lv en
About us Contacts
Use application
0
My Account
__Iestatījumi
Accessibility
Easy to read
Text size
100% 150% 200%
Color contrast
Refresh
lv en

Privacy Policy

I.    Purpose of the Privacy Policy

1.    The purpose of the Privacy Policy is to set out the principles of processing and protection of personal data by AS "Pasažieru vilciens" (hereinafter - the Company). 

2.    Ensuring the privacy of individuals is an integral part of the Company's activities, and the Company ensures the protection of individuals' personal information in its activities in accordance with the requirements of the laws and regulations, in particular the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC).

3.    As a major service provider, the Company's role is to maintain high standards of privacy protection in both internal and external processes and to be a model of good practice in every data processing process - and to be flexible in the face of a changing environment, adapting to the situation at any given moment, with the protection of individual privacy as paramount.

4.    Any individual who uses the Company's services or enters a facility owned by the Company or is a business partner or a representative of a business partner of the Company may acquire the status of a data subject if the Company processes the personal data of that individual in the specific legal situation.

II.    Personal data and the need for processing

5.    Personal data, as defined in the laws and regulations, means any information relating to an identified or identifiable data subject, while processing of personal data means any operation on personal data that begins with the collection or acquisition of data and ends with the erasure of data.

6.    The provision of the services provided by the Company is not possible without the processing of personal data, however, the Company has implemented and continues to improve the processes in place to minimise the amount of personal data processed, the complexity of the processing process and the duration of the processing.

7.    The provision of the services provided by the Company includes all processes related to the use of the passenger transport services provided by the Company, starting with obtaining information on the Company's website (www.vivi.lv) or app, purchasing train tickets (including the use of various reductions or discounts), controlling train tickets, communication and dispute resolution in relation to the services provided by the Company, as well as the protection of the Company's legitimate interests.

III.    Purposes of the collection, acquisition and use of personal data

8.    The personal data necessary for the use of the Company's services are usually collected directly by the Company from data subjects at the time of the establishment of a legal transaction, for example, when a person purchases the right to use a service provided by the Company or when the data subject is at a facility owned by the Company.

9.    Typical use of the Company's services requires identification data of the data subject (e.g. name, surname), information confirming the person's eligibility for discounts or reductions on tickets, the route chosen, the means of payment used, etc. 

10.     If information and communication services, including the Company's website (www.vivi.lv) or mobile app, are used to purchase services provided by the Company or to obtain information, the Company collects information such as IP address, browser type, usage statistics and other technical information, as well as provides audit trails of data subjects' activities, including for information security purposes.

11.     In situations where the data subject's personal data are collected while the data subject is at a facility owned by the Company, the data subject's data may be collected through the use of a stationary or mobile video surveillance system, in which case the data collected are related to the visual appearance of the data subject, as well as the actions (acts or omissions) of the data subject at the relevant point in time. 

12.     The personal data of a business partner or a representative of a business partner are collected from the data subject themselves or obtained from the business partner (legal entity) in connection with the conclusion and performance of a legal transaction and usually contain information identifying the data subject (e.g. name, surname, personal number), the facts giving rise to the right or status (e.g. position, extent of authorisation, specific role, etc.), as well as other essential details of a legal transaction (e.g. date and term of the legal relationship, contact information, special details, etc.).

13.     The personal data necessary for communication and dispute resolution include the identification of the data subjects, data relating to the specific situation (e.g. the nature of the issue or dispute), the date and time, and, if the situation is resolved by telephone, a recording of the communication.

IV.    Purposes of information transfer

14.     Access to personal data processed by the Company for the achievement of the Company's purposes is provided only to the Company's authorised persons (employees, outsourced service providers) who have a legal relationship with the Company (in the form of an employment contract or an outsourcing contract) and for whom access to personal data is absolutely necessary for the performance of the legal relationship.

15.     The Company transfers data to state administration bodies and officials only in the cases and to the extent provided for in the laws and regulations.

