[co-authors: Sarmis Spilbergs and Mikijs Zīmecs, Ellex Klavins]

Latvia

In this chapter:

Q1/ Applicable legislation

(a) Have the requirements of the GDPR been addressed by introducing a new law, or by updating existing legislation?

New legislation has been passed.

———

(b) Relevant legislation includes:

• Personal Data Processing Law (“PDPL”)
  • Date in force: 5 July 2018
  • Link: see here

———

(c) What is the status of national pre-GDPR data protection law?

The relevant pre-GDPR legislation has been repealed in full.

———

Q2/ Personal data of deceased persons

Does national law make specific rules regarding the processing of personal data of deceased persons?

The Law On the Rights of Patients provides that health data must not be disclosed even after the death of the patient. Furthermore, under Latvian law, personal data of the deceased person will be protected if such personal data could relate to or affect living persons.

———

Q3/ Legal bases for processing

(a) Does national law make specific rules regarding the processing of personal data in compliance with a legal obligation?

There are no specific rules governing this issue.

———

(b) Does national law make specific rules regarding the processing of personal data for the performance of tasks carried out in the public interest?

There are no specific rules governing this issue.

———

(c) Does national law make specific rules regarding the processing of personal data in the exercise of official authority vested in the controller?

There are no specific rules governing this issue.

———

(d) Does national law contain criteria in addition to those listed in the GDPR, to determine whether processing for a new purpose is compatible with the purpose for which the personal data were initially collected?

There are no specific additional criteria governing this issue.

———

Q4/ Consent of children

At what age can a child give their consent to processing in relation to ISS?

13 years of age.

———

Q5/ Processing of sensitive personal data

(a) Are there any sensitive personal data which cannot be processed on the basis of a data subject’s consent?

All sensitive personal data can be processed if the data subject's valid consent has been obtained.

———

b) Does national law contain any specific requirements regarding the processing of sensitive personal data in respect of the following:

(i) Employment, social security and/or social protection law

There are no specific rules on processing this category of data.

(ii) Substantial public interest

There are no specific rules on processing this category of data.

(iii) Preventative or occupational medicine; employee working capacity, medical diagnosis, provision of health or social care, or management of health or social care systems or services

There are no specific rules on processing this category of data.

(iv) Public interest in the area of public health

There are no specific rules on processing this category of data.

(v) Archiving purposes, scientific or historical research purposes or statistical purposes

Under the Human Genome Research Law, consent is required from any person donating their genetic material. For example, consent (provided in writing) is required where tissue samples are taken from a data subject, to prepare and supplement the description of their state of health or genealogy, to include data in the genome database, for use in genetic research and for statistical purposes, or to transfer any of the aforementioned data to recipients located outside Latvia.

———

(c) Has national law introduced any further conditions and/ or limitations with regard to the processing of genetic data, biometric data, or health data?

See Q5(b) above.

———

Q6/ Data relating to criminal offences or convictions

Under what conditions does national law permit the processing of personal data relating to criminal convictions?

Under the Labour Law, a job interview may not include questions by the employer which do not apply to the performance of the intended work or are not related to the suitability of the employee for such work, as well as any questions which are directly or indirectly discriminatory. This includes questions concerning previous convictions, which may not be asked except in cases where this may be of essential importance with respect to the work to be performed, for example, where processing of data related to criminal convictions or offences by the employer is only permitted if such obligation is provided by law.

———

Q7/ Exemptions

(a) Does national law specify exemptions to a data subject’s right to erasure?

There are no specific exemptions to the right to erasure.

———

(b) Does national law specify exemptions to a data subject’s right to be provided information under Art. 14 GDPR where the personal data has not been obtained from the data subject?

There are no specific exemptions to the right to be provided information.

———

(c) Does national law specify exemptions to a data subject’s right to not be subject to a decision based solely on automated processing, including profiling?

There are no specific exemptions to the right to not be subject to automated individual decision-making.

———

Q8/ Restrictions on data subjects’ rights

Aside from the exemptions noted in Q7, does national law contain any other restrictions on the rights of data subjects under Chapter III GDPR?

The right of access is limited where processing is carried out for the purposes of national security, State protection, public safety, activities in the field of criminal law, as well as for purposes relating to taxation or financial market participant supervision and macroeconomic analysis. For example, State institutions, such as those guiding criminal proceedings and investigations, or relating to national security, are exempt from the right of access.

