the data state inspectorate · of the digital environment and the digital personality, which makes...
TRANSCRIPT
The Data State Inspectorate Annual Report 2012
1
THE DATA STATE INSPECTORATE
ANNUAL REPORT 2012
Riga
1 July 2013
The Data State Inspectorate Annual Report 2012
2
CONTENT
Foreword by Signe Plūmiņa, the Director of the Data State Inspectorate 3
I BASIC INFORMATION 5
1.1. Legal status, directions of activity and objectives 5
1.2. Main tasks and priorities 6
1.2.1. Participation in discussions on the European Commission's reform
of personal data protection
6
1.2.2. Schengen evaluation visit in the area of data protection 7
1.2.3. Recommendation development 8
II FINANCIAL RESOURCES AND RESULTS OF INSTITUTION
ACTIVITY
8
2.1. State budget financing and its use in 2012 8
2.2. Evaluation of the effectiveness of the budget program 9
2.3. DSI paid services 10
2.4. Improvement systems of leadership and activity 11
III STAFF 11
IV COMMUNICATION WITH THE PUBLIC 14
4.1. Public information and education activities 14
4.2. Registration of personal data processing 15
4.3. Registration of personal data protection specialists 16
4.4. Opinions and explanations 16
V THE DSI PRIORITIES FOR 2013 18
The Data State Inspectorate Annual Report 2012
3
Gabriel Garcia Markess once said that
everyone has three lives: public life,
private life and secret life.1
Nowadays, it is becoming
increasingly difficult to separate these
areas of life with the development of
information technologies and
opportunities offered by the Internet
environment.
The privacy and personal data
protection issues have entered the public
agenda both at the national and
international levels. The rapid
development of information technology
and the Internet in the 21st century has
enabled the processing of personal data
to unprecedented levels and at an
unbelievable rate, even by creating new
personal data (such as location and load
data) and offering "the Internet of things” which in the near future will significantly change the daily life of individuals.
The development of information technology has contributed to the development
of the digital environment and the digital personality, which makes it increasingly
difficult for an individual to control his personal data - who uses them, at what point
and for what purpose.
2012 has marked the time of change in the data protection of natural persons. A
great deal of work has been invested in the preparation of a draft Personal Data
Protection Regulation initiated by the European Commission as well as planned
changes to European Union-wide information systems (e.g. Europol, Schengen
Information System). At the same time, it should be noted that there is an international
debate on personal data that is becoming increasingly valuable for both the private
sector and the public sector, creating new opportunities and personal data, even known
as the 21st Century of New Oil.
If we look at the strategic objectives of the European Union, as set out in the
Digital Agenda for Europe2, they are largely linked to the development of the Internet,
including the development of smart devices and the "internet of things online", which
is related to the processing of personal data. It is expected that the "case internet" will
introduce significant changes in health care, allowing patients to receive care remotely,
while allowing medical personnel to remotely receive sensitive personal data. In the
context of information technology, cloud computing and the development of the
Internet, it is essential to ensure the protection of personal data and data security, since
it will depend on the extent to which individuals will rely on new information technology offerings. Being able to operate an Internet environment without sacrificing
______________________________ 1- A prominent Colombian Writer, Nobel Prize Winner Gabriel García Marcos is widely quoted for
various lives of the individuals with regard to the privacy. For more information, see the article of
H.Spurling „Gabriel García Márquez: a Life by Gerald Martin” of 10.11.2008 at
http://www.telegraph.co.uk/culture/books/non_fictionreviews/3563061/Gabriel-Garcia-Marquez-aLife-
by-Gerald-Martin-review.html. 2- For more information, see the European Commission's website: https://ec.europa.eu/digital-agenda/ne
The Data State Inspectorate Annual Report 2012
4
your privacy is an important prerequisite for the development of the "Internet of
Things" and is related to the individual's trust not only in the Internet environment, but
also in a particular service provider. The situation when you come home, and the light
will turn on automatically, the water will be boiled in the electronic teapot and the dish
will be prepared in the oven, is no longer a fantastic movie scenario, but it becomes a
reality using smart home appliances. Therefore, it is important for service providers to
implement the principle of integrated privacy by providing their services.
Following the changes in the range of issues to be addressed by the Data State
Inspectorate and increasing public awareness of the role of the data protection of
individuals in their daily lives by protecting their data subject's rights, the greatest
satisfaction is the case when it has succeeded in preventing personal data breach by
resolving the individual’s problem and finding that the personal data processing
controller not only avoids personal data breaches, but also assesses the privacy aspects
and the need to process personal data for specific purposes only.
I would like to introduce the Public Report of 2012 made by the Data State
Inspectorate and remind you to be prepared to protect your personal data and think over
before you tell them to others, ascertaining whether and for what purpose it is necessary,
and also I would like to thank every individual who has expressed interest in the
protection of personal data and has dared to exercise the rights of its data subject or has
faithfully implemented the processing of personal data as a personal data controller,
thus jointly strengthening the protection of personal data in Latvia.
