Statement of the State Agency of Medicines regarding processing of personal data

About us

Controller: State Agency of Medicines (hereinafter – Agency)
Registration number: 90001836181
Address: Jersikas Street 15, Riga, LV-1003.

Pursuant to the Cabinet of Ministers Regulation No. 536 of 31 July 2012 “Statutes of the State Agency of Medicines”, the Agency is a state institution under the supervision of the Minister for Health and its objective is to ensure qualitative and justified services related to evaluation of healthcare products, procurement and utilisation centres of human blood, tissues, cells and organs, as well as pharmaceutical activity companies according to the state and public interests in the field of healthcare.

By providing services to natural persons, state and municipal institutions, as well as foreign authorities the Agency performs the functions and tasks stipulated by the Pharmaceutical Law, Medical Treatment Law, law “On the Protection of the Body of Deceased Human Beings and the Use of Human Tissues and Organs in Medicine”, Law on the Legal Trade of Narcotic and Psychotropic Substances and Medicinal Products, and also Precursors and other legal acts.

In processing of personal data, the Agency complies with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter – General Data Protection Regulation), as well as the Personal Data Processing Law.

We value your privacy and trust

By making this public statement, our objective is to provide clear and comprehensive information on how and why we use your personal information and give you reassurance about disclosing your personal data to us.

We take appropriate measures to ensure that your personal data are always safe with us and that processing of your personal data is done in accordance with the current data protection laws, our internal policies, guidelines and procedures. We have also appointed a data protection specialist whose task is to supervise compliance with the requirements of data protection regulations, guidelines and procedures.

We protect your personal information and maintain confidentiality in everything we do.

With this statement we provide information on what personal data we may process, how are we going to use this data and information regarding your rights and how you may contact us.

In case of any changes to the Agency’s personal data management, we plan on letting you know by publishing these changes in this statement.

What constitutes personal data?

Personal data is any information that may be used to identify an individual, for example: name, surname, identification number, address, phone number, gender, age, work experience, education, online identifier of an individual.

What is the legal basis for processing of personal data of natural persons?

We process personal data of natural persons pursuant to Article 6, Paragraph 1(c) of the General Data Protection Regulation in order to ensure compliance with the Agency’s legal obligation or pursuant to Article 6, Paragraph 1(e) for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Agency.

In addition, we may process personal data pursuant to the following paragraphs of Article 6 of the General Data Protection Regulation:
-    Paragraph 1(a): the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
-    Paragraph 1(b): processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
-    Paragraph 1(d): processing is necessary in order to protect the vital interests of the data subject or of another natural person;
-    Paragraph 1(f): processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

Prior to processing of personal data, we assess the lawfulness of data processing activities.

What types of personal data do we process and why?

a)    Provision of services

In order to receive services, you provide the required personal data and verify that the submitted personal data are precise and accurate. We cannot guarantee provision of services, if you submit imprecise data.

b)    Public health interest

We process personal data to ensure that the submitted information may be clarified to allow more appropriate classification, pseudonymisation and analysis with the objective of minimising potential risk to public health. Special category personal data may be processed as part of:
-    Adverse drug reaction monitoring system;
-    Medical device vigilance;
-    Biovigilance and haemovigilance;
-    Compliance monitoring of clinical trials;
-    Processing of reports on adverse drug reactions observed within clinical trials;
-    Evaluation and surveillance of centres for procurement and utilisation of tissues, cells and organs, as well as granting permits for operation;
-    Surveillance of compliance with the requirements for procurement, testing, processing, storage and distribution of human blood and blood components.

The Agency follows the access minimisation principle in granting access rights to special category data – only select few Agency employees are granted the right to process special category data.

c)    Establishment and maintenance of civil service or employment

We process personal data in order to ensure human resources for provision of our services, as well as to fulfil the responsibilities and functions delegated to the Agency.

As part of staff member recruitment:

As part of staff member employment:

d)    Video surveillance

We perform video surveillance and process your personal data when you visit our place of operation (Jersikas Street 15, Riga) for the purposes of your personal safety and the safety of our employees and property. Video surveillance is performed in accordance with strict security and data protection regulations using appropriate technologies and equipment. Video surveillance records are stored in our systems for 30 calendar days.

e)    Organisation of seminars and meetings

We organise seminars and meetings for our clients and employees both in person and using remote communication tools and software.

In order to ensure broader availability of information, protocolling or to prepare publicity materials, a video or audio recording may be preformed or photographs may be taken.

We take measures to inform event participants prior to the event regarding the intended recording or photography, site and type of utilisation of the materials obtained, as well as the estimated storage time, so the participants may give their consent.

f)    Whistleblowing

We process submitted personal data in order to ensure proceedings related to submitted whistleblower reports, as well as communication with the whistleblower.

