1. Controller and contact details
1.1. The Personal Data Processing Controller is Rīga Stradiņš University (hereinafter referred to as RSU), uniform registration No. 90000013771, registered office: Dzirciema iela 16, Rīga, LV-1007.
1.3. RSU has assigned a Personal Data Protection Officer to inform and consult RSU staff in matters related to personal data processing, to monitor compliance with legislation applicable to personal data protection at RSU, to cooperate with the supervisory institution, and to advise Persons contacting RSU in matters related to data processing.
2. General provisions
2.2.1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of Persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as – Regulation);
2.2.2. Personal Data Processing Law of the Republic of Latvia;
2.2.3. RSU Internal Rules of Procedure, RSU Internal Rules and Regulations and other applicable laws and regulations in the field of privacy and data processing.
2.3.1. RSU students, applicants, employees (including potential, former and current), business partners and third parties receiving or transferring to RSU any information (including contact persons, payers etc.);
2.3.2. Visitors to RSU objects or territories, including locations where video surveillance is being conducted;
2.3.3. Users of the website maintained by RSU;
2.3.4. Persons whose personal data are processed in social networks in connection with RSU promotion activities (hereinafter collectively referred to as – Persons);
2.3.5. Participants of study, scientific or other events organised by RSU, for example, RSU annual ball;
2.3.6. Other personal data processing cases related to RSU activities.
2.5. RSU may establish additional regulations for certain types of data processing, of which Persons are informed at the time of providing the relevant data.
3. Purposes of personal data processing
3.1. RSU processes personal data in accordance with applicable external and internal laws and regulations, including for the following purposes:
3.1.1. Addressing and selecting potential applicants, and designing students' personal file. Personal data processing is performed on the basis of law, contract, the consent of the Person and legitimate interest;
3.1.2. Ensuring the study process, including preparation of a study contract, preparation, awarding and accounting of diplomas, preparation, awarding and accounting of certificates, statements, awards, etc. Personal data processing is performed on a lawful basis;
3.1.3. Analysis and provision of study, scientific and administrative management processes. Personal data processing is performed on the basis of law, contract, the consent of the Person and legitimate interest;
3.1.4. Providing library and reading room services. Personal data processing is performed on the basis of law, contract;
3.1.5. Receiving services and preparing contracts, to fulfil the conditions of the concluded contracts and related regulatory enactments, incl. amendment of contracts. Personal data processing is performed on the basis of law, contract;
3.1.6. Establishing and providing employment relationships (including selection). Personal data processing is performed on the basis of law, contract, the consent of the Person and legitimate interest;
3.1.7. Compliance with the requirements of accounting regulatory enactments. Personal data processing is performed on the basis of law, contract and legitimate interest;
3.1.8. Serving and controlling payments, including payment of salaries, retrieval of study debts and recovery. Personal data processing is performed on the basis of law, contract and legitimate interest;
3.1.9. Ensuring the labour protection requirements of employees and students. Personal data processing is performed on the basis of law, contract;
3.1.10. Reviewing and processing applications, statements and complaints. Personal data processing is performed on the basis of law and legitimate interest;
3.1.11. Managing and controlling the rights of access. Personal data processing is performed on the basis of law, contract, the consent of the Person and legitimate interest;
3.1.12. Organising the process of health insurance for employees and students. Personal data processing is performed on the basis of contract, and legitimate interest;
3.1.13. Maintaining and improving the RSU website (cookies). Personal data processing is performed on the basis of legitimate interest;
3.1.14. Providing information to public administration institutions and subjects of operational activities in the cases and to the extent specified in external regulatory enactments. Personal data processing is performed on the basis of law;
3.1.15. RSU organisational management, planning and accounting (incl. document management, processes, services, information systems, ensuring the succession of the merchant, implementation of public relations and social responsibility). Personal data processing is performed on the basis of law, contract, the consent of the Person and legitimate interest;
3.1.16. Securing RSU infrastructure, services, information, employees, students and visitors, prevention of illegal or other threats, promotion of detection of criminal offenses, incl. ensuring security and property protection (video surveillance, access control systems). Personal data processing is performed on the basis of law, contract, the consent of the Person and vital and legitimate interest;
3.1.17. Scientific or academic research. Personal data processing is performed on the basis of law, contract, and the consent of the Person;
3.1.18. Preventing the risks to the health of students and staff, and for the provision of RSU study, scientific and administrative activities – processing of special categories or sensitive personal data, if there is a legal basis, and one of the special conditions for processing sensitive personal data specified in Article 9 of the Regulation. Personal data processing is performed on the basis of law, contract, the consent of the Person and legitimate interest;
