Šajā tīmekļa vietnē tiek izmantotas sīkdatnes. Turpinot lietot šo vietni, jūs piekrītat sīkdatņu izmantošanai. Uzzināt vairāk.
Teksta versija
LEGAL ACTS OF THE REPUBLIC OF LATVIA
home
 

The Saeima 1 has adopted and
the President has proclaimed the following law:

Personal Data Processing Law

Chapter I
General Provisions

Section 1. Terms Used in this Law

The terms specified in Article 4 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter - the Data Regulation) are used in the Law.

Section 2. Purpose of this Law

The purpose of this Law is to create legal preconditions for setting up of a system for the protection of personal data (hereinafter - the data) of a natural person at a national level by providing for the institutions necessary for such purpose, determining the competence and basic principles of operation thereof, as well as regulating operation of data protection officers and provisions of data processing and free movement.

Chapter II
Tasks and Status of the Data State Inspectorate

Section 3. Data State Inspectorate

(1) The Data State Inspectorate (hereinafter - the Inspectorate) is an institution of direct administration under the supervision of the Cabinet which is a data supervisory authority within the meaning of the Data Regulation and carries out the tasks in the area of data processing specified in the Data Regulation and this Law.

(2) The aim of the operation of the Inspectorate is to protect fundamental human rights and freedoms in the area of data protection.

(3) The Inspectorate shall be independent in the operation thereof.

(4) Staff working in the Inspectorate shall take decisions independently, on the basis of its convictions and laws, taking into account that persons are equal before law and court, presumption of innocence, verity and legality.

(5) The Cabinet shall implement institutional supervision through the Minister for Justice. Supervision shall not refer to the implementation of tasks and rights specified for the Inspectorate, as well as internal organisational issues of the Inspectorate, including issue of internal regulations, preparation of a statement, and decisions which refer to the staff working in the Inspectorate (for example, decisions to appoint and remove the staff from the office, transfer the staff and coordinate the transfer thereof, send the staff on official travel, initiate, examine disciplinary matters, and apply disciplinary sanctions).

(6) The Inspectorate shall be financed from the State budget.

(7) The Inspectorate shall have the State budget account in the Treasury, a seal with an image of the supplemented lesser State coat of arms and the full name of the Inspectorate.

Section 4. Tasks of the Inspectorate

(1) The Inspectorate shall carry out the tasks specified in Article 57 of the Data Regulation, as well as the following tasks:

1) supervise the conformity of processing of personal data to the requirements of laws and regulations in cases where the controller has been prohibited by law to provide information to a data subject and a relevant submission has been received from the data subject;

2) promote efficiency of data protection;

3) ensure data protection certification procedure;

4) ensure qualification check of data protection officers and maintain a list of the data protection officers who have passed the qualification examination;

5) provide recommendations to the Saeima, the Cabinet, local governments and other institutions according to its competence with regard to the issue or amending of laws and regulations, as well as participate in the development of draft laws and regulations and development planning documents, and provide an opinion on draft laws and regulations and development planning documents prepared by other institutions;

6) provide opinions on the conformity of data processing systems to be created in the State administration institutions to the requirements of laws and regulations;

7) provide an opinion to the national accreditation body on the conformity of the certification body to the requirements of Article 43(2) of the Data Regulation and in accordance with the requirements and criteria of the Inspectorate laid down in accordance with Article 43(3) of the Data Regulation;

8) cooperate with foreign supervisory authorities engaged in data protection, openness of and access to information, and prohibition to send a commercial communication;

9) ensure that an information request of a data subject regarding himself or herself is forwarded to the European Judicial Cooperation Unit (Eurojust) and European Police Office (Europol);

10) represent the Republic of Latvia in international organisations and events in the area of data protection;

11) carry out studies, analyse situation, provide recommendations and opinions, as well as inform the public of current issues in the areas of its competence;

12) perform tasks laid down in other laws and regulations.

(2) The Inspectorate shall publish information on its website regarding violations of the requirements of the Data Regulation which have been committed by legal persons governed by public law, institutions and officials thereof, as well as other public institutions, and elimination thereof.

