     |
You are here: Personal Data Protection Phare project |
|
Phare Programme
Twinning Project No. LV/2002/IB/OT-01 Data State
Inspection Kr.Barona 5-4, 1050 Riga, Latvia ▪ Tel.: +371
7814492 ▪ Fax.: +371 7223556
Final
Project Report
1 - Identification of the project Project no. and title: LV/2002/IB/OT-01
Data State Inspection Project partners: The administrative authority
of the represented
by the Data State Inspectorate (“Beneficiary
Country”) and The
Ludwig Boltzmann Institute of Human Rights, entitled to act in lieu of the public administration
of the Budget: 536.132,95 € Implementation period: 12 months, Legal duration: Date of notification: The project implementation started on This Final Report is submitted by the Project Leaders BC and MS. 2 – Executive summary The overall objective of this Twinning project has been to strengthen
the administrative capacity of the Data State Inspectorate (DSI) in Consequently, one of the main tasks of the project was to improve a
legal basis for a powerful supervision of personal data protection by the way
of installing a supervisory authority acting with complete independence in
exercising the functions entrusted to it. The initiative by the Cabinet of Ministers to amend the Latvian
Constitution, the Satversme, to strengthen inter alia, the
position of an independent yet powerful and effective Data State Inspectorate,
and the concerting of a legal draft with the Ministry of Justice to amend the
Personal Data Protection law (PDP law), were perspectives in the context of
this project. The special emphasise on the legal framework dimension, beside the
analysis of administrative structures and proceedings, shapes the
characteristic of the project. The project is composed of 4 components, which could be described in
terms of a summary ·
Accordingly, the work under Component 1 of the present
project was characterized by the drafting of proposals for the amendment to the
PDP law, as well as the concerting of these drafts with the Ministry of Justice
– the institution in charge of this process. ·
Component 2 was aimed at an “Improvement of the
operational base of the DSI” – hence, at a strengthened Data State
Inspectorate. ·
It was noted positively that the existing standard in
the area of data security is rather high, thus offering a good basis for the
drafting of a manual for these purposes (Component 3). ·
The material drafted under Component 4 is aimed at
providing targeted information to specific groups of readers and/or situations.
The project Steering Committee consisted of representatives of the DSI –
director and Project manager BC, the Latvian Ministry of Justice, the Latvian
Ministry of Finance, the Project leader MS and the RTA. 3 – Background Following the societal transformation of the late 1980’s and the early
1990’s, Latvia emancipated of Soviet occupation by tying up with the democratic
tradition of its interwar independence period and leaning on its Republican
Constitution dating from the year 1922, the Satversme. A proper balance between the individual freedom to process information
about others, on the one hand, and each person’s right to informational
self-determination, on the other, presupposes accurate legislation of the
substantive as well as in the procedural law. All norms of law must be fully
compatible with the acquis communautaire, i.e. with the above-mentioned
Directive. The following
topics should be mentioned: ·
Independence of
the supervisory authority and strengthening the administrative capacity of DSI As established by
Title 1 Article 1 of the Covenant, the Latvian PDP law has incompletely
transposed Article 28 of the Directive. Section 29 provides that the DSI shall
be an “institution of state administration” placed “under the jurisdiction of
the Ministry of Justice”. Its Director “shall be appointed and released from
his position by the Cabinet of Ministers pursuant to the recommendation of the
Minister of Justice”. As opposed to that, Article 28 of the Directive 95/46/EC
provides that the supervisory authorities “shall act in complete independence
in exercising the functions entrusted to them”. In line with pertinent
commentaries, the Commission interpreted and précised the understanding of the
term “complete independence” in its communiqués[h1][h2][h3], most recently,
in the letter of 5 July 2005 by Commission Deputy President Frattini
to the German Minister for Foreign Affairs Fischer (2003/4820 C[2005] 2098) the
understanding of the term “complete independence” was interpreted and précised.
The legal and factual putting in place of a supervising authority that
meets the aforementioned strict independence criteria within the framework of
the wording of the present Latvian Constitution would be at least problematic,
considering its Article 58: “58. The state administration
institutions shall be subordinated to the Cabinet of Ministers.” Therefore, on “The working group is of the opinion
that the DSI, or any other authority that may inherit its functions, must be
taken out of the hierarchical structure under the authority of the Cabinet of
Ministers.” (…) The amendments to the Article 58 of the
Satversme should be stated approximately in the following wording: “58. The administrative institutions
of the State shall be under the authority of the Cabinet of Ministers. Stand-alone institutions, that are not under the authority of the
Cabinet of Ministers in exercising the functions entrusted to them, may be
established by law in the areas of regulation of public utilities, financial
and capital markets supervision, and national broadcasting supervision, as well
as to ensure effective control of the public administration. Where this is necessary to fulfil their tasks, the power to take
externally directed administrative decisions may be delegated by law to these
institutions. The law foresees an effective mechanism to provide for the rule
of law. The administrative institutions of
the State operate according to the principles of good governance.” The proposed amended wording of the constitutional provision does not
specify the names of these institutions or the exact areas that they would
control. Still, there can be no doubt about the fact that the institution that
supervises personal data processing would belong to the number of those State
bodies that control the public administration. Essentially, the above mentioned
proposal for the amendment of Article 58 of the Latvian Constitution for the
first time would explicitly provide for the possibility of certain
administrative institutions of the State outside of the hierarchical structure
of the Cabinet of Ministers, among them those entrusted with the task to ensure
effective control of the public administration. ·
Substantive law concerning DP A constitutional guarantee for the protection of privacy rights can be
found in Article 96 of the Satversme: “96.
