APPROVED

P.Zaļizko, Chairman of the Board of SIA “Olivia Clinic”

15 September 2020

SIA “Olivia Clinic” Privacy Policy

 

The Privacy Policy is intended to provide information to a natural person – the data subject – regarding the purpose, legality, scope, security and processing period of personal data during the collection and processing of personal data.

Data Controller and its Contacts:

  1. Personal data controller, in relation to the visitors of SIA “Olivia Clinic”; customers; website visitors, as well as candidates for vacancies who have submitted an application: SIA “Olivia Clinic”, unified registration No. 45403057303, registered address: Dīķa iela 44, Riga, LV-1004 (hereinafter – the Company).

 

  1. The Company’s contact information on issues related to the processing of personal data, including information on potential data protection violations, is datuaizsardziba@oliviaclinic.lv

 

  1. You may ask questions about personal data protection by using this contact information or visiting the registered address of the Company. The person may submit a request to exercise their rights as stipulated in Paragraph 24.

 

General Provisions

 

  1. Personal data is any information about an identified or identifiable natural person.

 

  1. The Privacy Policy applies to the protection of privacy and personal data in relation to the following groups (hereinafter together – the Customers):
    1. natural persons – candidates (applicants);
    2. Company’s customers (including potential, former and existing customers);
    3. visitors of the website maintained by the Company.

 

  1. The Company shall ensure the privacy and protection of the Customer personal data, shall comply with the Customer’s rights to legal processing of personal data under the applicable legislation – Personal Data Protection Law, Regulation of the European Parliament and of the Council No. 2016/679 (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter – the Regulation) and other applicable legal enactments in the area of privacy and data processing.

 

  1. The Privacy Policy is applicable to data processing regardless of the form and/or environment in which the Customer has provided personal data (in person, on the Company website, in paper form or by telephone).

 

Purposes of the Personal Data Processing

 

  1. The Company processes personal data for the following purposes:
    1. Provision of services:
      1. Customer (natural person) identification;
      2. preparation and conclusion of the contract;
      3. provision of services;
      4. development of new services;
      5. consideration of objections or claims;
      6. payment management;
      7. debt recovery and collection;
      8. website maintenance and improvement;
    2. business planning and analytics;
    3. Customer safety, protection of company property;
    4. In order to ensure the process of selection of employees and safeguard the legal interests of the Company in regard to recruitment:

8.4.1. to assess the candidate’s compliance with the requirements set by the Company for the specified vacancy;

8.4.2. to enter into an agreement with a candidate who meets the Company’s requirements;

8.4.3. to raise, enforce and defend the Company’s legal claims.

    1. For the legitimate purposes of the Company:

8.5.1. to perform commercial activity;

8.5.2. to verify the identity of the Customer (natural person) before purchasing the services;

8.5.3. to ensure the fulfillment of contractual obligations;

8.5.4. to save the applications and submissions of the Customers regarding the provision of services;

8.5.5. to segment the Customer database for more efficient provision of services;

8.5.6. to design and develop services;

8.5.7. to send other reports on the progress of the performance of the contract and events important for the performance of the contract, as well as to conduct Customer surveys on services;

8.5.9. to prevent fraudulent activities against the Company;

8.5.10. to provide corporate governance, financial and business accounting and analytics;

8.5.11. to ensure efficient company management processes;

8.5.12. to ensure and improve the quality of services;

8.5.13. to administer payments;

8.5.14. to perform video surveillance for business security;

8.5.15. to inform the public about its activities.

 

  1. The Company may process the candidate’s personal data for recruitment purposes for the specific vacancy for which the candidate is applying or for future-oriented recruitment, if the candidate has agreed.

 

Legal Basis of Personal Data Processing

 

  1. The legal basis for the processing of personal data by the Company for the following purposes of personal data processing:

Provision of services:

Article 6 (1)(b) of the Regulation (the processing is necessary for the performance of a contract to which the data subject is party or in order to take action at the request of the data subject prior to the conclusion of the contract),

 

Article 6 (1)(c) of the Regulation (the processing is necessary for compliance with a legal obligation to which the controller is subject); and

Article 6 (1)(f) of the Regulation (the processing is necessary to ensure the legitimate interests of the controller).

Business planning and analytics:
Article 6 (1)(f) of the Regulation (the processing is necessary to ensure the legitimate interests of the controller).

Customer safety, protection of company property:
Article 6 (1)(f) of the Regulation (the processing is necessary to ensure the legitimate interests of the controller).

