Privacy Policy

Our privacy notices

We care about the privacy of our external and internal stakeholders. In our relationships, we need to collect and process personal data for several purposes and ways. We do it only for specified, explicit and legitimate purposes and only when valid legal grounds exist.

Gren Group, including its subsidiaries, is committed to respecting privacy and complying with applicable
data privacy laws. Here you can learn more about how we do it.

Customers, Participants, Visitors

Gren Group, including its subsidiaries, is committed to respecting your privacy and complying with applicable data privacy laws.

This privacy notice describes how Gren processes your personal data. The notice applies when you use our products and services, participate in events organized by Gren, visit our premises or otherwise interact with us. This notice also applies if you are a business customer.

We may also provide you with additional product or service specific privacy information in the service or product specific terms, privacy supplement or other notices you may see while using our product or service, as well as when you participate in events organized by Gren or visit our premises.

Gren collects and processes various types of personal data, where applicable, such as:

  • Personal details – including your contact details (such as your name, address, phone number, and email address), demographic data (such as your age, language, nationality, professional details, and additional details such as your interests or a segment group), your national identity number when required for verifying your identity, or photo and audiovisual material, if you participate in events organized by Gren or visit our properties.
  • Agreement & transaction data – such as information about your agreements, orders, purchases, payment status, and invoices; recorded and transcribed phone calls; subscriptions and opt-outs; and your other transactions with us such as service requests and messaging with our customer service.
  • Payment & credit data – such as your payment card information and bank account information that are needed for verifying payments or returning funds, credit worthiness.
  • Online data & identifiers – data that is collected with cookies or similar technologies about your use of our services, such as your browsing activities and segments, your IP address, cookie ID, mobile device ID, details about browser and device, and location.
  • Security data – data that is used for securing the use of our services and our premises, such as your password and login details, security logs, and camera surveillance recordings.
  • Technical and consumption data – such as data related to the operation of a device or application, including the measurement of consumption and production of heat and electricity and other utilities, and data from smart devices, including data from any sensors (e.g. temperature).

The personal data which we process about you comes from different sources:

  • You – when you order or use our services, when you fill in a form of interest, participate in a survey or competition, create an account, browse our website, participate in our events or visit our premises or otherwise interact with us.
  • Third parties – such as public address registers, credit reference agencies, debt collection agencies, installation partners, marketing partners, and other data providers.
  • Gren Group companies – which share information for purposes mentioned below in section 6.

We will use your personal data for predefined purposes based on contract, consent, legal obligation and legitimate interest. We will use your personal data for the following purposes:

3.1. Service delivery & customer service

We collect and use personal data about you to process orders, deliver products and services, to provide customer service, and to manage payments, contracts and transactions.

The data needed for delivering services vary depending on the product or service in question. For example, online services may require the user to authenticate, whereas heating contracts require us to measure the consumption. Our customer service handles your requests and messages to serve you. Customer service may also offer you the optimal contract type that we calculate for you. We may communicate with you on contract related matters via phone, mail, email, SMS, chat, automated calls, and other digital channels including social media.

By using our online services, such as mans.gren.lv you have the ability to view and pay invoices, for the provision of this service you confirm the terms of use of the said portal and on the basis of the contract we will process the information available on the portal about your authentication information, information about invoices, payment-related information, as well as your contact information in cases where, within the framework of the concluded service agreement, Gren needs to contact you about the contract execution, payment of bills and other similar matters.

The basis for processing your data for service delivery and customer service is typically the contract. When required by law, we may ask for your consent to deliver certain services, for example, location based services.

The term of storage of personal data is determined in accordance with regulatory enactments. For example, information about invoices and their payment Gren has a legal obligation to keep for 10 years from the date of issue of the invoice. Transaction documents and the information contained therein are stored all the time while the transaction documents are valid and in accordance with the requirements of regulatory enactments regarding storage and archiving of documents confirming the transaction.

Information related to user accounts created on the mans.gren.lv portal is stored until the user has requested or deleted his user account himself and the deletion is complete.

Information and personal data related to customer service are stored for two years from the moment of submitting a request, question or complaint. In the event that an investigation has been initiated and/or legal proceedings are ongoing in relation to the matter, this information and personal data may be retained for one year after the end of the relevant investigation or proceedings.

