PRIVACY AND DATA PROTECTION POLICY

SIA “DSG Karjeri”
Reg. No. 40003747654
VAT reg. No. LV40003747654
Legal address: 36 Jelgavas Street, Riga, LV-1004
Office address: 2D Hipokrāta Street, Riga, LV-1079

This Privacy Policy, hereinafter – the Policy, describes the procedures by which SIA “DSG Karjeri”, reg. No. 40003747654, VAT reg. No. LV40003747654, legal address: 36 Jelgavas Street, Riga, LV-1004, office address: 2D Hipokrāta Street, Riga, LV-1079, hereinafter – the Company or SIA “DSG Karjeri”, processes personal data. The data are processed in accordance with this Policy, the technical and organisational requirements stated by the Company, the legitimate interests of the Company, the type of the service provided and the
contract concluded.
The actual address for the provision of services is determined in line with the type of the service and contract concluded. This Policy is applied if the data subject or its represented company, hereinafter – the Customer, uses, has used or has expressed the wish to use the services provided by the Company, or is visiting the territory of the Company, or is otherwise related to the economic activity of the Company, the services provided thereby, including in relationships with the Customer established before this Policy became effective.
This Policy and the necessary organisational and technical requirements are applied both in cases where the legal status of SIA “DSG Karjeri” is the processor and in cases where the legal status of SIA “DSG Karjeri” is the controller and also in cases where the legal status of SIA “DSG Karjeri” is the third party.

1. Definitions

Processing – any operation or a set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Controller – a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processor – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Recipient – a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.

Third party – a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Customer – any natural or legal person that uses, has used or has expressed the wish to use any services provided by SIA “DSG Karjeri” or is related to these services in any other way.

Personal data – any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2. Applicable Laws and Regulations

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter – the Regulation);

Law on the Security of Information Technologies;

Law On Subterranean Depths;

Environmental Protection Law;

Law On Land Privatisation in Rural Areas;

Construction Law;

Law on Forests;

Protection Zone Law;

Consumer Rights Protection Law;

Labour Law;

Commercial Law;

Law on Submissions;

Law On Accounting;

Law on the Annual Financial Statements and Consolidated Financial Statements;

Law On Taxes and Duties and also other regulatory enactments adopted pursuant to the respective laws, etc.

3. General Provisions

3.1. This Policy provides general information on the procedures by which the Company processes personal data. More detailed information on the processing of personal data is provided to the Customers by incorporating such information into the contracts and other documents related to the services provided by the Company and also by including such information on the website of the Company: https://dsg-karjeri.lv/ , and also any data subject has the right to contact the Company in order to clarify the matters that are of interest to the Customer and are related to his or her data processing.

3.2. Pursuant to the applicable laws and regulations, the Company ensures the confidentiality of personal data and has implemented appropriate technical and organisational measures to protect the data against unauthorised access, unlawful processing or disclosure, accidental loss, modification or destruction.

3.3. The Company is entitled to use the processors of personal data to ensure the processing of personal data. In such cases the Company takes the necessary measures to ensure that such processors of personal data carry out the processing of personal data in accordance with the instructions of the Company and in line with the applicable laws and regulations and the Company also requests the implementation of appropriate security measures.

3.4. In case the Company will update this Policy, any modifications and also the current version of the Policy will be published on the website of the Company: https://dsg-karjeri.lv/ , meanwhile the previous versions of this Policy can be accessed by contacting the Company.

3.5. In order to provide better and more appropriate products and services to the Customer and also in order to ensure, maintain, protect and improve the existing products and services, the Company shall process the data collected as the result of the provision of services.

4. Categories and Examples of the Personal Data of Customers

*No.*	*Data category*	*Examples*
1.	Personal identification data	given name, surname, personal identification number / ID, date of birth, passport number / ID number
2.	Personal contact information	address, telephone number, e-mail address
3.	Data of the contact persons of the customer	given name, surname, e-mail address, telephone number of the contact person
4.	Customer data	customer contract number, registration date of the customer, status, date of signature, type, annex number, annex date
5.	Service data	service name, service address, price, discount, validity period of the discount
6.	Profiling data of the customer	classification in the category, segment, sub-segment
7.	Data available on the website of the Service Provider upon applying for a service by the Customer or registration	service / goods which the Customer wishes to receive, user number, activities carried out, user names and passwords assigned to the Customer
8.	Communication data	incoming / outgoing communication, communication via phone, correspondence, content, delivery status
9.	Solvency verification data	status of the existence of an external debt, credit risk rating, solvency status
10.	Settlement data	payment system account number, bank account number, invoice number, date, amount, type of receipt of an invoice, payment date, amount of the debt, debt collection information
11.	Complaint data	complaint description, applicant, application number, e-mail, registration / resolution date, type
12.	Customer survey data	date of sending out the survey, date of the provision of a reply, survey questions and answers, unless the survey is anonymous
13.	Activities carried out on the website (www.dsg- karjeri.lv)	IP address, log files
14.	Video recordings	digital image of a person, vehicle number (in exceptional cases, upon establishing an infringement of one’s rights, by contacting national regulatory authorities, law enforcement authorities, information may be collected on a person who has visited the site of the Controller or on the owner of the vehicle), date and time

