1.1. The Personal Data Processing Controller is Rīga Stradiņš University (hereinafter referred to as RSU), uniform registration No. 90000013771, registered office: Dzirciema iela 16, Rīga, LV-1007.
1.3. RSU has assigned personal data protection officers to inform and consult RSU staff in matters related to personal data processing, monitor compliance with legislation applicable to personal data protection at RSU, cooperate with the supervisory institution, and advise persons contacting RSU in matters related to data processing.
2.1. Personal data refer to any information regarding an identified or identifiable natural person.
2.2.1. natural persons – students, employees, business partners and third parties receiving or transferring to RSU any information (including contact persons, payers etc.);
2.2.2. visitors to RSU objects or territories, including locations where video surveillance is being conducted;
2.2.3. users of the website maintained by RSU;
(hereinafter referred to as Persons).
2.3. Persons to legal personal data processing in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the Regulation) and other legislation applicable to privacy and data processing.
2.5. RSU may specify additional provisions for certain types of data processing, providing notification to a Person at the time of provision of the relevant data.
3. RSU processes personal data for the following purposes
3.1. Addressing potential applicants. This purpose refers to attracting potential students or to attracting graduates of basic studies to apply for subsequent study grades. Personal data processing is performed on the basis of a Person’s consent and legitimate interest;
3.2. Selecting applicants. This purpose refers to the registration, record-keeping, assessment and matriculation of applicants (potential students). Personal data processing is performed on the basis of the law, a Person’s consent and legitimate interest;
3.3. Administration and maintenance of the study process. This purpose refers to personal data processing for the needs of planning, coordinating and administrating the study process, organising tests and assessments, issuing diplomas, maintaining communication etc. Personal data processing is performed on the basis of the law and an agreement (transaction);
3.4. Improving the study process. The purpose is enhancement of IT systems involved in the study process. Personal data processing is performed on the basis of the law and legitimate interest.
3.5. Provision of library services. This purpose refers to services rendered to library visitors and readers. Personal data processing is performed on the basis of the law and an agreement (transaction);
3.6. Provision of dormitory services. This purpose refers to dormitory services being rendered to students, staff and third parties. Personal data processing is performed on the basis of the law, an agreement (transaction) and legitimate interest;
3.7. Alumni association. This purpose refers to providing information to graduates regarding various RSU activities. Personal data processing is performed on the basis of consent and legitimate interest;
3.8. Scientific activity. This purpose refers to conducting studies outside the study process. Personal data processing is performed on the basis of the law, an agreement (transaction), consent and legitimate interest;
3.9. Providing services and ensuring agreement execution. This purpose refers to provision of services and execution of concluded agreements (transactions). Personal data processing is performed on the basis of the law and an agreement (transaction);
3.10. Agreement drafting, conclusion or amendment. This purpose refers to new applications for an existing or new transaction, including a study agreement or service agreement. Personal data processing is performed on the basis of the law or an agreement (transaction);
3.11. Drafting of bids within the framework of a public procurement tender, or evaluation of submitted bids. This purpose refers to potential conclusion of an agreement in the event that a procurement agreement is concluded. Personal data processing is performed on the basis of the law, an agreement (transaction) or a Person’s consent;
3.12. Fulfilment of agreement obligations and maintenance of services;
3.13. Advertising and distribution of services, or commercial purposes;
3.14. Review and processing of applications, complaints and claims;
3.15. Polling Persons and performing satisfaction surveys;
3.16. Settlement administration, debt recovery and collection. This purpose refers to activities performed within the framework of settlement with a Person. Personal data processing is performed on the basis of the law and an agreement (transaction);
3.17. Website maintenance and enhancement of its operation;
3.18. Provision of information to state government bodies and operational activity subjects in the cases and to the extent specified in external legislation;
3.19. Personal data processing for internal administrative purposes. This purpose refers to personal data processing for internal administrative purposes, e.g. to remedy a conflict of interest and prevent illegal transactions. Personal data processing is performed on the basis of legislation and legitimate interest;
3.20. Compliance with binding legislation. This purpose refers to personal data processing bases specified in the applicable legislation, e.g. accounting, taxation, fees and other fields;
3.21. Document identification and evaluation. The purpose of determining the archival value of documents and ensuring the creation, receipt, recording, classification, systemisation, assessment, control, storage and availability of public documents until transfer for storage to the RSU archive, and destruction of documents having no archival value.
