The data privacy policy of Aina Muceniece Virotherapy Foundation
I. INFORMATION ABOUT THE DATA MANAGER AND ITS CONTACT INFORMATION
1. The Aina Muceniece Virotherapy Foundation registered at the following legal address (11. novembra krastmala 29, Riga, LV-1050) is the manager of your personal data.
2. Contact information for questions regarding the processing of your personal data is as follows:
2.1. In writing: 11. novembra krastmala 29, Riga, LV-1050;
2.2. Online: http://www.virotherapyfoundation.org/en/;
2.3. By e-mail: info@virotherapyfoundation.org.
3. Contact information to report a possible violation of data protection regulations: info@virotherapyfoundation.org.
II. GENERAL INFORMATION
4. The purpose of the Privacy Policy is to provide the individual – the data subject – with information about the reason their personal data is being processed, its legal basis, the amount of information being processed, how it is protected and the processing deadline when this data is obtained and while the Data subject’s personal information is being processed. However, we ask that you take note that other documents (service contracts, cooperation agreements, and terms of use for websites or Internet portals) may also provide additional information about the processing of personal data.
5. General characteristics of the personal data processing that has been performed:
5.1. The processing of personal data takes place in accordance with all confidentiality requirements while ensuring the security of the personal data within our possession;
5.2. The terms and conditions of the personal data processing referred to in this notice only apply to the processing of the personal data of individuals.
5.3. By using the websites of the Aina Muceniece Virotherapy Foundation or when becoming a client of the Aina Muceniece Virotherapy Foundation, the individual – data subject – has given permission to have their personal data processed and has accepted its terms and conditions.
6. Use of personal data
6.1. Personal data are collected to fulfil the contractual obligations and any binding legal obligations the Aina Muceniece Virotherapy Foundation has entered into as well as to complete any legitimate interests. In such cases, the acquisition of certain personal data is necessary to achieve a specific goal and the failure to produce such information may endanger the commencement of a business relationship or the completion of a contract.
6.2. In cases where the delivering of data is not mandatory, but its delivery may help to improve a specific service or offer more advantageous contractual conditions and/or offers, when collecting such data it will be noted that this data collection is voluntary.
III. PURPOSES OF PERSONAL DATA PROCESSING AND ITS LEGAL BASIS
7. The purposes of data processing
Personal data are processed in accordance with the abovementioned purposes, including:
7.1. The beginning of a service and its provision, as well as the completion and securing of a contractual agreement. To this end, it is necessary to identify a specific person, to ensure an offer and to prepare a contract, to get in contact should there be any questions regarding the completion of services and/or the completion of the contract (including billing), and, in certain cases, to ensure that no recovery of payments is made. For these purposes personal data are required to prepare contracts and to remain in contact with the client, such as identifying data as well as communication channel data (e-mail, telephone number, address).
The main legal bases to achieve these purposes are as follows:
- a) the signing and execution of a contract (Article 6, point 1, subsection (b) of the General Data Protection Regulation);
- b) compliance with a legal obligation (Article 6, point 1, subsection (c) of the General Data Protection Regulation);
- c) the legitimate interests of the company (Article 6, point 1, subsection (f) of the General Data Protection Regulation), for example, to identify or to communicate with the client and/or partner.
7.2. The requirements of the laws and regulations governing the execution of services or other acts required by those laws and regulations. For this purpose the group of companies is required to comply with both the requirements for the provision of services and the laws and regulations governing accounting, as well as the requirements specified in the Archive Law and other regulatory enactments. For this purpose, the following personal data processing is necessary: the name, surname, social security number, address and other potential information of the client and/or partner’s contact person.
The main legal bases to achieve these purposes are as follows:
Compliance with a legal obligation (Article 6, point 1, subsection (c) of the General Data Protection Regulation).
7.3. To provide news, services and offers of the group of companies. Based on the consent of the individual and their indicated manner of receiving information, information is provided regarding:
- services and activities of the company/group of companies;
- opportunities to express one’s opinions by participating in surveys;
- to send greetings on holidays and special occasions.
For this purpose the following personal data is required: the client’s name, surname, address, telephone number, e-mail address. The main legal bases to achieve these purposes are as follows:
- a) consent of the data subject (Article 6, point 1, subsection (a) of the General Data Protection Regulation);
- b) the legitimate interests of the company (Article 6, point 1, subsection (f) of the General Data Protection Regulation), for example, for the purposes of communication.
7.3.1. An individual has the right to revoke their consent for this purpose at any time, and the group of companies will no longer process the individual’s data for this purpose. The revoking of consent does not affect the processing of personal data which took place when the individual’s consent was still valid. Consent can be revoked online at: http://www.virotherapyfoundation.org/en/ or by calling +371 67809861.
7.4. Safeguarding or preventing a threat to the property interests or ensuring other legitimate interests of the group of companies or third parties. For this purpose, the group of companies must provide video surveillance in its territories, buildings and other properties, record telephone conversations, employ data processors to perform a variety of functions, when necessary sharing personal information with courts and other government institutions and exchanging information within the group of companies using the rights granted by laws and regulations to ensure its legitimate interests.
For this purpose, the following personal data processing is necessary: the name, surname, social security number, address and other potential information of the client and/or partner’s contact person. The main legal basis to achieve this purpose is as follows: The legitimate interests of the company (Article 6, point 1, subsection (f) of the General Data Protection Regulation), for example, for the purposes of discovering criminal offences.
IV. PERSONAL DATA PROCESSING AND PROTECTION
8. Personal data acquisition.
The group of companies acquires the personal data of individuals in one of the following ways:
- a) during the process of entering into a contract with a specific individual;
- b) if a contract is signed with a third party, which indicates an individual as their contact person;
- c) from a specific individual who has submitted a written application, an e-mail or a telephone conversation;
- d) or in another manner in accordance with the legal basis of personal data processing.
