DVI (Latvia) - SIA “DEPO DIY”: Difference between revisions
Revision as of 11:58, 25 October 2022
DVI - SIA “DEPO DIY” | |
---|---|
Authority: | DVI (Latvia) |
Jurisdiction: | Latvia |
Relevant Law: | Article 5 GDPR Article 5(1)(c) GDPR Article 6(1)(a) GDPR Article 6(1)(c) GDPR Article 83(5) GDPR |
Type: | Other |
Outcome: | n/a |
Started: | 27.05.2022 |
Decided: | 07.07.2022 |
Published: | 19.10.2022 |
Fine: | 17,495 EUR |
Parties: | depo-diy |
National Case Number/Name: | SIA “DEPO DIY” |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Latvian |
Original Source: | DVI (in LV) |
Initial Contributor: | Jette |
The DPA finds that the contested decision, including but not limited to the complaints of the data subject, correctly established the facts of the case and qualified the administrative offence.
English Summary
Facts
DEPO (the controller) is a do-it-yourself store based in Latvia. In order to receive the additional services (such as home delivery or an accounting receipt) customers must obtain a customer card. Without such a card, the additional service is not provided. To obtain a card, customers must consent to the processing of their personal data for a number of unrelated purposes, such as registration in the accounting system, return of the purchase price to the customer card, identification when using additional services, allocation of the card and allocation of bonuses. The personal data to be included to achieve all these purposes: name, surname, personal identification number, date of birth (for non-residents), business registration number, address and telephone number.
Following several complaints from customers, the Latvian DPA started an investigation. The DPA found that customers who had not obtained a customer card, and thus had not consented to the processing of their personal data, could not receive the additional services. The DPA held that this did not ensure compliance with the definition of consent set out in Article 4(11) GDPR. It stated that consent cannot be considered as freely given if its withholding results in the service not being received at all. In addition, the DPA found that the controller unreasonably based processing of personal data on Article 6(1)(a) GDPR, for example the processing of personal data related to invoices. Given that this processing does not depend on customers' will, it cannot be carried out on the basis of consent.
Moreover, the DPA found that the controller violated the principle of data minimisation. For example, customers were required to provide a personal identification number in order to receive an invoice for the purchase of goods, which is not necessary for the specific service.
The controller stated that the issue of a customer card is necessary to identify customers, e.g. when making a delivery. However, the DPA held that it is also possible to identify a person, e.g. when making a delivery, by asking for an ID card. There is no justification for the controller to require a customer card in each case.
It is also possible for the controller to fulfil its other statutory obligations, such as issuing supporting documents on the basis of Article 6(1)(c) of the GDPR, without making it mandatory for customers to obtain a customer card as a prerequisite for the fulfilment of these tasks.
[2.5] The fact that only two data subjects have lodged a complaint about unlawful data processing is irrelevant in the present case.
The contested decision states that the existence of actual damage is not necessary to establish unlawful processing and an infringement of the fundamental rights of the data subject. In particular, it is irrelevant whether the processing has had any negative consequences (actual infringement of rights) in order to be considered as interference with fundamental rights.
[2.6] In the light of the foregoing, the contested decision finds that the controller, in the context of the provision of ancillary services, by processing (acquiring and storing) the personal data of customers (natural persons) (from 9 September 2020 to 10 June 2021: name, surname, personal identification number or date of birth, contact details (telephone number, e-mail) address; from 10 June 2021 to the present: name, surname, e-mail and telephone number (address - only in Lithuania and Estonia)), has infringed Article 5 of the GDPR. The processing of personal data has been and continues to be carried out on the basis of an incompatible legal basis set out in Article 6(1).
English Machine Translation of the Decision
The decision below is a machine translation of the Latvian original. Please refer to the Latvian original for more details.
Elijas iela 17, Riga, LV-1050, tel. 67223131, e-mail pasts@dvi.gov.lv, www.dvi.gov.lv
Riga
SIA "DEPO DIY" authorized representative [..]
In case No. [..]
The decision
In Riga, the date can be seen in the time stamp no. ([..]) [..]
[1] On May 10, 2022, the Data State Inspectorate adopted decision no. [..] ([..]) on the application of a penalty (hereinafter - the contested decision) in administrative violation case no. [..] ([..]) (hereinafter - the Case), recognizing SIA "DEPO DIY", registration number 50003719281, legal address Noliktavu iela 7, Dreiliņi, Stopiņi county, Ropažu county (hereinafter - DEPO), guilty of the administrative violation provided for in Article 83, paragraph 5, subsection "a" of the General Data Protection Regulation (hereinafter referred to as the Data Regulation), and applying an administrative penalty - a fine of 4,373,818.52 euros (four million, three hundred and seventy-three thousand, eight hundred and eighteen euros, fifty-two cents). The contested decision was notified to DEPO on May 11, 2022, by sending the contested decision by registered mail.
[2] The contested decision found the following circumstances, and it is justified by the following considerations:
[2.1] To receive Additional Services offered by DEPO, such as delivery of goods to home or an accounting justification document, the customer must receive a DEPO card. Without such a card the Additional Service is not provided. At the same time, to receive a DEPO card, the customer, according to what is indicated in the questionnaire, must "agree" that his personal data will be processed for several unrelated personal data processing purposes, such as registration in the electronic accounting system, issuance of an accounting justification document, returning the purchase fee or parts thereof to the DEPO card, identifying the customer each time he uses additional services, DEPO card allocation, Volume Bonus allocation.
The personal data to be included in the questionnaire, in turn, should be indicated in the maximum amount necessary to achieve all the mentioned purposes - first name, last name, personal identification number, date of birth (for non-residents), registration number of the economic activity provider, address and phone number.
Footnote 1: Regulation No. 2016/679 of the European Parliament and the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and free flow of such data and repealing Directive 95/46/EC (General Data Protection Regulation)
[2.2.] DEPO has unreasonably based the processing of personal data carried out in order for the customer to receive Additional services on Article 6, paragraph 1, letter "a" of the Data Regulation.
Considering the fact that a customer who has not given his consent to the issuance of a DEPO card cannot receive Additional Services, compliance with the definition of consent set out in Article 4, Clause 11 of the Data Regulation is not ensured. In other words, consent cannot be considered freely given if, as a result of not giving it, the service cannot be received at all.
Even though the provision of certain services or the performance of an obligation specified in the regulatory acts may require DEPO to process customers' personal data, such processing must be based on an appropriate legal basis. For example, the processing of personal data related to the issuing of an invoice for goods is based on Article 6, Clause 1, letter "c" of the Data Regulation and the regulatory framework of the relevant country. Considering that this processing does not depend on the will of the customer, it cannot be carried out on the basis of the legal basis specified in Article 6, paragraph 1, letter "a" of the Data Regulation.
[2.3.] DEPO has not ensured compliance with the principle of data minimization in relation to personal data processing for the purposes of providing additional services.
Regardless of the chosen legal basis for the processing of personal data, the basic principles contained in Article 5 of the Data Regulation are binding on the controller in any case. In the specific case, if the client wants to receive an invoice for the purchase of goods, he must specify a personal code, which is not required in the particular case for receiving the service. It has been established that the processing of the personal code is not necessary for receiving other services, for example home delivery of goods. Thus, DEPO has processed personal data in an excessive amount, disregarding the data minimization principle.
[2.3.] Although DEPO has repeatedly changed the terms of personal data processing over time, the actual actions that the customer is required to complete in order to receive the Additional Services have not changed. Namely, the consent of the data subject referred to in Article 6(1)(a) of the Data Regulation is still used as the legal basis for personal data processing. The amount of personal data to be processed has also not really changed.
[2.3.1.] Regarding the amount of personal data to be processed, although on June 10, 2021, a new questionnaire for receiving a DEPO card has been approved, in which both the amount of data to be provided and scope of personal data processing purposes, however, in accordance with DEPO's privacy policy (as amended to 5 August 2021) the amount of personal data is indicated above, and it is also explained that this data is provided when filling out the form for receiving a DEPO card.
[2.3.2.] Regarding the legal basis for processing personal data for receiving a DEPO customer card, DEPO's privacy policy still refers to Article 6(1)(a) of the Data Regulation.
Given that, if the customer wants to receive the Additional Service, it must “opt in” to receive a DEPO customer card by specifying all the information required for receiving a DEPO customer card in the application form, such consent still cannot be considered freely given. That is, the client must "agree" to receive the client card, otherwise the Additional Service will not be provided to it. The mentioned conclusions are not changed by the fact that since 27 September 2021 the conclusion and execution of the contract is mentioned as the legal basis for issuing the DEPO card, because if the customer wants to receive any of the Additional Services, it must also accept a DEPO card. Without the issuing of a DEPO card the Additional service cannot be received.
[2.4.] DEPO has unjustifiably stated that issuing a DEPO card is primarily necessary for accurate customer identification, for example when making a delivery. This is a violation of the principle of data minimization resulting from Article 5(1)(c) of the Data Regulation, according to which personal data can be processed only to the extent necessary to achieve the purpose.
Given that it is also possible to ensure personal identification, for example when making a delivery, by, for example, asking for an identity document, DEPO's requirement to issue a DEPO customer card in each case is not justified. This is also confirmed by the fact that when making a purchase in the online store and when choosing the Additional service - delivery of goods - the customer does not need to receive a DEPO card.
It is also possible for DEPO to fulfill other obligations set for it by law, e.g. issuing justification documents, based on Article 6, paragraph 1, subparagraph "c" of the Data Regulation, without imposing a mandatory requirement for the client to receive a DEPO card as a prerequisite for the fulfillment of these tasks.
[2.5.] In the case, the fact that complaints about illegal data processing have been submitted by only two data subjects is irrelevant.
The contested decision states that the existence of actual damage is not necessary to establish unlawful data processing and an infringement of the fundamental rights of the data subject. Namely, it is not of decisive importance whether the data processing carried out has caused any negative consequences (real violation of rights) for it to be recognized as an interference with fundamental rights.
[2.6] Taking into account the above, the contested decision found that DEPO, within the scope of providing the Additional service, by processing (acquiring and storing) the personal data of customers (natural persons) (from September 9, 2020 to June 10, 2021: name, surname, personal identification number or date of birth, contact information (phone number, e-mail) addresses; from June 10, 2021 until now: name, surname, e-mail and phone number (address – only in Lithuania and Estonia)), has violated the principles of personal data processing set out in Article 5, Clause 1 "a", "b", "c" of the Data Regulation and has carried out and continues to carry out the processing of personal data on the basis of an inadequate legal basis specified in Article 6, paragraph 1 of the Data Regulation.
[3.] On May 27, 2022, DEPO submitted a complaint to the Data State Inspectorate (hereinafter - contestation submission), asking to cancel the contested decision. The Data State Inspectorate finds that the challenge application was submitted within the period prescribed in the first part of Article 168 of the Law on Administrative Responsibility and its consideration is permissible.
[4.] In the challenge submission, it is stated that DEPO was not provided with the right to be heard prescribed by the Law on Administrative Responsibility. Although DEPO, in accordance with the first part of Article 137 of the Law on Administrative Responsibility, has asked for the case to be considered in oral proceedings, such a request has been refused on the basis of the risks of Covid-19.
Also, DEPO asks for the oral process to be set at the challenge stage as well.
The Director of the Data State Inspection does not see a violation in the fact that the case was considered in a written process. Namely, the first part of Article 9 of the Law on the Management of the Spread of Covid-19 Infection directly provides for the right of the official to consider the case in a written process, if it has not been recognized as necessary to consider the case in the oral process. The first part of Article 172 of the Law on Administrative Responsibility also stipulates that a higher official considers the complaint in a written process.
