EU – Baltic States, Good for Business, Latvia, Legal Counsel, Legislation, Markets and Companies, Technology
International Internet Magazine. Baltic States news & analytics
Sunday, 06.10.2024, 12:56
Personal Data Processing Law is coming into force in EU on May 25, 2018
As for now,
procession of personal data in Latvia is regulated by Personal Data Protection Law, which is expected to expire, when a
new law will be adopted. The Saeima already approved the concept of new Personal Data Processing Law, but date
of coming into force is currently unknown. The bill will be examined by the
parliamentary commission and during the Saeima session, which means, that
during legal uncertainty it is crucial to take the EU Regulation into account.
It should be
noted, that common rules of personal data protection principles won’t change.
At the same time, legal mechanisms of personal data protection and data subject
rights will be expanded significantly. According to the EU Regulation, data
administrator should fully acquaint data subject with:
·
Personal data processing method.
·
Purpose of personal data processing.
·
Legal basis of personal data processing.
·
Legitimate interests, which is necessary to protect by
processing personal data.
·
Information about data protection specialist.
·
Personal data receivers.
·
Information about transferring personal data to third
(non-EU) countries.
During data processing administrator also should provide data subject with information about:
- The storage period.
- · Data subject rights to have access to his personal data.
- · Data subject rights to withdraw his consent to process his data.
- · Data subject rights to make a complaint to a responsible government institution.
- · Data subject obligations to provide information to data administrator and repercussions should data subject refuse.
The EU Regulation also sets up requirements, when data protection specialist must be provided by data administrator. Latvian Personal Data Protection Law already regulates this area, and new rules will just make minor adjustments for the EU legislation system’s unification. In the EU Regulation it is said, that data protection specialist must be provided when:
- · Data administrator belongs to public institution or structure (except courts).
- · Regular and systematic observation of a large scale of data subjects is happening.
- · Processes personal data in relation to the criminal offences and other violations.
- · It is prescribed by the law.
In connection to
the new requirements, it’s also crucial to understand the new data protection
impact assessment. Data administrator should from now on assess how data
processing method can affect the subject’s personal data. After the EU Regulation comes into force, Data State
Inspectorate will develop and publish the list of data processing methods that
require data protection impact assessment. The assessment is required, when
evaluation and profiling is going to happen, as well as sensitive data
processing, the new or innovative technologies are used, and in some other
cases. The impact assessment should be done by data administrator, and consists
of:
- · Systemic description of personal data processing (processing type, scale and goals are reported; receivers, equipment, programs, the storage period etc. are specified).
- · The assessment of necessity and proportionality (legality and legitimacy of data processing are confirmed; data subject is aware of his rights and responsibilities).
- · Managing possible risks for the subject (sources of risk are taken into account, precautionary measures are made, possible impact on rights and freedoms of the subject in case of unlawful changes and data loss).
·
Persons involved in data processing (data protection
specialist’s consultation, the subject’s opinion on the matter).
The assessment
is not necessary if data processing had been made before 25 May 2018 (except
cases, when processing conditions were changed), data subject isn’t taking a
great risk, the method of data processing is one of the methods that don’t need
to have the data protection impact assessment according to a government
institution, or the same method of data processing had already been
assessed.
In view of the
foregoing, it’s necessary to note, that there are no fundamental changes in
data processing. As for now, Latvia doesn’t have national law, that’s why it’s
important to take the EU Regulation
into consideration. Even though the EU Regulation
is not concrete in describing data processing principles in the contrast
national legislation, it’s possible to prepare for the upcoming changes now.
Law firm INLAT PLUS international will help your company to prepare for the new
changes and to protect your interests for a period of uncertainty.
Contact information
In order to get
a consultation and additional information you can contact us by phone, email or
coming to our INLAT PLUS international
office:
Office phone
number: (+371) 672 997 76
Mobile phone
number: (+371) 296 216 15
E-mail:
[email protected]
Address:
Krišjāņa Valdemāra iela 38-612, Riga, Latvia