Personal Data Processing Policy

The purpose of the policy is to provide the order in which the Company carries out personal data processing, ensures personal data protection and safety, ensures Data Subjects with information about the purposes and legal grounds of personal data processing, as well as ensures Data Subjects with the information about the Company’s and its hired personal data processors and other persons involved in personal data processing.

1.Under this policy, the Company shall be deemed data controller.

2.The Company shall process personal data in compliance with the GDPR requirements.

3.Processing of personal data performed by the Company may have several legal grounds, for example, a person's consent to data processing, contractual relationship between a person and the Company, performance of the legal obligation relating to the Company according to the applicable legal acts or ensuring of compliance with the Company’s legitimate interests.

4.When submitting a written application to the Company, a data subject has the right to access to, request rectification or restrict the processing of his/her data, withdraw his/her consent and object to processing of data performed by the Company, as well as the right to data portability.

5.In certain cases, an individual's rights may not be exercised or may be restricted, if this is justified by the Company’s legitimate interests.

6.Data processing purposes

6.1.Data are collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

6.2.The Company performs processing of data for the following purposes:

6.2.1.compliance with legal acts and identification of individuals;

6.2.2.management of relationship with clients, creditors, debtors, partners and other related persons;

6.2.3.satisfaction of creditors' claims;

6.2.4.provision of services;

6.2.5.ensuring physical and information security;

6.2.6.protection of the Company’s and clients’ interests;

6.2.7.risk management;

6.2.8.personnel management.

7.Categories of data subjects

7.1.Categories of individuals whose personal data are processed by the Company:

7.1.1.the Company’s clients (existing and former), creditors, debtors and persons related to them (representatives, authorised persons, beneficiaries, employees etc.);

7.1.2.the Company’s employees (existing and former) and candidates;

7.1.3.business partners, agents, suppliers and service providers, advisors and persons related to them (representatives, authorised persons, beneficiaries, employees, etc.);

7.1.4.visitors of the Company’s offices and areas adjacent to them.

8.Categories of data

8.1.Personal data of the following categories can be provided by data subjects themselves, can be obtained during the use of the Company’s services by the client, as well as from third parties (for example, public and private registers):

8.1.1.an individual’s identification data (name, surname, personal identity number, date and place of birth, identification document data);

8.1.2.an individual’s contact details (postal address, phone, email, Skype name, IP address, etc.);

8.1.3.audio / visual data (for example, records of phone conversations of the Company and clients, records of surveillance cameras placed in objects belonging to the Company and areas adjacent to them);

8.1.4.data of related persons (for example, representatives and authorised persons of clients, family members of employees and other related persons);

8.1.5.data which are obtained under employment relationships with the Company’s employees (for example, information on salary, previous places of employment, education etc.).

9.Categories of data processors and data recipients

9.1.For one or more purposes of data processing, the Company is entitled to agree with the processor by signing an agreement in writing and transferring a part of personal data to him. The processor shall bear responsibility for the safety of the processed data and their compliance to the determined purpose.

9.2.The Company may disclose personal data to the following recipients of data:

9.2.1.members of management bodies, employees, representatives, authorised persons of the Company;

9.2.2.public institutions, public officials, investigatory authorities, courts, prosecutor's office, subjects of operational activities, orphans' courts, notaries, law enforcement officials, judicial and investigatory authorities of other member states and foreign countries, tax authorities, arbitration courts, out-of-court dispute resolution bodies — financial market participants (stock exchanges, depositories, business partners of the Company or clients, etc.);

9.2.3.the Company’s cooperation partners, agents, suppliers and service providers, auditors, advisors.

10.Automated processing and decision-making

10.1.In certain cases, the Company performs profiling and decision-making if this is stipulated by applicable legal acts, or this is necessary to perform a previously concluded agreement with the client, or such processing of personal data is justified by the Company’s legitimate interests.

11.Data storage volume and periods

11.1.The Company shall store personal data no longer than it is reasonably required for the purposes for which particular personal data are processed. Personal data storage periods shall be determined based on applicable legal acts or the Company’s legitimate interests.

11.2.The data about the clients shall be stored as long as the Company has an agreement with the client on rendering services. Upon termination of the agreement between the Company and the client, the said data shall be stored for more 10 years thus executing the Company’s duty to store the corroborative document in accordance with the provisions of regulatory enactments about accounting, statue of limitations and the possibility that the client may which to enter into another service-provision agreement with the Company again.