 

3.2. Sales, marketing, and stakeholder communications

We may contact you through marketing even if you are not our customer. We will ask for your consent to contact you when required by law, otherwise our contacting is based on legitimate interest. Without consent, we can send automated electronic marketing messages that relate to your customer or professional relationship with us, and use traditional marketing channels (e.g. post, telephone, door-to-door), when allowed by local law. We also conduct lotteries and contests.

In addition to our own marketing and sales, we use sales and marketing partners who may contact you about our products and services based on their own customer lists, or sell our products and services at their own premises. In rare cases organization and documentation of public activities might be required by law, such as public consultation within the construction project.

Below you can read more about the different types of marketing.

3.2.1. Customer marketing. Customer marketing is electronic automated marketing that is sent without consent to existing customers and business customers in those countries where such practice is allowed.

To our consumer customers, who are currently ordering our products and services, we send regular offers and information about products and services that are relevant for the customer relationship. We send these communications to the contact address (phone or email) that you have given in connection with your relationship.

To our business customers (employees of our current and prospective client companies and business partners, other stakeholders) we send offers and information about products, services, promotional events and services that are relevant for their professional role. We send these communications to the work contact address which we have received from the customer, their company, or a public source.

3.2.2. Consent based marketing. We send you automated electronic marketing and newsletters if you have agreed to subscribe to them. This marketing can contain information about any Gren group company products and services or about partner products and services. We may also collect marketing consent on behalf of our partners.

3.2.3. Traditional marketing channels. We may use traditional marketing channels (post, telephone, door-to-door) to contact you about our products or services and our partners’ products or services, unless you have blocked the use of your contact details.

3.2.4. Online advertising. We advertise our products and services online to users who visit our website or our partner’s website, by placing retargeting cookies or pixels on the sites that enable us (or a third party acting on our behalf) to show Gren ad to the same user in another network. In order to target you in social media, we may use your phone number or email address unless you have made a marketing block on them. For targeting in mobile applications, we may use data collected about your use of the application, and your CRM data. We also buy advertising services from external companies that target audiences relevant for Gren, with advertisements of Gren products and services, in which case Gren itself does not process the data.

3.2.5. What data is used to optimize sales & marketing (“Profiling”). For marketing and advertising, we use data that is collected during the customer relationship and from customer surveys; online behavioral data; and derived data that for example predicts the users’ interests. Based on these data, we are able to make marketing more relevant and effective, and send you more personalized offers. An example of derived data is a segment that tells us that the user is likely to live in a suburban area or a row house. You may also receive a targeted offer, for example because you have moved recently.

3.2.6. Stakeholder relations. We manage stakeholder relationships by communicating about relevant topics and promoting events which we arrange. Communications are sent directly by email to the contact addresses received from the stakeholders or their companies.

3.2.7.  Presentation of activities and promotion of activities. We organize various events on our own initiative, such as the annual celebrations of the CHP plant or, when required by law, for example, by organizing public consultations. During these events, photography and filming may take place with our legitimate purpose of reflecting and promoting the event on our website, social networks, etc. or by legal requirement to document such event.

 

3.3. Product and service development

We process personal data to improve and develop better services for our customers, to support our business decision making, and to consider our customers’ feedback and needs. The basis for processing data for product and service development is legitimate interest. This is done, for example, by collecting feedback directly from users using surveys, test panels, interviews, questionnaires and other forms of market research; by utilizing the data generated from the use of our services in analytics; by using recorded or transcribed phone calls for training and service quality improvement; and by testing system functionality with temporary sample data that is collected during normal service use.

Data processing for our product and service development generally happens with de-identified data to the extent possible. In the case that the customer’s real contact details are collected in connection to the survey, or if we conduct interviews personally with the customer, we may inform you specifically about the use of the contact details in connection to the survey or interview. We may occasionally use samples of real data, for example, to test the functioning of our systems.

3.4. Legal obligations

We process personal data to comply with our legal requirements, for example, accounting and tax laws, and anti-money laundering laws. The duration of the processing of personal data depends on the term of implementation of the obligations specified in regulatory enactments. For example, information related to invoices and transaction payments will be processed for 10 years from the date of entry into force of the prepared document. Other information related to the enforcement of legislation will be stored in accordance with the deadlines specified in the legislation.

3.5. Defense of legal rights & ensuring the security of our services and customers

We may process your personal data in order to defend, establish and enforce legal claims, including to prevent and/or stop fraudulent and illegal activities, to gather evidence of detected problems and to administer the situation, as well as to stop the misuse of our products or services.