Everyone has the right to the inviolability of a private life, place of
residence and correspondence.” The Latvian Constitution provides a substantive guarantee for
informational self-determination and is therefore fully in line with the
requirements of the EU acquis, in particular, the requirements of
Directive 95/46/EC in that respect. ·
Notification and registration The PDP law currently provides that nearly all data processing
operations in the public as well as in the private sector are subject to the
notification procedure. This has led to a situation that the DSI, in the
four-and-a-half years of its existence has registered nearly 12.000 data
processing operations. The Latvian PDP Law and the Administrative Procedure Law
give the registration the character of an administrative act (“application for
registration” [Sec 22 para 3]; “certificate of registration” [Sec. 22 para 3];
“refusal to register [Sec. 23]; “cancellation of a certificate” [Sec. 29 para 4
no. 5]; “unregistered systems shall cease operations” [Transitional provision
No. 2]). Despite of the perspective of adaptation of the legal framework,
strengthening the administrative capacity of the DSI was a special emphasis of
the project as clearly stressed in the Covenant (Component 2). 4 - Summary
of the twinning activities during the reporting period General
Remarks Originally, the project start was planned for implementation in End of
2003. Unfortunately, due to the demanded replacement of the originally
designated Project Leader MS and RTA MS, and due to the change of Latvia’s
status from accession country to member state (with a moratorium on final
contracting [EDIS]), the project began with a delay of about one year on 10
September 2004. Since the deadline for disbursement was On 15 September 2004, the new RTA, Mr. Thomas Giesen, arrived in Latvia
and introduced himself at the Data State Inspectorate, and in the following
days, also at the Administrative Office (Ministry of Finance), at the Central
Financing and Contracting Agency (Ministry of Finance), and in the Ministry of
Justice. On The first Steering Committee
was held on Component 1 Guaranteed Results Strengthened Secondary legal acts, defining powers, rights, and functions of the DSI
according to the EC Directive 95/46 analyzed and necessary amendments proposed; Component 1 of the project targeted at an “Improvement of the legal base
of the DSI”. It consisted of 3 activities. ·
Activity 1.1: “Preparation of a gaps analysis regarding the Latvian
data protection legislation” Time schedule: September 2004 – April 2005 Carried out: started on 9. November 2004 finished
on The Covenant defines the objective of this activity as follows: “The PAA assistant will translate the Latvian
legislation concerning data protection issues that is not already translated
into English. The MS experts will prepare an in-depth analysis of Latvian data
protection legislation and compare it to the data protection acquis. The main
focus will lie on the requirements of the acquis regarding the independence of
the DSI and its Director. Furthermore the analysis will serve to evaluate the
current Latvian data protection legislation in respect of the efficiency and
practicability of the implementation, taking into account the experience with
the implementation of the data protection acquis in STE Mr. Christian
Schnoor, who worked four working days (WDs) from 9 November until 12 November,
prepared a gaps analysis regarding the Latvian data protection legislation,
with an emphasis on the question of independence of the supervisory authority.
He undertook a comparison of the Latvian data protection legislation to the
relevant EU acquis. Mr.
