Privacy policy for the processing and protection of personal data

1. GENERAL PROVISIONS

1.1. The Privacy Policy regulates the basic principles, rules and procedures for the protection and processing of personal data that are used by the Malnava College (COLLEGE) to process personal data.

1.2. Personal data in the COLLEGE are processed in accordance with the conditions laid down in Regulation No. 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and in the Personal Data Processing Law, which are aimed at the security of personal data, in the external regulatory enactments (laws regulating the field, regulations of the Cabinet of Ministers, etc.) and in the general regulations of the COLLEGE.

1.3. COLLEGE processes personal data in compliance with the person's right to the lawfulness of personal data processing and the person's interests to protect his or her privacy.

1.4. In order to exercise its rights and obligations and perform its functions arising from the regulatory enactments and to provide services in the most efficient way, COLLEGE needs to process and use certain types of information (data) about natural persons. Depending on the service requested or provided, or the function to be performed, personal data may be processed within the meaning of the General Data Protection Regulation.

1.5. Controller and its contact information:

1.6. Place of personal data processing: the processing of personal data by COLLEGE is performed at Kļavu ielā 17, Malnavā, Malnavas pagastā, Ludzas novadā, Latvia.

1.7. Personal data protection specialist: in order to receive an explanation regarding the processing of personal data performed by COLLEGE or to submit a complaint, a person may

contact COLLEGE data protection specialist Anita Mozga by e-mail: anita.mozga@malnavaskoledza.lv.

1.8. With this personal data processing and protection policy, COLLEGE wishes to emphasize its strong commitment to the protection of personal data and points out that in all your communication and cooperation with COLLEGE, it will strive to ensure the security of the processed personal data.

2. AIM

2.1. The aim of the privacy policy is to provide a natural person (data subject) with information on the purpose, scope, protection and term of processing of personal data during the acquisition

of data and processing of the data subject's data.

2.2. The Privacy Policy is designed to apply the principles set out in the COLLEGE on the processing and protection of personal data to the extent that they do not conflict with the regulatory enactments and the general provisions of the COLLEGE, to maintain a high level of personal data processing quality, and to ensure a fair, transparent and comprehensible process of the personal data processing.

3. PURPOSES OF THE PERSONAL DATA PROCESSING

3.1. The processing of personal data is necessary for the COLLEGE to be able to perform its functions and tasks specified in the regulatory enactments (laws, regulations of the Cabinet of Ministers, etc.), including personnel management, concluding contracts, financial and accounting management, maintaining systematic document circulation, public procurement accounting and administration. Processing means any activity performed regarding data, including data collection, recording, structuring, retrieval, storage, destruction, etc. (in accordance with Article 4, Paragraph 2 of the GDPR).

3.2. Personal data may be archived in the COLLEGE for evidence, historical purposes or for research or statistical purposes.

3.3. When processing personal data for certain purposes, the principles of personal data processing and protection are observed in all data processing stages.

4. LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA

4.1. COLLEGE processes personal data only if the processing has an appropriate purpose and legal basis.

4.2. COLLEGE processes personal data (legal basis):

4.2.1. to comply with the legal obligation;

4.2.2. to fulfil a task, which is performed to exercise the official powers legally conferred on the Controller;

4.2.3. for the performance of the contract or for taking measures at the request of the data subject before concluding the contract;

4.2.4. if the natural person has consented to the processing of his or her personal data for one or more specific purposes.

5. CATEGORIES OF PERSONAL DATA

5.1. Personal data means information related to an identified or identifiable natural person, such

as a person's name, surname, personal identification number, date of birth, contact information

(to ensure effective communication), information we ask for in order to provide the person with

relevant services, etc. (in accordance with Article 4, Paragraph 1 of the GDPR).

5.2. In order to establish a business relationship or to make decisions related to a business relationship, or to ensure the performance of other COLLEGE tasks, Personal Data may be obtained from the data subject himself or from third parties – external sources, databases, registers and public sources used by COLLEGE.

