Personal data processing security rules
On the organisation of the “Test Automation Hackathon” in Riga

I. General issues.

1. The Rules determine the procedure by which the Investment and Development Agency of Latvia (hereinafter – LIAA) provides the data processing, security and protection of moderators, experts, mentors and Participants (hereinafter collectively referred to as Participants) of the Test Automation Hackathon Event (8 October 2019) (hereinafter – the Event) in Riga. In order for LIAA to be able to ensure the course of the Event the LIAA has attracted the Association “Latvian IT Cluster” (reg. No. 40008121251), which on behalf of the LIAA carries out processing of personal data in accordance with these Rules (until the end of the Event).

2. Terms used in the Rules:
2.1. Processing – any operation or set of operations performed with personal data or sets of personal data, which is carried out with or without automated means, such as collecting, registering, organizing, structuring, storing, adapting or modifying, recovering, viewing, using, disclosing, transmitting, distributing or otherwise making them available, matching or combining, limiting, erasing or destroying;
2.2. Processor – Association “Latvian IT Cluster”, which on behalf of the LIAA carries out processing of personal data in accordance with these Rules;
2.3. Controller – the Investment and Development Agency of Latvia;
2.4. Personal data – Participant’s name, surname, e-mail address (place of work), photo and video recording material from which a Person is identifiable;
2.5. A third party – a natural or legal person, public entity, agency or entity other than the data subject.

3. The purpose of these rules is to provide the Participant with complete information about the purposes and legal basis for the processing of its personal data.

II. Purpose of personal data processing.

4. Personal data are collected and further processed in order to ensure the fulfilment of the task referred to in Paragraph 4.5 of the Cabinet Regulations No 857 “Regulations of the Investment and Development Agency of Latvia” (11 December, 2012) assigned to the LIAA, as well as to ensure participation of the Participant in the Event.
5. Objectives of personal data processing:
5.1. To ensure participation in the event (name, surname, e-mail address);
5.2. To ensure provision of organizational and operational information exchange of the event (name, surname, e-mail);
5.3. To ensure the publicity, promotion of the Event and public information (photo recording and filming during the Event).

III. Personal data registration at the Event.

6. The first collection of participants’ personal data is carried out by the processor by sending an invitation to participate in the Event, accompanied by these Rules and a statement of consent for the processing of data.
7. Upon receipt of the invitation from the processor, the Participant will familiarize itself with these Rules and if it agrees to them, upon entering the Event, signs an acknowledgement of consent for the processing of data.

IV. Terms of collection, storage and deletion of personal data.
8. Personal data collection is carried out until 8 October 2019.
9. Personal data is stored, processed only in the amount and in the time limit necessary for the fulfilment of the objectives specified in these Rules:
9.1. Name and surname – until 31 December 2033.
9.2. E-mail – until the end of the Event;
9.3. Video – permanently (creating a Controller’s event archive);
9.4. Photo recording materials (photos) – permanently (creating a Controller’s event archive).
10. The Controller transfers the Participant’s personal data (name, surname) to the Central Finance and Contracting Agency for supervisory functions.

V. Participant’s acknowledgement for the processing of personal data.
11. The Participant, acknowledging that has read the rules for the processing of personal data, confirms that has consented to the processing of its personal data in compliance with the amount, purpose and time limit specified in these Rules.
12. Without the transfer of the Participant’s personal data, the Controller cannot ensure the legitimate interests of the Controller and the Participant’s participation in the Event.
13. If the Participant withdraws its consent to the processing of personal data, the Controller and Processor will delete all personal data submitted, except in those cases where it is not possible to erase personal data for technical reasons or cause disproportionate effort (for example, in the case of already printed materials).

VI. Audio and audio-visual recording.
14. The Participant, acknowledging that has read the rules for the processing of personal data, confirms that the Participant has been informed that during the Event it can be photographed and filmed.
15. The Controller is entitled to use the materials produced as a result of a photo recording, in whole or in part, for any information about the course of the Event. The Participant is informed that the Controller will use this right freely in its discretion, including the right to transfer them to third parties. The Participant has the right to request information from the Controller about third parties who have been given the right to use video and photo-recording material.
16. The Participant may oppose the actions specified in this section and request to discontinue them only if the person in question is directly identifiable in the particular video or photograph and it is technically possible for the Controller to delete and/or use the particular photograph.

VII. Participant’s rights.
17. Participant’s rights:
17.1. At any time request the Controller information about the person specified in Article 13 of the General Data Protection Regulation;
17.2. To access the relevant data and receive the information specified in Article 15 of the General Data Protection Regulation by contacting the LIAA;
17.3. To request the Controller to correct, delete or limit personal data processing or to oppose such processing in accordance with Articles 17 and 21 of the General Data Protection Regulation.

VIII. LIAA duties in the processing of personal data.
18. Within the framework of personal data processing the LIAA ensures:
18.1. Information to the Participant in accordance with Article 13 of the General Data Protection Regulation;
18.2. The implementation of technical and organizational measures for the security and protection of personal data;
18.3. Upon receipt of an appropriate request from the Participant, correct or delete the personal data provided by it.
19. The Controller undertakes to inform the Participant without delay about personal data security breach in case the personal data breach could create a high risk for the rights and freedoms of natural persons.

IX. Communication and procedures for the exercise of the rights of the Participant.
20. The Participant may exercise its rights, including the right to object or to ask questions to the Controller in writing with the Controller’s representative Dace Dumbere-Bregže (e-mail: dace.dumbere@liaa.gov.lv, phone: 67039454);
21. If the personal data provided by the person changes, the person is entitled to request to correct (adjust) his/her personal data by contacting the Controller’s representative Dace Dumbere-Bregže (e-mail: dace.dumbere@liaa.gov.lv, phone: 67039454).

X. Processor who processes personal data on behalf of the LIAA.
22. The Processor carries out the processing of the Participant’s personal data in accordance with the processing objective specified in these Rules and:
22.1. Will not collect, use, or disclose the Participant’s personal data unless it is provided for by regulatory enactments or is not necessary for the protection of the rights, interests provided for in regulatory enactments;
22.2. Through data processing, will implement appropriate technical and organizational measures to ensure data protection;
22.3. Will ensure that persons authorized to process data are committed to respecting confidentiality;
22.4. Will ensure the unavailability of data to third parties and will promptly inform the Controller of cases when unauthorized persons or third parties have access to personal data.
22.5. Will ensure that any natural person acting under the direction of the Processor and who has access to personal data does not process it without instructions of the controller.
23. In the course of the administrative organization of the Event the Processor may, if necessary, engage other processors (identification card makers, photographers, etc.) by concluding contracts with them that will include a condition for compliance with these rules.
24. If the processor involves other processors for processing of the personal data in the administrative organization of the event, the processor may transfer the following personal data to them: name, surname. The processor gives the Controller access to personal data transferred to another processor.
25. If another processor is attracted, then the Processor ensures that this other processor will be required to comply with these rules.