Last updated: May 16, 2024
1. Purpose and Scope of this Privacy Policy
The purpose of this Privacy Policy (hereinafter – the Policy) by SIA Request, registration number: 40203423105, legal address: Stabu iela 109 – 1, Riga, LV-1009, Latvia (hereinafter – the Controller) is to inform the Controller’s clients, potential clients, employees, cooperation partners and other persons about the Controller’s activities related to the processing and protection of personal data of natural persons who can be directly or indirectly identified (hereinafter – the Data Subject).
The Policy specifies what personal data of the Data Subject is processed, including obtained, transferred, corrected, stored, deleted, etc., the purposes of such data processing and the legal basis for such processing in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter – the Regulation), as well as the data retention periods and the rights of the Data Subject.
The Policy shall apply to the processing of personal data regardless of the form and/or medium in which the Data Subject provides or the Controller obtains the personal data (e.g. on the premises of the Controller, on the website, in writing, orally, electronically by email or telephone, on the Controller’s social network profiles, etc.).
The Controller shall have the right to make changes to the Policy at its sole discretion. The Policy is available on the Controller’s website – www.request.lv (hereinafter – the Website), as well as at the office and is applicable from the date of approval of the Policy.
2. Information About the Controller
The Controller is SIA Request (hereinafter – Request), registration number: 40203423105, legal address: Stabu iela 109 – 1, Riga, LV-1009, Latvia, email address: [email protected]
3. Categories of Personal Data, Categories of Data Subjects, Purposes of Processing and Legal Basis
The Controller will normally process the personal data of the following Data Subjects:
- Clients and their representatives;
- Potential clients and their representatives;
- Cooperation partners and their representatives;
- Company employees;
- Potential employees of the company.
The Controller shall process the data of natural persons lawfully, fairly and in a manner that is transparent to the Data Subject in order to:
- Provide services to clients;
- Ensure and improve the quality of the services provided by the Controller;
- Implement the Controller’s public relations and marketing activities;
- Administer the employment relationship;
- Comply with the obligations imposed on the Controller by law;
- Protect the Controller’s legitimate interests and the legitimate interests of the Data Subject. The legitimate interests of the Controller are: to carry out and administer its business activities, to verify the identity of the Data Subject before entering into a contract, to receive payments, to improve the quality of services, to analyze demand, to protect the rights and legitimate interests of the Controller and the Data Subject, etc.
The Controller will normally process the following categories of personal data:
- Name and personal identification number;
- Address, telephone number and email address;
- Bank account number and tax identification number;
- Photo, video recording;
- Information on employee education and health data (as part of compulsory health checks for staff).
The legal basis for the processing of natural persons’ data by the Controller may be:
- Article 6(1)(a) of the Regulation, which states that processing is lawful if the Data Subject has given his or her consent to the processing of his or her personal data for one or more specified purposes;
- Article 6(1)(b) of the Regulation, which states that processing is lawful if the processing is necessary for the performance of a contract to which the Data Subject is a party or for taking measures at the request of the Data Subject prior to entering into the contract;
- Article 6(1)(c) of the Regulation, which states that processing is lawful if the processing is necessary for compliance with a legal obligation to which the Controller is subject;
- Article 6(1)(f) of the Regulation, which states that processing is lawful if the processing is necessary for the pursuit of the legitimate interests of the Controller or of a third party, except where the interests or fundamental rights and freedoms of the Data Subject which require the protection of personal data override such interests, in particular where the Data Subject is a child;
- Article 9(2)(h) of the Regulation, which states that processing of health data is lawful if the processing is necessary for the assessment of the employee’s fitness for work on the legal basis of the law of the European Union or its Member States or pursuant to a contract with a health professional.
The Controller shall process the name, surname, address, telephone number, email address, bank account number and tax identification number for the purpose of providing services to its clients, fulfilling its statutory obligations based on Article 6(1)(b) and/or (c) of the Regulation.
The Data Subject’s contact details (name, surname, telephone number, email address) may be processed for the purpose of contacting or providing information to the Data Subject only in the interests of the Data Subject and in relation to the services for which the Data Subject has opted in on the legal basis of Article 6(1)(a) of the Regulation.
The photo and/or video image, name, surname is processed for the purpose of the public relations and/or marketing purposes of the Controller on the legal basis of Article 6(1)(a) of the Regulation.
