Data Protection in Latvia during Covid-19

Published on 18 May 2020 | Reading time approx. 3,5 minutes

Pursuant to the World Health Organisation statement of March 11, 2020, according to which COVID-19 has become a pandemic, on the basis of several national security laws, and following epidemiological safety measures, an emergency situation has been declared in the territory of the Republic of Latvia from March 12 until June 9, 2020, with the purpose of containing the spread of COVID-19.


Taking that into account, the Latvian government implemented an enormous number of changes in national regulations in an attempt to contain the spread of COVID-19, inter alia changing regulatory acts and provisions relating to personal data processing.

Below, the Rödl & Partner Riga office provides up-to-date information on data processing provisions, guidelines, and practice from the standpoint of national personal data protection regulation.



Processing of health data and geolocation

Authorities in relation to citizens

According to the decree of the Cabinet of Ministers “Regarding Declaration of the Emergency Situation” dated March 12, 2020, persons who have been determined by the Centre for Disease Prevention and Control to be contact persons of the COVID-19 infectious disease:
  • must ensure self-isolation at the place of residence (home quarantine) for 14 days and be available to contact and cooperate with the family doctor and other medical practitioners. During this period they must stay at the place of residence and are not allowed to go to work, to community and public places, or to places where a large number of people are present;
  • must observe their health condition for 14 days and measure body temperature twice a day (in the morning and in the evening);
  • must call the emergency number without delay if any signs of acute respiratory infection occur (cough, increased body temperature (fever), shortness of breath);
  • must not expose other persons to the risk of infection, reducing direct contact with other persons (avoid welcoming guests, do not make or attend private visits, do not use public transport, etc.);
  • must use any of the available possibilities for the purchase of basic necessities or food (door-to-door delivery, avoiding contact with the supplier; delivery of food or goods by relatives, who leave the purchased products at the door; requesting assistance from the local government social service office, avoiding direct contact with the social worker).
Persons who have arrived from foreign countries, except Lithuania and Estonia, or for whom the COVID-19 diagnosis has been confirmed and whose health condition allows them to undergo medical treatment at home, must be under strict isolation, observing the aforementioned movement limitations. In the event of recovery, the isolation may be discontinued only with the permission of the attending physician. Citizens and permanent residents of Latvia, and also foreigners, who have not visited countries other than Lithuania and Estonia are not subject to self-isolation for 14 days at the place of residence.

The most important state institutions, which are responsible and entitled to process health data and geolocation of citizens during the emergency situation, are as follows:
  • Centre for Disease Prevention and Control;
  • Health Inspectorate;
  • State Police and the municipal police.
The Health Inspectorate, in cooperation with the State Police and the municipal police, has the authority to control the execution of the above-listed requirements. The Centre for Disease Prevention and Control is entitled to transfer personal data (name, surname, personal identity number, telephone number, the address of the place of quarantine and the actual place of residence) to the Health Inspectorate, the State Police, and the municipal police, or to ensure that the abovementioned institutions have access to the respective personal data.

In order to monitor and ensure that persons comply with the imposed movement restrictions, telecommunication companies provide geolocation data of their customers' mobile devices only upon written requests from authorized state institutions. In this regard, service providers publicly announced that it is not possible to determine the exact location of each person, because only an approximate location, corresponding to the area of a football pitch, can be traced. A representative of another service provider emphasized that the mobile operator does not track the location of its clients, but that upon a justified request the location of a person can be determined by analysing information from the base stations to which the customer's device is or was connected. It is worth mentioning that the State Police and the municipal police have the right to search for persons who are obliged to observe self-isolation or quarantine and, if they are ignoring it, also have the right to forcibly convey such persons to the place of quarantine or the actual residence, as well as to impose monetary sanctions.

Taking that into account, these ongoing data processing activities are performed mainly for a certain group of persons who are recognized as potential carriers of the disease and might endanger public health. There is no other publicly available information concerning non-anonymized government processing of personal data in connection with the geolocation of persons. Anonymous data are used by state institutions for statistical and intelligence purposes, as well as for administration of the COVID-19 spread in the territory of Latvia.