Certain provisions of the GDPR are not applicable to data processing for official publications. For example, the sole official bulletin, titled “Latvijas Vēstnesis”, publishes enacted and amended laws and regulations, and information regarding revoked powers of attorney and other legal matters. In cases where data are processed for official publications, certain data subject rights are excluded, such as the right to erasure. However, the DPA may erase such data where it considers that the rights of the data subject outweigh the public interest.

As to data processing for statistical purposes, archival purposes in the public interest, scientific or historical research purposes, certain data subject rights are limited or not applicable.

Regarding freedom of speech and information, data processing is permitted specifically for journalistic purposes, if carried out with the aim of publishing information for reasons of public interest, or for academic, artistic or literary purposes in accordance with other national regulations.

———

Q9/ Joint controllership

Does national law provide rules or guidance on the apportionment of responsibility between joint controllers?

There are no additional rules on apportionment of liability between joint controllers.

———

Q10/ Processor

In addition to the contract between controller and processor, are there any pieces of legislation which govern processing by a processor?

There are no additional pieces of legislation.

———

Q11/ Impact Assessments

Are there any circumstances in which national law requires an Impact Assessment to be carried out, where the GDPR would not otherwise require such an assessment?

Impact Assessments are only required in accordance with the provisions of the GDPR. Furthermore, the DPA has issued guidelines indicating for which types of data processing activities it is necessary to carry out an Impact Assessment.

———

Q12/ Prior authorisation and public interest

Are there any circumstances in which national law requires controllers to consult with, or obtain prior authorisation from, the DPA in relation to processing for the performance of a task carried out by the controller in the public interest (including processing in relation to social protection and public health)?

Prior authorisation from the DPA is only required in accordance with the provisions of the GDPR.

———

Q13/ DPOs

(a) Does national law require controllers to appoint a DPO in circumstances other than those in Art. 37(1) GDPR?

DPOs are only mandatory in the circumstances set out in Art. 37(1) GDPR.

———

(b) Does national law impose secrecy and confidentiality obligations on DPOs and if so, in what circumstances do they apply?

DPOs are not subject to secrecy obligations under national law.

———

Q14/ International data transfers

(a) Does national law make specific rules about transfers of personal data from public registers?

Data transfers from public registers are not subject to specific rules.

———

(b) Does national law restrict the transfer of specific categories of personal data to third countries?

Data transfers are not subject to restrictions beyond those set out in the GDPR.

———

Q15/ DPAs

(a) Details of the DPA(s).

• Name of DPA: Datu valsts inspekcija (Data State Inspectorate)
  • Address: Blaumaņa Street 11/13-15, Riga, LV-1011, Latvia
  • Website: dvi.gov.lv/en

———

(b) If more than one national DPA has been established, what is the rationale behind multiple DPAs?

There is only one DPA.

———

(c) How does national law ensure consistent application of the GDPR by the various DPAs in accordance with Art. 63 GDPR?

Not applicable.

———

(d) Does national law grant the relevant DPA additional powers beyond those set out in Art. 58 GDPR?

Under the PDPL, the DPA can provide answers in English when examining complaints of non-residents in cooperation with DPAs in other jurisdictions.

———

(e) What national appeals process exists to enable parties to challenge the decisions of the DPA?

Decisions of the DPA may be appealed to the director of the DPA, in accordance with the procedure laid down in administrative procedural law.

The decision of the director of the DPA may be appealed to the courts, in accordance with the procedures laid down in administrative procedural law.

———

(f) Have specific national rules been adopted regarding the DPA’s power to obtain information from controllers or processors that are subject to obligations of professional secrecy (or equivalent)?

There are no specific rules on this issue.

———

Q16/ Claims by not-for-profit bodies

Does national law specify any not-for-profit bodies that are entitled to bring claims on behalf of individuals without the specific mandate of those individuals?

There are no not-for-profit bodies that are specifically mandated to bring such claims.

———

Q17/ Administrative fines, penalties and sanctions

(a) Does national law lay down rules on whether and to what extent administrative fines may be imposed on public authorities for breaches of the GDPR?

There are no specific rules regarding fines for public authorities.

———

(b) Does national law impose penalties/sanctions in addition to those set out in the GDPR, for breaches of the GDPR not subject to administrative fines (e.g., criminal penalties)?

The Latvian Criminal Law imposes criminal liability for the following offences:

• illegal activities involving personal data, where these activities have caused substantial harm;
• a controller or a processor who carries out the aforementioned activities for the purposes of vengeance, acquisition of property or blackmail; and
• a person influencing a controller, a processor or a data subject using violence, threats, abuse of trust, bad faith or deceit in order to perform illegal activities involving personal data.

