LATVIA

CHART INSTRUCTIONS:

 Local law does not deviate from the GDPR.

 Local law deviates from the GDPR.

name

Fizisko personu datu apstrādes likums

Status: ADOPTED

SME EXCEPTION

No Deviation

LAWFULNESS OF PROCESSING (ART 6)

No Deviation

CHILD'S CONSENT (ART 8)

SPECIFYING REQUIREMENT: The age for a child’s consent is lowered to the minimum of 13 years old (Art 44 Latvian Act) (Art 33 Latvian Act).

SENSITIVE DATA (GENETIC, BIOMETRIC AND HEALTH DATA) (ART 9 (4))

No Deviation

CCTV (ART 6)

VARYING REQUIREMENT: The Act and GDPR apply to individuals using automated data recording devices for road, personal, or household purposes. Disclosure of records obtained in road traffic to individuals or entities is prohibited unless allowed under the GDPR. Also, the Act and GDPR do not apply to individuals using automated video surveillance for personal or household purposes.

When using video surveillance, a controller must inform data subjects of its name, contact details, the purpose of processing, and the possibility to obtain additional information pursuant to Art 13 GDPR (Art 36 Latvian Act). 

CRIMINAL CONVICTIONS/SECURITY MEASURES (ART 10)

ADDITIONAL REQUIREMENT: Criminal data may be processed upon express consent, in order to prevent an immediate significant public safety risk and in the prevention, investigation, and prosecution of crime or enforcement of criminal penalties (Art 45 Latvian Act) (Art 34 Latvian Act).

AUTOMATED INDIVIDUAL DECISION-MAKING (ART 22)

No Deviation

RESTRICTIONS TO DATA SUBJECT'S RIGHTS (ART 23)

SPECIFYING REQUIREMENT: A data subject’s access rights under Art 15 GDPR are restricted if a controller is not allowed to disclose certain information in accordance with laws, regulations, national security, state defense, public security, and criminal law as well as to ensure the financial interests of a company for tax purposes, prevention of money laundering and terrorist financing, or supervision of financial market participants and the functioning of guarantee schemes, resolutions, and macroeconomic analysis (Art 27 Latvian Act).

VARYING REQUIREMENT: The data subject may receive information on the recipients or categories of recipients that have received the data subject’s personal data within the last two years (Art 27 Latvian Act).

A controller has the right not to provide information under Art 15 GDPR if it no longer has an audit trail related to the information requested (Art 37 Latvian Act).

JOINT CONTROLLER RESPONSIBILITIES (ART 26 (1))

No Deviation

AD HOC NOTIFICATIONS - RECORDS OF PROCESSING ACTIVITIES (ART 30)

No Deviation

SECURITY OF PROCESSING (ART 32)

No Deviation

DATA BREACH (ART 33 & 34)

No Deviation

DATA PROTECTION OFFICER (ART 37(4))

ADDITIONAL REQUIREMENT:
A DPO may be appointed based on Art 37(5) GDPR or based on the SA’s data protection specialist list (Art 17 Latvian Act).

CERTIFICATION (ART 42)

SPECIFYING REQUIREMENT:
The certification body will be a national accreditation body, but if no institution becomes accredited, the SA has the authority to issue certifications. The criteria for issuing the certificates, and the criteria and requirements for accreditation of certification bodies, under Art 42(5) and 43(3) GDPR must be approved by the SA and published on its website no later than three working days after approval (Art 21 Latvian Act). 

DATA TRANSFER DEROGATIONS (ART 49(5))

No Deviation

POWERS SUPERVISORY AUTHORITIES (ART 58)

SPECIFYING REQUIREMENT:
In addition to the powers under Art 58 GDPR, the Act further specifies inspection powers such as the right to request and receive, free of charge, information, documents, or copies, including restricted access information (Art 5 Latvian Act).

CLASS ACTIONS (ART 80 (2))

No Deviation

ADMINISTRATIVE SANCTIONS (ART 83)

No Deviation

PENALTIES (ART 84)

No Deviation

FREEDOM OF EXPRESSION AND INFORMATION (ART 85)

SPECIFYING REQUIREMENT:

When processing data for journalistic purposes, the GDPR does not apply, with the exception of Art 5 GDPR, if certain conditions are met (Art 32 Latvian Act).

HR PROCESSING (ART 88)

No Deviation

PROCESSING FOR ARCHIVING, SCIENTIFIC, HISTORICAL RESEARCH OR STATISTICAL PURPOSES (ART 89)

SPECIFYING REQUIREMENT:

When data are processed for statistical purposes, the rights under Art 15, 16, 18, and 21 GDPR do not apply if they may prevent or significantly impede the achievement of the specific purposes and derogations necessary to achieve those purposes (Art 29 Latvian Act).

When data are processed for archiving purposes in the public interest for the purpose of forming, storing, evaluating, preserving, and using the national documentary heritage, the rights under Art 15 and 16 GDPR must be exercised in accordance with the laws and regulations governing the field of archives (Art 30 Latvian Act).

When data are processed for archiving purposes in the public interest for the purpose of designing, storing, evaluating, preserving, and using the national documentary heritage, the rights under Art 18–21 GDPR do not apply if they may prevent or significantly impede the achievement of the specific purposes and derogations necessary to achieve those purposes (Art 30 Latvian Act).

When data are processed for scientific or historical research in the public interest, the rights under Art 15, 16, 18, and 21 GDPR do not apply if they may prevent or significantly impede the achievement of the specific purposes and derogations necessary to achieve those purposes (Art 31 Latvian Act). (Art 32 Latvian Act).

OBLIGATIONS OF SECRECY (ART 90)

No Deviation

LOCAL DPA GUIDANCE & LEGAL SOURCES

REMARKS

No Deviation