eParaksts signing extension
1. Purpose and Applicability of the Document
1.1. The purpose of the document is to provide information to a natural person - data subject who is a potential or existing customer, partner or another person whose personal data may become available to LVRTC within the framework of its commercial activities, regarding the procedures according to which LVRTC processes the data of natural persons.
2. Abbreviations and Terms
2.1. The following terms are used in this document:
2.1.1. Processor - processor of personal data. Natural or legal person, state institution, derived public person or its institution, which processes personal data on behalf of the controller in accordance with the provisions of laws and regulations
2.1.2. Processing - any activity or set of activities performed with personal data, with or without automated means, such as collecting, recording, organizing, structuring, storing, adapting or modifying, retrieving, viewing, using, disclosing, transmitting of data by distributing or otherwise doing so making them available, matching or combining, limiting, deleting or destroying them
2.1.3. Data subject - a natural person who can be directly or indirectly identified
2.1.4. eIDAS - Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC
2.1.5. Customer - natural or legal person with whom the State Joint Stock Company “Latvia State Radio and Television Center” has entered into a contract on the provision of specific services or who initiates the process for concluding such a contract
2.1.6. LVRTC - State Joint Stock Company “Latvia State Radio and Television Center”, unified registration No. 40003011203, 14 Ērgļu Street, Riga, Latvia, LV-1012
2.1.7. Service provider - State Joint Stock Company “Latvia State Radio and Television Center”, unified registration No. 40003011203, 14 Ērgļu Street, Riga, Latvia, LV-1012
2.1.8. Personal data - any information related to an identified or identifiable natural person
2.1.9. Certificate - public key of the user, along with other information protected against forgery, using encryption with the private key of the issuing certification authority
2.1.10. Third party - legal entity that provides services to a natural or legal person that are only available after identification and/or age verification of the person
2.1.11. General Data Protection Regulation - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
2.2. Terms not defined in this document are used in accordance with the General Data Protection Regulation, eIDAS Regulation and other laws and regulations governing the protection of personal data and the field of trust and electronic identification services.
3. General Provisions
3.1. LVRTC ensures that personal data is processed in accordance with the current laws and regulations of the Republic of Latvia, the General Data Protection Regulation and other applicable laws and regulations in the field of privacy and data processing.
3.2. LVRTC is aware of the importance of an individual’s right to privacy and has put in place technical and legal measures to process, control and protect personal data according to available technological, financial and organizational capabilities. LVRTC has evaluated and identified appropriate physical, technical, logical and organizational measures to reduce and protect security risks to ensure the security, integrity and privacy of personal data.
3.3. The controller of personal data is the State Joint Stock Company “Latvia State Radio and Television Center”, unified reg. No. 40003011203, legal address 14 Ērgļu Street, Riga, Latvia LV-1012, e-mail adress: email@example.com
4. Personal Data Categories
4.1. Personal identification data - name, surname, personal identification code/personal identification number.
4.2. Customer’s data - the following personal data is processed for customers of eParaksts signing extension: data of issued certificates (including name, surname, personal identification code/personal identification number), data on certificate carrier (if applicable).
4.3. Activities performed within the Internet resources maintained by LVRTC - IP address, auditation recordings, data accumulated by cookies.
4.4. Data of the portal www.eparaksts.lv - activities performed by customers on the portal and reports on Customer activities with Trust services, such as statistics on subscriptions performed.
5. Purposes of Personal Data Processing
5.1. LVRTC processes personal data for the following purposes:
5.1.1. To ensure the provision of services and fulfill the obligations specified in the contracts:
188.8.131.52. ensuring the operation of services, prevention of incidents and provision of technical support;
5.1.2. To ensure the development of services:
184.108.40.206. creation of new products and preparation of offers;
220.127.116.11. market analysis and business model development;
18.104.22.168. sending information to customers about improvements in the products provided or issues related to the use of the product.
