Information regarding processing of personal data of our business partners

We care about your privacy

Your trust is important to us. Our aim is that you feel safe when you share your personal data with us. Personal data is any information that can be used to identify an individual.

We take appropriate measures to ensure that your personal data always is safe with us and that the processing of your personal data is compliant with present data protection laws, our internal policies, guidelines and routines. We have also assigned a Data protection officer whose task is to monitor that we follow these laws, guidelines and routines.

It is important for us to be transparent with how we handle your personal data. In this information text, we therefore describe how and where we process personal data in the context of cooperation with us, through communication, procurement, agreements and other types of business interactions.

This information text is addressed to:

  • our business partners who are natural persons (such as self-employed persons); 
  • the representatives or contact persons of our business partners;
  • contracted specialists or employees of our business partners.

Within this information text term “business partner” means any supplier, service provider, lessee, lessor and any other cooperation what you have with us.

If you (as a natural person or as a legal entity) intend to provide us with personal data about other individuals, you must provide a copy of this information text to the relevant individuals.

  • Which categories of personal data do we collect and why?
    • Procurement

      We process your personal data in order to ensure tendering of goods and services for us and to be sure that business partner meets provisions of our requirements. In connection with the procurement of a new business partner, we need to process your personal data, e.g., to collect contact details as contact person or representative for the business partner prior to an inquiry or a procurement, to retrieve documentation, assess compliance with our standards, invite business partner to take part in procurement etc.

      Categories of personal data

      Legal basis

      Retention period

      Based on the particularities of each procurement process the following categories of personal data might be processed:

      • Identity information
      • Company and position
      • Education
      • Certification
      • Professional experience
      • Contact details

      Additional information in relation to the respective procurement process requirements. This will depend on the type of procurement being undertaken

      Our legitimate interests to organize and coordinate competitive procurement process.

      Your personal data is retained during the procurement and for a period of 3 years after the end of the procurement in order to satisfy our legitimate interest in managing and responding to legal claims and carry out internal audits.

    • Manage cooperation with business partners

      We process your personal data in order to administer our cooperation directly or indirectly with you, e.g., to conclude and execute agreement,  incl. documentation proving authorization, to register your contact details in the business partners registers as representatives of respective entity, to manage business partners declarations, to administer agreement related documents (e.g. invoices, transportation documents, CMR, insurance) and process payments, to manage and archive agreements with business partners, to manage user accounts (e.g., supplier portal), to provide a forecast, to handle an order for a product or service from the company you work for, to handle order confirmations and complaints, to communicate with you regarding fulfilment of cooperation agreement and related changes, to evaluate and follow up our cooperation, e.g., to check that business partner maintains the necessary approvals and certifications, to monitor the quality of provided services.  In some instance we might agree with our business partner to extend the validity of specific documents, for example, insurance policies beyond the term required by law, such document will be retained until document is valid.

      Categories of personal data

      Legal basis

      Retention period

      • Identity information
      • Contact details
      • Company and position
      • Certification, where applicable
      • Authorization data issued by us for information technology systems

      Our legitimate interests to conclude cooperation agreement and fulfil cooperation agreement with the business partner.

      Your personal data is preserved during the time that you are the contact person, representative, employee or contractor for the business partner and for a period of 3 years after replacement of respective person  in order to meet our legitimate interest in handling and responding to legal claims. Your personal data might be stored longer than indicated if your personal data is included in document what we need to retain for longer period. Then your personal data will be retained for the same period as the document itself.

      In cases where retention period for certain documents are set by national or international laws or regulatory enactments, we will comply with such requirements for applicable retention period.

      When there is mutual agreement to extend validity of specific documents, such documents will be retained until document is valid.
    • Communication with potential business partner

      We process your personal data as a contact person or representative of specific company in order to contact you for future cooperation between you, the company you represent and us.

      Categories of personal data

      Legal basis

      Retention period

      • Identity information
      • Contact details
      • Company and position
      Our legitimate interests to communicate with you as representative or contact person of the company

      Your personal data is preserved during the time you are the contact person or representative for the business partner and for a period of 3 years after our last communication.

