The Saeima has adopted and the President promulgated the following laws: amended individual data protection Act do for individuals in the data protection Act (the Saeima of the Republic of Latvia and the Cabinet of Ministers rapporteur, 2000, No 9) follows: 1. in article 2, paragraph 1: turn off ' use of the personal data processing the data in the system ";
Add to paragraph 2 with the words "according to the webmaster of the system, the information provided in accordance with article 8 of this law";
Replace paragraph 5, the words "relevant criteria" with the words "relevant personally identifiable criteria";
Express points 9 and 10 by the following: "9) system administrator: a person or entity that dictates a person's data processing system and processing facilities;
10) third party: any natural or legal person, other than the data subject, the webmaster of the system, the operator and the person who directly authorized by the system administrator or operator of personal data. "
2. Make article 3 and 4 by the following: ' article 3. (1) in this Act, subject to the exceptions laid down in this article, refers to all forms of processing of personal data and any natural or legal person, provided that: 1) System Manager is registered in the Republic of Latvia;
2) data processing is performed outside the borders of the territory of the Republic of Latvia, which belongs to the Republic of Latvia in accordance with international agreements;
3) to the territory of the Republic of Latvia is in the equipment, which is used for the processing of personal data.
(2) the first subparagraph of this article, 3. in the cases referred to in point system administrator shall appoint persons responsible for compliance with this law.
(3) this Act does not apply to natural persons established in the information systems in which the processing of personal data carried out for personal or home and family needs and that the personal data collected will not be disclosed to other persons.
4. article. The protection of personal data, which are considered State secrets, governed by the objects that law, subject to the exceptions laid down in the law "on State secrets".
3. To make article 7 paragraph 2 and 3 as follows: "2) data processing stems from contractual obligation of the data subject or, pursuant to a request of the data subject, the data processing necessary for the conclusion of the contract;
3) data processing system curator statutory duty; ".
4. Express 8 and 9 article by the following: ' article 8. (1) obtaining personal data from the data subject, the system administrator is required to provide the following information to the data subject, unless it is already in the possession of the data subject: 1) system administrator and operator of personal data name, or first name and last name as well as address;
2) intended purpose of the processing of personal data and reasoning.
(2) at the request of the data subject the system administrator is required to provide the following information: 1) possible data recipient;
2) the data subject's right of access to your personal data and make corrections thereto;
3) or response is mandatory or voluntary, as well as the possible consequences of failure to reply.
(3) the first part of this article does not apply, if the law allows the processing of personal data, without revealing its purpose.
9. article. (1) if personal data have not been obtained from the data subject, the system administrator has a duty to collect use or disclose for the first time of such personal data to third parties, to provide the data subject with the following information: 1) system administrator and operator of personal data name, or first name and last name as well as address;
2) intended purpose of the processing of personal data.
(2) at the request of the data subject the system administrator is required to provide the following information: 1) possible data recipient;
2) category of personal data and data sources;
3) the data subject's right of access to your personal data and make corrections thereto.
(3) the second paragraph of this article shall not apply where: 1) of the Act provide for the processing of personal data, without informing the data subject;
2) when processing personal data for historical, statistical or scientific research or the Latvian National Archives, informing the data subject requests the proportionate effort or not is impossible. "
5. in article 10: make the first part of paragraph 1 and 2 as follows: "1) fair and lawful processing of personal data;
2) the processing of personal data only in accordance with its intended purpose and to the extent that it is needed; "
Add to the first part of paragraph 4, the words "in accordance with the purpose of the processing of personal data";
to supplement the article with the third part as follows: "(3) the first subparagraph of paragraph 3 and 4 do not apply to the processing of personal data by the Latvian National Archive Fund of the law."
6. in article 11: make paragraph 5 by the following: "5) processing of personal data is necessary for the purposes of medical treatment, healthcare services or the Administration and distribution of medicinal products;";
to supplement the article with 7, 8, 9 and 10 of the following paragraph: 7) "processing of personal data is necessary for the provision of social assistance and social assistance service provider;
8) processing of personal data is necessary for the Latvian National Archives Foundation and by the national archives and the national archives of the authority of the Director-General approved the national rights of the vault;
9) processing of personal data is necessary for statistical surveys conducted by the Central Statistical Bureau;
10) treatment refers to the personal data of the data subject himself is issued. "
7. Make the article 12 by the following: ' article 12. Personal data relating to offences, criminal convictions in criminal matters, criminal matters and proceedings in closed court in civil cases, may be processed only for legal persons and, in the cases specified by law. "
8. To supplement the law with article 13.1 the following: "13.1 article. Personal identification (classification) codes may be processed if: 1) you have received the consent of the data subject;
2) identification (classification) code processing arises from the purpose of the processing of personal data;
3) identification (classification) code required further processing the data subject's anonymity;
4) is received in the data state inspection written permission. "
9. To make article 14 second subparagraph by the following: "(2) the operator of personal data entrusted to him the personal data may be processed only to the extent specified in the contract, according to the intended purpose and under the responsibility of the system's instructions if they do not conflict with the laws and regulations."
10. in article 15: to supplement the first part with the words "the protection of national security and criminal justice";
adding to the third subparagraph of paragraph 3 with the words "data deleted or blocked".
11. Supplement article 17 following the words "statistical research purposes" with the words "or Latvian National Archive Fund, in accordance with the laws".
