Privacy policy

1.1. The purpose of the document is to provide information to a natural person - a data subject, who is a potential or existing client, partner, job applicant in personnel selection announced by the State Joint Stock Company "Latvian State Radio and Television Centre" or other person whose personal data may come into the possession of the State Joint Stock Company "Latvian State Radio and Television Centre" in the course of its commercial activities, on the procedure for processing data of natural persons by the LVRTC.

1.2. The Privacy Policy applies to:

1.2.1. clients (including former and potential clients) of State Joint Stock Company "Latvian State Radio and Television Centre" and their representatives, business partners and their representatives, as well as third parties who process any personal data in connection with the provision and/or receipt of services;

1.2.2. visitors or State Joint Stock Company "Latvian State Radio and Television Centre" facilities and events where video surveillance or photography is carried out;

1.2.3. users of the Internet resources and mobile applications of the State Joint Stock Company "Latvian State Radio and Television Centre";

1.2.4. applicants in staff selection announced by the State Joint Stock Company "Latvian State Radio and Television Centre";

1.2.5. other natural persons whose personal data may come into the possession of the State Joint Stock Company "Latvian State Radio and Television Centre" within the framework of its commercial activities or in accordance with the procedure established by laws and regulations.

1.3. The Privacy Policy applies to the processing of personal data regardless of the form or medium in which the personal data are submitted: on the Internet resources of the State Joint Stock Company "Latvian State Radio and Television Centre", via mobile applications, on paper, in person, electronically or by telephone.

Processor

- Personal data processor. A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Processing

- Any action or set of actions performed on personal data with or without automated means, such as collection, registration, organization, structuring, storage, adaptation or modification, retrieval, viewing, use, disclosure, transmission, distribution or otherwise making them available, harmonization or combination, restriction, deletion or destruction.

Data subject

- A natural person who can be identified, directly or indirectly.

eIDAS

- Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive No. 1999/93/EC

Data of specific categories

- Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, genetic data, biometric data, health data, data concerning a natural person's sex life or sexual orientation.

Customer

- A natural or legal person with whom the State Joint Stock Company "Latvian State Radio and Television Centre" has concluded a contract for the provision of specific services or who initiates the process for concluding such a contract.

LVRTC

- State Joint Stock Company "Latvijas Valsts radio un televīzijas centrs", unified registration No 40003011203, Zemitāna iela 9 k-3, Riga, Latvia, LV-1012

Namejs

- State Joint Stock Company "Latvia State Radio and Television Centre" document management system.

Site

- Physical environment in which the service provider's service-related resources are located.

Service provider

- State Joint Stock Company "Latvian State Radio and Television Centre", unified Registration No. 40003011203, Zemitāna iela 9 k-3, Riga, Latvia, LV-1012, acting as a provider of trust and electronic identification services

Personal data

- Any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by an identifier such as his or her name, identification number, location data, an online identifier or one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.

Certificate

- A public key of the user together with other information that is protected against falsification by using enciphering with a private key of the certification authority that has issued it.

Third party

- For the purposes of the General Data Protection Regulation, a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons under the direct authority of the controller or processor who are authorised to process personal data.

General Data Protection Regulation

- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

2.2. Terms not defined in this document are used in accordance with the General Data Protection Regulation, the eIDAS Regulation and other laws and regulations governing the protection of natural persons' data and the area of trust and electronic identification services.

3.1. LVRTC shall ensure that personal data are processed in accordance with the laws and regulations in force in the Republic of Latvia, the General Data Protection Regulation and other applicable legislation in the area of privacy and data processing.

3.2. LVRTC is aware of the importance of the individual's right to privacy and has implemented technical and organisational measures to process, control and protect personal data in accordance with the available technological, financial and organisational possibilities. LVRTC has evaluated and determined appropriate physical, technical, logical and organisational measures to reduce and protect security risks in order to ensure the security, integrity and privacy of personal data.