Section 5. Rights of the Inspectorate

(1) The Inspectorate has the rights specified in Article 58 of the Data Regulation, as well as the following rights:

1) to conduct inspection of data processing (hereinafter - the inspection) in order to determine conformity of the data processing to the requirements of laws and regulations;

2) to draw up administrative violation reports, examine administrative violation matters and impose administrative sanctions for violations over the examination of which it has jurisdiction;

3) to request and receive, according to its competence, to the specified extent and in the form free of charge from private persons, State administration institutions and officials the information, documents or copies thereof and other materials necessary for the inspection, including information of limited accessibility;

4) to visit State administration institutions and production facilities, warehouses, commercial and other non-residential premises owned, possessed or used by legal and natural persons in the territory of Latvia in order to verify conformity of the operation of the controller to the requirements of laws and regulations within the scope of its competence;

5) to become acquainted freely, according to its competence, with all types of information available in registers, information systems and databases and access it (irrespective of owner of the information) in order to obtain the information necessary for the inspection;

6) to request and receive, according to its competence, the information, documents and other materials regarding services provided to persons which are necessary for the inspection;

7) to request and receive an opinion of an independent and objective expert within the scope of the inspection;

8) to provide answers in the English language when examining complaints of non-residents in cooperation with other supervisory authorities;

9) to bring an action before court for violations of this Law or the Data Regulation.

(2) Authority of officials of the Inspectorate shall be certified by a service identification document.

Chapter III
Organisation of Operation of the Inspectorate

Section 6. Director of the Inspectorate

(1) The Inspectorate shall be managed and represented by its Director. The Cabinet shall appoint the Director of the Inspectorate for a period of five years upon recommendation of a commission established by the Cabinet. The same person may be the Director of the Inspectorate for not more than two consecutive terms.

(2) The Director of the Inspectorate shall:

1) perform the functions of the head of an institution of direct administration laid down in the State Administration Structure Law;

2) establish advisory councils, as well as working groups for the examination of issues in the areas of competence of the Inspectorate;

3) participate in the meeting of the State Secretaries, meetings of the committees of the Cabinet, and Cabinet meetings in an advisory capacity;

4) appoint and remove from the office officials and employees of the Inspectorate;

5) approve by-laws of the Inspectorate;

6) determine offices of officials and employees in the Inspectorate.

(3) The Cabinet shall announce an open competition for the office of the Director of the Inspectorate, lay down conditions and procedures by which candidates may apply for the office of the Director of the Inspectorate, as well as the procedures for selecting and evaluating candidates.

(4) Selection of the candidates for the office of the Director of the Inspectorate shall be performed by a commission which is chaired by the Director of the State Chancellery. The commission shall be composed of the Director of the State Chancellery, the Minister for Justice, the ombudsman and the Chief of the Security Police. Authorised representatives of not more than three associations and foundations which operate in the area of human rights or data protection shall participate in the selection of the candidates for the office of the Director of the Inspectorate in advisory capacity.

(5) Functions of the secretariat of the commission shall be ensured by the State Chancellery.

(6) Provisions laid down in other laws and regulations regarding performance, assessment of results thereof, suspension and disciplinary liability of the head of an institution, as well as other legal norms restricting independence of the Director of the Inspectorate shall not apply to the Director of the Inspectorate.

Section 7. Requirements for the Director of the Inspectorate

The Director of the Inspectorate may be a person who conforms to the mandatory requirements for an official specified in the State Civil Service Law and:

1) has an impeccable reputation;

2) is competent in at least two foreign languages;

3) has obtained a professional qualification appropriate for the performance of tasks of the Inspectorate and practical work experience in the area of data protection and position of a head;

4) is entitled to receive a special permit for access to the official secret;

5) has not obtained the status of a debtor in accordance with the Maintenance Guarantee Fund Law;

6) for whom insolvency proceedings of a natural person have not been declared, or five years have passed since the day of the termination thereof.

Section 8. Termination of the Powers of the Director of the Inspectorate

Powers of the Director of the Inspector shall terminate without a special decision:

1) within a month from the day he or she has submitted a notice of resignation from the office to the Cabinet;

2) upon expiry of the term of office specified in the Law;

3) upon entering into effect of a ruling by which he or she has been punished for an intentional criminal offence;

4) as a result of his or her death.