16.     The Company does not sell, rent or otherwise disclose the processed personal data to third parties without a specific purpose and an appropriate legal basis, which may be, for example, the consent of the data subject or other demonstrable legal basis.

17.     The Company's typical data processing is carried out within the territory of the European Union and it does not transfer personal data to a country that is not a member of the European Economic Area. 

V.    Data protection measures

18.     The Company implements various technical and organisational information protection measures, as well as continuously improves its risk management processes and protection measures to ensure the security of personal data processed by the Company, such as to protect personal data from unauthorised access, alteration, disclosure or destruction. 

19.     In situations where the Company itself has established facts or received information from an external source about an alleged or actual data breach (incident), a detailed investigation of the event is carried out immediately and, if suspicions are confirmed, the supervisory authority, the Data State Inspectorate, and the affected data subjects are informed in accordance with the procedure established by the laws and regulations, and measures are taken to reduce the damage to the rights and interests of the data subject.

20.     The Company documents the technical and organisational measures taken by the Company in accordance with the principle of accountability set out in the laws and regulations, and regularly trains the Company's employees on the nuances of data protection and respect for the rights and freedoms of data subjects.

21.     The Company regulates its organisational measures by internal regulatory enactments, which are regularly improved in the light of current best practice, changes in the laws and regulations of the European Union or the Republic of Latvia, binding interpretations of the application of the laws and regulations and recent decisions of the Court of Justice of the European Union or national courts.

VI.    Rights of the data subject

22.     Data subjects are informed of the Company's data processing in the most effective manner possible before the Company obtains or collects the personal data of the individuals concerned, for example, by means of notices posted at the facilities owned by the Company, information on the Company's website, etc. The Company improves the information provided to data subjects, taking into account, inter alia, suggestions or complaints made by data subjects. 

23.     The Company ensures the right of data subjects to access, rectify, erase or restrict the processing of personal data processed by the Company; however, in certain situations the Company may have legitimate arguments for restricting the rights of the data subjects concerned. In any event, the Company always provides a reasoned response to data subjects' requests.

24.     In order to ensure the exercise of data subjects' rights, the Company has implemented various communication channels, such as the i-point (vilciens@info.vivi.lv). 

25.     The Company's designated Data Protection Officer can be contacted by email at datuaizsardziba@vivi.lv.

26.     Reports related to a personal data breach or alleged unlawful activity by the Company or persons related to the Company (employees, business partners) are always assessed by the Company's designated Data Protection Officer.

27.     The Company's Data Protection Officer prepares an annual report on the Company's compliance with this Privacy Policy, which is submitted to the Company's Supervisory Board. The report covers compliance with the main data protection principles for the public - proportionality (processing of data only to the extent and for the period necessary to achieve the purposes of the processing), lawfulness (there is a legal basis for the processing and the Company has carried out the processing activities in a timely manner, such as an impact assessment of the processing or an assessment of the proportionality of the processing where the legal basis for the processing is a legitimate interest of the Company), transparency (how effectively the Company informs data subjects about the processing of their data), accountability (adequate documentation of the processes and activities related to the processing). The Company may additionally conduct an independent internal or external audit of the data protection organisation of the Company.

VII.    Other Privacy Policy compliance information and changes to the Privacy Policy

28.     Detailed information on the Company's data processing activities can be found in the information on data processing published on the Company's website.

29.     The Company is interested in the lawful processing of personal data at all stages of processing, and therefore regularly reviews the Privacy Policy and its scope and periodically updates the Privacy Policy, taking into account changes in laws and regulations or the application of laws and regulations. The current version of the Privacy Policy is published on the Company's website.

Cookie Consent

We use cookies and similar methods to recognize visitors and remember their preferences. We also use them to measure ad campaign effectiveness, target ads and analyze site traffic.

By tapping 'accept,' you consent to the use of these methods by us and third parties. You can always change your tracker preferences by visiting our Cookie Policy Page.

Manage your cookies: