Text consolidated by Valsts valodas centrs (State
Language Centre) with amending laws of:
23 May 2019 [shall come
into force on 31 May 2019];
6 May 2021 [shall come into force on 4 June 2021].
If a whole or part of a section has been amended, the
date of the amending law appears in square brackets at
the end of the section. If a whole section, paragraph or
clause has been deleted, the date of the deletion appears
in square brackets beside the deleted section, paragraph
or clause.
|
The Saeima 1 has adopted and
the President has proclaimed the following law:
Personal Data Processing Law
Chapter I
General Provisions
Section 1. Terms Used in this
Law
The terms specified in Article 4 of the Regulation (EU)
2016/679 of the European Parliament and of the Council of 27
April 2016 on the protection of natural persons with regard to
the processing of personal data and on the free movement of such
data, and repealing Directive 95/46/EC (General Data Protection
Regulation) (hereinafter - the Data Regulation) are used in the
Law.
Section 2. Purpose of this Law
The purpose of this Law is to create legal preconditions for
setting up of a system for the protection of personal data
(hereinafter - the data) of a natural person at a national level
by providing for the institutions necessary for such purpose,
determining the competence and basic principles of operation
thereof, as well as regulating operation of data protection
officers and provisions of data processing and free movement.
Chapter II
Tasks and Status of the Data State Inspectorate
Section 3. Data State
Inspectorate
(1) The Data State Inspectorate (hereinafter - the
Inspectorate) is an institution of direct administration under
the supervision of the Cabinet which is a data supervisory
authority within the meaning of the Data Regulation and carries
out the tasks in the area of data processing specified in the
Data Regulation and this Law.
(2) The aim of the operation of the Inspectorate is to protect
fundamental human rights and freedoms in the area of data
protection.
(3) The Inspectorate shall be independent in the operation
thereof.
(4) Staff working in the Inspectorate shall take decisions
independently, on the basis of its convictions and laws, taking
into account that persons are equal before law and court,
presumption of innocence, verity and legality.
(5) The Cabinet shall implement institutional supervision
through the Minister for Justice. Supervision shall not refer to
the implementation of tasks and rights specified for the
Inspectorate, as well as internal organisational issues of the
Inspectorate, including issue of internal regulations,
preparation of a statement, and decisions which refer to the
staff working in the Inspectorate (for example, decisions to
appoint and remove the staff from the office, transfer the staff
and coordinate the transfer thereof, send the staff on official
travel, initiate, examine disciplinary matters, and apply
disciplinary sanctions).
(6) The Inspectorate shall be financed from the State
budget.
(7) The Inspectorate shall have the State budget account in
the Treasury, a seal with an image of the supplemented lesser
State coat of arms and the full name of the Inspectorate.
Section 4. Tasks of the
Inspectorate
(1) The Inspectorate shall carry out the tasks specified in
Article 57 of the Data Regulation, as well as the following
tasks:
1) supervise the conformity of processing of personal data to
the requirements of laws and regulations in cases where the
controller has been prohibited by law to provide information to a
data subject and a relevant submission has been received from the
data subject;
2) promote efficiency of data protection;
3) ensure data protection certification procedure;
4) ensure qualification check of data protection officers and
maintain a list of the data protection officers who have passed
the qualification examination;
5) provide recommendations to the Saeima, the Cabinet,
local governments and other institutions according to its
competence with regard to the issue or amending of laws and
regulations, as well as participate in the development of draft
laws and regulations and development planning documents, and
provide an opinion on draft laws and regulations and development
planning documents prepared by other institutions;
6) provide opinions on the conformity of data processing
systems to be created in the State administration institutions to
the requirements of laws and regulations;
7) provide an opinion to the national accreditation body on
the conformity of the certification body to the requirements of
Article 43(2) of the Data Regulation and in accordance with the
requirements and criteria of the Inspectorate laid down in
accordance with Article 43(3) of the Data Regulation;
8) cooperate with foreign supervisory authorities engaged in
data protection, openness of and access to information, and
prohibition to send a commercial communication;
9) ensure that an information request of a data subject
regarding himself or herself is forwarded to the European
Judicial Cooperation Unit (Eurojust) and European Police Office
(Europol);
10) represent the Republic of Latvia in international
organisations and events in the area of data protection;
11) carry out studies, analyse situation, provide
recommendations and opinions, as well as inform the public of
current issues in the areas of its competence;
12) perform tasks laid down in other laws and regulations.
(2) The Inspectorate shall publish information on its website
regarding violations of the requirements of the Data Regulation
which have been committed by legal persons governed by public
law, institutions and officials thereof, as well as other public
institutions, and elimination thereof.