Section 9. Removal of the Director of the Inspectorate from Office

(1) The Cabinet shall remove the Director of the Inspectorate from office prior to the expiry of the term of his or her office if he or she:

1) has been elected or appointed to the office which is incompatible with the office of the Director of the Inspectorate;

2) has committed an intentional breach of law or negligence during the performance of his or her duties, and thus caused significant damage to the State or a person;

3) has failed to comply with the restrictions and prohibitions specified in the law On Prevention of Conflict of Interest in Activities of Public Officials, and thus caused damage to the State or a person;

4) fails to comply with the requirements laid down for the office of the Director of the Inspectorate;

5) fails to perform his or her office duties due to his or her state of health;

6) fails to perform his or her duties without a justified reason.

(2) The commission referred to in Section 6, Paragraph four of this Law shall examine an issue regarding removal of the Director of the Inspectorate from office on the basis of a proposal by the Minister for Justice. If the commission establishes presence of any of the grounds for removal of the Director of the Inspectorate from office specified in Paragraph one of this Section, it shall draw up a relevant decision and send it to the Cabinet. The procedures for establishing the commission, as well as for the operation and decision-taking thereof shall be laid down by the Cabinet.

Section 10. Suspension of the Powers of the Director of the Inspectorate

(1) If a security measure related to deprivation of liberty has been applied to or criminal prosecution has been commenced against the Director of the Inspectorate, the Minister for Justice shall suspend his or her powers until the moment a judgement of acquittal enters into effect in the relevant criminal case or criminal proceedings are terminated against him or her on the basis of exoneration.

(2) During the period of suspension of the powers of the Director of the Inspectorate he or she shall be paid the minimum monthly wage specified in the State.

(3) If the Director of the Inspectorate is found guilty of a criminal offence under the procedures laid down in the law, he or she shall be considered removed from office starting from the day of the suspension of powers, and he or she shall not receive work remuneration for the period of suspension of the powers. If the Director of the Inspectorate is acquitted or criminal proceedings are terminated against him or her, he or she shall receive work remuneration for the period of suspension of the powers, unless this Law stipulates other grounds for his or her removal from office.

(4) If criminal proceedings are terminated against the Director of the Inspectorate for reasons other than exoneration, the issue regarding his or her removal from office shall be examined by the commission referred to in Section 6, Paragraph four of this Law.

Section 11. Deputy Director of the Inspectorate

(1) The Deputy Director of the Inspectorate shall be appointed by the Director of the Inspectorate.

(2) During the absence of the Director of the Inspectorate his or her duties shall be performed by the Deputy Director of the Inspectorate who has the same powers as the Director of the Inspectorate in this period.

(3) In the cases provided for in Sections 8, 9, and 10 of this Law the Deputy Director of the Inspectorate shall perform duties of the Director of the Inspectorate until the moment the Cabinet approves a new Director of the Inspectorate in office or the Minister for Justice restores powers of the Director of the Inspectorate. Until this moment the Deputy Director of the Inspectorate shall have the same powers as the Director of the Inspectorate.

Section 12. By-laws of the Inspectorate

By-laws of the Inspectorate shall stipulate the structure, internal operating rules, internal control system and monitoring thereof, pre-control and post-control procedures of decisions of the Inspectorate, as well as the content and form of service identification document of an official of the Inspectorate. They shall be approved by the Director of the Inspectorate and published on the website of the Inspectorate.

Section 13. Reports on the Operation

The Inspectorate shall, on an annual basis by 1 March, submit a report on the operation to the Saeima, the Cabinet, the Supreme Court, the European Commission, and European Data Protection Board, as well as make it available on its website.

Section 14. Prohibition of Disclosure of Information and Obligation of Informing

(1) It shall be prohibited for the staff working in the Inspectorate, as well as for the experts invited by the Inspectorate to disclose information (except for the publicly available information) which they have obtained with regard to the performance of tasks in the Inspectorate. This prohibition shall also be valid after termination of service or employment relationships.

(2) When communicating the information related to the performance of the task to an expert the Inspectorate shall notify the expert of the prohibition to disclose it and the liability provided for in laws and regulations for illegal disclosure of information.

(3) The Inspectorate shall inform the controller or processor of the involvement of an expert and the information communicated to the expert.

Chapter IV
Procedures for Conducting Inspections

Section 15. Inspection

(1) Inspection shall include all types of activities which the Inspectorate carries out in order to ascertain conformity of the data processing to the Data Regulation and requirements of other laws and regulations, including visiting of the place of data processing, obtaining of information by using all legal methods, and other necessary activities.

