Personal data processing notice of Latvijas Energoceltnieks ltd. To data subjects For staff data processing purposes
1. Information about the controller
The name of our organisation is SIA LatvijasEnergoceltnieks, registration number: 40103050565, legal address: Lubānas St. 43, Rīga, LV-1073.
We may be reached at: +371 67241260 or via the following e-mail address: lec@lec.lv
2. Contact details on personal data protection issues
If you should have any questions related to this notice or the processing of your personal data, please contact us using the contact details stated in the previous paragraph (Paragraph 1) or by contacting our Data Protection Officer via the following e-mail address: dati@lec.lv.
3. A general description of the personal data processing we perform
The purpose of this notice is to give you a general idea of how and why we process your personal data, however, we kindly ask you to keep in mind that other documents (e.g., the company’s regulations of an establishment, employment contract, or other internal company procedures and instructions) may contain additional information on the processing of your personal data.
Another purpose of this notice is to give persons whose personal data have been provided to us by our employees or candidates (e.g., data of relatives, referees, etc.) an idea of how their personal data will be processed.
This notice describes how we process the personal data of our employees, candidates, trainees, employee family members, contacts, or other persons whose data we may come into possession of with respect to personal data processing purposes.
Upon starting to work for us, we provide you with access to this notice. This is the latest version of the notice. We reserve the right to make amendments to the notice and bring it up to date at any time.
We are fully aware of the importance of keeping your personal data safe, therefore we will process your personal data in accordance with confidentiality requirements and take due care to ensure that the personal data that come into our possession are safe with us.
4. Why do we process your personal data and what are the lawful bases for the processing of your personal data?
We only process your personal data in a manner consistent with previously defined legitimate purposes, including:
a) to enable the employee selection process and to exercise the rights and obligations thereof
Within the scope of this purpose, we collect the candidates’ CVs and cover letters, contact the candidates and referees to obtain references, with the candidate’s consent, keep CVs for the purposes of other vacancies. We also keep personal data to protect our interests in lawsuits or respond to claims or actions brought against us in relevant institutions.
The minimum amount of personal data required to achieve the following purposes: to select and communicate with staff, we will need the candidate’s name, surname, contact details (e-mail, phone number), education and previous work experience; to receive references, we will need the name of the referee, their contact details, the reference on the employee; as well as we will need any other information that may be essential for assuming the respective post and finding the right candidate.
Lawful bases for the processing purposes:
- consent (General Data Protection Regulation ,Article 6, paragraph 1, point (a)) – with regard to the fact of submitting the CV and cover letter, and keeping the CV for the purposes of other vacancies;
- a contract to which the data subject is party (General Data Protection Regulation, Article 6, paragraph 1, point (b)) – with regard to the processing of personal data of the candidates who have been selected for the signing of a contract;
- compliance with a legal obligation (General Data Protection Regulation, Article 6, paragraph 1, point (c)) – in some cases, with regard to certain data types if normative acts stipulate mandatory requirements for the particular post;
- legitimate interests pursued by the controller (General Data Protection Regulation, Article 6, paragraph 1, point (f)) – with regard to the provision of evidence, in the event of a claim, or with regard to the extent of minimum information that may be required.
b) to enter into and perform an employment contract
Within the scope of this purpose, we collect information necessary to be included in the employment contract and its appendices, draw up an employment contract, identify you, verify the documents attesting to your education and qualifications, if necessary, we set up your personal e-mail address for work-related matters, as well as assign you a login and password to have access to the relevant information systems, we log your work time and completed tasks, calculate your salary and pay it into the bank account provided by you, we plan employee training and development, organise business trips and work outside Latvia, including the booking of plane or train tickets, booking of hotels and car rental services, acquisition of an A1 certificate, acquisition of a tax payer’s status in the country of employment, attendance of mandatory courses to obtain permits or certificates that enable entering and working on a construction site in a foreign country, if necessary for the execution of work duties, we share your personal data, including your position and contact details, with our collaboration partners and clients, as well as other employees, if necessary for the execution of work duties, we sign car loan rights agreements, we provide employees with materials needed for work, personal protective equipment, special clothing, we perform health checks and collect other information necessary for your employment.
