SIA "The One" (Ltd.), registration No. 40203418528, legal address: Rasenes iela 5 - 2,
Upesciems, Garkalnes pag., Ropažu nov., LV-2137 ("us", "we", "our" or the “Company”) as the Data
Controller operates the website providing Customer contact Centre communication
system (the "Service").
This Privacy Policy informs you (the “User” or the “Customer”) of our policies regarding the
processing (collection, storage, use, disclosure, erasure etc.) of Personal Data when you visit our
website and / or use, has used or expressed a wish to use any of our Service or if you are in any way
connected with this Service, and the choices you have associated with that data. We use your Personal
Data to provide and to improve the Service, perform a contract and to fulfil legal obligations to which we
are the subject.
By using the Service, your Personal Data is processed in accordance with this Privacy Policy.
If the User does not agree with the Privacy Policy or certain provisions thereof, the User does not
have to provide Personal Data to the Company. In cases when the User does not provide the Company
with Personal Data necessary for the performance of the contract or Services, as well as for the
performance of legal obligations of the Company specified in regulatory enactments, the Company has
a legal basis to refuse to provide the User Services in whole or in part.
If the Personal Data provided by the User has changed or the information processed by the
Company about the User is inaccurate or incorrect, the User has the right to request to change, clarify
or correct this information. The Company shall not be liable for inaccurate or incomplete data submitted
by the User.
1.1. Data Controller
Data Controller means a person who (either alone or jointly or in common with other persons)
determines the purposes for which and the manner in which any Personal Data are, or are to be,
processed. For the purpose of this Privacy Policy, we are a Data Controller of your Personal Data.
Definition shall have the same meaning as in Article 4 (7) of GDPR.
1.2. Data Processor (or Service Providers or Sub-contractors)
Data Processor (or Service Provider or Sub-contractor) means any person (other than an
employee of the Data Controller) who processes the Personal Data on behalf of the Data Controller. We
may use the services of various Service Providers in order to process your Personal Data more
effectively. Definition shall have the same meaning as in Article 4 (8) of GDPR.
1.3. Data Subject
Data Subject is any living individual (natural person) who is the subject of Personal Data.
1.4. Cookies
Cookies are small pieces of data stored on a User’s device.
1.5. GDPR
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and on the free movement
of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.6. Personal Data
Personal Data means data about a living individual (natural person) who can be identified or
identifiable from those data (or from those and other information either in our possession or likely to
come into our possession). Definition shall have the same meaning as in Article 4 (1) of GDPR.
1.7. Third party
Third party means a natural or legal person, public authority, agency or body other than the data
subject, controller, processor and persons who, under the direct authority of the controller or processor,
are authorised to process Personal Data. Definition shall have the same meaning as in Article 4 (10) of
1.8. Usage Data
Usage Data is data collected automatically either generated by the use of the Service or from the
Service infrastructure itself (information that your browser sends whenever you visit our webpage or
when you access the Service by or through a mobile device, for example, your computer's Internet
Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that you
visit, the time and date of your visit, the duration of a page visit, unique device identifiers and other
diagnostic data, the type of mobile device you use, your mobile device unique ID, the IP address of your
mobile device, your mobile operating system, the type of mobile Internet browser you use, unique
device identifiers and other diagnostic data).
1.9. User
The User is the individual using our Service. The User corresponds to the Data Subject, who is
the subject of Personal Data.
The Company processes the User's personal data in accordance with the following legal
basis and purposes for processing personal data:
Identification data (name;
personal identification number (if
any); date, month and year of
birth); passport or identity card
details (document number; date
of issue; issuing authority;
issuing country); contact details
Details of the Customer's
beneficial owner. If the beneficial
owner is a resident of Latvia:
name; personal identification
number; date, month and year
of birth; nationality; country of
permanent residence.
If the beneficial owner is a non-
resident of Latvia: name; date,
mon t h a n d year o f b i rth;
passport or identity card number
and date of issue; country and
issuing authority; nationality;
country of permanent residence.
