Policy

Open Architecture Design SIA, registration No. 40003831902 (hereinafter – OAD), providing its services – architectural and interior design services – to Clients, can act both as a personal data controller and as a data processor.

OAD is a controller within the meaning of the definition provided for in Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter – the Regulation) for any client's personal data obtained by OAD from or about the Client, independently determining the purposes and means of the processing of personal data.

OAD is a processor within the meaning of Article 4 (8) of the Regulation regarding the Personal Data of a data subject that has been collected and provided by the Client to OAD for purposes related to the contracts for provision of OAD services (hereinafter – the Contract) (for example, personal data of other data subjects included in the documents provided by the Client). OAD processes this personal data of other data subjects on behalf of the Client. In this case, the Client confirms that it has the authority to provide personal data of other data subjects to OAD, and that the personal data of other data subjects are collected and processed in accordance with the applicable data protection legislation. The Client is obliged to provide OAD with all the instructions necessary for the processing of personal data and to provide accurate and up-to-date personal data of other data subjects.

This Privacy Policy (hereinafter – Privacy Policy) provides information on how OAD as a Personal Data controller processes Personal Data within the meaning of the definition provided in Article 4 (7) of the Regulation. This Privacy Policy applies if the Client visits OAD premises, website and/or uses, has used or has expressed a wish to use the Services provided by OAD, or if the Client is in any way connected with these Services, including before the Privacy Policy takes effect.

OAD implements and ensures appropriate technical and organizational measures to ensure the compliance of the Processing of the Client's Personal Data with the requirements of the laws and regulations governing the processing of Personal Data and to protect Personal Data against unauthorized access, accidental or unlawful alteration, disclosure, loss, destruction, erasure, including measures against threats caused by physical exposure and measures implemented by software features.

If the Client does not agree with the Privacy Policy or some of its provisions, the Client is not required to provide Personal Data to OAD. In cases where the Client does not provide OAD with the Personal Data necessary for the performance of the Contract or Services, as well as for the fulfilment of the obligations specified in the regulatory enactments of OAD, OAD has a legal basis to refuse to provide the Services to the Client in whole or in part.

If the data provided by the Client has changed or the information about the Client processed by OAD is inaccurate or incorrect, the Client has the right to request that this information be changed, clarified or corrected. OAD is not responsible for inaccurate, incomplete or erroneous data provided by the Client. 

1. Definitions

Processing any operation or set of operations that is performed on Personal Data or sets of Personal Data, whether or not by automated means (including collection, use, recording, organisation, structuring, storage, alteration, disclosure, or other action-making Personal Data available, retrieval, destruction, etc.). The definition corresponds to the definition laid down in Article 4 (2) of the Regulation. 

Client – any natural person (including, Client's (legal entity’s) shareholder, a member of the board, a representative of the company, the beneficial owner) who visits OAD premises, https://oad.archi and/or uses, has used, or has expressed a wish to use the Services provided by OAD or is in any way connected with them. 

Contract – a service contract concluded between OAD and the Client. 

OAD – Open Architecture Design SIA, registration No. 40003831902, which acts as a Personal Data controller.

Services – any services and products provided by OAD to the Client, including architectural and interior design services. 

Personal data – any information about a natural person that directly or indirectly allows to identify that person. The term corresponds to the definition set out in Article 4 (1) of the Regulation.

Regulation – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), in force from 25 May 2018.

2. Categories of Personal Data, Legal Basis for Processing and Purposes of Processing

OAD processes the Client's Personal Data in accordance with the following grounds and purposes of Personal Data Processing:

Categories and types of Personal Data processed

Legal basis for processing

Purposes of processing

Identification data (name, surname; personal identity number of the Republic of Latvia (if any); date of birth; contact information (address); information about the Client's beneficial owner.

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller pursuant to point (e) of Article 6(1) of the Regulation.

In order to comply with the requirements of Section 2, Paragraph two of the Law on International Sanctions and National Sanctions of the Republic of Latvia and to ensure sound risk management of OAD.

Image of the Client when conducting video surveillance.

