1. Terms used
1.1. Processing – any operation or complex of operations carried out with the Personal Data, carried out with or without automated means, for example, gathering, registration, structuring, systemizing, storage, configuration, transformation, specification, viewing, use, disclosure by sending, distribution or otherwise making available, anonymization, restriction, deletion, destruction.
1.2. Data Subject – identified or identifiable individual.
1.3. Personal Data – any information regarding the Data Subject.
1.4. Profiling – automated Personal Data Processing of any type used with the aim to assess the particular personal aspects related to the Data Subject, especially in order to analyse or estimate the aspects in relation to the Data Subject’s economic situation, personal desires, interests, loyalty, behaviour, location or movement.
1.5. Company – Vincit Advisory, SIA (unified registration No.: 40203042916, legal address: 23 Elizabetes St., Riga, LV-1010), Vincit Accounting, SIA (unified registration No.: 40103283479, legal address: 23 Elizabetes St., Riga, LV-1010).
1.6. Third country – a country that is not a member-state of the European Union / European Economic Area.
1.7. General Data Protection Regulation – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
2. General Provisions
2.2. Personal Data Processing is carried out by the Company in accordance with the requirements of the General Data Protection Regulation.
2.3. The Company ensures that the Personal Data are being processed lawfully, fairly and in a way clear to the Data Subject.
2.4. The Personal Data Processing carried out by the Company may have several legal grounds, for example, consent of the Data Subject to Personal Data Processing, contractual relationships of Data Subject and the Company, execution of the legal duty the Company is subject to in accordance with the requirements of applicable regulatory enactments, obeying and ensuring legitimate interests of the Company, etc.
2.5. Personal Data can be provided by Data Subjects, obtained in the course of rendering Company’s services, as well as from external sources (e.g. public or private registers) or third parties.
2.6. The Company may use services of other data processors for Personal Data Processing. In these cases, the Company shall take all the necessary measures to ensure that the data processors chosen by the Company are carrying out Personal Data Processing in accordance with applicable regulatory enactments and instructions of the Company.
3. Personal Data Processing purposes
3.1. Personal Data are being gathered for specific, clear and legitimate purposes and their further Processing shall not be carried out in ways incompatible to the abovementioned purposes.
3.2. The Company is carrying out Personal Data Processing for the following purposes:
3.2.1. execution of requirements of the regulatory enactments and identification purposes;
3.2.2. concluding, execution, amendments, novation and/or termination of contracts and other lawful transactions;
3.2.3. rendering services;
3.2.4. managing relationships with clients, partners, suppliers, service providers, agents, auditors, consultants, creditors, debtors, shareholders and persons related to them;
3.2.5. personnel management;
3.2.6. protection of interests of clients and the Company;
3.2.7. offering services and marketing purposes;
3.2.8. carrying out surveys and market analysis;
3.2.9. preparing statistics;
3.2.10. physical and information security;
3.2.11. risk management.
4. Personal Data categories
4.1. The Company mainly gathers and processes the following categories of Personal Data:
4.1.1. Person’s identification data (name, surname, personal identification number, date and place of birth, data of the identification document);
4.1.2. Person’s contact information (address, phone number, email, Skype, language of communication and other contact information);
4.1.3. Data on tax residency (e.g. citizenship, country of residence, taxpayer’s registration number, social security number);
4.1.4. Person’s financial and business information (e.g. information on the accounts in the credit and payment institutions, payments carried out, information about portfolio of financial instruments, copies of contracts and other types of documents and bills, information on their economic activity, origin of financial funds, income statements, loans and other obligations);
4.1.5. Family data (e.g. information about marital status and family members);
4.1.6. Data on education and occupation;
4.1.7. Data on affiliated persons (e.g. client’s or business partner’s representatives and/or authorised representatives or other affiliated persons);
4.1.8. Service-related data (e.g. about the concluded and/or terminated contracts, their amendments and novation, about acceptance certificates of the services, about the received claims or complaints);
4.1.9. Data obtained in the course of employment relationships with the employees of the Company (e.g. information about the salary, previous jobs, education, health etc.);
4.1.10. Client survey-related data (e.g. clients’ answers to survey questions);
4.1.11. Audio/visual data (e.g. recorded telephone conversations between the Company and the Data Subject, video surveillance camera footages recorded in the office and the surrounding territory of the Company).
5. Categories of Data Subjects
5.1. The Company is processing Personal Data of the Following Data Subjects:
5.1.1. clients of the Company (potential, current and former) and their affiliated persons (representatives, authorised representatives, beneficiaries, employees, etc.);
5.1.2. business partners of the Company (potential, current and former), suppliers (potential, current and former), service providers (potential, current and former), agents (potential, current and former), auditors (potential, current and former), advisors (potential, current and former), and their affiliated persons (representatives, authorised representatives, beneficiaries, employees, etc.);
5.1.3. creditors (potential, current and former), debtors (potential, current and former) of the Company and their affiliated persons (representatives, authorised representatives, beneficiaries, employees, etc.);
5.1.4. shareholders of the Company (potential, current and former) and their affiliated persons (representatives, authorised representatives, beneficiaries, employees, etc.);
5.1.5. officials of the Company (current and former);
5.1.6. employees (current and former) of the Company and candidates;
5.1.7. visitors of the office and the surrounding territory of the Company.