3.22. Preventing threats to the safety of the RSU infrastructure, services, information, employees, students, visitors, and illegal or other threats, enabling detection of criminal acts at objects and on adjacent territory. This purpose refers to activities performed using physical and logical means of security, including video surveillance, access pass regime, and other technical or organisational measures for ensuring protection against the threats of physical influence and protection implemented via logical means Personal data processing is performed on the basis of an agreement and legitimate interest;
3.23. RSU organisational management, planning and record-keeping (including records, accounting for processes, services, information systems, persons, ensuring commercial inheritance, public relations and social responsibility). This purpose refers to activities involving integrated management, including nationally and internationally recognised principles of corporate governance, ensuring audit trailing, monitoring and enhancement of internal processes. Personal data processing is performed on the basis of the law, legitimate interest and a Person’s consent;
3.24. Accounting/finance and tax management. This purpose refers to accounting, tax payments, settlements etc. Processing is performed on the basis of the law and an agreement (transaction);
3.25. Other specific purposes about which Persons are notified prior to providing data;
3.26. In any of the aforementioned cases, RSU only processes personal data as far as the relevant purpose of the processing allows it.
4. How RSU receives personal data
4.1. Information obtained by RSU regarding a Person is dependent of the content of a transaction. Information provided within the framework of any sort of cooperation is also received.
4.2. Information provided to RSU by a data subject (Person) themselves, i.e. by the data subject or their authorised representative contacting or cooperating with RSU, e.g. by concluding an agreement, requesting information or submitting an application for the purpose of reviewing a certain matter or agreement, visiting RSU objects, communicating via information channels, including social networks, attending events held or activities supported by RSU during which photos may be taken or video footage may be recorded, with prior notification to such effect.
4.3. In order to comply with the provisions of the applicable legislation, ensure long-term cooperation and credit risk management, RSU may have to request data from publicly available registers as well.
4.4. While visiting the RSU website, cookies may be used, with appropriate information to this effect provided during a visit to the website;
4.5. IT system audit trails.
5. Legal basis for personal data processing
5.1. conclusion and execution of an agreement – in order to conclude the relevant agreement and ensure its execution;
5.2. compliance with legislation – in order to comply with a duty or right specified in the applicable legislation;
5.3. data subject’s consent;
5.4. legitimate interests – to exercise legitimate interests of RSU arising from current obligations, a concluded agreement, or applicable legislation:
5.4.1. performing commercial activities;
5.4.2. ensuring fulfilment of obligations under an agreement;
5.4.3. saving applications and petitions, notes on them, including those made verbally or via websites;
5.4.4. producing and developing study programmes and services;
5.4.5. advertising studies or other services by sending commercial messages;
5.4.6. sending other messages on the execution of an agreement, events significant to agreement execution, and polling Persons about services;
5.4.7. maintaining and enhancing the quality of studies and other services;
5.4.8. administrating payments;
5.4.9. administrating missed payments
5.4.10. contacting state government, operational action institutions, and courts in order to defend its legitimate interests;
5.4.11. informing the public about its activities.
6. Personal data processing and protection
6.1. RSU processes and protects personal data using state of the art technologies, considering applicable privacy risks and reasonably available organisational, financial and technical resources.
6.2. Personal data processing at RSU is performed only by persons subordinated to the controller, which are entitled to perform such in accordance with their job descriptions.
6.3. In order to ensure quality, timely maintenance of execution of credit obligations, RSU may authorise its business partners to handle certain service provision activities, such as employee health insurance services. If, in the course of providing such services, business partners process personal data available to RSU, the relevant business partners are considered personal data processors and RSU is entitled to transfer the data necessary for performing such activities to its business partners to the extent necessary for the performance of such activities.
6.4. RSU business partners having personal data processor status ensure compliance with personal data processing and protection requirements in accordance with the applicable legislation, and do not use the personal data for other purposes except the fulfilment of obligations under concluded agreements, upon the assignment of RSU.
7. Categories of personal data recipients, i.e. persons to whom data are disclosed
7.1. RSU does not disclose to third parties any personal data or information obtained during the study process, provision of services, activities, or agreement execution, including information on the nature, essence etc. – except:
7.1.1. in the cases and to the extent specified in the applicable legislation;
7.1.2. if a third party must receive data within the framework of a concluded agreement, in order to perform some function necessary for the execution of the agreement or delegated by law (e.g. bank settlement, some provided service);
7.1.3. if clear and affirmative consent has been received from the data subject;
7.1.4. to persons specified in the applicable legislation, upon their reasonable request, in accordance with the procedure and to the extent specified in such;
7.1.5. in cases specified in the applicable legislation, for the protection of legitimate interests of RSU, such as while contacting a court or other state institution.
