When receiving Personal data from the Customer, the Company acts as data manager within the meaning of the definition given in Article 4 (7) of the Regulation. The Company establishes and maintains appropriate technical and organizational measures to ensure the Customer's Personal Data Processing complies with the requirements of the laws and regulations governing the Personal Data Processing (including but not limited to the Regulation) and to protect Personal Data from accidental or unlawful destruction, deleting or losing, modifying, disclosing, or accessing, including measures against physical hazards and measures implemented by software.
If the data specified by the Customer has changed or the information on the Customer processed by the Company is inaccurate or incorrect, the Customer has the right to request this information to be changed, adjusted or corrected. The Company takes no responsibility for inaccurate, incomplete or incorrect data provided by the Customer.
Processing – any action or set of actions performed on Personal Data (including collection, use, registration, organization, modification, disclosure, destruction, storage or any other action making the Personal Data available, etc.). The definition corresponds to the definition in Article 4 (2) of the Regulation. Processing can be done either manually or using automated systems such as information technology systems.
Customer – any natural or legal person that visits the website of the Company: www.bioveikals.lv and uses, have used or has indicated that will use any of the Services provided by the Company in relation with the purchase of the goods, or is related to them in any way.
Agreement – distance agreement between the Company and the Customer.
Services – purchase of good available in the website of the Company www.bioveikals.lv.
Personal data – any information on natural persona which allows to directly or indirectly identify this person. The definition corresponds to the definition in Article 4 (1) of the Regulation.
Regulation – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), in force since May 25 2018.
Company – Limited Liability Company “Simantik Trade”, Registration No. 40103994869, VAT Registration No. LV40103994869, legal address: Vites Street 4, Malpils District, Latvia LV-2152, website: www.bioveikals.lv , acting as a data manager of the Personal data.
Personal Data Categories, Legal Basis of Data Processing and Data Processing Purposes.
The Company performs Customer Personal Data Processing in accordance with the following Personal Data Processing legal basis and purposes:
Sources of Personal Data Acquisition.
Customer Personal Data may be collected directly from the customer or from the use of Services by the Customer.
Recipients of the Personal Data.
By providing Personal Data to the Company, the Customer agrees that the Company is entitled to receive and transfer Customer’s Personal Data to the data managers and third parties in order to perform the fulfillment of purpose of the Personal Data Processing including but not limited to:
- the Company is entitled to transfer the Personal Data necessary for the execution of payments and for the execution of the delivery to the authorized processors of the Company: Wordline Latvia Ltd. and Omniva Latvia Ltd.;
- to any auditor, revisor, financial adviser, legal adviser, attorney-at-law, sworn notary and / or sworn bailiff or other Data Processor selected and authorized by the Company;
- to the state and municipal authorities (such as law enforcement and financial investigation authorities, courts, out-of-court settlement bodies, bankruptcy or insolvency administrators);
- to recognized market and public opinion research companies (within the EU) - to conduct surveys and research on the Services offered by the Company;
- to other persons involved in the provision of the Company's Services, including payment institutions, banks, archiving, postal and courier service providers, etc.
The Company is also obliged to transfer the Personal Data to state or municipal institutions in the cases specified by regulatory enactments (e.g. to the Consumer Rights Protection Center, law enforcement and financial investigation institutions, courts, out-of-court dispute resolution bodies, insolvency administrators, etc.).
Territory of Personal Data Processing.
Personal Data are Processed within the European Union/ European Economic Area (ES/EEA). However, if Personal Data is transferred outside the European Union / European Economic Area (EU/EEA), the Company undertakes to take all necessary precautions to ensure the same security level for Personal Data as in the European Union/European Economic Area (EU / EEA), and appropriate guarantees in accordance with Article 46 of the Regulation. The Company will only transfer Personal Data if there is a legitimate basis for that, including sending Personal Data to a recipient who is (i) located in a country that provides an adequate level of protection of Personal Data, or (ii) in accordance with the instrument containing EU requirements for the transfer of Personal Data outside the EU.
