
Privacy Policy

JSC “REPHARM” is responsible for processing of the obtained personal information in accordance with the legal requirements of the European Union and the Republic of Latvia and the good practice guidelines.

This Privacy Policy aims to provide information about aspects of personal data processing.

Definitions

Term: Definition
Controller: JSC “REPHARM”, unified registration No. 40103195532, registered office: Mūkusalas Street 41b, Riga, Latvia LV-1004.
Processor: a natural or legal person, public authority, agency or other body that processes personal data on behalf of the Controller.
Person (data subject): a natural person who can be directly or indirectly identified.
Personal information: any information about an identified or identifiable natural person.
Processing: any operations which are performed by the Controller with personal data (including collection, registration, storage, viewing, use, disclosure, transmission, deletion or destruction of personal data).
Regulation No. 2016/679/EU: Regulation (EU) 2016/679 of the European Parliament and of the Council (27.04.2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Privacy policy: this Privacy Policy.
Personal data: any information that relates or could relate to the Person (for example, name, surname, addresses, telephone number, e-mail address of the Person).
Consent: any consent freely and knowingly given by the Person whereby the Person consents to processing of his or her personal data for a specific purpose.
Data Protection Supervisory Authority: an institution that supervises compliance with Regulation No. 2016/679/EU in the Republic of Latvia.

What is the Scope of the Privacy Policy?

This Privacy Policy applies to protecting the privacy and personal data with regard to any personal data processing operations performed by the Controller. 

The Privacy Policy applies to data processing regardless of the form and/or environment in which the Person provides/receives his/her personal data (through the Controller’s website, mobile applications, paper format or telephone) and regardless of which of the Controller’s electronic information systems or paper files they are processed in.

Additional, specific rules may be laid down for certain data processing operations, and the Person is informed about these when he/she provides the relevant personal data to the Controller.


Who processes personal data?

Controller of personal data is JSC “REPHARM”, unified registration number 40103195532, legal address: Mūkusalas Street 41b, Riga, Latvia, LV-1004.

In order to ensure its core business, the Controller engages/may engage Processors – companies that have the appropriate knowledge and abilities needed to provide specific services – and, if necessary, transfers or gives Processors access to personal data available to the Controller. Mutual legal relations between Controller and Processor are regulated by a written agreement. Processors may process personal data only in line with the controller’s instructions and may not use those for other purposes. In accordance with the legal requirements and the Controller’s Cooperation Agreement, a set of operations is defined for these companies to implement to ensure adequate security of privacy and personal data.

What kinds of personal data, for what purposes and on what basis does the Controller process and what is the storage period thereof?

Purpose: Administrative Management, Planning and Accounting of Group Companies

Set (categories) of Personal Data: Set of personal data depends on content of a document.
Legal basis: Ensures legitimate interests of the controller.[1]
Description: Circulation of documents is arranged to ensure administrative management, planning and accounting of the companies belonging to the group.
Storage period: As long as at least one of the following criteria exists:
  • there is a legal obligation to store data for a certain period of time in accordance with the legal regulations;
  • it is necessary to meet legitimate interests of the Controller;
  • it is necessary to meet the undertaken contractual obligations.

Purpose: Evaluation of Applications in the Personnel Selection Process

Set (categories) of Personal Data:
  • Identification data of applicant for a vacancy: name, surname.
  • Applicant’s contact information: telephone number, e-mail address, residence address.
  • Information about education acquired by applicant: name of the graduated educational institution, duration of studies, acquired education/profession.
  • Information about applicant’s professional experience: job title, term of employment, position, duties to be done.
  • Other information provided by applicant in submitted CV and personal statement.
Legal basis: Consent of Applicant for a Vacancy.[2]
Description: The Controller processes personal data submitted by an applicant for a vacancy (including those submitted through www.repharm.lv in section “Career”) in order to ensure the personnel selection process, including to assess the applicant’s eligibility for the vacancy; to contact the applicant; to announce results of the competition and, if the applicant meets the vacancy’s criteria, to invite the applicant to interview.
Storage period: Personal data of an applicant for a vacancy will be processed until completion of evaluation and selection of candidates for the vacancy. Upon completion of the competition, personal data of applicants will be deleted or destroyed.
Processing of Applicant’s personal data may continue for a longer time if Applicant consents to participate in other personnel selection competitions of the Controller (to receive other job offers).
Applicant has a right to withdraw his/her consent to such personal data processing at any time.

