DVI (Latvia) - SIA “Lursoft IT”: Difference between revisions
Revision as of 11:22, 12 February 2021
DVI - SIA “Lursoft IT” | |
---|---|
Authority: | DVI (Latvia) |
Jurisdiction: | Latvia |
Relevant Law: | Article 5(1)(a) GDPR; Article 6(1)(c) GDPR; Article 6(1)(e) GDPR; Article 6(1)(f) GDPR; Article 6(3) GDPR; Article 5(1)(b) GDPR; Article 5(1)(c) GDPR; Section 132 Insolvency Law; Section 132(3) Insolvency Law; Section 4 of the Law on the Register of Enterprises of the Republic of Latvia |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 14.01.2021 |
Published: | 23.02.2021 |
Fine: | 65000 EUR |
Parties: | SIA “Lursoft IT” |
National Case Number/Name: | SIA “Lursoft IT” |
European Case Law Identifier: | n/a |
Appeal: | Pending appeal |
Original Language(s): | Latvian |
Original Source: | Datu valsts inspekcija (in LV) |
Initial Contributor: | n/a |
The Latvian DPA (Datu valsts inspekcija) imposed a fine of €65,000 on SIA “Lursoft IT” for breaching Articles 5(1)(a), (b), (c) and 6(1) GDPR. Lursoft published personal data from the "Insolvency Register" as well as personal data that is to be submitted to the "Register of Enterprises" on its website.
English Summary
Facts
SIA “Lursoft IT” (Lursoft; the controller) processed personal data on its website (lursoft.lv) by (1) publishing information from the "Insolvency Register" which relates to a data subject although it had been more than a year since the termination of the insolvency proceedings concerned. Lursoft also (2) published data that is to be submitted to the "Register of Enterprises" (including non-public data such as the number of registration of legal entities and legal facts).
Dispute
Was the publication on a website of personal data from the "Insolvency Register", as well as personal data that is to be submitted to the "Register of Enterprises", in breach of Articles 5(1)(a), (b), (c) and 6(1) of the GDPR?
Holding
(1) Information from the "Insolvency Register"
The Latvian DPA (Datu valsts inspekcija) considered Section 132(3) of the Latvian Insolvency Law, which states that information relating to natural persons involved in insolvency proceedings shall be made public in the Insolvency Register, including up to 1 year after the termination of an insolvency proceeding. Therefore, there was a violation of the law on the basis that the insolvency proceeding concerning the data subject had been terminated for more than one year. The DPA reiterated that Section 132(3) targets the responsible institution for the Register of Enterprises, but that although Lursoft is not the responsible institution, the Section of the law still applies to it. Information on an insolvency proceeding cannot be published if the proceeding ended over a year ago.
The Latvian DPA also held that the controller must have an appropriate legal basis for processing personal data under Article 5(1)(a) GDPR. Lursoft claimed to have such a legal basis under Article 6(1)(c) GDPR. However, this was rejected by the Latvian DPA, which stated that for Article 6(1)(c) to apply, the obligation must be stipulated in law, and not just in a contract. The DPA clarified that a legal obligation under Article 6(1)(c) GDPR must be clearly stated in the legal provision.
The DPA also held that Section 4 of the Law on the Register of Enterprises of the Republic of Latvia regulated the right of persons to use information on the Enterprise Register. Paragraph 2 of that Section states that everyone has the right to request and receive information kept in the Register of Enterprises. However, the DPA clarified that this right to access and request the information does not give Lursoft the right to publish this information on its website. Therefore, Lursoft failed in claiming that there was a legal basis for processing the data under Article 6(1)(c) GDPR.
The Latvian DPA also held that Article 6(1)(e) GDPR could not be relied upon as a legal basis, despite Lursoft's arguments. The DPA clarified that Article 6(1)(e) is a valid legal basis if "processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller". Such tasks would be conferred by Union or Member State law as per Article 6(3) GDPR. The DPA went on to outline that Article 6(1)(e) can only be relied upon in two situations: (1) if the controller has a formal mandate or carries out the processing because it is necessary in connection with a task in the public interest or (2) where the controller, despite having no official authority, is required to disclose the data to a third party who has such powers. This formal mandate or task in the public interest will be specified in a legal instrument. The DPA clarified that there is no official obligation imposed on SIA “Lursoft IT” to publish information regarding the historical insolvency proceedings of a data subject as a result of Section 132 of the Insolvency Law mentioned above.
Therefore, the DPA held that Articles 6(1)(c) and (e) GDPR were not valid legal bases for the data processing conducted by Lursoft.
(2) Information on the "Register of Enterprises"
The DPA outlined that Lursoft received information, including non-public data, from the Register of Enterprises on the basis of an agreement concluded between the two. The information provided was limited and it was stipulated in the agreement that sharing the information with third parties was not authorised. The DPA also held that Lursoft could not re-use the information provided and that the legal basis for the publication within the Data Regulation [comment: automated translation is unclear, this presumably refers to the GDPR] expired. Therefore, Lursoft could not publish these documents and continuing to process that personal data without a legal basis was unlawful. The DPA clarified that Article 6(1)(e) could not be considered a valid basis, as argued by Lursoft, as there was no legal instrument permitting the publication of the information.
The Latvian DPA also held that Lursoft could not rely on Article 6(1)(f) GDPR. The DPA clarified that a legitimate interest must be "legitimate - implemented in a way which complies with data protection and other legislation" (i.e. it must be a legitimate interest acceptable under the law). The DPA concluded that the legislation in this sector precluded the publication of non-public data sent to Lursoft. There was therefore no legitimate interest.
Various other arguments put forward by Lursoft under the Latvian Commercial Law, Section 4 of the Latvian Law on the Register of Enterprises of the Republic of Latvia, the Latvian National Sanctions Law and Section 26 of the Latvian Proceeds of Crime Act were rejected by the DPA as unfounded.
The DPA then went on to confirm that there was no legal basis for processing (publishing) the non-public information on the "Register of Enterprises" under Articles 6(1)(e) and (f) GDPR. It went on to add that this entailed a breach of Articles 5(1)(a), (b) and (c) of the GDPR.
Outcome
Finally, the DPA imposed a fine of €65,000 on Lursoft for breaching Article 5(1)(a), 5(1)(b), 5(1)(c) and 6(1) GDPR. Lursoft has since appealed the decision, meaning the fine is not final.
English Machine Translation of the Decision
The decision below is a machine translation of the Latvian original. Please refer to the Latvian original for more details.
EXTRACT
Blaumaņa Street 11 / 13-15, Riga, LV-1011, tel. 67223131, fax 67223556, e-mail info@dvi.gov.lv, www.dvi.gov.lv
SIA “Lursoft IT” Matisa Street 8 Riga, LV-1001 […]
In case no. […]
Decision
In Riga, the date can be seen on the time stamp no. […]
[1] On 23 November 2020, the State Data Inspectorate adopted Decision no. […] About soda (hereinafter - the contested decision) in administrative infringement case no. […] ('the Case'), recognizing the registration of Lursoft IT, a limited liability company number 40003170000, legal address Matīsa Street 8, Riga (hereinafter - SIA “Lursoft IT”) guilty of Article 83 of the General Data Protection Regulation (hereinafter referred to as the Data Regulation) For the administrative offense provided for in paragraph 5 (a) and to be fined a fine of EUR 65,000 (sixty-five thousand euros). The contested decision SIA “Lursoft IT” notified on 30 November 2020 by sending the contested decision by registered post.
[2] The contested decision finds the following circumstances and is based on the following considerations:
[2.1.] SIA “Lursoft IT” has processed personal data on the website lursoft.lv, by publishing 1) what is to be submitted to the Register of Enterprises in the section “Documents” of the Enterprise Database personal data included in the non-public part of the registration of legal entities and legal facts registration and other documents containing; 2) Insolvency Register database information on historical insolvency proceedings of a natural person for more than one year after the entry on the dates of termination of the insolvency proceedings of a natural person. According to Article 4 (7) of the Data Regulation, the adequacy of the processing of personal data is responsible manager. According to the privacy policy of SIA “Lursoft IT” information system holder and the manager is SIA “Lursoft IT”.
SIA "Lursoft IT" is responsible for personal data processing ensuring compliance with the regulatory framework on the website lursoft.lv. Thus, Ltd. Lursoft IT, as the controller of personal data processing, had to be provided, inter alia, by the Data Regulation The consequent requirement under Article 5 (1) (a) to verify that the personal data there is a legal basis for the processing, the principle of de minimis deriving from points (b) and (c), and The principle of accountability contained in Article 5 (2) of the Data Regulation.
[Footnote 1] Regulation No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation)
[2.2.] On the website of SIA “Lursoft IT” lursoft.lv in the Insolvency Register database, on the contrary information and documents regarding natural persons have been inserted in the data processing regulatory enactments historical insolvency proceedings for which a record of a natural person termination of the insolvency proceedings was made more than one year ago.
[2.2.1.] According to Section 132, Paragraph three of the Insolvency Law, natural persons the information entered in the insolvency proceedings file shall be made public in the insolvency register by natural persons during the insolvency proceedings, as well as one year after the entry of a natural person the date of termination of the insolvency proceedings. It is therefore inadmissible to record them disclosure, for which an entry regarding the termination of the insolvency proceedings of a natural person done more than one year ago.
[2.2.2.]
The reference of SIA “Lursoft IT” to the Data State Inspectorate of 2018 is unfounded The information provided on November 26, from which SIA “Lursoft IT” has concluded that Insolvency The obligation set out in the third paragraph of Article 132 applies only to the responsible authority - the Company register. In the said reference, the Data State Inspectorate has explained that the Insolvency Law The legal norm included in the third paragraph of Article 132 is addressed to the Register of Enterprises, which is responsible the institution shall enter in the insolvency register regarding the insolvency proceedings of a natural person information specified by law. Considering that SIA “Lursoft IT” is not considered to be the responsible institution, it is not the addressee of Section 132, Paragraph three of the Insolvency Procedure Law. At the same time does not mean that SIA “Lursoft IT” is not bound by other legal norms, including from the Insolvency the conclusion arising from Section 132 of the Law that the entries in the insolvency register are not restricted the status of the availability information, as long as their public availability is determined by the Insolvency the law. The purpose of this provision is to determine that the data on the insolvency proceedings of a natural person one year after the entry of the termination of the proceedings is no longer freely available unrestricted thus ensuring the right of a natural person to the protection of his or her personal data. The regulation of Section 132, Paragraph three of the Insolvency Law is applicable to everyone insolvency proceedings of natural persons - both those terminated before the entry into force of the norm August 1, 2018, and thereafter. 
Although the third part of Section 132 of the Insolvency Law the norm determines the term for publication of information in the insolvency register, however, it should not be translated narrowly, ie giving rise to the presumption that the dissemination and publication of these data elsewhere after the term specified in the said norm is not limited to any term. Purpose of that provision would not be achievable if the re-users of the information in the Register of Enterprises continued to physically dissemination of data on insolvency proceedings terminated by persons also in accordance with the Insolvency Law The time limit referred to in the third paragraph of Article 132.
[2.3.] In accordance with Article 5 (1) (a) of the Data Regulation for the controller the processing of personal data must have an appropriate legal basis.
[2.3.1.] Regarding SIA “Lursoft IT” on the website lursoft.lv Insolvency database posted information and documents on the historical insolvency of a natural person processes for which an entry has been made regarding the termination of the insolvency proceedings of a natural person the following was established more than one year ago.
[2.3.2.] In the contested decision it is established that SIA “Lursoft IT” is a reference to the Data Regulation The legal basis for the processing of personal data referred to in Article 6 (1) (c) is unfounded. Article 6 (1) (c) of the Data Regulation provides the legal basis in circumstances where the processing is necessary for compliance with a legal obligation to which the controller is subject. Article 6 (3) of the Data Regulation, on the other hand, provides that this basis for processing shall be determined by a European law Union law or the law of a Member State applicable to the controller. In the said the legal basis also defines the purpose of the processing of personal data.
Recital 45 of the Data Regulation clarifies that where processing is carried out in accordance with a legal obligation incumbent on the controller, the basis for processing should be laid down in Union or national law. Also the purpose of the processing should be laid down in Union or national law. Thus, in order for Article 6 (1) (c) of the Data Regulation to apply, these obligations must be laid down in law and not, for example, in contractual obligations. Personal data the processor must not have a margin of discretion as regards compliance with the obligations. Subject to the above, Data Article 6 (1) (c) shall not apply to voluntary unilateral relations; and public - private partnerships in which more data are processed than required by the law provides for a legal obligation to process personal data. In addition, the legal obligations themselves must be sufficiently clear as to the processing of personal data which they provide for. Namely, to refer to Article 6 (1) (c) of the Data Regulation must be clearly stated in the legal provisions the type and object of processing. 16 SIA “Lursoft” IT reference to the law “On the Register of Enterprises of the Republic of Latvia” 2. and Article 4 as the legal basis for the disclosure of information on historical natural persons insolvency proceedings for more than one year after the entry of a natural person the date of termination of the insolvency process on the website of SIA “Lursoft IT” lursoft.lv The insolvency register database is unfounded. 16 According to Article 2 of the Law “On the Register of Enterprises of the Republic of Latvia” the insolvency register in accordance with this Law, the Insolvency Law and other regulatory enactments the Register of Enterprises. Article 4 of the Law “On the Register of Enterprises of the Republic of Latvia” regulates the rights of persons to use the information of the Enterprise Register. 
