English (UK) 
Latviešu valoda State limited liability company
“Autotransporta direkcija”
Privacy policy
Issued in accordance with Regulation (EU) 2016/679
of the European Parliament and of the Council (April 27, 2016)
on the protection of natural persons with regard to the processing
of personal data and on the free movement of such data,
and repealing Directive 95/46/EC (hereinafter – the Regulation).
1. General Information
1. The state limited liability company “Autotransporta direkcija” (hereinafter referred to as ATD) is a capital company operating under the supervision of the Ministry of Transport is responsible for implementing a unified national policy in the field of passenger and freight transport. Its main activities focus on public transport – passenger transport by bus and train, the issuance of licenses for commercial freight and passenger transport, and the issuance of permits for international transport operations.
2. The entity acting as the controller in the personal data processing process is ATD, unified registration No. 40003429317, legal and office address indicated on the website: www.atd.lv in the section "About us" subsection "Contacts and details”.
3. The controller's contact details for issues concerning data processing are:
3.1. phone: +37167280485;
3.2. e-mail: info@atd.lv.
4. A personal data protection specialist participates in ensuring the compliance of ATD personal data processing. Contact details of the data protection specialist: phone: +37167356019, e-mail: DAS@atd.lv.
5. The purpose of the ATD privacy policy (hereinafter referred to as the Policy) is to provide information to the Customer and ATD employees and officials (hereinafter referred to as Employees) about the purpose, legal basis, scope, protection, and processing period of personal data during data collection and subsequent processing activities.
6. The policy applies to data processing regardless of the form or environment in which the ATD Customer or Employee provides personal data.
7. Every Employee must immediately report any incident that may constitute a data protection breach to the data protection specialist or to report it to another controller's contact information for issues concerning data processing. The reporter should describe the actual situation in an email or phone call and give as much detail as possible about the incident (what happened, what categories of personal data are affected, what could indicate a personal data breach, etc.).
8. The policy applies to the processing of customer personal data carried out by ATD and to the processing of personal data carried out by ATD in the field of personnel management.
9. Personal data is any information about an identified or identifiable person – an ATD Customer or Employee.
10. For the purposes of this policy, a customer is a natural or legal person who expresses a desire to purchase, purchases or could purchase, uses or could use the services provided by ATD; visits ATD premises and employees; uses the ATD website or electronic service portal https://e.atd.lv; concludes a business or other type of contract; is included in documents or notifications arising from a contract concluded with a legal entity or other legal entity (e.g., the person responsible for the performance of the contract) or other type of legal relationship (e.g., the contact person responsible for procurement, technical expert).
2. Principles of processing personal data of customers and employees
11. Legality, fairness, and transparency – personal data is processed in accordance with the requirements of regulatory enactments and, taking into account the legal basis for personal data processing, in good faith and by establishing measures to inform the Customer or Employee about the personal data processing that has been carried out.
12. Purpose limitation – personal data is collected only in accordance with pre-defined data processing purposes.
13. Data minimization – the amount of personal data to be processed is assessed and necessary to achieve the specified purpose.
14. Accuracy – personal data is as accurate as possible, and measures are put in place to ensure that personal data can be updated, corrected or deleted if necessary, considering the purposes for which it is processed. The term "erasure" also means the physical destruction or anonymization of data.
15. Storage limitation – deadlines or criteria are set for the storage of personal data in accordance with the procedure established by the ATD (for example, in accordance with the approved case nomenclature), the requirements of regulatory enactments (e.g., in the field of accounting, electronic communications, transport services, archives, as well as in relation to the statute of limitations), but no longer than is necessary to achieve the specified data processing purposes and to fulfill the legitimate interests and legal obligations of the ATD. After the end of the personal data storage period, the Customer's or Employee's data is deleted, destroyed or anonymized.
16. Integrity and confidentiality – the processing of personal data ensures the accuracy and security of personal data, including by assessing and implementing appropriate technical or organizational measures to reduce security risks and protect against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
3. Purposes and legal basis for processing personal data
17. ATD processes personal data for the following purposes:
17.1. providing services, including electronic services on the portal https://e.atd.lv, and administration;
17.2. performance and management of administrative tasks and duties assigned by the state;
17.3. ensuring the normal daily operation of the ATD in accordance with regulatory requirements and operational strategy, including in personnel management;
17.4. concluding economic agreements and monitoring their implementation;
17.5. for reviewing applications;
17.6. to provide information to third parties. ATD may transfer personal data to third parties in the following cases:
17.6.1. to perform the functions or tasks specified in external regulatory enactments, or to perform the tasks of the competent authority;
17.6.2. to persons specified in external regulatory enactments upon their justified request, in accordance with the procedure and to the extent specified in these regulatory enactments;
17.6.3. to protect the legitimate interests of the ATD or third parties;
17.6.4. in accordance with the clear and unambiguous consent of the Customer and the Employee.
