You may be trying to access this site from a secured browser on the server. Please enable scripts and reload this page.
Home
Global
Contact
en
|
lv
| 50 Countries – Over 6,000 Colleagues – 1 Firm |
Worldwide
It looks like your browser does not have JavaScript enabled. Please turn on JavaScript and try again.
✕
Worldwide
Algeria
Angola
Ansbach
Argentina
Armenia
Australia
Austria
Azerbaijan
Bahrain
Bayreuth
Belarus
Belgium
Berlin
Bielefeld
Bosnia and Herzegovina
Botswana
Brazil
Bulgaria
Cambodia
Canada
Chemnitz
Chile
Cologne
Colombia
Costa Rica
Croatia
Cyprus
Czech Republic
Denmark
Dortmund
Dresden
Ecuador
Egypt
Eschborn
Estonia
Ethiopia
Finland
France
Fuerth
Georgia
Germany
Ghana
Greece
Hamburg
Hanover
Herford
Hof
Hong Kong (S.A.R.)
Hungary
India
Indonesia
Ireland
Italy
Japan
Jena
Kazakhstan
Kenya
Kuwait
Latvia
Libya
Liechtenstein
Lithuania
Luxembourg
Malaysia
Malta
Mauritius
Mettlach
Mexico
Moldova
Mongolia
Morocco
Mozambique
Munich
Myanmar
Namibia
Netherlands
New Zealand
Nigeria
North Macedonia
Norway
Nuremberg
Oman
Pakistan
Paraguay
Peru
Philippines
Plauen
Poland
Portugal
Qatar
Regensburg
Romania
Saudi Arabia
Selb
Serbia
Singapore
Slovakia
Slovenia
South Africa
South Korea
Spain
Stuttgart
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Tunisia
Turkey
Uganda
Ukraine
Ulm
United Arab Emirates
United Kingdom
Uruguay
USA
Uzbekistan
Vietnam
Zambia
Own offices of Rödl & Partner
German Professional Services Alliance -
GPSA
�������������������������������������������������������������
(Colours appear during mouseover)
The Rödl & Partner website uses technical cookies and the cookie-free tracking technology Matomo to store anonymous and statistical data about the data flow of this website, with the aim of improving the operation of the Rödl & Partner website and making it even more user-friendly. If you do not agree to the analysis of your habits on this website using Matomo, no data will be collected. You have the opportunity to use this technology for analytics and statistical purposes by clicking
here
.
You have the opportunity to agree or refuse the technical cookies used by the website, which help Rödl & Partner to compile statistical data about visits to this website. This choice can be made by clicking on the relevant button at the bottom of the banner. More detailed information about the privacy aspects of Rödl & Partner can be found
here
.
Services
Interdisciplinary services
Services
Legal advisory
Tax consulting
Audit services
Business Process Outsourcing
Interdisciplinary services
Our Team
About Us
Facts and figures
Our team
Facts and figures
Entrepreneurial Spirit & Core Values
Rödl & Partner Latvia
News
Reflecting on GDPR Enforcement: 7 Key Infringement Cases in Latvia from 2024
Latvian
Currently selected
Reflecting on GDPR Enforcement: 7 Key Infringement Cases in Latvia from 2024
Page Content
published on 28 May 2025 | reading time approx. 4 minutes
In celebration of the General Data Protection Regulation (hereinafter - GDPR) anniversary on the 25th of May 2025, the Data Protection Inspectorate (hereinafter - the Inspectorate) conducted an online seminar. During this seminar, an overview of the breaches that were documented over the past year was provided. By examining these cases, it is possible to determine and highlight the importance of compliance with the GDPR and to observe its effects.
In 2024, the Inspectorate received 693 complaints from data subjects and 148 third-party reports. Several inspections were also initiated on the Inspectorate's initiative. Of these inspections, 49 corrective measures were applied and 23 decisions in administrative infringement proceedings were adopted.
This article will focus on seven of these infringements, which were recorded last year. As the Inspectorate recognized that fines are not always necessary to achieve justice or remedy the situation, alternative corrective measures to fines were applied in several cases.
Multiple cases in the past year have highlighted the importance of cooperation between the controller and the Inspectorate by providing the necessary information when an inspection case is opened. Failure to provide the information may result in negative consequences for the controller, including fines. Last year, the Inspectorate opened many inspection cases relating to the hospital's conduct as the controller. In one such case, the hospital allegedly obtained and transferred patients' personal data to third parties without any legal basis and without informing the data subject. The Hospital did not respond to the Inspectorate's requests to provide answers and explanations. This led to the Inspectorate recognizing such actions as an infringement and imposing a fine of EUR 2000 as a corrective measure on the Hospital.
A limited liability company was fined EUR 500 for failing to provide information to the Inspectorate. In this case, the Inspectorate carried out preventive checks by looking at the privacy policies of companies published online. The Inspectorate identified deficiencies in the privacy policy and requested the company to respond, which the company failed to do.
A number of video surveillance inspections were also carried out in 2024. In one of these cases, the Inspectorate had requested information from the company based on complaints from data subjects about video surveillance. When the company was beckoned to provide clarifications about why and on what legal basis the video surveillance was being carried out, no reply was provided. Hence, a fine of EUR 500 was imposed on the company. This highlights the importance of cooperation with the Inspectorate and compliance with its requests, otherwise, such action will be considered a separate offence.
The Inspectorate also received a complaint from a natural person that a certain company providing security services published a video fragment, from its surveillance system, online. Although the video in question was deleted from the online web application, the Inspectorate concluded that the controller also made an audio recording of the video surveillance, which had no legal basis. The company became subject to corrective measures - an obligation to stop creating audio recordings of the surveillance video.
Several cases relating to the publication of information in the media were also inspected last year. In one case, a collective petition by the company's employees was republished on a website. The published petition retained the names and signatures of 34 employees. Although the legitimate aim of the publication was to inform the public about the wrongful conduct of the undertaking in question, there was no need to include personally identifiable information about the employees to achieve the aim. An obligation to remove personally identifiable information about the applicants was placed upon the undertaking.
It must be pointed out that publicly available information cannot be freely used. This was highlighted by one of last year's cases. A website republished information from the Health Inspectorate's website, which included information on the name, profession, specialty certification, expiry date and number of the certificate. As it is possible to identify certain individuals from the information provided, contrary to the view of the controller, it was established that personal data was processed in the case. The controller was subject to corrective measures to determine the legal basis for the processing of personal data, as well as to develop and submit personal data processing rules to the Inspectorate.
Personal data of a data subject includes not only identifying information, such as name, surname and personal identification number but also images of the person. In this case, online media published an image of a data subject who complained to the Inspectorate. The data subject had requested the controller to delete the images in question, but the controller did not comply with this request. The Inspectorate carried out an inspection and found that the images depicting the data subject were still available in the media. The Inspectorate initially issued a warning to the controller and ordered the controller to bring its processing activities into line with the provisions of the GDPR. However, after a re-inspection, it was found that the obligations imposed had not been complied with. The infringement was considered moderately serious and a corrective measure of a fine amounting to EUR 1 000 was imposed.
These cases remind us of the need for verification of the lawfulness and the genuine necessity of data processing, as well as the obligation to cooperate with the data protection authority when necessary.
Stanislavs Sviderskis
Certified data protection specialist
Send inquiry
Turn on more accessible mode
Turn off more accessible mode
Skip Ribbon Commands
Skip to main content
Turn off Animations
Turn on Animations
Deutschland
Weltweit
Search
Menu
