The purpose of the Personal Data Protection Policy of JSC “Cēsu alus” (hereinafter also – “the Policy”) is to ensure the right of a natural person (Data Subject) to the secure and appropriate processing of personal data when obtaining and processing the data of this person, to provide this natural person with information on the purpose, scope, protection of the processing of personal data as well as the rights of a natural person and the time limit for the processing of data.
1. The Controller and its contact details
Personal Data Controller
JSC “CĒSU ALUS” (hereinafter – “CĒSU ALUS”)
Registration No. 40003030721
Legal address: Aldaru laukums 1, Cēsis, Cēsu novads, LV-4101
2. How can your data get into CĒSU ALUS and how does this Policy apply to them?
2.1. For the purposes of this Policy, as in Regulation 2016/679 of the European Parliament and of the Council (hereinafter – “the Regulation”), the term “personal data” means any information relating to an identified or identifiable natural person (“the data subject”).
2.2. The policy applies to ensuring the protection of privacy and personal data with respect to:
2.2.1. natural persons – employees, consumers, participants in shares and lotteries (including potential, former and current), as well as third parties who, in relation to the sale of goods or the provision of services to a natural person (employee, consumer, participant in shares and lotteries), receive or transfer to CĒSU ALUS any information about a natural person (personal data subject);
2.2.2. natural persons – service providers, incl. the contracted authors and contact persons of buyers of CĒSU ALUS products (wholesalers, retailers), suppliers of various raw materials and supplies, and service providers;
2.2.3. visitors to CĒSU ALUS production department, offices and other premises, including those subject to video surveillance; users of voice line (telephone line) services (voice recordings);
2.2.4. natural persons – users of mobile applications who have agreed to receive commercial information, allowing the use of geolocation (GPS, Wi-fi, Bluetooth) functions;
2.2.5. users of online services – visitors to websites and mobile applications maintained by CĒSU ALUS,
(hereinafter – Customers).
2.3. The policy applies to data processing regardless of the form and/or environment in which the Customer provides personal data (when entering into a contract or on the CĒSU ALUS website or mobile applications, in paper format or by telephone) or the way in which CĒSU ALUS obtains them (contact persons of partners, winners and participants of lotteries and promotions, CCTV cameras) and in which electronic systems of the Company or in paper format they are processed.
2.4. CĒSU ALUS cares about the Customer privacy and protection of personal data, and respects the right of Customer to the legality of the processing of personal data in accordance with the applicable law.
2.5. For specific types of data processing (e.g. cookie processing, etc.), environment and purposes, additional specific terms and conditions may be set, of which the Customer is informed at the moment when he provides the relevant data to CĒSU ALUS.
3. Purposes of processing of personal data (how CĒSU ALUS could use your data) and the basis
3.1. To the extent permitted by law, CĒSU ALUS may process personal data for the following possible purposes:
3.1.1. Identification of the customer;
– preparation and conclusion of the contract;
– establishing employment relationships;
– delivery of goods, placing orders, acceptance of goods, organization of logistics, other communications (fulfilment of contractual obligations);
– customer service;
– consideration and processing of recommendations and objections;
– customer relationships, loyalty building, satisfaction measurements;
– accounting administration;
– maintenance and improvement of websites and mobile applications.
3.1.2. compliance with the rules governing the legal relationship of employment;
3.1.3. meeting and ensuring the requirements of the quality system;
3.1.4. organization of effective processes of company management, financial and business accounting and analytics;
3.1.5. organization and provision of commercial activities (performance of contracts, including performance control);
3.1.6. communication with the Customer, including providing customer feedback (feedback, suggestions, applications, submissions, including provided orally, calls to call centres, websites, etc.; reports on the progress of the contract and events relevant to the contract);
3.1.7. analysis of the functioning of CĒSU ALUS home pages, websites and mobile apps, with a view to developing and implementing improvements in both the functioning of the sites and services, marketing activities, etc.;
3.1.8. provision of information to public administration institutions and subjects of operational activities in the cases and to the extent specified in external laws and regulations;
3.1.9. other specific purposes for which the Customer is informed prior to the submission of the relevant data to CĒSU ALUS.