At the same time, taking into account DEPO's request and the fact that the risks of the spread of Covid-19 have decreased, the Director of the Data State Inspection considered it possible to examine the case in the oral process. The complaint was heard in the oral process on June 27, 2022, and the arguments presented by DEPO are evaluated and reflected in the subsequent text of the decision in the context of the arguments expressed in the challenge submission, as well as taken into account when making the decision.
During the examination of the case, DEPO provided additional information about the nature of the DEPO customer card and allocation aspects. Confirmed that personal data is actually obtained for the purposes of providing additional services, as well as to fulfill the requirements of regulatory acts. DEPO customer card usage personal data obtained during or would gain some other economic benefit. DEPO also admitted that improvements are possible in the processing of personal data, and that a new, more comprehensive privacy policy is being developed. In view of the above, DEPO requests that the administrative violation case be terminated.
[5] In the challenge submission, DEPO expresses the opinion that the official of the Data State Inspection, during the inspection in the DEPO store, did not follow the procedural rules regarding the implementation of inspections, and that Act No. [...] drawn up on 28 January 2022 could not be used to justify the contested decision.
The reasoning expressed by DEPO is basically based on the consideration that Article 15 of the Law on the Processing of Data of Natural Persons determines the procedure for carrying out checks, including an obligation to inform the manager before the visit about the purpose, time and place of the planned visit, as well as to request that the presence of the manager's authorized representative be ensured. DEPO also points out that the original draft wording provided for the right of the officials of the Data State Inspection to enter the premises, conduct an inspection and a forced search without cooperation with the manager, but this norm was not accepted by the legislator. On the basis of the aforementioned, a conclusion was made in the challenge submission that any inspection should take place in cooperation with the data controller.
The Director of the Data State Inspection considers such an interpretation of legal norms to be unfounded. The norms on inspection and informing the controller contained in Article 15 of the Law on Processing of Personal Data apply to cases when the inspection is carried out using the administrative power (coercive mechanisms) granted to the Data State Inspectorate in the laws and regulations, and the controller has the responsibility to obey the orders of the Data State Inspectorate. The mentioned norm refers to entry into private property, as well as access to all systems and documents that do not have public access.
At the same time, the first part of Article 15 of the Personal Data Processing Law includes the right of the Data State Inspectorate to obtain information using all legal methods. Undoubtedly, attending public places and performing activities that can be performed by any natural person can also be considered such a method. In the specific case, the Data State Inspectorate obtained the information without using public authority, but by performing and capturing actions that any natural person could perform. Therefore, the requirements referred to in Article 15 of the Law on the Processing of Data of Natural Persons do not apply to this type of information acquisition.
If DEPO's claim were considered justified, it would prevent the Data State Inspectorate from performing any actions at all without the cooperation of the administrator, for example, viewing websites, registering on various platforms to check the amount of data to be collected, viewing the photos that the manager has placed on his social account, viewing the locations of publicly placed cameras to find out their angles, as well as taking any other action. In all the mentioned cases, the official of the Data State Inspectorate obtains information without using state power, but recording their observations in a document, as was the case here.
[6] The challenge submission expresses the opinion that the Data State Inspectorate has violated Article 117 of the Law on Administrative Responsibility, which stipulates that the administrative violation process should be started in a reasonable and timely manner. The aforementioned is based on the fact that the Data State Inspectorate did not start the administrative violation process immediately after receiving the last complaint on May 19, 2021, but, instead of initiating the administrative violation case, chose to carry out an inspection from May 19, 2021 to February 2, 2022.
In the view of the Director of the State Data Inspection, both reasonableness and timeliness have been observed in the examination of the case, because the administrative violation case was initiated immediately after the Data State Inspectorate had obtained all the necessary information which allowed it to assume that an administrative violation might have occurred. It should be noted that conducting an inspection before starting an administrative offense case is also in the manager's interest, because not every inspection results in an administrative violation process. As a result of an inspection by the Data State Inspectorate, an administrative process may be initiated which ends with an administrative act, or the supervisor may be informed, in accordance with the "advise first" principle, about ensuring compliance of the data processing with the Data Regulation, or no further actions may be taken at all. If the Data State Inspectorate had to initiate an administrative violation process after every complaint received, it would unduly burden the supervisors by involving them unnecessarily in administrative violation proceedings, because not nearly every data subject's complaint is justified and shows evidence of an administrative violation.
As stated in its decision by the Department of Administrative Affairs of the Senate of the Supreme Court, the provisions of the Data Regulation provide the Inspectorate with the right, in response to violations of personal data processing, to make any of the decisions contained in the regulations, while leaving the supervisory authority freedom of assessment regarding the type of decision. Upon receiving a complaint about possible personal data processing violations, the inspection initially checks the received information, including by requesting information from the data controller and/or processor, to establish whether the processing of personal data in the case indicated by the data subject has occurred at all.
Submitting an application about possible violations of personal data processing does not mean that the verification of the information specified in the application will result in the detection of a violation, the issuing of an administrative act and the application of a corrective measure or the imposition of an administrative penalty. The Data State Inspectorate starts an administrative process or administrative violation process against the data manager only when it becomes aware of the facts. Such facts are obtained by the inspection by inspecting and obtaining the necessary information, which in turn gives grounds for initiating an administrative violation process. A decision on the most appropriate remedy (a decision to initiate a case) can only be made when sufficient information has been collected to assess whether a violation of personal data processing has occurred at all, and the nature of this violation. Therefore, the deadline for making a decision is counted not from the moment of submission of the applicant's complaint, but from the moment of discovery of the violation of personal data processing, that is, when the relevant examination and clarification of the circumstances have been completed and it is established that the person really has committed a violation of personal data processing.²
Taking into account the above, the Director of the Data State Inspection believes that the case has been considered in a timely manner and carefully ascertaining all the circumstances of the case.
Footnote 2: Decision of the Administrative Affairs Department of the Supreme Court Senate of April 28, 2020 in case no. A420230820
[7] DEPO states in its challenge submission that the amount of data processed by it and the legal basis have been different in the period from September 9, 2020 to June 10, 2021 and from June 10, 2021 to May 10, 2022, which is also recognized in the contested decision. At the same time, the contested decision does not analyze how this different scope of data processing and legal basis are to be evaluated in connection with the provision of Article 26 of the Law on Administrative Responsibility that a long-term administrative violation is the continuous realization of one administrative violation, which is related to the subsequent long-term non-fulfillment of the obligations prescribed by law.
[7.1.] The Director of the Data State Inspection cannot agree with the statement that the processing of personal data carried out by DEPO in the mentioned periods has not been assessed in its totality and that no assessment has been given of why this processing is considered one long-term administrative violation. On the contrary, subsection 5.7.3 of the contested decision describes in detail why the actual conditions regarding personal data processing for receiving additional services have not changed. Namely, to receive Additional services, the client is still required to be issued a DEPO card, and in order to receive it the customer must fill out the form, submit the personal data requested in the form and agree to the processing of his/her personal data for the purposes specified in the questionnaire. If the customer wants to receive, for example, the additional service - delivery of goods - the customer still needs to fill out the agreement on DEPO card assignment, must submit his personal data and, in accordance with point 1.1 of the agreement on the assignment of a DEPO card, must accept a DEPO card.
The Director of the Data State Inspection additionally explains that the essence of the detected administrative violation is that a customer who wants to receive one of the services offered by DEPO is forced to agree to the processing of personal data also for other personal data processing purposes, for which different legal bases and periods of storage of personal data are indicated.
For example, if a customer wants to receive a product delivery service, then in order to receive this service he must undoubtedly submit, and DEPO must process, the personal data of this customer, such as the delivery address. According to DEPO's privacy policy the legal basis for such processing of personal data is the conclusion and execution of the contract, while the term is 2 weeks after the date of creation of the relevant offer, or 1 month if the offer payment deadline is extended at the customer's request. Thus, the customer can reasonably expect that 2 weeks after the relevant delivery application DEPO will delete his personal data. At the same time, DEPO refuses to provide this service until the customer has agreed to also receive other services offered by DEPO and concluded an agreement or consented to the processing of personal data also for these other, completely unrelated purposes. Namely, the person must agree to receive the service - the granting of a DEPO card - and, for the delivery service to be provided, it is necessary to agree or conclude an agreement on the processing of his data also for the awarding of the card and receiving related services. According to DEPO's privacy policy, such personal data is stored for the entire duration of the contract and for another 10 years after its termination.
There is no legal significance to the legal basis for the processing of personal data - consent or conclusion of the contract - for the purpose of granting the DEPO card, the DEPO has indicated, since the customer is forced in any case "consent" to the processing of your data for the purpose of assigning a DEPO card, even if it wishes to receive a different one altogether does not want to receive an unrelated service and, in fact, a DEPO card and use its benefits. This one the circumstance has not changed as a result of the data processing changes made by DEPO, so what DEPO has done the administrative violation is also considered long-lasting. [7.2.] The Director of the Data State Inspectorate, during the examination of the case, became convinced that in order to also from June 10, 2021, the amount of personal data to be indicated in the application for receiving a DEPO card has been reduced, it is actually still being processed. So, for example, if a person wants to receive service, for the provision of which it is necessary to know the address of the customer (for example, delivery of goods service), this person must submit an additional application, asking to add an additional field of debtor for the account (the purpose is to issue a DEPO card), and personal data is stored not as long as necessary for the purpose of providing an additional service, but is applied to personal data storage period determined in connection with the purpose - the assignment of a DEPO card. I mean, it still does linked and combined processing of personal data for several different purposes without separating specific ones intentions. The DEPO also admitted in its oral explanations that the intention - the granting of a DEPO card - was in fact includes a set of personal data necessary for receiving all additional services. [7.3.] 
At the same time, it should be taken into account that currently, for the purpose of assigning a customer card, the initial amount of personal data to be processed is that which is necessary for the provision of all services - name, surname and contact information. A solution has been introduced in which additional personal data is added only at the moment when a service is requested for the provision of which this personal data is required. Although the data processing necessary for one purpose continues to be extended to other, unrelated purposes, this circumstance will be evaluated when determining the penalty.