According to the Whistleblowing Law, a whistleblower is a natural person who provides information on a possible violation which may harm the public interests if the person considers this information to be true and it has become known to him or her while fulfilling the work duties or establishing legal relations related to the fulfilment of work duties.  The purpose of this law is to promote whistleblowing on violations in public interests and ensure the establishment and operation of whistleblowing mechanisms, and also due protection of whistleblowers. We ensure processing and protection of whistleblower data according to the law.

g)    Provision of informative materials

We inform you regarding the news and updates published in the “News” section of Agency’s website.

h) Cookies

Cookies are small text files that are created and saved on the device of the internet user (computer, tablet, mobile phone, etc.) when the user visits our website. Cookies “remember” your experience and basic information, thus, increasing the convenience of browsing our website.

Cookies allow processing of website browsing history data, diagnosing problems and deficiencies in site operation, collecting user behaviour statistics, as well as ensuring complete and convenient use of site functionality.

If you do not want to allow use of cookies, you may discontinue it by changing the settings of your internet browser. However, in this case there might be disruptions or difficulties in using our website. You may delete cookies in the settings of your internet browser by deleting cookie history.

See our cookie policy here.

How and in which areas do we process personal data?

We process the personal data received by the Agency both electronically and manually in the following areas:
-    Authorisation and evaluation of clinical research;
-    Marketing authorisation of medicinal products;
-    Quality control of medicinal products and water;
-    Issuance of permits for distribution of medicinal products;
-    Issuance of permits for distribution of narcotic and psychotropic plants, substances, medicinal products and precursors;
-    Evaluation and licencing of pharmaceutical activity;
-    Assessment of cost-effectiveness and health technologies;
-    Authorisation of medical technologies;
-    Maintenance of information regarding medical device manufacturers and authorised representatives;
-    Evaluation and issuance of permits for procurement and utilisation centres of tissues, cells and organs;
-    Compliance evaluation of hospital blood banks, blood establishments and State Blood Donor Centre;
-    Vigilance;
-    Preparation and publication of medicinal product consumption statistics;
-    Financial and material resource management;
-    Human resource management;
-    Assurance of physical security;
-    Assurance of public events and publications;
-    Management of applications, proposals, requests and complaints submitted by natural and legal persons.

Where do we receive personal data from?

We receive your personal data from the following sources:
-    Data submitted by you prior to receipt of our services;
-    Data received from visiting our place of operation (e.g., video surveillance data);
-    Data received from visiting our website;
-    Data submitted by you in order to ask a question, file a claim or a complaint, including cases not related to our services or areas of operation;
-    Data submitted by you in order to inform us regarding a product or service as part of marketing information distribution;
-    Data submitted by you in order to sign and implement a contract for provision of services;
-    Data from companies and institutions that:

• Are involved in the provision of your selected service (e.g., information centre of the Ministry of Internal Affairs, Enterprise Register, State Revenue Service, Health Inspectorate);
• Provide services to us and you are involved in the service provision;
• Participate in the selection of service providers and you may be involved in the service provision;

-    Data submitted by you as part of staff recruitment;
-    Data submitted by you for establishment and maintenance of employment relations.

To whom do we transfer your personal data?

We transfer your personal data to:

a)    Service providers and collaboration partners

In order to fulfil our obligations and duties stipulated by legal acts, we transfer your personal data to companies and institutions that provide services to us or are involved in the provision of the service you have selected, for example, to the Ministry of Health, information centre of the Ministry of Internal Affairs, Ministry of Finance, State Revenue Service, State Audit Office, State Employment Agency, Procurement Monitoring Bureau, Enterprise Register, Ministry of Environmental Protection and Regional Development, State Regional Development Agency, National Archives of Latvia, etc.

We carefully check every service provider that processes your personal data on our behalf. We evaluate whether our collaboration partners (personal data processors) implement appropriate security measures in order to ensure that processing of your personal data is compliant with our tasks, guidance, instructions and requirements of normative acts. These companies are not entitled to utilise your personal data for any other purpose than service provision for us and the use stipulated by the requirements of legal acts.

Conditions for processing of personal data are agreed upon in a mutual contract.

b)  Law enforcement authorities, state and municipal institutions

In order to fulfil the obligations stipulated by legal acts, we transfer your personal data to law enforcement authorities (for example, the police, the court, state and municipal institutions upon their request, as well as to protect our legal interests).

c) Collaboration partners or service providers outside of the European Union and European Economic Area (EU/EEA)

We always try to process your personal data within the European Union and the European Economic Area (EU/EEA) ensuring that all the relations between you and the Agency are governed by the legal acts of the Republic of Latvia, as well as the relevant legal acts of the European Union.

Transfer and processing of personal data outside of the EU/EEA may be carried out if legally justified, i.e., in order to comply with the requirements of normative acts, sign or fulfil a contract, or if you have given your consent for it and the appropriate security measures are in place.

How long do we store your personal data?

All personal data obtained from you are stored as long as you use our services or until you withdraw your consent, if your personal data is processed based upon your consent. Personal data may be stored for longer if required for fulfilment of requirements of legal acts regarding the minimal time period for storage of documents or information or to protect our legal interests.

