Information notice concerning the protection of personal data

Central Statistical Bureau of Latvia (hereinafter – the Controller), registration No 90000069830, postal address: Lāčplēša 1, Riga LV-1301

If you have any questions relating to this information notice concerning the protection of personal data (hereinafter – the Notice) or processing of your personal data, you may contact us through the communication channels provided by the Controller or contact our personal data protection officer at the e-mail address datuaizsardziba@csp.gov.lv.

Categories of data subjects covered by the Notice when recruiting personnel:

• people applying for a vacancy;
• people who have sent an application to the Controller on their own initiative;
• people providing feedback;
• trainees.

Purpose or aim of data processing

The Controller processes your personal data for recruitment purposes and to serve your legal interests in so far it is related to the recruitment:

• upon receipt of your application and CV, the Controller evaluates the information provided therein;
• verifies the compliance of the information provided with the requirements for the position;
• arranges and ensures interview (incl. contacts you before it) as well as takes other recruitment-related organisational measures;
• organises a remote or face-to-face job interview;
• contacts the feedback providers indicated;
• stores the documentation submitted with an aim to use it in another recruitment;
• stores the information obtained during the recruitment to defend own interests in any legal proceedings or settle claims;
• concludes an employment or traineeship agreement or appoints an official.

Personal data processed within the recruitment

Upon receipt of your application for a vacancy, the Controller, by complying with the principle of data minimisation, may process at least the following your personal data:

• all the information included in your CV and application letter (e.g., first name, surname, contact details, information about jobs and studies/trainings, language skills, additional knowledge/skills) or other documents;
• in case you are invited to a job interview, the information provided during it as well as the tests or any other examinations taken and the results thereof;
• information about the contacts who might provide feedback on your professional activities to date (if you choose to provide it) and the feedback given;
• information related to the compliance with the requirements of the position, e.g., your qualification, work experience, information regarding compliance with the requirements specified in regulatory enactments;
• information related to the organisation of the recruitment (e.g., on whether we have contacted you or not, notes on the possible time and progress of the meeting);
• information regarding the conformity of the state of health with the work to be performed.

If you are selected for the position, the Controller may need at least the following personal data to conclude an agreement:

• first name, surname, personal identity number, place of residence, telephone number, personal identification document details, starting date of employment, place of employment, educational attainment details, qualification details, description of work duties to be performed, position, contacts at work, citizenship, gender;
• remuneration amount, operating account details;
• health data (compulsory health examinations).

Legal basis for personal data processing

• Your personal data are processed by the Controller based on your consent in accordance with the Article 6 1) (a) of the GDPR. When applying for a specific position, the Controller receives and uses your personal data based on your consent (the consent is given through your activity – submission of documentation to the Controller).
• You are responsible for the veracity of all the information provided. By providing the contact details of the feedback providers, you are responsible for ensuring that you comply with the legal basis and other relevant requirements for providing personal data to the Controller.
• You have the right to withdraw your consent at any time by sending a request to the  e-mail address datuaizsardziba@csp.gov.lv or personals@csp.gov.lv.
• Upon receipt of your application, the Controller has a legal interest in processing it, evaluating the information provided therein, organising and conducting the interview, and providing the evidence to support the legal conduct of the relevant proceedings.
• In the event of a dispute, the information obtained during the recruitment may be used to reflect the legal conduct of the recruitment process in question (e.g., to investigate allegations against the recruitment and to provide evidence in the event of allegations). In that case, the Article 6 1) (f) of the GDPR – the legitimate interests of the Controller – serves as the legal basis for the processing of personal data.
• If you are nominated for the participation in the second recruitment round, based on the legitimate interests of the Controller, the Controller, within four months after the recruitment conclusion, may reconsider your candidacy also in other recruitments. If you do not want your candidacy to be considered in future recruitment undertaken by the Controller, please, indicate this when applying for the vacancy.
• If your application states a contact person for feedback, based on the legitimate interest thereof (Article 6 1) (f) of the GDPR), the Controller may contact that person to get this feedback on you. When contacting the contact person, the Controller will inform him/her about the reason for doing that, namely, your application for the vacancy.
• To process information regarding compliance with the position requirements, i.e. the existence of an interoperable COVID-19 vaccination or recovery certificate, the legal basis for processing personal data are formed by the Article 6 1) (c) of the GDPR, noting the exception stated in the Article 9 2) (g) on processing of specific categories of personal data if it is necessary for reasons of substantial public interest, on the basis of Union or Member State law.
• In some cases, Article 6 1) (c), Article 9 2) (h) and Article 10 of the DGPR also constitute the legal basis for processing personal data of certain types and on certain position categories. E.g., in accordance with Section 7 of the State Civil Service Law when examining your right to fill the state official position or in accordance with Section 38 of the Labour Law as regards your state of health, professional training and assessment of ability to work, in so far as it is essential for the performance of the intended work.
• If a labour or traineeship agreement will be concluded with you or you will occupy the position of a state official, the Article 6 1) (b) of the GDPR will serve as the legal basis for such processing of the data – your willingness to conclude labour or traineeship agreement with the Controller.

