SKONTO MEDIJU GRUPA
PRIVACY POLICY
Last updated: July 9, 2025
The SKONTO MEDIJU GRUPA (hereinafter – SMG) Privacy Policy (hereinafter – the Policy) describes and provides information to identifiable natural persons (hereinafter – Data Subject or Data Subjects) about how SMG processes their personal data in the following cases:
when they visit venues of events organized by third parties where SMG performs its core business functions;
when they choose to participate in events organized by SMG (including but not limited to broadcasts, projects, social campaigns or activities, or when they agree to provide interviews or express their opinions);
when they choose to visit the websites: skontotev.lv, radioskonto.lv, radiotev.lv, radioskontoplus.lv, lounge-fm.lv, loungefm.lv, mediaresearch.lv, mediasurvey.lv, radio9.lv, skonto.lv (hereinafter – the websites) where SMG publishes information;
when they follow SMG on social media, including interactive engagement;
when they use SMG applications.
This Policy outlines measures taken to ensure the protection of the interests and freedoms of Data Subjects and guarantees that data is processed fairly, lawfully, and transparently.
The Policy applies to the processing of personal data regardless of the form or environment in which such data is submitted to SMG (e.g. entering premises where SMG operates, participation in contests, campaigns, surveys, voting, by phone, in person, via social media, etc.), and regardless of which SMG system (video, audio, digital environment, etc.) processes the data.
If the Policy is updated, the amendments shall take effect from the date specified in the relevant update notice. The most current version will be available on SMG websites under the section “Privacy Policy”.
The data processing principles described herein apply to the above-listed websites insofar as they relate to the content published on them. Information related to the functioning of those websites (especially the use of cookies) is provided in SMG's Cookie Policy.
1. Data Controller
1.1. The Data Controller is SKONTO MEDIJU GRUPA (SMG), which includes the following companies:
· SIA “FitFM”, registration No. 40003725394 (LOUNGE FM);
· SIA “Radio Skonto Vidzeme”, registration No. 44103073329 (Radio Skonto Plus);
· SIA “Radio TEV”, registration No. 44103072732 (Radio TEV);
· SIA “RADIO SKONTO LV”, registration No. 44103054510 (Radio Skonto);
· SIA “RADIO JŪRMALA”, registration No. 40003561139.
(hereinafter – the Controller)
You can contact the Controller by sending an email to: birojs@smg.lv
2. Applicable Legal Acts
2.1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation – GDPR) (hereinafter – the Regulation).
2.2. The Law on the Processing of Personal Data of Natural Persons.
2.3. Other applicable legal acts governing the processing and protection of personal data, including regulations relevant to the Controller’s main activities – such as the Electronic Mass Media Law, the Law on the Press and Other Mass Media, etc.
3. Personal Data
3.1. Personal data refers to any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as name, surname, ID number, location data, online identifiers, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
4. Purposes of Personal Data Processing
The Controller, in carrying out its core activities, has identified several purposes for processing personal data. Below are the specific purposes for which the Controller provides more detailed information. For further questions, you may contact the Controller using the contact details provided in Section 1 of the Policy.
4.1. Data processing for the purpose of creating broadcasts and informing the public, by making such content available on various online platforms for an indefinite period.
What data is processed?
The categories of personal data depend on how and why the Controller obtained the data. In most cases, journalistic data processing principles apply — meaning the data subject has limited rights to request information, especially that which is not publicly available. The Controller may possess various categories of personal data, including sensitive information such as health or social circumstances.
What is the legal basis for processing?
Data is processed based on Article 6(1)(a) of the Regulation — if the person has given consent to participate in broadcasts or projects (and may withdraw consent at any time before or during recording). Also, under Article 6(1)(e) — for the performance of tasks in the public interest, and Article 6(1)(f) — to pursue the Controller’s legitimate interests (e.g., keeping notes, sources, and other documentation).
What is the data retention period?
The Controller plans to store the acquired and/or created content indefinitely. Materials will be retained in internal systems and, to the extent provided by the Controller, made publicly available for unlimited time and accessible by third parties.
Who can access and receive the data?
