The National Cultural Centre of Latvia shall obtain personal data from data subjects, from third parties, as well as from the State administrative and local government institutions of the Republic of Latvia, including from public registers.
- Controller and its contact details
- 1. The controller of personal data processing is the National Cultural Centre of Latvia (hereinafter – manager), single registration No. 90000049726, legal address: Castle area 4-1, Riga, LV-1050, telephone: +371 67228985, website: https://www.lnkc.gov.lv/, e-mail: firstname.lastname@example.org.
- 2. The controller of the controller is Dagnia Baldina, certificate No 502. The contact information relating to the processing of personal data shall be: email@example.com, phone: +371 29419666.
- Applicable law
2.1. Regulation No 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and the free movement of such data (27 April 2016) (hereinafter referred TO AS VDAR).
2.2. Law on Personal Personal Data Processing (announced July 4, 2018).
2.3. Cabinet Regulation No. 442 of 28 July 2015 “procedures for ensuring compliance of information and communication technology systems with minimum safety requirements”.
- Purpose and purpose of processing personal data
The purpose and purpose of the processing of personal data shall be determined in the register of personal data processing. The controller shall provide the data subject with clear and comprehensible information on the purpose, purpose, type of processing, the duration of the data retention and the rights of the data subject and the modalities of their implementation when requesting personal data.
- Data retention time
The controller shall process personal data only as long as it is necessary for the purpose of processing personal data. The duration of the retention of personal data shall be determined on the basis of the laws and regulations governing the management of documents and archives, or by assessing the purpose and the necessity of the processing of the data. The procedures for storing, issuing and destroying documents shall be governed by the internal rules of the controller.
- Rights of the Data Subject
5.1. In accordance with the laws and regulations in force, the data subject shall have the following rights in the processing of his personal data:
5.1.1. Access rights: The data subject shall have the right to request confirmation from the controller of the processing of personal data of the data subject and to request disclosure of all processed personal data.
5.1.2. The right to correct – if the data subject considers that information regarding him or her is incorrect or incomplete, he or she has the right to request that the controller rectifies it.
5.1.3. Objections to processing on the basis of legitimate interests: the data subject has the right to object to the processing of personal data processed on the basis of the legitimate interests of the controller, except where the legislation determines the processing of such data.
5.1.4. Deletion — In certain circumstances, the data subject has the right to request the deletion of his personal data, except where the law determines the time limit for storing those data.
5.1.5. Processing limitation: In certain circumstances, the data subject has the right to restrict the processing of his personal data, except where the law determines the extent of the processing of the data.
5.1.6. Withdrawal of consent: where the processing of personal data of a data subject is based on the consent of the data subject, the data subject shall at any time have the right to withdraw such consent without prejudice to the legality of the processing carried out prior to the withdrawal of the data subject's consent.
5.1.7. Data portability: Where processing is based on the consent of the data subject or on contractual obligations of the data subject, and where such processing is carried out by automated means, the data subject may request from the controller that personal data relating to the data subject be provided in a structured, generally accepted and machine-readable format in order to enable the data subject to transmit such personal data to another controller or directly to another controller if technically possible.
5.1.8. A complaint – the data subject has the right to submit a complaint to the State Inspectorate.
- Data processing principles
6.1. The processing of personal data in a fair, lawful and transparent manner shall be carried out only in accordance with the intended purpose and the extent necessary.
6.2. The storage of personal data shall be ensured in a manner which allows the data subject to be identified within a specified period of time which does not exceed the period prescribed for the intended purpose of the data processing.
6.3. Personal data shall be accurate and, where necessary, updated, the controller shall take reasonable steps to ensure that inaccurate personal data, taking into account the purposes under which they are processed, are deleted or corrected without delay.
6.4. Personal data shall be stored in a manner which permits the identification of data subjects, no longer than necessary for the purposes for which the personal data concerned are processed, unless the laws and regulations determine otherwise.
6.5. Personal data shall be processed in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage by appropriate technical or organisational measures.
- Grounds for Legal Processing of Personal Data
7.1. The consent of the data subject, the data subject, has given his consent to the collection and processing of the data.
7.2. Before or after the conclusion of the contract, the processing of the data is necessary for the conclusion of the contract. This legal basis is applicable to the processing of data where it is intended to conclude a contract with the data subject and the processing of the relevant personal data directly derives from the execution of the contractual obligations.
7.3. Public interest: for example, audio, visual and audiovisual fixation for the preservation and development of intangible cultural heritage.
7.4. Legitimate interests of the controller: provision of services; identification of data subjects; management, accounting, records, archiving, internal process provision; handling of complaints and provision of support for services rendered; litigation, etc.
7.5. Legal basis – the laws and regulations in force, including, but not limited to, the State Administration Structure Law and Cabinet Regulation No. 931 of 18 December 2012, by-laws of the National Cultural Centre of Latvia.
- Processing of personal data of specific categories
For the processing of personal data of specific categories, the controller shall apply specific safeguards for the protection of such information (e.g. by limiting access to such information as far as possible). Special protection should be given to the processing of specific categories (sensitive) data.
9.1. Controllers shall process personal data only within the scope of their direct work duties and only to the extent necessary for the performance of such duties, not to be used for other purposes, in particular private purposes.
9.3. In the course of their direct duties, personal data may be transferred only to a co-operation partner who, on the basis of a written contract, carries out the processing of personal data on behalf of a controller. In such a case, personal data may be transferred only to the extent and purpose provided for in the written contract, provided that the contract contains data processing and protection requirements in accordance with the Regulation.
9.4. Controllers with permanent or regular access to personal data shall be regularly trained in relation to all essential aspects of data protection as well as such training shall be provided prior to the granting of access rights.
- Personal data security requirements
10.1. When working with data, in particular with personal data, the controller has put in place appropriate technical and organisational measures suitable for data protection purposes. These measures shall be determined by THE security policy of the controller and shall be respected by all staff and cooperation partners who carry out the processing of personal data on behalf of the controller.
10.2. The controller who processes personal data must report to the Data Protection Officer about potential threats to data security (floods, lightning, fire, power disruption, computer equipment operating incompatibility, temperature and humidity fluctuations, dust, theft, software equipment error, etc.). The controller shall provide a set of measures to prevent potential consequences in carrying out the instructions of the personal data protection specialist.
- Transfer of personal data
Personal data may be transferred to third parties in the cases specified in regulatory enactments or upon receipt of the consent of the data subject.
- Processing of data subject cookies
12.1. Cookies are small text files that are created and stored in a data subject's device (computer, tablet, or mobile phone) by visiting the Internet sites. The cookies “remember” user experience and basic information, thus improving the convenience of the site.
12.2. With cookies, common user habits and site usage history are processed, diagnosed problems and disadvantages in the operation of the site, collecting user habits statistics, and ensuring full and convenient use of the site's functionality.
In cases of questions and uncertainties, the data subject can communicate with the controller: Palace Area 4, Riga, LV-1365 or Personal Data Protection Officer: Dagnia Baldiņš, e-mail – firstname.lastname@example.org.
If the data subject is not satisfied with the reply received, he or she has the right to submit a complaint to the State Inspectorate (www.dvi.gov.lv).