Currently, in Latvia, a few mobile applications are being developed in order to provide a platform for citizens to report, on a voluntary basis, the places they visited before falling ill with COVID-19. The Prime Minister of Latvia explained that it is important for members of society to know whether they have accidentally been in contact with someone who later finds out that he or she has been diagnosed with COVID-19. Another app would help monitor whether persons are observing quarantine and self-isolation. Unfortunately, there is no information on when such applications will become available, where and how they can be downloaded, etc.

In addition, the national supervisory institution, the Data State Inspectorate, instructed state institutions that, when publishing information about new places where COVID-19 has spread, such information may be published strictly in a way that does not allow specific patients or contact persons to be identified. For instance, if any institution plans to publish a map of the COVID-19 spread, the responsible authority may do so by indicating the city or town in question with a larger population.

Temperature measurements 

Due to the COVID-19 outbreak, and in order to mitigate negative outcomes at workplaces as well as to protect personnel, clients and visitors, companies are conducting temperature measurements on a daily basis. It shall be noted that, in Latvia, no specific regulations have been introduced for the processing of such health data of personnel or third parties.
 
As explained by the Data State Inspectorate, temperature measurements could be seen as a precautionary measure that meets the requirements of GDPR, as long as the results of the temperature measurements are not stored anywhere or made available to others. The supervisory institution also advises refraining from default temperature measurements and instead, firstly, simply asking employees whether they have symptoms of COVID-19 or have been diagnosed with COVID-19, and then, if necessary, measuring temperature.

Nonetheless, according to the Latvian labor regulatory acts, it is in general the duty of the employer to ensure working conditions that meet the requirements of occupational health and safety. This also means that it is the employer's responsibility to ensure that his negligence does not cause his employees to fall ill as a result of the virus at work. At the same time, every employee must act responsibly toward his/her workplace and inform the employer without hesitation if he/she is infected or at risk of falling ill. In light of such prudent actions, employers are also entitled to ask employees whether they have been abroad during the last 14 days and whether they have been in contact with patients diagnosed with COVID-19 or contact persons thereof.

A practical problem with temperature measurement is that measurements are not always performed in suitable places. For example, in one supermarket chain, temperature is measured for everyone before entering the store. Due to weather conditions, clothing, peculiarities and characteristics of the person, etc., temperature measurements are quite inaccurate, which may also give a misleading impression of a person's true health condition. Nonetheless, in Latvia, it is the most commonly used health data processing measure to fight and try to contain the spread of COVID-19.

Other data processing measures 

As regards relations between companies and their clients, visitors, and suppliers, it should be recalled that the Latvian supervisory institutions have developed general guidelines on what would be considered good practice. Companies with a high intensity of human flow (retailers, grocery shops, pharmacies, shopping centres, etc.) were required to provide additional security measures at cash desks and to monitor the flow of visitors to avoid crowding. As regards the latter, video surveillance is considered the main data processing instrument used for monitoring people. Given that CCTV itself requires a privacy assessment and a data protection impact assessment, for companies where CCTV is already in place it is relatively easier to integrate a new purpose of personal data processing within existing policies.

It is known that in certain business sectors, for instance in supply chains, the contracting parties require each other and their staff to certify that they comply with the imposed restrictions. Employees visiting the office or business premises, or couriers delivering products, should be declared healthy, and the parties have to inform each other immediately if any employee is diagnosed with COVID-19. Nonetheless, it is of utmost importance for companies to secure the personal data of their employees against any unnecessary exposure. It could be considered good practice to inform the contracting party about the approximate time of day, arrival, and duration of presence, so that the other party has enough information to react and address the issue with its employees who may have been in contact.

Teleworking

As mentioned before, as per the Cabinet of Ministers decree No. 103 of 12 March 2020, since March 12, 2020 the emergency situation has been declared in Latvia. Pursuant to the Latvian government regulations, during the emergency situation, the state and local government institutions, as well as state owned companies shall assess and ensure, to the extent possible, the provision of on-site services remotely.
 
In addition, in order to ensure safety of persons working in private sector and mitigate the risks of the COVID-19 outbreak, the government encouraged companies to move from offices to work from home. Of course, businesses that are not tied to offices do not feel the transition to teleworking as much as those which do their day-to-day operations at offices, e.g., accountants, lawyers, sales managers, financial advisers, etc.

