     |
You are here: Personal Data Protection |
|
Phare Programme
Twinning Project No. LV/2002/IB/OT-01 Data State
Inspection Kr.Barona 5-4, 1050 Riga, Latvia ▪ Tel.: +371
7814492 ▪ Fax.: +371 7223556
Final
Project Report
1 - Identification of the project Project no. and title: LV/2002/IB/OT-01
Data State Inspection Project partners: The administrative authority
of the represented
by the Data State Inspectorate (“Beneficiary
Country”) and The
Ludwig Boltzmann Institute of Human Rights, entitled to act in lieu of the public administration
of the Budget: 536.132,95 € Implementation period: 12 months, Legal duration: Date of notification: The project implementation started on This Final Report is submitted by the Project Leaders BC and MS. 2 – Executive summary The overall objective of this Twinning project has been to strengthen
the administrative capacity of the Data State Inspectorate (DSI) in Consequently, one of the main tasks of the project was to improve a
legal basis for a powerful supervision of personal data protection by the way
of installing a supervisory authority acting with complete independence in
exercising the functions entrusted to it. The initiative by the Cabinet of Ministers to amend the Latvian
Constitution, the Satversme, to strengthen inter alia, the
position of an independent yet powerful and effective Data State Inspectorate,
and the concerting of a legal draft with the Ministry of Justice to amend the
Personal Data Protection law (PDP law), were perspectives in the context of
this project. The special emphasise on the legal framework dimension, beside the
analysis of administrative structures and proceedings, shapes the
characteristic of the project. The project is composed of 4 components, which could be described in
terms of a summary ·
Accordingly, the work under Component 1 of the present
project was characterized by the drafting of proposals for the amendment to the
PDP law, as well as the concerting of these drafts with the Ministry of Justice
– the institution in charge of this process. ·
Component 2 was aimed at an “Improvement of the
operational base of the DSI” – hence, at a strengthened Data State
Inspectorate. ·
It was noted positively that the existing standard in
the area of data security is rather high, thus offering a good basis for the
drafting of a manual for these purposes (Component 3). ·
The material drafted under Component 4 is aimed at
providing targeted information to specific groups of readers and/or situations.
The project Steering Committee consisted of representatives of the DSI –
director and Project manager BC, the Latvian Ministry of Justice, the Latvian
Ministry of Finance, the Project leader MS and the RTA. 3 – Background Following the societal transformation of the late 1980’s and the early
1990’s, Latvia emancipated of Soviet occupation by tying up with the democratic
tradition of its interwar independence period and leaning on its Republican
Constitution dating from the year 1922, the Satversme. A proper balance between the individual freedom to process information
about others, on the one hand, and each person’s right to informational
self-determination, on the other, presupposes accurate legislation of the
substantive as well as in the procedural law. All norms of law must be fully
compatible with the acquis communautaire, i.e. with the above-mentioned
Directive. The following
topics should be mentioned: ·
Independence of
the supervisory authority and strengthening the administrative capacity of DSI As established by
Title 1 Article 1 of the Covenant, the Latvian PDP law has incompletely
transposed Article 28 of the Directive. Section 29 provides that the DSI shall
be an “institution of state administration” placed “under the jurisdiction of
the Ministry of Justice”. Its Director “shall be appointed and released from
his position by the Cabinet of Ministers pursuant to the recommendation of the
Minister of Justice”. As opposed to that, Article 28 of the Directive 95/46/EC
provides that the supervisory authorities “shall act in complete independence
in exercising the functions entrusted to them”. In line with pertinent
commentaries, the Commission interpreted and précised the understanding of the
term “complete independence” in its communiqués[h1][h2][h3], most recently,
in the letter of 5 July 2005 by Commission Deputy President Frattini
to the German Minister for Foreign Affairs Fischer (2003/4820 C[2005] 2098) the
understanding of the term “complete independence” was interpreted and précised.