Signe Plūmiņa
The Data State Inspectorate Director
____________________________________
The Data State Inspectorate Annual Report 2012
5
I BASIC INFORMATION
1.1.Legal Status, Directions of Activity and Objectives
The Data State Inspectorate (hereinafter – the DSI) is a state administration
institution under the supervision of the Ministry of Justice acting independently and
permanently, fulfilling the functions specified in laws, takes decisions and issues
administrative acts in accordance with the law.
According to Paragraph 1 of the Transitional Provisions of the Personal Data
Protection Law, the DSI commenced its work on January 1, 2001. On November 28,
2000, the Cabinet of Ministers adopted Regulations No. 408 "Regulations on the Data
State Inspectorate". Director of the DSI since 2001 is Signe Plūmiņa, who also
participated in the process of elaboration of the Personal Data Protection Law and
participated in the discussions on the reform of personal data protection at the European
Union and national level in 2012, including the need to improve the normative acts.
The DSI carries out personal data protection supervision in accordance with the
Personal Data Protection Law and carries out the accreditation and supervision of
reliable certification service providers in accordance with the Electronic Documents
Law, supervises data protection in the electronic communications sector in accordance
with the Electronic Communications Law, and supervises the unauthorized commercial
communication ban compliance with the Law on Information Society Services and
ensures the reporting requirements of Directive 2009/136/EC concerning the protection
of personal data breaches in the field of electronic communications.
The basic principle of personal data protection is to ensure that each individual
can control information about himself, i.e. control how others use or know how others
use this information. The protection of personal data is an integral part of the
information society, which promotes public trust in public administration and
participation in the decision-making process.
The protection of personal data in Latvia has been strengthened as a key
component of human rights by introducing more specific regulation in various areas of
personal data processing and creating more effective regulation for the protection and
supervision of personal data protection, which is being improved taking into account
the impact of information technology development on the protection of personal data
and increasing the processing of personal data in various fields.
The DSI rights in the field of personal data protection, as set forth in Section 29,
Paragraph four of the Personal Data Protection Law:
1) in accordance with the procedures prescribed by laws and regulations, to
receive, free of charge, information from natural persons and legal persons as is
necessary for the performance of functions pertaining to inspection;
2) to perform inspection of a processing of personal data;
3) to require that data be blocked, that incorrect or unlawfully obtained data be
erased or destroyed, or to order a permanent or temporary prohibition of data
processing;
4) to bring an action in court for violations of this Law;
5) to cancel a registration certificate of the processing of personal data if in
inspecting the processing of personal data infringements are determined;
6) to impose administrative penalties according to the procedures specified by
law regarding infringements of processing of personal data;
The Data State Inspectorate Annual Report 2012
6
7) to perform inspections in order to determine the conformity of processing of
personal data to the requirements of laws and regulations in cases where the
administrator has been prohibited by law to provide information to a data subject and a
relevant submission has been received from the data subject.
The DSI also ensures the supervision of the processing of personal data
provided for in the Schengen Information System Act and represents the Republic of
Latvia in the Joint Schengen Information System Supervisory Authority, the Joint
Europol Supervison Authority, the Europol Appeal Committee and the Joint Customs
Information System Supervisory Authority (also ensured the conduct of inspections at
the national level for the above-mentioned information systems) as well as Article 29
of the Directive 95/46/EC Working Party and the Council of Europe Convention on the
Protection of Individuals with regard to Automatic Processing of Personal Data in the
Advisory Committee as well as other activities of the European Union and international
personal data protection authorities.
1.2. Mains Tasks and Priorities
The DSI priorities for 2012:
1) Participation in discussions on the reform of the European Commission in
the field of personal data protection;
2) Schengen evaluation visit in the area of data protection (in October 2012);
3) Development of the Recommendations - " Personal Data Protection in the
Framework of Labor Relations" and "Data Security".
The Report provides an overview of the progress made with regard to the
priorities for 2012.
1.2.1. Participation in Discussions on the European
Commission's Reform of Personal Data Protection
On 25 January, 2012, the European Commission presented a package of
documents launching a comprehensive reform of the European Union's data protection
rules. A key element of the personal data protection reform is the draft regulation on
the protection of individuals with regard to the processing of personal data and their
free movement, which proposes to modernize existing principles by improving the
uniform data protection rules applicable throughout the European Union. In 1995,
Directive 95/46/EC of the European Parliament and of the Council on the protection of
individuals with regard to the processing of personal data and on the free movement of
such data was adopted, which is also at the moment the basic instrument for the
protection of personal data introduced into national law in the Member States. The
development of globalization and the development of new technologies have led to the
emergence of increasingly new aspects in the context of which data protection
regulation could be modernized. In order to guarantee at European Union level the right
of individuals to a high level of protection with regard to the processing of personal
data, it has been decided to update and modernize the current regulation.
