Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

Collection and storage of data

Collection and management
In what circumstances can personal data be collected, stored and processed?

The Personal Data Protection Law provides that personal data may be processed only if:

  • the data subject has given consent;
  • a contract to which the data subject is party is being concluded or performed;
  • the data controller has a legal obligation to process personal data;
  • processing is necessary in order to protect vital interests of the data subject;
  • processing is necessary for the exercise of official authority vested by laws and other legal acts in state and municipal institutions, agencies, enterprises or a third party to which personal data is disclosed; or
  • data processing is necessary for the purposes of legitimate interests pursued by the data controller or a third party to which the personal data is disclosed, unless such interests are overridden by interests of the data subject.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

There are no generally applicable timelines for retaining records. Personal data may be processed only for as long as is required for the purposes of the processing.

Do individuals have a right to access personal information about them that is held by an organisation?

Yes, an individual has a right to access all information collected about him or her that is held by an organisation and to obtain information about parties which have accessed that personal data unless the personal data was accessed by law enforcement authorities or for the purposes of a criminal investigation.

Do individuals have a right to request deletion of their data?

Yes, if such personal data is incomplete or inaccurate in accordance with the purpose of the personal data processing. The data subject may also demand the correction of his or her inaccurate personal data.

Consent obligations
Is consent required before processing personal data?

Yes, unless data is processed on another basis permitted by law. 

If consent is not provided, are there other circumstances in which data processing is permitted?

Yes, but only if personal data is processed:

  • to fulfil a contract to which the data subject is party;
  • based on a law requiring the processing of personal data;
  • in order to protect the interests of the data subject;
  • when exercising the official authority vested by laws and other legal acts in state and municipal institutions, agencies, enterprises or a third party to which personal data is disclosed; or
  • to protect the legitimate interests of the data controller or a third party to which personal data is disclosed, unless such interests are overridden by interests of the data subject.

The processing of sensitive personal data (ie, personal data which indicates the race, ethnic origin, religious, philosophical or political convictions or trade union membership of a person, or provides information as to the health or sexual life of a person) is generally prohibited unless special exemptions provided by law apply.

What information must be provided to individuals when personal data is collected?

If data processing is based on consent, the individual must be provided with:

  • the name and address of the data controller; and
  • the intended purpose of the personal data processing.

If requested by the data subject, the data controller must provide the following information:

  • the possible recipients of the personal data;
  • the right of the data subject to gain access to his or her personal data and to correct such data;
  • whether providing an answer is mandatory or voluntary, as well as the possible consequences of failing to provide an answer; and
  • the legal basis for the processing of personal data.

If the data processing is based on law, the same rules apply as where data processing is based on consent, unless the law specifically authorises the processing of personal data without disclosing the purpose.

Data transfer and third parties

Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?

The Personal Data Protection Law governs the transfer of data outside Latvia. If the data controller intends to transfer personal data to a state other than a member state of the European Union or the European Economic Area, before the transfer it must register personal data processing with the Data State Inspectorate (DSI) or assign and register with the DSI a data protection specialist.

Are there restrictions on the geographic transfer of data?

Yes, personal data may be transferred outside the European Union or European Economic Area if that state provides the same level of data protection as in Latvia (the adequate protection requirement). According to the DSI, approved states include Australia, Canada, Israel and the Isle of Man. Since October 6 2015 the safe harbour scheme is no longer considered to provide adequate protection.

The transfer of personal data to other states is permissible if the data controller undertakes to supervise the performance of the relevant protection measures, or at least one of the following conditions is complied with:

  • the data subject’s consent has been obtained;
  • the transfer of the data is necessary in order to fulfil an agreement between the data subject and the data controller, the personal data is required to be transferred in accordance with contractual obligations binding on the data subject or, taking into account a request from the data subject, the transfer of data is necessary in order to enter into a contract;
  • the transfer of data required and requested, pursuant to prescribed procedures, in accordance with significant state or public interests or for judicial proceedings;
  • the transfer of the data is necessary to protect the life and health of the data subject; or
  • the transfer of the data concerns personal data that is public or has been accumulated in a publicly accessible register.

The data controller’s supervision of the relevant protection measures as a pre-condition for the personal data transfer may be carried out by ensuring that:

  • the data controller enters into a contract regarding transfer of the data according to the contractual provisions set by the Cabinet of Ministers;
  • the data controller is bound by binding regulations of a company, containing principles for processing and protection of personal data, which guarantee the rights of data subjects and are approved by a personal data protection supervision institutions of an EU member state; or
  • the data controller enters into the contract in conformity with standard clauses of a contract regarding the transfer of personal data to third countries approved by the European Commission.

Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

The key principle under the Personal Data Protection Law is that data processing be carried out with a legitimate aim, taking into account the purpose of processing, the period of processing and other criteria. The processing of personal data is permitted if:

  • the data subject has given his or her consent;
  • the processing of data results from contractual obligations of the data subject or, taking into account a request from the data subject, the processing of data is necessary in order to enter into the relevant contract;
  • the processing of data is necessary for a data controller to perform its legal duties;
  • the processing of data is necessary to protect important interests of the data subject, including life and health;
  • the processing of data is necessary in order to comply with public interest or to exercise functions of public authority for whose performance the personal data has been transferred to a data controller or transmitted to a third person; or
  • the processing of data is necessary in order to, in compliance with the fundamental human rights and freedoms of the data subject, exercise lawful interests of the data controller or of such third person to which the personal data has been disclosed.

The data controller is solely responsible for the compliance of the data processing with data protection laws, including processing carried out by third parties which receive the personal data from the data controller for processing. The restrictions on the geographic transfer of data also apply to the transfer of personal data to third parties for processing.

Click here to view the full article.