6. Personal Data Receivers and Place of Processing
6.1. The Company submits Personal Data to the following data receivers:
6.1.1. State institutions, including but not limited to the Financial Intelligence Service, investigation authorities, prosecutor’s office, operational activity agents, tax administration, credit register holders, Register of Enterprises, Office of Citizenship and Migration Affairs, municipality institutions, sworn notaries, law enforcement officers, orphan’s courts, courts, arbitration courts, out-of-court dispute settlement agents, other competent state institutions;
6.1.2. Credit institutions, payment service, insurance service, investment service providers, financial service intermediaries, exchanges, depositories and other participants of the financial market;
6.1.3. Members of the governing bodies, employees, representatives, authorised representatives of the Company;
6.1.4. Persons related to the Company;
6.1.5. Business partners, suppliers, service providers, agents, auditors, advisors of the Company;
6.1.6. Data processors that are carrying out Personal Data Processing at the instruction of the Company;
6.1.7. Other persons in accordance with the provisions of contract concluded between the Company and the Data Subject.
6.2. Submitting of Personal Data to data receivers (regardless of the residence of the data receiver – the Republic of Latvia, European Union, European Economic Area or beyond that) is subject to applicable regulatory enactments and/or an agreement concluded between the Company and the data receiver which implies non-disclosure and data exchange security provisions.
6.3. Usually Personal Data Processing takes place at the territory of the Republic of Latvia. The Company is entitled to transfer Personal Data to data receivers located in other member-states of the European Union and in the countries of the European Economic Area.
6.4. In certain cases, the Company, following the provisions of the General Data Protection Regulation and other applicable regulatory enactments, can send Personal Data to Third Countries or international organisations. Sending Personal Data to Third Countries or international organisations is possible based on:
6.4.1. the decision of the European Commission about that the particular Third Country, any territory of it or one or several regions, or the international organisation ensures sufficient level of protection; or
6.4.2. appropriate guarantees that are ensured in accordance with the provisions of the General Data Protection Regulation, standard data protection clauses adopted or approved by the European Commission, or binding regulations of the company, or action code approved in accordance with the provisions of the General Data Protection Regulations, together with the binding and lawfully executable obligations of the Third Country data administrator or processor to apply the appropriate guarantees, or the certification mechanism that is approved in accordance with the provisions of the General Data Protection Regulation, together with the binding and lawfully executable obligations of the Third Country data administrator or processor to apply the appropriate guarantees; or
6.4.3. that any of the provisions of Paragraph One of Article 49 of the General Data Protection Regulation has occurred, for example, the Data Subject has agreed to with the proposed sending of Personal Data after being informed about the implied risks such sending decision can cause to the Data Subject due to lack of sufficient protection level and appropriate guarantees, or the sending is necessary in order to initiate, fulfil or protect the lawful claims.
6.5. Upon request, Data Subject can be provided with more detailed information about the sending of Personal Data to Third Countries or international organisations.
7. Rights of Data Subject
7.1. Regarding own Personal Data, the Data Subject as the following rights:
7.1.1. to receive information from the Company about whether their Personal Data is being or not being processed and if they are being processed, then to access their Personal Data and receive information about the purpose of Processing of the Personal Data being processed, category of Personal Data, Personal Data receivers, Personal Data storage terms, automated decision-making, including Profiling, and its consequences, information about other sources of Personal Data, if the Personal Data were obtained from a third party, information about guarantees if the Personal Data are being sent to a Third Country or international organisation, as well as information about the rights of Data Subject;
7.1.2. to receive information about that whether the provision of Personal Data is related to the requirements of a contract or regulatory enactments, or provision of Personal Data is a condition for concluding a contract, as well as information about that the Data Subject is obligated to provide Personal Data and about the consequences of failing to provide such Personal Data;
7.1.3. to request their Personal Data to be corrected if they are imprecise, incorrect or incomplete;
7.1.4. to request their Personal Data Processing to be limited;
7.1.5. to object against Processing of their Personal Data;
7.1.6. to request their Personal Data to be deleted;
7.1.7. to revoke their consent to Processing of their Personal Data;
7.1.8. to not be subject of the decision that is based only on automated Processing, including the Profiling, which regarding the Data Subject causes legal consequences or has similar significant impact on the Data Subject. These provisions are not applicable if the decision is necessary for conclusion or fulfilment of a contract concluded between the Data Subject and the Company, or is based on an explicit consent of the Data Subject, or is allowed in accordance with the applicable regulatory enactments;
7.1.9. to transferability of their Personal Data regarding those Personal Data which the Data Subject has submitted to the Company in a structured, regularly usable machine-readable format;
7.1.10. to submit a complaint to the State Data Inspectorate about the Processing of Personal Data carried out by the Company (contact information of the State Data Inspectorate is available at www.dvi.gov.lv).
7.2. The rights of the Data Subject are ensured by the Company in accordance with the provisions of the General Data Protection Regulation for execution of these rights.
8. Profiling and automated decision-making
8.1. In certain cases the Company is carrying out automated decision-making, including the Profiling, if it is provided by the applicable regulatory enactments or necessary for concluding or execution of an agreement between the Data Subject and the Company, or there is an explicit consent received from the Data Subject.
9. Personal data protection and storage terms
9.1. The Company carries out and maintains appropriate administrative, technical and organisational measures in order to protect Personal Data from unintentional or unlawful destruction, loss, transformation, unauthorised disclosure or access to them.
9.2. The Company is storing Personal Data for not more than it is necessary for the purposes for which the particular Personal Data are processed. The term of storage of Personal Data is determined based on the applicable regulatory enactments or legitimate interests of the Company. After the expiration of the storage period of the Personal Data, they are deleted. If there are any obstacles for the deletion of the Personal Data (e.g. an order on prohibition to delete the Personal Data), then the storage of Personal Data should be ensured until elimination or cancellation of such obstacles.
10. Contact information of the Company
10.1. Data Subject is entitled to submit questions, requests, applications and complaints to the Company by sending them to email email@example.com or via post to 23 Elizabetes Street, Riga, LV-1010 (Vincit Advisory, SIA / Vincit Accounting, SIA).