1. The personal data controller is Mrs. Agita Daukste (dba GatewayBaltic), registered office at Kursu street 17 – 3, LV-1006, Riga, Latvia, Reg. nr: 40003703819, a sole proprietorship doing business under the Trade Act and not registered in the Commercial Register (“Controller”).
2. The Controller processes personal data of customers and partners who are natural persons (“data subjects”). With regard to processing of their personal data, data subjects may contact the Controller at the following e-mail address firstname.lastname@example.org.
3. The Controller will process identification and contact details of data subjects and data collected by the Controller in performance of contracts concluded with data subjects (“contract”).
4. The Controller shall process personal data of a data subject for the purposes of:
4.1. performance of contract, under Article 6 (1) (b) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”);
4.2. Compliance with a legal obligation of the Controller established by a legally binding legal regulation pursuant to Article 6 (1) (c) GDPR (e.g. the obligation of the Controller to keep accounting and tax documents);
4.3. Identification, exercise or defense of legal claims of the Controller pursuant to Article 6 (1) (f) GDPR;
4.4. Sending of marketing communications pursuant to Article 6 (1) (f) GDPR based on the legitimate interest of the Controller consisting in direct marketing.
5. Personal data will only be processed for the time necessary with regard to the purpose of their processing. With respect to the above:
5.1. for the purpose under par. 4.1 above, personal data will be processed until termination of contractual obligations. The possibility of the Controller to further process personal data (to the extent necessary) for the purposes under par. 4.2, 4.3 and / or 4.4 above remains unaffected.
5.2. for the purpose under par. 4.2 above, personal data will be processed for the duration of the applicable legal obligation of the Controller;
5.3. for the purpose under par. 4.3 above, personal data will be processed until the end of the 4th calendar year following the end of the warranty period under the contract (if quality has been guaranteed in the contract), but at least until the end of the 5th calendar year following the termination of the contractual obligations. In case of commencement and continuation of judicial, administrative or other proceedings, in which the rights or obligations of the Controller in relation to the corresponding data subject are dealt with, the period of processing of personal data for the purpose referred to in par. 4.3 above shall not end before the termination of such proceedings.
5.4. for the purpose of sending marketing communications under par. 4.4 above, personal data will be processed until the data subject requests to be excluded from such use.
6. Personal data for which the purpose of their processing has ceased shall be disposed of (by shredding or by other means to ensure that they will not be made available to unauthorized persons) or made anonymous no later than by the end of the calendar quarter after the lapse of the period of processing referred to in par. 5 above.
7. The Controller is entitled to transfer personal data to recipients with whom it has concluded a contract on the processing of personal data and who will process personal data for the Controller as its processors. The Controller may, depending on the location of these recipients, transfer personal data to a third country (i.e. outside the EU) or to an international organization, including supplementary information under Article 13 (1) (f) GDPR, to the extent of contact data collected for purposes related to a project/activity for a non-EU customer and where the data subject is informed thereof in communication with the Controller.
8. In connection with the processing of their personal data, data subjects have a number of rights, including the right to request from the Controller access to their personal data (subject to Article 15 GDPR), their rectification or erasure (subject to Article 16 or Article 17 GDPR), or restriction of their processing (subject to provisions of Article 18 of the GDPR), and to object to processing (subject to Article 21 of the GDPR), as well as rights to data portability (subject to Article 20 GDPR).
9. If a data subject believes that its personal data are being processed in violation of the law, it has the right to contact the Controller with a request for remedy. If the data subject’s request is found legitimate, the Controller shall ensure immediate remedy. This is without prejudice to the subject’s right to file a complaint directly with the Office for Personal Data Protection.
10. Providing personal data by a data subject is a contractual requirement. There is no legal obligation for a data subject to provide personal data, but the Controller needs such data for conclusion and performance of contract.