Triniti Jurex
What law(s) specifically govern personal data / information?
In Latvia, Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), and the Personal Data Processing Law are the primary legal acts governing personal data protection.
The Law "On the Processing of Personal Data of Natural Persons in Criminal Proceedings and Administrative Offence Proceedings" governs the processing of personal data by a competent authority in order to prevent, investigate and detect criminal and administrative offences, to impose and enforce criminal and administrative penalties, and to perform other activities related to administrative offence proceedings or criminal proceedings.
Other national legislation also sets out specific data protection requirements. Such requirements may appear in sector-specific legislation governing particular areas, such as the processing of patient data, consumer data and air passenger data, the operation of public authorities and the maintenance of public registers, anti-money laundering (AML), cybersecurity, electronic communications and other specific sectors.
What are the key data protection principles in this jurisdiction?
Data processing shall be conducted in compliance with the principles relating to data processing specified in Article 5 of the GDPR, including:
Lawfulness, fairness, and transparency
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Purpose limitation
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data minimisation
Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy
Personal data shall be accurate and, where necessary, kept up to date.
Storage limitation
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
Integrity and confidentiality
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
Accountability
The controller is responsible for processing data in accordance with the GDPR. In particular, the controller is obliged to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in compliance with the GDPR.
What is the supervisory authority / regulator in charge of data protection?
The Data State Inspectorate of the Republic of Latvia. Detailed information about the supervisory authority is available at https://www.dvi.gov.lv/lv.
Is there a requirement to register with a supervisory authority / regulator?
No, registration of a controller or processor is generally not required.
However, the Data State Inspectorate issues licences for the operation of credit information bureaus and for joint customer research (due diligence) tools, whether open or closed, provided by companies. In such cases a licensing procedure must be completed, which includes, among other things, registration of the data controller.
The Data State Inspectorate also maintains a list of experts who prepare audit reports for credit information bureaus. To be included on this list, an expert must complete a registration procedure.
Is there a requirement to notify the supervisory authority / regulator?
The Data State Inspectorate must be informed in the cases specified in the GDPR, including:
- prior consultation under Article 36 of the GDPR, where a DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate that risk;
- notification of a personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, under Article 33 of the GDPR;
- communication of the contact details of the data protection officer under Article 37 of the GDPR;
- submission of a draft code of conduct for approval under Article 40 of the GDPR;
- authorisation of transfers based on appropriate safeguards that require it under Article 46(3) of the GDPR; and
- approval of binding corporate rules under Article 47 of the GDPR.
Is it possible to register with / notify the supervisory authority / regulator online?
The Data State Inspectorate's services are available online through the public administration service portal Latvija.lv.
Communication with the supervisory authority may be submitted electronically. Notifications regarding personal data breaches can be submitted using the online tool available at: https://pazinojums.dvi.gov.lv/.
What are the key data subject rights under the data protection laws of this jurisdiction?
In Latvia, data subjects enjoy all rights established under the GDPR, including:
Right to information
The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. Pursuant to GDPR articles 13 and 14, data subjects have the right to be provided with information about the controller and certain details about processing their personal data.
Right of access
A data subject should have the right of access to personal data which have been collected concerning them, and to exercise that right easily and at reasonable intervals, to be aware of, and verify, the lawfulness of the processing (GDPR article 15).
Right to rectify errors
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning them (GDPR article 16).
Right to deletion/right to be forgotten
The data subject shall have the right to obtain from the controller the erasure of personal data concerning them where one of the grounds listed in GDPR article 17(1) applies.
Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing where one of the circumstances listed in GDPR article 18(1) applies.
Right to data portability
The data subject shall have the right to receive a copy of their personal data from a controller in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller or have the data transmitted directly between controllers, if the grounds established in GDPR article 20 are fulfilled.
Right to object to processing
The data subject shall have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on either public interest (GDPR article 6(1), pt. e) or legitimate interest of the controller (GDPR article 6(1), pt. f), including profiling based on those provisions (GDPR article 21).
The data subject shall also have the right to object to processing related to direct marketing purposes (GDPR article 21(2) and (3)).
