APPROVED
by the decision No.JALP-1.3./34-2021
of the Executive Board of the
Joint Stock Company LatRailNet
in a meeting held on 23 August 2021
min. No JALP-1.2./34-2021

REGULATIONS

Riga

23 August 2021                                                                                    No.JALP-7.3/03-2021

JSC "LatRailNet" privacy policy for natural persons

Issued on the basis of JSC "LatRailNet"
Regulations of May 9, 2018 No. JALP-7.3./02-2018
"JSC" LatRailNet "Personal data protection policy"
Paragraph 3

I. General Terms

  1. The purpose of the JSC "LatRailNet" (hereinafter - LRN) Regulations "JSC" LatRailNet "Privacy Policy for natural persons" (hereinafter - Privacy Policy) is to provide a natural person, such as a personnel selection applicant, customer, contractor, authorized representative, contact person, applicant, the participant of the procurement procedure, the user of the website and other persons not listed in this Privacy Policy (hereinafter - the Data Subject), with information on the purpose of personal data processing, legal basis of processing, processing volume, processing deadlines, protection measures taken by LRN, as well as Data Subject's rights concerning the processing of their personal data.
  2. The Privacy Policy applies to any Data Subject whose personal data is processed by LRN, regardless of the form and / or environment in which the Data Subject provides personal data - in person orally, on paper, by telephone, by email, on a website or otherwise. LRN, when processing the personal data of the Data Subject, may be both a controller of personal data and a processor or co-controller.
  3. The terms used in the Privacy Policy - personal data, personal data processing, Data Subject, controller, co-controller, data processor and other terms are used in relation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons on the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (hereinafter "the Regulation").

II. Processing of personal data

  1. The processing of personal data in LRN takes place on the basis of the following legal acts in order to:

4.1. conclude a contract and perform one which the Data Subject is a party of, or take action at the request of the Data Subject before concluding the contract (Article 6, Paragraph 1 (b) of the Regulation), for example, telephone or e-mail information is used only to communicate with the Data Subject;

4.2. fulfill a legal obligation applicable to LRN - in compliance with the requirements of external legal acts, for example, organizing LRN services, accounting, record keeping (Article 6, Paragraph 1 (c) of the Regulation);

4.3. implement or defend the legitimate (lawful) interests of LRN or third parties (Article 6, Paragraph 1 (f) of the Regulation). The legitimate interests of LRN are, for example: to identify and verify legal capacity of the Data Subject before concluding the contract or during the provision of services to the Data Subject - by telephone, electronically, in person;

4.4. send reports or otherwise communicate on the progress of fulfillment of the contract and events relevant to the fulfillment of the contract;

4.5.review the Data Subject's submission, application, complaint;

4.6. administer payment and debt;

4.7.maintain the necessary information and technical system;

4.8. ensure the efficiency of service provision;

4.9.ensure and improve the quality of services;

4.10. provide training for trainees;

4.11. protect the vital interests of the Data Subject or another natural person;

4.12.  prevent corruption and crime;

4.13.inform the public about the operation of LRN;

4.14. promote the railway sector at various public events;

4.15. analyze the operation of LRN websites and Internet sites, develop and implement their improvement;

4.16.  in specific cases in accordance with the consent of the Data Subject;

4.17. to identify and verify legal capacity of the Data Subject before concluding the contract or during the provision of services to the Data Subject - by telephone, electronically, in person;

  1. Personal data is processed for the following purposes:

5.1.  to meet the requirements of external legal acts;

5.2. to ensure the operation of LRN;

5.3. LRN to ensure the provision and quality of services;

5.4. to conclude and fulfill contracts;

5.5. to ensure the operation of the necessary information and technical systems;

5.6.to ensure the quality of services;

5.7. to identify and communicate with the Data Subject;

5.8. to administer invoices and other financial documents;

5.9. for record keeping;

5.10. to review Data Subject's applications / complaints and other documents;

5.11. to prevent and investigate criminal offenses and violations;

5.12.to prevent fraud;

5.13.  to collect debt;

5.14.to provide information to public administration institutions in the cases specified in external legal acts;

5.15. to administer invoices and other financial documents.

  1. For issues related to personal data processing and reporting of possible personal data protection violations, please contact the legal address of LRN or use e-mail: latrailnet@ldz.lv, observing the provisions of Paragraph 16 of the Privacy Policy, or for issues related to personal data processing and reporting on possible personal data protection violations: e-mail: datuaizsardziba@ldz.lv.
  2. When processing data of the Data Subject, LRN uses the possibilities of modern technologies, taking into account the existing privacy risks and the organizational, financial and technical resources available to LRN, using at least the following security measures:

7.1. developed:

7.1.1. internal legal acts regarding the protection of personal data;

7.1.2. confidentiality rules for LRN employees;

7.2. controlled access to LRN premises, restricted access to existing information systems for ensuring LRN operation, such as secure passwords, intrusion protection and detection programs, data encryption mechanisms, etc .;

7.3. employee training on personal data processing protection issues;