Section 5. Rights of the
Inspectorate
(1) The Inspectorate has the rights specified in Article 58 of
the Data Regulation, as well as the following rights:
1) to conduct inspection of data processing (hereinafter - the
inspection) in order to determine conformity of the data
processing to the requirements of laws and regulations;
2) conduct administrative offence proceedings;
3) to request and receive, according to its competence, to the
specified extent and in the form free of charge from private
persons, State administration institutions and officials the
information, documents or copies thereof and other materials
necessary for the inspection, including information of limited
accessibility;
4) to visit State administration institutions and production
facilities, warehouses, commercial and other non-residential
premises owned, possessed or used by legal and natural persons in
the territory of Latvia in order to verify conformity of the
operation of the controller to the requirements of laws and
regulations within the scope of its competence;
5) to become acquainted freely, according to its competence,
with all types of information available in registers, information
systems and databases and access it (irrespective of owner of the
information) in order to obtain the information necessary for the
inspection;
6) to request and receive, according to its competence, the
information, documents and other materials regarding services
provided to persons which are necessary for the inspection;
7) to request and receive an opinion of an independent and
objective expert within the scope of the inspection;
8) to provide answers in the English language when examining
complaints of non-residents in cooperation with other supervisory
authorities;
9) to bring an action before court for violations of this Law
or the Data Regulation.
(2) Authority of officials of the Inspectorate shall be
certified by a service identification document.
[6 May 2021]
Chapter III
Organisation of Operation of the Inspectorate
Section 6. Director of the
Inspectorate
(1) The Inspectorate shall be managed and represented by its
Director. The Cabinet shall appoint the Director of the
Inspectorate for a period of five years upon recommendation of a
commission established by the Cabinet. The same person may be the
Director of the Inspectorate for not more than two consecutive
terms.
(2) The Director of the Inspectorate shall:
1) perform the functions of the head of an institution of
direct administration laid down in the State Administration
Structure Law;
2) establish advisory councils, as well as working groups for
the examination of issues in the areas of competence of the
Inspectorate;
3) participate in the meeting of the State Secretaries,
meetings of the committees of the Cabinet, and Cabinet meetings
in an advisory capacity;
4) appoint and remove from the office officials and employees
of the Inspectorate;
5) approve by-laws of the Inspectorate;
6) determine offices of officials and employees in the
Inspectorate.
(3) The Cabinet shall announce an open competition for the
office of the Director of the Inspectorate, lay down conditions
and procedures by which candidates may apply for the office of
the Director of the Inspectorate, as well as the procedures for
selecting and evaluating candidates.
(4) Selection of the candidates for the office of the Director
of the Inspectorate shall be performed by a commission which is
chaired by the Director of the State Chancellery. The commission
shall be composed of the Director of the State Chancellery, the
Minister for Justice, the ombudsman and the Chief of the Security
Police. Authorised representatives of not more than three
associations and foundations which operate in the area of human
rights or data protection shall participate in the selection of
the candidates for the office of the Director of the Inspectorate
in advisory capacity.
(5) Functions of the secretariat of the commission shall be
ensured by the State Chancellery.
(6) Provisions laid down in other laws and regulations
regarding performance, assessment of results thereof, suspension
and disciplinary liability of the head of an institution, as well
as other legal norms restricting independence of the Director of
the Inspectorate shall not apply to the Director of the
Inspectorate.
Section 7. Requirements for the
Director of the Inspectorate
The Director of the Inspectorate may be a person who conforms
to the mandatory requirements for an official specified in the
State Civil Service Law and:
1) has an impeccable reputation;
2) is competent in at least two foreign languages;
3) has obtained a professional qualification appropriate for
the performance of tasks of the Inspectorate and practical work
experience in the area of data protection and position of a
head;
4) is entitled to receive a special permit for access to the
official secret;
5) has not obtained the status of a debtor in accordance with
the Maintenance Guarantee Fund Law;
6) for whom insolvency proceedings of a natural person have
not been declared, or five years have passed since the day of the
termination thereof.
Section 8. Termination of the Powers
of the Director of the Inspectorate
Powers of the Director of the Inspector shall terminate
without a special decision:
1) within a month from the day he or she has submitted a
notice of resignation from the office to the Cabinet;
2) upon expiry of the term of office specified in the Law;
3) upon entering into effect of a ruling by which he or she
has been punished for an intentional criminal offence;
4) as a result of his or her death.
Section 9. Removal of the Director
of the Inspectorate from Office
(1) The Cabinet shall remove the Director of the Inspectorate
from office prior to the expiry of the term of his or her office
if he or she:
1) has been elected or appointed to the office which is
incompatible with the office of the Director of the
Inspectorate;
2) has committed an intentional breach of law or negligence
during the performance of his or her duties, and thus caused
significant damage to the State or a person;
3) has failed to comply with the restrictions and prohibitions
specified in the law On Prevention of Conflict of Interest in
Activities of Public Officials, and thus caused damage to the
State or a person;
4) fails to comply with the requirements laid down for the
office of the Director of the Inspectorate;
5) fails to perform his or her office duties due to his or her
state of health;
6) fails to perform his or her duties without a justified
reason.