———

Q18/ Freedom of expression and information

(a) What (if anything) does national law do to balance the provisions of the GDPR against the right to freedom of expression and information?

The PDPL sets out that a person has the right to process data for the purposes of academic, artistic or literary expression in accordance with the laws and regulations, as well as for journalistic purposes, if this is done with the aim of publishing information for reasons of public interest.

Respectively, if data is processed for the purposes mentioned above, the GDPR (except for Art. 5 GDPR) does not apply, if the following criteria are met:

• the data processing is conducted to exercise rights to freedom of expression and information by respecting the right of a person to private life, and it does not affect interests of a data subject which require protection and whose interests override the public interest;
• the data processing is conducted for the purpose of publishing information for reasons of public interest; and
• the compliance with the provisions of the GDPR is incompatible with or prevents the exercise of the rights to freedom of expression and information.

———

(b) What derogations have been introduced by national law concerning the processing of personal data for the purpose of academic, artistic or literary expression?

Data processing is permitted specifically for academic, artistic or literary purposes in accordance with other national laws and regulations. When processing data for the purposes of academic, artistic or literary expression, the GDPR (except for Art. 5 GDPR) does not apply if the following conditions are met:

• the data processing is conducted while respecting the person’s right to private life, and it does not affect the interests of a data subject who requires protection and whose interests override the public interest; and
• compliance with the provisions of the GDPR is incompatible with or prevents the exercise of the rights to freedom of expression and information.

———

Q19/ National identification numbers

Does national law stipulate specific conditions for the processing of a national identification number, and if so, what are the conditions?

There are no specific provisions governing this issue.

———

Q20/ Processing in the context of employment

(a) For what purposes can employees’ personal data in the employment context be processed under national law?

National laws permit the processing of the following types of data in an employment relationship:

• processing relating to enforcement of rules regarding permitted job interview questions; and
• processing relating to an employer’s duty to ascertain employee membership in a trade union prior to giving notice on termination of the employment contract.

Furthermore, an employer cannot process employee personal data related to criminal convictions except in situations when the law regulating the employee’s specific employment position allows for such processing.

In addition, an applicant has a duty to provide information to the employer regarding the state of his or her health to assess whether the person is fit to fulfill the relevant work duties.

———

(b) Does national law provide safeguards for employees’ dignity, legitimate interests, and fundamental rights?

There are no specific safeguards of this nature.

———

Q21/ Other material derogations

Are there any other material derogations from, or additions to, the GDPR under national law?

The national law provides derogations from the GDPR regarding the use of vehicle dash cameras and CCTV.

Under the PDPL, the GDPR does not apply where data is processed by natural persons using automated data recording systems in road traffic, or for personal or household purposes. It is prohibited to disclose the records obtained in road traffic to other persons and institutions, unless one or more of the legal bases specified in the GDPR is satisfied.

Further, the GDPR does not apply to any data processing conducted by natural persons using automated CCTV facilities for personal or household purposes. Surveillance of public space on a large scale, or cases when technical aids are used for structuring of information, will not be treated as data processing for personal or household purposes.

Regarding the provision of notice, the law states that if the controller uses a notice to inform data subjects of CCTV, the notice must indicate, at a minimum, the name, the contact information of the controller and the purpose for data processing, as well as an indication of the possibility to obtain further information specified in Art. 13 GDPR.

———

Q22/ Current legal challenges

Are there any current legal challenges (e.g., court cases or regulatory appeals) regarding the validity or operation of the national GDPR implementation law (e.g., claims that the law incorrectly applies the GDPR; claims that the law is incompatible with constitutional principles; etc.)?

There are currently no legal challenges ongoing.

———

Q23/ Enforcement

Has the local DPA issued any material fines or taken any material enforcement action to date for breaches of the GDPR?

The DPA has issued some material fines for violations. So far the fines have not exceeded €7,000 and are mostly issued for repeated refusals to provide information about data processing to data subjects and to DPA, e.g., for infringing the obligations to answer to data subjects’ requests.

———

Q24/ Regulatory Guidance

Has the DPA issued any significant guidance on the application of the GDPR or national implementation law?

The DPA has issued several guidelines regarding different data protection issues, e.g., CCTV, prior to the GDPR entry into force.

In 2018, the DPA issued guidelines on Impact Assessments (available only in Latvian, see here).

———

[View source.]