Security provisions for the processing of personal data in the survey for ‘Home Cafe Days’

I. General issues

1. These security provisions for the processing of personal data (hereinafter – Provisions) establish the procedure for the processing, security and protection of the survey data of visitors to the ‘Home Cafe Days’, which will take place from 14 July to 17 September 2023 throughout Latvia (hereinafter – Event), by the Investment and Development Agency of Latvia (hereinafter – LIAA).
2. LIAA’s personal data processing, which is not regulated in the Provisions, is regulated by LIAA’s Privacy Policy (available here: https://www.liaa.gov.lv/en/privacy-policy).
3. The terms used in the Provisions:
4. Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
5. Personal data – Participant’s name, surname, telephone number, e-mail address, other information provided in the visitor survey by which a person can be identified;
6. Participant – a person who has registered for entry by filling in the visitor survey;
7. Visitor – a natural person who attends the Event;
8. Third party – a natural or legal person, public person, agency, or body that is not a data subject.
9. The purpose of these Provisions is to provide the Participant with complete information on the purposes and legal basis of the processing of their personal data.

II. Purpose of processing personal data

1. The purpose of processing personal data is to:
2. ensure participation in the competition/draw and to ensure communication with the winners (name, surname, e-mail address, telephone number).

III. Personal data for registration at the Event

1. For the Event, the Participant registers on the visitor survey website (https://forms.office.com/Pages/ResponsePage.aspx?id=H_hwcWAX9USfLLt2HneR_EUGvYG9RqRGm7EWcDtyvYFUQ1JWRlhZUUJQVURHUzMzTDRON1dDMDA3Ry4u) provided by LIAA (hereinafter – Website), where the Participant enters his/her personal data confirming that he/she has read the Provisions. It is prohibited for the Participant to enter personal data of other persons, unless expressly provided for in these provisions;
2. When registering for the survey, the Participant provides the following personal data: [name, surname, e-mail address, telephone number];
3.  Minors under the age of 14 (inclusive) must be registered on the Website and their personal data must be provided by their legal representative (parent or guardian).

IV. Time limits for the collection, storage, and deletion of personal data

1. The collection and further processing of personal data within the Website is carried out from the moment of registration of the Participants until the end of the event and the end of the draw.
2.  Personal data shall only be stored and processed to the extent and for the time limit necessary for the fulfilment of the purposes specified in these Provisions:
3. the personal data indicated in Paragraph 7 of these Provisions – until 31 December 2027;
4. Upon individual request LIAA may transfer the Participant’s personal data (name, surname) to the Central Finance and Contracting Agency for supervisory purposes.

V. Consent of the Participant for the processing of personal data

1. The Participant submitting the personal data confirms that they have read the security Provisions, and also agreed to the processing of their personal data, observing the scope, purpose, and time limit specified in the Provisions;
2. If the Participant withdraws their consent to the processing of personal data, then all submitted personal data of the Participant shall be deleted, except for in cases where it is not possible to delete personal data for technical reasons or it requires a disproportionate effort.

VII. Rights of the Participant

1. Rights of the Participant:
2. to request information from LIAA at any time regarding the Participant, as defined in Article 10 of the Regulation;
3. to access the relevant data and receive the information specified in Article 15 of the Regulation by contacting LIAA;
4. to request LIAA to rectify, erase, or restrict the processing of personal data of the Participant, or the right to object to such processing in accordance with Article 12 of the Regulation.

IX. Duties of LIAA when processing personal data

1. Within the framework of personal data processing, LIAA provides:
2. information to the Participant in accordance with Article 13 of the Regulation;
3. carrying out of technical and organisational measures for the security and protection of personal data;
4. upon the receipt of an appropriate request from the Participant, rectification or deletion of the personal data provided by the Participant.
5. LIAA undertakes to notify the Participant without delay of a personal data breach, in the case if a personal data breach could pose a high risk to the rights and freedoms of a natural person.
6. LIAA reserves the right to correct these Provisions at any time.

X. Communication and procedures for exercising the Participant’s rights

1. The Participant can exercise his/her rights, including the right to object or ask LIAA questions, by writing to LIAA, Pērses iela 2, Riga, LV-1442 or e-mail: liaa@liaa.gov.lv.
2. If the personal data information provided by the Participant changes, the Participant has the right to request his/her personal data to be altered (corrected) by contacting LIAA.

XI. The processor that processes personal data on behalf of LIAA

1. In the course of the administrative organisation of the Event, LIAA may involve other processors if necessary (System maintainers, etc.) by concluding agreements with them, which will include a condition on compliance with these Provisions.
2. LIAA shall process the personal data of the Participant in accordance with the purpose of the processing specified in these Provisions, and:
3. will not collect, use, and disclose personal data of the Participant, unless the regulatory enactments provide for this, or it is necessary for the protection of the rights and interests provided for in the regulatory enactments;
4. when performing data processing, will implement the corresponding technical and organisational measures, in order to provide data protection;
5. will ensure that the persons who are authorised to process data have undertaken to comply with the confidentiality requirements;
6. will ensure the inaccessibility of data to third persons and will immediately provide information about cases where unauthorised or third parties had access to personal data;
7. will ensure that any natural person acting under the authority of LIAA and having access to personal data will not process the data without instructions from LIAA.
8. If LIAA engages other processors who process personal data in the administrative organisation of the event, LIAA may transfer the personal data entered on the Website to them.
9. In the course of the administrative organisation of the Event, the Processor may, if necessary, involve other Processors (design of application registration forms, manufacturers of identification cards, photographers, etc.) by concluding agreements with them, which will include a provision on compliance with these Provisions.
10. If another processor is involved, LIAA will ensure that this other processor is required to comply with these Provisions.

XI. Processing security requirements

1. Taking into account the state of the art, the cost of implementation, and the nature, scale, context, and purposes of the processing, as well as risks to the Participant’s rights and freedoms of different probability and severity, the controller and processor shall take appropriate technical and organisational measures to ensure an appropriate level of security.
2. The controller and the processor shall implement the mandatory technical protection of personal data by physical and logical means of protection, ensuring:
3. protection against a threat to personal data by physical action;
4. protection implemented by means of software, passwords, encoding, encryption, and other logical means of protection.
5. When processing personal data, the controller and the processor shall ensure:
6. access of authorised persons to the technical resources that are used for personal data processing and protection (including to personal data);
7. that media containing personal data are processed by persons authorised for such;
8. that the resources used in the processing of personal data are transferred by duly authorised persons.