PRIVACY POLICY

Gym Latvija SIA (‘Gym Latvija’ or ‘we’) values its clients (‘you’) feeling well and safe with us. This is why we will make sure to protect your personal data that we have access to.

The objective of this Privacy Policy is to explain to you the purposes for which we will collect and use your personal data, as well as your rights that pertain to your personal data.

This Privacy Policy applies to you if you are our client, whether you have signed a service agreement or not (e.g. visiting us during our open days), if you subscribe to our newsletter, if you have expressed interest in receiving our offer, or if you have submitted a request for information on our website.

1. Personal data controller

Gym Latvija SIA
Registration Number: 40203226256
Address: Ernesta Birznieka Upīša iela 21E, Rīga, LV-1011
E-mail: info@gymlatvija.lv

2. How do we process personal data?

The personal data that we use depend on what data you disclose to us. Certain data is required for us to provide our services and enter into an agreement with you – this data is marked with an asterisk (*) and is mandatory in both paper and electronic forms. Providing other information, such as adding your picture to your user account, is up to you.

Depending on the above circumstances, we may collect and process the following data:

  • Personal details: name and surname, personal identity number, date of birth, photo
  • Contact details: phone number, e-mail address, residence address, language of communication
  • Surveillance camera recordings: recordings by video surveillance cameras installed in our sports clubs to protect people and property
  • Service data: these data represent your activity in relation to the use of our services, e.g. purchase of products and services from Gym Latvija, information about possible breaches of agreements with us, etc.
  • Incoming and outgoing e-mail correspondence: with clients and potential clients
  • Payment instrument data: payment card number, type, validity period and CVV/CVC authentication code in an incomplete amount and in an indecipherable form

3. What are the purposes and legal grounds for our processing your personal data?

The processing of personal data has various purposes, and every processing activity must be based on specific legal grounds. Gym Latvija processes your personal data based on the following legal grounds:

3.1. Processing of data necessary to perform an agreement

We process data based on these legal grounds if it is necessary to conclude an agreement with you, or in order to carry out the activities necessary for signing an agreement, on your request.

3.2. Processing of data necessary for compliance with a legal obligation of Gym Latvija

In some cases, we must process your personal data because we are required to do so by applicable laws and regulations. If such processing is required by law, neither we nor you can affect the processing of your data.

3.3. Processing of data based on a legitimate interest of Gym Latvija

Legitimate interest means that, while we do not have to directly process your data to perform our contractual or legal obligations, the processing is still necessary. It may be necessary to improve our products and services, to your benefit, to protect our property, clients and employees using surveillance cameras, or to make business decisions on the basis of statistics. Because processing based on legitimate interest does not involve any legal obligation or contractual necessity to process your data, and because we do not request your consent for processing your data in this case, you have the right to request information about the processing, or to object to the processing if you believe that the processing of your data for the purposes specified in the table below infringes on your rights.

3.4. Data processing on the basis of your consent

In certain situations, we may need your consent to the processing of your personal data, e.g. for direct marketing and in other cases when we do not have any other legal grounds for the processing, but we would still like to process your data.

You may always revoke your consent (either in each case of consent individually, or all of them at once) via your user account in our client portal, or by sending us an e-mail message at info@gymlatvija.lv. If you revoke your consent, we will stop the processing of your data for the purposes, for which the consent was originally issued. Revocation of consent will not affect the legality of processing based on that consent prior to its revocation.

You may always prohibit us from sending you direct marketing offers and messages via e-mail and/or phone, by sending us a corresponding e-mail message to info@gymlatvija.lv, or by clicking on the unsubscribe link provided at the bottom of every direct marketing message.

The table below contains some of the purposes and the legal grounds for our processing your personal data.

| Purpose of processing | Type of personal data | Legal basis for data processing |
| --- | --- | --- |
| Pre-contractual activities (offer requests and replies to such requests) | Personal data, contact details | Fulfilment of the agreement |
| Payments (billing, receipt of payments) | Personal data, contact details | Fulfilment of the agreement |
| Establishment and maintenance of contractual relationships with clients (signing of agreements, provision of information on the performance of agreements) | Personal details, contact details, service data | Fulfilment of the agreement |
| Calculation and management of fees associated with the services used by the client | Personal details, service data | Fulfilment of the agreement |
| Management of events and circumstances that affect the provision of services to clients (provision of information, resolving complaints) | Personal data, contact details | Fulfilment of the agreement |
| Client identification | Personal data, contact details | Fulfilment of the agreement |
| Ensuring control of regular, automatic subscription payments to clients (invoice payment) | Payment instrument data (incomplete) | Fulfilment of the agreement |
| Accounting (including the storage of main accounting documents) | Personal data, contact details | Legal obligation |
| Reporting of personal data breaches to the Latvian Data State Inspectorate and the data subject | Personal details, contact details, service data | Legal obligation |
| Provision of replies to requests by public bodies and government agencies | Personal data, contact details | Legal obligation |
| Improvement of Gym Latvija services | Personal data, contact details | Legitimate interests |
| Circulation of data within the company | Personal details, contact details, service data | Legitimate interests |
| Use of video surveillance cameras in Gym Latvija sports clubs for protecting its property, employees, clients and data (see Section 8 for more information about the use of surveillance cameras) | Video surveillance recordings | Legitimate interests |
| Establishment and maintenance of relations with clients (replies to requests, general customer service, sharing of information) | Personal details, contact details, service data | Legitimate interests |
| General service statistics | Anonymised data | Legitimate interests |
| Provision of evidence against claims of inappropriate services and/or non-fulfilment of contractual obligations, as well as provision of evidence against any legal action that may occur due to any violation; Customer service improvement and supervision | Incoming and outgoing e-mail correspondence with clients and potential clients | Legitimate interests |
| Quality control and improvement of customer service | Payment instrument data (incomplete) | Legitimate interests |
| Direct marketing (e-mail, SMS) | Personal data, contact details | Consent |