Authorized employees, data processors, law enforcement and supervisory authorities, and any third party accessing the content — either in real-time or via archive. If third parties receive data under contract, they may use it only for actions necessary to fulfill the contract (e.g., video editing).
4.2. Data processing for the purpose of ensuring accurate service delivery, contract fulfillment, and the protection of the Controller's legitimate interests.
What personal data is processed?
The categories of personal data processed by the Controller depend on the services used by individuals, their scope, and the terms of cooperation. For example, if a data subject receives or expresses interest in receiving services from the Controller, in accordance with Latvian law and the Controller’s legitimate interests, the Controller is obligated and entitled to process identifying information and data verifying the individual's identity.
Similarly, if a complaint is submitted regarding service quality, the Controller must review it and identify the complainant. In such cases, the Controller may process personal data such as name, surname, personal identification number, contact details, and information about received or requested services. This information is recorded in documentation and stored in the Controller’s data processing system. Personal data related to a service recipient is processed based on the agreement between the parties.
What is the legal basis for processing?
Processing is carried out based on Article 6(1)(b), (c), and (f) of the Regulation:
– to perform a contract to which the data subject is a party,
– to comply with a legal obligation applicable to the Controller,
– in some cases, to protect the Controller’s or third parties’ legitimate interests (e.g., investigating complaints, conducting service quality checks, or securing evidence in case of disputes).
What is the data retention period?
When providing services, the Controller follows Latvian legal acts that establish data retention obligations. For instance, the Law on Accounting requires transaction data to be stored for at least five years. After the legally defined period, the personal data is permanently deleted.
Who has access to the data and to whom is it disclosed?
Recipients may include authorized employees of the Controller, data processors, supervisory and law enforcement authorities, and third parties under contract — such as accountants, auditors, lawyers, or service improvement providers.
4.3. Coverage of events organized by the Controller and its partners in the media, on the website, and on social media to promote and raise awareness of the brands represented by the Controller or to inform the public about socially significant topics highlighted by the Controller.
What personal data is processed?
At events organized by the Controller or its partners, and in locations where photos, audio, or video recordings are made, participants' and visitors' images, voices, and audiovisual materials may be processed.
By participating in contests, games, surveys, promotions, and other activities announced on the Controller’s websites, the data subject agrees to the processing of their personal data for the purposes of:
– administering the activities,
– determining and announcing winners,
– identifying winners/participants during prize distribution,
– including names, surnames, and email addresses in the prize delivery records,
– maintaining a participant database,
– collecting information for marketing and tailored surveys (by gender, age, residence, etc.),
– compiling statistical data.
Event-related materials may be archived and shared on the Controller’s managed social networks, digital platforms, and informational materials.
What is the legal basis for processing?
Processing is based on Article 6(1)(a) and (f) of the Regulation:
– where the data subject has given consent for one or more specific purposes,
– to fulfill the legitimate interests of the Controller, such as brand promotion.
Consent is voluntary and may be given orally, especially when the person is informed of data collection (e.g., participating in a program recording, giving an interview, knowingly appearing in media).
The data subject has the right to withdraw consent at any time using the contact information provided in Section 1. The withdrawal does not affect processing that occurred while the consent was valid. Processing may continue based on other legal grounds, including the Controller’s and third parties’ legitimate interests.
What is the data retention period?
The Controller plans to retain the collected data permanently. Since the purpose is public dissemination of event information, the materials will remain publicly accessible and available to third parties.
Who has access to the data and to whom is it disclosed?
Data recipients may include the Controller’s authorized staff, data processors, supervisory and law enforcement authorities, and third parties under contracts — for example, for legitimate interest purposes (e.g., insurance), or to provide services (e.g., video editing), or to enhance the quality of event services.
4.4. Prevention or detection of criminal offenses related to property protection, ensuring the protection of the legal interests of the Controller and third parties in the event of violations, and the protection of vital interests of individuals, including life and health
What personal data is processed?
When a data subject enters or is present in the Controller’s premises or territory where video surveillance is in operation, the subject’s video image and the time of visit may be processed. Video surveillance is not conducted in areas where a person can expect increased privacy. Cameras are focused on hallways and entrances/exits.
What is the legal basis for data processing?
