Page 1

Publisher: Saeima

Posted:

Type: law

Latvijas Vēstnesis, 132,

Accepted: 21.06.2018.

07/04/2018

Effective: 05.07.2018.

OP number: 2018 / 132.1

Displayed version: 04.06.2021. - ...

Amendments:
5/23/2019 Law / LV, 108, 30.05.2019. / Effective 31.05.2019.
06.05.2021. Law / LV, 97, 21.05.2021. / Enters into force 04.06.2021.

The Saeima has adopted and the State
the President promulgates the following law:

Personal Data Processing Law

Chapter I.
General terms

Article 1. Terms used in the law
The law uses Regulations (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on natural persons
protection of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General
Data Protection Regulation) (hereinafter referred to as the Data Regulation).

Article 2 Purpose of the law
The purpose of the law is to create legal preconditions for the protection of personal data (hereinafter - data) systems
at the national level, providing for the necessary institutions for this purpose, determining their competence and activities
basic principles, as well as regulating the activities of data protection specialists and data processing and free movement
rules.

Chapter II
Tasks and status of the State Data Inspectorate

Article 3. Data State Inspectorate
(1) The Data State Inspectorate (hereinafter - Inspectorate) is a direct administrative institution under the supervision of the Cabinet,
which is a data supervisory authority within the meaning of the Data Regulation and performs the tasks specified in the Data Regulation and this Law
processing.
(2) The purpose of the activities of the Inspectorate is to protect fundamental human rights and freedoms in the field of data protection.
(3) The Inspectorate is independent in its activities.
(4) The employees of the Inspectorate shall make decisions independently on the basis of their convictions and laws, observing

1/14

Page 2

equality of persons before the law and the courts, the presumption of innocence, truth and legality.
(5) The Cabinet shall exercise institutional supervision through the Minister of Justice. Monitoring does not apply to
the implementation of the tasks and rights assigned to the inspectorate, as well as the internal organization of the inspection, including
the issuance of internal regulatory enactments, preparation of inquiries and decisions which apply to the employees of the Inspectorate
(eg decisions on recruitment, dismissal, transfer and coordination of staff,
secondment, initiation, examination and application of disciplinary measures).
(6) The Inspectorate shall be financed from the State budget.
(7) The Inspectorate has a state budget account in the Treasury, a stamp with the image of the supplemented small state coat of arms and a full
the name of the inspection.

Article 4. Inspection tasks
(1) The Inspectorate shall perform the tasks specified in Article 57 of the Data Regulation, as well as the following tasks:
1) monitor the compliance of data processing with the requirements of regulatory enactments, also in cases where the controller is prohibited by law
to provide information to the data subject and a relevant submission has been received from the data subject;
2) promote the effectiveness of data protection;
3) ensure the data protection certification procedure;
4) ensure the qualification examination of data protection specialists and maintain the person who has passed the qualification examination
a list of data protection specialists;
5) in accordance with its competence, provide to the Saeima, the Cabinet of Ministers, local governments and other institutions
recommendations for the issuance or amendment of legislation, as well as participate in regulatory and development
in the development of draft planning documents and provides an opinion regarding the regulatory enactments prepared by other institutions and
draft development planning documents;
6) provide opinions regarding the compliance of data processing systems to be developed in public administration institutions with regulatory enactments
requirements;
7) provide an opinion to the national accreditation body regarding the compliance of the certification body with Article 43 of the Data Regulation.
and the inspection requirements established in accordance with Article 43 (3) of the Data Regulation; and
criteria;
8) cooperate with foreign data protection, information openness and availability monitoring and commercial
the supervisory authorities of the prohibition on sending a notification;
9) ensure that the data subject's request for information about himself or herself is forwarded to the European Judicial Cooperation Unit
unit (Eurojust) and the European Police Office (Europol);
10) represent the Republic of Latvia in international organizations and events in the field of data protection;
11) carry out research, analyze the situation, provide recommendations and opinions, as well as inform the public about current events
issues in their areas of competence;
12) perform the tasks specified in other regulatory enactments.
(2) The Inspectorate shall publish on its website information regarding legal persons in public law, their institutions and
violations of the requirements of the data regulation committed by officials, as well as other state institutions and the prevention thereof.

