I. General provisions
- When processing personal data, the Managing Company shall observe the laws and regulations in force in the Republic of Latvia, Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter – GDPR), as well as other laws and regulations in the field of privacy and personal data protection.
- The Managing Company shall ensure the protection of personal data and their processing in a particularly thorough way. The protection of personal data of natural persons at the disposal of the Managing Company and ensuring the privacy are essential aspects for the Managing Company. Ensuring the protection of privacy is an important element to promote compliance with the Managing Company’s values.
6.1. natural persons – customers (including potential, former, and existing ones), potential employees, as well as third persons, who, due to provision of services to natural persons, transfer or receive any information (hereinafter – Customers);
6.2. visitors of the Managing Company’s Customer Service Centres, zonal divisions, administrative premises and other premises, including with regard to those visitors who are under video surveillance;
6.3. visitors of the websites and self-service vortal maintained by the Managing Company.
II. The controller and its contact information
- The controller of personal data processing: Managing Company, registration number 40103362321, legal address: Aleksandra Čaka iela 42, Riga, LV-1011, email address: firstname.lastname@example.org; website address: www.rnparvaldnieks.lv; customers self-service vortal: www.e-parvaldnieks.lv.
- For communication in matters related to the processing of personal data, as well as to report possible violations of data protection, please write to the email address email@example.com, call the Managing Company’s Info Line on 8900, or apply in person at any of the Managing Company’s Customer Service Centres.
III. Purposes and categories of personal data processing
- The Managing Company processes the following personal data for the following purposes:
10.1. to ensure the statutory mandatory and other management-related actions (Article 6(c) of GDPR), to examine the customers’ applications and prepare a reply to them, as well as to check the questionnaires and protocols submitted by owners of residential apartments and to implement a community’s decision, to identify a customer, to communicate with a customer or his/her authorised person, to prepare, enter into a management contract and a residential/non-residential premises lease contract and to prove the fact of entering into it, to maintain record-keeping and to keep records in the house file, to issue invoices, to administer settlements, to provide information to the Credit Information Bureau, to provide information to state administration authorities in cases specified in legislation (Article 6(1)(b) of GDPR) – name, surname, personal identification number (other personal ID number), authorised person’s name, surname, personal identification number (other personal ID number), bank account, data on real estate owned by a natural person (address, cadastre number, area, date of acquisition of the ownership right / right to use and legal ground, date of expiration of the ownership right / right to use), declared and actual address of residence, information on bank account and contact information (phone number, e-mail), contract number, contract registration date, time of carrying out managing activities, number of persons declared in the immovable property, consumed amount of water, electricity, heat energy, gas etc., information on payments made (invoice number, date, sum, invoicing way, date of payment, debt amount, information on debt recovery/repayment) for the services provided by or via the Managing Company, on debt recovery and repayment, solvency verification data etc.; storage period – throughout the term of the contract or while a legal obligation remains in force and 10 years after it, or as long as it is necessary for the legitimate interests of the Managing Company or third parties to exist;
10.2. to ensure an organisation of a competition for personnel recruiting and to ensure its legal interests as far as they are related to personnel recruiting (Article 6(1)(c) of GDPR) – name, surname, personal identification number (other personal ID number), contact information, work experience, education (data of a document on education – place where education was obtained, type of education obtained or information on further training, date and place of issue of a document on education) – storage period is no longer than six months after the end of the competition, or as long as it is necessary for the legitimate interests of the Managing Company to exist;
10.3. to prevent or detect a criminal offence in the premises or territories owned, used, possessed or held by the Managing Company or to detect an unlawful action in them, as well as to ensure the protection of the legal interests of the Managing Company and third parties in the event of their infringement and the protection of the vital interests of a person, including protection of life, safety and health (Article 6(f) of GDPR) – person’s appearance in a record of a video surveillance system, data on the person’s location and time in the relevant location under video surveillance, storage period is no longer than 10 days, or as long as it is necessary for the legitimate interests of the Managing Company to exist and be protected;
10.4. to improve the service quality and to protect the legal interests of the Managing Company (Article 6(f) of GDPR) – voice recording, date and time, information about the content of the conversation and personal data obtained when calling to the Managing Company’s Info Line phones – storage period is no longer than three months, or as long as it is necessary for the legitimate interests of the Managing Company to exist;
10.5. in order to control the quality of the provided services and to ensure their proper provision, as well as to prevent and detect criminal offenses, to protect property, person’s life, safety and health, to respect the interests of other individuals in society and to ensure public order (Article 6(f) of GDPR), personal data is additionally processed to respect the legitimate interests of the Managing Company;
10.6. in particular cases, based on the voluntary consent of the customer, for example, when sending reminders and notifications in the form of SMS messages and e-mails. According to Article 9(2)(a) of the GDPR, the Managing Company shall, with the customer’s explicit consent, process the customer’s health data for the purpose of granting a discount on the contractual penalty and late payment interest in the event of entering into an agreement on paying debt in instalments. Where personal data is processed on the basis of the customer’s consent, the customer has the right to refuse the processing of his/her personal data at any time. The withdrawal of the consent shall not affect the lawfulness of the processing based on the consent given prior to withdrawal (Article 6(a) of GDPR);
10.7. for other purposes which the customer gets notified of at the moment of provision of the relevant personal data.
