Privacy Policy

PROCESSING OF PERSONAL DATA AND INFORMATION SECURITY POLICY
EXO-GDPR-POLIT
02.01.2023 Version 1.00

Riga 2023

Document identification

DOCUMENT ID: EXO-GDPR-POLIT-V1.00-02.01.2023
NAME OF THE DOCUMENT: PROCESSING OF PERSONAL DATA AND INFORMATION SECURITY POLICY
DOCUMENT CODE: EXOGDPRPOLIT
VERSION: Version 1.00 Launch on 02.01.2023 (abbreviated V1.00 02.01.2023)
CONFIDENTIALITY: All rights reserved under International Copyright Conventions. Reproduction of this document, either in whole or in part, by any means, electronic or mechanical, including photocopying, recording, transmitting, transcribing, storing in an electronic retrieval system, or translating into any other language, without prior written permission from Exonicus R&D, the copyright holder, is strictly prohibited. Exonicus R&D is the authorized Copyright Holder of this document. All trademarks mentioned in the text are the property of their respective owners and are used for reference purposes only.
© Exonicus R&D, 2023. All rights reserved.

1. Term Definitions

The Company: SIA “Exonicus R&D”, registration number: 40203167060, legal address: 10 Tērbatas Street, Valmiera, Valmieras novads, LV-4202.
Employee: An individual who is employed by the Company.
Management: Board, managing director, and/or any other person within the Company who is entrusted with management functions and authority.
Policy: This Personal Data Processing and Information Security Policy.
Third party: An individual, legal entity or other person who has no affiliation with the Company.

2. Principles Of Data Processing

The Company

  • will process personal data lawfully, fairly, and transparently to the data subject.
  • will process personal data appropriately, in accordance with the necessary requirements to achieve the processing purpose.
  • will ensure the security of personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage, by implementing appropriate technical and organizational measures.
  • ensures that personal data will only be kept for as long as necessary for processing purposes.
  • ensures that personal data is collected only for specified, explicit, and legitimate purposes and will not be further processed in a way that is incompatible with those purposes, except as necessary for the performance of our statutory functions and obligations.

3. Objective And Scope Of The Policy

3.1. The purpose of the Company’s Personal Data Processing and Information Security Policy is to protect the Company’s employees, partners and customers from unlawful or harmful direct or indirect, intentional or unintentional actions of persons when processing information and data that comes into their possession, as well as when using certain equipment for the performance of their job duties.

3.2. The Policy provides the data subject with information on the basis, purpose, scope, protection and duration of processing of personal data.

3.3. The Policy regulates the processing of information in any systems or on any media involved in the processing of data/information by the Company, regardless of whether the processing of data/information is related to the Company’s internal business operations or the Company’s external relationship with any third parties.

3.4. This Policy also regulates the use of the equipment and tools available to Employees of the Company in the performance of their duties.

3.5. The Policy may be in addition to any other policies, rules, procedures and/or guidelines adopted and implemented by the Company from time to time.

3.6. All personal data processing, information security system issues and information/data security issues not covered by this Policy should be addressed to the Board of Directors of the Company.

4. Information Classification

4.1. Any information/data made available to Employees in the performance of their duties, where such information/data relates to the Company and its business, customers or business partners, shall be considered proprietary and confidential information of the Company and, accordingly, shall be protected under applicable laws and regulations on the protection of confidential information, trade secrets and personal data.
4.2. The Company shall classify information internally to ensure adequate protection of information and data. Information/data shall be protected whether such information has come into the Employee’s possession in the form of printed material, any data storage devices, audio/video material or in any other form.
4.3. The Company uses the following general classification of information:

CATEGORY: Public information
DESCRIPTION: Information that can be processed and distributed within or outside the Company without any negative impact on the Company, any of its partners, customers and/or related parties.
SCOPE OF APPLICATION (INCLUDING BUT NOT LIMITED TO):
a) Public financial statements provided to public authorities;
b) Information available on public resources or otherwise in the public domain, unless it has become public because the Employee has violated information/data security requirements.

