Privacy policy

Limited Liability Company
“Autofavorīts”

1. The goal and scope of the privacy policy

1.1. Privacy policy (further in text – Policy) is a described and provided information to identifiable individual personas (further in text – Data subject) as a Controller processes the Data subject data if they have chosen to visit the Controller maintained website www.autofavorits.lv, to contact the Controller by using the specified phone numbers, or have decided to attend any of the Controller’s or its group enterprise events, including the workspace utilized by the Controller or the Controller’s group enterprise to get acquinted with the topical offers, or to receive services/purchased goods.

In this Policy, the Controller has described measures to ensure that the interests and freedoms of the data subject are protected, while ensuring that their data is processed fairly, lawfully and in a way that is transparent to the data subject.

1.2. The policy applies to the processing of personal data, regardless of the form and / or environment in which the individual provides the personal data (entering the premises and / or workspace, by phone, orally, and the like), and in which Controller’s systems (video, audio, web, and the like) they are processed.

1.3. If this Policy is updated, any changes will be posted on the Controller's website in the Privacy Policy. In case you are interested in historical versions of the Policy, please contact the Controller using the contact information below. In any case, amendments to this Policy will be effective as of the date specified in the notice of changes to this Policy.

2. Controller

2.1. The controller of personal data is the limited liability company “AUTOFAVORĪTS” (unified reg. Nr. 40003222622, contact information: Valgale street 2a, Riga, LV-1029, phone number 67670000, e-mail: auto@autofavorits.lv, website www.autofavorits.lv) (in this Policy – Controller).

3. Applicable law

3.1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation) ( hereinafter referred to as the Regulation).

3.2. Other applicable legislation in the field of processing and protection of personal data, including legislation governing information society services.

4. The purposes of personal data processing

4.1. The Controller has established:

  • video surveillance for the purpose of preventing or detecting criminal offenses in connection with the protection of persons and property, the protection of the legitimate interests of the Controller or a third party and the protection of the vital interests of persons, including life and health;
  • the performance of audio recording of telephone conversations for the purpose of ensuring and improving the quality of the services provided by the Controller and the protection of the legal interests of the Controller;
  • the storage and accounting of incoming and outgoing communications (e-mails, postal letters and other types) in order to ensure the observance of the legitimate interests of the Controller.
  • Coverage of events organized by the Controller or its group companies in the media and on social networks in order to ensure the brand awareness of the company, its group and the represented manufacturers.
  • The controller performs an analysis of the visit history in order to conduct market research and analysis of the views of data subjects, as well as to use statistics and certain features of the
  • website and to display the content of the website according to the user.

4.2. The processing of personal data covered by this policy is not intended to process specific categories of data, such as data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or data relating to health or sexual orientation.

4.3. When processing personal data for purposes other than those specified in this Policy, the Controller shall inform the data subject separately of the individual conditions of their processing, subject to the provisions of Article 13 of the Regulation. In this Policy, the controller has separated the processing of data in order to fulfill, in particular, the provisions of Article 14 of the Regulation, i.e. personal data are not intentionally obtained from the data subject.

5. What personal data does the Controller process?

5.1. The categories of personal data processed by the Controller depend on the services of the Controller used by individuals. For example:
a) When a data subject enters the Controller's service center, premises or its territory where video surveillance is performed, its video image and the time when it has visited the premises may be processed. Video surveillance is not performed in areas where data subjects expect increased privacy, recreation areas, changing rooms, and the like. CCTV recording areas are concentrated on corridors, entrances / exits, cars in the flow of the Controller's territory;
b) When calling the phone numbers specified by the Controller, the content of the communication will be recorded, as well as the caller's phone number will be stated, unless the caller has taken steps not to disclose it;
c) When communicating with the Controller in a written manner, the content and timing of the communication may be saved, as well as information about the communication tool used (e-mail address, phone number, Skype username and the like, address);
d) When attending events organized by the Controller or its group, event attendees may be photographed, videotaped, and may be asked to provide interviews or opinions on the event, recording your name and, if necessary, additional information you wish to provide. Relevant materials may be used to create the Controller's archive and brand awareness by publishing a video, photographs on the social networks of the Controller, its group companies or represented manufacturers, as well as in any media. Also, especially if you have received an invitation to one of the events organized by the Controller or its group, you may be required to provide additional information identifying you in order to ensure the safe running of the event (name, surname, personal code, and the like);
e) The controller analyzes the visit history using online identifiers as well as information intentionally provided by the data subject (for example, an assessment of the service provided, the experience of visiting the website, movement, information on the desire to attend one of the events organized by the Controller and so on) for the purpose of market research and opinion analysis.