[8] Paragraphs 24-29 of the challenge submission provide arguments that the Data State Inspectorate has incorrectly assessed the content of the complaints received from data subjects. In the opinion of the Director of the Data State Inspectorate, these considerations regarding the nuances of the content of the complaints have no relevance to the case, because DEPO wrongly assumes that the substance of the case is based on these complaints. Even if the examination is initiated because information about a possible administrative violation has been provided by a data subject, the Data State Inspectorate does not have to limit itself to what is stated in the complaint. Namely, upon receiving any information that gives reason to believe that an administrative violation is occurring or could have occurred, the Data State Inspectorate has the obligation to carefully examine all the circumstances of the case. The data subject's submission is an impulse that can be a basis for initiating an administrative violation case or any other investigation. The data subject himself is essentially not involved in the further process started on the basis of his complaint, if one is started.
The process initiated on the basis of the data subject's complaint does not create legal consequences for the data subject himself, but rather for the person or institution to which the alleged violation is attributed in the complaint. In the specific case, the Data State Inspectorate has analyzed all the circumstances of the case and reached a conclusion as to exactly how the administrative offense was committed. This violation is clearly formulated in the contested decision. For example, based on the complaint of [..], it was concluded that if a customer wants to receive an invoice for a product, for the issuing of which a personal code is not required, then under the conditions introduced by DEPO this invoice nevertheless cannot be received just because the customer does not want to agree to the processing of personal data for another purpose – receiving a DEPO card – within which a personal code is required. Thus, customers are forced to agree to the processing of personal data to a greater extent than is necessary to receive a specific service. As a result of the examination of the complaints of [..] and [..], it was established that DEPO, when issuing the customer card, obtains the widest possible amount of personal data that could be necessary to achieve each purpose and then processes this data for purposes for which it is not necessary at all. For example, if the client wants to agree only to a specific purpose of personal data processing - processing in order to receive volume discounts - then it is not justified to ask the person for the personal code, because this personal data is not necessary at all to achieve the processing purpose. In view of the above, the Director of the Data State Inspectorate finds that in the contested decision, based on but not limited to the data subjects' complaints, the circumstances of the case are correctly established and the administrative violation is correctly qualified.
At the same time, the statement in DEPO's oral explanations that during its operation in Latvia it has not received a complaint from a resident of Latvia regarding the processing of personal data will be taken into account when determining the punishment.

