Privacy policy
Association “Baltic Centre for Media Excellence”
Introduction
The association “Baltic Centre for Media Excellence”, unified registration number 40008244518 (hereinafter also referred to as “the association” and “BCME”), is a non-governmental organization whose members are from Latvia, Estonia, and Lithuania (the Baltic states), as well as potentially from Denmark, Iceland, Norway, Finland, and Sweden (the Nordic countries), Germany, and other countries. BCME is independent and not subordinate to any governmental authority.
The objectives of BCME are to support quality media by promoting the training and improvement of knowledge and skills among journalists, other media professionals, and media organizations in the Baltic states and beyond, to support freedom of the press and freedom of expression, and to encourage professional exchange of ideas among journalists on media-related issues, including—but not limited to—journalistic ethics.
As part of its objectives, BCME also aims to identify, compile, and disseminate information regarding the training needs of relevant media and the available training opportunities in the Baltic states and elsewhere; to develop training programs specifically tailored for the media in the Baltic states; to create course modules designed for media in the Eastern Partnership countries and, in the context of historical cooperation, for Russian media; and to address other matters related to media training and education, as decided by the BCME General Assembly, the Board, or persons delegated by them, in accordance with point 2.2 of the association’s statutes dated September 3, 2018, and the applicable legal regulations in force.
Given the above and the fact that BCME operates in accordance with the highest standards of legality and professional ethics, the association has also developed and approved these personal data processing and protection regulations. In its operations, BCME places great importance on ensuring proper protection of personal data and implementing clear procedures that help safeguard the personal information of partners, clients, and employees, in accordance with the data protection framework established by Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation), as well as other applicable legal acts in the field of privacy and personal data processing.
1. Terms and Abbreviations
1.1. UNO – United Nations.
1.2. Processor – A natural or legal person, public authority, agency, or other structure which processes personal data on behalf of the controller.
1.3. Processing – Any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, registration, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination, or otherwise making them available, alignment or combination, restriction, erasure, or destruction.
1.4. BCME – The Baltic Centre for Media Excellence, unified registration number 40008244518.
1.5. Biometric Data – Personal data resulting from specific technical processing related to the physical, physiological, or behavioral characteristics of a person that allow or confirm the unique identification of that person, such as facial images or fingerprint data.
1.6. Data Regulation – Regulation (EU) No. 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.7. Data Subject Consent – Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes, by which they, by a statement or clear affirmative action, consent to the processing of their personal data.
1.8. EU – European Union.
1.9. Genetic Data – Personal data related to the inherited or acquired genetic characteristics of a natural person, which provide unique information about the physiology or health of that person and result, in particular, from the analysis of a biological sample of that person.
1.10. Inspection – The Data State Inspectorate, according to Articles 3-16 of the Physical Persons Data Processing Law, the Regulation No. 1-1/3 “Data State Inspectorate Regulation” issued by the Director of the Data State Inspectorate J. Macuka on March 8, 2021 (effective as of March 10, 2021), based on Articles 12 and 33 of the Administrative Procedure Law.
1.11. IT – Information Technology.
1.12. Cross-border Processing – The processing of personal data that takes place in relation to activities carried out in more than one Member State by a controller or processor established in the EU; or processing that takes place in relation to activities carried out in the EU by a controller or processor established in a single Member State but that significantly affects or could significantly affect data subjects in more than one Member State.
1.13. Controller – As defined in Article 4(7) of the Data Regulation, the controller is a natural or legal person, public authority, agency, or other body that alone or jointly with others determines the purposes and means of the processing of personal data; if such purposes and means are determined by EU or Member State law, the controller or the criteria for its appointment may be specified by EU or Member State law. In this context, the controller also refers to the organization “Baltic Centre for Media Excellence,” unified registration number 40008244518; legal address: Palasta Street 5-1, Riga, Latvia, LV-1050; email: info@bcme.eu; website: www.bcme.eu.
1.14. Personal Data – Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, especially by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
1.15. Personal Data Breach – A security breach (also referred to as a “breach”) that leads to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
1.16. Recipient – A natural or legal person, public authority, agency, or other body to whom personal data is disclosed, regardless of whether it is a third party. However, public authorities receiving personal data for the purpose of a specific investigation under EU or Member State law are not considered recipients; the processing of such data by these public authorities is subject to applicable data protection rules based on the processing purposes.
1.17. Constitution – The Constitution of the Republic of Latvia (adopted by the Latvian Constitutional Assembly on February 15, 1922, and effective as of November 7, 1922).
1.18. International Organization – As defined in Article 4(26) of the Data Regulation, an international organization is an organization and its subordinate structures that are subjects of international public law, or any other body established by an agreement between two or more countries or based on such an agreement.
1.19. Statutes – Statutes of the “Baltic Centre for Media Excellence,” unified registration number 40008244518, dated September 3, 2018.
