Privacy policy

1. General Information

1.1. The purpose of this privacy policy of SIA “BALTU KOKS” (hereinafter referred to as the Controller) is to provide individuals (hereinafter referred to as Data Subjects) with general information about the processing of personal data, its purpose, scope, and protection, as well as to inform Data Subjects of their rights and obligations.
1.2. The Controller processes personal data in compliance with the applicable laws of the Republic of Latvia, the European Parliament and Council Regulation (EU) 2016/679 on the protection of individuals regarding the processing of personal data, and the free movement of such data (General Data Protection Regulation, hereinafter GDPR), as well as other applicable legal acts related to privacy and data processing.
1.3. All terms used in this Privacy Policy are interpreted as per the GDPR.
1.4. The Controller needs to collect, process, and use certain types of information about Data Subjects to fulfill its functions and provide services in the most effective way.
1.5. This privacy policy applies to the privacy and protection of personal data for individuals who:
1.5.1. Are clients of the Controller who have received or are receiving services (forestry, logging services).
1.5.2. Sell or wish to sell real estate or timber to the Controller.
1.5.3. Have used, are using, or have expressed an interest in using the services offered by the Controller.
1.5.4. Have in any other way cooperated, are cooperating, or have expressed a desire to cooperate with the Controller (including participating in recruitment processes or sending letters to the Controller).
1.5.5. Are business partners of the Controller (individuals) or employees/authorized representatives of business partners (legal entities) responsible for fulfilling contractual obligations.
1.6. This privacy policy does not apply to the processing of personal data of the Controller’s employees.

2. Information about the Controller

2.1. The Controller for personal data processing is SIA “BALTU KOKS,” located at Vecā ostmala 10, Liepāja, LV-3401, phone +371 26456375, email: info@baltukoks.lv.
2.2. The Controller processes personal data as specified in this Privacy Policy.
2.3. The Controller may also process personal data as an authorized processor on behalf of other entities. The privacy rules, policies, or agreements of the respective Controllers may apply to such processing.

3. Data Protection Principles

3.1. The Controller observes the following principles when processing personal data:
3.1.1. Processes personal data to ensure appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage, using appropriate technical or organizational measures.
3.1.2. Processes personal data lawfully, fairly, and transparently to the Data Subject.
3.1.3. Collects personal data only for specific, clear, and legitimate purposes and does not process it further in a manner incompatible with those purposes unless required to fulfill legal functions or obligations.
3.1.4. Processes adequate, relevant, and necessary personal data to achieve processing purposes.
3.1.5. Ensures the accuracy of personal data and updates it when necessary.
3.1.6. Stores personal data only as long as needed for the purposes for which it is processed.

4. Purposes, Legal Basis, and Retention Period for Data Processing

4.1. The Controller processes the Data Subject’s personal data in compliance with the principles outlined in Section 3 and only when there is a legal basis to do so. The Controller processes personal data for the following purposes:
4.1.1. Provision of Direct Services
This includes the processing of incoming client applications (offers), the purchase of forests, timber, land, and logs, as well as the inspection and evaluation of real estate, making offers, entering into and fulfilling purchase contracts, and providing forestry services.

Categories of personal data processed within this purpose include:

• For client application (offer) handling, real estate inspection, and making offers: Property name, cadastral number, municipality, desired sale price, phone number, email, other initial information provided by the client, property information, and offered price.
• For signing and fulfilling real estate and timber purchase agreements: Name, surname, personal code, address, property information, signature, spousal information, bank account number, tax payment details, presence of an electronic signature, information available in land registers and cadastral systems.
• For providing forestry services: Name, surname, personal code, phone number, email, signature, and information about the forestry service provided.

Legal basis:

• Conclusion and execution of a contract (GDPR Article 6(1)(b)), as the processed data is necessary to enter into and fulfill contractual obligations with the client;
• Fulfillment of legal obligations (GDPR Article 6(1)(c)), such as registering property in the land register, proving the origin of timber, etc.;
• Legitimate interests of the Controller (GDPR Article 6(1)(f)), to evaluate the property, prepare an offer, and maintain communication with the client.

Retention period:

The retention of received personal data is carried out for various periods until the specific purpose of data processing is achieved. For example, concluded real estate purchase agreements are stored permanently, concluded service agreements are stored for 10 years after the fulfillment of contractual obligations, received client applications are stored for 2 years, and data related to forestry service provision is stored for 20 years.