5. Legal Basis for Data Processing

5.1. Conclusion and execution of a contract – in order to enable the Company to conclude and fulfil a contract with the Customer, to ensure quality provision of a service regardless of whether a written contract has been concluded with the Customer and also in ensuring customer service the Company must collect and process specific personal data which are collected prior to the conclusion of a contract or during the validity period of a contract which has already been concluded (Article 6(1) (b) of the Regulation).

5.2. Legitimate interests of the Company – taking due account of the interests of the Company, based upon the provision of quality services and timely support to the Customer, the protection of the rights of the Company, the Company has the right to process the personal data of the Customer to the extent it is objectively required for the Company and sufficient for the purposes of this Policy. The processing of personal data by carrying out video surveillance at the sites of the Company and adjacent territories thereof, and direct marketing whereby new and/or customised offers of the products and services of the Company are made to the Customer shall be regarded as the legitimate interests of the Company (Article 6(1) (f) of the Regulation).

5.3. Fulfilment of legal obligations – the Company is entitled to process personal data in order to comply with statutory requirements and also in order to respond to the legitimate requests by the state and municipal authorities (Article 6(1) (c) of the Regulation).

5.4. Consent of the Customer – the Customer as the subject of personal data gives consent to the collection and processing of personal data for specific purposes. The consent of the Customer is expressed freely and it is an independent decision that can be provided any time, thereby allowing the Company to process the personal data for specific purposes. The consent of the Customer is binding upon the Customer if provided in writing or through the website of the Company designed for the application for the service (www.dsg-karjeri.lv). The Customer is entitled to revoke his or her consent provided previously any time through the specified communication channels with the Company. The submitted changes will become effective within three working days. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal (Article 6(1) (a) of the Regulation).

5.5. Protection of vital interests – the Company is entitled to process personal data in order to protect the vital interests of the Customer or another natural person, e.g., if processing is necessary for humanitarian purposes, in the event of natural disasters and for monitoring human-caused epidemics and their spread or in emergency humanitarian situations (acts of terrorism, cybercrimes, technogenic disasters, etc.) (Article 6(1) (d) of the Regulation).

5.6. The exercise of official authority or public interest – the Company is entitled to process data in order to complete a task required for public interest or implementing the legitimate official authority vested in the Company (Article 6(1) (e) of the Regulation). In such cases the basis for the processing of personal data is stipulated in laws and regulations.

6. Purposes of Data Processing

6.1. For the purposes of general customer relations management and sale of services, provision and administration of access products and services, to conclude and execute a contract with the Customer, to ensure updated and accurate data, verifying and supplementing data.

6.2. The Company processes personal data to ensure quality, timely and convenient servicing of the Customer during the contractual term:

6.2.1. to manage the customer relations (including remotely), to ensure conclusion of contracts and to implement processes related thereto;

6.2.2. to verify the creditworthiness of the Customer, to offer the Customer new and more advanced products and services;

6.2.3. to communicate with the Customer, to review the complaints of the Customer and to provide support (including technical support) in relation to the provided services;

6.2.4. to ensure more efficient cash flow, including administering the payments and debts of the Customer;

6.2.5. to register services that the Customer is interested in, to manage the existing services and to generate statistics or reports.

6.3. The Company carries out the processing of personal data to contribute to the development of the sector and to offer new services to the Customer.

6.4. The Company processes personal data by carrying out video surveillance at the sites of the Company and adjacent territories thereof for the purpose of recording the visitors of the territory, potential persons posing a threat to the sites in order to prevent a criminal offence.

7. Rights of the Data Subject

The data subject has rights with regard to the processing of his or her data classified as personal data pursuant to the applicable laws and regulations. In general, such rights are as follows:

7.1. The right to request rectification of personal data if such data are non-compliant, incomplete or incorrect.

7.2. The right to object to the processing of personal data, provided that there is a legal basis for doing so, including to object the profiling of personal data.

7.3. The right to request erasure of personal data, if, for instance, personal data are processed based on consent and the Customer has revoked his/her consent. These rights are not applicable, if personal data that are requested to be erased are processed also on a different legal ground, e.g., on the basis of a contract or obligations arising from the respective laws and regulations or their retention is prescribed in the applicable laws and regulations.

7.4. The right to restrict the processing of personal data pursuant to the applicable laws and regulations, e.g., while the Company assesses whether the Customer is entitled to request erasure of his or her data.