12. Express article 18 as follows: "article 18. If the data subject disputes the individual decision taken based solely on the automated processing of data, and create, amend, or terminate the legal relationship is found, the system administrator has an obligation to review it. The system administrator may refuse to review such a decision if it is based on the law or the contract concluded with data subjects. "
13. Express article 21, second paragraph as follows: "(2) the statutory registration scheme does not apply to the processing of personal data in the accounting and personnel records, where the personal data is not stored in electronic form, as well as to civil law in this interfaith religious organizations formed the personal data processing systems."
14. in article 22: make the second paragraph as follows: "(2) the data State Inspectorate assesses and determines the personal data processing systems must be carried out pre-registration check. ';
to make the fourth subparagraph by the following: "(4) Before committing changes to the processing of personal data in the system, these changes are recorded in the data State Inspectorate of a change: 1) system administrator or operator of personal data;
2) personal data processing systems;
3 types of personal data) or processing personal data for the purpose;
4) information resources or technical resources, as well as responsibility for the security of information systems;
5) data processing system, which is linked in the system;
6) processing of personal data;
7) types of personal data that will be transferred to other countries. ";
to supplement the article with the fifth and sixth the following: "(5) If changes to the processing of personal data in the system of technical and organisational protection features that significantly affect system protection, information about one year to submit a data State Inspectorate.
(6) for each person's data processing system or the fourth paragraph of this article changes the registration referred to in the relevant State fee prescribed by the Cabinet of Ministers and about. "
15. Make the article 24 as follows: "article 24. (1) the data State Inspectorate for personal data processing system shall be included in the register of this law, the information referred to in article 22 (except in the same article, paragraph 16). The registry is a component of the national information system.
(2) the first paragraph of this article shall not be included in the register information about the registered personal data processing system which is governed by the law "on State secrets" and operational activities by law. "

16. To make article 25, first subparagraph as follows: "(1) the system administrator and operator of personal data, are obliged to apply the necessary technical and organisational measures to protect personal data and to prevent their unlawful handling."
17. To supplement article 26 with the second part as follows: "(2) the State and local government bodies shall submit each year to the public inspection of the personal data processing system internal audit opinion (also a system of risk analysis) and a survey of information security measures."
18. in article 28: make the first paragraph by the following: "(1) personal data may be transferred to another country if that country ensures a level of protection of data corresponding to a given Latvia the existing level of data protection."
make the second paragraph, the introductory paragraph as follows: "(2) the Exception referred to in the first subparagraph are allowable requirements, if the administrator shall undertake surveillance of the conservation measures and with at least one of the following conditions:";
to make the second part of paragraph 2 as follows: "2) data transfer is necessary to comply with the agreement between the data subject and system knowledge, personal data shall be in accordance with the contractual obligation of the data subject or, pursuant to a request of the data subject, the data transfer required for the conclusion of a contract;"
to supplement the article with the third part as follows: "(3) the data protection level of assessment in accordance with the first paragraph of this article shall State Inspectorate and provide written consent for the transfer of personal data."
19. Article 29: make the first paragraph by the following: "(1) the data protection supervision data State Inspectorate, which is located under the aegis of the Minister of Justice, act independently and autonomously using the legislation to specific functions, make decisions, and manage administrative provisions in accordance with the law. Data State Inspectorate is a government institution, the functions, rights and obligations established by law. Data State Inspectorate is headed by a Director, who is appointed and released from Office by the Cabinet of Ministers on a proposal of the Minister of Justice. ";
adding to the third subparagraph of paragraph 4, the words "and provide advice on national and local government bodies to create a personal data processing system compliance with the requirements of the laws";
Supplement third paragraph 6 by the following: "6) accredit persons wishing to carry out system audits of State and local government bodies in the processing of personal data systems of cabinet order.";
turn off the fourth subparagraphs in paragraph 2, the word "pre-registration";
to complement the fourth with 5, 6, and 7, paragraph by the following: "5) cancel the registration of the processing of personal data, if the processing of personal data in the framework of irregularities;
6) in accordance with the procedure prescribed by law to levy administrative penalties for violations of the processing of their personal data;
7) to carry out an inspection to determine the processing of personal data in compliance with the legislative requirements in cases where a system administrator with the law prohibited to provide information to the data subject and received the submission from the data subject.
20. Article 30: replace the introductory part of the first subparagraph, the words "the inspectors, indicating the service card" with the words "data State Inspectorate employees";
Add to the first subparagraph of paragraph 5, the words "or other specialists";
to supplement the first part with point 7 by the following: ' 7) to draw up a Protocol on administrative violation of the processing of their personal data. "
21. transitional provisions: to replace in paragraph 2, the words "and a 2002 1 January" with the figures and the words "March 1, 2003";
transitional provisions be supplemented with points 3 and 4 by the following: "3. the amended article 4 shall enter into force on July 1, 2003, but amended article 29, first paragraph shall enter into force on January 1, 2004.
4. personal data processing system, which so far does not impose the obligation to register the data State Inspectorate, are registered to the July 1, 2003. "
The Parliament adopted the law of 24 October.
State v. President Vaira Vīķe-Freiberga in Riga 2002. on 13 November, the Editorial Note: the law shall enter into force on 27 November 2002.