Privacy Policy

1. Purpose and scope of the privacy policy

1.1. The Privacy Policy (hereinafter – the Policy) describes and provides information to identifiable natural persons (hereinafter – the Data Subject) how the Controller processes the Data Subject’s personal data, incl. if they have decided to visit the website maintained by the Controller www.kokubaze.lv, contact the Controller using the indicated telephone numbers or e-mail, have decided to visit the Controller’s company premises in order to familiarize themselves with current offers or receive services/purchased goods.
In this Policy the Controller has described measures to ensure that the interests and freedoms of the data subject are protected, while ensuring that the data is processed in good faith, lawfully and in a transparent manner for the data subject.

1.2. The policy applies to the processing of data of natural persons, regardless of the form and/or environment in which the natural person provides personal data (entering the territory and/or premises, by telephone, verbally, etc.) and in which systems of the Manager (video, audio, web etc.) they are processed.

1.3. If this Policy is updated (updated), all changes, as well as historical versions of the Policy for the last two months, will be published on the Controller’s website in the Privacy Policy section. In case you are interested in the revision of the Policy for a longer period, please contact the Manager using the contact information provided below. In any case, amendments to this Policy shall enter into force on the date specified in the notices of changes to this Policy.

2. Manager

2.1. The controller of personal data processing is the limited liability company “ImpExWood” (unified reg. No. 40003808554, contact information: Meža iela 8, Limbaži, LV4001, telephone: 280001142, e-mail address: info@impexwood.lv, website www.impexwood .lv) (in this Policy – ​​Controller).

3. Applicable legal acts

3.1. Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) ( hereinafter – the Regulation), as well as the Law on the Processing of Personal Data of the Republic of Latvia.

3.2. Other applicable legal acts in the field of data processing and protection of natural persons, including laws and regulations regulating information society services.

4. Purposes of personal data processing

4.1. The controller processes personal data on the basis of these regulations as a responsible processor, mainly for the purpose of preparing sales offers for our products and services. The manager can also process personal data as a processor authorized by other persons (e.g. a representative of the manufacturer and service provider of the products to be sold, the transport service provider). The privacy regulations of the respective responsible processors may have been applied to the processing of the verifiable personal data of other responsible processors, which we recommend that you familiarize yourself with separately.

4.2. The controller, as the responsible processor, on the basis of the contract concluded with the data subject, processes personal data necessary for the preparation of the contract to be concluded with the data subject, the identification of the contract partner, the contract and additional obligations arising from the contract (e.g. sales guarantee, additional guarantee, withdrawals) for mutual enforcement, communication with state authorities (including, for example, the Department of Road Traffic and Safety), for the purpose of fulfilling legal obligations and for resolving legal issues and disputes. The following data are primarily processed within it: name, surname, personal identification number, address, telephone number, e-mail address of the customer and his representative, information about the vehicle and related services and the fulfillment of the relevant obligations.

4.3. The controller, as the responsible processor, processes personal data for the following purpose in the event of a justified interest:

• To maintain and analyze the customer base in order to improve the range of services and products and create better offers for customers with the help of analysis results;
• transferring to a company organizing customer satisfaction surveys;
• Manager for the delivery of advertising and information materials by mail or e-mail (direct marketing).

The following data are primarily processed within it: name, surname, personal identification number, address, telephone number, e-mail address, information about the vehicle and its related services .

4.4. The manager is constantly developing his offer of goods and services. In order to improve the quality of services offered to data subjects and improve their experience, the Manager has the right to process other personal data in addition to those mentioned in these regulations. For the same reasons, the Manager may need to process data for other purposes, in addition to those specified in these regulations. In the event of the need specified in this paragraph, the Controller evaluates the legality of the relevant processing, ensures that the data subject is aware of the relevant processing and the related rights in accordance with the requirements of legal acts

4.5. The manager has introduced:

• video surveillance with the aim of preventing or detecting criminal offenses related to the protection of persons and property, the protection of the legal interests of the Manager or a third party and the protection of vital interests of persons, including life and health;
• making audio recordings of telephone conversations with the aim of ensuring and improving the quality of the services provided by the Controller and the protection of the legal interests of the Controller;
• preservation and accounting of incoming and outgoing communication (e-mails, postal letters and other types) in order to ensure that the Controller’s legitimate interests are respected.
• Representation of events organized by the manager or its group of companies in the mass media and social networks to ensure recognition of the company, its group, as well as the brands of the represented manufacturers.
• The controller analyzes the visit history for the purpose of market research and analysis of the opinions of data subjects, as well as for statistics and the use of certain website functions and the display of website content according to the user.
  

