Print   

UNOFFICIAL TRANSLATION

The Saeima  has adopted and

the President has proclaimed the following law:

Amended by Law of 24 October 2002.

If a whole or part of a section has been amended, the date of the amending law appears in square brackets at the end of the section. If a whole section, paragraph or clause has been deleted, the date of the deletion appears in square brackets beside the deleted section, paragraph or clause.

Personal Data Protection Law

Chapter I

General Provisions

Section 1.  

The purpose of this Law is to protect the fundamental human rights and freedoms of natural persons, in particular the inviolability of private life, with respect to the processing of data regarding natural persons (hereinafter – personal data).

Section 2.  

The following terms are used in this Law:

1) data subject – a natural person who may be directly or indirectly identified; [24.10.2002]

2) consent of a data subject – a freely, unmistakably expressed affirmation of the wishes of a data subject, by which the data subject allows his or her personal data to be processed according to information delivered by a system controller in compliance with Section 8 of the present Law; [24.10.2002]

3) personal data – any information related to an identified or identifiable natural person;

4) personal data processing – any operations carried out regarding personal data, including data collection, registration, recording, storing, arrangement, transformation, utilisation, transfer, transmission and dissemination, blockage or erasure;

5) personal data processing system – a structured body of personal data recorded in any form that is accessible on the basis of relevant person identifying criteria; [24.10.2002]

6) operator of personal data – a person authorised by a system controller, who carries out personal data processing upon the instructions of the system controller;

7) recipient of personal data – a natural or a legal person to whom personal data are disclosed;

8) sensitive personal data - personal data which indicate the race, ethnic origin, religious, philosophical or political convictions, or trade union membership of a person, or provide information as to the health or sexual life of a person;

9) system controller – a natural or a legal person who determines purposes of personal data processing system and means of processing; [24.10.2002]

10) third person – any natural or legal person except for a data subject, a system controller, a personal data operator and persons who have been directly authorised by a system controller or a personal data operator. [24.10.2002]

Section 3.  

(1) This Law applies, with exceptions set out in this Section, to processing of all types of personal data and to any natural and legal person if:

1) system controller is registered in the Republic of Latvia;

2) data are processed outside the borders of the Republic of Latvia,  in territories belonging to the Republic of Latvia in accordance with  international treaties;

3) equipment is located within the territory of the Republic of Latvia, which shall be used for processing of personal data.

(2) In cases mentioned in paragraph 3), part one, of this Section a system controller shall appoint an authorized person-in-charge of following the present Law.

(3) This Law does not apply to information systems established by natural persons wherein personal data are processed for personal or household and family purposes and wherein the collected personal data are not disclosed to other persons.

[24.10.2002]

Section 4.  

Protection of personal data declared to be official secret matters shall be regulated by the present Law with exceptions specified in the Law on Official Secrets.

[24.10.2002]

Section 5.  

(1) Sections 7, 8, 9 and 11 of this Law shall not apply if personal data are processed for journalistic, artistic or literary purposes, and it is not prescribed otherwise by law.

(2) In applying the provisions of Paragraph one of this Section, regard shall be had to the rights of persons to inviolability of private life and freedom of expression.

Chapter II

General Principles for Personal Data Processing

Section 6.  

Every natural person has the right to protection of his or her personal data.

Section 7.  

Personal data processing is permitted only if not prescribed otherwise by law, and at least one of the following conditions exist:

1) the data subject has given his or her consent;

2) the personal data processing results from contractual obligations of the data subject or, observing request of the data subject, the data processing is necessary for conclusion of the corresponding contract; [24.10.2002]

3) the data processing is necessary to a system controller for performance of his / her obligations established in the law; [24.10.2002]

4) the data processing is necessary to protect vitally important interests of the data subject, including life and health;

5) the data processing is necessary in order to ensure that the public interest is complied with, or to fulfil functions of public authority for whose performance the personal data have been transferred to a system controller or transmitted to a third person; and

6) the data processing is necessary in order to, complying with the fundamental human rights and freedoms of the data subject, exercise lawful interests of the system controller or of such third person as the personal data have been disclosed to.

Section 8.  

(1) When collecting personal data from a data subject, a system controller has an obligation to provide a data subject with the following information unless it is already available to the data subject:

1) the designation, or name and surname, and address of the system controller and personal data operator;

2) the intended purpose and basis for the personal data processing.

(2) To a  request of the data subject a system controller has an obligation to provide also the following information:

1) the possible recipients of the personal data;

2) the right of the data subject to gain access to his / her personal data and make amendments thereto;

3) whether providing a reply is mandatory or voluntary, as well as possible consequences of failure to reply.

