Limited Liability Company
“MOTOFAVORĪTS”
Privacy Policy
1. Purpose and scope of Privacy Policy
1.1. The Privacy Policy (hereinafter referred to as the Policy) describes and provides information to identifiable natural persons (hereinafter referred to as the Date Subject) on how the Controller processes personal data of Data Subjects, if they have decided to visit the website www.motofavorits.lv maintained by the Controller, contact the Controller using the indicated telephone numbers or have decided to visit an event organised by the Controller or a company from its group, including have visited the premises of the Controller or a company from its group to see in person the latest offers or receive services/purchase goods. In this Policy, the Controller has described the measures to ensure that interests and freedoms of the data subject are protected, at the same time ensuring that the data are processed fairly, lawfully and transparently for the data subject.
1.2. The Policy applies to the processing of personal data of natural persons regardless of the form and/or the environment, in which the natural person provides his or her personal data (entering the territory and/or premises, by phone, orally, etc.) and which Controller’s systems (video, audio, web, etc.) process them.
1.3. If this Policy is updated, all the changes will be published on the Controller’s website under Privacy Policy. If you are interested in historical versions of the Policy, please contact the Controller using the contact details below. In any case, amendments to this Policy enter into force on the date specified in the notices of changes to this policy.
2. Controller
2.1. The personal data processing Controller is Limited Liability Company “MOTOFAVORĪTS” (unified reg.No.40003588773, contact details: Kārļa Ulmaņa gatve 21, Riga, LV-1004, telephone: 67606062, e-mail: info@motofavorits.lv, website www.motofavorits.lv) (hereinafter in this Policy referred to as the Controller).
3. Applicable law
3.1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the Regulation).
3.2. Other applicable law in the area of processing and protection of personal data, including regulatory enactments governing information society services.
4. Purposes of processing of personal data
4.1. The Controller has introduced:
- video surveillance with a view to preventing or detecting criminal offences related to the protection of persons and property, the protection of the legitimate interests of the Controller or a third party and the protection of the vital interests of persons, including life and health;
- audio recording of telephone conversations with a view to ensuring and improving the quality of the services provided by the Controller and the protection of the legitimate interests of the Controller;
- saving and registration of incoming and outgoing communications (e-mail, postal letters and other types) in order to ensure that the legitimate interests of the Controller are respected.
- demonstration of the events organised by the Controller or a company from its group in mass media and social networks to ensure the visibility of the company, its group and the brands of manufacturers it represents.
- the Controller shall perform an analysis of the history of the visit in order to carry out market research and analysis of opinions of data subjects, as well as for the use of statistics and some website functions and to show the content of the website in a way relevant for the user.
4.2. The purposes of the processing of personal data referred to in this Policy is not to process special categories of personal data, such as relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or data concerning health or sexual orientation.
4.3. When processing personal data for purposes other than those specified in this Policy, the Controller shall inform the data subject separately of the individual conditions for their processing, subject to the conditions laid down in Article 13 of the Regulation. In this Policy, the Controller has distinguished processing of data, in particular, to meet the conditions of Article 14 of the Regulation, i.e. personal data are not collected knowingly from the data subject.
5. What personal data are processed by the Controller?
5.1. The categories of personal data processed by the Controller depend on the Controller’s services used by the natural persons. For example,
a) when the data subject enters/accesses the Controller’s service centre, premises or territory, where there is video surveillance, the video image of the data subject and the time he or she has visited the premises may be processed. There is no video surveillance in the areas where data subjects expect to have increased privacy, in recreational areas, locker rooms, etc. The areas, where video surveillance cameras are recording, are concentrated in hallways, entrances/exits, cars, their flow in the Controller’s territory;
b) when calling the phone numbers specified by the Controller, the communication content, as well as the caller’s number will be recorded, unless the caller has taken steps to ensure that it is not revealed;
c) when communicating with the Controller in writing, the content and the time of the communication, as well as information on the communication tool used (e-mail address, telephone number, skype username, etc., address) may be kept;
d) when visiting events organised by the Controller or a company from its group, visitors of the event may photographed, filmed in video materials, and may be asked to give interviews or provide opinions about the event by recording their name, surname and additional information he or she may wish to provide, if necessary. These materials may be used for creating a Controller’s archive and ensuring brand awareness, by publishing the video recordings, photos in social networks of the Controller, companies from its group or represented manufacturers, as well as in any other mass media. Also, especially if you have received an invitation to any event organised by the Controller or its group, then in order to ensure that the event is safe you may be asked to provide additional information identifying you (name, surname, personal code, etc.).
e) The Controller shall analyse the history of visits using online identifiers, as well as information deliberately left by the data subject (for example, an assessment of the service provided, the website visiting experience, movements, information on the willingness to visit an event organised by the Controller, etc.) in order to carry out market research and analyse opinions.