4. Who can process your personal data in addition to Gym Latvija?

If this is necessary to achieve the purpose of processing your personal data, we may share your data with the following third parties:

  • Other companies in our group: we may share your data with other companies in our group (all of which are located in the European Union) if this is necessary for making management decisions and advancing the activities of the group, as well as for using shared data systems.
  • Parties that provide us with their services: your data may become available to various parties that provide us with the following services: company software providers, IT management and maintenance service providers, e-mail server service providers, auditors, lawyers, data analysis software developers, data collection service providers.
  • Payment service providers: in order to fulfill the concluded Agreement with you and to provide you with Services, including for us to receive payment for the Service you have chosen and to provide the Service in accordance with the Agreement, our website contains links to third-party websites that process your personal data as independent controllers (including AS LHV PANK, that uses and processes the payment instrument data provided by you, including the payment card number, type, validity period and CVV/CVC authentication codes). We are entitled to withhold payments for Services automatically in accordance with the terms of the Agreement (including through the operator) without your separate consent, for the transfer of such fees (unless the payment terms of a specific Service provide for other payment procedures). The payment instrument data we have is in an incomplete amount and in an indecipherable form. Your payment instrument data in its full, usable volume is processed by AS LHV Pank as the independent controller and by its processor AS EveryPay, who process personal data in accordance with their privacy policies, which are available on their websites.
  • Extrajudicial debt recovery service providers: to protect our legal rights or in cases where You have not properly fulfilled your contractual obligations (for example, to persons who provide us with extrajudicial debt recovery services on the basis of an Agreement, including, but not limited to, SIA “Julianus Portfolio”, registration number 40203088409, etc.). If You do not fulfill your obligations under the Agreement, we have the right to provide information about your debt without your separate consent, by transferring your personal data for processing to extrajudicial debt recovery service providers – for inclusion in debt history databases, as a result of which the mentioned information will be processed in accordance with the applicable regulatory laws and the information will be transferred to third parties for the assessment of the Client’s creditworthiness or third party credit risk management. Your data from credit history and debt history databases will be disclosed to third parties.
  • To credit bureaus: if you do not fulfill your obligations under the Agreement, we have the right to provide information about your debt without your separate consent, transferring your personal data for processing to credit bureaus for inclusion in credit history databases, as a result of which such data will be processed in accordance with the applicable laws and regulations and the information will be transferred to third parties for the evaluation of the creditworthiness of third parties or for the management of credit risk of third parties. Your data from credit history and debt history databases will be disclosed to third parties.
  • Public bodies and government agencies (e.g. police, courts, Latvian Data State Inspectorate): we will only disclose your data to these organisations if we are legally bound to.

If we share your personal data with the above parties, we will ensure that your personal data are protected by signing a data protection agreement with these parties (except for public bodies and government agencies).

We will not store or share your data outside the European Economic Area.

5. How long will we store your personal data?

Your personal data will be stored for as long as required by applicable laws and regulations, and for as long as it is necessary to achieve the purposes for processing specified in this Privacy Policy. A few examples of data storage periods are provided below.

| Storage period | Examples |
| --- | --- |
| 1 month (after the beginning of the new recording) | Video surveillance recordings |
| 6 months | Data about the persons who requested an offer or submitted other requests, and with whom no client agreements have been signed |
| 10 years (after the expiration or termination of the agreement) | Data about client agreements and services, to protect us against possible claims, or to be able to file legal action to protect ourselves and our rights |
| 5 to 10 years (after the expiration or termination of the agreement) | Main accounting documents (e.g. client agreements and invoices) |
| 10 years (after the e-mail or audio recording date) | Incoming and outgoing e-mail correspondence with clients and potential clients |
| Until the revocation of consent to personal data processing | This includes the processing of data that takes place based on your consent, e.g. direct marketing offers or notifications sent via e-mail or SMS. |
| 6 months after termination of the contractual relationship or until revocation | Payment instrument data in incomplete, undecipherable form |

For more details about the storage of your personal data, send an e-mail request to info@gymlatvija.lv.