[9.] Regarding the further considerations expressed in the challenge submission, which relate to the substance of the identified administrative violation, the Director of the Data State Inspectorate states that they will not be considered in the order in which they are expressed in the challenge submission; instead, in order to reflect the nature and elements of the administrative violation as accurately as possible, they will be grouped according to their nature.

[10.] First of all, it is necessary to emphasize that the issuance of the DEPO customer card and the personal data processed as a result is an independent personal data processing purpose that requires a separate legal basis. Also in DEPO's privacy policy, the purpose of data processing – granting a DEPO card – has always been and still is separated from other purposes of personal data processing, including the purpose – provision of additional DEPO services. Different legal bases for data processing and storage periods are also defined for these different purposes [3]. Clause 1 of the rules for granting a DEPO card states that the customer card gives the customer an opportunity to shop more advantageously. The DEPO website also states: "With a store-warehouse DEPO client card it is even more advantageous. You can also receive a Volume Bonus." Essentially, by registering as a DEPO customer and receiving a DEPO card, the customer is granted additional benefits. Namely, the purpose of the customer card is to provide benefits to customers. Additional benefits are only benefits granted to DEPO customers that a person can receive within the service.
If a person, for example, wants to receive a volume bonus or offers for certain quantities of goods, that person agrees or enters into an agreement on its own by prepayment on the processing of personal data in order to receive a DEPO card. [Footnote 3: https://depo.lv/privatuma-politika/ (accessed 06.06.2022)] In this case, certain types of personal data about the person, which are necessary to provide the additional benefits, are entered in the system and, according to DEPO's privacy policy, this data is stored for 10 years after withdrawal of consent or termination of the agreement. Considering that the contested decision does not analyze whether the data processing period for achieving the purpose - receiving additional benefits - is proportionate, the Director of the Data State Inspectorate will not address this issue in this decision either, only noting generally that assigning DEPO cards for the purpose of granting advantages or benefits to the customer is a legitimate purpose and the processing of personal data has a legal basis, which is not questioned in the contested decision. One of the main features of this rule of law is, moreover, that a client who does not want to receive a DEPO card and does not want DEPO to process his personal data can still buy goods and receive services; only the rules for the purchase of these goods and the receipt of services are different. For the purpose of personal data processing - issuing a DEPO card for granting additional benefits - the legal basis could be both a person's consent and an agreement, if the additional benefits cannot be received without processing a certain type of personal data. DEPO's policy of allowing those who only wish to receive discounts to make DEPO cards without specifying personal data.

