ARČERS privacy and personal data protection policy

The Privacy policy is intended to provide information to a natural person – the data subject – regarding the purpose, scope, security and processing period of personal data during the collection and processing of personal data.

1.  Data controller and its contact information:

SIA “Arčers”

Office contact information:

Katlakalna iela 11, Riga, Latvija, LV-1073

Tel. +371 67810382

You can always contact us by e-mail arcers@arcers.lv

“Arčers” is responsible for the processing of personal data in the company pursuant to the legal bases and objectives specified in this policy, for example, but not limited to – the fulfillment of statutory (or legal) requirements; marketing; the provision and use of services, financial and other administrative and business management; customer and supplier relationship management; analysis and development of goods, services, customer and supplier relationships and business.

2.    Scope of the document:

Personal data is any information about an identified or identifiable natural person. The Privacy policy ensures the protection of privacy and personal data and is applicable to:

2.1. natural persons – customers, employees and other cooperation partners (including potential, former and current partners), as well as third parties who, in mutual cooperation with  “Arčers” receive or transfer to  “Arčers” any information (including contact persons, signatories, etc.);

2.2. visitors of  “Arčers” construction sites, office and other premises, including those where video surveillance is carried out;

2.3. visitors of websites and social media pages maintained by “Arčers”.

2.4. “Arčers” shall ensure the privacy and protection of the Customer personal data, shall comply with the Customer’s rights to legal processing of personal data under the applicable legislation – Personal Data Protection Law, Regulation of the European Parliament and of the Council No. 2016/679 (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (Regulation) and other applicable legal enactments in the area of privacy and data processing.

2.5. The Privacy Policy applies to data processing regardless of the form and / or environment in which individuals provide or receive personal data to and from  “Arčers” ( “Arčers” website, social platforms, paper format or by telephone) and in what company systems or paper form they are processed.

2.6. With regard to specific types of data processing (for example, processing of cookies, etc.), environment, additional, specific rules may be set for purposes, of which the person shall be informed at the time of providing the relevant data to “Arčers”.

3.  Legal basis for personal (data subject) data processing:

3.1.The data subject has consented to the processing of his or her personal data for one or more specific purposes;

3.2.The processing is necessary for the performance of a contract to which the data subject is party or in order to take action at the request of the data subject prior to the conclusion of the contract;

3.3.  The processing is necessary for compliance with a legal obligation to which the controller is subject;

3.4.The processing is necessary for the protection of the legitimate interests of the controller or of a third party, unless the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data outweigh such interests, in particular where the data subject is a child.

3.5. Information received from the data subject prior to the commencement of cooperation, conclusion of the contract, such as requests for information or offers, informative materials or requests for orders, etc .;

3.6. Legitimate interest in regard to direct marketing;

3.7. Ensuring compliance with the requirements of regulatory enactments when conducting business.

4.      Personal data is processed for the following purposes:

4.1.creation, management and development of customer relationship and customer (including their signatories, representatives) records system;

4.2.marketing, offering, brokerage, provision and performance of various construction services;

4.3.construction services performed by the data controller himself or by offering the services of cooperation partners;

4.4.assessment of creditworthiness and invoicing of cooperation partners, customers, supervision and collection of payments (their signatories, representatives);

4.5.communication with customers, business partners, including customer and supplier feedback and customer satisfaction surveys;

4.6.  working time accounting systems for data processing;

4.7. development of goods, services and business;

4.8.  detection, prevention and investigation of fraud and other criminal offenses;

4.9.  analysis and statistics for the above purposes.

5.      Consent of the data subject, where necessary:

5.1.  to find a data subject;

5.2.to publicly inform the public about what is happening in the company, about current events, and in accordance with the objectives set out in this privacy policy;

5.3.to allow the employee to use his / her personal (electronic) means of communication, such as mobile phones,

5.4.  to determine the benefits or advantages to which the data subject is entitled,

5.5.  for other purposes specified by laws and regulatory enactments;

5.6.The consent of the data subject to the processing of personal data, the legal basis of which is the consent, may be given electronically, by post or in person;

5.7.The data subject is entitled to revoke the consent to data processing at any time in the same manner as it was given, and in this case any further data processing based on the previous consent for the specific purpose will be discontinued.

5.8.The withdrawal of the consent will not affect the processing carried out at the time the Customer’s consent was in effect.

5.9.Withdrawal of consent may not interrupt the processing of data on other legal grounds.

6.  Data subjects and categories of personal data:

The data controller processes the data of its potential, current and previous customers, business partners and employees. The following personal data is processed for the purposes mentioned above in this policy:

6.1.basic information of the data subject, for example, name, surname, personal identification number, customer identifier, year of birth, gender, profession, address of residence, e-mail address, telephone number, preferred method of communication;

6.2.  marketing data; choices and interests related to, for example, the types of buildings and their

characteristics and locations; other interests and information provided by the data subject;

6.3.accounting data of the customer, cooperation partner, employees, for example, the term of cooperation and the procedure for the establishment and termination of legal relationships; data on service contracts, orders, their suspension and cancellation; customer feedback and complaints; communication with customers, partners and marketing research; other communication; data on payments and creditworthiness;

6.4.data of own and cooperation partners’ employees and other users of digital services, for example, registration data required for a digital account, for example, username, nickname, password and other identifiers; information about the use of the service, such as the use of service features and browsing information through the user’s digital account; information collected through cookies and other similar technologies, such as the Data Controller websites and pages browsed by the user, the device model, the individual device and / or the cookie identifier, the channel through which the service is accessed (web browser, mobile browser, application), browser version, IP address, session ID, session time and duration, screen resolution, and operating system; location data, such as coordinates calculated using GPS, WLAN access points, or mobile network base stations, provided that the user has given his or her explicit consent for this purpose;

6.5.data on social media usage, such as the Data Controller’s website, may include social media features such as a Facebook “Like” and “Share” buttons.