1.20. Third Party – A natural or legal person, public authority, agency, or body which is not the data subject, controller, processor, or a person authorized to process personal data under the direct authority of the controller or processor.
1.21. Health Data – Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveals information about their health condition.
1.22. The terms and legal definitions used in these regulations correspond to those in the Data Regulation, especially those in Article 4, as well as the terminology used in other applicable laws in the field of privacy and personal data processing.
2. GENERAL PROVISIONS
2.1. Purpose of Personal Data Processing and Protection Rules
2.1.1. The purpose of these rules is to establish the internal procedure for the processing and protection of personal data in the association, in accordance with the principles of data protection, as well as to determine the relevant technical and organizational requirements. These rules specify the purposes for which BCME collects personal data, provide information about the volume of data and data processing periods, as well as the rights of data subjects and opportunities for cooperation in the field of personal data protection.
2.1.2. When processing personal data, BCME complies with the applicable legal acts of the Republic of Latvia, the Data Regulation, as well as other applicable regulatory legal acts in the field of privacy and personal data processing.
2.1.3. These rules apply to any natural person whose personal data is processed by BCME, and they apply to the processing of personal data regardless of the format in which the data subject or any other natural person has provided the personal data: through BCME’s website, by email, in paper format, or by phone.
2.1.4. BCME’s cookie policy is available on the association’s website in the “About Us” section under “Use of Cookies on the website bcme.eu.”
2.1.5. Identity and contact information of the data controller: the association “Baltic Centre for Media Excellence,” unified registration number 40008244518; legal address: Palasta Street 5-1, Riga, Latvia, LV-1050; email address: info@bcme.eu; website address: www.bcme.eu.
2.1.6. For contact with BCME’s data protection specialist, the email address info@bcme.eu is used. The association’s data protection specialist carries out the tasks referred to in Article 39 of the Data Regulation and provides general information about the processing of personal data by the association in accordance with these rules.
2.2. Data Processing Principles and Purposes
2.2.1. BCME processes personal data lawfully, fairly, and transparently (“lawfulness, fairness, and transparency”). Personal data is collected for specified, legitimate purposes, and further processing is not done in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes under Article 89(1) of the Data Regulation is not considered incompatible with the original purposes.
2.2.2. In its professional activities, BCME ensures that the processing of personal data is adequate, relevant, and limited to what is necessary for the purposes for which the data are processed. The data are accurate and, where necessary, kept up to date; reasonable steps are taken to ensure that inaccurate personal data, considering the purposes for which they are processed, are erased or corrected without delay (“accuracy”).
2.2.3. Personal data at BCME are stored in a form that permits identification of data subjects, for no longer than is necessary for the purposes for which the data are processed. Personal data may be stored longer if they are processed only for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes under Article 89(1) of the Data Regulation, provided that appropriate technical and organizational measures are taken to protect the rights and freedoms of the data subject.
2.2.4. BCME processes personal data in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (“integrity and confidentiality”).
2.2.5. The association, as the data controller, is responsible for compliance with the personal data processing principles set out in sections 2.2.1, 2.2.2, 2.2.3, and 2.2.4, in accordance with the Data Regulation, the Personal Data Processing Act, and other relevant regulatory acts applicable to the association.
2.2.6. BCME processes the following types of personal data for the following purposes:
2.2.6.1. Name, surname, gender, date of birth, contact information, work experience, education (including courses and certificates), language skills, and other information that the data subject wishes to provide to the association – to ensure the conduct of personnel selection processes and to safeguard its legal interests related to personnel selection;
2.2.6.2. Name, surname, gender, date of birth, contact information – to ensure quality support for the media, promoting the training and improvement of knowledge and skills for journalists, other media professionals, and media organizations in the Baltic states and other countries;
2.2.6.3. The data subject’s photograph or video material, including voice, exclusively with the data subject’s consent, taken during training, knowledge and skills improvement conferences, and other events organized by BCME, used to achieve the objectives defined in the Statutes – to promote quality media, support the training of journalists, improve their knowledge and skills in the Baltic states and beyond, support press and speech freedom, and encourage professional discussions among journalists on media issues, including but not limited to journalism ethics (for distribution on the association’s website, social media, informational materials, press releases, etc.);
2.2.6.4. Name, surname, personal code, contact information – to comply with the reporting and accounting requirements for EU projects and international organizations, including other international non-governmental organizations and other internationally co-financed projects, and to prepare invoices, cooperation agreements, and other necessary documents;
2.2.6.5. Name, surname, personal code, address, contact information, and any other information provided voluntarily by the data subject that is needed to fulfill the objectives set forth in the Statutes – to send, with the data subject’s consent, information about the association’s training and other relevant information in accordance with that consent.