9. Personal data access.
The group of companies takes appropriate measures to process personal data in accordance with all applicable laws and regulations and to ensure that third parties who have no legal basis to process specific personal data do not gain access to this personal data.
When necessary, the following can gain access to personal data:
- a) employees of the group of companies or authorised personnel who require access to complete their duties;
- b) personal data controllers in accordance with their given services and only to the extent necessary to fulfil their duties, such as auditors, financial and legal consultants, database developers/maintainers, other persons involved in providing services;
- c) state and local government institutions when required by law, such as law enforcement agencies, supervisory authorities, local governments, tax administrations, sworn bailiffs;
- d) third parties, after carefully assessing whether there is a legal basis for such a transfer of data, such as business partners and other third parties.
V. DURATION OF PERSONAL DATA STORAGE, CONDITIONS AND UPDATES
10. Personal data storage
10.1. Personal data is stored for as long as storage is necessary to complete its processing, as well as in accordance with the requirements of the applicable laws governing data storage. When assessing the duration of personal data storage, the group of companies shall take into account the requirements of applicable laws and regulations, aspects of contractual obligations, instructions by the individual (for example, in the case of consent) and the legitimate interests of the company. If the personal data are no longer required for certain purposes, they are deleted or anonymized.
10.2. The most common conditions for the storage of personal data:
- the completion of contractual obligations – the necessary personal data are stored until the contract is completed and the data storage time period has concluded;
- personal data to be stored in order to comply with legal requirements – data are stored in accordance with the time limits specified in laws and regulations, for example, the “Law on Accounting” specifies that supporting documents must be stored until the date when they are necessary to establish the beginning of each economic transaction to its conclusion, but no less than five years;
- data, which prove the fulfilment of contractual obligations of the group of companies are stored in accordance with storage limitation laws and regulations governing time periods for data storage — 10 years stipulated by Civil Law, three years by the Law on Commerce and other limits designated by other laws and regulations.
VI. DATA ACCESS AND RETURN
11. Personal rights regarding data processing.
11.1. Updating personal data
If there has been a change in the personal data provided by the data subject, such as changes in social security numbers, contact addresses, telephone numbers or email addresses, the data subject should contact the group of companies and submit the most current data in order for the group to complete the relevant personal data processing.
11.2. The right of individuals to access and correct their data
In accordance with the provisions of the General Data Protection Regulation, any person has the right to access personal data held by the group of companies, to request correction, deletion, restriction of processing, to object to the processing of his personal data, has data transfer rights in certain cases specified in the General Data Protection Regulation, as well as the right to withdraw their consent to the processing of personal data.
The company respects the right of the person to access and control his or her personal data, therefore, upon receipt of a request by an individual, the company will reply to this request within the time limits specified by laws and regulations (usually no later than one month, unless there is a specific request that requires a longer period of time to prepare a reply), and, if possible, will correct or delete the personal data.
An individual may obtain information about his or her personal data held by the group of companies or exercise other rights as a data subject in one of the following ways:
- 1) by submitting an application in person and identifying yourself at the office of the group of companies;
- 2) by sending a submission via e-mail;
- 3) by sending the relevant submission to the e-mail address info@virotherapyfoundation.org, which we recommend you sign with a secure electronic signature.
Upon receipt of the submission or application, the group of companies will assess its content and the possibility of identifying the individual and, depending on the situation, will retain the possibility of asking the person to identify himself further in order to ensure the security of his data and its disclosure to the individual concerned.
12. Transfer of personal data outside the European Union (EU) or European Economic Area (EEA) countries.
The group of companies ensures the storage of personal data within the EU and the territory of the EEA, but in certain circumstances personal data may be transferred for processing outside of the EU and EEA to ensure certain services. Any such transfer of personal data is subject to the requirements of the General Data Protection Regulation.
12.1. When sending personal data outside the EU and the EEA, the group of companies meets at least one of the following conditions:
- the data are transmitted to a country, which the European Commission has recognized as a nation providing a sufficient level of personal data protection;
- personal data are sent to a country or an international organisation which provides appropriate guarantees between public authorities or institutions;
- consent has been received from the individual whose personal data will be sent;
- the transfer of personal data is necessary for the execution of an agreement between the group of companies and an individual;
- the transfer of personal data is necessary to conclude a contract between a person, the group of companies and other individuals or legal entities or to execute a contract;
- the transfer of personal data is necessary for the purpose of bringing, implementing or defending legal requirements (for example, for the purpose of legal proceedings).
VII. DATA PROCESSING COMPLAINTS
13. Complaints related to the processing of personal data
13.1. Regarding questions or objections concerning data processing performed by the group of companies, we invite you to contact: (+371 67809861, 11. novembra krastmala 29, Riga, LV-1050, info@virotherapyfoundation.org).
13.2. If an individual believes that the group of companies is unable to resolve the issue or problem and the individual’s right to personal data protection has been violated, they have the right to file a complaint with the Data State Inspectorate. Samples of applications for the Data State Inspectorate and other related information can be found on the website of the Data State Inspectorate.
VIII. CHANGES TO THE PRIVACY POLICY
14. Aina Muceniece Virotherapy Foundation reserves the right to make changes to its Privacy Policy if certain circumstances change, which affect the regulation of personal data processing. Aina Muceniece Virotherapy Foundation recommends that you visit this section on a regular basis to find out the latest information.
15. Aina Muceniece Virotherapy Foundation retains all previous versions of its Privacy Policy, which are available on the website.