1.1. AS Grindeks (hereinafter - the Company) confirms that the highest security requirements are met and that the privacy of data subjects is maximally protected with regard to personal data that comes into the Company's possession. The Company invests resources and ensures that personal data is protected in its daily operations.
1.2. The purpose of this Privacy Policy (hereinafter - the Policy) is to provide information on how the Company processes the personal data of an identifiable natural person - the Data Subject (hereinafter - the Data Subject), which comes to the Company's disposal, in cases where the Data Subjects communicate with the Company using the available communication channels (phone, e-mail, mail), or visiting the Company's website or visiting the Company's premises and territory, as well as public events related to the Company's activities.
1.3. The Policy provides information on how the Company obtains personal data, on data volumes and data processing terms, and on data protection, and informs the Data Subject about his rights and obligations.
1.4. When processing personal data, the Company complies with the laws and regulations in force in the Republic of Latvia, the laws and regulations of the European Union and other applicable laws and regulations in the field of privacy and data processing, incl. Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and the free movement of such data and which repeals Directive 95/46/EC (General Data Protection Regulation) (hereinafter - GDPR).
1.5. This Policy applies to every Data subject whose personal data is processed by the Company and is applicable to data processing regardless of the way in which the data came into the Company's possession. We provide additional information separately regarding issues affecting labor legal relations.
1.6. This Policy has been prepared in an effort to present the issues related to the protection of personal data in our Company in the simplest possible way, but individual definitions are used according to how they are provided in the GDPR:
personal data – any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be directly or indirectly identified, in particular by reference to an identifier such as the said person's name, surname, identification number, location data, online identifier or one or more physical, physiological, genetic, spiritual, economic, cultural or social identity factors;
processing – is any operation or set of operations performed on personal data or sets of personal data, with or without automated means, such as collection, registration, organization, structuring, storage, adaptation or transformation, retrieval, viewing, use, disclosure, sending, distributing or otherwise making them available, matching or combining, limiting, erasing or destroying;
controller – is a natural or legal person, public institution, agency or other body that alone or jointly with others determines the purposes and means of personal data processing;
supervisory authority – is an independent public authority established by a Member State in compliance with the requirements of Article 51 GDPR. In the Republic of Latvia - Data State Inspectorate.
1.7. In the policy, the Company has described the measures it has taken to ensure that the interest and freedoms of the Data Subject are protected, while ensuring that the data is processed in good faith, lawfully and in a transparent manner for the Data Subject.
2.1. The controller of personal data processing is AS Grindeks, unified registration no. 40003034935, legal address: Krustpils iela 53, Riga, LV-1057, telephone +371 67083205, e-mail: grindeks@grindeks.lv.
2.2. For questions or uncertainties related to this Policy or the processing of Personal data, please send an e-mail to: grindeks@grindeks.lv or contact the Company's legal address in person.
3.1. The types of personal data processed by the Company depend on the Company's services used by the Data Subject or the activities performed by the Data Subject himself.
3.2. More often, the processed data is obtained when the Data subject receives, or when expressing a desire to the Company to receive, the services provided by the Company, to purchase the products produced by the Company. In this case, data could be processed:
– Person's name, surname;
– Personal code;
– Contact information;
– Information about the services received (Opinion of the Data Subject), etc.
3.3. If the customer makes a claim about the quality of the product, the Company is obliged to consider such a complaint in accordance with the requirements of the regulatory enactments, which in turn determine the minimum amount of personal data that the complainant must provide in his complaint (e.g. name, surname, contact information), therefore the Company has the legal basis for processing such data and the relevant information is recorded in the Company's documents and stored in the Company's data processing system.
4.1. Data processing based on a contract. When the data subject receives services (participating in training seminars organized by the Company) or purchases products manufactured by the Company (including receiving free product samples), it is considered that a contract has been concluded between the Company and the Data subject.
4.1.1. According to the GDPR, the legal basis for this processing is:
Article 6, paragraph 1, subparagraph b) of the GDPR – processing is necessary for the performance of a contract, the contracting party of which is the Data Subject, or for taking measures at the request of the Data Subject before concluding the contract;
GDPR Article 6, Clause 1, Clause c) - processing is necessary to fulfill a legal obligation attributable to the controller;
Article 6(1)(f) of the GDPR – processing is necessary to comply with the legitimate interests of the controller or a third party, except if the interests of the data subject or the fundamental rights and fundamental freedoms that require the protection of personal data are more important than such interests, in particular if the data subject is a child.
4.1.2. The storage duration of such Data processing is determined in accordance with the purpose of data processing and the requirements of regulatory acts, taking into account the following circumstances:
the data storage period is determined by the laws of the Republic of Latvia or the European Union (e.g. "Archives Law", "Accounting Law", etc.);
Realization and protection of legitimate interests of the company and third parties;
Protection of vital interests, including life and health, of the data subject or other natural person.