3.1.19. Other specific purposes of which the Persons are informed prior to the provision of the data.
4. Legal basis for personal data processing
4.1. RSU processes personal data on the following legal grounds:
4.1.1. With the consent of the Data Subject (Article 6(1)(a) of the Regulation);
4.1.2. For the purpose of concluding and ensuring the performance of a contract (Article 6(1)(b) of the Regulation);
4.1.3. In order to comply with the obligations laid down in RSU binding regulatory enactments (Article 6(1)(c) of the Regulation);
4.1.4. To protect the vital interests of the Data Subject or of another natural person (Article 6(1)(d) of the Regulation);
4.1.5. To perform a task carried out in the public interest or in the exercise of official authority legally conferred on the Controller (Article 6(1)(e) of the Regulation);
4.1.6. In order to realise the legitimate interests of RSU arising from existing obligations or from a concluded contract or law (Article 6(1)(f) of the Regulation).
5. Acquisition of personal data, duration of storage and automated decision making
5.1. Obtaining personal data from Persons depends on the content of the transaction.
5.2. Personal data may be obtained in the following ways:
5.2.1. Clear and unambiguous consent of the Person has been obtained;
5.2.2. Information provided to RSU by the Person themselves (or by an authorised person), namely by contacting or cooperating with RSU, such as concluding a contract, requesting information or applying for a specific issue or request, by visiting RSU facilities, communicating through information channels, including social networks, or attending RSU events or supported activities, during which photographs or video recordings may be taken, of which information has been previously provided;
5.2.3. In order to comply with the requirements laid down in regulatory enactments, to ensure long-term cooperation and credit risk management, RSU may also need to request data from publicly available registers;
5.2.4. When visiting the RSU website, cookies may be used, about which information is provided during the visit to the website;
5.2.5. From information systems auditing records (access time, activities performed, etc. in the information system).
5.3. RSU stores and processes personal data as long as at least one of the following criteria exists:
5.3.1. As long as the contract concluded with the Person is in force;
5.3.2. As long as RSU or the Person may exercise their legitimate interests in accordance with the procedures laid down in external regulatory enactments (for example, to submit objections or to bring / lead an action before the court);
5.3.3. As long as either party has a legal obligation to store the data;
5.3.4. As long as the consent of the Person to the relevant processing of personal data is in force, unless there is another legal basis for the processing of data.
5.4. Semi-automated decision making takes place:
5.4.1. Within the framework of the admission process, where the assessments of centralised examinations and entrance examinations laid down in the admission regulations are entered into the system, as well as the number of budget and tuition fee study places determined by the rector's decree. The admission system calculates the results of competitions using the Gale-Shapley algorithm;
5.4.2. Within the framework of the distribution of scholarships granted from the state budget, where students' assessments and indicators of scientific activity are entered into the system, as well as the number of scholarships available from the state budget. If the number of available scholarships is less than the number of student applications and the existing assessments and criteria are not sufficient to make a decision on awarding a scholarship, an electronic draw is carried out.
