The Saeima has adopted and the President promulgated the following laws: individual data protection law chapter I General provisions article 1. This law aims to protect the fundamental rights and freedoms of natural persons, especially privacy, in relation to an individual's data (personal data) processing.
 
2. article. The law is applied in the following terms: 1) the data subject – physical person can be identified, directly or indirectly, through the processing of personal data in the system;
2) the data subject's consent, the data subject's free, clearly expressed in the faith by which the data subject permission to process your personal data;
3) personal data: any information relating to an identified or identifiable natural person;
4) processing of personal data: the personal data of any action, including data collection, registration, administration, storage, alteration, use, transfer, transmission and disclosure of information, lock or delete;
5) system to the processing of personal data — any form of structured fixed set of personal data that is available, subject to certain criteria;
6) personal data the operator — system administrators notified the person who performs the processing of personal data by the system administrator;
7) recipient of personal data: the natural or legal person to whom the personal data are disclosed;
8) sensitive personal data: the personal data that indicate a person's race, ethnic origin, religious, philosophical and political convictions, membership of trade unions, as well as provide information about the person's health or sex life;
9) system administrator: a person or entity that controls the processing of personal data in the system, its objectives and the means of processing;
10) third party: any natural or legal person, other than the data subject, system administrator, system operator and persons who directly authorized by the system administrator or operator of personal data.
 
3. article. (1) this law applies to all forms of processing of personal data and any natural or legal person who is involved in the processing of personal data, except in the second and third subparagraphs above.
(2) this Act does not apply to natural persons established in the information systems in which the processing of personal data is carried out for personal or home and family needs and that the personal data collected will not be disclosed to other persons.
(3) this Act does not apply to the processing of personal data by the public authorities national security and criminal justice.
 
4. article. The protection of personal data, which are recognized as national secret objects, shall be governed by the law "on State secrets".
 
5. article. (1) this law 7, 8, 9 and article 11 does not apply, if the personal data are processed, artistic or journalistic literary needs and where the law provides otherwise.
(2) the first paragraph of this article shall apply subject to the person's right to privacy and freedom of expression.
Chapter II general principles to the processing of personal data in article 6. Each natural person has the right to the protection of personal data.
 
7. article. Processing of personal data is allowed only if the law does not provide otherwise and if at least one of the following conditions: 1) is the data subject's consent;
2) data processing stems from contractual obligation of the data subject;
3) data processing system the curator of his lawful duties;
4) data processing required to protect the data subject's vital interests, including life and health;
5) data processing required to ensure compliance with the public interest or in the exercise of public power tasks for which personal data is passed to the system administrator or transmitted to a third party;
6) processing is necessary for the data subject, subject to the fundamental rights and freedoms, the realization of the responsibility of the system or its third party legal interests, for which the personal data have been disclosed.
 
8. article. (1) obtaining personal data from the data subject, the system administrator is required to provide the following information to the data subject, unless it is already in the possession of the data subject: 1) system under the name or the first name and last name as well as address;
2) the processing of personal data provided for the purpose of and grounds;
3) possible recipients of the personal data;
4) the data subject's right of access to your personal data and make corrections thereto;
5) or response is mandatory or voluntary, as well as the possible consequences of failure to reply.
(2) the first part of this article does not apply, if the law allows the processing of personal data, without revealing its purpose.
 
9. article. (1) if personal data have not been obtained from the data subject, the system administrator has an obligation before disclosing data to third parties to provide the data subject with the following information: 1 name of the system administrator) or first and last name, and address;
2) the intended purpose of the processing of personal data;
3) possible recipients of the personal data;
4) source of personal data;
5) the data subject's right of access to their personal data and the ability to make those repairs.
(2) the first paragraph of this article shall not apply where: 1) of the Act provide for the processing of personal data, without informing the data subject;
2) when processing personal data in scientific, historical or statistical research, informing the data subject requests the proportionate effort or not is impossible.
 
10. article. (1) in order to protect the interests of the data subject, System Manager provides: 1) the legitimacy of the processing of personal data;
2) personal data collection according to the intended purpose and to the extent required;
3 persons) the storage strategy that allows data subjects to be identified during the period, not exceeding the intended purpose of the data processing the specified period;
4 the accuracy of personal data) and their timely renewal, correction or deletion, if personal data are incomplete or inaccurate.
(2) the processing of personal data for purposes not originally is allowed if it does not violate the rights of the data subject and the scientific or statistical research purposes only in accordance with this law, article 9 and article 10 of the conditions referred to in the first subparagraph.
 
11. article. Sensitive personal data processing is prohibited, except when: 1) the data subject has given his written consent for the processing of sensitive data;
2) special processing of personal data without the consent of the data subject, is provided for in the laws regulating the employment relationship, and these laws guaranteeing the protection of personal data;
3) processing of personal data is necessary to protect the data subject or of another person's life and health, and the data subject is physically or legally incapable of giving his consent;
4) processing of personal data is necessary to achieve a legitimate non-commercial public organizations and their associations ' objectives, if the data processing is associated only with that organization or association members and their personal data will not be passed to third parties;
5) processing of personal data is necessary for the purposes of medical treatment by the medical treatment of a person or authority, ensuring an adequate protection of personal data;
6) processing relates to data which are needed for natural or legal persons of the legal rights and interests in court.
 
