Privacy Policy of the Companies of the “Latvijas dzelzceļš” Group (in force from 23.10.2025.)
General provisions
1. The purpose of the Privacy Policy of the companies of the “Latvijas dzelzceļš” Group (hereinafter referred to as the Privacy Policy) is to provide a natural person, such as a customer, party to a contract, authorized representative, contact person, applicant, visitor, participant in a procurement procedure, website user and other persons not listed in this Privacy Policy (hereinafter referred to as the Data Subject), with information on the purpose of, legal basis for, scope and terms of processing of personal data, personal data protection measures implemented by the companies of the “Latvijas dzelzceļš” Group (hereinafter referred to as the Group or company/companies of the Group), as well as the rights of the Data Subject in relation to the processing of personal data of the Data Subject.
2. The Privacy Policy applies to any Data Subject whose personal data are processed by the companies of the Group, regardless by what means and/or in what environment the Data Subject provides the personal data – in person, orally, in writing, by telephone, by electronic mail, on a website, within a video surveillance area or otherwise.
3. Terms used in the Privacy Policy – personal data, processing of personal data, data subject and other terms – are used within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the Regulation).
Information about Data Controller
4. Within the Group, the Data Controller is each company of the Group that determines, independently or jointly with other companies of the Group, the purposes and means of personal data processing. When processing personal data of the Data Subject, each company of the Group may be both the Data Controller and processor or joint controller.
5. Personal data are processed in the Group by the following Group companies:
5.1. SJSC “Latvijas dzelzceļš” – Reg. No. 40003032065, registered office: Emīlijas Benjamiņas Street 3, Riga; LV-1547;
5.2. “LDZ CARGO” Ltd. – Reg. No. 40003788421, registered office: Dzirnavu Street 147 k-1, Riga, LV-1050;
5.3. “LDZ apsardze” Ltd. - Reg. No. 40003620112, registered office: Zasas Street 5-3, Riga, LV-1057;
5.4. “LatRailNet” Ltd. – Reg. No. 40103361063, registered office: Pērses Street 8, Riga, LV-1011.
Each of the companies of the Group is independently responsible for personal data processing for its own purposes, for example, for the performance of contractual obligations, provision of services, etc.
Contact details
6. For the convenience of the Data Subject, companies of the Group have defined one type of contact details/communication in matters related to the processing of personal data and reporting possible personal data breaches: e-mail: datuaizsardziba@ldz.lv. By using this option or by contacting Emīlijas Benjamiņas Street 3, Riga, inquirers can ask additional questions about the processing of personal data. A request for exercising the Data Subject’s rights may be submitted in accordance with the procedures specified in Clause 17 of the Privacy Policy.
Purposes of personal data processing
7. Companies of the Group process individuals’ data for the following purposes:
7.1. Implementation of external legislation;
7.2. Ensuring operations of the companies of the Group;
7.3. Ensuring performance of the services of the companies of the Group – maintenance of railway infrastructure and provision of rail transport services, ensuring railway safety (including video and audio recording), investigation of railway accidents;
7.4. Provision of electricity services;
7.5. Ensuring civil protection and fire safety;
7.6. Conclusion and performance of contracts;
7.7. Ensuring service quality and control;
7.8. Maintenance of information and technical resources and systems necessary for the provision of services;
7.9. Identification of the Data Subject;
7.10. Communication with the Data Subject;
7.11. Human resource management – administration of recruitment and employment relations, staff training, monitoring of work processes, safety and quality;
7.12 Financial management – administration of invoices, other financial documents and management of company resources;
7.13. Collection of the Data Subject’s debts;
7.14. Organization and administration of public procurement;
7.15. Management of lease, rent, auction, sale of movable and immovable property;
7.16. Document management, record keeping, archiving;
7.17. Handling of applications/complaints lodged by the Data Subject and other documents;
7.18. Detection, prevention and investigation of criminal offences and breaches;
7.19. Management of the access control system, verification of passes;
7.20. Prevention of money laundering, terrorist financing and proliferation financing;
7.21. Sanctions screening;
7.22. Prevention of fraud, conflicts of interest;
7.23. Provision of information to public administration institutions in the cases and amounts laid down in external legislation;