4.6. The purposes of data processing of the person mentioned in this policy are not to process data of special categories, for example, related to race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or data related to health or sexual orientation.

4.7. When processing personal data for other purposes, which are not specified in this Policy, the Controller informs the data subject separately about the individual conditions of their processing, observing the conditions of Article 13 of the Regulation. In this Policy, the controller has allocated data processing in order to fulfill, in particular, the conditions of Article 14 of the Regulation, that is, personal data is not obtained knowingly from the data subject.

5. What personal data is processed by the Controller?

5.1. In addition to the above, the categories of personal data processed by the Controller depend on the services of the Controller used by natural persons. For example,
a) when a data subject
enters/gets to the Controller’s service center, premises or its territory where video surveillance is carried out, its video image and the time when it visited the premises may be processed. Environmental monitoring is not carried out in areas where data subjects expect increased privacy, in rest areas, dressing rooms, etc. Video surveillance camera recording areas are focused on corridors, entrances/exits, their flow of cars in the Manager’s territory; no., unless the caller has taken measures to prevent it from being discovered;
c) when communicating in writing with the Manager, the content and time of the communication may be saved, as well as information about the communication tool used (e-mail address, phone, no. ., skype username, etc., address);
d) when attending events organized by the Manager or its group, event visitors may be photographed, recorded in video materials, and may also be asked to give interviews or an opinion about the course of the event, recording your name , surname and, if necessary, additional information that you would like to provide. The relevant materials can be used to create the Manager’s archive and ensure brand recognition by publishing video recordings, photographs on social networks of the Manager, its group companies or represented manufacturers, as well as in any mass media. Also, especially if you have received an invitation to one of the events organized by the Controller or its group, then in order to ensure the safe conduct of the event, additional information may be requested from you that identifies you (name, surname, personal identification number, etc. )
e) The Controller analyzes the history of visits using online identifiers, as well as the information deliberately left by the data subject (for example, evaluation of the service provided, experience of visiting the website, movement, information about the desire to attend one of the events organized by the Controller, etc. etc.) to conduct market research and opinion analysis.

6. What is the legal basis for the processing of personal data?

6.1 video surveillance with the aim of preventing or detecting criminal offenses related to the protection of persons and property, the protection of the legal interests of the Controller or a third party and the vital interests of persons, including life and health protection. Video surveillance is carried out on the basis of Article 6, Clause 1, subparagraphs d) and f) of the Regulation, i.e.

• The processing of personal data is necessary to protect the vital interests of the data subject or another natural person (for example, in video surveillance, if the processing of personal data is necessary to protect the life and health of a person, which are related to the prevention and/or detection of criminal offenses);
• To ensure the legitimate interests of the administrator and third parties (for example, to prevent or detect criminal offenses related to property protection, provide evidence, ensure the highest standards of customer service quality).

6.2. Making audio recordings of telephone conversations with the aim of ensuring and improving the quality of services provided by the Manager and protecting the legal interests of the Manager. Audio recording of telephone conversations is made (if made) based on Article 6, Clause 1, subparagraph f) of the Regulation, i.e. To ensure the legitimate interests of the administrator and third parties (for example, to investigate cases where complaints have been received about the quality of customer service, as well as to provide evidence against possible claims).

6.3. incoming and outgoing communications (e-mail (letters, postal letters and other types) are stored and recorded on the basis of Article 6, Clause 1, subparagraphs c) and f) of the Regulation.

• in order to ensure the fulfillment of the obligations of the Manager defined in the regulatory acts, that is, to list correspondence, in accordance with the nomenclature of the Manager and the requirements arising from the “Archives Law”;
• to ensure that the Controller’s legitimate interests are respected, for example (for example, to investigate cases where complaints have been received about the quality of customer service and also to provide evidence against possible claims).

