Candidate’s Personal Data Privacy Note

This candidate’s personal data processing note (the “Policy”) applies to RB Rail AS, reg. No 40103845025, legal address: Satekles street 2B, Rīga, Latvia, LV – 1050 (the “Employer”) and a natural person who has applied for the vacancy announced by the Employer (the “Candidate”).

The purpose of the Policy is to inform the Candidate about the processing of the Candidate’s personal data by Employer (including but not limited to inform about the legal basis and purpose for personal data processing) according to the Article 13 and 14 of Regulation (EU) 2016/679 (the “General Data Protection Regulation”), and to inform the Candidate of his/her rights in relation to data processing.

Data Controller 

The Employer informs that with regard to the processing of the Candidate’s personal data conducted by the Employer, the Employer is considered the Data controller of personal data within the meaning of the General Data Protection Regulation.

Contact information of the employer 

Regarding personal data processing issues, the Employer can be contacted using the following contact details:

Personal data

Personal data are any information about an identified or identifiable natural person, in this case the Candidate. The Employer shall process the personal data of the candidate only to the extent that is reasonably necessary, observing the requirements of the applicable regulatory enactments. 

For example, the Employer might process the following categories of personal data, for example:

 Identification data: name, surname, personal identification code, passport or identity card (ID card) number;

  • Contact information: address, e-mail, phone No;
  • Qualifying data: education, work experience, information included in the CV and the application;
  • Recommendations: identity and contact information of the current or former employer’s representative, content of the reference;
  • Data created during the recruitment (testing) process: results of tests, assignments, interviews and other information obtained during them;
  • Data created during Due diligence process: information from national security authorities on the Candidate’s suitability for the position, which is required in accordance with the regulatory enactments and legitimate interests binding on the Employer;
  • Reputation: Information characterizing the Candidate and information about the Candidate’s previous activities that are available in public resources and/or public databases, which are required in accordance with the Employer’s legitimate interests or the laws and regulations binding on the Employer;
  • Bank account number: If the job offer is offered to the Candidate, the bank account number must be provided in the draft employment contract;
  • Criminal record: information on the Criminal record of the Candidate’s suitability for the position, which is required in accordance with the regulatory enactments and legitimate interests binding on the Employer (only for foreign Candidate’s when Due diligence information is not obtained via national security authorities);
  • Video recording: Video surveillance is performed at the Employer’s premises and as a result of that video recordings are made;

 Other data: all other data submitted by the Candidate at his / her discretion in the selection process.

In certain recruitment processes the Employer investigates publicly available information (for example, SIA “Lursoft IT” – connection with other companies, information on insolvency etc., SRS EDS – tax debts, SIA “Creditreform Latvija” – information of debts, SIA “Paus Konsults” – information on debts, and other databases) and obtain feedback on the Candidate in order to conduct a study of the Candidate’s reputation. If the recruitment process involves recruitment of foreign nationals, the Employer has the right to request the Candidate to submit a Criminal Record statement on the Candidate’s criminal record.

In cases when the Candidate submits personal data that are not necessary and / or not in accordance with the selection process (for example, religious beliefs), the Employer deletes / obscures them as much as possible, etc.

Employer urges not to provide personal data that are not necessary for the selection process, such as information on race, ethnic origin, disability, pregnancy and marital status, information on religious, political or other beliefs, information on national or social origin, property or family status, sexual orientation or other types of personal data of sensitive nature.

Main purposes and legal bases for processing personal data

Purpose Personal Data Legal Basis
Selection Identification data,
contact information,
qualification data,
recommendations, data
generated during the
selection process, other
The candidate sends the application and CV
Legitimate interests of the Employer to recruit a person for a vacant job position
Detailed evaluation of the
Candidate and
his/her compliance
with the criteria set
by the Employer
Identification data,
contact information,
qualification data,
recommendations, data
generated during the
selection process, other
Legitimate interests of
the Employer, such as
selection of the most
suitable candidates to
ensure effective
Communication with
the Candidate
Contact information Consent:
The candidate sends the application
Legitimate interests of the Employer to communicate to the Candidate ensuring progress of the recruitment process
Preparation of
Identification data,
contact information,
bank account
Conclusion of a
contract and fulfillment
of legal obligations in
accordance with the
Labor Law
Comply with the
requirements of
regulatory enactments,
with regard to
employees, members of
the board and
supervisory board
Personal data specified
in legal acts, for
example, due diligence information, criminal records (for non-residents)
Employer’s legitimate
interests and fulfilment
of legal obligations
Preventing and detecting crimes against property and preserving evidence Video recording Employer’s legitimate
interests – physical
security management,
event investigation
To ensure that a dispute is resolved in the Employer’s best interests (if the dispute arises between the Employer and the Candidate) Identification data,
contact information,
qualification data,
recommendations, data
generated during the
selection process, other
Legitimate interest of the Employer in defending its interests in dispute settlement institutions

Recipients of personal data

The Employer may transfer the Candidate’s personal data to a third party that provides the Candidate’s testing, evaluation, research and other recruitment services; to the Candidate’s former employers to obtain information about the Candidate’s previous activities,
Candidate’s professional and social competencies; the authorities supervising the Employer’s activities and in cases provided by law also law enforcement authorities, such as the State Police, national security authorities.