7.5. The right to receive information on whether the Company processes the personal data of the Customer and, if so, to access such data in accordance with the procedures prescribed by the Regulation.

7.6. The right to receive his or her personal data that the Customer has provided to the Company and that are processed based on consent and contract in writing, or in another commonly used electronic formats and, if possible, to transfer such data to another company (data portability).

7.7. The right to withdraw consent for the processing of his or her personal data.

7.8. Not to be subjected to completely automatised decision-making, including profiling, if such decision-making has legal consequences or similar significant impact on the Customer.

7.9. The right to submit complaints about the use of personal data to the Data State Inspectorate (www.dvi.gov.lv) if the Customer believes that the processing of his or her personal data violates his or her rights and interests pursuant to the applicable laws and regulations.

The data subject, upon submitting any request, if the request applies to its personal data, shall ensure the following:

– the request must be submitted in writing by drawing up an official letter;

– it is necessary to identify oneself;

– it is necessary to indicate a precise address whereto a reply can be sent by the Company.

The Company is entitled to request additional information in order to unmistakably identify the person.

The Company has the obligation to assess the validity of the request submitted by the data subject. If the Company establishes that the request submitted by the data subject is valid and technically feasible, the Company shall issue the requested data to the data subject.

8. Cookies

Cookies are small text files created and stored on the device of the Customer (computer, tablet, mobile phone, etc.) after the Customer visits the websites of the Company. Cookies ‘remember’ the user experience and basic information and thereby improve the user experience on the website of the Company. The Company does not use cookies for the purposes included within the framework of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

We use functional cookies in order to ensure accessibility to our website. More detailed information on cookies:

In detail
Name	Service Provider	Purpose	Period	Type
pll_language	WP SYNTEX (Austria)	Retains the language selection by the user when browsing the website.	1 year and 20 days	Functional
NID	Google	Retains the selected browsing data	1 year and 20 days	Functional

9. Storage Period

Personal data shall be processed for as long as it is necessary to achieve the objectives of such processing. Storage period can be based on a contract concluded with the Customer, legitimate interests of the Company or applicable laws and regulations (e.g., laws on accounting, anti-money laundering, period of limitation, civil rights, etc.).

10. Ways of Obtaining Personal Data

The Company obtains the personal data of the Customer when the Customer:

– concludes a contract with the Company and provides the information necessary for concluding such contract, purchases and uses the products or services of the Company;

– visits the territory of the Company, a video recording is made by using the video surveillance devices of the Company and, where necessary, is identified;

– requests from the Company further information on the product purchased by the Customer or contacts the Company in relation to a complaint or the information request, identifying the Customer;

– enters information on the website of the Company;

– the Company may process the personal data of the Customer received from third parties in accordance with the applicable laws and regulations.

11. Data Protection

11.1. The Company ensures, constantly reviews and improves protection measures in order to protect the personal data against unauthorised access, accidental loss, disclosure or destruction. In order to ensure the use of advanced technology by the Company, technical and organisation requirements, including taking a responsible attitude towards the rights of the employees of the Company to access personal data, the Company shall install firewalls in its systems, ensure regular change of passwords, etc.

11.2. The Company carefully verifies all the service providers that process the personal data of the Customer in the name and on behalf of the Company and also assesses whether co-operation partners (processors of personal data) apply appropriate safety measures to ensure that the customer data would be processed in accordance with the delegated task of the Company and the requirements laid down in laws and regulations. Co-operation partners are not allowed to process the personal data of the Customer for their own purposes.

11.3. The Company does not take any responsibility for any unauthorised access to personal data and/or loss of personal data if it does not depend on the Company, e.g., due to the fault and/or negligence of the Customer.

12. Processing Territory

12.1. Personal data are usually processed in the European Union/ European Economic Area (EU/EEA); however, in certain cases the data can be transferred and processed in countries outside the EU/EEA.

12.2. Transfer and processing of personal data outside EU/EEA can be performed upon legal basis, namely, to execute a legal obligation, to conclude or fulfil a contract or in accordance with consent of the Customer and if appropriate safety measures have been implemented. Appropriate safety measures include, for instance:

– agreement has been concluded, including EU contract standard clauses or other approved regulations, code of conduct, certifications, etc. approved in line with the General Data Protection Regulation;

– in the country that is not a member of the EU/EEA where the recipient is located appropriate data protection level is ensured in accordance with the decision of the European Commission.

12.3. Upon request, the Customer can obtain detailed information on the transfer of personal data to countries outside EU/EEA.

13. Contact Information

13.1. Both the Customer and the data subject may contact the Company concerning any matters related to the processing of personal data by writing to the legal address of the Company or by emailing to birojs@dsg-karjeri.lv.

Approved in Riga,

Board of SIA “DSG Karjeri”