DVI (Latvia) - SIA “JK Media group”
From GDPRhub
| DVI - SIA “JK Media group” | |
|---|---|
 | |
| Authority: | DVI (Latvia) |
| Jurisdiction: | Latvia |
| Relevant Law: | Article 5(2) GDPR Article 24(1) GDPR Article 58(2) GDPR Article 83(5)(e) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 22.02.2024 |
| Decided: | 28.03.2024 |
| Published: | 24.07.2024 |
| Fine: | 1,000 EUR |
| Parties: | JK Media group SIA |
| National Case Number/Name: | SIA “JK Media group” |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Latvian |
| Original Source: | DVI (in LV) |
| Initial Contributor: | fb |
The DPA fined a controller €1,000 after it failed to comply with a previous decision of the DPA ordering it to remove a page from its website.
English Summary
Facts
On 10 January 2024, the DPA issued a decision ordering the controller to edit or delete personal data published on its website and issuing a reprimand for the breach of Article 5(1)(a), 5(1)(c), 12(1) to (4) GDPR.
On 19 February 2024, the DPA re-examined the website of the controller noting that the personal data was still available.
Therefore, on 22 February 2024, the DPA opened an administrative offence case for failure to ensure compliance with the previous decision of the DPA.
The controller argued that it had not edited or deleted the publications because it did not have access to the archive material of the previous owner of the website.
Holding
The DPA set aside the controller’s argument. It noted that, in accordance with Article 24(1) GDPR, the controller should have implemented appropriate measures to ensure compliance with the GDPR and, pursuant to Article 5(2) GDPR, the controller should be able to demonstrate this compliance.
Therefore, the controller should have implemented appropriate measures in order to be able to edit or delete the content published on its website. The DPA recalled that one of the main priorities of the controller should be the accessibility of the information to the controller itself.
As a consequence, the DPA found a violation of Article 58(2) GDPR as the controller failed to comply with the orders given in a previous decision of the DPA.
On these grounds, the DPA issued a fine of €1,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Latvian original. Please refer to the Latvian original for more details.
Elijas iela 17, Riga, LV-1050, tel. 67223131, e-mail pasts@dvi.gov.lv, www.dvi.gov.lv
In case no. [..]
The decision
Riga,
On March 28, 2024, no. [..]
On the application of punishment
1. Authority (official) that makes the decision: Data State Inspections (hereinafter -
Inspection) [..] (hereinafter - Official), in accordance with the General Data Protection Regulation
1
of the regulation (hereinafter - the Data Regulation) of Article 58, paragraph 2, subparagraph i), Data of natural persons
of the Law on Processing (hereinafter - the Data Law), Article 5, Part One, Clause 2, Article 23 and
Paragraph 4 of the first part of Article 115 of the Law on Administrative Responsibility (hereinafter - AAL).
2. Place and date of administrative violation case review: 2024
on March 21 at 10:00, Elijas Street 17, Riga.
3. Information about the participants in the process and their representatives and advocates (if any):
3.1. Person to be held responsible: Limited Liability Company "JK Media
group", unified registration number 43603077179, legal address: Kastaniu iela 2A - 15,
Jelgava, LV – 3008 (hereinafter – SIA).
Victim: [..], personal identification number [..], declared address of residence: [..].
3.2. SIA and [..] did not attend the hearing of the administrative violation case.
SIA was notified of the date and time of the hearing of the administrative violation case
The letter of February 28, 2024 from the Inspection Officer, while [..] with the Official
3
Letter of March 26, 2024.
The Inspection received information from SIA that SIA agrees to the consideration of the case in writing
in the process, while no information about the reasons for non-appearance or a request for postponement has been received from [..].
consideration of the case.
The victim of paragraph 2) of the first part of Article 44 of the AAL has the right to participate in administrative proceedings
in the consideration of the infringement case. According to the second part of the article, the victim exercises his rights voluntarily
and in the amount you choose. Failure to exercise the right does not prevent the administrative violation process
going on
According to the fourth part of Article 137 of the AAL, the case of an administrative violation can be examined
in a written process, if the participants in the process agree to it.
In accordance with the above, the case has been examined without the person to be held liable (SIA) and the victim
([..]) presences.
1
Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) on the protection of natural persons
2 on the processing of personal data and the free movement of such data and repealing Directive 95/46/EC
Inspection letter N[..]About sending the decision, submitting information and examining the case
3Inspection letter N[..]About sending the decision and examining the case 2
4. In the consideration of the case, the actual and
description of the established circumstances:
4.1. The official finds that in the materials of the administrative offense case (hereinafter -
The case) is in Official's report of February 21, 2024 no. [..]About society with
limited liability for the actions of "JK Media group" without securing the order of the Data State Inspection
execution (hereinafter - the Report) with attachments.
It follows from the information contained in the Report and its appendices that the Inspection, based on
[..] complaint 4 (hereinafter - Complaint), in accordance with Article 57, paragraph 1 a) of the Data Regulation and
Subsection (f), Article 4, Part One, Clause 1 of the Personal Data Processing Data Law, is
performed a check on the SIA website at www.jelgavniekiem.lv (hereinafter - the Website)
the processing of [..] personal data and the actions of the website administration without informing [..] about
action taken after [..], as a data subject, request of May 6, 2022 in accordance with the Data
Article 17 of the Regulation (hereinafter – Request) (Inspection case No. [..]).
As part of the inspection case with the decision of the Inspection of January 10, 2024 no. [..]About
the application of the corrective measure (hereinafter - the Decision), based on Article 58 of the Data Regulation
Clause 2(b) and Clause 2(d) SIA were subject to corrective measures,
by reprimanding SIA for Article 5(1)(a) and (c), Article 12(1) of the Data Regulation -
failure to provide the requirements of paragraph 5 and the first and second parts of Article 32 of the Data Law, as well as
issuing orders to SIA as a manager to coordinate processing activities with the provisions of the Data Regulation
..
in a specific way and in a specific period of time. Namely, the Inspectorate imposed an obligation on SIA: 1)
ensure data regulation-compliant [..] processing of personal data on the SIA Tīmekļa website by editing
The publications mentioned in the decision or by deleting them as a whole, 2) to comply with Article 12.1 of the Data Regulation -
The requirements of paragraph 5, i.e. fulfill [..] the Request and notify [..] of the action taken after
Reasons for the request or non-performance.