(2) Within the scope of the inspection prior to visiting of the place of data processing, the Inspectorate shall inform the controller of the purpose, time and place of the planned visit and ask to ensure presence of an authorised representative of the controller. Failure to ensure presence of an authorised representative of the controller shall not constitute an obstacle to conducting of the inspection.

(3) Within the scope of the inspection officials of the Inspectorate have the right to visit the place of data processing in the presence of an authorised representative or employee of the controller by presenting a service identification document and informing of the subject and purpose of the inspection.

(4) When engaging in procedural actions referred to in Paragraph one of this Section an official of the Inspectorate shall inform authorised representatives and employees of the controller or processor of their rights.

(5) In order to determine a status of information of limited accessibility for the information or any part thereof to be provided to the Inspectorate, an information provider shall precisely indicate the relevant documents and the grounds for the need to determine the relevant status.

(6) If an information provider has failed to comply with the requirements referred to in Paragraph five of this Section, or a proposal to determine the status of information of limited accessibility for the specific information is unfounded, the Inspectorate shall communicate this to the information provider.

(7) If the deficiencies referred to in Paragraph six of this Section are not eliminated within seven days from the day of the receipt of the communication from the Inspectorate, the provided information may only be protected as information for internal use by an institution in accordance with the procedures laid down in the Freedom of Information Law. The Inspectorate shall communicate this to the information provider.

(8) The Inspectorate may request that a person, who provides information for which it is necessary to determine the status of information of limited accessibility, appends to the said information a copy of generally accessible information which does not include information of limited accessibility.

Section 16. Minutes of a Procedural Action

(1) Officials of the Inspectorate shall record the procedural actions referred to in Section 15 of this Law in minutes of a procedural action.

(2) The minutes of a procedural action shall indicate:

1) the place and date of the action;

2) legal basis of the action;

3) the time when the action was commenced and completed;

4) the position, given name, and surname of the performers of the action;

5) the position, given name, and surname of the taker of the minutes;

6) the position, given name, and surname of the persons - parties to the action;

7) the course of the action and established facts;

8) the documents obtained in the course of the action.

(3) The documents obtained in the course of a procedural action shall be appended to the minutes.

(4) The performer of a procedural action shall familiarise the persons who participate in the relevant action with the content of the minutes of such procedural action and annexes thereto. Any corrections and supplements suggested by the persons shall be recorded in the minutes of the procedural action.

(5) The performer of a procedural action, the taker of minutes, and all the persons who participated in the relevant action shall sign the minutes of the procedural action as a whole and each page thereof separately. Only the minutes of the procedural action as a whole shall be signed electronically. If a person refuses to sign, this shall be recorded in the minutes by indicating the reason for such refusal.

(6) The performer of a procedural action shall issue a copy of the minutes to a person against whom the inspection has been commenced.

Chapter V
Data Protection Officer

Section 17. Requirements for the Data Protection Officer

Duties of the data protection officer may be performed by a person who complies with the criteria specified in Article 37(5) of the Data Regulation. The controller or processor may appoint a person who, in accordance with the procedures laid down in this Law, has been included in the list of data protection officers of the Inspectorate, or another person as the data protection officer.

Section 18. List of Data Protection Officers

(1) For the purpose of identifying data protection officers who have passed the qualification examination and ensuring that information regarding data protection officers is accessible, the Inspectorate shall compile a list of data protection officers. The list of data protection officers shall only include the persons who have passed the qualification examination.

(2) The list of data protection officers shall include the following data on the person:

1) the given name, surname, and personal identity number;

2) the date when the person was included in the list of data protection officers;

3) electronic mail address.

(3) A data protection officer shall immediately notify the Inspectorate in writing of any established errors and amendments to the data included in the list of data protection officers with regard to him or her.

(4) The list of data protection officers (except for personal identity number) is publicly available on the website of the Inspectorate.

(5) The Cabinet shall lay down the procedures for maintaining the list of data protection officers.

Section 19. Qualification Examination of Data Protection Officer

(1) Qualification examination of data protection officer shall be organised by the Inspectorate.

(2) If a person passes the qualification examination of data protection officer, the Director of the Inspectorate shall take a decision to include him or her in the list of data protection officers.

(3) The Cabinet shall determine the procedures for applying of applicants, the content and course of the qualification examination, the procedures for evaluation thereof, the fee for taking of the qualification examination, and the procedures for collecting it, as well as the requirements for maintenance of professional qualification.