 The Data Controller may receive a comment or link that the user shares from the Data Controller’s website on Facebook; the Data Controller may also receive the user’s public profile data on Facebook and any information that the Facebook user shares using the Data Controller’s services. Your interactions with these features are subject to the company’s privacy policy that provides this function, such as Facebook: https: // www.facebook.com/about/privacy/update?ref=old_policy

6.6.Personal identification numbers are processed only for the purposes permitted by law, if it is important to identify the data subject, for example, in case of EDLUS use, also in case of entering the construction site.

7.        Regular sources of information:

7.1.Personal data is collected directly from the data subject when the data subject registers or uses the service; sends their or contact person’s information or makes a request for any information; shows interest in cooperation; places an order; enters into a contract; participates in events or otherwise communicates with the data controller in person, by telephone or digitally.

7.2.Personal data may also be received from the data subject’s direct employer, its representative in the case of use of the electronic working time accounting system, as well as by submitting a list of employees on the construction site on the basis of Cabinet Regulation No. 92.

7.3.Personal data may also be collected and updated through business and other websites, public and private registers, public authorities, postal operators, public telephone directories, direct marketing and other data intermediaries and other similar public and private registers.

8.      Disclosure and transfer of data:

8.1. The data controller may disclose personal data to other companies whose services the data controller uses and makes available to its own or its partners’ employees, for example in the case of the use of an electronic working time accounting system.

8.2. The data shall not be disclosed to other persons, except when required by the legal or contractual obligations of the data controller or at the request of the controlling authorities.

8.3. The data controller may outsource the provision of information technology, marketing, communication and other functions. In this case, the data controller may transfer personal data to these external service providers to the extent necessary for the provision of their services. These external service providers process personal data on behalf of the data controller and must comply with the data controller’s instructions, this privacy policy and the data controller ensures that the personal data are processed in accordance with legal requirements by concluding agreements with appropriate provisions.

8.4. Personal data is not regularly transferred outside the European Union (EU) or the European Economic Area (EEA). However, if there is a need to transfer data outside the EU or the EEA, the Data Controller ensures that the country to which the data is transferred is approved by the European Commission as having an adequate level of privacy protection or uses the standard clauses approved by the European Commission.

9.      Data protection and retention:

9.1. Access to personal data is restricted to those persons who need to process the data as part of their work or other duties. Digital data is protected by firewalls, passwords and other technical means. All data is stored in locked rooms that are protected by physical means of access control.

9.2. After the termination of the customer relationship, personal data is stored for the duration of the contractual and legal rights and obligations, as well as until the end of the retention and liability periods, in accordance with, for example, the Archives Law, Taxes and Duties Law, Construction Law, Consumer Protection Law , the Law On Accounting, the Civil Law and the Civil Procedure Law.

9.3. At the expiry of the relationship between customers and partners, the Data Controller may retain anonymised data, as well as the above-mentioned basic information (except for the personal identification number), and the data subject’s marketing data for direct marketing purposes.

10.    Data subject’s access, rectification and other rights:

10.1.  Data subjects have the right to know what kind of personal data about a particular subject are collected and processed by the data controller. At the request of the data subject, we will correct, delete or supplement any incorrect, unnecessary, incomplete or outdated personal data.

10.2.  Data subjects have the right to prohibit the use of data for direct advertising and other forms of direct marketing, as well as to prohibit the use of data in surveys and market research.

10.3.  Data subjects may also withdraw the consent they have given, object to the processing of the data or restrict its processing in cases provided for by law, and they have the right to lodge a complaint with the supervisory authority.

10.4.  Requests can be submitted using the contact information listed in section 1 above. The data controller may need to ask for additional information to confirm the identity of the data subject. The data controller shall ask the data subject to specify, including to extend, the time limit for data processing, including termination of processing.

11.  Principles of organization of data protection:

11.1.                     The organization of data protection, security policy and other binding documents shall be developed and reviewed by the designated data protection officer at least once a year;

11.2.                     The costs of limiting data security risks and ensuring business continuity are commensurate with the potential losses that could occur in the event of these risks.

11.3.                     The controller promotes the data subject’s awareness of the responsibilities for ensuring the protection of information systems by obliging the data subject to get acquainted with the security policy and other binding documents, as well as by conducting regular training of employees at least once a year.

11.4.                      The controller shall inform the data subject of security events and incidents which may jeopardize the security of the data subject’s personal data within 72 hours of the detection of the incident.