The Data State Inspectorate Annual Report 2012

THE DATA STATE INSPECTORATE

ANNUAL REPORT 2012

Riga

1 July 2013

CONTENT

Foreword by Signe Plūmiņa, the Director of the Data State Inspectorate

I BASIC INFORMATION

1.1. Legal status, directions of activity and objectives

1.2. Main tasks and priorities

1.2.1. Participation in discussions on the European Commission's reform of personal data protection

1.2.2. Schengen evaluation visit in the area of data protection

1.2.3. Recommendation development

II FINANCIAL RESOURCES AND RESULTS OF INSTITUTION ACTIVITY

2.1. State budget financing and its use in 2012

2.2. Evaluation of the effectiveness of the budget program

2.3. DSI paid services

2.4. Improvement systems of leadership and activity

III STAFF

IV COMMUNICATION WITH THE PUBLIC

4.1. Public information and education activities

4.2. Registration of personal data processing

4.3. Registration of personal data protection specialists

4.4. Opinions and explanations

V THE DSI PRIORITIES FOR 2013

Gabriel García Márquez once said that

everyone has three lives: public life,

private life and secret life.1

Nowadays, it is becoming

increasingly difficult to separate these

areas of life with the development of

information technologies and

opportunities offered by the Internet

environment.

The privacy and personal data

protection issues have entered the public

agenda both at the national and

international levels. The rapid

development of information technology

and the Internet in the 21st century has

enabled the processing of personal data

to unprecedented levels and at an

unbelievable rate, even by creating new

personal data (such as location and load

data) and offering "the Internet of Things", which in the near future will significantly change the daily life of individuals.

The development of information technology has contributed to the development

of the digital environment and the digital personality, which makes it increasingly

difficult for an individual to control his personal data - who uses them, at what point

and for what purpose.

2012 has marked the time of change in the data protection of natural persons. A

great deal of work has been invested in the preparation of a draft Personal Data

Protection Regulation initiated by the European Commission as well as planned

changes to European Union-wide information systems (e.g. Europol, Schengen

Information System). At the same time, it should be noted that there is an international

debate on personal data that is becoming increasingly valuable for both the private

sector and the public sector, creating new opportunities, and personal data are even known

as the new oil of the 21st century.

If we look at the strategic objectives of the European Union, as set out in the

Digital Agenda for Europe2, they are largely linked to the development of the Internet,

including the development of smart devices and the "internet of things online", which

is related to the processing of personal data. It is expected that the "Internet of Things" will

introduce significant changes in health care, allowing patients to receive care remotely,

while allowing medical personnel to remotely receive sensitive personal data. In the

context of information technology, cloud computing and the development of the

Internet, it is essential to ensure the protection of personal data and data security, since

it will depend on the extent to which individuals will rely on new information technology offerings. Being able to operate an Internet environment without sacrificing your privacy is an important prerequisite for the development of the "Internet of Things" and is related to the individual's trust not only in the Internet environment, but also in a particular service provider. The situation when you come home, and the light will turn on automatically, the water will be boiled in the electronic teapot and the dish will be prepared in the oven, is no longer a fantastic movie scenario, but it becomes a reality using smart home appliances. Therefore, it is important for service providers to implement the principle of integrated privacy by providing their services.

______________________________

1- A prominent Colombian writer, Nobel Prize winner Gabriel García Márquez is widely quoted for various lives of the individuals with regard to the privacy. For more information, see the article of H.Spurling „Gabriel García Márquez: a Life by Gerald Martin” of 10.11.2008 at http://www.telegraph.co.uk/culture/books/non_fictionreviews/3563061/Gabriel-Garcia-Marquez-aLife-by-Gerald-Martin-review.html.

2- For more information, see the European Commission's website: https://ec.europa.eu/digital-agenda/ne

Following the changes in the range of issues to be addressed by the Data State

Inspectorate and increasing public awareness of the role of the data protection of

individuals in their daily lives by protecting their data subject's rights, the greatest

satisfaction is the case when it has succeeded in preventing personal data breach by

resolving the individual’s problem and finding that the personal data processing

controller not only avoids personal data breaches, but also assesses the privacy aspects

and the need to process personal data for specific purposes only.

I would like to introduce the Public Report of 2012 made by the Data State

Inspectorate and remind you to be prepared to protect your personal data and think over

before you tell them to others, ascertaining whether and for what purpose it is necessary,

and also I would like to thank every individual who has expressed interest in the

protection of personal data and has dared to exercise the rights of its data subject or has

faithfully implemented the processing of personal data as a personal data controller,

thus jointly strengthening the protection of personal data in Latvia.