The main changes proposed in the European Commission proposal are reducing
administrative burdens, increasing the responsibilities and obligations of personal data
operators (for example, the obligation of entrepreneurs to introduce personal data
protection in the process of developing information technology and personal data
The Data State Inspectorate Annual Report 2012
7
processing software), improving the institute for Personal Data Protection, to facilitate
implemantation “the right to be forgotten " (i.e. requiring the deletion of their personal
data after the goal of their processing has been achieved), thus contributing to more
effective protection of personal data and promoting individuals' confidence in the use
of information technology in the processing of personal data.
At the same time, along with the changes, the basic principles that have been
observed to date in the area of data protection - the implementation of the single market
and the effective observance of the fundamental rights and freedoms of the individual,
as set in Article 8 of the Charter of Fundamental Rights of the European Union and
Article 16 of the Treaty on the Functioning of the European Union, remain unchanged.3
In the development process of draft regulation in the European Union
Information Exchange and Data Protection Working Party (DAPIX) the
representatives of the Ministry of Justice participate, while the Data State Inspectorate
has provided the necessary support in the context of interpreting the various provisions
of the Regulation from a practical point of view. In 2013, the Data State Inspectorate,
in co-operation with the Ministry of Justice, will continue to participate in the European
Union data protection reform initiative.
On October 5, 2012, the Working Party 29 of the Directive 95/46/EC, in which
the Data State Inspectorate is also represented, adopted Opinion No. 08/2012 "Further
Contribution to the Debate on the Reform of the Data Protection Law"4, which points
to problematic issues from the point of view of personal data protection.
1.2.2. Schengen Evaluation Visit in the Are of Data Protection
Five years have passed since Latvia joined the Schengen area on December 21,
2007. Within the Schengen area, individuals have the opportunity and the right to move
freely. The Schengen Agreement area is an area where internal border checks are
canceled between certain Schengen area countries. Border checks are performed only
upon entry into the Schengen territory. The purpose of cooperation between countries
in the Schengen area is to protect individuals and their property by reducing the
opportunities for abuse of this right. To provide this, a special data exchange system
has been set up: the Schengen Information System (SIS), which involves an enhanced
and effective cooperation between the police, customs, external border control and
judicial authorities of all Schengen Member States, which is necessary for the removal
of internal borders. In Latvia, in October 2006, before the accession of Latvia to the
Schengen area, Schengen evaluation experts took a visit, during which it was assessed
whether Latvia, as a potential Schengen area country, has correctly and efficiently taken
the necessary measures to abolish internal border controls. The assessment visit was
carried out in areas related to internal border controls, visas, data protection, police
cooperation and the Schengen Information System. In October 2012, a revisit of the
Schengen evaluation experts to Latvia in the field of personal data protection was
carried out, in the framework of which Latvia received a positive assessment of the
application of the Schengen acquis as well as ensuring the supervision of personal data
protection in practice.
____________________________________ 3- For more information, see the European Commission's website: http://ec.europa.eu/justice/data-
protection/ 4- See the text of the Opinion at: http://ec.europa.eu/justice/data-
protection/article29/documentation/opinion-recommendation/files/2012/wp199_lv.pdf#h2-2.
The Data State Inspectorate Annual Report 2012
8
Schengen evaluation visit’s experts welcomed cooperation between the Baltic
Data Protection Supervisory Authorities through joint inspection activities. A positive
information leaflet on the SIS prepared by the DSI and on the rights of the data subject
to access their data in the SIS was also positively evaluated (the booklet was also
prepared in English and Russian, taking onto account that requests for information on
their data in the SIS are mainly requested by third-country nationals) and the model
forms developed for the data subject's submission to both the State Police and the DSI
for alleged violations of the processing of personal data in the SIS.5
1.2.3. Recommendation Development
In 2012, two Recommendations were planned - "Protection of personal data
within the framework of employment relations" and "Data security". Taking into
account the amount of work related to the preparation for the Schengen evaluation
experts' visit in Latvia in the field of personal data protection, as well as taking into
account employee turnover, the development of recommendations was postponed to
2013.
Both the Recommendation on employment relations and data security are very
topical in assessing complaints received by DSI about alleged violations. Within the
framework of personal data protection in the framework of employment relations, the
recommendation will be developed for employers (for controllers within the meaning
of the Personal Data Protection Law) with the aim to improve the protection of personal
data. In turn, the Recommendation on data security will be developed for small and
medium-sized enterprises, with the aim to raise awareness of the security of personal
data and promote responsibility for the processing of personal data.
II FINANCIAL RESOURCES AND RESULTS OF
INSTITUTION ACTIVITY
2.1.State Budget Financing and its Use in 2012
The DSI funding consists of two sources of revenue:
1) grant from general revenues;
2) paid services and other own revenue.
The total budget use and budget implementation in 2012, and the comparison with the
previous year is summarized in Table 1.
____________________________________________ 5- Information on the rights of the data subject in the Schengen Information System is available on the
website of the Data State Inspectorate: http://www.dvi.gov.lv/fpda/.