Processing is necessary to protect the vital interests (safety and health) of the Client and other natural persons and to exercise the legitimate interests of the OAD.

Ensure public order and security; to ensure the safety and health of the Client and other natural persons (visitors and employees of OAD premises); to ensure the safety of the premises and property of OAD; to defend the legal claims and legitimate interests of OAD; provide evidence and detect and prevent illegal activities.

Identification and research data: Client's name, surname; identity number; date, month and year of birth; data of the identity document; information about the beneficial owner; information on whether the Client is a politically exposed person or a family member of a politically exposed person, or a person closely associated with a politically exposed person; contact data: phone number, e-mail address, address of residence; language of communication; data on employment (occupation; position held); financial data (bank name, account holder, current account number).

The processing is necessary for taking measures at the request of the Client (data subject) prior to entering into the Contract, for the performance of the Contract and for the provision of Services.

To identify the Client and perform the KYC ("know your Client") procedure; for communication with the Client and general Client relationship management and provision and administration of access to Services: to provide the Services and to ensure the topicality and correctness of personal data by verifying and supplementing the data.

Contract documentation and Service-related documentation (including the contract; applications, requests, complaints submitted by the Client; notices, warnings, etc. sent to/received from the Client).

To comply with legal obligations applicable to the controller (requirements for storage, archiving, accounting of documents; requirements arising from the Consumer Rights Protection Law in relation to the conclusion of the Contract, receipt of the Service and exercise of the right of withdrawal and other requirements specified in regulatory enactments that apply to the economic activity of OAD as a controller).

Accounting, documentation storage, archiving, etc.

Identification data (name, surname, personal identity number, declared address of residence).

To comply with the legitimate interests of the controller (establishment of the right to claim).

Establishment, enforcement, protection, and transfer of claim rights, as well as securing evidence against claims for non-compliance of the Services, as well as for the provision of evidence against a potential claim arising from tort.

Identification data (name, surname, personal identity number); contact data (phone number, e-mail address, address of residence).

Personal data is processed in accordance with the Client's consent to the processing of their personal data.

Client relationship management, analysis and service development and improvement; for statistical and market research purposes, to analyze the effectiveness of advertisements and to conduct surveys and studies relating to the Services offered by OAD.

Correspondence (communication) and device data: data contained in notifications, e-mails, visual images, video and/or audio recordings, as well as other communication and interaction data; data collected when the Client visits OAD website or communicates through other OAD channels (Instagram, Facebook, LinkedIn, Vimeo); data about habits, preferences and satisfaction, such as activity of using the Services, Services used, personal settings, answers to survey questions, Client satisfaction:1) technical information (such as device type, Internet Protocol (IP) address and Internet service provider (ISP) used to connect the device to the Internet; registration information; browser type and version; time zone settings, browser plug-in types, and versions, operating system and platform, screen resolution, location, font encoding; (2) information about the visit, including full Uniform Resource Locators (URLs), clickstreams to, through and from the website (including date and time); the information viewed or searched for; referring/exit pages, files viewed on the website (e.g. HTML pages, graphics, etc.), page response times, download errors, the duration of a certain page visit, page interaction information (e.g. scrolling, clicks and mouse redirection) and methods used to leave the page, date/time stamp and/or clickstream data, and any phone number used to call an OAD representative.

Performance of the Agreement and provision of the Services; to protect the Client’s vital interests (Personal Data); to protect the legitimate interests of the controller (performance of management functions, Monitoring, developing, and improving quality of Services and/or Client service quality, testing of the website and digital environment; development of information security, technical and IT infrastructure, prevention of the misuse of Services, the proper execution of the Services, including the prevention of fraudulent actions; to establish claim rights); Client’s consent to the Processing (inter alia, cookies are used when visiting the website). Client’s consent to automated Processing of Personal Data, including profiling.