Schnoor drafted a proposal for the amendment to the Latvian Constitution and to
Art.29 and 30 of the Latvian Personal Data Protection Law (PDP law). The draft
was submitted to Director DSI, who further submitted it to the Ministry of
Justice. STE Mr. Thomas
Mauersberger, who worked 10 WDs from 22 November until 3 December, prepared a synopsis of regulations in 11
other EU Member States with regard to the independence of the supervisory
authority. He also undertook an analysis of data protection regulations in the
field of security services, police, and secret services. STE Ms. Elisabeth Duhr,
who worked five working days (WDs) from 23 May to Results achieved: Written analysis
with recommendations was prepared and the Project Leader BC approved its
reception according the Project Covenant. ·
Activity 1.2: “Preparation
of recommendations and proposals for the improvement of the Latvian data
protection legislation” Time schedule: September 2004 – September 2005 Carried out: started on 22.11.2004 finished
27.9.2005 The Covenant defines the objective of this activity as follows: “The above gaps analysis on
the Latvian data protection legislation will be discussed at a workshop and
presented to the Latvian experts. In close co-operation with their Latvian
colleagues, the MS experts will prepare recommendations and proposals for
amendments of the Latvian Legislation which are necessary to eliminate possible
inconsistencies in the current legislation with the acquis and streamlining the
legal base for an efficient implementation. Therefore a special focus will lie
on the strengthening of the legal base of the DSI, especially regarding the
independence of the DSI and its Director. A reasoning for the proposed legal
amendments will be prepared, providing background information for the
responsible political and legislative organs.” STE Mr. Tino
Naumann, who worked 10 WDs from 22 November until 3 December, prepared an
in-depth analysis of inconsistencies in the present Latvian PDP law from the
point of view of the EU acquis in matters other than
independence, including proposals for necessary legal amendments. He also
undertook an analysis of data protection regulations in the field of Electronic
Communications Law. Just like Mr. Schnoor’s study of the PDP law, his scrutiny
of the Electronic Communications Law resulted in suggestions for amendments to
the relevant law. These suggestions were discussed at a meeting in the Ministry
of Transport, Communications Department, between Mr. Naumann and the RTA
Assistant, Mârcis Gobiòð, and Ms Iveta Zeidaka, Deputy Head of the Department,
and Ms Ingrîda Gailume, Head of the General and International Issues Division. STE Ms. Elisabeth Duhr, who worked 5 WDs from 6 December to 10 December
(but see section 3 penultimate paragraph, above), undertook an in-depth
analysis of the existing Latvian regulations in the field of notifications,
including rather detailed recommendations for a simplification of the procedure,
as well as other relevant aspects. STE Mr. Gerd Wippermann, who worked 5 WDs from 13 December to 17
December (but see section 3 penultimate paragraph, above), drafted an
alternative amendment of the PDP law (without amendment of the Constitution) on
the basis of the draft law on the Ombudsman by the Chancelary of the State
President. STE Mr. Tino Naumann
worked another 5 WD from 7 February until STE Mr. Christian Schnoor,
who worked 5 WDs from 10 January until STE Mr. Thomas Mauersberger,
who worked 5 WDs from 5 February until The STEs Ms. Duhr as well as Mr. Schnoor, Naumann, Mauersberger, and
Wippermann have worked 35 WDs on the issue. STE Dr. Tino Naumann
worked 5 WDs from 24 April until STE Mr. Thomas Mauersberger,
who worked 5 WDs from 24 April until STE Prof. Dr. Hans-Ullrich
Paeffgen, who worked 4 WDs from 17 May until STE Klaus Leroff, who worked 5 working
days (WDs) from 6 June to 10 June 2005, worked on the draft proposals for the
amendment to the Personal Data Protection Law (PDP law), with a emphasis on the
Data Supervisor’s interrelation with the Latvian Parliament. STE Professor Dr. Marie-Theres Tinnefeld worked 10 WDs
from 18 July until 29 July 2005, and drafted the final report for this
activity, which includes further recommendations and proposals to the Latvian
PDP law concerning the question of informed consent, transfer of personal data
within the EU as well as to third countries, on the interrelation between data
protection and freedom of scientific research, as well as on the interrelation
between data protection and freedom of the media, and with regard to certain
sectoral laws (Electronic Communications Law, Law on Police, Investigatory
Operations Law, and other laws on security authorities). STE Dr. Christian Schnoor completed the
activity during his last secondment to STE Wolfgang
Kilian and STE Nikolaus Forgó worked on completion of proposals for the
Electronic Communication Law amendments and the final draft proposal for PDP
law. Results achieved: Recommendations
and proposals for the improvement of the Latvian data protection legislation were
elaborated and the Steering Committee of the project in general approved it on ·
Activity 1.3: “Preparation
of comments on the Latvian data protection legislation” Time schedule: May 2005 – September 2005 Carried out: started on 12.April 2005 finished
on 19. August 2005 The Covenant defines the objective of this activity as follows: “Based on the under 1.1. elaborated analysis, MS
experts will prepare comments on the Latvian data protection legislation
