PROVIDUS PRIVACY POLICY

 Objective of the PRIVACY POLICY

1. The Providus Privacy Policy seeks to provide information to natural persons / data subjects about the objective and scope of processing of personal data as well as the protection of such data and the duration of their processing.
2. Personal data is any information about an identified or an identifiable natural person. Definitions, explanations and information about types of data are included in the Data Categories annex.
3. Personal data processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Scope of Applicability

4. The Privacy Policy ensures privacy and the protection of personal data of:
   • Natural persons  that receive or transfer any information to Providus (including about contact persons, payers, etc);
   • Visitors of Providus offices and other premises;
   • Visitors of websites maintained by Providus;
   • Persons subscribing to Providus newsletters;
   • Persons attending meetings organized by Providus (in person and in absentia meetings, such as conference calls, online meetings, video conferencing and / or webinars) (hereinafter referred to as meetings);

Hereinafter all of the above are referred to as Data Subjects.

5. Providus shall protect Data Subjects’ privacy and personal data and shall respect Data Subjects’ right to legitimate processing of their personal data pursuant to the applicable law – the Personal Data Processing Law and Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, hereinafter – GDPR, as well as other applicable privacy and data processing rules and regulations.
6. The Privacy Policy shall apply to the processing of data irrespective of how and/or in which environment the Data Subject has provided his/her personal data (on the Providus webpage providus.lv, by e-mail, on paper or by phone) or in which systems they are processed.
7. Specific types, environments and purposes of data processing (for example, processing of cookies, etc.) may be subject to additional requirements that will be disclosed to the Data Subject when he/she provides the respective data to Providus.
8. Providus shall have the right to amend the Privacy Policy by placing the most recent version thereof on the Providus website. Providus shall keep previous versions of the Privacy Policy, which will also be available on its website.

DATA CONTROLLER

9. The personal data controller is Association ”Centre for public policy PROVIDUS” (hereinafter Providus), registration no. 40003613479, registered at Alberta street 13, Riga, LV-1010, previously and hereinafter referred to as Providus, acts as.
10. Any queries about the processing of personal data should be sent to info@providus.lv. Questions about the processing of personal data can be asked by sending an e-mail to this address or in person at Providus. Requests with regard to the enforcement of one’s rights can be lodged under Paragraph 24 of this document.

Legal Grounds for Processing Personal Data 

11. Providus shall process personal data of Data Subjects only on the basis of the following legal grounds:
    • Execution and performance of contracts – to enter into an agreement at the request of a Data Subject and to ensure its performance;
    • Compliance with applicable law – to ensure compliance with obligations laid down by applicable external rules and regulations;
    • Consent of a Data Subject;
    • Legitimate interests – to protect legitimate (lawful) interests of Providus arising from mutual obligations or an executed agreement between Providus and a Data Subject or from the applicable law.

PROVIDUS LEGITIMATE INTErESTS

12. The legitimate interests of Providus include:
    • Carrying out research activities and advocacy, including, but not limited to, monitoring the implementation of policies, analysing legislation, developing policy proposals, providing recommendations and opinions, organizing discussions and educational activities, preparing studies and research, and carrying out other research activities;
    • to inform the public (including members, council members and employees) about its activities;
    • Carrying out an economic activity;
    • Verification of Data Subjects’ identity before the concluding of an agreement;
    • Performance of contractual obligations;
    • Storage of Data Subjects’ applications and requests as well as notes on them, including applications and requests submitted verbally, by phone, online;
    • Performance analysis of Providus websites and development and implementation of their improvements;
    • Conducting surveys;
    • Organizing meetings;
    • Development and improvement of services;
    • Informing about activities, research issues, priorities by means of commercial communications;
    • Prevention of criminal offences;
    • Implementation of proper corporate management, financial accounting and analytics;
    • Ensuring efficiency of Providus management processes;
    • Improvement of the efficiency of services;
    • Improvement of the quality of services;
    • Management of payments;
    • Dealings with governmental and regulatory bodies and the court to protect its lawful interests and lawful interests of other persons;
    • Selection of employees, volunteers and trainees.

PROVIDUS’s purposes in processing personal data

13. Providus processes personal data for the following purposes:
    • Ensuring the operation of the organization:
      • Identification of Data Subjects;
      • Drafting and concluding of agreements;
      • Running of the research and advocacy activities;
      • Organizing and conducting of meetings;
      • to assess the access to sources of funding;
      • Reporting purposes;
      • Risk management activities;
    • Personnel selection activities;
    • For the provision of information to public administration institutions and subjects of operational activities in the cases and to the extent specified in external regulatory enactments.
    • Other specific purposes that will be disclosed to the Data Subject when he/she provides the respective data to Providus.