Term of storage of Personal Data.
The Company stores Personal Data in accordance with the purposes of the Personal Data, as well as the requirements of the Regulation and laws and regulations, for as long as any of the legal bases for Personal Data Processing exists, unless the applicable law provides for a longer storage period. Where the same Personal Data is processed for multiple purposes, such data shall be stored for the maximum applicable storing period.
The storing period of Personal Data processed may be based on Customer's (data subject's) consent (until revoked, unless other basis exists for the Personal Data Processing), on the Agreement, Company's legitimate interests or applicable laws (accounting and filing laws, civil law and the limitation period for claims, for example for provision of evidence against claims of non-compliance with the Service and/or fulfillment of the obligations under the Agreement, as well as for provision of evidence against the possible claim arising from the tort, there is a storage term of ten years from the day of the execution of Service or Agreement, etc.).
If any of the legal bases for the processing of Personal Data no longer exists, and the law does not provide for a longer storage period for Personal Data, the Company shall delete files containing Personal Data.
Automated decision making and profiling.
The Company carries out profiling in order to offer other Services to the Customer with whom the Agreement has already been concluded, through direct marketing (if the Customer so agrees). The legal basis for such Processing is the Company's legitimate interest in offering its Services to the market. Profiling does not have any legal consequences for the Customer and does not otherwise significantly affect it, as it does not affect the Agreement already concluded.
The following information is automatically collected for each visit to the Company's website:
1) technical information (e. g., device type, address of Internet Protocol (IP) and Internet Service Provider (ISP), used to connect the device with internet; registration information; type and version of the browser; time zone settings, browser plug-in types and versions, operating system and platform, screen resolution, location, font encoding;
2) information of the visit, including full URLs, click streams to, though, and from the website (including date and time); viewed and searched services; referrer / exit pages, files viewed on a website (e.g. HTML pages, graphics, etc.), page response times, download errors, specific page visit length, page interaction information (such as scrolling, clicks, and mouse redirects), and methods used to leave the page, date / time stamps and / or click stream data, and any telephone number used to contact the Company’s representative.
Automatic Personal Data Processing is performed in the website of the Company in order to assess certain personal features of the Customer and to improve Customer’s experience of using digital services, for example, adjusting the displaying of Services in Customer’s device and creating personalized offers for the Customer; performing Customer Data Analysis and Consulting; for the purposes of direct marketing; for the automated decision making, e.g. to ensure remote Services, including Service monitoring to prevent fraud. Automatic Personal Data Processing is based on the Company’s legitimate interests, fulfillment of legal obligations, fulfillment of the Agreement, or Customer’s consent.
Unless the Customer has restricted direct marketing in relation to himself, the Company may process Personal Data for the preparation of generic and personalized offers. Such marketing may be based on the Services used by the Customer and how the Customer acts in the digital channels of the Company. For the profiling based on personalized offers and marketing, that is performed in accordance with the legitimate interests of the Company, the Company ensures the option for Customers to choose and use of a convenient tool to manage their privacy settings.
The Company may also collect statistical data of the Customer, including for the for characteristic behavior. Statistical data for the creation of segments/profiles may be obtained from external sources as well and may be combined with the internal data of the Company.
Rights of the Customer (data subject).