6. What is the legal basis for the processing of personal data?

6.1. Video surveillance for the purpose of preventing or detecting criminal offenses relating to the protection of persons and property, the protection of the legitimate interests of the controller or of a third party and the protection of the vital interests of persons, including life and health. Video surveillance is carried out on the basis of the Regulation 6 article 1 subparagraphs d) and f) , i.e.

  • The processing of personal data is necessary to protect the vital interests of the data subject or another individual (e.g. video surveillance where the processing of personal data is necessary for the protection of the life and health of a person related to the prevention and / or detection of criminal offenses);
  • To safeguard the legitimate interests of the controller and third parties (for example, to prevent or detect criminal offenses related to the protection of property, to provide evidence, to ensure the highest standards of customer service quality).

6.2. Audio recording of telephone conversations in order to ensure and improve the quality of services provided by the Controller and to protect the legal interests of the Controller. Audio recording of telephone conversations is performed based on Regulation 6 article 1 subparagraphs d) and f), i.e. To safeguard the legitimate interests of the controller and third parties (for example, to investigate complaints about the quality of customer service and to provide evidence of possible claims).

6.3. Incoming and outgoing communications (e-mails, letters and other) are stored and recorded on the basis of Regulation 6 article 1 subparagraphs c) and f), i.e.:

  • in order to ensure the fulfillment of the obligations specified in the regulatory enactments of the Controller, that is, to list correspondence in accordance with the nomenclature of the Controller, and the requirements arising from the “Archives Law”;
  • to ensure that the legitimate interests of the Controller are respected (for example, to investigate cases where complaints about the quality of customer service have been received, as well as to provide evidence against possible claims).

6.4. Coverage of events organized by the controller or its group companies in the media and on social networks in order to ensure the brand awareness of the company, its group and the represented manufacturers. In corporate events, the processing of personal data is based on Regulation 6 article 1 subparagraphs a) and f), i.e.:

  • The controller is entitled to process personal data if the Data Subject has given his or her consent to the processing of his or her personal data for one or more specific purposes. The consent of a person is his or her free will and an independent decision, which is provided voluntarily, thus allowing the Controller to process personal data for the purposes specified in this Policy. A person's consent is binding if it is given orally (for example, before the event and in this Policy, the person is informed that personal data will be processed and the person attends the event, gives interviews, takes pictures and agrees that their personal data will be processed, used to achieve the objectives set out in this Policy). The person has the right to withdraw their prior consent at any time using the contact information provided in this Policy. Withdrawal of consent shall not affect the lawfulness of data processing carried out at the time when the person's consent was valid. Withdrawal of consent may not interrupt the processing of data on other legal grounds, such as the legitimate interests of the Controller and third parties (group companies, car manufacturers).
  • The controller has a legitimate interest in covering the events it organizes or participates in, in the media and on social networks, thus ensuring the recognition of its brand or the brand it represents. The controller always applies the highest ethical standards when choosing to publish information, thus seeking to ensure that the rights and freedoms of data subjects are not infringed by the publications. The controller is aware that he may not be aware of all the facts and circumstances and therefore, in order to ensure fair processing, does not prevent any data subject from contacting the controller at any time with the above information in order to object to the processing of data.

6.5. The controller performs an analysis of the website, social network traffic history to conduct market research and analysis of data subjects' views based on Regulation 6 article 1 subparagraph f), i.e. the controller has a legitimate interest in carrying out an analysis that shows whether its brand or the brands it represents can be recognized.

7. What is the processing period for personal data?

7.1. The controller shall take into account the following circumstances when selecting the criteria for the storage of personal data:

7.1.1. whether the term for storage of personal data has been determined or follows from the regulatory enactments of the Republic of Latvia and the European Union;

7.1.2. for what period of time the relevant personal data need to be stored in order to ensure the realization and protection of the legitimate interests of the Controller or a third party;

7.1.3. until the consent of the person to the processing of personal data has been revoked and there is no other legal basis for the processing of the data, for example in order to fulfill the obligations binding on the Controller;

7.1.4. the Controller needs to protect the vital interests of the Data Subject or another individual, including life and health.

