Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

Data security and breach notification

Security obligations
Are there specific security obligations that must be complied with?

Personal data processing must meet certain technical and organisational requirements set by the Cabinet of Ministers Regulations on Mandatory Technical and Organisational Requirements for Personal Data Protection. Under Latvian law there are no specific requirements for certain categories of personal data, and no regulatory requirements for cloud service providers. The data controller must adopt internal regulations for the processing of personal data, in order to classify the personal data protection pursuant to the value and confidentiality level of the data.

The law also provides that personal data must be protected by passwords and encryption, and states which information must be stored on the receipt and transfer of personal data:

  • the time of transfer;
  • the parties involved; and
  • the data processed.

Further, in its internal data processing regulations the data controller must determine the length of the password and the rules for its creation. However, the minimum length of the password is eight letters. The technical protection of personal data must be ensured by physical and other means (eg, passwords or encryption). The data controller must also ensure, for example, that:

  • personal data is accessed only by authorised persons;
  • certain information is stored when a personal data transfer takes place; and
  • internal personal data protection regulations are drafted.

Breach notification
Are data owners/processors required to notify individuals in the event of a breach?

No, only electronic communications merchants have a mandatory obligation to notify individuals in the event of a breach.

Are data owners/processors required to notify the regulator in the event of a breach?

Yes, in the event of a breach the electronic communications merchant must notify the Data State Inspectorate of the circumstances and type of breach immediately. The merchant must keep the information regarding the type of the breach, its consequences and actions taken, as well as information on when and to whom it has provided data regarding the breach, for 18 months.

Click here to view the full article.