Right to withdraw consent
The data subject shall have the right to withdraw their consent at any time (GDPR article 7(3)).
Right to complain to the relevant data protection authority(ies)
Data subjects shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to them infringes the GDPR (GDPR article 77).
Right not to be subject to automated individual decision-making
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them (GDPR article 22).
Above is a summary of the key data subject rights. Please note that the GDPR establishes some further conditions and limitations to these rights.
However, it should be noted that data subject rights may be restricted by Latvian national legislation.
Without prejudice to sector-specific regulations, the Personal Data Processing Law establishes the following restrictions on data subject rights:
- The data subject does not have the right to receive the information specified in Article 15 of the GDPR if disclosure of such information is prohibited by laws and regulations on national security, national defence, public safety and criminal law, or for the purpose of protecting public financial interests in the areas of taxation, the prevention of money laundering and terrorism financing, the supervision of financial market participants and the functioning of their guarantee systems, the application of regulation and macroeconomic analysis;
- Articles 16, 17, 18, 19, 20 and 21 of the GDPR shall not apply if the data are processed in accordance with laws and regulations governing official publication;
- If data are processed for statistical purposes, the rights of the data subject specified in Articles 15, 16, 18 and 21 of the GDPR shall not apply, insofar as they may render impossible or seriously impair the achievement of the specific purposes, and derogations are necessary for the achievement of those purposes;
- If data are processed for archiving purposes in the public interest in order to create, collect, evaluate, preserve and use national documentary heritage, the rights of a data subject specified in Articles 18, 19, 20, and 21 of the GDPR shall not be applied, insofar as they may render impossible or seriously impair achievement of the specific purposes, and derogations are necessary for the achievement of such purposes;
- If data are processed for scientific or historical research purposes in the public interest, the rights of a data subject specified in Articles 15, 16, 18, and 21 of the GDPR shall not be applied, insofar as they may render impossible or seriously impair achievement of the specific purposes, and derogations are necessary for the achievement of such purposes;
- When processing data for journalistic purposes, provisions of the GDPR (except for Article 5) shall not be applied if all legal conditions set out in legal enactments are present; and
- When processing data for the purposes of academic, artistic or literary expression, provisions of the GDPR (except for Article 5) shall not be applied if all legal conditions set out in legal enactments are present.
Is there a requirement to appoint a data protection officer (or equivalent)?
Yes, according to GDPR article 37, the controller and the processor shall designate a data protection officer in any case where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
According to the explanation provided by the Data State Inspectorate, the appointment of a Data Protection Officer (DPO) is mandatory in cases where a company’s business activity is directly related to the processing of personal data on a large scale. In such cases, the company is obliged to involve a DPO in the organisation of processes. For example, in the context of large-scale data processing, the obligation to appoint a DPO arises for:
- A company whose core activity is profiling individuals for the purpose of assessing their creditworthiness;
- A security company that uses video surveillance of publicly accessible areas as an integral part of its services;
- A company analysing customer behaviour (e.g., tracking which products a customer has viewed or purchased) to deliver targeted marketing communications;
- A person conducting customer due diligence (customer research) for anti-money laundering purposes;
- The operator of a mobile application that processes users' geolocation data;
- Companies compiling customer data within loyalty programs;
- Persons monitoring customer well-being, physical fitness, or health data via wearable devices;
- Companies processing information collected from Internet of Things devices (e.g., smart meters, connected cars, home automation devices, etc.).
Furthermore, the appointment of a DPO is mandatory for companies whose activities involve the processing of special categories of personal data on a large scale. For example, the obligation to appoint a DPO arises for political parties, hospitals, religious communities, dating applications and websites, trade unions, and companies providing and/or using biometric data processing (such as facial recognition templates, fingerprint data, etc.) for core business purposes.
The GDPR also emphasises the obligation of public authorities, including ministries, institutions under their supervision, municipalities and municipal institutions, and other organisations performing delegated public tasks, to appoint a DPO.