18. ATD processes the Customer's personal data based on the following legal grounds:
18.1. compliance with regulatory acts – to fulfill the legal obligations set out in external regulatory acts binding on ATD;
18.2. legitimate interests – to fulfill the obligations existing between ATD and the Customer, ATD and the Employee, the concluded contract or the legitimate interests of ATD specified in regulatory enactments;
18.3. conclusion and performance of a contract – to conclude a contract and ensure its performance;
18.4. in accordance with the consent of the Customer or Employee (Data Subject) – freely given, specific, informed and unambiguous action by which he or she, by means of a statement or clear affirmative action, gives consent to the processing of his or her personal data.
4. Processing and protection of personal data
19. Customer and Employee personal data is processed in accordance with confidentiality requirements and with care for the security of data held by ATD. As a controller, ATD uses various security measures to prevent unauthorized access to your data, disclosure of data, or other inappropriate use of personal data.
20. Proper data processing, storage, and data integrity with an appropriate level of security are ensured. ATD uses proportionate and appropriate physical, technical, and administrative procedures and means to protect the personal data collected and processed by ATD. The security measures implemented are continuously improved in accordance with the security requirements, taking into account the appropriate data protection security measures and to the extent necessary for the purposes of data processing.
21. We implement personal data protection through data encryption tools, firewall protection, and other data network security breach detection solutions.
22. ATD personal data processors shall ensure data confidentiality and implement appropriate technical and organizational measures to protect personal data from unauthorized access, unlawful processing, disclosure, accidental loss, dissemination or destruction, by taking appropriate data protection security measures and to the extent necessary for the purposes of data processing.
23. Personal data security measures are continuously improved and refined to increase the level of personal data protection.
24. The protection of personal data processing is carried out for:
24.1. personal data processed in information technology infrastructure (servers, local computer networks, and application software);
24.2. personal data transported in the data transmission network, if any, to ensure public order in public places, preventing disturbances and violations of public order, as well as preventing threats to personal safety;
24.3. other information systems used to ensure work, which are administered by institutions involved in ensuring the operation of the ATD;
24.4. developed, registered and circulating electronic documents containing personal data.
5. Sources of personal data collection
25. ATD obtains personal data from the Customer when performing tasks specified in regulatory enactments and providing services (for example, issuing digital tachograph cards (tachograph) cards, issuing driver certificates, registering taxi/light vehicle drivers, collecting payments, etc.). In the cases and in the manner specified in regulatory enactments, the ATD also obtains personal data from other Latvian state information systems and registers (e.g., the State Register of Vehicles and Drivers, the Register of Penalties, etc.), foreign information systems, state and local government institutions, etc.
26. ATD also obtains personal data of customers through the ATD electronic services portal https://e.atd.lv, etc.
27. ATD obtains personal data of Employees in the course of personnel management, including, but not limited to, establishing, maintaining, and terminating employment relationships, for example, selecting Employees, concluding employment contracts with the most suitable applicants/candidates, professional training and qualification improvement of Employees, overall management and administration of Employees, administration of social guarantees, examination of disciplinary cases, payment of wages, resolution of employment relationship issues, maintenance of personal files, document and archive management.
6. Video surveillance and audio recordings
28. The ATD conducts video surveillance with or without audio recording in the ATD Riga office building, including in the ATD customer service center hall, etc., as well as during online meetings.
29. Video surveillance is carried out primarily to:
29.1. ensure the protection of the legitimate interests of individual Customers and Employees by preventing violations of property rights and administrative procedural rights, possible fraud against persons, etc., as well as by identifying and preventing the presence of unauthorized persons;
29.2. monitor the activities of Employees in the performance of their duties, ensuring their legality and carrying out the tasks of public authority assigned to the ATD;
29.3 ensure the recording or preparation of minutes in the case of online meetings, using the video and/or audio recording function.
30. Information about video surveillance is communicated through warning signs placed before the video surveillance area, and online meeting participants are notified of any video and/or audio recording prior to its commencement.
31. Video surveillance is not carried out in rooms where a person expects a particularly high level of privacy (e.g., toilets, changing rooms).
32. When processing video surveillance data, the ATD, as the data controller, shall ensure that:
32.1. authorized persons have access to the technical resources used for the processing and protection of video surveillance data;
32.2. information carriers containing video surveillance data are moved, modified, transferred, copied, and otherwise processed by authorized persons;
32.3. processing of video surveillance data is carried out by authorized persons.
33. As the data controller, the ATD discloses video surveillance data in cases specified by law to state and local government institutions (police, etc.) that have been identified prior to the disclosure of the data.
7. Duration of personal data storage
34. The ATD stores and processes the personal data of the Customer and Employee as long as at least one of the following criteria applies:
34.1. if storing of the relevant data is required by regulatory enactments;
34.2. as long as it is necessary for the purposes for which the data was obtained, until the request or application of the data subject has been fully examined and/or fulfilled, or until the obligations arising from the concluded contract have been fulfilled, or as long as it is necessary for the performance of the service provided to the data subject;
34.3. as long as the ATD or the Customer and the Employee can exercise their legitimate interests in accordance with the procedure established by the applicable regulatory enactments (for example, to submit objections or to bring or pursue a claim in court);
34.4. as long as the consent of the Customer and the Employee to the relevant personal data processing is valid, if there is no other legal basis for data processing;
34.5. personal data obtained through video surveillance (video recordings) shall be stored for no longer than 30 days from the date of their acquisition.
