CUSTOMER PERSONAL DATA PROCESSING POLICY

We would like to inform you that since May 25, 2018, Latvia has been implementing the European Parliament and Council Regulation (EU) 2016/679 (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and the free movement of such data, repealing Directive 95/46/EC, hereinafter referred to as the Regulation, which sets out the rules for the processing of personal data of natural persons.

SIA "VPLAB" has taken the necessary actions to comply with the requirements of the Regulation and ensure that the personal data of the customer, hereinafter referred to as the Customer, who uses the online store website store@vplab.com, hereinafter referred to as the Online Store, and purchases goods sold in the Online Store (in case of a purchase), hereinafter referred to as the Goods, are stored securely, processed legally, and only for the specified purposes of personal data processing.

To inform customers about what personal data SIA "VPLAB" collects and processes about them, the SIA "VPLAB" Customer Personal Data Processing Policy, hereinafter referred to as the Policy, has been developed and approved in this edition:

  1. Customer Personal Data Processing Policy

We inform that since May 25, 2018, Latvia has been implementing the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, hereinafter referred to as the Regulation, which sets out the procedures for the processing of personal data of natural persons.

SIA "VPLAB" has taken the necessary measures to comply with the requirements of the Regulation and to ensure that the personal data of the customer, hereinafter referred to as the Customer, using the online store website store@vplab.com, hereinafter referred to as the Online store, and purchasing goods sold on the Online store, hereinafter referred to as the Goods (if purchased), are stored securely, processed lawfully, and only for the purposes of personal data processing specified.

In order for the Customers to be informed about what personal data SIA "VPLAB" collects and processes about them, SIA "VPLAB" Customer Personal Data Processing Policy, hereinafter referred to as the Policy, has been developed and approved in the following edition:

  1. Data Controller and Contact Information

1.1. The data controller is SIA "VPLAB", registration number 40203032621, legal address: Visbijas prospekts 7, Riga, LV – 1014, Latvia, hereinafter referred to as the Company. 1.2. For questions related to personal data processing, it is possible to contact the Company by sending an e-mail to store@vplab.com or by visiting the Company's office at Visbijas prospekts 7, Riga, LV – 1014, Latvia, hereinafter referred to as the Office, which is open every working day from 9:00 to 17:00.

  1. Data Collection and Categories

2.1. Personal data may be obtained from the Customer and/or, if necessary, from other sources, such as publicly available information. The categories of personal data that the Company may collect and process are listed in Appendix 1 of the Policy. 2.2. To dispel doubts, it is explained that only those personal data that are necessary to achieve the purposes specified in Section 3 of the Policy are collected and processed about the Customer. Only in rare cases will all personal data listed in Appendix 1 be collected and processed about the Customer.

  1. Purposes of Personal Data Processing

The Company processes the Customer's personal data for the following purposes:

3.1. To conclude and fulfill a distance contract (purchase contract). In order for the Company to sell the Goods available on the Online store to the Customer, the Company needs to process the following listed in Appendix 1:

  • Purchase data, hereinafter referred to as the Purchase data.

If the Customer does not want his/her Purchase data to be processed to achieve the purpose specified in Section 3.1 of the Policy, the Company will refuse to sell the Goods to the Customer. Such processing of personal data of the Customer is essential for the conclusion and complete performance of the distance contract (purchase contract), and, in accordance with the applicable regulatory acts that regulate online payments and accounting, the processing of the Customer's Purchase data is a legal obligation of the Company. 3.2. To enable the Customer to receive and use the services provided on the Online store, the Company needs to process the following listed in Appendix 1:

  • Registration data;
  • Online store usage data.

3.3. In order to provide an individual approach (to offer individual offers), save time, and to determine the Customer's favorite and most relevant Goods as a result of automated processing, as well as to provide the Customer with personalized offers, the Company needs to process the following information listed in Annex No. 1:

  • Customer's personalized data For the purpose of general and personalized offers, the Company sends news notifications to the Customer via email correspondence. The Customer has the right to unsubscribe from receiving the above-mentioned notifications at any time without prior notice. The Customer can unsubscribe from receiving notifications by sending an email to store@vplab.com or, if the Customer has registered in the Online Store, in their personal profile.