Possible recipients of personal data:

• Authorized employees of the Controller, such as office administrators or other authorized staff as per competence.
• Processors engaged by the Controller, such as email service providers, IT system maintainers;
• Third parties – sworn notaries, the Land Registry Court, timber buyers.

4.1.2. Recruitment Processes and Related Rights and Obligations

This includes the processing of submitted CVs and cover letters to evaluate suitability for vacant positions.

Categories of personal data processed within this purpose include:

  • Information contained in CVs and cover letters – Name, surname, contact information, previous work experience, educational background, and other information provided by the applicant.

Legal basis:

  • Fulfillment of legal obligations (GDPR Article 6(1)(c)), such as compliance with the Labor Law.
  • Legitimate interests of the Controller (GDPR Article 6(1)(f)), to evaluate the candidate’s suitability for the position.

Retention period:

Personal data is stored for 4 months after the vacancy is filled or for 6 months with the applicant’s consent.

Possible recipients of personal data:

  • Authorized employees of the Controller, such as the office administrator and the head of the department where the vacancy is being filled;
  • Processors engaged by the Controller, such as email service providers, IT system maintainers;

4.1.3. Document Management, Handling of Incoming Documents, and Registration of Outgoing Documents

This involves organizing the circulation of received and outgoing documents, registering them, and preparing responses.

Categories of personal data processed within this purpose include:

  • Information included in the received document, such as name, surname, address, content of the submission. If the document is submitted by a legal entity, personal data of the preparer (if provided).

Legal basis:

  • Fulfillment of legal obligations (GDPR Article 6(1)(c)), when required by external legal acts, such as responding to data subject requests under Chapter III of the GDPR.
  • Legitimate interests of the Controller (GDPR Article 6(1)(f)), to review and respond to the submission.

Retention period:

Received personal data is stored for 10 years.

Possible recipients of personal data:

  • Authorized employees of the Controller, such as office administrators or other authorized staff as per competence.
  • Processors engaged by the Controller, such as email service providers, IT system maintainers.

4.1.4. Execution of Business Transactions

This includes entering into cooperation agreements with legal or natural persons and related personal data processing.

Categories of personal data processed for this purpose include:

  • For agreements with legal entities – Name, surname, email, phone number, and signature of legal representatives or contact persons.
  • For agreements with natural persons – Name, surname, personal code, address, email, phone number, signature, payment information, and other contract-related data.

Legal basis:

  • Conclusion and execution of a contract (GDPR Article 6(1)(b)), as the processed data is necessary to fulfill the contract.
  • Legitimate interests of the Controller (GDPR Article 6(1)(f)), to execute contractual obligations and ensure communication regarding the contract.

Retention period:

Personal data is stored for 10 years after contract fulfillment.

Possible recipients of personal data:

  • Authorized employees of the Controller responsible for contract execution;
  • Processors engaged by the Controller, such as email service providers, IT system maintainers.

4.1.5. Accounting in Compliance with Regulatory Requirements
This includes maintaining accounting records in compliance with legal requirements, tracking expenses and revenues, issuing invoices, recording transactions, and providing information to oversight authorities.

Categories of personal data processed within this purpose include:

  • Data contained in issued or received accounting records, such as name, surname, personal code, address, email, signature, payment information, and bank account details.

Legal basis:

  • For the conclusion and execution of a contract (GDPR Article 6(1)(b)), as the processed data is necessary to conclude and fulfill contractual obligations with the contracting party, which is a natural person.
  • For the fulfillment of legal obligations (GDPR Article 6(1)(c)), to ensure the compliance of accounting documents with the regulations governing bookkeeping, such as the Accounting Act.

Retention period:

Personal data is stored in accordance with the Accounting Act.

Possible recipients of personal data:

  • Authorized employees of the Controller, such as accountants and other authorized staff;
  • Processors engaged by the Controller, such as accounting system maintainers;

4.1.6. Video Surveillance

Within this data processing, the Controller conducts video surveillance for the following purposes: to protect property and prevent criminal activities, to ensure the protection of the legal interests of the company and third parties, and to obtain, preserve, and submit evidence to law enforcement authorities.

