Aptauja ilgs līdz 23. oktobrim.
Regulations Regarding Licensing and Supervision of Credit BureausIssued pursuant to I. General Provisions1. This Regulation prescribes: 1.1. the requirements for a joint stock company to comply with in order to receive a licence for the operation as a credit bureau (hereinafter - licence), including claims for civil liability insurance; 1.2. the procedures for issuing, suspending, re-registering, and cancelling a licence, renewing a suspended licence, and making amendments to the licence; and 1.3. the procedures for paying the State fee for issuing of a licence and re-registration thereof and the annual State fee for the supervision of operation of a credit bureau, as well as the amount of the abovementioned State fees. 2. Prior to taking of a decision to issue, re-register, suspend, or cancel the licence, the Data State Inspectorate is entitled to provide instructions to a joint stock company or credit bureau regarding measures to be taken in the field of its operation in order to ensure conformity of the joint stock company or credit bureau and its operation with the requirements of this Regulation. 3. Within three working days after taking of the decision, but not later than one working day before entering into effect of the decision, the Data State Inspectorate shall post the following information on its website: 3.1. information regarding the credit bureau, which has received the licence, indicating information regarding the activities for the performance of which the licence has been issued; and 3.2. information regarding re-registration, suspension, cancellation of the issued licence or renewal of the suspended licence, as well as regarding amendments made to the licence. II. Requirements in Respect of Receipt, Validity of the Licence, and Civil Liability Insurance4. In order to receive a licence, as well as during the term of validity of the licence, a joint stock company must conform to the following general requirements: 4.1. it has been registered in accordance with the procedures laid down in the laws and regulations regarding commercial activities in the Republic of Latvia or another Member State of the European Union or European Economic Area (if the joint stock company has not been established in Latvia, it has registered a subsidiary in Latvia); 4.2. it has a registered processing of personal data or a specialist in the field of the protection of personal data in accordance with the laws and regulations regarding the protection of the personal data of a natural person. A joint stock company may submit an application to receive the licence concurrently with an application for the registration of the processing of personal data or the specialist for the protection of personal data; 4.3. it has no tax debts (including debts of mandatory State social insurance contributions) in total exceeding 150 euro; 4.4. it has not been prohibited from performing commercial activities in the field of financial services; 4.5. its licence has not been cancelled within the past three years, except the case, when the licence has been cancelled upon request of the joint stock company itself; and 4.6. it has not been punished within the past year for a significant administrative violation in the field of commercial activities or in the field of the protection of personal data. 5. In order to receive the licence, as well as during the term of validity of the licence, stockholders (founders), members of the council and of the board of directors of the joint stock company shall conform to the following requirements: 5.1. each stockholder (founder), who owns more than five per cent of the shares of the joint stock company, has good reputation; 5.2. members of the council and of the board of directors have good reputation, education necessary for the performance of their professional duties, and professional experience of three years in performing similar duties; 5.3. members of the council and of the board of directors have not been convicted for committing an intentional criminal offence (regardless of extinguishing or setting aside the criminal record); 5.4. if a criminal case for committing an intentional criminal offence has been initiated against the members of the council and of the board of directors, it has been terminated on a vindicatory basis; 5.5. members of the council and of the board of directors have not been punished within the past year for an administrative violation in the field of commercial activities or in the field of protection of personal data. 6. If a joint stock company has not been established in Latvia and has registered a subsidiary for the supply of services, the requirements that refer to the members of the council and of the board of directors of the joint stock company shall refer also to the person or persons managing the activity of the subsidiary in Latvia. 7. The requirements in respect of civil liability insurance of a joint stock company: 7.1. a joint stock company shall have a valid civil liability insurance contract during the entire term of validity of the licence, and it shall conform to the following requirements: 7.1.1. civil liability of the credit bureau for direct damages to third persons incurred due to its action or inaction in relation to the processing of credit information shall be the insurance object; 7.1.2. the minimum liability limit - 50 000 euros per year, and self-risk does not exceed 1500 euros per one insurable event; and 7.2. after disbursement of the insurance compensation to the third person, the credit bureau shall renew the minimum liability limit of the civil liability insurance within five working days. 8. Security and organisational management of information systems and processing of personal data (hereinafter - the system) of a joint stock company shall be provided in accordance with the laws and regulations regarding the protection of personal data and the Latvian National Standard, LVS ISO/IEC 27001:2014 L "Information technology. Security techniques - Information security management systems - Requirements", and this shall be certified by an external audit report (hereinafter - the audit report) in which conformity of the joint stock company with requirements of this Regulation is assessed. 