The second paragraph of that article states that everyone has the right to request and receive information from the registers kept by the Register of Enterprises, observing restrictions specified in regulatory enactments. The above-mentioned norms of the Law “On the Register of Enterprises of the Republic of Latvia” are legal the obligation of the Register of Enterprises to process personal data, as well as the right of persons to access this information. These legal norms do not provide for the rights or obligations of SIA “Lursoft IT” to publish information on historical insolvency proceedings of a natural person. Thus, these legal norms are general and not the legal basis for the processing of personal data forming. The contested decision also does not establish any other legal norms that SIA “Lursoft IT” create a legal obligation to publish information on historical individuals insolvency proceedings. Therefore, SIA “Lursoft IT” reference to Article 6 of the Data Regulation Paragraph 1 (c) for information on historical natural persons publication of insolvency proceedings for more than one year after the entry of a natural person the date of termination of the insolvency process on the website of SIA “Lursoft IT” lursoft.lv The insolvency register database is unfounded.
[2.3.3.] In the contested decision it is established that SIA “Lursoft IT” is a reference to the Data Regulation The legal basis for the processing of personal data referred to in Article 6 (1) (e) is unfounded. Article 6 (1) (e) of the Data Regulation provides that processing is permissible if processing is necessary for the performance of a task carried out in the public interest or in the exercise of a controller legally conferred official authority. Article 6 (3) of the Data Regulation provides that those grounds for processing shall be determined by European Union law or the law of a Member State applicable to the controller.
That legal basis also defines personal data the purpose of the processing or, in the case of Article 6 (1) (e) of the Data Regulation processing - it is necessary for the performance of a task carried out in the public interest or in the exercise of a right official powers legally conferred on the controller. Recital 45 of the Data Regulation explains that in the case of processing necessary for the performance of a task carried out in the public interest, or in the exercise of its official powers, the basis for processing should be determined by the Union or by Article 4 under the law of a Member State. The purpose of the processing should also be specified by the Union or under the law of a Member State. Union or national law should also specify whether: a controller performing a task carried out in the public interest or in the exercise of official authority, should be a public authority or other natural or legal person governed by public law or if it is in the public interest, including for health purposes, such as the public health, social protection and the management of health services - private law entity, such as a professional association. It follows from those provisions that Article 6 (1) (e) of the Data Regulation is applicable to two situations. First, it applies to cases where the same person who processes personal data, has a formal mandate or carries out an exercise in the public interest task and when the processing is necessary for the exercise of that power or the performance of that task. Secondly, this provision could be applicable in cases where the person carrying out the personal data processing, has no formal authority, but is required to disclose the data to a third party who has such powers. It is important to emphasize that this formal mandate or task will be in the public interest specified by regulatory enactments.
[2.3.4.]
In the contested decision it is established that SIA “Lursoft IT” refers to the Data Regulation Persons referred to in Article 23 and Article 26 of the Personal Data Processing Law processing is unjustified. Article 23 of the Data Regulation and Article 26 of the Personal Data Processing Law define the data restrictions on the rights of data subjects and their scope, rather than legal bases for the processing of personal data, which are set out exclusively in Article 6 (1) of the Data Regulation.
[2.3.5.] In the Contested Decision it is established that the reference of SIA “Lursoft IT” to the Insolvency the legal basis for the processing of personal data specified in Section 132 of the Law is unfounded. Article 132 of the Insolvency Law regulates the insolvency proceedings of a natural person publicity, the first part of which shall specify the information to be entered by the responsible authority in the event of insolvency in the register regarding the insolvency proceedings of a natural person. Article 132 of the Insolvency Law the second subparagraph provides that this information may also be published in other registers, information systems or databases, the third part stipulates that the information shall be made public in the insolvency register of natural persons during the insolvency proceedings, as well as one year after the entry of a natural person the dates of termination of the insolvency proceedings, while the fourth part determines the message shelf life. It does not follow from Article 132 of the Insolvency Law that SIA “Lursoft IT” has an obligation or official the power to publish information regarding the historical insolvency proceedings of a natural person for more than one year after the entry regarding the termination of the insolvency proceedings of a natural person dates of commission.
Namely, the mentioned legal norm does not provide for any kind of others with data processing related obligations, including historical information on the natural person to the re-user transfer insolvency proceedings to third parties.
[2.3.6.] SIA “Lursoft IT” has unreasonably referred to the term of personal data storage, which provides that records of a natural person may be kept for five years from the date on which the debt was paid the debt obligation has ended, thus SIA “Lursoft IT” has a legal basis to reflect information regarding the insolvency proceedings registered for a natural person, if since the making of the entry 5 years have passed in the insolvency register for the termination of insolvency proceedings. SIA “Lursoft IT” points out that when determining the term, it has evaluated not only the Insolvency Law norms, but also other regulatory enactments, and has applied the principle of analogy with Consumer Law protection law, the Credit Information Bureau Law, the Credit Register Law, Credit risk management regulations and other legislation from which the data for default shall be kept for five years from the date of payment of the debt or from the date on which: the debt obligation has expired on another legal basis, thus also providing for the disclosure of this information term - 5 years. The contested decision finds that there is no apparent analogy in the present case because the case in question is governed by a rule of law in force, namely the Section 132, Paragraph three of the Insolvency Law, which clearly refers to natural persons the duration of the publicity of the insolvency proceedings. Thus, SIA Lursoft IT had no basis apply other provisions which are not relevant to the case.
[2.4.] No 2.3.
It follows from the analysis in paragraph 1 that the legal basis for personal data publication cannot be Article 6 (1) (c) and (e) of the Data Regulation, as it is not enshrined in the relevant legal norms - the Law on the “Register of Enterprises of the Republic of Latvia” 16 10 Article 2, second paragraph of Article 4. This legal basis cannot be covered by the Data Regulation Article 23, Section 132, Paragraph one of the Insolvency Law, Personal Data Processing Law Article 26, as well as agreements concluded between SIA “Lursoft IT” and the Register of Enterprises.
[2.5.] SIA “Lursoft IT” on its website lursoft.lv in the Enterprise Database section “Documents” has published the legal entity and legal fact to be submitted to the Register of Enterprises registrations and other personal data included in the non-public part of the registration file documents (in documentary form).
[2.5.1.] In the contested decision, the law “On Latvia 10 15 Article 4, Eleventh Part, Article 4, Paragraph one, Clause 3 Point (a) and the fourth paragraph of Article 4 Documents in the register file that are included in the public part of the registration file (in the Commercial Register) are exhaustively defined in Article 4 of the Law “On the Register of Enterprises of the Republic of Latvia” point (a) of the first subparagraph of Article 15 Section 4, Paragraph four of the Law “On the Register of Enterprises of the Republic of Latvia” provides that that the information and documents included in the non-public part of the registration file are of limited availability information. The information and documents of the non-public part of private registration files are requested Requests for restricted access to information specified in the Law on Information Transparency in order.
10 Section 4, Paragraph eleven of the Law “On the Register of Enterprises of the Republic of Latvia” stipulates that the recipient of information in the register kept by the Register of Enterprises shall not have the right to re-use documents included in the non-public part of the file of registration of legal entities and legal facts.
[2.5.2.] SIA “Lursoft IT” received information from the Register of Enterprises on the basis of the agreement concluded on 1 August 2018 between the Register of Enterprises and SIA Lursoft IT. Clause 1 of the said agreement stipulates that the Register of Enterprises grants SIA “Lursoft IT” for the non-exclusive and non-transferable right to receive the Company the remuneration specified in the agreement information created in the process of registration of legal entities and legal facts at the disposal of the register, including for re-use for commercial and non-commercial purposes. Amount of information and the framework is specified in regulatory enactments regarding the issuance of information from the Register of Enterprises. In accordance with of the contract 3.1. and 3.2. The Register of Enterprises shall transfer the information to SIA Lursoft IT in accordance with the procedures and to the extent provided for in regulatory enactments. Information may contain limited information availability information. SIA “Lursoft IT” uses restricted information in accordance with the requirements of regulatory enactments. SIA "Lursoft IT" confirms that will not transfer limited availability information to third parties.
[2.5.3.] Statement of SIA “Lursoft IT” that it does not have registration in the Register of Enterprises the document of the non-public part of the case shall be deemed unfounded.
SIA “Lursoft IT” substantiates the said statement with the argument that it has from Existing documents for business register registration files received by 2018 August 1, while for the period from August 1, 2018, d15 documents are received, which in accordance with Section 4, Paragraph one of the Law “On the Register of Enterprises of the Republic of Latvia” Paragraph 3 are included in the public part. Thus, SIA “Lursoft IT” has not been transferred and, consequently, could not and did not process the documents of the Register of Enterprises, which in accordance with the law “On Register of Enterprises of the Republic of Latvia” (in the wording in force as of January 7, 2020) considered as non-public documents. The specific legal norm does not have retroactive force. In the contested decision, in response to the arguments of SIA “Lursoft IT”, it was established that despite to the fact that until January 7, 2020 SIA “Lursoft IT” was entitled to process personal data documents on the basis of the Law “On the Register of Enterprises of the Republic of Latvia” 10 Section 4, Paragraph two, with the entry into force on January 7, 2010 of the Law “On the Republic of Latvia Register of Enterprises” in the wording of the second paragraph of Article 4, which stipulates that the Register shall be kept by the Register the recipient of the information does not have the right to re-use the documents to be included in the right holder and in the non-public part of the legal fact registration file, SIA “Lursoft IT” such personal data The legal basis for the publication within the meaning of the Data Regulation expired, thus preventing SIA “Lursoft IT” to publish documents (including historical ones) to be included in the legal entity and legal fact in the non-public part of the registration file and contains the data of identifiable natural persons.
To continue the processing of personal data, including publication if it has lost its legal basis, in accordance with the person regulatory enactments regulating data processing is not permitted.
[2.6.] Regarding the legal basis for the processing of personal data, the website of SIA “Lursoft IT” on the website lursoft.lv in the section “Documents” of the Enterprise Database by publishing it to the Register of Enterprises to be submitted and in the non-public part of the case of registration of legal entities and legal facts registration and other documents containing personal data (in documentary form), the contested decision finds the following.
[2.6.1.] The reference of SIA “Lursoft IT” to Article 6 (1) “e” of the Data Regulation is unfounded. as the legal basis for the processing of data. As Article 6 (1) (e) of the Data Regulation provides the legal basis for the processing of personal data 2.3.3. in the circumstances referred to in subparagraph, and no regulatory enactment provides for the right of SIA “Lursoft IT” to publish the rights and rights to be submitted to the Register of Enterprises the personal data included in the non-public part of the registration file of subjects and legal facts registration and other documents (in documentary form), Article 6 (1) of the Data Regulation Subparagraph (e) does not apply.
[2.6.2.] The reference of SIA “Lursoft IT” to Article 6 (1) (f) of the Data Regulation is considered unfounded. Article 6 (1) (f) of the Data Regulation provides the legal basis for personal data processing in circumstances where processing is necessary in the legitimate interests of the controller or of a third party unless the interests or fundamental rights and freedoms of the data subject necessary protection of personal data take precedence over such interests.
For Article 6 (1) (f) of the Data Regulation to be the legal basis for the processing of personal data, the legitimate interests of the controller or of the third party must, inter alia, be balanced with the fundamental rights and freedoms of the data subject. Legitimate interests mean, among other things, that they must be legitimate, that is, implemented in a way which complies with data protection and other legislation. In other words, there must be a legitimate interest acceptable under the law. The contested decision finds that the legal norms preclude the publication of registration and other documents (in documentary form) that are submitted to the Register of Enterprises, are included in the non-public part of the registration files of legal entities and legal facts, and contain personal data. In view of the above, Article 6 (1) (f) of the Data Regulation cannot be considered the legal basis for the processing of personal data performed by SIA “Lursoft IT”.