reflecting also the most important decisions of the European Court of Justice,
the European Court of Human Rights as well as the Austrian and German Courts. The comments will be translated into Latvian. These
comments on the Latvian data protection legislation will serve as an important
tool for the future day-to-day work of all institutions involved in data
protection. The main aim of these comments will be to give examples from the
Case Law of the European Court of Justice and national MS courts especially on
the interpretation and implementation of unclear and vague terms of the data
protection legislation.” STE Prof. Dr. Hans-Werner
Laubinger, who worked 4 WDs from 12 April until STE Ms. Elisabeth Duhr,
who worked five working days (WDs) from 30 May to STE Ms. Elisabeth Duhr, who worked five
working days (WDs) from 15 August to Results achieved: Comments on the Latvian data protection legislation
were elaborated and approved by the Project Leader BC. Component 2 Guaranteed Results Elaborated and implemented DSI capacity development
strategy; Data
subject and data processors informed on data protection issues Means for
information of data subject developed: Elaborated strategic plan on information of society
functioning; Elaborated
publications on rights of data subject on rights and obligations of systems
controllers, on sensitive data protection and on legal acts accessible to all
levels of society and to all levels of administration; Workshop and seminars on personal data protection
organised; Conference on
Personal data protection for data protection specialists from 2.2. Means for
information of data controllers processing as state administrations and
institutions as civil enterprises developed: Seminars on safe
and legal personal data processing systems and personal data processing
organised (in particular respect of security administration and social welfare
administration); Component 2
targeted at an “Improvement of the operational base of the DSI”. It consists of three activities. ·
Activity 2.1: "Preparation
of a development strategy for the DSI" Time schedule: May 2005 – September 2005 Carried out: started on 29. March 2005 finished
on 17. August 2005 The Covenant defines the objective of this activity as follows: “Experts from MS
Data Protection Authorities will analyse the tasks of the DSI and evaluate,
based on the experience and needs of Data Protection Authorities in the MS,
provided at a workshop, the current and expected future work load of the DSI,
taking into account the Latvian circumstances. Based on this
analysis, the MS experts in co-operation with the Latvian experts will prepare
a development strategy and resources needs forecast of the DSI, indicating the
staff, number of employees and their qualification, budget, equipment etc.
needed by the DSI to fulfil its tasks in a long term. Regarding the
required staff, the development strategy will include recommendations on staff
relationship, in-house training and staff motivation. In the workshop
with its various topics (organisational issues, the internal information procedures
of the DSI, the management of claims and complaints, the registration of
notifications) the STEs will represent different approaches.” STE Mr. Klaus Leroff,
who worked 10 WDs from 29 March until STE Mr. Peter Paul Klein,
who worked 5 WDs from 11 April until Results achieved: On the basis of
the existing DSI development
strategy a proposal for improvements was elaborated. It was in general approved
by the project Steering Committee on ·
Activity 2.2: "Preparation of manuals
for the DSI on internal information flow, register of notifications and
management of claims and complaints" Time schedule: January
2005 – September 2005 Carried out: started on 31 January2005 finished
on 12 August 2005 The Covenant defines the objective of this activity as follows: “MS Experts will analyse the current practice of the
DSI regarding the ·
internal information flow by means of the
unitary internal information system ·
the management of claims and complaints ·
keeping of a register of notifications These analyses will mainly focus on an efficient and
grass-roots handling of the above tasks. Based on the above analyses and the experience of
Data Protection Authorities of the MS provided at a workshop, manuals will be
prepared to support the day-to-day work of the DSI regarding the above issues,
and to increase efficiency.” STE Mr. Andreas Schneider, who was in STE Ms. Claudia Golembiewski, who worked 5
WD’s from 27 June to 1 July 2005, STE Dr. Tino Naumann, who worked 10 WD’s from 27 June to 8 July 2005,
STE Dr. Eva Souhrada, who
worked 5 WD’s from 4 July to 8 July 2005, and STE Mr. Thomas Mauersberger, who also worked 5 WD’s from 4 July to 8
July 2005 elaborated written manuals to support the day-to-day work regarding
internal information flows, the management of claims and complaints and the
notifications. These manuals were submitted to the Project Leader BC and will
be translated into Latvian according to the Project Covenant. Results achieved: Manuals for the DSI on internal information flow,
notifications and management of claims and complaints were elaborated by
experts and their reception was approved by the Project Leader BC according the
Project Covenant. ·
Activity 2.3: “Study
trips to Austrian and German Data Protection Institutions” Time schedule: April 2005 – September 2005 Carried out: started on finished
on 7 September 2005 The Covenant defines the objective of this activity as follows: “During a study trip to Austrian and German data
protection institutions, the key staff of the DSI will get familiar with the
