Approved by the Rector of DU
16 January 2019 Order No. 4-4/5
Manager and contact details
Contact details of the Data Protection Specialist
2. DU personal data protection specialist is Andrei Radionov. Contact details for data protection: tel. +371 65421198, e-mail address: andrejs.radionovs [at] du.lv.
3. Using this contact information or by addressing the legal address of Daugavpils University, you can ask a question and receive advice on the processing of personal data.
4.1. European Parliaments and Councils 27 April 2016 Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the Regulation);
4.2. Latvian Personal Data Processing Law;
4.3. DU agenda regulations and other applicable laws and regulations.
5.1. DU visitors, including those subject to video surveillance
5.2. DU students and employees, including potential, former and current;
5.3. DU website visitors
5.4. Persons whose personal data is processed on social media in connection with DU promotional activities.
7.1. personal data – any information relating to an identified or identifiable person;
7.2. “processing” means any operation or set of operations on personal data or on sets of personal data carried out with or without automated means.
7.3. manager – is a natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be laid down in Union or Member State law;
7.4. processor – means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Purposes of personal data processing
8. Personal data at DU is processed in accordance with applicable laws and regulations.
9. Personal data is processed in accordance with external regulatory enactments, including for one of the following purposes:
9.1. identification of data subjects;
9.2. admission of the data subject to studies, work and registration of a personal file;
9.3. employment contract, study contract, computer network access resource subscription contract, etc. concluding commitment agreements with DU;
9.4. recording of working time ;
9.5. fulfillment of the provisions of the concluded agreements and related regulatory enactments;
9.6. provision of study, scientific and administrative management processes;
9.7. Certificate, confirmation, diploma and award preperation allocation and accounting;
9.8. provision of library and reading room services;
9.9. compliance with the requirements of the regulatory enactments regulating accounting
9.10. servicing and control of payments, including payment of salaries, recovery and recovery of study debts;
9.11. drawing up statements and other documentation in accordance with the requirements specified in regulatory enactments;
9.12. Organization of DU events;
9.13. informing data subjects about DU processes and events
9.14. granting and controlling access rights to DU information systems and premises
9.15. ensuring study and work safety provisions;
9.16. quality control of provided services;
9.17. organization of health insurance for employes;
9.18. security and property protection purposes (video surveillance, access control systems);
9.19.ensuring co-operation with co-operation partners, state and local government institutions, public organizations, including transfer / receipt of information necessary for ensuring co-operation;
9.20. provision of information in the cases and to the extent specified in regulatory enactments and law.
Legal basis for the processing of personal data
10. DU shall process the personal data of data subjects on the following legal bases:
10.1. with the consent of the data subject (Article 6 (1) (a) of the Regulation);
10.2. for the conclusion and execution of the contract – the conclusion and enforcement of the contract (Article 6(1)(b) of the Regulation);
10.3. for the fulfillment of regulatory enactments – in order to fulfill the obligations specified in the binding regulatory enactments of the DU (Article 6 (1) (c) of the Regulation);
10.4.to carry out tasks in the public interest (Article 6 (1) (e) of the Regulation).
Acquisition of personal data, storage duration and automated decision-making
11. Personal data is obtained from the data subject:
11.1. submitting documents for studies at DU;
11.2. as a result of a contractual obligation;
11.3. performance of contractual obligations;
11.4. providing them to DU himself;
11.5. when the data subject is in an event organized by DU or in the territory of DU, which is equipped with video surveillance;
12. The DU shall store and process the personal data of the data subjects as long as at least one of the following criteria is met:
12.1. as long as the contract concluded with the data subject is valid;
12.2. while the DU or the data subject may exercise his or her legitimate interests in accordance with the procedures specified in external regulatory enactments (for example, to submit objections or bring or bring an action in court) ;
12.3. as long as there is a legal obligation for either party to retain the data;
12.4. 30 days or more have not elapsed (in cases where an investigation is being carried out or a written request for information from law enforcement authorities has been received) since the beginning of the recording of the data subject recorded in the relevant video camera;
12.5. as long as the data subject’s consent to the relevant processing of personal data is valid, unless there is another lawful basis for the processing.
13. After the circumstances referred to in paragraph 12 have ceased to exist, the personal data of the data subjects shall be deleted.
14. Audit records may be kept for at least one year from the date on which they were made.
15. Automated decision making is not performed at DU.
Recipients of personal data
16. Personal data may be transferred to recipients, for example:
16.1. law enforcement authorities in accordance with the procedures specified in regulatory enactments;
16.2. staff members of the manager for the performance of their duties;
16.3. Daugavpils University information system holder and processor – University of Latvia (Reg. No. LV90000076669, Raina Boulevard 19, Riga, LV-1586).