Article 5. Inspection rights
(1) The Inspectorate has the rights specified in Article 58 of the Data Regulation, as well as the following rights:
1) to perform an inspection of data processing (hereinafter - inspection) in order to determine the compliance of data processing with regulatory enactments
2/14

Page 3

requirements;
2) to carry out administrative violation proceedings;
3) in accordance with its competence, to request and receive free of charge from private persons in the specified amount and form,
public administration institutions and officials the information, documents or copies thereof necessary for inspection
and other materials, including restricted information;
4) to visit public administration institutions and legal and natural persons located in the territory of Latvia
production premises, warehouses, trade and other premises owned or used or used by them
non-residential premises in order to verify the compliance of the activities of the manager with regulatory enactments within the scope of its competence
requirements;
5) in accordance with their competence, to freely get acquainted with everything in the registers, information systems and databases
types of information and access it (regardless of the ownership of the information) in order to obtain the information needed for verification
information;
6) in accordance with its competence, to request and receive the information, documents and others necessary for the inspection
materials regarding the services provided to persons;
7) within the framework of the inspection, request and receive the opinion of an independent and objective expert;
8) in co-operation with other supervisory authorities and considering complaints of non-residents, provide answers in English;
9) to submit a claim to a court regarding violations of this Law or the Data Regulation.
(2) The powers of inspection officials shall be confirmed by a service certificate.
(As amended by the Law of 06.05.2021 , which enters into force on 04.06.2021. )

Chapter III
Organization of inspection activities

Article 6. Director of Inspection
(1) The Inspectorate shall be managed and represented by its director . The director of the Inspectorate has a commission established by the Cabinet of Ministers
on the recommendation for a term of five years appointed by the Cabinet. The same person may not be the director of the inspection
more than two consecutive terms.
(2) The director of the Inspectorate shall:
1) perform the functions of the head of a direct administrative institution specified in the State Administration Structure Law ;
2) establish advisory councils, as well as working groups for the evaluation of issues in the areas of competence of the Inspectorate;
3) participate in the meeting of State Secretaries, the Cabinet Committee and the Minister with the rights of an adviser
cabinet meetings;
4) appoint and dismiss officials and employees of the Inspectorate;
5) approve the regulations of the inspection;
6) determine the positions of officials and employees in the Inspectorate.
(3) The Cabinet shall announce an open competition for the position of the director of the Inspectorate, shall be determined by the Director of the Inspectorate
the conditions and procedure for the application of candidates for the position, as well as the procedure for the selection and evaluation of applicants.
(4) The selection of candidates for the position of the Director of the Inspectorate shall be performed by a commission headed by the Director of the State Chancellery. Commissions
consists of the Director of the State Chancellery, the Minister of Justice, the Ombudsman and the Chief of the Security Police. Inspections
no more than three such associations and foundations shall take part in the selection of candidates for the post of director in an advisory capacity;
3/14

Page 4

authorized representatives working in the field of human rights or data protection.
(5) The functions of the secretariat of the Commission shall be provided by the State Chancellery.
(6) The Director of Inspection is not subject to the provisions of other regulatory enactments regarding the activities of the head of an institution and its activities
evaluation of results, suspension and disciplinary liability, as well as the independence of the director of another inspectorate
restrictive legal provisions.

Article 7. Requirements for the Director of Inspection
The director of the Inspectorate may be a person who complies with the mandatory requirements for a civil servant specified in the State Civil Service Law
job requirements and:
1) has an impeccable reputation;
2) speaks at least two foreign languages;
3) has acquired data of professional qualifications and practical work experience appropriate for the performance of inspection tasks
defense and leadership;
4) is entitled to receive a special permit for access to a state secret;
5) has not acquired the status of a debtor in accordance with the Maintenance Guarantee Fund Law ;
6) to whom the insolvency proceedings of a natural person have not been declared or have passed since the date of termination thereof
five years.

Article 8. Termination of office of the Director of Inspection
The powers of the Director of Inspection shall terminate without special decision:
1) within one month from the day when he or she has submitted an application to the Cabinet regarding resignation from office;
2) upon expiry of the term of office specified by law;
3) upon entry into force of a ruling by which he or she has been punished for an intentional criminal offense;
4) due to his death.