With the Decision, SIA was determined to inform the Inspection in writing about the implementation of the Decision
by February 6, 2024, including by submitting a certified copy of the answers provided to the Inspection [...]
a copy and a document confirming its notification.
The decision was communicated to SIA by sending it to SIA on January 11, 2024 by registered mail.
No. [..] to SIA's legal address: Kastaniu iela 2A – 15, Jelgava, LV – 3008, as well as additionally to SIA
The postal address indicated on the website: Skolotāju iela 3, Jelgava, LV – 3001. According to State shares
for publicly available information on the "Latvijas Pasts" website pasts.lv, both postal
shipments were delivered on January 24, 2024.
In addition to the above, the Decision was electronically notified (sent) to SIA on the website
for the indicated communication channels: jkmediagroup.lv@gmail.com, redaktors@jelgavniekiem.lv,
[..]@novaja.lv, [..]@novaja.lv.
On the day of signing the Report, the Decision was not disputed, information (answer) about
Execution of the decision was not received within the specified term, nor was information received about
reasons for not providing information (answer).
On February 19, 2024, the Inspection Officer carried out a repeat of the SIA website
examination (hereinafter - Inspection Act), finding that the publications mentioned in the Decision (hereinafter -
Publications) containing [...] personal data - name, surname and photos are still available
On the website, thus SIA continues to carry out [...] personal data processing, contrary to the provisions of the Decision.
4.2. The official, based on the information in the Report and annexes, with
of February 22, 2024 decision no. [..] initiated administrative violation case no. [..] about that
SIA did not ensure the execution of the Decision, thus, continuing to process [...] personal data - name, surname and
photo processing - publishing on the website, in violation of the basic principles of processing, namely Data
4 Received and registered in the inspection on August 22, 2022[..]r No.
5
6 the last day for submitting a written answer by mail or sending it electronically with a secure electronic signature
[..][..]
7 Inspections of February 19, 2024 a[..]No.
8[..], [..] 3
Regulation Article 5(1)(a), (c), Article 6(1), the first sentence of Article 32 of the Data Law
and the second part, as well as the data subject's rights in accordance with Article 12, Clauses 1-5 of the Data Regulation,
without notifying the Data Subject about the action performed after the Request in accordance with the Data Regulation
Article 17, and has not complied with the order of the supervisory authority (Inspection) in accordance with the Data
Article 58, Paragraph 2 of the Regulation and has not provided access to information in violation of the Data Regulation
Paragraph 1 of Article 58.
Administrative violation qualified according to Article 83, Article 5 a), b) and e) of the Data Regulation
in subsection for signs of an administrative violation.
4.3. The case materials contain the letter of the Inspection official of February 22, 2024, with
which SIA was informed about the initiated administrative violation process, case review
date and time, as well as invited to provide explanations by March 14, 2024,
submissions or requests of a different nature, as well as evidence. 10
4.4. The case materials contain the letter of the Inspection officials of March 6, 2024, with
who [..] was informed about the initiated administrative violation process and invited to evaluate
the issue of recognition as a victim in the Case, by submitting the relevant request and specifying someone
damage [..] is caused as a result of SIA's actions.
11
4.5. The case materials contain the explanations of SIA dated March 15, 2024 (hereinafter -
Explanations). In the explanations, SIA states that [..] is talking about the articles that were on the website
published on January 23, 2011 and February 1, 2012, but the website of SIA Tīmekļa in its
took over the management only in June 2012, and the previous owners did not have access to it
archive materials.
In order to deal with the situation, in December 2023, SIA concluded an agreement with "[..]" SIA, with
which are undergoing technical changes that allow access to old archives of previous owners
materials. Currently, after 3 (three) months of work, it has been possible to access the archived materials, and
both links pointed to by [..] have been deleted.
Considering that by investing significant financial resources, which significantly lowered the company
profitability, the situation that arose through no fault of the company has been eliminated, SIA asks for an opportunity
terminate the case of an administrative violation.
The contract of January 5, 2024 mentioned in the Explanation is attached to the Explanations
No. [..] between SIA and "[..]" SIA Regarding the development of the portal platform.
12
4.6. The case materials contain [...] a reply letter dated March 4, 2024, in which [...] expresses
a request for recognition as a victim in the Case, indicating the further justification of the victim's status
for allocation.
[..] believes that the violation of his subjective rights is a harm in itself. Namely,
In Article 8, paragraph 1 of the Charter of Fundamental Rights of the European Union, there is the right to data protection
formulated as individual subjective rights inherent to a person, that is, every person has
the right to the protection of your personal data. Article 1, paragraph 2 of the Data Regulation also states that
the regulation protects the fundamental rights and fundamental freedoms of natural persons and, in particular, their rights to the person
data protection, that is, the right to personal data protection is mentioned as one of the person
fundamental rights and fundamental freedoms, thus the violation of a person's fundamental rights is harm.
A contrary understanding would undermine the idea of fundamental rights based on personal dignity.
Similarly, the actions of SIA in a long period of time, contrary to [..]requests, to distribute pictures in which he is
seen almost naked, has caused difficulties [...] in professional and private life. So far there hasn't been
no workplace or other collective that has not seen him in underwear even before he has
had the opportunity to meet these persons in real life conditions. Earlier discussions on various
holding positions have stopped at the fact that such photos are still publicly available, in which [...]
can be easily identified.
9 Inspection letter no. [..]About sending the decision, submitting explanations and examining the case
10 Inspection letter no. [..]About sending the decision and examining the case
11 Received and registered in the inspection on March 18, 2024 with no. [..]
12 Received and registered in the inspection on March 4, 2024 with no. [..] 4
[..] indicates that his current job duties include, among other things, the LR Saeima
representation in the Constitutional Court proceedings. Such representation is made difficult by the fact that the public is always available
photos that were taken more than 10 years ago and do not reflect the aspects that he
purposefully improved in his daily life in the last decade. In addition, the feeling of powerlessness and
the loss of confidence in the institutions of a democratic state under the rule of law caused by such dishonest
the actions of individuals and the ability to remain unpunished, regardless of their illegal actions, creates [...]
additional emotional harm.
