Within the framework of previous cooperation you, as an existing and potential customer or business partner, have given your consent to SIA "UGO AUTO", as the data controller, to process personal data for the specified purposes. Thus, your personal data is processed in our database.
1.3. This Policy applies to processing of personal data, irrespective of the form and / or environment in which the natural person provides the personal data (entering the territory and / or premises, via telephone, verbally, etc.) and in which of the Controller's systems (video, audio, web, etc.) they are processed.
2.1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter - Regulation).
2.2. Other applicable laws in the field of processing and protection of personal data, including regulations governing information society services.
3. Purposes of personal data processing
3.1. The Controller shall implement:
a) A system of bookkeeping and document accounting of the orders of goods for the purpose of ensuring accurate provision of services, performance of contractual obligations and legitimate interests of the Controller;
b) Preservation and publication of event documents and photo and / or video archives of events organised by the Controller and his business partners for the purpose of promoting the recognition of the Controller and its represented brands, as well as developing professional and educational quality standards in the fields of activities and interests of the Controller;
c) Video surveillance for the purpose of preventing or detecting criminal offences related to the protection of persons and property, protection of legal interests of the Controller or any Third Party, and protection of vital interests, including life and health, of persons;
d) Storage and tracking of incoming and outgoing communications (email, WhatsApp / Skype, mail) to ensure compliance with contractual obligations and legitimate interests of the Controller;
e) The Controller shall perform visit history analysis of the website www.intrcars.eu/lv in order to conduct market research and analysis of Data subjects’ views on using cookies;
f) A platform in the social networks for informing customers, potential customers and business partners - with the purpose of communicating important news on operations of the Controller, commerce news, promotions and respecting legitimate interests of the Controller.
3.2. When processing personal data for purposes other than those set out in this Policy, the Controller shall inform the Data subject separately of the individual processing conditions, subject to the conditions of Article 13 of the Regulation. In this Policy the Controller has emphasised data processing for the purposes the conditions of Articles 13 and 14 of the Regulation.
4. What personal data is processed by the Controller?
4.1. Categories of personal data processed by the Controller depend on the services of the Controller used by individuals. For example, when a Data subject receives or expresses a wish to receive services provided by the Controller, to purchase materials and goods from the Controller, in accordance with the requirements of the regulations and legitimate interest of the Controller, the Controller has the obligation and the right to process the identifying information of the Data subject and information proving the identity of the person. In this case, for the purpose of providing services, the Controller may process the amount of personal data that includes name, surname, personal identification number, contact information, information on received and receivable services and assortment of goods, person's vehicle registration and identification data, including chassis number, national registration number (how often, what services are selected, what materials and goods are purchased, if and how many warranties, return and exchange of goods, method and terms of payment, late payments, etc.), and other relevant information is recorded in the documentation and stored in the data processing system of the Controller.
4.2. Upon receipt of services by the Data subject, personal data shall be processed in accordance with the agreement between the Parties.
4.3. When the Data subject enters / gets into the premises or area with the video surveillance of the Controller, the video image and time of when they have visited the premises may be processed. Video surveillance is not executed in areas where Data subjects expect increased privacy, in resting areas, changing rooms, etc. Recording scope of the video surveillance cameras is focused on corridors, entrance / exit, cars and their movement in the area of the Controller.
4.4. When communicating in writing with the Controller, the content and timing of the communication may be recorded, as well as information about the used communication tool (email address, phone number, Skype username, etc., address, information provided in the e-signup system).
4.5. At the events and venues organised by the Controller and his business partners, photo and video documentation of the event is conducted, interviews are recorded and, as a result, photo and video images of the participants can be processed by storing them in the Controller's archives, posting them on the website, social network accounts maintained by the Controller and in other informative materials of the Controller.