The minimum amount of personal data required to achieve the following purposes: to enter into a contract and identify a person, we will need the employee’s name and surname, personal code (or in the case of a foreigner – the date of birth), place of residence, phone number, e-mail; to fulfil contractual obligations, we will need to know the date upon which the working relationship started, the location, hours worked, work contact details, salary amount, wage rate, data attesting to the completion of work duties, employee assessment; to provide personal protective equipment, we will need clothing and shoe size; to verify education required for the position, we will need data attesting to the employee’s education and qualifications (primary education, speciality, certificates, diplomas, permits); to make wage payments, we will need your bank account number, the name of the bank; to assess an employee’s ability to do their job/to ensure appropriate working conditions, we will need health data; in some cases, to comply with the normative acts governing procurement when the contracting authority sets qualification criteria to candidates, we will need trade union membership data or data on ethnic origin.
Lawful bases for the processing purposes:
- a contract to which the data subject is party (General Data Protection Regulation, Article 6, paragraph 1, point (b));
- compliance with a legal obligation (General Data Protection Regulation, Article 6, paragraph 1, point (c)) – with regard to the information to be included in the employment contract and necessary qualification requirements;
- carrying out the obligations and exercising specific rights of the controller in the field of employment (General Data Protection Regulation, Article 9, paragraph 2, point (b)) – with regard to the processing of a special data category (e.g., health data);
- legitimate interests pursued by the controller (General Data Protection Regulation, Article 6, paragraph 1, point (f)) – to comply with the normative acts governing procurement when the contracting authority sets qualification criteria for candidates.
c) to comply with the provision of normative acts in the field of employment or provisions of other normative acts
Within the scope of this purpose, we must ensure compliance with the provisions of the Labour Law, Labour Protection Law and its binding Cabinet Regulations, the provisions of the Law on Accounting, the Law on Taxes and Duties, the provisions of the Archives Law, and the provisions of other normative acts. In some cases, we are obliged to share your personal data with public authorities (e.g., State Revenue Service, State Labour Inspectorate, sworn bailiffs, sworn auditors, investigative authorities, courts, supervisory bodies) based on the rights granted to them in the relevant normative acts.
The minimum amount of personal data required to achieve the following purposes: to employ staff and ensure compliance with the law, we will need your name, surname, personal code, residence address, position, signature, any information on you requested by public authorities; to ensure statutory health checks and investigation of accidents, we will need health data, data contained in the mandatory health checks card, diagnoses, blood test results, x-ray results, occupational disease data, data on disability, the doctor’s statement with recommendations, restrictions to lift weights or forced position; to employ staff and ensure compliance with the law, we will need work time records, trade union membership data in the event of a notice, deducted amounts by sworn bailiffs, employee data, an overview of mandatory state social insurance contributions, data on paid personal income tax, business trip order, report on advance payments, way bill, fuel consumption report, earnings, tax book data, information on dependent persons to make accurate tax calculations, information on children, such as the child’s age, name, and surname to ensure receipt of extra holidays, information on your blood donation activity to ensure a paid holiday, any documents warranting absence, and any other information required to be collected by normative acts.
Lawful bases for the processing purposes:
- compliance with a legal obligation (General Data Protection Regulation, Article 6, paragraph 1, point (c));
- carrying out the obligations and exercising specific rights of the controller in the field of employment (General Data Protection Regulation, Article 9, paragraph 2, point (b)) – with regard to the processing of special data category (e.g., health data).
d) to provide social support and proper working conditions to employees
Within the scope of this purpose, we may collect data to provide you with various fringe benefits, for example, extra holidays for certain events in your personal life, benefits, gifts, events, health insurance, bonuses; we may also collect data to improve your working conditions, award best employees, inform colleagues about your celebrations or absences, as well as publish photos from corporate events organised by the employer.
The minimum amount of personal data required to achieve the following purposes: to receive tax exemptions, social benefits, extra holidays, we will need your children’s personal data, i.e., name, surname, information on important events in your life, employee opinion surveys data, questionnaires and other forms of data; insurance-related information (including for relatives); information on your celebrations; information for company marketing and branding activities, event reflection (event photos/videos); to assess employees’ work abilities/provide appropriate working conditions, we will need health data.