IV. Legal basis for personal data processing
11. The Managing Company shall process personal data based on the following legal grounds:
11.1. to enter into a contract and to perform it – to enter into a contract for managing a residential house/non-residential premises, a residential/non-residential premises lease contract, to administer them as may be authorised by the Riga City Local Government, to enter into a contract with a service provider and a contract with a land plot owner for leasing the land plot that is functionally necessary for a residential house, or to implement a decision taken by a community of owners of apartments in a residential house, as well as to administer the account created by a customer on the customers self-service vortal.
11.2. to comply with laws and regulations – for compliance with an obligation to which the Managing Company is subject in accordance with laws and regulations;
11.3. to comply with the legitimate interests of the Managing Company, for example:
11.3.1. improvement of the service quality;
11.3.2. customer service quality control;
11.3.3. introduction of new services;
11.3.4. prevention of criminal offences and unlawful actions;
11.3.5. protection of its legal interests before state administration authorities and in operational institutions, and in court;
11.3.6. to collect a debt – by registering information about the debt and the debtor in the database of the Credit Information Bureau.
- Personal data of a customer is processed taking into account the existing privacy risks and the Managing Company’s reasonably available organisational, financial, and technical resources.
- Personal data may only be processed for a predefined purpose. As soon as the purpose of personal data processing ceases to exist, the Managing Company shall delete or anonymise personal data, taking into account the specified period for the storage of personal data.
- The definition of the purpose of the personal data processing shall always be unambiguous, expressed clearly and comprehensibly, as well as shall be corresponding to the personal data processing that in fact takes place.
- The Managing Company shall collect and process personal data only to the extent necessary for the purpose of its processing. If possible and justified, anonymised and/or pseudonymised data shall be used.
- As part of data collection, the Managing Company shall, upon request or in other cases in accordance with the provisions of laws and regulations, provide the customer with comprehensive information on the type, scope, and purpose of data processing.
- The Managing Company shall ensure the transparency of the carried out processing of personal data by making the following information available and understandable in an easy way: information about the processing of personal data, including the purpose of the personal data processing, the scope necessary to ensure the processing, information about data processing risks and customer’s rights and the ways to exercise them.
- The Managing Company shall ensure that personal data is processed and stored only for the period of time necessary to meet the purpose of processing this personal data. The periods of time for processing shall be determined taking into account the provisions of laws and regulations, the legitimate interests of the Managing Company, as well as other reasonable considerations, e.g., information on payments must be stored for at least five years in accordance with the requirements of laws and regulations, etc., unless storing a specific relevant information is necessary for a longer period of time in order to protect the legitimate interests of the Managing Company or a third party in a specific case because then this information can be stored until the relevant legitimate interest is given effect.
- Depending on the nature of personal data processing, the Managing Company shall take technical and organisational measures to minimise the risks of personal data processing. If the Managing Company in any way receives information about incorrect personal data which are being processed by the Managing Company, such data shall be immediately deleted or corrected to ensure the correctness of personal data. If the Managing Company detects a data protection violation, the Managing Company shall notify thereof a supervisory authority in accordance with the procedures and within time-limits specified in laws and regulations.
- If apps, services, and products are used to process personal data, the Managing Company shall take measures to minimise, as much as possible, the processing of personal data and ensure compliance with data protection principles by applying appropriate personal data protection measures by default, such as app data encryption.
- Personal data of a special category shall be processed only in a certain case and in strict compliance with the relevant applicable legal framework, in particular Article 9 of the GDPR. Where it is not possible to completely avoid the processing of a special category of personal data, the Managing Company shall apply special security measures to protect such data, for example by limiting access to such data as much as possible.
- The Managing Company shall not make automated decisions when processing personal data. Personal data held by the Managing Company shall always be processed by a human.
V. Protection of personal data
- The Managing Company shall protect customers’ personal data using modern technological capabilities, taking into account the existing privacy risks and the Managing Company’s reasonably available organisational, financial and technical resources, including using the following security measures:
23.2. data encryption when transmitting it;
23.3. intrusion protection and detection software;
23.4. other protection measures according to current technology development opportunities.
VI. Transfer of personal data and categories of recipients
- The Managing Company shall transfer personal data if there is a legal ground for transferring personal data.
- If there is a legal ground for this, the processing of personal data may be entrusted to a processor by entering into a written contract in accordance with GDPR requirements and if the following prerequisites are met:
25.1. the Managing Company itself is entitled to process this personal data;
25.2. the Managing Company has carefully selected a processor who has proven that the security and protection of personal data is ensured by using appropriate technical and organisational means. The processor may process personal data only in accordance with the Managing Company’s instructions.
- The processor, whom customer’s personal data are entrusted to, shall ensure the protection and processing of personal data in accordance with applicable laws and regulations and security standards.
- The Managing Company shall transfer customer’s personal data to a third party where it is required by laws and regulations or when it is necessary to protect the Managing Company’s legitimate interests, including, but not limited to, to a supervising law enforcement authority, investigation authority, prosecutor’s office, a sworn notary, a sworn bailiff, or the State Revenue Service.
