Privacy Policy
1. Privacy Policy Objectives and Scope of Application
1.1. Privacy Policy (henceforth – Policy) describes the procedures of providing information to an identified natural person (henceforth – Data Subject) as well as the processing of the Data Subject’s personal data by ‘Satva’, Limited Liability Company (henceforth – Administrator), i.a., if Data Subject has decided to visit the website www.ihriga.lv maintained by Administrator or to contact Administrator by using the phone numbers or the electronic communication channels provided by Administrator or to participate in an event organized by Administrator including visits to the premises of Administrator in order to perform an on site evaluation of the professional development educational courses delivered by Administrator as well as to utilize the educational services provided by Administrator;
1.2. Policy comprises measures that are necessary to be undertaken in order to provide protection of Data Subject’s interests and freedoms while ensuring ethical, lawful and transparent data processing on behalf of Data Subject;
1.3. Policy is applicable to natural person data processing procedures irrespective of the format and/or the medium through which the natural person has provided their personal data (by entering of the territory and/or premises, by phone, verbally etc.) as well as irrespective of Administrator’s selection of information systems (data registers, data processing software) that are used to process the personal data;
1.4. On occasion of the actualization of Policy, all the alterations as well as the historical editions that have been introduced over the period of 2 months prior to the initiation of the actualization are published on Administrator’s website under the Privacy Policy section.
2. Administrator Information
Personal data processing is implemented by Administrator, i.e., the ‘International House Riga-Satva’ Language Education Centre (henceforth – Educational Establishment) which is an educational institution founded by ‘Satva’ Limited Liability Company, business ID: 50103110141; legal address: Alfrēda Kalniņa St. 1A-24, Riga, LV-1050, Latvia; phone number: 67226641; email: ihriga@ihriga.lv. Personal data manager contact information: das@ihriga.lv.
3. Applicable Law
3.1. European Parliament and European Council Regulation (EU) 2016/679 (27th April, 2016) (henceforth – Regulation) on natural person protection with respect to personal data processing as well as concerning free circulation of the aforementioned data. Regulation cancels the Directive 95/46/EC (Data Protection Directive);
3.2. Natural Person Data Protection Law;
3.3. Education Law;
3.4. General Education Law;
3.5. Other applicable legislative acts concerning natural person data processing and protection, i.a., regulatory enactments established to regulate information society services.
4. Personal Data Processing Objectives
4.1. Administrator processes personal data with the main objectives to develop professional development and interest educational programmes for teenagers and adults. Administrator, in collaboration with one or several partner organizations and upon prior agreement (stating the respective responsibilities of the involved parties), may process the personal data on a cooperative basis;
4.2. Administrator processes personal data with the following objectives:
4.2.1. In accordance with the legal agreement that has been concluded with Data Subject, Administrator processes personal data that are necessary for the purpose of conducting agreement with Data Subject, i.e., to identify the agreement partner, to mutually implement the terms of the agreement or the supplementary obligations of the agreement, to communicate with governmental authorities (i.a., e.g., the Ministry of Education and Science of the Republic of Latvia), to uphold the terms of the legal commitments as well as to resolve legal disputes and legal disagreements. In accordance with the aforestated objectives, the following data are prioritized and processed: name and last name of the student and student’s representative, personal ID, address, phone number, email address, information regarding the services listed within the binding agreement as well as the respective liabilities. Processing is executed in accordance with the Article 6, Paragraph 1, Subparagraph b) of Regulation;
4.2.2. Student data register maintenance and organization of the educational process. In accordance with the objective, the following data are prioritized and processed: name and last name of the student and student’s representative, personal ID, address, phone number, email address, former education notice. Processing is executed in accordance with the Article 6, Paragraph 1, Subparagraph f) of Regulation as well as in accordance with the requirements of the Education Law and the General Education Law;
4.2.3. Education process analysis in order to upgrade the educational programme offer and to improve the educational programme quality as well as in order to develop better service range for the students. In accordance with the objective, the following data are prioritized and processed: gender, age, language level assessment. Processing is executed in accordance with the Article 6, Paragraph 1, Subparagraph a) of Regulation;
4.2.4. Providing Student Satisfaction Survey data for the respective research company. In accordance with the objective, the following data are prioritized and processed: gender, age, educational programme and its duration, language level assessment results. Processing is executed in accordance with the Article 6, Paragraph 1, Subparagraph a) of Regulation;
4.2.5. Delivering of Administrator’s advertising and informational materials via postal services or via email (direct marketing). In accordance with the objective, the following data are prioritized and processed: name and last name of the student and student’s representative, personal ID, address, phone number, email address, notice of the relevant educational programmes. Processing is executed in accordance with the Article 6, Paragraph 1, Subparagraph a) of Regulation;