[11.]
Next, it is necessary to address the question of why the consent of the person cannot be used as the legal basis for receiving additional services and why, in this part, the processing of personal data carried out by DEPO is considered illegal. The legal aspects of the legal basis set out in Article 6, Paragraph 1, Subparagraph "a" of the Data Regulation - the consent of the person – are analyzed in detail in the contested decision, so the Director of the Data State Inspectorate will not consider them further in this decision. One of the key aspects of consent as a legal basis for data processing is that consent can only be a proper legal basis if the data subject is offered a genuine choice to accept or reject the offer and can refuse to give consent without harmful consequences. If the consequences of consent impair the individual's freedom of choice, then the consent is not voluntarily given. The fact that the person cannot receive a service if he does not agree to the processing of his personal data is undeniably considered such a harmful consequence. Therefore, the indication in the challenge submission that DEPO may refuse to provide a certain type of service as long as the person does not provide personal data that is not specifically required for the performance of the service, because in such a case the person can choose another service provider, is unfounded. The European Data Protection Board's guidelines on consent clearly state that consent cannot be considered freely given if the controller claims that a choice exists between its service, which includes consent to the use of personal data for additional purposes, on the one hand, and an equivalent service offered by another controller on the other hand.
In this case, freedom of choice would depend on what other market participants do and whether an individual data subject would consider the services provided by another controller to be truly equivalent. Furthermore, it would mean that controllers are obliged to monitor market developments to ensure that consent to their data processing activities does not cease to be valid, because a competitor could later change its services. Thus, the use of this argument means that consent based on an alternative offered by a third party does not comply with the Data Regulation, which means that the service provider cannot deny data subjects access to the service on the basis that they do not consent. [Footnote 4: Guidelines of the European Data Protection Board of May 4, 2020 No. 05/2020 on consent in accordance with Regulation 2016/679] Thus, as established in the contested decision, DEPO may need to receive personal data from customers, including the personal code, to ensure the provision of certain services or to fulfill the requirements set out in regulatory acts, but DEPO is not entitled to perform such processing (acquisition and storage) of personal data on the legal basis of Article 6, Clause 1, letter "a" of the Data Regulation. At the same time, such processing of personal data may be carried out on another legal basis, for example, Article 6(1)(b) of the Data Regulation – processing is necessary for the performance of the contract. It also follows from the oral explanations provided by DEPO that personal data is in fact collected and processed in DEPO's legitimate interests to ensure lawful processing of transactions, including avoiding possible illegal transactions; to ensure the performance of the service, because the service cannot be provided without the relevant personal data; and to comply with the requirements of regulatory acts that oblige DEPO to process and store certain personal data for a certain period of time.
DEPO uses consent as a legal basis because it mistakenly believes that consent essentially performs the same function as informing a person.

[11.1.] It is obvious from the challenge submission that DEPO has not understood the cases in which the legal basis referred to in Article 6, Paragraph 1, Subparagraph "a" of the Data Regulation - consent of the individual - may be applied to personal data processing. The challenge submission, for example, mentions that DEPO has grounds to receive certain data that are necessary for the provision of these services. In addition, DEPO as data controller has chosen the client's consent as the main basis for receiving this data. This claim contains a number of mutual contradictions: if the service cannot be provided without processing personal data, then the person's consent, as already mentioned in point 11 of this decision, may not be an appropriate legal basis for processing personal data. Namely, Article 4(11) of the Data Regulation requires the data subject's consent to be given freely. According to Article 7, clause 4 of the Data Regulation, freely given consent means that the provision or non-provision of the service must not be made conditional on such consent. For example, if for the provision of a goods delivery service it is necessary to process the customer's delivery address and this service cannot be provided without the processing of this data, the processing of personal data must be based on Article 6, paragraph 1, subparagraph "b" of the Data Regulation - personal data processing is necessary for the performance of the contract. Likewise, the storage period for this personal data should be determined by assessing the purpose for which this data is processed.
DEPO's privacy policy mentions this data processing purpose and determines the storage period of personal data obtained for this specific purpose - 2 weeks after the date of creation of the relevant offer or 1 month if the offer payment deadline is extended at the customer's request. In practice, however, the situation is that, when a person requests a particular service, it is refused unless the person agrees to the processing of his personal data for an unrelated purpose - the issuance of the DEPO card and the receipt of benefits. So the person has to provide all his personal data, including data that is not required for receiving the goods delivery service, in order to receive the DEPO card, and then DEPO uses this personal data, which the customer provided in order to receive a DEPO card, for the provision of another, unrelated service, namely for another purpose of personal data processing. In view of the above, the Director of the Data State Inspectorate agrees with the statement in the challenge submission that DEPO does not and cannot have a legal obligation to provide certain individual services to persons whom DEPO cannot identify, provided that these services cannot be ensured without processing of personal data and that a person is not denied a service only because he has not consented to the processing of his personal data for other purposes.