2.3. Legal Basis for Personal Data Processing
2.3.1. The overarching purpose for BCME’s personal data processing is to fulfill the goals defined in the association’s Statutes, supporting quality media by promoting the training and enhancement of knowledge and skills for journalists, other media professionals, and media organizations in the Baltic states and beyond, supporting press and speech freedom, fostering professional exchanges among journalists on media-related issues, including but not limited to journalism ethics, as well as identifying, compiling, and distributing information on the training needs and offerings of relevant media in the Baltic states and elsewhere. This includes the development of training programs tailored primarily for Baltic media, the creation of course modules intended for the Eastern Partnership, and addressing other media-related training and education issues, as determined by the BCME General Assembly, the Board, or those delegated by them, in accordance with Section 2.2 of the association’s Statutes and the legal framework outlined in the applicable regulations.
2.3.2. The purpose of processing personal data for staff recruitment and the protection of legal interests related to recruitment:
2.3.2.1. The processing of the data subject’s personal data as an applicant is necessary to fulfill obligations toward the association as well as legal interests and obligations related to the data subject, including the fulfillment of legal duties outlined in the Labor Law, the regulation of labor relations, tax, and accounting matters, and other legal requirements.
2.3.2.2. Upon receiving the data subject’s application as a candidate, BCME has a legitimate interest in processing the application, evaluating the information provided, organizing interview procedures, conducting interviews, and securing evidence to ensure the lawful conduct of the recruitment process. In case of dispute, information obtained during the recruitment process may be used to demonstrate the lawful conduct of the process; with the data subject’s consent, the data may also be used for potential future professional collaboration with BCME.
2.3.3. The purpose of processing personal data to support quality media by promoting training and skill enhancement for journalists, other media professionals, and media organizations in the Baltic states and other countries:
2.3.3.1. The processing of the data subject’s personal data is necessary to foster and ensure the high-quality promotion of:
2.3.3.1.1. The right to freedom of speech as outlined in Article 100 of the Constitution of the Republic of Latvia, which includes the right to freely acquire, retain, and disseminate information, express opinions, and promote understanding and support for the prohibition of censorship in the field of professional journalism, media, and media organizations (training activities);
2.3.3.1.2. The right to freedom of belief and expression as outlined in Article 19 of the Universal Declaration of Human Rights, which includes the freedom to adhere to one’s beliefs and the freedom to seek, receive, and disseminate information and ideas through any means, regardless of national boundaries, and to promote understanding and support for this in the field of professional journalism, media professionals, and media organizations (training activities);
2.3.3.1.3. The right to freely adhere to one’s beliefs and express opinions as outlined in Article 19 of the International Covenant on Civil and Political Rights, which includes the freedom to seek, receive, and disseminate various types of information and ideas across national borders, orally, in writing, through the press, or through artistic expressions, or by other means of one’s choice, promoting understanding and support for this in the field of professional journalism, media professionals, and media organizations (training activities);
2.3.3.1.4. The right to freedom of expression as outlined in Article 10 of the European Convention on Human Rights, which includes the right to hold opinions and receive and disseminate information and ideas without interference by public authorities and across national borders, promoting understanding and support for this in the field of professional journalism, media professionals, and media organizations (training activities);
2.3.3.1.5. The right to freedom of the press and other mass media as outlined in the Press and Other Mass Media Act, the Law on Public Electronic Media and Their Management, and other relevant regulations, promoting understanding and support for this in the field of professional journalism, media professionals, and media organizations (training activities).
2.3.4. For the processing of the data subject’s photograph or video, including voice, taken exclusively with the data subject’s consent during training, skill-enhancing conferences, and other events organized by BCME to achieve the goals set in the Statutes, the legal basis is the data subject’s consent.
2.3.5. The processing of personal data for the purpose of fulfilling reporting and accounting obligations for EU and international organizations, including other international non-governmental organizations and other internationally co-financed projects, is legally based on the obligations outlined in the Accounting Law and the relevant regulatory acts in the fields of accounting and taxation.
2.3.6. For the processing of personal data in order to send the data subject information about training within the association’s competence, as well as other relevant information, in accordance with their expressed consent, the legal basis is that consent.
2.4. Obligation to Inform the Data Subject
2.4.1. BCME informs the data subject about the processing of personal data:
2.4.1.1. Through written documentation on personal data processing and protection available on its website at www.bcme.eu, which can be provided in paper format or made accessible to a broader audience by placing it in the premises of the association or an event organized by the association, where the data subjects are present.
2.4.1.2. Through verbal communication, when the information is provided in person by an employee or representative of the association, or when automated or pre-recorded information is provided.
2.4.1.3. Information provided “in the real world” – the association can use visible signs with information, public notices, public information campaigns, or announcements in newspapers or the media for the convenience and awareness of data subjects.
