DLA Piper Intelligence

Data Protection Laws of the World

Latvia

Law

Latvia has implemented the EU Data Protection Directive and the EU Directive on Privacy and Electronic Communications through the Personal Data Protection Law (last amended on 7 March 2014) and the Law on Electronic Communications (last amended on 1 January 2017).

There are also specific rules for electronic documents, biometrics, medical services, debt collection services, e-commerce and telecommunications which provide stronger protection for the personal data subject.

Last modified 26 Jan 2017

Definitions

Definition of personal data

The Personal Data Protection Law defines personal data as any information related to an identified or identifiable natural person.

Definition of sensitive personal data

Sensitive personal data is personal data which indicates:

  • race
  • ethnic origin
  • religious, philosophical or political convictions
  • trade union membership
  • or provides information as to the health or sexual life of a person.

Authority

Data State Inspectorate

Blaumana Street 11/13 11
Riga
LV 1011
Latvia
Phone: +371 67 223 131
Fax: +371 67 223 556

E-mail: info@dvi.gov.lv

Office hours

Mon 8.00-12.00; 12.30-17.00
Tue 8.00-12.00; 12.30-17.30
Wed 8.00-12.00; 12.30-16.30
Thu 8.00-12.00; 12.30-16.30
Fri 8.00-12.00; 12.30-15.00

Registration

There is no obligation to register with the Data State Inspectorate ('DSI') before starting data processing unless the intention is:

  1. to transfer personal data to a state outside the EU and EEA
  2. to process personal data when providing financial or insurance services, carrying out raffles or lotteries, market or public opinion research, personnel selection or personnel assessment as a form of commercial activity, or when providing debt recovery services and credit information processing services as a form of commercial activity
  3. to process sensitive personal data (except where sensitive personal data are processed for accounting purposes, within an employment relationship or by religious organisations)
  4. to process personal data in relation to criminal offences, criminal records and penalties in administrative violation matters
  5. to carry out video surveillance and retain such data
  6. to process genetic (biometric) data of the person.

If a person intends to process data which requires prior registration with the DSI, registration may be omitted if a personal data protection specialist (a natural person with the required qualification) is assigned. In that case the personal data protection specialist must be registered with the DSI, indicating his/her contact information, the place of data processing and the term of his/her assignment.

If registration is required for the intended data processing activities and no data protection specialist will be appointed, the data controller has to register with the DSI using a standard form, which includes information about:

  • the name and contact details of the data controller
  • the name and contact details of data controller's representative (if any)
  • the legal basis for the processing of personal data
  • the list of categories of personal data that are being processed
  • the purpose of the data processing
  • the categories of data subjects
  • the categories of recipients of personal data
  • the intended method of processing of personal data
  • the planned method of obtaining personal data
  • the place of processing of personal data
  • the holder of information resources or technical resources, as well as a person responsible for the security of the information system
  • technical and organisational measures ensuring the personal data protection
  • the type of personal data to be transferred outside the EU/EEA.

Data Protection Officers

There is no legal requirement to appoint a data protection officer (defined as a personal data protection specialist under the Personal Data Protection Law). However, a data controller is exempt from registering data processing activities with the DSI if it has appointed a data protection officer ('DPO').

The appointed DPO has the obligation to organise, control and supervise the compliance of data processing with the legal requirements. The DPO keeps a register of data processing and, upon request of a data subject or the DSI, must disclose information about:

  • the name and contact details of the data controller
  • the name and contact details of data controller's representative (if any)
  • the legal basis for the processing of personal data
  • the list of categories of personal data that are being processed
  • the purpose of the data processing
  • the categories of data subjects
  • the categories of recipients of personal data
  • the intended method of processing of personal data
  • the planned method of obtaining personal data
  • the place of processing of personal data
  • the holder of information resources or technical resources, as well as a person responsible for the security of the information system
  • technical and organisational measures ensuring the personal data protection
  • the type of personal data to be transferred outside the EU/EEA.