Signe Plūmiņa

The Data State Inspectorate Director

I BASIC INFORMATION

1.1. Legal Status, Directions of Activity and Objectives

The Data State Inspectorate (hereinafter – the DSI) is a state administration institution under the supervision of the Ministry of Justice that acts independently and permanently, fulfils the functions specified in laws, takes decisions and issues administrative acts in accordance with the law.

According to Paragraph 1 of the Transitional Provisions of the Personal Data

Protection Law, the DSI commenced its work on January 1, 2001. On November 28,

2000, the Cabinet of Ministers adopted Regulations No. 408 "Regulations on the Data

State Inspectorate". Director of the DSI since 2001 is Signe Plūmiņa, who also

participated in the process of elaboration of the Personal Data Protection Law and

participated in the discussions on the reform of personal data protection at the European

Union and national level in 2012, including the need to improve the normative acts.

The DSI supervises personal data protection in accordance with the Personal Data Protection Law, carries out the accreditation and supervision of reliable certification service providers in accordance with the Electronic Documents Law, supervises data protection in the electronic communications sector in accordance with the Electronic Communications Law, supervises compliance with the ban on unauthorized commercial communication in accordance with the Law on Information Society Services, and ensures the reporting requirements of Directive 2009/136/EC concerning personal data breaches in the field of electronic communications.

The basic principle of personal data protection is to ensure that each individual

can control information about himself, i.e. control how others use or know how others

use this information. The protection of personal data is an integral part of the

information society, which promotes public trust in public administration and

participation in the decision-making process.

The protection of personal data in Latvia has been strengthened as a key

component of human rights by introducing more specific regulation in various areas of

personal data processing and creating more effective regulation for the protection and

supervision of personal data protection, which is being improved taking into account

the impact of information technology development on the protection of personal data

and increasing the processing of personal data in various fields.

The DSI rights in the field of personal data protection, as set forth in Section 29,

Paragraph four of the Personal Data Protection Law:

1) in accordance with the procedures prescribed by laws and regulations, to

receive, free of charge, information from natural persons and legal persons as is

necessary for the performance of functions pertaining to inspection;

2) to perform inspection of a processing of personal data;

3) to require that data be blocked, that incorrect or unlawfully obtained data be

erased or destroyed, or to order a permanent or temporary prohibition of data

processing;

4) to bring an action in court for violations of this Law;

5) to cancel a registration certificate of the processing of personal data if in

inspecting the processing of personal data infringements are determined;

6) to impose administrative penalties according to the procedures specified by

law regarding infringements of processing of personal data;

7) to perform inspections in order to determine the conformity of processing of

personal data to the requirements of laws and regulations in cases where the

administrator has been prohibited by law to provide information to a data subject and a

relevant submission has been received from the data subject.

The DSI also ensures the supervision of the processing of personal data provided for in the Schengen Information System Act and represents the Republic of Latvia in the Joint Schengen Information System Supervisory Authority, the Joint Europol Supervision Authority, the Europol Appeal Committee and the Joint Customs Information System Supervisory Authority (also ensuring the conduct of inspections at the national level for the above-mentioned information systems), as well as in the Article 29 Working Party of Directive 95/46/EC, in the Advisory Committee of the Council of Europe Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data, and in other activities of the European Union and international personal data protection authorities.

1.2. Main Tasks and Priorities

The DSI priorities for 2012:

1) Participation in discussions on the reform of the European Commission in

the field of personal data protection;

2) Schengen evaluation visit in the area of data protection (in October 2012);

3) Development of the Recommendations - "Personal Data Protection in the

Framework of Labor Relations" and "Data Security".

The Report provides an overview of the progress made with regard to the

priorities for 2012.

1.2.1. Participation in Discussions on the European Commission's Reform of Personal Data Protection

On 25 January, 2012, the European Commission presented a package of

documents launching a comprehensive reform of the European Union's data protection

rules. A key element of the personal data protection reform is the draft regulation on

the protection of individuals with regard to the processing of personal data and their

free movement, which proposes to modernize existing principles by improving the

uniform data protection rules applicable throughout the European Union. In 1995,

Directive 95/46/EC of the European Parliament and of the Council on the protection of

individuals with regard to the processing of personal data and on the free movement of

such data was adopted, which is also at the moment the basic instrument for the

protection of personal data introduced into national law in the Member States. The

development of globalization and the development of new technologies have led to the

emergence of increasingly new aspects in the context of which data protection

regulation could be modernized. In order to guarantee at European Union level the right

of individuals to a high level of protection with regard to the processing of personal

data, it has been decided to update and modernize the current regulation.

The main changes proposed in the European Commission proposal are reducing administrative burdens, increasing the responsibilities and obligations of personal data operators (for example, the obligation of entrepreneurs to introduce personal data protection in the process of developing information technology and personal data processing software), improving the institute for Personal Data Protection, and facilitating the implementation of "the right to be forgotten" (i.e. requiring the deletion of their personal data after the goal of their processing has been achieved), thus contributing to more effective protection of personal data and promoting individuals' confidence in the use of information technology in the processing of personal data.