We use personal data to defend and safeguard our rights and those of our customers. The basis for data processing for the defense of legal claims, debt collection, credit verification, information security and prevention of fraud and irregularities is usually legitimate interests. Personal data is used to ensure the security of our products and services, such as storing access logs and system backups, authenticating users, and preventing attacks.

Fraud prevention, security and management of legal claims may require any information and personal data mentioned in this privacy policy that you have previously provided to Gren.

In the case of legal claims, the data will be processed while the investigation, settlement and implementation of the legal requirement is ongoing. The data will be retained for three years after the decision to close the investigation or until the final execution of the court decision. Data, such as audit trails, are stored for information security purposes for up to 18 calendar months, unless the law provides for a longer retention period.

If we use automated decision-making with legal or similarly significant effects on you, we will inform you in advance. If such automated decision-making is not authorized by legislation, not necessary for performance or entering into a contract with us, we will ask for your consent.

You can always express your opinion or contest a decision based solely on automated processing, as well as to request a manual decision making process instead by contacting us.

Gren deletes or de-identifies personal data when it is no longer necessary for the purposes it was collected for. For information on how long we hold your personal data for, please contact us.

Where applicable, we may share your personal data with:

Gren Group companies – Our Group companies may use your personal data for the purposes defined in this notice, based on legitimate interest to the extent permitted by applicable law, including for marketing their products and services to you.

Commercial partners – We disclose personal data to our commercial partners based on legitimate interest to the extent permitted by applicable law. Examples of such situations include:

  • Where you have purchased our products and services from a commercial partner, we often need to exchange data about you as part of managing that relationship and your purchase – for example to identify your order and for us be able to pay them.
  • Where you buy our commercial partner’s product or service through us, you make a contract for it with the commercial partner selling that product or service. Gren is only charging the amount directly to your bill as part of the arrangement with the seller. Gren may pass your personal data to such a commercial partner to complete your purchase and for us to be able to pay them.

Our commercial partners include, for example substation maintenance vendor electricity grid companies, debt recovery agencies, insurance companies, consumer electronics retailers, electric charging station operators, banks, law firms, online advertising partners. In accordance with information above, Gren can name the following partners:

Please be aware, that information about partners above, is subject to frequent change.

Consent, contract or request. We may share your personal data if we have your consent to do so. Some of our products and services allow you to share your personal data with others. We may also share your personal data with a third party when this is required to  fulfill our obligations under contract with you or to fulfill a request by you. As an example, we will disclose your address to the postal, courier or installation service to be able to deliver a product or service which you have ordered.

Our subcontractors. We use subcontractors to provide services. Such subcontractors may have access to your personal information and are processing it on our behalf but they are not allowed to use the personal data for any other purpose than to provide the service agreed with us. We ensure through appropriate contractual arrangements that the processing of personal data is in accordance with this notice. Typical service providers that process personal data include for example network construction partners, telemarketing and sales partners, payment and invoicing partners, and IT software & service providers.

Acquisitions and divestments. If we decide to acquire, sell, merge or otherwise reorganize its businesses, this may involve disclosing personal data to prospective or actual purchasers and their advisers.

Authorities, legal proceedings and law. We will disclose your data to competent authorities, such as the police, to the extent required by law. We may also disclose your personal data in relation to legal proceedings or at the request of an authority on the basis of applicable law, or court order or in connection with a trial or authority process, or as otherwise required or permitted by law.

Some of our service providers and group companies operate internationally, which means that data occasionally could be located or transferred to the other country, including outside of the European Economic Area. When personal data is transferred outside the EU or the EEA, Gren uses appropriate safeguards, such as the standard contractual clauses provided by the European Commission.

You can obtain more information about the transfers by contacting us.

Gren employs appropriate organizational and technical security measures to protect your data from loss or misuse. We have a cybersecurity governance model which describes roles and responsibilities on the group level, and our instructions give detailed information on how personal data must be handled within Gren. By conducting awareness programs, we engage Gren employees in privacy and security considerations. Where we contract with third-party suppliers to provide services that may enable them to access your personal data, we require them by contract to have similar security controls in place.

When you use our services or visit our websites, Gren can collect data about your devices using cookies and other similar technologies. Our website may also include cookies and other similar technologies used by third parties. You can get more information about how to manage cookies and online data use by reading our cookie policy.

Below, you can see your rights regarding personal data that Gren processes about you. If you have any question about your rights or want to exercise them, please contact us. Please note that some of the rights may not be applicable, for example, if the data cannot be connected to you.