Video surveillance is carried out to prevent or detect criminal activity, protect persons and property, ensure the legal interests of the Controller or third parties, and safeguard vital interests, including life and health.
Processing is based on Article 6(1)(d) and (f) of the Regulation:
– it is necessary to protect the vital interests of the data subject or another natural person (e.g., life or health risks),
– it is necessary for the legitimate interests of the Controller or a third party (e.g., crime prevention, gathering evidence).
What is the data retention period?
Video recordings are stored for no longer than 30 days unless they contain potential evidence of unlawful actions or incidents that may help protect the legal interests of the Controller or third parties.
In such cases, recordings may be extracted and stored until those interests are safeguarded—e.g., for at least one year after a final decision has come into force and has been executed.
Who has access to the data and to whom is it disclosed?
Authorized employees of the Controller, data processors, and law enforcement or supervisory authorities may access the data.
4.5. Retention and logging of incoming and outgoing communication (emails, postal letters, messages via social media platforms, etc.) to fulfill the Controller’s obligations and legitimate interests
What personal data is processed?
When contacting the Controller in writing, information related to the message, request, or application is stored. Although the Controller recommends using official communication channels, communication may also occur via websites or social media, and in such cases, the Controller may obtain additional information visible in the data subject’s profile.
What is the legal basis for processing?
The storage of communication content and records is based on Article 6(1)(f) of the Regulation – to protect the legitimate interests of the Controller or third parties (e.g., in complaint investigations or to gather evidence).
What is the data retention period?
Data is stored for up to two years unless required for a longer period to protect the Controller’s legal interests (e.g., in case of a dispute).
Who has access to the data and to whom is it disclosed?
Authorized staff of the Controller, processors, law enforcement, supervisory authorities, and courts.
4.6. The Controller’s personnel recruitment and the protection of related legal interests
What personal data is processed?
All information provided in the data subject’s CV: name, personal ID code, gender, citizenship, address, employment and education history, language skills, additional skills, hobbies, phone number, email address, Skype ID, photo, and other identifying information, as well as references (if the subject gave permission). Also includes interview notes, test results, etc.
What is the legal basis for processing?
The individual voluntarily applies for a position or asks to be included in the candidate database. This gives the Controller the right to process personal data to evaluate applications and ensure lawful recruitment. Data may also be used as evidence in disputes.
What is the data retention period?
Data is stored for up to 6 months after the specific job competition ends. If the candidate wishes to be included in the Controller’s job seeker database, data is kept for up to 1 year. In case of a complaint, all data is kept until the complaint is resolved or a final court decision is issued.
Who has access to the data and to whom is it disclosed?
The Controller’s authorized employees process the data according to their duties and in compliance with data protection rules. In case of complaints, data may be shared with supervisory or law enforcement authorities and courts.
5. Informing the Data Subject About the Processing of Their Personal Data
5.1. The Data Subject is informed about the personal data processing specified in this Policy using a multi-level approach, which includes the following methods:
a) Notices are placed in video surveillance areas informing Data Subjects (pedestrians, drivers, visitors, employees, etc.) that video surveillance is taking place in the Controller’s territory, providing basic information and guidance on where to obtain further details;
b) When visiting the Controller’s website, the Data Subject can view a notice about the use of cookies and is invited to review this Policy;
c) This Policy is publicly available on the Controller’s websites;
d) At public events where photos or video materials may be taken to promote the Controller or its represented brands, the information indicated in this Policy will be displayed at data processing locations.
6. Data Subject Rights
6.1. The Data Subject has the right to request access to their personal data from the Controller and obtain information about what personal data the Controller holds, the purposes for processing, the categories of recipients (i.e., individuals or organizations to whom data has been or may be disclosed—excluding those cases where regulatory acts prohibit such disclosure, e.g., criminal investigation authorities), the data retention period, or the criteria used to determine that period.
6.2. If the Data Subject believes that the information held by the Controller is outdated, inaccurate, or incorrect, they have the right to request correction of their personal data, clearly specifying which data should be corrected and what the current information is.
6.3. The Data Subject has the right to request deletion of their personal data or object to processing if they believe it is unlawful or no longer necessary for the purposes for which it was collected and/or processed (the “right to be forgotten”). The request must specify which data should be deleted and include justification. Note that deletion may not always be possible.