6. Recipients of personal data and transfer of personal data outside the European Union
6.1. RSU does not disclose personal data to third parties, except:
6.1.1. In the case and to the extent specified in regulatory enactments;
6.1.2. If clear and unambiguous consent has been obtained from the Persons;
6.1.3. If the data must be transferred to a third party within the framework of the concluded contract in order to perform any function necessary for the performance of the contract or delegated by law;
6.1.4. Personal data may be transferred to cooperation partners with whom RSU has contractual relations and mutual obligations;
6.1.5. To law enforcement institutions in accordance with the procedures specified in regulatory enactments;
6.1.6. To RSU employees to perform their duties;
6.1.7. When fulfilling the requirements of a contract entered into with the Person, transferring only the amount of data that is necessary for the performance of a specific task or the provision of specific services;
6.1.8. To a certified auditor, auditors or other personal data controllers.
6.2. The provision of information to the Ministry of Health, the Ministry of Education and Science, the Central Statistical Bureau, the State Audit Office, the State Revenue Service and other State administration institutions shall take place in the cases and to the extent specified in regulatory enactments and law.
6.3. In case it is necessary to transfer personal data outside the European Union, RSU will ensure the procedures laid down in the regulatory enactments for ensuring the level of processing and protection of personal data equivalent to that laid down in the Regulation.
7. Persons' Rights and obligations and the implementation procedure
7.1. In accordance with regulatory enactments, Persons have the right to request access to their personal data, as well as to request RSU to supplement, correct or delete it, or to restrict processing in relation to the Data Subject, or the right to object to processing, including the processing of personal data carried out on the basis of RSU's legitimate interests, as well as the right to data portability.
7.2. Persons may receive information about natural persons and legal persons that, during a specific period of time, have received information about the Person from the Controller. The information provided to the Person may not include state institutions that initiate criminal proceedings, are subjects of operational activities, or other institutions for which the law prohibits the disclosure of such information.
7.3. Persons are entitled to receive the following information, where it applies in the case at hand:
7.3.1. The company name or name and surname, and address of the Controller;
7.3.2. Contact information of the data specialist or RSU data processing officer;
7.3.3. Purpose, legal basis and type of personal data processing;
7.3.4. Legitimate interests of the Controller or a third party for video surveillance;
7.3.5. Recipients of personal data, or categories of recipients – if any;
7.3.6. Information that the Controller intends to transfer personal data to a third country or an international organisation;
7.3.7. Date on which the Data Subject’s personal data were last modified, deleted, or blocked;
7.3.8. Source of obtaining personal data, unless disclosure of such data is prohibited by law;
7.3.9. Period of time for which personal data will be stored or, if this is not possible, the criteria used in order to determine this period of time;
7.3.10. Availability of the right to ask that the Controller provide access to a Data Subject’s personal data, modify or delete them, restrict processing with regard to the Data Subject, or the right to object to processing, as well as the right to data portability;
7.3.11. The right to revoke consent at any time without affecting the legality of processing that is based on consent given prior to such revocation;
7.3.12. The right to file a claim to a supervisory institution;
7.3.13. Whether information, or provision of personal data, is specified in accordance with a law or a contract, or the data is the precondition for concluding a contract, and information on whether the Data Subject is obliged to provide the personal data, and what consequences of not providing such data may arise;
7.3.14. Whether automated decision making, including profiling, is in effect.
7.4. Persons can submit a request regarding the exercise of their rights:
7.4.1. In writing, in person at the Records Management and Archives Department in Rīga, 16 Dzirciema iela, LV-1007, by presenting a personal identification document;
7.4.2. Via e-mail in a free form to the official electronic address rsursu[pnkts]lv;
7.4.3. Via e-mail, by sending a request for the rights of the Data Subject (form LK-20), signed with a secure electronic signature, to the RSU e-mail address documentirsu[pnkts]lv;
7.4.4. By sending a request to the Unified portal of state and municipal services (www.latvija.lv), incl. by sending a request to the RSU official electronic address rsursu[pnkts]lv.
