Information on personal data processing

By means of this communication, we would like to inform about the purposes, scope, protection of processing of personal data, period of processing and the rights of the data subject when processing personal data.

 

Table of contents:

1. Terminology used.

2. Information related to each process and purpose of data processing.

3. Descriptions of the Personal Data processing processes, purposes and legal bases of data processing.

        3.1. Processing of the Personal Data related to a visit to (opening of) the Website.

        3.2. Cookies.

        3.3. Processing of data related to questions, proposals or complaints.

        3.4. Receipt of data for the purpose of ensuring economic activities.

        3.5. Processing of data related to ensuring legal and transparent cooperation.

        3.6. Data processing related to personnel recruitment.

        3.7. Other data processing carried out by the controller

4. Other information

1.   Terminology used

1.1. Controller: SIA Severstal Distribution, registration No. 40003001968, address: Starta iela 13, Riga, Latvia, e-mail address: ds.latvia@severstal.com

1.2. Website: Website maintained by the Controller https://distribution.severstal.com/  

1.3. Personal Data: any information that concerns any identified or identifiable natural person; an identifiable natural person is a person who can be directly or indirectly identified, based on an identifier. For example, an identifier may be the name, surname, identification number, identifier of the identifiable person in information systems, or one or more physical, physiological, genetic, mental, economic, cultural or social identity factors inherent to the mentioned natural person;

1.4. Data Subject: a living natural person whose Personal Data are processed by the Controller for the achievement of a specific purpose; for example, a Website visitor is the Data Subject;

1.5. Processing of Personal Data:  any activities with the personal data of the Data Subject, including, but not limited to, data collection, data storage, data transfer, data modification, data use and data erasure.

1.6. Purpose of Data Processing: the purpose which is intended to be achieved by the Controller by the processing of the Personal Data of the Data Subject.

1.7. Regulation: European General Data Protection Regulation No 679/2016 applicable to all Member States as from 25 May 2018.

 

2.   Information related to each process and purpose of data processing

2.1. Personal data protection officer: The Controller has designated a personal data protection officer Arnis Puksts, contact details for communication in data protection matters – privacy.lv@severstal.com (see the list of data protection officers certified in the Republic of Latvia at https://www.dvi.gov.lv/lv/media/229/download

 

2.2. Data processors (data recipients):

        2.2.1. Controller’s employees, in accordance with their job duties arising from the legal employment relationship between the employees and the Controller;

        2.2.2. outsourced service providers connected with the Controller by a contractual relationship establishing the personal data protection procedure – it provides that the Personal Data of the Data Subject may only be processed in accordance with the instructions provided by the Controller and may not be used for other Purposes of Data Processing;

        2.2.3. state and local government authorities, including law enforcement authorities, ensuring the fulfilment of the legal obligation in accordance with the regulatory enactments and transferring Personal Data upon a relevant request; as well as in situations where the transfer of data is related to the legal interests of the Controller, for example, for the establishment, exercise or defence of legal claims;

        2.2.4. in particular cases, of which the Data Subject will be informed additionally during the process of collection or acquisition of data, a joint controller may also be involved in the processing of the data – in situations where, together with the Controller, the Purpose of Data Processing also applies to another organisation.

        2.2.5. third parties in situations where the receipt of data is a clear legitimate interest of those third parties or the Controller, for example, but not limited to, in the case of deliveries to a place with limited access to the territory, the vehicle driver’s data are transferred to ensure the respective access.

 

2.3. Type of data processing: The Controller uses technical resources when processing Personal Data, however in any situation in which a decision is to be taken with respect to the Data Subject, it is always made by a person and the Controller does not take automated decisions within the meaning of the Regulation.

 

2.4. Transfer of data to a third country (a country other than a Member State of the European Union or the European Economic Area): The Controller is part of an international group of companies Severstal, whose technical resources are also maintained in a third country – the Russian Federation. It is therefore possible to transfer the Personal Data processed to a country other than a Member State of the European Union or the European Economic Area. Legal safeguards in exercising the rights of the Data Subject are ensured by agreements concluded between the Controller and the respective managers of technical resources in the third country, in accordance with standard data protection clauses approved by the European Commission. Similarly, in certain cases, data may be transferred to a third country for the purpose of carrying out activities prior to the establishment of contractual obligations or the fulfilment of existing contractual obligations or with a separate consent of the Data Subject. Data subjects will be specifically warned in situations where data are transferred to a third country based on contractual obligations or a consent.

 

2.5. Right to complain: In any situation in which the Data Subject considers that the Controller has infringed his or her rights when processing the Personal Data, the Data Subject is entitled to complain to the supervisory authority of his or her choice. The leading supervisory authority for the Controller operating in the territory of the Republic of Latvia is the State Data Inspectorate (website address – www.dvi.gov.lv).

