Notification on personal data processing

Your personal data controller is SIA „LG Capital”, registration number: 50203673881, registered office: Rīga, Aristida Briāna iela 6, LV-1001, e-mail: [email protected].

If you have any questions regarding this notice or the processing of your personal data, you may contact us using the communication channels listed above, or by reaching out to our Data Protection Officer at [email protected].

This notice explains how we process the personal data of our customers, prospective customers (including shareholders of AS “Latvijas Gāze”), website visitors, and other individuals whose personal data we may obtain in the course of our business activities.

By using our website or becoming our customer, we assume that you have read this notice and understood its contents. This is the current version of the data processing notice. We reserve the right to amend or update this notice from time to time as necessary.

The purpose of this notice is to provide you with a general overview of our data processing activities and purposes. Please note, however, that other documents (such as contracts, cookie policies, or the terms of use of the website lgcapital.lv, where applicable) may contain additional information regarding the processing of your personal data.

Please note that the personal data processing rules set out in this notice only apply to the personal data of natural persons.

In addition to these provisions, you can read the following additional personal data processing notices:

• Cookies Policy (available at https://www.lgcapital.lv/en/cookies).

We will only process your personal data for the legitimate purposes set out above, including the following:

a) For the initiation and provision of services, and for the performance of obligations under the contract (including any cooperation agreement)

For this purpose, we need to identify you, process information relating to your eligibility to enter into a business relationship with us, contact you regarding the provision of services and/or the performance of the contract, enforce outstanding obligations where necessary, and ensure the quality of our services.

For this purpose, and for the related sub-purposes described above, we may need to process at least the following categories of personal data: name, surname, personal identification number, e-mail address, contact address, bank account number, details of identification documents, and other relevant information as necessary.

The main legal bases used to achieve these purposes are the following:

• Entering into and performing a contract with the data subject (Article 6(1)(b) of the General Data Protection Regulation (hereinafter – GDPR)), for example, providing your account number in order to receive our services;
• The performance of a legal obligation (Article 6(1)(c) of the GDPR);
• The legitimate interests of the data controller (Article 6(1)(f) of the GDPR), such as communicating with you as our customer.

b) Compliance with the requirements set out in regulatory enactments relating to the provision of services, or with other applicable legal and regulatory requirements

For this purpose, we must comply with the requirements of accounting legislation, the Law on National and International Sanctions, EU Regulation No. 596/2014, and other applicable laws and regulations, as well as the requirements of the relevant supervisory authorities.

For this purpose, we may need to process personal data required for the performance of activities set out in applicable legislation, including responding to requests for information from public authorities or courts.

The main legal bases used to achieve these purposes are the following:

• The performance of a legal obligation (Article 6(1)(c) of the GDPR).

c) Protecting our legitimate interests and safeguarding the legitimate interests of our counterparties or of third parties

For this purpose, we may need to process your personal data in order to respond to applications, requests, submissions, and complaints. We may also need to defend our legal interests before public authorities or courts, for example, by disclosing information to such bodies where necessary.

For this purpose, we may also exchange information within our group of companies in order to fulfil the group’s strategic and economic objectives, manage risks, prepare group-wide reports, or conduct audits.

For this purpose, we may need to process your identification data, financial data, service usage data, and other relevant information as necessary.

The main legal bases used to achieve these purposes are the following:

• Legitimate interests of the controller (Article 6(1)(f) of the GDPR), for example – preserving and securing evidence in legal proceedings, preparing reports on economic indicators, and providing evidence for audits.

d) Ensuring the proper provision of services and cooperation with service providers and other business partners

For this purpose, we may need to maintain and improve our technical systems and IT infrastructure, implement technical and organisational solutions that may involve the use of your personal data (for example, through cookies) to ensure the proper provision of services, and process the personal data of the contact person designated by a business partner in order to ensure effective communication.

For this purpose, we may also maintain an audit trail of your online activities, create data backups, and implement other necessary measures.

The main legal bases used to achieve these purposes are the following:

• The legitimate interests of the data controller (Article 6(1)(f) of the GDPR).

We take appropriate measures to process your personal data in accordance with applicable law and to ensure that it is not accessed by third parties without a valid legal basis for processing.

As required, your personal data can be accessed by:

• Our employees or directly authorised persons who require such access to perform their work duties;
• Processors of personal data, in line with the services they provide and only to the extent necessary – for example, auditors, financial management and legal consultants, database administrators, security service providers (where engaged), and other service providers engaged by us;
• State and local authorities in cases provided for by law, for example, law enforcement bodies, municipalities, tax authorities, bailiffs, courts, and supervisory authorities;
• Third parties, where an appropriate legal basis for such data transfers exists, for example, courts, alternative dispute resolution bodies, insolvency administrators, and similar entities.

