Latvia: Exemptions from the General Data Regulation

The requirements of the GDPR do not apply to companies that do not process personal data, that is, according to Article 4(1) of the GDPR, data that can be used to identify, directly or indirectly, a specific person. This exemption therefore also includes the processing of anonymous data. This exception is based on the condition that the processing of the data in question does not identify a specific individual. It should be noted that a person can be identified not only by his or her name, as there are other pieces of information that allow an individual to be linked to data about them. It is therefore important to identify the data that are so closely linked to the individual that they can be identified.

It is also important to stress that for the purposes of the GDPR, a “data subject” is a natural person, so the requirements of the GDPR do not apply to legal persons and their official representatives, and beneficial owners, which must be reported and registered in local commercial registries. Moreover, the GDPR also does not apply to data of deceased persons. Data subject data are only protected by the GDPR during the lifetime of the person, after the death of the person the GDPR is no longer applicable, however, Member States may lay down rules on the processing of such data.

The Regulation is also limited to the territory of application, accordingly, it only applies when the data is processed in the European Union ("EU"). However, if the data processor, such as a company providing services, is located outside the EU but provides services or directs its business activities to EU residents, then the GDPR applies regardless of the place of processing. This suggests that companies should be clear whether they offer services to the EU market and, if so, they should comply with the GDPR or be exempt from it in certain circumstances.

There are situations in life where conflicts of interest arise, and it is necessary to clarify which interests should be prioritised in a given context. In this case, these are the individual’s right to the protection of personal data and national security. The GDPR does not apply to the processing of data for security purposes or for the prevention, investigation, detection or prosecution of criminal offences. This exemption applies if it can be demonstrated that compliance with the relevant rules endangers national security. In addition, these activities are already monitored by separate rules.

There are also separate exemptions for freedom of expression and information, including freedom of journalistic, academic, artistic or literary expression, and the right to protection of personal data under the GDPR. Journalists, researchers and artists are allowed to process personal data in certain cases derogating from the limits of the GDPR with the aim of ensuring a balance between freedom of expression and information and the individual’s right to the protection of personal data. In order to benefit from this exception, organisations must demonstrate that their processing is necessary for the intended purpose of expression or information.

For instance, in Latvia the parliament decided to limit the scope of public disclosure regarding the salaries of government officials. Initially, it was proposed that all government officials’ salaries be published online, but the final decision restricts this requirement to only high-ranking officials who holds decision-making power . This change has sparked debate, with proponents arguing for greater transparency and opponents raising concerns about privacy and data protection. Nonetheless, such regulation relates to the concept of the public interest to know how taxpayers’ money is being spent.