(2) The commission referred to in Section 6, Paragraph four of
this Law shall examine an issue regarding removal of the Director
of the Inspectorate from office on the basis of a proposal by the
Minister for Justice. If the commission establishes presence of
any of the grounds for removal of the Director of the
Inspectorate from office specified in Paragraph one of this
Section, it shall draw up a relevant decision and send it to the
Cabinet. The procedures for establishing the commission, as well
as for the operation and decision-taking thereof shall be laid
down by the Cabinet.
Section 10. Suspension of the Powers
of the Director of the Inspectorate
(1) If a security measure related to deprivation of liberty
has been applied to or criminal prosecution has been commenced
against the Director of the Inspectorate, the Minister for
Justice shall suspend his or her powers until the moment a
judgement of acquittal enters into effect in the relevant
criminal case or criminal proceedings are terminated against him
or her on the basis of exoneration.
(2) During the period of suspension of the powers of the
Director of the Inspectorate he or she shall be paid the minimum
monthly wage specified in the State.
(3) If the Director of the Inspectorate is found guilty of a
criminal offence under the procedures laid down in the law, he or
she shall be considered removed from office starting from the day
of the suspension of powers, and he or she shall not receive work
remuneration for the period of suspension of the powers. If the
Director of the Inspectorate is acquitted or criminal proceedings
are terminated against him or her, he or she shall receive work
remuneration for the period of suspension of the powers, unless
this Law stipulates other grounds for his or her removal from
office.
(4) If criminal proceedings are terminated against the
Director of the Inspectorate for reasons other than exoneration,
the issue regarding his or her removal from office shall be
examined by the commission referred to in Section 6, Paragraph
four of this Law.
Section 11. Deputy Director of the
Inspectorate
(1) The Deputy Director of the Inspectorate shall be appointed
by the Director of the Inspectorate.
(2) During the absence of the Director of the Inspectorate his
or her duties shall be performed by the Deputy Director of the
Inspectorate who has the same powers as the Director of the
Inspectorate in this period.
(3) In the cases provided for in Sections 8, 9, and 10 of this
Law the Deputy Director of the Inspectorate shall perform duties
of the Director of the Inspectorate until the moment the Cabinet
approves a new Director of the Inspectorate in office or the
Minister for Justice restores powers of the Director of the
Inspectorate. Until this moment the Deputy Director of the
Inspectorate shall have the same powers as the Director of the
Inspectorate.
Section 12. By-laws of the
Inspectorate
By-laws of the Inspectorate shall stipulate the structure,
internal operating rules, internal control system and monitoring
thereof, pre-control and post-control procedures of decisions of
the Inspectorate, as well as the content and form of service
identification document of an official of the Inspectorate. They
shall be approved by the Director of the Inspectorate and
published on the website of the Inspectorate.
Section 13. Reports on the
Operation
The Inspectorate shall, on an annual basis by 1 March, submit
a report on the operation to the Saeima, the Cabinet, the
Supreme Court, the European Commission, and European Data
Protection Board, as well as make it available on its
website.
Section 14. Prohibition of
Disclosure of Information and Obligation of Informing
(1) It shall be prohibited for the staff working in the
Inspectorate, as well as for the experts invited by the
Inspectorate to disclose information (except for the publicly
available information) which they have obtained with regard to
the performance of tasks in the Inspectorate. This prohibition
shall also be valid after termination of service or employment
relationships.
(2) When communicating the information related to the
performance of the task to an expert the Inspectorate shall
notify the expert of the prohibition to disclose it and the
liability provided for in laws and regulations for illegal
disclosure of information.
(3) The Inspectorate shall inform the controller or processor
of the involvement of an expert and the information communicated
to the expert.
Chapter IV
Procedures for Conducting Inspections
Section 15. Inspection
(1) Inspection shall include all types of activities which the
Inspectorate carries out in order to ascertain conformity of the
data processing to the Data Regulation and requirements of other
laws and regulations, including visiting of the place of data
processing, obtaining of information by using all legal methods,
and other necessary activities.
(2) Within the scope of the inspection prior to visiting of
the place of data processing, the Inspectorate shall inform the
controller of the purpose, time and place of the planned visit
and ask to ensure presence of an authorised representative of the
controller. Failure to ensure presence of an authorised
representative of the controller shall not constitute an obstacle
to conducting of the inspection.
