Privacy Policy Regarding the Processing of Personal Data
Data Controller and Contact Information
The data controller for the processing of personal data is the medical facility SIA MedBeautyLab,
registration number: 40203679079,
address: Cēsu iela 31k-3, Riga,
email address: info@medbeautylab.lv
contact information: phone +371 27 677 888, email info@medbeautylab.lv

Introduction
  • The purpose of this Privacy Policy is to inform individuals—hereinafter referred to as the Patient/Employee or collectively as the Data Subject—about how the medical institution, SIA MedBeautyLab, hereinafter referred to as the Controller, processes the data of individuals, including the purposes of processing, the scope of data, security measures, as well as the rights and obligations of the Patient/Employee as a data subject
  • In the course of data processing, the Controller complies with the applicable legislation of Latvia and the provisions of the European Union, in particular, Regulation (EU) 2016/679 of 2016 (General Data Protection Regulation, GDPR), which replaces Directive 95/46/EC, hereinafter referred to as the Regulation, as well as other relevant legal acts in the field of privacy and data protection

Collection of Personal Data
The Controller may obtain the Patient’s personal data from:
  • the Patient themselves, other healthcare providers, medical records, the E-veselība system or other government systems, and insurance companies
The Controller may obtain an employee’s personal data from:
  • the employee themselves, previous employers or references (with the employee’s consent), public registries and government agencies, medical institutions, education and qualification documents, certificates or registries confirming professional competence, internal evaluations, and performance reviews

Scope of Personal Data
  • The Controller processes data necessary to uniquely identify the relevant individual (first name, last name, personal identification number, year of birth, address, phone number, and/or email address)
  • When providing its services, the Controller processes health data (including taking photographs to monitor treatment progress), which is considered a special category of personal data in accordance with the provisions of the Regulation
  • In the case of employees, the Controller also processes the following data: employment contract details, information regarding the performance of work duties, documents regarding education and qualifications, time records, salary, information regarding occupational safety and medical examinations, as well as other data necessary to ensure labor-law relationships in accordance with applicable regulations.

Purposes of processing personal data and legal basis
Purposes of data processing
  • Provision of medical services/supporting the treatment process
Legal Basis
  • Article 6, paragraph 1, subparagraphs (a), (b), (c), and (d), and Article 9, paragraph 2, subparagraph (h)
  • The Medical Care Act
  • The Patient Rights Act
  • Other regulations governing the operations of medical institutions
Purposes of data processing
  • Communication and information sharing, including commercial communications (sending emails and/or text messages)
Legal basis
  • Article 6, paragraph 1, subparagraph (a)
Purposes of Data Processing
  • Human Resources Management and Recruitment
Legal Basis
  • Article 6, paragraph 1, subparagraphs (b) and (c)
  • Employment contract; Labor Code; Other regulations governing labor relations, occupational safety, the retention of personnel records, etc.
Purposes of data processing
  • Video surveillance to prevent or detect crimes related to property security
Legal basis
  • Article 6, paragraph 1, subparagraph (f)
Purposes of data processing
  • Ensuring compliance with the Controller’s other obligations and safeguarding its rights
Legal basis
  • Article 6 (1) (c) and (f)

Processing of Personal Data and Protection of Personal Data
  • The Controller processes personal data using modern technological capabilities, taking into account existing privacy risks and the organizational, financial, and technical resources available to the Controller.
  • The Controller does not use automated decision-making, including profiling.
  • The Controller ensures the protection of personal data by utilizing modern technological capabilities and by carefully assessing potential privacy risks and the resources available to it in an organizational, economic, and technical context. 

Transfer of Personal Data
Recipients of personal data:
  • The data subject themselves
  • Insurance companies that cover or administer the costs of services
  • Medical institutions, laboratories, and providers of diagnostic and consulting services with whom we collaborate in the provision of services, as part of the medical care process, or during medical examinations at the facility
  • Other institutions specified in Article 10 of the Patient Rights Act
  • Government agencies and organizations (e.g., National Health Service (NVD), State Tax Service (VID), State Social Insurance Agency (VSAA), State Labor Inspectorate (VDI)) to the extent and in the manner prescribed by regulations
  • Law enforcement and supervisory authorities (e.g., the police, courts, the State Data Inspectorate) – only if required by law
Personal data is not transferred to third countries or international organizations

Retention Period for Personal Data
  • The Controller stores and processes personal data for as long as at least one of the purposes of processing personal data remains valid.
  • The retention period depends on the purpose of processing personal data and does not exceed the period established by law.
  • Personal data provided by the data subject on the basis of their consent is retained by the Controller until the purpose of data collection is achieved or until the data subject withdraws their consent
  • Employee data is stored in accordance with the timeframes established in the Labor Code and other regulatory acts (e.g., retention periods for personnel files, time sheets, occupational safety documentation, etc.)

The Patient’s Rights as a Data Subject
  • Right of access. The data subject has the right to access their processed personal information.
  • Right to rectification or erasure of personal data. The data subject has the right to request that the Controller promptly delete their personal data in the following cases:
      • the personal data is no longer necessary in relation to the purpose for which it was collected
      • the data subject withdraws their consent on which the data processing was based, and there is no other legal basis for such processing
  • The right to object to the processing of personal data and to restrict it. The data subject may object to the processing of data if the Controller processes the data subject’s personal data unlawfully or in violation of regulatory requirements
  • The right to withdraw consent to the processing of personal data. The data subject has the right to withdraw consent to the processing of their personal data if the basis for data processing is the data subject’s consent, but this does not affect the lawfulness of processing activities carried out while consent was in effect
  • The right to lodge a complaint with the supervisory authority—the State Data Protection Inspectorate.

Processing of Personal Data When Purchasing a Gift Card Online
  • When you purchase a gift card on the Controller’s website, the Controller processes the following personal data: first name, last name, email address, phone number, gift card amount, date and time of purchase, as well as payment identification data (e.g., transaction number, payment method). Payment card data (e.g., card number) is processed solely within the payment service provider’s system in accordance with its terms and is not stored by the Controller.
  • Personal data is processed to ensure the purchase, issuance, and delivery of the gift card, as well as the administration of payments and accounting records. The legal basis for this processing is Article 6(1)(b) and Article 6(1)(c) of the Regulation.
  • Personal data obtained in connection with the purchase of gift cards may be transferred to the Controller’s accounting service provider, as well as to a payment service provider (e.g., a bank or payment processing company) that handles card transactions. These recipients process personal data only to the extent necessary to provide the service and in accordance with applicable data protection laws.
  • Personal data collected during the purchase of a gift card is retained for as long as necessary to fulfill the relevant transaction and to ensure the Controller’s rights and obligations, as well as in accordance with the document retention periods specified in accounting and tax regulations.

Use of Cookies on the Website www.medbeautylab.lv
  • The Controller does not collect any personal information from visitors to its website through the use of cookies.

Document approved: December 1, 2025
Document version: 1.1
© All rights reserved 2026
Podiatry Practice Registration Code 001000369