Museum Reserve

Privacy Policy of the Audio Guide Mobile Application

The purpose of this privacy policy is to provide the user (hereinafter the “User") with information about the purpose, scope, duration of the personal data processing which will be processed in accordance with the applicable law - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) ("the Regulation"), as well as in compliance with other legislation governing privacy and data processing issues.

The Controller keeps the right to review and change this Policy at any time, particularly as a result of changes in services or applicable laws and regulations, and it is the User’s responsibility to regularly check this Policy.
  1. Data Controller and Contact Details
    • The Controller of the personal data is the Turaida Museum Reserve (hereinafter the “Controller”), unified registration No 90000012776), legal address: Turaidas iela 10, Sigulda, Siguldas novads, LV-2150, telephone: +371-67971402, website: http://www.turaida-muzejs.lv/
    • The Controler’s Data Protection Officer is Jurijs Višņakovs. The contact details related to the processing of personal data issues: das@idagentura.lv.
  1. Applicable Law:
    • Regulation No. 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter "GDPR");
    • Law on Personal Data Processing (promulgated on 4 July 2018);
    • Cabinet Regulation No. 442 of 28 July 2015 "Procedures for Ensuring Compliance of Information and Communication Technology Systems with Minimum Safety Requirements".
  1. Purpose of processing personal data:
    • For establishing, recording, and maintaining internal processes, management of the document circulation, including:
      • Ensuring a reciprocal relationship between the museum and its target audience;
      • Records of the video-surveillance system;
      • Determination of the application user’s location in the territory of the Turaida Museum Reserve.
  2. Categories of personal data processed by the controller
  • The following personal data is processed for the security of the Controller's customers, visitors, and employees and for the protection of the Controller's property: 4.1.1. Website traffic data;
  • Audit trails of access control devices and alarm equipment with the employee, visitor, or subcontractor data;
  • Location of the data subject.
  1. Grounds for the collection and processing of personal data:
    • The consent of the data subject - the data subject has given his/her consent to the collection and processing of data;
    • The legitimate interests of the controller - provision of services; identification of data subjects; video surveillance for the security of employees, customers, and the controller.
  1. Sources of obtaining personal data of the data subject:
    • Data relating to the Controller's video and/or photo equipment;
    • Registration data of the data subject when registering on the mobile application “Audio Guide”.
  2. Data procession of data subject:
    • Identification of the data subject;
    • Storage of video surveillance data;
    • Determination of the location of the data subject.
  1. Processing of data subject cookies:
    • Cookies are small text files that are created and stored on the data subject's device (computer, tablet, or mobile phone) when visiting the Controller's Web sites. Cookies "remember" the User's experience and basic information, thereby improving the user-friendliness of the Web site;
    • Cookies are used to process overall User habits and Web site usage history, to diagnose problems and gaps in Web site performance, to collect statistics on the User habits, and to ensure full and convenient use of Web site functionality;
    • If the data subject does not wish to use cookies, he or she may delete them in the settings of his or her browser, although this may cause significant disruption and difficulty in using the Web site. It is possible to delete the stored cookies by deleting the stored cookie history in the browser’s settings section of the device.
  1. Data Retention:
    • From the moment of connection to the service until the moment of disconnection of the service in the mobile application.
    • Data from video surveillance systems shall be stored for 30 days.
  1. Sharing and disclosure of personal data of the data subject:
    • The data transfer to third countries is not intended.
    • The Controller may, in order to comply with regulatory enactments, share data of the data subject with State and Local Government Authorities, Law Enforcement Authorities, Court or other authorities.
    • The Data Controller will only release data to the extent required by applicable laws and regulations, including the GDPR and the Law on the Processing of Personal Data.
  1. Protection of personal data of the data subject:
    • The Controller shall protect the data subject's data against unauthorized access, accidental loss, disclosure, or destruction. To ensure this, the Controller shall use modern technological opportunities, taking into account existing privacy risks and organizational requirements, including the use of firewalls, intrusion, detection and analytical software, as well as SSL encryption and anonymization;
    • The Controller shall scrutinize all Processors and Sub-processors that process the personal data of data subject on the Controller's behalf; the Controller shall assess whether appropriate security measures are implemented, whether data processing is carried out as delegated by the Controller, whether it is carried out in accordance with applicable laws and regulations and data protection requirements and standards.
    • Processors and Sub-processors do not have the right to process the Controller's data for their purposes;
    • The Controller shall not be liable for any unauthorized access to personal data of data subject or their loss if they are not within the competence of the Controller, for example, due to the fault or negligence of the data subject.
  1. The logic of profiling:
    • The Controller shall not take any automated decisions, nor shall it carry out any profiling of personal data.
 Data subject's rights: In accordance with the applicable laws and regulations, the data subject has the following rights in the processing of his/her personal data: 
  • Right of access - the data subject has the right to request confirmation from the Controller as to whether the personal data of the data subject are being processed, as well as to request information on all personal data processed;
  • Right to rectification - if the data subject considers that information about him or her is incorrect or incomplete, he or she has the right to require that they are rectified by the Controller;
  • Objection to processing based on legitimate interests - the data subject has the right to object to the processing of personal data, processed on the basis of the legitimate interests of the Controller, except where the processing of such data is required by law;
  • Erasure - under certain circumstances, the data subject has the right to have his or her personal data erased, except where the law provides for a time limit for the retention of such data;
  • Restriction of processing - in certain circumstances, the data subject has the right to restrict the processing of his or her personal data, except where the scope of the processing is determined by law;
  • Data transfer - the data subject has the right to receive or transfer his or her personal data to another Personal Data Controller. This right includes only personal data provided to the Data Controller with the data subject's consent, on a contractual basis, or where the processing is carried out by automated means. The data subject may not exercise the right if the Controller is carrying out the processing task in the public interest or when exercising the official powers legally conferred on the Controller.
In order to exercise the above-mentioned rights, please submit a written application to the Controller or the Data Protection Officer - Jurijs Višņakovs. 
  1. Communication
In case of questions or concerns, the data subject may contact the Controller at the address: Turaidas iela 10, Sigulda, Siguldas nov., LV-2150 or the Data Protection Officer: Jurijs Višnakovs by e-mail: das@idagentura.lv If the data subject is not satisfied with the response, he or she has the right to lodge a complaint with the Data State Inspectorate of Latvia (www.dvi.gov.lv). The Controller shall be entitled to improve or update the Privacy Policy from time to time. The Controller will inform the data subject of any changes by publishing the current version of the privacy policy on the website http://www.turaida-muzejs.lv/.
    Turaida Museum Reserve