1. General rules.
1.1. JSC “Grindeks” (hereinafter – Company) certifies that the highest security requirements are followed regarding personal data that come into the Company’s possession and that the privacy of data subjects is subject to maximum protection. The Company invests resources and takes care of personal data in its day-to-day operations.
1.3. The Policy provides information on how the Company obtains personal data, on data volumes and processing times, and on data protection, and informs the Data Subject about his/her rights and obligations.
1.4. When processing personal data, the Company complies with the laws and regulations in force in the Republic of Latvia, European Union legislation and other applicable laws and regulations within the area of privacy and data processing, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter GDPR).
1.5. This Policy applies to any Data Subject whose personal data is processed by the Company and is subject to data processing irrespective of the way Data have been made available to the Company. Regarding issues concerning employment relationships, we provide additional information separately.
1.6. This Policy is designed to make it as easy as possible to present the issues related to the protection of personal data in our Company, however some definitions are used in accordance with how they are provided in the GDPR:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51 of GDPR. In the Republic of Latvia – Data State Inspectorate.
1.7. In the Policy, the Company has described the measures taken to ensure that the data subject’s interests and freedoms are protected, while ensuring that the data is processed in a manner that is fair, lawful and transparent for the Data Subject.
2. Controller and contact information
2.1. The controller of the processing of personal data is JSC “Grindeks”, unified registration no. 40003034935, registered address: Krustpils Street 53, Riga, LV-1057, telephone +371 67083205, e-mail: firstname.lastname@example.org.
2.2. For questions or uncertainties regarding this Policy or the processing of personal data, please send an email to: email@example.com or contact the Company in person at its legal address.
3. Types of personal data
3.1. The types of personal data processed by the Company depend on the Company’s services used by the data subject or the activities of the data subject itself.
3.2. More frequently processed data are obtained upon data subject acquiring or expressing a wish to receive the services provided by the Company or to purchase Company’s products. In this case, the data could be processed:
3.3. If the client submits a complaint about the quality of the product, the Company is obliged to consider such a complaint in accordance with the requirements of laws, which in turn determine the minimum amount of personal data that the complainant has to indicate in his / her complaint (e.g. name, surname, contact information). The Company thus has the legal basis for processing such data, and the relevant information is recorded in the Company’s documents and stored in the Company’s data processing system.
4. Types of data processing, legal bases, storage periods and access rights
4.1. Contract-based data processing. Upon data subject receiving services (by participating in training seminars organized by the Company) or purchasing the products produced by the Company (including receiving free samples of products), it is considered that a contract has been concluded between the Company and the data subject.
4.1.1. According to GDPR, the legal basis for this processing is:
4.1.2. The term of such data processing storage is determined in accordance with the purpose of the data processing and regulatory requirements, taking into account the following conditions:
4.1.3. With regard to the products manufactured by the Company with a defined sales time, the information related to such production is retained all this time.
4.1.4. Personal data, if there is no legal basis for their processing, are permanently deleted.
4.1.5. Access rights to these data are limited and they may be transferred to third parties without the consent of the data subject in accordance with the requirements of laws, incl. according to cases provided by GDPR:
4.2. Data processing within video surveillance. The Company acquires personal data through video surveillance, the purpose of which is to prevent or detect criminal offenses in connection with the protection of the Company’s and third parties’ legal interests in case of harassment and protection of vital interests, life and health of persons.
4.2.1. According to GDPR, the legal basis for this processing is:
4.2.2. The Company’s video recording system captures personal data of the data subject (height features, facial image, physical factors) by which it is possible to identify a specific natural person and the time when the person was in the Company’s territory / premises.
4.2.3. The data may come into the Company’s possession from the moment the person enters the video camera’s filming area, about which the person is warned in advance by a warning sign and notice that video surveillance is being performed at the Company’s premises and adjacent area.
4.2.4. If no video from which it is possible to identify the data subject (e.g., low resolution) is captured during video surveillance, then the provisions of this Policy relating to the protection of personal data of natural persons are not applicable.
4.2.5. Video surveillance is not performed in areas where data subjects expect increased privacy (in rest areas, changing rooms, etc.). Video surveillance recording is focused on corridors, entrance / exit areas, the perimeter of buildings and territory and other high-risk areas.
4.2.6. Video recordings are stored for 30 (thirty) days unless the video footage reflects wrongful conduct or information that may help the Company or third parties protect their legal interests. In this case, the relevant video record will be kept until the legal interest is realized.
4.2.7. Video surveillance record data shall be classified as restricted access information and access to personal data contained in video records is limited to the Company’s management or designated employee who will decide whether to accept access requests from the data subject and third parties in accordance with the Company’s Video Surveillance Rules.
4.2.8. Recipients of video surveillance data may be authorized employees of the Company, external data controllers, law enforcement officers, other rightholders if their access rights are provided for in legislation.