5.3. The categories of personal data processed by the COLLEGE depend on the defined tasks of the COLLEGE and the services provided. COLLEGE mainly, but not exclusively, processes the following categories of personal data for the purposes set out in this policy:

• 5.3.1.Personal identification data – name, surname, personal identification code/ID, date of birth,
• 5.3.2.passport No./ID number, signature;
• 5.3.3.Personal contact information – address, telephone number, e-mail address;
• 5.3.4.Details of contact persons – name, surname, e-mail address, telephone number of the contact person;
• 5.3.5.Contract details – contract number, date of signing/ approval, type of service, address of the service, number of the annex, date of the annex;
• 5.3.6.Transaction details – transaction number, date, transaction name, type;
• 5.3.7.Communication data – type of incoming/ outgoing communication, number, date, registrant, content, channel, delivery status;
• 5.3.8.Product purchase data – name of the product, date of purchase, number of consignment note, method of receipt of the product, price, method of payment;
• 5.3.9.Billing details – payment processor data, settlement system account number, payer's data, bank account number, invoice number, date, amount, invoice receipt type, payment date, payment type, check number, payment order number, debt amount, debt collection information;
• 5.3.10.Photos, videos and pictures – photos from public events, date the photos were taken.

5.4. COLLEGE does not request from a person and does not process more information than is

necessary to achieve the specified purpose, thus observing the principle of data minimization. The amount of personal data required for certain purposes is determined by national laws and regulations, in other cases, COLLEGE itself evaluates what information to request from the data subject in order to ensure the achievement of the purpose, while observing the principle of data minimization.

6. CATEGORIES OF RECIPIENTS OF PERSONAL DATA

6.1. COLLEGE discloses the data of data subjects in compliance with the COLLEGE data processing purposes specified in the principles. Recipients of personal data may be authorized employees of the Controller, data subject, processors of personal data, local government and state institutions (for example, the State Employment Agency, the State Revenue Service,

investigative authorities, courts, etc.).

6.2. COLLEGE is obliged to provide data of data subjects in the cases provided for in the regulatory enactments, in a certain procedure and to a certain extent (for example, for investigative institutions, courts, bailiffs, etc.), including for the protection of COLLEGE legitimate interests.

6.3. COLLEGE discloses the data of data subject to personal data processors and the third parties only to the extent that is reasonably necessary for the relevant purpose of the subject's data processing.

6.4. Transfer of personal data to the third countries:

6.4.1. Personal data will be stored and processed in the European Union and the European Economic Area.

6.4.2. In certain cases, in compliance with the requirements of regulatory enactments, COLLEGE may transfer personal data to the countries outside the European Union and the European Economic Area, respectively ensuring the level of personal data processing and data protection specified in regulatory enactments and equivalent to the General Data Protection Regulation.

6.5. COLLEGE will exchange your personal data with organizations or service providers that provide sufficient guarantees that appropriate technical and organizational measures will be implemented in such a way that the processing will comply with the requirements of personal

data protection legislation and ensure the protection of the data subject's rights. These organizations or service providers shall be able to fulfil the obligations laid down in the legislation on the protection of personal data. These warranties and conditions are set forth in

agreements with organizations and the third parties.

6.6. COLLEGE will not use personal data for commercial shipments, unless the person has

expressed a consent to COLLEGE to do so.

7. PERIOD OF RETENTION OF PERSONAL DATA

7.1. COLLEGE will store personal data for no longer than is necessary to achieve the relevant

purpose of personal data processing.

7.2. The COLLEGE retains personal data for as long as one of the following criteria exists:

7.2.1. the term of storage of personal data is determined or follows from the regulatory

enactments of the Republic of Latvia and the European Union;

7.2.2. personal data must be stored for a certain period of time in order to ensure the

realization and protection of the legitimate interests of the Controller or a third party;

7.2.3. until the consent of the person to the processing of personal data has been withdrawn

and there is no other legal basis for the processing of the data.

7.3. At the end of the storage period, personal data will be permanently deleted, unless there is

an obligation to keep them in accordance with the regulatory enactments.

8. PROTECTION OF PERSONAL DATA

8.1. COLLEGE ensures, constantly reviews and improves personal data protection measures to protect personal data from unauthorized access, accidental loss, disclosure or deletion. To ensure this, COLLEGE uses up-to-date, modern technical and organizational requirements, taking into account existing privacy risks and the organizational, financial and technical resources reasonably available to COLLEGE.

8.2. COLLEGE carefully inspects all service providers who process personal data in the name and on behalf of the controller, as well as assesses whether cooperation partners (processors of

personal data) apply appropriate security measures to ensure that personal data is processed in accordance with the controller delegation and regulatory requirements.