General management of Client relations, provision of access, and administration of the Services: providing the Services, ensuring that Personal Data is up-to-date and accurate by verifying and supplementing the data; Keeping records on the Client’s case file; Development of information security, technical and IT infrastructure; Prevention or detection of criminal offences related to the protection of property owned or used by the Office (including the protection of the website); Performance of management functions (business strategy, risk management, and business management); Monitoring, developing, and improving quality of Services and/or Client service quality; assessing productivity; Prevention of the misuse of Services, the proper execution of the Services, sanctioning and controlling access to and operation of digital channels, preventing unauthorized access and misuse, and ensuring the security of information; Improving technical systems, IT infrastructure, adapting the display of the Service on devices, and developing Office Services, e.g., by testing and improving technical systems and IT infrastructure; Preparing personalized and customized information; providing more user-adapted Services.

3. Sources of Personal Data Acquisition

The Client's Personal Data may be obtained directly from the Client, from the Client's use of the Services (for example, OAD stores e-mail communication and documents of the Client's interaction and communication with OAD) and from external sources, including public and private registers, databases and publicly available reliable websites, and from third parties in the cases specified in regulatory enactments.

4. Recipients of Personal Data

The Client is informed that to carry out the Processing of Personal Data specified above for the achievement of the specified purposes (objectives), OAD receives and transfers the Client's Personal Data to personal data processors who process personal data on behalf of OAD and to third parties (independent data controllers), including, but not limited to:

When OAD receives and transfers the Personal Data of the Client to processors who process Personal Data on behalf of OAD, OAD shall take all necessary steps to ensure that the Processing of Personal Data by data processors is carried out under the Agreement, regulatory enactments and documented OAD’S instructions.

When OAD receives and transfers the Client's Personal Data to third parties (independent data controllers), third parties, as an independent controller, process Personal Data in accordance with its own privacy policy, which is available on the website of the relevant service provider.

OAD is also obliged to transfer Personal Data to state or local government institutions in the cases specified in regulatory enactments (for example, the State Revenue Service, the Financial Intelligence Service, the State Security Service, the State Police, and other law enforcement agencies and financial investigation institutions, courts, out-of-court dispute resolution bodies, insolvency practitioners, sworn bailiffs, etc.).

5. The Territory of Processing Personal Data

Personal Data is transferred to a third country or to an international organization only in cases where:

a) the European Commission has decided, in accordance with Article 45 of the Regulation, that the third country or organization concerned ensures an adequate level of protection,

b) the controller or processor has provided appropriate safeguards pursuant to Article 46 or 47 of the Regulation, or

c) the conditions laid down in Article 49 of the Regulation exist. 

In the event of any subsequent transfer, the OAD shall respect all other guarantees, in particular the purpose limitations.

OAD also informs that OAD website uses Google Analytics, a program of Google Inc., which uses cookies that are stored on the Client's device and allows them to analyze how the Client uses the respective website. The information generated by these cookies about the Client's use of this website is sent to Google servers in the USA and stored there. The client's IP address is truncated in the territory of the European Union or the European Economic Area by means of IP-anonymization and may only in exceptional cases be transferred for processing to Google servers located in the USA. Google uses this information to evaluate the Client's use of the website, to prepare reports on the activities on the respective website for website operators and to provide other services related to the website and the use of the Internet. Under no circumstances does Google associate the IP address received here with any other information held by Google. If necessary, Google may provide this information to third parties if required to do so by law or if third parties process this data on behalf of Google.

6. Term of storage of personal data

OAD stores Personal Data in accordance with the purposes (objectives) of Personal Data, as well as in accordance with the requirements of the Regulation and regulatory enactments, as long as any of the legal bases for the Processing of Personal Data exists, if the applicable legislation does not provide for a longer storage period. If the same Personal Data is processed for multiple purposes, that data is stored for the longest applicable storage period. 

The storage period of the processed Personal Data may be based on the consent of the Client (data subject) (until its withdrawal, if there is no other basis for the Processing of Personal Data), the Contract (provision of evidence against claims regarding non-compliance of the Service and/or fulfilment of contractual obligations, as well as provision of evidence against a possible claim arising from tort, the storage period is ten years from the date of performance of the Service or the Contract), OAD's legitimate interests or a legal obligation applicable to the controller, arising from the applicable laws and regulations (e.g., laws and regulations regarding archiving of documents, laws and regulations regarding accounting, etc.).