16.4. fulfilling the requirements of a contract concluded with the data subject, transferring only the amount of data that is necessary for the performance of a specific task or the provision of specific services;
16.5. auditors or other processors of personal data;
16.6. provision of information to the Ministry of Education and Science, the Central Statistical Bureau, the State Revenue Service and other public administration institutions in the cases and to the extent specified in regulatory enactments and law;
16.7. The leading institutions of the European Union, as well as other institutions involved in the supervision of the EU for the fulfillment of the duties specified in regulatory enactments.
Protection of personal data
17. DU protects the data subjects’ data using the capabilities of modern technology and the organizational, financial and technical resources available to DU, including the following security measures:
17.1. modern IT security tools (antivirus software, firewalls);
17.2. video surveillance, security services ;
17.3. other protection measures in accordance with the current technical development possibilities.
Rights, obligations and implementation procedures of the data subject.
18.Data subjects have the right to receive the information specified in regulatory enactments in connection with the processing of his or her data.
19. Data subjects have the right, in accordance with regulatory enactments, to request the DU’s access to their personal data, as well as to request DU to supplement, correct or delete them, or to restrict the processing in relation to the data subject, or the right to object to the processing. This right shall be exercised in so far as the processing of the data does not result from the obligations imposed on it by the laws and regulations in force in the public interest.
20. The data subject can access his / her personal data using the DUIS personal data viewing system (https://luis.lu.lv/du/) or the E-study system (https://estudijas.du.lv/).
21. Data subjects have the right to withdraw their consent to the processing at any time,> in which case further processing based on their prior consent will not be carried out for that purpose, but the withdrawal of consent does not affect the processing carried out while the consent was valid.
22. The data subject has the right to request that the controller delete the personal data of the data subject without delay in accordance with Article 17 of the Regulation.
23. The data subject is obliged to provide the controller with correct personal data information, as well as, report and request the controller to correct or delete the data if the personal data has changed.24. Personu datu apstrādes pārkāpumu gadījumā, datu subjektam ir tiesības iesniegt sūdzību Datu valsts inspekcijai vai tiesībsargājošām struktūrām.
25.In order for the data subject to be able to exercise his or her rights, it is necessary to send an application addressed to the data controller electronically signed with a secure electronic signature or signed by hand in person. In order to be able to identify the identity of the applicant in person, the applicant will be asked to show a identity document (passport, ID card).
26. Upon the receival of a request from a data subject regarding the exercise of their rights, DU shall verify the identity of the data subject, evaluate the request and execute it within the time period specified in regulatory enactments.
27. DU will send a reply to the data subject by post to the given contact address by registered letter or by email taking into account, the method of reply indicated by the data subject.
28. if DU has reasonable grounds to reject the data subject’s request due to the circumstances specified in the regulatory enactments, DU will inform in writing about the refusal, justifying their decision.
29. The data subject may apply to the dean’s office of his / her faculty (if the data subject is a DU student) or to the head of his / her structural unit (if the data subject is an employee of DU) for more detailed information on the exercise of his / her rights.
Responsibilities of the controller when processing personal data
30. As part of the processing of personal data, the Controller shall ensure:
30.1. Information to the data subject in accordance with Articles 13 and 14 of the Regulation contained in this Policy;
30.2. The possibility for the data subject to correct the personal data provided by him or her if the personal data is inaccurate
30.3.the performance of technical and organizational measures to protect personal data against accidental, unauthorized or unlawful access, disclosure, corecttion or loss
30.4. to notify the data subject without undue delay of personal data breaches in order to prevent damage to the rights and freedoms of the person.
30.5. The processing of personal data shall be performed only by persons under the supervision of the controller who are entitled to perform it in accordance with the duties of their work;
30.6. If the purpose of processing the personal data changes, the controller shall, prior to further processing, inform the data subject of the change of purpose of the processing and provide him or her with the necessary additional information.
31. The controller has entered into a written or electronically signed agreement on the processing of the relevant data with the data controllers participating in the processing of personal data of the data subjects in accordance with the data processing purposes specified in this Policy.
Access to personal data by third party entities
32. In cases where the personal data of data subjects are accessed by processors or service providers located in third countries (ie countries outside the European Union and the European Economic Area), the DU shall ensure the procedures specified in regulatory enactments to ensure the level of processing and protection of personal data.
Website visits and cookie handling