The processing is necessary for
the performance of a task
carried out in the public interest
or in the exercise of official
authority vested by law in the
controller pursuant to Article 6(1)
(e) of the GDPR.
To comply with the requirements
of Article 2(2) of the International
and National Sanctions Law of
the Republic of Latvia and to
ensure risk management and
corporate governance of the
Identification and research data:
name, surname, personal
identification number, date,
month and year of birth; identity
document data (passport data,
I D c a r d d a t a a n d c o p i e s
thereof); marital status;
contact details: telephone
number, e-mail address, home
address; language of
financial data (name of bank,
account holder, current account
The processing is necessary for
the performance of pre-
contractual measures at the
request of the Customer (data
subject) and for the performance
of the contract.
To identify the Customer;
To perform the contract and to
ensure that the personal data is
up-to-date and correct by
checking and updating the data;
To communicate with the
Customer and generally
m a n a g e t h e C u s t o m e r
relationship and to provide and
administer the contract:.
Identifying data (name,
surname, personal identification
number, date, month and year of
birth, identification document);
contact details (telephone
number, e-mail address, home
Performance of the contract.
Commitment data (the
C u s t o m e r ' s c u r r e n t
commitments, duly performed
( h i s t o r i c a l ) c o m m i t m e n t s
(payment discipline), as well as
i m p r o p e r l y p e r f o r m e d
commitments (debts), including,
but not limited to, the basis,
a m o u n t , a n c i l l a r y c l a i m s ,
maturity, date of occurrence of
the commitment).
Performance of the contract.
To provide other existing or
pot e n t i a l c r e d i t o rs o f t h e
Customer with access to the
Customer’s credit information
(credit history) in the interest of
protecting their rights.
Identification data (name,
surname, date, month and year
of birth);
Contact details (telephone
number, email address, home
For administering personalised
offers and other benefits;
Direct marketing.
Contract documentation and
documentation related to the
service (including the
C u s t o m e r ' s f i l e ( e . g .
applications, requests,
complaints submitted by the
Customer; notices, warnings,
etc. sent to the Customer).
To comply with a legal obligation
to which the controller is subject
(document storage, archiving,
bookkeeping requirements;
requirements arising from the
Consumer Rights Protection
Law and other requirements set
out in regulatory enactments
that apply to the economic
activity of the controller).
Bookkeeping, record-keeping,
archiving, etc.
Identifying data (e.g. name,
surname, personal identification
number, declared address of
The legitimate interests of the
controller (establishment of a
right of recourse).
Establishing, defending,
assigning and providing
evidence against claims of non-
conformity of service, as well as
providing evidence against a
possible claim arising in delict.
Communication and device
data: data contained in
communications, emails, visual
images, video and/or audio
recordings, and other forms of
communication and interaction
Data collected when the
Customer visits the website,
mobile application or other
channels of communication;
data on habits, preferences and
satisfaction, such as usage
activity, services used, personal
preferences, survey responses,
customer satisfaction:
1) technical information (e.g.
device type, Internet Protocol
(IP ) addr ess an d I ntern et
Service Provider (ISP) used to
connect the device to the
Internet; registration information;
browser type and version; time
zone settings, browser plug-in
types and versions, operating
system and platform, screen
resolution, location, font
2) visit information, including full
URLs, clickstreams to, through
and from the website (including
date and time); services viewed
or searched for; reference/exit
pages, files viewed on the
website (e.g. HTML pages,
graphics, etc.); and (e.g. HTML
pages, HTML files, web pages
(e.g. HTML pages, HTML files,
web pages with HTML content,
etc.), page response times,
download errors, duration of visit
to certain pages, page
interaction information (such as
scrolling, clicks and mouse-
overs) and methods used to
navigate away from the page,
d a t e / t i m e s t a m p a n d / o r
clickstream data;
the telephone number used to
contact a representative of the
Contract performance and
service provision;
To protect the vital interests of
the Customer (personal data);
To meet the legitimate interests
of the Controller (performance of
management functions;
monitoring, improving and
developing the quality of service
provision and/or Customer
service; testing the website,
mobile application, digital
environment; information
security and improvement of
te c hn i cal s yst e ms a nd I T
infrastructure to prevent, limit
and investigate misuse or
unlawful use or disruption of
services, including fraudulent
activities; establishment of rights
of recourse);
C u s t o m e r c on s e n t t o t h e
processing of personal data
(including the use of cookies
when visiting the website);
Customer consent to automated
processing of personal data,
including profiling;
C u s t o m e r c on s e n t t o t h e
processing of personal data
(including direct marketing).
