Privacy Policy
(valid since 1 April 2023)

1. Terms used

1.1. Processing – any operation or complex of operations carried out with the Personal Data, carried out with or without automated means, for example, gathering, registration, structuring, systemizing, storage, configuration, transformation, specification, viewing, use, disclosure by sending, distribution or otherwise making available, anonymization, restriction, deletion, destruction.
1.2. Data Subject – identified or identifiable individual.
1.3. Personal Data – any information regarding the Data Subject.
1.4. Profiling – automated Personal Data Processing of any type used with the aim to assess the particular personal aspects related to the Data Subject, especially in order to analyse or estimate the aspects in relation to the Data Subject’s economic situation, personal desires, interests, loyalty, behaviour, location or movement.
1.5. General Data Protection Regulation – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.6. Company – Fenomen, SIA, unified registration No.: 50203303631, legal address: 21A-11 Elizabetes St., Riga.
1.7. Company’s website – academy.taro.lv.
1.8. Third Country – a country that is not a member-state of the European Union / European Economic Area.

2. General Provisions

2.1. The aim of the Privacy policy is to explain to any individual the procedure in which the Company is processing Personal Data.
2.2. Personal Data Processing is carried out by the Company in accordance with the requirements of the General Data Protection Regulation.
2.3. The Company ensures that the Personal Data are being processed lawfully, fairly and in a way clear to the Data Subject.
2.4. The Personal Data Processing carried out by the Company may have several legal grounds, for example, consent of the Data Subject to Personal Data Processing, contractual relationships of Data Subject and the Company, execution of the legal duty the Company is subject to in accordance with the requirements of applicable regulatory enactments, obeying and ensuring legitimate interests of the Company, etc.
2.5. Personal Data can be provided by Data Subjects, obtained in the course of rendering Company’s services, as well as from external sources (e.g. public or private registers) or third parties.
2.6. Upon providing the services to the clients, the Company is processing the data submitted by the client in the interest of the client, and in the context of the General Data Protection Regulation the Company is the data processor.
2.7. The Company is a data controller in the context of the General Data Protection Regulation regarding fulfilment of their interests and duties provided by the law.
2.8. The Company may use services of other data processors and/or processing sub-contractors for Personal Data Processing. In these cases, the Company shall take all the necessary measures to ensure that the data processors chosen by the Company are carrying out Personal Data Processing in accordance with applicable regulatory enactments and instructions of the Company.
2.9. The Privacy Policy is available on the Company’s website.

3. Personal Data Processing purposes

3.1. Personal Data are being gathered for specific, clear and legitimate purposes and their further Processing shall not be carried out in ways incompatible to the abovementioned purposes.
3.2. The Company is carrying out Personal Data Processing for the following purposes:
3.2.1. providing services;
3.2.2. execution of requirements of the regulatory enactments;
3.2.3. identification purposes;
3.2.4. concluding, execution and termination of distance contract;
3.2.5. protection of interests of clients and the Company;
3.2.6. offering services and marketing purposes;
3.2.7. preparing statistics.

4. Personal Data categories

4.1. The Company mainly gathers and processes the following categories of Personal Data:
4.1.1. Person’s identification data (name, surname);
4.1.2. Person’s contact information (email address, phone number, language of communication and other contact information);
4.1.3. Service-related data (e.g., about the received claims or complaints).

5. Categories of Data Subjects

5.1. The Company is processing Personal Data of the Following Data Subjects:
5.1.1. clients of the Company;
5.1.2. business partners of the Company, its suppliers, service providers and their affiliated persons (representatives, authorised representatives, beneficiaries, employees, etc.);
5.1.3. shareholders of the Company (potential, current and former);
5.1.4. Company’s officials (current and former).