[11.2.] The challenge submission especially highlights that, when signing the questionnaire to receive a DEPO card, the person agrees to the processing of personal data for, among others, such purposes as specifying personal data in the accounting justification documents, returning the purchase fee or part of it to the person on the DEPO card, etc.
It must be repeated that any kind of personal data processing which the controller is obliged to carry out under the law cannot be based on the consent of the individual, as the processing of personal data is mandatory in order to provide the specified service. If the person does not agree to the processing of his personal data, this service cannot be provided at all; thus the consent is not considered freely given within the meaning of Article 7, Paragraph 4. In essence, the controller has justified the processing of personal data for different purposes with one legal basis – consent – that does not correspond to the actual conditions of personal data processing. The controller's obligation is to identify all personal data processing operations performed, to group these processing operations according to purpose and to identify the legal basis that is appropriate for the stated purpose. Subparagraphs "b", "c" and "f" of Article 6, Clause 1 of the Data Regulation can serve as such a legal basis. Finally, according to the determined purpose and legal basis, the scope of personal data to be processed, the storage period and other conditions of personal data processing can be determined.

[12.] Based on the considerations mentioned in paragraphs 10-11 of this decision, it can be concluded that in cases where the customer wants to receive an additional service, it is illegal for DEPO to ask the customer to fill out a questionnaire for receiving a DEPO customer card and to consent or enter into an agreement on the processing of personal data that is not related to the receipt of the specific service. This type of behavior results in, firstly, the customer's consent to the processing of personal data for the purpose of receiving a DEPO customer card no longer being considered freely given, as the person does not have the right to refuse the processing of personal data if he wishes to receive the service.
Second, personal data is processed excessively, because the questionnaire for receiving the customer card requests personal data in a wider scope than is specifically required for receiving the service. At the same time, the Director of the Data State Inspectorate, based on the oral explanations provided by DEPO, notes that currently personal data is processed only to the extent necessary for receiving a specific service; for example, the delivery address is added to the customer's account only when it is necessary for the execution of the specific service. At the same time, after this data is obtained, it is also processed for other purposes and for the provision of other services which the person did not request at the time the personal data was obtained.

[12.1.] The challenge submission states that the official of the Data State Inspectorate has not understood DEPO's model of cooperation with buyers and thus tries to create a false impression, without any factual basis, that DEPO obliges buyers to obtain a DEPO customer card. As the basis for this argument, DEPO indicates that only buyers who want to receive additional benefits – volume bonuses – or additional services, for example for the construction of an individual house, an invoice with details, or delivery of goods, must take out a personalized customer card, because DEPO provides such services only if it is possible to identify their recipient. In addition, according to DEPO's oral explanations, customers themselves often want to obtain from DEPO afterwards personalized information about the services they have used and paid for, in order to submit documents to the State Revenue Service or to use them in legal proceedings as evidence of the origin of property.
Considering that the number of customers in the stores is very large, obtaining a DEPO card is the most convenient way for customers to get an instant service where the buyer is identifiable. First of all, the Director of the Data State Inspectorate notes that it is important to distinguish between two concepts - additional benefits and additional services. As already mentioned in paragraph 10 of this decision, additional benefits are additional advantages for the customer that do not affect the receipt of the service as such. The provision of additional services, in turn, is separable from benefits in receiving services. Namely, if the person initiates the receipt of a service and the provision of this service requires the processing of personal data, then the legal basis for such processing of personal data is Article 6, paragraph 1, subparagraph "b" of the Data Regulation. For example, if a person wants to have goods delivered to his home, this service cannot be performed without processing data about the delivery address. It is also correctly mentioned in the contested decision that Article 11 DEPO may need to process certain types of personal data for the provision of services. As already indicated above, the data processing violation manifests itself in the fact that DEPO does not provide services to its clients at all until they have consented or entered into an agreement on the processing of their personal data for a completely different purpose – granting a DEPO card, receiving benefits and so on – that is, on the processing of personal data that is not necessary for receiving the specific, requested service. In compliance with the above, consent to the processing of personal data for the purpose of receiving a DEPO card is considered freely given and thus legal.

[12.2.] It is important to distinguish between consent to receive a service and consent to the processing of personal data; they are not the same.
The mere fact that a person has initiated the receipt of a service does not mean that the legal basis for the processing of personal data will automatically be the consent of the individual. For example, in cases where a person asks to be issued an invoice, the controller has, according to legal norms, a certain obligation to process personal data. In this case, the legal basis for personal data processing is the legal obligation referred to in Article 6(1)(c) of the Data Regulation, regardless of the fact that the invoice has been requested by the data subject. At the same time, the controller cannot make the provision of the service dependent on whether the customer agrees to provide more personal data than is specifically required for the performance of the service. If, for example, a person wants to receive a service such as sewing curtains, then it is unreasonable to ask the person to agree to the processing of his address, as this data is not necessary for the performance of the service and invoicing. The mere fact that a person's address may be needed to receive another service offered by DEPO does not mean that the person must provide this data within a different service, because this person does not want to receive services for the performance of which the address must be processed. In view of the above, DEPO processes personal data to a wider extent than is necessary to achieve the purpose, thus violating the principle of data minimization.

[12.3] DEPO points out that its privacy policy sets out a number of DEPO's legal interests and lists the purposes for which personal data is processed.
As already mentioned, the essence of the case is not that DEPO had incorrectly identified the purposes of personal data processing in the privacy policy, but rather that a person, in order to receive a service for the provision of which a specific type of personal data is not required, is forced to provide more personal data for purposes not applicable to the requested service.

[13.] Finally, it must be concluded that, because DEPO has combined the processing of personal data for different, mutually separable and unrelated purposes in one questionnaire, in filling out which the person must provide his personal data to achieve all the purposes, DEPO has violated the principle of data minimization. Although DEPO's privacy policy separates the different purposes of data processing, DEPO itself has stated that filling out the questionnaire for receiving a DEPO card (for an identified customer) / natural person and concluding an Agreement on the assignment of a DEPO card to a natural person have several purposes, including those not related to offering and providing additional services, as well as several legal bases. The aforementioned conclusion was also confirmed by DEPO in oral explanations. Thus, regardless of the purpose for which personal data is processed, DEPO, by requesting that a personal customer questionnaire be filled out for assigning a DEPO card, actually collects personal data for all data processing purposes that may arise in the future. These personal data processing purposes are not separated from each other, and personal data is thus processed in an excessive amount. In essence, DEPO should divide the questionnaire, or the client should be given the opportunity to fill in only certain fields (provide personal data to a certain extent) depending on the specific purpose and legal basis of data processing, and the customer's consent should be requested only in the case when the client really has freedom of choice.