III. Personal Data

  1. LRN mainly processes the following categories and types of personal data:

8.1.identification data of the Data Subject - name, surname, personal identification code, date of birth, passport No./ID number, signature;

8.2. contact information of the Data Subject - address, telephone number, e-mail address;

8.3. data of the contact person indicated by the cooperation partner - name, surname, telephone number, e-mail address;

8.4. contract data - contract number, date of signing, contractors, contract contact details, signature;

8.5. service (goods) purchase data - service name, purchase date, bill of lading number, type of service reception, price, payment method, receipt information, service execution address, etc .;

8.6. service data - service name, date, invoice number, type of service reception, price, payment type, etc.;

8.7. communication data - for example, date of communication, content, status of execution;

8.8. settlement data - current account number, bank account number, invoice number, date, amount, type of invoice reception, payment date, debt amount, debt collection information;

8.9. photos, pictures, videos - from the events of SJSC "Latvijas dzelzceļš" and SJSC "Latvijas dzelzceļš" Group companies;

8.10.professional data - for example, information about education, work experience, professional activity;

8.11.actions performed on the website - visitor's IP address, date, time, duration of the visit, downloaded data, viewed sections, actions performed on the webpage;

8.12. professional (employment) data, such as information on education, work experience, current employment, positions, professional activity.

  1. LRN does not make automated decisions regarding the Data Subject.
  2. LRN does not disclose the personal data of the Data Subject to third parties, except for:

10.1. to the persons specified in the cases provided for in external legal acts, within the limits of the specified procedure and to the specified extent;

10.2. by transferring personal data to the cooperation partner, if the relevant cooperation partner has to transfer the data within the framework of the concluded contract in order to fulfil a specific contract;

10.3. with the clear and unambiguous consent of the Data Subject;

10.4. in cases specified in external legal acts, for the protection of the legitimate (lawful) interests of LRN.

  1. LRN does not transfer personal data to countries outside the European Union and the European Economic Area, unless an agreement is concluded with the Data Subject for each specific case.

IV. Storage of personal data

  1. LRN does not store personal data for longer than is necessary for the purpose of data processing, as well as does not store it longer than the storage period specified in external legal acts. LRN stores and processes the personal data of Data Subjects as long as at least one of the following conditions exists:

12.1. as long as there is an obligation under external legal acts to store data, for example in compliance with the legislation governing the circulation of accounting, archives and other documents;

12.2. as long as the agreement concluded with the Data Subject is in force;

12.3. while LRN pursues its legitimate interests (for example, consideration of claims, protection of rights, settlement of issues, bringing a claim to court or observance of the statute of limitations, etc.).

  1. The personal data of the Data Subject is destroyed or deleted after the termination of the conditions referred to in Paragraph 12.
  1. LRN does not store personal data for longer than is necessary for the purpose of the processing or for longer than required by external legal acts. The duration of personal data storage is determined by various criteria, such as the requirements of external legal acts, technical possibilities for data storage, etc. LRN stores and processes the personal data of Data Subjects as long as at least one of the following conditions exists:

14.1. as long as there is an obligation to store data specified in external legal acts, for example, in performing the obligations specified in the accounting and Archives Law;

14.2.as long as the agreement concluded with the Data Subject is in force;

14.3. while LRN pursues its legitimate interests (for example, consideration of claims, protection of rights, settlement of issues, bringing a claim to court or observance of the limitation period, etc.).

  1. After the conditions referred to in Paragraph 14 cease, the personal data of the Data Subject are deleted, unless other legal acts state another term of storage.

V. Rights of the Data Subject

  1. The Data Subject has the right to receive the information specified in legal acts in connection with the processing of his / her data, to request their completion, correction, as well as deletion or restriction of processing in relation to the Data Subject or the right to object to the processing. When exercising their rights, the Data Subject must request to do so within a reasonable time, as well as in compliance with the working hours of LRN.
  2. The Data Subject may submit a request for the exercise of his or her rights:

16.1. in writing in person at LRN, presenting an identity document;

16.2. in electronic form (signed with a secure electronic signature) by sending it to the email address latrailnet@ldz.lv or datuaizsardziba@ldz.lv .;

16.3. by sending a written letter to LRN.

  1. Upon receipt of the Data Subject's request, LRN verifies the Data Subject's identity, evaluates the request and executes it in accordance with legal acts. Depending on each specific situation, LRN may ask the Data Subject to prove his / her identity with an identity document or otherwise.
  2. LRN provides a response to the Data Subject, taking into account the type of response indicated by the Data Subject.
  3. If the response to the Data Subject's request is sent by post, it is sent by registered mail; if the response is provided electronically, it is signed with a secure electronic signature.
  4. LRN ensures compliance with data processing and protection requirements in accordance with legal acts and in case of objections of the Data Subject takes the necessary actions to resolve it. If this fails, the Data Subject has the right to apply to the supervisory authority.
  5. The data subject has the right to receive free of charge information about his / her personal data processed by LRN.
  6. The receipt and / or use of information may be restricted in order to prevent adverse effects on the rights and freedoms of others (including LRN employees) or in cases where the provision of data is prohibited by external legal acts.
  7. If requests for information are manifestly unfounded or excessive, in particular due to their recurrence, LRN may charge a reasonable fee, taking into account the administrative costs of providing the information or performing the requested action, or refuse to comply with the request.