PERSONAL DATA PROCESSING PRINCIPLES

14. Providus shall process Data Subjects’ data by means of advanced technologies, considering the current risks to privacy, as well as organisational, financial and technical resources reasonably available to it.
15. Providus does not make automated decisions regarding Data Subjects.
16. To promptly ensure quality performance of an agreement with a Data Subject, Providus may authorise its cooperation partners to carry out certain service-related activities. Should the cooperation partners process personal data of Data Subjects at the disposal of Providus during the performance of such services, the cooperation partners shall be considered data processing operators (data processors) of Providus. The latter shall have the right to transfer personal data of Data Subjects to these cooperation partners to the extent needed for the performance of the services.
17. Providus cooperation partners (who act as personal data processors) shall ensure compliance with personal data processing and protection requirements as required by Providus and the applicable law and shall not use personal data for purposes other than the performance of the agreement with the Data Subject (on behalf of Providus).

Categories of Recipients of Personal data 

18. Providus shall not disclose personal data of the Data Subject or any information received during the provision of services or term of the agreement to any third parties, including information about any electronic communications, content or other services, unless:
    • The data has to be transferred to the respective third party under a contract to carry out a function needed for the performance of the contract or a function delegated by the law (for example, to a bank to make a payment or to provide IT system maintenance services);
    • to perform any function required for performance of the contract or delegated by law;
    • The Data Subject has given clear and unambiguous consent;
    • The data has to be provided to individuals as laid down in external rules and regulations, should they make a reasonable request, and pursuant to the said rules and regulations;
    • The data has to be provided pursuant to external rules and regulations to protect the lawful interests of Providus, for example, by lodging a claim in a court or other governmental body against a person who has infringed on the lawful interests of Providus.
19. Providus personal data shall not be transferred to third countries (that is, countries outside the European Association and the European Economic Area). In special cases, personal data may only be transferred to third countries or international organisations if the data controller and the processor have complied with the conditions laid down in the GDPR.

Protection of Personal Data

20. Providus shall protect Data Subjects’ personal data with physical and logical means of protection, relying on advanced technologies and considering current risks to privacy, as well as organisational, financial and technical resources reasonably available to Providus, including:
    • Data encryption during data transfer (AES, Kerberos, NTLMv2, IPSec encryption);
    • Firewalls;
    • Other means of protection depending on the current technological progress.
21. Providus shall protect Data Subjects’ personal data using the following physical security measures:
    • Protection of technical resources against the risk of physical impact on information systems;
    • Storage of paper documents in lockable cabinets;
    • Protection of the stored data from fire, flooding, voltage loss or overvoltage in the mains, theft of technical resources, non-compliant humidity and ambient temperature.

DURATION OF PERSONAL DATA STORAGE

22. Providus shall keep and process personal data of Data Subjects insofar as at least one of the following criteria exists:
    • An agreement with a Data Subject is in force;
    • Providus or the Data Subject may protect its legitimate interests under external rules and regulations (for example, bring claims or initiate/proceed with an action at the respective court);
    • One of the parties has a legal obligation to keep the data;
    • The Data Subject’s consent to the respective processing of personal data is in effect, unless another legal basis for the processing is in place.
23. After the circumstances referred to in Paragraph 22 expire, the Data Subject’s personal data is deleted.

The DatA subject’s Access to Personal Data

24. The Data Subject shall have the right to receive information laid down by the law in relation to the processing of his/her data.
25. Pursuant to the law, the Data Subject shall also have the right to ask Providus to provide access to his/her personal data as well as to amend, delete or supplement such data or to limit the processing of the said data; the Data Subject shall also have the right to object to the processing of data (including the processing of personal data carried out on the basis of legitimate (lawful) interests of Providus) as well as the right to the portability of data. This right can be enforced insofar as the processing of data does not derive from statutory obligations of Providus that are discharged for the public benefit.
26. The Data Subject may submit a request for the exercise of his/her rights:
    • In person in writing to the administration of Providus by producing an identity document;
    • By an e-mail signed with a secure electronic signature.
27. Having received a request from the Data Subject regarding the enforcement of his/her rights, Providus shall verify the Data Subject’s identity, review the request and satisfy it pursuant to the law.
28. Providus shall send a registered reply to the postal address indicated by the Data Subject or an e-mail signed with a secure electronic signature, taking into account, as far as possible, the Data Subject’s preferred means of communication.
29. Providus shall ensure compliance with data processing and protection requirements laid down by the law, and should a Data Subject raise an objection, Providus shall take reasonable action to resolve it. If Providus fails to resolve the objection, the Data Subject shall have the right to approach a supervisory body, namely, the Data State Inspectorate.