The Data State Inspectorate Annual Report 2012
9
Table 1. Program 27.00.00 "Data Protection"
State budget financing and its use in 2012 No. Financial indicators Last year
(factual
fulfillment
LVL)
Reference year
Approved by
law (LVL)
Factual
fulfillment
(LVL)
1. Financial resources to
cover expenses (total)
273861 282418 272613
1.1. Grants 266147 265317 265317
1.2. Paid services and and
other own revenue
7714 17101 7296
1.3. Foreign financial
assistance
1.4. Donations and gifts
2. Expenditure (total) 273861 287581 251285
2.1. Maintenance expenses
(total)
269109 277666 246533
2.1.1. Current expenses 269109 277666 246533
2.1.2. Interest expense
2.1.3. Subsidies, grants and
social benefits
2.1.4. Current payments to the
budget of the European
Community and
international cooperation
2.1.5. Maintenance costs
transferts
2.2. Capital expenditure 4752 4752 4752
2.2. Evaluation of the Effectiveness of the Budget Program
In the framework of the budget program 27.00.00 "Data Protection", LVL
251285 LVL or 89% of planned expenditure was acquired.
In line with the decline in resources, in 2012, the DSI took budgetary resource-
saving measures by limiting expenditure in expenditure headings such as post,
telephone and other communications services, administrative expenditure of the
institution and expenditure related to the institution's activities. In 2012, the
remuneration of employees remained in the amount of 2011. For a summary of the
performance indicators of the budget program, see Table 2.
Table 2.Output indicators of
the budget program Efficient indicator Planned
value
Factual
fulfillment
Explanation
Registered personal
data processing
350 463 In fact, the number of processing
personal data registered
The Data State Inspectorate Annual Report 2012
10
exceeded the planned number of
registered personal data
processing by 32.3%, as sectoral
pre-registration checking was
carried out, which resulted in an
increase of the processing of
registered personal data (in
particular, regarding video
surveillance and the processing
of personal data by family
doctors).
Personal data
processing inspections
350 496 The number of inspections of
personal data processing have
been increased, taking into
account the number of
complaints by citizens.
Fee for registration of
personal data
processing
12 000 13 285 The planned amount of the fee is
slightly beyond what is planned,
as the number of registered
processings increased by video
surveillance.
Penalties applied for
breaches of personal
data
10 500 18 410 Penalties were applied for
detected personal data breaches,
as well as for failure to provide
information to the DSI.
In general, the DSI has reached the projected value of performance indicators
in 2012.
In 2012, from the State budget funds, no reserach were conducted on issues
within the competence of the DSI.
2.3. DSI Paid Services
The DSI provides paid services in accordance with the price list, approved by
the Cabinet of Ministers Regulations No. 1063 "Price List of the Data State Inspectorate
Services" of December 19, 2006.
In 2012, the financial gain received from paid services is LVL 7296.
The most commonly used paid services of the DSI were filling in and printing
of the application for registration of personal data processing, the DSI seminars and the
organization of the qualification examination of the personal data protection specialist.
Filling in and printing of the application for registration of personal data
processing
The DSI advises the recipient of the service on filling in the application for registration
of personal data processing, by meeting face-to-face and printing a completed
application for the processing of personal data processing. In 2012, this paid service is
provided to 26 controllers or their representatives. Fee for service 25,00 Ls. Total
revenue for this paid service in 2012 - 630 Ls.
The Data State Inspectorate Annual Report 2012
11
Organized seminars on personal data protection of natural persons
The DSI has organized informative seminars on the protection of personal data -
registration of personal data processing, personal data protection audit, video
surveillance, and others personal data protection issues. In total, in 2012, the Data State
Inspectorate organized 3 workshops on data protection. The fee for the service is 40, -
Ls / per person, in 2012 the revenue from seminars organized by the DSI - 1320 Ls.
Organizing a qualification test for a personal data protection specialist
In 2012, the DSI organized three tests of personal data protection specialists, in
which 20 applicants participated. The service includes the preparation of the
examination questions and tasks, the preparation of individual response forms, the
organization of the examination and the evaluation of the results by the commission of
three persons, as well as the decision on the preparation of the test results and the
issuance of certificates.
In 2012, the qualification of personal data protection specialists was awarded to
12 applicants. The fee for the service is 243.00 LVL, the total income for the provision
of the "Personal Data Protection Specialist Qualification Test" paid service in 2012 is
LVL 5346. (Compared to 2011, the income from this paid service has increased slightly
by more than 50%, in 2012 - LVL 2916.00).
2.4. Improvement Systems of Leadership and Activity
Within the framework of the 2012 Internal Audit Department of the Ministry of
Justice, the DSI carried out the following audits:
1) Development and coordination of normative acts;
2) Public Procurement System.
The opinion issued by the Internal Audit Division of the Ministry of Justice on
the internal control system of the DSI shows that, overall, an internal control system
has been established, is functioning and is being improved according to the
recommendations of the Internal Audit Division of the Ministry of Justice.