Lawful bases for the processing purposes:
- consent of the data subject (General Data Protection Regulation, Article 6, paragraph 1, point (a) and Article 9, paragraph 2, point (a)) – for example, with regard to the publication of celebrations, provision of insurance (also for relatives);
- legitimate interests pursued by the controller (General Data Protection Regulation, Article 6, paragraph 1, point (f)), for example, the publication of event photos, provision of appropriate working conditions, improvement of employees’ social conditions;
- carrying out the obligations and exercising specific rights of the controller in the field of employment (General Data Protection Regulation, Article 9, paragraph 2, point (b)) – with regard to the processing of special category data (health data) to, for example, provide appropriate working conditions.
e) to prevent security risks and threats to our economic interests, and to ensure exercising of other essential legitimate interests of our organisation or a third party
Within the scope of this purpose, we must ensure video-surveillance of our territories, buildings, construction sites, enable operative action to prevent safety incidents at work or in the event of an accident – take emergency measures to mitigate consequences and investigate it, conduct alcohol, drug, other psychotropic substance breath tests to prevent intoxicated people from entering our company’s territories and construction sites and to prevent employees from performing their work duties under substance influence, thus ensuring control over the implementation of the company’s rules of establishment and safe environment to all employees. We also must prevent risks related to safety, quality deterioration, low employee morale, company reputation and client relationships, log staff work time, equip vehicles with GPS equipment to carry out company vehicle data analysis to assess and improve vehicle usage efficiency (e.g. by comparing mileage, planning routes and fuel consumption, or preventing the use of vehicles at unsanctioned times). We also employ personal data processors to secure various functions, exercise our rights contained in the normative acts to ensure the protection of our legitimate interests, log work time, record employee access to certain premises and information systems, control protection of commercial secrets and client personal data, for example, by controlling outgoing mail, verify the performance of employee duties, ensure compliance with quality management processes, in the event of a workplace accident, contact the contact person indicated by you and bring them up to date, in some cases, share your personal information with collaboration partners or clients, or prospective clients (in case of procurements) if it is necessary for us to be able to provide our services and your work is related to securing provision of those services, we also need to keep personal data to protect ourselves in case actions are brought against us, or other cases.
The minimum amount of personal data required to achieve the following purposes: to ensure safety oversight and protection of property, we will need video surveillance data; to employ staff and comply with the law, we will need the results of alcohol, drug, other psychotropic substance tests, data contained in the IT access control systems on the connection to and the use of information systems, your name, surname, signature, position, and contact details; in some cases, if risks are detected, we will need the outgoing e-mail content; to communicate in case of an emergency we will need to know the status, name, surname, phone number, and e-mail address of your contact person, as well as other data.
Lawful bases for the processing purposes:
- compliance with a legal obligation (General Data Protection Regulation, Article 6, paragraph 1, point (c));
- legitimate interests pursued by the controller (General Data Protection Regulation, Article 6, paragraph 1, point (f));
- legitimate interests pursued by a third party(General Data Protection Regulation, Article 6, paragraph 1, point (f)) – the employee’s contact person’s right to know about a workplace accident.
5.Who can access your personal data?
We make sure your personal data are processed in compliance with the current regulatory framework, and a third party, without a lawful basis for the processing your personal data, may not gain access to them.
Your personal data may, if necessary, be accessed by:
- our employees or directly authorised persons who need your personal data to perform their work duties, for example, accountants, direct managers, human resources department staff, or if the data is public, all employees;
- personal data processors for the provision of their services, but only to the extent necessary, for example, auditors, outsourced accountants and financial managers, legal consultants, database creators/technical maintainers, and other persons who are related to the provision of the services of the controller;
- state and municipal authorities in cases stipulated in the normative acts, for example, law enforcement agencies, municipalities, tax administrations, sworn bailiffs;
- third parties, provided there is a lawful basis for sharing such data, for example, debt collectors, courts, out-of-court dispute resolution institutions, insolvency administrators, third parties who maintain registers (e.g., population, debtor, or others).
6. Who do we collaborate with in relation to the personal data processing/What kind of personal data processors do we work with?
We make sure that the processing, protection, and sharing of your personal data with data processors is performed in compliance with the relevant regulatory framework. We choose personal data processors carefully and, in case of sharing your personal data, we very carefully evaluate the need and extent to which we share. We share personal data with a data processor in compliance with the confidentiality and secure processing requirements.
We may collaborate with the following personal data processors:
- outsourced accounting service providers;
- outsourced tax and legal advice providers;
- outsourced security service providers;
- video surveillance system maintainers;
- outsourced IT infrastructure maintenance service providers;
- outsourced document destruction service providers;
- tourism agencies;
- other processor categories if necessary
Personal data processors may change; should that happen, this notice will be amended accordingly.
7. Are your personal data transferred to countries outside the European Union (EU) or outside the European Economic Area (EEA)?