Article 9. Dismissal of the Director of Inspection
(1) The Cabinet shall release the director of the Inspectorate from office before the expiry of his or her term of office if he or she:
1) has been elected or appointed to a position which is incompatible with the position of the director of the Inspectorate;
2) in the performance of his or her duties, has committed an intentional offense or negligence and has thus caused significant damage
country or person;
3) has not complied with the restrictions specified in the Law " On Prevention of Conflict of Interest in the Activities of State Officials "
and prohibitions and thus caused harm to the state or a person;
4) does not comply with the requirements set for the position of the director of the Inspectorate;
5) is unable to perform the duties of the position due to a state of health;
6) fails to perform his or her duties without a justifiable reason.
(2) The issue regarding the dismissal of the director of the Inspectorate upon the proposal of the Minister of Justice shall be evaluated by this Law
4/14

Page 5

Article 6 ce turtajā part of the commission. If the commission establishes that any of the provisions of Paragraph one of this Section exists
grounds for dismissal of the director of the Inspectorate, it shall prepare a relevant decision and send it to the Cabinet.
The procedure for the establishment, operation and decision-making of the Commission shall be determined by the Cabinet.

Article 10. Suspension of the powers of the Director of Inspection
(1) If a security measure related to deprivation of liberty has been applied to the director of the inspection or has been initiated against him or her
prosecution, the Minister of Justice suspends his powers until the acquittal takes effect
in the relevant criminal case or the criminal proceedings against him are terminated on a rehabilitative basis.
(2) During the period of suspension of the term of office of the director of the Inspectorate, the minimum monthly salary specified in the state shall be paid to him or her.
(3) If the director of the Inspectorate is found guilty of committing a criminal offense in accordance with the procedures prescribed by law, his or her
shall be deemed to have been removed from office with the date of suspension and remuneration for the period of suspension
does not pay. If the director of the inspectorate is acquitted or the criminal proceedings against him are terminated, he shall be paid
payment for the period of suspension of powers, unless there is another basis for dismissal specified in this Law.
(4) If criminal proceedings against the Director of Inspection are terminated on a non-rehabilitative basis, the issue of his
dismissal from office shall be evaluated by the commission referred to in Section 6, Paragraph four of this Law .

Article 11. Deputy Director of Inspection
(1) The deputy director of the Inspectorate shall be appointed by the Director of the Inspectorate.
(2) During the absence of the director of the Inspectorate, his or her duties shall be performed by the Deputy Director of the Inspection, and during this time
have the same powers as the Director of Inspections.
(3) In the cases provided for in Sections 8 , 9 and 10 of this Law , the Deputy Director of the Inspectorate shall act as the Director of the Inspectorate
duties until the Cabinet approves a new Director of Inspection or the Minister of Justice
renew the powers of the Director of Inspection. To date, the Deputy Director of Inspection has the same powers as
the Director of the Inspectorate.

Article 12. Inspection regulations
Inspection structure, internal operating rules, internal control system and its supervision, decision
the procedure for pre-inspection and post-inspection, as well as the content and form of the service card of an inspection official shall be regulated
inspection regulations. It is approved by the Director of the Inspectorate and published on the Inspectorate's website.

Article 13 Activity reports
Once a year, by 1 March, the Inspectorate submits an activity report to the Saeima, the Cabinet of Ministers, the Supreme Court,
European Commission and the European Data Protection Board and shall place it on its website.

Article 14. Prohibition of disclosure and obligation to provide information
(1) It is prohibited for employees employed by the Inspectorate, as well as experts invited by the Inspectorate to disclose information
(excluding publicly available information) obtained in connection with the performance of inspection tasks. This prohibition is
shall remain in force even after the termination of service or employment.
(2) When handing over information related to the performance of a task to an expert, the Inspectorate shall warn him or her of the prohibition to disclose it.
and the liability specified in regulatory enactments for unlawful disclosure of information.
(3) The Inspectorate shall inform the controller or processor regarding the involvement of the expert and the information provided to the expert.

Chapter IV
Procedures for carrying out inspections
5/14

Page 6

Article 15. Verification
(1) The inspection shall cover all types of activities carried out by the inspectorate to verify the compliance of the data processing with the Data Regulations and the
the requirements of other regulatory enactments, including a visit to a data processing site, obtaining information using all
legal methods and other necessary actions.
(2) Within the framework of the inspection, before visiting the data processing site, the Inspectorate shall inform the controller regarding the planned
the purpose, time and place of the visit and request the presence of an authorized representative of the controller. Authorized representative of the controller
non-presence is not an obstacle to the inspection.
(3) Within the framework of an inspection, inspection officials have the right in the presence of an authorized representative or employee of the manager
to visit the place of data processing, presenting a service card and informing about the subject and purpose of the inspection.
(4) Upon commencing the procedural activities specified in Paragraph one of this Section, the inspection official shall inform the controller or
authorized representatives and employees of the processor regarding their rights.
(5) In order to determine restricted access information for the information to be provided to the Inspectorate or any part thereof
status, the information provider shall specify the relevant documents and the determination of the relevant status
justification of the need.
(6) If the provider of information has not complied with the requirements of Paragraph five of this Section or a proposal for the specific information
to determine the status of restricted access information is unreasonable, the Inspectorate shall notify the information provider thereof.
(7) If the deficiencies referred to in Paragraph six of this Section are not eliminated within seven days from the notification of the inspection
the date of receipt, the information provided in accordance with the procedures specified in the Law on Information Transparency may be protected only as
information for the internal use of the institution. The Inspectorate shall notify the information provider thereof.
(8) The Inspectorate may request that a person whose information it is necessary to determine restricted access
the status of the information, a copy of the publicly available information, which shall not be included, shall be attached to that information
limited access information.