4.2.6. Publicity of events organized by Administrator with the objective to promote Educational Establishment. Upon participating in events organized by Administrator or its partners, the visitors of the event may be photographed, filmed as well as invited to provide short interviews or to present their impressions of the event. On such occasions, the name and the last name of the participant as well as additional information that has been explicitly disclosed by the participant may be registered. The respective materials may be used to build Administrator’s archive as well as to promote Administrator’s brand by publishing the video materials and photographs on Administrator’s social media or any mass information media. Additionally, especially on occasion the participant has received an official invitation to an event organized by Administrator, in order to ensure safety and security measures during the event, additional information may be requested to identify the participant by their name, last name etc. Processing is executed in accordance with the Article 6, Paragraph 1, Subparagraphs a) and f) of Regulation;
4.2.7. Prevention or detection of unlawful acts respective to the security of persons or property. Video surveillance is operated with the objective of the protection of the legal interest of Administrator or third parties as well as the protection of person interest of crucial importance, i.a., protection of life and health interests on Administrator’s premises and on the territories adjacent to the premises. Upon Data Subject’s entering/locating themselves on Administrator’s premises or on Administrator’s territory where video surveillance is operative, Data Subject’s image as well as the time of entering the premises may be processed. Video surveillance is not operated in areas of increased privacy concern to Data Subject such as but not limited to lounges, dressing rooms etc. Video surveillance camera recording scope is focused on hallways, entrances/exits, cars and traffic flow on Administrator’s territory. Video surveillance is operated in accordance with the Article 6, Paragraph 1, Subparagraphs d) and f) of Regulation;
4.2.8. Audio recording of phone conversations with the purpose to ensure and to improve the quality of the services provided by Administrator as well as to ensure Administrator’s legal interest. Upon conducting calls to the phone contact numbers provided by Administrator, the communication content may be recorded and the caller’s phone number may be registered unless the caller has taken measures to prevent detectability. Phone conversations are recorded (if they are recorded) in audio format in accordance with the Article 6, Paragraph 1, Subparagraph f) of Regulation. The phone communication is recorded with the additional purpose of performing investigations on occasion complaints have been received regarding customer service quality as well as to accumulate evidence against such potential claims;
4.2.9. Storing and registering the incoming and outgoing communication (email messages, postal letters etc.) with the purpose of ensuring Administrator’s legal interest. Upon entering into written communication with Administrator, the contents as well as the time of the communication exchange may be stored in addition to the information concerning the selected communication channel. Processing is executed in accordance with the Article 6, Paragraph 1, Subparagraphs c) and f) of Regulation. Processing is justified with the obligation by Administrator to deliver the services listed within the legal enactments, i.e. to register correspondence relevant to Administrator’s nomenclature and relevant to requirements stated within the Archives Law. Processing is also implemented with the purpose of providing evidence on occasion a complaint has been raised;
4.2.10. Analysis of the history of website visitation statistics may be processed with the purpose of performing marketing analysis and Data Subject opinion analysis as well as to use the statistics tool and other website features. Additionally, processing is implemented in order to personalize the content in accordance with the user’s preferences. Administrator performs visitation history analysis with the use of online identifiers as well as the information deliberately submitted by Data Subject (e.g., service evaluations, website browsing experience, traffic, information regarding the user’s willingness to attend an event organized by Administrator etc.) in order to perform marketing analysis and opinion analysis. Processing is executed in accordance with the Article 6, Paragraph 1, Subparagraph f) of Regulation. Processing is also implemented with the purpose of analyzing the brand recognition of Educational Establishment;
4.2.11. Protection of the information systems managed by Administrator against threat is ensured through registering user’s device identifier, TCP/IP address, data and time as well as file manipulations. Processing is executed in accordance with the Article 6, Paragraph 1, Subparagraph f) of Regulation. Processing is implemented with the purpose of investigating deliberate attacks against Administrator’s information systems;
4.3. Special category data (race or ethnic origin, political views, religious or philosophical convictions, trade union membership, health status or data related to sexual orientation) processing is forbidden with the exception of the conditions listed in the Article 9, Paragraph 2, Subparagraphs b) and h) of Regulation that authorize the processing of special category data with respect to:
4.3.1. Health status of Administrator’s employees (mandatory health examination card, sick-leave certificates);
4.3.2. Trade union membership of Administrator’s employees before terminating the contract of employment upon prior notice;
4.3.3. Environmental and educational accessibility provision for students with special needs;
4.4. In order to improve the quality of the educational services provided for Data Subject as well as the quality of the experience, Administrator has the right to process personal data additional to the data categories and conditions stated within these terms. Similarly, Administrator may need to process data for purposes other than those listed in these terms. On occasion a necessity to perform the processing activities has arisen in accordance with the terms stated in this subparagraph, Administrator evaluates the legal terms of the respective processing conditions as well as informs Data Subject on the respective processing incident and the respective rights in accordance with the legislative acts;
4.5. Upon processing personal data for purposes other than those stated within this Policy, Administrator is obliged to separately inform Data Subject on the specific conditions of the respective processing in accordance with the requirements stated in the Paragraph 13 of Regulation.