9. The audit report shall be prepared: 9.1. prior to the receipt of the licence; 9.2. once in 12 months from the day of the receipt of the licence; and 9.3. upon request of the Data State Inspectorate. 10. The audit report shall be prepared by an expert included in the list drawn up by the Data State Inspectorate and published on its website based on the following requirements specified for the experts (hereinafter - the expert): 10.1. he or she has technical capabilities, necessary knowledge, and at least five-year experience in establishing conformity of security of information systems, equipment, and procedures, processing and protection of personal data with the requirements of laws and regulations and common guiding principles of the best practice; 10.2. he or she is legally and financially independent from the joint stock company and its direct stockholders, from indirect stockholders of the joint stock company that control more than five per cent of the shares, from other Latvian or foreign merchants that are in one group of companies with the joint stock company, and from the Data State Inspectorate; 10.3. he or she does not produce and supply information systems and other information technologies that are used to provide information of the credit bureau. 11. If during an audit the expert establishes that the joint stock company has intentionally provided false information, which may affect the operation of the credit bureau, the expert shall notify the Data State Inspectorate thereon. 12. The expert shall ensure non-disclosure of the information obtained during the audit (except information that is accessible to the public). III. Issuing and Re-registration of the Licence13. In order to receive the licence, a joint stock company shall submit an application to the Data State Inspectorate. The application shall contain the following information (attaching the documents certifying it): 13.1. information regarding the applicant (name, registration number, legal address, contact telephone, and electronic mail address of the joint stock company); 13.2. a list of the stockholders who own more than five per cent of the shares of the joint stock company; 13.3. if a member of the council or the board of directors of the joint stock company is a foreigner - a statement on criminal and administrative history issued by an institution of the country of permanent place of residence of the person, which maintains information regarding criminal record in accordance with the laws of the relevant state. The statement must have been issued not earlier than three months prior to the day of submitting the application for the receipt of the licence; 13.4. if the application is submitted by a foreign joint stock company that has registered a subsidiary in Latvia - a statement certified by a tax administration institution or a competent authority of the relevant state that the joint stock company has no tax debts (including debts of mandatory State social insurance contributions) in total exceeding 150 euros; 13.5. information that includes at least the following data: 13.5.1. a connection diagram of the computer network for the usable devices and servers; 13.5.2. a list of server data storage installations and network devices (indicating the name of the models); 13.5.3. a list of usable software with versions thereof; 13.5.4. an address of location of devices; 13.6. system security policy, safety and operational rules; 13.7. a documentation of risk assessment. It shall include also the following information: 13.7.1. the scope of application of the system; 13.7.2. the impact of the identified risks on the system performance (including assessment of the possibility of risk occurrence, material and non-material damages), impact on the system availability, confidentiality of data; 13.7.3. the following information shall be additionally indicated in case of system security violation: 13.7.3.1. contrary measures to prevent such violations; 13.7.3.2. means of protection that shall be used if security violations in respect of the information system occur recurrently; 13.7.3.3. a list of residual risks; 13.7.3.4. a list of the necessary improvements (in priority sequence); 13.8. the audit report; 13.9. information certifying the conformity of the joint stock company with the requirements referred to in Sub-paragraphs 5.1 and 5.2 and Paragraph 7 of this Regulation; 13.10. information regarding the types of sources of credit information, how the joint stock company plans to obtain credit information, as well as regarding categories of recipients of credit information; 13.11. a certification that processing of personal data, information systems, devices, and procedures comply with this Regulation and the Law On Credit Bureaus. The abovementioned certification shall be issued by the joint stock company that determines the objectives and means of processing of personal data and is liable for the processing of personal data; 13.12. if the joint stock company or any element that is necessary for its operation (for instance, devices or infrastructure) is located outside the Republic of Latvia - a document certifying that the Data State Inspectorate will be able to supervise the credit bureau in respect of the operation conducted outside the territory of the Republic of Latvia, affecting the work of the credit bureau in Latvia, or the elements outside the Republic of Latvia. 14. The Data State Inspectorate shall obtain the following information in order to take a decision to issue the licence: 14.1. from the State Revenue Service - the information referred to in Sub-paragraph 4.3 of this Regulation; 14.2. from the Enterprise Register - updated information regarding the joint stock company, its members of the board of directors and of the council; 14.3. from the Register of Punishments maintained by the Information Centre of the Ministry of the Interior - the information referred to in Sub-paragraphs 4.4, 4.6, 5.3, 5.4, and 5.5 of this Regulation; 14.4. other information from the institutions referred to in this Paragraph or other institutions, which is necessary in order to evaluate the conformity of the joint stock company with the requirements of this Regulation. 