[13.1.]
The challenge submission states that the contested decision does not specify any norm that would oblige DEPO to provide services to customers whom DEPO cannot adequately identify. The Director of the Data State Inspectorate points out that this obligation of DEPO follows from the principle of data minimization contained in Article 5, paragraph 1, letter "c" of the Data Regulation. Namely, according to this principle, DEPO does not have the right to process personal data that is not specifically required for the provision of the service. For example, if a person wants to use a curtain sewing service, it is not necessary to obtain data on the person's social security code or residence just because DEPO wants to identify the customer who requested the service, or because such data processing might be necessary for the provision of another service which the client has not currently requested and does not plan to request. If DEPO has chosen to provide a service, it must, in providing it, comply with the regulatory framework in force in the country, including the Data Regulation. Otherwise, a merchant could in the same way justify wanting to provide its service only to persons of a certain skin color, gender or nationality, because it is its absolute right to decide to whom to offer this service.

[14.] The challenge submission states that the applied fine is unreasonable and excessive.

[14.1] Regarding DEPO's repeated reference to the fact that the legal basis for granting the DEPO card has changed, an assessment has already been provided in paragraph 7 of this decision, finding that the period of the violation has been determined correctly; thus this circumstance has no effect on the applied fine.

[14.2.] DEPO's reference to the fact that the fine applied to DEPO significantly exceeds other penalties applied by the Data State Inspectorate, as well as penalties applied in other countries, is considered unjustified.
The supervisory authority has discretion in setting penalties and assesses the circumstances of each case. The mere fact that a lesser penalty has been imposed on another controller does not give grounds for demanding a penalty reduction, because the cases indicated in the challenge submission differ in both factual and legal circumstances. Namely, DEPO is not in the same and comparable conditions as those persons on whom a fine has been imposed for other violations of personal data processing.

[14.3.] The challenge submission states that the applied fine does not meet the conditions set forth in Article 13 of the Law on Administrative Responsibility, as the amount of the fine is one that can prevent DEPO from conducting further business. In particular, it is necessary to take into account that the fine amounts to more than 28% of DEPO's 2020 profit. In the opinion of the Director of the Data State Inspectorate, the fine imposed generally achieves the elements defined in the Law on Administrative Responsibility, such as protection of public order, punishment for the offense committed, and deterring the person who committed the administrative offense and other persons from further administrative violations. Namely, a significant fine both reinforces the binding nature of certain legal norms and expresses an official condemnation of illegal actions, and ensures that the offense is no longer committed by the punished person or by other persons. At the same time, it must be agreed that the element of restorative justice enshrined in Article 13 of the Law on Administrative Responsibility has not been complied with. That is to say, any offense disrupts the order and justice existing in society, while the punishment for a committed offense should be determined in such a way as to restore the disturbed balance.
Rebalancing means that the appropriate penalty can be neither one that does not create any tangible consequences for the offender himself and does not provide satisfaction to the victims, nor one that burdens the violator to such an extent that it not only deters him from further unlawful actions but creates a risk of not being able to engage in commercial activity at all. For the imposed penalty to meet the element of justice, it should be proportionate to the offense committed. According to the Director of the Data State Inspectorate, a fine amounting to almost a third of the year's profit is not proportionate to the offense committed and can be reduced. Questions related to the nature of the offense committed and indicating disproportionality will be discussed in the following text of the decision.

[15.] The Director of the Data State Inspectorate finds that, when imposing the penalty, not all circumstances characterizing the committed administrative violation were taken into account. According to Article 83, Clause 1 of the Data Regulation, the supervisory authority must ensure that the fines applied for violations of this regulation are effective, proportionate and dissuasive in each individual case. In accordance with Article 83, paragraph 2 of the Data Regulation, when determining the amount of the penalty, the supervisory authorities should take due account of several elements that indicate the nature and seriousness of the offense or the offender's attitude towards the offense committed. In the same way, it is necessary to take into account other elements that are important in the case, even if they are not directly listed in paragraph 2 of Article 83 of the Data Regulation.
Although the internal tool of the Data State Inspectorate - The mechanism for determining the amount of administrative fines for companies and individuals – was reasonably applied in determining the penalty, in the opinion of the Director of the Data State Inspectorate it was additionally necessary to assess whether, in the specific case, any additional conditions or criteria not reflected in this tool may apply. The guidelines developed by the European Data Protection Board on the application of administrative penalties [5] (hereinafter – Guidelines for the Application of Administrative Penalties) can also be taken into account.

[15.1.] In accordance with Article 83, paragraph 2, subparagraph "a" of the Data Regulation, it is necessary to take into account the nature, severity and duration of the violation, taking into account the type, extent or purposes of the relevant data processing, as well as the number of affected data subjects and the damage caused to them. As can be seen from subsection 6.3 of the contested decision, when assessing the amount of the penalty, the nature, duration and extent of the violation and the damage caused to the data subjects were taken into account. At the same time, the severity of the violation, which is one of the most important aspects in the application of punishment, and the purpose of data processing were not assessed. The Guidelines for the Application of Administrative Penalties stipulate that the severity of the violation can be assessed taking into account the specific circumstances of the particular case. The gravity of the violation is indicated by the context in which personal data processing is carried out, for example a business, a non-profit organization or a political party. In the specific case, the Director of the Data State Inspectorate agrees that the fact that DEPO is a retail company, whose largest cost item is the cost of goods purchased for resale, was unreasonably not taken into account.
It is essential to take into account that for information technology companies subject to the provisions of the Data Regulation, the main source of profit is based directly on the processing of personal data; therefore, firstly, the percentage of profit from turnover is significantly higher and, secondly, the financial and manpower resources that go into ensuring compliance with the Data Regulation are greater, as is the risk of harm to data subjects. Also, the Guidelines for the Application of Administrative Penalties state that it is necessary to take into account whether the purpose of processing personal data is to observe or evaluate personal aspects or to make decisions that may have negative consequences for the data subject, as well as existing inequalities between the controller and the data subject, for example in cases where the data subject is a child, student, employee or patient. Considering the fact that the Director of the Data State Inspectorate sees one aspect that could testify to the special gravity of the offense, the applied fine can be significantly reduced, especially taking into account the fact that the controller is a retail company, which was additionally affected by the measures implemented for the prevention of Covid-19. Regarding the purpose of processing personal data, the Guidelines for the Application of Administrative Penalties recommend taking into account whether the processing of personal data is related to the controller's core activity. The Director of the Data State Inspectorate considers this to be one of the most important aspects to be taken into account when evaluating the severity of the offence. [Footnote 5: Guidelines 04/2022 on the calculation of administrative fines under the GDPR, Adopted on 12 May 2022 – version for public consultation (the guidelines are currently out for public consultation and their text may change).]
Namely, if the processing of personal data is related to the main activity of the controller, the controller must accordingly pay greater attention to it, and the controller cannot plead insufficient knowledge of the regulatory framework. In the specific case, the processing of personal data is not related to DEPO's core business, but is performed to provide additional benefits or additional services to clients. In view of the above, this aspect should be taken into account to determine a lower penalty.