6.4. Representation of events organized by the manager or its group of companies in the mass media and social networks to ensure recognition of the company, its group, as well as the brands of the represented manufacturers. In corporate events, personal data is processed on the basis of Article 6, Clause 1, subparagraphs a) and f) of the Regulation, i.e.

• The Controller is entitled to process personal data if the Data Subject himself has given his consent to the processing of his personal data for one or more specific purposes. The consent of a person is his free will and independent decision, which is given voluntarily, thus allowing the Controller to process personal data for the purposes specified in this Policy. A person’s consent is binding if it is given orally (for example, before the event and in this Policy, the person is provided with information that personal data will be processed and the person, by attending the event, giving interviews, deliberately taking photos and filming, agrees that his personal data will be used to achieve the goals specified in this Policy). The individual has the right to withdraw their previously given consent at any time using the contact information provided in this Policy. Withdrawal of consent does not affect the lawfulness of data processing carried out at the time when the person’s consent was valid. By withdrawing the consent, the processing of data, which is carried out on the basis of other legal bases, for example, on the basis of the legitimate interests of the Controller and third parties (group companies, car manufacturers), cannot be stopped.
• The controller has a legitimate interest in reflecting the events it organizes or the events in which it takes part in the mass media and social networks, thus ensuring the recognition of its brands or the brands it represents. When choosing which information to publish, the controller always applies the highest ethical standards, thus, trying to ensure that the rights and freedoms of data subjects will not be violated by publications. At the same time, the Controller is aware that it may not be aware of all the facts and circumstances, therefore, in order to ensure fair data processing, it does not prevent any of the data subjects from contacting the Controller at any time using the above information in order to object to the data processing.

6.5. The manager conducts the analysis of the history of visits to the website, social networks, in order to conduct market research and analysis of the opinions of data subjects, based on Article 6, paragraph 1, subparagraph f) of the Regulation, i.e.
The manager has a legitimate interest in conducting an analysis that shows whether can testify to the recognition of its brand or the brands it represents.

7. What is the period of personal data processing?

7.1. When choosing the criteria for storing personal data, the manager takes into account the following circumstances:

7.1.1. whether the period of storage of personal data is determined or follows from the regulatory enactments of the Republic of Latvia and the European Union;
7.1.2. for what period is it necessary to store the relevant personal data in order to ensure the realization and protection of the legitimate interests of the Controller or a third party;
7.1.3. until the consent given by the person to the processing of personal data has not been revoked and there is no other legal basis for data processing, for example to fulfill obligations binding on the Controller;
7.1.4. The manager needs to protect the vital interests of the Data subject or other natural person, including life and health.
7.1.5. video surveillance recordings with the aim of preventing or detecting criminal offenses related to the protection of persons and property, the protection of the legal interests of the Manager or a third party and the protection of vital interests of persons, including life and health, will be stored for a period not exceeding 30 days, unless the relevant video recording possibly illegal behavior or behavior that will possibly help the Manager or third parties to secure their legal interests will not be reflected. In this case, the relevant video recording can be retrieved and saved until the legal interest is ensured.
7.1.6. audio recordings of telephone conversations with the aim of ensuring and improving the quality of the services provided by the Controller and protecting the legal interests of the Controller will be stored for a period not exceeding sixty days, unless the corresponding audio recording does not reflect potentially illegal behavior or behavior that will possibly help the Controller or third parties to ensure their legal rights interests. In this case, the relevant audio recording can be retrieved and saved until the legal interest is secured.

7.2. the preservation and recording of incoming and outgoing communications (e-mails, postal letters and other types) in order to ensure that the Controller’s legitimate interests are respected, will be kept for a period not exceeding five years, unless the relevant communication reflects potentially illegal behavior or behavior that, if possible, will help the Manager or third parties to ensure their legal interests.

7.3. Representation of events organized by the manager or its group of companies in the mass media and social networks to ensure recognition of the company, its group, as well as the brands of the represented manufacturers. In order to ensure the historical development of the company, the Manager plans to store the obtained information independently. Also, in order to fulfill the principle of fair data processing, the Controller explains that, subject to the fact that the purpose of the data processing referred to in this paragraph is to make public information about the activities of the Controller, its group or represented producers, then the obtained materials will be publicly available and any third party will be able to access them .