7.2. Personal data may be disclosed to business partners, merchants with which RSU has concluded agreements and has mutual obligations. For instance, maintenance of services, ensuring delivery (including delivery of packages, agreements, including couriers and mail etc.), service quality assurance (including pollsters etc.), security and protection (business partners providing support for ensuring the security of employees, customers, visitors, objects and infrastructure, including physical security services etc.) and ensuring management (business partners for the management of organisational, financial and accounting processes, including auditors, event organisers etc.).
7.3. Personal data may be disclosed to potential business partners within the framework of public procurement procedure, with which RSU intends to conclude cooperation agreements and undertake mutual obligations.
7.4. Supervisory bodies, law enforcement institutions and rescue services – in accordance with the applicable legislation.
7.5. Third parties. For instance, natural persons or legal entities, public institutions, agencies or entities that are not data subjects, controllers or processors.
7.6. Personal data may be disclosed (transferred) to a third party in connection with transfer of companies, any merger, sale of assets, transfer of Service provision to another merchant etc.
8. Disclosure of personal data beyond the European Union
8.1. If necessary to transfer personal data outside the European Union, RSU will perform procedures specified in the applicable legislation for ensuring a level of personal data processing and protection that is equivalent to the provisions of the Regulation.
9. Personal data retention term
9.2. RSU will store and process personal data for as long as one of the following criteria applies:
9.2.1. a concluded agreement is in effect;
9.2.2. in cases specified in the applicable legislation, to the extent and for the duration specified therein;
9.2.3. while either party has the legal obligation to retain the data;
9.2.4. while the data subject’s consent to the relevant personal data processing is in effect, unless another legal basis for data processing exists;
9.2.5. while RSU has legitimate interest.
9.3. At the end of a data retention period, personal data are deleted or destroyed.
10. Rights and obligations of a Person (data subject)
10.1. A Person (data subject) may receive any information – as far as possible given reasonable resources – collected about them within any personal data processing system, including video surveillance.
10.2. Person may receive information about natural persons and legal entities that, during a specific period of time, have received information about a person from the controller. The information provided to a person may not include state institutions that initiate criminal proceedings, subjects of operational activities, or other institutions the disclosure of such data about which is prohibited by law.
10.3. A Person is entitled to also receive information if, in the case at hand, it applies to:
10.3.1. the company name or name and surname, and address, of the controller;
10.3.2. the confidential information of the data specialist or RSU data processing officer; purpose, legal basis and type of personal data processing;
10.3.3. purpose, legal basis and type of personal data processing;
10.3.4. legitimate interests of the controller or a third party for video surveillance;
10.3.5. recipients of personal data, or categories of recipients – if any;
10.3.6. information about the controller’s institution to transfer personal data to a third country or an international organisation;
10.3.7. date on which the data subject’s personal data were last modified, deleted, or blocked;
10.3.8. source of personal data, unless disclosure of such data is prohibited by law;
10.3.9. period of time for which personal data will be stored or, if this is not possible, the criteria used in order to determine this period of time;
10.3.10. availability of the right to ask that the controller provide access to a data subject’s personal data, modify or delete them, restrict processing with regard to the data subject, or the right to object to processing, as well as the right to data portability;
10.3.11. the right to at any time revoke consent without affecting the legality of processing based on consent prior to such revocation;
10.3.12. the right to file a claim with a supervisory institution;
10.3.13. whether information, or provision of personal data, is specified in accordance with a law or an agreement, or as the precondition for concluding an agreement, and information on whether the data subject is obliged to provide the personal data, and what consequences of not providing such data may arise;
10.3.14. whether automated decision-making, including profiling, is in effect.
10.4. In accordance with the applicable legislation, a Person is entitled to request access to their personal data, and to request updating, rectification of deletion of processed data, or to restrict processing, and the right to object to processing, including personal data processing performed in accordance with the legitimate interests of RSU, as well as the right to data portability. These rights may be exercised insofar as data processing does not stem from RSU’s obligations under applicable legislation and those performed in the interest of the public.
10.5. A Person may submit a request regarding the exercise of their rights:
10.5.1. in writing, in person at Dzirciema iela 16, Rīga, LV-1007, by presenting a personal identification document;
10.5.2. via e-mail to the address rsursu[pnkts]lv, signed with a secure digital signature;
10.6. Upon receiving a Person’s request to exercise one’s rights, RSU verifies the Person’s identity, evaluates the request and fulfils it in accordance with the applicable legislation.
