The discussions around the national law on personal data processing
Many discussions and concerns were also caused by the Article 26 of the Draft Law allowing the authorities of national Data State Inspectorate, without any warning and upon receipt of the decision of the court judge, to enter, in the presence of police, the non-residential premises, apartments, buildings or other objects of immovable property which are in ownership, possession or in use of a data controller or processor, and to perform coercive screening or inspection, to receive any and all documents (including the information on electronic devices) and even the rights to seal such premises for 72 hours to ensure the preservation of evidence.
Currently the Criminal Law already stipulates criminal liability for the illegal activities involving personal data of natural persons, if such activities have caused substantial harm, they have been performed by a personal data processing administrator or operator for the purpose of vengeance, acquisition of property or blackmail, or for influencing a personal data processing administrator or operator, or the data subject, using violence or threats, or using trust in bad faith, or using deceit in order to perform illegal activities involving personal data of a natural person. Thus, the search measures of Draft Law, as described above, could be performed under certain circumstances as a part of criminal proceedings by the corresponding authorities conducting the criminal proceedings, and the actions described in the Draft Law would therefore be recognized as unnecessary and disproportionate to the aims of GDPR.
The Article 30 of the National Personal Data Protection Law, which implemented the Directive 95/46/EC in year 2000, stipulates that the authorities of national Data State Inspectorate have the rights to freely enter any non-residential premises where processing of personal data is located, and in the presence of a representative of the administrator (i.e. the representative of the data controller), to carry out necessary inspections or other measures in order to determine the compliance of the procedure of processing of personal data with the law. Such limited rights of the Data State Inspectorate seemed much more appropriate and proportionate to the controller’s interests.
However, the limits of the applicable legislation are decisive: the GDPR increases the essential requirements for control so high, that the legislator wants to have as many options to protect the legal interests described in GDPR, as he can. However, taking into account the discussions and concerns mentioned above, the Ministry of Justice has promised to review this Article of Draft Law one more time.
Article provided by: Jana Panko (Lawyer, Njord Law Latvia)
References
- http://saeima.lv/lv/aktualitates/saeimas-zinas/26748-saeima-konceptuali-atbalsta-personas-datu-apstrades-likuma-projektu
- http://titania.saeima.lv/LIVS12/saeimalivs12.nsf/0/4ABF3226A1B92C18C22582780027DBC3?OpenDocument
- https://likumi.lv/ta/en/en/id/4042-personal-data-protection-law
- https://likumi.lv/ta/en/en/id/88966-the-criminal-law
Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project
Director CPC project: Dr. Tobias Höllwarth, tobias.hoellwarth@eurocloud.org