7.4. The controller analyzes the visit history for market research and analysis of the opinions of the data subjects.

7.5. After the end of the storage period, personal data will be permanently deleted.

8. Who accesses the information and to whom is it disclosed?

8.1. The controller is obliged to provide information about the processed personal data:
8.1.1. law enforcement authorities, courts or other state and local government institutions, if it follows from the regulatory enactments and the relevant institutions have the right to the requested information, if it has been specifically requested;
8.1.2. if personal data must be transferred to the relevant third party within the framework of the concluded contract in order to perform some function necessary for the performance of the contract (for example, in the case of an insurance contract for the realization of the legitimate interests of the Manager; when a photographer performs photo work) or if it is necessary to improve better service and quality services to the client;< 8.1.3. in accordance with the clear and unambiguous request of the Data Subject;
8.1.4. for the protection of legal interests, for example, by applying to the court or other state institutions against a person who has violated the legal interests of the Manager.

8.2. Recipients of personal data can be employees authorized by the Controller, Processors, law enforcement and supervisory institutions.

8.3. The manager acts as a distributor of products and services. At the same time, the Manager may use subcontractors in the sale of its goods and services. Therefore, the transfer of personal data to our suppliers or subcontractors may be necessary or useful for data processing to the extent permitted by these regulations.

8.4. The manager will provide the personal data of natural persons only to the necessary and sufficient extent, in accordance with the requirements of regulatory acts and the justified objective circumstances of the specific situation.

8.5. Personal data specified in this Policy is not intended to be sent to a third country (a country that is not a member of the European Union or the European Economic Area), except for data processed in the electronic environment. In this case, the Processors selected by the Controller (google.com (google analytics), facebook.com, twitter.com, snapchat, etc.) are recognized as companies operating outside the European Union and European Economic Area member states, so the Controller invites familiarize yourself with the privacy policies of these companies or contact the Manager separately with a request to provide additional information on the conditions of cooperation.

9. How is the Data Subject informed about the processing of personal data?

9.1. The data subject is informed about the processing of personal data specified in this Policy using a multi-level approach, which includes the following methods:
notifications are placed in video surveillance locations, with which data subjects (pedestrians, drivers, visitors, employees, etc.) are warned that the Controller video surveillance takes place in the territory, providing basic information related to video surveillance, as well as informs about the possibilities to receive more detailed information;

• when calling the contact numbers specified by the Manager, the data subject is informed about the audio recording (if it is made), inviting them to familiarize themselves with additional information in this policy or to ask the Manager’s employee who is being called;
• when announcing information about the Manager’s events, the Manager provides basic information, inviting you to familiarize yourself with this Policy or ask the Manager before or during the event;
• when visiting the website, the Data Subject can get acquainted with the notification about which cookies are used, and is also invited to get acquainted with this Policy;

9.2. This Controller’s Policy is publicly available on the Internet on the Controller’s website www.skandimotors.lv and at the Controller’s customer service locations.

10. Rights of the data subject

10.1 The data subject has the right to request access to his personal data from the Controller and to receive detailed information about what personal data about him is at the disposal of the Controller, for what purposes the Controller processes this personal data, categories of recipients of personal data (persons , to whom personal data has been disclosed or to whom it is intended to be disclosed, unless the laws and regulations in a specific case allow the Controller to provide such information (for example, the Controller cannot provide the Data Subject with information about the relevant state institutions that are the promoters of criminal proceedings, subjects of operative activity or other institutions, about for which regulatory enactments prohibit the disclosure of such information)), information about the period for which personal data will be stored, or the criteria used to determine the said period.

10.2. If the Data Subject believes that the information held by the Manager is outdated, inaccurate or incorrect, the Data Subject has the right to request correction of his/her personal data.

10.3. The data subject has the right to request the deletion of his personal data or to object to the processing if the person believes that the personal data have been processed unlawfully or are no longer necessary in relation to the purposes for which they were collected and/or processed (implementing the principle of the right to be forgotten “).