5.1.3. For ensuring the maintenance of the services and processes if the appropriate extent required for the operation of LVRTC.
5.1.4. For the provision of information to public administration institutions and subjects of operational activities in the cases and to the extent specified in external laws and regulations.
5.1.5. To fulfill the obligations specified in laws and regulations and to ensure the realization of the legal interests of LVRTC.
5.1.6. For other specific purposes, of which the data subject is informed at the time he or she provides the relevant data to LVRTC.
5.2. Legal Base for Personal Data Processing
5.3. LVRTC processes personal data on the following legal bases:
5.3.1. conclusion and execution of the contract - to enter into the contract upon the customer’s application and ensure its execution;
5.3.2. compliance with laws and regulations - to ensure the fulfillment of obligations specified in the external regulatory enactment binding to LVRTC;
5.3.3. legal (legitimate) interests - to implement legal (legitimate) interests of LVRTC arising from the liabilities between LVRTC and the customer or from the contract concluded or the law;
5.3.4. consent of the data subject.
5.4. The legal (legitimate) interests of LVRTC are:
5.4.1. to carry out commercial activities;
5.4.2. to provide trust (certification) and electronic identification services;
5.4.3. to ensure the fulfillment of tasks delegated by the state;
5.4.4. to verify the identity of the customer before concluding the contract or starting to provide the service;
5.4.5. to ensure the fulfillment of contractual obligations;
5.4.6. to elaborate and develop goods and services;
5.4.7. to monitor the operation of services in order to identify technical problems, as well as illegal activities and prevent them;
5.4.8. to apply to public administration and operational activities authorities and institutions, as well as to a court for the protection of their legal interests.
5.5. The data subject is entitled to withdraw his or her consent at any time, and in this case the further processing based on the prior consent for the specific purpose will not take place.
6. Processing of Personal Data for the Provision of Trust and Electronic Identification Services Provided by LVRTC
6.1. In case the processing of customer’s personal data is performed to ensure the trust and electronic identification services provided by LVRTC, the following rules shall apply to the processing of customer’s personal data:
6.1.1. In case the processing of customer’s personal data is performed to ensure the trust and electronic identification services provided by LVRTC, the following rules shall apply to the processing of customer’s personal data:
22.214.171.124. Personal identification data is sent to TrustedX (eidas.eparaksts.lv) for natural person identification;
126.96.36.199. Customer’s certificate is sent to OCSP (Online Certificate Status Protocol ocsp.eparaksts.lv) for certificate status verification;
188.8.131.52. Customer’s certificate is sent to TSA (Timestamping Authority tsa.eparaksts.lv) for document signing.
6.1.2. if the customer creates an electronic signature, the customer’s certificate, which includes the customer’s name, surname and personal identification code, is attached to the electronically signed document and these data can be accessed by any person who has access to the customer’s electronically signed document;
6.1.3. if the customer, when using the electronic identification means issued by LVRTC, performs electronic identification for receiving a third party service or purchasing a product, which is available only after reaching the age specified in the laws and regulations, the customer’s name, surname and personal identification code included in the customer’s certificate and age based on the consent of the customer, are transferred to the third party for verification of the identity and age of the customer.
6.2. In order to ensure the provision of trust and electronic identification services provided by LVRTC in accordance with external laws and regulations, LVRTC receives personal data from the customer or another person who enters into the contract with LVRTC on the provision of trust services (for example, the customer’s employer).
6.3. The accuracy of personal data submitted to LVRTC is verified and changes in personal data are monitored by obtaining data from registers of national importance (e.g. the Population Register) in accordance with the procedures and to the extent specified in laws and regulations.
6.4. In case the customer’s data has changed, the customer must immediately notify LVRTC on the current data.
7. Transfer of Personal Data
7.1. Personal data is not transferred to third parties, except in cases when the data transfer is necessary to ensure the performance of the provided service (regardless of whether the service is provided on the basis of a contract or regulatory enactment), to ensure LVRTC legitimate interests (there exists a legal basis for transferring personal data or it is provided in the external laws and regulations) or there is obtained the consent of the data subject.
