Latvia - Data Protection Overview

November 2023

1. Governing Texts

The Personal Data Processing Law of 21 June 2018 ('the Law') was adopted by the Latvian Parliament ('the Parliament') on June 21, 2018, and came into effect on July 5, 2018. The Law provides the legal prerequisites for implementing the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') in Latvia.

1.1. Key acts, regulations, directives, bills

Apart from the Law, Government Regulations No. 620, the Data Protection Specialist Qualification Rules (only available in Latvian here), adopted on October 6, 2020, are relevant.

In addition, Government Regulations No. 488, Licensing Requirements for the Code of Conduct Monitoring Body (only available in Latvian here), entered into force on January 2, 2023, and there are related Accreditation Requirements for the Code of Conduct Monitoring Body (only available in Latvian here).

1.2. Guidelines

The Data State Inspectorate ('DVI') has adopted the following guidelines in relation to the GDPR:

  • Guidance on Data Subject Rights (only available in Latvian here);
  • Guidance on the Processing of Personal Data for Telemarketing Purposes (only available in Latvian here);
  • Guidance on the Processing of Personal Data in the Field of Credit Information (only available in Latvian here);
  • Guidelines on the Personal Data Processing in the Telemarketing Industry as a Data Processor (only available in Latvian here);
  • Guidance on the Protection of Children Data at School (only available in Latvian here);
  • List of Processing Operations Requiring Data Protection Impact Assessment Pursuant to Article 35(4) of the GDPR (only available in Latvian here);
  • Various recommendations with respect to COVID-19 data processing regarding employees, customers, children, etc. (only available in Latvian here);
  • Guidelines on the appointment of a data protection officer ('DPO') (only available in Latvian here) ('the DPO Guidelines');
  • Frequently asked questions on the appointment of DPOs (only available in Latvian here);
  • Notice on the appointment of a DPO (only available in Latvian here);
  • Guidance on DPIAs (only available in Latvian here);
  • Guide on conducting DPIAs (only available in Latvian here);
  • Guidance on Cookies Placement on Webpages (only available in Latvian here);
  • Guidance in Personal Data Processing for Small and Medium Enterprises (only available in Latvian here);
  • Guidance on Personal Data Processing During Pre-Election Period (only available in Latvian here);
  • Guidelines on the Processing of Personal Data by Video Surveillance (only available in Latvian here);
  • Recommendations on the right to publish information containing personal data in the media and on social networks (only available in Latvian here);
  • Guidelines on the processing of personal data when making electronic payments (only available in Latvian here);
  • Guidelines on the debt recovery service provider's rights when requesting data (only available in Latvian here);
  • Guidelines on data processing for credit rating assessment (only available in Latvian here); and
  • Guidelines on the processing of personal data for commercial purposes (only available in Latvian here).

In addition, the DVI has cooperated with professional organizations to develop guidelines for personal data processing in specific sectors, including in relation to processing in the electronic communications sector (only available in Latvian here) issued by the Latvian Information and Communications Technology Association. Also, in 2022 and 2023, telemarketing service providers and the recipients of their services have been the focus of the DVI's preventive inspections.

Further to the above, the DVI has announced that previously adopted guidelines and recommendations are now being revised, but can be applied insofar as they do not contradict the provisions of the GDPR and the guidelines of the European Data Protection Board ('EDPB').

Furthermore, the EDPB has published the following Opinions:

1.3. Case law

In April 2023, the Riga City Court rejected SIA "Tet"'s ('Tet') claim to annul the fine of €1,200,000 (the highest fine so far) imposed by the DVI for breaches of the GDPR (only available in Latvian here) ('Tet Decision'). The fine was imposed for processing, recording, and storing the personal data of persons whose identity was not verified. The company denies guilt and has appealed the Court's decision.

2. Scope of Application

2.1. Personal scope

There are no national variations from the GDPR.

2.2. Territorial scope

There are no national variations from the GDPR.

2.3. Material scope

There are no national variations from the GDPR.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The DVI is the supervisory authority within the meaning of the GDPR and fulfills the respective tasks provided for in the GDPR and the Law (Section 3 of the Law).

