Data Protection and Personal Privacy Law In Latvia

Latvia’s Personal Data Processing Law of 21 June 2018 is a data privacy law that was recently passed in 2018. As Latvia is a member of the European Union, Latvia’s Personal Data Processing Law of 21 June 2018 was passed for the purpose of implementing provisions of the EU’s GDPR law into Latvian law. More specifically, “the purpose of this Law is to create legal preconditions for setting up of a system for the protection of personal data (hereinafter – the data) of a natural person at a national level by providing for the institutions necessary for such purpose, determining the competence and basic principles of operation thereof, as well as regulating the operation of data protection officers and provisions of data processing and free movement.”

What are the differences between Latvia’s Personal Data Processing Law of 21 June 2018 and the EU’s GDPR law?

Latvia’s Personal Data Processing Law of 21 June 2018 does vary from the EU’s GDPR law in certain respects, particularly as it pertains to the requirements of data controllers and processors. To illustrate this point further, certain categories of personal data, such as personal data that is collected or processed in the context of scientific or research-related purposes, are exempt from the provisions of the Personal Data Processing Law of 21 June 2018. Alternatively, the law also exempts the processing of personal data that is used in the context of public interest, “in order to create, collect, evaluate, preserve and use national documentary heritage.” Additionally, as is the case with many other data privacy laws, personal data pertaining to criminal offenses or convictions are also exempt from the provisions of the Personal Data Processing Law of 21 June 2018.

Conversely, another major difference between the two laws is the age of consent as it relates to the collection and processing of data from data subjects. Under the EU’s GDPR law, the age of consent regarding such activities is set at 16. However, provisions under the EU’s GDPR law allow for EU members to lower the age of consent concerning the collection or processing of personal data when implementing the law in their respective jurisdictions. To this end, Latvia’s Personal Data Processing Law of 21 June 2018 establishes the legal age of consent for data collection and processing at the age of 13, and all children younger than 13 will subsequently need approval from their parents or legal guardians prior to providing their personal data for collection or processing.

What are the rights of data subjects under the Personal Data Processing Law of 21 June 2018?

The rights of Latvian citizens under the Personal Data Processing Law of 21 June 2018 are largely the same as those provided to other citizens residing within other EU member states. These rights include:

• The right to be informed- Latvian citizens have the right to be informed of certain details related to the collection and processing of their personal data.
• The right to access- Latvian citizens have the right to access any personal data they have submitted for collection or processing.
• The right to rectification- Latvian citizens have the right to request that a data controller or processor rectify personal data pertaining to them.
• The right to erasure- Latvian citizens have the right to request that a data controller or processor erase personal data pertaining to them.
• The right to object or opt-out- Latvian citizens have the right to object to or opt-out of the collection or processing of their personal data.
• The right not to be subject to automated decision making- Latvian citizens have the right not to be subjected to automated data processing decisions that could lead to adverse consequences for said citizens.

In terms of the enforcement of Latvia’s Personal Data Processing Law of 21 June 2018, the Data State Inspectorate, or the Inspectorate for short has the authority to impose disciplinary actions against data controllers and processors within the country who fail to comply with the provisions of the law. These fines include:

• A fine of up to €10 million or up to 2% of the total global annual turnover for a business’s previous financial year, whichever amount is higher.
• A fine of up to €20 million or up to 4% of the total global annual turnover for a business’s previous financial year, whichever amount is higher.

The passing of Latvia’s Personal Data Processing Law of 21 June 2018 in accordance with the provisions of the EU’s GDPR law effectively guarantees the data protection and personal privacy rights of the nation’s citizens. Such forms of legislation have become more and more commonplace during the 21st century, as online communication has come to change the world in ways that were never possible before. Due to this undeniable fact, many countries around the world will inevitably pass similar laws in the future. In this way, the EU continues to set the global standard for data protection and personal privacy as it concerns legislation.