1. General questions
1.2. As a controller, Maritime Administration shall perform the processing of personal data in accordance with General data Protection Regulation No. 2016/679 (hereinafter - GDPR), the personal data processing Law, the Maritime Administration and Maritime Safety Law, the Maritime Code, as well as other laws and regulations in force in Latvia.
1.4. In addition to this policy, information regarding the processing of personal data is included in contracts, regulatory enactments related to the performance of the functions of Maritime Administration and internal regulatory enactments of Maritime Administration. For specific data processing, additional, specific conditions may be laid down which will be notified to the person at the time of the provision of the relevant data.
1.5. Maritime Administration is aware that personal data are the property and value of the data subject and should therefore be processed in a confidential and secure manner.
1.6. Maritime Administration shall protect personal data through a variety of technical and organisational measures, taking into account the identified privacy risks under the influence of Maritime Administration and the organisational, financial and technical resources available to it.
2. Processing, purposes and legal bases of personal data
2.2. Personal data held by Maritime Administration shall be processed on its behalf only by authorised persons – employees of Maritime Administration or any of the processors contracted by Maritime Administration (the mandate for employees derives from employment contracts, orders, etc. internal laws and regulations, for processors - from contracts entered into with each other). Staff and contracted processors are obliged to comply with and ensure that the requirements for the processing and protection of personal data are complied with when processing data.
2.3. Maritime Administration shall, in accordance with the legal framework laid down in external laws and regulations, perform the functions of the delegated by State administration in the field of maritime administration and marine safety and, in the performance of its services, process different types of personal data mainly for the following purposes:
2.3.1. for the performance of delegated functions and tasks (registration of ships and yachts, supervision, control and security inspections of ships, shipping companies and ports, examination of competence of seafarers, certification and issue of documents certifying competence, maintenance of the seafarers' certification database, issue of special permits to merchants, recognition of medical practitioners of seafarers, etc.);
2.3.2. the management of documents and archives;
2.3.4. accounting and personnel management;
2.3.5. informing the public regarding his or her activities and promoting the profession of seafarer;
2.3.6. prevention or detection of criminal offences in relation to protection of property and protection of vital interests of persons, including life and health, as well as the security interests of the State.
2.4. Maritime Administration shall process personal data primarily on the basis of the following legal bases:
- fulfilment of legal obligations specified in regulatory enactments;
- fulfilment of the public interest - for the performance of tasks in the public interest or for the exercise of official powers laid down by the law;
In addition, the legal bases may be as follows:
- conclusion and performance of contractual obligations - the processing of data results from the contractual obligations of the undertaking or, subject to the request of the person, the processing of data is necessary for the conclusion of the relevant contract;
- consent - the data subject has given consent to the processing of his personal data for one or more specific purposes;
- respect for legitimate interests of the controller or third party - such a basis for the processing of personal data shall be permissible only if the interests or fundamental rights and freedoms of the person whose data are being processed are not significantly affected (this legal basis shall not apply to the processing of personal data by Maritime Administration in the performance of public administration tasks);
- Protection of vital interests - data processing is necessary to protect vital interests of a natural person, including life and health.
2.5. During the events organised by Maritime Administration, taking of photographic and video recordings may be performed – to inform public regarding Maritime Administration, ensuring visibility and creating a history archive. Before the event is held, the person is entitled to address Marine Administration event organizer with a request not to photograph or film it, and the event organizer will do everything possible to ensure such request is complied with. Personal data obtained during such a measure may be published and processed without a time limit, but notwithstanding that, the data subject has the right to request the deletion of his data and that request will be examined.
2.6. Video surveillance of the prevention or detection of criminal offences relating to the protection of property, the protection of the legal interests of the controller and the protection of vital interests of the person, including life and health, shall be carried out in the buildings and managed areas of Maritime Administration. Personal data obtained as a result of video surveillance shall be stored for 30 days from the time the video recording is made, after the expiry of this period the data shall be deleted if the data have not been previously requested or criminal offences have not been established. If data have been previously requested from competent State or local government institutions, or signs of a criminal offence or violation have been determined, data shall be stored as necessary.
3. Maritime Administration shall observe the following principles for data processing:
3.1. lawful and fair processing of data in a transparent manner to the data subject;
3.2. the processing is carried out for specific, clear and legal purposes and it is not treated in a manner incompatible with the purposes;
3.3. the amount of data is adequate - appropriate, not excessive, taking into account the purposes for which it is processed;
3.4. the data are accurate and up-to-date, as well as they are rectified or deleted in a timely manner, if the data are incomplete or do not conform to the purpose of processing personal data;
3.5. the data shall not be stored longer than is necessary for the purposes for which the relevant personal data are processed;
3.6. data shall be processed in compliance with the rights of data subjects;
3.7 data shall be processed in such a way that adequate security of personal data is ensured by appropriate technical or organisational measures. Data cannot be accessed by unauthorized persons.
