Republic of Latvia
Cabinet
Regulation No. 216
Adopted 12 May 2015
Procedure for Drawing up and Submitting a Conformity Assessment of a Processing of Personal Data
Issued pursuant to Personal Data Protection Law, Section 26, Paragraph 21
1. This Regulation prescribes:
1.1. conditions for a conformity assessment of a processing of
personal data (hereinafter - the assessment);
1.2. procedures and time periods for drawing up and submitting
the assessment to the Data State Inspectorate.
2. This Regulation shall apply to State and local government institutions and to individuals to whom public administration tasks have been delegated (hereinafter - institution).
3. Drawing up of the assessment shall be a documented process,
and its aim is to evaluate the actual conditions for processing
of personal data, and conformity thereof with the laws and
regulations in the field of personal data protection. By
assessing the actual conditions of data processing, the assessor
shall interview persons that are involved in processing and
protection of personal data, check the internal procedures, carry
out visual assessment, and verify documents.
4. The assessment shall be drawn up in accordance with Annex
to this Regulation:
4.1. prior to commencement of personal data processing for a
new purpose of personal data processing;
4.2. prior to making the changes to the processing of personal
data that affect the rights or interests of data subject in the
field of personal data protection;
4.3. upon initiative of the institution;
4.4. upon request of the Data State Inspectorate.
5. In the case referred to in Sub-paragraph 4.2 of this Regulation, the assessment may be drawn up after implementing changes to personal data processing, if:
5.1. any delay to make changes to personal data processing may
cause immediate and critical risk to the rights or interests of
the data subject;
5.2. any delay to make changes to personal data processing
causes risk to information security;
5.3. changes have been made to laws and regulations that apply
to processing of personal data. If changes to laws and
regulations that apply to processing of personal data, for one
data processing purpose are introduced several times during a
year, the administrator has the right to perform an assessment
once a year, by drawing up the assessment regarding the changes
made during the year.
6. For every personal data processing purpose, a separate
assessment shall be drawn up.
7. The assessment shall be drawn up by a personal data
protection specialist or a person with a higher secondary level
vocational or academic education and who has knowledge in the
field of personal data protection, with at least one year of
field experience in personal data protection or information
technologies, or audit, or performing equivalent inspections
(hereinafter - the assessor).
8. The institution shall have the right to invite an assessor who meets the requirements of Paragraph 7 of this Regulation.
9. When performing the evaluation, the assessor has the right to invite specialists of the relevant field who do not meet the requirements of Paragraph 7 of this Regulation.
10. The institution shall provide the assessor, and the specialist referred to in Paragraph 9 of this Regulation who is involved in the assessment process, with access to the documents, information systems, technical resources, and facilities that are needed for performing the assessment.
11. The assessor, and the specialist involved in the assessment process in accordance with Paragraph 9 of this Regulation, shall provide a written commitment not to disclose the information obtained during the assessment process, except in the cases laid down in the laws and regulations.
12. Based on the determined facts and the inspected documents,
the assessor shall prepare a draft assessment within the time
period laid down by the institution, and the institution, or its
authorised official shall provide an opinion within 10 working
days.
13. When evaluating the institution's opinion, the assessor,
where appropriate, shall adjust the draft assessment and approve
the assessment.
14. After approval of the assessment, the assessor shall draw
up an assessment summary. The assessment summary shall state the
following:
14.1. the name or given name and surname of the manager, and
the given name, surname, and contact details of the assessor;
14.2. the basis and extent of the assessment;
14.3. time period the assessment was performed;
14.4. the purpose for personal data processing;
14.5. conclusions and found discrepancies;
14.6. recommendations and the term for rectification of
discrepancies.
15. Within 10 working days of drawing up, the institution or
its authorised official shall electronically submit the
assessment summary to the Data State Inspectorate.
16. If the assessment includes recommendations for
rectification of discrepancies, the institution or its authorised
official shall notify the assessor after the discrepancies have
been rectified.
17. After discrepancies have been rectified, the assessor
shall draw up a report, stating information on measures performed
for rectification of discrepancies. This report shall be added to
the assessment, and it shall be considered an integral part of
the assessment. Within 10 working days of drawing up, the
institution or its authorised official shall send the report to
the Data State Inspectorate.
18. The assessment, the report on rectification of discrepancies, and the assessment summary shall be restricted-access information.
19. The institution has the obligation to store at least the two most recent assessments for each purpose of personal data processing, the summaries thereof, and the report referred to in Paragraph 17 of this Regulation.
Prime Minister Laimdota Straujuma
Minister for Justice Dzintars Rasnačs
Annex
Cabinet Regulation No. 216
12 May 2015
Conformity Assessment of a Processing of Personal Data