The above examples do not constitute an exhaustive list of organisations required to appoint a DPO. The supervisory authority has indicated that involving a DPO in matters related to personal data protection should be considered good practice and is recommended for all organisations, including cases where the appointment of a DPO is not explicitly required by binding legislation.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
Yes, according to GDPR article 35(1), where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
According to GDPR article 35(3), a data protection impact assessment is in particular required in the case of:
- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
- a systematic monitoring of a publicly accessible area on a large scale.
Does this jurisdiction have any specific data breach notification requirements?
In the event of a personal data breach, the controller shall notify the Data State Inspectorate without undue delay and, where feasible, not later than 72 hours after having become aware of the breach. If the controller does not meet this deadline, the notification to the Data State Inspectorate must also state the reasons for the delay. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must in addition communicate the breach to the affected data subjects without undue delay (GDPR article 34).
What restrictions apply to the international transfer of personal data / information?
The international transfer of personal data/information is regulated by GDPR articles 44-50.
Transfers of personal data to the other European Economic Area ("EEA") countries (Norway, Iceland and Liechtenstein) are treated in the same way as transfers within the European Union.
Transfers to countries that have received a decision from the European Commission on the adequacy of the level of data protection are analogous to transfers within the European Union (GDPR article 45(3)). A list of countries is available on the European Commission's website.
Transfers to any other country are transfers to a country without an adequate level of data protection and require additional safeguards, or may take place only in exceptional circumstances (GDPR articles 46-49). Very generally, the available routes are the following:
- Personal data may be transferred to such countries using the safeguards listed in GDPR article 46(2): a legally binding and enforceable instrument between public authorities or bodies, binding corporate rules, standard contractual clauses, an approved code of conduct, or an approved certification mechanism, the latter two together with binding and enforceable commitments of the controller or processor in the third country. These safeguards do not require specific authorisation from the competent supervisory authority.
- Personal data may be transferred to such countries using the safeguards listed in GDPR article 46(3), which require prior authorisation from the competent supervisory authority. These are contractual clauses between the controller or processor and the controller, processor or recipient of the personal data in the third country or international organisation, or provisions inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights. Before issuing an authorisation, the competent supervisory authority applies the consistency mechanism set out in the GDPR, which involves the European Data Protection Board.
- In the absence of an adequacy decision pursuant to GDPR article 45(3) or of appropriate safeguards pursuant to GDPR article 46, a transfer or a set of transfers of personal data to a third country or an international organisation may take place only under the conditions established in GDPR article 49, such as the explicit consent of the data subject, the transfer being necessary for the performance of a contract between the data subject and the controller at the data subject's request or in the interest of the data subject, or the transfer being necessary for the establishment, exercise or defence of legal claims.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
In Latvia, data protection is governed by the GDPR, which has cross-border applicability. Pursuant to the GDPR:
- GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not (GDPR article 3(1)).
- GDPR applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or the monitoring of their behaviour as far as their behaviour takes place within the Union (GDPR article 3(2)).
Latvian national legislation is aligned with the GDPR, and the data protection requirements set out therein apply to controllers as defined under the GDPR.
What rules specifically deal with marketing?
In addition to the GDPR, marketing is also regulated by national legislation, such as the Law on Information Society Services, the Law on Lotteries of Goods and Services, the Advertising Law, the Unfair Commercial Practices Prohibition Law and others.
Do different rules apply to business-to-business and business-to-consumer marketing?
The rules differ. In a business-to-business marketing model personal data are used less frequently than in a business-to-consumer model, and in business-to-consumer marketing consumer protection regulation also applies.
What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
The sending of commercial information to natural persons by electronic means, in particular by calls, text messages or multimedia messages, is regulated by law. Latvian national legislation also regulates the dissemination of commercial communications. A commercial communication is any message sent electronically that is intended to directly or indirectly advertise goods or services, or to promote the image of a trader, organisation or person engaged in commercial, economic or regulated professional activities.
It is prohibited to use automated calling systems without human intervention (automatic calling machines), electronic mail or fax to send commercial communications that allow individual contact with a service recipient unless the service recipient has given prior, free and explicit consent.