6. What is the legal basis of processing of personal data?
6.1. video surveillance with a view to preventing or detecting criminal offences related to the protection of persons and property, the protection of the legitimate interests of the Controller or a third party and the protection of the vital interests of persons, including life and health. Video surveillance is carried out on the basis of Article 6(1)(d) and (f) of the Regulation, i.e.
- processing of personal data is necessary in order to protect the vital interests of the data subject or of another natural person (for example, video surveillance, where the processing of personal data is necessary for the protection of the life and health of a person in relation to the prevention and/or detection of criminal offences);
- for the purposes of the legitimate interests pursued by the Controller or by third parties (for example, to prevent or detect criminal offences related to property protection, to provide evidence, to ensure the highest standards of customer service quality).
6.2. Audio recording of telephone conversations with a view to ensuring and improving the quality of the services provided by the Controller and the protection of the legitimate interests of the Controller. Audio recording of telephone conversations is made (if it is made) on the basis of Article 6(1)(f) of the Regulation, i.e. For the purposes of the legitimate interests pursued by the Controller or by third parties (for example, to investigate cases, when complaints are received concerning the quality of customer service and to provide evidence against potential claims).
6.3. Saving and registration of incoming and outgoing communications (e-mail, postal letters and other types) is carried out on the basis of Article 6(1)(c) and (f) of the Regulation.
- for compliance with a legal obligation to which the Controller is subject, that is to register correspondence in accordance with the Controller’s nomenclature and the requirements arising from the Archives Law;
- for the purposes of the legitimate interests pursued by the Controller (for example, to investigate cases, when complaints are received concerning the quality of customer service and to provide evidence against potential claims).
6.4. Demonstration of events organised by the Controller or a company from its group in mass media and social networks to ensure the visibility of the company, its group and the brands of manufacturers it represents. At corporate events processing of personal data is carried out on the basis of Article 6(1)(a) and (f) of the Regulation, i.e.
- the Controller is entitled to process personal data, if the Data Subject has given consent to the processing of his or her personal data for one or more specific purposes. The consent of the person shall be his or her free will and his or her own decision, which shall be given on a voluntary basis, thereby allowing the Controller to process personal data for the purposes set out in this Policy. The consent of the person shall be binding if it is given orally (for example, prior to the event and in this Policy information is provided to the person concerning the processing of personal data and by visiting an event, giving interviews, being knowingly photographed and filmed the person agrees that his or her personal data will be used for the purposes set out in this Policy). The person has the right to withdraw his or her prior consent at any time, using the contact details specified in this Policy. The withdrawal of consent shall not affect the legality of such processing of data carried out at the time when the person’s consent was in force. The withdrawal of consent cannot stop the processing of data on the basis of other legal bases, for example on the basis of the legitimate interests of the Controller and third parties (group companies, carmakers).
The Controller has a legitimate interest in presenting the events organised by it or the events, in which it takes part, in mass media and in social networks, thereby ensuring the visibility of its brands or brands it represents. When choosing to publish any information, the Controller shall observe the highest ethical standards at all times, in order to ensure that publications do not violate the rights and freedoms of data subjects. At the same time, the Controller is aware that it may not be aware of all the facts and circumstances, so that, in order to ensure fair data processing, it does not prevent any data subject from contacting the Controller at any time, using the information provided above, so that he or she can object to data processing.
6.5. The Controller shall carry out an analysis of the history of visits to the website, social networks for the purpose of conducting market research and the analysis of opinions of data subjects on the basis of Article 6(1)(f) of the Regulation, i.e. The Controller has a legitimate interest in carrying out an analysis that shows or may show visibility of its brand or the brands it represents.
7. What is the period of processing of personal data?
7.1. The Controller shall take into account the following conditions when selecting the criteria for the storage of personal data
7.1.1. whether the term of storage of personal data is specified or arises from the regulatory enactments of the Republic of Latvia and the European Union;
7.1.2. for which period it is necessary to keep the relevant personal data in order to ensure exercising and protection of the legitimate interests of the Controller or a third party;
7.1.3. while the consent provided by the person for the processing of personal data is in place and there is no other legal basis for the processing of data, for example, in order to perform the duties the Controller is subject to;
7.1.4. The controller needs to protect the vital interests of the Data Subject or other natural person, including life and health.