5. What are the legal grounds for processing personal data?
5.1. Processing of the data for the purpose of providing services is based on Article 6 (1) (b) and (c) of the Regulation, that is, processing is necessary for the performance of the contract to which the Data subject is party or in order to take steps at the request of the Data subject prior to entering into a contract; processing is necessary for compliance with a legal obligation to which the Controller is subject. In addition, in certain cases, to ensure the legitimate interests of the Controller and Third Parties (for example, to investigate complaints about the quality of service, follow-up, to improve service delivery, and to provide evidence against possible claims), processing shall be conducted according to Article 6 (1) (f).
5.2. In contracts, settlement and accounting documents incorporated and other personal data processed by the Controller may also be used for other purposes, in the legitimate interest of the Controller or with the proper and specific consent of the Data subject, even if the original purpose of processing was different.
5.3. The video surveillance is based on Article 6(1) (d) and (f) of the Regulation, that is, processing of personal data is necessary to protect the vital interests of the Data subject or other natural person (for example, in video surveillance, when processing of personal data is necessary for the protection of life and health of the person involved in the prevention and / or detection of criminal offences); for the legitimate interests of the Controller and Third Parties (for example, to prevent or detect criminal offences in relation to property protection, to provide evidence, to ensure the highest standards of customer service quality).
5.4. Incoming and outgoing communications (email, WhatsApp / Skype, mail) are stored and recorded on the basis of Article 6(1) (b) (c) and (f) of the Regulation, to ensure compliance with contractual obligations and legitimate interests of the Controller; to ensure compliance with the statutory obligations of the Controller, that is, to keep records of correspondence in accordance with the nomenclature of the Controller and requirements of the Archive Law, as well as to ensure respect of the legitimate interests of the Controller (for example, to investigate the complaints regarding the quality of customer service and merchandise and to provide evidence against possible claims).
5.5. The Controller shall conduct analysis of the website, social networks visit history in order to conduct market research and analysis of the Data subject's views on the basis of Article 6 (1) (f) of the Regulation, that is, the Controller has legitimate interest in conducting analysis that shows or may show whether his brand or his represented brands are recognisable, as well as conducting surveys by sending relevant information and offers to Data subjects.
6. What is the time period for processing personal data?
6.1. The Controller shall take into account the following circumstances when selecting the criteria for storage of personal data:
a) Whether the storage period of personal data is determined by or pursuant to the legislation of the Republic of Latvia and the European Union;
b) The period for which the personal data in question are to be stored in order to ensure the realisation and protection of the legitimate interests of the Controller or a Third Party;
c) As long as the consent of the person to process personal data has not been withdrawn and no other legal grounds for data processing exist, for example, to fulfill the obligations incumbent on the Controller;
d) The Controller must protect the vital interests, including life and health, of the Data subject or other natural person.
6.2. When providing services, the Controller shall comply with the specific regulations governing his obligation to store certain data. For more detailed information please contact the Controller, using the contact information mentioned above.
6.3. For services with a limited warranty period, information regarding service aspects will be stored for at least 3 years, subject to the limitation applicable to the legal relationship in question. The above-mentioned term applies also to processing of visual data (video) obtained for the purpose of recording the conformity of the goods.
6.4. Video surveillance records for the purpose of preventing or detecting criminal offences relating to the protection of persons and property, protection of legal interests of the Controller or Third Party and protection of vital interests of persons, including life and health, shall be stored for a period which does not exceed 30 days, unless the video recording in question reflects a possible unlawful conduct or a conduct which, possibly, might help the Controller or the Third Party to ensure their legal interests. In this case, the video in question may be retrieved and stored until the legal interest is ensured.
6.5. Storage and tracking of incoming and outgoing communications (email, WhatsApp, Skype, mail) in order to ensure legitimate interests of the Controller shall be stored for a period which does not exceed five years, unless the video recording in question reflects a possible unlawful conduct or a conduct which, possibly, might help the Controller or the Third Party to ensure their legal interests.
6.6. After the end of the storage period, personal data shall be permanently deleted unless a legal act, for example, the Archives Law, imposes an obligation to store.