Purpose: Personnel Management

Set (categories) of Personal Data:
  • Employee identification data: name, surname; identity code.
  • Employee contact information: telephone number, e-mail address, residence address.
  • Information about employee’s education and professional experience.
  • Information about workflow at the Controller.
Legal basis:
  • Consent of officials (board and council) to hold the office.[3]
  • Ensuring performance of a contract signed with the employee.[4]
Description: Organization and control of personnel management (including, to organize, ensure and evaluate performance of duties and responsibilities under the contract signed with the employee; to plan business and do analytics in the field of personnel management).
Storage period: As long as at least one of the following criteria exists:
  • there is a valid labour contract signed with an employee and it is necessary to meet the undertaken contractual obligations;
  • there is a legal obligation to store data for a certain period of time in accordance with the legal regulations;
  • it is necessary to meet legitimate interests of the Controller.

Purpose: Improved use of websites

Set (categories) of Personal Data: Cookies.
Legal basis:
  • Consent of website visitor.[5]
  • Ensuring the legitimate interests of the controller.[6]
Description: Website www.repharm.lv uses cookies.
Cookies are small text files that are created and stored on website visitors’ devices (computer, tablet, mobile phone, etc.) when they visit the Controller’s websites. Cookies “remember” experience and basic information of the website visitor as a user and, thereby, improve user-friendliness of the Controller’s website. Cookies are used to process general user habits and statistics of website visitors, to identify problems and deficiencies in the website’s operation, to collect website statistics on search habits of website use and to ensure full and easy use of the website’s functionality.
There are several types of cookies:
  a) Necessary cookies (which are necessary for operation of the website). Use of these cookies does not require consent of a website visitor.
  b) Functional cookies (allow the website to remember choices made by a visitor (e.g. username, language used, etc.), thereby improving and customizing the homepage).
  c) Performance or analytical cookies (third party’s cookies) – collect information about how a visitor uses the Controller’s website and which sections of the website are visited most often, and are also used to check for or receive error messages.
Necessary cookies are processed in order to ensure legitimate interests of the Controller, while functional and performance or analytical cookies are processed subject to consent of a website visitor.
If a website visitor does not want to allow use of cookies, the website visitor can disable them in his/her browser settings; however, in such event, use of the website may be significantly disrupted and difficult. Stored cookies can be deleted in the browser settings of your device by deleting the history of stored cookies.
Storage period:
  • Necessary cookies are stored on the website visitor’s device until the web browser is closed (only during the browsing session, therefore, they belong to the session cookie category).
  • Functional cookies are stored on the visitor’s device at all times.
  • Performance or analytical cookies (identify visitor’s device only, but do not reveal visitor’s identity) are stored for 2 years.

[1] Article 6 (1) (f) of Regulation No 2016/679/EU.
[2] Article 6 (1) (a) of Regulation No 2016/679/EU.
[3] Article 6 (1) (a) and (b) of Regulation No 2016/679/EU.
[4] Article 6 (1) (b) of Regulation No 2016/679/EU.
[5] Article 6 (1) (a) of Regulation No 2016/679/EU.
[6] Article 6 (1) (f) of Regulation No 2016/679/EU.

How does the Controller obtain personal data?

The Controller obtains Personal Data from:

  • the very Person – a data subject (for example, through visiting the Controller’s websites; applying for participation in the personnel selection process), based on the Person’s consent;
  • third parties, in the cases, in the manner and to the extent provided by the legal regulations.

Is a Person obliged to provide his/her personal data?

A Person is not obliged to provide his/her personal data; however, if the Person chooses not to provide the Controller with his/her personal data, it is unlikely that the Controller will be able to cooperate with the Person to achieve certain objectives.

Who is responsible for personal data relevance?

The Controller ensures accuracy and timely updating of personal data, correction or deletion thereof if personal data are incomplete or inadequate for the purpose of personal data processing.

The Controller believes that the Person himself/herself and third parties will provide the Controller with true information and accurate personal data, including that, if after the provision of personal data to the Controller these data have become irrelevant or the submitted personal data have changed, the personal data will be updated if this meets the objectives of personal data processing.

Whom does the Controller transfer personal data to?

The Controller transfers personal data to:

  • cooperation partners (Processors or certain controllers) engaged in provision of services to the Controller; the Controller’s partners process personal data only in accordance with the Controller’s instructions and may not use them for other purposes; the Controller carefully evaluates partners before commencing cooperation;
  • Persons specified by external legal regulations (law enforcement institutions, courts or other government and local government institutions), in order to meet legal obligations, if a written request is received and the legal ground for such personal data processing is established; personal data are transferred in the manner and to the extent provided by the relevant legal regulations;
  • third persons in the cases provided by the legal regulations for protection of the Controller’s legitimate interests.