Section 20. Exclusion from the List of Data Protection Officers

(1) A data protection officer shall be excluded from the list of data protection officers under a decision by the Director of the Inspectorate in the following cases:

1) he or she has submitted a respective written request to the Inspectorate;

2) the court has established trusteeship over him or her;

3) he or she has been deprived of the right to work as a data protection officer by a court judgement or other restrictions have been determined that prevent the performance of professional duties;

4) he or she is dead or declared missing;

5) he or she has failed to comply with the requirements for the maintenance of professional qualification specified in the Cabinet regulations.

(2) A person who has been excluded from the list of data protection officers in accordance with Paragraph one, Clause 1, 2 or 3 of this Section may request to renew him or her in the list, and the Inspectorate re-includes him or her in the list of data inspection officers if the reasons for which the person was excluded from the list have been eliminated. Such person shall take the qualification examination of data protection officer if at least two years have passed since the day he or she was excluded from the list of data protection officers.

Chapter VI
Certification Bodies and Supervisory Authorities of Code of Conduct

Section 21. Accreditation of a Certification Body

(1) Pursuant to Article 43(1)(b) of the Data Regulation, a certification body shall be assessed, accredited and supervised by the national accreditation body in accordance with the laws and regulations regarding conformity assessment and in compliance with the requirements and criteria of the Inspectorate specified in Article 43(3) of the Data Regulation.

(2) A certification body shall be accredited if an opinion has been received from the Inspectorate on the conformity of the certification body to the requirements of Article 43(2) of the Data Regulation and in accordance with the requirements and criteria of the Inspectorate laid down in accordance with Article 43(3) of the Data Regulation.

(3) The national accreditation body shall, within five working days after accreditation of a certification body, suspension or withdrawal of accreditation thereof, send the information regarding certification body referred to in Paragraph four of this Section to the Inspectorate.

(4) The Inspectorate shall publish and update the following information regarding certification body on its website:

1) the name;

2) the registration number;

3) the contact information (legal address, telephone, electronic mail address);

4) the date and term of the granting of accreditation;

5) the date and term of the suspension of accreditation;

6) the date of the withdrawal of accreditation.

(5) In the case of changes in the information referred to in Paragraph four, Clause 1, 2 or 3 of this Section the national accreditation body shall, within five working days, inform the Inspectorate of changes in the information regarding a certification body. The Inspectorate shall, within five working days after receipt of the information, update the relevant information on its website.

(6) The criteria and requirements for accreditation of certification bodies referred to in Article 43(3) of the Data Regulation and the criteria for the issue of a certificate referred to in Article 42(5) of the Data Regulation shall be approved by the Director of the Inspectorate and published on the website of the Inspectorate not later than within three working days after the day of approval thereof.

(7) The Inspectorate has the right to conduct a certification procedure and issue a data certificate if no body is accredited.

Section 22. Accreditation of Supervisory Authority of Code of Conduct

(1) The Inspectorate shall, in accordance with Article 41(1) of the Data Regulation, issue a licence for five years to a supervisory authority of code of conduct which has an appropriate level of expertise in relation to the subject-matter of the code of conduct and supervises implementation of the code.

(2) The Cabinet shall specify requirements for the receipt of a licence for a supervisory authority of code of conduct, as well as the procedures for issuing, suspending and withdrawing of the licence and the relevant cases.

(3) A supervisory authority of code of conduct shall pay a State fee for the issue of the licence. The amount of the State fee and the procedures for paying thereof shall be determined by the Cabinet.

(4) The Inspectorate shall publish and update the following information regarding supervisory authority of code of conduct on its website:

1) the name;

2) registration number;

3) the contact information (legal address, telephone, electronic mail address);

4) the date of the granting of the licence;

5) the date of the suspension or withdrawal of the licence.

(5) In the case of changes in the information referred to in Paragraph four, Clause 1, 2 or 3 of this Section a supervisory authority of code of conduct shall, within five working days after the changes enter into effect, submit a submission regarding changes to the Inspectorate. The Inspectorate shall, within five working days after receipt of the submission, update the relevant information on its website.