(3) Paragraph one of this Section is not applicable, if the law allows personal data processing without disclosure of its purpose.

[24.10.2002]

Section 9.  

(1) If personal data have not been obtained from the data subject, a system controller is obliged, when collecting or for the first time disclosing such personal data to third persons, to provide the data subject with the following information:

1) the designation, or name and surname, and address of the system controller and personal data operator;

2) the intended purpose of the personal data processing.

(2) To a request of the data subject a system controller has an obligation to provide also the following information:

1) the possible recipients of the personal data;

2) categories and the source of the personal data;

3) the right of the data subjects to gain access to his / her personal data and make amendments thereto.

(3) Paragraph two of this Section is not applicable if:

1) the law provides for the processing of personal data not informing the data subject thereon;

2) when processing personal data for scientific, historical or statistical research, or establishment of state archives fund the informing of the data subject requires inordinate effort or is impossible., informing the data subject requires unreasonable efforts or is not possible

[24.10.2002]

Section 10.  

(1) In order to protect the interests of a data subject, a system controller shall ensure that:

1) the personal data are processed fairly and lawfully; [24.10.2002]

2) the personal data are only processed in accordance with the intended purpose and to the extent required therefor; [24.10.2002]

3) the personal data are stored so that the data subject is identifiable during a relevant period of time, which does not exceed the time period prescribed for the intended purpose of the data processing; and

4) the personal data are accurate and that they are updated, rectified or erased in a timely manner if such personal data are incomplete or inaccurate, in accordance with the purpose of personal data processing.

(2) Personal data processing for purposes other than those originally intended is permissible if it does not violate the rights of the data subject and is carried out for the needs of scientific or statistical research only in accordance with the conditions mentioned in Section 9 and Section 10, Paragraph one of this Law.

(3) Paragraphs 3 and 4 of Part one of this Section shall not relate to processing of personal data for establishment of the Latvia State Archives Fund in accordance with procedure provided in regulatory enactments. [24.10.2002]

Section 11.  

The processing of sensitive personal data is prohibited, except in cases where:

1) the data subject has given his or her written consent for the processing of his or her sensitive personal data;

2) special processing of personal data, without requesting the consent of the data subject, is provided for by regulatory enactments which regulate legal relations regarding employment, and such regulatory enactments guarantee the protection of personal data;

3) personal data processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express their consent;

4) personal data processing is necessary to achieve the lawful, non-commercial objectives of public organisations and their associations, if such data processing is only related to the members of these organisations or their associations and the personal data are not transferred to third parties;

5) personal data processing is necessary for the purposes of medical treatment, rendering health care services or administration thereof and distribution of medical remedies; [24.10.2002]

6) the processing concerns such personal data as necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings.

7) processing of personal data is necessary for rendering social aid and is performed by a provider of social aid services; [24.10.2002]

8) processing of personal data is necessary for establishment of the Latvia State Archives Fund is performed by state archives and institutions having the right of a state depository approved by the Director General of the State Archives; [24.10.2002]

9) processing of personal data is necessary for statistical research carried out by the Central Statistics Board; [24.10.2002]

10) processing relates to personal data published by the data subject him/herself. [24.10.2002]

Section 12.  

Personal data, relating to criminal actions, previous conviction in criminal cases, court proceedings in criminal cases or closed court sessions on civil cases, shall only be allowed for processing by persons and in cases provided by the law.

[24.10.2002]

Section 13.  

(1) A system controller is obliged to disclose personal data in cases provided for by law to officials of State and local government institutions. The system controller shall disclose the personal data only to such officials of the State and local government institutions as he or she has identified prior to the disclosure of such data.

(2) Personal data may be disclosed on the basis of a written application or agreement, stating the purpose for using the data, if not prescribed otherwise by law. The application for personal data shall set out information as will allow identification of the applicant for the data and the data subject, as well as the scope of the personal data requested.

(3) The personal data received may be used only for the purposes for which they are intended.

Section 13^1.

Personal identity (classification) numbers shall only be allowed for processing when :

1) consent of the data subject is obtained;

2) processing of personal identity (classification) numbers follows from the purpose of personal data processing;

3) processing of personal identity (classification) numbers is necessary for provision of further anonymity of the data subject;

4) written permit from the State Data Inspection is obtained. [24.10.2002]

Section 14.  

(1) A system controller may entrust personal data processing to a personal data processor provided a written contract is entered into between them.