(3) Within the scope of the inspection officials of the
Inspectorate have the right to visit the place of data processing
in the presence of an authorised representative or employee of
the controller by presenting a service identification document
and informing of the subject and purpose of the inspection.
(4) When engaging in procedural actions referred to in
Paragraph one of this Section an official of the Inspectorate
shall inform authorised representatives and employees of the
controller or processor of their rights.
(5) In order to determine a status of information of limited
accessibility for the information or any part thereof to be
provided to the Inspectorate, an information provider shall
precisely indicate the relevant documents and the grounds for the
need to determine the relevant status.
(6) If an information provider has failed to comply with the
requirements referred to in Paragraph five of this Section, or a
proposal to determine the status of information of limited
accessibility for the specific information is unfounded, the
Inspectorate shall communicate this to the information
provider.
(7) If the deficiencies referred to in Paragraph six of this
Section are not eliminated within seven days from the day of the
receipt of the communication from the Inspectorate, the provided
information may only be protected as information for internal use
by an institution in accordance with the procedures laid down in
the Freedom of Information Law. The Inspectorate shall
communicate this to the information provider.
(8) The Inspectorate may request that a person, who provides
information for which it is necessary to determine the status of
information of limited accessibility, appends to the said
information a copy of generally accessible information which does
not include information of limited accessibility.
Section 16. Minutes of a Procedural
Action
(1) Officials of the Inspectorate shall record the procedural
actions referred to in Section 15 of this Law in minutes of a
procedural action.
(2) The minutes of a procedural action shall indicate:
1) the place and date of the action;
2) legal basis of the action;
3) the time when the action was commenced and completed;
4) the position, given name, and surname of the performers of
the action;
5) the position, given name, and surname of the taker of the
minutes;
6) the position, given name, and surname of the persons -
parties to the action;
7) the course of the action and established facts;
8) the documents obtained in the course of the action.
(3) The documents obtained in the course of a procedural
action shall be appended to the minutes.
(4) The performer of a procedural action shall familiarise the
persons who participate in the relevant action with the content
of the minutes of such procedural action and annexes thereto. Any
corrections and supplements suggested by the persons shall be
recorded in the minutes of the procedural action.
(5) The performer of a procedural action, the taker of
minutes, and all the persons who participated in the relevant
action shall sign the minutes of the procedural action as a whole
and each page thereof separately. Only the minutes of the
procedural action as a whole shall be signed electronically. If a
person refuses to sign, this shall be recorded in the minutes by
indicating the reason for such refusal.
(6) The performer of a procedural action shall issue a copy of
the minutes to a person against whom the inspection has been
commenced.
Chapter V
Data Protection Officer
Section 17. Requirements for the
Data Protection Officer
Duties of the data protection officer may be performed by a
person who complies with the criteria specified in Article 37(5)
of the Data Regulation. The controller or processor may appoint a
person who, in accordance with the procedures laid down in this
Law, has been included in the list of data protection officers of
the Inspectorate, or another person as the data protection
officer.
Section 18. List of Data Protection
Officers
(1) For the purpose of identifying data protection officers
who have passed the qualification examination and ensuring that
information regarding data protection officers is accessible, the
Inspectorate shall compile a list of data protection officers.
The list of data protection officers shall only include the
persons who have passed the qualification examination.
(2) The list of data protection officers shall include the
following data on the person:
1) the given name, surname, and personal identity number;
2) the date when the person was included in the list of data
protection officers;
3) electronic mail address.
(3) A data protection officer shall immediately notify the
Inspectorate in writing of any established errors and amendments
to the data included in the list of data protection officers with
regard to him or her.
(4) The list of data protection officers (except for personal
identity number) is publicly available on the website of the
Inspectorate.
(5) The Cabinet shall lay down the procedures for maintaining
the list of data protection officers.
Section 19. Qualification
Examination of Data Protection Officer
(1) Qualification examination of data protection officer shall
be organised by the Inspectorate.
(2) If a person passes the qualification examination of data
protection officer, the Director of the Inspectorate shall take a
decision to include him or her in the list of data protection
officers.
(3) The Cabinet shall determine the procedures for applying of
applicants, the content and course of the qualification
examination, the procedures for evaluation thereof, the fee for
taking of the qualification examination, and the procedures for
collecting it, as well as the requirements for maintenance of
professional qualification.
Section 20. Exclusion from the List
of Data Protection Officers
(1) A data protection officer shall be excluded from the list
of data protection officers under a decision by the Director of
the Inspectorate in the following cases:
1) he or she has submitted a respective written request to the
Inspectorate;
2) the court has established trusteeship over him or her;
3) he or she has been deprived of the right to work as a data
protection officer by a court judgement or other restrictions
have been determined that prevent the performance of professional
duties;
4) he or she is dead or declared missing;
5) he or she has failed to comply with the requirements for
the maintenance of professional qualification specified in the
Cabinet regulations.