F o r g e n e r a l C u s t o m e r
Relationship Management and
access to and administration of
services: to provide services
and to ensure the timeliness and
accuracy of personal data by
checking and updating data;
Maintaining Customers file
I n f o r m a t i o n s e c u r i t y a n d
t e c h n i c a l s y s t e m a n d I T
infrastructure development;
Prevention or detection of
criminal offences in connection
with the protection of property
owned or used by the Controller
(including website security);
The performance of
management functions
(business strategy, sound risk
management and corporate
Monitoring, improving and
enhancing the quality of service
provision and/or Customer
service; measuring productivity;
Prevention of fraudulent use and
proper performance of services,
to sanction and control access
to and operation of digital
channels, to prevent
u n a u t h o r i s e d a c c e s s a n d
fraudulent use, and to ensure
information security;
To improve technical systems,
IT infrastructure, to adapt the
display of the service on devices
and to develop services, for
e x a m p l e : b y t e s t i n g a n d
improving technical systems and
IT infrastructure;
Preparation of personalized and
tailored information, provision of
a more user-friendly service:
!F o r a d m i n i s t e r i n g
personalised offers and
other benefits;
!Direct marketing.
Personal Data may be obtained directly from the User (the User provides information by
completing submissions, through social media, by mail, by email, by telephone, or through any other
media or services), from the use of the Services (the email communications and documents including
interactions and communications with the Company), and from external sources, including public and
private registries, databases and publicly accessible trusted websites (through KYC ("know your
customer") procedures), and from third parties (credit and financial institutions, the National Revenue
Service and bailiffs) as mutually agreed or as required by law or regulation.
The Company will retain your Personal Data only for as long as is necessary for the purposes set
out in this Privacy Policy.
We will retain and use your Personal Data to the extent necessary to comply with our legal
obligations (for example, if we are required to retain your data to comply with applicable laws), resolve
disputes, and enforce our legal agreements and policies. The Company will also retain Usage Data for
internal analysis purposes.
Where the same personal data are processed for more than one purpose, they shall be kept for
the longer applicable retention period.
The storage period of the processed personal data may be based on the Customer's (data
subject's) consent (until revocation, if there is no other basis for processing the personal data), the
Contract (to provide evidence against claims of non-compliance with the service and/or performance of
the obligations under the Contract, as well as to provide evidence against a potential claim, arising from
a tort, the retention period is ten years from the date of performance of the service or the Contract), the
legitimate interests of the Controller or a legal obligation to which the Controller is a subject arising from
applicable laws and regulations (e.g. laws and regulations on accounting (basic accounting documents
to be kept for 10 years); laws and regulations on archiving of documents, etc. etc.).
If none of the legal grounds for processing personal data no longer exist and the normative acts
do not provide for a longer period of storage of personal data, the Controller shall delete the personal
Personal data is processed in the European Union / European Economic Area (EU / EEA).