6. Security of your personal data

Gym Latvija has established the legal, organisational, physical and technical security measures necessary to protect your personal data. Examples of some of the measures we use include:

Physical measures: paper documents containing personal data are stored in locked rooms and cabinets that can only be accessed by specific employees for the purposes of their work; the data processing rooms and IT systems are sufficiently protected against fires, overheating, water and blackouts.

Technical measures: video surveillance; the computer workstations of all employees are secured with password-protected screensavers switched on when the employee leaves their workplace; it is ensured that our IT system refuses to accept new sign-in attempts and locks the user name, if the number of access attempts exceeds its limit; it is ensured that highly-vulnerable systems (e.g. laptops, smartphones) are sufficiently protected (with encryption and other measures).

Organisational measures: all IT system users are assigned roles and profiles; it is ensured that the access rights of an employee are revoked once that employee leaves Gym Latvija; it is ensured that rooms where personal data are processed cannot be accessed from public areas.

If we use external service providers for data processing, we conclude data protection agreements with them, requiring the service providers (i) to introduce appropriate measures ensuring the privacy and security of personal data, and (ii) to protect personal data in accordance with the requirements arising from applicable laws and regulations.

7. Your rights pertaining to your personal data

Right of access: you are entitled to know what data about you we store, for what purposes we process and to what parties we disclose these data; how long these data will be stored for; what your rights are in terms of restricting the processing as well as correcting, erasing or processing these data.

Right to rectification: you are entitled to make us correct your personal data if these data are inaccurate or incomplete. You may also correct these data yourself, via your user account.

Right to erasure: in certain conditions, you are entitled to request that your personal data be deleted, mostly if we no longer need these data, if you revoke your consent that you previously granted for the processing of your data, or if we have been processing your data illegally.

Right to restriction of processing: in certain conditions, you are entitled to prohibit or restrict the processing of your personal data for a specific period of time (e.g. if you have objected to the processing of these data).

Right to object: you are entitled to object to any processing of data based on legitimate interests of Gym Latvija, including any profiling, based on our legitimate interests. We will stop the processing of your personal data if you submit your objection to such processing, unless we have compelling and legitimate reasons to continue the processing, or if the processing is necessary to submit, pursue and protect legal action. You are also entitled to object to the processing of your personal data in relation to direct marketing at any time. Having received such an objection, we will cease the processing of your personal data for direct marketing.

Right to data portability: if the processing of your personal data is based on your consent or a contract between us, and if the data are processed automatically, you are entitled to access (in a structured, commonly used and machine-readable format) the data related to you that you have provided us with. You are also entitled to request that Gym Latvija directly transmit these data to another service provider, if this is technically feasible.

If you would like to use any of the above rights, please e-mail us at info@gymlatvija.lv. In order to reply to your question, we must first confirm your identity, to prevent unauthorised parties from accessing these data. We will answer your questions within 30 days.

8. Use of video surveillance

All Gym Latvija sports clubs use surveillance cameras to protect their staff and clients, as well as the property of Gym Latvija, its staff and clients, and to ensure the security of athletic activities. The surveillance cameras are also used to detect violations of the internal rules of Gym Latvija (including the incorrect use of sports club access cards).

The surveillance cameras are set up in the sports clubs such that they can monitor entrance gates, changing room entrances, gyms and recreation rooms. This means that clients in these zones can be recorded by these cameras. A summary of the provisions governing the video surveillance we conduct is provided below.

Legal grounds for using the camera: legitimate interest

  • Brief description of the surveillance system: fixed, digital, with zoom and without sound recording
  • The recordings may be shared with the Police and the State Border Guard
  • Who can access the surveillance system and its recordings – The head of Gym Latvija, customer relations coordinator, G4S security contractor
  • The recordings are stored for 1 month, after which they are overwritten by the video surveillance system.
  • The surveillance takes place 24 hours a day.
  • The surveillance includes recordings, which may be watched on request
  • The measures to protect the data obtained through video surveillance consist of storing the data on a hard drive located in the server room. The room can only be accessed by the persons specified above
  • Access rights: in order to allow access to the data collected via surveillance cameras, we require an application prepared in accordance with the description shown in Section 7. Please keep in mind when requesting access to such data that these data will only be stored for 1 month, and for the purposes of protecting the rights and interests of other individuals, they must be made unidentifiable in these recordings, which is why we cannot provide immediate access to such data. You will be required to cover the cost of making these other individuals unidentifiable in the recordings.

9. Right to submit a complaint to the Data State Inspectorate and the courts of the Republic of Latvia

We respect your privacy and seek to make sure that the processing of your personal data is clear and transparent. This is the reason we have developed this Privacy Policy. If you need more details about the processing of your personal data and the use of your rights, please contact us via e-mail, at info@gymlatvija.lv.

If you believe that the processing of your personal data violates the General Data Protection Regulation, you are entitled to report this to the Latvian Data State Inspectorate (info@dvi.gov.lv) and file action in court, to protect your rights and interests.

10. Final provisions

Gym Latvija may from time to time revise this Privacy Policy to update it, especially in the event of changes in the laws and regulations applicable to it, or if the activities we perform when processing personal data change. The latest version of this Privacy Policy is always available on our website.