Collection & Processing

The Personal Data Protection Law defines data processing as any operation carried out regarding personal data, including data collection, registration, recording, storage, arrangement, transformation, use, transfer, transmission and dissemination, blocking or erasure. According to the Personal Data Protection Law, personal data may be processed only if:

  • the data subject has given his/her consent
  • a contract to which the data subject is party is being concluded or performed
  • the data controller has a legal obligation under the law to process the personal data
  • processing is necessary in order to protect the vital interests of the data subject
  • processing is necessary for the exercise of official authority vested by laws and other legal acts in state and municipal institutions, agencies, enterprises or a third party to whom the personal data are disclosed
  • processing is necessary for the purposes of legitimate interests pursued by the data controller or by a third party to whom the personal data is disclosed, unless such interests are overridden by the interests of the data subject.

Moreover, the data controller has to ensure that:

  • all personal data is processed fairly and lawfully
  • all personal data is collected for specific, explicit and legitimate purposes and is subsequently processed in accordance with those purposes
  • all personal data collected is adequate, relevant and not excessive in view of the purposes for which it is collected
  • all personal data is accurate, complete and, where necessary, kept up to date
  • all personal data is retained for no longer than is necessary for the purposes for which it is processed.

For the processing of sensitive personal data further restrictions apply. Where sensitive personal data is processed, a different, exhaustive list of specific conditions applies. With regard to sensitive data, the legitimate interest in confidentiality will not be infringed in the following circumstances:

  • where the data subject has given explicit consent to the use of the data
  • where the use of the data without obtaining consent is authorised or required by labour or employment law, regulating the protection of such personal data
  • where processing or disclosure is necessary to safeguard the vital interests of the data subject, and the data subject is legally or physically unable to give consent
  • where the data is necessary to achieve the non-commercial goals of non-profit organisations, relates to the scope of their activities and members, and is not disclosed to third persons
  • where the use of the data is required for medical prevention, medical diagnostics, health care or treatment, or for the administration of medical services
  • where the use of the data is necessary for the enforcement, exercise or protection of persons' legal interests at court
  • where the use of the data is required for the provision of social assistance and it is performed by the provider of social assistance services
  • where the use of the data is necessary for the establishment of the national documentary heritage and it is performed by the Latvian national archives and accredited private archives
  • where the processing of the data is necessary for statistical research performed by the Central Statistics Bureau
  • where the data was clearly made public by the data subject
  • where the processing of the data is necessary for performing state administration functions or establishing state information systems as required by law
  • where the data is necessary when a person is claiming indemnity under an insurance contract
  • where a patient's data recorded in medical documents is used in research in conformity with the Law On the Rights of Patients.

Transfer

Personal data may be transferred to another state if that state ensures the same level of data protection as is in effect in Latvia. There are no restrictions on data transfers within the EU and EEA or to a few other countries on a list accepted by the European Commission and the DSI (the so-called 'white list').

Transfer to other jurisdictions is permissible if the data controller supervises the performance of the relevant protection measures in compliance with Latvian law (i.e. a written data transfer agreement is needed), or if at least one of the following conditions is fulfilled:

  • the express consent of the data subject to the transfer has been obtained
  • the transfer of the data is necessary to fulfil an agreement between the data subject and the data controller, the transfer is needed for the data subject's contractual obligations, or the data subject has requested the transfer in order to enter into a contract
  • there is a significant state or public interest, or the transfer is required for judicial proceedings
  • the transfer of the data is necessary to protect the life and health of the data subject
  • the data to be transferred is public or has been accumulated in a publicly accessible register.

The DSI will grant its approval if, in the specific case, adequate protection can be evidenced. This may be achieved by:

  • including in the written agreement the terms and conditions provided in Cabinet of Ministers Regulation No 634 of 16 August 2011 'Terms for mandatory provisions to be included in personal data transfer agreements'
  • the data controller ensuring that it is bound by Corporate Rules
  • including the EU model clauses in the written agreement.

In any case, prior to transferring data outside the EU/EEA the relevant data processing activities need to be registered with the Data State Inspectorate, unless the data controller has previously appointed, and registered with the Data State Inspectorate, a personal data protection specialist.

Security

Under the Personal Data Protection Law, the data controller and processor are obliged to implement appropriate technical and organisational measures, taking into account the technological state of the art and the cost of implementation, to protect personal data against accidental or intentional destruction or loss, unauthorised disclosure or access and all other unlawful forms of processing.

