Privacy Policy

Versija drukāšanaiVersija drukāšanai

LATVIAN STATE INSTITUTE OF WOOD CHEMISTRY
PRIVACY POLICY

(version 10.02.2020)

1. General provisions
1.1. The objective of this Privacy Policy is to provide a natural person (hereinafter: Data subject) with information on the purpose and on what legal basis the Latvian State Institute of Wood Chemistry (hereinafter referred to as the Institute) collects personal data, on the data volume and processing time limits, the protection of data, as well as to inform the Data subject of his/her rights and obligations.
1.2. When processing personal data, the Institute complies with the laws and regulations in force in the Republic of Latvia, as well as the regulation of the European Parliament and Council (EU) 2016/679 of 27 April, 2016 (hereinafter referred to as Regulation), on the protection of individuals with regard to the processing of personal data and the free movement of such data, thereby repealing the Directive 95/46/EC (General Data Protection Regulation), and any other applicable provisions of the laws and regulations in the field of data processing.
 

2. Terms
This Privacy Policy uses the following terms:

Personal data – any information relating to an identified or identifiable natural person;
Data subject – a natural person who can be identified directly or indirectly;
Processing – any activity carried out with personal data, such as collection, registration, organisation, structuring, storage, erasure, etc.
Personal data breach – a security breach that results in accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data transmitted, stored or otherwise processed.
Data controller – a person who performs data processing and determines the purposes and means of processing personal data, as well as is responsible for processing personal data in accordance with the requirements of applicable laws and regulations.

Personal data controller is a derived public person "Latvian State Institute of Wood Chemistry", Reg. No. 90002128378, legal address: Riga, Dzerbenes iela 27, LV-1006, e-mail: koks@edi.lv (with the indication “To the data protection officer”).
 

3. Categories of personal data processed by the Institute
The Institute processes the following categories of natural persons’ data in electronic and paper format:
- Personal identification data (Name, Surname, personal identity number, ID card or passport data, birth data, personal image)
- Personal contact information (address, phone no., e-mail address, postal address)
     - Professional data (education, work experience, affiliation, position held)
- Financial data (bank account information)
- Communication data (incoming/outgoing communication, telephone calls, correspondence, its content, delivery status)
    - Special category data (health data)
 