3.8. data shall not be transferred to other organisations, institutions or States without safe and adequate protection.
4. Automated decisions
Decisions of Maritime Administration regarding the processing of personal data shall not be taken in an automated manner, the processing of data shall provide for human participation in the decision-making process of the data processing.
5. Duration of retention of personal data
5.1. The Maritime Administration shall store and process personal data as long as at least one of the following criteria exists:
5.1.1. there is an obligation specified in regulatory enactments to store data;
5.1.2. the data are necessary for the purpose for which they have been received (for example, entering into and performance of contractual obligations, provision of services, etc.);
5.1.3. in accordance with the procedures specified in regulatory enactments the Maritime Administration or data subject may exercise his or her legitimate (lawful) interests (for example, to submit objections, to bring or maintain a claim in court, etc.);
5.2.4 the consent of the data subject to the relevant processing of personal data shall be valid if there is no other lawful basis for the processing of the data.
5.2. After the referred to criteria are not applicable, personal data shall be deleted or destroyed or transferred for storage to the State archives in accordance with the requirements of regulatory enactments.
6. Recipients of personal data
6.1. Personal data could be communicated, as necessary:
6.1.2. personal data controllers according to the services provided by them and only to the extent necessary, for example, auditors, external consultants of the undertaking, database developers/technical operators, other persons who are related to the provision of services to Maritime Administration and within the framework of which it is not possible to do without data processing. Maritime Administration shall carefully select the service providers who are required to process personal data as part of the provision of the service. Maritime Administration shall include, when concluding contracts with controllers of personal data, the requirements for the processing and protection of personal data arising from the GDPR, as well as indications that the data cannot be processed by processors for purposes other than the provision of the Maritime Administration Service.
6.1.4. in individual cases - persons who request information in accordance with the legal framework for restricted access information, carefully assessing whether there is an appropriate legal basis for such transfer of data.
6.2. Maritime Administration shall process personal data in the territory of the European Union and the European Economic area. However, given the international nature of the maritime sector, in certain exceptional cases, on the basis of the regulatory framework binding on Maritime Administration, there may be cases where data are to be transmitted outside the European Union and the European Economic area or to an international organisation.
7.1 in accordance with the provisions of the GDPR, the data subject has the right to request access to his personal data, to request rectification, erasure, restriction of processing, to object to the processing of data and to the portability of data in the cases and in accordance with the procedures laid down in the GDPR.
7.2. Where the processing of personal data is based on the consent of the data subject, the data subject shall have the right to withdraw it at any time and Maritime Administration shall no longer process the personal data of the data subject processed on the basis of consent for that purpose. Withdrawal of consent shall not affect the lawfulness of the processing carried out on the basis of consent before withdrawal. Withdrawal of consent shall not interrupt the processing of data on other legal grounds.
7.3. If the data subject has any objections regarding the processing of his or her personal data, the data subject shall be invited to refer the matter to the Maritime Administration. The Maritime Administration shall, in the event of objections from the data subject, take the appropriate steps to resolve the objection. However, failing this, the data subject shall have the right to apply to the national data Inspectorate. Sample submissions for the data State Inspectorate and other related information may be found on the website of the data State Inspectorate (http://www.dvi.gov.lv/lv/datu-aizsardziba/privatpersonam/iesniegumu-paraugi/).
8. Request from the data subject
8.1. In order to execute the data subject's request as effectively as possible, data subjects are invited to use the request form.
· by registered mail, addressing - SIA “Maritime Administration of Latvia”, Riga, Trijadibas Street 5, LV-1048.
· personally, by submitting the SIA “Maritime Administration of Latvia” in writing to the administrator of the Bureau on the 5, 2 nd floor of Trijadibas Street, presenting a personal identification document;
· personally, by submitting in writing the SIA “Maritime Administration of Latvia” to the Registry of Seamen, Catherine Street 2A, 2 nd floor of the Service Secretary, presenting a personal identification document;
· signing with a secure electronic signature and sending to an electronic mail address - ljalja.lv.
8.3. Maritime Administration shall evaluate and execute the request of the data subject within one month from the receipt of the request. If further information is required from the data subject, it will be requested as soon as possible if the relevant information can be provided, albeit in response to the data subject's request as soon as possible. Given the complexity of the request, its execution time may be extended for a further two months. In such a case, Maritime Administration shall inform the data subject of the extension of the request and the reasons for the delay within one month of receipt of the request. If, in assessing the data subject's request, Maritime Administration concludes that the data subject's request is manifestly unfounded or excessive, Maritime Administration may, by providing the data subject with an appropriate explanation, request reasonable remuneration taking into account the administrative costs associated with carrying out the requested action or refuse to comply with the request.