 

2.6. Rights of the Data Subject: In the cases specified in the Regulation, you, as a Data Subject, have certain rights exercising of which is ensured by the Controller:

        2.6.1. Access to Personal Data – you as a Data Subject have the right to request approval from us (here and hereinafter “we” means the “Controller”) whether we are processing your Personal Data and, if we do, to request access to the processed Personal Data. For the exercise of the mentioned right, please submit an application in writing;

        2.6.2. Rectification of Personal Data – if you believe that information about you is incorrect or incomplete, you have the right to ask us to rectify your data. For the exercise of the mentioned right, please submit an application in writing;

        2.6.3. Withdrawal of consent – in cases where we process your Personal Data on the basis of your consent, you have the right to withdraw your consent to the processing of personal data at any time. For the exercise of the mentioned right, please submit an application in writing.

Please note that the withdrawal of consent does not affect the processing of data prior to the withdrawal of consent, as well as the processing of data may have created a right for legitimate interest or an obligation to continue processing your Personal Data on the basis of the law;

Please note! Special warning about the withdrawal of consent in situations where consent is given to the processing of cookies – you, as a Data Subject, have the right to delete cookies from your equipment at any time; this is equivalent to a withdrawal of consent; the Controller has no technical means of deleting cookies in your equipment!

        2.6.4. Objecting to processing on the basis of legal interest – you have the right to object to the processing of personal data which we process on the basis of our legitimate interests (legal basis for such processing of Personal Data – pursuant to Article 6(1)(f) of the Regulation). For the exercise of the mentioned right, please submit an application in writing; Please note! We will continue to process your data even if you have objected to it if we have satisfactory motivated reasons to continue processing the data.

        2.6.5. Erasure of data – you have the right to demand from us to erase your Personal Data, however this does not apply to cases where the law requires us to store the data. For the exercise of the mentioned right, please submit an application in writing;

        2.6.6. Restriction of processing – you have the right to request us to restrict the processing of your Personal Data. For the exercise of the mentioned right, please submit an application in writing;

        2.6.7. Data portability – you have the right to receive or transfer your personal data to another controller (so-called “data portability”). This right only includes the data that you have provided to us on the basis of your consent or a contract, and in cases where processing is carried out by automated means. For the exercise of the mentioned right, please submit an application in writing to us.

 

2.7. Please note! In some cases, one of your rights as of a Data Subject may not be exercisable, however in any situation you will receive a motivated response from the Controller within the time limits laid down in the Regulation, which, depending on the situation, is one or three months from the date of submission.

 

2.8.  In our activities, we respect the principles of data protection provided for in the Regulation, in particular the principle of accountability:

        2.8.1. When collecting your personal data, we act as a diligent and careful owner should, and we process the data solely for the purposes of achieving specific purposes without transferring the data to any other person, unless there is a statutory or contractual situation which is duly documented;

        2.8.2. We regularly evaluate the Personal Data that have been collected and are stored, as well as have been obtained and transferred, and we make sure that the data categories and the data storage are in line with the need to achieve the respective purposes;

        2.8.3. We are focused on cooperation, therefore, we will make appropriate adjustments to the processing of Personal Data, as well as to the binding documentation and other aspects related to the processing of Personal Data, such as the Website menus, after we receive substantiated objections, proposals or other information from the Data Subject.

 

2.9. In order to ensure fair and transparent data processing, the Data Subject should note that:

        2.9.1. In each case of provision of the Personal Data, the Data Subject is obliged to only provide valid and authentic personal data and only such data that are relevant and necessary for fulfilment of the purposes of data processing, for example, in accordance with the values of the fields previously specified or the corresponding request;

        2.9.2. In case of changes in the respective data of the Data Subject during the period of cooperation or within a reasonable period of time thereafter, the Data Subject is obliged to inform the Controller of changes in the respective data categories;

 

2.10. Communication: if you, as a Data Subject, have any questions regarding the processing of your Personal Data, please contact the Controller using the Controller’s contacts specified above.

3.   Descriptions of the Personal Data processing processes, purposes and legal bases of data processing

3.1. Processing of the Personal Data related to a visit to (opening of) the Website

        3.1.1. Process: The Controller processes the Personal Data to ensure the functioning of the Website, including collects and stores technical information about the connection (e.g. connection IP address, connection date and time);

        3.1.2. Purpose and Legal basis: The legitimate interest of the Controller (Article 6(1)(f) of the Regulation) to maintain the Website, to inform the public of developments and cooperation possibilities relevant to the activities of the Controller and to ensure the safety of the Website – to discover, evaluate, detect and prevent technical problems or illegal actions of any third parties.