7.24. Management of public relations, branding and marketing activities;
7.25. Establishment and maintenance of international relations;
7.26. Development and maintenance of the Railway History Museum’s collections and scientific archives;
7.27. Other purposes of which the Data Subject may be informed separately;
7.28. Handling of civil, administrative and criminal cases in court.
Categories and types of personal data
8. Companies of the Group mostly process the following categories and types of personal data:
8.1. Identification data of the Data Subject – name, surname, personal number, date of birth, passport No./ID number, driving licence number, service or employment ID number, signature;
8.2. Contact details of the Data Subject – address, telephone number, email address;
8.3. Data of a cooperation partner’s contact persons – person indicated by the cooperation partner who is to be contacted – name, surname, position, telephone number, email address;
8.4. Due diligence data on a cooperation partner’s natural persons, processed in accordance with external legal requirements – for example, information confirming the absence of tax debts, beneficial ownership verification, checks confirming that these persons are not subject to national or international sanctions, etc.;
8.5. Contract data – contract number, date of signing, contractors, contact details, signature;
8.6. Data necessary to ensure the performance of a contract, for example, mandatory data on a product, the customer’s freight, its location, etc.;
8.7. Data on purchase of a service (goods) – service name, purchase date, invoice number, provision of service, price, payment method, receipt data, service delivery address, etc., insofar as these data are attributable to an identifiable natural person;
8.8. Archive data at the Railway History Museum and data on persons who access this information;
8.9. Location data – for example, data on the destination of freight; the location of transport or traction vehicles;
8.10. Communication data – date of communication, content, status of implementation;
8.11. Voice recording data – recordings of customer service phone calls, date and time;
8.12. Data on payments – current account number, bank account number, invoice number, date, amount, invoice receipt type, payment date, debt amount, debt collection information;
8.13. Video data at facilities of the companies of the Group – video recordings of images, movements, and activities of natural persons; movable property, for example, vehicle registration data; special categories of data, including visible health data (e.g., disability), racial/ethnic origin data, data concerning philosophical or religious beliefs of the Data Subject; recording date, time, and any recorded offences;
8.14. Access control data – visitor identification data, time of the visit;
8.15. Vehicle identification data – make, number plate, owner;
8.16. Photographs and images – photographs from events at the companies of the Group, date and place of photographs;
8.17. Actions performed on the website – visitor’s IP address, date, time, duration of the visit, downloaded data, viewed sections, actions performed on the portal;
8.18. Professional (employment) data, such as information on education, work experience, current employment, positions, professional activity;
8.19. Information about real estate and facilities (real estate, land parcel or building, construction project), for example, address, name, cadastral number, designation, land register data, cadastral data;
8.20. Data necessary for the establishment, management and termination of employment relationships concerning applicants, employees, trainees, former employees, etc.
Legal basis for processing of personal data
9. Companies of the Group process personal data of the Data Subject according to the following legal bases:
9.1. For entering into and performing a contract to which the Data Subject is a party or for taking steps at the request of the Data Subject prior to entering into a contract (point (b), paragraph 1, Article 6 of the Regulation), for example, telephone number or email indicated in the contract are used only for communication with the Data Subject;
9.2. For compliance with a legal obligation to which the companies of the Group are subject – compliance with external legislation, for example, in organizing railway services; maintaining the railway infrastructure and ensuring safety on the railway; ensuring that unauthorized persons or vehicles do not have access to the railway infrastructure and the Group’s facilities, thereby ensuring maintenance of public order and safe organization of railway traffic; performing registration and analysis of railway accidents; organizing accounting and record keeping, leasing real estate, etc. (point (c), paragraph 1, Article 6 of the Regulation);
9.3. For the purposes of the legitimate (lawful) interests pursued by the companies of the Group or third parties (point (f), paragraph 1, Article 6 of the Regulation). The legitimate interests of the companies of the Group include, for example:
9.3.1. Conducting a business;
9.3.2. Verifying the identity and legal capacity of the Data Subject prior to entering into a contract or during servicing the Data Subject – by telephone, electronically, in person;
9.3.3. Ensuring implementation of contractual obligations;
9.3.4. Sending messages or otherwise communicating progress of the performance of the contract and developments relevant to the performance of the contract;
9.3.5. Review of the Data Subject’s submissions, applications, complaints;
9.3.6. Administration of payments and debts;
9.3.7. Providing electricity trading services;
9.3.8. Providing security services;
9.3.9. Providing freight transport services by rail;
9.3.10. Providing services of the Railway History Museum;
9.3.11. Providing qualification improvement and training services, issuing certificates;