methods of implementing data protection legislation in EU MS. The institutions
to be visited will be selected jointly with the Beneficiary according to
necessity for and fields of interests of the participating Latvian experts;
they will include the Austrian Data Protection Commission at the Federal
Chancellery and the Data Protection Commission of Saxony. Topics covered during
the study trips will include practical issues regarding data processing and the
prior checking as well as management of the institutions visited and the
co-operation between the institutions.” A study trip to The programme that
was prepared by the Ludwig-Boltzmann-Institute of Human Rights and by the
Project Leader MS and conveyed valuable experience from the day-to-day work of
the Austrian colleagues. An evaluation form for the study trip was submitted to
the Project Manger BC on 12 July. A secondment of
Ms. Balode and Ms. Plûmiòa to the German Federal Data
Protection Commissioner in During a two days visit to the Independent Centre for Privacy Protection
Schleswig-Holstein (ICPP) from 6 September to Results achieved: An introduction to the working methods of various
institutions in the field of data protection on site was received during the
study trips; reports on the study trips were prepared. Component 3 Guaranteed
results: Component 3 of the
project targeted at an “Improvement of DSI capacity in respect of inspections
of personal data processing systems”. It consisted of 1
activity. ·
Activity 3.1: “Preparation
of a manual on auditing the security of personal data processing systems” Time schedule: December
2004 – September 2005 Carried out: started on finished
on The Covenant defines the objective of this activity as follows: “The MS experts will analyse the current
practice of DSI regarding auditing the security of information systems (incl. personal data processing systems). Considering the results of this analysis
and based on the best practice of the EU MS, international standards (ISO
17799, ISO15408) a draft manual will be prepared in cooperation with the
experts of DSI. During the workshop draft manual will be
discussed with the experts of DSI as well as how to implement the best practice
of auditing the security of information
systems (incl. personal data processing systems). Following
the workshop, the MS experts in co-operation with Latvian experts will improve
the manual on auditing the security of information
systems (incl. personal data processing systems), with the aim to
overcome the identified potential shortcomings and increase efficiency of the
DSI. This manual is intended to be approved by
the Project Leader CC/ Director of the DSI for further use of the DSI. The
manual will be translated into Latvian. During the implementation of this activity
the STEs coming from different institutions will represent different
approaches.” STE Mr. Roman
Maczkowsky, who was in STE Mr. Thomas Probst, who was in Latvia from 21 to 25 February 2005 (5
WD), worked together with Mr. Maczkowsky on further preparation of the manual
on auditing the security of
personal data processing systems. STE Mr. Roman Maczkowsky, who was on a mission to Results achieved: A manual on auditing the security of personal data
processing systems-Focusing on European Union Member States practice and taking
into account specific requirements and circumstances in Component 4 Guaranteed
Results Component 4 of the
project targeted at “Information and awareness raising concerning data
protection.” It consisted of five activities. ·
Activity 4.1: “Development of a public
awareness strategy for the general public” Time schedule: February
2005 – September 2005 Carried out: started on 16.February 2005 finished
23.August 2005 The Covenant defines the objective of this activity as follows: “The MS experts will analyse the current practice
regarding information campaigns for the general public in The strategic plan for an awareness campaign will be
approved by the Project Leader CC/ Director of DSI for implementation.” STE Ms. Kotschy has been at the DSI from 16 until STE Ms. Kirsten Ruhnke, who worked 2 WD’s
from 22 August to Results achieved: public awareness strategy on the basis of the current DSI strategy was elaborated. The
Project Leader BC according the Project Covenant approved its reception. ·
Activity 4.2: “Development of an awareness
strategy for data controllers and processors (date protection in security
administrations police, district attorneys, intelligence services) as far as it
concerns the European law” Time schedule: April 2005 – September 2005 Carried out: started on 8.August 2005 finished on 12.August 2005 The Covenant defines the objective of this activity as follows: “The
MS experts will analyse the current practice regarding information campaigns
for data controllers and processors in The strategic plan for an awareness campaign among
data controllers and processors will be approved by the Steering Committee for
implementation.” STE Professor Dr.Dietmar Jahnel, who worked 5 WD’s
from 8 August to Results achieved: strategy for public awareness raising campaign was
prepared. It was in general approved by the project Steering Committee on ·
Activity 4.3:
”Creation of material for an awareness campaign among data controllers and workshops
/ training for data controllers / processors and judges” Time schedule: May
2005 – September 2005 Carried out: started on finished
on The Covenant defines the objective of this activity as follows: “Based
on the under 4.2. developed strategy, the MS experts and the DSI experts will
