HORTUS Digital Privacy Policy

The protection of Your personal data is important to us, which is why we have developed this Privacy Policy (hereinafter – the Policy) to ensure fair and lawful processing of Your personal data in a transparent manner and to inform You of Your rights and obligations in connection with the processing of Your personal data.

1. Purpose and Scope of the Privacy Policy

1.1. The purpose of this Policy is to provide the natural person – the Data Subject (hereinafter – the Data Subject or You) with information about the purpose, legal basis, scope, and retention period of personal data processing carried out by us as the Controller, ensuring that the processing of personal data is transparent to You as the Data Subject.

1.2. The Privacy Policy has been developed taking into account Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter – the Regulation), the Personal Data Processing Law, and other applicable regulations in the field of privacy and the processing and protection of personal data of natural persons.

1.3. This Policy applies to the processing of personal data of natural persons regardless of the form and/or environment in which the natural person provides personal data (entering the territory and/or premises, by telephone, verbally, by post, by email, etc.) and regardless of the source of the personal data, as well as regardless of which Controller systems (audio, website, etc.) they are processed in.

1.4. Given that the company continuously develops its activities and improves, we may from time to time amend and supplement this Privacy Policy. If this Policy is updated, the amendments shall take effect on the date indicated in the notices of changes to this Policy. To ensure transparent and fair data processing, the current version of the Policy will be published on the Controller’s website at http://www.hortusdigital.com/ in the privacy policy section and at the Controller’s office or structural unit. The Controller retains previous versions of the Privacy Policy, which are available upon request.

2. Controller Information and Contact Details

2.1. The controller of personal data processing as defined in this Privacy Policy is SIA “Hortus Digital” (unified reg. no. 40003513478, contact information: Gunāra Astras iela 8b, Riga, LV-1082, tel. 67339292, email: gdpr@hortusdigital.com, website: www.hortusdigital.com).

3. How You Will Be Informed About the Processing of Your Personal Data

3.1. To promote transparent data processing, the Controller informs and explains in its operations what personal data is processed in the course of the Controller’s economic activities and how it will be used. This information is provided in this Privacy Policy.

3.2. When processing personal data for purposes not specified in this Privacy Policy, as well as to clarify information on individual data processing conditions, the Controller may inform You as the data subject separately (for example, by placing notices in email communications or by organizing competitions on social media platforms or the website administered by the Controller). Information may also be provided to You by the Controller’s staff, either verbally or by requesting You to review information set out in specific documents.

4. Purposes of Personal Data Processing

In the course of its commercial activities, the Controller has identified several purposes for personal data processing, which we invite You to review individually:

4.1. Personal Data Processing for Staff Recruitment and the Protection of the Controller’s Legitimate Interests

What personal data does the Controller process?

The categories of personal data processed by the Controller depend on the personal data submitted by the Data Subject to the Controller.

• All information included in the CV submitted by the Data Subject (e.g., first name, surname, date of birth, residential address, employment and educational history, language skills and their application, additional knowledge/skills, interests/hobbies, phone number, email address, photograph, or other identifying information), while the Controller encourages You as a candidate to submit only information that demonstrates Your professional abilities.
• All information You have included in Your submitted cover letter or attached as annexes thereto.
• Information from persons who have provided references about You (if You have explicitly authorized contact with those persons).
• If You are invited to a job interview, information provided during the interview, completed tests, and other assessment tasks.

What is the legal basis for personal data processing?

Personal data will be processed for the Controller’s staff recruitment and protection of legal interests. The legal basis for personal data processing may vary:

• The Controller is entitled to process Your personal data because You, by expressing Your wish to apply for the advertised vacancy, have expressed a desire to enter into an agreement with the Company (Article 6(1)(b) of the Regulation).
• If You have expressed Your wish to apply for future vacancies, the Controller will continue processing Your personal data based on Your consent (Article 6(1)(a) of the Regulation).
• The Controller has a legitimate interest in processing Your CV and/or application to secure evidence of the lawful conduct of the recruitment process (Article 6(1)(f) of the Regulation).

What is the personal data retention period?

• All information will be retained for no longer than six months from the end of the specific recruitment process.
• If You have consented to be considered for future vacancies – the period does not exceed one year from the moment of receiving consent.
• If the Controller receives a complaint about the recruitment process, the information will be retained until the final settlement enters into force.

After the retention period expires, personal data will be irreversibly deleted.