However, if the Personal Data is transferred outside the EU / EEA, the Company undertakes to
take all necessary security measures to ensure the same level of security of Personal Data as in the EU
/ EEA, and appropriate guarantees in accordance with the provisions of Article 46 of the GDPR. The
Company shall transfer Personal Data to a third country or to an international organisation only if there
is a legitimate basis for it and appropriate safeguards have been put in place:
(a) the European Commission has decided in accordance with Article 45 of the GDPR that the
third country or organisation concerned ensures an adequate level of protection; or
(b) the controller or processor has provided adequate guarantees in accordance with Articles 46
or 47 of the GDPR: (i) binding corporate rules; (ii) standard contractual clauses adopted and approved
by the European Commission or the national supervisory authority; (iii) other ad hoc contractual
clauses, if approved by the competent national supervisory authority; (iv) an approved code of conduct
together with a binding and legally enforceable commitment by the third-country data controller or
processor to apply the relevant safeguards; (v) an approved certification mechanism together with a
binding and legally enforceable commitment by the third-country data controller or processor to apply
the relevant safeguards; or
(c) there is an exception set out in Article 49 of the GDPR ((i) the data subject has explicitly
consented to the proposed transfer, after having been informed of the possible risks of such transfers
for the data subject due to the absence of an adequacy decision and appropriate safeguards; (ii) where
the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the
data subject between the controller and another natural or legal person; (iii) the transfer is necessary for
the establishment, exercise or defence of legal claims; (iv) where the transfer is necessary for important
reasons of public interest; (v) where it is necessary for the protection of the vital interests of the data
subject or of another natural person, where the data subject is physically or legally incapable of giving
Upon a written request, the User can receive more detailed information on the transfer of
Personal Data to countries outside the EU / EEA.
In the event of any onward transfer, the Company will comply with all other safeguards, in
particular the purpose limitation. The Company will take all steps reasonably necessary to ensure that
your Personal Data is treated securely and in accordance with this Privacy Policy and no transfer of
your Personal Data will take place to an organization or a country unless there are adequate controls in
place including the security of your Personal Data and other personal information.
When the Company receives and transfers your Personal Data to Data Processors who process
Personal Data on behalf of the Company, the Company shall take all necessary measures to ensure
that the Personal Data is processed by the Data Processors in accordance with the agreement or
regulatory enactments and documented Company instructions.
When the Company receives and transfers your Personal Data to the Third parties (independent
Data Controllers), the Third parties, as independent Data Controllers, process the Personal Data in
accordance with their privacy policies, which are available on the website of the respective service
6.1. Legal Requirements
Under certain circumstances, the Company may be required to disclose your Personal Data if
required to do so by law or in response to valid requests by public authorities (e.g. Consumer Rights
Protection Centre, State Revenue Service, courts, government agency, out-of-court dispute resolution
institutions, insolvency process administrators, sworn bailiffs, etc).
The Company may disclose your Personal Data:
To comply with a legal obligation
To protect and defend the rights or property of the Company
To prevent or investigate possible wrongdoing in connection with the Service
To protect the personal safety of Users of the Service or the public
To protect against legal liability.
6.2. Service Providers (Sub-contractors)
The Company may employ third party companies and individuals to facilitate our Service
("Service Providers"), to provide the Service on the Company’s behalf, to perform Service-related
services or to assist us in analyzing how our Service is used.
The Company may disclose your Personal Data to the Service Providers including, but not limited
- companies in the same group as the Company and the authorities of the country of residence of
their shareholders/members, if so requested by such authorities;
- a person to whom (or through whom) the Company transfers or the Company intends to transfer
a right of claim arising under the contract (assignment);
- server providers and data storage providers selected by the Company; website and mobile
application operators; video surveillance system providers; tele-marketing, marketing and survey
service providers, email and SMS gateway service providers, online intermediaries and other third
parties involved in the provision of the services provided by the Company (incl, banks, archiving, postal
and courier service providers, etc.), ensuring that such parties will process the Customer's personal
data only to the extent and for the purposes (purposes) set out in this Privacy Policy;
- persons who, on behalf of the Company, carry out a statistical, market or public opinion study or
survey, if the disclosure of personal data is necessary for the purpose of carrying out the study or survey
in question;
- any accounting service provider, auditor, financial adviser, legal adviser, solicitor, notary public
and/or bailiff selected by the Company.
