Data State Inspectorate Annual Report 2013


THE DATA STATE INSPECTORATE

ANNUAL REPORT 2013

Riga, 2 June 2014

CONTENT

Foreword by Signe Plūmiņa, the Director of the Data State Inspectorate

I BASIC INFORMATION

1.1. Legal status, directions of activity and objectives

1.2. Main tasks and priorities

1.2.1. Participation in discussions on the European Commission's reform of personal data protection

1.2.2. Organizing the 2nd Annual Meeting of the Baltic Data Protection Authorities and carrying out the joint inspection

1.2.3. Recommendation development

II FINANCIAL RESOURCES AND RESULTS OF INSTITUTION ACTIVITY

2.1. State budget financing and its use in 2013

2.2. Evaluation of the effectiveness of the budget program

2.3. DSI paid services

2.4. Improvement systems of leadership and activity

III STAFF

IV COMMUNICATION WITH THE PUBLIC

4.1. Public information and education activities

4.2. Registration of personal data processing

4.3. Registration of personal data protection specialists

4.4. Opinions and explanations

V DSI PRIORITIES FOR 2014

Everyone has the right to the protection of personal data concerning him or her.

Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

(Article 8 of the Charter of Fundamental Rights of the European Union)

Although the protection of privacy, in particular from state interference, was strengthened internationally as early as 1948, when the first international legal instrument - Article 12 of the United Nations Universal Declaration of Human Rights - established the right to protection against interference with private and family life, solutions on how to effectively apply this principle in practice are still being sought. This was also evident in 2013, a year which was very painful in the area of personal data protection, including the so-called "Snowden case". As European Data Protection Supervisor P. Hustinx has pointed out - "The Snowden case was like an alarm bell. It revealed not only large-scale espionage by intelligence services but also the shadow sides of the digital environment, which includes devices we use on a daily basis - phones, smartphones and tablets. This was a painful discovery, because it directly affects us and our habits."1 Within the framework of the European Union, there is an ongoing debate on the reform of personal data protection, which would allow for greater supervision of the processing of personal data by controllers and guarantee greater rights to data subjects on the protection of their personal data.

Privacy and personal data protection issues have gained a solid position on the public agenda, both nationally and internationally. The development of information technology has contributed to the development of the digital environment and digital personality. The number of activities that we can carry out in the digital environment increases every year, which increases the amount of personal data processing accordingly. In view of this, it is increasingly difficult for an individual to control his personal data - who uses them, at what time and for what purpose. Controllers must therefore ensure that information is provided in a timely manner (before processing personal data) and is comprehensible to the data subject.

__________

1 - European Data Protection Supervisor: "Internet companies will have to adapt" (available in Latvian). Accessed on 28.01.2014. See: http://www.europarl.europa.eu/news/lv/news-room/content/20140127STO33808/html/EiropasDatu-aizsardz%C4%ABbas-uzraudz%C4%ABt%C4%81js-Interneta-uz%C5%86%C4%93mumiem-b%C5%ABsj%C4%81piel%C4%81gojas

The issue of processing and protecting personal data is becoming more and more topical not only to data subjects, but also to controllers, as the issue of data protection is related to the safety of individuals and quality of life. Although this issue is a matter of concern for many, every day we can be more cautious about the processing and protection of our data, especially when it comes to careful downloading of various applications onto our mobile information technology devices. The Spring Conference of the European Data Protection Supervisor focused on this issue as well, where it was agreed to highlight personal data protection issues in the context of mobile applications.

The protection of personal data in the era of modern information technology and internet development can only be ensured if each of us is more critical of our actions involving the processing of personal data and cooperates with the controller and the personal data protection supervisory authority in order to prevent personal data breaches and their possible consequences. In addition, such cooperation should take place at international level, as processing of data is not restricted to one country.

Having evaluated the range of issues examined by the Data State Inspectorate, it is concluded that the public's awareness of the role of data protection of natural persons in their daily lives will increase. Data subjects are active in requesting information from controllers about the processing of their personal data, as well as in informing the Data State Inspectorate about possible violations of the processing and protection of personal data. Any case where a personal data breach has been resolved by solving the problem situation of a particular individual and finding that the personal data processing controller not only remedies the personal data breach, but also assesses the privacy aspects of its future activity, is considered to be a significant benefit to the public. The more responsibly and honestly controllers handle personal data, the greater the trust given by data subjects to the particular controller and to the service or product it offers.

I would like to introduce the Annual Report of 2013 made by the Data State Inspectorate and remind you again - be prepared to protect your personal data and think twice before you disclose it to anyone else.

I would also like to thank everyone who devotes their time to improving their knowledge of personal data protection issues, including by accessing the information contained in this Annual Report, and who dares to exercise their rights as a data subject. Thanks also to all those controllers who, despite various challenges in the processing and protection of personal data, continue to behave with integrity in the processing of personal data as personal data controllers. Such action generally contributes to the protection of personal data in Latvia.

Signe Plūmiņa

Data State Inspectorate Director

I BASIC INFORMATION

1.1. Legal Status, Directions of Activity and Objectives

In accordance with Section 29 of the Personal Data Protection Law, the Data State Inspectorate (hereinafter – the DSI) is a state administration institution under the supervision of the Ministry of Justice which acts independently and permanently, fulfils the functions specified in laws, takes decisions and issues administrative acts in accordance with the law.

According to Paragraph 1 of the Transitional Provisions of the Personal Data Protection Law, the DSI commenced its work on January 1, 2001. On December 10, 2013, the Cabinet of Ministers Regulations No. 1415 "The Data State Inspectorate Bylaws" were adopted.

Signe Plūmiņa has been the Director of the DSI since 2001. In 2013 she took part in the development of the amendments to the Personal Data Protection Law and participated in discussions at the European Union and national level on the reform of personal data protection, including assessing the need to improve the regulatory enactments.