Customer has the following rights:
- To receive information, whether the Company processes the Personal Data of the Customer (data subject) and, if so, to access the Data and obtain information in accordance with Article 15 of the Regulation, on how the Data is processed and where are they transferred;
- To request the correction of Customer’s Personal Data if it is inappropriate, incomplete or incorrect;
- To object against the Processing of Customer’s Personal Data, if the use of Personal Data is based on legitimate interests of the Company including profiling for the purposes of direct marketing (e.g., to receive marketing offers or participation in surveys), except if the Manager invokes compelling legitimate reasons for the Processing that are more important than the interests, rights and freedoms of the Customer (data subject) or to raise, enforce or defend lawful claims;
- To request the deletion of the Customer’s Personal Data, for example if Personal Data is processed on the basis of consent and if the Customer (data subject) has withdrawn his/her consent. This right shall not apply if the Personal Data for which the deletion is requested is also processed on another legal basis, such as a Agreement or obligations under the relevant laws or regulations, or in other cases provided for in the Regulation where there are legitimate basis for Processing the Personal Data;
- To restrict the processing of your Personal Data in accordance with applicable laws and regulations, for example, within the period while the Company is evaluating whether the Customer (data subject) has the right to delete his/her Personal Data;
- To receive own Personal Data (data transferability), that Customer has provided and that is being processed on the basis of a consent and the performance of an Agreement in a written form or via any of commonly used electronical formats and, if possible, to transfer such data to other service provider;
- To revoke the consent to the processing of Customer’s Personal Data if the Personal Data is provided to the Company on the basis of the Customer's (data subject's) consent (the revocation of consent does not affect the legality of the Processing based on the consent prior to revocation);
- Not to be subjected to fully automated decision making, including profiling, if such decision making has legal consequences or which significantly affects the Customer (data subject) in a similar way. This right shall not apply if the decision making is necessary for the conclusion or performance of the Agreement with the Customer (data subject), if the decision is permitted under applicable law or if the Customer (data subject) has given its explicit consent;
- To submit complaints about the processing of Personal Data to the Data State Inspectorate (www.dvi.gov.lv) if the Customer considers that the Processing of Personal Data violates its rights and interests in accordance with the applicable laws and regulations.
Contact details of the Company and identification of the Customer.
In order to ensure the protection of the Personal Data, the personal identification in communication with the Customer will be performed according to the following criteria. In order to expedite electronic and telephone service, we kindly ask the Customer to make timely contact information renewal.
Upon receipt of the Customer's request for data provision or other exercise of the Customer’s rights, the Company shall verify the Customer’s identity. For this purpose, the Company is entitled to ask the Customer to provide Personal data for comparison if they comply with the Data held by the Company. When performing this verification, the Company is entitled to send a control notification to the phone number or e-mail address of the Customer and ask for the authorization. If the control procedure is failed (e.g., Customer’s submitted data do not comply with the Data held by the company or the Customer hasn’t performed authorization after sending the text message or e-mail notification), the Company will be forced to determine that the Customer is not a data subject of the requested data and will be forced to reject the request submitted by the Customer. Upon receipt of Customer’s request for enforcement of any Customer rights and successful verification procedure specified above, The Company shall be obliged to provide to the Customer without delay, but in any event not later than within 1 (one) month from the receipt of the Customer’s request and completion of the verification procedure, information on the activities performed by the Company related to the Customer’s request. Taking into account the complexity and number of requests, the Company is entitled to extend the period of 1 (one) month for a further 2 (two) months, informing the Customer thereof by the end of the first month and indicating the reasons for such extension. If the Customer's request is submitted by electronic means, the Company will also respond by electronic means unless this is impossible (e.g., due to large amount of information) or if the Customer has requested otherwise. The Company is entitled to refuse to satisfy the Customer’s request providing a reasoned reply by informing the Customer thereof in writing if the circumstances specified in the legal enactments are established. If the Customer’s (data subject’s) requests are obviously unreasonable or excessive, in particular because of their regular repetition, the Company, as manager, may either: (a) require a reasonable charge, considering the administrative costs related to the provision information or performing the requested action; or (b) refuse to comply with the request.
In case of questions or uncertainties related to the processing of Personal Data or where the Customer wishes to revoke his/her consent to the processing of his/her Personal Data, the Company kindly asks to contact by writing to the e-mail address: [email protected] or via post by writing a letter to the Company’s address: Limited Liability Company “Simantik Trade”, actual address: Geraniju Street 11, Riga, LV-1067.