15. The Data State Inspectorate shall take a decision to issue the licence or to refuse to issue the licence within one month from the day all the information and documents referred to in Paragraphs 13 and 14 of this Regulation is received. 16. If all the documents referred to in this Regulation have not been attached to the application or the information referred to in Paragraphs 13 and 14 of this Regulation has not been provided, or the information provided is incomplete or inaccurate, or the documents have not been drawn up in accordance with the requirements of laws and regulations, or additional information is needed for taking of a decision, the Data State Inspectorate shall inform the joint stock company thereof in writing, indicating the deadline by which the joint stock company shall submit the relevant documents or information and shall respectively extend the time period for taking the decision referred to in Paragraph 15 of this Regulation. 17. After evaluating the information at the disposal thereof, the Data State Inspectorate shall take a decision to refuse to issue the licence in the following cases: 17.1. the joint stock company, its stockholders, members of the council or of the board of directors do not conform to the requirements of this Regulation; 17.2. the joint stock company has not provided the relevant documents or information until the term indicated by the Data State Inspectorate; 17.3. the information received does not convince the Data State Inspectorate of it being able to conduct supervision in accordance with the procedures and in the extent provided for in the Law On Credit Bureaus; 17.4. payment of the State fee for issuing of a licence for the operation of the credit bureau has not been settled. 18. After evaluating the information at the disposal thereof, the Data State Inspectorate is entitled to take a decision to refuse to issue a licence in the following cases: 18.1. the joint stock company has provided false information, and it affects compliance of the joint stock company with this Regulation; 18.2. the documents submitted for the receipt of the licence or information indicated therein does not comply with the requirements referred to in the laws and regulations, but it has no significant impact on compliance of the joint stock company with this Regulation. 19. The licence may be issued as an electronic document if the joint stock company has expressed such request. 20. The Data State Inspectorate shall indicate the day of entry into effect of the licence in the decision to issue the licence. 21. In order to re-register the licence, the credit bureau shall submit an application on re-registration of the licence to the Data State Inspectorate not earlier than four months and not later than two months prior to expiry of the term of validity of the licence. The Data State Inspectorate shall review the application for the re-registration of the licence within the same term and according to the same procedures that were applied to the application for receipt of the initial licence. 22. If any of the documents or information is at the disposal of the Data State Inspectorate with its full and updated content, a certification that there are no changes in the documents or information that was previously submitted to the Data State Inspectorate may be submitted instead of the relevant documents or information. IV. Changes in the duration of the Licence, Suspension of Operation and Cancellation of the Licence23. If the information indicated in the licence (name or legal address of the joint stock company) issued to the credit bureau is changed in the duration of the licence, the credit bureau shall submit an application to the Data State Inspectorate on the necessary amendments to the licence within three working days after the relevant changes enter into force. Documents certifying the facts referred to therein shall be attached to the application. 24. The Data State Inspectorate shall take a decision to make amendments to the licence or to refuse to make amendments to the licence within 10 working days after receipt of the information referred in Paragraph 23 of this Regulation. If additional information or verification of information is necessary, the time period may be extended by 30 days. 25. If any changes are introduced in terms of ensuring compliance with the requirements referred to in Chapter II of this Regulation or in the documents or information referred to in Paragraph 13 of this Regulation in the duration of the licence, the credit bureau shall submit information regarding the relevant changes by attaching documents and information certifying such changes to the Data State Inspectorate within 30 days from the day of the occurrence of such changes. If there are changes in terms of ensuring the implementation of system safety and organisational management, which does not affect personal data protection and information security, the credit bureau shall submit such information to the Data State Inspectorate within one year. 26. As for changes in respect of the information that has been previously submitted to the Data State Inspectorate and that affect conformity with the requirements referred to in Sub-paragraph 4.1 of this Regulation, changes to the documents or information referred to in Sub-paragraphs 13.2 and 13.12 of this Regulation, the credit bureau shall inform the Data State Inspectorate thereon at least 15 days prior to their entering into effect. 27. If a person wishes to become a stockholder of a credit bureau with a share of at least five per cent of the equity capital of the credit bureau, a member of the council or of the board of directors, the person shall give a one-month prior notice to the Data State Inspectorate thereon and shall submit all the necessary documents that certify his or her compliance with the requirements of this Regulation in respect of the stockholder, member of the council or of the board of directors of the credit bureau. 28. Within one month after receipt of all the necessary documents, the Data State Inspectorate shall provide an opinion to the person who wishes to become a stockholder of a credit bureau with a share of at least five per cent of the equity capital of the credit bureau, a member of the council or of the board of directors, whether he or she conforms to the requirements of this Regulation in respect of the stockholder, member of the council or of the board of directors. 