Article 16. Procedural protocol
(1) Officials of the Inspection of Procedural Activities specified in Section 15 of this Law shall be recorded in the protocol of procedural activities.
(2) The following shall be indicated in the protocol of procedural activities:
1) place and date of operation;
2) the legal basis for the activity;
3) the time when the activity has been started and completed;
4) the position, given name and surname of the performers of the activity;
5) the position, given name and surname of the recorder;
6) the position, given name and surname of the person - participant in the activity;
7) the course of activities and the established facts;
8) documents obtained in the course of the activity.
(3) Documents obtained in the course of procedural activities shall be appended to the minutes.
(4) A performer of a procedural activity shall acquaint the persons who participated in the relevant activity with the procedural activities
the content of the minutes and the annexes. Corrections and additions proposed by persons shall be recorded in the protocol of procedural activities.
(5) The protocol of the procedural activity as a whole and each page thereof shall be signed by the performer of the procedural activity,
6/14

Page 7

the recorder and all persons who participated in the activity. Only the protocol as a whole is electronically signed. Yes
the person refuses to sign, this shall be noted in the minutes, indicating the reason for the refusal.
(6) The performer of a procedural act shall issue a copy of the protocol to the person against whom the inspection has been initiated.

Chapter V.
Data protection specialist
Article 17. Requirements for a data protection specialist
The duties of a data protection officer may be performed by a person who complies with Article 37 (5) of the Data Regulation
criteria set out in The controller or processor may designate a person as data protection officer who shall:
is included in the list of inspection data protection specialists or another person in accordance with the procedures prescribed by law.

Article 18. List of data protection specialists
(1) In order to identify the data protection professionals who have passed the qualification examination and to ensure that:
information on data protection specialists is available, the Inspectorate maintains a list of data protection specialists.
Only those persons who have passed the qualification examination shall be included in the list of data protection specialists.
(2) The following data regarding a person shall be included in the list of data protection specialists:
1) given name, surname and personal identification code;
2) the date when the person is included in the list of data protection specialists;
3) electronic mail address.
(3) The data protection specialist shall immediately notify the Inspectorate in writing regarding the established errors and
amendments to the list of data protection specialists concerning him.
(4) The list of data protection specialists (except for the personal identification code) is publicly available on the website of the Inspectorate.
(5) The Cabinet shall determine the procedure for maintaining the list of data protection specialists.

Article 19 Data protection specialist qualification exam
(1) The qualification examination of a data protection specialist shall be organized by the Inspectorate.
(2) If a person passes the qualification examination of a data protection specialist, the director of the Inspectorate shall make a decision
on its inclusion in the list of data protection specialists.
(3) The procedure for application of applicants, the content of the qualification examination, the procedure for assessment and assessment, the fee for
the passing of the qualification examination and the procedure for the collection thereof, as well as the requirements for the maintenance of the professional qualification
determined by the Cabinet.

Article 20. Exclusion from the list of data protection specialists
(1) A data protection specialist shall be excluded from the data protection specialist in accordance with a decision of the director of the Inspectorate
list if:
1) he or she has submitted a relevant written request to the Inspectorate;
2) the court has established guardianship for him or her;
3) he or she has been deprived of the right to work as a data protection specialist by a court judgment or otherwise determined
7/14

Page 8

restrictions which prevent the performance of the relevant professional duties;
4) he or she is dead or has been declared missing;
5) he or she has not complied with the requirements provided for in the regulations of the Cabinet for the maintenance of professional qualifications.
(2) A person who has been excluded from the list of data protection specialists in accordance with Paragraph one, Clauses 1, 2 or 3 of this Section.
may be requested to be reinstated and re - entered by the inspectorate in the list of data protection specialists, if any
the reasons why the person was removed from the list have been eliminated. Data protection specialist qualification exam
for such a person if, from the date on which he or she was removed from the list of data protection specialists,
at least two years.