Personnel selection competition:

Article 6 (1)(a) of the Regulation (the data subject has consented to the processing of his or her personal data for one or more specific purposes),

Article 6 (1)(c) of the Regulation (the processing is necessary for compliance with a legal obligation to which the controller is subject); and

Article 6 (1)(f) of the Regulation (the processing is necessary to ensure the legitimate interests of the controller);

Sections 33, 35 and 38 of the Labour Law.

The legitimate interests of the Company:
Article 6 (1)(f) of the General Data Protection Regulation (the processing is necessary to ensure the legitimate interests of the controller).

 

Personal Data Processing

 

  1. The Company processes the Customer’s personal data by using modern technological capabilities in line with the existing privacy risks and access to organizational, financial and technical resources.

 

  1. The Company may make automated decisions regarding the Customer. The Customer shall be informed about such activities of the Company separately in accordance with the regulatory enactments.

 

  1. Automated decision-making that has legal consequences for the Customer (for example, approval or rejection of the Customer’s application) may be performed only during the conclusion or performance of the contract between the Company and the Customer, or on the basis of the Customer’s explicit consent.

 

Protection of Personal Data

 

  1. The Company shall protect the Customer’s personal data by applying modern technological capabilities in line with the existing privacy risks and the organisational, financial and technical resources reasonably available to the company, including by using the following safety measures:
    1. Firewall;
    2. Intrusion protection and detection programs;
    3. Other protection measures in line with the state-of-the-art technical capabilities.

 

Categories of Personal Data Recipients

 

  1. The Company does not disclose to third parties the Customer’s personal data or any information obtained during the provision of services and the term of the agreement, including information about the services received, except:
    1. in accordance with the Customer’s explicit and unambiguous consent;
    2. to parties pursuant to external regulatory enactments, upon their reasonable request, according to the procedure and scope described in the external laws and regulations;
    3. in the cases provided in the external regulatory enactments for the protection of the legitimate interests of the Company, for example, when bringing an action before the court or other public authority against a person who has violated such legitimate interests.

Personal Data Transfer

  1. The Company does not transfer Personal Data to third parties, except to the extent necessary for the reasonable conduct of business, ensuring that the relevant third parties maintain the confidentiality of Personal Data and provide appropriate protection.

 

  1. The Company has the right to transfer Personal Data to the Company’s suppliers, subcontractors, strategic partners and others who assist the Company in its business in order to implement the relevant cooperation. However, in such cases, the Company requires the recipients of the data to undertake to use the information received only for the purposes for which the data were transferred and in accordance with the requirements of applicable laws and regulations.

 

Third-country Access to Personal Data

 

  1. The Company does not transfer personal data to third countries (outside the European Union and the European Economic Area).

 

Personal Data Storage Period

 

  1. The Company shall store and process the Customer’s personal data while at least one of the following criteria applies:
    1. only as long as the service is provided;
    2. the data are necessary for the purpose for which they were collected;
    3. while the Company or a Customer may implement their legitimate interests pursuant to the external laws and regulations;
    4. as long as the Company has a legal obligation to store the data;
    5. as long as the consent of the Customer to the relevant processing of data is valid, unless there are other legitimate grounds for personal data processing.

 

  1. After the circumstances referred to in Paragraph 19 expire, the Customer’s personal data is deleted. Audit records are kept for at least one year from the date of the audit.

 

  1. The Company shall store and process the personal data submitted by the applicant for 6 (six) calendar months after the end of the selection or until the applicant’s consent to the relevant personal data processing is valid, if there is no other legal basis for data processing, and after this period, the personal data is deleted.

 

 

Access to Personal Data and Other Rights of the Customer

 

  1. The Customer is entitled to receive the information pursuant to the provisions of the law regarding the processing of their data.

 

  1. According to the law, the Customer has the right to request from the Company access to their personal data, as well as to request that the Company supplement, correct or delete the data or limit the processing in regard to the Customer, or the right to object to processing (including personal data processing carried out on the basis of the legitimate interests of the Company), as well as the right to data portability. These rights are enforceable in so far as the data processing is not subject to the obligations of the Company under the applicable laws and regulations that are performed in the public interest.

 

  1. The Customer may submit a request to exercise their rights as follows:
    1. in writing at the Company’s office in Riga (address: Dīķa iela 44, Riga, LV-1004) or by using the postal service;
    2. electronically by signing with a secure electronic signature and sending to the e-mail: datuaizsardziba@oliviaclinic.lv

 

  1. Upon receiving the Customer’s notice on the exercising of rights, the Company shall verify the Customer’s identity, assess the request and execute it in accordance with the laws and regulations.