3.4. In order to make the use of the Online Store as simple and convenient as possible, the Company independently analyzes its operations to improve its services, during which it needs to process the following information listed in Annex No. 1:

  • Cookies;
  • Analytical data.

3.5. To protect the interests of the Company and/or the Customer. In order to protect the interests of the Customer and/or the Company; to provide evidence for commercial transactions and other commercial communication (email storage, document storage, etc.); based on the performance of the contract; to prevent, limit, and investigate the unfair or illegal use of the Company's brand, services, or Goods, or intentional disruption; for internal training or to ensure service quality, the Company needs to process the following information listed in Annex No. 1:

  • Purchase data;
  • Online Store usage data.

3.6. To establish, exercise, defend, and transfer claims. In order to establish, exercise, defend, and transfer claims based on the performance of a distance contract (purchase contract) or to take action at the request of the Customer before the conclusion of a distance contract (purchase contract), or to fulfill a legal obligation, or to exercise the Company's legitimate interests in exercising claim rights, the Company needs to process the following information listed in Annex No. 1:

  • Purchase data;
  • Online Store usage data.

3.7. To fulfill legal obligations. In order to comply with applicable laws and international agreements, as well as to verify identity based on the performance of a distance (purchase) contract, or to take action at the request of the Customer before the conclusion of a distance (purchase) contract, or to protect the legal interests of the Company, the Company needs to process the following information listed in Annex No. 1:

  • Purchase data;
  • Online Store usage data.

3.8. Providing information to public institutions: to provide information to state administrative institutions and operational subjects in the volume and cases specified in the regulatory enactments, any of the Customer's personal data available to the Company (depending on the relevant request and its legal basis).

3.9. In case the Customer expresses any request or asks a question to the Company, any of the Customer's personal data listed in Annex No. 1 may be processed depending on the nature and purpose of the request and/or question.

3.10. For other specific purposes, which the Customer will be informed about at the time when they provide the relevant data to the Company.

3.11. The Company does not collect the browsing history of Customer's Internet browsers on third-party websites, and does not save such information. The Company does not send any personal data about the Customer's browsing history on the Internet Store to third parties, which could identify the Customer.

  1. Legal basis for processing personal data

The company processes the client's personal data on the following legal bases: 4.1. On the basis of a distance contract (purchase contract) between the client and the company: during the conclusion and execution of the contract, and also at the client's request before the conclusion of the contract. 4.2. On the basis of legal acts: to comply with national and international legal acts that are binding on the company. 4.3. On the basis of the client's consent. 4.4. In the legitimate interests of the company.

  1. Procedure for processing personal data

5.1. The company processes the client's data using modern technologies, taking into account the existing risks related to the privacy of individuals, and the reasonable technical, organizational and financial resources available to the company. 5.2. In order to ensure the qualitative and operational performance of the obligations under the contract concluded with the client, the company may authorize its partners to perform separate operations, such as delivery of goods, return of goods, etc. In the event that, in carrying out these operations, the company's partners process the client's personal data that is in the company's possession, such partners are considered processors (persons who process client data on behalf of the company), and the company has the right to transfer the client's personal data necessary for the performance of these operations to its partners. 5.3. The company's partners (in the role of processors) ensure compliance with the requirements for processing and protection of personal data in accordance with the company's requirements and legal acts. 5.4. The company's partners will not use personal data for purposes other than the performance of obligations under the contract concluded with the client on behalf of the company.