Right to access personal data – You have the right to be informed about the processing that we do and to request a copy of your personal data.

Right to correct personal data – You can ask for the information about you to be corrected, if it is not accurate or if it needs to be updated.

Right to data portability – You are able to obtain and reuse the personal data you have provided us. We can provide a selected set of the data delivered in a machine-readable format, where the basis of processing has been either contract or consent.

Right to deletion We will delete the data at your request, if it is no longer legitimately needed.

Right to withdraw your consent – If you have given a consent for data processing, you are always entitled to withdraw your consent.

Right to object to the processing – You have the right to object to the processing of your personal data on Gren legitimate interests, such as developing our products and services, and other purposes explained above in sections 3 and 6 above. Gren may reject your request if there is a compelling reason for continuing the processing.

Right to restrict the processing – In certain circumstances you have the right to have the processing restricted.

To opt out from electronic marketing communications and customer surveys: If you no longer want to receive marketing messages from Gren, you can choose to opt out at any time. The easiest way is to click the link at the end of the marketing message.

To opt out from telephone and postal marketing: If you no longer want to receive marketing calls or postal marketing from Gren, you can inform the customer service representatives.

To manage cookies and to opt out from targeted online advertising: If you want to manage cookies on our websites or to opt-out from targeted online advertising, use the controls set out in our cookie policy.

Please note that you may still receive marketing messages for a short period after opting out while we update our systems. Also, we sometimes use marketing partners, who may display our products and services to you, but who have not received any personal data about you from us. To opt out from such marketing or to exercise your other rights, you will need to contact the specific marketing partner directly.

How to lodge a complaint: If we do not take action in accordance with your requests, we will inform you of the reasons. If you are not satisfied with our response, or with the way we handle personal data, please contact us.

Gren reserves the right to amend this Privacy Notice. Possible amendments to the Privacy Notice will be notified about on our website, or by communicating directly to you.

Gren Group and its subsidiaries are the controllers of your personal data. If you want to exercise your rights or have any queries about the processing of your personal data, contact us.

Further questions and comments regarding your privacy can be addressed to our e-mail [email protected] or:

Gren Eesti
Niidu 24
80047 Pärnu
Estonia

Gren Tartu
Sõrba 54/1
50106 Tartu
Estonia

Gren Viru
Puru tee Sõrba 79
31023 Ahtme district, Kohtla-Järve, Estonia

Gren Latvija
Pasta 47
Jelgava, LV-3001
Latvia

Gren Jelgava
Pasta 47
Jelgava, LV-3001
Latvia

Gren Lietuva
J. Jasinskio g. 16B,
LT-03163
Lithuania

Consultant and Vendor

Gren Group, including its subsidiaries, is committed to respecting your privacy and complying with applicable data privacy laws.

This privacy notice describes how Gren Group and its subsidiaries processes your personal data. This notice applies to the processing of your personal data in the context of consultant or vendor relationship.

We may also provide you with additional privacy information in supplements or other notices regarding particular system, product or service.

Gren collects and processes various types of personal data, where applicable, such as:

  • Personal detailsincluding your contact details (such as your name, address, phone number, and email address), demographic data (such as your age, language, nationality, professional details) and your identification-related information where needed (e.g. national ID number, passport number).
  • Administrative information – such as your resumé and competences, information about previous assignments or projects where you have been involved, where applicable, the results of background checks, credit information, photographs, accident records, project time and attendance management and information about work-related equipment and services that you use in connection with working with us, including, e.g. recorded and transcribed phone calls, recordings of trainings, messaging, and information you publish about yourself in internal and external channels.
  • Financial data– such as your bank account information, travel and other expenses, insurance information, tax numbers.
  • Online data & identifiers– data that is collected with cookies or similar technologies about your use of our internal services, your IP address, cookie ID, mobile device ID, details about browser and device, and location.
  • Security data – data that is used for securing the use of our services and our premises, such as your password and login details, employee ID, security logs, facility entry logs, and CCTV camera recordings.

The personal data which we process about you comes from different sources:

  • You and your employer – We receive information directly from you and the company with which you are working.
  • Third parties – We may receive information from third parties, such as national authorities (e.g. police and other enforcement agencies).
  • Gren Group companies, which share information for purposes mentioned below in section 7.

