DSI ready to begin imposing stiffer fines.

In the publication “More than 30 infringement cases have been initiated in Latvia due to breaches of the General Data Protection Regulation” (“Par datu aizsardzības regulas neievērošanu Latvijā uzsāktas vairāk nekā 30 pārkāpumu lietas”), the Data State Inspectorate (DSI) expresses its readiness to begin imposing stiffer fines on companies for inappropriate data protection.

The Data State Inspectorate points out that the majority of complaints about illegal processing of data are justified, and it warns that the greatest risk of being fined lies with economic operators who believe that the General Data Protection Regulation (GDPR) does not concern them or who have entrusted implementation of the GDPR to staff members with insufficient experience in data protection.

Supervisory bodies of other European countries have already imposed rather sizeable fines for breaches of the Regulation. For instance, a healthcare institution in Portugal received a fine of EUR 400 000 for inappropriate management of system access rights, while the French data protection watchdog CNIL fined Google EUR 50 million for failing to communicate appropriately to individuals about the processing of their data.

These events serve as encouragement to Latvian companies to take action and improve their GDPR compliance. It is not too late to begin preparing now, as addressing many irregularities is not a matter of large financial investments to improve the systems but a matter of implementing certain organisational measures. Of course, it is of utmost importance that such measures be implemented by well-informed staff or external specialists.

As concerns reviews, in our opinion, the communication between the reviewed party and the reviewer is crucial, i.e. that both parties speak the same language, share the same understanding of the matters under review and are able to provide well-grounded answers. When a review is made, it is important to understand the recommendations provided by the supervisory body and the process within which it operates, so as not to lose the opportunity to exercise one’s own rights as a subject involved in the process. When the DSI finds an instance of non-compliance, that is just the beginning of the process; the next step is to assess the gravity of the breach and the proportionality of the fine, followed by establishing the gaps, compensating the victims and imposing penalties, as well as raising objections if the reviewed party does not agree with the DSI’s decision. The decision may be appealed in administrative proceedings, where it is essential to comply with the appeal deadline so as not to waste the opportunity to fight for the cancellation or reduction of the fine.

Sanita Pētersone

Senior Associate of KPMG Law Firm in Latvia, Certified Data Protection Officer
