annual report 2016 · pre-registration checking on video surveillance 4.2.3. checking on the...

Data State Inspectorate Annual Report 2016 Riga 2017


Data State Inspectorate

Annual Report

2016

Riga 2017


TABLE OF CONTENTS

I BASIC INFORMATION

1.1. Legal status

1.2. Functions and the directions of the activities

1.3. Main tasks and priorities

1.3.1. Pre-registration checking in the risk areas

1.3.2. Recommendations on the transfer of personal data to countries that are not European Union or European Economic Area countries

1.3.3. Cooperation with Personal Data Protection Authorities of other EU Member States

II FINANCIAL RESOURCES AND AUTHORITY PERFORMANCE

2.1. State budget funding and spending

2.2. Paid services

2.3. Leadership and Performance Improvement Systems

III STAFF

IV COMMUNICATION WITH THE PUBLIC

4.1. Public information and education activities

4.2. Registration of personal data processing

4.2.1. Pre-registration checking on sensitive personal data processing, in which information on personal health is processed

4.2.2. Pre-registration checking on video surveillance

4.2.3. Checking on the processing of personal data within which data transfers are made outside the European Union

4.3. Registration of data protection specialists

4.4. Supervision of personal data processing

4.4.1. Video surveillance in public places and in private property

4.4.2. Processing of sensitive personal data in medical institutions

4.4.3. The use of children's personal data: in social networking, at schools and the processing of children's personal data by children's parents

4.4.4. Processing of personal data in public information systems in the field of re-use

4.4.5. Arrangement of information about apartment debts in public places or in non-sealed mailboxes

4.4.6. Processing of personal data by mass media

4.4.7. Making copies of identity documents

4.4.8. Processing of personal data of officials

4.4.9. Sending commercial communications

V DSI PRIORITIES FOR 2017


I BASIC INFORMATION

1.1. Legal Status

In accordance with Article 29 of the Personal Data Protection Law (hereinafter - PDPL), the Data State Inspectorate (hereinafter - the DSI) is subject to the supervision of the Ministry of Justice and operates independently and permanently, fulfilling the functions specified in laws and regulations, taking decisions and issuing administrative acts in accordance with the law.

The aim of the DSI is to ensure the fundamental rights and freedoms of natural persons, notably privacy with respect to the processing of personal data. The protection of personal data is a fundamental principle, which says that everyone may control information about themselves, that is, control or know how others use this information. The protection of personal data is an integral part of the information society that promotes public trust in state administration and participation in the decision-making process.

The DSI commenced its work on 1 January 2001 in accordance with Article 1 of the PDPL Transitional Provisions. The DSI functions and tasks are determined by the Cabinet Regulations No. 1415 "The Data State Inspectorate Regulations" (hereinafter - the Regulations) of 10 December 2013.

1.2. Functions and the Directions of the Activities

According to the Regulations, the DSI:

1) performs monitoring and protection of personal data processing in accordance with the regulations in the areas of personal data protection, biometric data processing, human genome research and extrajudicial debt recovery;

2) ensures the transmission of requests to the European Union's Judicial Cooperation Unit (Eurojust) if the data subject requests information about himself;

3) represents the Republic of Latvia in the Schengen Information System Supervisory Authority, the Europol Joint Supervisory Authority, the Europol Appeals Committee and the Joint Supervisory Authority for the Customs Information System, in the Article 29 Working Party of Directive 95/46/EC of 24 October 1995 of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and the free movement of such data, and in the Consultative Committee of the Council of Europe Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data;

4) issues the licence for the operation of the Credit Information Bureau;

5) supervises the activity of the Credit Information Bureau.

To fulfil its functions, the DSI performs the tasks stated in normative acts, the law of the European Union and international agreements in the areas of personal data protection, the data protection of natural persons, information society services, electronic communications, electronic documents, biometric data, activities of the Schengen Information System, human genome research, security of information technologies, extrajudicial debt recovery and the performance of the credit information bureaus, and represents the Republic of Latvia in international organizations and activities in the field of data protection.


The DSI is a leading supervisory authority in the area of personal data protection in Latvia and, in accordance with the DSI Bylaws, in the fields of the data protection of natural persons, information society services, electronic communications, electronic documents, biometric data, activities of the Schengen Information System, human genome research, security of information technologies, extrajudicial debt recovery and in supervising the performance of the credit information bureaus, as stated in normative acts and in the tasks set out in the law of the European Union and international agreements.

In 2015, the DSI, exercising its rights in the area of personal data protection, supervised the compliance of personal data processing with the PDPL, both on the basis of the applications received and by initiating cases on topical public issues regarding personal data protection.

The DSI also ensures supervision of the processing of personal data provided for in the Schengen Information System Act and represents the Republic of Latvia in the Joint Schengen Information System Supervisory Authority, the Joint Europol Supervisory Body, the Europol Appeal Committee and the Joint Customs Information System Supervisory Authority (also ensuring the conduct of inspections at the national level for the above-mentioned information systems), as well as in the Working Party on Article 29 of Directive 95/46/EC and the Advisory Committee of the Council of Europe Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data, and in other activities of the European Union and international personal data protection authorities.

1.3. Main Tasks and Priorities

The main priorities for the reporting year were:

1) to perform pre-registration checking in the identified areas of risk;

2) to develop a recommendation on the transfer of personal data to countries which are not members of the European Union or the European Economic Area;

3) to ensure the organization of the annual meeting of the Baltic Data Protection Authorities in Riga, promoting the strengthening of the level of protection of personal data;

4) with regard to the new data protection reform, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), adopted on April 27, 2016, which will be applied from May 25, 2018, to identify the appropriate measures necessary for the implementation of this reform, envisaging closer cooperation with other personal data protection authorities.

The report provides an overview of the progress made with regard to the priorities set for the reporting year.

1.3.1. Pre-registration Checking in the Risk Areas

To ensure effective protection of personal data, the DSI, like other Member States of the European Union, conducts pre-registration checking. The second paragraph of Article 22 of the PDPL states that the DSI shall identify the processing of personal data where there could be risks for the rights and freedoms of the data subject. Such processing of personal data is subject to pre-registration checking. Every year the DSI determines the risks of personal data processing, assessing the risks associated with the processing of personal data, the number of violations in certain areas of personal data processing, as well as foreign experience and information provided on significant risks in certain areas. In total, 756 pre-registration checks were carried out in 2016 (522 pre-registration checks in the previous year), which is 45% more than in the previous reporting period.

As a result of pre-registration checking, controllers often choose to supplement their employees' knowledge of PDPL requirements by attending paid seminars organized by the DSI, as well as by analysing the information provided in the DSI recommendations.

In general, pre-registration checking allows the DSI to prevent potential personal data breaches, thereby reducing the number of alleged offenses, which in turn contributes to the protection of personal data in Latvia, promotes understanding of the basic principles and practical aspects of personal data protection, reduces the number of potential complaints to the DSI as a whole, and also provides information to data subjects about the processing of personal data by the controller.

1.3.2. Recommendations on the Transfer of Personal Data to Countries that are not European Union or European Economic Area Countries

Considering the current tendencies of economic globalization, more and more companies operate at the international level. Where a company is international, various information, including personal data, is exchanged between different countries of the world.

To ensure the right of individuals to protect their privacy, including personal data, the European Parliament and the Council of the European Union adopted Directive 95/46/EC on 24 October 1995. The data protection framework developed by Directive 95/46/EC, following its implementation, provided a similar level of protection of personal data in the Member States of the European Union and the European Economic Area by unifying the legal provisions for data transfer envisaged by national law. In turn, on May 25, 2018, direct application of the General Data Protection Regulation will begin, which introduces unified data protection provisions in all the Member States of the European Union, including the conditions for the transfer of personal data to countries that are not members of the European Union or the European Economic Area.

Currently, the national legislation of Latvia regarding the transfer of personal data to countries that are not members of the European Union or the European Economic Area is included in Article 28 of the PDPL.

The DSI has developed a Recommendation on the transfer of personal data to countries outside the European Union or the European Economic Area, with a brief introduction on the transfer of information outside the European Union and the aspects that need to be addressed when transferring information to a country which is not a member of the European Union or the European Economic Area.

The purpose of the DSI in developing the recommendation is to improve the protection of personal data of citizens of the European Union when the data are transferred to countries which are not members of the European Union or the European Economic Area.

The text of the recommendation is available on the DSI website in electronic format - http://www.dvi.gov.lv/lv/jaunumi/publikacijas/.


1.3.3. Cooperation with Personal Data Protection Authorities of other EU Member States

The DSI ensured the representation of the Republic of Latvia in the Unified Schengen Information System (SIS II) Supervisory Authority, the Unified Fingerprint Comparison System (EURODAC) Supervisory Authority, the Unified Visa Information System (VIS) Supervisory Authority, the Joint Europol Supervisory Body, the Europol Appeal Committee and the Technology Subgroup of the Article 29 Working Party of Directive 95/46/EC, as well as in other activities of the European Union and international activities organised by personal data protection authorities. This also includes participation in the European Conference on topical data protection issues, the Seminar on the Protection of Personal Data in the Field of Financial Technologies, Insurance, Medical Services and the New Data Protection Regulatory Perspective, the Cybersecurity Forum, and the Telecommunications Working Group Meeting.

In 2016, co-operation with the data protection authorities of the Baltic States continued and was promoted. In view of the Baltic region's common heritage and cooperation in the region's economic development, in 2012 an agreement was reached on closer cooperation between the Baltic states in the field of personal data protection supervision as well, thus implementing unified personal data processing control measures in a previously chosen business sector. On 26-27 June 2016, the DSI organized a meeting of the Baltic Data Protection Supervisory Authorities in Riga, during which current issues in the field of personal data protection, as well as the most significant changes regarding the new personal data protection reform, were discussed.

In 2016, in collaboration with other institutions, the DSI ensured the participation of its experts in the representation of the Republic of Latvia in Luxembourg in Case C-13/16 of the European Court of Justice on Riga Traffic. The case concerns the request for a preliminary ruling under Article 267 of the Treaty on the Functioning of the European Union on the interpretation of Article 7, Paragraph f of Directive 95/46/EC, submitted by the decision of the Administrative Affairs Department of the Latvian Supreme Court taken on 30 December 2015 in the proceedings Order Police Department of Riga Region Administration of the State Police against Riga Municipal Corporation Ltd. "Riga Traffic".

II FINANCIAL RESOURCES AND AUTHORITY PERFORMANCE

2.1. State budget funding and spending

In 2016 the DSI budget was formed by the sub-programme 09.02.00 "Protection of Personal Data of Natural Persons".

The DSI funding consists of two revenue sources:

1) grant from general revenues;

2) paid services and other own revenue.

Table 1 reflects the use of funding and the implementation of indicators in 2016 and their comparison with 2015.


Table 1. The basic budget programme 09.02.00 "Protection of personal data of natural persons", funding and use of the state budget (in euro)

| No. | Financial indicators | 2015 (actual implementation) | 2016 (approved by law) | 2016 (actual implementation) |
|---|---|---|---|---|
| 1. | Financial resources for covering expenses (total) | 702 544 | 619 604 | 619 907 |
| 1.1. | Grants | 687 456 | 595 271 | 595 271 |
| 1.2. | Paid services and other own revenue | 15 088 | 24 333 | 24 636 |
| 1.3. | Foreign financial assistance | | | |
| 1.4. | Donations and gifts | | | |
| 2. | Expenditure (total) | 608 060 | 619 604 | 580 646 |
| 2.1. | Maintenance costs (total) | 524 863 | 567 165 | 532 703 |
| 2.1.1. | Current expenditure | 524 863 | 567 165 | 532 703 |
| 2.1.2. | Interest expense | | | |
| 2.1.3. | Subsidies, grants and social benefits | | | |
| 2.1.4. | Current payments to the budget of the European Community and international cooperation | | | |
| 2.1.5. | Transfers of maintenance costs | | | |
| 2.2. | Capital expenditure | 83 197 | 52 439 | 47 943 |

Within the framework of the budget programme 09.02.00 "Data Protection of Natural Persons", 580 646 EUR or 93,71% of the planned expenditure was used.

Within its resources, in 2016 the DSI reissued to the public the Recommendation "Definition of Personal Data" in the field of personal data protection, updated the Recommendation "Data processing in the field of video surveillance" and developed the Recommendation on the transfer of personal data to countries which are not Member States of the European Union or the European Economic Area. In 2016 the DSI did not do any research.

The performance indicators of the budget programme are summarized in Table 2.


Table 2. The budget programme 09.02.00 "Protection of personal data of natural persons" performance indicators

| Performance indicator | Planned value | Actual implementation | Explanation |
|---|---|---|---|
| The number of inspections of personal data processing | 500 | 600 | The actual number of registered inspections on personal data processing has been decreased by 20%. The number of personal data processing checks tends to increase as people become more and more aware of data protection issues of individuals and exercise their right to the protection of their personal data. |
| Proportion of personal data protection violations detected (%) against total number of inspections done | 15 | 22.3 | The number of inspections of personal data processing has been increased, considering the number of complaints of citizens and the number of received personal data processing submissions. |
| The number of recommendations developed | 2 | 2 | |
| Credit information bureau fee and fee for registering a personal data processing system or making changes to be recorded in the PDPL | 65 734 | 65 954 | In 2016, one licence for the operation of credit information bureaus was issued. |
| Penalties applied for breaches of personal data protection (euro) | 14 940 | 8 122 | The penalties were applied for 65 detected personal data breaches, as well as for failure to provide information to the DSI. |

In total, in 2016, the DSI exceeded the projected values of the performance indicators. The indicator for penalties for personal data breaches was not met, as 11 cases are being prosecuted. In total, in the reporting year, decisions of the DSI were appealed in court in 15 cases, or 10% of the number of decisions made. Statistics on complaints, application review and inquiries regarding decisions made by the DSI in 2016 are summarized in Figure 1.


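Figure 1. Decisions taken in 2016 in cases of complaints, application review and initiatives. Categories: the result of the decisions taken; challenging decisions made by officials; result of the contested decision - the decision has not been cancelled; appeal against the contested decision before the judicial authorities. Series: warning; closure of the record; penalty.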

2.2. Paid Services

The DSI provides paid services in accordance with the Cabinet of Ministers Regulations No. 992 "Price List for Data State Inspectorate Services" of September 24, 2013. In 2016, paid services were provided in the total amount of 22 853,04 EUR.

Issuance of a registration certificate for personal data processing

In accordance with Article 22, Paragraph three of the PDPL, when registering the processing of personal data, the DSI issues a decision on the registration of the processing of personal data to the controller or his authorized representative.

The DSI issues the personal data processing registration certificate for a fee, in accordance with the price list of paid services approved by the Cabinet of Ministers, upon receipt of a request from persons referred to in Article 21 of the PDPL who wish to initiate the processing of personal data or have registered the processing of personal data.

In accordance with the Cabinet of Ministers Regulation No. 992 of September 24, 2013 "Price List for Data State Inspectorate Services", the fee for the issue of a registration certificate for personal data processing is EUR 14.23. In 2016, 54 personal data processing registration certificates were issued.

Filling in and printing of the application for registration of personal data processing

The DSI advises controllers on filling in the application for registration of personal data processing, meeting face-to-face and printing a completed application for the registration of personal data processing. In 2016 this paid service was provided to 41 controllers or their representatives. The fee for the service is 30,15 EUR.

Seminars organized in the field of data protection of natural persons

The DSI has organized paid seminars on personal data protection, registration of personal data processing, personal data protection audit, video surveillance, implementation of the General Data Protection Regulation and other personal data protection issues. In 2016 the DSI organized seven seminars for 171 listeners in total. The seminars were organized in Ogre, Cēsis, Jēkabpils, Ventspils and Riga. The fee for the service is 48,24 EUR per participant.

Organization of a qualification examination of a Personal Data Protection Specialist

In 2016 the DSI organized one examination of personal data protection specialists, with the participation of 43 applicants. The service includes the preparation of the examination questions and tasks, the preparation of individual answer sheets, the organization of the examination and the evaluation of the results by a commission of three persons, as well as the preparation of the decision on the test results and the issuing of certificates. The fee for the service is 293,01 EUR per applicant.

In 2016, 24 636 EUR were received from paid services (15 088 EUR in the previous reporting period), which is 63% more than in the previous reporting period.

2.3. Leadership and Performance Improvement Systems

To ensure the development of the DSI as a supervisory institution in the field of personal data protection, the fulfilment of its objectives, and the performance of the functions and tasks of the DSI set in the legislation of the Republic of Latvia and the European Union, in 2016 an appropriate structure was established, a personnel management policy was approved, and the guidelines on the principles for imposing administrative penalties were updated.

III STAFF

In the reporting period, the institution employed on average 21 officials and employees (hereinafter - employees), including 15 females and 6 males. In 2016, the average age of staff was 34 years. In 2016, employees aged 20-75 worked in the DSI. This is summarized in Figure 2.

Figure 2. Employees of the DSI by age group: 20-29: 13; 30-39: 2; 40-49: 3; 50-59: 2; >60: 1.


Of the total number of posts filled in the DSI, 99% of employees have higher education. Distribution of the education level of the DSI employees in 2016:

1) 1 employee - secondary education;

2) 13 employees - higher education;

3) 7 employees - a master's degree.

In 2016, the employment relationship was terminated by 3 (three) officials and 1 (one) employee; in turn, 4 (four) civil servants were appointed to posts and an employment relationship was established with 6 (six) employees.

IV COMMUNICATION WITH THE PUBLIC

During the reporting year, the DSI, in cooperation with the Administration Department of the Ministry of Justice, provided public information and awareness raising on the protection of individuals' data. Cooperation between the DSI and the media takes place on a regular basis, given the urgency and complexity of the issue of the processing and protection of personal data, which is influenced by the development of information technology and the Internet environment.

4.1. Public information and education activities

To inform society about data processing and the protection of natural persons, the DSI implements communication activities through such communication tools as:

1. Press releases;

2. The DSI homepage (http://www.dvi.gov.lv/lv/);

3. The microblogging site Twitter (https://twitter.com/?lang=en);

4. The social network Facebook (https://www.facebook.com/Datuvalstsinspekcija/);

5. Conferences, seminars.

In 2016, the DSI representatives gave interviews to printed media, radio and television, both in writing and verbally. Replies were given to questions posed by citizens about issues that lie within the competence of the DSI.

Within the framework of the cooperation, opinions were expressed to TV3 "Bez tabu", LTV 1 "4. Studio", the programme "Latvijas Radio 1", the newspaper "Latvijas Vēstnesis" and the Internet portal "Latvian Law and the State". In total, 35 interviews / explanations were provided to the mass media about current issues of processing and protection of personal data, including the General Data Protection Regulation. The DSI communication with the mass media in 2016 is summarized in Table 3.

Table 3. Informing the society on data processing and protection of natural persons, communication with the mass media in 2016

| Source | Number | Topic - personal data protection issues |
|---|---|---|
| Newspaper | 29 | Explained: legal basis for the processing of personal data; video recorders; audio recording at the workplace; video surveillance; personal data protection of medical documents; the protection of the personal data of children; searching for lost personal identity document holders on social networks; the public disclosure of personal data; data protection requirements - the right to be "forgotten" and the permission for children to register on social networks. |
| TV | 16 | Explanation was given on: video recorders; video surveillance; video recording on the phone; crisis SMS sending and related amendments to the Electronic Communications Law; the publication of artists' data in the mass media; Road Safety Directorate (Latv.-CSDD) actions by issuing personal data upon request of a solicitor; the protection of personal data by the transfer of mobile phones to repair; planned changes in the type of personal code change. |
| Radio | 4 | Telephone interviews and answers to journalists were provided on: video recorders; smart surveillance; the practice of persuading mobile operators to switch operators; processing of personal data of individuals by preforming loyalty cards; registration of prepaid cards in Latvia; personal data protection of medical documents; crisis SMS sending and related amendments to the Electronic Communications Law; the local government's right not to reveal the identity of a person by acquiring municipal property. |

Every working day from 13:00 to 15:00, the DSI employees provide telephone consultations explaining the norms of the PDPL, promoting public awareness about the processing and protection of personal data, as well as about issues of registration of personal data processing. In 2016, the DSI employees provided 2868 telephone consultations, which is 239 telephone consultations per month on average. The DSI statistics on telephone consultations provided in 2016 are summarized in Figure 3.


Figure 3. Telephone consultations in 2016.

In cooperation with the Latvian Certified Personal Data Protection Association, the DSI has organized seminars on the processing of personal data. In total, the DSI organized seven seminars in Cēsis, Ogre, Jēkabpils, Ventspils and Riga, attended by 171 participants.

In general, representatives of the DSI participated in seven seminars, discussions and conferences in 2016 and provided information on issues within the competence of the institution. This includes the participation of DSI representatives in informational meetings and working groups within the competence of the institution, providing information on the legal aspects to be taken into account in respect of data protection, on issues concerning the processing of personal data by journalists, on the safety of patient data relating to the operation of the unified electronic health information system, and on other questions concerning the processing and protection of data of natural persons.

In 2016, in cooperation with the Ministry of Justice, the DSI participated in the Open Day "Themed Race", where pupils from Riga Secondary School, Ventspils Secondary School No. 3 and Āgenskalns State Gymnasium were introduced to the DSI and its functions.

4.2. Registration of Personal Data Processing

Article 21 of the PDPL stipulates that prior to the processing of personal data

processing, the controller shall record the processing of personal data in the DSI or

assign a natural person - a data protection specialist - if the controller:

1) provides for transfer of personal data to a state which is not a member of the

European Union or the European Economic Area;

2) provides for the processing of personal data by providing financial or

insurance services in the conduct of lotteries or raffles, market or public opinion

research, recruitment or assessment of staff as a type of business, providing debt

recovery services and credit information processing services as a type of business;

106

275 284

256267

234 234

294 285

196

250

185

0 0 0 00 0 0 00

50

100

150

200

250

300

350

TELEPHONE CONSULTATIONS IN 2016

3) performs sensitive personal data processing, except when the processing of

such data is carried out for the purposes of accounting, personnel accounting (labour

law) or by religious organizations;

4) processes personal data concerning criminal offenses, convictions and

penalties in administrative violation cases;

5) performs video surveillance while retaining personal data;

6) performs the processing of genetic data.

In 2016 the DSI adopted 669 decisions on the registration of personal data
processing, 185 decisions on registration of changes in the processing of personal data,
69 decisions on the processing of personal data processing, 55 decisions on the
registration of personal data processing specialists, and 5 decisions on the exclusion of a
personal data processing specialist from the Register of Personal Data Protection Specialists.

Compared to the previous reporting period, the number of registered personal data

processing has increased by 66.8%. This is due to the widespread mass media

information that it is necessary to record the processing of personal data (video

surveillance), which is carried out using video recorders. In 2016, the decisions taken

by the DSI in the processing of personal data and in the process of registration of

personal data specialists are reflected in Figure 4.

Figure 4. Decisions taken by the DSI in the process of registration of personal data processing and personal data protection specialists in 2016

[Chart; series: On registration of personal data processing; On registration of a personal data processing specialist; For making changes to personal data processing; On non-registration of personal data processing; The exclusion of a personal data processing specialist from the Register of Personal Data Protection Specialists]

Upon receiving a controller's request, the DSI reviews the information provided,

requesting additional information and performing a pre-registration checking if

necessary.

When deciding on the registration of personal data processing, a DSI controller

issues a decision on the registration of personal data processing and makes an entry in

the public register of personal data processing available on the DSI website:

www.dvi.gov.lv/registri/pdas/.

In accordance with Article 22, Paragraph nine of the PDPL, a state fee is payable for
every registration of the processing of personal data before the relevant application is
submitted to the DSI, in accordance with the procedure and in the amount specified by
the Cabinet. Under Cabinet Regulation No. 813 of 27 November 2007, "The Data
Processing Registration and the Registration Fee for the Registration Changes to be
fixed by the PDPL", the fee is EUR 28.46 or EUR 56.91. State and local government
bodies do not pay state fees for registering processing or changes to it. In 2016, state
fees of EUR 33 514.22 were paid into the state budget (EUR 22 363.66 in the previous
reporting period), which is 50% more than in the previous reporting year.

To ensure effective protection of personal data, the DSI, like other Member

States of the European Union, conducts pre-registration checking. The second

paragraph of Article 22 of the PDPL states that the DSI shall identify the processing of

personal data which is likely to jeopardize the rights and freedoms of the data subject.

Such processing of personal data is subject to pre-registration verification. The DSI

determines each year the areas of personal data processing by assessing the risks

associated with the processing of personal data, the number of violations in certain areas

of personal data processing, as well as foreign experience and information provided on

relevant issues in specific areas.

In 2016, the following areas of risk were identified in the processing of personal

data:

1) processing of personal health information;

2) the processing of personal data in the context of the transfer of personal data

to a country outside the European Union or the European Economic Area, unless the

European Commission has established that a third country provides an adequate level

of protection in accordance with Article 25, Clause 6 of European Directive 95/46 / EC;

3) video surveillance while retaining personal data;

4) processing of genetic data.

In 2016, 756 pre-registration checks were carried out and started (522
pre-registration checks in the previous reporting year).

Comparison of the risks of personal data processing in this reporting period and

pre-registration checking in the risk areas with the previous reporting period:

No. | Personal data processing risk area | Number of pre-registration checking in 2016 | Pre-registration checking in 2015
1. | Processing of personal health information | 143 | 129
2. | Video surveillance | 590 | 365
3. | Personal data processing in the context of the transfer of personal data outside the European Union | 23 | 28
4. | Processing of genetic data | - | -

The statistics for pre-registration checking carried out by the DSI in 2016 are

summarized in Figure 5.

Figure 5.

To facilitate the registration of processing of personal data in the framework of

video surveillance, the DSI has updated a sample of registration application for the

purpose of processing - the prevention or disclosure of criminal offenses in connection

with the protection of property and the protection of vital human interests, including

protection of life and health, and has developed a sample application for registration for

natural persons - preventing or detecting criminal offenses related to the protection of

property and the protection of vital human interests, including life and health, as well

as the taking of evidence for insurance purposes. Accordingly, controllers use the
above registration application samples and the recommendations developed by the DSI
to find the solution for the processing of personal data that best complies with the PDPL.

Pre-registration checking, as in previous reporting periods, was performed on the
basis of an initial assessment of the application received by the DSI for the registration
of processing of personal data, taking into account other information on the controller
at the disposal of the DSI, as well as the information published by the controller on the
Internet. In addition to the information specified in the application for registration of
personal data processing, the DSI may request the controller to provide information on
the processing of personal data, for example, internal data processing protection rules
and other documents defining processes for the processing and protection of personal
data, information on the amount of data processing and compliance with data security
requirements. For example, when registering the processing of

personal data for the transfer of personal data outside the European Union, the DSI

requests copies of contracts with recipients of third-country data and evaluates the

contractual conditions for the protection of personal data (including access to personal

data, security of data processing and data transfer to third parties). The controller also
receives general information from the DSI on the processing and protection of personal
data in the framework of registration of personal data processing, thereby also
facilitating the provision of PDPL requirements for the processing and protection of
personal data.

[Chart for Figure 5: Pre-registration Checking by the DSI in 2016; series: Perform video surveillance while retaining personal data; Transfer of personal data outside EU or EEA; Processing of sensitive personal data]

Most pre-registration checking was carried out in connection with the

processing of personal data by video surveillance. During the previous reporting period,

follow-up was carried out, in which it was found that the controller did not correct the

deficiencies in the processing of personal data (cases where the controller did not

provide information to the data subjects or failed to comply with the requirements of

the PDPL). Also, the DSI has repeatedly asked the controllers to clarify the information

signs for video surveillance to comply with PDPL requirements. The issue of the terms

of storage of personal data processed during video surveillance is also topical, which is

assessed on a case-by-case basis. Compared to the previous reporting period, there has

been an increase in the number of controllers who, after reassessment, reduce the

storage life of personal data, and consider more carefully the processing of personal

data performed or planned as a whole.

During the reporting period, the number of complicated personal data processing
questions has increased; for these, meetings are organized at the DSI, giving the
controller the opportunity to provide additional information on the expected processing
of personal data and to find a solution for more appropriate protection of personal data.
One of the challenges in recent years is to determine who is the personal data processing
controller and who is the operator, taking into account the specifics of different personal
data processing cases. The issue of joint controllers and the corresponding division of
responsibilities has also become topical.

As indicated, on several occasions the relevance of the information provided by
the controllers was verified by performing checking at the places where personal data
was processed. As a result of the pre-registration checking, a decision is taken on
whether or not to register processing of personal data in the DSI, or additional
information is requested from the controller to remedy the non-compliance with the
PDPL identified during the on-site inspection. As a result of pre-registration checking,
controllers often chose to supplement their employees' knowledge of PDPL
requirements by attending paid seminars organized by the DSI as well as analysing the
information provided in the recommendations developed by the DSI.

4.2.1. Pre-registration Checking on Sensitive Personal Data Processing, in which

Information on Personal Health is Processed

The DSI has developed specific standard questions for pre-registration

checking, intended for additional assessment of sensitive data processing in respect of

the rights of the data subject, as well as the conformity of technical and organizational

solutions for processing with regulatory enactments. Pre-registration checking was

performed in private doctors' practice and in medical institutions - in health centres and

in several hospitals. The inspections included the processing of personal data by social

service providers as well as job placement service providers who were planning to

obtain sensitive personal data.

For medical institutions and doctors' practices, seafaring providers, clinical research
providers and social service providers who register personal data processing in the DSI,
the legal basis is determined by special legislation - the Medical Law, the Patients' Law,
the Law on Social Services and Social Assistance, the Cabinet of Ministers Regulations
No. 359 of July 1, 2003 "Regulations on Safety and Health Protection Requirements and
Medical Care on Ships" and other regulations.

The most significant weaknesses identified by the DSI in the processing of

personal data by controllers in regard to this risk area are:

1) there is no provision for the protection of internal data processing;

2) informing the relevant data subject about the processing of personal data is

not ensured;

3) training of employees regarding the safety of the system and procedures and

the protection of personal data is not ensured;

4) the distribution of access rights according to the competence of employees is

not respected;

5) control of access rights is not ensured;

6) no information is provided to data subjects about their right to correct and

delete their data.

The DSI asks controllers to prevent these violations and inform the DSI on

preventing violations.

4.2.2. Pre-registration Checking on Video Surveillance

In view of the increased use of video surveillance in both the public and private
sectors, and the development of technological applications that monitor video
surveillance and increase its connectivity with other personal data processing systems,
the DSI has updated an application sample for processing personal data in the
framework of video surveillance, as well as special pre-registration standard
questionnaires for additional monitoring of video surveillance, covering surveillance of
the specific site / area, placement of information signs, informing staff, duration of
record keeping, access control to records (providing audit trails), etc.

In the pre-registration checking in this area, it has still been found that the

controllers largely fail to provide the data subject with information about the controller

and the intended purpose of processing the data in accordance with the requirements of

Article 8 of the PDPL, and that they store the video surveillance records for an

unreasonable amount of time.

In the reporting period, preventive checking was also initiated on the conduct

of video surveillance at points of sale by performing on-the-spot checks.

Compared to the previous reporting period, the total number of cases where

video surveillance is widely used in private and apartment houses, as well as in a vehicle

using video recorders has significantly increased. Also, during the reporting period, the

number of cases where video surveillance is recorded by natural persons has increased.

This is because the DSI has recently received a lot of complaints about video

surveillance carried out by neighbours, as well as taking into account mass media

information about registration of personal data processing by video surveillance, using

video recorders.

During the reporting period, the DSI pointed out to several controllers the
need to reduce the area under video surveillance.

In the context of video surveillance, the DSI believes that in the Republic of

Latvia there is a need for appropriate regulation, especially in the field of labour

relations, in the protection of private property and apartment buildings, as well as the

use of unmanned aerial surveillance for video surveillance and video recorders.

The processing of personal data within the framework of video surveillance

requires in-depth attention, noticing the development of information technologies

(including data transfer and synchronization capabilities) and services offered on the

Internet (for example, online employee monitoring, profiling, facial recognition

software, etc.). In addition, each year the expenses of the controller for video

surveillance are reduced, therefore, in recent years this has become one of the most

common tools for personal data processing (for example, on-the-spot checks have

revealed that even in small settlements, merchants install video surveillance cameras

for their property, but do not assume any obligations on the processing of personal data

resulting from the PDPL, which also regards to the rights of the data subject).

The DSI thinks that this area is to be reconsidered in the area of risk through

pre-registration checking, also taking into account the fact that it is often found that the

data subject is not informed about the video surveillance performed, and the data

subject does not have the information to be able to determine the controller, who carries

out the specific video surveillance. Accordingly, in accordance with the PDPL, it is

difficult for the data subject to exercise his data subject's rights.

In addition to this, we inform that in May 2016 a joint inspection on the

compliance of personal data processing activities with the PDPL in retail stores of

Ltd. "RIMI LATVIA", Ltd. MAXIMA Latvija and Ltd. "Prisma Latvija" was

completed by the Baltic Personal Data Protection Supervisory Authority, by evaluating

the data processing that is carried out in relation to potential employees and current

employees in these companies, including taking video surveillance. The results of the

inspections were discussed at the Baltic States Meeting held in Riga on 27-28 June

2016.

In all three Baltic States, one of the biggest issues is the storage of personal data

and the disproportionate processing of personal data.

This sectoral inspection has been implemented in all the Baltic States for the

fifth year in accordance with Article 28 (6) of Directive 95/46 / EC, which requires the

EU Member States' national data protection supervisory authorities to work together to

promote the protection of personal data in the Member States of the European Union.

The conduct of such inspections at the level of the European Union is considered to be

a good practice in the field of supervision of the protection of personal data.

4.2.3. Checking on the Processing of Personal Data within which Data Transfers

are Made outside the European Union

The DSI has developed specific standardized questions for pre-registration

checking for such data processing that involves the transfer of data outside the European

Union for additional consideration regarding the rights of the data subject and the

conformity of technical and organizational solutions of processing with regulatory

enactments. For these inspections, to make sure that the controller in accordance with

the second paragraph of Article 28 PDPL supervises relevant protection activities, if

the controller himself does not verify compliance with those requirements, the DSI

requests the submission of copies of contracts for the transfer of personal data to assess

their compliance with the Regulations No. 634 "Regulations on the Mandatory

Coverage of Personal Data Transfer Contracts" of the Cabinet of Ministers of August

16, 2011 or standard contractual clauses approved by the European Commission on the

transfer of personal data to a country that is not a Member State of the European Union

or the European Economic Area.

In the pre-registration checking conducted within the framework of this risk area, as
in the previous reporting period, it was assessed whether the controller ensures that the
data subject is informed of the transfer of data to a country outside the European Union
or the European Economic Area, provides the data subject's right of access to
information about himself, and provides for the right of the DSI to carry out checking
with regard to the processing of personal data in third countries. As a result of the
inspections, it was

found that controllers often do not indicate the fact that personal data is intended to be

transferred to sub-operators (or operator's operators) and, consequently, controllers do

not impose appropriate data security and protection requirements to sub-operators.

The DSI considers that this area is re-incorporated into the risk area during the

pre-registration checking, taking into account current uncertainty on how to organize

the transfer of personal data to a country outside the European Union or European

Economic Area to ensure adequate protection of personal data according to the PDPL

and European Union law.

4.3. Registration of Data Protection Specialists

As a result of the globalization process, economic processes today do not have

a geographical boundary that limits the application of relevant laws, including

protection of personal data, because there is no universal standard for the processing

and protection of personal data that would be binding on all countries. Therefore, the

personal data protection self-regulation approach can help to address these potential

inaccuracies to apply commonly the requirements of personal data protection and

privacy. One of these self-regulation mechanisms is the personal data protection

specialist in each company or institution. The first personal data specialist institute was

introduced in Germany in 1977 for the private sector as an additional self-regulatory

mechanism to help those responsible for the protection of personal data

(controllers) to ensure that their activities comply with the requirements of the law.

Personal data protection specialists are present in several EU Member States and it is

considered that the personal data protection specialist promotes the trust of clients and

employees in the processing of personal data by an organization / institution that will

be provided in accordance with the requirements of the law and the principles of

personal data protection good practice.

In order to facilitate the protection of personal data, the head of institution or

company may assign a specific employee to be responsible for the protection of

personal data, may use outsourced capabilities in relation to both the processing and

protection of personal data and the appointment of a personal data protection specialist

(the data protection specialist qualification is granted by the DSI after the particular

person has passed the examination in the DSI; the data protection specialist is not a

mandatory requirement in the regulatory enactments). However, a person responsible

for the processing of personal data is the head of the company or institution.

Since the introduction of this institute in Latvia in 2007, both public sector
institutions and private sector representatives have opted for personal data protection
specialists, whose main task is to provide support and advice to the management of the
authority or company on issues of processing and protecting personal data, including
solving problems in this field. In order to become a personal data protection specialist,
the individual is required to have higher education in law or information technology.

In 2016, 52 controllers have registered personal data protection specialists (42

in previous year). Compared to the previous reporting period, the number of registered

personal data processing has increased by 23.8%. Controllers apply to the DSI to
register persons who have acquired the qualification of a personal data protection
specialist. The DSI is obliged to examine an application for the registration of a
specialist within 15 days from the day it was received. The registration of personal
data protection specialists in the DSI is free of charge.

4.4. Supervision of Personal Data Processing

In 2016, the DSI has carried out 600 inspections to ensure the supervision and

protection of personal data processing in accordance with legislation regulating data

protection, biometric data processing, human genome research and extrajudicial

recovery of personal data.

Checks were carried out in such areas as:

1) video surveillance in public places and private property;

2) processing of sensitive personal data in medical institutions;

3) the use of children's personal data: in social networks, schools and processing
of children's personal data by parents;

4) processing of personal data in state information systems;

5) observance of the rights of data subjects;

6) placement of information about apartment debts in common areas or in mail

boxes in a non-sealed way;

7) processing of personal data by mass media;

8) copying of identity documents;

9) processing of personal data of officials;

10) sending commercial communications.

The DSI officials conducted 81 on-the-spot video surveillance checks in 2016 (74
checks upon applications (complaints) and initiative, as well as 7 self-initiated checks
by the authority at the processing locations of legal entities) and 519 checks in other
supervised areas.

4.4.1. Video Surveillance in Public Places and in Private Property

According to the DSI, in accordance with the judgment of 11 December 2014
in Case C-212/13 František Ryneš v Úřad pro ochranu osobních údajů, Article 3 (2)
of Directive 95/46 / EC must be interpreted as meaning that the use of a video
surveillance camera system which makes a visual record of persons, stored on a
continuous recording device such as a hard disk, and which a natural person has
installed at his or her family home with the aim of protecting the property, health and
life of the homeowners, but which also monitors public space, is not data processing
solely for personal or household purposes within the meaning of that provision.
Consequently, in the light of the

foregoing, and also on the basis of Article 21 (5) of the PDPL, prior to the processing

of personal data, the controller must register the processing of personal data in the DSI

or appoint a natural person, a data protection specialist, if the controller carries out

video surveillance while retaining personal data (video recordings).

The DSI points out that, no matter whether video surveillance registration is to

be performed in the Inspectorate or not, the controller must perform video surveillance

as processing of personal data in accordance with PDPL requirements.

In accordance with Article 2 (3) and (4) of the PDPL, personal data is any

information relating to an identified or identifiable natural person, while the processing

of personal data is any activity related to personal data, including the collection, storage,

use, transfer.

Video surveillance is the processing of personal data within the meaning of

Article 2, Paragraph 4 of the PDPL.

The processing of personal data, video surveillance, must be carried out in

accordance with the PDPL, Article 7 of which provides that the processing of personal

data is permitted if there is a legal basis for doing so - there is at least one condition of

Article 7 of the PDPL. In addition to ensuring the legal basis for the processing of

personal data, Article 10, Paragraph one, Clause 2 of the PDPL must also be observed,

according to which processing of personal data may be carried out only in accordance

with the intended purpose and to the extent required.

According to Article 2, Clause 9 of the PDPL, the controller - a natural or legal

person, a state or local government institution is responsible for the compliance of the

personal data processing (video surveillance) with the PDPL, which defines the

purposes and means of processing personal data.

In addition to the foregoing, the DSI points out that, in the course of video

surveillance, in accordance with the first Paragraph of Article 8 of the PDPL, the

controller is obliged to inform the data subjects about the processing of personal data -

those persons whose personal data processing is carried out. The controller is obligated

to ensure fulfilment of the requirements of the first Paragraph of Article 8 of the PDPL

- to ensure that the video surveillance recordings contain all the information referred to

in the first Paragraph of Article 8 of the PDPL - the controller's name, address,

purpose.

The above requirements apply to both video surveillance in private and public

spaces.

In the field of video surveillance in 2016, the DSI issued 6 administrative acts

with the obligation to place information signs that alert the data subjects about their

video surveillance in the respective area.

4.4.2. Processing of Sensitive Personal Data in Medical Institutions

Based on mass media reports that a privately-owned company, Ltd. DATAMED,
is likely carrying out illegal processing of personal data of ill patients, and also on
the basis of Article 55 (2) of the Administrative Procedure Law, the DSI conducted an
investigation on the compliance of this activity with the PDPL.

In the framework of this investigation, the DSI examined 10 (ten) Latvian major

medical treatment institutions on their assessment of the conformity of personal data

processing with the requirements specified in the regulatory enactments regulating data

protection of natural persons, while storing sensitive personal data in patients' databases

of Ltd. DATAMED. Several non-conformities with the PDPL have been identified during

the inspection.

Within the framework of the inspection, it was found that two medical treatment

institutions did not register changes in the DSI in accordance with the fourth Paragraph

of Article 22 of the PDPL, that is, the data processing operator DATAMED of these

two medical institutions was not registered.

Taking into account the above mentioned, the DSI found that two medical

treatment institutions did not comply with the requirements of the fourth Paragraph of

Article 22 of the PDPL and therefore committed an administrative violation for which

administrative liability is provided for in the second Paragraph of Article 204.9 of the

Administrative Violation Code of the Republic of Latvia (hereinafter - AVC). In

accordance with the procedure established by the AVC, a decision was taken regarding

the prosecution and the administrative penalty for two medical treatment institutions.

Article 14 of the PDPL provides that the controller may entrust the processing of
personal data to a personal data operator by entering into a written agreement. The
personal data operator may process personal data entrusted to him only in the amount
specified in the contract, in accordance with the objectives and in accordance with the
instructions of the controller, provided that they do not conflict with the regulatory
enactments. Prior to the processing of personal data, the personal data operator performs
the security measures specified by the controller to protect the personal data processing
system in accordance with the requirements of this Law.

Within the framework of the inspection, it was found that the written agreements

concluded by the four medical treatment institutions with the personal data operator

included general conditions regarding the data subject's access rights and access to his

sensitive personal data. Taking into account the above mentioned, the DSI invited these

representatives of medical institutions and Ltd. DATAMED to clarify the conditions of

the concluded contracts in accordance with the requirements specified in Article 14 of

the PDPL. Both representatives of medical institutions and personal data provider Ltd.

"DATAMED" have taken note of the instructions of the DSI and specified the

contracted agreements in accordance with the requirements of the Inspectorate.

4.4.3. The Use of Children's Personal Data: in Social Networking, at Schools and

the Processing of Children's Personal Data by Children's Parents

Legal framework for the filming and taking photographs of children and use of

children's data

In 2016, several dozen applications and complaints from

natural and legal persons were received, as well as anonymous information on the

processing of personal data of the children (parents, classmates, schools and their

employees, relatives and other persons).

The taking of photographs and filming is the processing of personal data within

the meaning of Paragraph 2 of Article 4 of the PDPL. Consequently, photographing and

filming, as processing of personal data, must be carried out in accordance with the

PDPL.

The controller has the right to process the data subject's personal data (in the

form of taking photographs or filming), if such action has one of the legal bases

specified in Article 7 of the PDPL. The fact that there is no consent does not mean that

illegal processing of personal data is being carried out. Without the consent of the data

subject, processing of their data (filming, photographing the data subject and publishing

these materials) may be carried out if there is any other legal basis set out in Article 7

of the PDPL. The above-mentioned condition should also be observed in the processing

of personal data in public places.

With regard to taking photographs of minors, it should be taken into account

that Article 177 of the Civil Code provides that the child is under the parental

guardianship until reaching the age of majority, therefore, parental consent should be

sought for the purposes of photographing the child. The same applies to

schools.

Paragraph 2 of Article 2 of the PDPL states that the consent of the data subject

is a freely, clearly expressed declaration of will by the data subject that allows his or

her personal data to be processed in accordance with the information provided

by the controller in accordance with Article 8 of this Law.

In accordance with Article 2, Paragraph 9 and Article 10, Paragraph one, Clause

1 of the PDPL, the controller must prove the lawfulness of his actions - to prove that

the consent for the acquisition of personal data existed. Accordingly, consent is

desirable to be submitted in writing, since the controller cannot prove verbally given

consent if the data subject indicates the opposite.

On June 25, 2015, the Department of Administrative Cases of the Supreme

Court of the Republic of Latvia made a decision in case No. SKA-864-15 on the issue

of the publication of their children's photos and their responsibility, which sets out and

analyses the legal aspects to be taken into consideration.

Processing of persons' data, including children's, in the form of audio recordings

In 2016, in the area of protection of the rights of the children, the DSI conducted

two inspections, which identified the following.

The person who carries out the audio recording shall be deemed to be the

controller of personal data within the meaning of Clause 9, Paragraph 2 of Article 2 of

the PDPL.

The controller must process personal data in accordance with the provisions of

Article 7 of the PDPL, for example if data processing is necessary for the controller to

perform statutory duties (Article 7, Paragraph 3 of the PDPL).

Taking into account the explanation mentioned in the Opinion 29/2013 of the

Working Party 29 of the Directive 95/46/EC 29 of July 2013 "On Limitation of the

Purpose", Article 10, Paragraph one, Clause 2 of the PDPL is to be interpreted as

meaning that processing of personal data is only to be carried out if this action has a lawful

and honest goal, if this goal is achievable by processing of concrete personal data, if

the benefit of reaching the goal is greater than the interference caused to the data subject

by the processing of personal data, if personal data are processed to the extent required

by the purpose, and if the goal cannot be achieved by other less restrictive means.

In addition to ensuring the legal basis (that is, in addition to observance of Articles 7

and 11 of the PDPL), the controller must ensure personal data processing compliance

with Article 10, Paragraph 1 of the PDPL - the controller is obliged to ensure fair and

lawful processing of personal data. Consequently, within the processing of personal

data the controller must act in good faith in accordance with other statutory procedures,

rights and obligations, as the lawfulness of personal data processing is determined not only

by observance of the PDPL, but also by other external regulatory acts, which may provide an exception

to the application of PDPL.

In addition to complying with Articles 7, 11, and Article 10, Paragraph one of

the PDPL, the processing of personal data within the meaning of PDPL shall also

comply with other PDPL rules. In accordance with the first Paragraph of Article 8 of

the PDPL before conducting an audio recording in the processing of personal data, the

controller must provide the data subject with the information specified in Article 8,

Paragraph one of the PDPL - the controller's name or surname and address, the intended

purpose of processing personal data, unless this information is already at the

disposal of the data subject. Upon the request of the data subject, the controller must also

provide the data subject with the information specified in Article 8, Paragraph two of

the PDPL.

The DSI indicates that the PDPL does not provide a prohibition or authorization,

or a specific regulation for audio recording in public places or other specific places

(such as a pre-school educational establishment). Consequently, the assessment of these

criteria must be carried out in each specific case of processing personal data, taking into

account the circumstances of each particular case, including who the data subject is,

his role, the conditions under which and the place where the audio was recorded, the

purpose for which the audio recording is performed, in what amount and/or for which

purpose the audio recording is transferred to third parties or is made public (if it is

done).

In accordance with Article 2 (3) and (4) of the PDPL, any activity with the

information relating to an identified or identifiable natural person is the processing of

personal data. Consequently, audio recording is the processing of personal data within

the meaning of PDPL, if a particular natural person - the data subject within the meaning

of Paragraph 1 of Article 2 of the PDPL - is identifiable by the records obtained or other

information obtained or disclosed (for example, after recording in the audio recording).

Within the framework of the two inspections, the DSI also involved the

Ombudsman of the Republic of Latvia (hereinafter - Ombudsman) with the request to

give an opinion on compliance with Article 96 of the Satversme (Constitution) and

other fundamental human rights established in the Satversme in the inspected cases.

Within the framework of the inspection, the Ombudsman expressed his views

on the recording of conversations, indicating the following.

The recording of conversations without consent, without assessing the

particular situation, could not in itself be regarded as a violation of the right to privacy. In

particular, it is not enough to make an abstract finding that an unlawful recording of the

person's conversations took place; the specific circumstances were to be assessed, such as

under what circumstances the recording was made (whether the person had a reasonable expectation of privacy);

what was the purpose for recording the person's conversation (whether there was a

legitimate aim and proportionality was respected); what was the context of the

conversation (whether a person's right to the protection of deeply personal

details has been violated by disclosing them to a wide range of people); how the

recorded material was used (for the protection of which interests it was used). In

addition, it is necessary to assess whether there was other evidence available to prove

the existence of the infringement as effectively as possible and whether there was

excessive provocation of the person recorded.

Similarly, the Ombudsman indicated that an employee secretly

recording a conversation with his employer without informing the employer of the

recording, so that this record could later be used as evidence, for example, in the

State Labour Inspectorate or the court for the protection of his rights as an employee,

would in some cases and under certain circumstances be justifiable.

In view of the above, it can be concluded that, in some cases, the secret recording of

a person's conversations without informing the person about it, so that

this record could later be used as evidence, for example, in the State Labour

Inspectorate or the court, for example, in order to ensure the protection of employees'

rights, including in the case of possible mobbing at the workplace, is

justifiable despite the failure to comply with the requirements of Article 8, Paragraph one of

the PDPL.

In accordance with the first Paragraph of Article 3 of the United Nations

Convention on the Rights of the Child (hereinafter - the Convention), in all activities

concerning children, whether these activities are carried out by public authorities or

private bodies dealing with social welfare issues, judicial, administrative or legislative

bodies, the primary consideration should be the interests of the child.

The explanation of the first Paragraph of Article 3 of the Convention states that

this provision imposes certain obligations on Member States:

1) the obligation to ensure that the interests of the child are properly integrated

and consistently assessed in any activity carried out by a public authority, in particular

in all implementing measures and administrative and judicial processes that have a

direct or indirect impact on children;

2) an obligation to ensure that all decisions of the courts and administrative

authorities concerning children, as well as policies and legislation, show that the

interests of the child are considered first and foremost. This means that it is necessary

to describe how the child's interest has been tested and assessed and how important it

was at the time of the decision making.

The phrase "primary consideration" means that other factors

should not be considered as important as the interests of the child. However, as the first

Paragraph of Article 3 of the Convention concerns very different situations, its

application should be flexible. The interests of the child assessed and identified may

conflict with the interests or rights of others (for example, other children, societies,

parents, etc.). More meaning should be given to what is best for the child. This means

that the court and other institutions must make their decisions based on what is in the

best interests of the child, in order to protect their decisions and actions and ensure the

best interests of the child.

In view of the above, it can be concluded that the making of audio

recordings of the parents' and/or educational establishments of children without

informing the data subjects about it, so that this record can later be used

as evidence, when appealing to the court for the protection of the rights of the child or

other children's rights protection institutions, is a justifiable action, even though it does not meet the

requirements of the first Paragraph of Article 8 of the PDPL.

At the same time, the DSI draws attention to the fact that Article 3, Paragraph

three of the PDPL states that this law does not apply to the processing of personal data

carried out by natural persons for personal or domestic and family purposes, provided that

personal data is not disclosed to third parties.

4.4.4. Processing of Personal Data in Public Information Systems

in the Field of Re-use

At the end of 2015, the DSI officials found that electronic copies of the Register

of Enterprises (hereinafter - the Register) handed over to re-users for re-use included a

decision of the State Police on the attachment of property in criminal proceedings,

containing personal data of the victim.

The Register is responsible for the personal data held by the Register and its

transfer to third parties in accordance with Article 2, Paragraph 9, Article 10, Paragraph

1, Article 25 of the PDPL, Section 25.

Paragraph 8 of Article 2 of the PDPL provides that sensitive personal data shall

include personal data indicating the person's race, ethnic origin, religious, philosophical

and political beliefs, membership of trade unions, and information on personal health

or sexual life.

Considering that the decision on the attachment of a property reflects the nature of

the criminal offense, which contains an indication that a person has been subjected to

sexual abuse, the information contained in the decision must be regarded as sensitive

personal data.

Consequently, in the course of the 2016 inspection, it was concluded that the

Register's handing over to third parties of a decision on the attachment of a property

containing personal data of the underage victim, including sensitive data, did

not comply with Article 7, Article 10, Paragraph 1, Clause 2 and Article 11 of the PDPL.

4.4.5. Arrangement of Information about Apartment Debts in Public Places or in

Mailboxes Non-sealed

Based on information that house managers place information on apartment

debts in common areas or in mailboxes in an unsealed manner, the DSI

conducted a series of inspections and found that such action does not comply with Article

7 and Article 10, Paragraph 2 of the PDPL.

Article 14, fourth Paragraph of the Residential House Management Law

provides for the apartment house manager's obligation to inform the apartment owners of

an individual apartment owner's activity or inactivity. However, the obligation to disclose

information about the particular apartment owner who carried out the activity or

inactivity (including failure to fulfil the liabilities set out in the management task) which

affects or may affect other apartment owners' interests (for example, not paying for

management and public services, which may result in termination of the provision of

services), that is, to disclose personal data, arises for the manager only after the receipt of

a separate request from a residential house owner to provide unambiguous and

complete information on the relevant issue (that is, upon receipt of a request for

information on who exactly the owner or owners of the apartment are and what amount

is owed for management and public services). In addition, Article 14, fourth Paragraph of

the Residential House Management Law provides for disclosure to the apartment

owners only, not to any third party, for example, the tenant of the apartment, the

apartment owner's family member, or other person in the apartment. Consequently,

when bills are placed into owners' mailboxes with the reverse side of the bill containing

information on the apartment numbers of house owners and the amounts of debt for co-ownership

management, a situation arises where personal data may be transferred to

third parties - the apartment tenants, apartment owner's family members, or other

persons in the apartment who have access to the mailbox. To avoid violating personal

data protection requirements, the information obligation can be implemented by informing

the apartment owners of the violation at a general meeting (except in cases where

persons who are not owners of the apartment and have not received a

mandate to represent owners of apartments participate). The amount of information to be provided

should be sufficient (personal name, surname, type of violation or amount of debt and

apartment ownership number) so that the general meeting can decide on further actions

and authorize the manager, for example, to bring legal proceedings.

4.4.6. Processing of Personal Data by Mass Media

The DSI, by receiving various types of complaints from individuals, has found

that mass media, exercising freedom of expression with the aim of informing society

about events in society and in the country, often violate the requirements of Article 10,

Paragraph one, Clause 2 of the PDPL.

According to Article 1 of the PDPL, the purpose of this Law is to protect the

fundamental rights and freedoms of natural persons, in particular privacy, with regard

to the processing of personal data. Article 5 of the PDPL provides that Articles 7, 8, 9,

11 and 21 of this Law shall not apply if personal data have been processed for

journalistic purposes in accordance with the Law "On the Press and Other Mass Media",

artistic or literary needs unless otherwise provided by law. Consequently, if the

activities of a journalist are carried out in accordance with the Law "On the Press and

Other Mass Media", the processing of personal data does not require any legal basis for

the processing of personal data established by PDPL. However, this does not mean that

journalists and the media are not bound by personal data protection requirements;

for example, the journalist is bound by the fundamental principles of data processing

contained in Article 10 of the PDPL, namely that data processing must be fair and

lawful and personal data must be processed only in accordance with the intended

purpose and the target amount.

Paragraph 12 of the Council of Europe Parliamentary Assembly Resolution

No. 1165 (1998) "The right to privacy", dedicated to media interference in the private

life of public persons, provides that the rights guaranteed in Article 8 of the European

Convention for the Protection of Human Rights and Fundamental Freedoms apply to the

protection of the privacy of an individual from mass media interference.

The European Court of Human Rights considers that ensuring a

reasonable balance between privacy and freedom of expression depends crucially on whether

the published article or photograph (video material) provides a significant contribution

to the public discussion. Consequently, information about the activities of an official

outside the time of performance of duties is to be assessed from the point of view of the

legal interest of the society. The curiosity of an individual or group of people, as well

as the commercial interest of a newspaper or a publication, cannot be regarded as a

legitimate interest of the public and cannot serve as justification for the limitation of the

right of the official to a private life outside the service life.

4.4.7. Making Copies of Identity Documents

At least once in a lifetime, a person faces a situation where another natural

person, when concluding a legal transaction, or a legal person, including an

employer, with the aim of concluding an employment contract, asks for a copy of a

personal identification document or makes it himself.

Article 2, Paragraph four of the Law on Identity Documents establishes that the

passport and identity card are the property of the Republic of Latvia. In its turn, Article

10, Paragraph one of this Law provides the rights of the passport holder to confirm his

identity by presenting the relevant document. Thus, the Law on Identity Documents

does not give the passport holder full discretion over the passport issued to him,

but provides for certain activities for which the passport holder is entitled to use the

passport. Consequently, a third party, such as a service provider, is not entitled to

require a passport holder to perform passport operations (for example, by requesting a copy

or photograph of a passport) which the legislator has not explicitly provided for in an

external regulatory enactment.

Consequently, the DSI points out that, regardless of whether the customer hands over his

passport for copying, verbally agrees to the copying of the passport, or agrees that the

photocopy of the document be made in his presence for

submission to the public, such consent cannot be considered free and unambiguous

and, consequently, does not comply with Article 2 (2) and Article 7 (1) of the PDPL.

Thus, the only possible legal basis for obtaining and storing a passport copy or

passport image (taking picture of it) would be Article 7 (3) of the PDPL. The right to

obtain and hold a copy of a personal identification document is assigned to those

subjects mentioned in Article 3 of the Law on Prevention of Laundering of Proceeds of

Crime and Terrorist Financing, i.e., credit institutions, as well as entities specified in

the Law on Higher Education.

4.4.8. Processing of personal data of officials

The DSI has also carried out some inspections in 2016 on the compliance with

the PDPL of filming, taking photographs and data processing by officials in the public

domain. In the view of the European Court of Human Rights (ECHR), the concept of

private life includes elements such as the name of a person or a person's image.1 The

aim of Article 8 of the European Convention for the Protection of Human Rights and

Fundamental Freedoms is protecting an individual from arbitrary interference by

public authority2. Portraying a person without his consent without assessing a particular

situation cannot be considered as a violation of the right to privacy3. In performing his

official duties, an official carries out the functions of the institution and exercises state

power.

With regard to an official who carries out the functions of the institution and

exercises public authority, it is pointed out that, according to the ECHR's findings, one

who acts on his own initiative in the field of public law, cannot claim the same treatment

as an individual entitled to anonymity4. Public rights to obtain information under certain

circumstances may also apply to certain aspects of the private life of public persons.5

The ECHR has indicated that there is a difference between the right to privacy of

politicians, officials and private individuals.6 Taking into account the above mentioned,

the DSI indicates that officials, including bailiffs, have the right to the protection of

their personal data, while these rights are narrower in comparison with the private

individual.

The need to restrict the right of a person to acquire information and express

opinions must be convincing, that is, there must be a real public interest.7 It is also in

the public interest to prevent or stop the unlawful conduct of an official, regardless of

the time it takes place. Consequently, if a private person records any such activity

(unlawful) in any way, it should initially inform the superior officer or authority

responsible for conducting investigations of this kind of events on a subordinate basis.

In the view of the ECHR, the crucial role of ensuring a reasonable balance

between the protection of privacy and freedom of expression lies in whether the

published article or photo (video) contributes to a public debate.8 Information about the

activities of an official outside the time of performance of duties is to be assessed from

the point of view of society's legal interests. The curiosity of an individual or

group of people, as well as the commercial interest of a newspaper or a publication,

cannot be regarded as a legitimate interest of the public and cannot serve as justification

for the limitation of the right of the official to a private life outside the service life.

In the light of the above, it is important to distinguish whether a person's actions

in filming the activities of officials during the performance of his duties do not threaten

third parties access to restricted information.

1 - Judgment of the European Court of Human Rights of 21 February 2002 in Schüssel v Austria 2.p.

2 - Judgment of the European Court of Human Rights, March 26, 1985 in Case X and Y v. The Netherlands, 23rd

3 - Judgment of the Department of Civil Cases of the Supreme Court of the Republic of Latvia, February 28, 2013 in case SKC-11/2013 7.3.pkt.

4 - Judgment of the European Court of Human Rights of 24 September 2004 in Von Hannover v. Germany, Judge Zupančič's separate thoughts

5 - Judgment of the European Court of Human Rights of 18 May 2004 in Editions Plon v. France 43.p.

6 - Judgment of the European Court of Human Rights of 16 November 2004 in Karhuvaara and Iltalehti v. Finland 20.p.

7 - Judgment of the European Court of Human Rights of 6 February 2001 in Tammer v. Estonia 59th and 60th

8 - Judgment of the European Court of Human Rights of 24 September 2004 in Von Hannover v. Germany, p. 69 and 76

4.4.9. Sending Commercial Communications

In 2016, the DSI officials carried out 22 inspections on sending unsolicited

commercial communications, and regularly provided consultations to data subjects about the

right to refuse the receipt of unwanted commercial communications, as well as instructions

for controllers to ensure the legal transmission of commercial communications.

Article 1, Paragraph 3 of the Information Society Services Law states that any

notice in an electronic form intended to promote, directly or indirectly, goods or

services or to promote the image of an entrepreneur, organization or person engaged in

a commercial, economic or regulated professional activity is a commercial communication.

The DSI draws attention to the fact that the legal basis for the transmission of

commercial communications is set out in Article 9 of the Information Society Services

Law. It provides that a commercial communication to an individual's electronic mail

address is allowed if the consent of this person is obtained or if all the conditions of

Article 9, Paragraph two of the Information Society Services Law exist and, in addition, if

the conditions of Article 9, Paragraph four of the Information Society Services Law are

observed. In turn, a commercial communication to a legal entity's electronic mail

address is allowed without prior consent, but subject to Article 9, Paragraph

four of this Law, that is, if a valid e-mail address is used to which the recipient of the

commercial communication could send a request to terminate the communication, and

if this refusal is taken into account. In addition to the above, it is also essential to ensure

the requirements of Article 8 of the Information Society Services Law for the content

of a commercial communication.

If, by sending a commercial communication, one of the requirements of Article

9 of the Information Society Services Law is violated, such action shall be considered

a violation of the prohibition on the commercial communication and, in accordance

with Article 204.16 of the AVC, it is administratively punishable by giving a warning

or imposing a fine on natural persons from 140 EUR to 500 EUR, and for legal entities

- from 700 EUR to 7 100 EUR.

The DSI has developed the Recommendation "Sending Commercial

Communications", which explains the legal transmission of commercial

communications, as well as provides an explanation of when an electronic mail

address should be recognized as that of a legal entity / institution or of an individual. The

Recommendation is available at the website of the DSI

http://www.dvi.gov.lv/en/latvijas-normativie-akti/rekomendācijas-vadlinijas/.

At the same time, the DSI points out that, in accordance with Article 16,

Paragraph one of the PDPL, the data subject has the right to request that the controller

supplement or correct his personal data, or stop processing them or destroy them if

personal data has been processed illegally. The data subject has the right, within a

month from the date of submission of the relevant request, to receive a reasoned

response in writing to the prosecutor. In turn, in the event that the controller does not

fulfil the obligations of PDPL, the data subject has the right to challenge before the DSI the

controller's refusal to perform the activities specified in Article 16 of this Law, adding

documents confirming that the controller refuses to perform or does not perform his

statutory duties.

V DSI PRIORITIES FOR 2017

Pre-registration checking in risk areas:

1) the processing of information about personal sensitive personal data;

2) the processing of personal data within the framework of which transfers of

personal data to a country other than the Member State of the European Union or the

European Economic Area occur, unless the European Commission has established that

a third country provides an adequate level of protection in accordance with Article 25

Paragraph 6 of Directive 95/46/EC;

3) video surveillance with retention of personal data;

4) the processing of genetic data.

The DSI will continue to participate in the discussions, ensuring representation

of the Republic of Latvia mainly in the activities defined by European Union or

international law, including the Supervisory Authority of the Single Schengen

Information System (SIS II), the Supervisory Authority for the Unified System for the

Comparison of Fingerprints (EURODAC), the Uniform Visa Information System

(VIS), the Joint Customs Information System Supervisory Authority, as well as the

Working Group 29 of Directive 95/46/EC, the newly established Europol Supervision

Institution Working Group, as well as other activities of the European Union and

international personal data protection authorities. This promotes the exchange

of current information and experience on different current international issues of

personal data processing between countries.

In 2017, the Lithuanian Personal Data Protection Authority will organize an

annual meeting of the Baltic Data Protection Authorities in Vilnius, Lithuania, with the

aim to discuss current issues in the field of personal data protection, in particular the

results of the unified inspection carried out in 2016. A joint inspection in the

commercial sector of the Baltic States will also be discussed.

The DSI will also start participating in new initiatives such as the Data

Protection Metrics Group of the International Commissioner for Data Protection and

Privacy Conference, which involves not only the representatives of the European Data

Protection Authorities, but also representatives from other continents of the world, thus

gaining and expanding their experience in data protection and privacy issues on a much

larger scale and supporting the efforts of other international partners in this area.

The DSI plans to participate in the Schengen evaluation visit in the field of data

protection, which will take place from 19 to 23 June 2017 in Portugal.

In regard to the implementation of the General Data Protection Regulation and

the commencement of its application by May 25, 2018, the DSI will continue to identify

the appropriate measures necessary for the implementation of

this reform, foreseeing closer cooperation with other state and local government

institutions, as well as foreign personal data protection institutions.

According to the General Data Protection Regulation, one of the tasks of the

DSI is to raise public awareness and understanding of the risks involved in the

processing of personal data, with a particular focus on activities that are specific to

children. In order to promote public awareness, the DSI plans to carry

out a social campaign in 2017 highlighting the most significant risks in the field of

processing personal data of minors: the free and confident consent of the data subject

and the protection of the data of minors on websites and social networks, which will

change with the implementation of the General Data Protection Regulation, and the

related issues.


In order to ensure the implementation of the General Data Protection Regulation

in the regulatory enactments of the Republic of Latvia, the task of the DSI is to give an

opinion to the Ministry of Justice on the implementation plan and draft law of the

General Data Protection Regulation.

In order to facilitate efficient, easy-to-understand communication and

prompt availability of services, the DSI plans to launch the "First, consult!" principle.

For the application of the General Data Protection Regulation, the DSI intends

to strengthen the capacity of its supervisory functions in the area of control measures and to

increase the quality of control measures through structural reforms.