We will use your personal data for predefined purposes based on contract, consent, legal obligation and legitimate interest. Typically, the legal basis for data processing in the supplier relationship context is our legitimate interest to administer our contact persons’, project workers’ or consultants’ information for work-related matters. In addition, we have certain legal and contractual obligations that require us to process personal data. Consent may be used in certain specific situations.

We will use your personal data for the following purposes:

  • Supplier & consultant relationship management

We process personal data to manage a professional relationship with our business partners. This involves contacting our stakeholders and arranging events.

  • Managing work orders and assignments, evaluation, and general administration

We process personal data of consultants in order to administer their work and assignments. We provide consultants with work-related tools, training and services, manage travel and expense claims and project hours, conduct contract performance evaluation, and manage insurances and payments. Personal data is also processed in supplier contract management, for example when signing non-disclosure agreements.

  • Service development & reporting

We process personal data to improve and develop our internal services. Service development is done, for example, by collecting feedback directly from you in surveys and questionnaires; by utilizing the data generated from the use of our services in analytics; and by using recorded or transcribed phone calls in certain operations for training and service quality improvement. We also have internal reporting processes that utilize personal data.

  • Legal obligations

We process personal data to comply with our legal obligations, for example, to comply with tax, accounting, securities, anti-bribery, anti-money laundering, health and safety rules and other legal obligation placed on Gren.

  • Ensuring security, safety and legal rights

We use personal data to ensure the security and safety of our information, facilities, products, services, and personnel. This is done subject to local law, for example by keeping access logs and system backups, preventing attacks, monitoring system use, identifying and authenticating individuals, and monitoring access and facilities (including CCTV) and locating individuals in emergency situations. We also process personal data for defending legal rights, including preventing and investigating fraud, industrial espionage and other crime.

If we use automated decision-making with legal or similarly significant effects on you, we will inform you about it in advance. If such automated decision-making is not authorized by legislation, not necessary for the performance or entering into a contract with us, we will ask for your consent.

Gren deletes or de-identifies personal data when it is no longer necessary for the purposes it was collected for. Where processing is based on legal obligation or consent, the processing is stopped once the legal obligation is not applicable anymore or consent has been withdrawn. Where processing is based on contractual relationships, the processing ends when certain contractual obligations cease to be in force, however, the contract and related personal data can be retained for up to 10 years. For more specific information on how long we hold your personal data for, please contact us.

Where applicable, we may share your personal data with:

Gren Group companies. Our Group companies may use your personal data for the purposes defined in this notice, based on legitimate interest to the extent permitted by applicable law.

Your employer. We may share your personal data for the purposes defined in this notice with the company with which you are legally employed by, based on our legitimate interest, to the extent permitted by applicable law.

Authorized third parties. We may share your personal data with authorized third parties, based on our legitimate interest, to the extent permitted by applicable law. In such cases, Gren will ensure there is a genuine need to share your personal data. Authorized third parties include, for example, Gren’s customers, travel agencies, banks, telecom operators, insurance scheme providers, auditors, professional advisors, external legal counsels, actuaries, medical practitioners, trustees or other third-party suppliers.

Our subcontractors. We use subcontractors to provide services to us. Such subcontractors may have access to your personal information and process it on our behalf, but they are not allowed to use the personal data for any other purpose than to provide the service agreed with us. We ensure that the processing of personal data by our subcontractors is done in accordance with this notice through appropriate contractual arrangements. Typical service providers that process personal data include for example IT software and service providers.

Acquisitions and divestments. If we decide to acquire, sell, merge or otherwise reorganize its businesses, this may involve disclosing personal data to prospective or actual purchasers and their advisers.

Authorities, legal proceedings and law. We will disclose your data to certain competent authorities, such as government agencies responsible for tax collection, statistical information or to the police, other law enforcement agencies, to the extent required under mandatory law. We may also disclose your personal data in relation to legal proceedings or at the request of an authority on the basis of applicable law, or court order or in connection with a trial or authority process, or as otherwise required or permitted by law.

Some of our service providers and group companies operate internationally, which means that data occasionally could be located or transferred to the other country, including outside of the European Economic Area. When personal data is transferred outside the EU or the EEA, Gren uses appropriate safeguards, such as the standard contractual clauses provided by the European Commission. You can obtain more information about the transfers by contacting us.