12. article. If the personal data relating to disciplinary and administrative irregularities or judgements in civil cases, the processing of these data is authorised to carry out only in a State or municipal institution authorized officials.
 
13. article. (1) it is the duty of the system administrator in the cases specified by law to disclose personal data to State and local officials. The system administrator gets personal data only to those State and local officials before the disclosure of data is identified.
(2) personal data may be disclosed on the basis of written submissions or agreement, specifying the purpose of use of data, where the law provides otherwise. Personal data appearing in the request information which permits identification of data of data subjects and the applicant, as well as the amount of personal data would be required.
(3) the person received data may only be used for the intended purpose.
 
14. article. (1) the processing of personal data, the system administrator may be entrusted to an operator of personal data by written contract.
(2) the operator of personal data entrusted to him the personal data may be processed only to the extent specified in the contract and according to the intended purpose.
(3) personal data the operator before the start of the processing of personal data carried out under the system of the safety precautions specified by the data processing system for protection in accordance with the requirements of the law.
Chapter III rights of the data subject article 15. (1) in addition to this law, 8 and 9 the rights referred to in article the data subject shall have the right to get all the information gathered about him in any of the processing of personal data in the system, unless the disclosure of this information is not prohibited by law.
(2) the data subject has the right to obtain information on those natural or legal persons, which are for a fixed period from the system administrator have received information about the data subject. The data subject, the information to be included in the prohibited State institutions, which are drivers of criminal procedure, operational entities, or other institutions, for which the law forbids the disclosure of such details.
(3) the data subject has the right to request the following information: 1 name of the system administrator) or first and last name, and address;

2) processing personal data for the purpose, scope and type;
3) date when the data subject's personal data last revisions;
4) data source, if the law does not prohibit the disclosure of the information;
5) automated processing systems used in processing methods for applying are taken individually automated decisions.
(4) the data subject has the right to a month from the date of submission of the request (not more than twice a year) receive, without charge, in writing, the information referred to in this article.
 
16. article. (1) the data subject has the right to have his personal data added or corrected, and stopped processing them or destroy them if personal data are incomplete, outdated, false, illegal or they are no longer needed for the purpose of the collection. If the data subject can be justified, that the processing of personal data the personal data included in the system are incomplete, outdated, false, illegal or they are no longer needed for the purpose of the collection, system administrators will be obliged to remedy this shortcoming or breach and to notify third parties that have been previously processed data.
(2) if the information was withdrawn, the system administrator, make available both the new and the undo information, as well as to reference that information received by the recipient at the same time.
 
Article 17. This law, articles 15 and 16 shall not apply where the processed data are used only for scientific and statistical purposes and studies based on those relating to the data subject without any action and any decision is adopted.
 
18. article. A person may not be subject to an individual decision taken based solely on the automated processing of data. The person may be subject to the above decision, if it is adopted in accordance with the law or the contract concluded with the data subject.
 
19. article. The data subject shall have the right to object to its processing of personal data, if they will be used for commercial purposes.
 
20. article. The data subject shall have the right to appeal against the data in the national inspection system responsible for the refusal to supply this law, the information referred to in article 15 of this law, or to carry out the activity referred to in article 16.
Chapter IV of the processing of personal data and the protection of the system of registration article 21. (1) all State and local government bodies, other natural and legal persons who carry out or wants to initiate the processing of personal data and the type of personal data processing systems, they are recorded in accordance with the procedure laid down in this Act, unless otherwise provided by law.
(2) the statutory registration scheme does not apply to the processing of personal data by public safety, crime or national security and defence taken by law authorized special institutions.
 
22. article. (1) article 21 of this law, in the said institutions and individuals wishing to initiate the processing of personal data and to create a personal data processing system, the data shall be submitted for registration to the national inspection that includes the following information: 1) institutions or individuals (System administrators) name (first name, last name), registration number, address, and phone number;
2 webmaster) authorized persons first name, last name, ID number, address, and phone number;
3) processing of personal data, the legal basis of the system;
4) any personal data includes system, for which purpose it was intended for and what will be the amount of the processing of personal data;
5) the data subject categories;
6) personal data the categories of beneficiaries;
7) provided for the processing of personal data;
8) programmable data acquisition and quality control mechanisms;
9) other data processing systems which will be linked to register system;
10) any personal data from the system to be registered will be able to get the involved systems and what data will be recorded in the system can be obtained from related systems;
11) the way in which the data to be recorded in the system will be provided to the other system;
12) an individual identification number that will be used to register in the system;
13) the way in which the exchange of information will take place with the data subject;
14) the order in which the data subject is entitled to obtain information about yourself, as well as 8 and 9 of this Act, the information referred to in article;
15) data reload and restore order;
16) the technical and organisational measures that ensure the protection of personal data;
17) any personal data will be transferred to other countries.
(2) the data state inspection prior to the processing of personal data in the registration system makes the system checks of the processing of personal data.
(3) registration of personal data processing system, data issued by the national inspection system administrator or his authorized person processing personal data of the registration certificate of the system.
(4) before the change takes place in the first part of this information is to be recorded in the data State Inspectorate.
 