The Controller shall process name, surname and education data for the purpose of assessing the Data Subject’s eligibility for an open vacancy on the legal basis of Article 6(1)(a) of the Regulation.
Employees’ health data is processed for the purpose of assessing the employee’s fitness for work on the legal basis of Article 9(2)(h) of the Regulation.
4. Duration of Storage of Personal Data
Personal data shall be stored in accordance with the procedure and duration established by the laws and regulations of the Republic of Latvia, the consent of the Data Subject, the concluded contract or the legitimate interests of the Controller, as well as if there is another legal basis.
5. Transfer of Personal Data Outside the European Union or the European Economic Area
The processed personal data will not be transferred outside the European Union or the European Economic Area, nor will it be transferred to any international organization, unless the Data Subject has given his or her consent.
6. Categories of Recipients of Personal Data
Where there is a legal basis to do so, personal data may be transferred to authorities, banks, insurance companies, the Controller’s software providers, hosting service providers, social network providers, personal data processors engaged by the Controller, business partners, courier or postal service providers, etc.
7. Security of Processing of Personal Data
The Controller shall ensure that personal data is processed in such a way as to ensure appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by means of appropriate technical or organizational measures.
8. Data Subject’s Access to Personal Data
The Data Subject shall have the right to obtain confirmation from the Controller as to whether or not personal data is being processed in relation to the Data Subject and, if so, the Data Subject shall have the right to access the relevant data and to obtain the information referred to in Article 15(1)(a) of the Regulation.
The Data Subject shall have the right to request, on the basis of a reasoned request, that the Controller rectifies inaccurate personal data of the Data Subject without undue delay. Taking into account the purposes of the processing, the Data Subject shall have the right to have incomplete personal data completed, including by providing a supplementary statement.
The Data Subject shall have the right, in accordance with the provisions of Article 17 of the Regulation, to obtain the erasure of personal data concerning him or her by the Controller without undue delay where one of the circumstances specified in that Article applies.
The Data Subject shall have the right to obtain restriction of processing by the Controller where one of the circumstances specified in Article 18 of the Regulation applies.
The Data Subject shall have the right to withdraw his or her consent to the processing of his or her personal data, if such consent has been given.
In order to facilitate the processing of the Data Subject’s requests, the Data Subject is advised to contact the Controller in writing (physically signed document or electronic document signed with an e-signature or equivalent signature), sending the relevant document to the Controller’s legal address or email address as specified in Section 2 of this Policy.
The Data Subject shall also have the right to lodge a complaint with the Data State Inspectorate of the Republic of Latvia if the Data Subject considers that the Controller infringes the Data Subject’s rights and legitimate interests in the field of data protection of natural persons. The complaint may be submitted by post, by email (documents signed with a secure electronic signature should be sent to: [email protected]), or in person at the Data State Inspectorate of the Republic of Latvia, address: Elijas iela 17, Riga, LV-1050, Latvia.
9. Jurisdiction-Specific Notices
- California Consumer Privacy Act (CCPA) Notice: For residents of California, additional rights and disclosures under the California Consumer Privacy Act (CCPA) are provided. Please refer to the CCPA Notice available on the Controller’s website (www.request.lv/privacy-policy/ccpa-notice) for detailed information regarding the rights and practices applicable to California residents.
- Personal Information Protection and Electronic Documents Act (PIPEDA) Notice: For residents of Canada, additional rights and disclosures under the Personal Information Protection and Electronic Documents Act (PIPEDA) are provided. Please refer to the PIPEDA Notice available on the Controller’s website (www.request.lv/privacy-policy/pipeda-notice) for detailed information regarding the rights and practices applicable to Canadian residents.
10. Closing Remarks
This Privacy Policy may be amended as necessary, with the current version of the Policy being published on the Controller’s website.
This Privacy Policy is also available on the Latvian language version of the Controller’s website (www.request.lv/lv/privatuma-politika). In the event of any inconsistency or conflict between the English and Latvian versions, the Latvian version (www.request.lv/lv/privatuma-politika) shall prevail in all respects.
In case of any questions regarding the processing of personal data, the Controller may be contacted by sending an official letter to the Controller’s legal address: Stabu iela 109 – 1, Riga, LV-1009, Latvia or by email: [email protected]