Privacy Policy

 

1. The purpose of Rīgas karte Ltd Privacy Policy is to provide information to a natural person - data subject - regarding personal data processing purpose, amount, protection and terms during the data subject's personal data acquisition and processing, both as a data controller and data processor.
2. The Privacy Policy is applicable to data processing disregarding the form and/or media in which a Client of Rīgas karte Ltd provides his personal data on websites https://rigaskarte.lv; https://skolas.rigaskarte.lv/, https://www.rigacard.lv/, http://labklajiba.rigaskarte.lv/ and mobile application “Riga Card”, in a hard copy or electronically, and Rīgas karte Ltd systems where such data are processed.
3. As regards specific data processing types (e.g., cookies processing, etc.), media, purposes, additional specific terms may be set and the Client is notified thereof at the moment of providing the respective data to Rīgas karte Ltd.
4. Rīgas karte Ltd Privacy Policy is elaborated in line with requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and other applicable legislation in the privacy and data processing area.
5. The following definitions are used in Rīgas karte Ltd Privacy Policy:
5.1. The Company (both as a data controller and data processor) - Rīgas karte Ltd, unified registration No. 40003979933, legal address: Vīlandes iela 6-3, Rīga, LV-1010.
5.2. 'Data Subject' - an identifiable natural person that can be identified directly or indirectly, especially referring to an identifier (e.g., first name and last name, ID number, location data, and online identifier of the referred individual or one or several physical, physiological, genetic, mental, economic, culture or social identity factors characteristic to the referred natural person).
5.3. 'Processing'- means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
5.4. 'Processor means the natural or legal person, public authority, agency or other body which, processes personal data on behalf of the controller;
5.5. ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
5.6. 'Data Subject's Consent'- is any freely given, conscious and unambiguous indication to the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
5.7. ‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
5.8. 'Privacy Policy' - the privacy policy of Rīgas karte Ltd, the present policy;
5.9. General Data Protection Regulation – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
5.10. 'Client' – a natural person who is expressing willingness to purchase, is purchasing or might purchase, use or might use the goods and/or services provided by the Company, user of websites or mobile applications, user of a paid parking space or a person who has entered or is going to enter into an agreement with the Company on receiving the services and/or buying/selling the goods.
5.11. 'Controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
6. The Client's personal data are restricted access information and are processed according to the personal data processing purposes set by the Company, legal grounds and internal regulations.
7. The Company Privacy Policy is applicable to the Clients' personal data processing performed by the Company, and the following personal data are processed in relation thereof on the following legal grounds:
7.1. On website https://rigaskarte.lv - legal basis – data subject's consent, personal data to be processed: e-mail address;
7.2. On website skolas.rigaskarte.lv- legal basis – data subject's consent, personal data to be processed: guardian's given name and surname, personal identity number, ID document data, student's e-card number, payment details;
7.3. On website://www.rigacard.lv/lv - legal basis – data subject's consent, personal data to be processed: e-mail address;
7.4. On mobile application rigacard.lv- legal basis – data subject's consent, personal data to be processed: user's phone number; user's e-mail address, vehicle registration number;
7.5. Video surveillance ATM - legal basis - legitimate interest, personal data to be processed: data subject's video image.

II CONTROLLER AND HIS CONTACT INFORMATION
8. The Personal Data Controller is Rīgas karte Ltd, reg. No. 40003979933, legal address: Vīlandes iela 6-3, Rīga, Latvia, LV-1010.
9. In cases when the Company is the data processor, upon exercising the Data Subject's rights the Company provides the Personal Data Processing Controller contact information to the Data Subject.
10. The Personal Data Processing Controller contact information for issues related to the Personal Data processing is: (+371) 67 32 63 00, This email address is being protected from spambots. You need JavaScript enabled to view it.. Using this information or addressing at the legal address of the Company, questions regarding personal data processing can be asked. A request for exercising one's rights can be submitted according to Section VI of the present Policy.
11. The Data Protection Specialist's contact information is phone: (+371) 67 32 63 00, e-mail: This email address is being protected from spambots. You need JavaScript enabled to view it..

III PRIVACY POLICY APPLICATION SCOPE
12. The Company can receive a person's identification information from Clients in different ways, including when the Company Client is visiting the Company websites, is using mobile application, registering in a website or in relation to other activities, services or resources available at the website. Clients are using the Company website anonymously, however, in certain cases, e.g., sending an e-mail to the Company through the website, the Client might be asked to indicate his/her e-mail address. The Company will only get personal identification information from Clients if the Client himself has freely expressed consent to provide such information. The Clients can always reject providing personal identification information, however in such cases it might be declined performing certain activities on the website.
13. At the moment of initiating interaction with the Company website the Company can also receive personal non-identifying information about the Client as a user.
14. Personal non-identifying information can be the browser name, computer type and technical information regarding the connection type with the Company website.
15. In case of blocking smartcards the Client's personal data (card number, full name) can be processed by phone.
16 The Company does not disclose to any third parties the Client's personal data or any information on service provision and information obtained during the agreement validity period, except:
16.1. Such data must be provided to the third party within the framework of a concluded agreement, to perform an activity required for implementation of the agreement (e.g., to a bank for payment settlement purposes or in order to provide a service);
16.2. According to Data Subject Consent of the Client;
16.3. According to the set legal grounds;
16.4. To the persons stipulated in normative acts and regulations on justified request thereof according to the procedure and in the amount stipulated in the normative acts and regulations;
16.5. In cases stipulated in normative acts and regulations for the purpose of the protection of the Company legal interests, e.g., by appealing to a court or other state institutions against a person who has infringed the Company legal interests.

