• Insights

Latvia – The GDPR one year on

Written by
COBALT, the full-service law firm in Latvia of choice for local and multinational businesses and global top law firms.
In the twelve months since the GDPR took effect, the Latvian data protection protection authority has received a record number of complaints and started to impose low-level penalties. Latvia has also adopted local data protection legislation.

The Latvian DPA did not impose many penalties during the first year of GDPR application. The biggest publicly announced penalty was only EUR 2000, which is even smaller than the penalties imposed before the GDPR started to apply a year ago. There are several reasons for this: the DPA announced that in the first year it would be devoted to consulting to ensure appropriate implementation of the GDPR. The DPA was also overloaded due to a record number of complaints. Additionally, historically, the activity of the DPA regarding penalties has been variable: if one year has been productive in terms of penalties, the next has usually been less active.

Data controllers also started reporting personal data breaches but many of these cases did not qualify to be reported under the GDPR. Thus, many controllers choose an overly cautious reporting strategy.

Latvia has adopted a local ‘Personal Data Processing Law’. The Law does not repeat the provisions of the GDPR; instead it sets out provisions regarding the DPA, data protection officers, certification mechanisms, exceptions for data subjects’ rights as well as some specific personal data processing cases (such as children’s person data, video surveillance and logs). Still many data protection provisions can be found in other legislation related to other specific areas of law (such and litigation, patients’ rights, accounting, tax and many others).

There are several trends related to implementation of the GDPR. The most widespread one relates to dealing with the data subjects’ requests: while ensuring access rights is a good test for reviewing a controller’s data processing activities, the ‘right to be forgotten’ can be a reason for a further litigation. Moreover, companies have started paying more attention to security measures tailored specifically for personal data. Finally, GDPR-related questions have become an important part of M&A deals.