Who has access to the information and to whom is it disclosed?

Recipients of personal data may be authorized employees of the Controller, within the scope defined by their job responsibilities. In the event a complaint is received, information may be passed to legal service providers, law enforcement or supervisory authorities, as well as to the court.

Personal data is not intended to be transferred to recipients outside the European Union or European Economic Area.

4.2. Personal Data Processing for the Controller’s Economic Activities, Conclusion of Contracts and Performance of Contractual Obligations, and Protection of the Controller’s Legitimate Interests

What personal data does the Controller process?

The categories of personal data depend on the specific situation and the economic activities carried out by the Controller. The Controller has the obligation and right to process information identifying You (first name, surname, personal identification number, contact information) and other important additional information. When receiving Services, Your personal data is processed in accordance with the agreement concluded between the Parties, as well as payment information (bank account, information about the credit institution, payments made, and services received).

What is the legal basis for personal data processing?

• Article 6(1)(b) of the Regulation – processing is necessary for the performance of a contract or to take steps prior to entering into a contract.
• Article 6(1)(c) of the Regulation – processing is necessary to comply with a legal obligation applicable to the Controller.
• Article 6(1)(f) of the Regulation – processing is necessary for the purposes of the legitimate interests pursued by the Controller or a third party.

What is the personal data retention period?

The Controller complies with special regulations that establish an obligation to retain certain data (for example, the Accounting Law establishes an obligation to retain information about transactions for five years). For services with a warranty period, information will be retained throughout the entire service provision period and in observance of the limitation period for transactional claims.

After the retention period expires, personal data will be irreversibly deleted.

Who has access to the information and to whom is it disclosed?

Recipients of personal data may be authorized employees of the Controller, providers of accounting or legal services, and audit service providers.

Personal data is not intended to be transferred to recipients outside the European Union or European Economic Area.

The Controller is obliged to provide information about processed personal data to law enforcement authorities, courts, or other state and municipal institutions where required by law.

4.3. Retention and Recording of Incoming and Outgoing Communications (Email, WhatsApp, Skype, Postal Mail) to Ensure Performance of Contractual Obligations and Protection of the Controller’s Legitimate Interests

What personal data does the Controller process?

When using the various means of contacting the Controller (telephone, email, post, website, Skype, WhatsApp), written information related to the specific letter, complaint, or suggestion and the information reflected therein will be retained, as well as the content of the communication, its time, and information about the communication tool used.

What is the legal basis for personal data processing?

The retention of information about the fact and content of communication is carried out on the basis of Article 6(1)(f) of the Regulation – for the protection of the legitimate interests of the Controller and third parties.

What is the personal data retention period?

The Controller will retain the relevant information for a period not exceeding five years, unless the information needs to be used for the protection of the Controller’s legal interests for a longer period.

After the retention period expires, personal data will be irreversibly deleted.

Who has access to the information and to whom is it disclosed?

Recipients of personal data may be authorized employees of the Controller, legal service providers, law enforcement, supervisory, and oversight authorities.

Personal data is not intended to be transferred to recipients outside the European Union or European Economic Area.

4.4. Retention and Publication of Documentation, Photo, and Video Archives of Events Organized by the Controller and Its Partners on the Controller’s Website, in Media, and on Social Networks, with the Aim of Promoting and Enhancing the Visibility of the Controller and the Brands It Represents

What personal data does the Controller process?

At events organized by the Controller and its partners (public exhibitions, training sessions, marketing and public relations events, product promotions, and lotteries), photo and video recordings of event attendees and recordings of participant interviews are made. Photo and video images of event attendees may be processed by storing them in the Controller’s archives, publishing them on the website, social networks, and other informational and/or marketing materials.

What is the legal basis for personal data processing?

Personal data processing is carried out on the basis of Article 6(1)(f) of the Regulation – the Controller has a legitimate interest in documenting its organized events, thereby ensuring visibility and promotion.

The Controller does not prevent any data subject from contacting at any time to object to the processing of their data.

What is the personal data retention period?

The Controller intends to retain the obtained information indefinitely.

Who has access to the information and to whom is it disclosed?

The obtained materials will be publicly accessible. Recipients of personal data may be authorized employees of the Controller, Processors, law enforcement, supervisory, and oversight authorities.

Regarding personal data in the digital environment, the Controller informs that the Processors it has selected (google.com, facebook.com, YouTube, etc.) operate outside the European Union and European Economic Area member states.