Chapter VI
Certification and Code of Conduct Monitoring Bodies

Article 21. Accreditation of the certification body
(1) The certification body shall be assessed, accredited and accredited in accordance with Article 43 (1) (b) of the Data Regulation
supervised by the national accreditation body in accordance with the regulatory enactments regarding conformity assessment and in accordance with
inspection requirements and criteria set out in Article 43 (3) of the Data Regulation.
(2) A certification body shall be accredited if an inspection opinion has been received regarding the compliance of the certification body with the data
the requirements of Article 43 (2) of the Regulation and the inspection requirements established in accordance with Article 43 (3) of the Data Regulation
and criteria.
(3) The national accreditation body within five working days after the accreditation of the certification body, accreditation
suspension or revocation of accreditation shall send to the Inspectorate the information referred to in Paragraph four of this Section regarding the certification
institution.
(4) The Inspectorate shall publish and update the following information regarding the certification authority on its website:
1) the name;
2) registration number;
3) contact information (legal address, telephone number, e-mail address);
4) the date and term for granting accreditation;
5) the date and term of suspension of accreditation;
6) the date of revocation of accreditation.
(5) In the case of changes in the information referred to in Paragraph four, Clause 1, 2 or 3 of this Section, the national accreditation
the authority shall, within five working days, inform the Inspectorate regarding changes in the information regarding the certification authority. Inspection of five
update the relevant information on its website within working days of receiving the information.
(6) Criteria and requirements for the accreditation of certification bodies referred to in Article 43 (3) of the Data Regulation and data
the criteria for issuing the certificate referred to in Article 42 (5) shall be approved by the Director of Inspection and no later than three
published on the inspection website within working days of the date of approval.
(7) The Inspectorate has the right to perform a certification procedure and issue a data certificate if no institution exists
accredited.

Article 22 Accreditation of the Code of Conduct Authority
(1) The Inspectorate shall issue a license for a period of five years in accordance with Article 41 (1) of the Data Regulation
a supervisory body that has appropriate knowledge of the subject matter of the code of conduct and monitors compliance with the code.
8/14

Page 9

(2) The Cabinet shall determine the requirements for the receipt of a license of a code of conduct supervisory institution, as well as
the procedures and cases for the issue, suspension and revocation of a license.
(3) The supervisory authority of a code of conduct shall pay a state fee for the issue of a license. The amount of the state fee
and the procedure for payment shall be determined by the Cabinet.
(4) The Inspectorate shall publish and update the following information regarding the supervisory authority of the Code of Conduct on its website:
1) the name;
2) registration number;
3) contact information (legal address, telephone number, e-mail address);
4) the date of granting the license;
5) the date of suspension or revocation of the license.
(5) In the event of changes in the information referred to in Paragraph four, Clauses 1, 2 or 3 of this Section, the Code of Conduct
the supervisory authority shall, within five working days after the entry into force of the changes, submit to the Inspectorate an application regarding
changes. The Inspectorate shall, within five working days after receipt of the application, update the relevant information in its own
website.

Chapter VII
Procedures for making, contesting and appealing decisions

Article 23 Decision-making
The Inspectorate, in taking the decisions set out in Article 58 of the Data Regulation, regarding the imposition of a legal obligation
the Administrative Procedure Law and, in relation to administrative penalties, the administrative violation procedure shall apply
regulatory enactments, insofar as this Law and the Data Regulation do not provide otherwise.
(As amended by the Law of 06.05.2021 , which enters into force on 04.06.2021. )

23 1 Article. Deadline for decision making in the administrative process
(1) The Inspectorate shall make a decision within six months from the date of initiation of the case.
(2) If due to objective reasons it is not possible to observe the six-month term, the Inspectorate may extend it temporarily until
for one year, counting from the date of initiation of the case.
(3) If a long-term establishment of facts is required in the case , as well as it is necessary to apply the consistency mechanism
in accordance with the provisions of Article 60 or 63 of the Data Regulation, the Inspectorate may, by reasoned decision, extend the decision
the time limit for acceptance in administrative proceedings for a period not exceeding two years from the date of initiation of the case.
(In the wording of the Law of 06.05.2021 , which enters into force on 04.06.2021 . )

Article 24 Contestation and appeal of inspection decisions
(1) An administrative act or actual action issued by an official of the Inspectorate may be contested in the Administrative Procedure
in accordance with the procedures prescribed by law, by submitting a relevant application to the Director of the Inspectorate.
(2) An administrative act or actual action issued by the Director of the Inspectorate may be appealed against the Administrative Procedure Law
the procedures specified. An appeal against an administrative act of the Director of the Inspectorate shall not suspend its operation.