The DSI carries out personal data protection supervision in accordance with the Personal Data Protection Law, carries out the accreditation and supervision of reliable certification service providers in accordance with the Electronic Documents Law, supervises data protection in the electronic communications area in accordance with the Electronic Communications Law, supervises compliance with the ban on unauthorized commercial communication under the Law on Information Society Services, and ensures that the reporting requirements of Directive 2009/136/EC concerning personal data breaches in the field of electronic communications are met.

The basic principle of personal data protection is to ensure that every individual can control information about himself, i.e., control or know how others use this information. The protection of personal data is an integral part of the information society, which promotes public trust in public administration and participation in the decision-making process.

The protection of personal data in Latvia has been strengthened as a fundamental human right by introducing more specific regulation in various areas of personal data processing and creating more effective regulation for the protection of personal data and its supervision. This regulation is being improved taking into account the impact of the development of information technologies and the Internet environment on the protection of personal data and the growth of personal data processing in various fields.

The DSI has the following rights in the field of personal data protection, as set forth in Section 29, Paragraph four of the Personal Data Protection Law:

1) in accordance with the procedures prescribed by laws and regulations, to receive, free of charge, information from natural persons and legal persons as is necessary for the performance of functions pertaining to inspection;

2) to perform inspection of a processing of personal data;

3) to require that data be blocked, that incorrect or unlawfully obtained data be erased or destroyed, or to order a permanent or temporary prohibition of data processing;

4) to bring an action in court for violations of this Law;

5) to cancel a registration certificate of the processing of personal data if in inspecting the processing of personal data infringements are determined;

6) to impose administrative penalties according to the procedures specified by law regarding infringements of processing of personal data;

7) to perform inspections in order to determine the conformity of processing of personal data to the requirements of laws and regulations in cases where the administrator has been prohibited by law to provide information to a data subject and a relevant submission has been received from the data subject.

The DSI also ensures the supervision of the processing of personal data provided for in the Schengen Information System Act and represents the Republic of Latvia in the Joint Schengen Information System Supervisory Authority, the Joint Europol Supervision Authority, the Europol Appeal Committee and the Joint Customs Information System Supervisory Authority (also ensuring the conduct of inspections at the national level for the above-mentioned information systems), as well as in the Article 29 Working Party of Directive 95/46/EC, in the Advisory Committee of the Council of Europe Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data, and in other activities of the European Union and international personal data protection authorities.

1.2. Main Tasks and Priorities

DSI priorities for 2013:

1) Participation in discussions on the European Commission's reform in the field of personal data protection;

2) Organizing the 2nd annual meeting of the Baltic Data Protection Authorities and conducting a joint inspection;

3) Development of the Recommendations - "Personal Data Protection in Workplaces" and "Personal Data Processing Security".

The Report provides an overview of the progress made with regard to the operational priorities for 2013.

1.2.1. Participation in Discussions on the European Commission's Reform of Personal Data Protection

On January 25, 2012, the European Commission presented a package of documents, launching a comprehensive reform of the European Union's data protection rules. A key element of the personal data protection reform is the draft regulation on the protection of individuals with regard to the processing of personal data and their free movement, which proposes to modernize existing principles by improving the joint data protection rules applicable throughout the European Union. In 1995, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data was adopted, which is currently the basic instrument for the protection of personal data introduced into national law in the Member States. Globalization and the development of new technologies have led to the emergence of new aspects in the context of which data protection regulation could be modernized. In order to guarantee at European Union level the right of individuals to a high level of protection with regard to the processing of personal data, it has been decided to update and modernize the current regulation.

The main changes proposed in the European Commission proposal are reducing administrative burdens, increasing the responsibility and obligations of personal data controllers (for example, the obligation of entrepreneurs to ensure personal data protection in information technology and personal data processing software during the development process), improving the institute for personal data protection, and "the right to be forgotten" (i.e., requiring the deletion of personal data after the goal of their processing has been achieved), thus contributing to more effective protection of personal data and promoting individuals' trust in the use of information technology in the processing of personal data.

At the same time, along with the changes, the basic principles that have been observed to date in the area of data protection - the implementation of the Single Market and the effective exercise of the fundamental rights of the individual and the freedom enshrined in Article 8 of the Charter of Fundamental Rights of the European Union and Article 16 of the Treaty on the Functioning of the European Union2 - remain unchanged.

Representatives of the Ministry of Justice participate in the drafting of the Regulation in the European Union Information Exchange and Data Protection Working Party (DAPIX), while the Data State Inspectorate has provided the necessary support in the context of interpreting the various provisions of the Regulation from a practical point of view. In 2013, the Data State Inspectorate, in co-operation with the Ministry of Justice, continued to participate in the European Union data protection reform initiative.

The reform issues were also debated on the European Data Protection Day, which is celebrated for the eighth year on January 28 in all the Member States of the European Union, as well as in the United States and Canada, in order to raise awareness among the public about the protection of personal data. On this day, an informative event on personal data protection issues was organized in cooperation with the European Commission Representation in Latvia and the European Parliament Information Center.

__________

2 - For additional information see a website of the European Union: http://ec.europa.eu/justice/data-protection/.

1.2.2. Organizing the 2nd Annual Meeting of the Baltic Data Protection Authorities and Carrying out the Joint Inspection

Taking into account the common historical heritage of the Baltic States and cooperation in promoting the economic development of this region, in 2012 an agreement was reached on closer cooperation of the Baltic States in the field of supervision of personal data protection. From March 21 to 22, 2013, the second Annual Meeting of the Personal Data Protection Supervisory Authorities of the Baltic States was held in Riga, organized by the Data State Inspectorate. Within the framework of the Meeting, various practical issues related to the processing and protection of personal data were discussed, including the Schengen evaluation visit in October 2012 and its results in all three Baltic States.