    • To fulfil legal requirements

      We process your personal data in order to fulfil legal obligations what are applicable to us according to legislation, e.g. record keeping obligations for invoices, management of transportation documents, CMR, obligations in relation with construction works etc. For example, to fulfil legal requirements we are required to process different insurance policies (e.g., including third party liability insurance) and such insurance policies can include your personal data.

      Categories of personal data

      Legal basis

      Retention period

      • Identity information
      • Contact details
      • Company and position
      • Other information required to fulfil legal requirements.

      To fulfil our legal obligation

      Your personal data is retained for the time necessary in relation to the respective legal obligation.

    • Access and security management

      We process your personal data in order to control access to our premises (offices, stores back-office, DCs, etc.) and restricted areas to protect our property, assets and our employees. E.g., to keep track who entered our premises, to issue to you key and keep track on your movement in our property, to assign appropriate gate where to deliver.

      Categories of personal data

      Legal basis

      Retention period

      • Identity information
      • Contact details
      • Host
      • Company and position
      • Information about who and when accessed premises, including time and place of arrival and departure)
      • Car plate registration number, where applicable
      Our legitimate interest to protect our property, assets and our employees

      Personal data recorded in visitor registration systems and journals will be retained no longer than 1 year.

      Personal data recorded in paper or in other form regarding register of issuance and return of keys will be retained for the whole periods the key is issued to the person.
    • Manage, protect and develop our systems and services

      We process your personal data in order to manage, protect and develop our systems and services, e.g., to troubleshoot, log, develop, test and improve our systems and services.

      For the purposes to identify potential threat and fraud or illegal activities and to protect systems and data from unauthorized changes and maintain consistency we log (“audit logs”) your activities (e.g. accessed portal, made changes to data etc.) within our systems to which access to you is granted.

      Categories of personal data

      Legal basis

      Retention period

      • Your – as user activities within our systems (e.g. information about who and when accessed IT environment and activities in IT environment)
      • Authorization data issued to you by us for information technology systems
      • Identity information
      • Contact details
      • IP address

      Our legitimate interests in life-cycle management, protection and development of our systems and services

      Information about activities in IT environment will be retained for 18 months. Information about incidents, problems in IT environment will be retained for 2 years.

    • Fraud prevention and management of legal claims

      We may process your personal data to defend, establish and exercise legal claims, including to prevent fraud or criminal activity, misuses of our products or services.

      Categories of personal data

      Legal basis

      Retention period

      • Identity information
      • Contact details
      • Company and position
      • Other information in relation to legal claim
      Our legitimate interest Till investigation, settlement and implementation of legal claim. If violation of law or internal guidelines, instructions or other documents or procedures were not discovered during the investigation, data will be retained for one year after the decision to close investigation. If violation of law or internal guidelines, instructions or other documents or procedures were discovered, data will be retained for three years after the decision to close investigation or final implementation of court decision (in case implementation of court decision takes longer than three years).
  • From which sources do we collect personal data?
    • Yourself

      We collect the personal data you provide to us directly, either during our communications with you about the company you represent, as part of the procurement or contracting process, or as part of your response to our request for information about your goods, services or our cooperation in general.

    • Business partners

      We collect the personal data from company where you are employed or provide services to, for example, when company provides to us information who will be representing them, informs us who will be the certified specialist carrying out the job or performing delivery, who will visit our premises etc.

    • Rimi Baltic group companies

      Rimi Baltic group companies cooperate with each other and can share your personal information with each other, for example, in connection with a procurement or a purchase of goods or services.

    • ICA Gruppen AB group companies

      ICA Gruppen AB might share to us information about you as the representative or contact person of their business partners.

    • External persons

      We collect personal data that other external persons submit to us, for example, to get in touch with your company.

    • Publicly accessible sources

      In some cases, we collect information that is publicly available, e.g., in public registers or on social media to get in touch with you or company you represent, in connection with a procurement or to manage the business partner relationships.  For example, we might use public register to clarify your qualification for specific job, e.g., construction works, to identify the representative (i.e., chairman of the board, board member) who has authorization to sign agreements.