(2) A personal data operator may process personal data entrusted to him / her only within the scope determined in the contract and in accordance with the purposes therein provided and directions of a system controller if such doe not contradict regulatory enactments. [24.10.2002]

(3) Prior to commencing personal data processing, a personal data processor shall perform safety measures determined by the system controller for the protection of the system in accordance with the requirements of this Law.

Chapter III

Rights of a Data Subject

Section 15.  

(1) In addition to the rights mentioned in Sections 8 and 9 of this Law, a data subject has the right to obtain all information that has been collected concerning himself or herself in any system for personal data processing, unless the disclosure of such information is prohibited by law in the sphere of national security, defense and criminal law. [24.10.2002]

(2) A data subject has the right to obtain information concerning those natural or legal persons who within a prescribed time period have received information from a system controller concerning this data subject. In the information to be provided to the data subject, it is prohibited to include State institutions, which administer criminal procedures, investigating operations authorities or other institutions concerning which the disclosure of such information is prohibited by law.

(3) A data subject also has the right to request the following information:

1) the designation, or name and surname, and address of the system controller;

2) the purpose, scope and method of the personal data processing;

3) the date when the personal data concerning the data subject were last rectified, deleted or blocked; [24.10.2002]

4) the source from which the personal data were obtained unless the disclosure of such information is prohibited by law; and

5) the processing methods utilised for the automated processing systems, concerning the application of which individual automated decisions are taken.

(4) A data subject has the right, within a period of one month from the date of submission of the relevant request (not more frequently than two times a year), to receive the information specified in this Section in writing free of charge.

Section 16.  

(1) A data subject has the right to request that his or her personal data be supplemented or rectified, as well as that their processing be suspended or that the data be destroyed if the personal data are incomplete, outdated, false, unlawfully obtained or are no longer necessary for the purposes for which they were collected. If the data subject is able to substantiate that the personal data included in the personal data processing system are incomplete, outdated, false, unlawfully obtained or no longer necessary for the purposes for which they were collected, the system controller has an obligation to rectify this inaccuracy or violation without delay and notify third parties who have previously received the processed data of such.

(2) If information has been retracted, a system controller shall ensure the accessibility of both the new and the retracted information, and that the information mentioned is received simultaneously by recipients thereof..

Section 17.

Section 15 and 16 of this Law are not applicable if the processed data are used only for the needs of scientific and statistical research or for establishment of the Latvia State Archives Fund in accordance with  regulatory enactments and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject. [24.10.2002]

Section 18.  

 If the data subject disputes an individual decision which is taken only on the basis of automatically processed data and is creating, altering, fixing or terminating legal relations, a system controller shall be liable to review it. A system controller may reject revision of such decision if the latter was taken basing on the law or a contract made with the data subject.

[24.10.2002]

Section 19.  

A data subject has the right to object to the processing of his or her personal data if such will be used for commercial purposes.

Section 20.  

A data subject has the right to appeal to the State Data Inspection the refusal of a system controller to provide the information mentioned in Section 15 of this Law or perform the activities mentioned in Section 16 of this Law.

Chapter IV

Registration and Protection of a Personal Data Processing System

Section 21.  

(1) All State and local government institutions, and other natural persons and legal persons which carry out or wish to commence carrying out personal data processing, and establish systems for personal data processing, shall register such in accordance with the procedures prescribed in this Law unless otherwise prescribed by law.

(2) Registration procedure specified in the present Law shall not apply to personal data processing for the needs of bookkeeping and registration of staff unless personal data are accumulated in electronic form, as well as to personal data processing systems established by religion organizations of confessions mentioned in the Civil Law. [24.10.2002]

Section 22.  

(1) The institutions and persons mentioned in Section 21 of this Law which wish to commence personal data processing and establish a system for personal data processing shall submit an application for registration to the State Data Inspection which includes the following information:

1) the designation (name and surname), registration code, address and telephone number of the institution or person (system controller);

2) the name, surname, personal identity number, address and telephone number of a person authorised by the system controller;

3) the legal basis for the operation of the personal data processing system;

4) the type of personal data to be included in the system, the purposes for which it is intended and the scope of personal data to be processed;

5) the categories of data subjects;

6) the categories of recipients of personal data;

7) the intended method of personal data processing;

8) the planned method of obtaining personal data and a mechanism for the control of their quality;

9) other data processing systems which will be connected with the system to be registered;

10) what personal data connected systems will be able to obtain from the system to be registered, and what data the system to be registered will be able to obtain from connected systems;

11) the method for transferring data from the system to be registered to another system;

12) the identification codes of natural persons as will be used by the system to be registered;

13) the method for exchanging information with the data subject;

14) the procedures whereby a personal data subject is entitled to obtain information concerning himself or herself and other information mentioned in Sections 8 and 9 of this Law;

15) the procedures for supplementing and updating of personal data;

16) technical and organisational measures ensuring the protection of personal data; and

17) what personal data will be transferred to other states.