If none of the legal bases for the Processing of Personal Data longer exists, and regulatory enactments do not provide for a longer period of storage of Personal Data, OAD shall delete files containing Personal Data.

7. Automated decision-making and profiling

Profiling is any form of automated processing of personal data consisting in the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects relating to that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. 

The following information is automatically collected for each visit to OAD website:

- technical information (such as device type, Internet Protocol (IP) address, and Internet Service Provider (ISP) used to connect the device to the Internet; registration information; browser type and version; time zone settings, browser plug-in types and versions, operating system and platform, screen resolution, location, font encoding); 

- visit information, including full Uniform Resource Locators (URLs), clickstreams to, through and from the website (including date and time); information viewed or searched for; reference/exit pages, files viewed on the website (e.g. HTML pages, graphics, etc.), page response times, download errors, duration of visits to certain pages, page interaction information (such as scrolling, clicks and mouse redirection) and methods, used to leave the page, date/time stamp and/or clickstream data, and any phone number used to call to contact an OAD representative.

Automatic processing of personal data on OAD website is carried out in order to evaluate certain personal characteristics of the Client and improve the experience of using the Client's digital services, for example, by adjusting the display of the Services on the device used; Client Data analysis and consulting. Automatic processing of personal data is based on the legitimate interests of OAD (risk management and transaction monitoring fraud prevention), fulfilment of legal obligations, performance of the Contract or the Client's consent. 

OAD may also collect statistical data about the Client, t.sk. on the characteristic behavior. Statistical data for creating segments/profiles can also be obtained from external sources and can be combined with OAD internal data.

8. Video surveillance

OAD uses CCTV cameras at the entrance to OAD office. OAD carries out video surveillance based on legitimate interests and in order to protect the vital interests (safety and health) of the Client and other natural persons (OAD visitors and employees).

The Personal Data that is processed during video surveillance is visual images and video materials.

Purpose of the video surveillance: to ensure public order and security; to ensure the safety and health of the Client and other natural persons (OAD visitors and employees); to ensure the safety of the premises and property of OAD; to defend the legal claims and legitimate interests of OAD; provide evidence and detect and prevent illegal activities.

Personal data processed in connection with video surveillance carried out by OAD will be stored for no longer than necessary, with a maximum retention period of 1 (one) month from the moment of recording, unless another purpose of processing arises (for example, in connection with a criminal investigation). 

9. Rights of the data subject

The data subject has the following rights: 

- to receive information whether OAD processes the Personal Data of the data subject and, if so, to access them and obtain information in accordance with Article 15 of the Regulation, how they are processed and to whom they are transferred;

- request the correction of the Personal Data if it is inappropriate, incomplete or incorrect;

- object to the Processing of the Personal Data if the use of Personal Data is based on the legitimate interests of OAD, including profiling for direct marketing purposes (for example, for receiving marketing offers or participating in surveys), unless the Controller indicates compelling legitimate reasons for the Processing that are more important than the interests, rights and freedoms of the Client (data subject), or in order to establish, exercise or defend legal claims;

- request the erasure of the Personal Data, for example, if Personal Data is processed on the basis of consent, if the data subject has withdrawn his or her consent. This right does not apply if the Personal Data, the deletion of which is requested, is also processed based on another legal basis, such as the Contract or obligations arising from the relevant regulatory enactments or in other cases specified in the Regulation, when there is a legal basis for the Processing of Personal Data;

- restrict the Processing of the Personal Data in accordance with applicable laws and regulations, for example, at the time when OAD is assessing whether the data subject has the right to have his or her data erased;

- to receive the Personal Data (data portability) which it has provided and which is processed on the basis of consent and performance of the Contract in written form or in one of the most commonly used electronic formats and, if technically possible, to transfer such data to another service provider; 

- to withdraw the consent to the Processing of the Personal Data if the Personal Data is submitted to OAD on the basis of the data subject's consent (withdrawal of consent does not affect the lawfulness of processing based on consent before withdrawal); 

