LEGAL ACTS OF THE REPUBLIC OF LATVIA
Republic of Latvia

Cabinet
Regulation No. 216
Adopted 12 May 2015

Procedure for Drawing up and Submitting a Conformity Assessment of a Processing of Personal Data

Issued pursuant to
Personal Data Protection Law, Section 26, Paragraph 21

1. This Regulation prescribes:

1.1. conditions for a conformity assessment of a processing of personal data (hereinafter - the assessment);

1.2. procedures and time periods for drawing up and submitting the assessment to the Data State Inspectorate.

2. This Regulation shall apply to State and local government institutions and to individuals to whom public administration tasks have been delegated (hereinafter - institution).

3. Drawing up of the assessment shall be a documented process, and its aim is to evaluate the actual conditions for processing of personal data, and conformity thereof with the laws and regulations in the field of personal data protection. By assessing the actual conditions of data processing, the assessor shall interview persons that are involved in processing and protection of personal data, check the internal procedures, carry out visual assessment, and verify documents.

4. The assessment shall be drawn up in accordance with Annex to this Regulation:

4.1. prior to commencement of personal data processing for a new purpose of personal data processing;

4.2. prior to making the changes to the processing of personal data that affect the rights or interests of data subject in the field of personal data protection;

4.3. upon initiative of the institution;

4.4. upon request of the Data State Inspectorate.

5. In the case referred to in Sub-paragraph 4.2 of this Regulation, the assessment may be drawn up after the changes to personal data processing have been implemented, if:

5.1. any delay in making the changes to personal data processing may pose an immediate and critical risk to the rights or interests of the data subject;

5.2. any delay in making the changes to personal data processing poses a risk to information security;

5.3. changes have been made to the laws and regulations that apply to the processing of personal data. If such changes are introduced several times during a year for one data processing purpose, the administrator has the right to perform the assessment once a year, drawing up the assessment regarding all the changes made during that year.

6. For every personal data processing purpose, a separate assessment shall be drawn up.

7. The assessment shall be drawn up by a personal data protection specialist, or by a person with a higher secondary level vocational or academic education who has knowledge in the field of personal data protection and at least one year of experience in personal data protection, information technologies, audit, or the performance of equivalent inspections (hereinafter - the assessor).

8. The institution shall have the right to invite an assessor who meets the requirements of Paragraph 7 of this Regulation.

9. When performing the assessment, the assessor has the right to involve specialists in the relevant field who do not meet the requirements of Paragraph 7 of this Regulation.

10. The institution shall provide the assessor, and the specialist involved in the assessment process as referred to in Paragraph 9 of this Regulation, with access to the documents, information systems, technical resources, and facilities that are needed for performing the assessment.

11. The assessor and the specialist involved in the assessment process in accordance with Paragraph 9 of this Regulation shall give a written undertaking not to disclose the information obtained during the assessment process, except in the cases laid down in the laws and regulations.

12. Based on the established facts and the inspected documents, the assessor shall prepare a draft assessment within the time period laid down by the institution, and the institution or its authorised official shall provide an opinion on the draft within 10 working days.

13. Having evaluated the institution's opinion, the assessor shall, where appropriate, adjust the draft assessment and approve the assessment.

14. After approval of the assessment, the assessor shall draw up an assessment summary. The assessment summary shall state the following:

14.1. the name, or the given name and surname, of the manager, and the given name, surname, and contact details of the assessor;

14.2. the basis and extent of the assessment;

14.3. the time period in which the assessment was performed;

14.4. the purpose for personal data processing;

14.5. conclusions and found discrepancies;

14.6. recommendations and the term for rectification of discrepancies.

15. Within 10 working days of drawing up the assessment summary, the institution or its authorised official shall submit the assessment summary electronically to the Data State Inspectorate.

16. If the assessment includes recommendations for rectification of discrepancies, the institution or its authorised official shall notify the assessor after the discrepancies have been rectified.

17. After the discrepancies have been rectified, the assessor shall draw up a report stating the measures performed for rectification of the discrepancies. This report shall be added to the assessment and shall be considered an integral part of it. Within 10 working days of drawing up the report, the institution or its authorised official shall send the report to the Data State Inspectorate.

18. The assessment, the report on rectification of discrepancies, and the assessment summary are restricted access information.

19. The institution has the obligation to store at least the two most recent assessments for each purpose of personal data processing, the summaries thereof, and the reports referred to in Paragraph 17 of this Regulation.

Prime Minister Laimdota Straujuma

Minister for Justice Dzintars Rasnačs

 

Annex
Cabinet Regulation No. 216
12 May 2015

Conformity Assessment of a Processing of Personal Data

I. General Description of Processing of Personal Data

Name of the institution:
Contact details:
Assessor (given name, surname):
Contact details:
The time period the assessment was performed:
The basis for performing the assessment (mark the applicable one):
    prior to commencement of personal data processing for a new purpose for personal data processing
    prior to making the changes to the processing of personal data that affect the rights or interests of the data subject in the field of personal data protection
    upon own initiative
    upon request of the Data State Inspectorate

What is the purpose for personal data processing?