4.1.3. In the case of products manufactured by the Company that have a specified lead time, information related to that product is retained throughout that time.
4.1.4. Personal data, if there is no legal basis for their processing, is permanently deleted.
4.1.5. Access rights to these data are limited and may be transferred to third parties without the Data Subject's consent in accordance with the requirements of regulatory acts, incl. according to the cases provided for by the GDPR:
Law enforcement authorities, a court or another institution, if there is a legal basis to request information, where it is specifically indicated, for what purpose and on what legal basis personal data will be used;
to third parties with whom the Company has concluded an agreement (data processors), provided that such an agreement includes data protection requirements, and the contractual partner undertakes data processing of the Data subject at an equivalent level of security;
to third parties based on the legitimate interests of the Company, which are necessary for the improvement of the service and the provision of quality services;
To the data subject, upon his written, clear and unambiguous request, identifying the aforementioned person;
To a court or other supervisory body, based on the Company's legitimate interests, regarding a person who has violated the Company's legitimate interests.
4.2. Data processing within video surveillance. The Company obtains personal data through video surveillance, the purpose of which is the prevention or detection of criminal offenses in connection with ensuring the protection of the legal interests of the Company and third parties in case of abuse and the protection of vital interests, life and health of individuals.
4.2.1. According to the GDPR, the legal basis for this processing is:
Article 6, paragraph 1, subparagraph d) of the GDPR – processing is necessary to protect the vital interests of the data subject or another person;
Article 6(1)(f) GDPR – processing is necessary for the legitimate interests of the controller or a third party, except if the interests or fundamental rights and fundamental freedoms of the data subject, which require the protection of personal data, are more important than such interests, in particular if the data subject is a child.
4.2.2. The data of the Data Subject's natural person enters the Company's video recording system (height features, facial image, physical factors), which can be used to identify a specific natural person and the time when the person was in the Company's territory/premises.
4.2.3. The data can come into the Company's possession when a person enters the filming area of the video cameras, for which the person is previously warned with a warning sign and a notification that video surveillance is being carried out - in the Company's premises and in the area adjacent to it.
4.2.4. If an image from which it is possible to identify the Data Subject is not obtained during video surveillance (for example, low resolution), then the provisions of this Policy relating to the protection of data of natural persons are not applicable.
4.2.5. Video surveillance is not carried out in places where Data Subjects expect increased privacy (rest areas, dressing rooms, etc.). Video surveillance camera recording areas are basically focused on corridors, entrance/exit areas, building and territory perimeter and other high-risk areas.
4.2.6. Video recordings are stored for 30 (thirty) days, unless the respective video recording contains possible illegal behavior or information that may help the Company or third parties to protect their legal interests. In this case, the relevant video recording will be saved until the realization of the legal interest.
4.2.7. Video surveillance recording data can be classified as restricted access information and access to personal data contained in video recordings is limited to the Company's management or a designated employee, who will make a decision on whether to accept access requests from the data subject and third parties in accordance with the procedures set forth in the Company's Video Surveillance Regulations.
4.2.8. The recipients of the data obtained during video surveillance can be authorized employees of the Company, invited personal data processors, employees of law enforcement authorities, other legal subjects, if their access rights are provided for in regulatory acts.
4.3. Processing of data obtained during events organized by the company. In order to reflect the course of events organized by the company in the media and on the Internet - the company's website uses personal data - videos and photos with the aim of popularizing and promoting the recognition of the Grindeks brand, among industry specialists, as well as to the wider public. Personal data obtained during events organized by the company and its cooperation partners may be placed on the company's website, in informational materials, as well as published in the press.
4.3.1. According to the GDPR, the legal basis for this processing is:
Article 6(1)(f) of the GDPR – processing is necessary to meet the legitimate interests of the controller or a third party, except if the interests of the data subject or the fundamental rights and freedoms that require the protection of personal data are more important than such interests, in particular if the data subject is a child. The company has a legitimate interest in reflecting the events it organizes, or events in which it participates as a participant, in order to promote and ensure the recognition of the Grindeks brand.
4.3.2. The company has a legitimate interest in attracting public attention for the development of successful commercial activities and being a recognizable brand among pharmaceutical companies operating in the drug market.
4.3.3. High ethical standards are observed in the publication of any information containing personal data, in an effort to ensure that the data is used in such a way that the rights and freedoms of the Data Subject are not violated.
4.3.4. In the event that the Data Subject has claims against the processing of his personal data based on facts and circumstances of which the Company is not aware, he has every opportunity to contact the Company and object to the processing of the relevant data.
4.3.5. The Company intends to keep the data of this category permanently, as part of the archive, which is a testimony of the relevant period of time and serves as historical information for future generations, how the Company has developed over time and how the range of services provided and manufactured products has increased.