Does the Controller transfer personal data outside the EU/EEA?  

The Controller does not transfer personal data outside the European Union and the European Economic Area.

If partners of the Controller (Processors authorized by the Controller to process personal data on behalf of the Controller) process them outside the European Union and the European Economic Area, the Controller shall ensure that the relevant service providers comply with the data security and technical requirements set forth by the Regulation No. 2016/679, other regulations of the European Union and the Republic of Latvia and good practice guidelines.

What are rights of the Person (data subject) with regard to processing of personal data by the Controller?

In compliance with the legal requirements regulating privacy and personal data protection, the Controller shall ensure the following rights of the Person (data subject), subject to a written request of the Person:

Rights: Description

Access own personal data: A Person has the right to receive confirmation from the Controller as to whether the personal data are processed or not and, if processed, to access own personal data and receive the following information:
  • purpose of the data processing;
  • categories of personal data;
  • recipients of personal data;
  • storage period of personal data or criteria for establishing the storage period.

Modify own personal data: A Person has the right to request the Controller to correct his/her data if the Person stated that the information about the Person at the Controller’s disposal is incorrect or incomplete.

Delete own personal data: A Person has the right to request deletion of his/her data, and the Controller shall comply with this request without delay if at least one of the following conditions exists:
  • the data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • a Person cancels his/her consent to data processing, if there is no other legal ground for processing thereof;
  • if data processing is justified by legitimate interests of the Controller or a third party, provided that there is no overriding legal ground for processing;
  • a Person objects to processing of his/her data for direct marketing purposes;
  • if data have been processed unlawfully;
  • in order to meet legal obligations of the Controller under the legal regulations;
  • if personal data were collected for provision of information society services.

Limit processing of own personal data: A Person has the right to request to limit processing of personal data about the Person available to the Controller.

Object to processing of own personal data: A Person has the right to object to processing of personal data which is based on the Controller’s legitimate interests.

A request of a Person as a Data Subject (hereinafter referred to as the request) must be in writing or in a form that can be considered as a written form in accordance with the legal regulations, for example, an electronic document signed with a secure electronic signature and time stamp.

How long will the Controller have to process the Person’s request?

The Controller will respond to a Person’s request without undue delay, but not later than within one month from the date of the Person’s request. Where necessary, taking into account the scope of the Person’s request, the Controller has the right to extend that period by two months. In this case, the Controller will inform the Person of the reasons for extension and delay within one month from the date of the request.

How will the Controller provide information at the Person’s request?

The Controller will respond to the Person’s request, taking into account, as far as possible, the Person’s preferred way of receiving the response.

What to do if the Person considers that the Controller has violated the Person’s rights while processing personal data?

The Controller ensures processing of personal data in accordance with the requirements specified in Regulation No. 2016/679/EU, other legal regulations of the European Union and the Republic of Latvia and the Privacy Policy. Where a Person considers that the Controller has violated the Person’s right to personal data protection by processing his/her personal data, the Person has the right to submit a complaint to the Controller or the Data Protection Supervisory Authority, or to submit a claim to the court in accordance with the legal regulations.

How is the personal data protection ensured?

The Controller guarantees non-disclosure and security of personal data by applying modern technologies, taking into account the existing privacy risks and the administrative, financial and technical resources reasonably available to the Controller. The safeguards include ensuring physical and environmental security of personal data; restricting access to personal data (access to personal data is only for employees authorized by the Controller, who need those when performing duties); sending personal data in encrypted form; ensuring security of the computer network and personal devices; data backup; and other safeguards, thereby ensuring protection of personal data against unauthorized access, use or disclosure.

The Processors authorized by the Controller to process personal data, are carefully evaluated before commencing cooperation, and informed about the set of measures they must take to ensure processing, confidentiality and protection of personal data in accordance with the legal requirements. The Processors shall meet requirements for personal data processing and protection in accordance with the legal requirements and Cooperation Agreement of the Controller. 

Contact information 

For questions related to personal data processing (including to provide feedback or object to personal data processing), please contact the Controller or the Data Protection Officer of the Controller:

  • JSC “REPHARM”, registered office: Mūkusalas Street 41b, Riga, Latvia, LV-1004; phone 67815842, e-mail address: info@repharm.lv;
  • data protection officer e-mail address: dpo@repharm.lv.

How does the Controller keep information on personal data processing updated?

In order to keep a Person always informed of the personal data processing updates, the Controller shall ensure regular revision and update of this Privacy Policy in accordance with requirements of the legal regulations. The Controller encourages the Person to get acquainted, from time to time, with the current version of the Privacy Policy on the Controller’s website: www.repharm.lv.