On 6 March 2018 the Cabinet of Ministers approved the Data Processing Bill, drafted in the light of the EU General Data Protection Regulation (GDPR). This article takes a look at the purpose of the Bill and the areas it governs.
The purpose of the Bill
As you may know, the GDPR begins to apply from 25 May 2018. Unlike the Data Protection Directive,¹ the GDPR is directly applicable across the EU, and so member states are not required to pass its provisions into their national legislation. However, the GDPR permits member states to adopt national provisions that clarify the data processing principles laid down by the GDPR. The GDPR also gives member states the power to pass special provisions into their national legislation. The Bill has been drafted to meet GDPR requirements.
Coverage
A key area governed by the Bill is the status and functions of the National Data Office (NDO). The GDPR provides that the data processing regulator (the NDO in Latvia) should be independent and have adequate financial and human resources enabling it to efficiently carry out the tasks set by the GDPR. For this reason the Bill contains detailed provisions for the NDO’s independent status and competence, lays down rules for appointing its head, and defines its employees’ powers and internal decision-making procedures.
For example, the Bill puts the NDO under the supervision of the Cabinet of Ministers, not the Ministry of Justice, and provides that Parliament will appoint the head of the NDO for a term of up to five years. To avoid the risk of corruption and help the NDO develop its range of activities, a person’s tenure as head of the NDO will be limited to two consecutive terms.
To meet GDPR requirements the NDO will have the power to carry out all necessary activities to ensure that personal data processing complies with GDPR requirements, e.g. pay a visit to the site of processing, enter the premises, conduct a forced search, and obtain information using all statutory methods.
The GDPR lists cases where entities will be required to appoint a data protection officer (DPO). The Bill defines persons that may be appointed as DPO and lays down procedures for having them entered on the list of DPOs maintained by the NDO.
Given the powers delegated by the GDPR, the Bill restricts a data subject’s access rights. While the principle laid down by the GDPR provides that a data subject may request certain types of information, the Bill limits the number of cases where a data subject is unable to exercise this right and the data controller has the power to withhold information, e.g. where such disclosure is prohibited by legislation on national security, national defence or public security, or by criminal law. The Bill also provides for exclusions from GDPR requirements, e.g. where personal data is processed for purposes of official publication, statistics, or archiving in the public interest.
_______________________________________________
1 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data