Processing of special categories of personal data

30. Special categories of personal data is data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade Association membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
31. Providus shall process special categories of personal data only if any of the grounds referred to in Article 9 (2) of the GDPR apply.

The DatA subjeCt’s Consent to Processing and Right of Withdrawal

32. The Data Subject may provide his/her consent to the processing of personal data on the basis of consent (for example, publishing of an image, advertisement, etc.) in Providus application forms, in Providus service portals/apps, on Providus and other websites (for example, newsletter subscription forms), or in person at Providus.
33. A list of categories of personal data that can be processed according to the Data Subject’s consent and other legal bases is available in the Data Categories annex.
34. The Data Subject shall have the right to withdraw his/her content at any time by means of the same method in which it was given or in person at Providus. In this case the processing of data on the basis of consent to the respective purpose shall not be continued.
35. Withdrawal of consent shall not affect processing activities that were completed when the consent was still valid.
36. By withdrawing consent, it is not possible to terminate the processing of data performed on the basis of other legal grounds.

COMMERCIAL COMMUNICATIONS AND COMMUNICATION in General

37. Providus shall communicate with the Data Subject using the contact details provided by him/her (telephone number, e-mail address, mailing address).
38. Providus shall maintain commercial communication regarding Providus and/or third-party services as well as other communication that is not related to direct provision of contracted services (for example, surveys) pursuant to the external rules and regulations or the Data Subject’s consent.
39. The Data Subject may consent to commercial communication with Providus in application forms and on Providus and other websites (for example, in news subscription forms).
40. The Data Subject’s consent to commercial communication shall be valid until its withdrawal (even after the expiry of the service contract). The Data Subject may withdraw his/her consent to further commercial communication by:
    • Sending an e-mail to info@providus.lv;
    • Expressing it in person at Providus;
    • Using the automated opportunity provided for opting out of receiving commercial communication and further notices by clicking on the opt-out link at the end of the relevant commercial communication (e-mail).
41. Providus shall cease sending commercial messages as soon as the Data Subject’s request is processed. Processing requests depends on technological capacity and may take up to three working days.
42. By providing an opinion during surveys and by leaving his/her contact details (e-mail, telephone), the Data Subject agrees that Providus may contact him/her, relying on the contact details provided in the context of the Data Subject’s evaluation.

Use of Websites and Processing of Cookies

43. Providus websites may use cookies. The terms and conditions that apply to the processing of cookies are described in the annex “Cookie Policy”.
44. Providus websites may contain links to websites of third parties that have their own personal data protection requirements and terms and conditions of use; Providus may not be held liable for any such requirements or terms and conditions.

processing online meetings data

45. Providus uses the Zoom, Microsoft Teams and Google Meet for online meetings, video conferences and webinars. The terms and conditions that apply to the processing of cookies are described in the annex “Data privacy notice for online meetings”.

Annex to the Privacy Policy of the

Association ”Centre for public policy PROVIDUS”