At the same time, along with the changes, the basic principles that have been

observed to date in the area of data protection - the implementation of the single market

and the effective observance of the fundamental rights and freedoms of the individual,

as set in Article 8 of the Charter of Fundamental Rights of the European Union and

Article 16 of the Treaty on the Functioning of the European Union, remain unchanged.3

Representatives of the Ministry of Justice participate in the development of the draft regulation in the European Union Information Exchange and Data Protection Working Party (DAPIX), while the Data State Inspectorate has provided the necessary support in the context of interpreting the various provisions of the Regulation from a practical point of view. In 2013, the Data State Inspectorate, in co-operation with the Ministry of Justice, will continue to participate in the European Union data protection reform initiative.

On October 5, 2012, the Article 29 Working Party of Directive 95/46/EC, in which the Data State Inspectorate is also represented, adopted Opinion No. 08/2012 "Further Contribution to the Debate on the Reform of the Data Protection Law"4, which points to problematic issues from the point of view of personal data protection.

1.2.2. Schengen Evaluation Visit in the Area of Data Protection

Five years have passed since Latvia joined the Schengen area on December 21,

2007. Within the Schengen area, individuals have the opportunity and the right to move

freely. The Schengen Agreement area is an area where internal border checks are

canceled between certain Schengen area countries. Border checks are performed only

upon entry into the Schengen territory. The purpose of cooperation between countries

in the Schengen area is to protect individuals and their property by reducing the

opportunities for abuse of this right. To provide this, a special data exchange system

has been set up: the Schengen Information System (SIS), which involves an enhanced

and effective cooperation between the police, customs, external border control and

judicial authorities of all Schengen Member States, which is necessary for the removal

of internal borders. In October 2006, before the accession of Latvia to the

Schengen area, Schengen evaluation experts made a visit to Latvia, during which it was assessed

whether Latvia, as a potential Schengen area country, has correctly and efficiently taken

the necessary measures to abolish internal border controls. The assessment visit was

carried out in areas related to internal border controls, visas, data protection, police

cooperation and the Schengen Information System. In October 2012, a revisit of the

Schengen evaluation experts to Latvia in the field of personal data protection was

carried out, in the framework of which Latvia received a positive assessment of the

application of the Schengen acquis as well as ensuring the supervision of personal data

protection in practice.

____________________________________

3- For more information, see the European Commission's website: http://ec.europa.eu/justice/data-protection/

4- See the text of the Opinion at: http://ec.europa.eu/justice/data-protection/article29/documentation/opinion-recommendation/files/2012/wp199_lv.pdf#h2-2.

The experts of the Schengen evaluation visit welcomed cooperation between the Baltic Data Protection Supervisory Authorities through joint inspection activities. The information leaflet on the SIS and on the rights of the data subject to access their data in the SIS, prepared by the DSI, was also positively evaluated (the booklet was also prepared in English and Russian, taking into account that information on their data in the SIS is mainly requested by third-country nationals), as were the model forms developed for the data subject's submission to both the State Police and the DSI for alleged violations of the processing of personal data in the SIS.5

1.2.3. Recommendation Development

In 2012, two Recommendations were planned - "Protection of personal data

within the framework of employment relations" and "Data security". Taking into

account the amount of work related to the preparation for the Schengen evaluation

experts' visit in Latvia in the field of personal data protection, as well as taking into

account employee turnover, the development of recommendations was postponed to

2013.

Both Recommendations, on employment relations and on data security, are very topical in assessing complaints received by the DSI about alleged violations. The Recommendation on personal data protection in the framework of employment relations will be developed for employers (controllers within the meaning of the Personal Data Protection Law) with the aim of improving the protection of personal data. In turn, the Recommendation on data security will be developed for small and medium-sized enterprises, with the aim of raising awareness of the security of personal data and promoting responsibility for the processing of personal data.

II FINANCIAL RESOURCES AND RESULTS OF INSTITUTION ACTIVITY

2.1. State Budget Financing and its Use in 2012

The DSI funding consists of two sources of revenue:

1) grant from general revenues;

2) paid services and other own revenue.

The total budget use and budget implementation in 2012, and the comparison with the

previous year is summarized in Table 1.

____________________________________________

5- Information on the rights of the data subject in the Schengen Information System is available on the website of the Data State Inspectorate: http://www.dvi.gov.lv/fpda/.

