Work on national personal data processing law
On 25 May 2018, the GDPR (Regulation (EU) 2016/679) entered into effect in all the EU Member States. In accordance with the GDPR, the Member States shall introduce provisions to specify the application of the GDPR provisions in their respective national legislation.
The Latvian law that fulfils this requirement specifies the GDPR’s application, the rights and duties of the competent authority, and the liability of officials, and introduces the institute of the data protection officer. However, the law is still being processed, and it currently awaits the examination by the Saeima (the Latvian Parliament) in the second readings.
The provisions most likely to be included in the national Personal Data Processing Law without any changes are:
- The minimum age of 13 years applied to a child's consent in relation to the information of society services.
- The exclusions applicable to data processing for journalistic purposes, or the purpose of academic, artistic, or literary expression, as well as for the official publications.
The supervision of conformity to the GDPR provisions and national law will be delegated to the Data State Inspectorate (DSI), which currently has these duties. When supervising, the DSI shall take the violation occurred (or likely to occur) into consideration and shall act on the principle of ‘consult first’ that aims at ensuring that the applicable request is clear to entrepreneurs. Within the first year of applying the GDPR, the DSI has committed itself not to impose severe penalties, but to explain the non-conformity to the subjects and provide guidance on the necessary steps to prevent violations in future.