9.3.12. Providing and administering real estate rental and management services;
9.3.13. Providing and administering rent of movable property, incl. rolling stock;
9.3.14. Providing and administering rent of residential premises;
9.3.15. Maintenance of information and technical equipment, tools and systems necessary for the provision of services;
9.3.16. Ensuring efficiency of services, sale of goods, and shipments;
9.3.17. Ensuring and improving quality of services;
9.3.18. Training and employment of trainees;
9.3.19. Prevention of unfounded financial risks to business activity of the companies of the Group (incl. credit risk assessment before the sale of goods and services and during the performance of a contract);
9.3.20. Debt collection, protection of the interests of the companies of the Group in court and other state institutions;
9.3.21. Prevention of corruption and criminal offences, limiting conflict of interest situations;
9.3.22. Informing the public about the operations of the companies of the Group, managing brand identity and marketing activities;
9.3.23. Popularizing railway industry at various public events;
9.3.24. Analysis of the operation of the websites and Internet sites of the companies of the Group, developing and implementing necessary improvements.
9.4. For the protection of the vital interests of the Data Subject or another natural person, for example, by performing video surveillance (point (d), paragraph 1, Article 6 of the Regulation);
9.5. In individual cases, also with the Data Subject’s consent (point (a), paragraph 1, Article 6 of the Regulation);
9.6. For the processing of special categories of personal data pursuant to Article 9(2) of the Regulation, where such processing is required by binding external legislation.
Processing and protection of personal data
10. Companies of the Group process the Data Subject’s data using modern technology, taking into account the existing privacy risks and the organizational, financial, technical and other resources available to the companies of the Group, and taking at least the following security measures:
10.1. Adopt internal policies regarding the protection of the personal data of natural persons;
10.2. Confidentiality rules and obligations for employees of the companies of the Group;
10.3. Agreements governing the protection of personal data with the contracting parties;
10.4. Restricted/controlled access to property, administrative premises, information systems and storage media of the companies of the Group;
10.5. Educating and testing employees on personal data protection matters;
10.6. Various information technology protection measures are employed, such as firewalls, secure passwords, multi-level access control, intrusion protection and detection programs, data encryption mechanisms, audits are performed on a regular basis and automated scanning tools are used to periodically test and ensure continuous personal data security, data loss prevention systems are used, etc.
11. The companies of the Group do not use automated decision-making regarding the Data Subject.
Transfer/disclosure of personal data
12. The companies of the Group do not disclose personal data of the Data Subject to third parties, except:
12.1. To the persons specified in the cases provided for in external legislation, in the procedure and to the extent specified in the external legislation;
12.2. When transferring personal data to a cooperation partner as a data processor or joint controller if the data have to be transferred as part of a contract concluded with the relevant cooperation partner for the performance of the contract;
12.3. When the Data Subject has given explicit consent;
12.4. In cases provided in external legislation in order to protect the legitimate (lawful) interests of the companies of the Group.
Access to personal data by third-country entities
13. The companies of the Group do not transfer personal data to countries outside the European Union and the European Economic Area, except in individual and justified cases when it is necessary for the performance of a contract or the provision of a service (for example, in the course of international freight transportation).
In such cases, personal data are transferred only after an appropriate and adequate level of data protection has been ensured in accordance with applicable data protection legislation, ensuring in all instances that data processing outside the European Union and the European Economic Area is carried out in accordance with the highest standards of security, confidentiality and legality.
Period for which personal data are stored
14. The companies of the Group do not store personal data for longer than is necessary for the purpose of data processing or for longer than required by external legislation. The period for which personal data are stored is determined by various criteria, such as requirements of external legislation, technical capacities for data storage, contractual obligations, other commitments, etc. The companies of the Group store and process personal data of Data Subjects as long as at least one of the following conditions exists:
14.1. As long as stipulated by external legislation, for example, in performing obligations specified in the Law on Accounting, Labour Law, and Law on Archives;
14.2. As long as the contract with the Data Subject is in force;
14.3. As long as the companies of the Group pursue their legitimate interests (for example, review of claims, judicial remedy, settlement of disputes, lodging a lawsuit, statute of limitations, etc.);
14.4. Personal data obtained during video surveillance – detailed information is available in the Privacy Policy section “Information for Data Subjects about video surveillance performed by the companies of the Group”;
14.5. Audio recordings of the Data Subject’s calls to the Railway Inquiry Service, phone numbers 1181 and 80021181, are stored for not longer than 13 months.