- The Managing Company shall not disclose to third parties personal data of the customer or any information obtained during the provision of services and during the term of a contract, including information about the goods and services received, except for cases:
28.1. where data must be transferred to the relevant third party under the concluded contract in order to perform any function which is necessary for the performance of the contract or which is delegated by law, e.g., for extrajudicial debt collection, audits and inspections, for printing, sorting and delivery of invoices, warnings, reminders, etc., and to other service providers;
28.2. where an explicit and unequivocal consent has been given by the customer;
28.3. cases specified in laws and regulations in order to protect the Managing Company’s legitimate interests, for example, when applying to the court or other institutions against a person who has violated the Managing Company’s legitimate interests;
28.4. in accordance with the legitimate interests of the Managing Company or a third party, under the procedure and to the extent specified in laws and regulations, for example, to a customer care service, for system maintenance, and other service providers who provide services related to data processing.
- The employee of the Managing Company who processes personal data in the Managing Company shall ensure respecting the confidentiality of personal data. Personal data shall be available to a limited group of Managing Company’s employees, insofar as it is necessary for the performance of their direct work obligations. The Managing Company shall not transfer personal data outside the European Union or the European Economic Area.
- The Managing Company shall notify the customer without undue delay of a breach of personal data protection, if the breach could pose a high risk to the rights and freedoms of natural persons.
- When transferring personal data, the Managing Company shall implement appropriate technical and organisational measures in accordance with the GDPR.
VII. Customer’s rights
- The customer has the right to receive all information about the processing of his/her personal data in the Managing Company. Part of the information is included in the Managing Company’s customers self-service vortal, where an authorised customer can verify the correctness of his/her personal data and, if necessary, manage it, including modify it.
- The customer has the right to access his/her data, receiving confirmation of whether or not personal data is being processed in relation to the customer, to request that data should be supplemented, corrected or deleted, or that its processing should be restricted, or to object to data processing. The Managing Company shall prepare information on the processing of the customer’s personal data in accordance with the customer’s request no later than within one month after receiving the customer’s request. These rights can be exercised insofar as the data processing does not arise from the Managing Company’s obligations under the applicable laws and regulations. In the event that, due to the complexity and extensive volume of the request, it is not possible to provide the information within one month from the date of receipt of the request, the Managing Company may extend the deadline for providing the information for another two months, notifying the customer of the reasons for the extension.
- The customer has the right to request the deletion of his/her personal data or object to data processing in cases including, but not limited to, the following:
34.1. personal data is no longer necessary for the purpose for which it was received or processed;
34.2. the customer withdraws his/her consent which was the basis for data processing and there is no other legal ground for such processing;
34.3. processing of personal data is carried out for direct marketing purposes;
34.4. data processing is carried out for scientific or historical research purposes or for statistical purposes;
34.5. the customer objects to the processing of the following data:
34.5.1. the basis for processing is the legitimate interests of the Managing Company and there are no legitimate reasons that would be more important than the customer’s interests;
34.5.2. personal data has been processed unlawfully;
34.5.3. personal data must be deleted to ensure that the legal obligation of the Managing Company is fulfilled as may be defined in the laws and regulations applicable to the Managing Company.
- The Managing Company has the right to refuse to delete personal data if the processing of this data is required:
35.1. to ensure that the legal obligation of the Managing Company, as may be defined in the laws and regulations applicable to the Managing Company, is fulfilled;
35.2. to carry out debt collection activities or ensure protection.
- The customer has the right to restrict (restriction of personal data processing means that personal data will be stored but will not be processed in other ways; the Managing Company informs the customer when the restriction of data processing will be stopped) processing of his/her personal data in the following cases:
36.1. the customer disputes the accuracy of the processed personal data – in such a case, data processing is limited for a period of time during which the Managing Company can check the accuracy of personal data;
36.2. if the basis for personal data processing is the legitimate interests of the Managing Company and the customer objects to processing of personal data – in such a case, processing of personal data is limited for a period of time until it has been checked whether the legitimate interest of the Managing Company is more important than the legitimate reason of the customer;
36.3. the customer objects to the deletion of unlawfully processed personal data and instead requests restriction of data use;
36.4. the Managing Company no longer needs personal data to be processed, but it is needed for the customer to establish, exercise or defend legal claims, e.g., to bring an action.
- The Managing Company shall process personal data in accordance with laws and regulations. Upon receiving customer’s objections regarding processing of personal data, it shall take necessary actions to assess the objections and to eliminate the identified inconsistencies. The Managing Company shall provide answers to questions related to data processing, as well as to customer requests and applications by sending them electronically, by mail to the contact address specified by the customer, in the vortal, or using another way as may be specified by the customer. Where the Managing Company does not remedy the inconsistency indicated in the customer’s objections and the customer has reason to believe that processing of the customer’s personal data which is carried out by the Managing Company does not comply with laws and regulations, the customer has the right to apply to the supervisory authority – the Data State Inspectorate (www.dvi.gov.lv).
VIII. Final provision