7.1.5. video surveillance recordings with a view to preventing or detecting criminal offences related to the protection of persons and property, the protection of the legitimate interests of the Controller or a third party and the protection of the vital interests of persons, including life and health will be kept for a period not exceeding 30 days unless the relevant video recording shows potentially illegal actions or actions which are likely to help the Controller or third parties to ensure their legitimate interests. In this case, the relevant video recording may be retrieved and kept until the legitimate interests are ensured.
7.1.6. recordings of telephone conversations with a view to ensuring and improving the quality of the services provided by the Controller and the protection of the legitimate interests of the Controller will be kept for a period not exceeding sixty days unless the relevant audio recording shows potentially illegal actions or actions which are likely to help the Controller or third parties to ensure their legitimate interests. In this case, the relevant audio recording may be retrieved and kept until the legitimate interests are ensured.
7.2. incoming and outgoing communications (e-mail, postal letters and other types) in order to ensure that the legitimate interests of the Controller are respected will be kept for a period not exceeding five years unless the relevant communication shows potentially illegal actions or actions which are likely to help the Controller or third parties to ensure their legitimate interests.
7.3. Demonstration of events organised by the Controller or a company from its group in mass media and social networks to ensure the visibility of the company, its group and the brands of manufacturers it represents. In order to ensure historical development of the company, the Contractor is planning to keep the obtained information on a permanent basis. Similarly, in order to comply with the principle of fair data processing, the Controller explains that in view of the fact that the purpose of the data processing referred to in this paragraph is to make public the information about the events of the Controller, its group or the manufacturers represented, the obtained materials will be publicly available and any third party will be able to access them.
7.4. The Controller shall carry out an analysis of the history of visits for the purpose of conducting market research and the analysis of opinions of data subjects.
7.5. After the end of the storage period, personal data will be permanently erased.
8. Who has access to the information and to whom is it disclosed?
8.1. The controller shall be liable to provide information on the personal data processed:
8.1.1. to law enforcement authorities, courts or other state and local government authorities, if this arises from regulatory enactments and the relevant authorities have the right to the requested information, if it has had to be requested specifically;
8.1.2. if personal data should be transferred to the relevant third party within the scope of a contract in order to perform a function necessary for the performance of contracts (for example, in the case of an insurance agreement, for the implementation of the legitimate interests of the Controller; the photographer performing photographic work) or, if it is necessary to provide better services and provide quality services to the customer;
8.1.3. based on a clear and unambiguous request by the Data Subject;
8.1.4. for the protection of legitimate interests, for example, by appealing to a court or other state authorities against a person who has infringed these legitimate interests of the Controller.
8.2. The recipients of personal data may be authorised employees of the Controller, Processors, law enforcement and supervisory authorities.
8.3. The Controller will issue personal data of natural persons only in the necessary and sufficient amount, in conformity with the requirements of regulatory enactments and the justified objective circumstances of the particular situation.
8.4. The personal data referred to in this Policy are not intended to be sent to a third country, (a country other than a Member State of the European Union or European Economic Area), with the exception of data processed in an electronic environment. In this case, the Processors selected by the Controller (google.com (google analytics), facebook.com, twitter.com, snapchat, etc.) should be recognised as undertakings operating outside the Member States of the European Union and the European Economic Area, and therefore the a Controller urges to read privacy policies of these companies or to contact the Controller separately to the Supervisor with a request for additional information on the conditions of cooperation.
9. How is the Data Subject informed about the processing of personal data?
9.1. The Data Subject shall be informed about the processing of personal data specified in this Policy using a multi-level approach, which includes the following methods: - notices shall be placed in video surveillance sites, which warn Data Subjects (pedestrians, drivers, visitors, employees, etc.) that there is video surveillance in the Controller’s territory, providing basic information relating to video surveillance, as well as information on the possibilities of obtaining more detailed information;
- by calling the contact phones specified by the Controller, the data subject shall be informed that there is audio recording (if any), inviting to read additional information in this Policy or to ask the Controller’s employee who is being called;
- when informing about the Controller’s activities, the Controller shall provide basic information, inviting to read this Policy or ask the Controller before or during the event;
- when visiting the website, the Data Subject may read the notice on the cookies used and is invited to read with this Policy;
9.2. This Controller’s Policy is publicly available on the Controller’s website www.motofavorits.lv and in the customer service places of the Controller;
10. Rights of the data subject
10.1. The Data Subject has the right to request from the Controller access to his or her personal data and to receive clarifying information regarding what personal data on him or her are at the Controller’s disposal, for which purposes the Controller processes such personal data, categories of recipients of personal data (persons to whom personal data are disclosed or intended to be disclosed, provided that the regulatory enactments allow the Controller in that particular case to provide such information (for example, the Controller may not provide the Data Subject with information regarding the relevant national authorities which are drivers of criminal proceedings, entities subject to operational activities or other institutions, on which regulatory enactments prohibit the disclosure of such information)), information regarding the period for which personal data will be stored, or the criteria used for determining the said period.
