Business partner privacy policy

We care about your privacy

Your trust is important to us. Our aim is that you feel safe when you share your personal data with us. Personal data is any information that can be used to identify an individual.

We take appropriate measures to ensure that your personal data always is safe with us and that the processing of your personal data is compliant with present data protection laws, our internal policies, guidelines and routines. We have also assigned a Data protection officer whose task is to monitor that we follow these laws, guidelines and routines.

It is important for us to be transparent with how we handle your personal data. In this information text, we therefore describe how and where we process personal data in the context of cooperation with us, through communication, procurement, agreements and other types of business interactions.

This information text is addressed to:

  • our business partners who are natural persons (such as self-employed persons);
  • the representatives or contact persons of our business partners;
  • contracted specialists or employees of our business partners.

Within this information text term “business partner” means any supplier, service provider, lessee, lessor and any other cooperation what you have with us.

If you (as a natural person or as a legal entity) intend to provide us with personal data about other individuals, you must provide a copy of this information text to the relevant individuals.

Depending on how you cooperate with us, e.g., if you are an external contractor or an applicant within procurement or one-time service provider or a construction company etc., the amount of data processing may vary. We process only the data necessary for the specific purpose.

Last edited
2025-05-22
Download
Previous version
2022-03-08
Download

Business partner privacy policy

We care about your privacy

Your trust is important to us. Our aim is that you feel safe when you share your personal data with us. Personal data is any information that can be used to identify an individual.

We take appropriate measures to ensure that your personal data always is safe with us and that the processing of your personal data is compliant with present data protection laws, our internal policies, guidelines and routines. We have also assigned a Data protection officer whose task is to monitor that we follow these laws, guidelines and routines.

It is important for us to be transparent with how we handle your personal data. In this information text, we therefore describe how and where we process personal data in the context of cooperation with us, through communication, procurement, agreements and other types of business interactions.

This information text is addressed to:

  • our business partners who are natural persons (such as self-employed persons);
  • the representatives or contact persons of our business partners;
  • contracted specialists or employees of our business partners.

Within this information text term “business partner” means any supplier, service provider, lessee, lessor and any other cooperation what you have with us.

If you (as a natural person or as a legal entity) intend to provide us with personal data about other individuals, you must provide a copy of this information text to the relevant individuals.

Depending on how you cooperate with us, e.g., if you are an external contractor or an applicant within procurement or one-time service provider or a construction company etc., the amount of data processing may vary. We process only the data necessary for the specific purpose.

  • Which categories of personal data do we collect and why

    Procurement

    We process your personal data in order to ensure tendering of goods and services for us and to be sure that business partner meets provisions of our requirements. In connection with the procurement of a new business partner, we need to process your personal data, e.g., to collect contact details as contact person or representative for the business partner prior to an inquiry or a procurement, to retrieve documentation, assess compliance with our standards, invite business partner to take part in procurement etc.

    Categories of personal data Legal basis Retention period
    Based on the particularities of each procurement process the following categories of personal data might be processed:
    • Identity information

    e.g., name, surname, username etc.

    • Company information

    e.g., name of the company, person’s job title etc.

    • Competence data, 

    e.g., professional experience, education, certifications, courses, language skills etc.

    • Contact details, 

    e.g., email, phone number, address etc.

    • Additional information in relation to the respective procurement process requirements. This will depend on the type of procurement being undertaken
    		 Our legitimate interests to organize and coordinate competitive procurement process. See section “For how long are my personal data stored?”

    Manage cooperation with business partners

    We process your personal data in order to administer our cooperation directly or indirectly with you, e.g., to conclude and execute agreement,  incl. documentation proving authorization, to register your contact details in the business partners registers as representatives of respective entity, to manage business partners declarations, to administer agreement related documents (e.g. invoices, transportation documents, CMR, insurance) and process payments, to manage and archive agreements with business partners, to manage user accounts (e.g., supplier portal), to provide a forecast, to handle an order for a product or service from the company you work for, to handle order confirmations and complaints, to communicate with you regarding fulfilment of cooperation agreement and related changes, to evaluate and follow up our cooperation, e.g., to check that business partner maintains the necessary approvals and certifications, to monitor the quality of provided services.  In some instance we might agree with our business partner to extend the validity of specific documents, for example, insurance policies beyond the term required by law, such document will be retained until document is valid.