Categories of personal data processed within this purpose include:

  • During video surveillance, the following personal data may be processed: the appearance and actions of individuals within the surveillance area, and vehicle registration numbers.

Legal basis:

  • For the legitimate interests of the Controller (GDPR Article 6(1)(f)). The Controller has a legitimate interest in conducting video surveillance to protect its property, other material assets, and the legal interests of its employees. To implement these interests, the Controller is entitled to provide video recordings to supervisory authorities, such as the State Police, if a legal basis exists for such transfer and it is necessary for the protection of the Controller’s legal interests.

Retention period:

Video surveillance recordings are stored for 14 days. This period may be extended if the recorded video material is necessary for implementing the Controller’s legitimate interests.

Possible recipients of personal data:

  • Authorized employees of the Controller;
  • Law enforcement authorities

4.1.7. Public Information about the Company’s Activities
Within the scope of this data processing, the Controller photographs or films events organized by the Controller or significant events in the Controller’s business to inform the public about the company’s operations and promote its services. As part of this data processing, photos and videos may be published on the Controller’s social media profiles, such as Instagram, Facebook, and LinkedIn.

Categories of personal data that may be processed for this purpose include:

  • Photographs, videos, and activities depicted therein. Published materials will not be associated with the Data Subject’s name, surname, or other identifying information.

Legal basis:

  • Implementation of the Controller’s legitimate interests (GDPR Article 6(1)(f)) to inform the public about the Controller’s services and significant business events and developments. Photographing and filming events also ensures that the Controller can document its activities to create an archive of significant events. Photos and videos are carefully reviewed before publication to ensure that the Data Subject’s privacy rights are not violated.

Retention period:

Published photos and video materials will be stored and publicly displayed for 5 years. In cases where the photos or videos have significant archival or historical value for the Controller’s business, these materials may be retained for a longer period until the purpose is achieved.

Possible recipients of personal data:

  • Authorized employees of the Controller (marketing specialists);
  • Any third party with lawful access to the published materials.

5. Transfer of Personal Data Outside the European Union or the European Economic Area

5.1. The Controller may transfer personal data outside the European Union and the European Economic Area.
5.2. If the Controller’s cooperation partners – processors entrusted by the Controller to process personal data on its behalf – process the client’s personal data outside the European Union or the European Economic Area, the Controller ensures that such service providers comply with the data security and technical requirements specified in Regulation No. 2016/679, other European Union and Latvian regulatory acts, and best practice guidelines. For example, when using Google email services, personal data may be transferred outside the European Union or the European Economic Area. Such a transfer is based on Article 45 of the GDPR, under which the European Commission has adopted a decision recognizing the data transfer to be adequate in cases where the organization has joined the EU-U.S. Data Privacy Framework. The adequacy decision is available at: https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en

6. Data Subject Rights

6.1. The Data Subject has the right to submit a request to the Controller in person, presenting a personal identification document, or electronically by sending an email to info@baltukoks.lv with a securely signed electronic signature, to:
6.1.1. Request information about the processing of their personal data conducted by the Controller.
6.1.2. Request the supplementation or correction of their personal data, deletion or restriction of processing, and object to the processing of their personal data, as well as request data portability.
6.1.3. Withdraw consent for the processing of their personal data if the processing is based on the Data Subject’s consent. This does not affect the lawfulness of the processing carried out while the consent was in effect.
6.1.4. File a complaint regarding unlawful personal data processing with the Data State Inspectorate if the Data Subject has doubts.
6.1.5. In any case, exercise all rights granted to Data Subjects under Chapter III of the General Data Protection Regulation.
6.2. The Controller will review the Data Subject’s request and implement the Data Subject’s rights in accordance with the requirements of the applicable legal acts. The Controller will provide a response to the Data Subject’s request no later than one month from its receipt. In specific cases, the Controller may extend the response time by an additional two months, notifying the Data Subject of the extension.

7. Contacting the Controller

7.1. For any questions or uncertainties regarding the processing of personal data by the Controller, Data Subjects should contact the Controller using the contact information provided in Section 2.

8. Other Information

8.1. The Privacy Policy may be amended as necessary. The latest version of the Privacy Policy is published on the website at www.baltukoks.lv under the “Privacy Policy” section.
8.2. This Privacy Policy comes into effect on July 22, 2024.