Purpose, scope and users

“GoPlay”, hereinafter referred to as “Gym365.lv”, seeks to comply with the applicable Personal Data Protection laws of the Gym365.lv countries. This Policy sets out the basic principles for the processing of personal data by Gym365.lv for customers, suppliers, business partners, employees and others and identifies the duties of its departments and employees during the processing of personal data.

This Policy applies to the Gym365.lv and its directly or indirectly subordinate dependent companies established in the European Economic Area (EEA) or processing the personal data of data subjects in the EEA.

The users of this document shall be all employees, legal and natural persons who cooperate with the Gym365.lv and/or work for the Gym365.lv.

Reference Documents

EU General Data Protection Regulation (VDAR) 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC). Applicable to each country in which the Gym365.lv is represented, THE laws and regulations governing the application of THE CONTRACT shall apply. Employee Personal Data Protection Policy, Data retention Policy, Data Audit and Processing Activities Guidelines, Procedures for Data Object Requests Access to Their Data, Data Protection Impact Assessment Guidelines, IT Security Policy, Access Control Policy, IT Department Security Procedures, Device Use Policy, Mobile Devices and Remote Work Policy policy, Anonimisation and pseudo-imification Policy, Encryption Use Policy, Recruitment Notification Procedures.

Definitions

The following definitions of terms used in this document from Article 4 of the General Data Protection Regulation of the European Union:

Personal data:

Any information relating to an identified or identifiable natural person (“Data subject”) who may be identified directly or indirectly, in particular by reference to an identifier, such as the given name, surname, identification number, location data, online identifier or one or more of the physical, physiological, genetic characteristics of that person, factors of economic, cultural or social identity;

Sensitive personal data:

Personal data which, by their nature, are particularly sensitive in relation to fundamental rights and freedoms and therefore deserve special protection, since the context of their processing could pose a serious risk to fundamental rights. This includes personal data revealing race or ethnicity, political beliefs, religious or philosophical beliefs, trade union membership, genetic data, biometric data enabling the unique identification of a natural person, health data or personal sex or sexual orientation.

Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data processor: Natural or legal person, public authority, agency or other body processing personal data on behalf of the controller.

Processing: Any activity or set of activities carried out with or without automated means, such as collection, registration, organisation, structuring, storage, adaptation or transformation, recovery, viewing, use, disclosure by sending, distributing or otherwise making them available, matching or combining, containing, deleting or destroying, dispensation.

Anonymizing: The irreversible anonymisation of personal data, which makes it impossible for the controller or any other person to identify the person concerned within a reasonable time and at reasonable costs and the amount of technological security. The principles of processing personal data do not apply to anonymized data because they are no longer personal data.

Pseudo-imisation: Processing of personal data carried out in such a way that it is no longer possible to link personal data to a particular data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that personal data are not linked to an identified or identifiable individual. Pseudo-imisation decreases, but does not completely eliminate, the possibility of linking personal data to the data subject. Since pseudo-nationalised data are still personal data, pseudo-imised data processing should be carried out in accordance with the principles of the processing of personal data.

Cross-border processing of personal data: Processing of personal data relating to activities carried out in the European Union at the premises of the controller or processor in more than one Member State, where the controller or processor is established in more than one Member State; or processing of personal data relating to activities carried out in the Union by the controller or processor in one place of business; in a location which has a significant impact or is likely to have a significant impact on data subjects in more than one Member State.

Supervisory authority: An independent public authority established by a Member State pursuant to Article 51 of the EU VDAR.

Managing supervisory authority: A supervisory authority whose primary responsibility is to engage in cross-border data processing activities, such as where a data subject submits a complaint concerning the processing of his or her personal data; that authority shall include the obligation to receive cross-border data processing infringement statements, to be informed of unsafe data processing activities and shall have full rights to carry out its obligations to ensure compliance WITH EU vdar rules.

The responsibility of each “local supervisory authority” shall be to take care of personal data protection issues in its territory and to supervise any data processing activities carried out in that territory which affect data subjects or which are carried out by a controller or processor in or outside the European Union, where such data processing relates to a data subject resident in the territory of that institution. Their responsibility and rights include investigating and imposing administrative measures and penalties, promoting public awareness of the risks, rules, security measures and rights associated with the processing of personal data, and obtaining access to all premises of the controller and processor, including any data processing equipment and means.

“GoPlay” Ltd: Gym365.lv and its dependent companies in the EU and EEA territories.

Sales office: Any Gym365.lv-dependent company which has registered its activity in the EU or EEA.

Gym365.lv Data Privacy Team: A group of high-level trained professionals working in Gym365.lv whose composition may change with time, but which always includes seconded persons from the Legal and IT departments and can be contacted at any time when writing to the following e-mail: info@Gym365.lv

Gym365.lv Data Protection: Designed persons from each EEA State in which the Gym365.lv is represented. In most cases, they are human resources and IT managers working in these countries, but they may also be representatives of other departments. Those working in this Gym365.lv are high-level trained personal data processing professionals. For the contact details of specific data guards, please send an appropriate request to the following e-mail: info@Gym365.lv

Basic principles for the processing of personal data

The principles of data protection generally describe the basic obligations of the organisations processing personal data. Article 5(2) of THE VDAR provides that “the controller shall be responsible for compliance with the principles and may demonstrate it”.