2.4.2. If the data subject’s personal data is collected from the data subject, BCME, as the controller, provides the following information at the time of data collection:
2.4.2.1. The identity and contact information of the controller and, where applicable, the representative of the controller;
2.4.2.2. Where applicable, the contact information of the data protection officer;
2.4.2.3. The purposes for which the personal data are intended, as well as the legal basis for processing;
2.4.2.4. The legitimate interests of the controller or a third party, if the processing is based on Article 6(1)(f) of the GDPR (processing is necessary for the legitimate interests of the controller or a third party, except where such interests are overridden by the data subject’s interests or fundamental rights and freedoms which require protection of personal data, particularly when the data subject is a child);
2.4.2.5. Processing is necessary for the legitimate interests of the controller or a third party, except where the data subject’s interests or fundamental rights and freedoms that require protection of personal data outweigh such interests, particularly if the data subject is a child;
2.4.2.6. The recipients or categories of recipients of the personal data, if any;
2.4.2.7. Where applicable, information that the controller intends to transfer personal data to a third country or international organization, and information on whether there is an adequacy decision by the European Commission, or – in the case of transfers under Articles 46 or 47 or the second part of Article 49(1) of the GDPR – reference to appropriate or suitable safeguards and information on how to obtain a copy of the data or where it has been made available.
2.4.3. In addition to the information provided under point 2.4.2 of these regulations, BCME provides the following additional information to the data subject at the time of data collection, which is necessary to ensure fair and transparent processing:
2.4.3.1. The period for which the personal data will be stored, or, if this is not possible, the criteria used to determine that period;
2.4.3.2. The data subject’s rights to request access to their personal data and to rectify or erase it, or to restrict processing concerning the data subject, as well as the right to object to processing, and the right to data portability;
2.4.3.3. If processing is based on Article 6(1)(a) of the GDPR (the data subject has given consent to the processing of their personal data for one or more specific purposes) or Article 9(2)(a) of the GDPR (processing of special categories of personal data with the data subject’s consent and the legal basis for processing such data in the respective country), the data subject has the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
2.4.3.4. The right to lodge a complaint with a supervisory authority;
2.4.3.5. Information on whether the provision of personal data is required by law or contract, or if it is a condition for entering into a contract, and information on whether the data subject is obliged to provide personal data and the consequences of failing to provide such data;
2.4.3.6. The existence of automated decision-making, including profiling, as referred to in Article 22(1) and (4) of the GDPR, and – at least in those cases – meaningful information about the logic involved, as well as the significance and the anticipated consequences of such processing for the data subject.
2.4.4. If the controller intends to process personal data for a different purpose than the one for which it was collected, it informs the data subject about the new purpose and provides all relevant additional information as described in point 2.4.3 of these regulations. Points 2.4.2, 2.4.3, and 2.4.4 do not apply if and to the extent that the data subject already has the relevant information.
2.4.5. If the personal data are not obtained from the data subject, the controller provides the following information to the data subject:
2.4.5.1. The identity and contact details of the controller and, where applicable, the controller’s representative;
2.4.5.2. Where applicable, the contact details of the data protection officer;
2.4.5.3. The purposes for which the personal data are intended, as well as the legal basis for processing;
2.4.5.4. The categories of personal data concerned;
2.4.5.5. The recipients or categories of recipients of the personal data, if any;
2.4.5.6. Where applicable, information that the controller intends to transfer personal data to a third country or international organization, and information on whether there is an adequacy decision by the European Commission, or – in the case of transfers under Articles 46 or 47 or the second part of Article 49(1) of the GDPR – reference to appropriate or suitable safeguards and information on how to obtain a copy of the data or where it has been made available.
2.4.6. In addition to the information provided in point 2.4.5 of these regulations, BCME provides the following additional information to the data subject at the time of data collection, which is necessary to ensure fair and transparent processing:
2.4.6.1. The period for which the personal data will be stored, or, if this is not possible, the criteria used to determine that period;
2.4.6.2. The data subject’s rights to request access to their personal data and to rectify or erase it, or to restrict processing concerning the data subject, as well as the right to object to processing, and the right to data portability;
2.4.6.3. If processing is based on Article 6(1)(a) of the GDPR (the data subject has given consent to the processing of their personal data for one or more specific purposes) or Article 9(2)(a) of the GDPR (processing of special categories of personal data with the data subject’s consent and the legal basis for processing such data in the respective country), the data subject has the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
2.4.6.4. The right to lodge a complaint with a supervisory authority;
2.4.6.5. Information on whether the provision of personal data is required by law or contract, or if it is a condition for entering into a contract, and information on whether the data subject is obliged to provide personal data and the consequences of failing to provide such data;
2.4.6.6. The existence of automated decision-making, including profiling, as referred to in Article 22(1) and (4) of the GDPR, and – at least in those cases – meaningful information about the logic involved, as well as the significance and the anticipated consequences of such processing for the data subject.