10.7. RSU’s response to the received order is sent via e-mail to the specified contact address as a registered letter, issued in person, or sent to the e-mail address specified in the application, signed with a secure digital signature, where possible conforming to the response format specified by the Person.
10.8. RSU ensures compliance with personal data processing and protection requirements in accordance with the applicable legislation and, in the event of objections, performs reasonable actions to resolve an objection. A person in any case retains the right to contact a supervisory authority, i.e. the Data State Inspectorate.
10.9. A Person is obliged to, within a reasonable period of time, provide RSU with information on changes in the personal data available to RSU.
11. Consent to data processing and right to revoke consent
11.1. If Personal data processing takes place on the basis of consent to personal data processing, a Person is entitled to revoke consent to the data processing at any time, in the same way in which it has been given, and in such case any further data processing based on consent previously given for the relevant purpose will no longer be performed.
11.2. Revocation of consent does not affect data processing performed while a Person’s consent was in effect.
11.3. Upon revocation of consent, data processing performed with other legal basis cannot be discontinued.
12. Commercial notifications
12.1. RSU performs communication involving commercial notifications regarding the services of RSU and/or third parties, and other notifications unrelated to providing directly agreed-upon services (e.g. polling of Persons) in accordance with the provisions of the applicable legislation or in accordance with a Person’s consent.
12.2. Consent given by a Person to the receipt of commercial messages is valid until revoked (even after the termination of an agreement, if one has been concluded). A Person may refuse further receipt of commercial notifications at any time by the following means:
12.2.1. sending an e-mail to the official address rsursu[pnkts]lv;
12.2.2. in person, at 16 Dzirciema iela, Rīga;
12.2.3. in certain cases – in the manner and according to procedure specified in information provided prior to obtaining the Person’s consent.
12.3. RSU discontinues the sending of commercial messages as soon as a Person’s request is processed.
13. Visits to websites and processing of cookies
13.2. The RSU website may include links to the websites of third parties that have distinct usage and personal data protection terms, for which RSU is not accountable.
13.4. Strictly necessary cookies. These cookies are required for a user to freely visit and browse a website and use the options it provides, including receipt of information about available services, and purchase of services. These cookies identify a user’s device but do not disclose the user’s identity, do not collect or compile information. Without these cookies, a website cannot function fully, e.g. serve the requested services or process a service application. These cookies are stored on a user’s device until the browser is closed.
13.5. Functional cookies. A website uses functional cookies in order to remember the settings and choices set by the user, allowing them to use the website with greater convenience. These cookies are stored on the user’s device permanently.
13.6. Analytics cookies. Analytics cookies gather information about how the user interacts with a website, what sections are visited more often, and what content the user chooses while browsing the website. The information is used for analysis, determining what interests website users have, and allowing enhancements to a website’s functionality by making it more convenient. Analytics cookies identify the user’s device but do not disclose the user’s identity. In some cases, certain analytics cookies are managed by third parties – processors (operators) such as Google Adwords – on behalf of the website owner and in accordance with the owner’s instructions.
13.7. Targeting (advertising) cookies. Targeting (advertising) cookies are used in order to gather information on the websites visited by a user and offer certain services of RSU or its business partners that might interest a specific user, or to address appropriate offers based on the interest shown by a given user. Such cookies are generally placed by third parties, such as Google Adwords, with the website owner’s consent and based on their stated purpose. Targeting cookies are stored on a user’s device permanently.
13.8. Cookies are useful for improving website user experiences:
13.8.1. supporting website features;
13.8.2. adapting website features to a user’s habits – language, search queries, content browsed previously;
13.8.3. receiving statistical data on the flow of visitors to a page – number of visitors, time spent on a page etc.;
13.8.4. user authentication;
13.9. Unless specified otherwise, cookies are stored until the action for the purpose of which they have been collected is completed, and then deleted.
13.10. Cookie information is not transferred for processing outside the European Union and the EEA.
14. Miscellaneous provisions
14.1. RSU does not engage in profiling of natural persons. Partly automated decision-making takes place:
14.1.1. within the framework of the matriculation process, where assessments for centralised examinations or entrance testing are entered into the system along with the number of subsidised and paid seats. The system calculates the outcomes of competitions based on the Gale-Shapley algorithm;
14.1.2. within the framework of allocating scholarships granted from the state budget, where the assessments of students and research activity indicators are entered into the system, along with the number of state budget scholarships available. If the available number of scholarships is lower than the number of applications by students, and current assessments and criteria are not sufficient for making a decision on granting a scholarship, electronic drawing of lots is performed.