4.3. Processing of data obtained from events organized by the Company. To present events organized by the Company in the media and on the Internet, personal data (video and photo images) are used on the Company’s website with the purpose of popularizing and promoting the brand “Grindeks” among the specialists of the industry, as well as to the wider public. Personal data obtained during events organized by the Company and its cooperation partners may be placed on the Company’s website, in information materials, as well as in the press.
4.3.1. According to GDPR, the legal basis for this processing is:
4.3.2. The Company has a legitimate interest in attracting public attention to successful business development and being a recognizable brand among pharmaceutical companies operating in the pharmaceutical market.
4.3.3. The publication of any information containing personal data respects high ethical standards, seeking to ensure that the use of the data takes place in a manner that does not violate the data subject’s rights and freedoms.
4.3.4. In the event that the Data Subject has a complaint against the processing of his / her personal data on the basis of facts and circumstances not known to the Company, he / she has every opportunity to contact the Company and object to the processing of the relevant data.
4.3.5. Company plans to keep this category of data permanently as part of the archive, which is a testimony to the relevant period and serves as historical information for future generations on how the Company has evolved over time and how the range of services and products manufactured has increased.
4.3.6. The recipients of the information published by the Company at the events may be third parties, so it may be available to an unlimited number of interested persons in the future.
4.3.7. The data in this section may be accessed by anyone interested in visiting the Company’s website or, if published in the press, by any reader.
4.4. Personal data obtained from incoming and outgoing communications. Within the framework of the Company’s business activities, there is constant communication with various natural persons and legal entities, which also contains personal data. Where the data subject has filed a complaint or request, the Company is obliged to provide a response in accordance with the procedures specified in laws. In doing so, the data subject’s personal data are also processed; such processing is based on fulfilment of the Company’s legal obligation.
4.4.1. According to GDPR, the legal basis for this processing is:
4.4.2. Company shall keep the relevant information for no longer than two years unless the relevant information is necessary to ensure the protection of the Company’s legitimate interests over a longer period of time, such as in legal proceedings or in situations where the conduct of the Company is assessed by another national supervisory authority. In this case, the data subject’s personal data may be stored until the completion of the legitimate interest.
4.4.3. Recipients of such personal data may be authorized employees of the Company, personal data controllers, law enforcement and monitoring authorities, other rightholders in accordance with the procedures specified in legislation.
5. Rights and obligations of the data subject
5.1. The data subject has the right to receive the information specified in legislation regarding the processing of his/her data or the restriction of processing regarding the data subject himself, or the right to object to the processing (including to the processing of personal data based on the legitimate interests of the Company). This right shall be exercised insofar as the processing does not derive from the Company’s obligations under the applicable laws and regulations and which are made in the public interest. The data subject has the right:
5.1.1. to request the Company to provide access to his/her personal data;
5.1.2. to receive information about what personal data Company has at its disposal and the purpose of the processing of such data;
5.1.3. to receive information on the categories of recipients of the personal data, i.e. the persons to whom the data have been disclosed;
5.1.4. to receive information on the period for which the personal data are stored or the criteria used to determine that period.
5.2. If the Data Subject considers that the information in the Company’s possession is obsolete, inaccurate or incorrect, the data subject shall have the right to request the rectification of his / her personal data.
5.3. The data subject may submit a request for the exercise of his/her rights in writing:
5.3.1. in person upon presenting an identity document (because the data subject is obliged to identify himself);
5.3.2. by sending a letter electronically via email and signing with a secure electronic signature. In this case, it is assumed that the data subject has identified himself / herself by sending such a request signed with a secure electronic signature.
5.3.3. by registered mail. The response to such a request will be addressed to a specific data subject using a registered item, thus ensuring that the letter is received by the relevant data subject identified at the receipt of the mail. In case of doubt or suspicion, the Company has the right to request further information from the data subject, which would allow unmistakable identification (with the purpose of not disclosing the data to third parties).
5.4. Company will send a reply to the data subject by registered mail to the contact address indicated by him/her in a registered letter. If the data subject has indicated in the request that he/she wishes to receive the reply in electronic form, the reply will be provided electronically to the e-mail address indicated in the request.
5.5. When processing the data subject’s request for the exercise of their rights, the Company verifies the identity of the data subject, assesses the request and executes it in accordance with legislation.
5.6. The Company shall process free of charge the applications submitted by data subjects in relation to the above rights. The examination of the application may be rejected or a reasonable fee may be applied based on administrative costs if it has been presented in a manifestly unfounded or excessive manner, as well as in other cases provided by the law.
5.7. The data subject may give consent, at the Company’s registered office, to processing of personal data, if any, whose legal basis under the provisions of GDPR is the consent of the data subject. In all other cases, when the Company exercises its legal rights to ensure compliance with external laws, the data subject’s consent to the processing of personal data is not required.