4.7. The case materials contain the Official's decision of March 6, 2024 no. [..] – 2 Par
the granting of victim status, which was notified by the Inspection's letter 13 of March 6, 2024 [..],
informing [..] about the date and time of the case hearing, as well as inviting additional submissions
explanations, submissions or requests of a different nature, as well as evidence.
[..] has not provided additional explanations in the Case and has not submitted any additional requests
or submissions.
4.8. The case materials contain the Official's inspection protocol of March 20, 2024 14
(hereinafter referred to as the Inspection Protocol), from which it follows that the Official, in order to make sure of SIA
The truthfulness and compliance of the information provided in the explanations with the actual situation of 2024
On March 20th, the website was revisited.
at 10.42 by entering the Website address in a web browser
(www.jelgavniekiem.lv), a notice was presented with the following text in English: "Internal Server
Error. The server encountered an internal error or misconfiguration and was unable to complete
your request.n Please contact the server administrator, webmaster@susurs.com and inform them
of the time the error occurred, and anything you might have done that might have caused the
error. More information about this error may be available in the server error log.” (translation
from English: Internal server error. The server encountered an internal error or misconfiguration,
and it could not fulfill your request. Please contact the server administrator
webmaster@susurs.com and let them know when the error occurred and what you have done,
which could have caused the error. More information about this error can be found in server error
in the magazine."
at 11.30 re-entering the website address in the web browser
(www.jelgavniekiem.lv), the same message is displayed with the following text: "Internal Server Error.
The server encountered an internal error or misconfiguration and was unable to complete your
request.n Please contact the server administrator, webmaster@susurs.com and inform them of
the time the error occurred, and anything you might have done that might have caused the error.
More information about this error may be available in the server error log.” (translation from
English: Internal server error. The server encountered an internal error or misconfiguration and
it could not fulfill your request. Please contact the server administrator
webmaster@susurs.com and let them know when the error occurred and what you have done,
which could have caused the error. More information about this error can be found in server error
in the magazine."
In view of the above, it was found that the website was not working during the inspection, and
it was not possible to verify the content posted on the Website.
5. Normative act providing for liability for administrative violation: Data
Article 83, paragraph 5, subparagraph a), b) and e) of the regulation.
5.1. According to Article 132 of the AAL, when considering an administrative offense case, it must be ascertained whether
an administrative offense has been committed, or the relevant person is guilty of committing it, or this
a person can be held administratively liable, or there are mitigating and aggravating factors
circumstances, as well as other circumstances that are important for the correct decision of the case should be clarified.
13 In the inspection, letter no. [..] About sending the decision and examining the case
14 Registered in the inspection on March 20, 2024 with no. [..] 5
5.2. The first part of Article 5 of the AAL stipulates that an administrative offense shall be recognized
illegal, culpable behavior (action or inaction), for which the law or the municipality
binding regulations provide for administrative responsibility.
5.3. Administrative
responsibility for the basic principle of processing, including the condition of consent, in compliance with the Data Regulations
Articles 5, 6, 7 and 9, on the data subject's rights provided for by Articles 12-22 of the Data Regulation and on
non-compliance with the order of the supervisory authority in accordance with Article 58, Clause 2 of the Data Regulation, or
not providing access in violation of paragraph 1 of Article 58, violations.
5.4. Thus, in order to establish that SIA has committed an administrative violation, which is intended
In Article 83, Clause 5, subparagraphs a), b) and e) of the Data Regulation, it is necessary to establish that SIA:
1) performed [...] personal data processing on the SIA Tīmekļa website, in violation of Article 5, Clause 1 of the Data Regulation
and the basic principles of personal data processing defined in Article 6, paragraph 1, namely, is carried out unlawfully
[...] processing of personal data; 2) has not respected [...] the rights in accordance with Articles 12-22 of the Data Regulation,
that is, it has not informed [..] about the action carried out following the Request, nor has it informed about
extensions of the deadline for providing information and/or reasons for non-performance, 3) none
has complied with the order of the supervisory authority (Inspection) in accordance with Article 58 of the Data Regulation
paragraph 2 and has not provided access to information in violation of Article 58 paragraph 1 of the Data Regulation, namely
did not comply with the Decision, as well as did not provide information to the Inspectorate within the deadline specified in the Decision
(answer) on the execution of the Decision or information on the reasons for not providing an answer.
5.5. The legal framework for the processing of personal data is determined by the Data Regulation, the Data Law
and other regulatory acts.
5.5.1. According to Article 4(1) and (2) of the Data Regulation, "personal data" is any
15 16
information relating to an identified or identifiable natural person, in turn
"processing" is any operation performed on personal data or sets of personal data 17 or
a set of actions that are fully or partially performed by automated means, as well as actions with
19
for such personal data that form or are intended to form part of the file. That way [..]
name, surname and picture are considered personal data, but their publication on the website of SIA Tīmekļa,
is the processing of personal data within the meaning of subsections 1) and 2) of Article 4 of the Data Regulation.
5.5.2. Subparagraph 7 of Article 4 of the Data Regulation states that the processing of personal data
20
Compliance with the Data Regulation is the responsibility of the controller. It follows from the case materials that in the specific case
in this case, the controller for the [..] personal data processing carried out on the website is SIA.
5.5.3. Article 5 of the Data Regulation defines the basic principles of personal data processing, in accordance with
for which the processing of personal data must be a) lawful, fair and transparent and c) only
according to the intended purpose and to the extent necessary for it, but in Article 6 - processing
lawfulness, meaning that the processing is lawful only to the extent and only if applicable
at least one of the grounds mentioned in Article 6, paragraph 1. In accordance with Article 5 of the Data Regulation
For paragraph 2, the manager is responsible for compliance with Article 5 paragraph 1 and can demonstrate this.
So, only by observing the basic principles of data processing specified in Article 5 of the Data Regulation and existing
15 an identifiable natural person is one who can be directly or indirectly identified, in particular with reference to an identifier,
for example, the name, surname, identification number, location data of the mentioned person, online
identifier or one or more physical, physiological, genetic,
spiritual, economic, cultural or social identity factors
16 data subject
17 such as collection, registration, organization, structuring, storage, adaptation or transformation, retrieval,
viewing, using, disclosing, transmitting, distributing or otherwise making available, matching or combining,
restriction, erasure or destruction
18 Personal data processing by automated means includes data processing in information systems where possible
19 read a person by specific identifiers, for example, using information technical systems.
any structured set of personal data that is accessible according to specific criteria, whether or not
A set of 20 is centralized, decentralized or dispersed based on functional or geographical motivation.
natural or legal person, public institution, agency or other body, alone or jointly with others
determines the purposes and means of personal data processing [...] 6
to any of the legal grounds specified in Article 6, Clause 1 of the Data Regulation, persons
data processing may be recognized as lawful.