Who will receive your personal data?

Your personal data will be received by:

• employees of the Controller participating in the recruitment (e.g. Personnel Management Division, departmental directors, section heads, etc.);
• under certain conditions (e.g., if a claim against the relevant recruitment is received), law enforcement or supervisory authorities (e.g., State Labour Inspectorate), a court, other institutions meeting the procedures specified in regulatory enactments (e.g., State Revenue Service), as well as data processors of the Controller;
• when a job interview is organised via online communication tools, in some cases your personal data may be transmitted through the service provider's information system.

Personal data are not intended to be transferred to recipients outside the European Union or European Economic Area.

Categories of data subjects covered by the Notice

In case of CSB partners and service providers outside the scope of official statistics production, the data subjects covered by the Notice are:

• persons referred to in the service and cooperation agreements;
• persons who have sent cooperation offers or correspondence to the Controller;
• employees of the cooperation partners;
• visitors to the Controller.

Purpose or aim of data processing

The Controller processes personal data for the following purposes:

• registration of guests in the guest register;
• examination and processing of the cooperation partner applications;
• receipt and sending of correspondence;
• conclusion and performance of cooperation agreements, including for settlements;
• engagement of a customer/supplier/partner;
• procurement, including in accordance with the Public Procurement Law and Law on International Sanctions and National Sanctions of the Republic of Latvia;
• improvement of the quality of work performed by the Controller’s employees;
• fulfilment of other statutory obligations.

Personal data processed

Upon receipt of your application for a vacancy, the Controller, by complying with the principle of data minimisation, may process at least the following your personal data:

• first name and surname – to register visitors;
• information on the contacts indicated by the cooperation partner in the agreement or when submitting the tender proposal, i.e., first name, surname, telephone number, e-mail address, position;
• information on the officials, true beneficiaries, owners of the cooperation partners, i.e., first name, surname, personal identity number, contact details;
• information that you provide by sending correspondence to the Controller, i.e., your first name, surname, e-mail address, correspondence address, details of other persons provided in the correspondence;
• data in the meeting record, i.e., face images, voice, information provided, behaviour;
• other information needed to ensure cooperation.

Legal basis for the processing of personal data

This legal basis is applied by the Controller in cases where no other legal basis is applicable. You have the right to withhold consent to the processing of your personal data at any time. Withhold of consent does not affect the lawfulness of data processing operations carried out over the period until the moment the consent was withdrawn.

This legal basis is applied by the Controller to execute the agreement between you and the Controller.

This legal basis is applied by the Controller in case the processing of personal data is provided for in an external regulatory enactment – law, Cabinet regulations, European Union legislation, e.g., Accounting Law, Civil Law.

1. Your consent (Article 6 1) (a) of the GDPR)

This legal basis is applied by the Controller in cases where no other legal basis is applicable. You have the right to withhold consent to the processing of your personal data at any time. Withhold of consent does not affect the lawfulness of data processing operations carried out over the period until the moment the consent was withdrawn.

2. Execution of an agreement (Article 6 1) (b) of the GDPR)

This legal basis is applied by the Controller to execute the agreement between you and the Controller.

3. Fulfilment of legal obligations (Article 6 1) (c) of the GDPR)

This legal basis is applied by the Controller in case the processing of personal data is provided for in an external regulatory enactment – law, Cabinet regulations, European Union legislation, e.g., Accounting Law, Civil Law.