In accordance with the requirements set out in the State Program for Prevention
and Combating of Corruption 2013-2015, the DSI conducted a regular implementation
and supervision of Anti-corruption Plan aimed at preventing conflict of interest in the
activities of DSI employees. It also includes the attandance of DSI employee the
seminar organized by the Corruption Prevention and Combating Bureau "Corruption
Prevention ", and also conducted a relevant seminar for employees of the DSI.
III STAFF
The DSI in 2012, like in 2011, had 19 positions. In the framework of the DSI, a
structural reorganization was implemented in the framework of the Cabinet of Ministers
Recommendation No. 2 "Procedure for the Establishment of the State Administration
Institution" of December 14, 2010. On November 1, 2012, the operational part of the
institution was liquidated as well as the Finance and Budget Planning Department,
The Data State Inspectorate Annual Report 2012
12
while the Administrative Division, which performs the functions of both liquidated
parts, was established.
In the reporting period, the institution employed an average of 15 employees, of
which 12 women and 3 men. The average age of staff in 2012 was 36 years. In 2012,
the Data State Inspectorate employed employees aged 20-71 years.
In 2012, DSI, in comparison with previous years, has increased personnel
turnover. In 2012, 5 employees stopped working and 7 new employees started their
employment relations. In 2012, the average employee's employment duration for the
DSI was 2.4 years, which significantly affects the efficiency of the DSI, as it is initially
necessary to invest time and effort in training new employees. The number of
complaints and counseling, on the other hand, has a tendency to increase, as well as
issues that the DSI needs to provide counseling, becomes more complex and requires
in-depth knowledge of information technology and legislation knowledge in the area of
personal data protection or specific data processing.
Within the framework of 2012, the issue has been raised not only about
attracting new employees to the DSI, taking into account the remuneration and its
competitiveness in the labor market, but also keeping and motivating. Taking into
account this factor, all the staff positions were not completed, as it was not possible to
attract relevant professional staff in line with the funding allocated within the state
budget. This problem is expected to become very topical in 2013. The other EU data
protection authorities, as well as the European Data Supervisor Office, are facing a
similar problem.
Distribution of education levels for DSI staff - two employees have an
incomplete higher education and 13 employees have higher education. 5 employees
have a master's degree, but one employee plans to get it in 2013.
Domestic DSI workshops on various data protection issues, information
technology, information circulation issues and communication and stress reduction
were organized to raise the capacity of DSI staff, taking into account the specifics and
intensity of work, as well as on the basis of identified work environment risks. All
0
33.5
4
5
4
2
11
2 1.8
6
4
1 1 1
0
1
2
3
4
5
6
7
Zem 20 20-25 26-30 31-35 36-40 41-45 50-60 Virs 70
The DSI employees by age group
2012 2011
The Data State Inspectorate Annual Report 2012
13
employees who started work in the DSI, the seminar on "Topicalities of data protection
of natural persons" to provide insight into the Personal Data Protection Law and its
practical application.
In 2012, the DSI staff attended various seminars and courses, including several
seminars organized by the State Administration School:
- Corruption prevention;
- Conflict and problem solving strategies and tactics;
- Organization of public procurement tenders and application of negotiation procedures
- topical requirements of the Public Procurement Law;
- Personnel document management as one of the most important tools for personnel
management;
- Amendments to the Latvian Administrative Violations Code.
The seminar at the Riga International School of Economics and Business
Administration in the field of personnel management was attended, where the topical
issues related to the selection process of applicants for attraction of competent and
professional employees, challenges of today's and future labor market, a map of skills
and competences were discussed. The security officer participated on the 33rd Session
organized by the Computer Networking School of Latvia, where discussions were held
on news and current issues in the IT sector, including IT security issues. Two employees
of the DSI also attended seminars "Information Disclosure and Protection of Personal
Data" organized by the Latvian Judicial Training Center and "Topicalities of handling
administrative violation cases ". The accounting officer attended the seminar "New
changes in the preparation of annual reports for 2012 in the state budget and local
government institutions" organized by Ltd. "Lietišķās Informācijas dienests" and the
seminar "Accounting in the budgetary institution - topical issues" organized by the
School of Public Administration and seminar organized by Ltd. "Letija" “The Law on
the Compensation of State and Local Government Officials and Employees and its
Application ".
On November 22nd and 29th, 2012, the DSI employee hold a lecture at
informative seminar organized by the Ministry of Justice "Personal Data Protection
Violations and Related Issues".
As DSI's work is unthinkable without the cooperation with other European Data
Protection Supervisory Authorities, English language text analysis and development, in
2012 two DSI employees supplemented their English language skills by attending
English courses. One DSI employee attended German language course offered to civil
servants by German Foreign Ministry and Goethe-Institut program Europahetzwerk
Deutsch to supplement their German language skills.