The exchange of information on practical work experience is one of the most important aspects of these annual meetings in order to facilitate the harmonization of data protection requirements in the Baltic region and in the European Union as a whole. The Baltic Data Protection Authorities also discussed the practical aspects of implementing the EU Data Protection Reform, and it was decided that cooperation in this format will continue in the future. The cooperation of the Baltic States in the field of personal data protection is highly appreciated by the European Union institutions and is emphasized as a positive example for other European Union Member States. The Article 29 Working Party of Directive 95/46/EC was informed of the results of this cooperation.

In 2013, it was decided to implement a joint inspection activity in Lithuania, Estonia and Latvia to evaluate the processing and protection of personal data in relation to the gambling sector in order to facilitate the adequate protection of personal data. Overall, in the three Baltic States, 13 casinos were inspected in 2013.

It should be noted that national regulations in each of the Baltic States impose certain requirements for the processing and protection of personal data, including the necessary video surveillance in gambling venues (including casinos), ensuring the continuous indoor and outdoor video surveillance of gaming space. Therefore, the processing and protection of personal data has been evaluated in relation to the regulatory enactments governing the gambling sector and the data protection laws of each country.

The most important conclusion of the joint inspection is that all the casinos examined during the inspection need to improve their activities in relation to the processing and protection of personal data. Special attention should be paid to the information required from customers (visitors) and its storage periods, and to the processing of personal data in the framework of video surveillance (especially for work quality assessment of employees, and the provision of information to the data subjects about video surveillance). In casino inspections in Lithuania and Latvia, it was found that it is necessary to improve the practice of direct marketing when communicating with clients to ensure the implementation of personal data protection requirements. In all three Baltic States, one of the biggest issues concerns the storage of personal data (both personal data processed through video surveillance and the register of casino visitors) and this issue will be discussed with the responsible supervisory authorities of the sector in all the Baltic States.

1.2.3. Recommendation Development

In 2013, two Recommendations were developed - "Personal Data Protection in the Workplace" and "Security of Personal Data Processing". Both Recommendations, on employment relationships and data security, are very topical in assessing complaints received by the DSI about possible violations.

Human resources are the wealth of every country and employer, which affects the ability to achieve the goals pursued both individually and nationally. Today, the development of human resources capital is largely influenced by the development of information technology and the Internet environment, contributing to the development of the knowledge society, considering it as a prerequisite for a high quality of life and prosperity in the future. Within the framework of human resources management, as well as for the fulfillment of duties, Internet and information processing technologies are also increasingly used to process personal data. Using various information technology and internet development opportunities, a certain amount of personal data can be processed, and this can affect the rights of individuals to privacy.

In view of this and the Data State Inspectorate's experience in handling a variety of applications and complaints, as well as the issues raised during the consultations and information seminars, the Data State Inspectorate has prepared a recommendation with regard to the processing of personal data and its protection in the workplace, with the aim of motivating employers to reflect on different personal data protection and data processing issues and to improve overall data protection at workplaces. This recommendation is intended to help ensure the compliance of personal data processing with the Personal Data Protection Law. The Recommendation provides insight into only the most important personal data processing and protection aspects at the workplace, and each employer (controller) should assess for what purpose and to what extent to carry out processing of personal data, as well as assess the security measures in each specific situation to ensure the protection of personal data. The text of the Recommendation is available on the DSI website in electronic format - http://www.dvi.gov.lv/lv/jaunumi/publikacijas/.

The Recommendation "Security of Personal Data Processing" is intended for small organizations and businesses as a set of practical advice on information technology (IT) security issues from a data protection point of view, in order to facilitate understanding of the security of personal data and promote responsibility for the processing of personal data.

Maintaining secure and law-abiding IT systems can be a complex task, which requires both time and resources, as well as specialist knowledge. If personal data is processed in IT systems, this creates additional risks. To ensure that data processing is safe and reliable, the increased level of risk should be acknowledged and technical measures applied in accordance with the requirements of the regulatory enactments, as well as the capabilities and needs of each organization. These measures do not always have to be expensive or overly complicated. Many of the measures mentioned in the Recommendation can be implemented with little financial investment. The text of the Recommendation is available on the DSI website in electronic format - http://www.dvi.gov.lv/lv/jaunumi/publikacijas/.

II FINANCIAL RESOURCES AND RESULTS OF INSTITUTION ACTIVITY

2.1. State Budget Financing and its Use in 2013

The DSI funding consists of two sources of revenue:

1) grant from general revenues;

2) paid services and other own revenue.

The total budget use and budget implementation in 2013, and the comparison with the previous year, are summarized in Table 1.

Table 1. Program 27.00.00 "Data Protection". State budget financing and its use in 2013

| No. | Financial indicators | Last year: factual fulfillment (LVL) | Reference year: approved by law (LVL) | Reference year: factual fulfillment (LVL) |
|---|---|---|---|---|
| 1. | Financial resources to cover expenses (total) | 258386 | 282418 | 279312 |
| 1.1. | Grants | 251090 | 265317 | 265007 |
| 1.2. | Paid services and other own revenue | 7296 | 17101 | 14305 |
| 1.3. | Foreign financial assistance | | | |
| 1.4. | Donations and gifts | | | |
| 2. | Expenditure (total) | 251285 | 287581 | 280975 |
| 2.1. | Maintenance expenses (total) | 246533 | 280826 | 274220 |
| 2.1.1. | Current expenses | 246533 | 280826 | 274220 |
| 2.1.2. | Interest expense | | | |
| 2.1.3. | Subsidies, grants and social benefits | | | |
| 2.1.4. | Current payments to the budget of the European Community and international cooperation | | | |
| 2.1.5. | Maintenance costs transfers | | | |
| 2.2. | Capital expenditure | 4752 | 6755 | 6755 |

2.2. Evaluation of the Effectiveness of the Budget Program

In the framework of the budget program 27.00.00 "Data Protection", LVL 280975 or 98% of planned expenditure was used.

