Modified on 2022-03-08

Business partner privacy policy

We care about your privacy

Your trust is important to us. Our aim is that you feel safe when you share your personal data with us. Personal data is any information that can be used to identify an individual.

We take appropriate measures to ensure that your personal data is always safe with us and that the processing of your personal data is compliant with present data protection laws, our internal policies, guidelines and routines. We have also assigned a Data protection officer whose task is to monitor that we follow these laws, guidelines and routines.

It is important for us to be transparent with how we handle your personal data. In this information text, we therefore describe how and where we process personal data in the context of cooperation with us, through communication, procurement, agreements and other types of business interactions.

This information text is addressed to:

  • our business partners who are natural persons (such as self-employed persons);
  • the representatives or contact persons of our business partners;
  • contracted specialists or employees of our business partners.

Within this information text, the term “business partner” means any supplier, service provider, lessee, lessor and any other cooperation that you have with us.

If you (as a natural person or as a legal entity) intend to provide us with personal data about other individuals, you must provide a copy of this information text to the relevant individuals.

  • Which categories of personal data do we collect and why

    Procurement

    We process your personal data in order to ensure tendering of goods and services for us and to be sure that the business partner meets our requirements. In connection with the procurement of a new business partner, we need to process your personal data, e.g., to collect contact details of the contact person or representative of the business partner prior to an inquiry or a procurement, to retrieve documentation, to assess compliance with our standards, to invite the business partner to take part in procurement etc.

    Categories of personal data (based on the particularities of each procurement process, the following categories of personal data might be processed):
    • Identity information, e.g., name, surname, username etc.
    • Company information, e.g., name of the company, person’s job title etc.
    • Competence data, e.g., professional experience, education, certifications, courses, language skills etc.
    • Contact details, e.g., email, phone number, address etc.
    • Additional information in relation to the respective procurement process requirements. This will depend on the type of procurement being undertaken.

    Legal basis: Our legitimate interests to organize and coordinate competitive procurement process.

    Retention period: See section “For how long are my personal data stored?”

    Manage cooperation with business partners

    We process your personal data in order to administer our cooperation directly or indirectly with you, e.g., to conclude and execute an agreement, incl. documentation proving authorization, to register your contact details in the business partner registers as representatives of the respective entity, to manage business partner declarations, to administer agreement-related documents (e.g., invoices, transportation documents, CMR, insurance) and process payments, to manage and archive agreements with business partners, to manage user accounts (e.g., supplier portal), to provide a forecast, to handle an order for a product or service from the company you work for, to handle order confirmations and complaints, to communicate with you regarding fulfilment of the cooperation agreement and related changes, to evaluate and follow up our cooperation, e.g., to check that the business partner maintains the necessary approvals and certifications, to monitor the quality of provided services. In some instances we might agree with our business partner to extend the validity of specific documents, for example, insurance policies, beyond the term required by law; such a document will be retained until the document is valid.

    Categories of personal data:
    • Identity information, e.g., name, surname, username etc.
    • Contact details, e.g., email, phone number, address etc.
    • Company information, e.g., name of the company, person’s job title etc.
    • Competence data, e.g., professional experience, education, certifications, courses, language skills etc.
    • Authentication information, e.g., information on electronic signature, a password, a secret question, a verification code etc.

    Legal basis: To conclude cooperation agreement and fulfil cooperation agreement with the business partner.

    Retention period: See section “For how long are my personal data stored?”

    Communication with potential business partner

    We process your personal data as a contact person or representative of specific company in order to contact you for future cooperation between you, the company you represent and us.

    Categories of personal data:
    • Identity information, e.g., name, surname, username etc.
    • Contact details, e.g., email, phone number, address etc.
    • Company information, e.g., name of the company, person’s job title etc.

    Legal basis: Our legitimate interests to communicate with you as representative or contact person of the company.

    Retention period: See section “For how long are my personal data stored?”

