Posted on October 12, 2017 · Posted in News

On Thursday, October 12, at the meeting of the State Secretaries, a draft law “Personal Data Processing Law” developed by the Ministry of Justice was adopted, which stipulates the application of the General Data Protection Regulation (hereinafter – the Regulation) in Latvia. The application of the Regulation will start on 25 May, 2018, by setting the same rules for the protection of personal data throughout the European Union (EU).

Raivis Kronbergs, the State Secretary of the Ministry of Justice, emphasizing the importance of the new Law on the Processing of Personal Data, notes: “The Law on Personal Data Processing establishes clarity on how the General Data Protection Regulation will be applied in Latvia. As the basic principles of personal data processing remain unchanged, but the Regulation significantly extends the rights of each individual’s data, this is the right moment for each institution and company to assess whether the processing of personal data complies with the fundamental principles of personal data protection and to make every possible improvement to ensure proper protection of personal data “.

On 27 April 2016, Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46 / EC (General Data Protection Regulation), was adopted. At present, the scope of personal data protection is regulated by the Personal Data Protection Law, which will lapse as from the date of application of the Regulation.

Currently, the EU framework on personal data protection is not harmonized and is regulated in different ways in each Member State, so the Regulation provides for the modernization of the existing principles for the protection of personal data by establishing uniform rules on the protection of personal data, which would apply throughout the EU. At the same time, it is intended to maintain the basic principles that have been observed to date in the field of protection of personal data – improvement of the single market, effective observance of fundamental rights and freedoms of the individual.

The Regulation provides such improvements in the single market environment:

- Uniform conditions for the protection of personal data at EU level, relating to processing, maintenance, transfer to other companies and archiving.

- The application of the one stop agency principle for businessmen is ensured: companies will only have to cooperate with one data protection authority to provide a simpler and cheaper business in the EU.

-Uniform rules to all companies regardless of the country of their registration.

At the same time the Regulation sets out the obligation for Member States to set up a data supervisory authority with competence to supervise the provisions of the Regulation. In Latvia, the Data State Inspectorate (DSI) is established for such a supervisory authority, which, with the application of the Regulation should become an independent institution. The draft law includes provisions on the independence of the DSI, the competence, the rules for appointing the director, the powers of the staff, the decision-making procedure.

The Regulation also provides the institute of personal data protection specialist to be applicable to all Member States. Namely, it is mandatory to appoint a personal data protection specialist in the cases specified in order to allow the controller to choose a more appropriate data protection specialist who has sufficient knowledge to fulfill the duties of a data protection specialist. The draft law provides the procedure by which a person can obtain the status of data protection specialist and enter in the DSI list maintained by passing the exam.

The Regulation provides for the establishment of personal data protection certification mechanisms and data protection seals and marks to demonstrate that processing operations carried out by controllers and processors comply with the Regulation, taking into account the specific needs of micro, small and medium-sized enterprises. Taking into account the Regulation, the draft law provides for the procedure and rules that should be followed to obtain the status of a certification body and ensure the issuance of data protection certificates and seals. The draft law provides that the DSI can itself issue a data protection certificate or seal, as long as no license is issued to the certification body.

Similarly, to promote the proper application of the Regulation, taking into account the specific characteristics of the various processing industries and the specific needs of micro, small and medium-sized enterprises, the Regulation provides for the possibility for controllers to develop codes of conduct.

With regard to specific processing situations, the implementation of the obligation to the Member States imposed in the Regulation, the draft law contains provisions on specific processing situations that relate to the exercise of other fundamental rights of the individual, the derogations relating to processing for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes, processing of classified data. The draft law provides for specific rules and exceptions for the processing of personal data for journalistic purposes and for academic, artistic or literary expression. The draft law also provides for a restriction on the direct provision of information society services to children (e.g., the use of social networks (, Facebook, etc.), the use of mobile applications), that is, determining that a child under the age of 13 requires a parent or guardians’ permission.

Article 83 Paragraph one of the Regulation provides that each supervisory authority shall ensure that the application of administrative fines imposed in accordance with this article is effective, proportionate and dissuasive in each particular case. Administrative penalties for violations of the Regulation are laid down in the Regulation and will not be included in the national regulations.

The Regulations state that each Member State may draw up rules on the extent to which administrative fines may be imposed on public authorities and bodies established in that Member State.

An informative video on data protection is available HERE.

The draft law is available HERE.

Alise Adamane

Public Relations Specialist

Communication and Technical Support Departments

Ministry of Justice

Phone: 67036920