[2.6.3.] On the basis of paragraph 2.3.4., the reference of SIA “Lursoft IT” to Article 23 of the Data Regulation as the legal basis for data processing is unfounded.

[2.6.4.] SIA “Lursoft IT” unreasonably claims that it has the legal basis for the disclosure of information set out in Article 1 (5) and Article 4 of the Freedom of Information Act. Section 1 (5) of the Freedom of Information Act states that re-use is the use of information in the public domain held by an institution for commercial purposes, or for a non-commercial purpose other than the original purpose for which the information was created, by an individual who uses the information at the disposal of the institution without performing public administration tasks. In turn, Article 4 of the Law on Information Disclosure provides that generally available information is information that is not classified as restricted information. Thus, the regulation clearly states that re-use is allowed only for information in the public domain.
Also, the eleventh paragraph of Article 4.10 of the Law “On the Register of Enterprises of the Republic of Latvia” clearly states that the recipient of information from the registers kept by the Register of Enterprises has no right to re-use the documents included in the non-public part of the registration files of legal entities and legal facts. In view of the above, SIA “Lursoft IT” is not entitled, on the basis of Article 1 (5) and Article 4 of the Information Transparency Law, to publish registration and other documents (in documentary form) that are submitted to the Register of Enterprises, are included in the non-public part of the registration files of legal entities and legal facts, and contain personal data.