COOKIE POLICY

1. The Terms of Use of Cookies on the Providus website providus.lv describe the use of cookies by the Association ”Centre for public policy PROVIDUS”, registration no. 40003613479, registered at Alberta street 13, Riga, LV-1010, e-mail address: info@providus.lv, stating the purpose of the use of cookies as well as the right of users to change and choose the use of cookies according to their needs.
2. Cookies are small text files that website browsers (such as Internet Explorer, Firefox, Safari, etc.) save on a user’s end device (computer, mobile phone, or tablet), when the user opens a site, to identify the browser or information or settings kept in the browser. Thus, the website is able to save individual user settings and recognise and respond to this user later to improve overall user experience. The user may disable or restrict cookies; however, without cookies it is not possible to fully enjoy the functionality of various websites.
3. Depending on their functions and purpose, Providus uses strictly necessary cookies, functionality cookies, technological cookies and analytical cookies.
4. Strictly necessary cookies are needed for the user to freely visit and browse websites and enjoy full functionality, including the ability to receive information about services and purchase them. These cookies identify a device, but do not disclose the user’s identity; they do not collect or compile information either. A site cannot function smoothly without these cookies; for example, it cannot provide the information that a user needs or the services that he/she wishes to purchase from an online store or allow him/her to log in to a profile or request a service. These cookies are kept on a user’s device until the respective browser is closed.
5. A website uses functionality cookies to remember user settings and choices so that the site becomes more user-friendly. These cookies are permanently kept on the user’s device.
6. Analytics cookies compile information about the use of websites and their most popular sections, including the content that a user opens when he/she browses a site. This information is used for analytical purposes to determine what the users are interested in to improve the functionality of sites and make them more user-friendly. Analytics cookies identify a device, but do not disclose the user’s identity.
7. In some cases analytics cookies may be managed by third-party data processors (operators), for example, Google Adwords, on behalf of the site owner and according to the objectives indicated by him/her.
8. Providus uses cookies to improve user experience on its websites. This includes:
   • Ensuring website functionality;
   • Adjusting website functionality to user habits, including language, search requests, viewed content;
   • Gathering statistics about user flows in relation to the site – number, time spent viewing the page, etc.;
   • Authentication of users.
9. Detailed information about the cookies used on the Providus website:

10. Cookie data is not transferred for processing to non-EU or non-EEA states.
11. When Providus websites are visited, a window with a message that cookies are used on the website is displayed to the user.
12. By closing the window, the user confirms that he/she has read the information about cookies, their purpose, and cases when their data are transferred to third parties, and consents to them. Thus, cookies are used on the basis of user consent. If the user enters into an agreement on the website, cookies are needed to perform the agreement or for Providus to carry out its statutory duties or safeguard its lawful interests.
13. It is possible to disable or restrict cookies in the security settings of all browsers. But it should be noted that strictly necessary and functionality cookies cannot be disabled, as it is not possible to ensure full functionality of websites without them.
14. If the user has a question about the use of cookies, he/she can contact Providus at the following e-mail address: info@providus.lv.
15. The user has the right not to consent to the creation, storage and processing of such statistical data by manually disabling the use of the cookie handling mechanism in the browser at any time. You can change or delete your cookie settings in your web browser settings. We add links to cookie management information resources for the most popular browsers:

Firefox: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer

Chrome: https://support.google.com/chrome/answer/95647?hl=en

Safari: https://support.apple.com/lv-lv/guide/safari/sfri11471/mac

Opera: https://help.opera.com/en/latest/web-preferences/

Edge: https://support.microsoft.com/en-us/help/4468242/microsoft-edge-browsing-data-and-privacy

Explorer: https://support.microsoft.com/en-us/help/278835/how-to-delete-cookie-files-in-internet-explorer[VV4]

16. More information on how to control cookies according to your device’s browser can be found at: aboutcookies.org .

Annex to the Privacy Policy of the

Association ”Centre for public policy PROVIDUS”

data privacy notice for online meetings

Purpose of Processing

1. The Providus uses Zoom, Microsoft Teams and Google Meet as tools to conduct online meetings, video conferences, online lectures and/or webinars (previously and hereinafter referred to as online meetings).Zoom is a service of Zoom Video Communications, Inc. which is based in the United States of America. Microsoft Teams is a service of Microsoft Corporation which is based in the United States of America. Google Meet is a service of Google LLC which is based in the United States of America.

Data Controller

2. Controller of data processing in the context of conducting online meetings is the Association ”Centre for public policy PROVIDUS”, registration no. 40003613479, registered at Alberta street 13, Riga, LV-1010, previously and hereinafter referred to as Providus.
3. As soon as you access the webpage of Zoom, Microsoft Teams or Google Meet, the provider of Zoom, Microsoft Teams or Google Meet is responsible for data processing.
4. You may also use Zoom, Microsoft Teams or Google Meet, when entering the respective meeting ID and possibly further login data directly in the Zoom, Microsoft Teams or Google Meet app. Here, too, the Zoom, Microsoft Teams or Google Meet webpage may be accessed.
5. If you cannot or do not want to use the Zoom, Microsoft Teams or Google Meet app, basic functions will be accessible through the browser version, which you also find on the Zoom, Microsoft Teams or Google Meet webpage.