15. After the circumstances referred to in Clause 14 cease to exist, personal data of the Data Subject are deleted, unless external legislation provides for a different storage period.
Rights of the Data Subject
16. The Data Subject has the right to obtain, according to the relevant legal acts, information regarding the processing of his or her data, including the right to request a company of the Group to access his or her personal data, as well as to request that the data be completed, rectified or deleted, or that the processing be restricted regarding the Data Subject, or object to the processing.
17. The Data Subject may submit a request for exercising his or her rights:
17.1. In writing by visiting a company of the Group in person and presenting identification;
17.2. By electronic mail – by signing the mail with a secure electronic signature and sending it to the following email address: info@ldz.lv.
18. Upon receiving the Data Subject’s request, the company of the Group verifies the Data Subject’s identity, assesses the request and complies therewith in accordance with the relevant legal acts. In order for the Data Subject to receive information about him or herself, the company of the Group needs to identify you as the Data Subject, as the companies of the Group cannot provide information to a person without making sure that we provide the information specifically to you. Depending on the situation, the companies of the Group may ask the Data Subject to prove his or her identity with an identification or otherwise.
19. The Data Subject must take into account the working hours of the companies of the Group.
20. The companies of the Group respond to the Data Subject, taking into account the manner of receiving a response indicated by the Data Subject.
21. If the reply is sent by post, it is sent as registered mail, addressed to the person whose personal data have been requested. If the reply is provided electronically, it is signed with a secure electronic signature (if the application has been submitted with a secure electronic signature).
22. The company of the Group ensures the fulfilment of data processing and protection requirements in accordance with the relevant legal acts and, in case of the Data Subject’s objection, takes the necessary action to remedy the objection. If this fails, the Data Subject has the right to apply to the supervisory authority – the Data State Inspectorate, Elijas Street 17, Riga, LV-1050.
23. The Data Subject has the right to receive information about his or her personal data processed by the company of the Group, free of charge.
24. Receiving and / or using personal information may be restricted in order to prevent adverse effects on the rights and freedoms of other persons (including employees of the companies of the Group) or in cases where the provision of data is prohibited by external legislation.
25. Where requests for information are manifestly unfounded or excessive, in particular because of their repetitive character, the company of the Group may either: a) charge a reasonable fee based on administrative costs related to the provision of information or communication, or the performance of the requested action, or b) refuse to act on the request.
Website visits and cookie processing
26. The websites of the companies of the Group may use cookies.
27. Cookies are files that websites (hereinafter referred to as the Website) transfer to users’ computers in order to identify the user and facilitate the use of the website. Internet browsers can be configured to alert the visitor to the use of cookies and allow the visitor to choose whether he or she agrees to accept them. Not accepting cookies will not prevent a visitor from using the Website, but this may restrict the visitor’s ability to use the Website, for example, this may reduce performance speed of the Website. Detailed information about cookies, the Cookie Policy, can be found on the Website of each company of the Group, as the cookies used may differ from Website to Website.
Information for Data Subjects about video surveillance performed by the companies of the Group
28. The purpose of video surveillance is to enhance safety and security in the relevant area subject to video surveillance, including by recording accidents, protection of railway infrastructure objects, enforcing traffic safety on public railways, including on rolling stock, monitoring access to the Group’s buildings and areas adjacent thereto, rolling stock, and ensuring safety and security of facilities, employees and visitors, as well as property of the Group and documents and information stored at the Group’s facilities. Certain components of the video surveillance system may be used in investigation of violations of the rules and procedures of the Group. The video surveillance system enables prevention and, if necessary, investigation of public order crimes and security breaches in the area surveilled, reconstruction of the course of events, prevention of potentially dangerous situations or unauthorized physical access, including unauthorized access to enclosed and protected premises and areas, the information technology infrastructure of the Group, as well as prevention of theft or physical interference. The Group pays particular attention to video surveillance at level crossings. In cases where violations of traffic regulations near railway tracks are detected, the Group provides such data to the State Police with the aim of promoting safe crossing of railway tracks.
