data is processed for several purposes, the data shall be stored for the longest applicable storage period.
The storage period of the processed Personal Data may be based on the consent of the Client (data subject) (until its revocation, if there is no other basis for the Processing of Personal Data), based on the Agreement (for securing evidence for any claims relating to the non-compliance of the Services and/or the fulfilment of obligations under the Agreement, as well as for the securing evidence for any potential claims arising from a delict the term of data storage shall be ten years from the date of provision of the Services or execution of the Agreement), based on the legitimate interests of the Office or the legal obligations of the controller arising from the applicable laws and regulations (Section 37, paragraph two of the AML law provides that all information obtained during the course of the Client due diligence, information on transactions of the Client, communication with the Client including e-mail conversations, shall be stored by the Office for five years after termination of the business relationship); regulatory enactments regarding keeping the accounting (basic accounting documents shall be stored for ten years); regulatory enactments regarding the archiving of documents, etc.).
If there is no longer any legal basis for the Processing of Personal Data and the regulatory enactments do not provide for a longer term for the storage of Personal Data, the Office shall delete files containing Personal Data.
Automated decision-making and profiling
Profiling means any form of automated Processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular, to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
For each visit to the Office’s website, the following information is automatically collected:
technical information (e.g., device type, Internet protocol (IP) address, and Internet service provider (ISP), which is used to connect the device to the Internet; sign-in information; browser type and version; time zone settings, browser plug-in types and versions, operating system and platform, screen resolution, location, font encoding);
visit information, including full single resource URLs, clickstreams to, through, and from the website (including date and time); viewed or searched information; reference/exit pages, files viewed on the website (e.g. HTML pages, graphics, etc.), page response times, download errors, specific page visit duration the duration, page interaction information (such as scrolling, clicks, and mouse redirection) and methods used to leave the page, date/time stamp and/or clickstream data, and any phone number used to contact the Office’s representative.
Automatic Processing of Personal Data on the Office’s website is carried out to assess certain personal characteristics of the Client and to improve the Client’s experience of the use of the digital services, for example by adjusting the display of the Services on the device used; for the purpose of analysing the Client’s data. Automatic Processing of Personal Data is performed based on the legitimate interests of the Office (risk management, transaction monitoring, fraud prevention), the necessity to fulfil legal obligations, the performance of the Agreement, or the consent of the Client.
The Office may also collect statistical data regarding the Client, including typical behaviours. Statistical data for the establishment of segments/profiles can also be derived from external sources and can be combined with Office’s internal data.
Video surveillance
The Office uses video surveillance cameras at the entrance of the Office.
The Personal Data that is processed during video surveillance are visual images and video material.
The Office carries out video surveillance based on its legitimate interest and to protect the vital interests (security and health) of the Client and other natural persons (the Office’s visitors and employees).
The purposes of video surveillance are: to ensure public order and security; to ensure the safety and health of the Client and other natural persons (visitors and employees of the Office); to ensure the security of the Office’s premises and property; to protect the Office’s legal claims and legitimate interests; to secure evidence and to detect and prevent illegal activities.
Personal Data processed in connection with the video surveillance carried out by the Office will be kept for a maximum period of 1 (one) month from the time of recording unless another purpose of Processing arises (e.g., in connection with a criminal investigation).
The Client’s (data subject’s) rights
The Client has the following rights:
to receive information on whether the Office processes the Client’s (data subject’s) Personal Data, and if the Office does, to access the data and receive information under Article 15 of the Regulation on how the data is processed and to whom the data is transferred;
to request the rectification of his/her Personal Data if the data is inadequate, incomplete, or incorrect;
to object to the Processing of the Personal Data, if the Processing of the Personal Data is based on the Office’s legitimate interests, including profiling for direct marketing (e.g., for sending marketing offers or participating in surveys), except in cases where the controller refers to convincing legitimate reasons for Processing which are more important than the interests, rights, and freedoms of the Client (data subject), or to raise, execute or defend legal claims;
to request the erasure of the Personal Data, e.g., if the Personal Data is processed based on consent and the Client (data subject) has revoked his/her consent. This right cannot be exercised if the Personal Data the erasure of which is requested is also processed on another legal basis, such as obligations arising from the Agreement, the relevant regulatory enactments, or other cases laid down in the Regulation where there is a legitimate basis for the Processing of Personal Data;
to restrict the Processing of the Personal Data under the applicable regulatory enactments, e.g., during the time when the Office assesses whether the Client (data subject) has the right to erase his or her Personal Data;
to receive the Personal Data (data portability) which the data subject has provided on a basis of consent and execution of the Agreement, and which is processed in a written form or in commonly used electronic formats and where it is technically possible to transfer such data to another service provider;
withdraw the consent for the Processing of the Personal Data if the Personal Data has been collected by the Office based on the consent of the client (data subject) (the withdrawal of such consent does not affect the legality of the Processing based on consent prior to the withdrawal);
not to be subject to a decision based solely on automated Processing, including profiling, where such decision-making has legal consequences or significantly affects the Client (data subject) similarly. This right cannot be exercised if the decision is necessary for the conclusion or execution of an Agreement with the Client (data subject) if the decision is permitted by the applicable regulatory enactments or if the Client (data subject) has given his or her explicit consent;
to submit complaints regarding the Personal Data Processing to the Data State Inspectorate (www.dvi.gov.lv), if the Client considers that the Processing of his/her Personal Data infringes his/her rights and interests in accordance with the applicable laws and regulations.