I. General Description of Processing of Personal Data
Name of the institution:
Contact details:
Assessor (given name, surname):
Contact details:
The time period the assessment was performed:
The basis for performing the assessment (mark as applicable):
  - prior to commencement of personal data processing for a new purpose for personal data processing
  - prior to making the changes to the processing of personal data that affect the rights or interests of the data subject in the field of personal data protection
  - upon own initiative
  - upon request of the Data State Inspectorate
What is the purpose for personal data processing?

Is the purpose for personal data processing determined by the laws and regulations? If the answer is "yes" - state the laws and regulations that stipulate data processing.
  yes / no

What personal data, e.g., given name, surname, personal identity number, are processed in order to reach the purpose stated in the above paragraph?
  •
  •
  •
  •

If sensitive personal data are processed, state them.

What form of personal data processing takes place - manual or automatic?

Is sensitive personal data processing separated from processing of other personal data? If the answer is "yes" - describe the provided procedure. If the answer is "no" - state the reasons.
  yes / no

Are all the processed data required for reaching the purpose for personal data processing? If the answer is "yes" - list these data and state the reason why they are required for reaching the purpose for personal data processing. If the answer is "no" - state the reasons.
  yes / no

Can the purpose for personal data processing be reached by not processing the personal data at all or by processing them to a smaller extent? Provide the reason.
  can / cannot

Please state the legal basis for processing of personal data in accordance with Section 7 of the Personal Data Protection Law. If sensitive personal data are processed, state the basis in accordance with Section 11 of the Personal Data Protection Law.

If the legal basis for processing personal data is a consent of the data subject, state the form (electronic, written, oral) and the time when the consent of this data subject was obtained.

If sensitive personal data are processed based on a consent of the data subject, state if this consent has been drawn up in writing. If the answer is negative, provide the reason why the consent of the data subject has not been drawn up in writing.
  it is drawn up in writing / it is not drawn up in writing

Is the processing of personal data entrusted to a personal data processor? If the answer is "yes" - state the legal basis.
  yes / no

Is the processing of personal data registered with the Data State Inspectorate? If the answer is "no" - state the reason.
  yes / no
II. Risk Analysis in Relation to the Rights and Freedoms of the Personal Data Subject

1. Personal Data Processing in Accordance with the Purpose for Personal Data Processing

How often is the amount of personal data, and the compliance thereof with the purpose for personal data processing, inspected?

What are the procedures for periodic evaluation of the amount of personal data to be processed and the compliance thereof with the reaching of the purpose for personal data processing? How often are these procedures revised? If there are no procedures, please state the reasons and explain how it is ensured that the amount of processed personal data throughout its processing does not exceed the amount necessary for reaching the purpose for personal data processing.

What procedures are in place for ensuring that the processing of personal data meets the requirements of personal data protection?

Are there procedures in place for identifying the data subject, the information system user, and third parties that process the personal data manually or via an information system? If the answer is "yes" - describe the order or procedures.
  yes / no
2. Adequate Processing of Personal Data

How is the processing of correct (up-to-date, current) personal data ensured?

Please state the document that lays down the procedures for how and how often the personal data are updated (adjusted).

How often are checks done to verify if correct (up-to-date, current) data are processed? Please state the reason for the selected periodicity and whether it ensures processing of only correct (up-to-date, current) personal data.

Has there been an evaluation of the losses that may be caused by processing data that are not current?
  yes / no

How are applications by the data subject treated, and what are the responses to them, if the data subject believes that his/her processed personal data are not current? How is the data subject's right to report processing of data that are not current ensured?
3. Storage of Personal Data in Accordance with the Purpose for Personal Data Processing

How are periods determined for storing personal data (e.g., in accordance with the laws and regulations, a contract, the data subject's consent)? State the reasons for period selection.

