Advanced Search

Amendments To Individual Data Protection Law

Original Language Title: Grozījumi Fizisko personu datu aizsardzības likumā

Subscribe to a Global-Regulation Premium Membership Today!

Key Benefits:

Subscribe Now for only USD$40 per month.
The Saeima has adopted and the President promulgated the following laws: amended individual data protection Act do for individuals in the data protection Act (the Saeima of the Republic of Latvia and the Cabinet of Ministers rapporteur, 2000, no. 9; 2002, 23. No No 3; 2007) follows: 1. Replace the words "the whole law system administrator" (fold) with the word "Administrator" (fold).
2. in article 2: express the following in paragraph 9: "9) Manager: a natural or legal person, State or local government institution, which defines the purpose of the processing of personal data and processing facilities, as well as responsible for the processing of personal data in accordance with this Act;";
to supplement the article with this paragraph 11: "11) a personal identification code: a number that is assigned to the data subject's identification."
3. Article 3: make the first part of paragraph 3 by the following: ' 3) in the Republic of Latvia is in the equipment, which is used for the processing of personal data, except when the equipment is used only for the transmission of personal data through the territory of the Republic of Latvia. "
make the third paragraph as follows: "(3) this Act does not apply to the processing of personal data carried out by natural persons for personal or home and family needs, and personal data will not be disclosed for IE third parties."
4. Supplement article 5, first paragraph, after the word "the" with the words "journalistic purposes in accordance with the law" On press and other media ".
5. Make the third paragraph of article 9 of the introductory paragraph as follows: "(3) the first and second subparagraphs shall not apply, if:".
6. in article 11: replace paragraph 5, the words "treatment" with the words "the distribution of medicine and medical equipment for distribution or administration";
to supplement the article with this paragraph 11: "11) processing of personal data is necessary for the performance of public administration functions or create a legal information system of the country."
7. Make the article 12 by the following: ' article 12. Personal data relating to offences, criminal convictions in criminal cases and cases of administrative offences, as well as a court order or court files may be processed only for legal persons and, in the cases specified by law. "
8. Express article 13.1 the following: "13.1 article. Personal identification codes may be processed in one of the following cases: 1) you have received the consent of the data subject;
2) identification code of the processing of personal data follows from the purpose of the processing;
3) identification code processing required further anonymity of the data subject;
4) is received in the data state inspection written permission. "
9. in article 16: turn off in the first paragraph, the words "the processing of personal data contained in the system";
to turn off the second part.
10. Express article 19 by the following: ' article 19. The data subject may prohibit your processing of personal data for commercial purposes, article 7 of this law, 6. in the cases referred to in paragraph 1, the use of information society services, market and public opinion research, genealogical studies, except where otherwise provided by law. "
11. Turn off the title of chapter IV, the word "system".
12. Article 21 of the expression as follows: "article 21. (1) all State and local government bodies, natural and legal persons who carry out or wants to initiate the processing of personal data, register it in accordance with the procedure laid down in this Act.
(2) the statutory registration scheme does not apply to the processing of personal data: 1) the accounting and personnel records;
2) State and local government information systems in which the collected personal data is publicly available;
3) journalistic purposes in accordance with the law "On press and other mass media";
4) archival purposes in accordance with the law on Archives ";
5) by religious organizations;
6) if the Superintendent law has registered in the personal data protection specialist. "
13. To supplement the law with 21.1 and 21.2 of the article as follows: "article 21.1. (1) the administrator may not register the processing of personal data, where he seconded specialists on the protection of personal data. Specialists on the protection of personal data is not personal data operator.
(2) personal data protection specialists designate the natural person who is a graduate in law, information technology or related field and who are trained in the Cabinet.
(3) the Superintendent shall grant a personal data protection officer the necessary resources, provides the necessary information and the framework of working time lays down time so that he could also make a data protection specialist.