7.5. When receiving Persons' requests to exercise their rights in person, RSU verifies the Person’s identity, evaluates the request and fulfils it in accordance with the applicable legislation.
7.6. RSU’s response to the received request is sent by post to the specified contact address as a registered letter, issued in person, or sent to the e-mail address specified in the application, where possible, conforming to the response format specified by the Person, on condition that the Person has confirmed their identity.
7.7. If RSU has reasonable grounds to reject the Data Subject's request due to the circumstances specified in regulatory enactments, RSU will inform the Data Subject in writing of the refusal, justifying it accordingly.
7.8. The Person has the right to revoke the consent to the data processing at any time, in which case further data processing based on the prior consent will not be carried out for the specific purpose.
7.9. Revocation of consent does not affect data processing carried out at the time when the Person's consent was valid.
7.10. Revocation of consent may not suspend the processing of data carried out on other legal grounds.
7.11. RSU ensures compliance with personal data processing and protection requirements in accordance with the applicable legislation and, in the event of objections, performs reasonable actions to resolve an objection. In any case, Persons retain the right to contact a supervisory authority, i.e. the Data State Inspectorate or other law enforcement institutions.
7.12. Persons are obliged to provide RSU with information on changes in the personal data available to RSU within a reasonable period of time.
7.13. If necessary, Persons can apply to the Dean's office of their faculty (if the Person is an RSU student) or to the Head of their structural unit (if the Person is an RSU employee) for information on the exercise of their rights.
8. RSU obligations when processing personal data
8.1. When processing personal data, RSU provides the following:
8.1.1. Information to Persons in accordance with Articles 13 and 14 of the Regulation;
8.1.2. The possibility for the Person to modify his or her personal data if the personal data is inaccurate;
8.1.3. Taking technical and organisational measures to protect personal data against accidental, unauthorised or unlawful access, disclosure, rectification or loss;
8.1.4. To notify the Person without undue delay of personal data protection violations in order to prevent damage to the rights and freedoms of natural persons;
8.1.5. Personal data processing is performed only by those RSU employees who are entitled to perform it in accordance with the duties of the position;
8.1.6. If the purpose of personal data processing changes, RSU informs the Data subject about the change of the purpose of data processing before further processing and provides him or her with the necessary additional information.
9. Commercial notifications
9.1. RSU performs communication involving commercial notifications regarding the services of RSU and / or third parties, and other notifications not directly related to the provision of the agreed services (e.g., polling of Persons) in accordance with the provisions of the applicable legislation or in accordance with the Person’s consent.
9.2. Consent given by the Person to receive commercial notifications is valid until revoked (even after the termination of a contract, if one has been concluded). Persons can refuse further receipt of commercial notifications at any time by the following means:
9.2.1. By sending an e-mail to the official address rsursu[pnkts]lv;
9.2.2. In person, at the Records Management and Archives Department, 16 Dzirciema iela, Rīga;
9.2.3. In certain cases – in the manner and according to procedure specified in information provided prior to obtaining the Person’s consent.
9.3. RSU discontinues sending commercial notifications as soon as the Person’s request has been processed.
10. Ensuring remote online work and study process
10.1. The RSU remote learning process is organised in the Moodle e-learning environment or on the Zoom platform. The functionality of the e-learning environment provides a wide range of e-examination organisation possibilities (electronic tests, clinical case analysis, online essays, submission of written or audiovisual materials, etc.), as well as evaluation options, while the Zoom platform provides remote examination and / or lesson organisation.
10.2. RSU organises the remote online work process on Zoom, MS Teams and other platforms.
10.3. The legal basis for the processing of personal data for the organisation of remote online classes and work is Article 6(1)(e) of the Regulation (processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority legally conferred on the Controller) and / or Article 6(1)(c) of the Regulation (processing necessary for compliance with a legal obligation to which the Controller is subject).
11. Other terms and conditions
11.2. The procedure by which the processing of personal data is organised at RSU is determined by approved internal regulatory enactments.