create concepts for a brochure including checklists on data protection issues
for the day-to-day-work of data controllers. MS experts will conduct training and information
seminars for data controllers, processors by using the prepared information
material. DSI experts will participate in these seminars and support the MS
experts. All participants of these seminars will receive evaluation sheets, in
order to review the acceptance of the training provided and adjust the training
if appropriate. In a debriefing workshop, the DSI experts
participating in these seminars and the MS experts holding these seminars will
analyse the above evaluation sheets and develop recommendations to increase the
quality of the training and information provided for data controllers and, if
necessary, adjust the information material.” STEs Mr. Philip Scholz, who worked 3 WD’s from
15 August to 17 August 2005, Mr. Gregor
Scheja, who worked 4 WD’s from 22 August to 25 August 2005 and Mr. Lukas Gundermann, who worked 10 WD’s
from 15 August to 26 August 2005 created material for awareness campaigns among
data controllers. A workshop on “Latvian Data Protection Law
and coming changes and International Data
Protection Law” was
successfully carried out at 25 August by Mr. Lukas Gundermann and Mr. Gregor
Scheja. Results achieved: a brochure and
material for awareness campaigns among data controllers was elaborated and
training provided for data controllers and processors. ·
Activity 4.4: “Creation of
material for an awareness campaign among the general public” Time schedule: February
2005 – September 2005 Carried out: started on finished
on The Covenant defines the objective of this activity as follows: “Based
on the under 4.1. developed strategy, the MS experts and the DSI experts will
create concepts for leaflets on the rights of data subjects under Latvian and
EU legislation and the role of the DSI for the general public concerning social
welfare. The information material prepared will be presented
to the Project Leader CC/ Director of DSI for approval for further general
use.” STE Mr. Bernhard Bannasch,
who worked 5 WDs from 21 February until On the basis of
the work of STE Mr. Bannasch in February, the STEs Ms. Theresa Philippi and Mr. Nils Leopold (both 5 WD from 1 to 5
August) created material for the raising of public awareness among the general
public. The results of the STEs’ work were presented to the Steering Committee
and then translated into Latvian. Results achieved: The brochure for the awareness campaigns among the
general public was elaborated. ·
Activity 4.5: “Seminars for Judges” Time schedule : May
2005 – September 2005 Carried out: started on finished
on The Covenant defines the objective of this activity as follows: “Two
one day seminars for judges will be carried out by an MS Expert, who is Judge,
to raise awareness among Latvian Judges in respect of the court as data
controller and to make the Latvian Judges familiar with the most important case
law concerning the implementation of the data protection acquis. The first seminar will be on the obligations of th
courts as data controlers, respectively data protection at courts. The second seminar will be on the most prominent data
protection case law of the ECJ and selected MS courts.” The STEs Professor
Dr. Nikolaus Forgó and Professor
Dr. Wolfgang Kilian prepared
and carried out a one-day seminar for judges and other lawyers on 6 September
2005 to increase awareness and knowledge in the field of data protection based
on the acquis communautaire, and in particular, on the case law of the
European Courts and the EU Member State Courts. The STE Mr. Manfred Krause prepared and
carried out a one-day seminar only for Latvian judges on Results achieved: two seminars (together more than 100 persons) were organized. 5 -
Evaluation of the Twinning project 5.1
Benchmarks In the following chapter the benchmarks as
defined by the Covenant will be verified and compared to the project results.
The working results referred to below are listed in Detail in Chapter 7. Component
1 “Improvement of the legal base of the DSI” Activity 1.1: Preparation of a gaps analysis regarding the Latvian data
protection legislation Benchmark: A
written gaps analysis identifying potential shortcomings of the Latvian
legislation especially in respect of the independence of the DSI and its
Director and obstacles for an efficient implementation of the acquis was
prepared and approved by the project Leader CC. ü
Done Written
results: documents
No 1-No 3 according to list of annexes Worked on in
Quarter 1, Quarter 2 Activity
1.2: Preparation of recommendations and proposals for the improvement of the
Latvian data protection legislation Benchmark:
Recommendations and proposals for
amendments to the Latvian data protection legislation, including amendments
regarding the independence of the DSI and its Director were approved by the
Steering Committee and submitted to the Latvian Council of Ministers for approval,
supported with a written reasoning for the proposed amendments providing back
ground information. ü Done Written
results: documents No
4-No 9 according to list of annexes Worked on in
Quarter 1, Quarter 2, Quarter 3, Quarter 4 Activity
1.3: Preparation of Comments on the Latvian data protection legislation Benchmark: Comments on
the Latvian data protection legislation were prepared, providing an
interpretation and implementation guideline in the light of the case law of the
European Court of justice and selected decisions of MS courts and authorities.