Table 1. Program 27.00.00 "Data Protection": State budget financing and its use in 2012

| No. | Financial indicators | Last year (factual fulfillment, LVL) | Reference year: approved by law (LVL) | Reference year: factual fulfillment (LVL) |
|---|---|---|---|---|
| 1. | Financial resources to cover expenses (total) | 273861 | 282418 | 272613 |
| 1.1. | Grants | 266147 | 265317 | 265317 |
| 1.2. | Paid services and other own revenue | 7714 | 17101 | 7296 |
| 1.3. | Foreign financial assistance | | | |
| 1.4. | Donations and gifts | | | |
| 2. | Expenditure (total) | 273861 | 287581 | 251285 |
| 2.1. | Maintenance expenses (total) | 269109 | 277666 | 246533 |
| 2.1.1. | Current expenses | 269109 | 277666 | 246533 |
| 2.1.2. | Interest expense | | | |
| 2.1.3. | Subsidies, grants and social benefits | | | |
| 2.1.4. | Current payments to the budget of the European Community and international cooperation | | | |
| 2.1.5. | Maintenance costs transfers | | | |
| 2.2. | Capital expenditure | 4752 | 4752 | 4752 |

2.2. Evaluation of the Effectiveness of the Budget Program

In the framework of the budget program 27.00.00 "Data Protection", LVL 251285 or 89% of planned expenditure was acquired.

In line with the decline in resources, in 2012, the DSI took budgetary resource-

saving measures by limiting expenditure in expenditure headings such as post,

telephone and other communications services, administrative expenditure of the

institution and expenditure related to the institution's activities. In 2012, the

remuneration of employees remained in the amount of 2011. For a summary of the

performance indicators of the budget program, see Table 2.

Table 2. Output indicators of the budget program

| Performance indicator | Planned value | Factual fulfillment | Explanation |
|---|---|---|---|
| Registered personal data processing | 350 | 463 | In fact, the number of registered personal data processings exceeded the planned number by 32.3%, as sectoral pre-registration checking was carried out, which resulted in an increase in registered personal data processing (in particular, regarding video surveillance and the processing of personal data by family doctors). |
| Personal data processing inspections | 350 | 496 | The number of inspections of personal data processing has been increased, taking into account the number of complaints by citizens. |
| Fee for registration of personal data processing | 12 000 | 13 285 | The amount of the fee is slightly beyond what was planned, as the number of registered processings increased because of video surveillance. |
| Penalties applied for breaches of personal data | 10 500 | 18 410 | Penalties were applied for detected personal data breaches, as well as for failure to provide information to the DSI. |

In general, the DSI has reached the projected value of performance indicators

in 2012.

In 2012, no research was conducted from the State budget funds on issues within the competence of the DSI.

2.3. DSI Paid Services

The DSI provides paid services in accordance with the price list, approved by

the Cabinet of Ministers Regulations No. 1063 "Price List of the Data State Inspectorate

Services" of December 19, 2006.

In 2012, the financial gain received from paid services is LVL 7296.

The most commonly used paid services of the DSI were filling in and printing

of the application for registration of personal data processing, the DSI seminars and the

organization of the qualification examination of the personal data protection specialist.

Filling in and printing of the application for registration of personal data processing

The DSI advises the recipient of the service on filling in the application for registration of personal data processing by meeting face-to-face and printing the completed application. In 2012, this paid service was provided to 26 controllers or their representatives. The fee for the service is 25.00 Ls. Total revenue for this paid service in 2012 was 630 Ls.

Organized seminars on personal data protection of natural persons

The DSI has organized informative seminars on the protection of personal data: registration of personal data processing, personal data protection audit, video surveillance, and other personal data protection issues. In total, in 2012, the Data State Inspectorate organized 3 workshops on data protection. The fee for the service is 40 Ls per person; in 2012 the revenue from seminars organized by the DSI was 1320 Ls.

Organizing a qualification test for a personal data protection specialist

In 2012, the DSI organized three tests of personal data protection specialists, in

which 20 applicants participated. The service includes the preparation of the

examination questions and tasks, the preparation of individual response forms, the

organization of the examination and the evaluation of the results by the commission of

three persons, as well as the decision on the preparation of the test results and the

issuance of certificates.

In 2012, the qualification of personal data protection specialists was awarded to

12 applicants. The fee for the service is 243.00 LVL, the total income for the provision

of the "Personal Data Protection Specialist Qualification Test" paid service in 2012 is

LVL 5346. (Compared to 2011, the income from this paid service has increased slightly

by more than 50%, in 2012 - LVL 2916.00).

2.4. Improvement Systems of Leadership and Activity

Within the framework of the 2012 Internal Audit Department of the Ministry of

Justice, the DSI carried out the following audits:

1) Development and coordination of normative acts;

2) Public Procurement System.

The opinion issued by the Internal Audit Division of the Ministry of Justice on

the internal control system of the DSI shows that, overall, an internal control system

has been established, is functioning and is being improved according to the

recommendations of the Internal Audit Division of the Ministry of Justice.

