We, state joint stock company “Latvijas autoceļu uzturētājs” (hereinafter “LAU” or “we”), provide services. Protecting personal privacy is important to us. We invest resources and, in our daily operations, take care to ensure that personal data is protected.
The purpose of this Privacy Policy is to inform and explain how we protect and process the personal data that comes into our possession. This Policy helps you understand how and for what purposes personal data is processed, and explains the rights and obligations of data subjects.
When processing personal data, we comply with the laws and regulations in force in the Republic of Latvia, binding instructions and rules issued by competent authorities, as well as European Union legislation.
This Privacy Policy applies to every data subject whose personal data we process.
We have prepared this Privacy Policy to be as clear as possible. Before reading further, please note the following terms:
Anonymised data — information that can no longer be linked to a natural person because all elements identifying the person have been removed from the data set.
Personal data — any information relating directly or indirectly to a natural person.
Services — any type of services and goods that we offer and provide.
The information we obtain about a person depends on the nature of the transaction or cooperation. We also obtain information that is provided to us in any form of cooperation.
We may receive personal data in several ways, including:
- when the data subject or their authorised representative provides personal data to us, for example by contacting us, cooperating with us, entering into an agreement, using our Services, requesting information, submitting an application or request, visiting our structural units, or contacting us through our information channels;
- when data is generated while using our Services, for example by visiting or using our website or by calling us;
- when we receive data from other sources, for example when a person participates in an event organised by us where photographs or video recordings may be taken, provided that prior information has been given.
To comply with legal requirements, ensure long-term cooperation and manage credit risk, we may also need to request data from publicly available registers, including credit information and debtor databases.
The types of personal data may vary depending on the Service used or the cooperation involved. In general, we process the following categories of personal data:
Personal identification and contact data — data identifying a person, including contact and communication data, consent data, service and authorisation data, device data, visual data such as photographs and video recordings, identity document data and similar information.
Children’s data — data relating to minors. Where such processing is genuinely necessary, for example in connection with career days or similar events, we apply additional safeguards to ensure that the processing is appropriate.
We process personal data in order to provide Services, ensure cooperation, organise events and carry out other business and social activities related to our operations.
For personal data security purposes and to avoid re-identification, we prefer anonymised data processing where possible. However, the nature of a Service, cooperation or event often makes it necessary to process identifiable personal data.
In certain cases, when checking a person’s creditworthiness for the provision of specific Services, automated individual data processing may be carried out to assess the data subject’s ability to fulfil payment obligations. We may request information from external databases, including credit information and debtor registers. If we have doubts about the data subject’s ability to fulfil payment obligations, the provision of certain Services may be refused in whole or in part. However, the person always has the opportunity to provide information in another way to justify their ability to fulfil the obligations of the chosen transaction.
To promote the development of Services or to carry out other types of assessment, we compile statistics. We process personal data only for specific and necessary purposes, based on appropriate legal grounds, including the following:
Service quality control and opinion surveys. This purpose covers activities necessary to ensure service quality and to obtain opinions about service quality, for example surveys or telephone calls. Processing is carried out on the basis of law and contract.
Handling submitted questions and requests. This purpose covers communication between the data subject and us, including applications, submissions or any form of contact, such as by post, e-mail or telephone. Processing is carried out on the basis of law, contract or the submitted request.
Provision of Services and performance of contracts. This purpose covers the provision of services and the performance of concluded agreements or transactions. Processing is carried out on the basis of law and contract.
Payment administration. This purpose covers activities related to settlements with persons. Processing is carried out on the basis of law and contract.
Entering into or amending contracts. This purpose covers new applications for existing or new transactions. Processing is carried out on the basis of law and contract.
Debt recovery. This purpose covers activities related to debt recovery, including receiving, storing and processing data necessary for debt recovery, providing and entering information about debts and persons, including personal data, into debtor and credit information databases registered in accordance with applicable laws, and storing and transferring to third parties information submitted, transmitted or sent to the company, including personal data and transaction-related information, in order to ensure performance of the transaction and in cases where a person has not properly fulfilled the terms of the transaction. Processing is carried out on the basis of law, contract and legitimate interests.
Communication with clients. We respect every client’s right to give, withdraw or change their choices regarding receipt of information. Where a client has expressed a wish to receive information or provide an opinion about specific products or Services, personal data may be processed in order to provide the requested information. In such cases, the client’s consent is important. Processing is carried out on the basis of legitimate interests and the client’s consent.
Compliance with binding legal requirements. This purpose covers personal data processing required by laws and regulations, for example in accounting, tax and fee matters.
Security of the company’s infrastructure, services, information, employees, clients and visitors, prevention of unlawful or other threats, and support for the detection of criminal offences at sites and adjacent territories, including information systems. This purpose covers measures carried out using physical and logical security tools, including video surveillance, access control and other technical and organisational measures, to protect against physical threats and to provide protection through logical security measures. Processing is carried out on the basis of law, contract and legitimate interests.
Organisational management of the company, including record keeping, process management, service management, information system management, personnel records and public relations. This purpose covers measures related to good governance, ensuring traceability, control and improvement of internal processes. Processing is carried out on the basis of law and legitimate interests.
Accounting, financial and tax management. This purpose covers accounting records, tax payment, settlements and similar activities. Processing is carried out on the basis of law and contract.
Processing of personal data for internal administrative purposes within LAU. This purpose covers the processing of personal data within LAU structural units for internal administrative purposes, for example to prevent conflicts of interest and unlawful transactions. Processing is carried out on the basis of legitimate interests.
In all cases, we process personal data only to the extent permitted by the specific purpose of processing.