10.2. If the Data Subject believes that the information at the Controller’s disposal is out of date, inaccurate or incorrect, the Data Subject shall have the right to request rectification of his or her personal data.
10.3. The Data Subject has the right to request erasure of his or her personal data or to object to the processing if the person believes that the personal data have been processed unlawfully or they are no longer necessary for the purposes for which they were collected and/or processed (exercising the principle related to the right “to be forgotten”).
10.4. The Controller shall inform that the personal data of the Data Subject cannot be erased if the processing of the personal data is required:
- for the Controller to protect the vital interests of the Data Subject or other natural person, including life and health;
- to protect the Controller’s property;
- for the Controller or a third party to establish, exercise or defend the legitimate (legal) interests;
- for archiving purposes in accordance with applicable regulatory enactments of the Republic of Latvia governing the creation of archives.
10.5. The Data Subject has the right to ask the Controller to restrict processing of personal data of the Data Subject where one of the following applies:
- the accuracy of the personal data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the personal data;
- the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the Controller no longer needs the personal data for the purposes of the processing, but they are required to the Data Subject for the establishment, exercise or defence of legal claims;
- the Data Subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
10.6. Where processing of personal data of the Data Subject has been restricted under paragraph 10.5, such personal data shall, with the exception of storage, only be processed with the Data Subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.
10.7. The Controller shall inform the Data Subject before cancelling a restriction to process personal data of the Data Subject.
10.8. The data subject shall be entitled to lodge a complaint to the Data State Inspectorate, if he or she believes that the Controller has processed his or her personal data illegally.
10.9. The Data Subject may submit a request for the exercise of his or her rights in the following way:
- in person in writing in the premises of the Controller, by presenting a personal identification document (e.g. passport or ID card, etc.), as the Data Subject is obliged to identify himself or herself;
- by e-mail, signing it with a secure electronic signature. In this case, it is presumed that the data subject has identified himself or herself, with the submission of the request signed with a secure electronic signature. At the same time, the Controller shall reserve the right to request, in the event of doubt, additional information from the data subject if it deems it necessary.
- by post. In this case, the reply will be prepared and sent using a registered letter, so that unauthorised persons are not be able to receive the consignment. At the same time, the Controller shall reserve the right to request, in the event of doubt, additional information from the data subject if it deems it necessary.
10.10. Moreover, the Data Subject shall be obliged to specify in its request to the extent possible the date, the time, the place and other circumstances which would help to meet his or her request.
10.11. Upon receipt of a written request from a Data Subject concerning the exercise of his or her rights, the Controller shall:
10.11.1. verify the identity of the person;
10.11.2. evaluate the request, if: - the request may be met, for example, by viewing video materials or listening audio recordings, then the Data Subject as the applicant may receive a copy of the video or audio materials or other data. - additional information is necessary in order to identify the Data Subject, who requests information, the Controller may ask the Data Subject for additional information in order to be able to correctly select information (e.g. video surveillance or conversation records, photographs) where the Data Subject is identifiable. - the information has been erased or the person requesting information is not identifiable, a Data Subject or the person is not identifiable, then the Controller may reject the request in accordance with this Policy and/or regulatory enactments.
11. How are personal data protected?
11.1. The Controller shall ensure, constantly review and improve personal data protection measures to protect personal data of individuals from unauthorised access, accidental loss, disclosure or destruction. To this end, the Controller shall use appropriate technical and organisational requirements, including firewalls, intrusion detection, analysis software and data encryption.
11.2. The Controller shall carefully check all service providers who process personal data of natural persons in the name and on behalf of the Controller, as well as assess whether the cooperation partners (processors) use appropriate security measures to ensure that the processing of personal data is carried out in conformity with the delegation by the Controller and the requirements of regulatory enactments.
11.3. In the event of a personal data security incident, if this creates a high risk to the rights and freedoms of the data subject, the Controller will notify the Data Subject concerned, if possible, or the information will be published on the website of the Controller or in any other way possible, such as the use of mass media (TV, radio, newspaper, social networks, etc.).