In line with the decline in resources, in 2013 the DSI took budgetary resource-saving measures by limiting expenditure under headings such as post, telephone and other communications services, administrative expenditure of the institution and expenditure related to the institution's activities. In 2013, the remuneration of employees remained at the 2012 level. For a summary of the performance indicators of the budget program, see Table 2.

Table 2. Output indicators of the budget program

| Performance indicator | Planned value | Factual fulfillment | Explanation |
|---|---|---|---|
| Registered personal data processing | 350 | 532 | The number of registered personal data processing operations exceeded the planned number by 52%, as several amendments to the regulatory enactments came into force that provided for the controller's duty to register the processing of personal data with the DSI. The number of registered personal data processing operations increased (in particular, regarding video surveillance and the processing of personal data by family doctors). |
| Personal data processing inspections | 350 | 677 | Taking into account the number of complaints from inhabitants and the number of applications for processing personal data received, the number of inspections of personal data processing increased. |
| Fee for registration of personal data processing | 12 000 | 15 351,20 | The actual amount of the fee exceeds the planned amount because the number of registered processing operations using video surveillance increased. |
| Penalties applied for breaches of personal data | 10 500 | 20476,55 | Penalties were applied for detected personal data breaches, as well as for failure to provide information to the DSI. |

In general, the DSI has reached the projected value of performance indicators in 2013.

In 2013, no research was conducted from State budget funds on issues within the competence of the DSI.

2.3. DSI Paid Services

The DSI provides paid services in accordance with the price list approved by the Cabinet of Ministers Regulations No. 992 "Price List of the Data State Inspectorate Services" of September 24, 2013.

In 2013, the financial gain received from paid services is LVL 14,305.

The most commonly used paid services of the DSI were filling and printing of the application for registration of personal data processing, the DSI workshops and the organization of the qualification examination of the personal data protection specialist.

Filling and printing of the application for registration of personal data processing

The DSI consults the controllers on filling in the application for registration of personal data processing, meeting face-to-face and printing a completed application for registration of personal data processing. In 2013, this paid service was provided to 13 controllers or their representatives. The fee for the service is 21,19 Ls. Total revenue for this paid service in 2013 - 305.95 Ls. Compared to 2012, the number of such consultations has decreased by almost 50% (in 2012 - 23). This is explained by the fact that several samples of personal data processing registration applications were developed and improved (for example, a sample application for video surveillance was developed for the provision of placement services and family doctors) and telephone counseling was provided, during which the DSI specialists explained to the controllers and their authorized persons issues about the filing of applications.

Organized seminars on personal data protection

The DSI has organized informative seminars on the protection of personal data - registration of personal data processing, personal data protection audit, video surveillance, and other personal data protection issues. In total, in 2013, the Data State Inspectorate organized 4 workshops on data protection. Fee for the service - LVL 33.90 per person, revenues from the seminars organized by the DSI in 2013 - LVL 2536.30 (in 2012, 3 seminars were organized, revenue from this paid service - 1320.00 LVL).

In 2013, there was greater interest among various target audiences in the informative seminars organized by the DSI, which is not only because of the urgency of the issue of the processing and protection of personal data, but also due to the awareness of individuals about the issues of personal data protection, because in seminars each participant has the opportunity to improve their knowledge of personal data processing and protection.

Organizing a qualification examination for a personal data protection officer

In 2013, the DSI organized four examinations of personal data protection specialists for 51 applicants. The service includes the preparation of the examination questions and tasks, the preparation of individual response forms, the organization of the examination and the evaluation of the results by the commission of three persons, as well as the decision on the preparation of the test results and the issuance of certificates.

In 2013, the qualification of personal data protection specialist was granted to 22 applicants. The fee for the service is 205.93 Ls, and the total income for the provision of the "Personal Data Protection Specialist Qualification Examination" paid service in 2013 is LVL 12,191.16. (Compared to 2012, the income for this paid service has doubled - LVL 5346.00).

2.4. Improvement Systems of Leadership and Activity

In 2013, the Internal audit department of the Ministry of Justice conducted an

audit in the DSI on "Budget planning, preparation and approval of planning

documents".

The opinion of the Internal audit division of the Ministry of Justice on the

budget planning, the preparation and approval of planning documents in the DSI, shows

that the procedures established by the DSI ensure that the budget planning, planning and

approval process is comparable, timely, significant and complete, and assures that

possible risks that could affect the financial management of the DSI are managed.

In turn, in accordance with the requirements set out in the State Program for

Prevention and Combating of Corruption 2013-2015, the DSI regularly conducted and

implemented anti-corruption plan measures aimed at eliminating the conflict of interest

in the activities of DSI employees; among other things, a DSI employee attended the seminar

"Corruption Prevention" organised by the Corruption Prevention and Combating

Bureau, and also conducted a relevant seminar for employees of the DSI.

To reduce the administrative burden for entrepreneurs, in 2013, the price of paid

services provided by DSI was reduced, and starting from September 24, 2013, the paid

services of the DSI are provided in accordance with Cabinet of Ministers Regulation

No. 992 of September 24, 2013 "The Data State Inspectorate’s price list for paid

services".

In addition, to reduce the use of the institution's administrative resources, starting from

2014 no personal data processing registration certificates will be issued, as information

about the fact that the DSI has taken a decision regarding a definite controller on the

registration of the processing of personal data, is published in the public Personal Data

Processing Register available on the DSI Internet home page -

http://www.dvi.gov.lv/registri/pdas/. The legal status of the legal entity (controller) is

determined by the DSI’s decision to register personal data processing rather than the

registration certificate for the processing of personal data (so the issue of the

registration certificate has no legal significance); therefore, in 2013, the DSI

drafted an amendment to the Personal Data Protection Law, which provides for waiving

registration certificates for the processing of personal data in 2014.