5. Personal Data Processing Term
5.1. Upon selecting data storage term criteria, Administrator is obliged to consider the following conditions:
5.1.1. Data storage term stipulated within the legislative acts of the Republic of Latvia and the European Union;
5.1.2. Term of storage of the specific personal data with the purpose of ensuring the protection and the effecting of the legal interest of Administrator or third parties;
5.1.3. Data may be stored until the person’s compliance with the personal data processing terms has been revoked on occasion other legal justifications of data processing are not in effect, e.g., in order to comply with Administrator’s binding obligations;
5.1.4. Administrator is obliged to protect Data Subject’s or other natural person’s interests of vital importance, i.a., life and health interests;
5.1.5. Video surveillance recordings are stored for 30 days unless the respective video recording demonstrates a potentially unlawful act or any other act that may serve the purpose of ensuring the legal interest of Administrator or third parties. On such occasion, the respective video surveillance recording may be retrieved and stored until the resolution of the legitimate concern;
5.2. Incoming and outgoing communication (email messages, postal letters etc.) are stored and registered for 5 years unless the respective communication demonstrates a potentially unlawful act or other act that may serve the purpose of ensuring the legal interest of Administrator or third parties;
5.3. Information regarding events organized by Administrator that has been publicized on mass information media and social networks may be stored indefinitely;
5.4. Website visitation history analysis is stored for 1 year in order to perform marketing analysis as well as Data Subject opinion analysis;
5.5. Recipient contact information used in order to deliver Administrator’s advertising and informative materials via postal services or via email (direct marketing) is stored indefinitely until Data Subject’s compliance with the personal data processing has been revoked;
5.6. Information relevant to the student educational process organization is stored for 10 years;
5.7. Information relevant to personal data requests is stored for 2 years;
5.8. Event registry is stored for 1 year in the personal data processing information systems;
5.5. After the end of the storage term Administrator evaluates the respective legal interest. On occasion justification to store the data after the expiration of the storage term has not been determined, the data is irreversibly removed.
6. Personal Data Importers
6.1. Administrator is obliged to provide information regarding the processed personal data:
6.1.1. To criminal justice agencies, court or any other governmental or municipal authorities on terms that the request to access the data has been compliant with the legislative acts and the respective authorities have the right to access the requested information (on terms the information has had to be requested specifically);
6.1.2. On occasion personal data must be provided to a third party within the terms of the contract in order to perform a function relevant to the binding agreement (e.g., to a photographer upon soliciting the photographer’s services) or if the quality of the services provided for the customers must be improved;
6.1.3. In response to an explicit and definite data access request by Data Subject;
6.1.4. In order to ensure protection of legal rights, for example, appealing to court or to any other governmental institution against a person who has violated Administrator’s legal interest;
6.2. Personal data recipients may be the designated representatives of Administrator, data processing Importers, criminal justice agencies and safety oversight entities;
6.3. Administrator may use subcontractor services with the purpose of selling Administrator’s services. Thereby, in order to perform data processing in accordance with the terms stated within Policy and within rates compliant to these terms, it may be necessary or it may be useful to provide personal data access to Administrator’s suppliers or subcontractors;
6.4. Administrator provides access to natural person personal data in rates that are considered necessary and sufficient in accordance with the requirements stated in the legislative acts as well as in accordance with the justified objective circumstance of the respective conditions;
6.5. It is prohibited to send the personal data listed within Policy to a third country (a country that is not a member state of the European Union or the European Economic Area) with the exception of data that have been processed in the electronic environment. On such occasion, Importers selected by Administrator (Google.com (Google Analytics), Facebook.com, Twitter.com, Snapchat etc.) have been legally recognized as companies operating outside of the European Union and the European Economic Area member states, therefore, Administrator requests Data Subject to read the Privacy Policy statements of the respective companies or to file a specific request with Administrator in order to provide additional information regarding the terms of collaboration.