[2.6.5.] The reference of SIA “Lursoft IT” to Section 7, Paragraph one of the Commercial Law as the prescribed legal basis for the disclosure of information is not substantiated. The first part of Article 7 of the Commercial Law stipulates that everyone has the right to get acquainted with commercial register entries and documents submitted to the commercial register authority. In turn, the second paragraph of that article provides that everyone has the right to receive, upon written request, information regarding the entries in the commercial register, and extracts and copies of the documents in the registration file of the merchant, in paper or electronic form. Pursuant to Section 6, Paragraph two of the Commercial Law, the commercial register is maintained by an institution authorized by law, the commercial register institution. Article 2.7 of the Law “On the Register of Enterprises of the Republic of Latvia” stipulates that the Commercial Register shall be maintained by the Register of Enterprises. Taking into account that SIA “Lursoft IT” is not considered to be a commercial register institution, it shall not be deemed to be the addressee of the legal norm included in Section 7, Paragraph one of the Commercial Law.

[2.6.6.]
SIA “Lursoft IT” unreasonably refers to the second paragraph of Article 4 of the Law “On the Register of Enterprises of the Republic of Latvia”, which was in force until 7 January 2020, as the legal basis for the processing of personal data. The second part of Article 4 of the Law “On the Register of Enterprises of the Republic of Latvia”, which was in force until 7 January 2020, provided that everyone has the right, by submitting a relevant written submission to the Register of Enterprises, to request and receive information from the registers, including information for re-use for commercial and non-commercial purposes. The information shall be provided, used and processed in compliance with the restrictions laid down in regulatory enactments regarding the openness of information and the data protection of natural persons, and in accordance with regulatory enactments on the registration of legal entities and legal facts in the Register of Enterprises. Although until 7 January 2020 that provision did not impose any restrictions on re-using the documents received from the Register of Enterprises, these restrictions came into force and became binding on SIA “Lursoft IT” with the adoption of the currently valid second paragraph of Article 4 of the Law “On the Register of Enterprises of the Republic of Latvia”. Continuing the processing of personal data, including publication, once it has lost its legal basis is not permissible under the regulatory enactments governing the processing of personal data.

[2.6.7.] SIA “Lursoft IT” unreasonably refers to a legal basis specified in the Law on International Sanctions and National Sanctions of the Republic of Latvia for publishing registration and other documents (in documentary form) that are submitted to the Register of Enterprises, are included in the non-public part of the registration files of legal entities and legal facts, and contain personal data. SIA “Lursoft IT” has not indicated a specific legal norm that would allow the disclosure of these documents, and the Data State Inspectorate has no information on the existence of such a legal norm.
[2.6.8.] The reference of SIA “Lursoft IT” to the Law on the Prevention of Money Laundering and the Financing of Terrorism and Proliferation (hereinafter - the Criminal Proceeds Act) is not substantiated. Section 26 of the Proceeds of Crime Act determines the cases in which a subject of the law is entitled to perform simplified customer due diligence. SIA “Lursoft IT” is not a subject of the Criminal Proceeds Act, and the Act does not give SIA “Lursoft IT” the right to publish registration and other documents (in documentary form) that are submitted to the Register of Enterprises, are included in the non-public part of the registration files of legal entities and legal facts, and contain personal data. The disclosure of such documents in the interests of the subjects of the law is also unfounded, because the subjects of the law are provided with a legal basis and mechanism for obtaining information for the performance of their duties. SIA “Lursoft IT” unreasonably refers to the guidelines of the supervisory authorities and recommendations of a recommendatory nature. The information contained in these documents cannot be interpreted as a call to conduct customer due diligence in violation of regulatory enactments.

[2.7.] The analysis carried out in point 2.6. shows that the legal basis for the publication of personal data cannot be Article 6 (1) (e) and (f) of the Data Regulation, as it is not enshrined in the relevant legal provisions: Article 1 (5) and Article 4 of the Law on Freedom of Information; Section 7, Paragraph one of the Commercial Law; the second paragraph of Article 4 of the Law “On the Register of Enterprises of the Republic of Latvia” in the version in force until 7 January 2020; the Law on International Sanctions and National Sanctions of the Republic of Latvia; Section 26 of the Proceeds of Crime Law; Article 23 of the Data Regulation; as well as the contracts concluded between SIA “Lursoft IT” and the Register of Enterprises.
Article 6 (1) (f) of the Data Regulation cannot justify the processing of personal data which is prohibited by law.

[2.8.] In view of the above, the contested decision finds that SIA “Lursoft IT”, by publishing in the “Documents” section of the Enterprise Database on its website lursoft.lv documents of the Register of Enterprises that contain personal data and are not mentioned in Article 4 of the Law “On the Register of Enterprises of the Republic of Latvia”, as well as by publishing in the Insolvency Register database on its website lursoft.lv information on insolvency proceedings for more than one year after the recorded date of termination of the insolvency proceedings of a natural person, has processed personal data in breach of the principles of personal data processing in Article 5 (1) (a), (b) and (c) of the Data Regulation and without a legal basis, thus violating the requirements for the processing of personal data set out in Article 6 (1) of the Data Regulation.

[2.9.] The contested decision establishes that SIA “Lursoft IT”, contrary to the instructions received from the Data State Inspectorate, did not terminate or restrict publication for the period until it is ascertained whether the processing complies with the normative regulation. Where there are doubts about the possible non-compliance of personal data processing with the normative regulation, SIA “Lursoft IT” should have acted accordingly, which was not done despite the indications from the Data State Inspectorate and the Register of Enterprises regarding the possible non-compliance of the data processing with the Data Regulation.

[2.10.]
Based on Section 5, Paragraph one and Article 23 (2) of the Personal Data Processing Law, Article 58 (2) (d) of the Data Regulation, and Section 115, Paragraph one, Clause 4, Section 151, Paragraph one, Clause 1, Article 156, the second and third paragraphs of Article 157, the first paragraph of Article 166, Article 168, Article 262 and Article 269 of the Administrative Liability Law, it was decided:

1. to find SIA “Lursoft IT” guilty of committing the violation provided for in Article 83 (5) (a) of the Data Regulation and to impose a fine of EUR 65 000 (sixty five thousand euros);

2. to oblige SIA “Lursoft IT” to bring its processing operations into compliance, by 15 December 2020, with the provisions of Article 5 (a), (b), (c) and Article 6 (1) of the Data Regulation, namely to ensure the lawful, fair and appropriate processing of personal data by terminating the processing (publication) of the personal data referred to in the contested decision, the processing of which has lost its legal basis.