(2) The State Data Inspection evaluates and specifies personal data processing systems where a pre-registration examination has to be made. [24.10.2002]

(3) When registering a personal data processing system, the State Data Inspection shall issue a certificate of registration of the personal data processing system to a system controller or to a person authorised by him or her.

(4) Prior to changes being made to the information mentioned in Paragraph one of this Section, they shall be registered in the State Data Inspection.

Prior to making amendments to the personal data processing system, such amendments have to be filed with the State Data Inspection in cases when changes are made of:

1) the system controller or personal data operator;

2) location of personal data processing system;

3) types of personal data or purpose of the personal data processing;

4) holder of information  resources or technical resources, as well as person-in-charge of security of information system;

5) data processing systems wherewith the corresponding system is linked;

6) type of personal data processing;

7) types of personal data which will be transfered to other countries. [24.10.2002]

(5) Should changes take place in technical and organizational means for protection of the personal data processing system which essentially influence protection of the system, then information thereon has to be submitted to the State Data Inspection within one year. [24.10.2002]

(6) For each registration of personal data processing system or each registration of amendments mentioned in part four of this Section, a  state fee has to be collected in accordance with  procedure and amount established by the Cabinet of Ministers. [24.10.2002]

Section 23.  

The State Data Inspection may refuse to register a personal data processing system, if:

1) all of the information mentioned in Section 22 of this Law is not submitted; or

2) on inspection of the personal data processing system, violations are determined.

Section 24.  

(1) The State Data Inspection shall include the information mentioned in Section 22 of this Law (except for information mentioned in paragraph 16 of same Section) in the register of personal data processing systems. The register is a component part of national information system.

(2) Information concerning the registered personal data processing systems shall be published in accordance with the procedures prescribed in regulatory enactments.

Register mentioned in part one of this Section shall not include information on registered personal data processing systems, activity of which is governed by the Law on Official Secrets and the Law on Operative Activity.

[24.10.2002]

Section 25.  

(1) A system controller and a personal data operator have an obligation to apply the necessary technical and organisational measures to protect personal data and prevent their illegal processing. [24.10.2002]

(2) A system controller shall control the form of personal data entered in the personal data processing system and the time of recording and is responsible for the actions of persons who carry out personal data processing.

Section 26.  

(1) The mandatory technical and organisational requirements for the protection of personal data processing systems shall be determined by the Cabinet.

(2) Each year government and local government institutions shall submit to the State

Data Inspection an opinion on internal audit of personal data processing systems (including system risk analysis, as well) and a report on measures taken in the sphere of information security. [24.10.2002]

Section 27.  

(1) Natural persons involved in personal data processing shall make a commitment in writing to preserve and not, in an unlawful manner, disclose personal data. Such persons have a duty not to disclose the personal data even after termination of legal employment or other contractually specified relations.

(2) A system controller is obliged to record the persons mentioned in Paragraph one of this Section.

(3) When processing personal data, a processor of the personal data shall comply with the instructions of the system controller.

Section 28.  

(1) Personal data may be transferred to another state if that state ensures a level of data protection corresponding to the relevant level of the data protection effective in Latvia. [24.10.2002]

(2) Exceptions from compliance with the requirements of Paragraph one of this Section are allowed if a system controller undertakes to perform supervision over fulfilment of relevant protective measures and at least one of the following conditions is met: [24.10.2002]

1) the data subject has given consent to the transfer of the data to another state;

2) the transfer of the data is required to fulfil an agreement between the data subject and the system controller, or the personal data are required to be transferred in accordance with contractual obligations or also, considering request of the data subject, transfer of data is necessary for conclusion of a contract; [24.10.2002]

3) the transfer of the data is required and requested, pursuant to prescribed procedures, in accordance with significant state or public interests, or is required for judicial proceedings;

4) the transfer of the data is necessary to protect the life and health of the data subject; or

5) the transfer of the data concerns such personal data as are public or have been accumulated in a publicly accessible register.

(3) The State Data Inspection performs evaluation of personal data protection level in accordance with part one of this Section and gives a written consent for transfer of personal data. [24.10.2002]

Section 29.  