8.3. In the case of a personal data security incident, if it poses the highest possible risk to the data subject's rights and freedoms, COLLEGE will notify the relevant data subject, if possible, and the Data State Inspectorate, or the information will be published on the controller's website or in another possible way such as using mass media.

9. RIGHTS OF THE PERSON

9.1. The data subject has the right to request COLLEGE information about his/her personal data and to receive clarifying information about what personal data about him/her is available to COLLEGE, for what purposes personal data are processed, what are categories of recipients of personal data (persons to whom personal data are disclosed or intended to disclose, unless the legal enactments allow COLLEGE to provide such information in a particular case), information on the period for which the personal data will be stored, or the criteria used to determine that period.

9.2. The data subject has the right to request the correction of his/her personal data if he/she considers that the information available to the COLLEGE is outdated, inaccurate or incorrect.

9.3. The data subject has the right to request a restriction on the processing of his/her personal

data, the deletion of his/her personal data, or to object to the processing if the person considers

that the personal data are incorrect, processed unlawfully or no longer necessary for the purposes for which they were collected and/or processed (implementing the principle – the data subject's right to “be forgotten”), insofar as the data processing does not result from the obligations of the COLLEGE imposed on it by the applicable regulatory enactments.

9.4. The data subject is entitled to exercise other rights arising from the subject's data protection

legislation.

9.5. If the data subject establishes that his/her rights have been violated during the processing of the data subject's data, the data subject is entitled to submit a request to the COLLEGE or the Personal Data Operator (if any) to stop such violation.

9.6. If the data subject considers that the processing of personal data violates his/her rights and

interests in accordance with the regulatory enactments, the data subject has the right at any time to file a complaint in the Data State Inspectorate at Blaumaņa Street, 11/13-15, Rīga, LV1011, Latvia, or the court.

9.7. The data subject has the right to address an issue of interest related to the processing of his/her data, including a data protection breach:

9.7.1. in writing in person at COLLEGE;

9.7.2. in the form of electronic mail, signing with a secure electronic signature and sending to

the e-mail address: info@malnavaskoledza.lv.lv with a note “To: Data protection specialist”. 10. FINAL PROVISIONS

10.1. No automated decision making is performed regarding the processing of personal data. 10.2. Website visits and use of cookies on the website:

10.2.1. COLLEGE website may use cookies. Cookies are used to improve the quality of the content, for more convenient use and adaptation to the needs of users, to facilitate the use of the website, remember the screen settings specified by the user, record whether you have already been notified that cookies are used on the www.malnavaskoledza.lv.lv website. Information on the use of cookies can be found on the relevant website.

10.2.2. A cookie is a small text file that is sent to a user's computer or mobile device when they visit a website. Cookies act as a memory for a specific website, allowing the website to remember the user's computer the next time you visit, including the settings specified by the user. Cookies are not used to personally identify you.

10.2.3. COLLEGE websites may contain links to third party websites, which have their own terms of use and personal data protection regulations, for which COLLEGE is not responsible.

10.3. Photo, video, audio and audiovisual fixation:

10.3.1. In order to inform the visitors of COLLEGE, as well as other interested parties about the activities and events taking place in COLLEGE, photo images, video, audio and audiovisual fixation can be performed during the activities and events.

10.3.2. Information on the performance of photo, video, audio or audiovisual recordings at events organized by COLLEGE is provided in posters about the planned event, in inscriptions at the venues of the events or otherwise, depending on the nature of the event.

10.3.3. Photographs taken or audio, video and audiovisual recordings made may be placed on websites, in the press and other media, presentations, including printed materials, on social network profiles (e.g. Facebook, YouTube), etc.

10.3.4. In cases where the processing of personal data requires the consent of a person, an COLLEGE employee or his/her authorized representative may address the person directly and request his/her permission to record the person in photographic, audio, video or audiovisual form and to disclose this fixation to public. In situations where a person allows a photo, audio, video or audiovisual fixation to be made and disclosed to public, it is considered that the person has provided his/her consent to the processing of his/her personal data (disclosure of his/her photo, audio, video or audiovisual fixation). In certain cases, the person's consent may be required in writing.

10.4. COLLEGE has the right to make additions to the Privacy Policy by making the current version available to the Person on the website www.malnavaskoledza.lv.lv.