Is the purpose for personal data processing determined by the laws and regulations? (yes / no)
If the answer is "yes" - state the laws and regulations that stipulate data processing.

What personal data, e.g., given name, surname, personal identity number, are processed in order to reach the purpose stated in the above paragraph?

If sensitive personal data are processed, state them.

What form of personal data processing takes place - manual or automatic?

Is sensitive personal data processing separated from processing of other personal data? (yes / no)
If the answer is "yes" - describe the procedure provided.
If the answer is "no" - state the reasons.

Are all the processed data required for reaching the purpose for personal data processing? (yes / no)
If the answer is "yes" - list these data and state the reason why they are required for reaching the purpose for personal data processing.
If the answer is "no" - state the reasons.

Can the purpose for personal data processing be reached by not processing the personal data at all or by processing them to a smaller extent? (can / cannot) Provide the reason.

Please state the legal basis for processing of personal data in accordance with Section 7 of the Personal Data Protection Law.
If sensitive personal data are processed, state the basis in accordance with Section 11 of the Personal Data Protection Law.

If the legal basis for processing personal data is a consent of the data subject, state the form (electronic, written, oral) and the time when the consent of this data subject was obtained.

If sensitive personal data are processed based on a consent of the data subject, state whether this consent has been drawn up in writing. (it is drawn up in writing / it is not drawn up in writing)
If the answer is negative, provide the reason why the consent of the data subject has not been drawn up in writing.

Is the processing of personal data entrusted to a personal data processor? (yes / no)
If the answer is "yes" - state the legal basis.

Is the processing of personal data registered with the Data State Inspectorate? (yes / no)
If the answer is "no" - state the reason.

II. Risk Analysis in Relation to the Rights and Freedoms of the Personal Data Subject

1. Personal Data Processing in Accordance with the Purpose for Personal Data Processing

How often is the amount of personal data, and compliance thereof with the purpose for personal data processing, inspected?

What are the procedures for periodic evaluation of the amount of personal data to be processed and compliance thereof with reaching the purpose for personal data processing? How often are these procedures revised?
If there are no procedures, please state the reasons and explain how it is ensured that the amount of processed personal data throughout its processing does not exceed the amount necessary for reaching the purpose for personal data processing.

What procedures are in place for ensuring that the processing of personal data meets the requirements of personal data protection?

Are there procedures in place for identifying the data subject, the information system user, and third parties that process the personal data manually or via an information system? (yes / no)
If the answer is "yes" - describe the order or procedures.

2. Adequate Processing of Personal Data

How is the processing of correct (up-to-date, current) personal data ensured?

Please state the document that lays down the procedures for how and how often the personal data are updated (adjusted).

How often are checks done to verify that correct (up-to-date, current) data are processed? Please state the reason for the selected periodicity and whether it ensures processing of only correct (up-to-date, current) personal data.

Has there been an evaluation of the losses that may be caused by processing data that are not current? (yes / no)

How are applications by the data subject treated, and what responses are given, if the data subject believes that his/her processed personal data are not current? How is the data subject's right to report processing of data that are not current ensured?

3. Storage of Personal Data in Accordance with the Purpose for Personal Data Processing

How are the periods for storing personal data determined (e.g., in accordance with the laws and regulations, a contract, the data subject's consent)? State the reasons for the period selection.

If the period for storage of personal data is determined by a law or regulation, indicate it.

If the period for storage of personal data is not determined by an outside law or regulation, please state how often the periods for storage of personal data are revised.

If processing of personal data is not required for reaching the purpose for personal data processing:
1. How is personal data processing evaluated for determining which data should be deleted?
2. Who is responsible for evaluating personal data for determining which data should be deleted, and when?
3. Is there an automated system implemented for receiving reports that indicate the necessity to delete personal data?

Are there guidelines in place regarding deletion of personal data? (yes / no)

4. Personal Data Disclosure

Are there any internal regulations governing the procedures for disclosing personal data within the institution and to third parties? (yes / no)

Please state the procedures for ensuring that the employees of the institution are informed regarding disclosure of personal data.

Please state the procedures for determining whether the personal data may be disclosed to third parties (e.g., how the requester is identified). What is evaluated when deciding on disclosing personal data?

Is information regarding cases of disclosing personal data stored, and in what form?

5. Ensuring the Rights of a Data Subject

5.1. Informing a Data Subject on Processing of the Subject's Personal Data

Are the personal data obtained from the data subject? (yes / no)

Is the data subject notified regarding processing of the subject's personal data, regardless of whether the personal data are obtained from the data subject? (yes / no)
If the answer is "yes" - please state in what cases the data subject is notified regarding processing of the subject's personal data and what kind of information is provided.
If the answer is "no" - please state why the data subject is not notified.

Does the data subject have an opportunity to obtain information regarding the parties that have obtained information regarding the data subject? (yes / no)
If the answer is "yes" - please state the period for which such information is provided.
If the answer is "no" - please state why the information is not provided.