Chapter VII
Procedures for Taking, Contesting and Appealing Decisions

Section 23. Taking of Decisions

When taking the decisions referred to in Article 58 of the Data Regulation, the Inspectorate shall apply the Administrative Procedure Law with regard to the imposition of a legal obligation, and the laws and regulations governing administrative violation proceedings (procedure) with regard to administrative violations, insofar as this Law and the Data Regulation do not prescribe otherwise.

Section 24. Contesting and Appealing Decisions of the Inspectorate

(1) An administrative act issued by or actual action of an official of the Inspectorate may be contested in accordance with the procedures laid down in the Administrative Procedure Law by submitting a respective submission to the Director of the Inspectorate.

(2) An administrative act issued by or actual action of the Director of the Inspectorate may be appealed in accordance with the procedures laid down in the Administrative Procedure Law. Appeal of an administrative act of the Director of the Inspectorate shall not suspend operation of such act.

Chapter VIII
Data Processing and Rights of a Data Subject

Section 25. General Provisions for Data Processing

(1) Data processing shall be permitted if at least one of the grounds specified in Article 6(1) of the Data Regulation is present. Requirements referred to in Article 6(2) and (3) of the Data Regulation for the data processing necessary for the performance of a legal obligation applicable to the controller, a task which the controller carries out in the public interest, or for the exercise of official powers vested in the controller, have been specified in the laws and regulations governing the relevant area.

(2) It shall be allowed to process data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data of a natural person for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation, if at least one of the grounds referred to in Article 9(2) of the Data Regulation is present or data processing is provided for in external laws and regulations in accordance with Article 9(4) of the Data Regulation.

(3) Data processing shall be conducted in compliance with the principles relating to data processing specified in Article 5 of the Data Regulation, including those which stipulate that data are to be collected for specified, explicit and legitimate purposes and only to the extent necessary for the achievement of the purposes of data processing. It shall be allowed to process data for purposes other than those for which data were collected initially, if such data processing is not prohibited and any of the grounds for the data processing specified in the Data Regulation is present or data processing according to the Data Regulation is compatible with the initial purposes.

(4) Other requirements of the Data Regulation, this Law and laws and regulations governing the relevant area shall also be complied with in the data processing.

Section 26. Restrictions of the Rights of a Data Subject

(1) Rights of a data subject may also be restricted in cases provided for in other laws and regulations which are not referred to in Sections 27, 28, 29, 30, 31, 32, 34, and 36 of this Law in accordance with Article 23 of the Data Regulation.

(2) In accordance with the procedures laid down in the Civil Procedure Law, a claim for prevention of a delict shall, if the delict has been inflicted as a result of breach of the requirements of the Data Regulation, be brought not later than five years after the day of infliction of the delict but if the delict is sustained - from the day of cessation of the delict.

Section 27. Restriction of the Right of Access by a Data Subject

(1) A data subject does not have the right to receive the information specified in Article 15 of the Data Regulation if it is prohibited to disclose such information in accordance with the laws and regulations regarding national security, national protection, public safety and criminal law, as well as for the purpose of ensuring public financial interests in the areas of tax protection, prevention of money laundering and terrorism financing or of ensuring of supervision of financial market participants and functioning of guarantee systems thereof, application of regulation and macroeconomic analysis.

(2) In accordance with Article 15 of the Data Regulation, the information to be provided to a data subject may not include a reference to public institutions which are persons directing criminal proceedings or bodies performing operational activities, and other institutions regarding which disclosure of such information is prohibited by law.

(3) A data subject may receive information regarding recipients or categories of recipients of its data to which data have been disclosed over the last two years.

Section 28. Data Processing in the Official Publication

(1) Articles 16, 17, 18, 19, 20, and 21 of the Data Regulation shall not be applied, if the data processing is conducted in accordance with the laws and regulations for the ensuring of an official publication.

(2) A publisher of an official publication shall erase the data published in the official publication on the basis of the following:

1) the decision of the Inspectorate;

2) the reasoned decision of the controller who confirms that publishing of such data in the official publication fails to comply with provisions of the Data Regulation.

(3) The Inspectorate may take a decision to erase the data published in the official publication, if violation of the right of a data subject to private life is greater than the benefit of the public from invariability of the official publication.

Section 29. Data Processing for Statistical Purposes

If data are processed for statistical purposes, the rights of a data subject specified in Articles 15, 16, 18, and 21 of the Data Regulation shall not be applied, insofar as they may render impossible or seriously impair achievement of the specific purposes, and derogations are necessary for the achievement of such purposes.