5.5.4. The controller must also ensure the fulfillment of other requirements specified in the Data Regulation and the Data Law,
including the data subject's rights set out in Chapter III of the Data Regulation and Chapter VIII of the Data Law
compliance. Paragraphs 1-5 of Article 12 of the Data Regulation provide for the controller's obligations to the data subject [..]
ensure all communications referred to in Articles 15-22 [..] regarding processing [..]. The manager contributes to the data
implementation of the subject's rights in accordance with Articles 15-22. [..] The manager without undue delay and
in any case, within a month after receiving the request, the data subject is informed of the activity,
made upon request in accordance with Articles 15-22. If necessary, the said period
can be extended for another two months, taking into account the complexity and number of requests. Manager
inform the data subject of any such extension and the reasons for the delay within a month after
receiving the request. [..] If the controller does not perform an action requested by the data subject, the controller
informs the data subject without delay and within a month at the latest after receiving the request
the reasons for non-performance and the possibility to file a complaint with the supervisory authority and appeal
in court. The information [...] implemented in accordance with Articles 15-22 [...] shall be free of charge. [..].
5.5.5. Clause 2 of Article 58 of the Data Regulation sets out the corrections of the supervisory authority
powers, including the powers of the Inspectorate to issue an order to the manager specified in subsection (c).
to fulfill the data subject's request to exercise the rights granted to him in accordance with this regulation. Data
Article 58, paragraph 2 d) of the regulation provides for the authority of the Inspectorate to issue an order to the manager to coordinate
processing operations with the provisions of the Data Regulation, if necessary – in a specific manner and
in a specific period of time.
On the other hand, in accordance with Article 58, Paragraph 1, Subsection e) of the Data Regulation, the supervisory authority
have the authority to obtain from the controller and processor access to all personal data and all
information necessary for the performance of its tasks. The first parts of Article 5 of the Data Law
Paragraph 3 provides for the right of the Inspectorate to request according to its competence and free of charge
in the specified amount and form to receive from private individuals, state administration institutions and
information, documents or their copies and others necessary for officials to check
materials, including restricted information.
5.6. The official, after evaluating the materials in the Case in connection with SIA and [..] provided
explanations, has reached the following conclusions:
5.6.1. Regarding the processing of [..] personal data carried out by SIA on the website of SIA.
It follows from the case materials that SIA justified the processing of personal data of the data subject with SIA
the right to freedom of information.
In this case, Article 85, paragraph 1 of the Data Regulation, which determines the procedure for processing, should be taken into account
and in determining the mutual balance of freedom of speech and information, providing that member states with
to its legislation maintains a balance between the right to the protection of personal data in accordance with
regulation and the right to freedom of expression and information, including processing for journalistic purposes and
for the purposes of academic, artistic or literary expression.
Data processing in connection with freedom of speech and information is determined by Article 32 of the Data Law, which
the first part states that the person has the right to process data for academic, artistic or
for the needs of literary expression in accordance with the regulations, as well as process data
for journalistic purposes, if it is done with the aim of publishing information that affects the public
interests. In accordance with the second part of the mentioned article, when processing data for journalistic purposes, regulations
provisions (except Article 5 of the Data Regulation) do not apply if all of the provisions in this chapter are available
listed conditions: 1) data processing is carried out to exercise the right to name and information
freedom, respecting a person's right to private life, and such data subjects are not affected
interests that require protection and are more important than the public interest; 2)
data processing is carried out with the aim of publishing information affecting the public interest; 3) data regulations
compliance with the rules is incompatible with or prevents the exercise of the right to freedom of expression and information.
In addition, the concept of "journalistic needs" should be interpreted as broadly as possible, including activities with objective 7
publish information, opinions or ideas through any means of dissemination. 21
This means that even after establishing the conditions of the second part of Article 32 of the Data Law, which exempts
controller from complying with the requirements of the Data Regulation, the controller remains bound by Article 5 of the Data Regulation
the established basic principles of data processing, namely, must be ensured from Article 5, paragraph 1 of the Data Regulation
The requirement arising from subparagraph a) to make sure that everything has been observed in the processing of personal data
processing conditions and the principle of minimality resulting from subsection (c), and it is not allowed,
that the processing of personal data is carried out in an amount that is not appropriate for the purpose, i.e. according to the principle "the more,
the better”. Therefore, the processing of [..] personal data carried out by SIA on the website of SIA could be recognized
legal if it complies with the basic principles set out in Article 5 of the Data Regulation.
The purpose of the Data Regulation is to protect the fundamental rights and freedoms of natural persons and in particular
the right to the protection of personal data, however, it should be noted that the right to personal data
protections are not absolute and must also be balanced with other fundamental rights. Although in this decision
in the mentioned case, SIA has the right to take photographs and
filming activities, in order to inform the public about current events in the city and county, including
for cultural events held, SIA needs to evaluate whether the publication of such images
would not conflict with the data subject's interests that require protection and are
more important than public interest.
When exercising the mentioned right to freedom of speech and information, one must not violate another person
In the Constitution of the Republic of Latvia, in international and legal acts of the Republic of Latvia
the strengthened fundamental rights of others to privacy and protection of personal data. In accordance with
The processing of personal data of data regulations should be designed in such a way that it serves a person. The right to a person
data protection is not an absolute prerogative; they must be considered in relation to their f22ction in society and
must be balanced with other fundamental rights in accordance with the principle of proportionality. It follows from the above that
the right to freedom of expression can be exercised in the same sense as any other right possessed by a person
human rights, i.e. the right to freedom of speech, are not and cannot be superior to, for example, individuals
23
the right to personal data protection, and the principle of proportionality must be observed in their implementation, in each
making an assessment in the specific case.