(2) A person who has been excluded from the list of data
protection officers in accordance with Paragraph one, Clause 1, 2
or 3 of this Section may request to renew him or her in the list,
and the Inspectorate re-includes him or her in the list of data
inspection officers if the reasons for which the person was
excluded from the list have been eliminated. Such person shall
take the qualification examination of data protection officer if
at least two years have passed since the day he or she was
excluded from the list of data protection officers.
Chapter VI
Certification Bodies and Supervisory Authorities of Code of
Conduct
Section 21. Accreditation of a
Certification Body
(1) Pursuant to Article 43(1)(b) of the Data Regulation, a
certification body shall be assessed, accredited and supervised
by the national accreditation body in accordance with the laws
and regulations regarding conformity assessment and in compliance
with the requirements and criteria of the Inspectorate specified
in Article 43(3) of the Data Regulation.
(2) A certification body shall be accredited if an opinion has
been received from the Inspectorate on the conformity of the
certification body to the requirements of Article 43(2) of the
Data Regulation and in accordance with the requirements and
criteria of the Inspectorate laid down in accordance with Article
43(3) of the Data Regulation.
(3) The national accreditation body shall, within five working
days after accreditation of a certification body, suspension or
withdrawal of accreditation thereof, send the information
regarding certification body referred to in Paragraph four of
this Section to the Inspectorate.
(4) The Inspectorate shall publish and update the following
information regarding certification body on its website:
1) the name;
2) the registration number;
3) the contact information (legal address, telephone,
electronic mail address);
4) the date and term of the granting of accreditation;
5) the date and term of the suspension of accreditation;
6) the date of the withdrawal of accreditation.
(5) In the case of changes in the information referred to in
Paragraph four, Clause 1, 2 or 3 of this Section the national
accreditation body shall, within five working days, inform the
Inspectorate of changes in the information regarding a
certification body. The Inspectorate shall, within five working
days after receipt of the information, update the relevant
information on its website.
(6) The criteria and requirements for accreditation of
certification bodies referred to in Article 43(3) of the Data
Regulation and the criteria for the issue of a certificate
referred to in Article 42(5) of the Data Regulation shall be
approved by the Director of the Inspectorate and published on the
website of the Inspectorate not later than within three working
days after the day of approval thereof.
(7) The Inspectorate has the right to conduct a certification
procedure and issue a data certificate if no body is
accredited.
Section 22. Accreditation of
Supervisory Authority of Code of Conduct
(1) The Inspectorate shall, in accordance with Article 41(1)
of the Data Regulation, issue a licence for five years to a
supervisory authority of code of conduct which has an appropriate
level of expertise in relation to the subject-matter of the code
of conduct and supervises implementation of the code.
(2) The Cabinet shall specify requirements for the receipt of
a licence for a supervisory authority of code of conduct, as well
as the procedures for issuing, suspending and withdrawing of the
licence and the relevant cases.
(3) A supervisory authority of code of conduct shall pay a
State fee for the issue of the licence. The amount of the State
fee and the procedures for paying thereof shall be determined by
the Cabinet.
(4) The Inspectorate shall publish and update the following
information regarding supervisory authority of code of conduct on
its website:
1) the name;
2) registration number;
3) the contact information (legal address, telephone,
electronic mail address);
4) the date of the granting of the licence;
5) the date of the suspension or withdrawal of the
licence.
(5) In the case of changes in the information referred to in
Paragraph four, Clause 1, 2 or 3 of this Section a supervisory
authority of code of conduct shall, within five working days
after the changes enter into effect, submit a submission
regarding changes to the Inspectorate. The Inspectorate shall,
within five working days after receipt of the submission, update
the relevant information on its website.
Chapter VII
Procedures for Taking, Contesting and Appealing Decisions
Section 23. Taking of Decisions
When taking the decisions referred to in Article 58 of the
Data Regulation, the Inspectorate shall apply the Administrative
Procedure Law with regard to the imposition of a legal
obligation, and the laws and regulations governing administrative
offence proceedings with regard to administrative penalties,
insofar as this Law and the Data Regulation do not prescribe
otherwise.
[6 May 2021]
Section 23.1 Term for
Taking Decisions in Administrative Proceedings
(1) The Inspectorate shall take the decision within six months
from the day of initiation of the case.
(2) If it is not possible to comply with the term of six
months due to objective reasons, the Inspectorate may extend it
for a period of up to one year, counting the term from the day of
initiation of the case.
(3) If lengthy establishment of facts is necessary, and also
it is necessary to apply the consistency mechanism in accordance
with the provisions of Article 60 or 63 of the Data Regulation,
the Inspectorate may, by a reasoned decision, extend the term for
taking the decision in administrative proceedings for a period
not exceeding two years from the day of initiation of the
case.