Cookies
The Office’s website uses cookies that collect information about the Client, including whether the Client has previously visited the website, whether the Client is a new user, and what information the Client has viewed on the website. The use of cookies helps improve the services the Office provides, e.g., allowing the Client not to re-enter information that has already been entered. The use of cookies also helps to register the number of visitors and collect statistics and information about how users use services to improve the quality of websites, apps, and services as well as create custom content.
Third-party systems used by the Office to ensure proper provision of services:
Google inc. tools Google Analytics un Google Play Store, more information on the terms of service provided by these tools and their privacy policy can be found on the websites: Google Analytics Privacy (https://policies.google.com/privacy?hl=lv) and Terms of Service (https://marketingplatform.google.com/about/analytics/terms/gb/);
Google inc. tool Firebase Analytics, more information on the terms of service provided by the tool and its privacy policy can be found on the website: Firebase analytics Privacy (https://firebase.google.com/policies/analytics/)
Apple inc. tool Apple AppStore, more information on the terms of service provided by the tool and its privacy policy can be found on the website: Apple App Store Privacy (https://www.apple.com/lae/privacy/).
Contact information of the Office and identification of the Client
To ensure the protection of the Client’s Personal Data, while communicating with the Client, the Office will carry out personal identification in the following manner. To speed up electronic and telephone service, we suggest the Client ensure a timely and regular updating of its contact information.
Upon receipt of a request from the Client regarding the provision of Personal Data or the implementation of other Client’s rights, the Office shall verify the identity of the Client. For this purpose, the Office is entitled to request the Client to indicate Personal Data and compare whether the data provided by the Client coincides with the relevant Personal Data held by the Office. In carrying out this comparison, the Office is entitled to send a control notification to the telephone or e-mail specified by the Client (in the form of a text message or an e-mail letter), requesting the Client to authorise it. If the verification procedure is not successful (e.g., the data provided by the Client does not match the Personal Data held by the Office or the Client has not made authorization after the sent text message or e-mail letter), the Office will be forced to find that the Client is not the subject of the requested Personal Data and will be forced to reject the request submitted by the Client. Upon receipt of the Client’s request for the exercise of any of the Client’s rights and the successful completion of the verification procedure referred to above, the Office shall undertake without delay, but in any event not later than within 1 (one) month from the date of receipt of the Client’s request and the end of the verification procedure, to provide the Client with information on the activities carried out by the Office under the request submitted by the Client. Given the complexity and number of requests, the Office has the right to extend the 1 (one) month period for a further 2 (two) months, informing the Client by the end of the first month and stating the reasons for such extension of the term. If the Client’s request is submitted electronically, the Office will also provide the reply electronically, except in cases where it is not possible (e.g. due to a large amount of information) or if the Client has requested to reply in another manner. The Office is entitled to refuse to act on the Client’s request if the circumstances specified in the regulatory enactments are met, providing a motivated response and informing the Client thereof in writing. If the Client’s (data subject’s) requests are manifestly unfounded or excessive, particularly due to their regular repetition, the Office as a controller can either: a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or b) refuse to act on the request.
In case of any questions or unclarities relating to the Processing of Personal Data or in cases where the Client wishes to withdraw his/her consent for the Processing of his/her Personal Data, the Office kindly asks the Client to contact the Office by sending a respective message:
– to the Office’s e-mail address: info@skdz.lv, indicating “Protection of Personal Data”.;
– to the Office’s legal address: SIA “ZAB Skrastiņš un Dzenis”, Blaumaņa street 10-4, Riga, LV-1011, indicating “Protection of Personal Data”.
Validity and amendments of the Privacy Policy
The Privacy policy is available for Clients at the Office’s website: www.skdz.lv. The Office shall be entitled to unilaterally amend the Privacy Policy at any time in accordance with the applicable laws and regulations by notifying the Client of the relevant amendments by publishing an updated Privacy Policy on the website www.skdz.lv.
Disclaimer: This is a translation of the Office’s Privacy policy, the original of which is drafted in the Latvian language. In case of any discrepancies between the text of the Privacy policy in Latvian and English languages, the text in the Latvian language shall prevail.
© 2017 Skrastiņš & Dzenis. All rights reserved. Blaumana street 10, LV-1011 Riga, +371 67226696, info@skdz.lv