4.3.6. Recipients of the publicized information of the company's event may be third parties, therefore they may be available to an unlimited number of interested parties in the future.
4.3.7. The data mentioned in this section can be accessed by any interested party who visits the Company's website, or if the publication is published in the press, then by any reader.
4.4. Personal data obtained as a result of incoming and outgoing communication. As part of the company's commercial activity, there is constant communication with various natural and legal persons, which also contains information about personal data. In cases where the Data Subject has submitted a complaint or request, the Company is obliged to provide an answer in accordance with the procedure specified in the regulatory acts, therefore, it creates conditions when the Data Subject's personal data is also processed at the same time, such processing is based on the fulfillment of the Company's legal obligation.
4.4.1. According to the GDPR, the legal basis for this processing is:
GDPR Article 6, Clause 1, Clause c) - processing is necessary to fulfill a legal obligation attributable to the controller;
Article 6(1)(f) GDPR – processing is necessary for the legitimate interests of the controller or a third party, except if the interests or fundamental rights and fundamental freedoms of the data subject, which require the protection of personal data, are more important than such interests, in particular if the data subject is a child.
4.4.2. The Company stores the relevant information for no longer than two years, unless the relevant information is necessary to ensure the protection of the Company's legitimate interests for a longer period of time, for example in the case of legal proceedings, or in situations where the Company's actions are evaluated by another state supervisory institution. In this case, the personal data of the Data Subject may be stored until the realization of the legitimate interest is completed.
4.4.3. The recipients of this personal data can be authorized employees of the Company, engaged personal data processors, law enforcement and supervisory authorities, other legal subjects in accordance with the procedures specified in regulatory acts.
5.1. The data subject has the right to receive the information specified in the regulatory acts in connection with the processing of his data or the restriction of processing in relation to the data subject himself, or the right to object to the processing (including the processing of personal data carried out on the basis of the legitimate interests of the Company). These rights are enforceable to the extent that data processing does not result from the Company's obligations, which are imposed on it by the current regulatory enactments, and which are carried out in the public interest. The data subject has the right to:
5.1.1. request access to his personal data from the Company;
5.1.2. to receive information about what personal data the Company has about him and what is the purpose of processing this data;
5.1.3. what are the categories of recipients of personal data, i.e. persons to whom the data has been disclosed;
5.1.4. information about the period of time for which personal data is stored, or the criteria used to determine said period of time.
5.2. If the Data Subject believes that the information held by the Company is outdated, inaccurate or incorrect, the Data Subject has the right to request correction of his/her personal data.
5.3. The data subject can submit a request for the exercise of his rights in writing:
5.3.1. in person, presenting an identity document (because the Data Subject is obliged to identify himself);
5.3.2. by sending the letter electronically via e-mail and signing with a secure electronic signature. In this case, it is assumed that the Data Subject has identified himself by sending such a request signed with a secure electronic signature;
5.3.3. by registered mail. The response to such a request will be addressed to a specific Data Subject by registered mail, thus ensuring that the letter is received by the relevant Data Subject who is identified upon receipt of the shipment. In case of doubt or suspicion, the Company has the right to request additional information from the Data Subject that would allow it to be clearly identified (with the aim of preventing the data from reaching third parties).
5.4. The company will send the response to the Data subject in the form of registered mail to the contact address indicated by him in a registered letter. If the Data Subject has indicated in the request that he wishes to receive the answer in electronic form, the answer will be provided electronically to the e-mail address indicated in the request.
5.5. When processing the Data subject's request for the exercise of his rights, the Company verifies the identity of the Data subject, evaluates the request and fulfills it in accordance with the regulatory enactments.
5.6. The Company examines submissions of data subjects in connection with the aforementioned rights free of charge. Consideration of the application may be refused, or a reasonable fee based on administrative costs may be applied for it, if the application is obviously unfounded or excessive, as well as in other cases provided for by regulatory acts.
5.7. The data subject can give consent to the processing of personal data, the legal basis of which is the data subject's consent, if necessary, in accordance with GDPR requirements, in person at the Company's legal address. In all other cases, when the Company realizes its legal rights by ensuring the requirements set forth in external regulatory acts, consent to the processing of personal data is not required from the Data Subject.
5.8. The data subject has the right at any time to withdraw the consent given for data processing in the same way as it was given, that is, in person at the Company's legal address, and in that case further data processing based on the previously given consent for the specific purpose will not be carried out in the future.
5.9. Withdrawal of consent does not affect data processing carried out at the time when the consent of the Data Subject was valid (withdrawal of consent does not have retroactive effect). Withdrawal of consent cannot stop data processing carried out on the basis of other legal grounds.
5.10. The data subject has the right to request the deletion of his personal data or object to its processing if he considers that the personal data has been processed unlawfully, or if it is no longer necessary in connection with the purposes for which it was collected and/or processed (implementing the GDPR "be forgotten" processing principle).