- to not be subject to fully automated decision-making, including profiling, if any, where such fully automated decision-making has legal effects or, in a similar sense, significantly affects the data subject. This right does not apply if the taking of a decision is necessary in order to conclude or execute a Contract with the data subject, if the decision-making is permitted in accordance with the applicable laws and regulations or, where the data subject has given his or her explicit consent; 

- submit complaints regarding the processing of Personal Data to the Data State Inspectorate (www.dvi.gov.lv) if the data subject considers that the Processing of his or her Personal Data violates his or her rights and interests in accordance with the applicable laws and regulations.

10. Cookies

OAD website uses cookie technology "Cookies", which collects information about the Client, including whether the Client has previously visited the website, whether the Client is a new user and what information the Client has viewed on the website. The use of cookies helps to improve the Services provided, for example, by allowing you not to re-enter information that has already been entered. The use of cookies helps to record the number of visitors and collect statistics and information about how users use the Services in order to improve the quality of websites, applications and Services, as well as to create user-tailored content.

11. Third-party systems we use to ensure the proper provision of services:

- Google inc. Google Analytics, more information about the terms of service provided by these tools and their privacy policy can be found on the website: Google Analytics Privacy (https://policies.google.com/privacy?hl=lv);- Google inc. Firebase Analytics, more about the terms of service provided by these tools and their privacy policy can be found at: Firebase analytics Privacy (https://firebase.google.com/policies/analytics/).

12. Contact details of OAD and identification of the Data Subject

In order to ensure the protection of Personal Data, in communication with the Data Subject, personal identification will be carried out according to the following criteria: 

Upon receipt of a request from the Client regarding the provision of Personal Data or the implementation of other Client’s rights, OAD shall verify the identity of the Client. For this purpose, OAD is entitled to request the Client to indicate Personal Data and compare whether the data provided by the Client coincides with the relevant Personal Data held by OAD. In carrying out this comparison, OAD is entitled to send a control notification to the telephone or e-mail specified by the Client (in the form of a text message or an e-mail letter), requesting the Client to authorise it. If the verification procedure is not successful (e.g., the data provided by the Client does not match the Personal Data held by OAD or the Client has not made authorization after the sent text message or e-mail letter), OAD will be forced to find that the Client is not the subject of the requested Personal Data and will be forced to reject the request submitted by the Client. Upon receipt of the Client’s request for the exercise of any of the Client’s rights and the successful completion of the verification procedure referred to above, OAD shall undertake without delay, but in any event not later than within 1 (one) month from the date of receipt of the Client’s request and the end of the verification procedure, to provide the Client with information on the activities carried out by OAD under the request submitted by the Client. Given the complexity and number of requests, OAD has the right to extend the 1 (one) month period for a further 2 (two) months, informing the Client by the end of the first month and stating the reasons for such extension of the term. If the Client’s request is submitted electronically, OAD will also provide the reply electronically, except in cases where it is not possible (e.g. due to a large amount of information) or if the Client has requested to reply in another manner. OAD is entitled to refuse to act on the Client’s request if the circumstances specified in the regulatory enactments are met, providing a motivated response and informing the Client thereof in writing. If the Client’s (data subject’s) requests are manifestly unfounded or excessive, particularly due to their regular repetition, OAD as a controller can either: a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or b) refuse to act on the request.

In case of questions or uncertainties regarding issues related to the Processing of Personal Data or in cases where the Data Subject wishes to withdraw his or her consent to the processing of his or her Personal Data, OAD asks to be contacted by writing to:

- e-mail address: info@oad.archi or
- OAD legal address: Open Architecture Design SIA, Daugavgrivas street 23, Riga, LV-1048, Latvia.

13. Validity and amendments to the Privacy Policy

The Privacy Policy for Clients is available on OAD website https://oad.archi. OAD has the right to unilaterally amend the Privacy Policy at any time in accordance with the applicable laws and regulations by notifying the Client of the relevant amendments by publishing an updated Privacy Policy on the website https://oad.archi.