New peculiarities in Latvia concerning personal data processing

The Data State Inspectorate has publicly announced that at the end of 2020 a penalty of EUR 65 000 as well as an obligation to stop unlawful processing (publishing) of personal data have been imposed on the Latvian IT company. According to the press release issued by the Data State Inspectorate, the supervision authority found that this company carried out unlawful processing of personal data by publishing on its own data base platform personal data included in the non-public (limited access) part gathered from the registration files maintained by the Enterprise Register. The State Data Inspectorate has drawn attention to the fact that the illegal disclosure of personal data established within the framework of the case relates to the personal data which cannot be made publicly available upon discretion of the third party service provider.

In this case it is important to note that relevant amendments to the Law “On the Enterprise Register of the Republic of Latvia” entered into force on January 7, 2020. In accordance with these amendments the registration case and the files therein is divided into two parts – public and non-public registration information. The public documents and, consequently, personal data therein, for instance, about person’s capability to represent certain company, shareholders folios, articles of association, amendments thereof, is publicly available and may be re-used, i.e., republished, by the merchants providing such services. On the other hand, non-public documents, which are not directly linked to the business or commercial activities, but nonetheless contain personal data, are considered to be restricted access information and the re-use of such information for public disclosure purpose is prohibited. Consequently, republishing of personal data included in the non-public part of the registration files does not have a legal basis in accordance with the provisions of the GDPR.

Furthermore, as per Data State Inspectorate press release, the Latvian IT company failed to comply with the deadline specified in the Latvian Insolvency Law, which states an explicit deadline for publishing information on the historical insolvency proceedings of a natural person. Namely, historical information attributable to person’s insolvency proceedings can be made publicly available at the merchant’s database no longer than one year after the date of the entry regarding the termination of the insolvency proceedings thereof. However, in this case such information on the historical insolvency proceedings of a natural person was publicly available for five years after. Therefore, taking into account a large number of data subjects affected by such unlawful data processing, as well as the amount of personal data published and the company turnover results, monetary fine of EUR 65,000 has been imposed. This decision has been appealed by the Latvian IT company and further litigation will enlighten more details on this case.  

 

Another quite relevant topic is video surveillance on private property of a natural person. Article 2 (2) (c) of the EU General Data Protection Regulation (hereinafter – the GDPR) states that the GDPR does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity. At the same time, video surveillance is considered to be the processing of personal data by automated means and depending on whether it is possible to identify any certain persons by using such data processing tool, other GDPR provisions relating to the processing of personal data must be considered. 

The Data State Inspectorate has recently publicly emphasized that up until May 25, 2018 it was necessary to register any planned processing of personal data in The Data State Inspectorate prior to any commencement of video surveillance but with the GDPR coming into force this obligation no longer exists. It is also noted the GDPR is not applicable to false cameras or when no personal data is processed through the camera, for example, when the camera is not switched on or the recording resolution is so low that the image does not allow this information to be attributed to an identifiable person. Nonetheless, video surveillance carried out for personal or household purpose also has to be compliant, inter alia in cases where the neighboring or adjoining property of other persons or the public space is or may be observed.

In the Data State Inspectorate published guidelines many factors are described that shall be taken into consideration before starting video surveillance. For example, it is important to ensure that a neighbouring private area is not observed in the video surveillance, but, if it does fall in the filming area, then only the territory closely associated with achieving the chosen purpose of processing personal data – prevention or detection of a criminal offence or misdemeanor, shall be observed.

Moreover, the minimum number of cameras needed to achieve the purpose of the data processing should be assessed and also the storage period of the video surveillance records should be fixed and the recordings should not be kept for longer than necessary. In this regard, the supervision authority advises that video recordings should be stored not longer than a few days, i.e., 72 hours, because it is not usually useful to keep records for longer period but, if there is necessity to store such data for a longer period of time, then more detailed considerations shall be provided to determine reasonable retention period. It is also important to keep in mind and ensure that only persons, who actually need the access to the records, can access them. Moreover, the number of such persons must be strictly limited and monitored at all times in order to ensure secure and compliant processing of personal data. 

Another consideration also shall be remembered, namely, upon installing video surveillance system there is an obligation to inform data subjects on the processing of personal data. At the location of the camera or before entering the filming area a warning sign must be placed in a readily legible manner which visibly informs about the installed video surveillance, purposes thereof and the data controller responsible for it.

All in all, it is important to remember that when doubts arise as to whether or not the processing of data through video surveillance falls within the scope of the GDPR, it is recommended to contact the Data State Inspectorate for clarifications or address such inquiry to competent professionals, because regardless of the data processing purpose – purely household or commercial activity, it must comply with the requirements of the GDPR.