The legal and factual putting in place of a supervising authority that
meets the aforementioned strict independence criteria within the framework of
the wording of the present Latvian Constitution would be at least problematic,
considering its Article 58: “58. The state administration
institutions shall be subordinated to the Cabinet of Ministers.” Therefore, on “The working group is of the opinion
that the DSI, or any other authority that may inherit its functions, must be
taken out of the hierarchical structure under the authority of the Cabinet of
Ministers.” (…) The amendments to the Article 58 of the
Satversme should be stated approximately in the following wording: “58. The administrative institutions
of the State shall be under the authority of the Cabinet of Ministers. Stand-alone institutions, that are not under the authority of the
Cabinet of Ministers in exercising the functions entrusted to them, may be
established by law in the areas of regulation of public utilities, financial
and capital markets supervision, and national broadcasting supervision, as well
as to ensure effective control of the public administration. Where this is necessary to fulfil their tasks, the power to take
externally directed administrative decisions may be delegated by law to these
institutions. The law foresees an effective mechanism to provide for the rule
of law. The administrative institutions of
the State operate according to the principles of good governance.” The proposed amended wording of the constitutional provision does not
specify the names of these institutions or the exact areas that they would
control. Still, there can be no doubt about the fact that the institution that
supervises personal data processing would belong to the number of those State
bodies that control the public administration. Essentially, the above mentioned
proposal for the amendment of Article 58 of the Latvian Constitution for the
first time would explicitly provide for the possibility of certain
administrative institutions of the State outside of the hierarchical structure
of the Cabinet of Ministers, among them those entrusted with the task to ensure
effective control of the public administration. ·
Substantive law concerning DP A constitutional guarantee for the protection of privacy rights can be
found in Article 96 of the Satversme: “96.
Everyone has the right to the inviolability of a private life, place of
residence and correspondence.” The Latvian Constitution provides a substantive guarantee for
informational self-determination and is therefore fully in line with the
requirements of the EU acquis, in particular, the requirements of
Directive 95/46/EC in that respect. ·
Notification and registration The PDP law currently provides that nearly all data processing
operations in the public as well as in the private sector are subject to the
notification procedure. This has led to a situation that the DSI, in the
four-and-a-half years of its existence has registered nearly 12.000 data
processing operations. The Latvian PDP Law and the Administrative Procedure Law
give the registration the character of an administrative act (“application for
registration” [Sec 22 para 3]; “certificate of registration” [Sec. 22 para 3];
“refusal to register [Sec. 23]; “cancellation of a certificate” [Sec. 29 para 4
no. 5]; “unregistered systems shall cease operations” [Transitional provision
No. 2]). Despite of the perspective of adaptation of the legal framework,
strengthening the administrative capacity of the DSI was a special emphasis of
the project as clearly stressed in the Covenant (Component 2). 4 - Summary
of the twinning activities during the reporting period General
Remarks Originally, the project start was planned for implementation in End of
2003. Unfortunately, due to the demanded replacement of the originally
designated Project Leader MS and RTA MS, and due to the change of Latvia’s
status from accession country to member state (with a moratorium on final
contracting [EDIS]), the project began with a delay of about one year on 10
September 2004. Since the deadline for disbursement was On 15 September 2004, the new RTA, Mr. Thomas Giesen, arrived in Latvia
and introduced himself at the Data State Inspectorate, and in the following
days, also at the Administrative Office (Ministry of Finance), at the Central
Financing and Contracting Agency (Ministry of Finance), and in the Ministry of
Justice. On The first Steering Committee
was held on Component 1 Guaranteed Results Strengthened Secondary legal acts, defining powers, rights, and functions of the DSI
according to the EC Directive 95/46 analyzed and necessary amendments proposed; Component 1 of the project targeted at an “Improvement of the legal base
of the DSI”. It consisted of 3 activities. ·
Activity 1.1: “Preparation of a gaps analysis regarding the Latvian
data protection legislation” Time schedule: September 2004 – April 2005 Carried out: started on 9. November 2004 finished
on The Covenant defines the objective of this activity as follows: “The PAA assistant will translate the Latvian
legislation concerning data protection issues that is not already translated
into English. The MS experts will prepare an in-depth analysis of Latvian data
protection legislation and compare it to the data protection acquis. The main
focus will lie on the requirements of the acquis regarding the independence of
the DSI and its Director. Furthermore the analysis will serve to evaluate the
current Latvian data protection legislation in respect of the efficiency and
practicability of the implementation, taking into account the experience with
the implementation of the data protection acquis in STE Mr. Christian
Schnoor, who worked four working days (WDs) from 9 November until 12 November,
prepared a gaps analysis regarding the Latvian data protection legislation,
with an emphasis on the question of independence of the supervisory authority.
He undertook a comparison of the Latvian data protection legislation to the
relevant EU acquis. Mr.