In accordance with the requirements set out in the State Program for Prevention and Combating of Corruption 2013-2015, the DSI conducted a regular implementation and supervision of the Anti-corruption Plan aimed at preventing conflict of interest in the activities of DSI employees. It also includes the attendance of a DSI employee at the seminar "Corruption Prevention" organized by the Corruption Prevention and Combating Bureau, and a relevant seminar was also conducted for employees of the DSI.

III STAFF

The DSI in 2012, like in 2011, had 19 positions. A structural reorganization of the DSI was implemented within the framework of the Cabinet of Ministers Recommendation No. 2 "Procedure for the Establishment of the State Administration Institution" of December 14, 2010. On November 1, 2012, the operational part of the institution and the Finance and Budget Planning Department were liquidated, while the Administrative Division, which performs the functions of both liquidated parts, was established.

In the reporting period, the institution employed an average of 15 employees, of

which 12 women and 3 men. The average age of staff in 2012 was 36 years. In 2012,

the Data State Inspectorate employed employees aged 20-71 years.

In 2012, personnel turnover at the DSI increased in comparison with previous years. In 2012, 5 employees stopped working and 7 new employees started their employment relations. In 2012, the average employee's employment duration at the DSI was 2.4 years, which significantly affects the efficiency of the DSI, as it is initially necessary to invest time and effort in training new employees. The number of complaints and counseling, on the other hand, has a tendency to increase, and the issues on which the DSI needs to provide counseling become more complex and require in-depth knowledge of information technology and of legislation in the area of personal data protection or specific data processing.

In 2012, the issue was raised not only of attracting new employees to the DSI, taking into account the remuneration and its competitiveness in the labor market, but also of keeping and motivating them. Taking into account this factor, not all staff positions were filled, as it was not possible to attract relevant professional staff in line with the funding allocated within the state budget. This problem is expected to become very topical in 2013. The other EU data protection authorities, as well as the European Data Supervisor Office, are facing a similar problem.

Distribution of education levels for DSI staff - two employees have an

incomplete higher education and 13 employees have higher education. 5 employees

have a master's degree, but one employee plans to get it in 2013.

Domestic DSI workshops on various data protection issues, information technology, information circulation issues and communication and stress reduction were organized to raise the capacity of DSI staff, taking into account the specifics and intensity of work, as well as on the basis of identified work environment risks. All employees who started work in the DSI attended the seminar on "Topicalities of data protection of natural persons" to provide insight into the Personal Data Protection Law and its practical application.

[Figure: The DSI employees by age group, 2012 and 2011. Age groups: under 20, 20-25, 26-30, 31-35, 36-40, 41-45, 50-60, over 70.]

In 2012, the DSI staff attended various seminars and courses, including several

seminars organized by the State Administration School:

- Corruption prevention;

- Conflict and problem solving strategies and tactics;

- Organization of public procurement tenders and application of negotiation procedures: topical requirements of the Public Procurement Law;

- Personnel document management as one of the most important tools for personnel management;

- Amendments to the Latvian Administrative Violations Code.

The seminar at the Riga International School of Economics and Business

Administration in the field of personnel management was attended, where the topical

issues related to the selection process of applicants for attraction of competent and

professional employees, challenges of today's and future labor market, a map of skills

and competences were discussed. The security officer participated in the 33rd Session

organized by the Computer Networking School of Latvia, where discussions were held

on news and current issues in the IT sector, including IT security issues. Two employees

of the DSI also attended seminars "Information Disclosure and Protection of Personal

Data" organized by the Latvian Judicial Training Center and "Topicalities of handling

administrative violation cases". The accounting officer attended the seminar "New

changes in the preparation of annual reports for 2012 in the state budget and local

government institutions" organized by Ltd. "Lietišķās Informācijas dienests" and the

seminar "Accounting in the budgetary institution - topical issues" organized by the

School of Public Administration and the seminar organized by Ltd. "Letija", "The Law on

the Compensation of State and Local Government Officials and Employees and its

Application".

On November 22nd and 29th, 2012, a DSI employee gave a lecture at the

informative seminar organized by the Ministry of Justice "Personal Data Protection

Violations and Related Issues".

As DSI's work is unthinkable without the cooperation with other European Data

Protection Supervisory Authorities, English language text analysis and development, in

2012 two DSI employees supplemented their English language skills by attending

English courses. One DSI employee attended a German language course offered to civil

servants by the German Foreign Ministry and Goethe-Institut program Europanetzwerk

Deutsch to supplement their German language skills.