3.2. Main powers, duties and responsibilities

The DVI, in addition to the tasks specified in Article 57 of the GDPR, has the following competencies (Section 4 of the Law):

  • supervising compliance of data processing with requirements of the relevant laws and regulations, including in cases where the controller is prohibited by law from providing information to a data subject and a respective application has been received from the data subject;
  • facilitating data protection efficiency;
  • ensuring the data protection certification procedure;
  • ensuring verification of DPO qualification and maintaining a list of those who have passed the qualification exam;
  • in compliance with its competence, submitting recommendations to the Parliament, Cabinet of Ministers ('the Cabinet'), municipalities, and other institutions, regarding issuing or amending laws and regulations, as well as participating in the development of draft laws and regulations and development planning documents, and providing an opinion about the draft laws and regulations and development planning documents prepared by other institutions;
  • providing opinions on the compliance of data processing systems to be established in public administration institutions with the requirements of regulatory enactments;
  • providing an opinion to the national accreditation institution about the compliance of the certification institution with the requirements of Article 43(2) of the GDPR and in accordance with the inspection requirements and criteria specified in Article 43(3) of the GDPR;
  • cooperating with foreign supervisory authorities and supervising information transparency, availability, and the prohibition on sending commercial communications;
  • ensuring that a data subject's information request about themself is transferred to the European Judicial Cooperation Unit ('Eurojust') and the European Police Office ('Europol');
  • representing Latvia at international organizations and events on data protection;
  • carrying out research and analysis, and providing recommendations and opinions, as well as informing the public about topical issues within the scope of its competence; and
  • performing tasks specified in other laws and regulations.

On its website, the DVI shall publish information about violations of GDPR requirements committed by legal persons governed by public law, their institutions and officials, as well as other state institutions and their prevention (Section 4(2) of the Law).

In addition to powers provided by Article 58 of the GDPR, the DVI has the following powers (Section 5 of the Law):

  • inspecting data processing operations to determine whether they comply with the requirements of the relevant laws and regulations;
  • drafting protocols for administrative violations, reviewing administrative violation cases, and imposing administrative penalties for violations, which fall within its jurisdiction;
  • in accordance with its competence, requesting and obtaining information, documents or their copies, and other materials, as well as information of restricted access, which are necessary for its inspection, from private organizations, state administration institutions, and officials (the provision of this information should be free of charge and the extent of this information is to be specified by the DVI);
  • visiting state administration institutions and production facilities, warehouses, trade, and other non-residential premises located within the territory of Latvia and owned, possessed, or used by legal entities and natural persons in order to verify compliance of the controller's operations with requirements of the laws and regulations within the scope of its competence;
  • freely inspecting and accessing all types of information in registers, information systems, and databases (irrespective of the owner of the information), to obtain the information needed for the inspection of the processing operations;
  • requesting and receiving information, documents, and other materials about services provided to persons, as needed for the inspection of the processing operations;
  • within the scope of the processing investigations, requesting and receiving opinions from independent and objective specialists;
  • in cooperation with other supervisory institutions and upon reviewing non-residents' complaints, providing responses in English; and
  • bringing claims to court on violations of the Law or the GDPR.

4. Key Definitions

There are no additional or specific definitions to the below terms apart from those provided in the GDPR.

Data controller: There are no variations, the GDPR definition applies.

Data processor: There are no variations, the GDPR definition applies.

Personal data: There are no variations, the GDPR definition applies.

Sensitive data: There are no variations, the GDPR definition applies.

Health data: There are no variations, the GDPR definition applies.

Biometric data: There are no variations, the GDPR definition applies.

Pseudonymisation: There are no variations, the GDPR definition applies.

5. Legal Bases

5.1. Consent

No national variations.

5.2. Contract with the data subject

No national variations.

5.3. Legal obligations

No national variations.

5.4. Interests of the data subject

No national variations.

5.5. Public interest

No national variations.

5.6. Legitimate interests of the data controller

No national variations.

5.7. Legal bases in other instances

Not applicable. 

6. Principles

No national variations; the principles provided in the GDPR apply.

7. Controller and Processor Obligations

7.1. Data processing notification

Not applicable.

7.2. Data transfers

No national restrictions.

7.3. Data processing records

No national restrictions.

7.4. Data protection impact assessment

The DVI has adopted the Latvia DPIA Blacklist ('the List'), which is based on Article 29 Working Party's ('WP29') Guidelines on DPIA and Determining Whether Processing is 'Likely to Result in a High Risk' for the Purposes of Regulation 2016/679 ('the WP29 Guidelines'). According to the DVI, the List complements and specifies the WP29 Guidelines.

The WP29 Guidelines highlight that Article 35(3) of the GDPR is a non-exhaustive list. The WP29 Guidelines also provide nine criteria to consider when determining whether the processing is likely to result in a high risk:

  • evaluation and scoring;
  • automated decision-making with legal or similar significant effect;
  • systematic monitoring;
  • sensitive data or data of a highly personal nature;
  • data processed on a large scale;
  • matching or combining datasets;
  • data concerning vulnerable data subjects;
  • innovative use or applying new technological or organizational solutions; or
  • when the processing itself prevents data subjects from exercising a right or using a service or a contract.

