Data State Inspectorate examines the obtaining and saving personal data by third persons


While the Ministry of Justice of the Republic of Latvia is working on the changes of national legislation for the application of the new General Data Protection Regulation, which entered into force on May 24th, 2016, the national Data State Inspectorate (the “DSI”) has recently examined several cases causing controversies among the public and touching important issues of security of personal data:

Among them is the DSI’s explanation about the use of data, taped on the car video recorders widely used among Latvian car drivers. DSI specified that **if the vehicle is equipped with the video recorder which’s performance causes personal data collection and processing, i.e. if the quality settings of video recorder allow to identify individuals through the filmed material, then a registration of the personal data processing shall be performed, since the Clause 5 of Section 21 of the Personal Data Protection Law applies: a video surveillance is being carried out and the collected material is being retained in a way of enabling access to this video fully or in separate parts. DSI also clarified that persons are entitled to transfer video records obtained by means of use of car video recorder or any other device, when performing video surveillance, to law enforcement bodies or other third persons only in cases, if legal ground to act so exists (Section 7 of the Personal Data Protection Law); however, one should take into account that if processing of personal data, when carrying out video surveillance, has been performed without registration in the DSI, then a person, whose data (for example, picture) were processed, may file a complaint with the DSI. The DSI turns attention to the fact that the legal ground for transfer of such data may be, for example, request by the State Police (such transfer of data would conform to Section 7 (3) of the Personal Data Protection Law).

(**excerpt from the article. See full article here:

DSI has also examined a case about the collection and retain of medical data of individuals performed by a legal entity which’s business is a maintenance of an information system – a medical data archive where the various medical institutions keep the results of made medical examination. The concerns of public about the security of private medical data and the suspected unauthorized access to such sensitive information appeared when an individual found out that this company has an access to his medical examinations  made in other medical institutions of several years, and he nor gave his consent to this company, nor he was warned that such data will be passed to a third person and retained by such company. Having examined the issue, DSI admitted that such company should be treated as a personal data operator who performs his activity on a basis of the agreements concluded with the medical institutions - personal data administrators. The notification of individuals about the delivery of information to a data operator by now is only an advisable measure of personal data administrator, what, however, will be revised starting from May, 2018 by the application of General Data Protection Regulation.


Changes in the national regulation regarding the personal identification numbers

One of the upcoming changes in the national regulation will enter into force on July 1th, 2017: the changes of the Population Register law will specify that personal identity number, which by now is being composed by eleven numbers first six of which refer to the day, month and the year of birth, and other five are being composed by a specific rules, will change, so the first two numbers will be “32” and other nine numbers from “0” to “9” will be automatically randomly generated. Thus, through the new personal identity numbers will not be possible to establish person’s age, so it will prevent the possible discrimination of an individual and provide for the security of such data. The individuals, who have a personal identity number composed by the previous rules, will have a single opportunity to require a new personal identity number compiled without the date of birth.


Article provided by: Jana Paņko, Latvia

External links:



Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

CPC project office: Dr. Tobias Hö


What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.