On the protection of personal data

28.05.2018 Veronika Ceplisa, lawyer

On May 25, 2018, the General Data Protection Regulation (EU) 2016/679 “On the protection of natural persons with regard to the processing of personal data and on the free movement of such data” (hereinafter referred to as the Regulation) came into force throughout the European Union (EU). It repealed Directive 95/46/EC and ended the operation of the Personal Data Protection Law of Latvia.

Whereas previously each country regulated data processing in its own way, from May 25, 2018 the Regulation applies directly and immediately in all EU member states, including Latvia, without the need to adopt national statutory enactments.

In essence, the Regulation modernises the already existing principles of personal data protection, creating unified rules that apply throughout the EU. The protection afforded by the Regulation applies to natural persons whose personal data are processed, regardless of their citizenship or residence.

The Regulation does not apply to the processing of data concerning legal persons, e.g. enterprises, including the name and legal form of the legal person and its contact information.

Nor does the Regulation apply to the processing of personal data by a natural person in the course of a purely personal or household activity that is unrelated to any professional or commercial activity. Personal or household activity may include correspondence, the keeping of address lists, and interaction on social networks.

What does the concept of “personal data” cover? It is any information by which a person (the data subject) can be identified: name, surname, contact details, residential address, photograph, date of birth, personal code, etc. Accordingly, the processing of personal data means the collection, recording, structuring, storage, use, transfer or destruction of such information, and any other operation performed on it.

A natural or legal person, public authority, enterprise or other body that determines the purposes and means of the processing of personal data is called the Controller.

If an enterprise collects or stores employee data, processes the data of clients or other natural persons, conducts targeted marketing, or works with sensitive data, the Regulation applies to that enterprise and it acts as a Controller.

In other words, the Regulation applies to any enterprise or self-employed person that hires employees, issues invoices to or concludes contracts with natural persons, or processes personal data on any other basis.

It is therefore essential to know what personal data the enterprise processes and in what volume. This calls for an audit that identifies how and for what purpose personal data are collected, stored and used, who has access to them, and to whom they are subsequently transferred.

According to Article 5 of the Regulation, the processing of personal data must comply with the following principles:

  1. Lawfulness, fairness and transparency. Personal data must be processed lawfully, fairly and in a transparent manner. Information about the purposes, methods and extent of processing should be provided in as accessible and simple a form as possible.
  2. Purpose limitation. Personal data must be collected for specified, explicit and legitimate purposes.
  3. Data minimisation. Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed, i.e. kept to the minimum necessary.
  4. Accuracy. Personal data must be accurate and kept up to date.
  5. Storage limitation. Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of the processing.
  6. Integrity and confidentiality. Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against loss, damage or destruction of the data.

The Regulation further provides that the processing of personal data is lawful only if at least one of the following conditions is met:

  1. the data subject has given consent to the processing of his or her personal data;
  2. processing is necessary for the performance of a contract or in order to enter into a contract;
  3. processing is necessary for compliance with a legal obligation to which the controller is subject (e.g. an enterprise transmits information on its employees to the State Revenue Service or the State Social Insurance Agency);
  4. processing is necessary in order to protect the vital interests of the data subject or of another natural person (e.g. if a person is brought to hospital after a serious accident, the hospital does not need his or her consent to look for an identity document in order to retrieve his or her medical history or to contact his or her nearest relatives);
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller (e.g. the Latvian Association of Family Physicians has certain official powers and may conduct disciplinary proceedings against its members);
  6. processing is necessary for the purposes of the legitimate interests pursued by the Controller (e.g. an enterprise may conduct video recording of natural persons in order to protect the security of its property).

The first of the above conditions, the consent of the data subject to the processing of his or her personal data, deserves particular attention. The Regulation requires that consent be freely given, specific, informed and unambiguous.

Consent may be given in written, oral or electronic form. It may be expressed by ticking a box on a website (with a checkmark, a cross, a dot, etc.), by choosing a technical setting, or by any other statement or conduct that clearly indicates that the data subject agrees, in the given context, to the intended processing of his or her personal data. Silence, a pre-ticked box or inactivity on the part of the data subject does not constitute consent. Consent must cover all the processing activities carried out; if the processing has several purposes, consent must be given for each of them. It must be remembered that the data subject has the right to withdraw consent at any time and must be informed of this right.

It should be noted that the Regulation as a whole grants the data subject very broad rights and control over his or her personal data. These rights include:

  • The right of access to his or her data, as well as to information about the purposes of processing, the categories of data, the recipients to whom the personal data have been or will be disclosed, the period for which the personal data will be stored, etc.
  • The right to rectification of inaccurate personal data.
  • The right to erasure of personal data (‘right to be forgotten’). This right may be exercised if, for example, the personal data are no longer required for the purposes for which they were collected, the data subject withdraws the consent on which the processing was based, there is no other legal basis for the processing, or in other cases established by the Regulation.
  • The right to restriction of processing. The data subject has the right to obtain from the controller restriction of processing if the accuracy of the personal data is contested by the data subject, if the processing is unlawful and the data subject opposes the erasure of the personal data, if the controller no longer needs the personal data for the purposes of processing but they are required by the data subject for the establishment, exercise or defence of legal claims, and in other cases.
  • The right to object. The data subject has the right, on grounds relating to his or her particular situation, to object to the processing of personal data relating to him or her in the cases specified in the Regulation. In such a case the controller must cease processing the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or unless the processing serves the establishment, exercise or defence of legal claims. The controller may then process the personal data, other than storing them, only with the consent of the data subject or for the establishment, exercise or defence of legal claims.
  • Other rights provided for by the Regulation.

Article 37 of the Regulation obliges the Controller to designate a data protection officer in the following cases:

  1. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  2. the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;
  3. the core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.

If the enterprise does not meet any of the above criteria, the obligation to appoint a data protection officer does not apply to it.

A key feature of the Regulation that deserves attention is the introduction of serious penalties for violating the rules on the processing of personal data.

The Regulation provides that monetary fines must be effective, proportionate and appropriate. For example, infringement of the basic principles of processing, including the conditions for consent (Articles 5, 6, 7 and 9 of the Regulation), of the rights of the data subject (Articles 12-22 of the Regulation), or of the rules on transfers of personal data to a recipient in a third country or an international organisation (Articles 44-49 of the Regulation) is subject to administrative fines of up to 20 million euros or up to 4% of the company’s turnover for the previous financial year, whichever is higher.

These administrative fines are set directly in the Regulation and will not be transposed into national statutory enactments. In Latvia, the national supervisory authority, the State Data Inspectorate, is responsible for imposing and recovering them. In the event of a minor infringement, the supervisory authority may issue a reprimand instead.