CATEGORY: Inside information
DESCRIPTION: Any use of the information in any form, if in violation of the requirements of applicable laws, regulations, this Policy or any other regulation adopted by the Company, may harm the interests of the Company and/or any of its Employees, partners, customers.
SCOPE OF APPLICATION (INCLUDING BUT NOT LIMITED TO):
a) Documents developed and/or prepared by any Employee, department of the Company;
b) Any catalogues (contact, information, etc.) created and/or used for the Company’s business purposes;
c) Any internal service reports, statements, certificates, conclusions drawn up for the purposes of the Company’s business.

CATEGORY: Confidential information
DESCRIPTION: Any information which is so essential to the Company, any of its customers and/or associates or related parties, the unauthorised disclosure of which may adversely affect the business, operations, reputation, status of the Company, its members/shareholders, customers and/or associates generally and such disclosure may result in serious harm to any of these parties.
SCOPE OF APPLICATION (INCLUDING BUT NOT LIMITED TO):
a) Policies, procedures, internal rules, management decisions;
b) Information designated to the Employee as a trade secret of the Company;
c) Other financial, human resources, legal, marketing information, sales procedures, plans and operations;
d) Business, production plans;
e) Personal identification data;
f) Information protected by a confidentiality agreement signed by each Employee;
g) Information protected by confidentiality agreements or cooperation agreements entered into by the Company in the course of its business.

5. Systems Involved In Data/Information Processing

5.1. Any information systems, including but not limited to computer hardware, software of any kind, operating systems, any storage environments, network accounts, electronic mail accounts, browser systems and any other technical basis and tools used in the Company’s business shall be considered the property of the Company.
5.2. Each Employee shall use such technical equipment and tools with due care and attention and only for purposes related to the Company’s business. The only exception to this is where the Company has provided the Employee with technical equipment (e.g. a mobile phone device) with the express consent to use it also for personal use. In the absence of such consent, the Employee shall be considered to be prohibited from storing personal data of any nature on the devices provided by the Company.

6. Legal Basis For Processing Personal Data

6.1. The Company processes personal data based on the following legal grounds:
6.1.1. for the purposes of contract conclusion and execution;
6.1.2. for the implementation of regulatory enactments;
6.1.3. in accordance with the data subject’s consent;
6.1.4. to pursue the legitimate interests of the Company arising out of the obligations between the Company and the Client or the concluded contract or law.

7. Purposes Of The Processing Of Personal Data

7.1. The Company processes personal data:
7.1.1. for customer identification;
7.1.2. for the preparation, conclusion, amendment, transfer and termination of contracts;
7.1.3. for customer service;
7.1.4. for the fulfilment of contractual obligations;
7.1.5. for the administration of settlements;
7.1.6. for debt recovery;
7.1.7. for the promotion and distribution of the use of the services;
7.1.8. for the preparation of reports;
7.1.9. for record-keeping, planning and statistics;
7.1.10. to provide information to state administration authorities and subjects of operational activity in the cases and to the extent specified in the regulatory enactments in force in the Republic of Latvia.

8. Categories Of Recipients Of Personal Data

8.1. The Company shall not disclose to third parties the personal data of its customers or any information obtained during the provision of services and the term of the contract, including information about the services received, except:
8.1.1. where the third party concerned is required to provide the data within the framework of the concluded contract in order to perform a function necessary for the performance of the contract or delegated by law, e.g. to a bank for the purpose of settlement;
8.1.2. preparation and delivery of invoices to the client;
8.1.3. sending postal items to the client;
8.1.4. in accordance with the client’s clear and explicit consent;
8.1.5. to the persons provided for in the laws and regulations in force in the Republic of Latvia upon their justified request in accordance with the procedure and to the extent specified in the laws and regulations in force in the Republic of Latvia;
8.1.6. in the cases specified in the regulatory legal acts in force in the Republic of Latvia for protection of the Company’s legitimate interests, for example, by applying to court or other state institutions against a person who has infringed the Company’s legitimate interests.

9. Duration Of Personal Data Storage

9.1. The Company shall retain and process the personal data of its customers for as long as at least one of the following criteria applies:
9.1.1. the contract concluded with the client is valid;
9.1.2. as long as the Company or the Client may pursue its legitimate interests, for example, by bringing a legal action, in accordance with the procedure established by the laws and regulations in force in the Republic of Latvia;
9.1.3. for as long as one of the parties has a legal basis for keeping the data;
9.1.4. as long as the customer’s consent to the processing of personal data is valid, unless there is another lawful basis for the processing.
9.2. Upon termination of the circumstances referred to in paragraph 9.1 of the Policy, the Client’s personal data shall be deleted. More detailed information on the retention periods of data held by the Company is available in the Company’s file nomenclature.

