Controller – Youthments SIA (hereinafter referred to as the Company), reg.no. 41203058028, registered office Rīga, Aiviekstes iela 4B, LV-1019, website: www.youthments.com, e-mail: firstname.lastname@example.org.
Data subject – a natural person who can be directly or indirectly identified.
Client – any natural person (data subject) who uses, has used, or has expressed a wish to use any of the services provided by the Company or is in any other way related to them or has been provided with information to ensure the provision of the service.
Personal data – any information relating to an identified or identifiable natural person.
Data processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data processor – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Third party – a natural or legal person, public authority, agency or body, other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor are authorized to process the data.
Consent – any freely given, specific and informed indication of the wishes of a data subject, by which he/she agrees to personal data relating to him/her being processed.
Profiling – any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person.
2. This Policy applies to data processing regardless of the format in which data are provided and processed (in person, on the internet, by e-mail, in paper form or by telephone).
3. The Company takes care of the clients’ privacy and personal data protection, respects the right to legal personal data processing in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and other legislation applicable to privacy and data processing.
4. In its activities the Company:
4.1. protects the personal data of the data subject by implementing administrative, technical and physical security measures, to the extent that they are proportionate to the potential risks;
4.2. informs and explains what personal data is necessary to receive services and how they will be used;
4.3. the transfer of data to third parties shall be implemented in compliance with the applicable regulatory framework;
4.4. implements measures for regular training and information of its employees on personal data protection issues in order to reduce the probability of possible incidents;
4.5. implements internal control procedures to reduce the likelihood of security incidents and their consequences.
Purposes of personal data processing
5. The Company processes personal data for the following purposes:
5.1. securing and confirming the reservation;
5.3. sending pre-arrival e-mails and messages;
5.4. agreement drafting and conclusion;
5.5. preparation and signing of the deed;
5.6. registering arrival and departure;
5.7. customer service;
5.8. obtaining a credit card guarantee or deposit;
5.9. registering data in the Company’s reservation system;
5.10. review and processing of applications, complaints and claims;
5.11. settlement administration;
5.12. debt recovery and collection;
5.13. website maintenance and enhancement of its operation;
5.14. addressing potential Company’s customers;
5.15. advertising and distribution of services, or commercial purposes;
5.16. polling clients and performing satisfaction surveys;
5.17. internal administrative purposes and document identification and evaluation (eg. archiving of contracts, reservation forms and other documents);
5.18. returning lost or forgotten items;
5.19. processing and providing an answer to the client’s query, request or feedback;
5.20. organizing or providing premises for seminars or classes;
5.21. provision of information to state government bodies and operational activity subjects in the cases and to the extent specified in external legislation;
5.22. ensuring the operation of the Company, incl. security (preventing threats to the safety of the Company’s infrastructure, services, information, employees, tenants, visitors, and illegal or other threats, enabling detection of criminal acts at objects and on adjacent territory);
5.23. Company’s organizational management, planning and record-keeping;
5.24. accounting / finance and tax management;
5.25. other specific purposes about which clients are notified prior to providing data.
Legal basis for personal data processing
6. The Company processes personal data on the following legal basis:
6.1. conclusion and execution of an agreement – in order to conclude the relevant agreement and ensure its execution;
6.2. compliance with legislation – in order to comply with a duty or right specified in the applicable legislation;
6.3. data subject’s consent;
6.4. legitimate interests – to exercise legitimate interests of the Company arising from current obligations, a concluded agreement, or applicable legislation:
6.4.1. performing commercial activities;
6.4.2. ensuring fulfilment of obligations under an agreement;
6.4.3. saving applications and petitions, notes on them, including those made verbally or via websites;
6.4.4. producing and developing Company’s services;
6.4.5. advertising Company’s services by sending commercial messages;
6.4.6. sending other messages on the execution of an agreement, events significant to agreement execution, and polling Clients about services;
6.4.7. maintaining and enhancing the quality of the Company’s services;
6.4.8. administrating payments;
6.4.9. administrating missed payments;
6.4.10. contacting state government, operational action institutions, and courts in order to defend its legitimate interests;
6.4.11. informing the public about its activities.
Categories of personal data recipients
7. Personal data can be accessed, if necessary, by:
7.1. Company’s personnel;
7.2. data processors in accordance with the services they provide and only to the extent necessary, such as IT service providers / technical maintainers, delivery or courier service providers, as well as other persons involved in the provision of controller services;
7.3. state and local government institutions in cases specified in the applicable legislation, for example, law enforcement institutions, local governments, tax administrations, sworn bailiffs;
7.4. third parties, after careful consideration of the appropriate legal basis for such disclosure, such as debt collectors, courts, out-of-court redress bodies, bankruptcy or insolvency administrators, third parties who maintain registers;
8. Any other disclosure of personal data to third parties shall be subject to the clear and affirmative consent from the data subject.
