Draft Law “On Personal Data Processing” Was Announced in Latvia
On October 12, 2017, the Draft Law on Personal Data Processing was announced at the meeting of state secretaries of Latvia, developed by the Ministry of Justice. The purpose of the bill is to establish legal prerequisites for the application of the EU Regulation on General Data Protection with new requirements for the personal data protection.
The Regulation will come into effect on May 25, 2018 and will ensure the harmonization of the existing principles for the personal data protection in the Member States of the EU, creating uniform rules that will operate throughout the EU. At the moment, this sphere is regulated by the Law “On Personal Data Protection”, which will lapse from the moment of the application of the Regulation.
The Regulation provides for a number of key innovations designed to improve the work of the single market:
- unified conditions for the personal data protection at the level of the European Union, which relate to the processing, storage, transfer to other enterprises and archiving;
- application of the principle of agency of one stop to entrepreneurs: companies will have to cooperate only with one supervising agency for the data protection in order to ensure easier and more accessible business activities in the EU;
- uniform rules for all companies, regardless of their country of registration.
Institution of supervision
The Regulation imposes an obligation for EU Member States to establish an institution for data surveillance that will take over the function of monitoring compliance with the rules of the Regulations. In Latvia, this supervisory body is the State Data Inspectorate (SDI), which should become an independent institution from the moment the Regulation enters into force. The Draft Law includes provisions on the independent status of the SDI, its competencies, the rules for the appointment of the director, the powers of the staff and the decision-making procedure.
Personal Data Protection Specialist
The Regulation also provides for the introduction of an institution of a specialist in the personal data protection in all participating countries. Namely, the obligation to appoint a specialist for the personal data protection in specified cases is introduced in order to provide an opportunity for the manager to choose the most suitable candidate for this position who has sufficient knowledge to perform the official duties. The bill provides for an order in which a person can pass the examination, obtain the status of a specialist in the field of data protection and get into the supported SDI list.
Certification of personal data protection
The Regulation establishes the possibility of creating certification mechanisms for the personal data protection, as well as printing and marking of data protection, to show clearly that the actions performed by the managers and processors are in compliance with the Regulations, taking into account the specific needs of micro, small and medium-sized enterprises. There are also procedures and rules that must be followed in order to obtain the status of a certification institution and to issue certificates and seals of data protection. It is important to note that the SDI itself can issue a certificate or a data protection seal, until the license of the certification institution is not issued.
Specific situations in processing
The Draft Law also includes the rules on specific situations in processing that relate to the implementation of other basic human rights, derogations relating to processing for archiving in the public interest, for the purposes of scientific or historical research or statistics, as well as processing of public classified data.
The bill provides specific rules and exceptions for the processing of personal data for the needs of journalism, as well as academic, artistic or literary applications.
An assessment of the balance between the rights to privacy and freedom of expression is required for data processing for these purposes. In particular, this includes assessing whether the interests of a data subject do not influence the protection of their privacy and the human right to receive information, and thus whether the publication of certain information may cause negative consequences for the data subject or harm them.
Penalties for Regulation violation
According to the Regulations, each institution of supervision is obliged to ensure the application of the envisaged administrative monetary penalties and to monitor it to be effective, proportionate and appropriate in each specific case. The Regulation also provides that each participating country has the right to develop rules on whether it is possible to apply and to what extent the administrative monetary penalties to public institutions and structures located on its territory.