4. Legitimate interests of the Controller or third party (Article 6 1) (f) of the GDPR)

This legal basis is applied by the Controller for predefined purposes under which processing of the data is necessary to pursue the legitimate interests of the Controller, e.g., increase work quality of the employees.

Who will receive your personal data?

In case of CSB partners and service providers outside the scope of official statistics production, your personal data will be received by:

• authorised employees of the Controller;
• under certain conditions and in the presence of a certain legal basis, the law enforcement and supervisory authorities, Controller's data processors and other recipients.

Personal data are not intended to be transferred to recipients outside the European Union or European Economic Area.

Categories of data subjects covered by the Notice

The data subjects covered by the Notice are persons entering the CCTV camera receiving area (employees of the Controller, customers, visitors, bystanders, and others).

Purpose or aim of data processing

The Controller processes personal data acquired from video surveillance for the following purposes:

• to ensure security of visitors, employees, premises and property of the Controller;
• to comply with the legal requirements and protect legitimate interests of the Controller;
• to detect and prevent illegal activities;
• to ensure the protection of your vital interests, including life and health.

Personal data processed

Upon receipt of your application for a vacancy, the Controller, by complying with the principle of data minimisation, may process at least the data captured by CCTV cameras, e.g., face image, information on the number plate of a vehicle, behaviour, location, time when and person(s) with whom you were in the location.

Legal basis for the processing of personal data

Personal data are processed by the Controller based on the legitimate interests of the Controller or third party – Article 6 1) (f) of the GDPR. This legal basis is applied by the Controller for predefined purposes under which processing of the data is necessary to pursue the legitimate interests of the Controller, e.g., ensure security of the property and detect illegal activities in a timely manner.

Who will receive your personal data?

Your personal data will be received by:

• authorised employees of the Controller;
• police or other law enforcement authorities;
• data processors of the Controller, e.g., a security company.

Personal data are not intended to be transferred to recipients outside the European Union or European Economic Area.

In Latvia, the Data State Inspectorate monitors compliance with the laws and regulations in the field of personal data protection. More information is available on the Data State Inspectorate website (available in Latvian).

Principles for data retention

• Data processing rights are protected through monitoring functions of the information system access rights.
• Servers used for data processing are located in the computer centre protected by access control and security systems. Registers containing personal data are separated from public information networks by taking suitable technical security measures.
• Paper documents are stored in locked cabinets located in premises with access control.
• The people processing personal data, based on the Controller's internal regulations, are obliged to respect the confidentiality and, in this regard, have signed a confidentiality agreement.
• File backups are made on regular basis.
• The Controller has appointed a data protection officer. The officer maintains a personal data processing register and monitors processing of personal data performed by the Controller.

Principles for data processing

With regard to the information security, the Controller processes your personal data by respecting the following principles:

• lawfulness, decency and transparency;
• data minimisation;
• accuracy;
• integrity and confidentiality;
• accountability;
• the Controller does not make automated decisions concerning you.

Access rights

You have the right to access your personal data and receive information about processing of your personal data from the Controller. You may use the Controller’s contact details to ask for the information on the processing of your personal data if the information provided in this Notice does not seem sufficient.

The right for corrections

If you find any inaccuracies in your personal data, you have the right to require the Controller to correct them by sending a respective request to the Controller.

The right to erase the data

You have the right to request the Controller to delete your personal data if:

• personal data are no longer necessary for the purposes they were processed for and defined in the Notice;
• you withhold your consent on the basis whereof your personal data were processed;
• the personal data were processed unlawfully;
• you have objected to the data processing and the legitimate reasons of the Controller do not outweigh your legitimate reasons;
• personal data shall be erased in accordance with regulatory requirements.
• in some cases, we will not be able to comply with your request to delete personal data. This applies to the cases where the Controller is obliged to process your personal data in accordance with regulatory enactments. Similarly, data erasure is not possible where processing of personal data is necessary, e.g., to rise, process or defend legitimate claims. In those cases, the right to request the deletion of own personal data is limited.

The right to restrict processing of personal data

You have the right to request the Controller to restrict processing of your personal data if:

• you believe that the data are processed unlawfully or inaccurately;
• you believe that data processing is unlawful, but do not want to delete this personal data.
• you have objected to the data processing and until it is verified whether the legitimate reasons of the Controller do not outweigh your legitimate reasons;
• the Controller no longer needs your data for a specific purpose, but you need it to raise, process or defend your legitimate claims.