29. In order to achieve the purpose of video surveillance, the following conditions are observed: the Group observes the right to privacy and generally accepted ethical norms when performing video surveillance – the video surveillance system covers the immediate vicinity of the Group’s buildings, stations, level crossings, railway bridges, rolling stock and other facilities in the territory of Latvia, but not a larger area than necessary for attaining the purpose of the video surveillance system, unless national security interests dictate otherwise. Special signs are placed at the Group’s facilities to inform Data Subjects that video surveillance is being carried out.
30. The basis for processing is laid down in points (d) and (e), paragraph 1, Article 6, and point (g), paragraph 2, Article 9 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
31. Information storage duration – information obtained as a result of video surveillance is stored for up to 2 months, or longer if required by law. At the end of this period, the data are automatically deleted unless the data have been requested or a criminal offence or violations have been identified. If the data have previously been requested by the relevant state or municipal authorities or a criminal offence or violation has been identified, the data are stored as long as necessary. In certain cases, video material may be used in employee training as illustrative material.
32. Data protection officer’s information – datuaizsardziba@ldz.lv, telephone 8002 1181.
33. Categories of data processed as a result of video surveillance – video recordings of images, movements, and activities of natural persons; movable property, for example, vehicle registration data; special categories of data, including visible health data (e.g., disability), racial/ethnic origin data, data concerning philosophical or religious beliefs expressed by the Data Subject; recording date, time, place of recording, recorded offences.
34. Recipients or categories of recipients of personal data – companies of “Latvijas dzelzceļš” Group transfer data/video material obtained as a result of video surveillance only in the following cases and on the following conditions, provided that any of the following legal grounds apply:
34.1. To pre-trial investigation authorities, bodies performing operational activities, state security institutions, prosecutor’s office (for obtaining evidence in criminal cases), courts (for obtaining evidence in pending cases);
34.2. To the companies of the Group for attaining the purposes of the processing of data, based on an agreement or the internal regulations of “Latvijas dzelzceļš” Group;
34.3. To the State Police in the event violations of the Road Traffic Regulations have been recorded at level crossings;
34.4. To Data Subjects on the basis of a written application;
34.5. To legal persons on the basis of a valid application or contract.
35. The data are not transferred to third countries or international organizations.
36. Rights of the Data Subjects:
36.1. By submitting a written request, the Data Subject has the right to obtain all information collected about him or her in the video surveillance system, unless disclosure of such information is prohibited by law or the information has already been deleted in accordance with the internal regulations of “Latvijas dzelzceļš” Group;
36.2. The Data Subject has the right to receive the above information free of charge, or receive a substantiated refusal to provide information, within one month from the date of submission of the request;
36.3. The Data Subject has the right to rectification and erasure of data, restriction of processing, and data portability – to the extent technically and legally possible in each particular case;
36.4. The Data Subject has the right to lodge a complaint with the supervisory authority – the Data State Inspectorate, if violations in the processing of personal data have been established.
37. Data Subjects should take into consideration that “Latvijas dzelzceļš” Group reserves the right not to release material obtained during video surveillance in cases when such release of data:
37.1. Would affect other data subjects and there would be no technical possibility to provide the information without infringing the rights of other data subjects;
37.2. Would affect provision of information from video surveillance systems at critical infrastructure facilities;
37.3. Requires an excessive amount of time, staff or financial resources due to their size or complexity.
Information for Data Subjects on the processing of personal data by the companies of the Group during personnel selection
38. The Group processes individuals’ data for the following purposes:
38.1. Selection of personnel for a specific job;
38.2. Selection of personnel for future vacancies;
38.3. To ensure transparency of the personnel selection process and the ability to prove it to the auditors, ensuring availability of facts proving the validity and legality of the decisions taken during the personnel selection process;
38.4. To obtain evidence proving, in case of possible complaints and disputes, the legality of the relevant selection process.