Chapter VIII
9/14

Page 10

Data processing and data subject 's rights
Article 25 General rules on data processing
(1) Processing of data is permitted if there is at least one of the grounds set out in Article 6 (1) of the Data Regulation. Data
the requirements of Article 6 (2) and (3) of the Regulation concerning the processing to be carried out in order to comply with the data subject's obligations
a legal obligation, a task performed by the controller in the public interest or to be lawfully exercised by the controller
official powers have been granted are specified in the regulatory enactments regulating the relevant field.
(2) Data revealing the racial or ethnic origin, political opinions, religious or philosophical background of a natural person
belief or membership of trade unions, and genetic data, biometric data
for the unique identification of a person, health data or data on the sexual life or sexual orientation of a natural person
processing is permitted if there is at least one of the grounds set out in Article 9 (2) of the Data Regulation or the processing
provided for in an external regulatory act in accordance with Article 9 (4) of the Data Regulation.
(3) The processing of data shall respect the principles of data processing set out in Article 5 of the Data Regulation, including those which stipulate that the data
obtained for specific, clear and legitimate purposes and only to the extent necessary for the purposes of the processing.
to achieve. Processing of data for a purpose other than that for which the data were originally obtained is permitted if such data
the processing is not prohibited and is one of the grounds for processing specified in the Data Regulation or the processing of data in accordance with the data
Regulation is compatible with the original purposes.
(4) Other data regulations, this Law and regulatory enactments regulating the relevant field shall also be observed in data processing
requirements.

Article 26 Restrictions on the rights of the data subject
(1) The rights of a data subject may also be restricted in other cases provided for in regulatory enactments which are not referred to in this
Articles 27 , 28 , 29 , 30 , 31 , 32 , 34 and 36 of the Law , pursuant to Article 23 of the Data Regulation.
(2) In accordance with the procedures specified in the Civil Procedure Law , a claim regarding the prevention of infringement if the infringement has arisen pursuant to data regulation.
infringement shall be brought no later than five years after the date on which the infringement occurred, but
long - from the date of termination of the infringement.

Article 27. Restriction of the data subject 's right of access
(1) The data subject is not entitled to receive the information specified in Article 15 of the Data Regulation if this information is prohibited
to disclose in accordance with regulatory enactments national security, national defense, public security and
criminal law in order to safeguard the financial interests of the public through tax protection
prevention of money laundering and terrorist financing or the supervision of financial market participants
the functioning of guarantee schemes, the application of resolution and macroeconomic analysis.
(2) Pursuant to Article 15 of the Data Regulation, the indication of the country is prohibited in the information to be provided to the data subject
institutions which are the facilitators of criminal proceedings or the subjects of operational activities and other institutions for which such
disclosure of information is prohibited by law.
(3) A data subject may receive information regarding the recipients or categories of recipients of his or her data to whom the data have been disclosed
in the last two years.

Article 28 Data processing in the official publication
(1) Articles 16, 17, 18, 19, 20 and 21 of the Data Regulation shall not apply if the processing is carried out in
regulatory enactments to ensure official publication.
(2) The publisher of the official publication shall delete the data published in the official publication on the basis of:
1) the decision of the inspection;
2) a reasoned decision of the controller confirming that the publication of these data in the official gazette does not comply with the data regulations
rules.
10/14

Page 11

(3) The Inspectorate may take a decision regarding the deletion of data published in the official gazette if the data subject 's right to
the invasion of privacy is greater than the public benefit from the invariability of the official publication.

Article 29 Data processing for statistical purposes
Where data are processed for statistical purposes, the rights of the data subject under Articles 15, 16, 18 and 21 of the Data Regulation
shall not apply in so far as they may prevent or substantially impede the attainment of the objectives in question and derogations are necessary for that purpose.
purposes.

