The goal of this policy is to inform natural persons (data subjects) about the purpose, scope and protection of personal data processing carried out by LLC Flora.
1. Controller and its contact information
Controller – for the purpose of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) – LLC Flora, uniform registration No. 41702000121, registered office at Tērvetes Street 85, Jelgava.
Contact information of the controller for issues related to personal data processing: firstname.lastname@example.org, Tērvetes Street 85, Jelgava, LV-3008.
You can contact us via the communication channels provided to ask questions about personal data processing.
2. General matters
The Controller ensures the privacy and personal data protection of its Customers and respects Customers’ right to lawful processing of personal data in accordance with the applicable laws and regulations of the Republic of Latvia.
Regarding specific types of data processing (for example, processing of cookies etc.), specific conditions may exist, about which the Customer is notified when he or she provides the relevant data to the Controller.
3. Processing of Customer’s Personal Data
3.1. To process a mutual transaction
In order to enter into a mutual transaction upon the Customer’s application and to ensure that it is executed, the Controller processes the Customer’s personal data based on Article 6(1)(b) of the General Data Protection Regulation.
Personal data processing for this purpose is carried out when:
– the Customer expresses a wish (clicks the button “Request quote” or similar on the Controller’s website);
– the Customer expresses a wish to buy (by sending a relevant e-mail, over the phone, etc.) wooden windows, doors and other products or services;
– the relevant agreement is to be entered into with the Customer and performed. If the personal data required for the purpose under this clause are not provided, it will not be possible to enter into the relevant transaction with the Customer and the Customer will not be able to receive the chosen product or service.
Processing is necessary for taking measures before entering into the relevant transaction (for example, Customer identification, document preparation), as well as while the transaction is carried out (for example, Customer identification, ensuring service and improvements, Customer service, payment administration, sending of messages on the progress of the agreement and on conditions essential for the performance of the agreement), etc.
3.2. To ensure legitimate interests of the Controller
In order for the Controller to implement its legitimate interests related to its commercial activities as well as protection of property and employees, the Controller plans to process Customer’s personal data on the basis of Article 6(1)(f) of the General Data Protection Regulation.
Processing may be necessary to:
– ensure the Controller may conduct its business;
– promote quality improvement of product or service;
– ensure the product guarantee;
– provide customer service;
– improve customer service quality;
– review and process complaints;
– avoid unnecessary financial risks to its business activity (incl. to carry out credit risk assessment during service sales and contract performance);
– recover and enforce debts;
– analyse how the Controller’s website is used, and develop and introduce improvements to it;
– send other notifications related to the performance of the contract;
– perform customer surveys about products and services and their user experience;
– prevent fraud;
– protect its property and staff;
– address state administration and operative bodies and the court in order to protect its legitimate interests.
Where Customer’s personal data are used for specific purposes in order to ensure Controller’s legitimate interests, the Customer will be notified individually, according to the procedure laid down in laws and regulations.
This processing is not directly necessary for entering into a contract or performing it; however, it is essential for the Controller’s business activity, so that the Controller can ensure efficient company management processes as well as protect its property and staff.
3.3. According to the consent of the Customer as data subject
Where the Customer has agreed to the processing of his or her data for one or more purposes, the personal data are processed based on Article 6(1)(a) of the General Data Protection Regulation.
Based on the Customer’s consent, the Controller may send the Customer commercial information on the Controller’s products and services (which are not related to agreements signed by and between the Controller and the Customer), provide news updates, and invite the Customer to participate in surveys related to the development of improvements, as well as in other cases.
The Customer is entitled to withdraw his or her consent at any time by sending a relevant notice to the e-mail address email@example.com.
The Controller will discontinue sending of said communications as soon as the Customer’s request is processed.
Request processing time may depend on technological possibilities, potentially up to three days.
Withdrawal of the consent does not affect data processing which was performed while the Customer’s consent was in force.
Consent withdrawal does not stop data processing carried out on the basis of other legal grounds.
4. Categories of personal data recipients
Personal data shall be processed by properly authorised employees of the Controller.
Some processing operations may be carried out by external companies properly contracted by the Controller.
The Controller does not disclose Customers’ personal data or any information obtained during the validity period of the contract unless it is required:
– within the framework of a contract to carry out a function necessary for performing the contract or delegated under the contract (i.e., to the bank for settlement purposes);
– according to explicit and evident consent of the Customer;
– in cases laid down in laws and regulations (i.e., in laws and Cabinet Regulations) according to the procedure and scope thereunder;
– for the protection of the Controller’s legitimate interests, for example, when turning to the court or other national authorities against a person who has infringed the Controller’s legitimate interests.
5. Communication with Customer
The Controller shall communicate with the Customer when necessary via the contact info (telephone number, e-mail address, postal address as well as by using the app notifications) provided by the Customer.
The Controller shall perform contractual obligations on the basis of the contract signed (i.e., information about bills, scheduled operations, changes).
6. Transfer of data to third countries or international organisations
The Controller does not intend to transfer personal data to a third country (a country that is not a member state of the European Union or European Economic Area) or international organisation.
Should the Controller intend to transfer personal data to companies or organisations in third countries, the Controller shall apply the procedures laid down in laws and regulations to ensure the level of protection and processing of personal data.
7. Duration of personal data storage
The Controller shall store the Customer’s data as long as any of the following criteria is met:
– the agreement entered into with the Customer or the guarantees are in force;
– while the Controller or the Customer may exercise their legitimate interests according to the procedure stated in laws and regulations (for example, to submit complaints or lodge a claim in a court);
– while there is a legal obligation to store data (for example, under the Law On Accountancy);
– as long as the Customer’s consent for processing of the relevant personal data is in force, unless there are other legal grounds for data processing.
Once the circumstances mentioned above cease to exist, the Customer’s personal data are deleted.
8. Rights of the data subject
The Customer is entitled to receive statutory information regarding his or her data processing:
– updated information about the types of their personal data in the possession of the Controller, the purposes for which the Controller processes them, information about the categories of personal data recipients (unless the laws and regulations allow providing such information in particular cases), information about the period of data storage or the criteria used to determine such period, as well as information about the data source if the personal data are not collected from the data subject;
– in cases stated under laws and regulations, the Customer is entitled to request editing of their personal data if the person believes that the Controller possesses outdated, inaccurate or incorrect information;
– the Customer is entitled to request that their data be deleted or to object to their processing if the Customer believes that the personal data are processed illegally or are no longer necessary for the purposes they were collected for or otherwise processed;
– Article 18 of the General Data Protection Regulation lists cases where the Customer is entitled to request the Controller to restrict data processing.
The Customer may submit a request to exercise their rights by sending a written request to the legal address of the Controller or by sending an e-mail signed with a secure digital signature to firstname.lastname@example.org.
The Customer’s request must indicate the preferred type of communication. The Controller will take into account the type of communication indicated by the Customer.
Once the request is received, the Controller will evaluate the grounds of the request and will execute it or provide a substantiated reply to the Customer not later than within one month of receiving the request.
The Controller shall ensure that data processing and protection requirements are met in line with local laws and regulations and, in case of the Customer’s objection, will take the necessary actions to resolve the objection. However, if this fails, the Customer is entitled to turn to the supervisory authority, the State Data Inspectorate.