6. Personal Data Receivers and Place of Processing

6.1. The Company submits Personal Data to the following data receivers:
6.1.1. Government institutions;
6.1.2. Credit institutions, payment service;
6.1.3. Members of the governing bodies, employees, representatives, authorized representatives of the Company;
6.1.4. Business partners, suppliers, service providers, and auditors of the Company;
6.1.5. Data processors that are carrying out Personal Data Processing at the instruction of the Company;
6.1.6. Other persons in accordance with the provisions of contract concluded between the Company and the Data Subject.
6.2. Submitting of Personal Data to data receivers (regardless of the residence of the data receiver – the Republic of Latvia, European Union, European Economic Area or beyond that) is subject to applicable regulatory enactments and/or an agreement concluded between the Company and the data receiver which implies non-disclosure and data exchange security provisions and/or disclosure takes place through access granted by third parties to the data necessary for providing the service.
6.3. Usually, Personal Data Processing takes place at the territory of the Republic of Latvia. The Company is entitled to transfer Personal Data to data receivers located in other member-states of the European Union and in the countries of the European Economic Area.
6.4. In certain cases, the Company, following the provisions of the General Data Protection Regulation and other applicable regulatory enactments, can send Personal Data to Third Countries or international organisations. Sending Personal Data to Third Countries or international organisations is possible based on:
6.4.1. the decision of the European Commission about that the particular Third Country, any territory of it or one or several regions, or the international organisation ensures sufficient level of protection; or
6.4.2. appropriate guarantees that are ensured in accordance with the provisions of the General Data Protection Regulation, standard data protection clauses adopted or approved by the European Commission, or binding regulations of the company, or action code approved in accordance with the provisions of the General Data Protection Regulations, together with the binding and lawfully executable obligations of the Third Country data administrator or processor to apply the appropriate guarantees, or the certification mechanism that is approved in accordance with the provisions of the General Data Protection Regulation, together with the binding and lawfully executable obligations of the Third Country data administrator or processor to apply the appropriate guarantees; or
6.4.3. that any of the provisions of Paragraph One of Article 49 of the General Data Protection Regulation has occurred, for example, the Data Subject has agreed to with the proposed sending of Personal Data after being informed about the implied risks such sending decision can cause to the Data Subject due to lack of sufficient protection level and appropriate guarantees, or the sending is necessary in order to initiate, fulfil or protect the lawful claims, as well as in cases when sending is necessary for fulfilment of an agreement between the Data Subject and the controller or to carry out measures before concluding an agreement, the sending is necessary for concluding an agreement between the controller and other individual or legal entity in the interest of the data subject or for fulfilment of such agreement, or sending is necessary if there are material reasons in the interest of the company.
6.5. Upon request, Data Subject can be provided with more detailed information about the sending of Personal Data to Third Countries or international organisations.
6.6. In the course of fulfilment of the agreement, the Company is using publicly available information search databases and engines, where it enters the information obtained from the client necessary for finding information, and such internet resources may be located beyond the European Union and the European Economic Area.

7. Rights of Data Subject

7.1. Regarding own Personal Data, the Data Subject as the following rights:
7.1.1. to receive information from the Company about whether their Personal Data is being or not being processed and if they are being processed, then to access their Personal Data and receive information about the purpose of Processing of the Personal Data being processed, category of Personal Data, Personal Data receivers, Personal Data storage terms, information about other sources of Personal Data, if the Personal Data were obtained from a third party, information about guarantees if the Personal Data are being sent to a Third Country or international organisation, as well as information about the rights of Data Subject;
7.1.2. to receive information about that whether the provision of Personal Data is related to the requirements of a contract or regulatory enactments, or provision of Personal Data is a condition for concluding a contract, as well as information about that the Data Subject is obligated to provide Personal Data and about the consequences of failing to provide such Personal Data;
7.1.3. to request their Personal Data to be corrected if they are imprecise, incorrect or incomplete;
7.1.4. to request their Personal Data Processing to be limited;
7.1.5. to object against Processing of their Personal Data;
7.1.6. to request their Personal Data to be deleted;
7.1.7. to revoke their consent to Processing of their Personal Data;
7.1.8. to submit a complaint to the State Data Inspectorate about the Processing of Personal Data carried out by the Company (contact information of the State Data Inspectorate is available at www.dvi.gov.lv).
7.2. The Company shall ensure the rights of the Data Subject in accordance with the requirements of the General Data Protection Regulation for ensuring such rights.

8. Profiling and automated decision-making

8.1. Your personal data shall not be used for automated decision-making.

9. Personal data protection and storage terms

9.1. The Company carries out and maintains appropriate administrative, technical and organisational measures in order to protect Personal Data from unintentional or unlawful destruction, loss, transformation, unauthorised disclosure or access to them.
9.2. The Company is storing Personal Data for not more than it is necessary for the purposes for which the particular Personal Data are processed. The term of storage of Personal Data is determined based on the applicable regulatory enactments or legitimate interests of the Company. After the expiration of the storage period of the Personal Data, they are deleted. If there are any obstacles for the deletion of the Personal Data (e.g. an order on prohibition to delete the Personal Data), then the storage of Personal Data should be ensured until elimination or cancellation of such obstacles.

10. Contact information of the Company

10.1. Data Subject is entitled to submit questions, requests, applications and complaints to the Company by sending them to Company’s email academy@taro.lv or to Company’s legal address.

11. Amendments to the Privacy Policy

11.1. The Company is entitled to amend the Privacy Policy unilaterally. The Company shall inform about the amendments in the Privacy Policy through its website by publishing the new version of the Privacy Policy, stating the date it becomes effective.
11.2. The Company has the right to inform the clients of the Company about the amendments in the Privacy Policy individually by sending a notification to email or via post or using other communication channels.