The comments were translated into Latvian. ü Done According to the Project Covenant the comments were submitted for
translation. Written
results: document
No 10 according to list of annexes Worked on in
Quarter 3, Quarter 4 Component
2 “Improvement of the operational base of the DSI” Activity
2.1: Preparation of a development strategy for the DSI Benchmark: A
comprehensive development strategy for the DSI, including a forecast of the
resources needs of the DSI in the future was prepared and approved by the
Steering Committee. ü Done Written
results: document No 11
according to list of annexes Worked on in
Quarter 3, Quarter 4 Activity
2.2: Preparation of manuals for the DSI on internal information flow, register
of notifications and management of claims and complaints. Benchmark: Manuals
for the day-to-day work of the DSI regarding - internal information flow - management of claims and complaints - keeping a register of notifications were prepared, approved by the
project Leader CC and translated into Latvian. ü Done
According to
the Project Covenant the comments were submitted for translation. Written
results: documents
No 12-No 17 according to list of annexes Worked on in
Quarter 2, Quarter 4 Activity
2.3: Study trip to Austrian and German Data Protection Institutions Benchmark: Key
staff of the DSI got familiar with the working methods of MS data protection
Institutions and received training on practical skills. After the study trip the PAA and the
participating Experts prepared a report on which information received during
the study trip is useful for the DSI and should be taken into account in
respect of the day to day work of the DSI. ü Done Written results: documents No 18 according to
list of annexes Carried out
in Quarter 3, Quarter 4 Component
3 “Improvement of DSI capacity in respect of inspections of personal data
processing systems” Activity
3.1: Preparation of a manual on auditing the security of personal data
processing systems Benchmark: Written
manual for the day-to-day work of the DSI on auditing the security of personal
data processing systems, translated into Latvian and approved by the Project
Leader CC/ Director DSI. ü Done Written results: document No 19 according to
list of annexes Worked on in
Quarter 2, Quarter 3, Quarter 4 Component
4 “Information and awareness raising concerning data protection.” Activity
4.1: Development of a public awareness strategy for the general public Benchmark: A
written strategy for a public awareness campaign for the general public was
prepared, based on existing awareness campaigns / material in ü Done
According
to the Project Covenant the comments were submitted for translation. Written
results: documents
No 20-No 22 according to list of annexes Worked on in
Quarter 2, Quarter 4 Activity 4.2: Development of an awareness strategy
for data controllers and processors (date protection in security
administrations police, district attorneys, intelligence services) as far as it
concerns the European law Benchmark: A written strategy for a public awareness
campaign for data controllers and processors was prepared, based on existing
awareness campaigns / material in ü Done Written
results: document No
23 according to list of annexes Worked on in
Quarter 4 Activity 4.3: Creation of material for an awareness campaign
among data controllers and workshops / training for data controllers /
processors and judges Benchmark: Based on the under 4.2. prepared awareness
campaign strategy, brochure and information to be published were produced for
data controllers. This
brochure and this information were translated into Latvian. During workshops
data controllers and processors received training on their duties under Latvian
and EU legislation and the prepared information material was introduced. ü Done According to the
Project Covenant the comments submitted for translation. Written
results: document
No. 24- No 26 according to list of annexes Worked on in
Quarter 4 Activity 4.4: Creation of material for an awareness
campaign among the general public (in particular respect of a development of an
awareness strategy for data protection in social welfare administrations) Benchmark: Based on the under 4.1. prepared awareness campaign strategy, the
brochure to be published was produced for the general public. This brochure was
translated into Latvian. ü Done According to the
Project Covenant the comments were submitted for translation. Written
results: documents
No 27 – No 32 according to list of annexes Worked on in
Quarter 2, Quarter 4 Activity 4.5: Seminars
for Judges Benchmark: A minimum of 10 Latvian Judges received
training and information on data protection at court and the case law of the
ECJ and MS courts on the implementation of the data protection acquis. ü Done Worked on in
Quarter 4 
6
Conclusions and recommendations 6.1 Conclusions As an overall
conclusion it can be stated that the legislation regarding personal data
protection issues is generally in line with the acquis communautaire but improvements of practice and amendments to
the law would be necessary. One of the most
important challenges will be the providing of the independent data protection
supervision in the sense of the EU acquis. An analysis which
was carried out by several STEs revealed some uncertainties of the PDP Law
which should be taken into account when next amending the law. Already during
the project implementation phase some recommendations were forwarded to the
Ministry of Justice which had started to work on the amendments to the
legislation regarding the personal data protection issues meanwhile. The other
recommendations will be submitted to the Cabinet of Ministers via the Ministry
of Justice. According to the
overall objective of the current Twinning project, the administrative capacity
of the Data State Inspectorate (DSI) was strengthened by information, analyses,
proposals and discussions in order to implement the data protection acquis. Data security
issues are playing a more and more important role in connection with data
protection and it was noted positively that the existing standards in the area
of data security are rather high in It was also a
focus of the project to raise awareness of the importance of data protection in
All texts which
were elaborated within the project and should be translated have been submitted
for translation by the DSI. After the translation the project materials would
be available on the website of the DSI. The workshops
foreseen in the Activities 1.2., 2.1., 2.2., 4.1., 4.2. were not carried out
since both the Project Leaders agreed to transfer the Short term experts’ work
for other important activities (see the Side letters). As far as the
Final Report refers to the approvals of the Project Leader BC and the Steering
Committee it does mean that the approval is given in general regarding the
results and the outcomes of the project. The Project Leader BC, the Project
Leader MS and the Steering Committee are not responsible for the opinions of
the experts, especially in details. 6.2
Recommendations
The work under
Component 1 was characterized by the drafting of proposals to amendments to the
PDP law and of the Electronic Communication Law, because the laws in their
present version do not measure up to the standard of the acquis concerning the requirement of independence of the
supervisory authority. Regarding this point there are following
recommendations: - To reach this standard it should be considered to amend
the Art. 58 of Satversme. - The PDP and the Electronic Communication Law should
be amended in order to reach compliance. - The overall objective is to install a fully
independent supervisory authority for personal data protection in line with the
requirements of the acquis. - Proposals for the amendments to Art 58 of Satversme
and to PDP and Electronic Communication Law can be found in annex No 4-No 6.