3.3. The data controller is the State Joint Stock Company "Latvian State Radio and Television Centre", unified reg. No 40003011203, registered office Zemitāna iela 9 k-3, Riga, Latvia, LV-1012

3.4. With regard to the processing of cookies, the data subject is informed at the time of visiting the relevant websites operated by the LVRTC. The LVRTC Cookie Policy is available on the LVRTC websites: www.lvrtc.lv and www.eparaksts.lv.

Data category and examples

1. Personal identification data

- Name, surname, personal identification number/ identity number, date of birth if no personal identification number, number and expiry date of identity document, signature

2. Personal contact details

- Address, telephone number, e-mail address, official electronic address

3. Identification data of the representative of the client - legal person

- Name, surname, job title. Where the performance of the contract provides for the identification of the client's representative, also personal identification number/identity number or details of birth if the person has no personal identification number, details of identity document, contact details, signature.

4.Client data

- Application number and date of registration, contract number and date, date of entry into force, status, number and date of annexes to the contract, delivery address of the contract. In addition, the following personal data is processed for customers of trust (certification) and electronic identification services provided by LVRTC: previous personal identification number (if applicable), age (only in the cases stipulated by the regulatory enactments in order to ensure, based on the consent of the person, the verification of the age limit of the person for receiving the specified services or purchasing goods), personal status in the Information System of the Register of Natural Persons, data on issued certificates, data on the certificate carrier (if applicable), data on the activities performed during the use of the services (suspension, renewal, revocation of certificates, issuance of PIN envelopes, reissue of certificates, creation of electronic signatures, electronic identification activities) which are necessary to verify the validity of the certificate, the electronic signature or to provide the electronic identification service.

5. Service data

- Service name and service parameters (including but not limited to address, installation date, price, discount, discount expiry date).

6. Communication data

- Correspondence received/sent (regardless of type), content, delivery status, telephone calls, etc.

7. Payment data

- Bank name and account number, invoice number, date, amount, date of payment, amount of payment, amount of liability, notation of failure to pay within the time limit, amount of debt, debt recovery information.

8. Incident report data

- Submitter, report number, voice recording, e-mail, date of registration/resolution, type, description of the fault/incident and other data related to incident handling.

9. Video surveillance data

- Video image, photo recording and other data related to the video surveillance process (e.g. location identification, geographical coordinates, date, time) obtained during video surveillance at LVRTC sites when the data subject was within the video surveillance reception area.

10. Audio recording data

- Audio recordings of the helpdesk and customer service line, date and time,.

11. Photos and pictures

- Photograph, date when the photograph was taken.

12. Activities performed within the websites maintained by LVRTC

- IP address, audit logs, cookie data

13. Data of the portal www.eparaksts.lv

- Customer activity on the portal and reports on Customer activity on Trust and eID services, such as statistics on number of times the signature has been used.

14. Personal data of the applicant in the LVRTC recruitment process

- Name, surname, gender, date of birth, contact details, work experience, education (including courses and certificates), language skills and other information provided by the applicant to the LVRTC for the purpose of the recruitment procedure and to safeguard its legitimate interests as far as they are related to the recruitment process.

5.1. LVRTC processes personal data based on the following legal grounds:

5.1.1. conclusion and execution of the contract - to conclude and execute the contract at the customer's request;

5.1.2. compliance with regulatory enactments - to ensure compliance with the LVRTC's binding obligations under an external regulatory enactment;

5.1.3. legitimate interests - to pursue the legitimate interests of the LVRTC arising out of the obligations between the LVRTC and the customer or the concluded contract or the law;

5.1.4. the data subject's consent;

5.1.5. in the public interest.

5.2. The legitimate interests of LVRTC are to:

5.2.1. carry out commercial activities;

5.2.2. provide electronic communications services; 5.2.3. provide trust (certification) and electronic identification services;

5.2.4. ensure the performance of tasks delegated by the State and inform the public about these services;

5.2.5. verify the identity of the customer before entering into a contract or starting the provision of a service;

5.2.6. ensure compliance with contractual obligations;

5.2.7. design and develop goods and services;

5.2.8. send reports on the progress of the performance of the contract and on events relevant to the performance of the contract that have a direct impact on data subjects;

5.2.9. maintain and develop electronic communications networks;

5.2.10. monitor the operation of the services to detect and prevent technical problems and ensure the security of the service, as well as illegal activities;

5.2.11. apply to public administration and law enforcement authorities and bodies, as well as to the courts, to protect its legal interests.

