Privacy Policy

The data controller of personal data is SIA "DFI Group," registration number 40203286166, legal address: Rīga, Limbažu iela 4 k-2 - 38, LV-1005. Contact information for questions related to personal data processing: info@jewerla.com. You can inquire about personal data processing using this contact information or by contacting SIA "DFI Group" at its actual address: Rīga, Sarkandaugava, Viestura prospekts 65.

Personal data is any information related to you as a natural person, such as:

- Name, surname, phone number, email address, or residential address.

- Personal and vehicle registration number, car model, or insurance details.

- Bank account number, credit card number, and its expiration date.

- Information about your health status, blood type, or medical history.

- Passport details: number, personal identification number, height, nationality, or signature.

- Information about your income, owned property, and financial flows.

- Ethnicity, political views, religious beliefs, sexual orientation, trade union membership.

- Physical appearance, photo, video material, biometric data, and other personal information.

To fulfill our obligations to you as a customer, employee, or partner, SIA "DFI Group" needs to process your personal data. Your personal data will be collected and processed only in cases and to the extent necessary to achieve specific, clearly defined, and lawful purposes. SIA "DFI Group" is committed to respecting individuals' rights to the lawful processing and protection of personal data, as well as complying with the requirements of applicable legislation on the processing of personal data.

SIA "DFI Group"processes personal data in accordance with Section 7(2) of the Personal Data Protection Law – data processing is derived from contractual obligations, as well as, upon request, data processing is necessary to conclude a relevant contract. We also process personal data in accordance with Section 7(6) of the Personal Data Protection Law – data processing is necessary to realize our legitimate interests while respecting individuals' fundamental rights and freedoms. In certain cases, we have the right to process personal data based on the individual's consent, as provided by Section 7(1) of the Personal Data Protection Law.

The personal data processing policy has been developed in accordance with the requirements of the European Parliament and Council Regulation (EU) 2016/679 (27 April 2016) on the protection of natural persons regarding the processing of personal data and the free movement of such data.

### 1. Methods of Obtaining Personal Data

SIA "DFI Group" typically obtains personal data directly from the individual – from employees, customers, and/or partners. Occasionally, we obtain information from other sources, such as public or private institutions and registers. Strict requirements are set for access to and processing of sensitive personal data. During collaboration with SIA "DFI Group" including communication with us in all technically and physically possible ways, we may obtain your personal data in the following ways:

- Processing information provided by the individual: name; surname; personal identification number; gender; residential/correspondence address; email address; mobile phone number; date of birth, and data relevant to the fulfillment of mutual contractual obligations.

- Collecting data that includes, but is not limited to: location data, audit logs, data flows, and any other communication information.

- Collecting data provided by the individual when filling out any forms and information fields, including participating in surveys, discussions, and expressing opinions.

### 2. Legal Basis and Purpose of Data Processing

The legal basis for personal data processing is Section 7(2) of the Personal Data Protection Law – data processing is derived from contractual obligations. The legal basis for personal data processing is also Section 7(6) of the Personal Data Protection Law – data processing is necessary to realize our legitimate interests while respecting fundamental rights and freedoms. SIA "DFI Group" also processes personal data when required by legal acts (including the European Parliament and Council Regulation (EU) 2016/679 (27 April 2016) on the protection of natural persons regarding the processing of personal data and the free movement of such data), as well as – when the individual has given consent.

2.1. The obtained personal data will be electronically recorded and may be used for the following purposes:

- To verify the identity of the individual for the purpose of establishing contractual obligations;

- To communicate with the individual, including to inform about any changes;

- To ensure and improve the quality of service delivery;

- To fulfill SIA "DFI Group" obligations towards employees, customers, partners;

- For statistical research purposes;

- For other purposes related to contractual relationships.

Processing of sensitive personal data requires separate consent.

This applies to personal data related to an individual's health status. We will seek our employees' consent to process sensitive personal data regarding health status for the purpose of concluding an insurance contract and fulfilling the obligations set forth therein, submitting insurance claim applications, requesting information, and conducting oversight by medical institutions or other third parties.

### 3. Processing and Disclosure of Personal Data

3.1. SIA "DFI Group" is authorized to disclose personal data to SIA "DFI Group" service providers and partners who assist SIA "DFI Group" in realizing its legitimate interests. When transferring data, SIA "DFI Group" undertakes to ensure that the recipient of the data complies with the same personal data storage security measures as SIA "DFI Group""

3.2. Disclosure of information to third parties may occur in the following cases:

- Information about an employee may be disclosed to a third party if SIA "DFI Group" sells a company or part of it;

3.3. Personal data may be processed, stored, and transferred to third parties in the manner and to the extent provided in the mutual agreement and this Policy.

3.4. To the extent possible, upon receiving a corresponding request, SIA "DFI Group" will ensure the deletion of personal data from SIA "DFI Group" and SIA "DFI Group" engaged third parties' databases if these data are no longer necessary for the purposes for which they were collected, including the realization of contractual and legal rights.

### 4. Data Storage and Transfer

SIA "DFI Group" is obliged to maintain data confidentiality.

The personal data we collect about employees, partners, and customers are stored both in paper format and in our information system. Personal data is stored as long as it is necessary for the data processing purpose for which it was obtained. In practice, personal data is stored as long as there is a reason to believe that claims may be made in connection with our contractual relationships. Personal data that is no longer necessary for the specific purpose is deleted. The provided information is stored on secure servers, and in printed form – in locked cabinets. SIA "DFI Group"protects the client's data using modern technological capabilities, taking into account existing privacy risks and SIA "DFI Group" reasonably available organizational, financial, and technical resources.

### 5. Rights to Information and Data Correction

5.1. According to the Personal Data Protection Law, SIA "DFI Group" is obliged to disclose to the employee information about the data SIA "DFI Group" holds about the employee, as well as about the physical or legal persons who have requested and received information about the employee from SIA "DFI Group" during a specified period, except for cases provided by law. The employee has the right to free access to this information.

5.2. Under the applicable laws, an individual also has the right to request access to their personal data from SIA "DFI Group" as well as to request SIA "DFI Group" to supplement, correct, or delete it, or to restrict processing, or to object to processing (including processing of personal data carried out based on SIA "DFI Group"legitimate interests), as well as the right to data portability. These rights are exercisable to the extent that data processing does not derive from SIA "DFI Group"obligations imposed by applicable laws and performed in the public interest.

5.3. An individual may submit a request for the exercise of their rights: in written form in person, by presenting an identity document; by email, signed with a secure electronic signature;

5.4. Upon receiving a request for the exercise of rights, SIA "DFI Group" verifies the individual's identity, evaluates the request, and fulfills it according to applicable laws.

5.5. SIA "DFI Group" sends the response to the individual by mail to the provided contact address in a registered letter, taking into account, as far as possible, the individual's indicated preferred method of receiving the response.

5.6. SIA "DFI Group" ensures compliance with data processing and protection requirements in accordance with legal acts and, in the event of objections, takes appropriate actions to resolve the objection. However, if this is unsuccessful, the individual has the right to apply to the supervisory authority – the Data State Inspectorate.