Section 30. Data Processing for Archiving Purposes in the Public Interest

(1) If data are processed for archiving purposes in the public interest in order to create, collect, evaluate, preserve and use national documentary heritage, a data subject shall exercise the rights specified in Articles 15 and 16 of the Data Regulation in accordance with the laws and regulations governing the area of archives.

(2) If data are processed for archiving purposes in the public interest in order to create, collect, evaluate, preserve and use national documentary heritage, the rights of a data subject specified in Articles 18, 19, 20, and 21 of the Data Regulation shall not be applied, insofar as they may render impossible or seriously impair achievement of the specific purposes, and derogations are necessary for the achievement of such purposes.

Section 31. Data Processing for Scientific or Historical Research Purposes

If data are processed for scientific or historical research purposes in the public interest, the rights of a data subject specified in Articles 15, 16, 18, and 21 of the Data Regulation shall not be applied, insofar as they may render impossible or seriously impair achievement of the specific purposes, and derogations are necessary for the achievement of such purposes.

Section 32. Data Processing Related to Freedom of Expression and Information

(1) A person has the right to process data for the purposes of academic, artistic or literary expression in accordance with laws and regulations, as well as to process data for journalistic purposes, if this is done with the aim of publishing information for reasons of public interest.

(2) When processing data for journalistic purposes, provisions of the Data Regulation (except for Article 5) shall not be applied if all of the following conditions are present:

1) data processing is conducted to exercise rights to freedom of expression and information by respecting the right of a person to private life, and it does not affect interests of a data subject which require protection and override the public interest;

2) data processing is conducted for the purpose of publishing information for reasons of public interest;

3) compliance with the provisions of the Data Regulation is incompatible with or prevents the exercise of the rights to freedom of expression and information.

(3) When processing data for the purposes of academic, artistic or literary expression, provisions of the Data Regulation (except for Article 5) shall not be applied if all of the following conditions are present:

1) data processing is conducted by respecting the right of a person to private life, and it does not affect interests of a data subject which require protection and override the public interest;

2) compliance with the provisions of the Data Regulation is incompatible with or prevents the exercise of the rights to freedom of expression and information.

Section 33. Conditions for a Child's Consent in Relation to Information Society Services

If, in accordance with Article 8 of the Data Regulation, the consent of a data subject is necessary for the direct provision of information society services but the data subject is a child, his or her consent shall be considered basis for the data processing and processing of his or her data shall be lawful, provided that the child is not below 13 years of age or, in the case of a child who has not yet reached 13 years of age, the consent is given by his or her parent or legal guardian.

Section 34. Data Processing in the Area of Criminal Law

Data processing for the purposes other than those initially intended shall be permissible in the area of criminal law:

1) in accordance with the laws and regulations which introduce the application of the Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA;

2) to use the data in administrative or civil proceedings, as well as in the activity of public officials authorised by law if it is related to the prevention, detection, investigation or prosecution of criminal offences, enforcement of criminal penalties, proceedings regarding criminally acquired property, compulsory measures of medical or correctional nature or coercive measures for legal persons or the course and enforcement of examination de novo of valid rulings;

3) to prevent immediate significant threat to public security;

4) if a data subject has given his or her consent to data processing.

Section 35. Rights of a Data Subject in Relation to Data Processing in the Eurojust and Europol

(1) A data subject has the right to submit a request to the Inspectorate for processing of his or her data or for inspection of processing of his or her data in the Eurojust or Europol.

(2) The Inspectorate shall, upon receipt of the request referred to in Paragraph one of this Section, immediately, but not later than within a month from the day of the receipt thereof, forward the request to the Eurojust or Europol respectively for examination, and inform a data subject about it.

Section 36. Video Surveillance Conditions

(1) Requirements of this Law and the Data Regulation shall not apply to data processing which natural persons conduct by using automated data recording facilities in road traffic, for personal or household purposes. It shall be prohibited to disclose the records obtained in road traffic to other persons and institutions, except for the cases when any of the grounds for data processing specified in the Data Regulation is present.

(2) Requirements of this Law and the Data Regulation shall not apply to data processing which natural persons conduct by using automated video surveillance facilities for personal or household purposes. Surveillance of public space on a large scale or cases when technical aids are used for structuring of information shall not be considered as data processing for personal or household purposes.