11.3.Visual data shall be preserved no longer than for 4 weeks (28 days) after they were recorded. After this term runs out the data should be erased, except the cases when preservation of the recorded footage is requested by any law enforcement institution for investigation of any felony, or the Company, upon detecting the markers of any felony, or upon detecting any threat to the Company’s property, the life, health or property of the Company’s employees, has specifically saved the footage as an evidence to be used by the Company to protect its rights and interests in accordance with the procedures provided in the regulatory enactments.

11.4.The Company reserves the right to erase specific information before the expiry of the set period if this is not prohibited by the applicable legal acts.

12.Rights of data subjects

12.1.The Company shall ensure the following rights of data subjects:

12.1.1.a subject's data may be processed on the basis of his/her consent or some other legitimate basis;

12.1.2.a subject has the right to receive information on the processing of personal data performed by the Company and exercise of data subjects’ rights;

12.1.3.a subject has the right to receive a confirmation if his/her data are not processed;

12.1.4.a data subject has the right to access his/her data and receive information on the purpose and legal basis of data processing, category of data, recipient of data, storage period, information on other sources of data if personal data are obtained from third parties, set profile (in case of profiling), and guarantees, if the data have been sent to a third party or international organisation;

12.1.5.a subject has the right to receive information on whether the provision of personal data is related to the law or an agreement, whether the provision of data is a precondition for the conclusion of an agreement, as well as information that the subject is required to provide personal data, and consequences in case such data are not provided;

12.1.6.a subject has the right to be informed about automated decision-making, including profiling, and its consequences;

12.1.7.a subject has the right to be informed about a new purpose of data processing in advance;

12.1.8.a subject has the right to object to data processing and withdraw his/her consent to data processing;

12.1.9.a subject has the right to request rectification of data if data are incorrect;

12.1.10.a subject has the right to data portability;

12.1.11.a subject has the right to request erasure of data if this does not contradict the RL and EU laws;

12.1.12.to file a claim to the RL Data State Inspectorate about the use of personal data if the data subject believes that his/her rights and interests are violated in accordance with the regulatory enactments applicable to Personal Data Protection;

12.1.13.to be informed if regarding his/her personal data there has a data protection breach occurred that may cause high risk to the rights and freedoms of the data subject.

12.2.The Company ensures fulfilment of the said data subject’s rights to the data subject that the Company has properly identified.

13.Personal data protection

13.1.The Company ensures personal data confidentiality and takes the necessary technical and organisational measures in order to ensure protection of personal data against risks of various level of possibility and impact (e.g. unauthorised access, unlawful processing, accidental destruction and/or loss) regarding the rights and freedoms of the Data subjects given the existing technical levels, industry practices, costs of implementation and the type, volume and purposes of personal data processing.

13.2.The Company is regularly reviewing the security measures carried out and updates the technical means and organisational measures used.

14.Data residency

14.1.The Company shall process data in the territory of RL.

14.2.Transmission of personal data to third parties (irrespective of the data recipient's residency — RL, EU, EEA or outside it) is regulated by the legal acts of RL or an agreement between the Company and a third party, which includes non- disclosure and secure exchange provisions.

14.3.Transfer of data to third countries and international organisations is possible based on:

14.3.1.the decision made by the European Commission regarding the level of protection of a third country's data;

14.3.2.relevant guarantees (for example, applying binding corporate rules or standard data protection clauses adopted by the European Commission);

14.3.3.exceptional legal grounds.

15.Use of data subject’s rights and communication with the Company

15.1.Data subject can submit questions, requests and complaints to the Company via email to This email address is being protected from spambots. You need JavaScript enabled to view it. or sending a letter to New Hanza Capital, AS at 28A Pulkveža Brieža Street, Riga, LV-1045, Latvia.

15.2.Upon communication with the data subject, the Company has the right to carry out additional measures for identification and documentation of the fact of identification of the data subject, as well as for documentation of the fact of the provided information or any other action done.

15.3.The Company has the right to refuse to fulfil the subject rights in cases provided by the regulatory enactments, as well as in case the data subject groundlessly refuses to provide his/her identification information.

16.Availability, validity and amendments to the Policy

16.1.The Policy is available on the Company’s website www.pillarliving.lv.

16.2.The Policy is in force since 25 May 2018.

16.3.The Company has the right to amend the Policy unilaterally. The Company shall inform about the amendments to the Policy on the Company’s website www.pillarliving.lv (by publishing the text of the Policy).