7. Information Provided to Data Subject Regarding Personal Data Processing
7.1. Data Subject is informed on the personal data processing terms stated within Policy via a multilevel framework that is comprised of the following methods:
7.2. Notices are placed in video surveillance areas that serve to inform Data Subject (pedestrians, car drivers, visitors, employees etc.) on the implementation of video surveillance on Administrator’s territory as well as to provide essential information regarding the video surveillance procedures and the opportunities to receive further details;
7.3. Upon conducting calls to the contact phone numbers provided by Administrator, Data Subject is formally informed on the recording of the conversation in audio format (if the conversation is recorded);
7.4. Upon publicizing information regarding events organized by Administrator, Administrator provides essential information during the event or prior to the event by publicizing the information on website or by displaying an informative notice near the premises where the event is to be held;
7.5. Upon visiting the website, Data Subject can read the notice on the use of cookies. Data Subject is also encouraged to read the terms of Policy;
7.6. Upon entering data in application forms or polls, Data Subject is provided concise information regarding the objectives of personal data processing;
7.7. Administrator’s Policy is publicly accessible on the internet, specifically, on Administrator’s website www.ihriga.lv as well as the customer service sites operated by Administrator.
8. Data Subject Rights
8.1. Data Subject has the right to request access to their personal data which must be, correspondingly, provided by Administrator as well as to receive particularizing information on what personal data, specifically, is stored and used by Administrator, for what purpose the data is processed by Administrator as well as on personal data Importer categories (persons that the personal data have been disclosed to or that would receive access to the personal data in the future (on occasion Administrator has the legal right to specify the aforementioned information in accordance with the legislative acts; for example, Administrator does not hold the right to disclose information to Data Subject regarding the respective governmental institutions that are involved in criminal process procedures or that are subjects of operative actions as well as any other institutions protected by legislative acts against the disclosing of the aforementioned information)). Data Subject may also request information regarding the personal data storage term or the criteria applied in determining the personal data storage term;
8.2. On occasion Data Subject considers the information stored and used by Administrator to be outdated, imprecise or incorrect, Data Subject has the right to request corrections of their personal data;
8.3. Data Subject has the right to demand the removal (deletion) of their personal data or to object against the processing of their data if Data Subject deems the personal data processing to have been performed in an unlawful manner or if the data is no longer relevant to the original purpose of data collection and/or processing (through evoking the legal principle of ‘the right to be forgotten’).
9. Personal Data Protection Technical and Administrative Measures
9.1. Administrator resolves to provide, to regularly revise and to update the personal data protection measures in order to protect natural person personal data against unauthorized access, accidental data loss, data disclosure or data destruction. In order to ensure the protective measures, Administrator observes the respective technical and administrative requirements, i.a., the use of firewalls, penetration detection, analytic software and data coding;
9.2. Administrator carefully inspects the legitimacy of the service providers that, on behalf of Administrator and upon Administrator’s request, are involved in natural person personal data processing. Administrator also evaluates the security measures applied by Administrator’s partners (personal data processors) in order to ensure the compliance of the natural person personal data processing with Administrator’s delegated conditions and the terms of legislative acts;
9.3. On occasion of personal data security incident, if the incident entitles high enough risk to Data Subject rights and freedoms, if possible, Administrator resolves to notify Data Subject on the incident or publicizes the respective information on Administrator’s website or via any other relevant media, e.g., through the use of mass media (TV, radio, newspaper, social networks etc.). On such occasions, the Data State Inspectorate is also informed by Administrator.