5.3. The data subject may give consent to the processing of personal data in LVRTC service application forms, LVRTC Internet resources, in person, to a person (institution, partner) who, on behalf of LVRTC, provides an application for trust and electronic identification services provided by LVRTC, as well as by agreeing to participate in events and competitions organised by LVRTC or by applying for a staff recruitment announced by LVRTC.

5.4. The data subject shall have the right to withdraw consent at any time, in which case no further processing of the data based on the consent previously given for the specific purpose will be carried out.

5.5. Withdrawal of consent shall not affect the processing of data carried out at the time when the customer’s consent was valid.

5.6. Withdrawal of consent may not interrupt the processing of personal data carried out on the basis of other legal grounds, including the performance of a legal obligation to which the LVRTC is subject.

LVRTC processes personal data on the following legal bases:

1.1 conclusion and execution of the contract - to enter into the contract upon the customer’s application and ensure its execution;

1.2 compliance with laws and regulations - to ensure the fulfillment of obligations specified in the external regulatory enactment binding to LVRTC;

1.3 legal (legitimate) interests - to implement legal (legitimate) interests of LVRTC arising from the liabilities between LVRTC and the customer or from the contract concluded or the law;

1.4 consent of the data subject;

1.5. public interest;

2. The legal (legitimate) interests of LVRTC are:

2.1 to carry out commercial activities;

2.2 to provide electronic communication services;

2.3 to provide trust (certification) and electronic identification services;

2.4 to ensure the fulfillment of tasks delegated by the state;

2.5 to verify the identity of the customer before concluding the contract or starting to provide the service;

2.6 to ensure the fulfillment of contractual obligations;

2.7 to elaborate and develop goods and services;

2.8 to send reports on the progress of the execution of the contract and events relevant to the execution of the contract;

2.9 to ensure the maintenance and development of electronic communication networks;

2.10 to monitor the operation of services in order to identify technical problems, as well as illegal activities and prevent them;

2.11 to apply to public administration and operational activities authorities and institutions, as well as to a court for the protection of their legal interests.

3. The data subject may provide consent to the processing of personal data in LVRTC service application forms, LVRTC Internet resources, in person, to the person (institution,partner) who provides application for receiving trust and electronic identification services provided by LVRTC on behalf of LVRTC, as well as by agreeing to participate in LVRTC in the announced personnel selection competition.

4. The data subject is entitled to withdraw his or her consent at any time, and in this case the further processing based on the prior consent for the specific purpose will not take place.

5. Withdrawal of consent shall not affect data processing operations carried out while the customer’s consent was in force.

6. Withdrawal of consent may not suspend the processing of personal data carried out on other legal grounds, including in order to fulfill legal obligation applicable to LVRTC.

1. In the event that the processing of customer personal data is carried out for the provision of trust and electronic identification services provided by the LVRTC, the following provisions shall apply in addition to the processing of customer personal data:

1.1. if the customer, using electronic identification means issued by the LVRTC, performs electronic identification for receiving a third party service, the customer's name, surname and personal identification number included in the customer's certificate are transferred to the third party for verification of the customer's identity only with the customer's consent;

1.2. if the customer creates an electronic signature, the customer's certificate containing the customer's name and personal identification number is attached to the electronically signed document and may be consulted by any person who has access to the customer's electronically signed document;

1.3. if a customer, using electronic identification means issued by the LVRTC, performs electronic identification for the receipt of a third party service or for the purchase of a product, which is available only after reaching the age specified in the laws and regulations, the customer's name, surname and personal identification number included in the customer certificate and age are transferred to a third party for verification of the customer's identity and age compliance, based on the customer's consent.