        3.1.3. Note! Taking into account the fact that any individual may visit the Website (including a child or a person with limited capacity), as well as any individual’s behaviour may harm the interests of the Controller, the Controller does not check the age of the particular visitor to the Website, but retains technical information on the connection and events related to the specific connection. The duration of storage does not exceed 10 years, since the rights to claim which the Controller obtains may be different, therefore the Controller applies the longest limitation period provided for in the regulatory enactments. The child’s parents or respective representatives appointed in accordance with the procedure provided for by the law are responsible for the illegal offence committed by a child or a person with limited capacity, while the administrative and criminal liability of children starts from the age of 14 years.

        3.1.4. Please note! The resources of the Controller are located in a country other than a Member State of the European Union or the European Economic Area, and any case of data processing related to the opening of the Website means the transfer of personal data to a third country!        

        

3.2. Cookies

        3.2.1. Detailed information about the processing of data by the Controller using the cookies mechanism is provided here: https://distribution.severstal.com/lat/about/cookie-policy/. General information:

        3.2.2. The Controller uses technically necessary cookies that are automatically installed to the Website visitor’s equipment – the legal basis is the legitimate interest of the Controller in ensuring the functioning of the Website;

        3.2.3. The Controller uses other cookies, including analytical, statistical and those necessary for marketing purposes. These cookies are only installed to the Website visitor’s equipment after the consent has been obtained.

        3.2.4. The Website visitor can delete cookies from their equipment at any time – in this case, when the mentioned conditions are met (3.2.1 and 3.2.2), cookies will be re-installed when the Website is visited.

 

3.3. Processing of data related to questions, proposals or complaints

The Data Subject, using the contact form available on the Website or other communication channels (such as e-mail), submits the relevant information or asks the Controller a question. When submitting the data, the following circumstances should be taken into account:

        3.3.1. legal basis – our legitimate interest (in accordance with Article 6(1)(f) of the Regulation) to find out your opinion to provide you a response or to be able to better adapt the Website, offers, communication, etc., to your wishes;

        3.3.2. contact details (name, surname, e-mail, phone) are needed to enable us to prepare a response to you, and to make it possible for you to exercise your rights as a data subject; the contact details provided by you will not be used for any other purposes;

        3.3.3. In a general case, we will respond to your question not later than within one month.

 

3.4. Receipt of data for the purpose of ensuring economic activities

The data subject as a customer or supplier of the Controller (or an employee, representative or contact person of a customer or supplier of the Controller, in relation to the job or other professional duties of the Data Subject) transfers Personal Data for the purpose of concluding a contract, making, receiving and executing orders for goods or services, submitting and examining proposals, claims or complaints, ensuring the delivery of goods, receiving information, asking a question, contacting about the issues related to the use of received services and in other similar situations.

Typically, data collection is carried out using e-mail, phones, and the Controller’s other official communication channels, such as MS Skype or MS Teams, as well as information input forms located on the Controller’s Website. When transmitting data for these purposes, the following criteria must be met: 

        3.4.1. The legal basis for data processing is the performance of contractual obligations or the wish of the data subject to conclude such a contract (e.g. a service contract, etc.) (including enter an actual contractual relationship in which the Parties have agreed on significant components of the transaction, namely the service, price, place and time of performance thereof), as well as the legitimate interest of the Controller to engage in business, acting in accordance with the situation:

                3.4.1.1. in situations where the Data Subject is a natural person, the processing of Personal Data is carried out to ensure the legitimate interests of the Controller (Article 6(1)(f) of the Regulation) and for the conclusion and execution of a legal transaction (Article 6(1)(b) of the Regulation);

                3.4.1.2. in situations where the Data Subject is a representative of a legal entity, the processing of the Personal Data is carried out to ensure the legitimate interests of the Controller and the companies represented by the Data Subject (Article 6(1)(f) of the Regulation), i.e. the processing of data is carried out to conclude a legal transaction as a result of it;

                3.4.1.3. in situations where the Data Subject is a contact person of a legal entity, the processing of the Personal Data is carried out on the basis of the Controller’s duty to perform the contract (Article 6(1)(b) of the Regulation), and of the mutual contractual relationship between the data subject and his or her employer or customer, for example, employment contract, royalty contract, contractor's agreement concluded with the legal entity concerned.

