Privireal Home Page Privacy in Research, Ethics and Law
"examining the implementation of the Data Protection Directive 95/46/EC
in relation to medical research and the role of ethics committees"

Latvia - Data Protection

History of Data Protection in LATVIA

Latvia's general law on data protection, the Personal Data Protection Law, was passed in 2000. It implements Directive 95/46/EC into national legislation.

On 24 October 2002 the Latvian Parliament passed a statute entitled "Amendments to Personal Data Protection Law". This law holds that the provisions of the Personal Data Protection Law are applicable to the processing of personal data in the field of criminal law and domestic security.

The Latvian Data State Inspectorate was established under Regulation No. 408 of 28 November 2000, the Statute of the Data State Inspectorate.

Summary of Data Protection in LATVIA

Title of Data Protection Legislation Personal Data Protection Law
Name of supervisory authority Data State Inspectorate
General Powers of supervisory authority Section 29(3) of the Personal Data Protection Law outlines the duties of the Inspectorate: "1) to ensure compliance of personal data processing in the State with the requirements of this Law;
2) to take decisions and review complaints regarding the protection of personal data;
3) to register personal data processing systems;
4) to propose and carry out activities aimed at raising the efficiency of personal data protection and submit reports on compliance of personal data processing systems created by government and local government institutions []
5) together with the Office of the Director General of the State Archives of Latvia, to decide on the transfer of personal data processing systems to the State archives for preservation thereof;
6) accredit persons wishing to perform system auditing of personal data processing systems of government and local government institutions in accordance with procedure established by the Cabinet of Ministers."
Who has standing to notify the supervisory authority of breaches? Probably anybody, but certainly the data subject (see s20, s29(3)(2) and s29(4)(1) of the Personal Data Protection Law.
What are the penalties for data controllers if they breach the law? There are no penalties for breaches mentioned in the Personal Data Protection Law.
Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? Yes. The Law on State Population Register states that each Latvian inhabitant shall be given personal identity number. Several laws regulate the usage of this identification number. They include the Tax Collection laws, the Administrative Procedure Law, and the Commercial Law. The personal identity number should also be treated as falling under the ambit of the Personal Data Protection Law.
Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? It is probably sufficient to use alternatives to consent even when it is not impracticable or inappropriate to obtain it.
Does the Data Protection Legislation cover the deceased? Yes, in limited circumstances, for example genetic research.
Who is able to indirectly identify the data subject? Anybody

Laws and Regulations

Institutions