[3.] On 15 December 2020, SIA “Lursoft IT” submitted a complaint to the State Data Inspectorate (hereinafter - the appeal), requesting the annulment of the contested decision and the termination of the administrative infringement proceedings in the case. The Data State Inspectorate finds that the appeal was submitted within the term specified in Section 168, Paragraph one of the Administrative Liability Law and is therefore admissible for consideration.

[4.] The statement of opposition states that SIA “Lursoft IT” publishes only publicly available documents and does so on a legal basis, in the interests of the subjects of the Proceeds of Crime Act and in other public interests:

[4.1.1.] The appeal submission expresses the opinion that neither the contested decision nor the case materials explain for which categories of personal data the violation has been established. Taking into account that the application of the Law “On the Register of Enterprises of the Republic of Latvia” is not within the competence of the Data State Inspectorate, the case must be about personal data.
The Director of the Data State Inspectorate (hereinafter - the Director) finds that the contested decision contains an explanation of the personal data the processing of which is considered unlawful, as no legal basis referred to in Article 6 of the Data Regulation is available for this processing. The personal data whose processing is not permitted are set out in the contested decision and are reflected in point 2.5.1. of this decision, and the Director agrees with this analysis. Namely, the documents that are included in the public part of the registration file (in the commercial register) are exhaustively specified in Article 4.15, Paragraph one, Clause 3, Subparagraph “a” of the Law “On the Register of Enterprises of the Republic of Latvia”. These are the articles of association; annual reports and other reporting documents received for publication in the Register of Enterprises; divisions of the register of participants; agreements (decisions) on establishment; share capital reduction regulations, share capital increase regulations and reorganization agreements; confirmations regarding the registration of a foreign merchant in the relevant state; the founding agreements of a foreign merchant or equivalent documents; amendments to the aforementioned documents; and court rulings on the dissolution of the company. At the same time, the second part of Article 4.15 of the Law “On the Register of Enterprises of the Republic of Latvia” provides that the documents and information in the registration file which are not specified in Paragraph one of this Section shall be included in the non-public part of the registration file, while the fourth paragraph of that article provides that the information and documents included in the non-public part of the registration file are restricted access information.
Taking into account that SIA “Lursoft IT” has published, in the “Documents” section of the company database on its website lursoft.lv, registration and other documents that are submitted to the Register of Enterprises, are included in the non-public part of the registration files of legal entities and legal facts, contain personal data, and go beyond the set of documents specified in Section 4.15, Paragraph one of the Law “On the Register of Enterprises of the Republic of Latvia”, the unlawful processing of data established in the contested decision refers to the personal data included in these documents, that is, the documents included in the non-public part of the register. That finding is also correctly reflected in the contested decision, which states that the penalty is imposed for the activities performed by SIA “Lursoft IT” with personal data when publishing, in the “Documents” section of the Enterprise Database on its website lursoft.lv, registration and other documents (in documentary form) that are submitted to the Register of Enterprises, are included in the non-public part of the registration files of legal entities and legal facts, and contain personal data (for example, name, surname, personal identification code).

[4.1.2.] The statement of opposition indicates that the official has not been able to identify the specific processing operations for which it wishes to impose a penalty. As indicated in section 4.1.1. of this decision, the contested decision finds a violation in the data processing performed by SIA “Lursoft IT” when publishing, in the “Documents” section of the company database on the website lursoft.lv, registration and other documents (in documentary form) that are submitted to the Register of Enterprises, are included in the non-public part of the registration files of legal entities and legal facts, and contain personal data.
Although the contested decision also assesses the lawfulness of SIA “Lursoft IT” receiving personal data from the Register of Enterprises, this is not decisive in this case, since the violation is established for a specific personal data processing activity: the publication of personal data.

[4.1.3.] SIA “Lursoft IT” indicates in the contest submission that the official has not substantiated the violation of the interests of the data subject, having only assessed the processing of personal data on the basis of legitimate interests. The Director points out that the existence of actual damage is not necessary for a finding of unlawful data processing and an infringement of the fundamental rights of the data subject. According to the case-law of the Court of Justice of the European Union, it is not decisive whether the data processing carried out has had any negative consequences (actual infringement) for it to be considered an interference with fundamental rights. Hence, whether specific negative consequences for the right holder have been identified does not change the fact of a violation of fundamental rights.

[4.1.4.] The appeal submission expresses the opinion that the contested decision does not contain a justification for exactly how the processing of documents infringes Article 5 of the Data Regulation. The Director states that the contested decision notes that, in accordance with Article 6 (1) of the Data Regulation, processing shall be lawful only if and to the extent that at least one of the justifications referred to in Article 6 (1) applies. In addition to a legal basis, Article 5 of the Data Regulation requires the controller to comply with the other conditions laid down in the Data Regulation, in accordance with which any processing of personal data must be lawful, fair and transparent, and carried out only in accordance with the intended purpose and to the extent necessary for that purpose.
The mere fact that the contested decision did not clearly distinguish and describe each infringement of Article 5 (1) (a), (b) and (c) of the Data Regulation does not mean that it has not been assessed. For reasons of legal clarity, the Director provides the following explanation of the infringement of the relevant legal provisions.

In accordance with Article 5 (1) (a) of the Data Regulation, personal data are processed lawfully, in good faith and in a manner transparent to the data subject. That provision entails, inter alia, the obligation to process personal data only if there is a legal basis for it. Given that the contested decision establishes that SIA “Lursoft IT” has processed personal data without an appropriate legal basis, it has also infringed Article 5 (1) (a) of the Data Regulation.

Pursuant to Article 5 (1) (b) of the Data Regulation, personal data are collected for specific, clear and legitimate purposes and shall not be further processed in a manner incompatible with those purposes. Taking into account that SIA “Lursoft IT” continued to publish the personal data obtained from the Register of Enterprises even after the legal basis for such publication had been lost, i.e. without a legitimate purpose, by such actions SIA “Lursoft IT” has violated Article 5 (1) (b) of the Data Regulation.

2 For example, Österreichischer Rundfunk and Others, C-465/00, C-138/01 and C-139/01, EU:C:2003:294.

Article 5 (1) (c) of the Data Regulation states that personal data are adequate, appropriate and include only what is necessary for the purposes of their processing ("data minimization"). Taking into account that SIA “Lursoft IT” published personal data in a larger amount than allowed by law, Article 5 (1) (c) of the Data Regulation has been infringed.

[4.1.5.] The appeal submission indicates that the contested decision is not substantiated within the meaning of Section 153, Paragraph one, Clause 8 of the Administrative Liability Law.
In accordance with Section 153, Paragraph one, Clause 8 of the Administrative Liability Law, the decision on the application of the penalty shall indicate the legal basis for the decision, including the legal provision which provides for liability for an administrative violation. According to the Director, the contested decision contains a sufficiently clear indication of the legal provision providing for liability for the administrative offense: Article 83 (5) (a) of the Data Regulation. Namely, SIA “Lursoft IT”, in processing personal data, has not complied with the basic principles of personal data processing in Article 5 (1) (a), (b) and (c) and Article 6 of the Data Regulation.

[5.] The statement of opposition states that SIA “Lursoft IT” does not have at its disposal documents from the non-public part of the Register of Enterprises. SIA “Lursoft IT” considers that the contested decision does not contain the legal basis required by Section 153, Paragraph one, Clause 8 of the Administrative Liability Law, as the prohibition on publishing documents from the non-public part of the registration files of the Register of Enterprises, taking into account that these documents contain personal data, is applied to SIA “Lursoft IT” regardless of the date on which the documents were attached to the registration file:

[5.1.] The statement of opposition states that SIA “Lursoft IT” had the right to acquire the information in the registration file, as it had a generally accessible status. The official has not substantiated the statement that the documents in the registration file until 1 August 2018 shall be considered restricted access documents.

First, the Director points out that there is no dispute in the case that SIA “Lursoft IT” legally acquired the documents from the registration files both before 1 August 2018 and after that date.
The dispute in the case concerns the processing of the personal data contained in these documents, namely their disclosure at the time the violation was detected. The violation has been established regarding the processing of personal data performed by SIA “Lursoft IT” when publishing, in the “Documents” section of the company database on its website lursoft.lv, registration and other documents (in documentary form) that are submitted to the Register of Enterprises, are included in the non-public part of the registration files of legal entities and legal facts, and contain personal data.