The DPIA Guidelines set out that the controller can consider that a processing meeting two criteria would require a DPIA to be carried out. However, in some cases, a data controller can consider that a processing meeting only one of these criteria requires a DPIA.

Pursuant to the List, controllers, whose main or only place of establishment is the territory of the Republic of Latvia, will be required to conduct DPIAs at least in the following cases:

  • for the processing of personal data relating to criminal convictions and offenses or related security measures;
  • for the processing of personal data for scientific or historical purpose without the consent of the data subject when in conjunction with at least one of the criteria stated in the WP29 Guidelines;
  • when the provision of the information referred to in Article 19 of the GDPR to the data subject proves impossible;
  • for the processing of genetic data for the purpose of uniquely identifying a natural person when in conjunction with at least one of the criteria stated in the WP29 Guidelines;
  • for surveillance carried out in at least one of the following cases:
    • when carried out on a large scale;
    • when carried out at the workplace; or
    • when directed at vulnerable data subjects (e.g. data subjects in health care, social care, imprisonment institutions, prisons, educational institutions, and places of work);
  • for the data processing carried out through the use of innovative technologies, mechanisms, or new procedures when in conjunction with at least one of the criteria stated in the WP29 Guidelines;
  • for the processing of personal data involving measures for systematic monitoring of employee activities;
  • for large-scale tracking of data subjects, including lifestyle apps or logistic companies;
  • when using the location data of a data subject, when in conjunction with at least one of the criteria stated in the WP29 Guidelines;
  • for data processing when information society services are offered directly to a child;
  • for large-scale automatic personal data processing and processing based on profiling;
  • where the purpose of data processing is to combine data from various sources for matching, comparison, and re-use purposes; and
  • for biometric data processing for the purpose of uniquely identifying a natural person, when in conjunction with at least one of the criteria stated in the WP29 Guidelines.

The DVI has published a DPIA template (only available to download in Latvian here). The DVI also introduced a DPIA Tool to facilitate DPIAs within organizations, which can be used to integrate with other tools and systems already in use. Finally, the DVI has not issued a list of activities that do not require a DPIA ('Whitelist').

7.5. Data protection officer appointment

The Law provides the Government with competence to adopt rules for DPO applications and examinations. However, Section 17 of the Law allows data controllers and processors to appoint any person as a DPO (and not necessarily someone who has formally gained the DPO status pursuant to the Law).

For the purpose of identifying DPOs who have passed the qualification examination and ensuring that information regarding DPOs is accessible, the DVI must compile a list of DPOs. The list of DPOs must only include the persons who have passed the qualification examination (Section 18(1) of the Law).

The list of DPOs shall include the following data on the person (Section 18(2) of the Law):

  • the given name, surname, and personal identity number;
  • the date when the person was included in the list of DPOs; and
  • an electronic mail address.

The list of DPOs (except for their personal identity number) is publicly available on the website of the DVI (Section 18(4) of the Law), and can be accessed here (only available in Latvian). In this regard, the Government must lay down the procedures for maintaining the list of DPOs (Section 18(5) of the Law).

Notably, the qualification examination of DPOs must be organized by the DVI and if a person passes the qualification examination of DPO, the Director of the DVI must make a decision to include them in the list of DPOs (Section 19(1) and (2) of the Law).

The Government must determine the procedures for applications by applicants, the content and course of the qualification examination, the procedures for evaluation thereof, the fee for taking the qualification examination, and the procedures for collecting it, as well as the requirements for the maintenance of the professional qualification (Section 19(3) of the Law).

According to Section 2 of the DPO Guidelines, the DPO should have the following qualifications:

  • higher education in social law and information technology;
  • certification as a DPO;
  • work experience in the field of personal data protection;
  • knowledge of personal data protection, as well as other areas of their responsibility issues;
  • experience in drafting internal legislation and documents in the field of professional competence;
  • ability to develop internal legislation and other documents for personal data in the field of defense matters within their competence;
  • analytical thinking, ability to independently plan and organize the work, accept decisions and responsibilities, as well as successful cooperation with other departments, public authorities, and businesses;
  • ability to advise other employees and quickly provide information on existing issues within their competence; and
  • skills to work with computers, and public information sources.

A DPO must immediately notify the DVI in writing of any established errors and amendments to the data included in the list of DPOs with regard to themselves (Section 18(3) of the Law).