6.4. The Data Subject has the right to restrict the processing of specific data if they are unsure whether the data is being processed lawfully. The request should include the reason for restricting the processing.
6.5. The Data Subject has the right to object to data processing in certain cases based on individual circumstances.
6.6. The Data Subject has the right to data portability, allowing them to request transfer of their personal data to another controller or to receive it themselves in a structured format, specifying the scope of the data.
6.7. Data will not be deleted if processing is necessary:
a) to protect the vital interests of the Data Subject or another individual, including life and health;
b) to protect the property of the Controller;
c) for the establishment, exercise, or defense of legal claims by the Controller or a third party;
d) for archiving purposes in accordance with Latvian legal requirements governing archiving.
6.8. The Data Subject has the right to request restriction of their data processing if one of the following applies:
a) The Data Subject contests the accuracy of the data—processing may be restricted while the accuracy is verified;
b) Processing is unlawful, and the Data Subject objects to erasure and instead requests restriction;
c) The Controller no longer needs the data for processing, but it is required by the Data Subject for legal claims;
d) The Data Subject has objected to processing, pending verification of whether the Controller’s legitimate interests override those of the Data Subject.
6.9. If processing is restricted under point 6.8, the personal data may only be processed (except for storage) with the Data Subject’s consent, for legal claims, to protect another person’s rights, or for important public interest.
6.10. Before lifting the processing restriction, the Controller will inform the Data Subject.
6.11. The Data Subject has the right to file a complaint with the Data State Inspectorate if they believe their personal data has been processed unlawfully. However, the Controller encourages contacting them first at birojs@smg.lv to seek a resolution as quickly as possible if a data protection violation is suspected.
6.12. The Data Subject can exercise their rights by submitting a request:
a) via email, signed with a secure electronic signature. In such cases, the Data Subject is presumed to be identified. The Controller reserves the right to request additional information if needed. Requests should be sent to birojs@smg.lv.
6.13. The Data Subject should specify the date, time, location, and other circumstances that would help process their request.
6.14. Upon receiving a written request, the Controller will:
a) verify the identity of the requester;
b) evaluate the request:
If it can be fulfilled (e.g., video footage can be provided), the Data Subject may receive a copy of the footage or other data;
If additional information is needed to identify the Data Subject, the Controller may ask for it;
If the data has been deleted or the requester cannot be identified as the Data Subject, the request may be denied in accordance with this Policy or applicable laws.
6.15. The Controller may reject the request if:
a) it is not clearly formulated;
b) the requester cannot be identified;
c) the Controller has already responded to a similar request;
d) the requested information is excessive or disproportionate;
e) the request is unfounded (not applicable to the Controller or lacking justification);
f) Latvian law prohibits the Controller from disclosing the information or requires retaining the data.
6.16. Personal Data Protection
a) The Controller ensures, continuously reviews, and improves personal data protection measures to protect the personal data of individuals from unauthorized access, accidental loss, disclosure, or destruction. To achieve this, the Controller uses appropriate technical and organizational requirements, including the use of firewalls.
b) The Controller carefully examines all service providers processing personal data of individuals on behalf of and under the instruction of the Controller and evaluates whether cooperation partners (data processors) apply adequate security measures to ensure that the processing of personal data of individuals takes place in accordance with the Controller's mandate and the requirements of the normative acts of the Republic of Latvia.
c) In the event of a personal data security incident that may pose a potentially high risk to the rights and freedoms of the data subject, the Controller will notify the relevant Data Subject if possible, or the information will be published on the Controller’s website or by other possible means such as through the media (TV, radio, newspapers, social networks, etc.).
d) The Controller does not process personal data of users under the age of 16 without the explicit consent of a parent or legal guardian unless applicable laws provide otherwise. The Controller does not knowingly collect or process children’s data without proper consent, and if such information becomes known to the Controller, it is immediately deleted. Responsibility for any submission of minors’ data without appropriate consent fully lies with the party submitting the data.
7. Controller's Details:
SIA "RADIO SKONTO", registration number 40003115418, legal address: Krišjāņa Valdemāra Street 100, Riga, LV-1013, email: birojs@smg.lv.