5.11. The personal data of the data subject cannot be deleted if the processing of personal data is necessary for the following purposes:
5.11.1. for the Company or a third party to build, exercise or defend its legitimate interests;
5.11.2. to protect Company property;
5.11.3. for the Company to protect the vital interests of the Data Subject or other natural person, including life and health;
5.11.4. for the creation of an archive in accordance with the laws and regulations in force in the Republic of Latvia, which regulate the creation of archives.
5.12. The Data Subject has the right to request that the Company restrict the processing of the Data Subject's personal data if at least one of the following circumstances exists:
5.12.1. the data subject disputes the accuracy of the personal data - for the period during which the controller can check the accuracy of the personal data;
5.12.2. the processing is unlawful and the data subject objects to the deletion of the personal data and instead requests the restriction of the use of the data;
5.12.3. the controller no longer needs the personal data for processing, but it is necessary for the data subject to bring, exercise or defend legal claims;
5.12.4. the data subject has objected to the processing in accordance with the GDPR until it has been verified that the legitimate reasons of the controller do not outweigh the legitimate reasons of the data subject.
5.13. If the processing of personal data of the Data Subject is limited in accordance with point 5.12 of the Policy, such personal data is processed (does not apply to storage) only with the Data Subject's consent or for the purpose of defending legal claims or to protect the rights or important interests of another natural or legal person.
5.14. The Company informs the data subject before lifting the restriction on the processing of the personal data of the data subject.
6.1. The Company constantly provides and improves data protection measures to protect the Data Subjects' personal data from unauthorized access, accidental loss, disclosure or destruction. The Company has taken into account the specific risks posed by data processing, in particular the accidental or unlawful destruction, loss, modification, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed.
6.2. The company uses appropriate technical and organizational requirements, incl. firewalls, intrusion prevention, analysis and data encryption software.
6.3. The company carefully examines all cooperation partners who, with the Company's authorization, process personal data on its behalf, and also evaluates whether the cooperation partners (personal data processors) are able to provide appropriate security measures so that the processing of personal data takes place in accordance with the Company's authorization and the requirements of binding regulatory acts.
6.4. The Company takes measures to ensure that any person working under the Company and having access to personal data does not process it without the Company's instructions, except when the said person is required to do so in accordance with the requirements of regulatory acts.
6.5. The company ensures compliance with data processing and protection requirements in accordance with regulatory enactments. In the event that a violation of Personal Data Protection has occurred and this could pose a high risk to the rights and freedoms of the Data Subject, as well as there are no exceptions specified in Article 34, Clause 3 of GDPR, the Company shall notify the Data Subject of the violation of Personal Data Protection without undue delay.
6.6. In case of claims by the data subject, the Company will take all necessary steps to resolve the claim through mutual negotiations, but if this fails, the data subject always has the right to appeal to the supervisory authority - the Data State Inspectorate.
7.1. Company websites may use cookie technology for the following purposes:
7.1.1. improve the experience of using websites, ensure their operation and functionality;
7.1.2. provide the Data Subject with the opportunity to freely visit and browse websites, using all the options they offer, including obtaining information about the services offered by the Company;
7.1.3. determine the most visited sections of websites by obtaining statistical data on websites and the number of visitors to its sections, time spent, etc., using Google Analytics;
7.1.4. display advertising information tailored to the needs of the website visitor;
7.2. Cookies only identify the Data Subject's device, but do not reveal the Data Subject's identity in any form.
7.3. The Company's website may contain links to the websites of other service providers (third parties), which have their own terms of use and personal data protection, for which the Company is not responsible.
7.4. The data subject has the right to refuse further processing of his data at any time, except if there is no other legal basis for the processing of the data or the regulatory acts do not provide otherwise.
8.1. The Company communicates with the Data Subject using the contact information provided by the Data Subject (phone number, e-mail address or postal address).
8.2. The Company communicates about the fulfillment of contractual obligations on the basis of the concluded contract and in accordance with the contact information specified in the contract.
8.3. In other cases, the Company communicates with the Data Subject based on the request submitted by the Data Subject, observing the preferred form of communication indicated by the Data Subject and/or the requirements of regulatory acts.
9.1. The company has the right to amend the Policy.
9.2. If this Policy is updated, the changes will take effect on the date specified in the updated Policy.
9.3. To ensure transparent and fair data processing, the latest version of the Policy is always published on the website.
9.4. The data subject is obliged to get acquainted with this Policy, as well as to introduce it to every person who is related to this data subject and whose interests may thus be affected by the data processing processes of this person. The company expects that all personal data that is submitted does not harm the interests of others.
9.5. If this Policy has been translated into other languages, the Latvian text is decisive in case of contradictions.
9.6. This Policy applies from 2019.