III STAFF

In 2013, neither structural reforms nor internal reorganization were carried out,

retaining 19 posts. In the reporting period, the institution employed an average of 17

employees, of which on average 14 were women and 3 were men. The average age of staff in

2013 was 34 years. In 2013, the DSI employed employees aged 21 to 72 years.

Distribution of education levels of the DSI employees in 2013:

1) one employee - secondary education;

2) one employee - incomplete higher education;

3) 15 employees have higher education;

4) 5 employees have a master's degree.

In 2013, the DSI personnel turnover has not diminished compared to 2012, but

has remained unchanged. In 2013, 6 employees were suspended and 5 employees were

admitted.

In-house seminars on various data protection issues were organized to raise the

capacity of the DSI staff, and in 2013, the DSI staff attended various seminars and

courses. The following Public Administration School seminars were attended:

- From the specialist to the leader;

- Interpretation and practical application of Labor Law and Remuneration Law;

- Use of transport in institution and capital company of state and local

government;

- Legal protection of personal data;

- Stress and professional burnout.

A Seminar on personnel management organized by the Riga International

School of Economics and Business Administration was attended, in which topical

issues regarding the selection process for applicants were discussed, as well as the

Seminar "Remote work: For and Against" organized by Microsoft Latvia.

According to the DSI assessment of work environment

risks, one of the psychological and emotional factors faced by the DSI employees in

their work is emotional violence. Therefore, to reduce the probability of occurrence of

emotional violence and to improve the quality of communication with the clients of

DSI, a Seminar on non-verbal communication in difficult situations was attended at

Ltd. Triviums. An internal workshop on communication in difficult situations was also

organized for all DSI employees who provide customer service.

The security manager attended the tech-educational conference "TechDay

2013" organized by Microsoft Latvia, which discussed the latest developments and

topical issues in IT security and management. In turn, the employees of the First

Supervisory Department attended seminars on the legal issues "Fundamental Issues of

Administrative Procedure", "Basic Issues of Administrative Law" and "Practical

Realization of Personal Data Processing" organized by Ltd. "Funditus". The accounting

officer and the personnel officer attended the seminars "Changes in Horizon when

moving to the euro" organized by Ltd. "FMS". The procurement officer participated in

the Seminar "Amendments to the Public Procurement Law 2013" organized by Ltd.

"Funditus".

[Figure: Distribution of the Number of DSI Employees by Age Group, 2012 and 2013]

As the work of the DSI is unthinkable without the cooperation of other European

Union data protection supervisory authorities, foreign language text analysis and

development, in 2013, two DSI employees supplemented their German language skills

by attending language programs by the German Ministry of Foreign Affairs and

the Goethe Institute within the framework of Europanetzwerk Deutsch for civil servants.

In 2012, the European Union Agency for Fundamental Rights (FRA) launched

a study on the use of mediation in resolving personal data protection issues as well as

its use in preventing personal data breaches identified. This issue is also relevant for

Latvia, taking into account the draft Law on Mediation. Within the framework of this

research, the DSI representative participated in discussions with experts from other

countries on various practical aspects of personal data supervision issues, assessing the

possibility of implementing mediation in practice in Latvia. To deepen the knowledge

of mediation among DSI staff, in 2012, two DSI employees attended the "Mediation

Basic Course" organized by "Mediation and ADR".

During the annual DSI personnel assessment, the DSI employees pointed

out that raising capacity by attending training seminars is essential in the context of

employee growth. In 2014, the DSI plans to continue the established practice of

organizing DSI in-house seminars. However, taking into account current trends in

employee turnover and remuneration, retaining and motivating employees will be one

of the challenges in 2014.

IV COMMUNICATION WITH THE PUBLIC

In 2013, the DSI, in cooperation with the Public Relations Department of the

Administrative Department of the Ministry of Justice, provided information to the mass

media. The DSI regularly cooperates with the media, at least three times a week, taking

into account the urgency and complexity of the issue of the processing and protection

of personal data influenced by the development of information technology and the

Internet environment. In 2013, various issues related to the protection of personal data

were updated, including a discussion on the reform of personal data protection initiated

by the European Commission.

4.1. Public Information and Education Activities

Most often, the DSI's views on various practical issues of processing and

protecting personal data were requested by journalists from the TV3 "BezTabu", as well

as Internet news portals, with a request to explain how a particular individual could act

in various situations concerning the processing and protection of personal data.

Information was also provided on the results of the various inspections.

In 2013, information requests from journalists of several foreign media on

inspection cases were received, which were reviewed by other national data protection

supervisory authorities and where the residents of Latvia were involved in the violation.

Based on the information provided by mass media, in 2013, the DSI started

several cases of administrative violation regarding alleged breaches of personal data

protection.

The most up-to-date information on the DSI functions and current issues in the

field of personal data protection is published on the DSI Internet home page -

www.dvi.gov.lv.

To inform the public, in 2013, 4 DSI seminars were organized as DSI paid

services, and the DSI also held several informative meetings on issues of processing and

protection of personal data for members of the Association of Latvian Traders and

representatives of local governments (including librarians and educators).

The DSI director participated in an informative seminar organized by the

Ministry of Justice for employees of the State Administration regarding issues of

processing and protection of personal data.