(3) If the controller uses an informative note to inform data subjects of video surveillance, the said note shall indicate at least the name, contact information of the controller, purpose for data processing, as well as include an indication of the possibility to obtain other information specified in Article 13 of the Data Regulation.

Section 37. Audit Trails

(1) Within the meaning of this Section, audit trails shall be registered data available for analysis regarding specific events in the information system (for example, data regarding access to the information system, input, amendment, erasure and sending of data).

(2) If an obligation is imposed on the controller to ensure storage of audit trails of the system, they shall be stored for not longer than one year after making of an entry, unless laws and regulations or nature of processing stipulates otherwise.

(3) The controller has the right not to submit the information referred to in Article 15 of the Data Regulation to the data subject if the controller no longer has audit trails at his or her disposal in which the information requested by the data subject is available.

(4) The controller does not have an obligation to save information in audit trails for the sole purpose of meeting request of the data subject.

Transitional Provisions

1. With the coming into force of this Law the Personal Data Protection Law (Latvijas Republikas Saeimas un Ministru Kabineta Ziņotājs, 2000, No. 9; 2002, No. 23; 2007, Nos. 3, 8; 2008, No. 7; 2009, No. 14; Latvijas Vēstnesis, 2010, No. 78; 2012, No. 104; 2014, No. 38) is repealed.

2. Until the moment when the law comes into force which introduces in Latvia the requirements of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, but not later than by 1 July 2019 with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, Section 2, Section 3, Paragraphs one and four, Sections 4, 6, 7, 8, and 9, Section 10, Paragraphs one, two, three, and four, Section 11, Clauses 3, 6, 10, and 11, Sections 12, 13, and 14, Section 15, Paragraphs one and two, Paragraph three, Clauses 1, 2, 3, 4, and 6, Paragraphs four and five, Sections 16 and 20, Section 21.1, Paragraphs one, three, and four, Section 21.2, Paragraph one, Section 25, Paragraph one, Section 27, Section 28, Paragraph one, Paragraph two, Clauses 3 and 4, Section 29, Paragraph one, Paragraph three, Clauses 1, 2, and 4, Paragraph four, Clauses 1, 2, 3, 6, 7, and 8, Section 30, Paragraph one, and Section 31 of the Personal Data Protection Law shall be applicable.

3. The Director of the Data State Inspectorate appointed until the day this Law comes into force shall perform functions of the Director of the Inspectorate until the moment when a new Director of the Inspectorate is appointed in accordance with the procedures laid down in Section 6 of this Law, but not longer than until 31 December 2019.

4. Persons, whose data are included in the register of data protection officers of the Data State Inspectorate prior to the day this Law comes into force and who are not excluded from this register, shall be included in the list of data protection officers, if they submit a respective written request to the Director of the Inspectorate within six months from the day this Law comes into force.

5. By 30 June 2021 the Cabinet shall assess effectiveness of the regulation regarding qualification examination of data protection officers contained in this Law, and submit an assessment regarding a possibility to renounce this examination to the Saeima.

This Law shall come into force on the day following its proclamation.

The Law has been adopted by the Saeima on 21 June 2018.

President R. Vējonis

Riga, 4 July 2018

 


1 The Parliament of the Republic of Latvia

Translation © 2018 Valsts valodas centrs (State Language Centre)

 
Document information
Status:
In force
in force
Issuer: Saeima Type: law Adoption: 21.06.2018.Entry into force: 05.07.2018.Theme:  Documents, recordkeeping, data protectionPublication: "Latvijas Vēstnesis", 132 (6218), 04.07.2018. OP number: 2018/132.1
Language:
Related documents
  • Changes legal status of
  • Annotation / draft legal act
  • Explanations
  • Other related documents
300099
05.07.2018
84
0
Saite uz tiesību aktuAtsauce uz tiesību aktu
 
0
Vēstnesim 100 About Likumi.lv
News archive
Useful links
Contacts
For feedback
Terms of service
Privacy policy
Cookies
RSS logo
Latvijas Vēstnesis "Everyone has the right to know about his or her rights."
Article 90 of the Constitution of the Republic of Latvia
© Official publisher "Latvijas Vēstnesis"
ISO 9001:2008 (quality management system)
ISO 27001:2013 (information security) Kvalitātes balva