When evaluating the rights, it must be taken into account that the public has the right to be informed about
issues of public importance and the mass media have the right to disseminate them. Considering that between
these two rights also include the right of a private person to the inviolability of private life,
the controller must balance all the above-mentioned interests. Namely, or the data of natural persons
processing (interference in a person's private life) is proportionate to the contribution that
a journalist/mass media/writer/blogger has wanted to make a contribution to society as well as a contribution
society cannot realize the natural person in less offensive ways (for example, without processing
data of natural persons in general). Also, whether the question in question is to be assessed in conjunction
necessary in a socially significant discussion (whether it can make a significant contribution to society and
is legitimately necessary).
In this sense, the Parliamentary Assembly of the Council of Europe emphasizes that every person is important
the right to privacy and the right to freedom of expression because it is democratic
the foundation of society. These rights are neither absolute nor enforceable in a hierarchical order, because they are
equally important. However, the Assembly points out that in Article 8 of the European Convention on Human Rights
the established right to the inviolability of private life provides for the protection of private individuals not only
against public authorities, but also against private individuals or private sector institutions, including the media
21 cf. In the judgment of the European Court of Justice of December 16, 2008, in the case Satakunnan Markkinapčrssi and Satamedia,
C -73/07, ECLI:EU:C:2008:727, 52-61. point
22 Recital (4) of the Data Regulation.
23 See, for example, Article 8, paragraph 1 of the Charter of Fundamental Rights of the European Union: "Everyone has the right to his
protection of personal data" and paragraph 2 of Article 8: "Such data must be processed in good faith, for specific purposes and with
the consent of the person concerned or with other legal grounds provided for by law. Everyone has approaches
the right to the data collected about him and the right to have this data rectified." 8
funds, interference in their private life. 4
Taking into account what was found in the Case and what is indicated in this decision, the Inspectorate does not find that SIA would implement
Data Regulation-compliant and proportionate [...] processing of personal data by making publicly available [...] faces
and body images on the SIA Tīmekļa website, where the said images [..] are seen without outerwear
(only in swimming trunks, underpants or shorts with partially naked body) more than 12 years after
events mentioned in the publications.
SIA continuing to process the mentioned [..] personal data even after the [..] Request for personal data
after receiving data deletion, such circumstances are implemented, as a result of which [...] the right to privacy and
the protection of personal data is violated to a higher extent than the rights of SIA and the company and
freedom of information.
Based on the above, the Inspectorate concludes that the Data Law is being implemented in the specific case
to the requirements of the first and second parts of Article 32 and Article 5, paragraph 1 a) and
processing of personal data not in accordance with point c) [..].
5.8.2 Regarding the observance of the rights of [..] as a data subject.
It follows from the case materials that [...] on May 6, 2022, contacted SIA by telephone with the desire
about the removal of content from SIA's website, as a result of which [...] was invited to apply in writing to
Ltd. with the exact address of the article and your wish. The inspection finds that [...] on May 6, 2022 applied
at the website of SIA Tīmekļa with a request by sending it in an electronic mail to SIA Tīmekļa
the website's electronic mail address [..]@novaja.lv, where the website was requested to remove the pictures,
containing [..] images, from Publications.
The case materials contain information that [..] has not received information (answer) to his
Request, i.e. SIA since May 6, 2022 and still has not informed [..] about the operation,
which was made after the Request, and also did not inform about the deadline for providing information
reasons for extensions and/or non-performance.
Also, it can be concluded from the Case materials that SIA did not respond to several Inspections
invitations to fulfill [..] the data subject's Request .5
In view of the above, the Inspectorate concludes that SIA has not complied with the Data Regulations in its operations
The requirements set out in clauses 1 - 5 of Article 12, thereby violating the rights of the data subject in accordance with
Article 17 of the Data Regulation.
5.8.3. Regarding the execution of the Inspection Decision.
It follows from the case materials that the Decision was adopted on January 10, 2024. In the decision
in accordance with Article 58, Clause 2, c) and d) of the Data Regulation, an order was issued to SIA to
The actions mentioned in the decision and in accordance with Article 58, paragraph 1, subparagraph e) of the Data Regulation SIA
requested that SIA inform the Inspection in writing about the implementation of the Decision by 2024
for February 6, by submitting a certified copy of the answer provided to the Inspectorate and a document which
confirms its notification.
In accordance with the first and second parts of Article 70 of the Law on Administrative Procedure, the decision enters into force
effective from the moment it is notified to the addressee, while the decision is notified to the addressee accordingly
Notification Act. The second part of Article 4 of the Notification Law provides that the legal entity
the document is notified to its legal address.
According to the first part of Article 139 of the Commercial Law, the company's legal address is the address,
where the management of the company is located. Therefore, the SIA must be reachable at the registered in the commercial register
The legal address of the SIA, including the SIA, must ensure the receipt of correspondence.
Paragraphs three and four of Article 8 of the Notification Act provide that a document notified as
a registered postal item shall be deemed to have been notified on the seventh day after its delivery to the post office, as well as if
a certificate is received from the post office about the delivery of the parcel or a document sent back, the same for
24 Resolution 1165 (1998) of the Parliamentary Assembly of the Council of Europe of 16 June 1998 on the right to private
inviolability of life, paragraphs 11 and 12.
25 It follows from the Decision that the Inspection in the letter of February 16, 2023 no. [..] and on March 30, 2023 in letter no. [..]
invited SIA to fulfill the requirements of Article 12.1 - 5. of the Data Regulation, i.e. fulfill the Request and inform [..] about
the action performed after the Request or for the reasons for not performing the action. 9
itself is not affected by the fact of notification of the document. The presumption that the document has been announced in the seventh
on the day after it is delivered to the post office or on the eighth day from the day it is registered in the institution as being sent
document, the addressee can refute by pointing to objective circumstances independent of the addressee
wishes were an obstacle to receiving the document at the specified address.
The decision was communicated to SIA by sending it to SIA on January 11, 2024 by registered mail.
No. [..] to SIA's legal address: Kastaniu iela 2A – 15, Jelgava, LV – 3008, as well as additionally to SIA
The postal address indicated on the website: Skolotāju iela 3, Jelgava, LV – 3001. According to State shares
for publicly available information on the website of "Latvijas Pasts" company pasts.lv, both postal
shipments were delivered on January 24, 2024.
In addition to the above, the Decision was sent electronically to those indicated on the website of SIA
communication channels: jkmediagroup.lv@gmail.com, redaktors@jelgavniekiem.lv, [..]@novaja.lv,
[..]@novaja.lv.