Gren employs appropriate organizational and technical security measures to protect your data from loss or misuse. We have a cybersecurity governance model which describes roles and responsibilities on the group level, and our instructions give detailed information on how personal data must be handled within Gren. By conducting awareness programs, we engage Gren employees in privacy and security considerations. Where we contract with third-party suppliers to provide services that may enable them to access your personal data, we require them by contract to have similar security controls in place.

When you use our services or visit our websites, Gren can collect data about your devices using cookies and other similar technologies. Our website may also include cookies and other similar technologies used by third parties. You can get more information about how to manage cookies and online data use by reading our Cookie policy.

Below, you can see your rights regarding personal data that Gren processes about you. If you have any question about your rights or want to exercise them, please contact us. Please note that some of the rights may not be applicable, for example, if the data cannot be connected to you.

  • Right to access personal data – You have the right to be informed about the processing that we do and to request a copy of your personal data.
  • Right to correct personal data – You can ask for the information about you to be corrected, if it is not accurate or if it needs to be updated.
  • Right to data portability – You are able to obtain and reuse the personal data you have provided us. We can provide a selected set of the data delivered in a machine-readable format, where the basis of processing has been either contract or consent.
  • Right to deletion We will delete the data at your request, if it is no longer legitimately needed.
  • Right to withdraw your consent – If you have given a consent for data processing, you are always entitled to withdraw your consent.
  • Right to object to the processing – You have the right to object to the processing of your data on Gren legitimate interests, such as developing our products and services, and other purposes explained above in sections 3 and 6 above. Gren may reject your request if there is a compelling reason for continuing the processing.
  • Right to restrict the processing – In certain circumstances you have the right to have the processing restricted.
  • How to lodge a complaint: If we do not take action in accordance with your requests, we will Inform you of the reasons. If you are not satisfied with our response, or with the way we handle personal data, please contact us.

Gren reserves the right to amend this Privacy Notice. Possible amendments to the Privacy Notice will be notified about on our website, or by communicating directly to you.

Gren Group and its subsidiaries are the controllers of your personal data. If you want to exercise your rights or have any queries about the processing of your personal data, contact us.

Further questions and comments regarding your privacy can be addressed to our e-mail [email protected] or:

Gren Eesti

Niidu 24

80047 Pärnu

Estonia

Gren Latvija

Pasta 47

Jelgava, LV-3001

Latvia

Gren Lietuva

Jasinskio g. 16B,

LT-03163

Lithuania

Job Applicants

Gren Group, including its subsidiaries, is committed to respecting your privacy and complying with applicable data privacy laws.

This privacy notice informs you about how Gren processes your personal data. This notice applies to the processing of your personal data in the context of recruitment and resourcing activities.

We may also provide you with additional privacy information in supplements or other notices regarding particular system, product or service.

Gren collects and processes various types of personal data, including:

  • Personal details – including your contact details (such as your name, address, phone number, and email address), demographic data (such as your language and nationality).
  • Recruitment information – such as your application and resume, interview information, video interviews, references from previous employers and other third party references, information about your competences, qualifications, skills, work experience, and education. As we take steps prior to entering into a possible employment contract, we may also collect results of the necessary health, drug, background (including security check), psychometric, and aptitude tests and depending on the position for which you are applying, and where necessary for the recruitment activities.
  • Identification information – such as proof of identity and your national identity number.
  • Online data & identifiers – data that is collected with cookies or similar technologies about your use of services, including your IP address, cookie ID and mobile device ID.

The personal data which we process about you comes from different sources:

  • You, when you submit us your data including application or resume or when you otherwise interact with us.
  • Third parties, such as recruitment agencies, your references and previous employers, medical or health check providers and authorities or other parties providing background checks. We will obtain your consent for such collection when required by applicable law.
  • Gren Group companies, which share information for purposes mentioned below in section 6.

We will use your personal data for predefined purposes based on legitimate interest and legal obligation.  Also, we may use your personal data based on your consent in addition to reliance on legitimate interest (this especially if additional consents are needed under applicable law).

The main purposes for which we process personal data are listed below:

  • Recruitment and resourcing: We use your personal data to contact you, for instance, to inform you about the status of your application or to obtain additional information. We also use your personal data to set up and conduct interviews and assessments, evaluations, reference, background checks as permitted by applicable law.
  • Creating an employee record: If Gren hires you, the personal data you have given during the application process may become part of your employee record and be used to manage your career at Gren.
  • Service development and analytics: We may use your personal data to improve and develop our recruitment processes and other related services, and to create analytics. We endeavour to use de-identified data when possible.
  • Security of our services and others: Personal data is used for ensuring the information security of our services and systems.
  • Legal obligations: We process personal data to comply with our legal obligations.

