EU – Baltic States, Good for Business, Latvia, Legal Counsel, Legislation, Markets and Companies, Technology

International Internet Magazine. Baltic States news & analytics Friday, 14.06.2024, 02:10

Personal Data Processing Law is coming into force in EU on May 25, 2018

INLAT PLUS International, specially for BC, Riga, 24.05.2018.Print version
In a modern world, which is constantly changing because of new technologies and communication methods, the significance of personal data protection is growing rapidly. Every person wants to have a guarantee, that his private information will not be disclosed to third parties. In order to achieve this goal, General Data Protection Regulation (hereinafter – Regulation) was adopted to set common requirements for processing personal data in the EU. Regulation shall come into force from 25 May 2018, that’s why it’s important to prepare in advance.

As for now, procession of personal data in Latvia is regulated by Personal Data Protection Law, which is expected to expire, when a new law will be adopted. The Saeima already approved the concept of new Personal Data Processing Law, but date of coming into force is currently unknown. The bill will be examined by the parliamentary commission and during the Saeima session, which means, that during legal uncertainty it is crucial to take the EU Regulation into account.


It should be noted, that common rules of personal data protection principles won’t change. At the same time, legal mechanisms of personal data protection and data subject rights will be expanded significantly. According to the EU Regulation, data administrator should fully acquaint data subject with:

·         Personal data processing method.

·         Purpose of personal data processing.

·         Legal basis of personal data processing.

·         Legitimate interests, which is necessary to protect by processing personal data.

·         Information about data protection specialist.

·         Personal data receivers.

·         Information about transferring personal data to third (non-EU) countries.

During data processing administrator also should provide data subject with information about:

  • The storage period.
  • ·    Data subject rights to have access to his personal data.
  • ·    Data subject rights to withdraw his consent to process his data.
  • ·    Data subject rights to make a complaint to a responsible government institution.
  • ·    Data subject obligations to provide information to data administrator and repercussions should data subject refuse.

The EU Regulation also sets up requirements, when data protection specialist must be provided by data administrator. Latvian Personal Data Protection Law already regulates this area, and new rules will just make minor adjustments for the EU legislation system’s unification. In the EU Regulation it is said, that data protection specialist must be provided when: 


  • ·    Data administrator belongs to public institution or structure (except courts).
  • ·    Regular and systematic observation of a large scale of data subjects is happening.
  • ·    Processes personal data in relation to the criminal offences and other violations.
  • ·    It is prescribed by the law.   

In connection to the new requirements, it’s also crucial to understand the new data protection impact assessment. Data administrator should from now on assess how data processing method can affect the subject’s personal data. After the EU Regulation comes into force, Data State Inspectorate will develop and publish the list of data processing methods that require data protection impact assessment. The assessment is required, when evaluation and profiling is going to happen, as well as sensitive data processing, the new or innovative technologies are used, and in some other cases. The impact assessment should be done by data administrator, and consists of:

  • ·    Systemic description of personal data processing (processing type, scale and goals are reported; receivers, equipment, programs, the storage period etc. are specified).
  • ·    The assessment of necessity and proportionality (legality and legitimacy of data processing are confirmed; data subject is aware of his rights and responsibilities).
  • ·  Managing possible risks for the subject (sources of risk are taken into account, precautionary measures are made, possible impact on rights and freedoms of the subject in case of unlawful changes and data loss).


Persons involved in data processing (data protection specialist’s consultation, the subject’s opinion on the matter).

The assessment is not necessary if data processing had been made before 25 May 2018 (except cases, when processing conditions were changed), data subject isn’t taking a great risk, the method of data processing is one of the methods that don’t need to have the data protection impact assessment according to a government institution, or the same method of data processing had already been assessed.       


In view of the foregoing, it’s necessary to note, that there are no fundamental changes in data processing. As for now, Latvia doesn’t have national law, that’s why it’s important to take the EU Regulation into consideration. Even though the EU Regulation is not concrete in describing data processing principles in the contrast national legislation, it’s possible to prepare for the upcoming changes now. Law firm INLAT PLUS international will help your company to prepare for the new changes and to protect your interests for a period of uncertainty.        


Contact information


In order to get a consultation and additional information you can contact us by phone, email or coming to our INLAT PLUS international office:


Office phone number: (+371) 672 997 76

Mobile phone number: (+371) 296 216 15

E-mail: [email protected]

Address: Krišjāņa Valdemāra iela 38-612, Riga, Latvia

Search site