  1. Protection of personal data

6.1. The company protects the client's personal data using modern technologies, taking into account the existing risks related to the privacy of individuals, and the reasonable technical, organizational, and financial resources available to the company, including using the following measures for the security of personal data:

  1. Closed premises and denial of access to unauthorized persons;
  2. Use of firewall software;
  3. Data encryption during transmission (SSL encryption);
  4. Use of intrusion protection and detection software;
  5. Implementation of other security measures.
  1. Recipients of personal data

7.1. Client personal data processed by the company is not disclosed to third parties (including but not limited to information about purchased goods or services received in the online store), except in cases where:

  1. such data must be provided to the relevant third party in the context of a contract concluded with the client in order to perform a function necessary for the performance of the contract or delegated by law (for example, to a credit institution for payment purposes or to ensure the performance of services, such as delivery of the company's goods);
  2. the client has given clear and unambiguous consent;
  3. personal data must be provided to persons provided for in legal acts at their reasonable request, in the manner and scope provided for in legal acts;
  4. personal data must be provided to protect the legitimate interests of the company in accordance with legal acts, for example, by turning to legal service providers, debt collection companies, mediators, courts, or other state institutions against a person who has infringed the legitimate interests of the company.

  1. Retention period of personal data

8.1. The company retains and processes customer personal data as long as at least one of the following criteria is met:

  1. while a contract with the customer is in force;
  2. while there is a legal obligation for the company to retain the data;
  3. while the company or the customer can exercise their legitimate interests in accordance with the procedures established in regulatory enactments (for example, to submit objections or file or defend a claim in court);
  4. while there is valid consent from the customer for the relevant personal data processing, provided that there is no other legal basis for data processing. 8.2. After all the deadlines for customer personal data processing mentioned in Policy 8.1 have expired, the customer's personal data is irretrievably deleted.
  1. Access to personal data and other customer rights

9.1. The customer has the right to receive the information specified in regulatory enactments regarding the processing of their personal data. Most of the customer's information is already placed in the customer's private account on the company's online store and the company's online store website, which the customer uses for receiving company services and goods, and where the customer can personally ensure the correctness of their personal data and manage them if necessary, including correcting, deleting, or changing them. 9.2. In accordance with regulatory enactments, the customer also has the right to request access to their personal data from the company, as well as request the company to supplement, correct, or delete them, or to restrict the processing of the customer's data, or to object to the processing, as well as the right to data portability (transfer to other data controllers). These customer rights are exercised to the extent that the processing of personal data does not arise from the company's lawful obligations and is performed in the interests of the company. 9.3. The customer can submit a request for the exercise of their rights:

  1. in writing in person at the company's office, presenting a personal identification document (passport or ID card);
  2. by email, by sending the request to the company's email address: store@vplab.com. The relevant request must be signed with a secure electronic signature, but such a requirement is not mandatory for the customer if the company has sufficient information to ensure that the received email with the request is from the customer (for example, the email is mentioned as contact information in the customer's online store account, order form). 9.4. Upon receiving the customer's request for the exercise of their rights, the company verifies the customer's identity, evaluates the request, and fulfills it in accordance with regulatory enactments. 9.5. The company sends a response to the customer by mail in a letter addressed to the customer's specified contact address or signed with a secure electronic signature and sends it to the customer's email (taking into account the customer's preferred method of receiving the response). 9.6. The company ensures compliance with the requirements for data processing and protection in accordance with regulatory enactments. If the customer has raised objections against the company, the company takes necessary actions to resolve the customer's objections. However, if it fails, the customer has the right to turn to the relevant supervisory authority (in the Republic of Latvia, it is the Data State Inspectorate).

10. Client's consent for processing of personal data and the right to withdraw it

10.1. The client can give consent for the processing of personal data (for example, but not limited to, receiving individually tailored advertisements and offers) by authorizing it in the online store, on the website of the online store (for example, subscription forms for news), in-person at the company's office, or by sending an email to store@vplab.com. 10.2. The client has the right to withdraw their consent for the processing of personal data at any time in the same manner in which it was given, either in-person at the office, by authorizing it in the online store, or by sending an email to the company's email address: store@vplab.com. When sending a withdrawal of consent to the aforementioned company email address, the withdrawal of consent must be signed with a secure electronic signature, but this requirement is not mandatory for the client if the company has sufficient information to verify that the received email with the withdrawal of consent is from the client (for example, the email is listed as contact information in the client's online store account, order form). 10.3. Upon receiving the client's withdrawal of consent, the company will no longer process the client's personal data for the specific purpose that was based on such consent. 10.4. The withdrawal of consent does not affect the legality of the processing of the client's personal data that was carried out during the period when the consent was in effect. 10.5. To avoid doubt, it should be clarified that withdrawing consent for the processing of personal data does not apply to the processing of the client's personal data that the company carries out based on other legal grounds (for example, based on a concluded distance contract (purchase agreement)).