A person must be excluded from the list of DPOs under a decision by the Director of the DVI in the following cases (Section 20(1) of the Law):

  • they have submitted a respective written request to the DVI;
  • a court has established trusteeship over them;
  • they have been deprived of the right to work as a DPO by a court judgment or other restrictions have been determined that prevent the performance of professional duties;
  • they are dead or declared missing; or
  • they have failed to comply with the requirements for the maintenance of professional qualifications specified in the Cabinet regulations.

A person who has been excluded from the list of DPOs in accordance with Section 20(1)1, 2, or 3 of the Law may request to be re-included in the list, and the DVI re-includes them in the list of DPOs if the reasons for which the person was excluded from the list have been eliminated. Such a person shall take the qualification examination of DPO if at least two years have passed since the day they were excluded from the list of DPOs (Section 20(2) of the Law).

Notification

The DVI published a form for the notification of the DPO (only available to download in Latvian here).

7.6. Data breach notification

There are no applicable variations/exemptions on the data breach notification obligation.

7.7. Data retention

According to Section 37(2) of the Law, if an obligation is imposed on the controller to ensure the storage of audit trails of the system, they shall be stored for no longer than one year after the making of an entry, unless laws and regulations or the nature of processing stipulate otherwise.

Further, there are different laws and regulations providing for specific information/document retention terms in the field of employment, work and health safety, tax payments, and accountancy documents, though these legal acts do not primarily consider data protection issues (i.e., the retention periods are primarily set to ease the work of the State authorities).

7.8. Children's data

Pursuant to Article 8 of the GDPR, the age at which information society services may be offered directly to a child has been set at 13 years (Section 33 of the Law).

As the Law does not regulate other specified data processing activities with regard to children, usually a person will be able to grant valid consent to the processing of their personal data starting from 18 years of age.

7.9. Special categories of personal data

With respect to the processing of special categories of data, the Law only refers to the legal bases for the processing of such data provided in the GDPR.

Section 34 of the Law provides that data processing for purposes other than those initially envisaged is, in the field of criminal law, acceptable where such processing is carried out:

  • in accordance with legal acts implementing the requirements of the Data Protection Directive with respect to Law Enforcement (Directive (EU) 2016/680);
  • in order to use the data in administrative or civil litigation, as well as to fulfill functions of officials of state institutions authorized by law if these functions are connected with the prevention, investigation, and prosecution of criminal offenses, proceedings regarding criminally acquired property, compulsory measures of medical or correctional nature or coercive measures for legal persons, or the course and enforcement of examination de novo of valid rulings;
  • to prevent immediate threats to public security; or
  • if the data subject has consented to the data processing.

7.10. Controller and processor contracts

The content requirements for such agreements are provided in Article 28 of the GDPR.

8. Data Subject Rights

8.1. Right to be informed

According to Section 27 of the Law, the data subject is not entitled to obtain the information specified in Article 15 of the GDPR, if disclosure of such information is prohibited under laws and regulations in the areas of national security, state defense, public safety, and criminal law, as well as to ensure the public financial interests in tax protection, the prevention of money laundering and terrorism financing, the supervision of financial market participants and operation of their guarantee schemes, and the application of resolution and macroeconomic analysis.

The information to be provided to the data subject under Article 15 of the GDPR shall not include any reference to state institutions that manage criminal procedures or bodies performing operational activities, and other institutions if disclosure of such data about them is prohibited by law.

Furthermore, Section 27 of the Law states that the data subject can obtain information about recipients or categories of recipients of his/her data, to whom the data have been disclosed within the two years preceding the request.

8.2. Right to access

No national variations.

8.3. Right to rectification

No national variations.

8.4. Right to erasure

No national variations.

8.5. Right to object/opt-out

No national variations.

8.6. Right to data portability

No national variations.

8.7. Right not to be subject to automated decision-making

No national variations.

8.8. Other rights

No national variations.

9. Penalties

Administrative

The Law does not include any provisions on administrative sanctions, thus those of Article 83(4) and (5) of the GDPR apply.

Criminal sanctions

With regard to criminal sanctions, Section 145 of the Criminal Law of 17 June 1998 (as amended), titled 'Illegal Activities Involving Personal Data of Natural Persons', provides that:

  • for illegal activities involving the personal data of a natural person, if it has caused substantial harm, the applicable punishment is the deprivation of liberty, for a period of up to two years or temporary deprivation of liberty, or probationary supervision or community service, or a fine from three to 1,000 statutory monthly minimum salaries (at the time of writing, the minimum salary is $660);
  • for illegal activities involving the personal data of a natural person, if they have been performed by a personal data controller or processor, for the purpose of vengeance, acquisition of property, or blackmail, the applicable punishment is the deprivation of liberty for a period of up to four years or temporary deprivation of liberty, or probationary supervision or community service, or a fine from 10 to 2,000 statutory monthly minimum salaries; and
  • for influencing a personal data controller or processor or the data subject, using violence or threats or using trust in bad faith, or using deceit in order to perform illegal activities involving the personal data of a natural person, the applicable punishment is the deprivation of liberty for a period of up to five years or temporary deprivation of liberty, or probationary supervision or community service, or a fine from 10 to 2,000 statutory monthly minimum salaries.