If the Customer fails to fulfil or performs its obligations under the contract, the Company shall be
entitled, without obtaining the Customer's separate consent, to provide information on the Customer's
debt by transferring the Customer's personal data for processing to credit reference bureaus for
inclusion in credit history databases and debt collection service providers for inclusion in debt history
databases, which will result in the processing of such data in accordance with the applicable regulatory
enactments and information being transferred to third parties for assessing the creditworthiness or
managing the credit risk of third parties. The Customer agrees that his/her data from credit and debt
history databases will be disclosed to third parties.
The Company shall also use the personal data received for the purpose of communication with
the Customer and for the purpose of establishing the Customer's credit history. The Company shall also
verify and update personal data in public registers and databases established in accordance with the
statutory regulations without obtaining the Customer's prior additional consent.
For the purpose of financial management by the Company, assessing the Customer's solvency
and checking the Customer's credit history, the Company shall process natural person data received
from third parties and supplement the natural person data processing systems under their control with
information obtained about the Customer from public registers (e.g, the Customer, the personal data
processing systems of state or local government institutions (e.g. from the Population Register, the
State Social Security Agency, the State Revenue Service, etc.) or other public sources, provided that
the provision of such information or the possibility to access it complies with the provisions of regulatory
These Service Providers have access to your Personal Data only to perform these tasks on our
behalf and are obligated not to disclose or use it for any other purpose.
6.3. Analytics (Sub-contractor)
We may use third-party Service Providers to monitor and analyze the use of our Service.
Google Analytics
Google Analytics is a web analytics service offered by Google that tracks and reports website
traffic. Google uses the data collected to track and monitor the use of our Service. This data is shared
with other Google services. Google may use the collected data to contextualize and personalize the ads
of its own advertising network.
You can opt-out of having made your activity on the Service available to Google Analytics by
installing the Google Analytics opt-out browser add-on. The add-on prevents the Google Analytics
JavaScript (ga.js, analytics.js, and dc.js) from sharing information with Google Analytics about visits
For more information on the privacy practices of Google, please visit the Google Privacy
Terms web page
6.4. Behavioral Remarketing (Sub-contractor)
The Company uses remarketing services to advertise on third party websites to you after you
visited our Service. We and our third-party vendors use Cookies to inform, optimize and serve ads
based on your past visits to our Service.
Google Ads
Google Ads remarketing service is provided by Google Inc. You can opt-out of Google Analytics
for Display Advertising and customize the Google Display Network ads by visiting the Google
Ads Settings page.
Google also recommends installing the Google Analytics Opt-out Browser Add-on for your web
browser. Google Analytics Opt-out Browser Add-on provides visitors with the ability to prevent their data
from being collected and used by Google Analytics.
6.5. Links to Other Sites
Our Service may contain links to other sites that are not operated by us. If you click on a third
party link, you will be directed to that third party's site. We strongly advise you to review the Privacy
Policy of every site you visit. We have no control over and assume no responsibility for the content,
privacy policies or practices of any third party sites or services.
Our Service does not address anyone under the age of 13 ("Children"). We do not knowingly
collect personally identifiable information from anyone under the age of 13. If you are a parent or
guardian and you are aware that your Children has provided us with Personal Data, please contact us.
If we become aware that we have collected Personal Data from children without verification of parental
consent, we take steps to remove that information from our servers.
The Company has established necessary legal, organizational, physical and technical security
measures to protect your Personal Data against unauthorised access, accidental or unlawful alteration,
disclosure, loss, destruction, erasure, including measures against threats caused by physical exposure
and measures implemented by means of software. Some examples of the measures we use:
Physical measures - paper-based documents containing Personal Data are stored in locked
rooms and cabinets to which only certain employees have access for fulfilling their job duties; data
processing rooms and IT-systems are sufficiently protected against fire, overheating, water, current
instability and power outages.