Generally, we do not transfer your personal data to countries outside the European Union (EU) or European Economic Area (EEA) unless the performance of your work duties requires it – when going to countries outside the European Union (EU) or European Economic Area (EEA), your personal data may be transferred to make plane/train ticket, hotel and car rental bookings and payments.
8. How long will your personal data be kept?
Your personal data will be kept for as long as the purposes for which they are processed require keeping them, as well as to ensure compliance with the relevant normative acts.
In order to determine the length of time your personal data are kept, we take into account the provisions of relevant normative acts, contractual obligations, your instructions (e.g., consent), as well as our legitimate interests. If your personal data are no longer needed to fulfil the processing purposes, they will be erased or destroyed.
Below you may see the most common timeframes for which your personal data are kept:
- personal data that we need to perform contractual obligations we keep until the completion of a contract or until other timeframes come to an end (see below);
- personal data that we need to keep to ensure compliance, we keep in accordance with the timeframes set out in the relevant normative acts, for example, the Law on Accounting stipulates that source documents must be stored until the day they are needed to determine the beginning of each economic transaction and track its progress, but no less than 5 years; employment contracts are kept for 75 years;
- data that prove settling of our obligations we keep in accordance with the general statutes of limitation set out in the respective normative acts – ten years in the Civil Law, two or three years in the Labour Law, as well as other timeframes, for example, the ones set out in the Civil Procedure Law and Labour Law in relation to bringing an action.
9. What are your rights as a data subject in relation to the processing of your personal data?
Updating of personal data
If there should be any changes in the personal data you have provided to us, for example, changes in your personal code, correspondence address, phone number or e-mail address, we ask you to contact us and provide us with the updated data so that we are able to achieve the processing purposes.
Your rights to access or rectify your personal data
Under the General Data Protection Regulation, you have the right to demand access to your personal data that we possess and demand rectification, erasure, processing restriction; you may also object to the processing of your personal data; and you also have the right to data portability.
We value your right to access and control your personal data, therefore, in case we receive an application from you, we will provide our reply in compliance with the timeframes set out in the normative acts (usually no later than within a month, unless there is a specific case requiring more time to prepare a reply), and, if possible, we will rectify or erase your personal data accordingly.
You may obtain information on your personal data or exercise your rights as a data subject in one of the following ways:
- by submitting an application in person and identifying yourself at our office located at this address: LubānasSt.43, Rīga, LV-1073, 2ndfloor,weekdays 08:00-17:00;
- by submitting an application by post to:SIA LatvijasEnergoceltnieks, Lubānas St. 43, Rīga, LV-1073.
- by submitting an application via our e-mail addresses: lec@lec.lv or dati@lec.lv, electronic signature recommended.
Upon the receipt of your application, we will evaluate the content and ways to identify you; depending on the situation we reserve the right to ask for additional means of identification in order to ensure protection of your personal data and disclosure of it to a competent person.
Consent withdrawal
If the processing of your personal data is based on consent granted by you, you have the right to withdraw it at any time, and we will no longer process your personal data for the purpose the consent was granted. However, keep in mind that the withdrawal of the consent may not affect the processing of your personal data when it is required by relevant normative acts, a contract, our legitimate interests, or other lawful bases applicable.
You may, however, object to the processing of your personal data if the processing is based on legitimate interests.
10. Where do you file a complaint in relation to the processing of your personal data?
If you have any questions or an objection with respect to the processing of your personal data performed by our organisation, we kindly ask you to get in touch with us.
If, however, we have not succeeded in resolving the issue, and you think that our organisation has infringed your rights with respect to the processing of your personal data, you have the right to file a complaint with the Data State Inspectorate.
11. Why do you have to provide us with your personal data?
We mainly collect your personal information in order to fulfil contractual obligations, legal obligations, or to exercise our legitimate interests. In these circumstances, we need to obtain certain information in order to achieve certain purposes, and non-disclosure of such information may prevent us from entering into a business relationship or performing a contract. If the processing purpose is to improve working conditions or your employment conditions, we will indicate that the sharing of your personal data is voluntary.
12. How do we come into possession of your personal data?
We may acquire your personal data in one of the following ways:
- from your submitted cover letter and CV for a vacancy or a work placement;
- from you directly upon signing a mutual contract;
- upon signing an agreement with a third party who has indicated you as a family member;
- from you if you submit an application, send an e-mail, or call us;
- in certain circumstances, from video-surveillance records and access control systems;
- in certain circumstances, from doctors as a result of medical checks.
13. Are your personal data used in automated decision-making?
We do not use your personal data in automated decision-making.