Taking into account the above, it can be concluded that the information (answer) provided by the Inspection SIA regarding the Decision
26
execution should be received, at the latest, on February 14, 2024.
After evaluating the circumstances in the Case and the evidence obtained in the Case, the Official concludes that
SIA has not complied with the provisions of the Decision that SIA: 1) must provide Data Regulation-compliant [..]
processing of personal data on the SIA Tīmekļa website, editing the publications or those mentioned in the Decision
deleted as a whole, 2) the requirements of Article 12, paragraphs 1 - 5 of the Data Regulation must be fulfilled, i.e. must fulfill [...]
Request and must inform [..] about the action taken after the Request or about the action
reasons for non-implementation, 3) as well as the fact that SIA had to submit to the Inspectorate by February 6, 2024
information on the execution of the Decision, therefore, has not been observed by the supervisory authorities (Inspections)
order in accordance with Article 58, paragraph 2 of the Data Regulation and has not provided access to information,
in violation of Article 58, paragraph 1 of the Data Regulation.
5.8.4. SIA explains that it did not have access to the archive of the previous owners
materials in order to edit the Publications or delete them, the situation did not arise due to the fault of SIA.
In accordance with Article 24, paragraph 1 of the Data Regulation, taking into account the nature and extent of processing,
context and intentions, as well as risks of varying likelihood and severity with respect to
rights and freedoms of natural persons, the manager implements appropriate technical and organizational
measures to ensure and be able to demonstrably demonstrate that processing takes place in accordance with this regulation.
If necessary, the mentioned measures are reviewed and updated. In addition, in accordance with the Data Regulation
According to Article 5, paragraph 2, the controller is responsible for compliance with data processing principles such as Data
the principle of data integrity referred to in Article 5, paragraph 1 of the regulation, therefore the controller (SIA) has
must be able to demonstrably demonstrate that it implements personal data processing in accordance with the Data Regulation.
In the context of the above, the Official concludes that the statement of SIA that it was not available
archive files of the previous owners of the Website, and therefore the manager (SIA) did not
it is possible to make changes to the content of Publications (for example, to delete [...] those containing personal data
text and image items) are not considered as justifications according to the Data Regulation of the person
for restricting and editing data processing, because the manager (SIA) is responsible for SIA Tīmekļa
the processing of personal data carried out on the website and the personal data processing conditions are determined directly by SIA
to how the website functions, what is published on it, etc., therefore directly to SIA, according to the Data
Article 24, paragraph 2 of the Regulation and Article 5, paragraph 2 of the Data Regulation, using various technical and
organizational measures, it is necessary to be able to transparently make changes to the Website, so that
prevent personal data processing activities that do not comply with the Data Regulation. One of the main ones
the manager's priorities are the availability of information to the manager himself. Thus, even if the owner does not
it is possible to edit a specific item on the Website because it is not available in the website archive,
the manager (SIA) is required to delete the specific item on the Website if the manager does not
it is possible to delete a specific item of the Website, it must then delete the specific Website
26 Letter of reply, sent on 6 February 2024 by ordinary post
27 are processed in such a way as to ensure adequate security of personal data, including protection against unauthorized access
or illegal processing and against accidental loss, destruction or damage using appropriate technical
or organizational measures ("integrity and confidentiality") 10
a collection of site publications that would contain, among other things, items from the Website
(Publications) that process [...] personal data. Anyway, the manager has to do everything possible,
using various technical and organizational measures to ensure Data Regulation
appropriate processing of personal data, including by deleting or editing Publications.
5.8.5. SIA explained in the Explanations that SIA concluded a contract with "Advailo" SIA, with which
technical changes are made that allow access to archived materials that after 3 (three) months
investment of work and significant financial resources, has managed to access the archived materials and
delete links to Publications. In compliance with the above, SIA asks to find the possibility of an administrative violation
close the case.
The official concludes that in the Decision SIA a specific deadline was set for both the execution of the Decision,
both for providing information to the Inspectorate about the execution of the Decision, but SIA as specified in the Decision
has not turned to the Inspection within the deadline and procedure, nor with information about what was imposed in the Decision
the initiation of execution of the order, nor with a request to extend the deadline for execution of the Decision, moreover,
In the Inspection report of February 19, 2024, it was established that both Publications were available
On the website, but in the inspection protocol of March 20, 2024, it was not possible to check SIA
Content posted on the website because the website was down. In addition, from SIA Patzerjumoos
from the information provided, it does not follow that SIA fulfilled the Request and informed [..] about
the action performed following the Request or for the reasons for not performing the action.
In view of the above, the Official concludes that there are no such circumstances that would serve as a basis
For termination of cases.
5.9. Checking the materials of the Case, evaluating the circumstances of the Case and the evidence in the Case,
The official finds that SIA carried out [..] personal data processing on SIA's website in violation
The provisions of Article 5, paragraph 1, subparagraphs a) and c) of the Data Regulation, as well as contrary to the Data Regulation
Article 12, paragraphs 1 - 5, after [..] Request received until this decision
at the time of acceptance, did not inform [..] about the actions carried out at the request of the data subject
in accordance with Article 17 of the Data Regulation, and also failed to fulfill the tasks assigned in the Decision in accordance with the Data Regulation
Article 58, Paragraph 2 and has not provided access to information in violation of Article 58 of the Data Regulation
Paragraph 1, thus committing the administrative offense for which it is intended to be committed
administrative responsibility in Article 83 paragraph 5 a), b) and e) of the Data Regulation.
5.10. The official finds that SIA is guilty of Article 83, Clause 5 a), b) and
in the commission of an administrative violation provided for in subsection e) is proven by the Report and so
attachments and other case materials.
6. Institutions (Officials) that examined the administrative violation case,
applicable penalty:
6.1. Subparagraphs a), b) and e) of Article 83, paragraph 5 of the Data Regulation provide that for processing
the basic principle, including the condition of consent, pursuant to Articles 5, 6, 7 and 9 of the Data Regulation
violations, violations of the rights of data subjects in accordance with Articles 12 - 22, monitoring
failure to comply with the authority's order and failure to provide access to information may be enforced
administrative fines of up to EUR 20,000,000 or, in the case of a company, up to 4%
of its total worldwide annual turnover in the preceding financial year, whichever is the case
the amount is greater.