10. Customer’s Consent To Data Processing And Right To Withdraw It

10.1. The Client may give consent to the processing of personal data, the legal basis of which is consent, in person at the Company’s registered office at 10 Tērbatas Street, Valmiera, LV-4202, Latvia, or by writing to the e-mail address info@exonicus.eu.
10.2. The Client has the right to withdraw the consent given for data processing in the same way as it was given – at the Company’s registered office at 10 Tērbatas Street, Valmiera, LV-4202, Latvia, or by writing to the e-mail address info@exonicus.eu. Withdrawal of consent shall not affect the processing of data carried out at the time when the customer’s consent was given.
10.3. The Client’s consent is not required and its withdrawal shall not affect the processing of data carried out on other legal grounds, for example, on the basis of a concluded contract.

11. Employees’ Responsibilities

11.1. Any information/data which comes into the possession of an Employee in the course of the Employee’s duties shall be treated and used in confidence subject to its protection under this Policy and shall not be disclosed to any third party until and unless notified by Management that such information has become public or has otherwise been reclassified as information which is no longer protected under this Policy.
11.2. All personal data and other information which can identify individuals shall be collected and processed only if and to the extent necessary for the performance of the Employee’s duties, provided that such activities are carried out within the scope of the powers conferred on the Employee and in accordance with statutory data protection requirements (in particular, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation)).
11.3. Any data requests and/or requests for processing of data received by the Employee in the course of the Employee’s duties from data owners who are individuals shall be promptly forwarded to Management for further consideration.
11.4. All Employees are obliged to comply with this Policy and with the requirements of applicable local, regional or international laws and regulations that provide for the processing and protection of information/data.

12. Employee Data Processing

12.1. During the validity of the Employee’s employment contract, the Company as the employer shall have the right to transfer the Employee’s personal data to the Company or its service companies if it is necessary for the organisation or performance of the Employee’s duties.
12.2. The Company as an employer has the right to publish the Employee’s personal data (e.g. name, surname, e-mail address, telephone number, date of birth) at the Company’s registered office.
12.3. The Company shall have the right to prepare and compile an annual leave schedule, which may include information about the Employee’s planned leave dates, as part of its work organisation planning and available resources. Such leave schedule may be published for information purposes at the registered office of the Company.
12.4. Other types of Employee Data, the consent to their collection and the conditions for their collection may be agreed separately between the Company and the Employees.

13. Access And Security Management

13.1. Employees may access any devices available to Employees as necessary for the purposes of and within the scope of their respective duties and responsibilities. The right to access any system does not imply that the Employee is authorised to view or use all information contained in that system.
13.2. The User IDs used are unique and identify a particular Employee. Each Employee is responsible for all activities related to his/her personal ID account; therefore, the primary responsibility is to ensure that the Employee’s ID is not accessible to any third parties, and not even to other Employees, unless otherwise specified by the Company.
13.3. System security passwords shall be created with due care, provided that they cannot be easily remembered, do not contain personal data and are changed regularly (at least every 3 (three) months). Each Employee shall be personally responsible for the compliance of his security password with this Policy and any other rules of the Company.
13.4. An Employee shall only have access to confidential information/data if such authority is provided for in the Employee’s Contract of Employment and/or if the Company has granted such authority to the Employee.