3.2. In order to fulfil the obligation to provide information stipulated by the Regulation (Article 13 of the Regulation), CĒSU ALUS prepares a Declaration on the Processing of Personal Data for each purpose (register) of data processing or a related group of processing actions, in which the Customer can receive accurate information about the processing operations.
3.3. When the information provided to the Customer at the beginning of the Data collection changes, CĒSU ALUS makes every effort to notify the Customer of such changes as soon as possible and, if necessary, to renew the Customer’s consent in accordance with the changes before further processing.
3.4. CĒSU ALUS does not make automated decisions regarding the Customer.
4. The Customer’s personal data is processed only if the processing is legally justified by:
4.1. conclusion and execution of an agreement – to conclude an agreement at the request of the Customer and ensure its execution;
4.2. fulfilment of laws and regulations – to fulfil the obligation specified in the external laws and regulations binding on CĒSU ALUS;
4.3. consent of the Customer – data subject;
4.4. legal (legitimate) interest – to realize the legitimate (lawful) interests of CĒSU ALUS or third parties arising from the obligations existing between CĒSU ALUS and the Customer or the concluded agreement or law.
5. Protection of personal data
5.1. CĒSU ALUS protects the Customer’s data by using today’s technological possibilities, taking into account the existing privacy risks and the reasonably available organizational, financial and technical resources of CĒSU ALUS.
5.2. CĒSU ALUS has introduced internal regulations for security, incident prevention and reporting.
5.3. Unfortunately, no data transmission is 100% secure, so if you have any concerns or suggestions for improvement, please let us know immediately.
6. Categories of recipients of personal data
6.1. CĒSU ALUS does not disclose to third parties the Customer’s personal data or any information obtained during the provision of services and the operation of the contract, with the exception of the transfer of certain Data to the following persons:
6.1.1. other companies of the OLVI GROUP (the largest shareholder in CĒSU ALUS and its subsidiaries) for internal administrative purposes;
6.1.2. the relevant third party, if the data are to be transferred to it within the framework of a contract in order to perform any functions necessary for the performance of the contract or delegated by law (for example, to the bank within the settlement to pay for the performed work, service, materials);
6.1.3. those to whom the data is given in accordance with the explicit and unambiguous consent of the Customer;
6.1.4. those who provide services instead of / on behalf of CĒSU ALUS;
6.1.5. those who assist in our business, such as website hosting and development, debt collection and customer service, those who assist in marketing activities;
6.1.7. persons specified in laws and regulations upon their justified request, in accordance with the procedures and to the extent specified in laws and regulations;
6.1.8. in cases specified in laws and regulations, for the protection of the legitimate interests of CĒSU ALUS, for example, by applying to a court or other state institutions against a person who has infringed the lawful interests of CĒSU ALUS.
6.2. When transferring data, CĒSU ALUS undertakes to ensure that the recipient of the data observes the same or stricter security measures for the processing of personal data as CĒSU ALUS.
6.3. Your personal data may be processed, stored and transferred to third parties in the manner and to the extent specified in this Policy, in the agreement(s) between you and us and the consent you give to us from time to time.
6.4. Access to personal data by third country entities
6.4.1. In certain cases, in compliance with the requirements of laws and regulations, personal data at CĒSU ALUS may be accessed in third countries (i.e. countries outside the European Union and the European Economic Area) by developers or service providers (within the meaning of the Regulation – transmission to third countries) in the capacity of data processor (operator) or, in Olvi group, in the capacity of a data controller, using the contact details of the suppliers to fulfil the contractual obligations.
6.4.2. In such cases, CĒSU ALUS provides the procedures specified in laws and regulations for ensuring a level of personal data processing and protection equivalent to that specified in the Regulation and for informing the Customers or obtaining the relevant consent.