35. When conditions arise that determine that there is no longer a legal basis for further storage of Customer and Employee data, such personal data shall be deleted or destroyed in compliance with applicable regulatory requirements .
8. Commercial announcements
36. Communication regarding commercial announcements about ATD services and other announcements not related to the provision of directly agreed services (e.g., customer surveys) shall be carried out by ATD in accordance with external regulatory enactments or with the customer's consent.
37. The Customer may give their consent to receive commercial communications from ATD in their application for ATD services or on the ATD electronic services portal https://e.atd.lv,. By leaving their contact information (e-mail, phone number), the Customer agrees that ATD may contact them using the contact information provided.
38. The customer's consent to receive commercial communications shall remain valid until it is revoked. The customer may opt out of receiving further commercial communications at any time.
39. ATD will stop sending commercial communications as soon as the customer's request to opt out has been processed. The processing time for the request depends on the deadlines set out in external or internal regulations or service terms and conditions.
9. Cookie processing
40. A cookie is a small text file that is stored on the Customer's computer or portable device when the Customer visits a website. The purpose of processing cookies is to save Customer settings, ensure the functioning of ATD websites, and collect anonymous analytical data (Customer visit statistics) to improve service quality.
41. Cookies are used to process website usage history data, diagnose problems and deficiencies in website operation, collect statistics on user habits, and ensure full and convenient use of website functionality.
42. Each Customer can check and control cookie and privacy settings in their browser, including deleting them from the browser by clearing the browsing history from all websites visited by the Customer.
10. Exercising the rights of the data subject
43. A person may submit a data request in accordance with the general procedure, asking for an explanation of what data about them is being processed and which data needs to be restricted. Such a request will be fulfilled if it is legally justified and technically feasible.
44. A person has the right to receive information about the processing of their personal data, to object to it, to request correction (including deletion), as well as to withdraw their consent to data processing and request to be "forgotten." The withdrawal of consent does not affect data processing carried out while the person's consent was valid. However, withdrawal of consent cannot affect the processing of personal data that is necessary to comply with regulatory requirements or that is based on a contract, legitimate interests, or other grounds for lawful data processing specified in regulatory enactments.
45. In implementing the above, ATD will only correct or "forget" data to the extent permitted by ATD's legitimate interests, legal obligations, or other legal grounds, if technically possible.
46. A response containing personal data or a response regarding the exercise of one's rights shall be provided to the Person only if the person has submitted a written request and has been identified in one of the following ways:
46.1. In the case of in-person identification, the person arrives at the ATD Customer Service Center or Secretariat at 30 Vaļņu Street in Riga and informs the ATD employee that they wish to receive their personal data and have arrived for in-person identification. The person presents an identity document to the ATD employee.
46.2. in the case of electronic identification, the person submits an official written application to the ATD, signed with a secure electronic signature, on the ATD electronic services portal https://e.atd.lv,, where the Customer's electronic authentication is performed, or by sending the application from the person's official electronic address.
47. Taking into account the complexity of the request included in the application, the ATD may extend the response period in accordance with Article 12(3) of the Regulation and the Application Law for a further two months, informing the applicant of the reasons for the delay and the extension of the deadline.
48. The ATD shall provide a response regarding the non-fulfillment of the request included in the application within one month of receiving the request in accordance with Article 12(4) of the Regulation, informing the applicant of the reasons for the failure to act and that the applicant has the right to lodge a complaint with the Data State Inspectorate or a court.
49. If the person's requests are manifestly unfounded or excessive, or if the person refuses to identify themselves or provide additional information to identify themselves, the ATD shall refuse to comply with the request in accordance with Article 12(5)(b) of the Regulation.
11. Right to lodge a complaint regarding data processing
50. In order to resolve any disagreements or ambiguities as quickly as possible, if a person has complaints or questions regarding the Privacy Policy, has identified a possible personal data breach or security incident, or has concerns about a possible breach, everyone is invited to first contact the DPO using the communication channels specified in the data controller's contact information or the data protection specialist's contact information, as specified in Section I of the Privacy Policy. The ATD will respond in accordance with the procedure specified in regulatory enactments, taking into account the specified response channel.
51. If a person considers that the processing of personal data by ATD violates their interests and rights in accordance with applicable regulatory enactments, they have the right to submit a complaint to the data supervisory authority – the State Data Inspectorate, which, as the supervisory authority of the Republic of Latvia, is obliged to examine the person's complaint, investigate the matter to the extent necessary and inform the complainant within a reasonable time about the progress of the case and the results of the investigation. Sample applications to the State Data Inspectorate and other related information can be found on the State Data Inspectorate website https://www.dvi.gov.lv/lv/.
12. Closing matters
52. The Policy shall enter into force on the day following its approval by the ATD Members' Meeting.
53. With the entry into force of the Policy, the "VSIA "Autotransporta direkcija" Personal Data Protection Policy" No. 2.20/12, approved by Decision No. 4/1 of the ATD Board on June 22, 2018, shall cease to be in force.