7. Who has access to information and to whom it is disclosed?
7.1. The Controller has an obligation to provide information on the processed personal data:
a) To law enforcement authorities, courts or other public and local authorities, where it is provided for by regulations, and the authorities concerned have the right to the requested information, if it had to be requested specifically;
b) If the Third Party in question is required to transfer personal data in the context of a contract in order to carry out any function required for the performance of the contract (for example, in case of warranty, insurance contract; for execution of legitimate interests of the Controller) or, if it is necessary to improve service and the provision of quality services to customers, by attracting service providers;
c) Upon clear and unambiguous request by the Data subject;
d) For protection of legitimate interests, for example, by bringing action before a court or other public authority against a person, who has prejudiced the legitimate interests of the Controller.
7.2. The recipients of personal data may be authorised officers of the Controller, Processors, law enforcement and supervisory authorities.
7.3. The Controller shall issue personal data of natural persons only to the necessary and sufficient extent, in accordance with the requirements of regulations and objective circumstances justified by the particular situation.
8. How is Data subject informed about the processing of personal data?
8.1. The Data subject is informed of the processing of personal data referred to in this Policy by using a multi-level approach, which includes the following methods:
a) Notices are put in the areas of video surveillance warning Data subjects (pedestrians, drivers, visitors, employees, etc.) of video surveillance in the area of the Controller, providing basic information related to video surveillance, as well as informing about the possibilities to obtain more detailed information;
c) When visiting the website, Data subject may get acquainted with the notice of what cookies are being used, and is also invited to familiarise himself / herself with the Policy in question.
This Policy of the Controller is publicly available on the Controller's website www.ugoauto.lv and at the Controller's customer service points.
9. Data subject rights
9.1. The Data subject shall have the right to request from the Controller access to his / her personal data and to obtain information clarifying what personal data is held by the Controller, for what purposes the Controller processes such personal data, the categories of recipients of personal data (persons to whom personal data has been disclosed, unless regulations permit the Controller to provide such information in the particular case (for example, the Controller may not disclose to the Data subject information about relevant public authorities that are criminal prosecutors, investigators or other entities of which it is prohibited by regulations to disclose such information)), information about the time period, for how long the personal data shall be stored, or criteria used to determine that period.
9.2. If the Data subject considers that the information held by the Controller is outdated, inaccurate or incorrect, the Data subject has the right to request correction of his / her personal data.
9.3. The Data subject has the right to request deletion of his / her personal data or to object to processing, if the person considers that the personal data have been processed unlawfully, or they are no longer necessary for the purposes for which they were collected and / or processed (in accordance with the principle of “the right to be forgotten”).
9.4. The Controller informs that the Data subject's personal data cannot be deleted if processing of personal data is necessary: for the Controller to protect the Data subject or other natural person's vital interests, including life and health, to protect the property of the Controller, for the Controller or a Third Party to bring, pursue or defend legal (lawful) interests; for archiving purposes according to regulations in force in Latvia which govern the construction of archives.
9.5. The Data subject has the right to request that the Controller limits processing of the Data subject's personal data, if one of the following circumstances exist:
a) The Data subject disputes accuracy of the personal data - for a period within which the Controller may verify the accuracy of the personal data;
b) Processing is unlawful, and the Data subject objects to deletion of the personal data and requests a restriction on the use of data instead;
c) The Controller no longer needs personal data for processing, but they are necessary for the Data subject in order to bring, enforce or defend lawful claims;
d) The Data subject has objected to processing until it has been verified that the legitimate reasons of the Controller are more important than the legitimate reasons of the Data subject.
9.6. If processing of personal data of the Data subject is limited according to Article 10 (5), such personal data, other than storage, shall be processed only with a consent of the Data subject or in order to bring, enforce or defend legitimate claims, or to protect the rights of any other natural or legal person or important interests of society.
9.7. Prior to lifting the limitation on processing of personal data by the Data subject, the Controller shall inform the Data subject.
9.8. The Data subject has the right to lodge a complaint with the Data State Inspectorate if he / she considers that the personal data have been processed unlawfully by the Controller.