If the period for storage of personal data is determined by a law or regulation, indicate it.

If the period for storage of personal data is not determined by an outside law or regulation, please state how often the periods for storage of personal data are revised.

If processing of personal data is not required for reaching the purpose for personal data processing:
  1. How is personal data processing evaluated for determining which data should be deleted?
  2. Who is responsible for evaluating personal data for determining which data should be deleted, and when?
  3. Is there an automated system implemented for receiving reports that indicate the necessity to delete personal data?

Are there guidelines in place regarding deletion of personal data?
  yes / no
4. Personal Data Disclosure

Are there any internal regulations governing the procedures for disclosing personal data within the institution and to third parties?
  yes / no

Please state the procedures for ensuring the employees of the institution are informed regarding disclosure of personal data.

Please state the procedures for determining if the personal data may be disclosed to third parties (e.g., how the requester is identified). What is evaluated when deciding on disclosing personal data?

Is information stored regarding cases of disclosing personal data, and if so, in what form?
5. Ensuring the Rights of a Data Subject

5.1. Informing a Data Subject on Processing of the Subject's Personal Data

Are the personal data obtained from the data subject?
  yes / no

Is the data subject notified regarding processing of the subject's personal data, regardless of whether the personal data are obtained from the data subject? If the answer is "yes" - please state in what cases the data subject is notified regarding processing of the subject's personal data and what kind of information is provided. If the answer is "no" - please state why the data subject is not notified.
  yes / no

Does the data subject have an opportunity to obtain information regarding the parties that have obtained information regarding the data subject? If the answer is "yes" - please state the period for which such information is provided. If the answer is "no" - please state why the information is not provided.
  yes / no

Please state how often and within what period the data subject has the right to obtain information regarding processing of the subject's personal data. State the reason for determining the term and frequency.

Is there a fee for providing information if the data subject requests the information regarding processing of the subject's personal data more than twice a year? How large is the fee?
  yes / no

Does the data subject have the right to limit the processing of the subject's personal data, including in accordance with Sections 16 and 19 of the Personal Data Protection Law? If the answer is "yes" - please state how the rights of the data subject are ensured. If the answer is "no" - state the reasons.
  yes / no

Is the information regarding the data subject received from third parties? If the answer is "yes" - please state the procedures for receiving information and the legal basis for receiving such information.
  yes / no
5.2. Rights of a Data Subject to Access the Subject's Personal Data

Does the data subject have the right to access the subject's personal data? If the answer is "yes" - please describe the procedures for ensuring the data subject's right to access the subject's personal data. If the answer is "no" - please state why the data subject's access rights are not ensured.
  yes / no

How is the retrieval of a person's data ensured upon the data subject's request?

Is information regarding the processing of personal data provided to the data subject upon the data subject's request? If the answer is "yes" - please state the procedures for providing information.
  yes / no

Does the administrator have the right to deny the data subject access to the personal data? If the answer is "yes" - please state in what cases.
  yes / no

Is automatic decision making performed based on the processed personal data? In what cases does the administrator review such decisions?
  yes / no
6. Transferring of Personal Data to Countries that are not Member States of the European Union or European Economic Area, or to Countries that have not obtained the Commission's Opinion Regarding an Adequate Level of Data Protection

Are personal data transferred to a country that is not a Member State of the European Union or European Economic Area, or to an international organisation? If the answer is "yes" - please state the reason for such processing of personal data, the country to which the data are transferred, and the types of personal data that are transferred.
  yes / no

Are there internal rules for transferring personal data to countries that are not Member States of the European Union or European Economic Area? If the answer is "yes" - describe the principles of these rules. If the answer is "no" - please state why such rules are not developed.
  yes / no
III. Personal Data Protection and Security Precautions

IV. Recommendations for Rectification of Discrepancies

Conclusions and detected discrepancies:

Recommendations for rectification of discrepancies:

Time period for rectification of discrepancies:

Assessor
(given name, surname, signature)

(date)
Minister for Justice Dzintars Rasnačs

Translation © 2016 Valsts valodas centrs (State Language Centre)