IV PERSONAL DATA PROCESSING PURPOSES AND LEGAL BASIS
17. The Company processes the Client's personal data for the following purposes:
17.1. Providing services and selling goods, i.e., for client identification, ensuring and/or maintaining service functioning, service improving, new service development, promoting use of new services, reviewing and processing objections, payment administration, maintaining and improving operation of websites and mobile applications;
17.2. Business planning and analytics i.e., for statistics and business analysis, planning and record keeping, drawing up reports, in the framework of risk management activities.
18. The Company process the Client's data on the basis of the following legal grounds, but not limited to:
18.1. According to the Company Client - Data Subject's Consent;
18.2. In the legitimate interests - in order to exercise the Company's legitimate interests arising from the liabilities existing between the Company and Client or from an agreement or a law;
18.3. Legal obligation.
19. The legitimate interests of the Company are the following:
19.1. To perform commercial activity;
19.2. To provide smartcard maintenance services;
19.3. To provide e-wallet services;
19.4. To ensure maintenance and servicing of a paid parking system;
19.5. To keep Clients' applications and submissions regarding service provision, other applications and submissions, notes on them, incl., made in written and/or electronic form.
19.6. To analyze usage of the Company websites and mobile applications, develop and introduce improvements;
19.7. To ensure the Company administration, financial and business accounting and analytics;
19.8. To ensure functioning of a unique electronic access system;
19.9. To ensure normal everyday operation of the Company according to the requirements of laws and regulations, Company values and operation strategy.
20. The Company processes the Client data in accordance to up-to-date technology, taking into account the existing privacy risks and reasonably available organizational, financial and technical resources of the Company.

V PERSONAL DATA STORAGE PERIOD
21. The Client's data are stored according to the storage periods determined by the Company according to internal and external normative acts and regulations.
22. The Client data storage period is determined according to the periods stipulated in the normative acts and regulations for the purpose of ensuring the legitimate interests of the Company or performing agreements. For example, movement data or service usage data of the personalized smartcard on registrations made over the last six months are stored in the personal data processing system.
23. The Client's data are stored until the Client or the Company can exercise their legitimate interests (e.g., appeal to a court).
24. After expiry of the Client data storage period stipulated in the normative acts and regulations or expiration of the legitimate interests the Client's data shall be deleted.

VI ACCESS TO PERSONAL DATA AND OTHER CLIENT'S RIGHTS
25. The Client is entitled to submit personal data proceeding request under general procedure, asking to provide an explanation, which personal data of Data Subject are processed and which personal data shall be restricted. Such a request is satisfied if it is legally grounded and technically possible. Other data receivers will also be notified regarding the data restriction requirements.
26. The Client is entitled to receive information regarding his/her personal data processing, as well as requesting the Company to add, amend, delete or restrict processing of such data related to the Client, or object such processing or data transfer rights. Such rights can be exercised as long as the data processing does not arise from the Company's duties under the enforced normative acts and regulations and performed in the interests of the Company.
27. The Client has a right to submit a request regarding exercising of his/her rights to the Company:
• In writing, by addressing a letter to the legal address of the Company: Vīlandes str. 6-3, Riga, Latvia;
• By e-mail, sending an official written application that is signed using a safe electronic signature, to the Company's e-mail address This email address is being protected from spambots. You need JavaScript enabled to view it.;
28. Upon receiving the Client's request of exercising his or her rights, the Company verifies the Client's identity, assessed the request and satisfies it according to the enforced normative acts and regulations, as far as it is technically possible. The Company replies to the Customer by sending a letter to the contact address indicated by the Client, taking into regard the form of receiving a reply indicated by the Client.
29. The Client is entitled to withdraw his consent to data processing and request the right 'to be forgotten'. The consent withdrawal does not affect the data processing performed when the Client's consent was valid. Referring to the consent, the data processing performed on the basis of other legal grounds will not be suspended.
30. A reply containing personal data or reply regarding exercising his or her own rights shall only be given to the Client is he or she has submitted a written application and has been identified in one of the following ways:
30.1. In case of Client identification, the Client arrives at the Company legal address: Vīlandes str. 6-3, Riga, Latvia, and informs an employee of the Company that he/she wants to receive his personal data and has arrived for identification in presence.
30.2. The Client presents an identity document to the Company employee.
31. If the Client has any complaints or questions regarding the Client Privacy Policy or the Client has discovered a potential Personal data protection breach, then the Client contacts the Company by the communication channels indicated in the Data Controller contact information provided in Section I of this Privacy Policy.
32. The Company ensures implementation of the data processing and protection requirements in line with the normative acts and regulations, and in case of Client's objections takes useful measures to solve such objections. In case of failure to achieve that the Client is entitled to address a supervising body - Data State Inspectorate.

 

VII COOKIES POLICY AND OTHER TERMS
33. The Company websites may use cookies. The Cookies Policy is enclosed to this Privacy Policy.
34. The Company is entitled to making additions to this Privacy Policy by making the updated version thereof available to the Client by posting on the Company website https://rigaskarte.lv.