    Categories of personal data Legal basis Retention period
    • Identity information, e.g., name, surname, username, personal code etc.
    • Contact details, e.g., email, phone number, address etc.
    • Company information, e.g., name of the company, person’s job title etc.
    • Competence data, e.g., professional experience, education, certifications, courses, language skills etc.
    • Authentication information, e.g., information on electronic signature, a password, a secret question, a verification code etc.
    • Payment details, e.g., payment type, bank account number, payment card number, payment purpose description etc.
    • Demographic data, e.g., date of birth, gender, citizenship etc.
    • User generated personal data, e.g., information about activities within our information systems, behaviour in digital channels etc.
    • Information about situation, e.g., type of situation, time and date when situation occurred, description of situation, accompanying documents etc.
    • Location information, e.g., country, GPS coordinates, geo-fenced area etc. - in specific cases, e.g., regarding transportation and logistics services
    		 To conclude cooperation agreement and fulfil cooperation agreement with the business partner. Where applicable, also our legitimate interests regarding management of cooperation with business partner. See section “For how long are my personal data stored?”

    Communication with potential business partner

    We process your personal data as a contact person or representative of specific company in order to contact you for future cooperation between you, the company you represent and us.

    Categories of personal data Legal basis Retention period
    • Identity information, 

    e.g., name, surname, username etc.

    • Contact details, 

    e.g., email, phone number, address etc.

    • Company information, 

    e.g., name of the company, person’s job title etc.

    • Competence data, e.g., professional experience, education, certifications, courses, language skills etc.
    • Other data necessary for cooperation with potential and existing business partner
    		 Our legitimate interests to communicate with you as representative or contact person of the company See section “For how long are my personal data stored?”

    Cooperation organization management

    We may process personal data to ensure convenient, simple and effective cooperation, incl. regarding access to information, systems or tools necessary for cooperation. For instance, we may record our trainings and meetings that you might participate in so that our other participants who need the content can also familiarize themselves with the content

    Categories of personal data Legal basis

    Retention period
    • Identity information, e.g., name, surname, username etc.
    • Information about situation, e.g., type of situation, time and date when situation occurred, description of situation, accompanying documents etc.
    • Audio-visual material, e.g., photo, movie, audio file, CCTV etc. Regarding participation in cooperation activities, also the following data:
    • Contact details, e.g., email, phone number, address etc.
    • Competence data, e.g., professional experience, education, certifications, courses, language skills etc.
    • Assessment information, e.g., tests etc.
    • User generated personal data, e.g., information about activities within our information systems, behaviour in digital channels etc.
    • Feedback data – e.g., if you choose to participate in a survey.
    		 Our legitimate interests regarding cooperation organization management See section “For how long are my personal data stored?”

     

    To fulfil legal requirements

    We process your personal data in order to fulfil legal obligations what are applicable to us according to legislation, e.g. record keeping obligations for invoices, management of transportation documents, CMR, obligations in relation with construction works etc. For example, to fulfil legal requirements we are required to process different insurance policies (e.g., including third party liability insurance) and such insurance policies can include your personal data.

    Categories of personal data Legal basis Retention period
    • Identity informatione.g., name, surname, username etc.
    • Contact details, e.g., email, phone number, address etc.
    • Company information, e.g., name of the company, person’s job title etc.
    • Data related to sanction lists, e.g., is person or company included in sanction lists etc.
    • Other information For fulfilment of legal obligation
    		 To fulfil our legal obligation See section “For how long are my personal data stored?”

    Access and security management

    We process your personal data in order to control access to our premises (offices, stores back-office, DCs, etc.) and restricted areas to protect our property, assets and our employees. E.g., to keep track who entered our premises, to issue to you key and keep track on your movement in our property, to assign appropriate gate where to deliver, to ensure access to our parking lots.