In 2012, the European Union Agency for Fundamental Rights (FRA) launched
a study on the use of mediation in resolving personal data protection issues as well as
its use in preventing personal data breaches identified. This issue is also relevant for
Latvia, taking into account the draft Law on Mediation. Within the framework of this
research, the DSI representative participated in discussions with experts from other
countries on various practical aspects of personal data supervision issues, assessing the
possibility of implementing mediation in practice in Latvia. In order to deepen the
knowledge of the DSI staff about mediation, in 2012 two DSI employees attended the
"Basic Mediation Course" organized by the Association “Mediation and ADR”.
In assessing the annual performance of the staff, the DSI staff pointed out that
raising capacity by attending training seminars and organized in-house seminars is
essential in the context of employee growth, as well as working environment and
technical support have a significant impact on the results of the work. In the course of
The Data State Inspectorate Annual Report 2012
14
2013, the DSI intends to continue the established practice of organizing DSI internal
seminars in order to promote employee growth opportunities and motivate, through
self-learning, to improve and enhance their knowledge of personal data protection
issues.
IV COMMUNICATION WITH THE PUBLIC
In 2012, the DSI, in cooperation with the Public Relations Department of the
Administration Department of the Ministry of Justice, provided information to the mass
media. The DSI regularly cooperates with the mass media, at least twice a week. In
2012, various issues related to the protection of personal data were updated, including
the discussion on personal data protection reform, initiated by the European
Commission.
4.1.Public Information and Education Activities
Most often, the DSI's opinions on various practical personal data protection
issues were asked by TV3 broadcasters "BezTabu" and LNT TV journalists, as well as
Internet news portals, asking them to explain how a particular individual can handle
various personal data protection situations and what are the results of various
inspections. There were also requests from several foreign mass media received
regarding inspections that were reviewed by other national data protection supervisory
authorities and where the residents of Latvia were involved in the committing
infringements.
Based on the information provided by the mass media, in 2012, the DSI
launched several cases of administrative violation regarding alleged breaches of
personal data protection.
The most up-to-date information on the DSI functions and current issues in the
field of personal data protection is available at the DSI Internet home page -
www.dvi.gov.lv.
For informing the public in the framework of the year 2012 6 free workshops
on personal data protection issues were organized for judges, representatives of local
governments (including librarians). The DSI in cooperation with the Information
Technology Security Incident Institution CERT.LV has also organized educational
workshops for the staff of educational institutions on personal data protection issues.
The DSI employees provide telephone consultations every working day from
14:00 to 16:00, explaining the provisions of the Personal Data Protection Law and
informing how to deal with a specific individual's problem related to a possible breach
of personal data protection. In general, counseling is required by data subjects about
their rights under the PDPL (how to handle the situation). Telephone counseling is also
provided to controllers of the processing of personal data in the DSI. In total the DSI
provided 4126 telephone consultations in 2012 (including to third-country nationals
who process personal data in Latvia and controllers who transfer personal data to third
countries).
More than 60% of all face-to-face consultations were related to cases where a
person has been registered at the State Revenue Service as an employee of the company
or registered in the Register of Enterprises of the Republic of Latvia as a member of the
management board of the company without the existence of such relationships.
Unfortunately, such cases tend to increase.
The Data State Inspectorate Annual Report 2012
15
For the seventh year on January 28, the European Data Protection Day was
celebrated. As every year, within this day, personal data protection supervisory
authorities are performing activities to raise awareness of the right of the public to
protect their personal data and to encourage more attention when personal data is passed
on (disclosed) to someone. The Data Protection Day is celebrated in all European
countries, as well as in the United States and Canada. Prior to the European Data
Protection Day 2012, the European Commission proposed a major reform of the EU
data protection rules (see information at DSI's priorities for 2012), therefore, in 2012
the DSI representatives participated in discussions that looked at the nature of the
reform and the current situation in the field of personal data protection in Latvia,
inviting citizens to protect their data and assess the need for their data transfer (for
example, to indicate the risks in the Internet environment).
In order to provide insight into what has been done and what has been seen in
2012, the DSI has summarized the most important information in the context of the
registration of personal data processing, as well as the most up-to-date cases of personal
data protection, in Section 4.2 of the Annual Report 2012.
4.2. Registration of Personal Data Processing
In 2012, the DSI has registered 463 personal data processing and changes in the
processing of personal data, which is more than it was planned (350 respectively).
Upon receiving a controller’s request, the DSI reviews the information
provided, if necessary, requests additional information and conducts a pre-registration
checking. Each year the DSI defines areas of personal data processing, assessing the
risks associated with the processing of personal data, the number of violations in certain
areas of personal data processing, as well as foreign experience and information
provided on key issues in specific areas. In 2012, the following risk areas were
identified:
- Sensitive personal data processing;
- biometric data processing, including video surveillance;
- processing of personal data within which transfers of personal data outside the
European Union's borders to third countries occur (also paying attention to the use of
cloud computing technologies).