Nevertheless, most professions were able to adapt to the new challenges, inter alia by adjusting internal business processes and policies and by designing new technical tools or using existing ones in order to continue business operations, provide services and remain active throughout this time.

Reacting to this matter, the Data State Inspectorate issued the following guidelines:

Devices

Persons shall take special care to prevent devices such as flash drives, memory sticks, cell phones, laptops, or tablets from being misplaced or lost. It is also essential to ensure that computers, laptops, or other devices used for work are kept in a secure place, so that the devices are in the person’s sight and, during work, any chance of other people seeing the device screen is minimized.

As regards technical configurations, devices must have the necessary updates, such as operating system, software, and antivirus updates. An effective access control system (i.e. multi-factor authentication and secure passwords) shall be used to restrict third-party access to the device, preferably ensuring encryption. Devices should lock automatically if for any reason they are left unattended, and in case of theft the device should immediately delete all data and clear the memory, or it should be possible to do this remotely.

Emails

Companies have to implement internal policies for personnel, and employees must comply with the rules on the remote use of work emails. A person’s work email shall be used only to perform work-related duties; therefore, employees must make sure that they send or receive any content of a private nature on personal email addresses. In addition, no private information should be stored on devices provided by the employer solely for work purposes.
When sending emails, employees have to be sure that the recipient is indicated correctly, especially for emails that contain large amounts of personal data or sensitive personal data.

Cloud computing and network access 

Organizations shall use trusted network or cloud services, whereas the personnel is instructed to follow internal rules and procedures for network or cloud access and data sharing within one organization or when communicating externally. If it is not possible to use trusted network or cloud services, organizations, particularly all employees, shall ensure that all locally stored data is properly backed up in a secure way.

Data protection obligations

Are there any exceptions, due to the emergency situation, to the obligation to comply with GDPR and local laws? Or do all countries need to comply as always?

Despite the emergency situation, the position of the Latvian Data State Inspectorate has not changed. Namely, even during this time, the requirements of GDPR must be strictly observed, personal data must be processed and information must be provided to data subjects in accordance with the provisions specified in applicable laws.

Websites protection: attention to those companies who have seen the urgent need to launch into e-commerce

It is no secret that COVID-19 is a huge opportunity for the development of e-commerce, helping companies, especially merchants, to overcome the current situation.
Both earlier and now, e-commerce in Latvia has been widely used by companies to reach out to customers. This approach is used in the sale of groceries, household goods, electronics, clothes and other products through e-shops. Therefore, there is no urgency to transition business to e-commerce.

However, considering that consumer habits have changed due to the closure of shops and shopping centres, e-shops have now, more than ever before, become important places for processing personal data. In this regard, the main concern that merchants are facing is securing the personal data of users, including banking information. Experts point out only that, in order to save resources and comply with security requirements, it is advisable to use ready-made e-shop platforms that incorporate technical security solutions (HTTPS for communication; TLS and SSL for data encryption; SET, CVV and AVS for payment security; etc.).

Country specifics

Latvia – remote studying process

The requirement to assess the dynamics of a student's individual development is provided by the Latvian education standards prepared by Cabinet of Ministers, as well as the sample curricula developed by the State Education Content Centre.

During the emergency situation in Latvia, the in-person study process has been temporarily terminated in all educational institutions, and studies are organized remotely. Taking that into account, teachers are asked to assess and choose appropriate technological tools and working methods in order to ensure a high-quality remote study process when analysing students’ performance data and to make accurate decisions about further actions. In this regard, teachers are entitled to ask students to participate in video conferences and online webinars, and to receive photos or home-filmed videos for evaluation, etc. The Data State Inspectorate explained that it does not consider such an approach by teachers to be inconsistent with the requirements of GDPR when the study process takes place remotely.

At the same time, the Data State Inspectorate noted that teachers should assign tasks to students in such a way that parents are duly informed about the curriculum and the need to send the relevant data to teachers. Also, where it is possible to verify and examine completion of the assigned task, teachers are instructed to choose, to the greatest possible extent, learning methods with less impact on privacy instead of web chats and videos, for instance applications, educational platforms, or parental acknowledgment (in cases where the student does not have a smart device).

CONTACT

Staņislavs Sviderskis

Assistant Attorney, Certified Data Protection Specialist

Senior Associate

+371 6733 8125