7.1.5. video surveillance records for the purpose of preventing or detecting criminal offenses relating to the protection of persons and property, the protection of the legitimate interests of the controller or of a third party and the protection of vital interests, including life and health, shall be kept for a period not exceeding 30 days, unless the video in question reflects allegedly unlawful conduct or conduct that is likely to assist the Controller or third parties in securing their legal interests. In this case, the video in question can be retrieved and stored until the legal interest is assured;

7.1.6. audio recordings of telephone conversations intended to ensure and improve the quality of the services provided by the Controller and the protection of the controller's legal interests will be kept for a period not exceeding sixty days, unless the audio recording reflects allegedly unlawful conduct or conduct, which, possibly, can assist the controller or third parties in safeguarding their legal interests. In this case, the video in question can be retrieved and stored until the legal interest is assured;

7.1.7. the storage and accounting of incoming and outgoing communications (e-mails, postal letters and other types) in order to ensure the observance of the legitimate interests of the Controller will be kept for a period not exceeding five years, unless the audio recording reflects allegedly unlawful conduct or conduct, which, possibly, can assist the controller or third parties in safeguarding their legal interests.

7.2. Coverage of events organized by the controller or its group companies in the media and on social networks in order to ensure the brand awareness of the company, its group and the represented manufacturers. In order to ensure the historical development of the company, the Controller plans to store the obtained information indefinetely. Similarly, in order to comply with the principle of fair processing, the controller shall explain that, given that the purpose of the processing referred to in this paragraph is to publish information on the activities of the Controller, his group or the manufacturers represented, then the resulting materials will be publicly available and accessible to any third party.

7.3. The controller performs an analysis of the visit history in order to conduct market research and analyze the views of data subjects.

7.4. At the end of the storage period, personal data will be permanently deleted.

8. Who has access to the information and to whom is it disclosed?

8.1. The controller is obliged to provide information on the processed personal data:

8.1.1. law enforcement authorities, the court or other state and local government institutions, if it follows from regulatory enactments and the relevant institutions have the right to the requested information, if it has had to be specifically requested;

8.1.2. if the personal data must be transferred to the relevant third party within the framework of the concluded contract in order to perform any function necessary for the performance of the contract (for example, in the case of an insurance contract meant for the realization of the legitimate interests of the Controller; photographer doing photographic work) or if it is necessary to improve the provision of better service and quality services to the customer;

8.1.3. in accordance with a clear and unambiguous request of the Data Subject;

8.1.4. protection of legitimate interests, for example, by applying to a court or other state institution against a person who has violated the legitimate interests of the Controller.

8.2. Recipients of personal data may be authorized employees of the Controller, Processors, law enforcement and supervisory authorities.

8.3. The controller will issue personal data of individuals only in the necessary and sufficient amount, in accordance with the requirements of regulatory enactments and objective circumstances justified by the specific situation.

8.4. The personal data specified in this Policy is not intended to be transferred to a third country, (a country that is not a member of the European Union or the European Economic Area) except for data processed in an electronic environment. In this case, the Controller’s selected Processors (google.com (google analytics), facebook.com, twitter.com, snapchat, and the like) are recognized as companies operating outside the European Union and the Member States of the European Economic Area, therefore, the Controller encourages you to review the privacy policies of these companies or apply separately to the Controller with a request to provide additional information on the conditions of cooperation.

9. How is the Data Subject informed about the processing of personal data?

9.1. The data subject is informed about the processing of personal data specified in this Policy via a multi-level approach involving the following methods:

  • notices with data subjects are placed in the video surveillance locations (pedestrians, drivers, visitors, staff, etc.) warns that video surveillance is taking place in the Controller's territory, providing basic information related to video surveillance, as well as inform about the possibilities to receive more detailed information;
  • by calling the contact numbers specified by the Controller, the data subject is informed about the performance of the audio recording (if it takes place), inviting to get acquainted with additional information in this policy or asking the employee of the Controller who is being called;
  • when announcing information about the Controllers's activities, the Controller provides basic information, inviting to get acquainted with this Policy or asking the Controller before or during the event;
  • by visiting the website, the Data Subject may get acquainted with the statement about which cookies are used, as well as is invited to get acquainted with this Policy;

9.2. This Controller's Policy is publicly available on the Controller's website www.autofavorits.lv and at the Controller's customer service points;

10. Rights of the data subject

10.1. The data subject has the right to request the Controller's access to his or her personal data and to receive clarifying information about what personal data about him or her is held by the Controller, the purposes for which the controller processes this personal data, the categories of recipients of personal data (persons to whom personal data have been disclosed or to whom they are intended to be disclosed, unless regulatory enactments in a particular case permit the Controller to provide such information (for example, the Controller may not provide the Data Subject with information on relevant state institutions that are the promoters of criminal proceedings, subjects of operational activities or other institutions for which the regulatory enactments prohibit the disclosure of such information)), information on the period for which the personal data will be stored or the criteria used to determine that period.