2.4.7. The controller provides the information described in points 2.4.5 and 2.4.6 of these regulations:
2.4.7.1. Within a reasonable period after the personal data have been obtained, but no later than one month, taking into account the specific circumstances in which the personal data are processed;
2.4.7.2. If the personal data are to be used for communication with the data subject – no later than when the first communication with that data subject takes place; or
2.4.7.3. No later than when the personal data are disclosed for the first time, if they are to be disclosed to another recipient.
2.4.8. If the controller intends to process personal data for a different purpose than the one for which it was collected, the controller informs the data subject about the new purpose and provides all relevant additional information as described in point 2.4.6 of these regulations.
2.4.9. The provisions of points 2.4.5, 2.4.6, 2.4.7, and 2.4.8 do not apply if and to the extent:
2.4.9.1. The information is already in the possession of the data subject;
2.4.9.2. It turns out that providing such information is not possible or would require disproportionate efforts; especially concerning processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, in accordance with the conditions and guarantees set out in Article 89(1) of the GDPR, or to the extent that the obligations set out in point 2.4.5 of these regulations would prevent or significantly hinder the achievement of the processing objectives. In such cases, the controller takes appropriate measures to protect the data subject’s rights, freedoms, and legitimate interests, including making the information publicly available;
2.4.9.3. The collection or disclosure is expressly provided for by EU or EU Member State law applicable to the controller and which provides for specific conditions for data protection, including the legal basis for processing personal data; or
2.4.9.4. The processing is necessary to maintain the confidentiality of personal data in accordance with the duty to preserve official secrets, regulated by EU or Member State laws, including a statutory obligation to maintain confidentiality.
2.5. Ensuring the Rights of the Data Subject
2.5.1. The data subject has the right to receive confirmation from BCME as to whether or not personal data concerning them is being processed, and if so, the data subject has the right to access the relevant data and receive the following information:
2.5.1.1. The purposes of the processing;
2.5.1.2. The categories of personal data concerned;
2.5.1.3. The recipients or categories of recipients to whom the personal data have been or will be disclosed, particularly recipients in third countries or international organizations;
2.5.1.4. Where possible, the envisaged period for which the personal data will be stored, or, if that is not possible, the criteria used to determine that period;
2.5.1.5. The fact that the data subject has the right to request from the controller the correction or deletion of their personal data, or the restriction of processing, or to object to such processing;
2.5.1.6. The right to lodge a complaint with a supervisory authority;
2.5.1.7. All available information about the data source if the personal data was not collected from the data subject;
2.5.1.8. The fact that automated decision-making, including profiling, as referred to in Article 22(1) and (4) of the Data Regulation, exists, and – at least in the specified cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2.5.2. If personal data is transferred to a third country or an international organization, the data subject has the right to receive information about the appropriate safeguards applied in relation to the data transfer in accordance with Article 46 of the Data Regulation.
2.5.3. BCME provides a copy of the personal data being processed. For any additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject requests the information electronically, and unless the data subject requests otherwise, the information will be provided in a widely used electronic format. The right to obtain the copy mentioned in this subparagraph shall not adversely affect the rights and freedoms of other persons.
2.5.4. The data subject has the right to request that the association rectify any inaccurate personal data without undue delay. Considering the purposes of the processing, the data subject has the right to request that incomplete personal data be completed, including by providing a supplementary statement.
2.5.5. The data subject has the right to request that BCME erase their personal data without undue delay (the “right to be forgotten”), and the association, as the controller, is obliged to erase personal data without undue delay if the conditions set out in Article 17 of the Data Regulation are met.
2.5.6. In accordance with the provisions of Article 18 of the Data Regulation, the data subject has the right to request that the association, as the controller, restrict the processing of personal data, and in accordance with Article 19 of the Data Regulation, the data subject has the right to data portability to another controller.
2.5.7. The association, as the controller, informs each recipient to whom personal data has been disclosed about any rectification or deletion of personal data or restriction of processing carried out in accordance with Articles 16, 17, and 18 of the Data Regulation, unless this proves impossible or involves disproportionate effort. BCME will inform the data subject about such recipients if requested by the data subject.
3. TECHNICAL AND ORGANIZATIONAL REQUIREMENTS
3.1. Processing, Protection, and Storage of Personal Data
3.1.1. For the protection of data subjects’ data, BCME uses various technical and organizational security measures. BCME stores data securely, and it is accessible only to a limited number of people, specifically authorized personnel.
3.1.2. The recipients of personal data are BCME and its authorized persons, the data subject themselves, processors, law enforcement or supervisory authorities, and the court in the cases and procedures stipulated by legal regulations.