Recital (148) of the preamble to the Data Regulation explains that in order to strengthen the Data Regulation
enforcement of the rules, in addition to appropriate measures applied by the supervisory authority in accordance with
The Data Regulation, or instead, for violations of the Data Regulation should be sanctioned, including
administrative fines. In the case of minor violations or if a fine, which could
would impose a disproportionate burden on a natural person, a reprimand may be issued instead of a fine. However
due consideration should be given to the nature, severity and duration of the violation, whether the violation was committed
intentional, actions taken to reduce the harm suffered, degree of responsibility or any respectively
previous violations, how the supervisory authority became aware of the violation, compliance
measures against the controller or processor, compliance with the code of conduct and any
other aggravating or mitigating circumstances. For imposing sanctions, including administrative fines 11
appropriate procedural guarantees should be applied in accordance with general Union rules
legal principles and the Charter, including effective judicial protection and due process.
6.2. Pursuant to Article 83(1) of the Data Regulation, the supervisory authority has an obligation
ensure that for the violations of the Data Regulation referred to in paragraphs 4, 5 and 6 in accordance with Data
the application of the administrative fines provided for in the regulations is effective in each specific case,
proportionate and dissuasive.
In accordance with Article 83, paragraph 2 of the Data Regulation, when deciding whether to apply the administrative
fine, and when making a decision on the amount of the administrative fine, in each case
case, the following elements are duly taken into account: a) the nature, severity and duration of the violation, taking
taking into account the relevant type, extent or purpose of data processing, as well as the number of affected data subjects and
the extent of the damage caused to them; b) whether the violation was committed intentionally or due to negligence;
c) any action by the controller or processor to mitigate the damage caused to the data subjects;
d) the level of responsibility of the controller or processor, taking into account technical and organizational aspects
the measures they implement in accordance with Articles 25 and 32; e) any relevant manager or
previous violations of the processor; (f) the degree of cooperation with the supervisory authority in order to compensate
violation and mitigate its possible adverse consequences; g) the categories of personal data
affected by the breach; h) the manner in which the supervisory authority became aware of the violation, in particular,
whether the controller or processor has reported a breach, and in such case – to what extent; (i) if
The measures mentioned in Clause 2 of Article 58 have already been directed against the same subject
the relevant manager or processor, how the mentioned measures have been fulfilled; j) approved actions
compliance with codes in accordance with Article 40 or compliance with approved certification mechanisms
in accordance with Article 42; and (k) any other aggravating or mitigating circumstance that may apply
the circumstances of the case, for example the financial benefits directly or indirectly derived from the violation or avoided
losses.
Article 13 of the AAL states that an administrative penalty is a means of influence that is
applied to the person who committed the administrative offense in order to protect public order,
justice would be restored, the offense would be punished, as well as the administrative offense would be deterred
the perpetrator and other persons from committing further administrative violations.
According to Article 14 of the AAL, the following penalties can be applied for an administrative violation:
warnings, fines, deprivation of rights and prohibition of exercising rights.
The second part of Article 19 of the AAL stipulates that the type and measure of the administrative penalty must be taken into account
the nature of the offense committed, the identity of the person to be held responsible (for a legal entity –
reputation), property status, circumstances of committing the offense, mitigating factors and
aggravating circumstances.
In accordance with Article 23 of the Data Law, the Inspectorate, adopting the provisions of Article 58 of the Data Law
decisions, regarding the imposition of a legal obligation, the Law on Administrative Procedure is applied and
with regard to administrative punishments – the record keeping (process) of administrative violations
regulatory acts, as far as the Data Law and the Data Regulation do not stipulate otherwise. Data regulations
the conditions regarding the application of the administrative fine and its amount differ from the AAL
to the included provisions, i.e. the Data Regulation determines otherwise in the relevant matter, therefore
When determining the amount of the fine, the official shall apply the provisions contained in the Data Regulation, and
accordingly, the penalty is applied according to the provisions of the Data Regulation.
6.3. When determining the penalty, the Official takes into account the nature, severity and duration of the violation, taking
taking into account the relevant type, extent or purpose of data processing, as well as the number of affected data subjects -
in the specific case, several types of processing specified in Article 5, Clause 1 of the Data Regulation can be found
violations of basic principles and data subject rights in accordance with Articles 12-22 of the Data Regulation, as well as
SIA has not ensured the execution of the order contained in the Decision, which SIA had to execute according to the Data
Article 58, paragraph 2, letter d) of the regulation, and did not provide information on the execution of the Decision,
thus in violation of Article 58(1)(e) of the Data Regulation, which corresponds to three of the Data Regulation
for administrative violations provided for in paragraph 5 of Article 83, which in essence continued and
were not reduced in more than a year and a half since [..] had sent SIA its Request, as 12
were also not completely eliminated within the scope of the Case. The official takes into account that in the committed
only one natural person is affected in the violation -[..]; whether the violation was committed intentionally or
due to carelessness - there is a sufficient basis to conclude that the violation was committed intentionally, because SIA is
aware of her actions, incl. inaction, unlawful nature, foresees its harmful consequences
and knowingly allowed these consequences to occur; any action by the controller or processor to mitigate
damage caused to data subjects – In the case, it has been established that the victim – [..], SIA's actions
resulted in non-material damage that was not prevented, mitigated or compensated; that
which category of personal data was affected by the violation - special categories of persons were not affected
data; manager's previous violations - SIA has not previously been administratively punished for this decision
committing the considered violation; the degree of cooperation with the supervisory authority - even if it is an SIA
cooperated with the Inspectorate, provided explanations in the Case, there were no violations until the Case was considered
prevented; the way in which the Inspection found out about the violation - upon receiving a Complaint from the victim [..];
any other aggravating or mitigating circumstance applicable to the circumstances of the case - SIA
The Official did not find extenuating circumstances, but an aggravating circumstance
The Official acknowledges that the unlawful conduct continues despite the Official's demand
end it.
In determining the amount of the fine, information from the Enterprise Register database was used, where 28
available information as of the date of this decision shows that the last one submitted by SIA
information on financial indicators, including annual turnover and profit of SIA, is indicated
in the 2022 report.