[6 May 2021]
Section 24. Contesting and Appealing
Decisions of the Inspectorate
(1) An administrative act issued by or actual action of an
official of the Inspectorate may be contested in accordance with
the procedures laid down in the Administrative Procedure Law by
submitting a respective submission to the Director of the
Inspectorate.
(2) An administrative act issued by or actual action of the
Director of the Inspectorate may be appealed in accordance with
the procedures laid down in the Administrative Procedure Law.
Appeal of an administrative act of the Director of the
Inspectorate shall not suspend operation of such act.
Chapter VIII
Data Processing and Rights of a Data Subject
Section 25. General Provisions for
Data Processing
(1) Data processing shall be permitted if at least one of the
grounds specified in Article 6(1) of the Data Regulation is
present. Requirements referred to in Article 6(2) and (3) of the
Data Regulation for the data processing necessary for the
performance of a legal obligation applicable to the controller, a
task which the controller carries out in the public interest, or
for the exercise of official powers vested in the controller,
have been specified in the laws and regulations governing the
relevant area.
(2) It shall be allowed to process data revealing racial or
ethnic origin, political opinions, religious or philosophical
beliefs, or trade union membership, and genetic data, biometric
data of a natural person for the purpose of uniquely identifying
a natural person, data concerning health or data concerning a
natural person's sex life or sexual orientation, if at least one
of the grounds referred to in Article 9(2) of the Data Regulation
is present or data processing is provided for in external laws
and regulations in accordance with Article 9(4) of the Data
Regulation.
(3) Data processing shall be conducted in compliance with the
principles relating to data processing specified in Article 5 of
the Data Regulation, including those which stipulate that data
are to be collected for specified, explicit and legitimate
purposes and only to the extent necessary for the achievement of
the purposes of data processing. It shall be allowed to process
data for purposes other than those for which data were collected
initially, if such data processing is not prohibited and any of
the grounds for the data processing specified in the Data
Regulation is present or data processing according to the Data
Regulation is compatible with the initial purposes.
(4) Other requirements of the Data Regulation, this Law and
laws and regulations governing the relevant area shall also be
complied with in the data processing.
Section 26. Restrictions of the
Rights of a Data Subject
(1) Rights of a data subject may also be restricted in cases
provided for in other laws and regulations which are not referred
to in Sections 27, 28, 29, 30, 31, 32, 34, and 36 of this Law in
accordance with Article 23 of the Data Regulation.
(2) In accordance with the procedures laid down in the Civil
Procedure Law, a claim for prevention of a delict shall, if the
delict has been inflicted as a result of breach of the
requirements of the Data Regulation, be brought not later than
five years after the day of infliction of the delict but if the
delict is sustained - from the day of cessation of the
delict.
Section 27. Restriction of the Right
of Access by a Data Subject
(1) A data subject does not have the right to receive the
information specified in Article 15 of the Data Regulation if it
is prohibited to disclose such information in accordance with the
laws and regulations regarding national security, national
protection, public safety and criminal law, as well as for the
purpose of ensuring public financial interests in the areas of
tax protection, prevention of money laundering and terrorism
financing or of ensuring of supervision of financial market
participants and functioning of guarantee systems thereof,
application of regulation and macroeconomic analysis.
(2) In accordance with Article 15 of the Data Regulation, the
information to be provided to a data subject may not include a
reference to public institutions which are persons directing
criminal proceedings or bodies performing operational activities,
and other institutions regarding which disclosure of such
information is prohibited by law.
(3) A data subject may receive information regarding
recipients or categories of recipients of its data to which data
have been disclosed over the last two years.
Section 28. Data Processing in the
Official Publication
(1) Articles 16, 17, 18, 19, 20, and 21 of the Data Regulation
shall not be applied, if the data processing is conducted in
accordance with the laws and regulations for the ensuring of an
official publication.
(2) A publisher of an official publication shall erase the
data published in the official publication on the basis of the
following:
1) the decision of the Inspectorate;
2) the reasoned decision of the controller who confirms that
publishing of such data in the official publication fails to
comply with provisions of the Data Regulation.
(3) The Inspectorate may take a decision to erase the data
published in the official publication, if violation of the right
of a data subject to private life is greater than the benefit of
the public from invariability of the official publication.
Section 29. Data Processing for
Statistical Purposes
If data are processed for statistical purposes, the rights of
a data subject specified in Articles 15, 16, 18, and 21 of the
Data Regulation shall not be applied, insofar as they may render
impossible or seriously impair achievement of the specific
purposes, and derogations are necessary for the achievement of
such purposes.