(1) Supervision over personal data protection shall be carried out by the State Data Inspection which shall be under jurisdiction of the Ministry of Justice, shall be acting independently in execution of functions provided in Law, shall make decisions and issue administrative acts in accordance with  the law. The State Data Inspection shall be an institution of state administration, functions, rights and duties of which shall be established by the law. The State Data Inspection shall be managed by a director who shall be appointed and released from his or her position by the Cabinet pursuant to the recommendation of the Minister for Justice. [24.10.2002]

(2) The State Data Inspection shall act in accordance with by-laws approved by the Cabinet. Every year the State Data Inspection shall submit a report on its activities to the Cabinet and shall publish it in the newspaper Latvijas Vetsnesis .

(3) The duties of the State Data Inspection in the field of personal data protection are as follows:

1) to ensure compliance of personal data processing in the State with the requirements of this Law;

2) to take decisions and review complaints regarding the protection of personal data;

3) to register personal data processing systems;

4) to propose and carry out activities aimed at raising the efficiency of personal data protection and submit reports on compliance of personal data processing systems created by government and local government institutions with requirements of regulatory enactments; [24.10.2002]

5) together with the Office of the Director General of the State Archives of Latvia, to decide on the transfer of personal data processing systems to the State archives for preservation thereof;

6) accredit persons wishing to perform system auditing of personal data processing systems of government and local government institutions in accordance with  procedure established by the Cabinet of Ministers. [24.10.2002]

(4) In the field of personal data protection, the rights of the State Data Inspection are as follows:

1) in accordance with the procedures prescribed by regulatory enactments, to receive, free of charge, information from natural persons and legal persons as is necessary for the performance of functions pertaining to inspection;

2) to perform inspection of a personal data processing system; [24.10.2002]

3) to require that data be blocked, that incorrect or unlawfully obtained data be erased or destroyed, or to order a permanent or temporary prohibition of data processing; and

4) to bring an action in court for violations of this Law.

5) cancel a certificate of personal data processing registration if violations were established when inspecting the personal data processing system; [24.10.2002]

6) impose administrative punishments for violations in personal data processing in accordance with  procedure provided by the law; [24.10.2002]

7) carry out inspection with the purpose to determine compliance of personal data processing with requirements of regulatory inactments in cases when the law bars the system controller from information delivery to the data subject and the corresponding application was received from the data subject. [24.10.2002]

Section 30.  

(1) In order to perform the duties mentioned in Section 29, Paragraph three of this Law, the director of the State Data Inspection and employees of the State Data Inspection authorised by the director have the right: [24.10.2002]

1) to freely enter any non-residential premises where personal data processing systems are located, and in the presence of a representative of the system controller carry out necessary inspections or other measures in order to determine the compliance of the personal data processing procedure with law;

2) to require written or verbal explanations from any natural or legal person involved in personal data processing;

3) to require that documents are produced and other information is provided which relate to the personal data processing system being inspected;

4) to require inspection of a personal data processing system, or of any facility or information carrier of such, and to determine that an expert examination be conducted regarding questions subject to investigation;

5) to request assistance of officials of law enforcement institutions or other experts, if required, in order to ensure performance of its duties; [24.10.2002]

6) to prepare and submit materials to law enforcement institutions in order for offenders to be held to liability, if required;

7) make up a report on administrative violation in personal data processing. [24.10.2002]

(2) The officials of the State Data Inspection involved in registration and inspections shall ensure that the information obtained in the process of registration and inspections is not disclosed, except information accessible to the general public. Such prohibition shall also remain in effect after the officials have ceased to fulfil their official functions.

Section 31.  

Decisions by the State Data Inspection may be appealed to a court.

 If, in violating this Law, harm or losses have been caused to a person, he or she has the right to receive commensurate compensation.

Transitional provisions

1. Chapter IV of this Law, “Registration and Protection of a Personal Data Processing System”, shall come into force on January 1, 2001.

2. The institutions and persons mentioned in Section 21 of this Law, which have commenced operations before the coming into force of this Law, shall register with the State Data Inspection by March 1, 2003. After expiry of this term, unregistered systems shall cease operations. [24.10.2002]

3. Amendments to Section 4 shall come into force with July 1, 2003 while amendments to Part one of Section 29 shall come into force with January 1, 2004. [24.10.2002]

4. Personal data processing systems until now not obliged by the law to be registered with the State Data Inspection shall be registered until July 1, 2003. [24.10.2002]

This Law has been adopted by the Saeima on 23 March 2000.

President

V. Vike-Freiberga

Riga, 6 April 2000