We take appropriate measures to ensure that the processing, protection and transfer of your personal data to processors are carried out in accordance with applicable law. We carefully select our personal data processors and, when transferring data, assess both the necessity of the transfer and the scope of the data to be shared. Transfers of personal data to processors are carried out in compliance with confidentiality obligations and requirements for secure processing.

At present, we cooperate with the following categories of personal data processors:

1. Outsourced accountants, auditors and legal advisers;
2. Owner/developer/technical maintainer of the IT infrastructure, database;
3. Other persons involved in the provision of our services.

As personal data processors may change from time to time, they are not listed individually in this document. If you wish to obtain this information, you may submit a reasoned request, and we will respond unless the provision of such information would prejudice our essential interests, for example, by disclosing trade secrets.

We do not transfer your data to countries outside the European Union or the European Economic Area.

Your personal data will be retained for as long as necessary to fulfil the purposes for which it is processed, and in accordance with applicable legal requirements.

When determining the retention period for personal data, we take into account applicable legal requirements, the performance of contractual obligations, your instructions (for example, where processing is based on consent), and our legitimate interests. If your personal data is no longer required for the specified purposes, we will delete or securely destroy it.

Here is a list of the most common retention periods for personal data:

• Personal data necessary for the performance of contractual obligations will be retained until the contract has been fully performed and the applicable retention periods have expired (see below);
• We will retain personal data that must be kept to comply with legal requirements for the periods specified in the relevant laws and regulations. For example, under the Accounting Law, supporting documents must be retained until they are no longer needed to establish the commencement and trace the progress of each economic transaction, but in any case, for no less than five (5) years;
• We will retain data in backup copies until a minimum number of newer backups have been created to ensure data recovery, after which the previous backup copies will be deleted;
• We will retain the data to demonstrate the fulfilment of our obligations for the duration of the general limitation periods for claims, in accordance with statutory time limits – five (5) to ten (10) years under the Civil Law, three (3) years under the Commercial Law, and other applicable limitation periods, including those set out in the Civil Procedure Law.

Updating of personal data
If there are any changes in the personal data recorded in the shareholders’ register of AS “Latvijas Gāze”, available online at https://info.ur.gov.lv/#/legal-entity/40003000642, the Applicant is obliged to inform AS “Latvijas Gāze” by completing the Shareholders’ Data Update Form, available here: https://lg.lv/uploads/documents/LG_akcionaru_anketa_LV_EN_012025.docx.

Your right to access and rectify your personal data
In accordance with the General Data Protection Regulation, you have the right to request access to your personal data held by us, request its rectification or erasure, request the restriction of its processing, object to its processing, and exercise the right to data portability, in the cases and manner provided for in the Regulation.

We respect your right to access and control your personal data. If we receive such a request, we will respond within the time limits set by law (normally within one month). Where a request requires more time to process, we will inform you accordingly. If appropriate, we will rectify or delete your personal data as requested.

You may obtain information about the personal data we hold about you, or exercise your other rights as a data subject, in any of the following ways:

• by submitting an application by post to us at the following address: Aristida Briāna iela 6, Rīgā, LV-1001;
• by submitting an application to our email address: [email protected], signed with a secure electronic signature.

Upon the receipt of your request, we will assess its content and our ability to identify you. Depending on the circumstances, we may ask you to provide additional information to confirm your identity, in order to ensure the security of your data and prevent disclosure to unauthorised persons.

Withdrawal of consent
If the processing of your personal data is based on your consent, you have the right to withdraw that consent at any time. In such a case, we will cease processing your personal data for the relevant purpose for which consent was given. However, please note that withdrawing consent does not affect the processing of personal data that is necessary to comply with legal obligations, to perform a contract, to pursue our legitimate interests, or that is otherwise based on other lawful grounds for processing under applicable law.

If you have any questions or concerns regarding our processing of your personal data, we encourage you to contact us first.

If you believe that we have not been able to resolve your issue and that we have infringed your rights to the protection of personal data, you have the right to lodge a complaint with the Data State Inspectorate. More detailed information can be found on the website of the State Data Inspectorate www.dvi.gov.lv.

We primarily collect your personal data in order to perform our contractual obligations, comply with legal requirements, and pursue our legitimate interests. In such cases, we need to obtain certain personal data for the relevant purposes. Failure to provide this data may prevent the establishment of a business relationship or the performance of a contract.

We may obtain your personal data in one of the following ways:

• from AS “Latvijas Gāze” to verify that you are eligible to use our services;
• in the process of entering into a contract with you, by obtaining data from you;
• on the website lgcapital.lv by using cookies;
• from you, if you submit any applications or emails to us;
• in certain cases, from third-party databases, e.g., when checking for national or international sanctions restrictions, etc.