Section 30. Data Processing for
Archiving Purposes in the Public Interest
(1) If data are processed for archiving purposes in the public
interest in order to create, collect, evaluate, preserve and use
national documentary heritage, a data subject shall exercise the
rights specified in Articles 15 and 16 of the Data Regulation in
accordance with the laws and regulations governing the area of
archives.
(2) If data are processed for archiving purposes in the public
interest in order to create, collect, evaluate, preserve and use
national documentary heritage, the rights of a data subject
specified in Articles 18, 19, 20, and 21 of the Data Regulation
shall not be applied, insofar as they may render impossible or
seriously impair achievement of the specific purposes, and
derogations are necessary for the achievement of such
purposes.
Section 31. Data Processing for
Scientific or Historical Research Purposes
If data are processed for scientific or historical research
purposes in the public interest, the rights of a data subject
specified in Articles 15, 16, 18, and 21 of the Data Regulation
shall not be applied, insofar as they may render impossible or
seriously impair achievement of the specific purposes, and
derogations are necessary for the achievement of such
purposes.
Section 32. Data Processing Related
to Freedom of Expression and Information
(1) A person has the right to process data for the purposes of
academic, artistic or literary expression in accordance with laws
and regulations, as well as to process data for journalistic
purposes, if this is done with the aim of publishing information
for reasons of public interest.
(2) When processing data for journalistic purposes, provisions
of the Data Regulation (except for Article 5) shall not be
applied if all of the following conditions are present:
1) data processing is conducted to exercise rights to freedom
of expression and information by respecting the right of a person
to private life, and it does not affect interests of a data
subject which require protection and override the public
interest;
2) data processing is conducted for the purpose of publishing
information for reasons of public interest;
3) compliance with the provisions of the Data Regulation is
incompatible with or prevents the exercise of the rights to
freedom of expression and information.
(3) When processing data for the purposes of academic,
artistic or literary expression, provisions of the Data
Regulation (except for Article 5) shall not be applied if all of
the following conditions are present:
1) data processing is conducted by respecting the right of a
person to private life, and it does not affect interests of a
data subject which require protection and override the public
interest;
2) compliance with the provisions of the Data Regulation is
incompatible with or prevents the exercise of the rights to
freedom of expression and information.
Section 33. Conditions for a Child's
Consent in Relation to Information Society Services
If, in accordance with Article 8 of the Data Regulation, the
consent of a data subject is necessary for the direct provision
of information society services but the data subject is a child,
his or her consent shall be considered basis for the data
processing and processing of his or her data shall be lawful,
provided that the child is not below 13 years of age or, in the
case of a child who has not yet reached 13 years of age, the
consent is given by his or her parent or legal guardian.
Section 34. Data Processing in the
Area of Criminal Law
Data processing for the purposes other than those initially
intended shall be permissible in the area of criminal law:
1) in accordance with the laws and regulations which introduce
the application of the Directive (EU) 2016/680 of the European
Parliament and of the Council of 27 April 2016 on the protection
of natural persons with regard to the processing of personal data
by competent authorities for the purposes of the prevention,
investigation, detection or prosecution of criminal offences or
the execution of criminal penalties, and on the free movement of
such data, and repealing Council Framework Decision
2008/977/JHA;
2) to use the data in administrative or civil proceedings, as
well as in the activity of public officials authorised by law if
it is related to the prevention, detection, investigation or
prosecution of criminal offences, enforcement of criminal
penalties, proceedings regarding criminally acquired property,
compulsory measures of medical or correctional nature or coercive
measures for legal persons or the course and enforcement of
examination de novo of valid rulings;
3) to prevent immediate significant threat to public
security;
4) if a data subject has given his or her consent to data
processing.
Section 35. Rights of a Data Subject
in Relation to Data Processing in the Eurojust and Europol
(1) A data subject has the right to submit a request to the
Inspectorate for processing of his or her data or for inspection
of processing of his or her data in the Eurojust or Europol.
(2) The Inspectorate shall, upon receipt of the request
referred to in Paragraph one of this Section, immediately, but
not later than within a month from the day of the receipt
thereof, forward the request to the Eurojust or Europol
respectively for examination, and inform a data subject about
it.
Section 36. Video Surveillance
Conditions
(1) Requirements of this Law and the Data Regulation shall not
apply to data processing which natural persons conduct by using
automated data recording facilities in road traffic, for personal
or household purposes. It shall be prohibited to disclose the
records obtained in road traffic to other persons and
institutions, except for the cases when any of the grounds for
data processing specified in the Data Regulation is present.
(2) Requirements of this Law and the Data Regulation shall not
apply to data processing which natural persons conduct by using
automated video surveillance facilities for personal or household
purposes. Surveillance of public space on a large scale or cases
when technical aids are used for structuring of information shall
not be considered as data processing for personal or household
purposes.