7.2. LVRTC may use approved personal data processors (cooperation partners providing services to LVRTC) to ensure the performance of the provided services. In such cases LVRTC shall take the necessary measures to ensure that such personal data processors process personal data in accordance with the instructions of LVRTC and in accordance with applicable laws and regulations, and demand appropriate security measures to be taken.
7.3. In cases when the customer performs electronic identification for a service provided by a third party using the LVRTC electronic identification provision platform, LVRTC informs the customer about the third party to whom the customer’s data will be transferred, the purpose of data processing and the amount of transferred data.
7.4. LVRTC does not transfer or make available personal data to recipients from third countries or international organizations. However, the transfer and processing of personal data outside the territory of the European Union and the European Economic Area may take place if there exists a legal basis for doing so, namely in order to fulfill a legal obligation, conclude or perform a contract. In this case LVRTC shall ensure that appropriate and relevant protection measures are implemented.
8. Duration of Personal Data Storage
8.1. Personal data is stored as long as the customer uses LVRTC services or does not withdraw his or her consent to data processing if personal data is processed on that basis. Longer personal data storage period is allowed in order to meet the requirements of laws and regulations regarding the minimum term of storage of documents or information or to protect the legitimate interests of LVRTC.
8.2. At the end of the storage period of documents or information, personal data are deleted, made inaccessible (archiving) or unidentifiable so that they can no longer be identified with a specific data subject.
9. Rights of the Data Subject
9.1. The data subject is entitled to request information from LVRTC, whether LVRTC processes the data subject’s personal data, on the legal basis of personal data processing, as well as to request access to personal data or to request the issuance of information on these personal data if direct access is not possible.
9.2. In case the data subject considers that the information available to LVRTC about the data subject is incorrect or incomplete, the data subject is entitled to request its correction, as well as to submit the correct data necessary for the provision of the service. LVRTC is entitled to request the presentation of a document proving changes in the personal data of the data subject if necessary, and the data subject must submit such a document.
9.3. The data subject is entitled to object to the processing of personal data processed by LVRTC on the basis of LVRTC’s legitimate interests. However, LVRTC will continue to process personal data even if the data subject objects to such processing, if LVRTC has the legal basis for the processing of such data.
9.4. The data subject is entitled to request LVRTC to delete personal data, however, this does not apply to cases when the storage of personal data is necessary to ensure compliance with the requirements of laws and regulations. When exercising the data subject’s right to deletion of personal data, LVRTC shall perform only such activities and to the extent permitted by laws and regulations or LVRTC’s legitimate interests, and to the extent technically possible.
9.5. The data subject is entitled to transfer his or her personal data to another data controller.
9.6. In order to exercise his or her rights, the data subject submits a written application to the LVRTC. In case the data subject is not satisfied with the response received, the data subject is entitled to apply to the Data State Inspectorate if he or she considers that the processing of personal data violates his or her rights and interests in accordance with the applicable laws and regulations.
10. Contact Details
10.1. The data subject may contact LVRTC regarding issues related to the processing of personal data in the following way:
10.1.1. in writing in person at the legal address of LVRTC 14 Ērgļu Street, Riga, Latvia, LV-1012, presenting an identity document;
10.1.2. electronically by signing the application with secure electronic signature and sending it to the e-mail firstname.lastname@example.org;
10.1.3. electronically by sending the application to the official electronic address.
10.2. Upon receipt of a data subject’s request for exercising his or her rights, LVRTC verifies the identity of the data subject, evaluates the request and executes it in accordance with internal and external laws and regulations.
10.3. LVRTC has appointed a personal data protection specialist. Using the contact details above, it is possible to ask the personal data protection specialist questions about the processing of personal data.