39. The following personal data are processed during the personnel selection process:
39.1. Identification data – name, surname;
39.2. Contact details – email address, telephone number, registered or actual address;
39.3. Information on past work experience;
39.4. Information on the Applicant’s qualifications and skills (additional requirements may be set for certain categories of applicants, for example, whether he or she has a driving license, documents certifying proficiency in the state language, etc.);
39.5. Data based on special legal provisions applicable to certain categories of positions, for example, data on compliance with the requirements of the Law on Official Secret or compliance with the requirements set by the National Security Law. In such instances, Applicants are provided with additional information;
39.6. Information from the Applicant’s past employees;
39.7. Information from the mass media and social media – for the purpose of obtaining information about the candidate’s reputation;
39.8. Education and training data;
39.9. Other information from the application documents (application letter, CV, certificates, etc.).
40. For each personnel selection competition, the Controller indicates the scope of data to be submitted, the submission of which is mandatory for the Applicant to participate in the personnel selection process.
41. The Group reserves the right to delete personal data received that are not necessary for the evaluation of applications.
42. Legal basis for the processing of personal data and data storage period:
42.1. The legal basis for the processing of personal data by the Group is laid down in point (a), paragraph 1, Article 6 of the Regulation - CONSENT of the applicant, point (f), paragraph 1, Article 6 – legitimate interests of the companies of the Group, and point (c), paragraph 1, Article 6 – legal obligation of the companies of the Group to ensure transparency of the selection process for members of the Management Board and of the Council; information required on the basis of the National Security Law and the Law on Official Secret that is relevant for specific categories of positions.
42.2. Consent when applying for a specific position or positions:
42.2.1. When a candidate applies for a specific position or positions in the Group, the companies of the Group receive and use the Applicant’s personal data on the basis of the Applicant’s consent (consent is provided by the Applicant’s actions – submission of application documents to a company of the Group) only for competitions for a specific position or positions that the Applicant has applied for, the data are stored for one year after the vacant position is announced;
42.2.2. The Applicant has the right to revoke his or her consent referred to in this clause at any time by sending a request to datuaizsardziba@ldz.lv. In this case, all personal data submitted by the Applicant on the basis of the specific consent will be deleted, while the Applicant’s request for data erasure will be retained;
42.2.3. In the cases referred to in this clause, personal data are stored for one year to enable the Group to protect its legitimate interests and provide evidence in the event of a complaint or a legal dispute to prove the legality of the selection process, as well as to ensure full documentation for the audit to demonstrate transparency of the selection process and validity and legitimacy of the decisions taken. The storage period for the data submitted is reviewed once a year.
43. Consent also for other competitions in the future and for storing the Applicant’s data in the database of applicants of the companies of the Group:
43.1. If an Applicant is not selected for a position in the Group for which he or she applied, but wants the Group to keep the application and the data submitted by the Applicant and use them in other competitions, the Applicant has the opportunity to indicate in the application that he or she wishes to give his or her consent for storage of the data submitted. In this case, a company of the Group may store and use the Applicant’s personal data for 1 (one) year from the moment the vacancy is announced. The legal basis for the storage and use of such personal data is the Applicant’s consent and the possibility to participate in future job competitions of the companies of the Group without announcing the job competitions publicly;
43.2. The Applicant has the right not to give his or her consent referred to in this clause; if consent has been given, it can be revoked at any time by sending a request to datuaizsardziba@ldz.lv. In this case, all personal data submitted by the Applicant on the basis of the specific consent will be deleted, while the Applicant’s request for data erasure will be retained;
43.3. In the cases referred to in this clause, personal data are stored until the given consent is revoked or for 1 year from the moment the vacancy is announced so that the companies of the Group can use the personal data for other competitions or vacancies.
44. Submission of other personal data
44.1. The Applicant has the right to submit to a company of the Group personal data of other persons only in exceptional cases, for example, by submitting personal data of a person who gives or could give a reference for the Applicant’s past work experience. In such cases the Applicant, as a controller, is responsible for complying with the legal basis for submitting these personal data to the Group and other applicable requirements. The Group always reserves the right not to accept personal data it has not requested.
Other provisions
45. The Privacy Policy may be amended and extended, and such amendments and extensions are made available to the Data Subject by posting relevant information on the websites of the companies of the Group.
46. The companies of the Group keep the previous versions of the Privacy Policy and they are available on the websites of the companies of the Group.