    • Information systems

      We collect personal data from used technical systems, for example, audit logs of user accounts, access management systems etc.

  • Sharing of personal data
    • Service providers

      We might share your personal data with companies that provides services to us, such as:

      • data hosting services;
      • information system development and maintenance services;
      • transportation service providers;
      • companies involved in related construction project;
      • procurement system service providers;
      • security companies that provide security services.

      These companies can only process your personal data according to our instructions and not use them for other purposes. They are also required by law and our cooperation agreement to protect your personal data.

    • Group companies

      We may share your personal data with relevant Rimi Baltic group companies if it is necessary for achieving defined purposes.

    • ICA Gruppen AB group companies

      We might share to ICA Gruppen AB companies’ information about you as the representative or contact person of our business partner.

    • Law enforcement authorities, state and local government institutions

      To fulfil our legal obligation, we may transfer your personal data to law enforcement authorities, state and local government institutions upon their request and/or required so by law. We may also transfer your personal data to law enforcement authorities, state and local government institutions in order to meet our legitimate interest in establishing, claiming and defending legal claims and prevent fraud.

    • Other companies

      We may share your name, surname, title, information about company you represent, your contact details, with other companies who act as separate data controller, for example, companies involved in related construction project who are separate data controller for specific activities, auditor companies, insurance companies, debt collection companies, legal service providers.

      As well we might share mentioned information to ensure that you can access respective premises what are under other company access control or receive needed keys.

      In some cases, when you have provided us services in construction or other area, for example, drafting of construction design, we might publicise this document/information in procurement systems for procurement purposes to engage necessary other business partners. Such publication might include reference to the author of particular document, i.e., you, and can be seen by other companies.

      We might transfer your personal data to our business partners to fulfil their legal obligations, for example, to register individuals located at the construction site in state controlled electronic time recording system.

  • Where do we process your personal data?

      We always aim to process your personal data within EU/EEA.

      In certain cases, your personal data might be transferred or processed in a country outside EU/EEA. For example, in case of international transportation deliveries, we transfer your personal data to service provider in respective country in order to enable successful transportation of goods in accordance with CMR convention. To ensure that your personal data are protected at all times, we make sure that the adequate safeguards are in place, for example, whether the country in question ensures an adequate level of protection of personal data. We also enter into a data processing agreement with the service provider and impose an obligation on it to protect the data to the same level as we do. You can request and receive information about the countries where your personal data are processed and the introduced personal data safeguards by providing written request to us.

  • For how long are my personal data stored?
    • Procurement

      In procurement process your personal data is retained during the procurement and for a period of 3 years after the end of the procurement in order to satisfy our legitimate interest in managing and responding to legal claims and carry out internal audits.

    • Management of cooperation with business partner

      Your personal data in relation to management of cooperation with business partner is preserved during the time that you are the contact person, representative, employee or contractor for the business partner and for a period of 3 years after replacement of respective person in order to meet our legitimate interest in handling and responding to legal claims. Your personal data might be stored longer than indicated if your personal data is included in document what we need to retain for longer period. Then your personal data will be retained for the same period as the document itself. When there is mutual agreement to extend validity of specific documents, such documents will be retained until document is valid.

    • Communication with potential business partner

      For business communication purposes your personal data is preserved during the time you are the contact person or representative for the business partner and for a period of 3 years after our last communication.

    • To fulfil legal obligations

      Wherever we have legal obligation to process your personal data your personal data is retained for the time necessary in relation to the respective legal obligation.

    • Access and security management

      Personal data recorded in visitor registration systems and journals will be retained no longer than 1 year.

      Personal data recorded in paper or in other form regarding register of issuance and return of keys will be retained for the whole periods the key is issued to the person.

    • Manage, protect and develop our systems and services

      Information about activities in IT environment will be retained for 18 months. Information about incidents, problems in IT environment will be retained for 2 years.