    To fulfil legal requirements

    We process your personal data in order to fulfil legal obligations that are applicable to us according to legislation, e.g., record keeping obligations for invoices, management of transportation documents, CMR, obligations in relation to construction works etc. For example, to fulfil legal requirements we are required to process different insurance policies (e.g., including third party liability insurance) and such insurance policies can include your personal data.

    Categories of personal data:
    • Identity information, e.g., name, surname, username etc.
    • Contact details, e.g., email, phone number, address etc.
    • Company information, e.g., name of the company, person’s job title etc.
    • Other information required to fulfil legal requirements.

    Legal basis: To fulfil our legal obligation.

    Retention period: See section “For how long are my personal data stored?”

    Access and security management

    We process your personal data in order to control access to our premises (offices, store back-offices, DCs, etc.) and restricted areas to protect our property, assets and our employees, e.g., to keep track of who entered our premises, to issue a key to you and keep track of your movement in our property, to assign the appropriate gate for delivery, to ensure access to our parking lots.

    Categories of personal data:
    • Identity information, e.g., name, surname, username, registration number of the vehicle etc.
    • Contact details, e.g., email, phone number, address etc.
    • Company information, e.g., name of the company, person’s job title etc.
    • Information about situation, e.g., type of situation, time and date when situation occurred, description of situation, accompanying documents etc.

    Legal basis: Our legitimate interest to protect our property, assets and our employees.

    Retention period: See section “For how long are my personal data stored?”

    Manage, protect and develop our systems and services

    We process your personal data in order to manage, protect and develop our systems and services, e.g., to troubleshoot, log, develop, test and improve our systems and services.
    In order to identify potential threats, fraud or illegal activities, to protect systems and data from unauthorized changes and to maintain consistency, we log your activities (“audit logs”), e.g., accessing a portal or making changes to data, within our systems to which you have been granted access.

    Categories of personal data:
    • Identity information, e.g., name, surname, username, registration number of the vehicle etc.
    • Contact details, e.g., email, phone number, address etc.
    • Company information, e.g., name of the company, person’s job title etc.
    • Information about situation, e.g., type of situation, time and date when situation occurred, description of situation, accompanying documents etc.

    Legal basis: Our legitimate interest to protect our property, assets and our employees.

    Retention period: See section “For how long are my personal data stored?”

    Fraud prevention and management of legal claims

    We may process your personal data to defend, establish and exercise legal claims, including to prevent fraud, criminal activity or misuse of our products or services.

    Categories of personal data:
    • Identity information, e.g., name, surname, username etc.
    • Contact details, e.g., email, phone number, address etc.
    • Company information, e.g., name of the company, person’s job title etc.
    • Other information in relation to legal claim.

    Legal basis: Our legitimate interest.

    Retention period: See section “For how long are my personal data stored?”

  • From which sources do we collect personal data?

    Yourself

    We collect the personal data you provide to us directly, either during our communications with you about the company you represent, as part of the procurement or contracting process, or as part of your response to our request for information about your goods, services or our cooperation in general.

    Business partners

    We collect personal data from the company where you are employed or to which you provide services, for example, when the company informs us who will be representing them, who will be the certified specialist carrying out the job or performing delivery, who will visit our premises etc.

    Rimi Baltic group companies

    Rimi Baltic group companies cooperate with each other and can share your personal information with each other, for example, in connection with a procurement or a purchase of goods or services.

    ICA Gruppen AB group companies

    ICA Gruppen AB might share with us information about you as the representative or contact person of their business partners.

    External persons

    We collect personal data that other external persons submit to us, for example, to get in touch with your company.

    Publicly accessible sources

    In some cases, we collect information that is publicly available, e.g., in public registers (e.g., Commercial register, Real estate register) or on social media, to identify a representative of our business partner, to get in touch with you or the company you represent, in connection with a procurement or to manage the business partner relationships, to check properties for possible real estate development projects. For example, we might use a public register to clarify your qualification for a specific job, e.g., construction works, or to identify the representative (i.e., chairman of the board, board member) who has authorization to sign agreements.