Article 30. Processing of data for archiving purposes in the public interest
(1) Where data are processed for archiving purposes in the public interest in order to create, store, evaluate, store and
national documentary heritage, the data subject shall exercise the rights set out in Articles 15 and 16 of the Data Regulation
in accordance with the regulatory enactments regulating the field of archives.
(2) Where data are processed for archiving purposes in the public interest in order to create, store, evaluate, store and
use the national documentary heritage, the data subject's rights under Articles 18, 19, 20 and 21 of the Data Regulation
shall not apply in so far as they may prevent or substantially impede the attainment of the objectives in question and derogations are necessary for that purpose.
purposes.

Article 31 Processing of data for scientific or historical research purposes
Where data are processed for scientific or historical research purposes in the public interest, Articles 15, 16, 18 and
The rights of the data subject under Article 21 shall not apply to the extent that they may prevent or substantially impede the specific purpose.
and derogations are necessary to achieve those objectives.

Article 32. Data processing in relation to freedom of expression and information
(1) A person has the right to process data for the needs of academic, artistic or literary expression
in accordance with the provisions of regulatory enactments, as well as to process data for the needs of journalism, if this is done for the purpose
publish information of public interest.
(2) When processing data for journalistic purposes, the provisions of the Data Regulation (except Article 5) do not apply, if any
all the following conditions can be established:
1) data processing is carried out in order to exercise the right to freedom of expression and information, observing the right of a person to privacy
the interests of the data subject, which are in need of protection and which are more important, are not affected
for the public interest;
2) data processing is performed for the purpose of publishing information which affects the public interest;
3) compliance with the provisions of the data regulation is incompatible or prevents the exercise of the right to freedom of expression and information.
(3) When processing data for the purposes of academic, artistic or literary expression, the provisions of the Data Regulation
(with the exception of Article 5) shall not apply if all of the following conditions are met:
1) the processing of data is performed in compliance with the right of a person to privacy and such data subject is not affected
interests which require protection and which are more important than the public interest;
2) compliance with the provisions of the Data Regulation is incompatible or prevents the exercise of the right to freedom of expression and information.

Article 33 Conditions for the child 's consent to information society services
Where, in accordance with Article 8 of the Data Regulation, the direct provision of information society services requires data
consent of the data subject and the data subject is a child, his or her consent shall be considered as the basis for the processing of the data and the processing of his or her data.
processing is lawful if the child is at least 13 years old or if, in the case of a child under 13 years of age
age, consent has been given by his or her parent or legal guardian.

11/14

Page 12

Article 34 Data processing in the field of criminal law
Processing of data for initially unforeseen purposes in the field of criminal law is allowed:
1) in accordance with the regulatory enactments implementing the Directive of the European Parliament and of the Council of 27
Directive (EU) 2016/680 of 6 April 2016 on the protection of individuals with regard to the processing of personal data by the
competent authorities for the prevention, investigation, detection or prosecution of criminal offenses
the free movement of such data and repealing Council Framework Decision 2008/977 / JHA;
2) to use the data in administrative or civil proceedings, as well as a state institution authorized by law
in the activities of officials, in so far as it relates to the prevention, detection, investigation or prosecution of criminal offenses
prosecution, enforcement of criminal penalties, proceedings for proceeds of crime, medical and educational

coercive measures or coercive measures against legal persons or in force
the process and re-examination of rulings;
3) to prevent an immediate and significant threat to public security;
4) if the data subject has given consent to the processing of data.

Article 35. Rights of the data subject with regard to the processing of data by Eurojust and Europol
(1) A data subject has the right to submit a request to the Inspectorate regarding the processing of his or her data or regarding the processing of his or her data
inspection at Eurojust or Europol.
(2) Upon receipt of the request referred to in Paragraph one of this Section, the Inspectorate shall immediately, but not later than one month
forward the request to Eurojust or Europol, as the case may be, from the date of its receipt and inform it thereof
data subject.

Article 36. Video surveillance conditions
(1) The requirements of this Law and the Data Regulation do not apply to data processing performed by natural persons using
automated data recording devices for road, personal or household use. Traffic
It is prohibited to disclose the obtained records to other persons and institutions, except in cases when any of the following is established
the data processing grounds set out in the Data Regulation.
(2) The requirements of this Law and the Data Regulation do not apply to data processing performed by natural persons using
automated video surveillance devices for personal or household use. About data processing
large - scale surveillance of public space is not considered for personal or household purposes, or
cases where technical aids for structuring information are used.
(3) If the controller uses an information sign to inform data subjects regarding video surveillance, the said sign shall indicate:
at least the name of the controller, contact details, the purpose of the data processing, as well as an indication of the possibility to obtain other data
the information specified in Article 13 of the Regulation.