The following areas of risk were identified for 2013:
- processing of sensitive personal data, in which information on personal health is
processed;
- video surveillance;
- the processing of personal data within which transfers of personal data outside the
European Union to third countries occur.
When deciding on the registration of processing personal data, the DSI issues a
registration certificate to controller for the processing of personal data and makes an
entry in the public register of personal data processing available on the DSI website:
www.dvi.gov.lv/registri/pdas/.
In 2012, amendments were made to the PDPL, which provides for the revision
of Article 21 of the Personal Data Protection Law (hereinafter - PDPL) by reducing the
list of data processing persons required registration of data processing, as well as
providing that the DSI issues the registration certificate of personal data processing
upon request of the controller and stipulating that the DSI has the right to postpone the
The Data State Inspectorate Annual Report 2012
16
registration of personal data processing if the DSI has established a pre-registration
checking.
In accordance with Section 22, Paragraph nine of the PDPL, for every
registration of the processing of personal data, a submission of the relevant application
to the State Data Inspectorate shall be subject to a state fee in accordance with the
procedure and amount specified by the Cabinet, which, in accordance with Paragraph
2 of the Cabinet of Ministers Regulation No. 813 of 27 November 2007 " Regulations
on the registration fee for the registration of personal data processing and registration
of registered modifications registration state fee stated in the Personal Data Protection
Law " is 20 or 40 lats. State and local government institutions do not pay state fees for
processing or modifying registration. Total amount of state fee paid in 2012 for
registration of personal data processing and making modifications in personal data
processing is 13285,00 Ls (12 000 Ls were planned). Compared to 2011, the amount of
the state fee has decreased, in 2011 - 14070.00 Ls.
4.3.Registration of Personal Data Protection Specialists
In 2012, the DSI registered 30 personal data protection specialists upon
controller's application. Compared to 2011, controllers have registered 6 personal data
protection specialists more, in 2011- 24. Controllers announce to the DSI personal data
protection specialists who have acquired the qualification of a personal data protection
specialist. An application for the registration of a specialist is required by the DSI within
15 days from the day it was received. The registration of personal data protection
specialists in the DSI is free of charge.
Taking into account that seven specialists will terminate the personal data
protection specialist's license in 2013, the DSI has drafted amendments to Cabinet of
Ministers Regulation No. 80 of February 5, 2008 "Procedure for the Training of
Personal Data Protection Specialists", which provides supplementing these provisions
by providing for the procedure , in which the re-obtaining of certificates or maintenance
of qualifications takes place. It is also planned to specify the list of subjects to be
acquired in order to be able to take a test at the inspectorate and obtain the qualification
of a personal data protection specialist, to appoint lecturers who carry out specialist
training, at least five years experience in the field of personal data protection.
4.4. Opinions and Explanations
In 2012, the DSI received 296 written complaints and, ensuring personal data
protection supervision, carried out 496 inspections of possible non-compliance of
personal data processing with the PDPL.Within the framework of the inspections,
personal data processing violations were detected and administrative penalties were
imposed in 73 cases - 52 alerts and 21 fine (totaling 18 910 LVL). Seven decisions of
the DSI officials regarding the imposition of administrative sanctions were challenged
by the Director of the DSI, while the court ruled against 5 decisions of the DSI Director
regarding the imposition of an administrative fine.
Compared to the previous year, there has been a slight decrease in the number
of cases when the penalty is imposed for failure to provide information to the DSI, but
such violations still remain high. In most cases, administrative penalties were applied
to the processing of unlawful personal data (including violation of Article 7 of the
PDPL and the first Paragraph of Article 10), however, in 2012 the number of cases
The Data State Inspectorate Annual Report 2012
17
where an administrative penalty is imposed for failure to provide information to the
data subject violated Articles 8, 9 or 15 of the PDPL). This suggests that data subjects
are increasingly aware and use their statutory rights, but controllers may not be
sufficiently informed about their responsibilities with regard to the data subjects.
Complaints were mainly filed on the following areas of personal data
processing:
• Transfer of personal data for debt collection purposes;
• Registration of a person as an employee of the company to the State Revenue
Service without the consent of this person to be an employee;
• Failure to provide the information requested by the data subject;
• Publication of personal data on the Internet and the transfer of other personal
data to third parties.
A fairly large number of complaints were received regarding the processing of
personal data processed in the debt recovery process - the transfer of a debt recovery
file to the debt collection company, the insertion of personal data into the credit history
database and the disclosure of personal data on the debtor's family members,
colleagues. Violations were mostly detected in terms of conduct, the insertion of
personal data on a debt into a credit history database and disclosure to the debtor's
family members and colleagues. In one case, the debt collection company for the
storage of personal data in the credit history database, which contains personal data, is
available to third parties, and an administrative penalty of LVL 2,000 was imposed on
the data subject for failure to provide information. The further reduction of such
offenses could be further enhanced by the Law on Out-of-Court Recovery, which
entered into force at the end of 2012 and which more precisely governs the claims of
debt recovery companies and the processing of personal data that is allowed in the
recovery process.