    Categories of personal data Legal basis Retention period
    •  Identity information, e.g., name, surname, username, registration number of the vehicle etc.
    • Contact details, e.g., email, phone number, address etc.
    • Company information, e.g., name of the company, person’s job title etc.
    • Information about situation, e.g., type of situation, time and date when situation occurred, description of situation, accompanying documents etc.
    • Authentication information, e.g., information on electronic signature, a password, a secret question, a verification code etc.
    • User generated personal data, e.g., information about activities within our information systems, behaviour in digital channels etc.
    • Audio-visual material, e.g., photo, movie, audio file, CCTV etc
    		 Our legitimate interest to protect our property, assets and our employees See section “For how long are my personal data stored?”

     

    If you visit our premises, e.g., offices, stores, distribution centers (DC), parking lot etc., please see our CCTV Privacy Policy - in Latvia / in Lithuania/ in Estonia.

    Manage, protect and develop our systems and services

    We process your personal data to manage, protect and develop our information systems and services. This includes, e.g., managing access to our information systems, providing support (offering support for IT issues), ensuring stable IT operations (making backup copies), troubleshooting. We also process data to improve and maintain secure systems and services to which you are granted access. This may include, e.g., creating user profiles and monitoring activities in our IT environment to protect against threats and unauthorized actions (e.g., recording time when you open our information system, logging changes to data made by you etc.).

    Categories of personal data Legal basis Retention period
    • Identity information e.g., name, surname, username, IP address etc.
    • Authentication information, e.g., information on electronic signature, a password, a secret question, a verification code etc.
    • Company information, e.g., name of the company, person’s job title etc.
    • Contact details, e.g., email, phone number, address etc.
    • User generated personal data, e.g., information about activities within our information systems, behaviour in digital channels etc.
    • Connection data, e.g., device type, operation systems and version, time zone, type of browser etc.
    • Communication data, e.g., metadata, content of e-mail, phone call, voice mail etc.
    • Other data that might be created by you in our IT environment and is necessary for the defined purpose
    		 Our legitimate interests in life-cycle management, protection and development of our systems and services See section “For how long are my personal data stored?”

    Fraud prevention and management of legal claims

    We may process your personal data to defend, establish and exercise legal claims, including to prevent fraud or criminal activity, misuses of our products or services.

    Categories of personal data Legal basis Retention period
    • Identity information, e.g., name, surname, username, registration number of the vehicle etc.
    • Contact details, e.g., email, phone number, address etc.
    • Company information, e.g., name of the company, person’s job title etc.
    • User generated personal data e.g., information about activities within our information systems, behaviour in digital channels etc.
    • Information about situation, e.g., type of situation, time and date when situation occurred, description of situation, accompanying documents etc.
    • Audio-visual material, e.g., photo, movie, audio file, CCTV.
    • Other data For management of legal claims
    		 Our legitimate interest See section “For how long are my personal data stored?”
  • From which sources do we collect personal data?

    Yourself

    We collect the personal data you provide to us, e.g., during our communications with you about the company you represent, for instance, as part of the procurement or contracting process, or as part of your response to our request for information about your goods, services or our cooperation in general. We may receive your personal data when, for instance, as part of our cooperation, you use third-party solutions to authenticate yourself online, register in e-services or sign electronic documents. In such a case a third party may act as a separate controller and their terms and conditions, and privacy policy might be applicable.

    Business partners

    We collect the personal data from company where you are employed or provide services to, for example, when company provides to us information who will be representing them, informs us who will be the certified specialist carrying out the job or performing delivery, who will visit our premises etc.

    Rimi Baltic group companies

    Rimi Baltic group companies cooperate with each other and can share your personal information with each other, for example, in connection with a procurement or a purchase of goods or services.

    Our parent company group

    Our parent company group might share to us information about you as the representative or contact person of their business partners.

    External persons

    We collect personal data that other external persons submit to us, for example, to get in touch with your company.