        3.4.2. To achieve the purpose of processing of these data, the following personal data are typically required from the Data Subject:

                3.4.2.1. person’s name, surname, contact details (address, phone number and e-mail) – these data will be used when communicating with the person concerned in relation to the provision of the services concerned, such as significant details in the provision of the service concerned, any changes, etc.;

                3.4.2.2. personal ID No., bank account and address – required for conclusion of a legal contract, as well as for the correct invoicing meeting the accounting requirements, particularly if the natural person has the status of a taxpayer, as well as in the specific cases provided for in regulatory enactments;

                3.4.2.3. if the Data Subject is a representative or a contact person of a legal entity, information about the legal entity, name, registration number, VAT payer's registration number, bank account and address is additionally required, however no personal ID No. is required;

                3.4.2.4. information about the product, service, delivery method, time and place, etc., is also processed to achieve this purpose.

 

                    Please note!

        3.4.3. To ensure the delivery or acceptance of the goods and in other similar cases, the information may be transferred to the third parties, including the parties located in a third country! Any transfer of data is always only carried out ensuring the interests of the Data Subject and in accordance with the requirements of regulatory enactments.

        3.4.4. Any data related to the establishment and performance of a contractual relationship may be transferred to the Controller’s auditors, insurers, credit institutions, advisers and other similar recipients, particularly in situations where a contract is terminated or not performed adequately.

   

3.5. Processing of data related to ensuring legal and transparent cooperation

Prior to establishing a business relationship and in the process of executing transactions, the Controller evaluates its counterparty for the purpose of avoiding transactions which by their nature may be related to financial, corruption, money laundering (AML), sanctions or reputation risks, including:

        3.5.1. “Know your customer” (KYC) procedures are carried out assessing the counterparty’s compliance with the principles of fair commercial practice, competition and business conduct;

        3.5.2. The creditworthiness, reputation and reliability of the customer (legal entity) is evaluated for the purpose of assessing the terms of payment for the transaction, the granting of the credit limit, its amount, etc.

        3.5.3. An evaluation of the counterparty and its beneficial owner (if they have a significant influence in the company concerned) is carried out to respect the implementation of international and national sanctions and other restrictions in the Republic of Latvia;

        3.5.4. Type of data acquisition –

                3.5.4.1. Obtaining data from the Data Subject or the legal entity related to the data subject.

                3.5.4.2. Obtaining data from various public registers (e.g. register of enterprises, public database of the tax service, etc.) and specialised information resources (e.g. credit information bureaus, collection databases, private detective bureaus, etc.)

                3.5.4.3. Obtaining data from the mass media and using internet search platforms (e.g. Google, Yandex, Bing, Yahoo, etc.)

        3.5.5. Legal basis – the Controller’s legitimate interest in leading a sustainable business by ensuring the compliance of the Controller with requirements of regulatory enactments and high ethical standards, as well as providing evidence to the controlling authorities.

        3.5.6. Important! The main purpose of the mentioned data processing is to assess the legal entity concerned, however the evaluation process also provides data on related natural persons.

        3.5.7. Types of personal data – all personal data referred to in sub-paragraphs of Paragraph 3.4 and the direct or indirect relation of the natural person to the legal entity, amount of shares or stocks and degree of influence/control in the organisation concerned.

         

3.6. Data processing related to personnel recruitment

When providing data for the purpose of applying for an announced vacancy or offering own candidacy to the Controller, if the vacancy concerned will be announced in the future (including applications for practical work) the following criteria should be met:

        3.6.1. The processing of personal data for the specified purpose will only be carried out if the Controller has received the respective application or the Data subject has submitted the respective application or created a profile on one of the websites of the Controller’s cooperation partners – a personnel recruitment company;

        3.6.2. The Controller may also receive information from a third party, usually an organisation promoting employment or organising practical work, such as the State Employment Agency or educational institutions;

        3.6.3. The Controller informs that the Controller may contact the data subject on a social network established for career development, such as LinkedIn, and will continue the communication to obtain the Data Subject’s consent for further data processing.

        3.6.4. In order to carry out the recruitment process, the Controller typically needs the following information:

                3.6.4.1. Name and surname of the Data Subject and/or the legal wards of the Data Subject, as well as contact details (examples of categories of Personal Data: e-mail address, phone number, social network account, physical location);

                3.6.4.2. Information on the education of the Data Subject (including completed courses, obtained certificates) or, in case of practical work, information on the qualifications to be obtained;

                3.6.4.3. Professional experience of the Data Subject or, in case of practical work, information on the necessary practical work programme;

                3.6.4.4. Vacancies (practical work places) for which the application is forwarded or which would be desirable;

                3.6.4.5. Other skills according to the vacancy, for which the Data Subject has applied, such as knowledge of languages, knowledge of information technologies, equipment, machinery handling skills and special rights to work with them, etc.