4.1. Legality, integrity and transparency

Personal data must be processed legally, in good faith and in a transparent manner by the data subject.

4.2. Purpose limits

Personal data must be collected for specific, clear and legitimate purposes and shall not be further processed in a manner incompatible with those purposes.

4.3. Minimizing data

Personal data must be adequate, relevant and include only what is necessary for their processing purposes. Where possible, Gym365.lv should be anonymized and pseudo-nationalised in order to reduce the risk to the data subjects concerned.

4.4. Accuracy

Personal data must be accurate and, if necessary, updated; reasonable measures must be taken to ensure that inaccurate personal data are deleted or corrected in good time, taking into account the purposes for which they are processed.

4.5. Limitation of the storage period

Personal data must be kept only for as long as necessary for the purposes for which they are processed.

4.6. Integrity and privacy

Gym365.lv should take appropriate technical and organisational measures taking into account available technologies and other security measures, implementation costs and the likelihood and extent of the risk of personal data to process personal data in a manner that ensures adequate security of personal data, including protection against accidental or unlawful destruction, loss, modification, unauthorised disclosure or access.

4.7. Responsibility

Controllers must act in accordance with the principles described above and be able to demonstrate it.

Inclusion of data protection in the business

In order to demonstrate compliance with data protection principles, the organisation should include data protection in its business.

5.1. Communications to data subjects

(See the “Fair Processing Guidelines” section.)

5.2. Selection and consent of data subjects

(See the “Fair Processing Guidelines” section.)

5.3. Collection

Gym365.lv should aim to collect the smallest possible amount of personal data. If personal data are collected from a third party, the Gym365.lv Data Privacy Team must ensure that personal data are collected legally.

5.4. Use, storage and deletion

The purposes, methods, storage limits and period of use of personal data must comply with those specified in the Privacy Notice. Gym365.lv should take care of the accuracy, integrity, confidentiality and appropriateness of personal data for processing purposes. Appropriate personal data security measures should be used to prevent personal data breaches and to prevent personal data from being stolen or used improperly for purpose or misuse. The Gym365.lv Data Privacy Team shall be responsible for meeting the requirements set out in this section.

5.5. Disclosure to third parties

Whenever the Gym365.lv delegates the processing of personal data to a third party (supplier or business partner) on its behalf, the Gym365.lv Data Privacy Team should ensure that this data processor uses security measures appropriate to the risks associated with the processing of personal data. For this purpose, the Gym365.lv Data Handler'S VDAR compliance questionnaire should be used.

Gym365.lv should require such a supplier or business partner to certify contractually that the same level of data protection will be ensured. The supplier or business partner should process personal data only in order to fulfil its contractual obligations against the Gym365.lv or to comply with the instructions of the Gym365.lv, but for no other purpose. When the Gym365.lv processes personal data jointly with an independent third party, the Gym365.lv must clearly indicate its and third party obligations in the relevant contract or in another legally binding document, such as the Gym365.lv in the form of a Personal Data Processing Agreement.

5.6. Cross-border transfer of personal data

Prior to the transmission of personal data outside the European Economic Area (EEA), appropriate safeguards should be used, including the Agreement on the transmission of data (in accordance with the requirements of the European Union) and, if necessary, the relevant Data Protection Authority should be authorised. The recipient of personal data must respect the principles for the processing of personal data laid down in the Procedures for the transmission of data to another country.

5.7. Access rights of data subjects

In the performance of data controller functions, the Gym365.lv Data Privacy Team shall be obliged to provide data subjects with a reasonable access mechanism to access their personal data and to allow them to update, rectify, delete or transmit their personal data if required or required by law. The access mechanism is described in detail in the Procedures by which the data subject requests access to his or her data.

5.8. Data portability

Data subjects shall have the right to request and obtain a copy of their data provided to us in a structured format and to transmit this data to another controller. the Gym365.lv Data Privacy Team is obliged to ensure that such requests are processed within one month, that they are not excessive and that they do not affect the personal data rights of others.

5.9. The right to be forgotten

the Gym365.lv is obliged to delete the personal data of the Data Subject if it so requests. When the Gym365.lv performs the function of the Data controller, the Gym365.lv Data Privacy Team must take the necessary steps (including technical measures) to inform third parties that use or process the data that they must comply with this request.

Fair treatment guidelines

Personal data should only be processed when explicitly authorised by the Gym365.lv Data Privacy Team.

The company should decide whether to carry out an assessment of the impact on data protection for each data processing operation in accordance with the guidelines for Gym365.lv Data Audit and Processing Activities.

6.1. Communications to data subjects

During or before the collection of personal data for the purposes of using such data for any processing operation, including the sale of products or services or marketing activities, the Gym365.lv Data Privacy Team and the Gym365.lv Data Protection obligation in each country of the European Economic Area (EEA) where the Gym365.lv is represented, to make the following information available to data subjects:,