Skip to main content

Latvia has adopted the Law on Personal Data Processing


The national Law on Personal Data Processing (the National Law) has entered into force on July 5th, 2018, which made Latvia the first Baltic state who adopted its own national legislation based on the General Data Protection Regulation (GDPR).

Powers of supervisory authority

The National Law inter alia regulates the powers of the national supervisory authority – the Data State Inspectorate (the DSI) and most importantly, the powers to perform the inspections, including all activities to establish whether the data processing complies with the requirements of GDPR and other laws, including the right to visit the place of data processing and obtain information by using all lawful methods and all other necessary actions. Before performing the inspection, the DSI shall inform the controller about the purpose, time and place of the visit and shall ask the representative to be present. However, the absence of the representative cannot be an obstacle for a performance of the inspection.

The National Law thus does not include the controversial wording of the Draft Law which allowed the DSI, without any warning and upon receipt of the decision of the court judge, to enter, in the presence of police, the non-residential premises, apartments, buildings or other objects of immovable property which are in ownership, possession or in use of a data controller or processor, and to perform coercive screening or inspection, to receive any and all documents (including the information on electronic devices) and even the right to seal such premises for 72 hours to ensure the preservation of evidence.

It is also important that similar to previous law, the DSI shall maintain the powers to arrange the qualification test for the Data protection officer as well as examine whether the persons have met the requirements for the maintenance of professional qualification. The more specific requirements shall be specified by the Regulations issued by the Cabinet of Ministers, which have not been developed yet.


General rules on data processing and the limitations

The National Law confirms the position of the Draft law that the child’s consent in relation to information society services shall be considered as lawful, if the child is at least 13 years old, or if the child is younger than 13 years – the consent shall be given by his parent or lawful guardian.

The dashcams used by natural persons for private needs shall not be an object of the National law and the GDPR, therefore the requirement to register dashcams with DSI no longer exists; the data from dashcams shall not be disclosed to other persons and institutions, except if there are grounds specified in the GDPR.

The National law also specifies the minimum information regarding video surveillance to be provided to data subjects on informative signs, i.e. the sign shall include at least the name, contact information of the controller and the purpose of data processing, as well as an opportunity to receive other information specified in Article 13 of the GDPR.

The National Law requires that audit trails (log files) – the registered data on the specific events in the information systems - shall be saved for a period not exceeding one year after the record has been made, if no otherwise stated in any other law or results from the nature of the processing. The National Law does not regulate the duties to secure the storage of log files, such duties shall remain regulated by other applicable laws. The controller has no duty to provide to the data subject the information stipulated in the Article 15 of the GDPR, if no audit trails with the information requested are available. The controller has also no duty to keep the information of the audit trails just to satisfy the data subject’s request.


Administrative and Civil proceedings in case of infringement

The DSI shall take its decisions in accordance with the Administrative Procedure law or the legal acts regulating the process of administrative violations. The administrative acts and actual actions made by the DSI shall be contested within the administrative proceedings.

In case of infringement of civil rights, if the violation has resulted from the breach of requirements of the GDPR, the claim, in accordance with the Civil Procedure Law, shall be lodged within five years after the violation has occurred, or, in case of a long lasting violation – from the day of ceasing the violation.


Article provided by: Jana Panko, NJORD Law Latvia

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.


About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.