Reflecting on GDPR Enforcement: 7 Key Infringement Cases in Latvia from 2024

In 2024, the Inspectorate received 693 complaints from data subjects and 148 third-party reports. Several inspections were also initiated on the Inspectorate's initiative. Of these inspections, 49 corrective measures were applied and 23 decisions in administrative infringement proceedings were adopted.

This article will focus on seven of these infringements, which were recorded last year. As the Inspectorate recognized that fines are not always necessary to achieve justice or remedy the situation, alternative corrective measures to fines were applied in several cases.

Multiple cases in the past year have highlighted the importance of cooperation between the controller and the Inspectorate by providing the necessary information when an inspection case is opened. Failure to provide the information may result in negative consequences for the controller, including fines. Last year, the Inspectorate opened many inspection cases relating to the hospital's conduct as the controller. In one such case, the hospital allegedly obtained and transferred patients' personal data to third parties without any legal basis and without informing the data subject. The Hospital did not respond to the Inspectorate's requests to provide answers and explanations. This led to the Inspectorate recognizing such actions as an infringement and imposing a fine of EUR 2000 as a corrective measure on the Hospital. 

A limited liability company was fined EUR 500 for failing to provide information to the Inspectorate. In this case, the Inspectorate carried out preventive checks by looking at the privacy policies of companies published online. The Inspectorate identified deficiencies in the privacy policy and requested the company to respond, which the company failed to do. 

A number of video surveillance inspections were also carried out in 2024. In one of these cases, the Inspectorate had requested information from the company based on complaints from data subjects about video surveillance. When the company was beckoned to provide clarifications about why and on what legal basis the video surveillance was being carried out, no reply was provided. Hence, a fine of EUR 500 was imposed on the company. This highlights the importance of cooperation with the Inspectorate and compliance with its requests, otherwise, such action will be considered a separate offence.

The Inspectorate also received a complaint from a natural person that a certain company providing security services published a video fragment, from its surveillance system, online. Although the video in question was deleted from the online web application, the Inspectorate concluded that the controller also made an audio recording of the video surveillance, which had no legal basis. The company became subject to corrective measures - an obligation to stop creating audio recordings of the surveillance video. 

Several cases relating to the publication of information in the media were also inspected last year. In one case, a collective petition by the company's employees was republished on a website. The published petition retained the names and signatures of 34 employees. Although the legitimate aim of the publication was to inform the public about the wrongful conduct of the undertaking in question, there was no need to include personally identifiable information about the employees to achieve the aim. An obligation to remove personally identifiable information about the applicants was placed upon the undertaking. 

It must be pointed out that publicly available information cannot be freely used. This was highlighted by one of last year's cases. A website republished information from the Health Inspectorate's website, which included information on the name, profession, specialty certification, expiry date and number of the certificate. As it is possible to identify certain individuals from the information provided, contrary to the view of the controller, it was established that personal data was processed in the case. The controller was subject to corrective measures to determine the legal basis for the processing of personal data, as well as to develop and submit personal data processing rules to the Inspectorate.

​

Personal data of a data subject includes not only identifying information, such as name, surname and personal identification number but also images of the person. In this case, online media published an image of a data subject who complained to the Inspectorate. The data subject had requested the controller to delete the images in question, but the controller did not comply with this request. The Inspectorate carried out an inspection and found that the images depicting the data subject were still available in the media. The Inspectorate initially issued a warning to the controller and ordered the controller to bring its processing activities into line with the provisions of the GDPR. However, after a re-inspection, it was found that the obligations imposed had not been complied with. The infringement was considered moderately serious and a corrective measure of a fine amounting to EUR 1 000 was imposed.

These cases remind us of the need for verification of the lawfulness and the genuine necessity of data processing, as well as the obligation to cooperate with the data protection authority when necessary.