A service provider that has obtained electronic mail addresses from service recipients in the course of its commercial transactions may use them for further commercial communications provided that:
- the commercial communications concern the service provider's own similar products or services;
- the service recipient did not initially object to the further use of the electronic mail address; and
- the service recipient is explicitly given a free-of-charge opportunity to refuse further use of the electronic mail address each time a further commercial communication is received (by submitting a request or sending it electronically).
Other types of communication using publicly available electronic communications services may be used to send commercial communications only if the service recipient has given prior, free and explicit consent, except in the cases described above.
It is prohibited to use electronic mail or any other type of communication over publicly available electronic communications services to send a commercial communication if an invalid electronic mail address, phone number or fax number is given as the contact to which the service recipient could send a request to cease such communication, or if the service recipient's refusal of further commercial communications is not honoured.
What rules specifically deal with cookies?
In Latvia, there is no specific regulation on the use of cookies; therefore, GDPR requirements must be observed.
The European Data Protection Board (EDPB) has issued guidance about using cookies, such as the Report of the work undertaken by the Cookie Banner Taskforce, and Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive.
What are the consequences of non compliance with data protections laws (including marketing laws)?
In Latvia, fines for non-compliance with data protection regulation are governed by the GDPR. The Data State Inspectorate has published a methodology for determining the amount of fines (available at: https://www.dvi.gov.lv/lv/media/289/download?attachment).
The Data State Inspectorate may impose administrative fines on a controller or processor as provided in Article 83 of the GDPR, taking into account the criteria in Article 83(2). Administrative fines of up to EUR 10,000,000, or in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher, may be imposed for infringements of the following provisions:
- obligations of the controller and processor under Articles 8, 11, 25–39, 42, and 43;
- obligations of certification bodies under Articles 42 and 43;
- obligations of the monitoring body under Article 41(4).
Administrative fines of up to EUR 20,000,000, or in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher, may be imposed for infringements of the following provisions:
- principles of processing, including consent requirements, in accordance with Articles 5, 6, 7, and 9 of GDPR;
- data subject rights under Articles 12–22 of GDPR;
- transfer of personal data to a recipient in a third country or international organisation under Articles 44–49 of GDPR;
- all obligations pursuant to national law adopted under Chapter IX of GDPR;
- failure to comply with a supervisory authority's order or a temporary or definitive limitation on processing or suspension of data flows under Article 58(2), or failure to provide access in violation of Article 58(1).
Pursuant to Article 145 of the Criminal Law regarding unlawful actions involving personal data:
- Unlawful actions with personal data causing significant harm shall be punished by imprisonment for up to two years, or by short-term imprisonment, probation supervision, community service, or a fine;
- Unlawful actions with personal data committed by a data controller or operator for revenge, financial gain, or blackmail shall be punished by imprisonment for up to four years, or by short-term imprisonment, probation supervision, community service, or a fine;
- Influencing a data controller, operator, or data subject through violence, threats, abuse of trust, or deceit in order to commit unlawful actions with personal data shall be punished by imprisonment for up to five years, or by short-term imprisonment, probation supervision, community service, or a fine.
Additional administrative liability may also be imposed for violations of the rules on the dissemination of commercial communications and other special legal provisions. Liability is specified in each applicable special legal act.
In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?
Controllers and processors not established in the EEA are generally required to designate a representative in the EEA where their activities fall within the territorial scope of the GDPR under Article 3(2), i.e. where they process personal data of data subjects in the EEA in connection with the offering of goods or services to them or the monitoring of their behaviour within the EEA (GDPR article 27), subject to the exemptions in Article 27(2) for occasional, low-risk processing.
In Latvia, the minimum age at which a child may give valid consent to the processing of their own personal data in relation to information society services offered directly to a child (GDPR article 8) is 13.
What upcoming data protection developments should multinational organisations be aware of?
In Latvia, work is underway on the development and improvement of legal acts, including, among other things, the incorporation of data protection requirements.
In Latvia, the Cybersecurity Law and its subordinate regulations are in force, establishing minimum cybersecurity requirements. Although the law does not directly regulate data protection, this legal act sets out cybersecurity obligations that may be binding for companies, including technical measures relevant to data protection.