5.8. The data subject shall have the right at any time to revoke the consent given to the processing of data in the same way as it was given, that is, in person at the Company’s registered office, in which case further processing of data based on the prior consent given for the particular purpose will no longer be performed.
5.9. The withdrawal of consent shall not affect the processing of data at the time when the data subject’s consent was valid (the withdrawal of consent is not retroactive). Withdrawal of consent may not result in interruption of data processing carried out on the ground of other legal bases.
5.10. The data subject shall have the right to request the deletion of his/her personal data or to object to their processing, if he/she considers that the personal data have been processed illegally or if they are no longer necessary for the purposes for which they were collected and / or processed (exercising data processing principle under GDPR ‘to be forgotten’).
5.11. Personal data of the data subject cannot be deleted if the processing of personal data is necessary for the following purposes:
5.11.1. in order for the Company or a third party to establish, exercise or defend its legitimate interests;
5.11.2. to protect the Company’s property;
5.11.3. to protect the vital interests of the data subject or other natural person, including life and health;
5.11.4. to create the archive in accordance with the laws and regulations of the Republic of Latvia regulating the establishment of archives.
5.12. The data subject shall have the right to require the Company to restrict the processing of the data subject’s personal data if there is at least one of the following circumstances present:
5.12.1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
5.12.2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
5.12.3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
5.12.4. the data subject has objected to processing pursuant to GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
5.13. If the processing of the data subject’s personal data is restricted in accordance with Article 5.12 of this Policy, such personal data shall be processed (not applicable to storage) only with the consent of the data subject or in order to protect legitimate claims or to protect the rights or important interests of another natural or legal person.
5.14. The Company shall inform the data subject prior to the lifting of the restriction of the data subject’s personal data processing.
6. Protection of personal data
6.1. Company continuously provides and enhances data protection measures to protect the data subjects’ personal data from unauthorized access, accidental loss, disclosure or destruction. The Company has taken into account the specific risks of data processing, in particular the destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed.
6.2. Company uses appropriate technical and organizational measures, including firewalls, intrusion recovery, analysis and data encryption software.
6.3. Company thoroughly inspects all cooperation partners who, with the authorization of the Company, process the data of natural persons on its behalf, and evaluates whether the cooperation partners (personal data controllers) are able to provide adequate security measures for the processing of the data of natural persons in accordance with the Company’s authorization and binding legislation.
6.4. Company takes measures to ensure that any person acting under the authority of the Company who has access to personal data does not process them without the instructions of the Company, unless such person is required to do so by law.
6.5. Company ensures compliance with data processing and protection requirements in accordance with laws. In the event of a personal data protection violation that could pose a high risk to the data subject’s rights and freedoms, and in the absence of exceptions under Article 34 (3) of GDPR, the Company shall, without undue delay, notify the data subject of a personal data breach.
6.6. In the event of data subject’s claim, the Company will take all necessary steps to resolve the claim by mutual negotiation, but in case of failure, the data subject will always have the right to address the supervisory authority – the Data State Inspectorate.
7.1.1. to improve site’s experience, operation and functionality;
7.1.2. to enable the data subject to visit and browse the website freely, using all the opportunities it offers, including information about the services offered by the Company;
7.1.3. to identify the most visited sections of a website by obtaining statistics about the website and the number of visitors to their sections, time spent, etc.;
7.1.4. to display customized advertising information for a website visitor.
7.2. Cookies identify only the data subject’s equipment but do not disclose the identity of the Data Subject in any form.
7.3. The Company’s website may contain links to websites of other service providers (third parties) that have their own usage and personal data protection rules for which the Company is not responsible.
7.4. The data subject shall have the right at any time to refuse further processing of his/her data, unless there is other legal basis for processing the data or it is otherwise provided by law.
8. Communication with the data subject
8.1. Company communicates with the data subject using the contact details (telephone number, e-mail address or postal address) provided by the data subjects.
8.2. Company performs communication regarding contractual obligations on the basis of the entered contract and pursuant to the contact information specified in the contract.
8.3. In other cases, the Company communicates with the data subject on the basis of a request submitted by the data subject, following the type of communication specified by the data subject and / or regulatory requirements.
9. Final provisions
9.1. Company has the right to amend the Policy.
9.2. If this Policy is updated, the amendments will take effect on the date specified in the updated Policy.
9.3. To ensure transparent and honest data processing, the latest version of the Policy is always posted on the website.
9.4. The data subject is obliged to acquaint himself / herself with this Policy, as well as to acquaint with it any person associated with this data subject and whose interests may thus be affected by the data processing processes of that person. The Company expects that any personal data submitted will not interfere with the interests of other persons.
9.5. If this Policy is translated into other languages, the Latvian text shall prevail in case of inconsistency.
9.6. This Policy is applicable from 2019.