Please state how often and within what period the data subject has the right to obtain information regarding processing of the subject's personal data. State the reason for determining the term and frequency.

Is there a fee for providing information if the data subject requests the information regarding processing of the subject's personal data more than twice a year? (yes / no) How large is the fee?

Does the data subject have the right to limit the processing of the subject's personal data, including in accordance with Sections 16 and 19 of the Personal Data Protection Law? (yes / no)
If the answer is "yes" - please state how the rights of the data subject are ensured.
If the answer is "no" - state the reasons.

Is the information regarding the data subject received from third parties? (yes / no)
If the answer is "yes" - please state the procedures for receiving information and the legal basis for receiving such information.

5.2. Rights of a Data Subject to Access the Subject's Personal Data

Does the data subject have the right to access the subject's personal data? (yes / no)
If the answer is "yes" - please describe the procedures for ensuring the data subject's right to access the subject's personal data.
If the answer is "no" - please state why the data subject's access rights are not ensured.

How is the locating of a person's data ensured upon the data subject's request?

Is information regarding the processing of personal data provided to the data subject upon the data subject's request? (yes / no)
If the answer is "yes" - please state the procedures for providing information.

Does the administrator have the right to deny the data subject access to the personal data? (yes / no)
If the answer is "yes" - please state in what cases.

Is automatic decision making performed based on the processed personal data? (yes / no) In what cases does the administrator review such decisions?

6. Transferring of Personal Data to Countries that are not Member States of the European Union or European Economic Area, or to Countries that have not obtained the Commission's Opinion Regarding an Adequate Level of Data Protection

Are personal data transferred to a country that is not a Member State of the European Union or the European Economic Area, or to an international organisation? (yes / no)
If the answer is "yes" - please state the reason for such processing of personal data, the country to which the data are transferred, and the types of personal data that are transferred.

Are there internal rules for transferring personal data to countries that are not Member States of the European Union or the European Economic Area? (yes / no)
If the answer is "yes" - describe the principles of these rules.
If the answer is "no" - please state why such rules have not been developed.

III. Personal Data Protection and Security Precautions

Are there protection provisions for processing personal data? (yes / no)

What are the procedures for informing employees of the duty not to disclose personal data (including after the end of employment, service, or other legal relations)? How is adherence to this duty controlled?

The person responsible for information resources, technical resources, and personal data protection:

What personal data protection measures are taken for the information technologies?

Please describe the protection measures that are implemented after an unauthorised or illegal access to personal data that have been automatically or manually processed.

Does the processing of sensitive personal data have a higher level of data protection? (yes / no)
If the answer is "yes" - describe the level of protection laid down.

Are there safety rules for the information systems in the institution? (yes / no)

Are there responsible persons appointed for security management and implementation of information systems? (yes / no)

Is risk analysis carried out for information systems in the institution? (yes / no)

Has the institution developed information system access control procedures? (yes / no)
If the answer is "yes" - how does the institution manage the accounts of information system users?

What are the requirements for user account passwords and other protection tools?

Have any duties been laid down for the information system users? (yes / no) What are they?

Does the institution provide safety training to the employees who perform data processing in information systems? (yes / no) How often is the training done, and what is its content?

Does the institution perform a conformity inspection before putting an information system into service? (yes / no)
If the answer is "yes" - please indicate the procedures for performing such inspection.

Has the institution developed procedures for maintaining its information systems? (yes / no)

Is logging and monitoring of information system events ensured in the institution? (yes / no) Describe the procedures.

Does the institution make data back-up copies and check them? (yes / no) Describe the procedures.

Does the institution use external information systems that are connected to the institution's information systems? (yes / no)
If the answer is "yes" - what are the procedures and conditions in accordance with which co-operation with other institutions is established?

What technologies and tools are used for connecting systems?

Can the information systems of the institution be accessed remotely? (yes / no)
If the answer is "yes" - what are the procedures and conditions for remote access?

Does the institution have procedures for managing and using external storage devices? (yes / no)

Is data encryption used in the information systems? (yes / no)
If the answer is "yes" - describe it.

Are the level of confidentiality and the potential risks of information evaluated before disclosing it to the public? (yes / no)

Has the institution developed procedures for managing incidents? (yes / no)

Has the institution developed procedures for rectification of detected discrepancies? (yes / no)

IV. Recommendations for Rectification of Discrepancies

Conclusions and detected discrepancies:
Recommendations for rectification of discrepancies:
Time period for rectification of discrepancies:

Assessor: (given name, surname, signature)

(date)

Minister for Justice Dzintars Rasnačs

 


Translation © 2016 Valsts valodas centrs (State Language Centre)

 
Document information
Title: Kārtība, kādā sagatavo un iesniedz personas datu apstrādes atbilstības novērtējumu Status:
No longer in force
no longer in force
Issuer: Cabinet of Ministers Type: regulation Document number: 216Adoption: 12.05.2015.Entry into force: 15.05.2015.End of validity: 05.07.2018.Publication: Latvijas Vēstnesis, 93, 14.05.2015. OP number: 2015/93.6
Language:
LVEN