    Publicly accessible sources

    In some cases, we collect information that is publicly available, e.g., in public registers (e.g., Commercial register, Real estate register) or on social media to identify a representative of our business partner, to get in touch with you or company you represent, in connection with a procurement or to manage the business partner relationships, to check properties for possible real estate development projects.  For example, we might use public register to clarify your qualification for specific job, e.g., construction works, to identify the representative (i.e., chairman of the board, board member) who has authorization to sign agreements.

    Information systems

    We collect personal data from used technical systems, for example, audit logs of user accounts, access management systems etc.

  • Sharing of personal data

    Service providers

    We might share your personal data with companies that provide services to us, such as:

    • data hosting services;
    • information system development and maintenance services;
    • transportation service providers;
    • companies involved in related construction project;
    • procurement system service providers;
    • supplier management system service providers;
    • security companies that provide security services.

    These companies can only process your personal data according to our instructions and not use them for other purposes. They are also required by law and our cooperation agreement to protect your personal data.

    External advisors and insurance companies

    If it is necessary for the protection of our company´s rights and interests, we may transfer your personal data to insurance companies or external advisors, e.g., auditors, law firms or other independent advisors who act as separate data controllers and whose activities are regulated by law.

    Group companies

    We may share your personal data with relevant Rimi Baltic group companies if it is necessary for achieving defined purposes.

    Our parent company group

    We might share with our parent company group information about you as the representative or contact person of our business partner, if it is necessary for achieving defined purposes

    Law enforcement authorities, state and local government institutions

    To fulfil our legal obligation, we may transfer your personal data to law enforcement authorities, state and local government institutions upon their request and/or required so by law. We may also transfer your personal data to law enforcement authorities, state and local government institutions in order to meet our legitimate interest in establishing, claiming and defending legal claims and prevent fraud.

    Other companies

    We may share your data, e.g., name, surname, title, information about company you represent, your contact details and other necessary information for business cooperation with other companies who act as a separate data controller for relevant activities, for example, companies involved in related construction project, debt collection companies etc.

    As well we might share mentioned information to ensure that you can access respective premises what are under other company access control or receive needed keys.

    In some cases, when you have provided us services in construction or other area, for example, drafting of construction design, we might publish this document/information in procurement systems for procurement purposes to engage necessary other business partners. Such publication might include reference to the author of particular document, i.e., you, and can be seen by other companies.

    We might transfer your personal data to our business partners to fulfil their legal obligations, for example, to register individuals located at the construction site in state controlled electronic time recording system etc.

    We may share your data, e.g., with the company you represent, e.g., when it is necessary regarding fulfilment of cooperation agreement or when legitimate interests exist, for instance, in a case of a legal claim, e.g., dispute, compensation case or complaint, in order to be able to protect legitimate interests within the context of cooperation.

    Other companies acting as separate data controllers are obliged to ensure data processing and protection in accordance with regulatory enactments and their privacy policy may apply.

  • Where do we process your personal data?

    We always aim to process your personal data within EU/EEA.

    In certain cases, your personal data might be transferred or processed in a country outside of EU/EEA. For example, in case of international transportation deliveries, we transfer your personal data to service provider in the respective country in order to enable successful delivery of goods in accordance with CMR Convention.

    For instance, for IT and other support, we may use service providers accessing personal data from countries outside the EU/EEA. We may use service providers that are based in a variety of countries outside the EU/EEA and transfers depend on the time of the day (follow-the-sun).

    When your data is processed outside the EU/EEA by one of our service providers, we always ensure that there are sufficient technical and organizational safeguards in place in order to ensure that the recipients process the data in a secure way.

    When we transfer your personal data to a country outside the EU/EEA, we use either the standard contractual clauses or an adequacy decision as a transfer mechanism. In rare cases our service provider who acts as data processor may transfer the personal data to a sub-processor outside the EU/EEA with Binding Corporate Rules as a transfer mechanism. Countries with an adequacy decision can be found here and the standard contractual clauses issued by the European Commission can be found here.

    You can request and receive information about the countries where your personal data is processed and the introduced personal data safeguards by providing written request to us

  • For how long are my personal data stored?