3.1.3. The period for which personal data will be stored or, if this is not possible, the criteria used to determine that period:
3.1.3.1. Information obtained during the personnel selection process is stored, fully or partially, for no longer than 2 (two) years for job applicants, to safeguard the association’s legal interests. In the event that the association receives complaints about the specific personnel selection process, all information processed during the personnel selection process will be retained for as long as necessary for that process.
3.1.3.2. The data subject’s name, surname, gender, personal code, contact information, and other information as provided by these regulations are stored for no longer than 1 (one) year, or for a longer period if this is required by special regulatory legal requirements, if the data subject has given consent, or in accordance with the requirements of these regulations.
3.1.3.3. The criteria for determining the storage period of personal data are as follows:
3.1.3.3.1. As long as the data subject or the association can exercise their legitimate interests under external regulatory legal acts (for example, dispute resolution, legal protection, addressing issues, filing claims in court, or observing the statute of limitations, etc.);
3.1.3.3.2. As long as either party has a legal obligation to store the data. After the criteria mentioned in this subparagraph are no longer applicable, personal data is deleted or destroyed, or transferred for storage to the state archive in accordance with the requirements of regulatory legal acts.
3.2. Technical Measures for Data Protection
3.2.1. Taking into account the level of technology, implementation costs, and the nature, scope, context, and purposes of processing, as well as the various possibilities and severity levels of risks to the rights and freedoms of natural persons, BCME implements appropriate technical and organizational measures to ensure a security level appropriate to the risk, including, where applicable, among other things:
3.2.1.1. Pseudonymization of personal data (replacing any information that could identify a person with a pseudonym or value that prevents direct identification of the person) and encryption;
3.2.1.2. The ability to ensure the continuous confidentiality, integrity, availability, and resilience of processing systems and services;
3.2.1.3. The ability to restore access to and availability of personal data in a timely manner in the event of a physical or technical incident;
3.2.1.4. Regular testing, evaluation, and assessment of the effectiveness of technical and organizational measures to ensure processing security.
3.2.2. In its operations, BCME implements the technical protection of personal data using physical and logical protection measures, ensuring protection against threats from physical impacts as well as logical protection, including through software tools, passwords, encryption, cryptography, and other logical security measures.
3.2.3. The association takes measures to ensure that any natural person acting under the controller’s or processor’s authority and having access to personal data does not process the data without the controller’s instructions.
3.2.4. Where photographs and videos are taken at events organized by BCME (training, conferences, seminars, and other events):
3.2.4.1. The association places an informational notice in the event venue and premises before the data subject enters the area where photography or filming will take place. The controller informs the data subject about the processing of personal data, placing the information sign in a visible location, indicating the purpose of processing personal data, the name and contact information of the controller, the legal basis, and information about where more detailed information on personal data processing can be found; or
3.2.4.2. Informational materials (invitation, press release, poster, etc.) about the event include a notice that photography and filming will take place;
3.2.4.3. The event participant’s questionnaire includes a specific checkbox where the visitor agrees to the processing of their personal data during the event;
3.2.4.4. At larger events and conferences, a separate area within the venue is designated where visitors who do not wish to be photographed or filmed can sit and gather. Special attention is given when children participate in the event—photography and filming require parental consent in such cases.
3.2.5. The association may maintain a public photo and video archive, for example, on the association’s Facebook page, but photographs and video materials must be taken considering all the previously mentioned aspects: event participants are informed about photography and filming and do not object to the use of photographs and videos for publicity purposes; signs about photography and filming are placed in the venue; notices in media and invitations indicated that photography and filming will take place during the event.
3.2.6. Personal data is stored and processed according to the association’s internal IT rules on an appropriate system server or in another manner that complies with the Data Regulation requirements. If wireless data transmission is used, security measures must be ensured (e.g., if a wireless network is intended for use by specific end devices, it is crucial to bind the MAC addresses of these end devices to the wireless router and prevent other devices from connecting to the router) to avoid interruptions in data transmission, ensure the data is stored for the required period, and prevent data from being intercepted.
3.2.7. BCME ensures the physical security of personal data records obtained so that unauthorized persons cannot access them, for example by applying individual passwords to employees’ computers and systems. The responsible person organizes regular IT maintenance to ensure high-quality functionality of IT systems and software. Data backups must be ensured with the same security and protection level as the primary data.
3.2.8. Access to personal data and its lawful disclosure must be ensured in a manner that identifies the person who viewed or was provided with the personal data, as well as the identity of such recipients of the personal data.
3.2.9. If other persons (e.g., cooperation partners, processors, cloud storage, CRM tools) are involved in personal data processing, the association ensures control over each party’s theoretical and practical access to personal data. In such cases, the rights and obligations of each party in data protection are evaluated and contractually and technically specified according to the provisions of the Data Regulation.