9.9. The Data subject may submit a request for enforcement of his / her rights by:
a) In writing, in person on the premises of the Controller, by presenting an identity document (for example, a passport or an ID card, etc.), as the Data subject is required to identify himself / herself;
b) Electronically, by signing with a secure electronic signature. In this case, the Data subject is presumed to have identified himself / herself by submitting a request which is signed with a secure electronic signature. At the same time, the Controller reserves the right to request, in case of doubt, additional information from the Data subject if he considers it necessary.
c) By post. In this case, the reply shall be prepared and sent by registered mail, thus ensuring that unauthorised persons will not be able to receive the mail. At the same time, the Controller reserves the right to request, in case of doubt, additional information from the Data subject if he considers it necessary.
9.10. The Data subject shall, as far as possible, specify in his / her request the date, time, place and any other circumstances which would help meet his / her request.
9.11. Upon receipt of a written request from the Data subject to enforce his / her rights, the Controller shall:
a) Verify the identity of the person;
b) Consider the request if:
• it is possible to provide the request, for example, watching video materials or listening to an audio recording, then the Data subject as the applicant may receive a copy of the video materials or audio recording, or other data.
• additional information is necessary to identify the Data subject requesting the information, then the Controller may request additional information from the Data subject to be able to correctly select the information (for example, video surveillance or conversation recordings, photographs) in which the Data subject is identifiable.
• the information has been deleted or the person requesting the information is not the Data subject or the person is not identifiable, then the Controller may reject the request in accordance with this Policy and / or regulations.
10. How is personal data protected?
10.1. The Controller shall ensure, constantly review and improve personal data protection measures in order to protect the personal data of natural persons from unauthorised access, accidental loss, disclosure or destruction. In order to ensure this, the Controller shall use appropriate technical and organisational requirements, including using firewalls, intrusion detection, analysis software and data encryption.
10.2. The Controller shall carefully examine all service providers who process personal data on behalf of and directed by the Controller, as well as assess whether the business partners (processors of the personal data) apply appropriate safety measures to ensure that the processing of personal data of natural persons would be in compliance with the Controller's orders and regulatory requirements.
10.3. In the event of a personal data security incident, if it poses the highest possible risk to the rights and freedoms of the Data subject, the Controller shall, if possible, notify the Data subject in question, or the information shall be made public on the Controller's homepage or otherwise, as for example, through media (TV, radio, newspaper, social networks, etc.).
11. Your consent is the legal grounds for SIA "UGO AUTO", as the data Controller, to process your personal data (email address, name, surname, company name, address) for sending informative materials to the communicated or this email address.
13. You have the right to request access to your personal data and the correction or deletion thereof, or limitation of processing, or the right to object to the processing, as well as the right to data portability, and also to withdraw your consent at any moment and lodge the complaint with the supervisory authority, which is, in this case, the Data State Inspectorate.
14. Taking into account the nature, extent, context and purposes of the processing, as well as different degrees of probability and severity of risks to the rights and freedoms of natural persons arising from processing, SIA "UGO AUTO" shall implement appropriate technical and organisational measures, both during the determination of the processing means and during the processing itself, designed to effectively implement data protection principles, for example, data minimisation, and to integrate into processing the necessary safeguards in order to meet legal requirements and protect the Data subject rights.
15. SIA "UGO AUTO" shall implement appropriate technical and organisational measures to ensure that, by default, only such personal data are processed which are necessary for the particular purpose of the processing. The above-mentioned obligation concerns the scope of personal data, their degree of processing, the period of storage and their availability. In particular, such measures shall ensure that, by default, personal data are not made accessible to an indefinite number of individuals without the involvement of a person.
16. By giving consent, the personal data of subjects shall be processed until the consent is revoked; at the same time, SIA "UGO AUTO" reserves the right to delete data at any moment if, in its opinion, it is not possible to achieve the purpose of data processing and the data in question are not necessary for another purpose where there are different legal grounds for achieving it. In this case, as a data subject, you will be notified individually via the contact information you provided.