On May 25, 2018, Regulation (EU) 2016/679 “On the protection of natural persons with regard to the processing of personal data and on the free movement of such data” (hereinafter “the Regulation”) came into force throughout the European Union (EU). It repealed Directive 95/46/EC and superseded the Personal Data Protection Law of Latvia.
Whereas previously each country regulated data processing in its own way, from May 25, 2018 the Regulation applies directly and immediately in all EU member states, including Latvia, without any need to adopt national implementing legislation.
In substance, the Regulation modernises the already existing principles of personal data protection by creating a single set of rules that applies across the whole EU. The protection it provides must be afforded to natural persons regardless of their nationality or place of residence whenever their personal data is processed.
The Regulation does not apply to the processing of data about legal persons, e.g. enterprises, including the name and legal form of the legal person and its contact information.
Nor does the Regulation apply to the processing of personal data by a natural person in the course of a purely personal or household activity with no connection to professional or commercial activity. Personal or household activity may include correspondence, keeping address lists and interacting through social networks.
What does the concept of “personal data” include? It covers any information by which a natural person (the data subject) can be identified, e.g. first name, surname, contact details, residential address, photograph, date of birth, personal identity code, etc. Accordingly, the processing of personal data means the collection, recording, structuring, storage, use, transfer, erasure and any other operation performed on such information.
A natural or legal person, public authority, enterprise or other body that determines the purposes and means of the processing of personal data is called the Controller.
The Regulation provides that if an enterprise collects or stores employee data, processes the data of clients or other natural persons, conducts targeted marketing or works with sensitive data, then the Regulation applies to that enterprise and the enterprise acts as a Controller.
In other words, the Regulation applies to any enterprise or self-employed person who hires employees, issues invoices to or concludes contracts with natural persons, or otherwise processes personal data.
It is therefore very important to know how much personal data the enterprise processes. To establish this, an audit should be carried out to identify how and for what purpose personal data is collected, stored and used, who has access to it and to whom it is subsequently transferred.
According to Article 5 of the Regulation, the following principles must be complied with when processing personal data:
The Regulation also determines that the processing of personal data shall be lawful only if one of the following conditions is met:
Particular attention should be paid to the first of the conditions listed above: obtaining the data subject’s consent to the processing of his or her personal data. The Regulation establishes that consent must be freely given, specific, informed and unambiguous.
Consent may be given in written, oral or electronic form. It may be expressed by ticking a box on a website (with a checkmark, a cross, a dot, etc.), by choosing a technical setting, or by any other statement or conduct that clearly indicates that the data subject agrees, in the specified context, to the intended processing of his or her personal data. Silence, pre-ticked boxes or inactivity on the part of the data subject do not constitute consent. The data subject’s consent must cover all the processing activities carried out. If the processing serves several purposes, consent must be given for all of them. It must also be remembered that the person whose data is being processed has the right to withdraw consent at any time, and he or she must be informed of this right.
It should be noted that the Regulation as a whole gives the data subject very broad rights and control over his or her personal data. These rights include:
Article 37 of the Regulation requires the Controller to designate a data protection officer in the following cases:
The most notable feature of the Regulation is the introduction of severe penalties for violating the rules on the processing of personal data.
The Regulation provides that monetary fines must be effective, proportionate and appropriate. For example, infringement of the basic principles of processing, including the conditions for consent (Articles 5, 6, 7 and 9 of the Regulation), of the data subject’s rights (Articles 12–22 of the Regulation), or of the rules on transfers of personal data to a recipient in a third country or international organisation (Articles 44–49 of the Regulation) is punishable by administrative fines of up to 20 million euros or up to 4% of the company’s turnover for the previous financial year, whichever is greater.
These administrative fines are set directly in the Regulation and will not be transposed into national legislation. In Latvia, the state supervisory authority, namely the State Data Inspectorate, is responsible for enforcing the above-mentioned fines. In the case of a minor infringement, the supervisory authority may issue a reprimand instead.