4.   Purpose and basis of processing personal data
4.1. Evaluation and control of procurement applications
The legal basis for processing personal data of the applicant and the person associated with the applicant is the compliance with the legitimate interests of the controller (Article 6, paragraph 1, point (f) of the Regulation). The legitimate interest of the controller is the evaluation of the procurement applications submitted by the applicant according to the criteria in accordance with the procurement rules.
Potential recipients of personal data:
Authorised staff of the controller, who assess the purchasing compliance to the project, control of the procurement process; the procurement commission, and the commission’s secretary; in the cases specified in regulatory acts, state and local government institutions, for example, the Central Finance and Contracting Agency, the Procurement Monitoring Bureau, law enforcement agencies.
4.2. Ensuring the process of selection of employees and the realisation of the rights and obligations arising from it
Legal basis for processing personal data:
- enforcement of a legal obligation (Article 6, paragraph 1, point (c) of the Regulation), Labour law and other regulatory enactments regulating the employment legal relations)
- the legitimate interest of the controller (Article 6, paragraph 1, point (f) of the Regulation). Upon receipt of the applicant’s application, the controller shall arise a legitimate interest in processing the mentioned application, evaluating the information provided by it, organising the negotiation procedure, conducting negotiations and providing evidence, which justifies the legal conduct of the relevant process. If necessary, the information obtained during the selection process may be used to reflect the legal course of the relevant process.
Possible recipients of personal data: authorised employees of the controller.
4.3. Prevention or detection of criminal offences in connection with the protection of property and the protection of vital interests of persons, including life and health
To reach the objective, in the Institute’s premises and territory, visual data processing of the Data subjects (person’s image, as well as any other personal data, and the action taken, which is visible in the video surveillance area), i.e., video-surveillance is carried out. Video surveillance takes place in real time mode, and video recording is not saved.
In specific places subject to video surveillance, informative signs are installed.
Legal basis – observance of the legitimate interests of the controller and third parties, protection of the vital interests of the Data subject or other natural persons  (Article 6, paragraph 1, points (d) and (f) of the Regulation).
Potential recipients of personal data:
     - Authorised staff of the Institute for the issuance of a video surveillance record
     - Controller contracted processor, video surveillance system operator
4.4. Conclusion and performance of contractual obligations
Including, but not limited to the provision of the Data subject’s identification, contract preparation, conclusion and enforcement, review and processing of Data subject’s applications, preparation of contract financial documents.
Legal basis – Article 6, paragraph 1, point (b) of the Regulation.
Possible recipients of personal data: authorised employees of the controller, Data subject, State and local government authorities in the cases specified in regulatory enactments, if necessary law enforcement authorities.
4.5. Accounting
Legal basis – fulfilment of legal obligations under the legislation (Article 6, paragraph 1, points (a) and (c) of the Regulation, “Law on Accounting”, Regulations of the Cabinet of Ministers No. 585 of October 21, 2003 “Regulations on Conducting and Organising Accounting”).
Potential recipients of personal data:
Authorised employees of the controller for the preparation, sending or issuing of the bill, as well as for processing the received payments; State bodies, for example, the State Revenue Service, law enforcement authorities; if necessary, for the recovery of debt – the jury judicial executors, administrators of insolvency proceedings.
4.6. To investigate the whistle-blower report, ensuring adequate protection of the whistle-blower and ensuring communication with the whistle-blower
Legal basis – fulfilment of legal obligations under the legislation (Article 6, paragraph 1, point (c) of the Regulation, Article 7 of the Alarm lifting act)
Potential recipients of personal data:
At the request, the Data subject himself/herself, the controller’s authorised staff; in the cases where the message is not within the competence of the Institute, the recipient shall be the authority which has competence in considering such a report; the institution on request, if it is not necessary for protection of the whistle-blower or his relative.
4.7. Absorption of funds allocated by the European Union and/or other external financier, preparation, submission, monitoring and implementation of projects
To achieve the goal, the evaluation of the compliance of the submitted data of the persons involved with the requirements, conclusion of contracts, submission of project reports (including processed personal data) to supervisory authorities may be carried out.
Legal basis – compliance with the legitimate interests of the controller (Article 6, paragraph 1, point (f) of the Regulation).
Possible recipients of personal data: authorised employees of the controller, persons involved in the project implementation process, public authorities (e.g. Central Finance and Contracting Agency, State Education Development Agency, Procurement Monitoring Office, etc.), law enforcement authorities, third parties.

 

5. Duration of the storage of personal data
5.1. Personal data are stored only as long as necessary to achieve the purpose specified for the processing of works, except if the storage of data is not determined or permitted by applicable laws and regulatory enactments. The storage period is determined in the relevant processing regulatory document (Institute nomenclature).
5.2. The duration of data storage shall be determined taking into account:
- the term of validity of the concluded contract;
- the period of time during which the Data subject or the controller is entitled to realise his/her legitimate interests in accordance with the procedures laid down in regulatory enactments (for example, bringing a claim to court, etc.);
- the obligations to store data for a certain period of time, specified in external regulatory enactments;
- as long as the consent of the Data subject to the relevant processing of personal data is in force, if no other legal basis for the processing of data exists.
5.3. The applications submitted (sent) to the Institute for work (CV, motivation letters, and other attached documents), if employment legal relations are not established with the Data subject, are stored for 6 (six) months after receipt.
5.4. After the grounds for storing personal data have been lost, the data of the Data subject shall be deleted or destroyed, or transferred to the State Archive in accordance with the procedures laid down in regulatory enactments.
 

6. Protection of personal data
The Institute and the processors contracted by it ensure the confidentiality of personal data, as well as use modern technologies, take reasonably available organisational, technical and financial measures to ensure the protection of personal data against risks of varying degrees of probability and impact. The measures used in the field of data protection are regularly reviewed and improved.
 

7. Transfer of personal data
7.1. The Institute shall not disclose the personal data to any third parties, except that, if the transmission of personal data is envisaged to fulfill the concluded contract, provided the Data subject gives his/her explicit and unambiguous consent to the transfer of data or, if the regulatory enactments provide for the obligation to transfer personal data.
7.2. The Institute shall not transfer personal data to countries outside the European Union or the European Economic Area.
 