14. Security Measures

14.1. All data and information collected and processed in any form (printed, electronic, etc.) shall be subject to the requirements of this Policy and any applicable laws and regulations regarding the collection, processing, protection and storage of data/information, and such documents shall be stored in a secure location designated by the Company with such retention period as required by applicable law and/or specified by the Company.
14.2. Employees are prohibited from storing any confidential information on their personal devices, except for information that is temporarily required for a specific work-related activity. All necessary confidential and personally identifiable information must be stored only on a personalised device that has been approved by the Company’s IT personnel and that the Company has assigned to the Employee for the performance of work tasks. Any downloading of such data to personal devices should be avoided and should only be done if reasonably necessary in connection with processing the information for work purposes.
14.3. Any mobile, portable devices (including laptops, tablets, smartphones and other handheld devices) and any cloud storage of information must be approved by the Company’s IT personnel and properly secured to prevent unauthorised access.
14.4. Only systems and software licensed and authorised by the Company may be installed and used on equipment and tools used by the Company. Before downloading or installing any software on devices owned and used by Employees for the purposes described in this Policy, permission must be obtained from IT personnel.
14.5. Where Employees use personal (home) devices to access the Company’s corporate resources (e.g. Customer Relationship Management (CRM) software, email, online/cloud databases), Employees are required to comply with the requirements of this Policy in the same way as if they were using equipment provided by the Company. Consequently, the storage of any data and information related to the Company on the device is prohibited.
14.6. In any case, the use of public access devices (e.g. internet cafes, libraries, etc.) is strictly prohibited unless it is critically and urgently necessary in connection with the work and Management has given its express consent to such action.
14.7. In the event that the Employee is granted access to the Company’s client’s or business partner’s file storage system, the Employee shall use the client’s or business partner’s access tools and follow the instructions provided regarding secure information/data handling requirements (including the use of encryption systems, passwords, data usage restrictions, use of designated locations, etc.).
14.8. As soon as, in the opinion of the Company, the protected data/information is no longer necessary for the Company’s business, such data/information shall be deleted, all copies thereof destroyed and the Employees involved in the processing of the information/data concerned shall be informed accordingly of their obligation to delete/destroy and return to the Company the information/data no longer necessary for the performance of their duties and, in particular, to return to the Company, delete and destroy copies if the employment relationship with the Employee concerned is terminated.
14.9. No information/data referred to in this Policy shall be sent, forwarded or otherwise provided to any Third Party unless and only to the extent necessary for the performance of the Employee’s job duties. In the event that data is transferred or provided to Third Parties, it is imperative that data protection is ensured and all appropriate security measures are taken.
14.10. The Company shall audit the systems used for information/data processing in order to control the continuous compliance with this Policy and applicable regulatory requirements.

15. Prohibited Activities

15.1. Except as specifically exempted, under no circumstances and under no conditions shall any equipment, systems or tools belonging to the Company, its customers or business partners be used for purposes unrelated to the Employee’s job duties or the Company’s business.
15.2. The following activities are strictly prohibited, without exception:
15.2.1. infringement of any person’s or the Company’s rights protected by intellectual property rights, including but not limited to the installation, copying, distribution or storage of any illegal software, online platforms, any other electronic content not licensed for use by the Company on any of the Company’s systems or equipment;
15.2.2. unauthorised copying of copyrighted material;
15.2.3. violating the rights of any person by the excessive and unnecessary collection and processing of the personal data of that subject;
15.2.4. access to data, server or account for purposes unrelated to the Company’s business or the Employee’s job duties;
15.2.5. exporting software, technical information, encryption software or technology in violation of applicable international or national laws and regulations and/or the Company’s instructions;
15.2.6. export of any data or information of proprietary and/or confidential value to the Company if such export is not necessary in the course of the Company’s business or the Employee’s duties and/or if it violates the Company’s internal rules, applicable laws and regulations;
15.2.7. revealing the password of the Employee’s account to other persons and allowing other persons to use such account;
15.2.8. making fraudulent offers of products, goods or services using the Company’s account;
15.2.9. the implementation of security breaches or interruptions in network communications. Such security breaches include, but are not limited to, accessing data where the Employee is not the intended recipient or logging into a server or account that the Employee is not expressly authorised to access, unless such access rights have been granted to the Employee in connection with that Employee’s participation in a particular Company project;
15.2.10. the use of any program/script/command or the sending of any message with the intent to interfere with a user’s work session by any means.

16. Reporting Security Incidents

16.1. All information/data processing security incidents or suspected incidents shall be reported immediately to the Management, who shall take all appropriate measures to prevent the potential damage, remedy the effects of the damage and restore the previous security situation.
16.2. Where appropriate, Management shall be obliged to ensure further reporting of a data/information security breach to the authorities and to the individuals involved as required by applicable laws and regulations and/or European Union law.