Component 2 aimed
at improving the operational base of the DSI. A development strategy from June
2004 based on 4 global targets and appending activities and milestones already
exists. Regarding this point there are following recommendations: - The basic targets are to ensure supervision of
personal data protection in accordance with the requirements of the PDP Law as
well as those of the European Union. - Above all the DSI should continue the development to
a reliable and competent assistant in the fields of privacy protection and
freedom of information and to increase effectiveness and quality in the
execution of the functions delegated to DSI. - The development strategy, elaborated on the bases of existing DSI strategy,
was proposed by the short term expert can be found in annex No 11. Furthermore
manuals for the day to day work of the DSI regarding internal information flow,
management of claims and complaints and register of notification were elaborated.
Regarding this point there are following recommendations: - Concerning the manual on internal information flow
organisation, legal requirements for the DSI can be found in annex No 15. - Since the Administrative Violations Code does not
foresee explicitly the differentiation between the levels of fines in the
future the fines could be further adopted taking into account a differentiation
between formal and substantive infringements. - For the future data protection
supervision institution it could be considered to solve some types of cases
without administrative decision. - An important goal also for the future should be the prevention of
infringements before imposing fines. - The existing development strategy of DSI was supplemented in order to
provide information on specialisation of the employees. - Concerning the technical aspect it would be useful
to make more information available on the Internet website of the DSI and also
to publish anonymized decisions of the DSI. - Regarding to the manual for the register of
notification, some forms for the notification of automatic personal data
processing information were elaborated.
It was noted
positively that the existing standards in the area of data security are rather
high, which offered a good basis for the drafting of a manual for these
purposes. However, it has to be mentioned: - For technical requirements in this field see the
Manual on auditing the security of personal data processing systems (annex No
19).
To promote the
awareness of data protection issues among the general public, as well as among
data controllers and data processors it was necessary to draft PR material,
like brochures - the material drafted under Component 4 is aimed at providing
information to specific groups of readers and/or situations. Regarding this
point there are following recommendations: - It is necessary to improve the public relations
measures and create ready to read information on the DSI and its tasks. - There should be at least one employee who is
responsible for the awareness campaigns and public relations as it is now. - A brief guideline of recommendations can be found in annex No 20-No 22. - Concerning the development of an awareness strategy
for data controllers and processors it would be necessary to establish a data
protection curriculum for people who are interested to apply for the position
of a data protection official. In this curriculum the rights and obligations of
the data controllers and processors should be explained, and examples should be
given how certain types of data protection relevant situations have been dealt
with in - The Internet should be involved in the process of
providing information. Therefore the webpage of the DSI should cover different
aspects on data protection. - Also an e-learning platform could be developed. - For elaborated information see the brochures in annex No 24. Furthermore,
material for the general public in the field of social welfare and social
security was elaborated. Regarding this point there are following
recommendations: - Awareness rising for data protection issues within
the population should be based on the existence of procedural and
organisational provisions in order to enable the inhabitants to address his or
her individual complaint both to the controller and to the supervisory authority.
- The two Latvian legal acts of social policy, namely
the Law on Social Services and Social Assistance and the Support for Unemployed
Persons and Persons Seeking Employment Law lack references to data protection
issues. For specific recommendations see annex No 27. Submitted by: …………………………………. ……………………………………. Ms. Signe Plûmiòa Dr.
Friedrich Lachmayer Director of the Project Leader BC Project
Leader MS Approved by: …………………………………. Mr. Bçrziòð Deputy State Secretary on General Issues Senior Programme Official ……………………………………… Ms.Ruta Konstante Director of Department of EU and International Affairs Administrative Office of the Ministry of Finance
Ludwig Boltzmann Institut für Menschenrechte
This publication has been produced with the assistance of the European
Union. The contents of this publication can in no way be taken to reflect the
views of the European Union. [1] The text of the
conception can be found at the website of the Ministry of Justice:
http://www.tm.gov.lv/lv/tiesibu_akti/politikas_planoshanas_dokumenti.html |
| ||
Data State Inspection || Copyright | Privacy Statement | Site Map | Webmaster |
||
| ||
Riga, Blaumana 11/13 - 15, LV-1011, Latvia | Phone 67223131, fax 67223556, info@dvi.gov.lv |
||