In 2012, a lot of complaints were still received regarding the registration of a
person as an employee of an enterprise in the State Revenue Service without the consent
of this person. Such unlawful personal data processing results in a significant adverse
impact on the data subject's social guarantees, for example, the data subject is deprived
of the right to receive unemployment status and unemployment benefit as a person is
registered as an employee in the State Revenue Service and this information is only
entitled to the correction of the particular company, which for the most part it does not
do it voluntarily. Consequently, the DSI obliges the State Revenue Service to correct
the personal data mentioned in the application, as a result of enforcement, of the
substitute file prescribed in the Administrative Procedure Law. As a result of the
checking, personal data is being corrected, but it takes quite a long time and consumes
a lot of DSI resources. In order to find a more efficient solution to this problem and to
solve it, as far as possible to eliminate its causes, the DSI plans to address the Ministry
of Justice in 2013.
Personal data processing checking are also carried out on the initiative of the
DSI and on the basis of information provided by the media and other institutions. In
2012, the DSI performed most of such inspections on the basis of information provided
by the State and Municipal Police, which in turn mostly reported cases where
individuals used personal data from other persons instead of their personal data. The
number of such cases in 2012 has remained unchanged over 2011. In 2012, the DSI
also launched several tests on customer loyalty cards, establishing that sometimes the
controller is not able to justify the amount of personal data requested and the need for
it to reach a legal goal. In 2013, these checking will be continued.
The Data State Inspectorate Annual Report 2012
18
In the course of supervision the Information Society Service Law (hereinafter -
ISSL), in 2012, the DSI carried out 13 inspections, including one administrative penalty
of LVL 1300 for unlawful processing of personal data and the sending of illegal
commercial communications.
An important obstacle to supervise compliance with ISSL and PDPL is that the
new and emerging technologies and services are constantly evolving, while the
regulatory framework and the current inspection practice are not capable of ensuring
sufficiently effective operation under new and changing conditions. The DSI staff must
be able to grow steadily and be prepared to face new and unforeseen situations. Also,
in many cases when an activity is carried out in an electronic environment, for example,
a commercial communication or personal data published on the Internet is posted, it is
difficult to identify the person responsible for the action, noticing that in the electronic
environment there is an ability to act by hiding its identity. Also, the DSI work is
adversely affected by both legal and natural person's actions without providing timely
information or not providing the required information within the DSI inspection at all.
Taking into account the experience gained during the inspections carried out in
2012, and the issue raised in the consultations, in 2013, the DSI intends to prioritize the
processing of personal data within the framework of labor relations, the security of
personal data and the right of the data subject to obtain from the controller information
on the identity of the data subject processing of personal data.
In 2012, the DSI was involved in 22 cases, which were examined by the courts
orally or in writing. In one case at a hearing in the context of criminal proceedings
regarding the commission of an offense established in Section 145 of the Criminal Law,
the DSI representative participated as a personal data protection supervisor, giving the
court an opinion on the status of a natural person as a controller. In one case, the DSI
filed a lawsuit against the refusal by a sworn bailiff to take the decision of the DSI to
enforce it. The court declared the refusal of the sworn bailiff to be unlawful. In other
cases, the court reviewed the decisions of the DPA appealed against the application of
administrative penalties and other DSI decisions, including the decision of the DSI to
suspend the processing of personal data, the obligation to register the processing of
personal data by DSI, the DSI refusal to grant the status of personal data protection
specialist and the DSI refusal to provide a reference . In 2012, the court withdrew only
one DSI decision on which the DSI filed an appeal.
In 2012, cooperation with the data protection supervisory institutions of the
Baltic States, the DSI representatives was facilitated by participating in the first meeting
of the personal data protection authorities of the Baltic States, which took place on
March 1 and 2, 2012 in Parnu, Estonia. The exchange of information on practical work
experience is one of the most important aspects of these annual meetings in order to
facilitate harmonization of data protection requirements in the Baltic region and in the
European Union as a whole. The Baltic Data Protection Authorities also discussed the
practical aspects of implementing the EU Data Protection Reform, and it was decided
to continue cooperation in such format in the future. Within the framework of the
meeting, an agreement was reached on the implementation of the 2012 control measures
in the field of personal data protection, which was implemented simultaneously in all
three Baltic States - a unified control measure of personal data protection supervisory
authorities in connection with the processing of personal data by Radisson Blu hotels.
In 2013, the second annual meeting of representatives of the Baltic Data Protection
Supervisory Authorities will take place in Riga.
The Data State Inspectorate Annual Report 2012
19
V THE DSI PRIORITIES FOR 2013
1) Participation in discussions on the European Commission's reform in data protection;
2) Organizing the 2nd Annual Meeting of the Baltic Data Protection Authorities and
conducting a single inspection;
3) Development of the Recommendation - " Personal data protection within the
framework of legal labor relations" and "Data security".