3.2.10. Taking into account the level of technology, implementation costs, and the nature, scope, context, and purposes of processing, as well as the various possibilities and seriousness of risks to the rights and freedoms of natural persons resulting from processing, the controller implements appropriate technical and organizational measures, both for the identification of processing tools and during the processing itself, to effectively apply data protection principles, such as data minimization, and to integrate necessary guarantees to fulfill the Data Regulation requirements and protect the data subject’s rights.
3.2.11. The association implements appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each specific processing purpose is processed. This obligation applies to the volume of collected personal data, the degree of processing, the storage period, and the availability of the data. Specifically, such measures ensure that, by default, personal data is not made available to an indefinite number of natural persons without the involvement of the data subject.
3.3. Training Program or Plan for Employees
3.3.1. BCME systematically and at least once per calendar year ensures the successful implementation of training for its employees and direct representatives in the area of personal data processing and protection.
3.3.2. The obligation outlined in point 3.3.1 of these regulations may be implemented in cooperation with the Inspectorate, BCME employees, and direct representatives, using the training functionalities available on the Inspectorate’s website at www.dvi.gov.lv.
4. RESPONSIBILITY OF THE PARTIES INVOLVED IN THE DATA PROCESSING PROCESS
4.1. If two or more controllers jointly determine the purposes and means of processing, they are joint controllers. Joint controllers shall clearly define their respective responsibilities to fulfill the obligations set forth by the Data Regulation, especially regarding the exercise of data subject rights and the joint controllers’ respective obligations to provide the information specified in Articles 13 and 14 of the Data Regulation (information that must be provided if personal data is obtained from the data subject and if the data is not obtained from the data subject); controllers shall define their duties through mutual agreement, unless and to the extent that the relevant controllers’ obligations are defined under EU or EU Member State laws applicable to the controllers. The agreement may specify a contact point for data subjects.
4.2. The agreement mentioned in point 4.1 of these regulations properly reflects the respective roles of the joint controllers and their relationships with the data subjects. The main content of the agreement shall be made available to the data subject. Regardless of the terms of this agreement, the data subject can exercise their rights with respect to and against each controller.
4.3. In cases where the processing is carried out on behalf of the controller, BCME shall use only those processors that provide sufficient guarantees that appropriate technical and organizational measures will be implemented so that the processing complies with the requirements of the Data Regulation and ensures the protection of data subject rights.
4.4. Processing carried out by a processor is governed by a contract or another legal act in accordance with EU or EU Member State laws, binding on the processor and the controller, which specifies the subject matter and duration of the processing, the nature and purpose of the processing, the types of personal data, the categories of data subjects, and the duties and rights of the controller. The contract or other legal act includes the conditions provided in Article 28 of the Data Regulation.
4.5. BCME cooperates with the Inspectorate upon request and as necessary in the execution of its tasks.
5. MANAGEMENT OF PERSONAL DATA PROTECTION BREACHES
5.1. Types of Breaches and Detection
5.1.1. In the event that, despite implemented security measures, there is accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data that has been sent, stored, or otherwise processed, a personal data protection breach has occurred. Breaches can be categorized according to the three widely recognized principles of information security:
5.1.1.1. Confidentiality incident – where there has been unauthorized or accidental disclosure or access to personal data;
5.1.1.2. Integrity incident – where unauthorized or accidental changes to personal data have occurred;
5.1.1.3. Availability incident – where there has been accidental or unauthorized loss of access to personal data, or personal data has been destroyed.
5.1.2. The controller’s (and also the processor’s) actions in the case of each individual breach are related to the possible risks to the rights and freedoms of individuals that may occur as a result of the breach. Therefore, for each identified breach, immediately after or simultaneously with logical technical steps (e.g., addressing the causes of unlawful access), an assessment of the potential risks to the rights and freedoms of the affected individuals must be carried out.
5.2. Breach Assessment and Notification
5.2.1. If it is determined that the breach may pose a high risk to the rights and freedoms of an individual:
5.2.1.1. The association must notify the affected individuals without undue delay (Article 34 of the Data Regulation);
5.2.1.2. The association must notify the Inspectorate of the breach within 72 (seventy-two) hours in accordance with the procedures set out in Article 33 of the Data Regulation. If notification is delayed, the reasons for the delay must be explained;
5.2.1.3. The causes of the breach must be thoroughly investigated, and measures must be taken to prevent repeated breaches in the long term.
5.2.2. If it is determined that the breach is likely to pose risks to the rights and freedoms of an individual:
5.2.2.1. The association must notify the Inspectorate of the breach within 72 (seventy-two) hours in accordance with the procedures set out in Article 33 of the Data Regulation. If notification is delayed, the reasons for the delay must be explained;
5.2.2.2. The causes of the breach must be thoroughly investigated, and measures must be taken to prevent repeated breaches in the long term.