The right to object to data processing

Based on the legitimate interests identified in the Notice, you have the right to object to the processing of your personal data at any time. The Controller has the right to continue processing your personal data if the Controller points to compelling legitimate reasons that outweigh your interests, rights and freedoms, or to raise, process or defend legitimate claims.

The right to withheld consent

In cases where you have given consent to the processing of certain personal data, you have the right to withheld it at any time, however such withdrawal of consent does not affect the lawfulness of the processing that is based on the consent given prior to revocation. You can withhold your consent by using the contact details provided in the Notice.

The right to portability

You have the right to portability of data in the cases and under procedures laid down in laws and regulations.

The right to lodge a complaint

You have the right to lodge a complaint with the Controller as well as Data State Inspectorate if you believe that the Controller has violated your rights or has failed to protect your personal data sufficiently. However, before contacting the Data State Inspectorate, please, contact the Controller.

Certain rights of data subjects in producing official statistics are not based on the DGPR and Personal Data Processing Law.

When evaluating personal data retention period, Controller complies with the requirements of regulatory enactments, conditions for the performance of contractual obligations, instructions of the data subject (if data are processed based on the data subject consent), as well as the legal interests of the Controller.

Criteria applied for personal data retention period

The Controller applies the following criteria when defining personal data retention period:

• the personal data retention period is set by or arises from the laws and regulations of the Republic of Latvia and the European Union;
• an agreement concluded between you and the Controller in force;
• in so far it is necessary to satisfy and protect legitimate interests of the Controller;
• until your consent to the processing of personal data is revoked.

Three months after the expiry of the personal data retention period at the latest, the data shall be deleted, destroyed or anonymised in a secure manner so that can no longer be linked to a particular data subject, unless the Controller has a legal obligation to keep retaining such data based on regulatory framework for archives and statistics.

Data obtained when producing official statistics:

• the Controller retains personal data in accordance with the requirements of the Statistics Law and Archives Law as well as external and internal laws and regulations issued on the basis thereof;
• the Controller defines the data retention period based on the official statistics production needs.

Data obtained during recruitment:

• information obtained when you were applying for the vacancy and during recruitment will be retained in whole or in part for a maximum of four months starting from the moment the respective recruitment was concluded;if you have submitted your application on own initiative, the information provided will be retained for four months from the date of its submission or until your consent is withdrawn;
• if a complaint is received regarding the respective recruitment, all the information obtained during it may be retained until the complaint is examined and resolved (e.g., when the relevant court judgement comes into effect);
• after the end of the retention period, personal data will be permanently deleted if no other legal basis for the processing of personal data arises for the Controller.

Data obtained from video surveillance:

• the data obtained from video surveillance are retained in archives for a maximum of 30 days, after which are deleted, except in cases where an incident has occurred;
• if an incident has occurred, video surveillance data are retained until the investigation thereof is concluded (e.g., until the court judgement comes into effect);
• videos extracted from the archive are retained in the Controller’s internal system for a maximum of two years (in cases where a conflict, vandalism acts, etc. are detected) if the justification for extending the period is not found.

Data obtained during calls to assistance numbers +371 80000098 and +371 80008811 as well as online chat discussions at https://e.csp.gov.lv:

• phone call records and chat conversation archive are stored for one year;
• if a complaint is received about the service provided via assistance number or chat, the phone call records and chat conversation archive are retained until the complaint is resolved.

Privacy policies on the technical means used by the Controller:

• Current privacy policy used in the platform Zoom is explained in the Zoom Privacy Statement.
• Privacy policy used in the Microsoft Teams is explained in Microsoft blog about their commitment to privacy and security in Microsoft Teams.

The privacy policies of the developers of these platforms demonstrate that they respect the key principles of personal data processing laid down in the GDPR and other legislation, thereby ensuring compliance with the GDPR.

The data subject request shall be submitted in one of the following ways:

• in person by presenting a personal identification document;
• electronically by signing the request with a secure electronic signature. Electronic requests shall be sent to the e-mail address pasts@csp.gov.lv;
• via official electronic address or e-address.

The Controller has a right to amend this Notice. Any amendments to the Notice will be communicated by the Controller on its website.

Updated on: