Data State Inspectorate Annual Report 2013
THE DATA STATE INSPECTORATE
ANNUAL REPORT 2013
Riga,
2 June 2014
CONTENT
Foreword by Signe Plūmiņa, the Director of the Data State Inspectorate
I BASIC INFORMATION
1.1. Legal status, directions of activity and objectives
1.2. Main tasks and priorities
1.2.1. Participation in discussions on the European Commission's reform of personal data protection
1.2.2. Organizing the 2nd Annual Meeting of the Baltic Data Protection Authorities and carrying out the joint inspection
1.2.3. Recommendation development
II FINANCIAL RESOURCES AND RESULTS OF INSTITUTION ACTIVITY
2.1. State budget financing and its use in 2013
2.2. Evaluation of the effectiveness of the budget program
2.3. DSI paid services
2.4. Improvement systems of leadership and activity
III STAFF
IV COMMUNICATION WITH THE PUBLIC
4.1. Public information and education activities
4.2. Registration of personal data processing
4.3. Registration of personal data protection specialists
4.4. Opinions and explanations
V DSI PRIORITIES FOR 2014
Everyone has the right to the
protection of personal data concerning
him or her.
Such data must be processed fairly
for specified purposes and on the basis of
the consent of the person concerned or
some other legitimate basis laid down by
law. Everyone has the right of access to
data which has been collected
concerning him or her, and the right to
have it rectified.
(Article 8 of the Charter of
Fundamental Rights of the European
Union)
Although the protection of privacy, in
particular, from state interference in it,
was strengthened internationally already
in 1948, when the first international legal
instrument - Article 12 of the United
Nations Universal Declaration of Human
Rights - established the right to
protection against interference with private and family life, solutions on how to
effectively apply this principle in practice are still being sought. This is also evident in
year 2013, which was very painful in the area of personal data protection, including the
so-called "Snowden case". As European Data Protection Officer P. Hustinx has pointed
out - "The Snowden case was like an alarm bell. It revealed not only large-scale
espionage by intelligence services but also the shadow sides of the digital environment,
which includes devices we use on daily basis - phones, smartphones and tablets. This
was a painful discovery, because it directly affects us and our habits."1 Within the
framework of the European Union, there is ongoing debate on the reform of personal
data protection, which would allow for greater supervision of the processing of personal
data by controllers and guarantee greater rights to data subjects on the protection of
their personal data.
Privacy and personal data protection issues have gained a solid position on the
public agenda, both nationally and internationally. The development of information
technology has contributed to the development of the digital environment and digital
personality. The number of activities that we can take in the digital environment
increases every year, which increases the amount of personal data processing
accordingly. In view of this, it is increasingly difficult for an individual to control his
personal data - who uses them, at what time and for what purpose. Controllers must
therefore ensure timely provision of information (before processing personal data), and
this information must be comprehensible to the data subject.
_____________________________
1 European Data Protection Supervisor: "Internet companies will have to adapt" (available in Latvian). Accessed on 28.01.2014. See: http://www.europarl.europa.eu/news/lv/news-room/content/20140127STO33808/html/EiropasDatu-aizsardz%C4%ABbas-uzraudz%C4%ABt%C4%81js-Interneta-uz%C5%86%C4%93mumiem-b%C5%ABsj%C4%81piel%C4%81gojas
The issue of processing and protecting personal data is becoming more and
more topical not only to data subjects, but also to controllers, as the issue of data
protection is related to the safety of individuals and quality of life. Although this issue
is a matter of concern for many, every day we can be more cautious about the processing
and protection of our data, especially when it comes to careful downloading of various
applications in our mobile information technology devices. The Spring Conference of
the European Data Protection Supervisor focused on this issue as well, where it was
agreed to highlight personal data protection issues in the context of mobile applications
from the point of view of personal data protection.
The protection of personal data in the era of modern information technology
and internet development can only be ensured if each of us is more critical of our actions
involving the processing of personal data and will cooperate with the controller and the
personal data protection supervisory authority in order to prevent personal data
breaches and their possible consequences. In addition, such cooperation should take
place at international level, as processing of data is not restricted to one country.
Having evaluated the range of issues examined by the Data State Inspectorate,
it is concluded that the public's awareness of the role of data protection of natural
persons in their daily lives will increase. Data subjects are active in requiring
information from controllers about processing their personal data, as well as informing
the Data State Inspectorate about possible violations of the processing and protection
of personal data. Any case where personal data breach has been resolved by solving the
problem situation of a particular individual and finding that the personal data processing
controller not only violates personal data breaches, but also assesses the privacy aspects
of the future activity is considered to be a significant benefit to the public. The
more responsibly and honestly controllers handle personal data, the
greater the trust given by the data subjects to the particular controller, and also to the
service or product offered by him.
I would like to introduce the Annual Report of 2013 made by the Data State
Inspectorate and remind you again - be prepared to protect your personal data and think
twice before you disclose it to anyone else.
I would also like to thank everyone who devotes his time and complements his
knowledge of personal data protection issues, including having access to the
information contained in this Annual Report, and who dares to exercise his data subject's
rights. Thanks also to all those controllers who, despite various challenges in the
processing and protection of personal data, continue to behave with integrity in the
processing of personal data as personal data controller. Such action generally
contributes to the protection of personal data in Latvia.
Signe Plūmiņa
Data State Inspectorate Director
I BASIC INFORMATION
1.1. Legal Status, Directions of Activity and Objectives
In accordance with Section 29 of the Personal Data Protection Law, the Data
State Inspectorate (hereinafter – the DSI) is a state administration institution under the
supervision of the Ministry of Justice that acts independently and permanently, fulfils
the functions specified in laws, takes decisions and issues administrative acts in
accordance with the law.
According to Paragraph 1 of the Transitional Provisions of the Personal Data
Protection Law, the DSI commenced its work on January 1, 2001. On December 10,
2013, the Cabinet of Ministers Regulations No. 1415 "The Data State Inspectorate
Bylaws" were adopted.
Signe Plūmiņa has been the Director of the DSI since 2001. In 2013 she took part in
the development of the amendments to the Personal Data Protection Law and
participated in discussions at the European Union and national level on the reform of
personal data protection, including assessing the need to improve the regulatory
enactments.
The DSI carries out personal data protection supervision in accordance with the
Personal Data Protection Law, carries out the accreditation and supervision of
reliable certification service providers in accordance with the Electronic Documents
Law, supervises data protection in the electronic communications area in accordance
with the Electronic Communications Law, supervises compliance with the ban on
unauthorized commercial communication in accordance with the Law on Information
Society Services, and ensures the reporting requirements of Directive 2009/136/EC
concerning personal data breaches in the field of electronic communications.
The basic principle of personal data protection is to ensure that every individual
can control information about himself, i.e., control or know how others use this
information. The protection of personal data is an integral part of the information
society, which promotes public trust in public administration and participation in the
decision-making process.
The protection of personal data in Latvia has been strengthened as a
fundamental human right by introducing more specific regulation in various areas of
personal data processing and creating more effective regulation for the protection and
supervision of personal data protection, which is being improved taking into account
the impact of the development of information technologies and the Internet
environment on the protection of personal data and growth of personal data processing
in various fields.
The DSI rights in the field of personal data protection, as set forth in Section 29,
Paragraph four of the Personal Data Protection Law:
1) in accordance with the procedures prescribed by laws and regulations, to
receive, free of charge, information from natural persons and legal persons as is
necessary for the performance of functions pertaining to inspection;
2) to perform inspection of a processing of personal data;
3) to require that data be blocked, that incorrect or unlawfully obtained data be
erased or destroyed, or to order a permanent or temporary prohibition of data
processing;
4) to bring an action in court for violations of this Law;
5) to cancel a registration certificate of the processing of personal data if in
inspecting the processing of personal data infringements are determined;
6) to impose administrative penalties according to the procedures specified by
law regarding infringements of processing of personal data;
7) to perform inspections in order to determine the conformity of processing of
personal data to the requirements of laws and regulations in cases where the
administrator has been prohibited by law to provide information to a data subject and a
relevant submission has been received from the data subject.
The DSI also ensures the supervision of the processing of personal data
provided for in the Schengen Information System Act and represents the Republic of
Latvia in the Joint Schengen Information System Supervisory Authority, the Joint
Europol Supervision Authority, the Europol Appeal Committee and the Joint Customs
Information System Supervisory Authority (also ensuring the conduct of inspections at
the national level for the above-mentioned information systems), as well as in the
Article 29 Working Party of Directive 95/46/EC, in the Advisory Committee of the
Council of Europe Convention on the Protection of Individuals with regard to Automatic
Processing of Personal Data, and in other activities of European Union and
international personal data protection authorities.
1.2. Main Tasks and Priorities
DSI priorities for 2013:
1) Participation in discussions on the European Commission's reform in
the field of personal data protection;
2) Organizing the 2nd annual meeting of the Baltic Data Protection Authorities
and conducting a joint inspection;
3) Development of the Recommendations - "Personal Data Protection in
Workplaces" and "Personal Data Processing Security".
The Report provides an overview of the progress made with regard to the
operational priorities for 2013.
1.2.1. Participation in Discussions on the European Commission's
Reform of Personal Data Protection
Already on January 25, 2012, the European Commission presented a package
of documents, launching a comprehensive reform of the European Union's data
protection rules. A key element of the personal data protection reform is the draft
regulation on the protection of individuals with regard to the processing of personal
data and their free movement, which proposes to modernize existing principles by
improving the joint data protection rules applicable throughout the European Union. In
1995, Directive 95/46/EC of the European Parliament and of the Council on the
protection of individuals with regard to the processing of personal data and on the free
movement of such data was adopted, which is also at the moment the basic instrument
for the protection of personal data introduced into national law in the Member States.
The development of globalization and the development of new technologies have led
to the emergence of increasingly new aspects in the context of which data protection
regulation could be modernized. In order to guarantee at European Union level the right
of individuals to a high level of protection with regard to the processing of personal
data, it has been decided to update and modernize the current regulation.
The main changes proposed in the European Commission proposal are reducing
administrative burdens, increasing the responsibility and obligations of personal data
controllers (for example, the obligation of entrepreneurs to ensure personal data
protection in information technology and personal data processing software during the
development process), improving the institute for personal data protection, and "the right to
be forgotten" (i.e., requiring the deletion of personal data after the goal of their
processing has been achieved), thus contributing to more effective protection of
personal data and promoting individuals' trust in the use of information technology in
the processing of personal data.
At the same time, along with the changes, the basic principles that have been
observed to date in the area of data protection - the implementation of the Single Market
and the effective exercise of the fundamental rights of the individual and the freedom
enshrined in Article 8 of the Charter of Fundamental Rights of the European Union and
Article 16 of the Treaty on the Functioning of the European Union2 - remain unchanged.
Representatives of the Ministry of Justice participate in the drafting of the draft
Regulation in the European Union Information Exchange and Data Protection Working
Party (DAPIX), while the Data State Inspectorate has provided the necessary support
in the context of interpreting the various provisions of the Regulation from a practical
point of view. In 2013, the Data State Inspectorate, in co-operation with the Ministry
of Justice, continued to participate in the European Union data protection reform
initiative.
The reform issues were also debated on the European Data Protection Day,
which is celebrated for the eighth year on January 28 in all the Member States of the
European Union, as well as in the United States and Canada, in order to raise awareness
among the public about the protection of personal data. On this day, an informative
event on personal data protection issues was organized in cooperation with the
European Commission Representation in Latvia and the European Parliament
Information Center.
1.2.2. Organizing the 2nd Annual Meeting of the Baltic Data Protection
Authorities and Carrying out the Joint Inspection
Taking into account the common historical heritage of the Baltic States and
cooperation in promoting the economic development of this region, in 2012 the
agreement was reached on closer cooperation of the Baltic States in the field of
supervision of personal data protection. In the period from March 21 to 22, 2013, the
second Annual Meeting of the Personal Data Protection Supervisory Authorities of the
Baltic States was held in Riga, organized by the Data State Inspectorate. Within the
framework of the Meeting, various practical issues related to the processing and
protection of personal data were discussed, including the Schengen evaluation visit in
October 2012 and its results in all three Baltic States.
The exchange of information on practical work experience is one of the most
important aspects of these annual meetings in order to facilitate the harmonization of
data protection requirements in the Baltic region and in the European Union as a whole.
The Baltic Data Protection Authorities also discussed the practical aspects of
implementing the EU Data Protection Reform, and it was decided that cooperation in
this format will continue in the future. The cooperation of the Baltic States in the field
of personal data protection is highly appreciated by the European Union institutions
and is emphasized as a positive example for other European Union Member States. The
Article 29 Working Party of Directive 95/46/EC was informed on the results of this
cooperation.
__________________________________________
2 For additional information see the website of the European Union: http://ec.europa.eu/justice/data-protection/.
In 2013, it was decided to implement a joint inspection activity in Lithuania,
Estonia and Latvia to evaluate the processing and protection of personal data in relation
to the gambling sector in order to facilitate the adequate protection of personal
data. Overall, in the three Baltic States, 13 casinos were inspected in 2013.
It should be noted that national regulations in each of the Baltic States impose
certain requirements for the processing and protection of personal data, including the
necessary video surveillance in gambling venues (including casinos), ensuring the
continuous indoor and outdoor video surveillance of gaming space. Therefore, the
processing and protection of personal data has been evaluated in relation to the
regulatory enactments governing the gambling sector and the data protection laws of
each country.
The most important conclusion of the joint inspection is that all the casinos
examined during the inspection need to improve their activities in relation to the
processing and protection of personal data; special attention should be paid to the
information required from customers (visitors) and its storage periods, processing of
personal data in the framework of video surveillance (especially for work quality
assessment of employees, and the provision of information to the data subjects about
video surveillance). In Lithuania and in casino inspections in Latvia, it was found that
it is necessary to improve the practice of direct marketing by communicating with
clients to ensure the implementation of personal data protection requirements. In all
three Baltic States, one of the biggest issues concerns the storage of personal data (both
personal data processing of video surveillance and the register of casino visitors) and
this issue will be discussed with the responsible supervisory authorities of the sector in
all the Baltic States.
1.2.3. Recommendation Development
In 2013, two Recommendations were developed - "Personal Data Protection in
the Workplace" and "Security of Personal Data Processing". Both Recommendations
on employment relationship and data security are very topical in assessing complaints
received by the DSI about possible violations.
Human resources are the wealth of every country and the employer, which
affects the ability to achieve the goals pursued both individually and nationally. Today,
the development of human resources capital is largely influenced by the development
of information technology and the Internet environment, contributing to the
development of the knowledge society, considering it as a prerequisite for a high quality
of life and prosperity in the future. Within the framework of human resources
management, as well as for the fulfillment of duties, Internet and information
processing technologies are also increasingly used to process personal data. Using
various information technology and internet development opportunities, personal data
of a certain amount can be processed and thus can affect the rights of individuals to
privacy.
In view of this and the Data State Inspectorate's experience in handling a
variety of applications and complaints, as well as the issues raised during the
consultations and information seminars, the Data State Inspectorate has prepared
a recommendation with regard to the processing of personal data and its protection in the
workplace with the aim of motivating employers to reflect on different personal data
protection and data processing issues in order to improve overall data protection at workplaces.
This recommendation is intended to help ensure the compliance of personal data
processing with the Personal Data Protection Law. The Recommendation provides insight
into the most important personal data processing and protection aspects at the
workplace only, and each employer (controller) should assess for what purpose and to
what extent to carry out processing of personal data, as well as assess the security
measures in each specific situation to ensure the protection of personal data. The text
of the Recommendation is available on the DSI website in electronic format -
http://www.dvi.gov.lv/lv/jaunumi/publikacijas/.
The Recommendation "Security of Personal Data Processing" is intended for
small organizations and businesses as a set of practical advice for information
technology (IT) security issues from a data protection point of view, in order to facilitate
understanding of the security of personal data and promote responsibility for the
processing of personal data.
Maintaining secure and law-abiding IT systems can be a complex task, which
requires both time and resources, as well as specialist knowledge. If personal data is
processed in IT systems, this creates additional risks. To ensure that data processing is
safe and reliable, the increased level of risk should be acknowledged and technical
measures applied in accordance with the requirements of the regulatory enactments, as
well as the capabilities and needs of each organization. They do not always have to be
expensive or overly complicated. Many of the measures mentioned in the
Recommendation can be implemented with little financial investment. The text of the
Recommendation is available on the DSI website in electronic format -
http://www.dvi.gov.lv/lv/jaunumi/publikacijas/.
II FINANCIAL RESOURCES AND RESULTS OF
INSTITUTION ACTIVITY
2.1. State Budget Financing and its Use in 2013
The DSI funding consists of two sources of revenue:
1) grant from general revenues;
2) paid services and other own revenue.
The total budget use and budget implementation in 2013, and the comparison with the
previous year is summarized in Table 1.
Table 1. Program 27.00.00 "Data Protection"
State budget financing and its use in 2013

| No. | Financial indicators | Last year (factual fulfillment, LVL) | Reference year: approved by law (LVL) | Reference year: factual fulfillment (LVL) |
|---|---|---|---|---|
| 1. | Financial resources to cover expenses (total) | 258386 | 282418 | 279312 |
| 1.1. | Grants | 251090 | 265317 | 265007 |
| 1.2. | Paid services and other own revenue | 7296 | 17101 | 14305 |
| 1.3. | Foreign financial assistance | | | |
| 1.4. | Donations and gifts | | | |
| 2. | Expenditure (total) | 251285 | 287581 | 280975 |
| 2.1. | Maintenance expenses (total) | 246533 | 280826 | 274220 |
| 2.1.1. | Current expenses | 246533 | 280826 | 274220 |
| 2.1.2. | Interest expense | | | |
| 2.1.3. | Subsidies, grants and social benefits | | | |
| 2.1.4. | Current payments to the budget of the European Community and international cooperation | | | |
| 2.1.5. | Maintenance cost transfers | | | |
| 2.2. | Capital expenditure | 4752 | 6755 | 6755 |

2.2. Evaluation of the Effectiveness of the Budget Program
In the framework of the budget program 27.00.00 "Data Protection", LVL
280975 or 98% of planned expenditure was acquired.
In line with the decline in resources, in 2013, the DSI took budgetary resource-
saving measures by limiting expenditure in expenditure headings such as post,
telephone and other communications services, administrative expenditure of the
institution and expenditure related to the institution's activities. In 2013, the
remuneration of employees remained in the amount of 2012. For a summary of the
performance indicators of the budget program, see Table 2.
Table 2. Output indicators of the budget program

| Performance indicator | Planned value | Factual fulfillment | Explanation |
|---|---|---|---|
| Registered personal data processing | 350 | 532 | In fact, the number of registered personal data processing exceeded the planned number by 52%, as several amendments to the regulatory enactments came into force that provided for the controller's duty to register the processing of personal data in the DSI. The processing of registered personal data increased (in particular, regarding video surveillance and the processing of personal data by family doctors). |
| Personal data processing inspections | 350 | 677 | Taking into account the number of complaints of inhabitants and the number of applications for processing personal data received, the number of inspections of personal data processing increased. |
| Fee for registration of personal data processing | 12 000 | 15 351,20 | The actual amount of the fee exceeds the planned amount because the number of registered processing involving video surveillance increased. |
| Penalties applied for breaches of personal data | 10 500 | 20476,55 | Penalties were applied for detected personal data breaches, as well as for failure to provide information to the DSI. |

In general, the DSI has reached the projected value of performance indicators
in 2013.
In 2013, no research was conducted from the State budget funds on issues
within the competence of the DSI.
2.3. DSI Paid Services
The DSI provides paid services in accordance with the price list, approved by
the Cabinet of Ministers Regulations No. 992 "Price List of the Data State Inspectorate
Services" of September 24, 2013.
In 2013, the financial gain received from paid services is LVL 14,305.
The most commonly used paid services of the DSI were filling and printing of
the application for registration of personal data processing, the DSI workshops and the
organization of the qualification examination of the personal data protection specialist.
Filling and printing of the application for registration of personal data processing
The DSI consults the controllers on filling in the application for registration of
personal data processing, meeting face-to-face and printing a completed application for
registration of personal data processing. In 2013, this paid service was provided to 13
controllers or their representatives. The fee for the service is 21,19 Ls. Total revenue
for this paid service in 2013 - 305.95 Ls. Compared to 2012, the number of
consultations mentioned has decreased by almost 50% (in 2012 - 23). This is explained
by the fact that several samples of personal data processing registration applications
were developed and improved (for example, a sample application for video surveillance
was developed for the provision of placement services and family doctors) and
telephone counseling was provided during which the DSI specialists explained to the
controllers and their authorized persons issues about the filing of applications.
Organized seminars on personal data protection
The DSI has organized informative seminars on the protection of personal data
- registration of personal data processing, personal data protection audit, video
surveillance, and other personal data protection issues. In total, in 2013, the Data State
Inspectorate organized 4 workshops on data protection. Fee for the service - LVL 33.90
per person, revenues from the seminars organized by the DSI in 2013 - LVL 2536.30
(in 2012, 3 seminars were organized, revenue from this paid service - 1320.00 LVL).
In 2013, there was a greater interest among various target audiences in
the informative seminars organized by the DSI, which is due not only to the
urgency of the issue of the processing and protection of personal data, but also to
the awareness of individuals about the issues of personal data protection, because in
seminars each participant has the opportunity to improve their knowledge of personal
data processing and protection.
Organizing a qualification examination for a personal data protection officer
In 2013, the DSI organized four examinations of personal data protection
specialists for 51 applicants. The service includes the preparation of the examination
questions and tasks, the preparation of individual response forms, the organization of
the examination and the evaluation of the results by the commission of three persons,
as well as the decision on the preparation of the test results and the issuance of
certificates.
In 2013, the qualification of personal data protection specialists was granted to
22 applicants. The fee for the service is 205.93 Ls, the total income for the provision of
the "Personal Data Protection Specialist Qualification Examination" paid service in
2013 is LVL 12,191.16. (Compared to 2012, the income for this paid service has
doubled - LVL 5346.00).
2.4. Improvement Systems of Leadership and Activity
In 2013, the Internal audit department of the Ministry of Justice conducted an
audit in the DSI on "Budget planning, preparation and approval of planning
documents".
The opinion of the Internal audit division of the Ministry of Justice on the
budget planning, the preparation and approval of planning documents in the DSI, shows
that the procedures established by the DSI ensure that the budget planning, planning and
approval process is comparable, timely, significant and complete, and assures that
possible risks that could affect the financial management of the DSI are managed.
In turn, in accordance with the requirements set out in the State Program for
Prevention and Combating of Corruption 2013-2015, the DSI regularly conducted and
implemented anti-corruption plan measures aimed at eliminating conflicts of interest
in the activities of DSI employees; among other things, a DSI employee attended the seminar
"Corruption Prevention" organised by the Corruption Prevention and Combating
Bureau and also conducted a relevant seminar for employees of the DSI.
To reduce the administrative burden for entrepreneurs, in 2013, the price of paid
services provided by DSI was reduced, and starting from September 24, 2013, the paid
services of the DSI are provided in accordance with Cabinet of Ministers Regulation
No. 992 of September 24, 2013 "The Data State Inspectorate's price list for paid
services".
In addition, to reduce administrative resources of the institution, starting from
2014 no personal data processing registration certificates will be issued, as information
about the fact that the DSI has taken a decision regarding a definite controller on the
registration of the processing of personal data, is published in the public Personal Data
Processing Register available on the DSI Internet home page -
http://www.dvi.gov.lv/registri/pdas/. The legal status of the legal entity (controller) is
determined by the DSI's decision to register personal data processing rather than by the
registration certificate for the processing of personal data (the issue of the registration
certificate therefore has no legal significance); therefore, in 2013 the DSI
drafted an amendment to the Personal Data Protection Law, which provides for waiving
the issue of registration certificates for the processing of personal data in 2014.
III STAFF
In 2013, neither structural reforms nor internal reorganization were carried out,
and 19 posts were retained. In the reporting period, the institution employed an average of 17
employees, of whom on average 14 were women and 3 were men. The average age of staff in
2013 was 34 years. In 2013, the DSI employed employees aged 21 to 72 years.
Distribution of education levels of the DSI employees in 2013:
1) one employee - secondary education;
2) one employee - incomplete higher education;
3) 15 employees have higher education;
4) 5 employees have a master's degree.
In 2013, the DSI personnel turnover has not diminished compared to 2012, but
has remained unchanged. In 2013, 6 employees were suspended and 5 employees were
admitted.
In-house seminars on various data protection issues were organized to raise the
capacity of the DSI staff, and in 2013, the DSI staff attended various seminars and
courses. The following Public Administration School seminars were attended:
- From the specialist to the leader;
- Interpretation and practical application of Labor Law and Remuneration Law;
- Use of transport in institution and capital company of state and local
government;
- Legal protection of personal data;
- Stress and professional burnout.
A Seminar on personnel management organized by the Riga International
School of Economics and Business Administration was attended, in which topical
issues regarding the selection process for applicants were discussed, as well as the
Seminar "Remote work: For and Against" organized by Microsoft Latvia.
According to the DSI assessment of work environment
risks, one of the psychological and emotional factors faced by the DSI employees in
their work is emotional violence. Therefore, to reduce the probability of occurrence of
emotional violence and to improve the quality of communication with the clients of
DSI, a Seminar on non-verbal communication in difficult situations was attended at
Ltd. Triviums. An internal workshop on communication in difficult situations was also
organized for all DSI employees who provide customer service.
The security manager attended the tech-educational conference "TechDay
2013" organized by Microsoft Latvia, which discussed the latest developments and
topical issues in IT security and management. In turn, the employees of the First
Supervisory Department attended seminars on the legal issues "Fundamental Issues of
Administrative Procedure", "Basic Issues of Administrative Law" and "Practical
Realization of Personal Data Processing" organized by Ltd. "Funditus". The accounting
officer and the personnel officer attended the seminars "Changes in Horizon when
moving to the euro" organized by Ltd. "FMS". The procurement officer participated in
the Seminar "Amendments to the Public Procurement Law 2013" organized by Ltd.
"Funditus".
[Figure: Distribution of the Number of DSI Employees by Age Group, 2012 and 2013]
As the work of the DSI is unthinkable without the cooperation of other European
Union data protection supervisory authorities, foreign language text analysis and
development, in 2013, two DSI employees supplemented their German language skills
by attending language programs by the German Ministry of Foreign Affairs and
Goethe's Institute in the framework of Europanetzwerk Deutsch for civil servants.
In 2012, the European Union Agency for Fundamental Rights (FRA) launched
a study on the use of mediation in resolving personal data protection issues as well as
its use in preventing personal data breaches identified. This issue is also relevant for
Latvia, taking into account the draft Law on Mediation. Within the framework of this
research, the DSI representative participated in discussions with experts from other
countries on various practical aspects of personal data supervision issues, assessing the
possibility of implementing mediation in practice in Latvia. To deepen the knowledge
of mediation among DSI staff, in 2012, two DSI employees attended the "Mediation
Basic Course" organized by "Mediation and ADR".
Performing the annual DSI personnel assessment, the DSI employees pointed
out that raising capacity by attending training seminars is essential in the context of
employee growth. In 2014, the DSI plans to continue the established practice of
organizing DSI in-house seminars. However, taking into account current trends in
employee turnover and remuneration, retaining and motivating employees will be one
of the challenges in 2014.
IV COMMUNICATION WITH THE PUBLIC
In 2013, the DSI, in cooperation with the Public Relations Department of the
Administrative Department of the Ministry of Justice, provided information to the mass
media. The DSI regularly cooperates with the media, at least three times a week, taking
into account the urgency and complexity of the issue of the processing and protection
of personal data influenced by the development of information technology and the
Internet environment. In 2013, various issues related to the protection of personal data
were updated, including a discussion on the reform of personal data protection initiated
by the European Commission.
4.1. Public Information and Education Activities
Most often, the DSI's views on various practical issues of processing and
protecting personal data were requested by journalists from the TV3 "BezTabu", as well
as Internet news portals, with a request to explain how a particular individual could act
in various situations concerning the processing and protection of personal data.
Information was also provided on the results of the various inspections.
In 2013, information requests from journalists of several foreign media on
inspection cases were received, which were reviewed by other national data protection
supervisory authorities and where the residents of Latvia were involved in the violation.
Based on the information provided by mass media, in 2013, the DSI started
several cases of administrative violation regarding alleged breaches of personal data
protection.
The most up-to-date information on the DSI functions and current issues in the
field of personal data protection is published on the DSI Internet home page -
www.dvi.gov.lv.
To inform the public, in 2013, 4 DSI seminars were organized as DSI paid
services, and several informative meetings on issues of processing and
protection of personal data were also held for members of the Association of Latvian
Traders and representatives of local governments (including librarians and educators).
The DSI director participated in an informative seminar organized by the
Ministry of Justice for employees of the State Administration regarding issues of
processing and protection of personal data.
Every working day from 14:00 to 16:00, the DSI employees provide telephone
consultations, explaining the provisions of the Personal Data Protection Law and
informing how to deal with a specific individual's problem related to a possible breach
of personal data protection. In general, counseling is required by data subjects about
their rights under the PDPL (how to handle the situation). Telephone counseling is also
provided to controllers of personal data processing. In 2013, the DSI
provided, on average, 225 phone consultations (including for third-country nationals
who process personal data in Latvia and controllers who transfer personal data to third
countries or who want to exercise their data subject's rights).
For the eighth year, on 28 January, the European Data Protection Day was
celebrated. As every year, on this day, personal data protection supervisory
authorities implement activities to raise awareness of the right of the public to
protect their personal data and to encourage more attention when personal data is passed
on (disclosed) to someone. As already indicated in the report, the DSI participated in
the event organized by the European Commission Representation in Latvia and the
Information Center of the European Parliament on personal data processing and
protection issues, as well as on the current situation in the field of protection of personal
data in Latvia, inviting citizens to protect their data and assess the need for their data
transfer (for example, indicating the risks in the Internet environment).
In order to provide insight into what has been done and what has been seen in
2013, the DSI has summarized the most important information in the context of
registering personal data processing, as well as the most up-to-date personal data
protection files, in section 4.2 of the Annual Report 2013.
4.2. Registration of Personal Data Processing
Article 21, Paragraph three of the PDPL specifies cases in which the processing
of personal data by controllers is to be registered with the DSI, i.e. if the controller:
1) intends to transfer personal data to a state other than a Member State of the
European Union or European Economic Area;
2) intends to process personal data when providing financial or insurance
services, carrying out raffles or lotteries, market or public opinion researches,
personnel selection or personnel assessment as the form of commercial activity;
3) carries out processing of information about the health of a person;
4) processes personal data relating to criminal offences, criminal records
and penalties in administrative violation matters.
The procedure for registering personal data processing also applies to the
processing of personal data carried out in accordance with the PDPL Article 7,
paragraphs 3, 4, 5 and 6, Article 11, Article 13.1, Paragraphs 2, 3 and 4 and Article 28.
Thus, for example, for the state and local government institutions for which processing of
personal data is required for the performance of duties prescribed by law, the legal basis
for the processing of personal data is Article 7, Paragraph 3 of the Law.
The PDPL, which came into force on March 7, 2014, was developed to evaluate
the PDPL standards and their application in practice, including, to facilitate the
operation of the controller. Amendments to the PDPL provide that registration of
personal data processing is only required in certain cases (see Article 21 of the PDPL).
In 2013, the DSI has registered 532 personal data processing and changes in the
processing of personal data, which is more than planned to be registered (planned -
350). Upon receipt of a controller's request, the DSI examines the information provided,
requesting additional information and performing pre-registration checking if
necessary.
In order to ensure effective supervision of personal data protection, the Data
State Inspectorate, like other Member States of the European Union, conducts pre-
registration checking. Section 22, Paragraph two of the Law provides that the Data
State Inspectorate shall identify the processing of personal data where risks are possible
for the rights and freedoms of data subjects. Pre-registration checking must be
determined for such processing of personal data. The Data State Inspectorate
determines each year the areas of personal data processing risks when assessing the
risks associated with the processing of personal data, the number of violations in certain
areas of personal data processing, as well as foreign experience and information
provided on relevant issues in certain areas.
The following areas of risk were identified in 2013:
1) the processing of sensitive personal data, in the framework of which
information about the health of a person is processed;
2) processing of biometric data, including video surveillance;
3) the processing of personal data, in the framework of which the transfer of
personal data outside the European Union borders to third countries takes place (also
paying attention to the use of cloud computing technologies).
When deciding on registration of personal data processing, the DSI issues to the
controller a decision regarding the registration of processing of personal data and makes
an entry in the register of publicly accessible personal data processing available on the
DSI Internet homepage:
http://www.dvi.gov.lv/en/persona-data-protection-and-specialist-registration/personal-data-processing-regists/.
In accordance with Section 22, Paragraph nine of the PDPL, for every
registration of the processing of personal data, a submission of the respective
application to the Data State Inspectorate shall be subject to a state fee in accordance
with the procedure and amount specified by the Cabinet; in accordance with Paragraph
2 of the Cabinet of Ministers Regulation No. 813 of 27 November 2007 "On the
registration fee for registration of personal data processing and registered modifications
registration state fee in the Personal Data Protection Law", the fee is 20 or 40 lats
(28.46 or 56.91 euros). State and local government institutions do not pay state fees for
processing or modifying registration. The total amount of state duty paid in 2013 for
registration of personal data processing and making changes in personal data processing
is LVL 15,351.20. In comparison with 2012, the state fee paid has increased (in 2012 -
13 285.00 LVL).
Compared to the previous reporting period, the highest number of pre-registration
checks was carried out in connection with the processing of sensitive
personal data. In the case of video surveillance, as in the previous reporting
period, follow-up was carried out (20% of the total number of registered personal data
processing), in which it was found that the controller did not correct the weaknesses in
the processing of personal data (in particular, in the case of video surveillance, cases
were found where the controller failed to provide information to the data subjects or
has not provided them in accordance with the requirements of the Law). The
Inspectorate has also repeatedly requested the controllers to specify signs of video
surveillance in order to comply with the requirements of the Law. The issue of the
storage periods for personal data processed during video surveillance is also relevant,
which is assessed on a case-by-case basis. Compared to the previous reporting period,
the number of controllers who, after re-evaluation, reduce the storage period for
personal data and more carefully evaluate the processing of personal data performed
or planned as a whole has increased. The number of pre-registration checks related
to a person's health during the reference period has significantly increased.
To facilitate registration at the Inspectorate of the processing of personal data in the
framework of video surveillance, a model application has been developed for controllers
for the processing of personal data (video surveillance for the purpose of prevention of
criminal offenses and protection of property), which the controllers use, and the
recommendations developed by the Inspectorate are used to find the
optimal solution for the processing of personal data.
During the reporting period, the number of complicated personal data
processing issues has increased; meetings on these issues are organized at the Data State
Inspectorate, which allows the controller to provide additional information about the
processing of personal data and to find a solution for more appropriate protection of
personal data. One of the challenges in recent years is to find out who the personal data
controller is and who the operator is, taking into account the specifics of different
personal data processing cases. There is also a question about the joint controller and
the distribution of responsibilities accordingly.
As indicated, on a number of occasions the relevance of the information
provided by the controllers was verified by performing checking at the places where
personal data was processed. As a result of the pre-registration checking, a decision is
made on whether or not to register the processing of personal data in the Data State
Inspectorate, or additional information from the controller is requested in order to prevent the
deficiencies in compliance with the Law established in the framework of the on-site inspection.
During the reporting period, for example, several repeated pre-registration on-site inspections were
carried out in municipalities that did not initially provide all information about the
processing of personal data. As a result of pre-registration checking, the controllers
often chose to supplement their employees' knowledge of the requirements of the Law
by attending paid seminars organized by the Data State Inspectorate as well as
analyzing the information provided by the DSI Recommendations.
4.3. Registration of Personal Data Protection Specialists
As a result of the globalization process, economic processes today do not have
a geographical boundary that restricts the application of relevant laws, including with
regard to the protection of personal data, because there is no universal international
standard for the processing and protection of personal data that would be binding on all
countries. Therefore, the personal data protection self-regulation approach can help to
address these potential inaccuracies in order to apply commonly the requirements of
personal data protection and privacy. One of these self-regulatory mechanisms is the
personal data protection specialist in each specific company or institution. The first
personal data specialist institute was introduced in Germany in 1977 for the private
sector as an additional self-regulatory mechanism to help those responsible for the
protection of personal data (i.e., controllers) ensure that their activities meet the
requirements of the law. Personal data protection specialists are present in several EU
Member States and it is believed that the personal data protection specialist promotes
the trust of customers and employees in the processing of personal data by an
organization / institution that will be provided in accordance with the requirements of
the law and the principles of personal data protection good practice.
In order to facilitate the protection of personal data, the institution or company
leader may appoint a definite employee to be responsible for the protection of personal
data, or may use outsourced capabilities regarding both the processing and protection of
personal data and the appointment of a personal data protection specialist (the data
protection specialist is qualified by the DSI after the person has passed the examination
at the DSI); a personal data protection specialist is not a mandatory requirement stated
in law.
Since the introduction of this institute in Latvia in 2007, both public sector
institutions and private sector representatives have opted for personal data protection
specialists, whose main task is to provide support and advice to the leadership of
the institution or company in issues related to the processing and protection of personal
data, including solving problem issues in this field. To become a personal data
protection specialist, the individual needs higher education in law science or
information technology.
In 2013, the DSI registered 42 personal data protection specialists on the basis
of a controller's application.
Compared to 2012, when there were 30, controllers have registered 12 more personal data
protection specialists. Controllers apply to the DSI for the registration of personal data
protection specialists who have acquired the qualification of a personal data protection
specialist. The DSI examines an application for the registration of a specialist within 15
days from the day it was received. The registration of personal data protection
specialists in the DSI is free of charge.
On December 18, 2013, amendments to the Cabinet of Ministers Regulations
No. 80 "Procedure for the Training of Personal Data Protection Specialists" came into
force, which supplemented Regulations No. 80, providing for the procedure of
reapplication of certificates or maintenance of qualifications. It is also planned to
specify the list of subjects to be acquired in order to be able to take a test at the
Inspectorate and obtain the qualification of a personal data protection specialist, and to
appoint lecturers who carry out specialist training with at least five years' experience in the
field of personal data protection.
4.4. Opinions and Explanations
In 2013, the DSI received 362 written complaints and, in ensuring personal data
protection supervision, carried out 677 inspections concerning possible non-
compliance of personal data processing with the PDPL. Administrative penalties were
applied in 36 cases - 14 alerts and 22 fines (in total 20 910 LVL). Eight decisions of the
DSI officials regarding the imposition of administrative penalties were challenged by
the director of the DSI, while the court appealed against four decisions of the director
of the DSI regarding the imposition of an administrative penalty and one decision
refusing to renew the procedural deadline.
Compared to the previous year, the number of cases where a penalty is imposed
for failure to provide information to the DSI has changed; there is still a large number
of such violations. In most cases, administrative penalties were applied for the
unlawful processing of personal data (including violation of Article 7 of the PDPL and
the first and second Paragraphs of Article 10), however, in 2013, compared to 2012, the
number of cases where an administrative penalty has been imposed for failure to
provide information to the data subject, has increased (violations of Articles 8, 9 or 15
of the PDPL). This shows that data subjects are increasingly aware of and exercise their
statutory rights, but controllers may not be sufficiently informed about their obligations
vis-à-vis the data subjects.
Complaints were mainly filed on the following areas of personal data
processing:
• Registration of a person as an employee of the company to the State Revenue
Service without the consent of this person to be an employee;
• Failure to provide the information requested by the data subject;
• Publication of personal data on the Internet and transfer of other type of
personal data to third parties (disclosure).
In 2013, the number of complaints received regarding the processing of personal
data in the debt recovery process has decreased, for example, regarding the
transfer of a debt recovery case to the debt recovery company or the insertion of
personal data into the credit history database. This is explained by the fact that at the
end of 2012 the Law On Extrajudicial Recovery of Debt entered into force, which
regulates the activities of the debt recovery service provider and sets requirements for
the creditor and the provider of debt recovery services in respect of debt recovery and
the creation of a database of debt history.
In 2013, the number of complaints received regarding the registration of a person as an
employee of a company in the State Revenue Service without the
consent of this person has increased. Such unlawful personal data processing results in a
significant adverse impact on the data subject's social guarantees, for example, the data
subject is deprived of the right to receive unemployment status and unemployment benefit, as
the person is registered as an employee in the State Revenue Service and only the
particular company is entitled to correct this information, which for the most part it
does not do voluntarily. Consequently, the DSI obliges the State Revenue Service to
correct the personal data mentioned in the application by way of the substitute
enforcement prescribed in the Administrative Procedure Law. As a result of the checking,
personal data is being corrected, but it takes quite a lot of time and consumes a lot of the
DSI resources. In order to find a more effective solution to this problem, as far as
possible to eliminate its causes, the DSI in the beginning of 2013 initiated a meeting
with the parties involved in the process - the State Revenue Service, the State Labor
Inspectorate and also the Ministry of Justice.
In 2013, there has been an increase in the number of complaints related to the
processing of personal data in the field of management, such as billing, the amount of
personal data requested on questionnaires, the amount of personal data provided to the
manager, personal data that becomes available to all owners of apartment houses, debts
for utilities.
Compared to 2012, in 2013, the number of cases that the DSI receives in which a
person gives another person's personal data to the police instead of his own has remained
unchanged. However, the system of liability for the use of another person's personal data
changed: in April 2013, amendments to the Criminal Law entered into force, which
changed the wording of Article 281 of the Criminal Law, which now foresees that the
concealment of the identity of a person, if committed in order to avoid criminal or
administrative liability or committing a criminal offense or in order to help another
person to evade criminal or administrative liability is punishable by deprivation of
liberty for a term up to one year, or by temporary imprisonment, or by forced labor, or
by a fine. Consequently, the DSI, upon receipt of the case and having established this
purpose, terminates the administrative offense record keeping and transmits the file to
the State Police for the commencement of criminal proceedings.
Personal data processing checks are also carried out on the initiative of the
DSI and based on information provided by the media, other institutions and citizens.
For example, the DSI carried out an inspection of a bank's activity in
obtaining and using excessive amounts of personal data from potential employees. As
a result of the inspection, the bank processed questionnaires filled out by potential
employees, reviewed various issues related to the storage and use of personal data. The
DSI continues inspections on this issue in other credit institutions.
Following up on customer loyalty cards in 2013, the DSI found that controllers
were frequently unable to justify the amount of personal data requested and the need
for it for a legitimate aim in the questionnaires that are completed for receiving a loyalty card.
Within the DSI inspections, the DSI provided the controllers references to identified
deficiencies, calling for the processing of personal data to be consistent with the PDPL.
During the supervision of the Information Society Services Act (hereinafter -
ISSA), in 2013, the DSI carried out 25 inspections, applying two administrative fines,
totaling LVL 1,000 for sending unlawful commercial communications. In general,
compared to 2012, in 2013, the number of complaints has increased regarding the illegal
sending of commercial communications and the drawing up of commercial
communications. Also, there has been an increase in interest from the merchants
regarding the application of the ISSA and ensuring the legal transmission of
commercial communications.
An important obstacle to supervising compliance with the ISSA and PDPL is
the constant emergence of new technologies and services and the evolution of existing
ones, while the regulatory framework and the current inspection practice are not capable of
ensuring sufficiently effective operation under new and changing conditions. The DSI staff must
be able to grow steadily and be prepared to face new and unforeseen situations. Also,
in many cases when an activity is carried out in an electronic environment, for example,
a commercial communication or personal data published on the Internet, it is difficult
to identify the person responsible for the action, given that the electronic environment
makes it possible to act while hiding one's identity. Also, the DSI work is adversely
affected when legal and natural persons do not provide information in a timely manner or do
not provide the required information within the DSI examination at all.
Taking into account the experience gained during the inspections carried out in
2013 and the issues raised in the consultations, in 2014, the DSI intends to prioritize
the processing of personal data within the framework of labor relations, the security of
personal data and the right of the data subject to obtain from the manager
information on the processing of the data subject's personal data.
In 2013, the DSI was involved in 23 cases, which were considered by the courts orally or
in writing. In most cases, the court reviewed the decisions of the DSI on
the application of administrative penalties and other DSI decisions, including the DSI
decision on the obligation to suspend the processing of personal data, the DSI decision
to extend the probation period, and the refusal of the DSI to grant the status of personal
data protection specialist. In 2013, the court withdrew only one DSI decision, as the
court considered that in the particular case it was not sufficiently clear whether the
person liable to prosecution was in the meaning of PDPL.
In one of the cases before the court, the DSI carried out an inspection of the
case of sensitive personal data (health information) of the data subject group. The actual
circumstances showed that the company that received the complaint from the group of
citizens (which included sensitive data) about the company's activity, i.e. the complaint
was submitted for a specific purpose, disclosed to the health authority these sensitive
data and requested the health authority to provide further information on the health of
the population. The company justified its action with the fact that additional health
information was needed in order to defend its interests and verify the validity of the
citizens' complaint. In the course of the inspection, the DSI found that the company's
conduct in disclosing sensitive data to the health authority, as well as the behavior of
the health authority upon the request for sensitive data, did not comply with the PDPL - the
processing of personal data was performed without a legal basis and purpose. The court
agreed with the DSI's arguments and stated that the company was not entitled to disclose
sensitive personal data to the health authority. The Court noted that the fair and lawful
processing of personal data imposes an obligation on the controller of personal data to
comply with the requirements of the regulatory framework and the right of a person to
protect his personal data which is a fundamental right and their violation should be
proportionate to the violation of the interests of the controller of personal data.
V DSI PRIORITIES FOR 2014
1) Pre-registration checking in risk areas:
• Sensitive personal data;
• Transfer of personal data to third countries;
• Biometric data processing (including video surveillance).
2) Cooperation with personal data protection authorities of other EU Member States in
order to promote the protection of personal data in the Internet.
3) Development of Recommendation "Data subject rights".