Second, the Data State Inspectorate evaluates the processing of personal data, not the acquisition and publication of the documents themselves. The official did not state in the contested decision that the documents which were in the registration file before 1 August 2018 are considered to be restricted access documents, since such a finding has no effect on the conclusions reached in the contested decision. As mentioned above, the Data State Inspectorate did not assess whether SIA “Lursoft IT” obtained the personal data legally, and no illegality in this particular processing of personal data was found in the contested decision either. The contested decision assesses only whether, in 2020, the processing of data by SIA “Lursoft IT” when publishing documents containing personal data complied with the legal norms that were in force at the time the specific activity, publication, was carried out. The contested decision finds that at the time SIA “Lursoft IT” processed the personal data by publication, Article 4, Paragraph one, Clause 3, Subparagraph (a) of the Law “On the Register of Enterprises of the Republic of Latvia” was in force, which sets out exhaustively the types of documents to be included in the public part of the registration file.
Paragraph four of this article provides that the information and documents included in the non-public part of the registration file are restricted access information. Section 4.10, Paragraph eleven of the Law “On the Register of Enterprises of the Republic of Latvia” provides that the recipient of information from the registers kept by the Register of Enterprises shall not have the right to re-use documents included in the non-public part of the registration files of legal entities and legal facts. Taking into account that at the time SIA “Lursoft IT” published the documents containing personal data, these documents were included in the non-public part of the registration file, a breach of personal data processing was found, namely the processing of personal data without a legal basis under Article 6 (1) of the Data Regulation. In this respect, the fact that historically these documents containing personal data had a generally accessible status has no legal significance. The contested decision did not establish a violation regarding the disclosure of personal data by SIA “Lursoft IT” at the time when these documents containing personal data were generally available.

The purpose of Section 4, Paragraph one, Clause 3, Subparagraph (a), the fourth paragraph and the eleventh paragraph of Article 4 of the Law “On the Register of Enterprises of the Republic of Latvia” is to define the types of documents whose disclosure is not permitted while the legal norm is in force. Given that disclosure of those documents is not permissible, it is also clear that the disclosure of the personal data contained therein is prohibited. There is ample evidence in the case that, while this legal norm was in force, SIA “Lursoft IT” published documents containing personal data which the legislator has determined to be non-public. The fact that it has historically been possible to make such documents public is of no importance in this respect.
It is unlawful to perform an act prohibited by the legislator solely on the basis that such an act was once permissible. The Data State Inspectorate did not assess or establish a violation by SIA “Lursoft IT” for the publication of documents during the period in which such publication was authorized.

[5.1.1.] At the same time, the Director draws attention to the fact that it would be possible to assess whether the general availability of documents containing personal data also means that the personal data contained therein have a generally accessible status and are not subject to the provisions regulating the processing of personal data. In the Director's view, the processing of personal data is in any case covered by the Data Regulation and the requirements arising from it, and SIA “Lursoft IT”, as a controller, had to observe the regulatory enactments governing data processing. This conclusion follows both from the agreements concluded between the Register of Enterprises and SIA “Lursoft IT”, which contained a reference to the fact that the information provided by the Register of Enterprises may include restricted access information and that SIA “Lursoft IT” must use restricted access information in accordance with the requirements of regulatory enactments, as well as a confirmation from SIA “Lursoft IT” that it will not transfer restricted access information to third parties, and from the regulations of the Cabinet of Ministers governing the issuance of information from the Register of Enterprises, which provided that, upon receipt of the information, the recipient of the information, as the controller, is independently responsible for the compliance of the processing of personal data with the regulatory enactments governing the protection of personal data.
Thus, when receiving personal data from the Register of Enterprises, regardless of whether these data were included in a publicly available or a restricted access document, SIA “Lursoft IT” had to evaluate the legal basis for such data processing, including the proportionality between the interests of SIA “Lursoft IT” in publishing the data and the interests of data subjects in this information not being published. On finding that the interests of the data subject prevail and that there is no legal basis for the processing of personal data, the processing of personal data, including disclosure, should be stopped immediately, even if the personal data are contained in a publicly available document. At the same time, given that this aspect was not assessed separately in the contested decision and no penalty has been imposed for it, the Director will not assess it further.

[5.1.2.] The argument of SIA “Lursoft IT” that the official should have applied all four methods of interpretation of legal norms is also not substantiated. The legal provision contained in the eleventh paragraph of Article 4.10 of the Law “On the Register of Enterprises of the Republic of Latvia” is unequivocal, clearly stating that the recipient of information from the registers kept by the Register of Enterprises has no right to re-use the documents included in the non-public part of the registration files of legal entities and legal facts. The grammatical text of a legal provision also clearly indicates its meaning and purpose. An interpretation of a provision of law cannot lead to a different result if the wording of that provision is unambiguous. Moreover, even if the legal provision included in Article 4.10 of the Law “On the Register of Enterprises of the Republic of Latvia” were assessed in depth, this could not lead to different conclusions. In this respect, it is important to note that the contested decision assesses the processing of personal data and not the disclosure or re-use of documents as such.
Namely, regardless of whether the information contained in the registers was in the public or the non-public part, the personal data contained in those documents, and the operations performed with them, had to comply with the regulatory framework for the processing of personal data. Just because a document is public does not automatically mean that the personal data contained therein become publicly available information to which the Data Regulation does not apply. At the same time, if the legislator has established in a legal norm a mandatory, clear ban on the publication of certain types of documents, including a prohibition on processing personal data, the person applying the legal norm cannot, by way of interpreting legal norms, come to the conclusion that this provision does not cover them.

[5.2.] SIA “Lursoft IT” expresses the opinion in the submission of contestation that the restriction on re-using the documents received from the Register of Enterprises in accordance with Cabinet Regulation No. 191 of 27 March 2018 “Regulations on the issuance of information from the Register of Enterprises of the Republic of Latvia and other paid services” (hereinafter - the Regulations on Business Register for Paid Services) has existed since 1 August 2018 and is not applicable to historical documents received before 1 August 2018.

The Director again draws attention to the fact that Articles 4.10 and 4.15 of the Law “On the Register of Enterprises of the Republic of Latvia” clearly and unequivocally prohibit the disclosure of documents which, while the legal norm is in force, are in the non-public part of the registers. Neither these nor other legal provisions contain any indication that this prohibition does not apply to documents already in the possession of re-users.
Also, paragraph 48 of the Regulations on Business Register for Paid Services explicitly stated that, for persons who until 31 March 2018 received information for re-use in accordance with Cabinet of Ministers Regulation No. 277 of 3 June 2014 on information from the Register of Enterprises of the Republic of Latvia, the conditions laid down in these Regulations for the re-use of documents from the registration files of legal entities or legal facts shall apply as of 1 August 2018. As a result, a ban on the re-use, including publication, of documents that are currently in the non-public part of the register came into force on 1 August 2018.

Reference is made to the fact that paragraph 35 of the Transitional Provisions was deleted from the draft Law “On the Register of Enterprises of the Republic of Latvia”, which provided that the recipients of information from the Register of Enterprises shall ensure that information for which restricted access status has been established is not re-used, even if they received the information before the entry into force of the amendments to this Law which determine the restricted access status, and that SIA “Lursoft IT” therefore has the right to publish this information. The exclusion of this legal norm from the draft law only indicates that the use of restricted access information is subject to the general rules, which there was no need to repeat in the draft law, and this obligation was included in paragraph 48 of the Regulations on Business Register for Paid Services. Nor can such a legal norm be considered to have retroactive effect, as it applies only to those activities which are carried out during the period of validity of the provision.
The Data State Inspectorate evaluates the disclosure of documents and of the personal data contained therein that SIA “Lursoft IT” is currently carrying out in accordance with the legal provisions which are applicable; to personal data processing which took place until 1 August 2018, the Data State Inspectorate shall apply the legal norms in force at that time. In addition, it should be noted that the contested decision did not assess at all the activities carried out by SIA Lursoft IT before 1 August 2018.