    • Fraud prevention and management of legal claims

      If data are necessary for management of legal claim then data will be retained till clarification of identified issue or completion of respective investigation, settlement and full implementation of legal claim. If violation of law or internal guidelines, instructions or other documents or procedures were not discovered during the investigation, data will be retained for one year after the decision to close investigation. If violation of law or internal guidelines, instructions or other documents or procedures were discovered, data will be retained for three years after the decision to close investigation or final implementation of court decision (in case implementation of court decision takes longer than three years).

      In the end of set out retention periods we will in a secure way erase or de-identify your personal data so it can no longer be connected to you.

  • Your rights

      Data protection laws give you a number of rights with regards to the processing of your personal data.

      If you want to use the rights indicated below, you should provide as accurate information as possible about the service you or your company provided or about the precise connection with us that you had (e.g. name of the company you work for and who works with us, name of the contract signed with us, date when service was provided, etc.) as well as provide self-identifying information so that we can identify you and recognize it in the systems or documents.

    • Access to personal data

      You are entitled to request confirmation from us if we process personal data relating to you, and in such cases request access to the personal data we are processing about you. To carry out mentioned right please contact our contact person mentioned in your contract with us.

    • Rectification of personal data

      Furthermore, if you believe that information about you is incorrect or incomplete, you have the right to correct it yourself or ask us to do it.

    • Withdrawal of consent

      To the extent that we process your personal data based on your consent, you are entitled to, at any time, withdraw your consent to the personal data processing. To carry out mentioned right please contact our contact person mentioned in your contract with us.

    • Objection against processing based on a legitimate interest

      You are entitled to object to personal data processing based on our legitimate interests. However, we will continue to process your data, even if you have objected to it, if we have compelling motivated reasons for continuing to process data. To carry out mentioned right please contact our contact person mentioned in your contract with us.

    • Erasure

      Under certain circumstances, you have rights to ask us to delete your personal data. However, this does not apply if we are required by law to keep the data. To carry out mentioned right please contact our contact person mentioned in your contract with us.

    • Restriction of processing

      Under certain circumstances, you are also entitled to restrict the processing of your personal data. To carry out mentioned right please contact our contact person mentioned in your contract with us.

    • Data portability

      Finally, you have the right to receive or transmit your personal data further to another data controller (“data portability”). This right solely covers only data what you have provided to us based on you consent or on a contract and where processing is carried out by automated means. To carry out mentioned right please contact our contact person mentioned in your contract with us.

  • Who do i contact if i have any questions?

      If you have any questions about the processing of your personal data, please feel free to contact us through our contact person mentioned in your contract with us or contact our Data protection officer. If you are not satisfied with the response you received, you are entitled to file a complaint with the Data Inspectorate.

    • Contact details of company in charge of handling your personal data

      Towards you the company in charge of handling your personal data is respective company with who you or company you represent cooperates with. It can be one of these companies:

      SIA Rimi Latvia, reg. No. 40003053029,
      Legal address: 161 A. Deglava iela, Riga, Latvia, LV 1021
      Phone number: +371 6 7045 409
      Email: info.lv@rimibaltic.com

      SIA Rimi Baltic, reg. No. 40003592957
      Legal address: 161 A. Deglava iela, Riga, Latvia, LV 1021
      Phone number: +371 6 7045 529 
      Email: info@rimibaltic.com

      SIA Plesko Real Estate, reg. No. 40003516351
      Legal address: 161 A. Deglava iela, Riga, Latvia, LV 1021
      Phone number: +371 6 7045 409
      Email: relv@rimibaltic.com

      SIA Deglava Real Estate, reg. No. 40003785181
      Legal address: 161 A. Deglava iela, Riga, Latvia, LV 1021
      Phone number: +371 6 7045 409
      Email: relv@rimibaltic.com

    • Contact details of the Data Protection Officer

      Email: RimiDPO@rimibaltic.com  

      You also can contact our Data protection officer by sending a letter to us at the above-mentioned address and addressing it to the Data protection officer.