4.5. Customer, Potential Customer, and Partner Information Platform on Social Networks, with the Aim of Informing About Important Updates in the Controller’s Activities, Commercial News, Promotions, and Compliance with the Controller’s Legitimate Interests, as well as Sending Commercial and Informational Notifications

What personal data does the Controller process?

If You have consented to receive commercial notifications, they will be sent to Your email address, addressing You by first name, surname, and the name of the company You represent. If You have chosen to follow on social networks, we may contact You using social media platforms. Prior to sending commercial communications, the Controller may conduct an analysis of the existing cooperation.

What is the legal basis for personal data processing?

• Your consent (Article 6(1)(a) of the Regulation) – You have the right to withdraw Your consent at any time.
• The Controller’s legitimate interest in providing information about services and products (Article 6(1)(f) of the Regulation).

What is the personal data retention period?

The Controller takes into account:

• whether the personal data retention period is defined in applicable regulations;
• the period for which data needs to be retained for the realization of the Controller’s or a third party’s legitimate interests;
• until the consent provided by the person has been withdrawn.

Upon giving Your consent, Your personal data will be processed until Your consent is withdrawn.

Who has access to the information and to whom is it disclosed?

Recipients of personal data may be authorized employees of the Controller, marketing service providers, and other processors. In the event a complaint is received, information may be passed to law enforcement or supervisory authorities, as well as to the court.

5. General Information on Data Subject Rights

How will the data subject be informed about the processing of their personal data?

The data subject is informed about the personal data processing described in this Policy through a layered approach, which includes methods such as publishing this Policy on the Controller’s website, as well as in certain cases through notices at the time of data collection.

What are my rights as a data subject?

• The data subject has the right to request access from the Controller to their personal data and to receive clarifying information about what personal data the Controller holds, for what purposes the Controller processes this data, the categories of personal data recipients, and information about the retention period.
• If the data subject considers the information to be outdated, inaccurate, or incorrect, the data subject has the right to request rectification of their personal data.
• The data subject has the right to request erasure of their personal data or to object to processing if the data has been processed unlawfully or is no longer necessary (the right to be forgotten).
• Personal data cannot be erased if processing is necessary:
  • to protect the vital interests of the data subject or another natural person;
  • for the Controller or a third party to establish, exercise, or defend legitimate interests;
  • in accordance with regulations binding on the Controller.
• The data subject has the right to request restriction of personal data processing if:
  • the data subject contests the accuracy of the personal data;
  • the processing is unlawful and the data subject objects to erasure;
  • the Controller no longer needs the data, but it is required by the data subject for the establishment of legal claims;
  • the data subject has objected to processing.
• Where processing is restricted, such data may only be processed with the data subject’s consent or for the establishment, exercise, or defense of legal claims.
• Before lifting the restriction, the Controller will inform the data subject.
• The data subject has the right to lodge a complaint with the Data State Inspectorate. The Controller encourages You to first contact us at: gdpr@hortusdigital.com
• The data subject may submit a request to exercise their rights:
  • in written form in person at the Controller’s premises, presenting an identity document;
  • by email, signed with a secure electronic signature (to gdpr@hortusdigital.com);
  • by sending by post to the Controller’s contact address.
• The data subject is obliged to specify in their request the date, time, place, and other relevant circumstances.
• Upon receipt of the request, the Controller will verify the person’s identity and evaluate the request.

What measures does the Controller apply to ensure personal data protection?

• The Controller ensures, continuously reviews, and improves personal data protection measures using appropriate technical and organizational means.
• The Controller carefully vets all service providers who process personal data on the Controller’s behalf.
• In the event of a personal data security incident, the Controller will notify the relevant Data Subject using the available contact information or by publishing information on the website.

6. Use of Cookies

6.1. Our website uses cookies to ensure the functioning of the website, improve the user experience, and analyze visitor statistics.

6.2. We use the following categories of cookies:

• Necessary cookies – ensure the basic functions of the website (e.g., saving cookie settings). These cookies cannot be disabled.
• Analytics cookies – help understand how visitors use the website (Google Analytics). Data is processed in anonymized form.
• Marketing cookies – used to show You more relevant content and advertisements.

6.3. You can manage cookie settings at any time by clicking “Customize” in the cookie notice or by changing your browser settings.

6.4. The cookie retention period depends on their type – from the end of the session to 2 years.