Every working day from 14:00 to 16:00, the DSI employees provide telephone

consultations, explaining the provisions of the Personal Data Protection Law and

informing how to deal with a specific individual's problem related to a possible breach

of personal data protection. In general, counseling is sought by data subjects about

their rights under the PDPL (how to handle the situation). Telephone counseling is also

provided to controllers of personal data processing. In 2013, the DSI

provided, on average, 225 phone consultations (including for third-country nationals

who process personal data in Latvia and controllers who transfer personal data to third

countries or who want to exercise their data subject's rights).

For the eighth year, on 28 January, European Data Protection Day was

celebrated. As every year, within this day, personal data protection supervisory

authorities are implementing activities to raise awareness of the right of the public to

protect their personal data and to encourage more attention when personal data is passed

on (disclosed) to someone. As already indicated in the report, the DSI participated in

the event organized by the European Commission Representation in Latvia and the

Information Center of the European Parliament on personal data processing and

protection issues, as well as on the current situation in the field of protection of personal

data in Latvia, inviting citizens to protect their data and assess the need for their data

transfer (for example, indicating the risks in the Internet environment).

In order to provide insight into what has been done and what has been seen in

2013, the DSI has summarized the most important information in the context of

registering personal data processing, as well as the most up-to-date personal data

protection files, in section 4.2 of the Annual Report 2013.

4.2. Registration of Personal Data Processing

Article 21, Paragraph three of the PDPL specifies cases in which the processing

of personal data by controllers is to be registered with the DSI, i.e. if the controller:

1) intends to transfer personal data to a state other than a Member State of the

European Union or European Economic Area;

2) intends to process personal data when providing financial or insurance

services, carrying out raffles or lotteries, market or public opinion researches,

personnel selection or personnel assessment as the form of commercial activity;

3) carries out processing of information about the health of a person;

4) processes personal data relating to criminal offences, criminal records

and penalties in administrative violation matters.

The procedure for registering personal data processing also applies to the

processing of personal data carried out in accordance with the PDPL Article 7,

paragraphs 3, 4, 5 and 6, Article 11, Article 13.1, Paragraphs 2, 3 and 4 and Article 28.

Thus, for example, for the state and local government institutions for which processing of

personal data is required for the performance of duties prescribed by law, the legal basis

for the processing of personal data is Article 7, Paragraph 3 of the Law.

The PDPL, which came into force on March 7, 2014, was developed to evaluate

the PDPL standards and their application in practice, including to facilitate the

operation of the controller. Amendments to the PDPL provide that registration of

personal data processing is only required in certain cases (see Article 21 of the PDPL).

In 2013, the DSI has registered 532 personal data processing and changes in the

processing of personal data, which is more than planned to be registered (planned -

350). Upon receipt of a controller's request, the DSI examines the information provided,

requesting additional information and performing a pre-registration check if

necessary.

In order to ensure effective supervision of personal data protection, the Data

State Inspectorate, like other Member States of the European Union, conducts pre-

registration checking. Section 22, Paragraph two of the Law provides that the Data

State Inspectorate shall identify the processing of personal data where risks are possible

for the rights and freedoms of data subjects. Pre-registration checking must be

determined for such processing of personal data. The Data State Inspectorate

determines each year the areas of personal data processing risks when assessing the

risks associated with the processing of personal data, the number of violations in certain

areas of personal data processing, as well as foreign experience and information

provided on relevant issues in certain areas.

The following areas of risk were identified in 2013:

1) the processing of sensitive personal data, in the framework of which

information about the health of a person is processed;

2) processing of biometric data, including video surveillance;

3) the processing of personal data, in the framework of which the transfer of

personal data outside the European Union borders to third countries takes place (also

paying attention to the use of cloud computing technologies).

When deciding on registration of personal data processing, the DSI issues to the

controller a decision regarding the registration of processing of personal data and makes

an entry in the publicly accessible register of personal data processing available on the

DSI Internet homepage:

http://www.dvi.gov.lv/en/persona-data-protection-and-specialist-registration/personal-data-processing-regists/.

In accordance with Section 22, Paragraph nine of the PDPL, every

registration of the processing of personal data, upon submission of the respective

application to the Data State Inspectorate, is subject to a state fee in accordance

with the procedure and amount specified by the Cabinet; in accordance with Paragraph

2 of the Cabinet of Ministers Regulation No. 813 of 27 November 2007 "On the

registration fee for registration of personal data processing and registered modifications

registration state fee in the Personal Data Protection Law", the fee is 20 or 40 lats (28.46 or 56.91

euros). State and local government institutions do not pay state fees for processing or

modifying registration. The total amount of state duty paid in 2013 for registration of

personal data processing and making changes in personal data processing is LVL

15,351.20. In comparison with 2012, the state fee paid has increased (in 2012 - 13 285.00

LVL).

Compared to the previous reporting period, the highest number of pre-

registration checking is carried out in connection with the processing of sensitive

personal data. In the case of video surveillance, as well as in the previous reporting

period, follow-up was carried out (20% of the total number of registered personal data

processing), in which it was found that the controller did not correct the weaknesses in

the processing of personal data (in particular, in the case of video surveillance, cases

were found where the controller failed to provide information to the data subjects or

has not provided them in accordance with the requirements of the Law). The

Inspectorate has also repeatedly requested the controllers to specify signs of video

surveillance in order to comply with the requirements of the Law. The issue of the

storage periods for personal data processed during video surveillance is also relevant,

which is assessed on a case-by-case basis. Compared to the previous reporting period,

the number of controllers who, after re-evaluation, reduce the storage period for

personal data and more carefully evaluate the processing of personal data performed

or planned as a whole, has increased. The number of pre-registration checking related

to a person's health during the reference period has significantly increased.

To facilitate registration of the processing of personal data in the framework of

video surveillance at the Inspectorate, a model controller application for the

processing of personal data (video surveillance for the purpose of prevention of

criminal offenses and protection of property) has been developed and is used by the

controllers, and the recommendations developed by the Inspectorate are used to find the

optimal solution for the processing of personal data.