Schnoor drafted a proposal for the amendment to the Latvian Constitution and to
Art.29 and 30 of the Latvian Personal Data Protection Law (PDP law). The draft
was submitted to Director DSI, who further submitted it to the Ministry of
Justice. STE Mr. Thomas
Mauersberger, who worked 10 WDs from 22 November until 3 December, prepared a synopsis of regulations in 11
other EU Member States with regard to the independence of the supervisory
authority. He also undertook an analysis of data protection regulations in the
field of security services, police, and secret services. STE Ms. Elisabeth Duhr,
who worked five working days (WDs) from 23 May to Results achieved: Written analysis
with recommendations was prepared and the Project Leader BC approved its
reception according the Project Covenant. ·
Activity 1.2: “Preparation
of recommendations and proposals for the improvement of the Latvian data
protection legislation” Time schedule: September 2004 – September 2005 Carried out: started on 22.11.2004 finished
27.9.2005 The Covenant defines the objective of this activity as follows: “The above gaps analysis on
the Latvian data protection legislation will be discussed at a workshop and
presented to the Latvian experts. In close co-operation with their Latvian
colleagues, the MS experts will prepare recommendations and proposals for
amendments of the Latvian Legislation which are necessary to eliminate possible
inconsistencies in the current legislation with the acquis and streamlining the
legal base for an efficient implementation. Therefore a special focus will lie
on the strengthening of the legal base of the DSI, especially regarding the
independence of the DSI and its Director. A reasoning for the proposed legal
amendments will be prepared, providing background information for the
responsible political and legislative organs.” STE Mr. Tino
Naumann, who worked 10 WDs from 22 November until 3 December, prepared an
in-depth analysis of inconsistencies in the present Latvian PDP law from the
point of view of the EU acquis in matters other than
independence, including proposals for necessary legal amendments. He also
undertook an analysis of data protection regulations in the field of Electronic
Communications Law. Just like Mr. Schnoor’s study of the PDP law, his scrutiny
of the Electronic Communications Law resulted in suggestions for amendments to
the relevant law. These suggestions were discussed at a meeting in the Ministry
of Transport, Communications Department, between Mr. Naumann and the RTA
Assistant, Mârcis Gobiòð, and Ms Iveta Zeidaka, Deputy Head of the Department,
and Ms Ingrîda Gailume, Head of the General and International Issues Division. STE Ms. Elisabeth Duhr, who worked 5 WDs from 6 December to 10 December
(but see section 3 penultimate paragraph, above), undertook an in-depth
analysis of the existing Latvian regulations in the field of notifications,
including rather detailed recommendations for a simplification of the procedure,
as well as other relevant aspects. STE Mr. Gerd Wippermann, who worked 5 WDs from 13 December to 17
December (but see section 3 penultimate paragraph, above), drafted an
alternative amendment of the PDP law (without amendment of the Constitution) on
the basis of the draft law on the Ombudsman by the Chancelary of the State
President. STE Mr. Tino Naumann
worked another 5 WD from 7 February until STE Mr. Christian Schnoor,
who worked 5 WDs from 10 January until STE Mr. Thomas Mauersberger,
who worked 5 WDs from 5 February until The STEs Ms. Duhr as well as Mr. Schnoor, Naumann, Mauersberger, and
Wippermann have worked 35 WDs on the issue. STE Dr. Tino Naumann
worked 5 WDs from 24 April until STE Mr. Thomas Mauersberger,
who worked 5 WDs from 24 April until STE Prof. Dr. Hans-Ullrich
Paeffgen, who worked 4 WDs from 17 May until STE Klaus Leroff, who worked 5 working
days (WDs) from 6 June to 10 June 2005, worked on the draft proposals for the
amendment to the Personal Data Protection Law (PDP law), with a emphasis on the
Data Supervisor’s interrelation with the Latvian Parliament. STE Professor Dr. Marie-Theres Tinnefeld worked 10 WDs
from 18 July until 29 July 2005, and drafted the final report for this
activity, which includes further recommendations and proposals to the Latvian
PDP law concerning the question of informed consent, transfer of personal data
within the EU as well as to third countries, on the interrelation between data
protection and freedom of scientific research, as well as on the interrelation
between data protection and freedom of the media, and with regard to certain
sectoral laws (Electronic Communications Law, Law on Police, Investigatory
Operations Law, and other laws on security authorities). STE Dr. Christian Schnoor completed the
activity during his last secondment to STE Wolfgang
Kilian and STE Nikolaus Forgó worked on completion of proposals for the
Electronic Communication Law amendments and the final draft proposal for PDP
law. Results achieved: Recommendations
and proposals for the improvement of the Latvian data protection legislation were
elaborated and the Steering Committee of the project in general approved it on ·
Activity 1.3: “Preparation
of comments on the Latvian data protection legislation” Time schedule: May 2005 – September 2005 Carried out: started on 12.April 2005 finished
on 19. August 2005 The Covenant defines the objective of this activity as follows: “Based on the under 1.1. elaborated analysis, MS
experts will prepare comments on the Latvian data protection legislation
reflecting also the most important decisions of the European Court of Justice,