7. Duration of the storage of personal data, within the limits of the need
7.1. CĒSU ALUS stores and processes the Customer’s personal data as long as at least one of the following criteria exists:
7.1.1. only as long as the agreement entered into with the Customer is in force;
7.1.2. as long as, in accordance with the procedures specified in external laws and regulations, CĒSU ALUS or the Customer may exercise his or her legitimate interests (for example, to submit objections or bring an action before a court);
7.1.3. as long as one of the parties has a legal obligation to keep the data;
7.1.4. as long as the consent of the Customer to the relevant processing of personal data is in force, if there is no other legitimate basis for the processing of data.
7.2. When the circumstances referred to in clause 7.1 cease, the Customer’s personal data is deleted.
8. Children’s data
8.1. CĒSU ALUS calls on parents to educate their children in the cautious use of Internet resources and to prevent them from disclosing their data on Internet sites without parental consent, as well as to protect, as far as possible, access to sites where Data may be collected.
8.2. When organizing lotteries or other marketing events, CĒSU ALUS does not request children’s data without parental consent.
8.3. If you are under 18 years of age, please turn to your parents, agree on the type and scope of Data submission, and ensure parental consent for the processing of your Data.
9. Website visits and cookie handling
10. Access to personal data and other rights of the Customer
10.1. The customer has the right to receive the information specified in laws and regulations in connection with the processing of his data.
10.2. The Customer has the right to request access to his personal data from CĒSU ALUS, as well as to request data addition, correction or deletion, or restriction of data processing in relation to the Customer, or to object to the processing of data (including the processing of data on the basis of the legal (legitimate) interests of CĒSU ALUS.
10.3. The Customer can submit a request to exercise his rights:
10.3.1. in writing by post to the legal address of CĒSU ALUS: Aldaru laukums 1, Cēsis;
10.3.2. by e-mail, signing with a secure electronic signature and sending the e-mail to the address: PersonasDati@cesualus.lv;
10.3.3. in person, in prior agreement with the contact person regarding the time of the meeting.
10.4. Upon receipt of the request, CĒSU ALUS verifies the Customer’s identity, evaluates and executes the request in accordance with laws and regulations.
10.5. CĒSU ALUS may reject requests that endanger the privacy of others or are unreasonable or repetitive, or would require a disproportionate effort.
10.6. CĒSU ALUS sends the reply to the Customer by letter or by e-mail to the contact address specified by the Customer.
10.7. CĒSU ALUS ensures the fulfilment of data processing and protection requirements in accordance with laws and regulations and, in the event of objections from the Customer, takes appropriate action to resolve the objection. However, if this fails, the Customer has the right to contact the supervisory authority – the Data State Inspectorate.
11. Customer’s consent to data processing and the right to withdraw it
11.1. To process data for which there is no other legal basis for processing, but which is necessary to achieve a legal purpose of CĒSU ALUS (e.g. to apply for news, opportunity to submit electronic CV, apply for lottery, analyse target audience’s habits of product use, prepare and send commercial announcements, individual advertisements, etc.), the Customer may give consent in CĒSU ALUS portals / applications electronically or in person at CĒSU ALUS legal address.
11.2. The Customer has the right to withdraw consent to the processing of data at any time in the same way and at the same place where it was given, that is, on the relevant website or in person at the legal address of CĒSU ALUS, and in that case no further processing based on the prior consent for the specific purpose will take place. In any case, the Customer has the right to withdraw his consent by submitting a written application to CĒSU ALUS.
11.3. Withdrawal of consent does not affect data processing performed at the time when the Customer’s consent was valid.
11.4. Withdrawal of consent may not suspend the processing of data which has another legal basis.
12. Changes in the Policy
12.1. CĒSU ALUS has the right to make additions to the Personal Data Protection Policy, making the current version available on the CĒSU ALUS website.
12.2. CĒSU ALUS retains the previous versions of the Personal Data Protection Policy and they are available on the CĒSU ALUS website. In relation to Customers whose rights may be limited by such changes in breach of the requirements of Article 13 of the Regulation, CĒSU ALUS provides an individual notification procedure in accordance with the requirements of the Regulation.