23. article. Data State Inspectorate may refuse to register a person's data processing system, if not the entire submitted: 1) this law, information specified in article 22;
2) checking of the personal data processing system irregularities.
 
24. article. (1) the data State Inspectorate for personal data processing system shall be included in the register of this law, the information referred to in article 22. The register is publicly available.
(2) information about the registered personal data processing systems published regulations.
 
25. article. (1) the duties of the system is to use the appropriate technical and organisational measures to protect personal data and prevent unlawful processing.
(2) the system administrator controls the processing of personal data personal data entered in the system type and time of administration and is responsible for the conduct of the person carrying out the processing of personal data.
 
26. article. The processing of personal data in the system for the protection of the mandatory technical and organisational requirements determined by the Cabinet of Ministers.
 
27. article. (1) natural persons who are involved in the processing of personal data, in writing, to undertake to save and not to disclose personal data. This person has a duty not to disclose the personal data after labour law or other contractual relationship.
(2) the system is to carry out the duties referred to in the first subparagraph personal tracking.
(3) when processing personal data, the operator must follow the instructions of the system administrators.
 
28. article. (1) personal data may be transferred to another country if that country ensures a level of protection of data corresponding to a given Latvia the existing level of data protection and the data State Inspectorate in written agreement.
(2) the Exception referred to in the first subparagraph are allowable requirements if they comply with at least one of the following conditions: 1) the data subject has consented to the transfer of data to other countries;
2) data transfer is necessary to comply with the agreement between the data subject and system knowledge, or personal data shall be in accordance with the contractual obligation of the data subject;
3) data transfer is needed and requested, in the manner laid down in accordance with the relevant State and public interests or have the proceedings;
4) data transfer is necessary in order to protect the data subject's life and health;
5) data transfer applies to public or publicly available register of personal data accumulated.
 
29. article. (1) personal data protection supervision data State Inspectorate, which is located under the supervision of the Ministry of Justice. Data State Inspectorate is headed by a Director, who is appointed and released from Office by the Cabinet of Ministers on a proposal of the Minister of Justice.
(2) the data State Inspectorate operates in accordance with the by-laws approved by the Cabinet of Ministers. Data State Inspectorate of each year provide the Cabinet a report on its activities and shall be published in the newspaper "journal".
(3) the data state inspection duties in the field of protection of personal data are the following: 1) provide the country the processing of personal data in compliance with the requirements of this law;
2) to make decisions and to handle complaints related to the protection of personal data;
3) register of personal data processing systems;
4) propose and carry out activities aimed at effective protection of personal data;
5) jointly with the Directorate-General of the State Archives of Latvia to decide on personal data processing system to transfer to the national archives.
(4) the data state inspection rights in the field of protection of personal data are the following: 1) regulations prescribed free of charge receive from natural and legal persons the inspection tasks necessary information;
2) make personal data processing system of pre-registration testing;
3) request blocking data, erroneous or illegal deletion or destruction of data, to determine the permanent or temporary prohibition of the processing of data;
4) sue for violations of this law.
 
30. article. (1) in order to comply with article 29 of this law provided for in the third subparagraph, the data state inspection to the Director or his authorized inspectors presented a service card, have the right to: 1) free to visit any of the non-residential premises, which contain personal data processing systems, and systems in the presence of a representative of the responsibility to carry out the necessary checks and other measures to determine the processing of personal data in compliance with the law;
2) require written or oral explanation from any natural or legal person related to the processing of personal data;

3) request to show documents and provides other information relevant to the processing of personal data by the system;
4) request for personal data processing systems, equipment, or any of its media and determine the question of expertise in research;
5) if necessary, the performance of his duties, to call for law enforcement personnel;
6) if necessary, prepare and submit to the law enforcement authorities in the prosecution of individuals guilty of material to the liability.
(2) the Registration and inspection of the data involved national inspection staff provide registration and information obtained in the course of inspections is not disclosed, except publicly available information. This prohibition is in force even after the employee ceased to hold office.
 
31. article. Data State Inspectorate's decisions can be appealed in court.
 
32. article. If the violation of this Act, the person has suffered harm or injury, it has the right to receive appropriate compensation.
Transitional provisions 1. Chapter IV of this law "the processing of personal data and the protection of system logging" shall enter into force on 1 January 2001.
2. Article 21 of this law in the institutions and people that action undertaken before the entry into force of this Act, register the data state inspection until January 1, 2002. The system operation is not registered after that date terminated.
 
The Parliament adopted the law of 23 March 2000.
 
President Vaira Vīķe-Freiberga V., Riga 2000 of 6 April