bnt attorneys for CEE close.straight.forward

Latvia gets ready for the GDPR

Latvian Parliament passes Personal Data Processing Law at first reading.

On 12 April 2018, the Latvian Parliament passed the Personal Data Processing Law at first reading. The second – and final – reading is scheduled to take place in the upcoming weeks.

With this legislative act the Parliament is taking the necessary steps towards implementing the new legal framework introduced by the General Data Protection Regulation (GDPR). As of 25 May 2018, the current data protection regime in Latvia – as in other EU countries – will become obsolete and will be replaced by the directly applicable rules and procedures set by the GDPR. Nonetheless, the GDPR still leaves scope for certain national regulatory and implementing measures, such as the composition, functions and investigative powers of the national data protection authority; required qualifications for ‒ and competences of ‒ data protection officers (DPO); or age limits for children to consent to online content. In addition, national parliaments are reserved the right to decide on additional conditions for processing sensitive personal data, or processing personal data in the context of employment relationships or additional sanctions for violation of certain aspects of data protection rules.

The current version of the Personal Data Processing Law adopted by the Latvian Parliament does not make use of these options for making certain aspects of personal data protection even more stringent, nor does it contain any additional requirements or sanctions in the context of personal data processing. In those instances where the GDPR leaves discretion to member states to decide on the severity of a particular regulation, the Latvian legislator seems to follow a path with less restrictive impact (such as choosing the lowest possible age limit – 13 – for a child to be able to consent to data processing).

However, in its current version the Personal Data Processing Law contains some ambiguous provisions which might contravene the GDPR and as such would be invalid. For instance, when looking to appoint a DPO, data controllers or data processors would be allowed to pick not only a person registered as a DPO with the Latvian data protection authority but also “another person”. The requirements applicable to such “other person” – in contrast to the DPO – are not defined by law. This raises concerns whether this rule complies with the requirements of the GDPR, i.e., that a DPO should possess specific professional qualities and expert knowledge.

Source: Personal Data Processing Law