1.4. In order to ensure the provision of trust and electronic identification services by the LVRTC in accordance with external regulatory enactments, the LVRTC receives personal data from the customer or another person who enters into an agreement with the LVRTC for the provision of trust services (for example, the customer's employer).

1.5. The accuracy of personal data submitted to LVRTC is verified by obtaining data from the Register of Natural Persons in accordance with Section 2 Clause 2, Section 6 Sub-clauses 2.2-2.3, Section 7 Clause 8 of the Law on Electronic Identification of Natural Persons and Section 17 Clause 2 of the Law on Electronic Documents.

1.6 In the event that the customer's data has changed, the customer shall immediately notify the LVRTC of the updated data.

1. Personal data shall not be transferred to third parties, except in cases where the transfer of data is necessary for the performance of the service provided (regardless of whether the service is provided on the basis of a contract or a regulatory enactment), for the legitimate interests of the LVRTC (there is a legal basis for the transfer of personal data or it is provided for by external regulatory enactments) or the consent of the data subject has been obtained.

2. Personal data may be transferred to external auditors and compliance authorities in accordance with the requirements of laws and regulations or for the purposes of legitimate interests.

3. LVRTC may use approved personal data processors (business partners providing services to LVRTC) to ensure the performance of the services provided. In such cases, the LVRTC shall take the necessary measures to ensure that such personal data processors process personal data in accordance with the LVRTC's instructions and in compliance with applicable laws and regulations and shall require the implementation of appropriate security measures.

4. In cases where a customer provides electronic identification for a service provided by a third party using the LVRTC electronic identification provision platform, the LVRTC shall inform the customer about the third party to which the customer's data will be transferred, the purpose of the data processing and the amount of data transferred.

5. LVRTC shall not transfer or make available personal data to recipients from third countries or international organisations. However, the transfer and processing of personal data outside the territory of the European Union and the European Economic Area may take place where there is a legal basis for doing so, namely for the performance of a legal obligation or the conclusion or performance of a contract. In this case, the LVRTC shall ensure that appropriate and adequate safeguards are implemented in accordance with Chapter 5 of the General Data Protection Regulation.

1. The period for which the personal data will be stored by the LVRTC or, if this is not possible, the criteria used to determine that period:At the end of the storage period of documents or information, personal data are deleted, made inaccessible (archiving) or unidentifiable so that they can no longer be identified with a specific data subject.

1.1. Personal data is stored as long as the customer uses LVRTC services or does not withdraw his consent to data processing if personal data is processed on this basis. A longer period of storage of personal data is allowed in order to fulfill the requirements of regulatory enactments regarding the minimum period of storage of documents or information or to protect the legitimate interests of LVRTC.

1.2. All information obtained during the recruitment process will be stored for a maximum of six months after the end of the recruitment process in order to protect the legal interests of the LVRTC. In the event that LVRTC receives complaints about the specific recruitment process, all information processed during the recruitment process will be retained for as long as necessary to resolve the situation.

1.3. Phone call records will be kept for 18 months. The said time is sufficient for the LVRTC to carry out an analysis of the quality of consultations/responses. In the event of a conflict situation, records of telephone conversations are kept for as long as necessary to resolve the situation.

1.4. Contracts of natural persons for receiving trust and electronic identification services are stored for 10 years after the contract expires or certificates expire or are canceled;

1.5. Video surveillance recording data is stored from 14 to 180 days, unless another processing purpose arises (for example, in connection with a criminal investigation);

1.6. In LVRTC information systems, audit records are stored for at least 18 months in accordance with the requirements of regulatory acts.

1.7. In order to fulfill a legal obligation applicable to LVRTC, all information is stored for as long as it is necessary to achieve the purpose of personal data processing in accordance with the applicable regulatory enactments.

2. After the expiration of the document or information storage period, personal data is deleted, made unavailable (archiving) or de-identified so that it can no longer be identified with a specific data subject.

1. Communication on commercial announcements about LVRTC services and other announcements not related to the provision of direct services (for example, notification of customers) shall be made by LVRTC in accordance with external laws and regulations or on the basis of the customer’s consent.