10.2. If the Data Subject considers that the information available to the Controller is out of date, inaccurate or incorrect, the Data Subject has the right to request the correction of his or her personal data.

10.3. The data subject has the right to request the deletion of his or her personal data or to object to the processing if the person considers that the personal data have been processed unlawfully or are no longer necessary for the purposes for which they were collected and / or processed (implementing the principle of the right to be "forgotten").

10.4. The controller informs that the personal data of the Data Subject cannot be deleted if the processing of personal data is required:

  • for the controller to protect the vital interests of the Data Subject or another including, including life and health;
  • to protect the Controller's property;
  • for the Controller or a third party to raise, implement or defend legitimate (legal) interests;
  • for the purposes of archiving in accordance with the regulatory enactments in force in Latvia, which regulate the creation of archives.

10.5. The Data Subject has the right to request that the Controller restricts the processing of the Data Subject's personal data, if one of the following circumstances occurs:

  • The data subject disputes the accuracy of personal data - for the time during which the Controller can check the accuracy of personal data;
  • the processing is unlawful and the Data Subject objects to the deletion of personal data and requests instead that the use of the data would be restricted;
  • the Controller no longer needs personal data for processing, but they are necessary for the Data Subject to raise, enforce or defend lawful claims;
  • the Data subject has objected to the processing until it has been verified that the legitimate reasons of the controller outweigh the legitimate reasons of the data subject.

10.6. If the processing of the Data Subject's personal data is restricted in accordance with 10.5., such personal data, with the exception of storage, shall be processed only with the consent of the Data Subject or for the purpose of raising, enforcing or defending a lawful action, or for the purpose of protecting the rights of another individual or legal person, or an important societal interest.

10.7. Before lifting the restriction on the processing of personal data of the Data Subject, the Controller shall inform the Data Subject.

10.8. The data subject has the right to submit a complaint to the Data State Inspectorate if it considers that the controller has processed his or her personal data unlawfully.

10.9. The data subject may submit a request for the enforcing of his or her rights in the following ways:

  • in writing in person at the premises of the Controller, presenting an identity document (for example, passport or ID card, etc.) because the Data Subject has an obligation to identify himself;
  • in the form of an electronic mail, signing it with a secure electronic signature. In this case, the data subject is presumed to have identified himself or herself by submitting a request signed with a secure electronic signature. At the same time, the Controller reserves the right to request additional information from the data subject in case of doubt, if it deems it necessary.
  • via postal service. In this case, the reply will be prepared and sent by registered letter, thus ensuring that unauthorized persons will not be able to receive the item. At the same time, the Controller reserves the right to request additional information from the data subject in case of doubt, if it deems it necessary.

10.10. In addition, the Data Subject is obliged to specify in his request, as much as possible, the date, time, place and other circumstances that would help to fulfill his request.

10.11. Upon receipt of a written request from the Data Subject for the exercise of his / her rights, the Controller shall:

10.11.1. verify the identity of the individual;

10.11.2. evaluate the request if:

  • it is possible to provide a request, such as watching video or listening to an audio recording. The Data Subject may receive a copy of the video or audio recording or other data as the requester of data;
  • additional information is required to identify the Data Subject requesting the information. Then the Controller may request additional information from the Data Subject in order to be able to select the information correctly (for example, video or conversation recordings, photos) in which the Data Subject is identifiable.
  • if the information has been deleted or the person requesting the information is not a Data Subject or the person is not identifiable. Then the Controller may reject the request in accordance with this Policy and / or regulatory enactment.

11. How is personal data protected?

11.1. The controller shall ensure, continuously review and improve personal data protection measures to protect the personal data of natural persons against unauthorized access, accidental loss, disclosure or destruction. To ensure this, the Controller uses appropriate technical and organizational requirements, including the usage of firewalls, intrusion detection systems, analysis software and data encryption.

11.2. The Controller carefully checks all service providers who process personal data of natural individuals in the name and on behalf of the controller, as well as evaluates whether the cooperation partners (processors of personal data) apply appropriate security measures so that the processing of personal data of individuals takes place in accordance with the delegation of the Controller and the requirements of regulatory enactments.

11.3. In the event of a personal data security incident which poses a possible high risk to the data subject's rights and freedoms, the Controller will notify the relevant Data Subject if it possible, or the information will be published on the Controller's website or in another possible way, for example with the usage of mass media (TV, radio, newspaper, social media, and the like).

 

 

We inform you that on websites of the Ltd “Autofavorīts”, cookies are used. We use cookies to optimize website performance and improve your user experience. By continuing to use this site, you acknowledge that you agree to the use of cookies and our Cookies Policy.

I AGREE READ MORE