    Procurement

    In procurement process your personal data is retained during the procurement and for a period of 3 years after the end of the procurement in order to satisfy our legitimate interest in managing and responding to legal claims and carry out internal audits.

    Management of cooperation with business partner

    Your personal data in relation to management of cooperation with business partner is preserved during the time that you are the contact person, representative, employee or contractor for the business partner and for a period of 3 years after replacement of respective person in order to meet our legitimate interest in handling and responding to legal claims. Your personal data might be stored longer than indicated if your personal data is 9 included in document what we need to retain for longer period. Then your personal data will be retained for the same period as the document itself.

    When a retention period is specified by national or international laws or regulations, we will comply with such requirements for the specified retention period.

    When there is mutual agreement to extend validity of specific documents, such documents will be retained until the document is valid.

    Communication with potential and existing business partner

    For business communication purposes your personal data is preserved while you are the contact person or representative for the business partner and for a period of 3 years after our last communication (regarding potential cooperation) or 3 years after the end of existing agreement

    Cooperation organization management

    Only for the time necessary for the defined purpose. Recordings are only stored for as long as the content is relevant and necessary

    To fulfil legal obligations

    Wherever we have legal obligation to process your personal data your personal data is retained for the time necessary in relation to the respective legal obligation.

    Access and security management

    Personal data recorded in visitor registration systems and journals will be retained no longer than 1 year.
    Personal data recorded in paper or in other form regarding register of issuance and return of keys will be retained for the whole periods the key is issued to the person.

    Manage, protect and develop our systems and services

    Your data can be retained in backups for no longer than 3 months after your access to our IT environment is terminated. Records of your activities in IT environment, including your user profile and data related to profile needed to provide authorization and authentication services, as well as all your access rights and IT change requests are deleted not later than 18 months after your access to our IT environment is terminated, unless the law requires different retention time. Your data are removed from any support requests at the latest after 13 months after ticket creation date if the ticket is submitted using IT support system managed by us. Your data in technical security systems used to protect our network and IT solutions are retained for 24 months since record creation

    Fraud prevention and management of legal claims

    If data are necessary for management of legal claim, then data will be retained until clarification of identified issue or completion of respective investigation, settlement and full implementation of legal claim. If violation of law or internal guidelines, instructions or other documents or procedures were not discovered during the investigation, data will be retained for one year after the decision to close investigation. If violation of law or internal guidelines, instructions or other documents or procedures were discovered, data will be retained for three years after the decision to close investigation or final implementation of court decision (in case implementation of court decision takes longer than three years). Regarding business partner sanctions checks, data will be stored for 3 years after the end of business relationships with the said partner, unless the law requires different retention time. I

    n the end of set out retention periods we will in a secure way erase or de-identify your personal data so it can no longer be connected to you.

  • Your rights

    Data protection laws give you a number of rights with regards to the processing of your personal data.
    If you want to use the rights indicated below, you should provide as accurate information as possible about the service you or your company provided or about the precise connection with us that you had (e.g. name of the company you work for and who works with us, name of the contract signed with us, date when service was provided, etc.) as well as provide self-identifying information so that we can identify you and recognize it in the systems or documents.

    Access to personal data

    You are entitled to request confirmation from us if we process personal data relating to you, and in such cases request access to the personal data we are processing about you. To carry out mentioned right please contact our contact person mentioned in your contract with us.

    Rectification of personal data

    Furthermore, if you believe that information about you is incorrect or incomplete, you have the right to correct it yourself or ask us to do it.

    Withdrawal of consent

    To the extent that we process your personal data based on your consent, you are entitled to, at any time, withdraw your consent to the personal data processing. To carry out mentioned right please contact our contact person mentioned in your contract with us.

    Objection against processing based on a legitimate interest

    You are entitled to object to personal data processing based on our legitimate interests. However, we will continue to process your data, even if you have objected to it, if we have compelling motivated reasons for continuing to process data. To carry out mentioned right please contact our contact person mentioned in your contract with us.

    Erasure

    Under certain circumstances, you have rights to ask us to delete your personal data. However, this does not apply if we are required by law to keep the data. To carry out mentioned right please contact our contact person mentioned in your contract with us.