(3) If the controller uses an informative note to inform data
subjects of video surveillance, the said note shall indicate at
least the name, contact information of the controller, purpose
for data processing, as well as include an indication of the
possibility to obtain other information specified in Article 13
of the Data Regulation.
Section 37. Audit Trails
(1) Within the meaning of this Section, audit trails shall be
registered data available for analysis regarding specific events
in the information system (for example, data regarding access to
the information system, input, amendment, erasure and sending of
data).
(2) If an obligation is imposed on the controller to ensure
storage of audit trails of the system, they shall be stored for
not longer than one year after making of an entry, unless laws
and regulations or nature of processing stipulates otherwise.
(3) The controller has the right not to submit the information
referred to in Article 15 of the Data Regulation to the data
subject if the controller no longer has audit trails at his or
her disposal in which the information requested by the data
subject is available.
(4) The controller does not have an obligation to save
information in audit trails for the sole purpose of meeting
request of the data subject.
Chapter IX
Administrative Offences in the Field of Data Protection and
Competence in Administrative Offence Proceedings
[6 May 2021]
Section 38. Illegal Activities with
Personal Data and Failure to Fulfil the Obligations of the
Controller or Processor
(1) For any illegal activities of a legal person governed by
public law with personal data, a warning or a fine of up to two
hundred units of fine shall be imposed on an official.
(2) For the failure to fulfil the obligations of the
controller or processor in the authority of a legal person
governed by public law, a warning or a fine of up to two hundred
units of fine shall be imposed on an official.
[6 May 2021]
Section 39. Competence in
Administrative Offence Proceedings
Administrative offence proceedings for the offences referred
to in Section 38 of this Law shall be conducted by the
Inspectorate.
[6 May 2021]
Transitional Provisions
1. With the coming into force of this Law the Personal Data
Protection Law (Latvijas Republikas Saeimas un Ministru
Kabineta Ziņotājs, 2000, No. 9; 2002, No. 23; 2007, Nos. 3,
8; 2008, No. 7; 2009, No. 14; Latvijas Vēstnesis, 2010,
No. 78; 2012, No. 104; 2014, No. 38) is repealed.
2. Until the moment when the law comes into force which
introduces in Latvia the requirements of Directive (EU) 2016/680
of the European Parliament and of the Council of 27 April 2016 on
the protection of natural persons with regard to the processing
of personal data by competent authorities for the purposes of the
prevention, investigation, detection or prosecution of criminal
offences or the execution of criminal penalties, and on the free
movement of such data, and repealing Council Framework Decision
2008/977/JHA, but not later than by 1 October 2019 with regard to
the processing of personal data by competent authorities for the
purposes of the prevention, investigation, detection or
prosecution of criminal offences or the execution of criminal
penalties, Section 2, Section 3, Paragraphs one and four,
Sections 4, 6, 7, 8, and 9, Section 10, Paragraphs one, two,
three, and four, Section 11, Clauses 3, 6, 10, and 11, Sections
12, 13, and 14, Section 15, Paragraphs one and two, Paragraph
three, Clauses 1, 2, 3, 4, and 6, Paragraphs four and five,
Sections 16 and 20, Section 21.1, Paragraphs one,
three, and four, Section 21.2, Paragraph one, Section
25, Paragraph one, Section 27, Section 28, Paragraph one,
Paragraph two, Clauses 3 and 4, Section 29, Paragraph one,
Paragraph three, Clauses 1, 2, and 4, Paragraph four, Clauses 1,
2, 3, 6, 7, and 8, Section 30, Paragraph one, and Section 31 of
the Personal Data Protection Law shall be applicable.
[23 May 2019]
3. The Director of the Data State Inspectorate appointed until
the day this Law comes into force shall perform functions of the
Director of the Inspectorate until the moment when a new Director
of the Inspectorate is appointed in accordance with the
procedures laid down in Section 6 of this Law, but not longer
than until 31 December 2019.
4. Persons, whose data are included in the register of data
protection officers of the Data State Inspectorate prior to the
day this Law comes into force and who are not excluded from this
register, shall be included in the list of data protection
officers, if they submit a respective written request to the
Director of the Inspectorate within six months from the day this
Law comes into force.
5. By 1 June 2024, the Cabinet shall assess effectiveness of
the regulation regarding qualification examination of data
protection officers contained in this Law and submit an
assessment regarding a possibility to renounce this examination
to the Saeima.
[6 May 2021]
This Law shall come into force on the day following its
proclamation.
The Law has been adopted by the Saeima on 21 June
2018.
President R. Vējonis
Rīga, 4 July 2018
1 The Parliament of the Republic of
Latvia
Translation © 2022 Valsts valodas centrs (State
Language Centre)