Latvia has adopted the Law on Personal Data Processing

31.07.2018

The national Law on Personal Data Processing (the National Law) entered into force on July 5th, 2018, making Latvia the first Baltic state to adopt its own national legislation based on the General Data Protection Regulation (GDPR).

Powers of supervisory authority

The National Law regulates, inter alia, the powers of the national supervisory authority, the Data State Inspectorate (the DSI), and most importantly its powers to perform inspections. These cover all activities needed to establish whether data processing complies with the requirements of the GDPR and other laws, including the right to visit the place of data processing, to obtain information by all lawful methods and to take all other necessary actions. Before performing an inspection, the DSI shall inform the controller about the purpose, time and place of the visit and shall ask the representative to be present. However, the absence of the representative is not an obstacle to performing the inspection.

The National Law thus does not include the controversial wording of the Draft Law which allowed the DSI, without any warning and upon receipt of the decision of the court judge, to enter, in the presence of police, the non-residential premises, apartments, buildings or other objects of immovable property which are in ownership, possession or in use of a data controller or processor, and to perform coercive screening or inspection, to receive any and all documents (including the information on electronic devices) and even the right to seal such premises for 72 hours to ensure the preservation of evidence.

It is also important that, as under the previous law, the DSI retains the power to arrange the qualification test for data protection officers and to examine whether persons have met the requirements for maintaining their professional qualification. More specific requirements are to be set out in Regulations issued by the Cabinet of Ministers, which have not been developed yet.

General rules on data processing and the limitations

The National Law confirms the position of the Draft Law that a child’s consent in relation to information society services shall be considered lawful if the child is at least 13 years old; if the child is younger than 13 years, the consent shall be given by the child’s parent or lawful guardian.

Dashcams used by natural persons for private needs are not subject to the National Law and the GDPR, so the requirement to register dashcams with the DSI no longer exists. Data from dashcams shall not be disclosed to other persons and institutions unless there are grounds specified in the GDPR.

The National Law also specifies the minimum information regarding video surveillance to be provided to data subjects on informative signs, i.e. the sign shall include at least the name and contact information of the controller and the purpose of data processing, as well as an opportunity to receive the other information specified in Article 13 of the GDPR.

The National Law requires that audit trails (log files), i.e. the registered data on specific events in information systems, shall be saved for a period not exceeding one year after the record has been made, unless otherwise stated in another law or resulting from the nature of the processing. The National Law does not regulate the duties to secure the storage of log files; such duties remain regulated by other applicable laws. The controller has no duty to provide the data subject with the information stipulated in Article 15 of the GDPR if no audit trails with the requested information are available. The controller also has no duty to keep the audit trail information just to satisfy a data subject’s request.

Administrative and Civil proceedings in case of infringement

The DSI shall take its decisions in accordance with the Administrative Procedure Law or the legal acts regulating the process of administrative violations. The administrative acts and actual actions of the DSI shall be contested within administrative proceedings.

In case of infringement of civil rights, if the violation has resulted from a breach of the requirements of the GDPR, the claim shall be lodged, in accordance with the Civil Procedure Law, within five years after the violation has occurred or, in case of a long-lasting violation, from the day the violation ceased.

 

Article provided by: Jana Panko, NJORD Law Latvia

 