 

  1. The Company’s response shall be sent to the Customer by post to the contact address indicated by him or her in a registered letter or to an e-mail with a secure electronic signature (if the application is submitted with a secure electronic signature), taking into account the Customer’s preferred manner of response.

 

  1. The Company ensures the execution of data processing and protection requests pursuant to the laws and regulations and in the event of Customer’s objections shall take reasonable actions to resolve the issue. However, if this fails, the Customer has the right to apply to the Data State Inspectorate.

 

  1. The Customer has the right to receive, free of charge, one copy of his or her personal data processed by the Company.

 

  1. The receipt and / or use of the information referred to in Paragraph 28 of this document may be restricted in order to prevent adverse effects on the rights and freedoms of other persons (including the Company’s employees).

 

  1. The Company undertakes to ensure the accuracy of the Personal Data and relies on its Customers, suppliers and other third parties who transfer the Personal Data to ensure the completeness and accuracy of the transferred Personal Data.

 

Customer’s Consent to Data Processing and the Right to Withdraw

 

  1. The Customer consents to the processing of personal data, the legal basis of which is consent (for example, receipt of commercial communications, analysis of personal data, receipt of loyalty cards) in writing at the Company’s reception desk, the Company’s website and mobile applications or other place where marketing activities are organized.

 

  1. The Customer has the right to revoke the consent given for data processing at any time in the same way as it was given and / or in accordance with the procedure specified in Paragraph 24. In such a case, further processing based on the prior consent for the specific purpose will no longer take place.

 

  1. The withdrawal of the consent will not affect the processing carried out at the time the Customer’s consent was in effect.

 

  1. Withdrawal of consent may not interrupt the processing of data on other legal grounds.

 

Commercial Communications

 

  1. Commercial communications regarding services of the Company and/or third parties and other communications that are not directly related to service provision (for example, Customer surveys) shall be carried out by the Company pursuant to the external laws and regulations or on the basis of the Customer’s consent.

 

  1. The Customer consents to the receipt of commercial communications by the Company and / or its partners in writing, in person, at the Company’s office, on the Company’s website and mobile applications or elsewhere where the Company organizes marketing activities.

 

  1. The Customer’s consent to receiving commercial communications is valid until its withdrawal (also after the termination of the service contract). The Customer may at any time opt out of further commercial communications in one of the following ways:
    1. by sending an e-mail to the address: datasaizsardziba@oliviaclinic.lv
    2. by submitting a written application to the Company’s reception desk;
    3. by using the automated opt-out option included in the commercial communication to opt out from receiving further communications by clicking the opt-out link at the end of the relevant commercial communication (e-mail);

 

  1. The Company shall stop sending commercial communications as soon as the Customer’s request is processed. The processing of the request depends on the technological possibilities and can take up to three days.

 

  1. By expressing their opinion in surveys and leaving their contact information (e-mail, telephone), the Customer agrees that the Company may contact them by using the contact information provided in connection with the assessment the Customer has made.

 

Photography and Filming

 

  1. Customers are notified that in certain cases, when the Company’s work is covered in the mass media or the Company’s media (Company’s website), photos or videos of the visitors of the Company’s events may be processed and the legal basis for such processing is to protect the legitimate interests of the Company, unless the interests of the data subject or fundamental rights and freedoms which require the protection of personal data take precedence over such interests, in particular where the data subject is a child.
  2. Prior to the relevant event, the Company shall inform the participants of the event about the planned processing of personal data in accordance with the requirements of Article 13 of the Regulation, placing information on the processing of personal data in invitations and before the entrance to the venue.

 

Website and Cookies

 

  1. Cookies can be used on the Company’s website:
    1. Cookies are files that websites place on users’ computers in order to identify the user and make it easier for the user to use the website. Internet browsers can be configured to alert the customer to the use of cookies and allow the customer to choose whether to accept them. Failure to accept cookies will not prevent the customer from using the website, but it may restrict the customer’s ability to use the website;
    2. The Company’s websites may contain links to third party websites, which have their own terms of use and personal data protection, for the completeness of which the Company is not responsible.

 

 

Other Provisions

 

  1. The Company has the right to make changes and additions to the Privacy Policy, as well as to make it available to the Customer, to publish it on the Company’s website.

 

  1. The Company retains the previous versions of the Privacy Policy and they are available on the website.