After expiry of the data storage period, we delete the information and your personal data in a secure manner or archive the data, if deletion may affect the integrity of information for which a longer storage period is required. We reserve the right to delete or irreversibly anonymize your data sooner, if the legal basis for use of this data ceases to exist or if the data are no longer required for further service provision or fulfilment of obligations delegated to the Agency.

We are not responsible for storage or deletion of data located on your end device (to delete cache and cookies use the relevant settings of your internet browser).

How do we protect your personal data?

We ensure and continuously review and improve security measures with the aim of protecting your personal data from unauthorised access, unintentional loss, disclosure or destruction. In order to ensure this, we use modern technologies, technical and organisational requirements, including firewalls, intrusion detection, analysis software and data encryption.

What are your rights?

As a data subject you have general rights stipulated by General Data Protection Regulation and other applicable legal acts including the following:

a)    Access to personal data

You have the right to request information from us whether we process personal data related to you and, if so, request access to this personal data or information regarding personal data if direct access is not foreseen.
In order to receive information regarding processing of your personal data, please complete the “Request for information regarding personal data processing” (the sample form is available on Agency’s website - here), sign it using an e-signature and send it via  e-mail to personas.dati@zva.gov.lv or sign it manually and submit it to the Agency in person at Jersikas Street 15, Riga, or send it via postal mail.

b)   Correction of personal data

You have the right to request to correct or supplement your information if you consider that it is inaccurate or incomplete.

Please note that prior to corrections or supplementation of the data we may be required to identify the relation of the applicant to the record to be corrected, therefore, we invite you to inform us regarding the necessary changes in writing or by visiting the Agency in person during working hours at Jersikas Street 15, Riga.

c)    Withdrawal of consent

As far as we process your personal data based on your consent, you have the right to withdraw your consent for processing of personal data at any time by submitting a free form application addressed to the Agency by sending it via e-mail to personas.dati@zva.gov.lv, if signed with an e-signature, or by submitting it at the Agency in person during working hours or sending via postal mail to Jersikas Street 15, Riga, if signed manually. Withdrawal of consent does not affect the legality of processing of personal data based on consent provided prior to withdrawal, as well as processing of personal data on a different legal basis.

d)   Objection to processing based on legal interests

You have the right to object to processing of personal data the we process based on our legal interests, however, this is not applicable to cases where processing of data is stipulated by legal acts. In order to invoke the aforementioned right, please submit a written application by sending via e-mail to personas.dati@zva.gov.lv, if signed with an e signature, or by submitting it at the Agency in person during working hours or sending it via postal mail to Jersikas Street 15, Riga, if signed manually.

e)    Deletion

In certain circumstances you have the right to request us to delete your personal data. However, it is not applicable to cases where data storage is stipulated by legal acts. In order to invoke the aforementioned right, please submit a written application by sending it via e mail to personas.dati@zva.gov.lv, if signed with an e-signature, or by submitting it at the Agency in person during working hours or sending it via postal mail to Jersikas Street 15, Riga, if signed manually.

f)  Limitations to processing

In certain circumstances you have the right to limit processing of your personal data. Please note that if you request limiting the processing of your personal data, it may affect your ability to receive our services. In order to invoke the aforementioned right, please submit a written application by sending it via e-mail to personas.dati@zva.gov.lv, if signed with an e-signature, or by submitting it at the Agency in person during working hours or sending it via postal mail to Jersikas Street 15, Riga, if signed manually.

g)  Prevention of processing infringement

You have the right to file a claim regarding prevention of data processing infringement, if the infringement has occurred as a result of violation of the requirements of the regulation. In accordance with the procedure stipulated by the Civil Procedure Law, a claim may be filed no later than five years after the occurrence of the infringement or in cases of prolonged infringement – no later than five years after cessation of the infringement.

Which legal acts regulate personal data processing on our website?

Operation of our website is compliant with the legal acts of the Republic of Latvia, as well as the relevant applicable legal acts of the European Union.

What regulates personal data processing on other websites linked from the Agency’s website?

Agency’s website may contain links to third party websites (homepages) subject to their own conditions for use and personal data protection for which the Agency is not be responsible.

Who can I contact in case of queries?

If you have any questions, comments or requests related to the Agency’s procedure for personal data management or processing of your personal data, please contact us via e-mail at personas.dati@zva.gov.lv.

If you are not satisfied with the response or you believe that your rights have been violated, you are entitled to submit a complaint regarding processing of personal data to the supervisory institution “Data State Inspectorate”.

How can I contact the personal data controller and the data protection specialist?

You can contact the Agency and its data protection specialist via e-mail: personas.dati@zva.gov.lv.

Information regarding other forms and channels for communication is available on the Agency’s website, section “Contacts”.

Contents of this statement have been approved by the order No. 1-6/79 of the State Agency of Medicines on 26.04.2021.

Last reviewed: 26.04.2021