In order to protect the interests of natural persons, we continuously develop our security processes and measures. These measures include the protection of personnel, information and technical resources, IT infrastructure, internal and public networks, as well as buildings, territories and other real estate of structural units. Within these measures, we ensure an appropriate level of information protection to prevent unauthorised access to personal data.
The exchange of personal data may be necessary in certain cases where there is a specific purpose. For example, we may need to provide personal data to the following categories of recipients:
Cooperation partners — companies with which LAU has concluded cooperation agreements and has mutual obligations. These may include partners involved in the provision of services, delivery, service quality control, surveys, security and protection, legal assistance, organisational management, financial management, accounting, auditing, event organisation and similar processes.
Institutions and companies involved in debt recovery or credit supervision — including debt recovery companies, credit assessment companies, bailiffs, administrators and other persons involved in debt recovery or credit supervision processes.
Supervisory authorities — for example market supervision authorities, law enforcement authorities and rescue services, in accordance with applicable laws and regulations.
Third parties — for example natural or legal persons, public authorities, agencies or bodies that are not data subjects, controllers or processors.
We also process anonymised data that is not related to a specific natural person and does not make it possible to identify a data subject. Such data may be used for other purposes and transferred to other persons.
We ensure the confidentiality of personal data by applying security measures in accordance with applicable laws and regulations.
We store personal data only for as long as necessary to achieve the purposes set out in this Privacy Policy, unless longer storage is required or permitted by applicable laws and regulations. When determining the retention period, we use criteria provided by applicable laws, for example review of claims, protection of rights, handling of questions, limitation periods and other relevant circumstances. We also take into account the rights of natural persons, for example by determining the storage period during which transaction-related claims may be submitted.
There are no direct restrictions on the retention of anonymised data; however, we also store such data only to the necessary extent and for the necessary period.
Cookies allow us to identify the most visited parts of the website, including which parts of the website visitors use and how long they stay there.
Unless otherwise provided by law, a person has the right at any time to object to further processing of their personal data. However, in such a case, especially if the data is technically necessary, we may not be able to provide the Service to the same extent as before.
More information about cookies is available in our Cookie Policy.
Data subjects have the following rights:
- to access information about the data we hold about them, to the extent that this does not conflict with laws and regulations and does not unjustifiably affect the rights of other persons. Information about oneself may be obtained through any channel provided by us that allows the person to be identified, including by visiting our structural units;
- to request access to their personal data, correction or completion of the data where necessary, deletion of the data, restriction of processing, or to object to processing in cases provided by law, as well as the right to data portability. Please note that correction, deletion, restriction, termination or portability of data may result in partial or complete suspension of services or processes in an irreversible manner. If a person chooses to receive information remotely, for example by post, e-mail or to another addressee, the applicant is responsible for the security of the chosen method of receipt and for the actions of persons acting on the applicant’s behalf;
- to request a copy of the personal data being processed, provided that this does not adversely affect the rights and freedoms of other persons. LAU may charge a reasonable fee based on administrative costs for any additional copies requested by the data subject;
- to withdraw consent at any time in an easy manner. Giving or withdrawing consent is the person’s free choice and does not impose additional mandatory obligations. However, if a person decides to withdraw consent, the data processing related to that consent will no longer be provided and certain possibilities may no longer be available to the same extent. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal;
- to contact us and supervisory authorities regarding data processing matters. If assistance is needed to obtain more information about this Privacy Policy, data processing aspects or applicable data protection laws, we invite you to contact us so that we can carefully review the matter and respond. In any case, a natural person always has the right to submit a complaint to the Data State Inspectorate, the data protection supervisory authority in Latvia.
We review requests from data subjects related to the above rights free of charge. The review of a request may be refused or a reasonable fee may be charged if the request is manifestly unfounded or excessive, or in other cases provided by law. A request may be submitted in person at LAU, by post, by e-mail or through other communication channels, ensuring that the person can be identified as the relevant data subject and that the substance and justification of the request can be verified.
Data subjects are expected to:
- inform us within a reasonable period about changes in the data provided. It is important to us that the information in our possession is true and up to date;
- provide additional information where necessary. In communication and cooperation, we may request additional information in order to make sure that communication or cooperation is taking place with a specific natural person. This is necessary to protect the data of that person and other persons, so that it is clear that the person is the relevant data subject and that information disclosed in the course of communication or cooperation is disclosed only to that person and does not infringe the rights of others. For example, when a person wishes to obtain information about themselves by sending us a request, it is important for us to verify that the request has been signed and submitted by that person. Accordingly, we may request additional identifying information. If the person does not provide additional information or if we have doubts about the identity of the requester, we may postpone the review of the request until we are satisfied that the request has been made by the relevant person;
- read this Privacy Policy before starting cooperation with us and inform every person related to the data subject whose interests may be affected by the processing of that person’s data. This Privacy Policy is an integral part of the services we provide. We expect that the data provided to us does not affect the interests of other persons. Where a person is entitled, under applicable terms, to grant access to or jointly use Services with another person, that person is responsible for informing the other persons about the data processing carried out within the relevant processes and the obligations arising from it. Where data directly relates to another person, for example in the event of a change of data subject, the person must inform us without delay. Until the persons are fully identified, the data is attributed to the relevant natural person as the data subject.
As we continuously improve and develop our operations, we may periodically amend and supplement this Privacy Policy. We therefore invite you to regularly review the current version of the Privacy Policy. It is available through our communication channels, including our website. When we make changes to this Policy, we will inform users by publishing a notice on the LAU website.
If you have any questions or uncertainties regarding this Privacy Policy or the processing of personal data, please contact us using the contact information below or contact our data protection specialist.
VAS “Latvijas autoceļu uzturētājs”
Krustpils iela 4
Riga, LV-1073
Latvia
Information phone: +371 67249238
E-mail: [email protected]
Data protection specialist: [email protected]