News

29.05.2018

The discussions around the national law on personal data processing

The Latvian legislator is facing delays with the adaptation of the national Law on Personal Data Processing (the Draft Law). On April 12, the Latvian Parliament, the Saeima, conceptually supported the Draft Law in the first sitting. The date of the second sitting is not yet known; however, the table of proposals submitted by April 20 (the final deadline) is pretty long, and most of the proposals relate to the duties and functions of the Data State Inspectorate, along with the certification of the data protection officer appointed by the data controller (i.e. should it be a person included in an official list of the Data State Inspectorate, or may the data controller choose any person in accordance with the requirements of the GDPR).

Many discussions and concerns were also caused by Article 26 of the Draft Law, which allows the authorities of the national Data State Inspectorate, without any warning and upon receipt of the decision of a court judge, to enter, in the presence of police, the non-residential premises, apartments, buildings or other objects of immovable property which are in the ownership, possession or use of a data controller or processor, to perform coercive screening or inspection, to receive any and all documents (including the information on electronic devices), and even to seal such premises for 72 hours to ensure the preservation of evidence.

Currently, the Criminal Law already stipulates criminal liability for illegal activities involving personal data of natural persons, if such activities have caused substantial harm, they have been performed by a personal data processing administrator or operator for the purpose of vengeance, acquisition of property or blackmail, or for influencing a personal data processing administrator or operator, or the data subject, using violence or threats, or using trust in bad faith, or using deceit in order to perform illegal activities involving personal data of a natural person. Thus, the search measures of the Draft Law, as described above, could be performed under certain circumstances as part of criminal proceedings by the corresponding authorities conducting the criminal proceedings, and the actions described in the Draft Law would therefore be recognized as unnecessary and disproportionate to the aims of the GDPR.

Article 30 of the National Personal Data Protection Law, which implemented Directive 95/46/EC in 2000, stipulates that the authorities of the national Data State Inspectorate have the right to freely enter any non-residential premises where the processing of personal data is located and, in the presence of a representative of the administrator (i.e. the representative of the data controller), to carry out necessary inspections or other measures in order to determine the compliance of the procedure of processing of personal data with the law. Such limited rights of the Data State Inspectorate seemed much more appropriate and proportionate to the controller’s interests.

However, the limits of the applicable legislation are decisive: the GDPR raises the essential requirements for control so high that the legislator wants to have as many options as possible to protect the legal interests described in the GDPR. Nevertheless, taking into account the discussions and concerns mentioned above, the Ministry of Justice has promised to review this Article of the Draft Law one more time.

Article provided by: Jana Panko (Lawyer, Njord Law Latvia)

 


Discover more about the Cloud Privacy Check (CPC) / Data Privacy Compliance (DPC) project

Director CPC project: Dr. Tobias Höllwarth, tobias.hoellwarth@eurocloud.org