During the reporting period, the number of complicated personal data

processing issues has increased, for which meetings are organized at the Data State

Inspectorate, which allows the controller to provide additional information about the

processing of personal data and to find a solution for more appropriate protection of

personal data. One of the challenges in recent years is to find out who the personal data

controller is and who is the operator, taking into account the specifics of different

personal data processing cases. There is also a question about the joint controller and

the distribution of responsibilities accordingly.

As indicated, on a number of occasions the relevance of the information

provided by the controllers was verified by performing checking at the places where

personal data was processed. As a result of the pre-registration checking, a decision is

made to register or not the processing of personal data in the Data State Inspectorate,

or additional information from the controller is requested in order to prevent the

deficiencies of the Law established in the framework of the on-site inspection. During

the reporting period, for example, several repeated pre-registration on-site inspections were

carried out in municipalities that did not initially provide all information about the

processing of personal data. As a result of pre-registration checking, the controllers

often chose to supplement their employees' knowledge of the requirements of the Law

by attending paid seminars organized by the Data State Inspectorate as well as

analyzing the information provided by the DSI Recommendations.

4.3. Registration of Personal Data Protection Specialists

As a result of the globalization process, economic processes today do not have

a geographical boundary that restricts the application of relevant laws, including with

regard to the protection of personal data, because there is no universal international

standard for the processing and protection of personal data that would be binding on all

countries. Therefore, the personal data protection self-regulation approach can help to

address these potential inaccuracies in order to apply commonly the requirements of

personal data protection and privacy. One of these self-regulatory mechanisms is the

personal data protection specialist in each specific company or institution. The first

personal data specialist institute was introduced in Germany in 1977 for the private

sector as an additional self-regulatory mechanism to help those responsible for the

protection of personal data (i.e., controllers) ensure that their activities meet the

requirements of the law. Personal data protection specialists are present in several EU

Member States and it is believed that the personal data protection specialist promotes

the trust of customers and employees in the processing of personal data by an

organization / institution that will be provided in accordance with the requirements of

the law and the principles of personal data protection good practice.

In order to facilitate the protection of personal data, the institution or company

leader may appoint a definite employee to be responsible for the protection of personal

data, may use outsourced capabilities regarding both the processing and protection of

personal data and the appointment of a personal data protection specialist (the data

protection specialist is qualified by the DSI after the person has passed the examination

at the DSI; a personal data protection specialist is not a mandatory requirement stated

in law).

Since the introduction of this institute in

Latvia in 2007, both public sector institutions and private sector representatives

have opted for personal data protection specialists, whose main task is to provide support and advice to the leadership of

the institution or company in issues related to the processing and protection of personal

data, including solving problem issues in this field. To become a personal data

protection specialist, the individual needs higher education in law science or

information technology.

In 2013, the DSI registered 42 personal data protection specialists on the basis

of a controller's application.

Compared to 2012, controllers registered 12 more personal data protection

specialists than in 2012, when there were 30. Controllers register with the DSI personal data protection

specialists who have acquired the qualification of a personal data protection

specialist. The DSI examines an application for the registration of a specialist within 15

days from the day it was received. The registration of personal data protection

specialists in the DSI is free of charge.

On December 18, 2013, amendments to the Cabinet of Ministers Regulations

No. 80 "Procedure for the Training of Personal Data Protection Specialists" came into

force, which supplemented Regulations No. 80, providing for the procedure of

reapplication of certificates or maintenance of qualifications. It is also planned to

specify the list of subjects to be acquired in order to be able to take a test at the

Inspectorate and obtain the qualification of a personal data protection specialist, and to

appoint as lecturers who carry out specialist training persons with at least five years' experience in the

field of personal data protection.

4.4. Opinions and Explanations

In 2013, the DSI received 362 written complaints and, in ensuring personal data

protection supervision, carried out 677 inspections concerning possible non-

compliance of personal data processing with the PDPL. Administrative penalties were

applied in 36 cases - 14 alerts and 22 fines (in total 20 910 LVL). Eight decisions of the

DSI officials regarding the imposition of administrative penalties were challenged before

the director of the DSI, while four decisions of the director

of the DSI regarding the imposition of an administrative penalty and one decision

refusing to renew the procedural deadline were appealed in court.

Compared to the previous year, the number of cases where a penalty is imposed

for failure to provide information to the DSI has changed, but there is still a large number

of such violations. In most cases, administrative penalties were applied for the

unlawful processing of personal data (including violation of Article 7 of the PDPL and

the first and second Paragraphs of Article 10), however, in 2013, compared to 2012, the

number of cases where an administrative penalty has been imposed for failure to

provide information to the data subject, has increased (violations of Articles 8, 9 or 15

of the PDPL). This shows that data subjects are increasingly aware of and exercise their

statutory rights, but controllers may not be sufficiently informed about their obligations

vis-à-vis the data subjects.

Complaints were mainly filed on the following areas of personal data

processing:

• Registration of a person as an employee of the company to the State Revenue

Service without the consent of this person to be an employee;

• Failure to provide the information requested by the data subject;

• Publication of personal data on the Internet and transfer of other type of

personal data to third parties (disclosure).

In 2013, the number of complaints received about the processing of personal

data in the debt recovery process has decreased, for example, regarding the

transfer of a debt recovery case to the debt recovery company or the insertion of

personal data into the credit history database. This is explained by the fact that at the

end of 2012 the Law On Extrajudicial Recovery of Debt entered into force, which

regulates the activities of the debt recovery service provider and sets requirements for

the creditor and the provider of debt recovery services in respect of debt recovery and

the creation of a database of debt history.