10.4. The Controller informs that the personal data of the Data Subject cannot be deleted if the processing of personal data is necessary:

• for the Controller to protect the vital interests of the Data Subject or other natural person, including life and health;
• to protect the Controller’s property;
• for the Manager or a third party to raise, implement or defend legal (legal) interests;
• for archiving purposes in accordance with the laws and regulations in force in Latvia, which regulate the creation of archives.

10.5. The data subject has the right to request that the Controller restricts the processing of the data subject’s personal data if one of the following circumstances exists:

• The data subject disputes the accuracy of the personal data – for the period during which the Controller can verify the accuracy of the personal data;
• the processing is illegal and the Data Subject objects to the deletion of the personal data and instead requests the restriction of the use of the data;
• The Controller no longer needs the personal data for processing, but it is needed by the Data Subject to bring, exercise or defend legal claims;
• The data subject has objected to the processing until it has been verified that the legitimate reasons of the controller do not outweigh the legitimate reasons of the data subject.

10.6. If the processing of personal data of the Data Subject is limited in accordance with 10.5. paragraph, such personal data, except for storage, are processed only with the Data Subject’s consent or in order to raise, implement or defend legal claims, or to protect the rights of other natural or legal persons, or important public interests.

10.7. Before canceling the limitation of personal data processing of the Data subject, the Manager informs the Data subject.

10.8. The data subject has the right to submit a complaint to the State Data Inspectorate if he believes that the Controller has processed his personal data illegally.

10.9. The data subject can submit a request for the exercise of his rights in the following way:

• in written form in person at the Controller’s premises, presenting a personal identification document (e.g. passport or ID card, etc.), as the Data Subject is obliged to identify himself;
• in the form of electronic mail, signing it with a secure electronic signature. in this case, it is presumed that the data subject has identified himself, by submitting a request signed with a secure electronic signature. At the same time, the Manager reserves the right to request additional information from the data subject in case of doubt, if he considers it necessary.
• by mail. in this case, the reply will be prepared and sent by registered mail, thus ensuring that unauthorized persons cannot receive this shipment. At the same time, the Manager reserves the right to request additional information from the data subject in case of doubt, if he considers it necessary.

10.10. In addition, the Data Subject is obliged to specify the date, time, place and other circumstances in his request as much as possible, which would help fulfill his request.

10.11. After receiving a written request from the Data Subject for the exercise of their rights, the Controller:
10.11.1. ascertains the identity of the person;
10.11.2. evaluate the request if:

• can provide a request, for example viewing video footage or listening to an audio recording, then the Data Subject as the requester can receive a copy of the video footage or audio recording or other data.
• additional information is needed to identify the Data Subject who requests the information, then the Controller may ask the Data Subject for additional information in order to be able to correctly select information (for example, video surveillance or conversation recordings, photographs) in which the Data Subject can be identified.
• information has been deleted or the person requesting the information is not a Data Subject or the person is not identifiable, then the Controller may reject the request in accordance with this Policy and/or regulatory enactments.

10.12. If the data subject has refused the processing of personal data, the transfer of personal data or has requested the limitation of processing of personal data or the deletion of personal data, it may become impossible for the Manager to provide the service to the data subject in accordance with the contract. In such a case, the Manager has the right to refuse to fulfill the contractual obligations and provide the service and/or unilaterally terminate the contract concluded between the Manager and the data subject.

11. How is personal data protected?

11.1. The controller provides, constantly reviews and improves personal data protection measures to protect the personal data of natural persons from unauthorized access, accidental loss, disclosure or destruction. To ensure this, the Manager uses appropriate technical and organizational requirements, including using firewalls, intrusion detection, analysis software and data encryption.

11.2. The Manager carefully checks all service providers that process personal data of natural persons on behalf and on behalf of the Manager, as well as evaluates whether cooperation partners (personal data processors) apply appropriate security measures so that the processing of personal data of natural persons takes place in accordance with the Manager’s delegation and the requirements of regulatory acts.

11.3. In the event of a personal data security incident, if it will create a possible risk to the rights and freedoms of the data subject, the Controller will notify the respective Data Subject, if possible, or the information will be made public on the Controller’s website or in another possible way, such as through the media (TV, radio, newspaper, social networks, etc.).