  1. Commercial notifications

11.1. Communication regarding commercial notifications about the company's goods and/or services and other unrelated notifications (such as advertisements, customer surveys) is carried out by the company in accordance with the external regulatory acts or with the client's consent. 11.2. The client can give consent to receive commercial notifications from the company by authorizing it in the online store, on the online store's website (for example, subscription forms for news), or by sending an email to store@vplab.com. 11.3. The client's consent to receive commercial notifications is valid until it is withdrawn (even after the termination of the distance contract (purchase agreement)). The client can withdraw their consent to receive further commercial notifications at any time using one of the methods indicated in clause 10.2. of this Policy. 11.4. The company will stop sending commercial notifications as soon as the client's request is processed. The processing of the request depends on technological capabilities, which may take up to seven business days. 11.5. By expressing their opinion in surveys and leaving their contact information (email, phone), the client agrees that the company can contact them regarding the client's evaluation using the contact information provided by the client.

  1. Communication with the Client

12.1. The Company communicates with the Client using the contact information provided by the Client (primarily phone number and email address). 12.2. The Company communicates with the Client regarding the execution of the concluded distance contract (purchase agreement) on the basis of that contract (for example, coordinating the delivery method and time of the Goods, coordinating information about payments, changes in the Order, etc.).

  1. Visits to the Online Store and Cookie Processing

13.1. Cookies may be used in the online store. More information about the use of cookies is available in the Cookie Processing Policy.

  1. Validity and Changes to the Policy

14.1. This Policy is available at the Company's Office and in the online store at store@vplab.com. Upon the Client's separate request, the Policy can be issued in a separate copy at the Office address or sent to the Client's email address. 14.2. The Company is unilaterally entitled to change this Policy by notifying Clients of the respective changes in the Company's online store, by email, or in any other way at the Company's discretion. 14.3. The Company retains previous versions of the Policy, which are available in the Company's online store. 14.4. This Policy comes into force on May 2, 2019, and replaces the previously approved Privacy Policy.

 

Appendix No. 1

SIA "VPLAB" Customer Personal Data Processing Policy

Categories of personal data

 


Nr.


category of personal data

Types of personal data


Comments


1.              

Purchase data

Name, surname, email, phone number, delivery address of the Product, method of delivery of the Product, method of payment, payment details (including but not limited to bank account number), name and surname of a third party who receives the Product(s) (if the Client does not receive it themselves), and the reason for authorization.

The delivery address of the Goods is only provided if the delivery method chosen when placing the Order is a courier service that delivers the Goods to a specific address.

In the event that a third party receives the Goods on behalf of the Customer, the Customer, by agreeing to the Policy, confirms that such third party agrees to the processing of their personal data and that the Customer has informed them accordingly.

2.

Registration data

Name, surname, phone number, date of birth, gender, delivery address for goods, payment card information, PayPal, Paysera, Stripe account information.

The mentioned data will be collected and processed from the Client if the Client chooses to register on the Company's online store at store@vplab.com.

3.              

Data on the use of online store services.

Name, surname, email, phone number, IP address, history of the client's publicly expressed opinions about the products sold in the online store, history of communication between the client and the company (including email correspondence), data left in the shopping cart, history of survey responses given in the online store, client's order/purchase data, order history, payment history.

 


4.              

Cookies

History of actions on the online store.

 


5.              

Analytical data.

History of orders/purchases, browsing history on the online store, payment history, history of communications between the company and the customer (including email exchanges), customer reviews, responses given during surveys.

Taking into account that the Company wants the online store and purchasing process to be as simple and convenient as possible for the customers, the Company independently conducts analysis and monitoring of its operations, during which we analyze and process the aforementioned personal data of the customer.

 

6.             

 

Personalized data.

Name, surname, phone number, email, product delivery address, history of product delivery methods, history of payment methods, history of browsing in the online store, history of orders/purchases, IP address.