In 2012, the European Union Agency for Fundamental Rights (FRA) launched

a study on the use of mediation in resolving personal data protection issues as well as

its use in preventing personal data breaches identified. This issue is also relevant for

Latvia, taking into account the draft Law on Mediation. Within the framework of this

research, the DSI representative participated in discussions with experts from other

countries on various practical aspects of personal data supervision issues, assessing the

possibility of implementing mediation in practice in Latvia. In order to deepen the

knowledge of the DSI staff about mediation, in 2012 two DSI employees attended the

"Basic Mediation Course" organized by the Association “Mediation and ADR”.

In assessing the annual performance of the staff, the DSI staff pointed out that

raising capacity by attending training seminars and organized in-house seminars is

essential in the context of employee growth, and that the working environment and

technical support have a significant impact on the results of the work. In the course of

2013, the DSI intends to continue the established practice of organizing DSI internal

seminars in order to promote employee growth opportunities and motivate employees, through

self-learning, to improve and enhance their knowledge of personal data protection

issues.

IV COMMUNICATION WITH THE PUBLIC

In 2012, the DSI, in cooperation with the Public Relations Department of the

Administration Department of the Ministry of Justice, provided information to the mass

media. The DSI regularly cooperates with the mass media, at least twice a week. In

2012, various issues related to the protection of personal data were updated, including

the discussion on personal data protection reform, initiated by the European

Commission.

4.1. Public Information and Education Activities

Most often, the DSI's opinions on various practical personal data protection

issues were asked by TV3 broadcasters "BezTabu" and LNT TV journalists, as well as

Internet news portals, asking the DSI to explain how a particular individual can handle

various personal data protection situations and what are the results of various

inspections. Requests were also received from several foreign mass media

regarding inspections that were reviewed by other national data protection supervisory

authorities and in which residents of Latvia were involved in committing

infringements.

Based on the information provided by the mass media, in 2012, the DSI

launched several cases of administrative violation regarding alleged breaches of

personal data protection.

The most up-to-date information on the DSI functions and current issues in the

field of personal data protection is available at the DSI Internet home page -

www.dvi.gov.lv.

To inform the public, in 2012 six free workshops

on personal data protection issues were organized for judges and representatives of local

governments (including librarians). The DSI in cooperation with the Information

Technology Security Incident Institution CERT.LV has also organized educational

workshops for the staff of educational institutions on personal data protection issues.

The DSI employees provide telephone consultations every working day from

14:00 to 16:00, explaining the provisions of the Personal Data Protection Law and

informing how to deal with a specific individual's problem related to a possible breach

of personal data protection. In general, counseling is sought by data subjects about

their rights under the PDPL (how to handle the situation). Telephone counseling is also

provided to controllers of the processing of personal data in the DSI. In total the DSI

provided 4126 telephone consultations in 2012 (including to third-country nationals

who process personal data in Latvia and controllers who transfer personal data to third

countries).

More than 60% of all face-to-face consultations were related to cases where a

person has been registered at the State Revenue Service as an employee of the company

or registered in the Register of Enterprises of the Republic of Latvia as a member of the

management board of the company without the existence of such relationships.

Unfortunately, such cases tend to increase.

For the seventh year on January 28, the European Data Protection Day was

celebrated. As every year, on this day personal data protection supervisory

authorities carry out activities to raise awareness of the right of the public to

protect their personal data and to encourage more attention when personal data is passed

on (disclosed) to someone. The Data Protection Day is celebrated in all European

countries, as well as in the United States and Canada. Prior to the European Data

Protection Day 2012, the European Commission proposed a major reform of the EU

data protection rules (see information at DSI's priorities for 2012), therefore, in 2012

the DSI representatives participated in discussions that looked at the nature of the

reform and the current situation in the field of personal data protection in Latvia,

inviting citizens to protect their data and assess the need for their data transfer (for

example, to indicate the risks in the Internet environment).

In order to provide insight into what has been done and what has been seen in

2012, the DSI has summarized the most important information in the context of the

registration of personal data processing, as well as the most up-to-date cases of personal

data protection, in Section 4.2 of the Annual Report 2012.

4.2. Registration of Personal Data Processing

In 2012, the DSI registered 463 instances of personal data processing and changes in the

processing of personal data, which is more than was planned (350).

Upon receiving a controller’s request, the DSI reviews the information

provided, if necessary requests additional information, and conducts a pre-registration

check. Each year the DSI defines areas of personal data processing, assessing the

risks associated with the processing of personal data, the number of violations in certain

areas of personal data processing, as well as foreign experience and information

provided on key issues in specific areas. In 2012, the following risk areas were

identified:

- sensitive personal data processing;

- biometric data processing, including video surveillance;

- processing of personal data within which transfers of personal data outside the

European Union's borders to third countries occur (also paying attention to the use of

cloud computing technologies).

The following areas of risk were identified for 2013:

- processing of sensitive personal data, in which information on personal health is

processed;

- video surveillance;

- the processing of personal data within which transfers of personal data outside the

European Union to third countries occur.