VI. Information to data subjects about the processing of personal data by LRN during personnel selection

  1. LRN processes personal data for the following purposes:

24.1. selection of board members / employees for the specific vacancy;

24.2. selection of employees for future vacancies;

24.3. to ensure the transparency of the personnel selection process and to be able to prove it to the auditors, ensuring clear facts for the validity and legality of the decisions taken in the selection process;

24.4. to provide evidence in case of possible complaints and in case of disputes to reflect the legal course of the relevant selection process.

  1. The following personal data are processed in the personnel selection process:

25.1. identification data - name, surname;

25.2. contact information - e-mail address, telephone number, declared or residential address;

25.3. information on previous work experience;

25.4. information regarding the applicant's knowledge and skills (additional requirements may be set for certain categories of applicants, for example, the existence of a driving license, documents certifying proficiency in the state language, etc.);

25.5. education and training data;

25.6. other information contained in the application documents (application letter, CV, certificates, etc.).

  1. Each specific recruitment competition specifies the amount of data that must be submitted in order for the applicant to participate in the personnel selection process.
  2. LRN reserves the right to delete received personal data that is not necessary for the evaluation of application vacancies.
  3. Legal basis for personal data processing and duration of data storage when performing personnel selection:

28.1. Article 6, Paragraph 1 (a) - consent of the applicant, Article 6, Paragraph 1 (f) - legitimate interest of LRN;

28.2. consent when applying for a specific position or positions:

  • when applying for a specific position or positions, LRN receives and uses the applicant's personal data on the basis of the applicant's consent (consent is provided by the applicant's active activity - submission of application documents to LRN) only in competitions for the position or positions selected by the applicant and stores it for one year;

28.2.2. the consent referred to in this paragraph may be revoked at any time by the applicant upon request. In this case, all personal data submitted by the applicant on the basis of the specific consent are deleted;

28.2.3. In the case of this Paragraph, personal data is stored for one year to enable the Group to defend its legitimate interests and provide evidence in case of possible complaints and disputes to reflect the legal process of the selection process and to provide full documentation for the audit to demonstrate the transparency of the selection process and the validity and legitimacy of the decisions taken. The retention period of the submitted data is reviewed once a year.

  1. Consent also for other job competitions in the future and for storing the applicant's data in LRN applicants database:

29.1.if the candidate is not selected for the position in LRN for which he / she has previously applied, but wants his / her application and the data submitted by the him / her to be stored and used in other competitions by LRN, the candidate has the opportunity to indicate in the application that he / she wants to give his / her consent. In this case, LRN may store and use the applicant's personal data for 1 (one) year from the moment of announcing the vacancy. The legal basis for the storage and use of such personal data is the applicant's consent and the possibility to participate in future LRN job competitions without announcing job competitions publicly;

29.2. the applicant has the right not to give the consent referred to in this paragraph and, if it has been given, it may be revoked at any time thereafter upon request. In this case, all personal data submitted by the applicant on the basis of the specific consent are deleted;

  • in the case of this Paragraph, personal data are stored until the revocation of the given consent or for 1 year from the moment of announcing the vacancy, if there has been no revocation, so that LRN can use personal data in other competitions or vacancies.
  1. The Applicant has the right to submit the personal data of other persons to LRN only in exceptional cases, for example, by submitting the personal data of the person who provides or could provide feedback on the applicant's previous work experience. In such cases, the applicant, as controller, is responsible for complying with the legal basis for the submission of these personal data and other applicable requirements. LRN always reserves the right not to accept personal data that has not been requested.

VII. Website visits and cookie handling

  1. The LRN website may use cookies. Cookies are files that websites (hereinafter - the Website) place on users' computers in order to identify the user and make it easier for the user to use the Website.

32.Internet browsers can be configured to alert the visitor to the use of cookies and to allow them to choose whether the visitor agrees to accept them. Not accepting cookies will not prevent a visitor from using the Website, but it may restrict the visitor's ability to use the Website, such as limiting the performance of the Website. More information about cookies can be found on the LRN website.

VIII. Final provisions

  1. The Privacy Policy may be amended by making it available to the Data Subject by posting the relevant information on LRN website.

34.LRN retains the previous versions of the Privacy Policy and they are available on LRN website.

  1. In its activities, LRN applies the provisions of the "Privacy Policy of natural persons of the Companies of the Latvijas dzelzceļš Group" insofar as they are applicable to LRN. ".
  2. The Regulations of JSC "LatRailNet" of 7 August, 2019 No. JALP-7.3./05-2019 "JSC" LatRailNet "Privacy Policy for natural persons" are declared invalid as of 23 August 2021.
  3. LRN retains the previous versions of the Privacy Policy and they are available on LRN website.

The document contains a timestamp and is signed with a secure electronic signature by:
Director of Legal and Administrative Affairs J.Šulcs - see certificate