Article 37 Audit records
(1) For the purposes of this Section, audit records are records of information available for the analysis of certain events
system (eg data on access to the information system, data entry, modification, deletion and transmission).
(2) If the manager has an obligation to ensure the storage of system audit records, they shall not be stored
for more than one year after the making of the entry, unless the regulatory enactments or the nature of the processing provide otherwise.
(3) The controller has the right not to provide the data subject with the information referred to in Article 15 of the Data Regulation if he or she no longer has it
an audit trail in which the information requested by the data subject is available.
(4) The controller is not obliged to keep information in audit records only for the purpose of satisfying the data subject
demand.

12/14

Page 13

Chapter IX
Administrative breaches in the field of data protection and competence
in administrative infringement proceedings
(Chapter in the wording of the Law of 06.05.2021 , which enters into force on 04.06.2021. )

Article 38 Unlawful handling of personal data and failure of the controller or processor
(1) The following shall apply to any illegal activities of a legal person in public law with personal data
a warning or a fine to an official of up to two hundred fine units.
(2) The failure to perform the duties of a controller or processor in an institution of a legal person of public law shall apply
a warning or a fine to an official of up to two hundred fine units.
(In the wording of the Law of 06.05.2021 , which enters into force on 04.06.2021. )

Article 39. Competence in administrative infringement proceedings
Ad ministratīvā infringement process of this Law 38 of these violations by an inspectorate.
(In the wording of the Law of 06.05.2021 , which enters into force on 04.06.2021. )

Transitional provisions

1. With the entry into force of this Law, the Personal Data Protection Law ( Law of the Republic of Latvia
Saeima and Cabinet of Ministers Reporter, 2000, No. 9; 2002, No. 23; 2007, Nos. 3, 8; 2008, No. 7; 2009, No. 14; Latvia
Journal , 2010, No. 78 ; 2012, No. 104; 2014, No. 38).

2. Until the entry into force of the law implementing the 2016 European Parliament and Council Regulations in Latvia
Directive (EU) 2016/680 of 27 April 2016 on the protection of individuals with regard to the processing of personal data by
the competent authorities for the prevention, investigation, detection or prosecution of criminal offenses; or
criminal offenses and on the free movement of such data, repealing the requirements of Council Framework Decision 2008/977 / JHA, but not
no later than 1 October 2019 for the processing of personal data by the competent authorities in order to:
prevent, investigate, detect crimes or prosecute them or the execution of criminal penalties, it is
Section 2 , Section 3, Paragraphs 1 and 4, Section 4 , Sections 6 , 7 , 8 and 7 of the Personal Data Protection Act shall apply .
9 , Article 10 , first, second, third and fourth parts of Article 11 3, 6, 10 and 11, 12 , 13 and 14 , 15th
Article One and Two, three, Clauses 1, 2, 3, 4 and 6, the fourth and fifth paragraphs, Article 16 and Article 20 , 21 1 Article
the first, third and fourth paragraph 21. 2 Article first paragraph of Article 25 of the first paragraph of Article 27 , Article 28 first paragraph, second subparagraph
Paragraphs 3 and 4, Article 29, first paragraph, third subparagraph, points 1, 2 and 4, fourth subparagraph, points 1, 2, 3, 6, 7 and 8, 30
Article 31, first paragraph, and Article 31 .
(As amended by the Law of 23.05.2019 , which enters into force on 31.05.2019. )

3. Until the date of entry into force of this Law, the appointed Director of the Data State Inspectorate shall act as the Director of the Inspectorate
functions until a new director of the Inspectorate is appointed to the position in accordance with the procedures specified in Section 6 of this Law , but not
beyond 31 December 2019.

4. Persons whose data are included in the register of data protection specialists of the Data State Inspectorate before this Law
entry into force and which are not excluded from this register shall be included in the list of data protection specialists if they
within six months from the date of entry into force of this Law, submit a relevant written request to the Director of the Inspectorate.

5. By 1 June 2024, the Cabinet of Ministers shall evaluate the data protection regulations contained in this Law
the usefulness of the specialist qualification examination and submit to the Saeima an assessment regarding the possibility to waive this examination.
(As amended by the Law of 06.05.2021 , which enters into force on 04.06.2021. )

The law enters into force on the day following its promulgation.
13/14

Page 14

The law was adopted by the Saeima on June 21, 2018.
President R. Vējonis
Riga, July 4, 2018

© Official publisher "Latvijas Vēstnesis"

14/14