The law does not contain a list of specific measures to be adopted by the data controller or processor. However, in 2014 the DSI published guidelines 'Security of personal data processing' listing various measures (e.g. anti-virus software, password protection, data encryption, regular training of employees) that would increase security and ensure an adequate level of protection.

Breach Notification

Breach notification

The Electronic Communications Law obliges providers of electronic communications services to immediately notify the DSI of a security breach that has occurred. Within 30 days of the notification, the provider of electronic communications services must inform the DSI about:

  • the types of personal data, categories of data subjects and amount of data in respect of which the personal data protection breach has occurred
  • the technical and organisational protection measures and means that were in place at the moment of the breach
  • the measures taken to mitigate the consequences of the breach
  • the consequences of the breach
  • the technical and organisational measures implemented after the breach
  • the investigation of the breach carried out
  • any third persons that have been informed of the breach
  • whether the data subjects in respect of whom the breach of personal data protection has occurred have been informed of it.

Other data controllers that are not providers of publicly available electronic communications services do not have an obligation to notify individuals or the DSI of a data security breach.

Mandatory breach notification

The providers of publicly available electronic communications services have a mandatory obligation to notify the DSI of a personal data security breach. No other data controllers or processors have this obligation.

Enforcement

The violation of data protection rules or breach of the rights of a data subject is a punishable offence under the Latvian Administrative Violations Code. For data processing without registration (where required) the DSI may impose a fine of up to EUR 11,000, with or without confiscation of the objects used to commit the violation.

For not providing information to the DSI or to the data subject, or for providing false information, a fine of up to EUR 7,100 may be imposed.

For illegal actions with personal data (including collecting, organising, classifying, editing, storing, using, transferring, disclosing, blocking or erasing personal data) a fine of up to EUR 11,400, with or without confiscation of the objects used to commit the violation, may be imposed. If the offence is committed with regard to sensitive data or repeatedly, a fine of up to EUR 14,000 may be imposed.

In addition, an individual affected by a breach of the Personal Data Protection Law is also entitled to claim 'due compensation', which may include pecuniary and moral damages.

Criminal sanctions are also established for unlawful actions with personal data where they have caused serious harm, or have been carried out by the controller or processor for the purpose of blackmail, for monetary gain or for revenge. However, with respect to usual data processing activities these are enforced in extremely rare cases.

Electronic Marketing

The Personal Data Protection Law does not specifically address (electronic) marketing. However, the use of personal data for marketing purposes falls within the scope of the law. Provisions on electronic marketing are also included in the Law On Information Society Services, which requires the prior express consent of a person before his/her contact information (e.g. e-mail address, phone number) is used for electronic marketing purposes. This is also stressed in the guidelines provided by the DSI.

According to the Law On Information Society Services, no consent is required if the contact details were obtained in the course of the sale of goods or the provision of services, the marketing concerns the same or similar goods or services, the recipient is able to decline the use of his/her personal data easily and at no cost, and the recipient has not previously declared that he or she does not want to be contacted.

Online Privacy

Specific issues of online privacy are regulated in the Electronic Communications Law and the Law on Information Society Services.

The Law on Information Society Services states that the storage of information received, including by cookies or similar technologies, is permitted provided that the consent of the person has been obtained after he or she has received clear and comprehensive information regarding the purpose of the intended storage and data processing. Therefore, with regard to cookies, Latvian law follows an opt-in approach.

As to location data, the Electronic Communications Law permits the processing of location data only to ensure the provision of electronic communications services or if express prior consent has been obtained. Moreover, the person whose location data is being processed has the right to revoke or suspend his/her consent at any time by notifying the relevant electronic communications merchant of the revocation or requested suspension.

The processing of location data for other purposes without the consent of the user or subscriber is permitted only if it is not possible to identify the person from such location data or if the processing of location data is necessary for the emergency services.

Contacts

Kaupo Lepasepp
Partner
T +372 6 400 900

Mihkel Miidla
Senior Associate, Head of Technology & Data Protection
T +372 6 400 959