In this newsflash, we have compiled information on the new draft Personal Data Processing Law (Draft Law) announced at the state secretaries’ meeting on 12 October 2017. The aim is to establish legal preconditions for implementing the General Data Protection Regulation in Latvia.
The media have been reminding everyone that from 25 May 2018 Latvia must apply the EU Regulation on general protection of data (Regulation) with its new requirements as to personal data protection. The Regulation applies to all of us, as does any Latvian law. Once the Regulation comes into effect, it will replace the current Personal Data Protection Law.
Status and rights of the Data State Inspectorate (Inspectorate)
The Inspectorate will no longer be a state institution under the supervision of the Ministry of Justice. Rather, it will be an independent institution with a director appointed by the parliament (Saeima). From now on, the Inspectorate will be empowered to access places where personal data are processed, for example, a company's office, and to require documents and explanations in order to check whether data processing complies with the requirements of the Regulation.
Under the Regulation, each Member State may lay down its own rules on how the Inspectorate imposes administrative penalties on state institutions for personal data processing infringements. Since the governing principle in Latvia is that a state institution cannot punish another state authority, the Draft Law foresees administrative liability for individual officials rather than for a state institution itself. Administrative penalties for infringements of the Regulation applicable to the private sector are set out in the Regulation and will not be included in the Draft Law.
Certification of data protection specialists and codes of conduct
The Draft Law lays down a procedure for testing knowledge in the personal data protection field and explains how an employee may obtain certified status as a personal data protection specialist. Compared with the current legal framework, the procedure for doing so is slightly eased.
An industry that carries out uniform or similar data processing may develop a code of conduct that can be applied by all controllers in that industry, thereby ensuring uniform and effective application of the Regulation’s rules. The Draft Law sets procedures for approving codes of conduct. This framework could be relevant to associations from different industries.
Specific situations in personal data processing
The Draft Law includes specific provisions and exceptions covering data processing for journalistic, academic, artistic or literary expression. Data processing for these purposes requires an assessment of the balance between the rights to privacy and freedom of expression. In particular, this involves assessing whether the interests of a data subject in protecting their privacy do not outweigh the right of an individual to receive information, and thus whether publication of certain information may cause negative consequences for the data subject or injure their interests in any other way.
Processing a child’s personal data
Under the Regulation, in relation to the offer of information society services directly to a child (eg, social networks, and smart-phone and smart-device applications), the consent of the subject will serve as grounds for processing. Under the Regulation, processing the personal data of a child is lawful where a child is at least 16 years old. Where a child is below the age of 16, consent should be given by a parent. However, Member States may set a lower age for requiring parents’ consent. In this case, Latvia has chosen to set the lowest age threshold in the Draft Law, that is, 13 years.
According to the Draft Law, its requirements do not apply to personal data processing using automated data recording devices (video registers) of road traffic, or to data processing carried out by physical persons using automated video surveillance devices for personal and household needs, except when public space surveillance is carried out. Although the Draft Law does not say so directly, it is likely that the purpose of these provisions is basically to confirm that data processing in these cases is not subject to the requirements of the Regulation because the Draft Law does not contain specific requirements for video surveillance.