(4) the administrator shall register the personal data protection specialist data State Inspectorate. If the data protection officer in performing audits of the processing of personal data, does not need additional accredited data State Inspectorate.
(5) personal data protection specialist register is publicly available. Personal data protection specialist register specifies the following information: 1 name of the person), contact information (address, phone number, e-mail address);
2) to a person is designated;
3) in place of the processing of personal data and the details of the options to get this law, article 22, the information referred to in the first subparagraph.
(6) the data State Inspectorate for the protection of personal data limits a specialist registration, if not this article gives all the information referred to in the fifth subparagraph.
(7) the data State Inspectorate does not register personal data protection specialist if: 1) he does not satisfy the requirements of this Act;
2) timed one of this law, article 22 of the sixth part of the cases referred to.
(8) the data state inspection excludes personal data protection experts from the register in the following cases where: 1) has received an application for the exclusion of the responsibility of the processing of personal data in the register;
2) month of specialists on the protection of personal data in the registration does not submit the application to the Postmaster about the exclusion of the processing of personal data of the processing of personal data in the registry.
(9) the data state inspection on protection of personal data, professional registration takes 15 days after all of the fifth subparagraph of this article, the information referred to in the submission data State Inspectorate.
(10) the data State Inspectorate may exclude personal data protection professionals from the registry and require registration of personal data processing in accordance with article 22 of this law, if the data State Inspectorate for personal data protection specialist of the processing of personal data reveals that violations of the law.
Article 21.2. (1) the data protection expert shall organize, control and supervise the care taken in the processing of personal data in compliance with the requirements of the law. State and local agencies can ask the administrator to the data protection officer to carry out the audit.
(2) personal data protection specialist creates the registry, including article 22 of this law the information referred to in the first paragraph (except the same in the first paragraph of article 10 and the information referred to in paragraph 11), which provided free of charge to the data subject or for public inspection on request.
(3) personal data protection specialists are required to maintain and without a legal basis to withhold personal data even after employment or termination of the service.
(4) the data protection expert shall prepare each year an annual report on its activities and shall submit it to the officer. "
14. Express article 22 and 23 by the following: ' article 22. (1) article 21 of this law, in the said institutions and individuals wishing to initiate the processing of personal data, the data submitted to the National Registration Office application that includes the following information: 1) curator's name, surname, identity code (legal person, the name and registration number), address, and phone number;
2) operator of personal data (if any) name, surname, identity code (legal person, the name and registration number), address, and phone number;
3) processing of personal data, the legal basis;
4 types of personal data) and to the processing of personal data;
5) the data subject categories;
6) personal data the categories of beneficiaries;
7) provided for the processing of personal data;
8) planned acquisition of personal data;
9) processing of personal data;
10) information resources or technical resources, as well as responsibility for the security of information systems;
11) technical and organisational measures that ensure the protection of personal data;
12) any personal data will be transferred to other countries that are not members of the European Union or European economic area Member States.
(2) the data State Inspectorate identifies it to the processing of personal data where possible risks to the rights and freedoms of data subjects. Such processing of personal data established pre-registration check.
(3) the registration of processing of personal data, the data state inspection issues the curator or his authorised person processing personal data in the registration certificate.
(4) Before committing changes to the processing of personal data in these changes are recorded in the data state inspection, with the exception of the first paragraph of this article, the information referred to in paragraph 11.
(5) If changes to the processing of personal data in the technical and organisational measures which significantly affect the processing of personal data protection, information on the time of year to be submitted to public inspection.