When deciding on the registration of processing personal data, the DSI issues a

registration certificate to the controller for the processing of personal data and makes an

entry in the public register of personal data processing available on the DSI website:

www.dvi.gov.lv/registri/pdas/.

In 2012, amendments were made to the PDPL, which provide for the revision

of Article 21 of the Personal Data Protection Law (hereinafter - PDPL) by reducing the

list of data processing persons required to register data processing, as well as

providing that the DSI issues the registration certificate of personal data processing

upon request of the controller and stipulating that the DSI has the right to postpone the

registration of personal data processing if the DSI has established a pre-registration

check.

In accordance with Section 22, Paragraph nine of the PDPL, for every

registration of the processing of personal data, a submission of the relevant application

to the State Data Inspectorate shall be subject to a state fee in accordance with the

procedure and amount specified by the Cabinet, which, in accordance with Paragraph

2 of the Cabinet of Ministers Regulation No. 813 of 27 November 2007 "Regulations

on the registration fee for the registration of personal data processing and registration

of registered modifications registration state fee stated in the Personal Data Protection

Law" is 20 or 40 lats. State and local government institutions do not pay state fees for

processing or modifying registration. Total amount of state fee paid in 2012 for

registration of personal data processing and making modifications in personal data

processing is 13285,00 Ls (12 000 Ls were planned). Compared to 2011, the amount of

the state fee has decreased; in 2011 it was 14070.00 Ls.

4.3. Registration of Personal Data Protection Specialists

In 2012, the DSI registered 30 personal data protection specialists upon

controller's application. Compared to 2011, controllers have registered 6 more personal data

protection specialists; in 2011 there were 24. Controllers notify the DSI of personal data

protection specialists who have acquired the qualification of a personal data protection

specialist. An application for the registration of a specialist is required by the DSI within

15 days from the day it was received. The registration of personal data protection

specialists in the DSI is free of charge.

Taking into account that seven specialists will terminate the personal data

protection specialist's license in 2013, the DSI has drafted amendments to Cabinet of

Ministers Regulation No. 80 of February 5, 2008 "Procedure for the Training of

Personal Data Protection Specialists", which supplement these provisions

by providing for the procedure by which the re-obtaining of certificates or maintenance

of qualifications takes place. It is also planned to specify the list of subjects to be

acquired in order to be able to take a test at the inspectorate and obtain the qualification

of a personal data protection specialist, and to appoint lecturers who carry out specialist

training and have at least five years' experience in the field of personal data protection.

4.4. Opinions and Explanations

In 2012, the DSI received 296 written complaints and, ensuring personal data

protection supervision, carried out 496 inspections of possible non-compliance of

personal data processing with the PDPL. Within the framework of the inspections,

personal data processing violations were detected and administrative penalties were

imposed in 73 cases - 52 alerts and 21 fines (totaling 18 910 LVL). Seven decisions of

the DSI officials regarding the imposition of administrative sanctions were challenged

by the Director of the DSI, while the court ruled against 5 decisions of the DSI Director

regarding the imposition of an administrative fine.

Compared to the previous year, there has been a slight decrease in the number

of cases when the penalty is imposed for failure to provide information to the DSI, but

such violations still remain high. In most cases, administrative penalties were applied

for the unlawful processing of personal data (including violation of Article 7 of the

PDPL and the first Paragraph of Article 10), however, in 2012 the number of cases

where an administrative penalty is imposed for failure to provide information to the

data subject (violation of Articles 8, 9 or 15 of the PDPL). This suggests that data subjects

are increasingly aware of and use their statutory rights, but controllers may not be

sufficiently informed about their responsibilities with regard to the data subjects.

Complaints were mainly filed on the following areas of personal data

processing:

• Transfer of personal data for debt collection purposes;

• Registration of a person as an employee of the company to the State Revenue

Service without the consent of this person to be an employee;

• Failure to provide the information requested by the data subject;

• Publication of personal data on the Internet and the transfer of other personal

data to third parties.

A fairly large number of complaints were received regarding the processing of

personal data processed in the debt recovery process - the transfer of a debt recovery

file to the debt collection company, the insertion of personal data into the credit history

database and the disclosure of personal data to the debtor's family members and

colleagues. Violations were mostly detected in terms of conduct, the insertion of

personal data on a debt into a credit history database and disclosure to the debtor's

family members and colleagues. In one case, an administrative penalty of LVL 2,000

was imposed on the debt collection company for the storage of personal data in a credit

history database that is available to third parties and for failure to provide

information to the data subject. The reduction of such

offenses could be further aided by the Law on Out-of-Court Recovery, which

entered into force at the end of 2012 and which more precisely governs the claims of

debt recovery companies and the processing of personal data that is allowed in the

recovery process.