    Information systems

    We collect personal data from the technical systems in use, for example, audit logs of user accounts, access management systems etc.

  • Sharing of personal data

    Service providers

    We might share your personal data with companies that provide services to us, such as:

    • data hosting services;
    • information system development and maintenance services;
    • transportation service providers;
    • companies involved in related construction project;
    • procurement system service providers;
    • supplier management system service providers;
    • security companies that provide security services.

    These companies can only process your personal data according to our instructions and not use them for other purposes. They are also required by law and our cooperation agreement to protect your personal data.

    Group companies

    We may share your personal data with relevant Rimi Baltic group companies if it is necessary for achieving defined purposes.

    ICA Gruppen AB group companies

    We might share information about you as the representative or contact person of our business partner with ICA Gruppen AB companies.

    Law enforcement authorities, state and local government institutions

    To fulfil our legal obligation, we may transfer your personal data to law enforcement authorities, state and local government institutions upon their request and/or when required by law. We may also transfer your personal data to law enforcement authorities, state and local government institutions in order to meet our legitimate interest in establishing, claiming and defending legal claims and preventing fraud.

    Other companies

    We may share your name, surname, title, information about the company you represent and your contact details with other companies that act as separate data controllers, for example, companies involved in a related construction project that are separate data controllers for specific activities, auditor companies, insurance companies, debt collection companies, legal service providers.
    We might also share the mentioned information to ensure that you can access the respective premises that are under another company’s access control or receive the needed keys.
    In some cases, when you have provided us services in construction or another area, for example, drafting of a construction design, we might publicise this document/information in procurement systems for procurement purposes to engage other necessary business partners. Such publication might include a reference to the author of the particular document, i.e., you, and can be seen by other companies.
    We might transfer your personal data to our business partners to fulfil their legal obligations, for example, to register individuals located at the construction site in the state controlled electronic time recording system.

  • Where do we process your personal data?

    We always aim to process your personal data within EU/EEA.

    In certain cases, your personal data might be transferred or processed in a country outside of EU/EEA, when processing is performed by our engaged service providers. For example, in case of international transportation deliveries, we transfer your personal data to the service provider in the respective country in order to enable successful delivery of goods in accordance with the CMR Convention. To ensure that your personal data are protected at all times, we make sure that adequate safeguards are in place, for example, whether the country in question ensures an adequate level of protection of personal data. We also enter into a data processing agreement with the service provider and impose an obligation on it to protect the data to the same level as we do. You can request and receive information about the countries where your personal data are processed and the introduced personal data safeguards by providing a written request to us.

  • For how long are my personal data stored?

    Procurement

    In the procurement process your personal data is retained during the procurement and for a period of 3 years after the end of the procurement in order to satisfy our legitimate interest in managing and responding to legal claims and carrying out internal audits.

    Management of cooperation with business partner

    Your personal data in relation to management of cooperation with the business partner is preserved during the time that you are the contact person, representative, employee or contractor for the business partner and for a period of 3 years after replacement of the respective person in order to meet our legitimate interest in handling and responding to legal claims. Your personal data might be stored longer than indicated if your personal data is included in a document that we need to retain for a longer period. Then your personal data will be retained for the same period as the document itself. When there is mutual agreement to extend the validity of specific documents, such documents will be retained until the document is valid.

    Communication with potential business partner

    For business communication purposes your personal data is preserved during the time you are the contact person or representative for the business partner and for a period of 3 years after our last communication.

    To fulfil legal obligations

    Wherever we have a legal obligation to process your personal data, your personal data is retained for the time necessary in relation to the respective legal obligation.

    Access and security management

    Personal data recorded in visitor registration systems and journals will be retained no longer than 1 year.
    Personal data recorded on paper or in another form regarding the register of issuance and return of keys will be retained for the whole period the key is issued to the person.

    Manage, protect and develop our systems and services

    Information about activities in IT environment will be retained for 18 months. Information about incidents, problems in IT environment will be retained for 2 years.