(6) where a change in the administrator or webmaster of the closure of the operation, he shall submit the data State Inspectorate for the application of the exclusion of the processing of personal data of the processing of personal data in the registry.
(7) the data State Inspectorate shall decide on the exclusion of the responsibility of the processing of personal data in the registry, as well as withdrawing to the processing of personal data in the registration certificate, if: 1) administrator is not prevented breaches data State Inspectorate within the specified time limits;
2) put the month after the change takes place in the processing of personal data is not submitted the application for changes or the processing of personal data is not submitted by the sixth part of this article the said submission.
(8) the cabinet shall determine such application form samples: 1) to the processing of personal data in the registration application;
2) application for changes to the processing of personal data;
3) specialists on the protection of personal data in the registration application;
4) application for exclusion of the processing of personal data of the processing of personal data in the register;
5) application for personal data protection specialist from data state inspection records.
(9) for each of the processing of personal data in the registration or the fourth paragraph of this article, the change in the registration duty payable to the Cabinet in the order and amount.
23. article. (1) the data State Inspectorate shall defer registration of personal data processing or decision on changes of the processing of their personal data if: 1) the processing of personal data in the application for registration of the deficiencies found;
2) is not providing all of this law article 22, first paragraph contains information;
3) is not paid the State fee.
(2) the data State Inspectorate does not track the processing of personal data or take a decision on the refusal to make changes to the processing of personal data if: 1) data state inspection findings and reported deficiencies are not remedied within 30 days;
2) the processing of personal data in the registration application or application for changes in the processing of the personal data submitted by a person who is not considered to be familiar with the meaning of this Act;
3) examination of the processing of personal data, the found breaches of the legislation in the field of protection of personal data.
(3) Submit the documents specified in the law by repeatedly in documents of the period, the deficiencies found in the statutory stamp duty fee.
(4) the second subparagraph of this article, 2. in the cases referred to in point a State fee refunded in accordance with the data State Inspectorate's decision. "
15. Make the article 24 as follows: "(1) the data state inspection register of personal data processing shall include article 22 of this law in the first and fourth part information, other than information referred to in the first subparagraph, in point 10 and 11. The register is publicly available.
(2) the first paragraph of this article shall not be included in the register of registered information for the processing of personal data, which shall be governed by the law "on State secrets" and operational activities by law. "
16. To supplement the law with article 24.1 the following: ' article 24.1. This law, in the fifth subparagraph of article 21.1 and article 24 of the register referred to in the first subparagraph are monitoring the processing of personal data in information systems. Monitoring of the processing of personal data in the information system is a national information system that organizes and manages data state inspection. "
17. off the second paragraph of article 25, the words "personal data processing system".
18. in article 26: turn off in the first paragraph, the word "system";
make the second paragraph as follows: "(2) the State and local government bodies shall submit every two years a data State Inspectorate for audit opinion on the processing of personal data to include risk analysis, and review of information security measures taken.";
to make the third part of the introductory paragraph as follows: "(3) the data state inspection, accredited for the person who wants to make the personal data processing audits State and local government institutions, external auditors perform:".
19. in article 28: make the first paragraph by the following: "(1) personal data may be transferred to another country of the European Union or European economic area Member State, if the State provides the level of protection of data corresponding to a given Latvia the existing level of data protection."
to make the second part of paragraph 1 by the following: "1) is the data subject's consent;"
to supplement the article with the fourth and fifth by the following: "(4) for the administrator in accordance with the second paragraph of this article, be able to monitor the relevant protection measures, the curator and the recipient of personal data entered into a contract for the transfer of personal data. The conditions which must be included in the contract for the transfer of personal data, shall be determined by the Cabinet of Ministers.
(5) personal data may be transferred to the European Union or European economic area Member State, if the State provides the level of protection of data corresponding to a given Latvia the existing level of data protection. "
20. Article 29: replace the third subparagraph of paragraph 3, the words "processing system" with the word "processing";
the third part of the present paragraph 6 by the following: "6) accredit persons wishing to carry out audits of the processing of personal data to State and local government institutions. The Cabinet of Ministers shall determine the order in which the accredited persons wishing to carry out audits of the processing of personal data to State and local government institutions, as well as the conditions to be met. ";
turn off the fourth subparagraphs in paragraph 2, the word "system";
Replace paragraph 5 of part IV, the words "processing system" with the word "processing".
21. Article 30: replace the first subparagraph of paragraph 1, the words "processing system" with the word "processing";
replace the first subparagraph of paragraph 3, the words "processing system" with the word "processing";
turn off the first part of paragraph 4, the word "system".
22. To supplement the law with article 30.1 of the following: ' article 30.1. Data State Inspectorate is the national monitoring authority, which shall carry out the national Schengen information system, monitoring and inspection of part, or included in the Schengen information system in the processing of the personal data of data subjects are not violated rights. "
23. the transitional provisions: adding to paragraph 3, after the word "amendments" with numbers and words "(24 October 2002)";
Replace in paragraph 4, the words "so far" with the words and figures "up to 28 November 2002";
Add to transitional provisions with paragraph 5 and 6 by the following: "5. the webmasters who have registered personal data processing systems until September 1, 2007, to March 1, 2008 for free public inspection data submitted additional information in order to provide information on the processing of personal data in compliance with article 22 of this law.
6. the State inspection of data up to March 1, 2008 to exclude from processing personal data for the persons registered in the register of data processing systems, which contain personal data of this law does not provide for registration, as well as if any of this is to the article 22 of the law laid down in the sixth. " The law shall enter into force on 1 September 2007.
The law adopted by the Parliament in the March 1, 2007. State v. President Vaira Vīķe-Freiberga in Riga, March 15, 2007 in