Skip to main content

Data State Inspectorate examines the obtaining and saving personal data by third persons

Jana Paņko (LV), Partner of EuroCloud CPC Network

While the Ministry of Justice of the Republic of Latvia is working on the changes of national legislation for the application of the new General Data Protection Regulation, which entered into force on May 24th, 2016, the national Data State Inspectorate (the “DSI”) has recently examined several cases causing controversies among the public and touching important issues of security of personal data:

Among them is the DSI’s explanation about the use of data, taped on the car video recorders widely used among Latvian car drivers. DSI specified that **if the vehicle is equipped with the video recorder which’s performance causes personal data collection and processing, i.e. if the quality settings of video recorder allow to identify individuals through the filmed material, then a registration of the personal data processing shall be performed, since the Clause 5 of Section 21 of the Personal Data Protection Law applies: a video surveillance is being carried out and the collected material is being retained in a way of enabling access to this video fully or in separate parts. DSI also clarified that persons are entitled to transfer video records obtained by means of use of car video recorder or any other device, when performing video surveillance, to law enforcement bodies or other third persons only in cases, if legal ground to act so exists (Section 7 of the Personal Data Protection Law); however, one should take into account that if processing of personal data, when carrying out video surveillance, has been performed without registration in the DSI, then a person, whose data (for example, picture) were processed, may file a complaint with the DSI. The DSI turns attention to the fact that the legal ground for transfer of such data may be, for example, request by the State Police (such transfer of data would conform to Section 7 (3) of the Personal Data Protection Law).

(**excerpt from the article. See full article here:

DSI has also examined a case about the collection and retain of medical data of individuals performed by a legal entity which’s business is a maintenance of an information system – a medical data archive where the various medical institutions keep the results of made medical examination. The concerns of public about the security of private medical data and the suspected unauthorized access to such sensitive information appeared when an individual found out that this company has an access to his medical examinations  made in other medical institutions of several years, and he nor gave his consent to this company, nor he was warned that such data will be passed to a third person and retained by such company. Having examined the issue, DSI admitted that such company should be treated as a personal data operator who performs his activity on a basis of the agreements concluded with the medical institutions - personal data administrators. The notification of individuals about the delivery of information to a data operator by now is only an advisable measure of personal data administrator, what, however, will be revised starting from May, 2018 by the application of General Data Protection Regulation.


Changes in the national regulation regarding the personal identification numbers

One of the upcoming changes in the national regulation will enter into force on July 1th, 2017: the changes of the Population Register law will specify that personal identity number, which by now is being composed by eleven numbers first six of which refer to the day, month and the year of birth, and other five are being composed by a specific rules, will change, so the first two numbers will be “32” and other nine numbers from “0” to “9” will be automatically randomly generated. Thus, through the new personal identity numbers will not be possible to establish person’s age, so it will prevent the possible discrimination of an individual and provide for the security of such data. The individuals, who have a personal identity number composed by the previous rules, will have a single opportunity to require a new personal identity number compiled without the date of birth.


Article provided by: Jana Paņko, Latvia

External links:

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.


About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.