    Fraud prevention and management of legal claims

    If data are necessary for management of a legal claim, then data will be retained till clarification of the identified issue or completion of the respective investigation, settlement and full implementation of the legal claim. If a violation of law or internal guidelines, instructions or other documents or procedures was not discovered during the investigation, data will be retained for one year after the decision to close the investigation. If a violation of law or internal guidelines, instructions or other documents or procedures was discovered, data will be retained for three years after the decision to close the investigation or final implementation of the court decision (in case implementation of the court decision takes longer than three years).

    At the end of the set out retention periods we will securely erase or de-identify your personal data so it can no longer be connected to you.

  • Your rights

    Data protection laws give you a number of rights with regards to the processing of your personal data.
    If you want to use the rights indicated below, you should provide as accurate information as possible about the service you or your company provided or about the precise connection with us that you had (e.g. name of the company you work for and who works with us, name of the contract signed with us, date when service was provided, etc.) as well as provide self-identifying information so that we can identify you and recognize it in the systems or documents.

    Access to personal data

    You are entitled to request confirmation from us if we process personal data relating to you, and in such cases request access to the personal data we are processing about you. To exercise this right, please contact our contact person mentioned in your contract with us.

    Rectification of personal data

    Furthermore, if you believe that information about you is incorrect or incomplete, you have the right to correct it yourself or ask us to do it.

    Withdrawal of consent

    To the extent that we process your personal data based on your consent, you are entitled to withdraw your consent to the personal data processing at any time. To exercise this right, please contact our contact person mentioned in your contract with us.

    Objection against processing based on a legitimate interest

    You are entitled to object to personal data processing based on our legitimate interests. However, we will continue to process your data, even if you have objected to it, if we have compelling motivated reasons for continuing to process data. To exercise this right, please contact our contact person mentioned in your contract with us.

    Erasure

    Under certain circumstances, you have the right to ask us to delete your personal data. However, this does not apply if we are required by law to keep the data. To exercise this right, please contact our contact person mentioned in your contract with us.

    Restriction of processing

    Under certain circumstances, you are also entitled to restrict the processing of your personal data. To exercise this right, please contact our contact person mentioned in your contract with us.

    Data portability

    Finally, you have the right to receive or transmit your personal data further to another data controller (“data portability”). This right covers only data that you have provided to us based on your consent or on a contract and where processing is carried out by automated means. To exercise this right, please contact our contact person mentioned in your contract with us.

  • Who do I contact if I have any questions?

    If you have any questions about the processing of your personal data, please feel free to contact us through our contact person mentioned in your contract with us or contact our Data protection officer. If you are not satisfied with the response you received, you are entitled to file a complaint with the Data Inspectorate.

    Contact details of company in charge of handling your personal data

    Towards you, the company in charge of handling your personal data is the respective company with which you or the company you represent cooperates. It can be one of these companies:

    SIA Rimi Latvia, reg. No. 40003053029,
    Legal address: 161 A. Deglava iela, Riga, Latvia, LV 1021
    Phone number: +371 6 7045 409
    Email: info.lv@rimibaltic.com

    SIA Rimi Baltic, reg. No. 40003592957
    Legal address: 161 A. Deglava iela, Riga, Latvia, LV 1021
    Phone number: +371 6 7045 529
    Email: info@rimibaltic.com

    SIA Plesko Real Estate, reg. No. 40003516351
    Legal address: 161 A. Deglava iela, Riga, Latvia, LV 1021
    Phone number: +371 6 7045 409
    Email: relv@rimibaltic.com

    SIA Deglava Real Estate, reg. No. 40003785181
    Legal address: 161 A. Deglava iela, Riga, Latvia, LV 1021
    Phone number: +371 6 7045 409
    Email: relv@rimibaltic.com

    Contact details of the Data Protection Officer

    Email: RimiDPO@rimibaltic.com
    You also can contact our Data protection officer by sending a letter to us at the above-mentioned address and addressing it to the Data protection officer.

Last modified on: March 8, 2022