Technical measures - all employee work computers are protected with password protected
screensavers when the employee leaves; it is ensured that the IT- system does not accept new login
attempts and locks the username if certain number of access attempts has been exceeded; it is ensured
that especially vulnerable systems (e.g. laptops, smartphones) are sufficiently protected (using
encryption or other means).
Organizational means - all IT system Users are assigned roles and profiles; it is ensured that
access rights are deleted when an employee leaves the Company; it is ensured that there is no access
from publicly used rooms to rooms where Personal Data is being processed.
In case we use external companies for providing services, which include data processing, we
conclude data protection agreements with such Service Providers obligating them to: a) take
appropriate measures to ensure confidentiality and security of the Personal Data and ii) process
Personal Data in accordance with the applicable legal requirements.
Right to be informed and Right of access
If you wish to be informed what Personal Data we hold about you and receive a copy of the
Personal Data we hold about you, please contact us. Please note that we may ask you to verify your
identity before responding to such requests.
Right to rectification
You have rights to request updating any personal information about you if it is inaccurate or
Right to erasure
The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to
have Personal Data erased and to prevent processing in specific circumstances: (i) where the Personal
Data is no longer necessary in relation to the purpose for which it was originally collected/processed; (ii)
the Personal Data is processed in relation to the offer of information society services to a child; (iii)
when you withdraws consent; (iii) the Personal Data was unlawfully processed (i.e. otherwise in breach
of the GDPR); (iv) when the individual objects to the processing and there is no overriding legitimate
interest or other legal basis for continuing the processing; (v) the Personal Data has to be erased in
order to comply with a legal obligation.
Right to restrict processing
You have rights under certain circumstances to request to ‘block’ or suppress processing of
Personal Data for a certain period (e.g. if you have objected to Personal Data processing). When
processing is restricted, we are permitted to store the Personal Data, but not further process it.
Right to object
You have the right to object to such data processing which is based on the Company’s legitimate
interest incl. profiling based on our legitimate interest. We shall stop processing your Personal Data
when you present an objection, unless we can demonstrate compelling legitimate grounds for the
processing or processing is needed for the establishment, exercise or defense of legal claims. You also
have the right to object at any time to processing of your Personal Data concerning for direct marketing.
Upon receiving such objection, we shall stop processing your Personal Data for direct marketing.
Right to data portability
In case processing the Personal Data is based on your consent or on a contract between us and
Personal Data is processed automatically, you have the right to access Personal Data concerning you
which you have given to us in a structured, generally usable and in machine readable form. You have
rights to move, copy or transfer Personal Data easily from one IT environment to another in a safe and
secure way. We will provide all Personal Data in a structured way using open formats like CSV.
Right to withdraw your consent
You have right to withdraw your consent where the personal data is provided to the Company on
the basis of your consent (withdrawal of consent does not affect the lawfulness of processing based on
consent prior to the withdrawal);
Right to not be subject to fully automated decision-making, including profiling
You have right not to be subject to fully automated decision-making, including profiling, where
such decision-making has legal effects or similarly significantly affects you (data subject). This right shall
not apply if the decision-making is necessary for entering into or performance of a Contract with the
Customer (data subject), if the decision-making is permitted under applicable laws or regulations or if
the Customer (data subject) has given its explicit consent.
Right to contact us, submit a complaint to the Data State Inspectorate of Republic of
Latvia and the court
If you believe that processing of your Personal Data violates the GDPR requirements, you have
the right to turn to the Data State Inspectorate of Republic of Latvia ( and the courts to
protect your rights and interests.
We may update our Privacy Policy from time to time. We will notify you of any changes by posting
the new Privacy Policy on this page. We will let you know via email and/or a prominent notice on our
Service, prior to the change becoming effective and update the "effective date" at the top of this Privacy
Policy. You are advised to review this Privacy Policy periodically for any changes. Changes to this
Privacy Policy are effective when they are posted on this page.