    Restriction of processing

    Under certain circumstances, you are also entitled to restrict the processing of your personal data. To carry out mentioned right please contact our contact person mentioned in your contract with us.

    Data portability

    Finally, you have the right to receive or transmit your personal data further to another data controller (“data portability”). This right solely covers only data what you have provided to us based on you consent or on a contract and where processing is carried out by automated means. To carry out mentioned right please contact our contact person mentioned in your contract with us.

  • Who do I contact if I have any questions?

    f you have any questions about the processing of your personal data, please feel free to contact us through the contact person mentioned in your contract with us or contact our Data Protection Officer. If you are not satisfied with the response you received, you are entitled to file a complaint to the Data Protection Authority: In Latvia: Data State Inspectorate (https://www.dvi.gov.lv/) or in Estonia: Data Protection Inspectorate (https://www.aki.ee/) or in Lithuania: State Data Protection Inspectorate( https://vdai.lrv.lt/).

    Contact details of company in charge of handling your personal data

    Each Rimi Baltic group company acts as a separate controller regarding processing of personal data. In certain cases, e.g., when common activities are organised for a common purpose, for instance, on pan-Baltic level, Rimi Baltic group companies may act as joint controllers. Rimi Baltic group companies are responsible for processing your personal data in accordance with this Privacy Policy and with the applicable data protection laws.

    In relation to joint processing, Rimi Baltic group companies have therefore entered into an arrangement for the protection of personal data among themselves and each Rimi Baltic group company involved acting as a joint controller in respect of its own processing of personal data is responsible for establishing a lawful basis; providing necessary personal data processing information, incl. on joint processing; ensuring data subject rights and, when necessary, cooperating among themselves to ensure response to the request received; implementation of appropriate technical and organizational security measures; taking appropriate measures in case of a personal data breach etc. You may exercise your rights in respect of and against each of the joint controllers. In order to ensure that any request can be handled as swiftly as possible, contact details of Rimi Baltic group company that is a contact point for you are mentioned below.

    Towards you the company in charge of handling your personal data is respective company with who you or company you represent cooperates with. It can be one of these companies:

    In Latvia:

    SIA Rimi Latvia, reg. No. 40003053029,
    Legal address: 161 A. Deglava iela, Riga, Latvia, LV 1021
    Phone number: +371 6 7045 409
    Email: info.lv@rimibaltic.com

    SIA Rimi Baltic, reg. No. 40003592957
    Legal address: 161 A. Deglava iela, Riga, Latvia, LV 1021
    Phone number: +371 6 7045 529
    Email: info@rimibaltic.com

    SIA Plesko Real Estate, reg. No. 40003516351
    Legal address: 161 A. Deglava iela, Riga, Latvia, LV 1021
    Phone number: +371 6 7045 409
    Email: relv@rimibaltic.com

    In Lithuania:

    UAB Rimi Lietuva, reg. No. 123715317
    Legal address: Spaudos g. 6-1, Vilnius, Lietuva, 05132
    Phone number: +370 5 2461057
    Email:info.lt@rimibaltic.com

    UAB “Hakonlita”, reg. No. 125018861,
    Legal address: Spaudos g. 6-1, Vilnius, Lietuva, 05132
    Phone number: +370 5 2461057
    Email:info.lt@rimibaltic.com

    In Estonia:

    Rimi Eesti Food AS, reg. No. 10263574
    Legal address: Saue tee 10, Laagri, 76401, Harju maakond, Eesti
    Phone number: +372 605 6333
    Email:info.ee@rimibaltic.com 12

    Kinnisvaravalduse AS, reg. No. 10434202
    Legal address: Saue tee 10, Laagri, 76401, Harju maakond, Eesti
    Phone number: +372 605 6333
    Email:info.ee@rimibaltic.com

    Contact details of the Data Protection Officer

    Email: RimiDPO@rimibaltic.com
    You also can contact our Data protection officer by sending a letter to us at the above-mentioned address and addressing it to the Data protection officer.

Last modified on: May 22, 2025