5.2.3. If it is determined that the breach is unlikely to pose a risk to the rights and freedoms of an individual, the causes of the breach must be thoroughly investigated, and measures must be taken to prevent repeated breaches in the future.
5.3. Incident Recording Register and Processing Activity Register
5.3.1. The association documents all personal data protection breaches, specifying facts related to the personal data breach, its consequences, and corrective actions taken. This documentation allows the Inspectorate to verify compliance with Article 33 of the Data Regulation.
5.3.2. If necessary, the association ensures the creation of a personal data processing register to ensure the transparency of the personal data processing carried out. Such a register must be created by all companies and organizations that employ more than 250 (two hundred fifty) persons. If fewer than 250 (two hundred fifty) persons are employed, the creation of a register is not mandatory unless the organization’s data processing is regular, involves special categories of data (e.g., information about a person’s political beliefs), or includes personal data on criminal convictions and offenses, or poses risks to the rights and freedoms of individuals.
6. ASSESSMENT OF IMPACT ON DATA PROTECTION
6.1. If the type of processing, especially using new technologies and considering the nature, volume, context, and purposes of the processing, could result in a high risk to the rights and freedoms of individuals, the controller must carry out an assessment before processing to evaluate how the planned processing activities will affect personal data protection. A single assessment can address a set of similar processing activities that present similar high risks.
6.2. According to Article 35(4) of the Data Regulation, on December 18, 2018, the Inspectorate approved a list of processing activities for which a data protection impact assessment (DPIA) must be conducted. Based on this list and its scope of activities, the Association ensures compliance with the obligation set out in subparagraph 6.1 of this regulation.
7. APPOINTMENT OF A DATA PROTECTION SPECIALIST
7.1. The data protection specialist is a person with specific knowledge in data protection law and the practical application of data protection. Their primary role is to provide an independent opinion on the compliance of the Association’s planned or already implemented personal data processing activities with the Data Regulation and other relevant legal acts using their specialized knowledge.
7.2. The controller ensures that the data protection specialist is properly and promptly involved in all matters relating to personal data protection. Regardless of the recommendations provided by the data protection specialist, the Association is responsible for personal data processing and related matters, but the data protection specialist is directly accountable to the senior management of the controller or processor.
7.3. Data subjects, including the employees of the Association, may contact the data protection specialist regarding any issues related to the processing of their personal data and the exercise of their rights under this regulation. The data protection specialist is bound by confidentiality or secrecy requirements in relation to their tasks, as stipulated in EU or national legislation.
7.4. The data protection specialist may perform other tasks and duties. The controller ensures that none of these tasks and duties create a conflict of interest. The tasks of the data protection specialist are specified in Article 39 of the Data Regulation.
7.5. The Association may appoint a data protection specialist on the basis of an employment contract or an outsourcing agreement:
7.5.1. A specialist who has passed the data protection specialist qualification exam and is included in the list of data protection specialists maintained by the Inspectorate;
7.5.2. A specialist who is not included in the list but has appropriate practical and theoretical knowledge in the field of data protection.
7.6. Following the appointment or dismissal of the data protection specialist, the Association is obliged to inform the Inspectorate of the appointment or dismissal in the manner prescribed by the relevant regulations, providing the specialist’s name, surname, and contact details (at least a phone number or email address). When appointing a data protection specialist, their contact details must also be made available to the data subjects whose data the organization processes.
8. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES AND INTERNATIONAL ORGANIZATIONS
8.1. The person who transfers personal data to a third country must ensure that appropriate guarantees for personal data protection are in place and that data subjects have the possibility to exercise their data subject rights and have access to effective legal remedies.
8.2. BCME ensures appropriate guarantees by including the requirements for personal data protection within a legally binding document (such as a contract, agreement, etc.) for both parties (both the data sender and the data recipient). This document should clearly specify the procedure for exercising data subject rights and the legal remedies available to the data subject.
8.3. A request from another country’s authorities or courts to disclose personal data is binding if it is based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the EU or one of its member states. According to information available to the Inspectorate, in such cases, the request to disclose personal data must be pursued through specific legal assistance channels, and a private individual’s request to disclose personal data will be received through the appropriate national authority or court.
8.4. The transfer of personal data may only occur in exceptional circumstances if the association meets at least one of the conditions for “Derogations in Special Situations” under Article 49 of the Data Regulation. These derogations can only be used in special situations. In any case, the association must strive to implement appropriate protective measures and use these exceptions only when such appropriate guarantees cannot be provided. Data protection authorities strictly interpret Article 49 of the Data Regulation, so the exception cannot serve as a basis for the long-term processing of personal data.
9. FINAL PROVISIONS
BCME has the right to make changes and additions to these regulations, and if necessary, publish these regulations on the association’s website under the “About Us” section, sub-section “Personal Data Protection.”