Source of personal data
9. Company can obtain personal data in the following ways:
9.1. from the information provided in the reservation form filled out by the client on the Company’s website;
9.2. from the reservation system used by the client;
9.3. from the registration card and / or alien’s declaration form filled out on site;
9.4. from e-mail sent by the client to the Company;
9.5. from the chatbox used by the client on the Company’s website;
9.6. from the client’s phone call;
9.7. from the online messaging applications used by the client (for example, WhatsApp);
9.8. in the process of concluding an agreement;
9.9. on the website www.youthments.com, by using cookies;
9.11. by filling out surveys;
9.12. by submitting any kind of applications, making entries etc.;
9.13. from the video surveillance cameras in the Company’s territory and common areas;
9.14. from photos and videos of events and activities organized by the Company.
Disclosure of personal data beyond the European Union
10. If necessary to transfer personal data outside the European Union, the Company will perform procedures specified in the applicable legislation for ensuring a level of personal data processing and protection that is equivalent to the provisions of the Regulation.
Personal data retention term
11. Personal data are stored for as long as necessary for the accomplishment of the purposes specified in the Policy, unless longer retention is mandated or allowed by the applicable legislation.
12. The Company will store and process personal data for as long as one of the following criteria applies:
12.1. a concluded agreement is in effect;
12.2. in cases specified in the applicable legislation, to the extent and for the duration specified therein;
12.3. while either party has the legal obligation to retain the data;
12.4 while the data subject’s consent to the relevant personal data processing is in effect, unless another legal basis for data processing exists;
12.5. while the Company has legitimate interest.
13. At the end of a data retention period, personal data are deleted or destroyed.
Access to personal data of the data subject
14. Data subject may receive any information – as far as possible given reasonable resources – collected about them within any personal data processing system, including video surveillance.
15. In accordance with the applicable legislation, a client is entitled to request access to their personal data, and to request updating, rectification or deletion of processed data, or to restrict processing, and the right to object to processing, including personal data processing performed in accordance with the legitimate interests of the Company, as well as the right to data portability. These rights may be exercised insofar as data processing does not stem from Company’s obligations under applicable legislation and those performed in the interest of the public.
16. A client may submit a request regarding the exercise of their rights:
16.1. in writing, in person at 4B Aiviekstes Street, Riga, LV-1019, by presenting a personal identification document;
16.2. via e-mail to the address email@example.com, signed with a secure digital signature.
17. Upon receiving a client’s request to exercise one’s rights, the Company verifies the client’s identity, evaluates the request and fulfils it in accordance with the applicable legislation.
18. Company’s response to the received order is sent via e-mail to the specified contact address as a registered letter, issued in person, or sent to the e-mail address specified in the application, signed with a secure digital signature, conforming to the response format specified by the Client.
19. The Company ensures compliance with personal data processing and protection requirements in accordance with the applicable legislation and, in the event of objections, performs reasonable actions to resolve an objection. A client in any case retains the right to contact a supervisory authority, i.e. the Data State Inspectorate.
Consent to data processing and right to revoke consent
20. A list of categories of personal data that may be processed in accordance with the consent of the data Subject and other legal bases is available in the Data Categories appendix.
21. Consent given by a client to the receipt of commercial messages is valid until revoked (even after the termination of an agreement, if one has been concluded). A client may refuse further receipt of commercial notifications at any time by the following means:
21.1. sending an e-mail to the official e-mail address firstname.lastname@example.org;
21.2. in person at 4B Aiviekstes Street, Riga, LV-1019;
21.3. in certain cases – in the manner and according to procedure specified in information provided prior to obtaining the client’s consent.
22. Revocation of consent does not affect data processing performed while a client’s consent was in effect.
23. Upon revocation of consent, data processing performed with other legal basis cannot be discontinued.
24. The Company does not engage in profiling the clients.
25. The Company is entitled to make updates or amendments to its Policy, making it available to clients on the website or on paper within the Company’s premises.
Appendix No. 1
|Personally identifiable information||Name, surname, gender, personal identification code / ID, date of birth, country, passport series and number, issuing country, date of issue and expiry date, issuing authority.|
|Personal contact information||Address, telephone number, e-mail address.|
|Data subject’s contact person’s data||Name, surname, address, e-mail address, telephone number.|
|Reservation data||Selected apartment, date of arrival and departure, number of apartments, number of persons.|
|Data subject’s data||Contract number, date of registration and departure.|
|Data subject’s characterizing data||University, status, occupation, where the information about the Hotel was obtained.|
|Communication data||Incoming / outgoing communication type, number, e-mail address, date, content, channel, delivery status.|
|Card information||Card number, card expiry date, card security code|
|Billing information||Bank, account number, invoice number, date, amount, invoice receipt method, payment date, debt amount, debt collection information.|
|Objections data||Objection number, date of registration / resolution, type, description.|
|Survey data||Name of the survey, date of dispatch, date of reply, survey questions and answers provided.|
|Actions on the Hotel website||IP address, actions performed, length of action, web page section, date and time.|
|Photos and pictures||Photos from the events, date of the photos.|
|Video data||Video from events, surveillance camera video, recording date.|
|Access to data systems||Usernames, passwords and QR codes.|
|Consent information||Data subject’s consent note, date and time of consent, source.|