        3.6.5. The legal basis for data processing is the processing of data in the process necessary to be able to conclude an employment contract as a result of the evaluation of the applicant – pursuant to Article 6(1)(b) of the Regulation. Note that applying for a vacancy does not guarantee that a respective employment contract will be concluded between the Controller and the Data Subject, however data processing is a mandatory criterion for establishing the legal employment relationship in case of a positive recruitment process!

        3.6.6. Periods of data processing:

                3.6.6.1. For the purpose of basic data processing – for the recruitment of personnel or practical work – the period of data processing is the achievement of the specific objective, which, in a typical case, means the conclusion of the process of personnel recruitment or practical work;

                3.6.6.2. Additional purposes

                        a) ensuring the legitimate interest of the controller for possible judicial or out-of-court proceedings, (the legal basis for the processing of Personal Data is Article 6(1)(f) of the Regulation in the context of Section 34(1) of the Labour Law), the duration of the processing is 5 months or, if the legal proceedings have commenced, – until the end of the proceedings (note: in case where the Data Subject has submitted an application at his or her own discretion, and not responding to a specific job or practical work place announcement, the mentioned period will begin from the time of submission of personal data);

                        b) in case where the Controller is unable to offer a respective vacancy, practical work place or another candidate has proved more appropriate, the processing of Personal Data will be carried out for 3 (three) months from the closing date of the announced vacancy (practical work place), unless the data subject has objected to such data processing (the legal basis for the processing of Personal Data is Article 6(1)(f) of the Regulation, for the purpose of filling vacant jobs effectively;

                        c) For the establishment of an employment relationship or a practical work relationship – information will be processed on the basis of the periods for the processing of data specified in the Labour Law and other regulatory enactments so that the controller can perform the duties provided for in the law.

            

3.7. Other data processing carried out by the controller (general information, detailed information is available by writing a request of the data subject)

No.

Description of process

Data processing purposes and processed personal data

Legal basis for data processing

3.7.1.                

Carrying out the video surveillance of the territory and premises

a) Control of access to the territory and protection of property rights

b) Protection of life and health of employees and third parties;

c) Carrying out service checks on the behaviour of employees or third parties.

Processed personal data:

Visual data of behaviour of every person (visitor, customer, customer’s representative, employee) (video recording).

The legitimate interest of the Controller (Article 6(1)(f) of the Regulation) – to protect the property and to discover the perpetrator or the offender;

and Article 6(1)(d) of the Regulation – protection of vital interests of the data subject

3.7.2.      

Personnel management and accounting organisation

a)   Personnel recruitment

b)   Establishment and maintenance of a legal employment relationship

c)   Determination of advantages and benefits provided for in regulatory enactments and maintenance and ensuring of others processes motivating employees and improving working conditions

d)   Financial accounting by processing such personal data as:

1.      information identifying the employees,

2.      information on job duties,

3.      absence,

4.      business trips,

5.      evaluation of employees,

6.      account in a payment institution,

7.      received remuneration,

8.      calculated taxes and benefits,

9.      issued and paid invoices,

10.   debts,

11.   etc.

A mutual contract between the Controller and the Data Subject (Article 6(1)(b) of the Regulation), performance of legal duties of the Controller (Article 6(1)(c) of the Regulation), the legitimate interest of the Controller (Article 6(1)(f) of the Regulation) – to ensure an efficient working environment and financial resource management system

3.7.3.      

Record-keeping and maintenance of an archive

a)   Maintenance of a record-keeping system and organisation of the record-keeping process

b)   Maintenance of an archive and archiving of documents (as well as transfer to other archives)

c)   Destruction of documents

d)   Categories of processed personal data: any, depending on the nature of the particular information unit, such as:

Legitimate interest of the Controller in organising its activities (Article 6(1)(f) of the Regulation)

3.7.4.      

Ensuring support in the Controller’s basic activities

a)     Conclusion and maintenance of service contracts;

b)   Registration of services and collection of payment for them;

c)   and other services

Performance of the contractual obligations between the Controller and the Data Subject or establishment of a mutual contractual relationship observing the will expressed by the Data Subject (Article 6(1)(b) of the Regulation)

 

4. Other information

4.1. This information notice may be amended as necessary. The current version of information notice is published on this Website.

4.2. Information related to the use of cookies is available here: https://distribution.severstal.com/eng/about/cookie-policy/

4.3. Last updated on 3 August 2021

 

Note! If you find that the Website is not operational fully or partly, does not operate properly, requests to perform uncharacteristic actions (e.g., but not limited to, install software or a part thereof on the visitor’s computer), please contact the Controller immediately!