8. Rights and obligations of the Data subject
The Data subject has the following rights and obligations regarding the processing of his/her data:
8.1. To receive information specified in regulatory enactments regarding the controller and the processing carried out;
8.2. To withdraw the consent to the processing of personal data at any time, if the basis for processing is consent, by sending a withdrawal of the consent to the Institute’s e-mail address or by submitting it to the Institute’s legal address. The withdrawal of the consent shall not affect the processing of data carried out at the time when the Data subject’s consent was in force. Similarly, data processing based on other legal bases cannot be interrupted.
8.3. To receive information regarding the personal data processed by the controller in accordance with the procedures specified in regulatory enactments, to request their correction, deletion, restriction of processing, to object to the processing of one’s personal data.
8.4. The mentioned rights of the Data subject shall be exercised, so far as the processing of the data does not derive from the Institute’s obligations imposed on it by the laws and regulations in force and which are performed in the public interest.
8.5. The Data subject may submit a request for the exercise of his/her rights in written form onsite upon presentation of an identity document, or in electronic mail, signing it with a secure electronic signature.
8.6. The Institute, after verification of the Data subject’s identity, shall evaluate the request in accordance with the laws and regulations, and transmit the reply within 1 (one) month to the address indicated by the Data subject by registered mail or by electronic mail, signing with the safe electronic signature. Applications and claims are considered free of charge. However, the examination of the applications may be refused or a reasonable payment may be applied for it, if they are submitted manifestly unfounded or require disproportionate resources, as well as in other cases specified in regulatory enactments. The Institute is also entitled to refuse to comply with the request of the Data subject if the Data subject unreasonably refuses to provide information identifying him/her.
8.7. In the case of questions or claims regarding data processing, the Data subject has the right to submit a claim to the Institute or to apply to the Supervisory Authority – the Data State Inspectorate.
8.8. The Data subject is obliged to comply with the conditions contained in this Privacy Policy, as well as to acquaint any other Data subject with this policy, if the interests of this Data subject may be affected during the Institute’s personal data processing processes.
 

9. Website of the Institute and use of cookies
9.1.  On the Institute's website www.kki.lv cookies are used.
When visiting the website of the Institute, a window with a notification that cookies are used on the website is shown to the user. By closing this message window or also continuing to use the website, the user (the Data subject) confirms that he/she has read the information about the cookies and the conditions for their use. If the user wants to opt out of using cookies, this can be done in the security settings of the web browser by choosing which cookies to accept, but which ones to delete. However, it is important to know that, by refusing mandatory, functional and analytical cookies, ensuring of the full use of the website is not possible.
Additional information about cookies is available on the website: www.aboutcookies.org.
9.2.  The following cookies are used on the Institute's website:
9.2.1. Mandatory cookies. It is necessary for the smooth operation of the internet website, so that the internet website would be able to remember, which user has expressed his/her consent to use the cookie, as well as to provide the user with the necessary (required) information. Mandatory cookies are able to identify the user’s device (computer, mobile phone, tablet computer), but do not collect information about the user and his/her identity, nor collect information that is used for sale or marketing. Mandatory cookies are stored on the user’s device for the entire period of use of the site until the time of use is completed.
9.2.2. Functional cookies. With functional cookies, the browser remembers the user’s settings and the choices made so that the user can use the internet site more conveniently and fully. Functional cookies are permanently stored in the user’s device.
9.2.3. Analytical cookies. These cookies collect information about how the user uses the browser, identify the frequently used sections and content that the user chooses. The information obtained is used for analysis purposes to find out what interests the browser users, and also to improve its functionality. Analytical cookies identify only the user's equipment without disclosing the user's identity.
9.3. Cookies are stored as long as the action is executed, for what purpose they are collected, but then deleted. Cookie information is not transferred for processing outside the European Union and the EEA.
9.4. The Institute’s website may contain links to the websites of other controllers that have their own terms of use and personal data protection, for which the Institute does not bear responsibility.
 

10. Closing issues
10.1. The Data subject shall implement his/her communication with the controller using the Institute’s contact details specified in Paragraph 2 of this Privacy Policy, with the indication “to the data protection officer”.
10.2. The Institute is entitled to unilaterally amend the Privacy Policy at any time in accordance with the current laws and regulations by publishing the current version on the Institute’s website.