processing of data

6. Various types of data are processed when using Zoom, Microsoft Teams or Google Meet. The amount of data depends on which data you enter in advance or during the participation of an online meeting.
7. The following personal data are subject to processing:
   • User data: name, surname, phone number (optional), email address, password (if “single-sign-on” is not used), profile picture (optional), department (optional);
   • Meeting metadata: topic, description (optional), participant IP address, device/hardware information;
   • During recording (optional): video files of all video, audio and presentation recordings; audio files of all audio recordings; text files of the online-meeting chats;
   • Text, audio and video data: You potentially have the possibility to use chat, Q&A and polls during the online meeting. The data entered there is processed for the purpose of making it visible and possible to protocol. To enable the display of video and the rendering of audio, corresponding data will be collected from the microphone of you device and any video cameras of your device for the duration of the meeting. You can turn off the camera or microphone in the Zoom, Microsoft Teams or Google Meet application at any point of the meeting.
   • To participate in an online meeting, you have to enter your name and surname. This name does not have to be your “real” name and/or surname, but can also be a nickname.

Scope of Processing

8. The Providus uses Zoom, Microsoft Teams or Google Meet to conduct online meetings. If we want to record online meetings, we will transparently inform you about this and – if required – ask you for permission. In case of a recording, this further will be signified in the Zoom, Microsoft Teams or Google Meet app.
9. Chat content will be logged and recorded by default but may not be logged when necessary. Chat content may optionally be published after the meeting.
10. For the purpose of recording and reworking webinars, we may also log the questions posed by participants.
11. If you are a registered user of Zoom, Microsoft Teams or Google Meet, reports of online meetings (meeting metadata, phone dial data, questions and answers in webinars, polls in webinars) may be stored at Zoom, Microsoft Teams or Google Meet for up to one month. Afterwards online meeting recordings may optionally be stored within Providus’s internal cloud.
12. Automated decision-making within the scope of Article 22 GDPR is not deployed.

Legal basis of data processing

13. As long as personal data of employees of Providus is processed, the legal basis of data processing is execution and performance of contracts.
14. If in the context of using Zoom, Microsoft Teams or Google Meet personal data is not required for the establishment, conduct, or termination of employment, legitimate interest of the Providus is the legal basis of data processing. In these cases legitimate interest of the Providus is the effective conduct of online meetings.
15. In all other cases where online meetings are conducted in the context of a contractual relationship the legal basis of data processing is performance of a contract.
16. If no contractual relationship is present, the legal basis of data processing is legitimate interests. Here too, interest of the Providus is the effective conduct of online meetings.

Disclosure of Data

17. Personal data processed within the context of the participation in online meetings are generally not passed on to third parties as long as they are not explicitly intended for disclosure. Please note that contents from online meetings like in physical meetings are often meant to communicate information with members, interested or third parties and are therefore meant for disclosure.

Data processing outside the European Association

18. Zoom, Microsoft Teams or Google Meet is a service delivered by a provider from the USA. Processing of personal data is therefore also conducted in a third country. We have concluded a data processing agreement with Zoom, Microsoft Teams or Google Meet which meets the requirements of Article 28 GDPR.
19. An appropriate data privacy level is guaranteed by the “privacy shield” certification of Zoom Video Communications, Inc., Microsoft Corporation, Google LLC, as well as by the conclusion of the so called EU standard contractual clauses.

DATA SUBJECT rights

20. You have the right to gain access to your stored personal data. You can contact us to gain access at any point. In case of an information inquiry, we ask for your understanding that we might ask for proof of identity to verify that you are the person you impersonate. Further, you have the right to correction or of erasure or of limitation of processing, as long as this is provided for by the legal basis. Finally, you have a right of objection towards processing within the scope of legal provisions. A right to data portability is also within the scope of data protection regulations.

STORAGE DURATION

21. As a matter of principle, Providus deletes personal data when there is no need for further storage. A requirement may exist in particular if the data is still needed to fulfil contractual obligations. In the case of statutory storage obligations, deletion shall only be considered after the expiry of the respective storage obligation.

Right of appeal to a supervisory authority

22. You have the right to complain about our processing of personal data to a supervisory authority for data protection Data State Inspectorate of the Republic of Latvia accessible at dvi.gov.lv .

Annex to the Privacy Policy of the

Association “Centre for public policy PROVIDUS”

Data Categories

[i] Consent — clear expression of the Data Subject’s will, given freely, allowing Providus to process his/her personal data pursuant to the information it provides.