Considering that in the sense of the Data Regulation, the provisions of Article 83, Clause 5 of the Data Regulation
violations are considered material violations, as well as the circumstances found in the Case and
The conclusions drawn by the official, the official using the ones developed by the Inspectorate
Administra29vo the mechanism for determining the amount of fines for companies and individuals
persons, recognizes the violation committed by SIA as moderately serious, in accordance with Article 83 of the Data Regulation
The administrative fine provided for in the framework of the sanction of sub-paragraphs a), b) and e) of paragraph 5 is EUR
in the amount of 332.01 (three hundred and thirty-two euros and one cent).
6.4. At the same time, the Official assesses whether any additional charges are applicable to the particular Case
conditions or criteria not reflected in this tool. Also, the Official can take into account 30
Guidelines on the application of administrative penalties developed by the European Data Protection Board
(hereinafter – Guidelines for the Application of Administrative Penalties). The said guidelines stipulate that
determining the amount of the final penalty, incl. it should be taken into account whether several can be identified within one case
simultaneous violations. In cases where the violator is found to have violated several
legal provisions, separate fines may be applied.
The official concludes that in the specific case SIA has made several Data Regulations
violations and is responsible for the violation provided for in Article 83, paragraph 5, letter a), b) and e) of the Data Regulation
in committing an administrative offense, and this aspect must be taken into account to determine a higher end
punishment.
According to Article 83, paragraph 2, letter b) of the Data Regulation, it is necessary to take into account whether
the violation was committed intentionally or due to negligence. Although SIA has not previously been administratively fined,
The official, taking into account the evidence obtained in the Case, concludes that the administrative violation is
done on purpose. Namely, SIA deliberately did not react for almost two years and still does not react
neither to [..], as a data subject, the request for data deletion mentioned in the Request, nor to the Inspection
for several letters sent as part of the Inspection case, in which SIA was invited to comply
Inspections did not comply with the request and to stop illegal [..] data processing, even more so
Determined in the decision.
28 Available at: https://info.ur.gov.lv/#/legal-entity/40203120888
29 https://www.dvi.gov.lv/lv/media/289/download
30Guidelines 04/2022 on the calculation of administrative fines under the GDPR, Adopted on 24 May 2023
https://www.edpb.europa.eu/system/files/2024-
01/edpb_guidelines_042022_calculationofadministrativefines_lv_0.pdf 13
At the same time, in accordance with the guidelines for the application of administrative penalties after the sentence
mathematical calculation, it is possible to adjust the penalty by evaluating whether it reaches the Data in the regulation
the set goals of punishment - is effective, proportionate and dissuasive. The amount of the penalty must be determined
according to the context of the offense. Regarding the effectiveness of the penalty, it must be assessed whether it is
suitable to ensure the compliance of personal data processing with the Data Regulation and to punish the controller.
The principle of proportionality dictates that the appropriate penalty should not exceed what it is
necessary to achieve the goal. When assessing proportionality, the infringement must be viewed as a single offence
whole, focusing on the gravity of the offense as such. The officer concludes that
although the penalty is appropriate to punish the controller, it is not adequate to promote compliance with the Data
regulation, therefore, the fine needs to be adjusted.
In the specific case, the Official takes into account the fact that SIA has done several things, i.e. 3 (three)
Violation of Article 83, Clause 5 of the Data Regulation. Also, the Official takes into account the fact that
the violation is committed intentionally and not due to negligence, as well as the fact that the illegal behavior is
continued, despite the demands of the Inspectorate to terminate it.
6.5. In view of the above, the Official considers that the fine adjustment by applying the money
a fine of EUR 1000.00 (one thousand euro 00 cents) would be adequate to deter SIA from
for further violations of personal data processing.
Taking into account the above, based on Article 5, Part One, Clause 2 of the Data Law,
Article 23, Article 58(2)(i) of the Data Regulation, Article 14(1) of the AAL
Paragraph 2, Paragraph 4 of the second part of Article 41, Paragraph 4 of the first paragraph of Article 115, Paragraph 1 of Article 151
part 1, the second and third parts of Article 157, the first part of Article 166 and Article 168, Article 262,
Article 269, Official
decides:
recognize the Limited Liability Company "JK Media group" as guilty of Article 83 of the Data Regulation
in committing the administrative offense provided for in sub-paragraphs a), b) and e) of paragraph 5 and punish with
a fine of EUR 1000.00 (one thousand euros).
In accordance with Article 156 of the AAL, we inform and invite within a reasonable period of time - until 2024
April 15 – to eliminate the violations found in the Case by submitting the requested information to the Inspection
information in the scope and form determined by the Inspection.
The fine shall be paid in full no later than one month from this decision
effective date in any banking institution or after voluntary execution of the fine
at the end of the term, this decision will immediately be handed over to a jury for enforcement
to the performer.
Details for paying the fine:
Beneficiary: State Treasury
Registration No.: 90000050138
Account no.: LV69TREL1060191019200
Beneficiary BIC code: TRELLV22
Notes: Indicate the date and number of this decision.
According to the first paragraph of Article 166, as well as the first paragraph of Article 168 of the AAL, a person called
to administrative responsibility, this decision within ten working days from the announcement of the decision
days can be appealed to a higher official (Inspection Director) by submitting a complaint Data
for the state inspection at Elijas street 17, Riga, LV-1050.
31 The last day for submitting a response by mail or sending it with a secure electronic signature is 14
In accordance with Article 262 of the Law on Administrative Responsibility, the term specified in the decision
1 (one) month is set for voluntary execution of the fine in full
the decision has entered into legal force. The procedure for voluntary execution of the fine has been established
In Article 263 of the Law on Administrative Responsibility.
In the event that the fine is not voluntarily paid within the time limit specified in this decision, then
in accordance with the first part of Article 269 of the Law on Administrative Responsibility, the institution after a fine
at the end of the term of voluntary execution, the decision on the sentence is immediately transferred to compulsory execution
to a sworn bailiff.
Please note that, according to Article 568 of the Civil Procedure Law, the decision is voluntary
enforcement after the enforcement document has been submitted for enforcement will not relieve the obligation
reimburse the execution costs of the bailiff.
The fine applied in the process of the administrative violation will be reimbursed
procedural expenses and damages to natural resources can be paid on the portal www.latvija.lv,
using the e-service Administrative fines check and payment.
Officer T. Lashchenkova
