“High standards of professional work.” (IFLR1000, 2017)


Continued implementation of measures of personal data protection requirements

On 5 February 2019, Dienas bizness HUB published an article on the measures for implementation of personal data protection requirements by Andis Ozoliņš, Attorney at Law of PRIMUS DERLING, and Linards Birznieks, Certified Data Specialist.

Quite a period of time has lapsed since the commencement of the implementation of the General Data Protection Regulation, and most companies have already, more or less, rearranged their personal data processing according to the new requirements. However, all the measures have not yet been implemented.

National framework

At the end of the preceding year, the Data State Inspectorate adopted the list of personal data processing activities subject to Data Protection Impact Assessment (impact assessment or DPIA) in Latvia. Adoption of the above list at the level of each Member State is provided by the General Data Protection Regulation. The personal data supervisory authorities of the EU Member States have been very active, originally offering more than 260 types of personal data processing in general, in case whereof the impact assessment should be carried out.

Although the list can be confusing, still it is not long, and each controller can easily peruse it on the Data State Inspectorate website. In case of uncertainty, one should address the data protection specialists or the Data State Inspectorate. According to the recommendations of Article 29 Working Party, in case of doubt about the need to carry out the impact assessment it would be better to carry it out. It is worth noting that the impact assessment should not be ignored. Incorrectly carried out assessment of the processing operations, which fails to identify all the risks related to the specific processing, will also be considered a breach of the requirements of the regulation. To carry out the impact assessment correctly, one should not only be familiar with the specifics of the particular type of data processing, but also with the rather voluminous materials of the data protection best practice, currently under active development process, and it would be hard to get along without specialist advice. Yet, carrying out of correct assessment is associated with use of additional resources. Therefore, occasionally, it would be more advantageous for the personal data controllers to first ascertain whether the impact assessment in each particular situation really is a legal obligation imposed upon them.

The full version of the article in the Latvian language is available here.