In 2012, a lot of complaints were still received regarding the registration of a

person as an employee of an enterprise in the State Revenue Service without the consent

of this person. Such unlawful personal data processing results in a significant adverse

impact on the data subject's social guarantees, for example, the data subject is deprived

of the right to receive unemployment status and unemployment benefit as a person is

registered as an employee in the State Revenue Service and only the particular company

is entitled to correct this information, which for the most part it does not

do voluntarily. Consequently, the DSI obliges the State Revenue Service to correct

the personal data mentioned in the application, as a result of enforcement, of the

substitute file prescribed in the Administrative Procedure Law. As a result of the

checking, personal data is being corrected, but it takes quite a long time and consumes

a lot of DSI resources. In order to find a more efficient solution to this problem and to

solve it, as far as possible to eliminate its causes, the DSI plans to address the Ministry

of Justice in 2013.

Personal data processing checks are also carried out on the initiative of the

DSI and on the basis of information provided by the media and other institutions. In

2012, the DSI performed most of such inspections on the basis of information provided

by the State and Municipal Police, which in turn mostly reported cases where

individuals used personal data of other persons instead of their own personal data. The

number of such cases in 2012 has remained unchanged compared to 2011. In 2012, the DSI

also launched several checks on customer loyalty cards, establishing that sometimes the

controller is not able to justify the amount of personal data requested and the need for

it to reach a legal goal. In 2013, these checks will be continued.

In the course of supervising the Information Society Service Law (hereinafter -

ISSL), in 2012, the DSI carried out 13 inspections, including one administrative penalty

of LVL 1300 for unlawful processing of personal data and the sending of illegal

commercial communications.

An important obstacle to supervising compliance with ISSL and PDPL is that the

new and emerging technologies and services are constantly evolving, while the

regulatory framework and the current inspection practice are not capable of ensuring

sufficiently effective operation under new and changing conditions. The DSI staff must

be able to grow steadily and be prepared to face new and unforeseen situations. Also,

in many cases when an activity is carried out in an electronic environment, for example,

when a commercial communication or personal data is posted on the Internet, it is

difficult to identify the person responsible for the action, since in the electronic

environment it is possible to act while hiding one's identity. Also, the DSI work is

adversely affected by legal and natural persons not providing information in time

or not providing the required information within the DSI inspection at all.

Taking into account the experience gained during the inspections carried out in

2012, and the issue raised in the consultations, in 2013, the DSI intends to prioritize the

processing of personal data within the framework of labor relations, the security of

personal data and the right of the data subject to obtain from the controller information

on the identity of the data subject processing of personal data.

In 2012, the DSI was involved in 22 cases, which were examined by the courts

orally or in writing. In one case at a hearing in the context of criminal proceedings

regarding the commission of an offense established in Section 145 of the Criminal Law,

the DSI representative participated as a personal data protection supervisor, giving the

court an opinion on the status of a natural person as a controller. In one case, the DSI

filed a lawsuit against the refusal by a sworn bailiff to accept the decision of the DSI for

enforcement. The court declared the refusal of the sworn bailiff to be unlawful. In other

cases, the court reviewed the decisions of the DPA appealed against the application of

administrative penalties and other DSI decisions, including the decision of the DSI to

suspend the processing of personal data, the obligation to register the processing of

personal data by DSI, the DSI refusal to grant the status of personal data protection

specialist and the DSI refusal to provide a reference. In 2012, the court withdrew only

one DSI decision on which the DSI filed an appeal.

In 2012, cooperation with the data protection supervisory institutions of the

Baltic States was facilitated by the DSI representatives participating in the first meeting

of the personal data protection authorities of the Baltic States, which took place on

March 1 and 2, 2012 in Pärnu, Estonia. The exchange of information on practical work

experience is one of the most important aspects of these annual meetings in order to

facilitate harmonization of data protection requirements in the Baltic region and in the

European Union as a whole. The Baltic Data Protection Authorities also discussed the

practical aspects of implementing the EU Data Protection Reform, and it was decided

to continue cooperation in such format in the future. Within the framework of the

meeting, an agreement was reached on the implementation of the 2012 control measures

in the field of personal data protection, which was implemented simultaneously in all

three Baltic States - a unified control measure of personal data protection supervisory

authorities in connection with the processing of personal data by Radisson Blu hotels.

In 2013, the second annual meeting of representatives of the Baltic Data Protection

Supervisory Authorities will take place in Riga.

V THE DSI PRIORITIES FOR 2013

1) Participation in discussions on the European Commission's reform in data protection;

2) Organizing the 2nd Annual Meeting of the Baltic Data Protection Authorities and

conducting a single inspection;

3) Development of the Recommendation - "Personal data protection within the

framework of legal labor relations" and "Data security".