2. The Customer may consent to the receipt of commercial announcements in LVRTC service application forms or in LVRTC Internet resources.

3. The Customer’s consent to receive commercial announcements is valid until revoked (also after the termination of the service contract).

4. The Customer may at any time withdraw from receiving further commercial announcements, using the automated option provided in the commercial announcement to withdraw from receiving further announcements or in writing in accordance with the procedure specified in Clause 12.1.

5. LVRTC stops sending commercial announcements as soon as the received customer request to opt out of such announcements is processed.

1. The data subject is entitled to request information from LVRTC, whether LVRTC processes the data subject’s personal data, on the legal basis of personal data processing, as well as to request access to personal data or to request the issuance of information on these personal data if direct access is not possible.

2. In case the data subject considers that the information available to LVRTC about the data subject is incorrect or incomplete, the data subject is entitled to request its correction, as well as to submit the correct data necessary for the provision of the service. LVRTC is entitled to request the presentation of a document proving changes in the personal data of the data subject if necessary, and the data subject must submit such a document.

3. The data subject is entitled to object to the processing of personal data processed by LVRTC on the basis of LVRTC’s legitimate interests. However, LVRTC will continue to process personal data even if the data subject objects to such processing, if LVRTC has the legal basis for the processing of such data.

4. The data subject is entitled to request LVRTC to delete personal data, however, this does not apply to cases when the storage of personal data is necessary to ensure compliance with the requirements of laws and regulations. When exercising the data subject’s right to deletion of personal data, LVRTC shall perform only such activities and to the extent permitted by laws and regulations or LVRTC’s legitimate interests.

5. The data subject is entitled to transfer his or her personal data to another data controller.

6. In order to exercise his or her rights, the data subject submits a written or electronic application to the LVRTC. In case the data subject is not satisfied with the response received, the data subject is entitled to apply to the Data State Inspectorate if he or she considers that the processing of personal data violates his or her rights and interests in accordance with the applicable laws and regulations.

1. The data subject may contact LVRTC regarding issues related to the processing of personal data in the following way:

1.1 in writing in person at the legal address of LVRTC Zemitāna street 9, 3rd building, 4th floor, Riga, Latvia, LV-1012, presenting an valid identity document;

1.2 electronically by signing the application with secure electronic signature and sending it to the e-mail ;

1.3 electronically by sending the application to the official electronic address.

2. Upon receipt of a data subject’s request for exercising his or her rights, LVRTC verifies the identity of the data subject, evaluates the request and executes it in accordance with internal and external laws and regulations.

3. LVRTC has appointed personal data protection specialist. Using the contact details above, it is possible to ask the personal data protection specialist questions about the processing of personal data.

1. Privacy Policy is available on the LVRTC websites: lvrtc.lv and www.eparaksts.lv.

2. LVRTC is entitled to unilaterally amend the Privacy Policy. The amendments come into force on the date set by the LVRTC Board, but not earlier than 30 (thirty) days from the posting of the respective notice on the LVRTC websites lvrtc.lv and www.eparaksts.lv.

3. If the customer has not submitted a written notice to LVRTC by the date of entry into force of such amendments, the customer shall be deemed to have agreed to these amendments and they are applicable in the legal relationship between LVRTC and the customer.

1.The Privacy Policy is drafted in Latvian. The Privacy Policy may be translated and made available in other languages. In the event of any inconsistencies between translations of the Privacy Policy, the Latvian version of the Privacy Policy shall always prevail. 2. The Privacy Policy shall be amended in the event of changes in laws, regulations or other internal normative documents of LVRTC, as well as in the event of improvement of the LVRTC quality management system. 3. Amendments to the Privacy Policy are managed by the Corporate Governance Department. 4. The Privacy Policy shall enter into force upon its approval at a meeting of the Board in accordance with the procedure set out in the resolution of the Board and by the LVRTC Council. 5. The current version of the Privacy Policy is stored in Namejs.