the European Court of Human Rights as well as the Austrian and German Courts. The comments will be translated into Latvian. These
comments on the Latvian data protection legislation will serve as an important
tool for the future day-to-day work of all institutions involved in data
protection. The main aim of these comments will be to give examples from the
Case Law of the European Court of Justice and national MS courts especially on
the interpretation and implementation of unclear and vague terms of the data
protection legislation.” STE Prof. Dr. Hans-Werner
Laubinger, who worked 4 WDs from 12 April until STE Ms. Elisabeth Duhr,
who worked five working days (WDs) from 30 May to STE Ms. Elisabeth Duhr, who worked five
working days (WDs) from 15 August to Results achieved: Comments on the Latvian data protection legislation
were elaborated and approved by the Project Leader BC. Component 2 Guaranteed Results Elaborated and implemented DSI capacity development
strategy; Data
subject and data processors informed on data protection issues Means for
information of data subject developed: Elaborated strategic plan on information of society
functioning; Elaborated
publications on rights of data subject on rights and obligations of systems
controllers, on sensitive data protection and on legal acts accessible to all
levels of society and to all levels of administration; Workshop and seminars on personal data protection
organised; Conference on
Personal data protection for data protection specialists from 2.2. Means for
information of data controllers processing as state administrations and
institutions as civil enterprises developed: Seminars on safe
and legal personal data processing systems and personal data processing
organised (in particular respect of security administration and social welfare
administration); Component 2
targeted at an “Improvement of the operational base of the DSI”. It consists of three activities. ·
Activity 2.1: "Preparation
of a development strategy for the DSI" Time schedule: May 2005 – September 2005 Carried out: started on 29. March 2005 finished
on 17. August 2005 The Covenant defines the objective of this activity as follows: “Experts from MS
Data Protection Authorities will analyse the tasks of the DSI and evaluate,
based on the experience and needs of Data Protection Authorities in the MS,
provided at a workshop, the current and expected future work load of the DSI,
taking into account the Latvian circumstances. Based on this
analysis, the MS experts in co-operation with the Latvian experts will prepare
a development strategy and resources needs forecast of the DSI, indicating the
staff, number of employees and their qualification, budget, equipment etc.
needed by the DSI to fulfil its tasks in a long term. Regarding the
required staff, the development strategy will include recommendations on staff
relationship, in-house training and staff motivation. In the workshop
with its various topics (organisational issues, the internal information procedures
of the DSI, the management of claims and complaints, the registration of
notifications) the STEs will represent different approaches.” STE Mr. Klaus Leroff,
who worked 10 WDs from 29 March until STE Mr. Peter Paul Klein,
who worked 5 WDs from 11 April until Results achieved: On the basis of
the existing DSI development
strategy a proposal for improvements was elaborated. It was in general approved
by the project Steering Committee on ·
Activity 2.2: "Preparation of manuals
for the DSI on internal information flow, register of notifications and
management of claims and complaints" Time schedule: January
2005 – September 2005 Carried out: started on 31 January2005 finished
on 12 August 2005 The Covenant defines the objective of this activity as follows: “MS Experts will analyse the current practice of the
DSI regarding the ·
internal information flow by means of the
unitary internal information system ·
the management of claims and complaints ·
keeping of a register of notifications These analyses will mainly focus on an efficient and
grass-roots handling of the above tasks. Based on the above analyses and the experience of
Data Protection Authorities of the MS provided at a workshop, manuals will be
prepared to support the day-to-day work of the DSI regarding the above issues,
and to increase efficiency.” STE Mr. Andreas Schneider, who was in STE Ms. Claudia Golembiewski, who worked 5
WD’s from 27 June to 1 July 2005, STE Dr. Tino Naumann, who worked 10 WD’s from 27 June to 8 July 2005,
STE Dr. Eva Souhrada, who
worked 5 WD’s from 4 July to 8 July 2005, and STE Mr. Thomas Mauersberger, who also worked 5 WD’s from 4 July to 8
July 2005 elaborated written manuals to support the day-to-day work regarding
internal information flows, the management of claims and complaints and the
notifications. These manuals were submitted to the Project Leader BC and will
be translated into Latvian according to the Project Covenant. Results achieved: Manuals for the DSI on internal information flow,
notifications and management of claims and complaints were elaborated by
experts and their reception was approved by the Project Leader BC according the
Project Covenant. ·
Activity 2.3: “Study
trips to Austrian and German Data Protection Institutions” Time schedule: April 2005 – September 2005 Carried out: started on finished
on 7 September 2005 The Covenant defines the objective of this activity as follows: “During a study trip to Austrian and German data protection institutions, the key staff of the DSI will get familiar with the methods of implementing data protection legislation in EU MS. The inst |