If we use automated decision-making, we will inform you in advance. If such automated decision-making is not authorized by legislation, not necessary for performance or entering into a contract, we will ask for your consent.

Gren deletes or de-identifies personal data when it is no longer necessary for the purposes it was collected for. Records from recruitment phase will not be stored for longer than one year, however, in case of disputes the information can be stored and processed till dispute is finally settled with a final decision of the court or until the statute of limitations expires. If Gren hires you, your personal data may become part of your employee record. For more information on how long we hold your personal data, please contact us.

Where applicable, we may share your personal data with:

  • Gren Group companies.  Our Group companies may use your personal data for the purposes defined in this notice based on legitimate interest to the extent permitted by applicable law.
  • Third parties. Gren may share your personal data with authorized third parties who process personal data for Gren for the purposes described in this Statement. These may include recruitment consultants or agencies, test providers, IT software & service providers, and others who help us fill vacancies and assess the suitability of job applicants. These authorized third parties are not permitted to use your personal data for any other purposes. We require them to act consistently with this Statement and to use appropriate measures to protect your personal data.
  • Acquisitions and divestments. If we decide to acquire, sell, merge or otherwise reorganize its businesses, this may involve disclosing personal data to prospective or actual purchasers and their advisers.
  • Authorities, legal proceedings and law. We will disclose your data to competent authorities, such as the police, to the extent required by law. We may also disclose your personal data in relation legal proceedings or at the request of an authority on the basis of applicable law or court order or in connection with a trial or authority process or as otherwise required or permitted by law.

Some of our service providers and group companies operate internationally, which means that data occasionally could be located or transferred to the other country, including outside of the European Economic Area. When personal data is transferred outside the EU or the EEA, Gren uses appropriate safeguards, such as the standard contractual clauses provided by the European Commission. You can obtain more information about the transfers by contacting our privacy team by using privacy request form.

Gren employs appropriate organizational and technical security measures to protect your data from loss or misuse. We have a cybersecurity governance model which describes roles and responsibilities on the group level, and our instructions give detailed information on how personal data must be handled within Gren. By conducting awareness programs, we engage Gren employees in privacy and security considerations. Where we contract with third-party suppliers to provide services that may enable them to access your personal data, we require them by contract to have similar security controls in place.

When you use our services or visit our websites, Gren can collect data about your devices using cookies and other similar techniques. Our website may also include cookies and other similar technologies used by third parties. You can get more information about how to manage cookies and online data use by reading our Cookie policy.

Below you can see the list of your rights regarding personal data that Gren process about you. If you have any questions about your rights or want to exercise them, please use our privacy request form. Please note that some of the rights may not be applicable, for example, if the data cannot be connected to you.

  • Right to access personal data – You have the right to be informed about the processing that we do and to request a copy of your personal data.
  • Right to correct personal data – You can ask information about you to be corrected if it is not accurate or needs to be updated.
  • Right to data portability – You are able to obtain and reuse the personal data you provided to us. We can provide a selected set of the data delivered in a machine-readable format, where the basis of processing has been consent.
  • Right to deletion We will delete the data at your request if it is no longer legitimately needed.
  • Right to withdraw your consent – If you have given a consent for data processing, you are always entitled to withdraw your consent.
  • Right to object to the processing – You have the right to object to the processing of your personal data on Gren legitimate interests such as developing of our recruitment process.
  • Right to restrict the processing – In certain circumstances you have the right to have the processing restricted.

How to lodge a complaint. If we do not take action in accordance with your requests, we will inform you of the reasons. If you are not satisfied with our response, or with the way we handle personal data, please contact us by using privacy request form. If you still not pleased with the handling, you can contact the national data protection authority.

Gren reserves the right to amend this Privacy Notice. Possible amendments to the Privacy Notice will be notified about on our website, or by communicating directly to you.

Gren Group and its subsidiaries are the controllers of your personal data. If you want to exercise your rights or have any queries about the processing of your personal data, contact us.

Further questions and comments regarding your privacy can be addressed to our e-mail [email protected] or:

Gren Eesti

Niidu 24

80047 Pärnu

Estonia

 

Gren Latvija

Pasta 47

Jelgava, LV-3001

Latvia

 

Gren Lietuva

J. Jasinskio g. 16B,

LT-03163

Lithuania