For any criminal offenses, a coercive measure might be applied also to a legal person governed by private law, including any state or local government capital company, as well as a partnership, if a natural person has committed the offense in the interests of the legal person, for the benefit of the person, or as a result of insufficient supervision or control, acting individually, or as a member of the collegial body of the relevant legal person:

  • on the basis of the right to represent the legal person or act on the behalf thereof;
  • on the basis of the right to take a decision on behalf of the legal person; and
  • in implementing control within the scope of the legal person.

For a legal person one of the following coercive measures may be imposed:

  • liquidation;
  • restriction of rights;
  • confiscation of property; or
  • recovery of money.

Civil liability

Pursuant to Article 82(1) of the GDPR, any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the controller or processor for the damage suffered.

Latvian law does not contain any specific rules in this respect, thus, in case the person would like to claim damages for the breach of their rights under the GDPR, they, pursuant to Section 1775 of the Civil Law of 1 September 1992 (as amended) ('the Civil Law') most likely will have to prove:

  • illegal action of some person;
  • the fault of such a person;
  • existence of damages and the exact amount of the damages; and
  • the causal link between the illegal action and damages.

Further, in case the data subject would like to claim non-material damages (compensation for caused moral harm) then pursuant to Section 1635 of the Civil Law, the person most likely will be obliged to prove:

  • illegal action of some person;
  • the fault of such a person;
  • existence of moral harm (the Civil Law defines moral harm as physical or mental suffering, which is caused as a result of unlawful acts committed to the non-financial rights or non-financial benefit delicts of the person who suffered the harm); and
  • the causal link between the illegal action and damages.

However, even though in this case the person still must claim the exact amount of compensation, the person is not required to substantiate it, since, pursuant to Section 1635 of the Civil Law, the amount of compensation for moral harm shall be determined by a court at its own discretion, taking into account the seriousness and the consequences of the moral harm.

9.1. Enforcement decisions

In 2019, the DVI imposed monetary fines in nine cases. The amount of fines varied from €300 to €150,000.

The DVI announced, on 29 August 2019, that it had imposed a fine of €7,000 on a merchant who had been providing services on an online store for the violation of Article 17 of the GDPR (the DVI's press release is available, only in Latvian, here, while the EDPB's press release is available here).

As to the case in which a fine of €150,000 was imposed, it is only publicly known that it was related to breaches of transparency and accountability principles. The complaint was submitted by a Spanish national in relation to data protection breaches which took place in Latvia.

In 2020, the DVI imposed monetary fines in 11 cases. The amount of fines varied from €200 to €65,000.

The fine of €65,000 was imposed on the Latvian company SIA Lursoft IT, which offers a service for easily obtaining information from various public registers. The DVI considered that SIA Lursoft IT had also published information that is not publicly available (i.e. part of the information included in the companies' registration files maintained by the Latvian Enterprise Register). Further, the company had published information about old insolvency processes of natural persons (pursuant to law, such information can be made available to the public only up to one year after the insolvency process of the natural person has been terminated). The amount of the fine was determined taking into account the number of affected data subjects, the amount of published data, the company's turnover, and the fact that the company did not follow the DVI's request to temporarily suspend publication of the data while it was being analyzed whether the data processing at issue complied with legal acts (the DVI's press release is available, only in Latvian, here).

In 2021, the DVI imposed monetary fines in six cases.

In 2022, the DVI imposed monetary fines in 12 cases. The amount of fines varied from €200 to €1,200,000.

The fine of €1,200,000 was imposed on Tet, a Latvian technology and entertainment services company. The DVI considered that Tet had breached the provisions of the GDPR by providing a service to a customer who had not signed a contract, so that the company had processed the data of a person whose identity had not been verified. Tet invoiced for the service by logging the personal data. In this way, the company processed personal data without a legal basis. After not receiving the payment, Tet transferred the personal data to a debt collection company. The fine imposed by the DVI is currently the largest fine ever imposed for breaches of the GDPR not only in Latvia, but also in the Baltics. Tet appealed the decision to a court, where it was rejected. Tet appealed against the judgment.