29. The Data State Inspectorate is entitled to take a decision to suspend the operation of the licence of a credit bureau for a time period of up to six months in the following cases: 29.1. the credit bureau, its stockholders, members of the board of directors or of the council do not conform to the requirements referred to in Chapter II of this Regulation; 29.2. the credit bureau has not repeatedly submitted the requested documents and information to the Data State Inspectorate for conducting an examination of the credit bureau or does not cooperate with the Data State Inspectorate; 29.3. operation of the credit bureau does not comply with the requirements of the Law On Credit Bureaus, the requirements of this Regulation, or the requirements of the laws and regulations regarding the protection of personal data or a decision of the Data State Inspectorate, which is binding to the credit bureau, is not fulfilled within the set term; 29.4. the amount of overdue taxes, duties or other mandatory payments of the credit bureau exceeds 150 euros and the delay in payment term thereof exceeds one month following the end of the payment term; 29.5. the annual State fee for the supervision of the operation of the credit bureau has not been paid. 30. If the credit bureau has eliminated the violations established in the decision of the Data State Inspectorate to suspend the operation of the licence, the Data State Inspectorate shall take a decision to renew the licence within 10 working days after the day the credit bureau or other institution has submitted all the necessary information, which certifies the elimination of the violation, to the Data State Inspectorate. If additional information or verification of information is necessary for taking of a decision, the time period may be extended by 30 days. After renewal of the licence, it shall be valid by the end of the term of validity of the initial licence. 31. Immediately after taking of the decision to renew the suspended licence, the Data State Inspectorate shall issue a notification drawn up in written form to the credit bureau. 32. The Data State Inspectorate shall take a decision to cancel the licence in the following cases: 32.1. within one year after the Data State Inspectorate has taken a decision to issue the licence, the credit bureau has not launched operation of the credit bureau or has temporarily suspended the operation of the credit bureau for a time period that exceeds six months in duration. This period of time shall not include the period of time when the decision to suspend the operation of the licence of the credit bureau taken by the Data State Inspectorate is in force; 32.2. the credit bureau has submitted an application with a request to cancel the licence; 32.3. the credit bureau has been declared insolvent or a decision of stockholders to initiate liquidation proceedings has been taken; 32.4. a court decision has been rendered or information in respect of the termination of the operation of the credit bureau has been included in the Commercial Register; 32.5. operation of the licence has been temporarily suspended and the credit bureau during this period of time has not eliminated the violations that were the reason for suspending the operation of the licence. 33. If, within one year after the Data State Inspectorate has taken a decision to issue the licence, the credit bureau has not launched operation of the credit bureau or has temporarily suspended the operation of the credit bureau for a time period that exceeds six months in duration, it shall give a written notice to the Data State Inspectorate thereon without delay. 34. The Data State Inspectorate is entitled to take a decision to cancel the licence in the following cases: 34.1. a significant breach of the laws and regulations regarding the operation of the credit bureau, other commercial activities, or protection of personal data has been established; 34.2. the credit bureau recurrently within one year does not execute a decision or instruction of the Data State Inspectorate; 34.3. the credit bureau has intentionally provided false information to the Data State Inspectorate regarding the conformity with the requirements referred to in Chapter II of this Regulation. 35. The day of the entering into effect of a decision to suspend or cancel the licence shall be indicated in the decision taken by the Data State Inspectorate. V. Amount and Procedures for Payment of the State Fees36. The amount of the State fee for issuing of a licence shall be 9100 euros. The amount of the State fee for the re-registration of a licence shall be 4550 euros. The relevant fee shall be paid prior to submitting the relevant application to the Data State Inspectorate. 37. The amount of the annual State fee for the supervision of the operation of a credit bureau shall be 16 220 euros. The relevant fee shall be paid within one month after issuing of the licence and each forthcoming year by the date the licence has been issued. 38. The provider of services of a credit bureau shall pay the State fee through the intervention of a credit institution or such institution, which has the right to provide payment services, indicating the payment purpose - the State fee for the issuing or re-registration of a licence or for the supervision of the operation of the credit bureau. 39. The State fee shall be transferred to the revenue account of the State basic budget in the Treasury. 40. If the Data State Inspectorate refuses the issuing or re-registration of a licence, the State fee referred to in Paragraph 36 of this Regulation shall not be returned. 41. If the licence is cancelled, the State fee paid by the joint stock company for the issuing or re-registration of a licence or for the supervision of the operation of the credit bureau shall not be returned. Prime Minister Laimdota Straujuma Minister for Justice Dzintars Rasnačs
Translation © 2016 Valsts valodas centrs (State Language Centre) |
Document information
Title: Kredītinformācijas biroju licencēšanas un uzraudzības noteikumi
Status:
In force
Language: Related documents
|