In 2013, the number of complaints received about registering a person as an

employee of a company in the State Revenue Service without the

consent of this person has increased. Such unlawful personal data processing results in a significant

adverse impact on the data subject's social guarantees, for example, the data subject is

deprived of the right to receive unemployment status and unemployment benefit as a

person is registered as an employee in the State Revenue Service and this information

may be corrected only by the particular company, which for the most part

does not do so voluntarily. Consequently, the DSI obliges the State Revenue Service to

correct the personal data mentioned in the application by way of the substitute

enforcement prescribed in the Administrative Procedure Law. As a result of the checking,

personal data is being corrected, but it takes quite a lot of time and consumes a lot of the

DSI resources. In order to find a more effective solution to this problem, as far as

possible to eliminate its causes, the DSI in the beginning of 2013 initiated a meeting

with the parties involved in the process - the State Revenue Service, the State Labor

Inspectorate and also the Ministry of Justice.

In 2013, there has been an increase in the number of complaints related to the

processing of personal data in the field of management, such as billing, the amount of

personal data requested on questionnaires, the amount of personal data provided to the

manager, personal data that becomes available to all owners of apartment houses, debts

for utilities.

Compared to 2012, in 2013, the number of cases that the DSI receives in which a

person gives another person's personal data to the police instead of their own has remained

unchanged. However, the system of liability for the use of another person's personal data changed,

namely, in April 2013, amendments to the Criminal Law entered into force, which

changed the wording of Article 281 of the Criminal Law, which now foresees that the

concealment of the identity of a person, if committed in order to avoid criminal or

administrative liability or committing a criminal offense or in order to help another

person to evade criminal or administrative liability is punishable by deprivation of

liberty for a term up to one year, or by temporary imprisonment, or by forced labor, or

by a fine. Consequently, the DSI, upon receipt of the case and having established this

purpose, terminates the administrative offense record keeping and transmits the file to

the State Police for the commencement of criminal proceedings.

Personal data processing checks are also carried out on the initiative of the

DSI and based on information provided by the media, other institutions and citizens.

For example, the DSI carried out an inspection of the bank's activity in

obtaining and using excessive amounts of personal data from potential employees. As

a result of the inspection, the bank processed questionnaires filled out by potential

employees, reviewed various issues related to the storage and use of personal data. The

DSI continues inspections on this issue in other credit institutions.

Following up on customer loyalty cards in 2013, the DSI found that controllers

were frequently unable to justify the amount of personal data requested and its need

for a legitimate aim in the questionnaires that are completed for receiving a loyalty card.

Within the DSI inspections, the DSI provided the controllers references to identified

deficiencies, calling for the processing of personal data to be consistent with the PDPL.

In supervising compliance with the Information Society Services Act (hereinafter ISSA), the DSI carried out 25 inspections in 2013 and applied two administrative fines, totaling LVL 1,000, for sending unlawful commercial communications. In general, the number of complaints regarding the illegal sending of commercial communications and the drawing up of commercial communications increased in 2013 compared to 2012. There has also been an increase in interest from merchants regarding the application of the ISSA and ensuring the lawful transmission of commercial communications.

An important obstacle to supervising compliance with the ISSA and PDPL is the constant emergence of new technologies and services and the evolution of existing ones, while the regulatory framework and the current inspection practice are not capable of ensuring sufficiently effective operation under new and changing conditions. The DSI staff must be able to develop steadily and be prepared to face new and unforeseen situations. Also, in many cases when an activity is carried out in an electronic environment, for example a commercial communication or personal data published on the Internet, it is difficult to identify the person responsible for the action, given that the electronic environment makes it possible to act while hiding one's identity. The DSI's work is also adversely affected when legal and natural persons do not provide information in a timely manner, or do not provide the information required in a DSI examination at all.

Taking into account the experience gained during the inspections carried out in 2013 and the issues raised in the consultations, in 2014, the DSI intends to prioritize the processing of personal data within the framework of labor relations, the security of personal data and the right of the data subject to obtain from the manager information on the processing of the data subject's personal data.

In 2013, the DSI was involved in 23 cases, which the courts considered in oral or written proceedings. In most cases, the court reviewed the decisions of the DSI on the application of administrative penalties and other DSI decisions, including the DSI decision on the obligation to suspend the processing of personal data, the DSI decision to extend the probation period, and the refusal of the DSI to grant the status of personal data protection specialist. In 2013, the court revoked only one DSI decision, as the court considered that in the particular case it was not sufficiently clear whether the person liable to prosecution was within the meaning of the PDPL.

In one of the cases before the court, the DSI carried out an inspection in a case involving the sensitive personal data (health information) of a group of data subjects. The actual circumstances showed that the company, which had received a complaint from the group of citizens about the company's activity (the complaint included sensitive data and was submitted for a specific purpose), disclosed these sensitive data to the health authority and requested the health authority to provide further information on the health of the population. The company justified its action with the fact that additional health information was needed in order to defend its interests and verify the validity of the citizens' complaint. In the course of the inspection, the DSI found that the company's conduct in disclosing sensitive data to the health authority, as well as the conduct of the health authority in relation to the request for sensitive data, did not comply with the PDPL: the processing of personal data was performed without a legal basis and purpose. The court joined the DSI's arguments and stated that the company was not entitled to disclose sensitive personal data to the health authority. The court noted that the fair and lawful processing of personal data imposes an obligation on the controller of personal data to comply with the requirements of the regulatory framework and with the right of a person to protect his personal data, which is a fundamental right, and that its violation should be proportionate to the violation of the interests of the controller of personal data.

V DSI PRIORITIES FOR 2014

1) Pre-registration checking in risk areas:

• Sensitive personal data;

• Transfer of personal data to third countries;

• Biometric data processing (including video surveillance).

2) Cooperation with personal data protection authorities of other EU Member States in order to promote the protection of personal data on the Internet.

3) Development of Recommendation "Data subject rights".