Transfer of data to third countries

The Employer is not transferring the Candidate’s personal data outside the European Union/European Economic Area.

Data sources

Sources of personal data:

  • The Candidate independently submits his / her personal data to the Employer, e.g., via CV, application letter or e-mail;
  • Feedback on the Candidate from previous employers with prior permission of the Candidate;
  • Information on social networks, such as LinkedIn, about the Candidate’s business and employment goals;
  • Recruitment companies;
  • Publicly available databases, social networks and other news sources;
  • Law enforcement agencies.

Term of storage of personal data

Personal data is stored until:

  • the specified purpose of processing is achieved;
  • an obligation imposed by the regulatory framework on the Employer to process and / or store personal data has been fulfilled;
  • If processing is based on consent, personal data are processed for as long as the consent given is valid and not revoked.

Usually, the Employer keeps the Candidate’s personal data for 6 months after closing the respective vacancy, unless the Employer and the Candidate have agreed that the Candidate’s data could also be used for other vacancies or where there are reasonable grounds to believe that the use of the personal data will be necessary to resolve the dispute.

After the establishment of employment or other civil law relations, the Candidate’s personal data may be stored for a longer period of time and the Employer’s internal regulations and the requirements of external regulatory enactments shall apply to their processing. For instance:

  • in Latvia in accordance with the Cabinet of Ministers Regulations of 13 November 2018 No. 690  “Regulations on documents certifying the course of work or service of a person and education, which have archival value, and the terms of their storage” documents on the establishment, amendment and termination of employment relations termination, the documents equated to them and their registers, which are necessary for the administration of legal employment relations, shall be kept for a period of 75 years; in Lithuania the Index of Terms of General Documents Storage establishes that the employment contract should be stored for no less than 50 years after employment termination; for personal files, it is 10 years after employment termination; payroll records should be kept for 10 years; in Estonia most of the employment documents shall be kept for 10 years after employment termination.
  • in Latvia in accordance with the Accounting Law justification documents for employee’s calculated monthly salary (wages) with a breakdown by years and months, the retention period is 10 years; in Lithuania the retention period for accounting documents is 10 years; in Estonia in accordance with the Accounting Act contracts which are necessary for reconstructing business transactions during audits shall be preserved by the accounting entity for seven years as of the end of the corresponding financial year.

Security of personal data

The Employer shall ensure, constantly review and improve security measures to protect the Candidate’s personal data from unauthorized access, accidental loss, disclosure or destruction.  To implement this, the Employer uses modern technologies, technical and organizational requirements, including the use of firewalls, antivirus programs, data encryption.

In the event of a Candidate’s personal data security incident, if it poses the highest possible risk to the Candidate’s rights and freedoms, the Employer will immediately notify the Candidate, if possible, or the information will be published on the Employer’s Internet site or otherwise.

Which laws and regulations are applicable?

The following regulatory enactments are applicable to processing of Candidate’s personal data during the selection process:

  • General Data Protection Regulation;
  • Law on the processing of physical personal data;
  • various special legal norms (for example, Labor Law, etc.).

Candidate ‘s rights

The regulatory framework in the field of data protection gives the Candidate several rights to influence the processing of the Candidate’s personal data. In order to exercise this right, the Candidate must:

  • submit a written application to the Employer in person, presenting an identity document (passport or identity card (ID card)) to the Employer or;
  • send an application signed with a secure electronic signature to [email protected].

After receiving the application, the Employer identifies the Candidate, making sure that the Candidate is existing person and the same that has presented application and provides the Candidate with an answer to the request within one month.

The candidate has all the rights guaranteed by the General Data Protection Regulation, such as:

  • the right to access personal data and receive information on processing;
  • the right to request the rectification of incorrect, inaccurate or incomplete personal data, to restrict their processing;
  • the right to request deletion of personal data;
  • the right to data portability;
  • the right to file a complaint with the national data protection authority (Latvia – Data State Inspectorate (; Lithuania – State Data Protection Inspectorate (; Estonia – Data Protection Inspectorate (;
  • the right to withdraw consent. The candidate has the right to withdraw his or her consent to the processing of his or her personal data if the basis for the processing of personal data is consent. To revoke the consent, the Candidate shall use the contact information of the Employer provided in this Notice. If the Candidate withdraws his / her consent to the processing of his / her personal data necessary to assess the Candidate’s compliance with the requirements of the advertised vacancy and the Employer’s recruitment criteria, this may affect the Candidate’s evaluation results and the Employer will not be liable for such consequences.

Should you be willing to familiarize with the text of  the General Data Protection Regulation, it is available online at:

The Employer has the right to make additions to this Policy by publishing the current version on its website.