[6.] The statement of opposition states that the legal basis for the processing of personal data is the legitimate interests of third parties. Namely, SIA “Lursoft IT” processes personal data in the interests of the subjects of the Law on the Prevention of Money Laundering. The Director points out that the contested decision comprehensively assesses the compliance of the data processing performed by SIA Lursoft IT with Article 6 (1) (f) of the Data Regulation, which is also reflected in Article 14 of this Regulation 2.6.2 of the decision. in point. In particular, the contested decision explains that the existence of legitimate interests means, inter alia, that they must be lawful, that is, implemented in a way that complies with data protection and other legislation. In other words, a legitimate interest must be acceptable under legislation. Taking into account that the interests of SIA “Lursoft IT” cannot be assessed as legitimate, the processing of personal data performed on the basis thereof shall also be recognized as unlawful. In addition, the Director explains that legitimate interests are one of the six legal bases contained in Article 6 (1) of the Data Regulation which allow the processing of personal data.
According to Article 6 (1) (f) of the Data Regulation, the processing of personal data is lawful only to the extent and only if such processing is necessary for the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data take precedence over such interests, in particular where the data subject is a child. Legitimate interests are inherently more flexible than the other legal bases for the processing of personal data contained in Article 6 (1) of the Data Regulation and could be extended in principle to any processing operation of personal data for a reasonable purpose. Given that this basis for the processing of personal data can be applied to a very wide range of controllers' interests, it obliges the controller to perform a balancing test, assessing whether the controller's interests in each particular case prevail over the interests of the data subject in the protection of his or her personal data. A legal norm that allows the processing of personal data on the basis of the legitimate interests of the controller can be conditionally divided into three parts. Namely, it is necessary to establish that 1) a legitimate interest of the controller exists; 2) the processing of personal data is required for the implementation of this legitimate interest; 3) the interests or fundamental rights and freedoms of the data subject do not take precedence over the controller's legitimate interest in the processing of personal data. This means that a mere statement by the controller that the processing of personal data is necessary to achieve his or her legitimate interests is not enough. In order to rely on Article 6 (1) (f) of the Data Regulation, the controller must be able to prove the existence of all three elements. As already mentioned, a very wide range of interests of the controller can be considered as legitimate interests.
The legitimate interests of the controller may also include the pursuit of the interests of third parties. Such interests of third parties are to be assessed and taken into account when deciding whether the interests of the data subject prevail (in the examination of the third criterion mentioned above). Section 1 (5) of the Freedom of Information Act states that re-use is the use of publicly available information held by an institution for commercial or non-commercial purposes other than the original purpose for which the information was created, if it is done by an individual who uses the information at the disposal of the institution without performing public administration tasks. The mentioned legal norm indicates the interest of SIA “Lursoft IT” in publishing documents and processing personal data for commercial purposes by providing a service to third parties. The Director acknowledges this interest as justified and significant. In addition, the Director agrees that the implementation of this interest also indirectly serves the interest of the recipients of services, including the subjects of the Law on the Prevention of Money Laundering, in accessing the information they need as easily as possible. At the same time, while an interest may be significant, it must also be legitimate. Any interest - substantial or insignificant - cannot be considered legitimate within the meaning of Article 6 (1) (f) of the Data Regulation if it is illegal or unethical. Thus, if it is established that SIA "Lursoft IT" processes personal data for its own commercial interests and indirectly also in the interests of the subjects of the Law on the Prevention of Money Laundering, but such processing violates legal prohibitions on the processing of personal data, then such processing of personal data cannot be considered legitimate and in compliance with the Data Regulation.
In the present case, both the contested decision and this decision state on several occasions that: 15 SIA “Lursoft IT” contrary to the first of Article 4 of the Law “On the Register of Enterprises of the Republic of Latvia” paragraph 3 (a), the fourth subparagraph and the eleventh paragraph of Article 4 has published information regarding the subject to be submitted to the Register of Enterprises and the legal entity for the prohibition and 15 containing personal data included in the non-public part of the legal fact registration file registration and other documents (in documentary form) on the website of SIA “Lursoft IT” lursoft.lv in the section “Documents”. In view of the above, no legitimate interest of SIA “Lursoft IT” in the processing of personal data can be established, and the processing of personal data has been carried out in breach of Article 6 of the Data Regulation, namely without a legal basis. If the interest for which personal data was processed is found to be unlawful, no further evaluation of the processing is required to clarify the necessity of the personal data processing for the implementation of that interest or the interests of the data subject, as these assessments cannot legitimize processing of personal data which has already been found to be unlawful, that is to say, carried out without the existence of a legitimate interest.

[7] The statement of opposition states that the official has not clarified in the contested decision the legal basis for the processing of personal data in relation to the disclosure of Insolvency Register information 5 years after the end of insolvency:

[7.1] SIA “Lursoft”, in publishing information on the insolvency of a natural person, relies on Article 6 (1) (f) of the Data Regulation in order to ensure respect for the legitimate interests of third parties.
Although, with regard to the disclosure of data on the insolvency of a natural person, the contested decision does not explicitly refer to point (f) of the first paragraph of Article 6 of the Data Regulation, that does not mean that the contested decision does not assess that legal basis at all. An in-depth analysis of this legal provision has not been carried out, as it has been identified as the only possible basis for personal data processing. At the same time, both the contested decision states and the Director finds that the processing of personal data performed by SIA “Lursoft IT” in relation to information and documents, placed in the insolvency database on the SIA “Lursoft IT” website lursoft.lv, about historical insolvency proceedings of natural persons for which the record of termination of the natural person's insolvency proceedings was made more than one year ago cannot be based on Article 6 (1) (f) of the Data Regulation, as in this case the interests of the data subject in the protection of its personal data prevail over the interests of SIA “Lursoft IT” in data publication. Also, the processing of personal data by SIA “Lursoft IT” in publishing personal data and documents regarding the insolvency proceedings of a natural person for which the entry of termination was made less than one year ago is considered lawful and made in accordance with Article 6 (1) (f) of the Data Regulation.

[7.2.] The term for deleting records specified in the Insolvency Law is not applicable to SIA “Lursoft IT”, because in accordance with Section 132, Paragraph three of the Insolvency Law such an obligation is applicable only to the responsible authority - the Register of Enterprises. The Director points out that Section 132, Paragraph three of the Insolvency Law and the related Data A detailed explanation of the State Inspectorate 's reference is contained in the contested decision and is also set out in the contested decision 2.2 of this Decision. point.
The Director agrees with this argument. Section 132, Paragraph three of the Insolvency Law stipulates that information is publicly available in the insolvency register during the insolvency proceedings of a natural person, as well as for one year after the entry of the date of termination of the insolvency proceedings of a natural person. Although the addressee of Section 132, Paragraph three of the Insolvency Law, as the institution responsible for the insolvency register, is indeed the Register of Enterprises, SIA “Lursoft IT”, in disclosing personal data on the basis of Article 6 (1) (f) of the Data Regulation, had to take the essence of that legal norm into account in the assessment of proportionality under that provision. It is also necessary to recall that the Data State Inspectorate interprets legal norms within the scope of its competence only in connection with the processing of personal data contained in the documents of the insolvency register. For the processing of personal data to be considered lawful, it must, inter alia, be carried out on the basis of one of the legal bases listed in Article 6 (1) of the Data Regulation. In this specific case, SIA Lursoft IT published information on the insolvency of a natural person on the basis of Article 6 (1) (f) of the Data Regulation. SIA “Lursoft IT” refers to the mentioned legal basis in its application; it is not called into question and is therefore assessed separately in the contested decision. Nor is it challenged in the contested decision, and consequently it will not be separately assessed in this decision, that the processing of personal data by publishing information on the insolvency of a natural person one year after the record of the date of termination of the insolvency proceedings of the natural person is legal and complies with the rules on the processing of personal data.
Namely, the dispute is only about whether SIA “Lursoft IT” was able to publish personal data on the insolvency of a natural person for more than one year after the record of the date of termination of the insolvency proceedings of a natural person. The Director notes that the legal basis of SIA "Lursoft IT" for the disclosure of personal data on the insolvency of a natural person for more than one year after the entry of the date of closure of the natural person's insolvency proceedings is, in accordance with Article 6 (1) (f) of the Data Regulation, a legitimate interest in obtaining an economic advantage by providing a particular type of service to third parties. Undoubtedly, the recipients of the service provided by SIA “Lursoft IT” also have, in their own way, an interest in accessing the published personal data on the basis of different legal bases for the processing of personal data (receipt and further processing). However, it cannot be considered that SIA “Lursoft IT” acts on behalf of these persons and without an individual legitimate interest of its own in obtaining an economic advantage. This consideration is also implicitly confirmed by Article 1 (5) of the Freedom of Information Act, according to which re-use is the use of information at the disposal of the institution and made public by the institution for commercial or non-commercial purposes other than the original purpose for which that information was created, if it is done by an individual who uses the information in the possession of the institution without performing public administration tasks. The interests of third parties in accessing documents containing personal data, as already mentioned in paragraph 6 of this Decision, can be assessed in a balancing test between those interests of the third party and the controller and the interests, fundamental rights and fundamental freedoms of the data subject.
In order to use legitimate interests as a legal basis, it is necessary to carry out a balancing exercise: the legitimate interests of the controller or of third parties must be weighed against the interests or fundamental rights and freedoms of the data subject. For the lawful application of this legal basis, three cumulative conditions must be met at the same time: 1) the existence of legitimate interests of the data controller or of the third persons to whom the data are disclosed; 2) the need to process personal data in order to pursue those legitimate interests; 3) the condition that the fundamental rights and freedoms of the person covered by data protection do not prevail. There is no dispute about the existence of a legitimate interest and the need to process personal data in order to pursue it. Namely, in the opinion of the Data State Inspectorate, the third element is missing for the application of Article 6 (1) (f) of the Data Regulation: the interests of SIA “Lursoft IT” in the specific case do not prevail over the data subject's interests in the non-disclosure of data after one year has elapsed since the entry of the date of termination of the natural person's insolvency proceedings. By adopting the legal norm included in Section 132, Paragraph three of the Insolvency Law, the legislature has, inter alia, assessed whether the public interest in receiving information about a natural person's insolvency after a certain period of time is more important than the data subject's right not to have these data published. In conducting the balancing test, the legislature has come to the conclusion that the public interest in receiving this information without restriction exists only for one year after the entry of the date of termination of the natural person's insolvency proceedings. At the end of this period, the rights of the data subject to the protection of their data and the non-disclosure of information are considered a priority.
Guided by this assessment, the legislator has also obliged the Register of Enterprises to delete this information. It is this assessment that, in the opinion of the Data State Inspectorate, is binding on any other person, including SIA “Lursoft IT”, which publishes data of identical content. In addition, given that the Register of Enterprises publishes personal data on the insolvency of a natural person on the basis of Article 17 of the Data Regulation Article 6 (1) (c) and (e) in the public interest, this assessment applies all the more to the processing of personal data performed by SIA “Lursoft IT”, which is based on economic interest rather than a real and immediate public need. It would not be acceptable if the assessment of proportionality carried out under Article 6 (1) (f) of the Data Regulation by SIA “Lursoft IT” or any other private person led to the opposite conclusion to that of the legislature, namely that its interests prevail. As stated in the contested decision, as a result of such an interpretation the purpose of Section 132, Paragraph three of the Insolvency Law would not be achieved, as the publication of personal data in the receipt of which the public does not have a predominant interest would be continued. In addition, the first sentence of recital 47 of the Data Regulation states that the legitimate interests of a controller, including a controller to whom the personal data may be disclosed, or of a third party may be the legal basis for the processing, provided that the interests or fundamental rights and freedoms of the data subject are not more important in the light of the reasonable expectations of data subjects, which are based on their relationship with the controller.
In this case, the data subject expects, on the basis of Section 132, Paragraph three of the Insolvency Law, that data about him will no longer be publicly available to anyone interested, as the legislator has stipulated that longer disclosure of personal data is not in the public interest. The data subject does not expect re-users to continue disclosing his personal data for profit merely because they are not direct addressees of Section 132, Paragraph three of the Insolvency Law. Thus, although SIA Lursoft IT is not the direct addressee of Section 132, Paragraph three of the Insolvency Law, it is bound by the essence of this legal norm and by the legislator's interpretation included therein when assessing the proportionality between the data subject's interests in the protection of and control over his or her personal data and the interest of SIA “Lursoft IT” and its customers in continuing to process personal data without any restrictions. In view of the above, the Director concludes that the contested decision rightly concludes that, for the data processing performed by SIA Lursoft IT in publishing information on the insolvency proceedings of a natural person for more than one year after the entry of the insolvency proceedings of a natural person, there is no legal basis referred to in Article 6 (1) of the Data Regulation.

[7.3] The statement of opposition states that the publication of personal data 5 years after the end of the insolvency is in the interests of the clients of SIA Lursoft IT. The Director does not doubt that the clients of SIA “Lursoft IT” may be interested in accessing personal data 5 years after the entry of the insolvency proceedings of a natural person; however, in the light of the contested decision and Article 7.2 of that decision.
contained in paragraph an assessment leading to the conclusion that the data subject's interest in the non-disclosure of his or her personal data one year after the entry regarding the termination of the insolvency proceedings of a natural person prevails over the general interest of the public and third parties in the disclosure of such personal data, this argument has no legal significance in the present case. In addition, it should be noted that in the event that a particular person has a legal interest in acquiring and processing personal data regarding the insolvency proceedings of a natural person after that period has passed, that person has an opportunity to apply to the Register of Enterprises with a separate request. In this case, the Register of Enterprises, as the controller of the personal data processing, will in each specific case perform a proportionality test, weighing the interests of the data subject and the third party.

[8] In the appeal, SIA Lursoft IT states that the contested decision does not contain reasonable reasons for choosing a fine among other regulatory means, nor have all the criteria provided for in Article 83 of the Data Regulation for determining the penalty and its amount been fully justified and assessed. SIA Lursoft IT considers that the contested decision does not comply with Articles 58 and 83 of the Data Regulation, Section 16, Paragraph one and Section 153, Paragraph one, Clause 8 of the Administrative Liability Law. The Director points out that in accordance with Section 19, Paragraph two of the Administrative Liability Law, in determining the nature and extent of the administrative penalty, the nature of the offense committed, the personality of the person held liable (for a legal person - reputation), property status, and the circumstances mitigating and aggravating liability shall be taken into account.
In addition, the second paragraph of Article 83 of the Data Regulation provides that, when deciding whether to impose an administrative fine and when deciding on the amount of the administrative fine, the elements set out in points (a) to (k) are to be taken into account as appropriate in each case. It must be stated that the contested decision 6.3. An explanation of the justification for the administrative fine was provided in paragraph 1, including the nature of the violation and the degree of cooperation with the supervisory authority, the core activities of SIA “Lursoft IT”, the number of data subjects affected, the persistence of the breaches and other circumstances. It should be noted that Article 83 (5) of the Data Regulation provides that the supervisory authority shall apply administrative fines of up to EUR 20 000 000 or, in the case of an undertaking, up to 4% of its total worldwide annual turnover in the preceding business year, whichever amount is higher. In view of the above, with regard to the amount of the penalty the Inspectorate is not limited to 4% of turnover, but is entitled to impose an administrative fine of up to 20 million euro. In determining the specific penalty, the Inspectorate took into account the turnover of the controller, but applied all the criteria set out in the Data Regulation to determine the amount of the penalty. At the same time, it should be noted that the first part of Section 153 of the Administrative Liability Law determines the content of the decision imposing the penalty, including, in paragraph 10, that the decision is to indicate the penalty imposed on the person. At the same time, this part of the article does not specify how the justification of the penalty should be reflected. Having assessed the contested decision and the case file, the Director is confident that the penalty imposed is reasonable, proportionate and dissuasive.
The mere fact that the contested decision indicates the fine in euros and not in units of the fine cannot affect the validity of this Decision. It should be noted that penalties for non-compliance with personal data protection requirements are set out in the Data Regulation, which expresses the amount of the fine in euros instead of in fine units. Given that a regulation of European Union law cannot be subordinate to national procedural regulations, the Inspectorate imposes penalties in accordance with the requirements of the Data Regulation, namely by setting the penalty in euro. The contested decision also specifically lists the legal provisions in respect of which the infringement was established and the penalty imposed, namely Article 83 (5) (a) of the Data Regulation.

In the light of the foregoing, having regard to the case file and the application, and in accordance with Section 132, Section 168, Paragraph one, Section 172 and Article 173, first paragraph, point (1) of the Administrative Liability Law, the Director concludes that the contested decision is well founded and legal, and therefore decides to leave the contested decision unchanged and to reject the appeal.

In accordance with the first paragraph of Article 184 and the first paragraph of Article 186, the Applicant may appeal against this decision within 10 working days from the date of notification of the decision in an administrative violation case to a district (city) court according to the legal address of the Applicant, by submitting a complaint to the Data State Inspectorate (Elijas Street 17, Riga, LV-1050), which, within the period after the deadline for submission of the complaint, shall send the complaint with the case materials to the district (city) court of jurisdiction.

Director J.Macuka […]

EXTRACT CORRECT