[15.2.] In accordance with Article 83, paragraph 2, subparagraph "b" of the Data Regulation, it is necessary to take into account whether the violation was committed intentionally or due to negligence. Although the contested decision generally states that DEPO has not previously been administratively punished, has reviewed the Privacy Policy several times, has reduced the amount of personal data provided in the questionnaires and has cooperated with the institution, no conclusion was made as to whether the violation was committed intentionally or due to negligence, which plays an important role in determining the penalty. Taking into account the evidence obtained in the contested decision, in the opinion of the Director of the Data State Inspectorate it is sufficient to conclude that the administrative violation was committed due to negligence. DEPO has tried to align its personal data processing activities with the requirements of the Data Regulation and has attracted specialists to ensure the fulfillment of the requirements set out in the regulatory acts. At the same time, signs of insufficient care and carelessness are visible, perhaps in the selection of specialists who are not sufficiently qualified to evaluate personal data processing activities when making changes to the data processing policy chaotically, without forming a systematic approach to the matter.
Taking into account the mentioned circumstances, the Director of the Data State Inspectorate recognizes the severity of the violation as low. According to the Guidelines for the Application of Administrative Penalties, in cases where the severity of the violation is low, the initial penalty point should be set at 0-10% of the applicable maximum penalty.

[15.3.] When determining the initial penalty point in the range of 0-10%, it should also be taken into account that DEPO's turnover, exceeding 250 million per year, is considered high. The Director of the Data State Inspectorate believes that, although the severity of the violation is low, taking into account DEPO's visible lack of due diligence in deciding questions about personal data processing, as well as DEPO's considerable turnover, it is justified to set the initial penalty point at 10% in the amount specified in the contested decision, namely 10% of the daily turnover, which amounts to 72897. At the same time, taking into account what was found in the contested decision, including but not limited to the significant duration of the infringement and the number of data subjects affected, the coefficient of 6 applied to the initial penalty point, which totals 437,382 euros, is to be preserved.

[16.] At the same time, in accordance with the Guidelines for the Application of Administrative Penalties, after the mathematical calculation of the penalty it is possible to adjust the penalty by evaluating whether it achieves the goals of punishment set in the Data Regulation, that is, whether it is effective, proportionate and dissuasive. The amount of the fine should be determined in accordance with the context of the offense.

[16.1.] Regarding the effectiveness of the penalty, it must be assessed whether it is suitable for securing compliance of personal data processing with the Data Regulation and for punishing the controller.
The Director of the Data State Inspectorate finds that, although the punishment is suitable for punishing the controller, it is not suited to facilitating compliance with the Data Regulation. It should be noted that throughout the administrative infringement process DEPO has tried to align its personal data processing with the requirements of the Data Regulation and continues to do so now, according to the information provided in the oral explanations. In view of the above, the imposition of a significant fine would not motivate the controller to ensure compliance with the requirements of the Data Regulation but, on the contrary, could create an understanding that, regardless of whether proactive action is taken and regardless of the controller's subjective attitude, the violation will be subject to the same fine. In the opinion of the Director of the Data State Inspectorate, the most important thing is to ensure that controllers are motivated to make improvements to their personal data processing without the use of coercive mechanisms. In cases where disinterest, inaction or deliberate avoidance of effective tools for ensuring compliance with the Data Regulation is observed on the part of the controller, a more significant fine should be considered, while where the controller's actions show a desire to ensure compliance with the regulatory framework for data processing, a smaller fine should be applied.

[16.2.] The principle of proportionality dictates that the penalty applied should not exceed what is necessary to achieve the goal. If it is possible to achieve the goal by several means, the less burdensome one should be chosen. When assessing proportionality, the violation must be viewed as a single whole, paying attention mainly to the gravity of the offense as such.
Although the Director of the Data State Inspectorate agrees that the administrative violation has been correctly qualified, that the type of administrative penalty, a fine, has been correctly chosen and that the Mechanism for determining the amount of administrative fines has been correctly applied, the fine nevertheless needs to be adjusted to comply with the principle of proportionality. In the specific case, it is essential to take into account that, according to the information DEPO provided in its oral explanations, the processed personal data are not used for marketing purposes, for business planning, or for any other activity that is not directly related to the provision of the service to the specific person or the fulfillment of the requirements of regulatory acts. Namely, DEPO does not get any economic benefit from personal data processing. In view of the above, the administrative fine is, regardless, sufficient reason for the controller to be motivated to prevent the detected violations. Applying a lower administrative fine does not mean that the violation can continue. Thus, if DEPO's violation continues, the Data State Inspectorate would have the right to impose a penalty for the same violation, this time considering the controller's failure to prevent the violation in time as an aggravating circumstance. It should also be taken into account that the offense was committed due to a misunderstanding. According to the considerations expressed during the review of the administrative case, DEPO has tried to inform customers while applying the wrong legal bases, and has not yet understood the nuances of separating the various purposes of data processing. In the view of the Director of the Data State Inspectorate, the application of even a small administrative fine would be sufficient to motivate DEPO to engage qualified data protection specialists and prevent the detected violations.

[16.3.]
Taking into account the above, the Director of the Data State Inspectorate believes that correcting the fine by setting it at 4% of the initially calculated amount, i.e. applying a fine in the amount of 17,495 euros, would be sufficient to deter DEPO from further data processing violations.

[17.] At the same time, taking into account the powers of the Data State Inspectorate specified in Article 58, paragraph 2, subparagraphs "d" and "i" of the Data Regulation, the Director of the Data State Inspectorate considers it necessary to impose on DEPO the obligation to bring its data processing activities into line with the Data Regulation by December 1, 2022, to develop a data protection impact assessment and to submit it to the Data State Inspectorate by December 15, 2022.

Taking into account the above and in accordance with Article 132, Article 168, first part, of the Law on Administrative Responsibility, Article 172 and Article 173, first part, point 4, and Article 58, paragraph 2, subparagraphs "d" and "i" of the Data Regulation, the Director of the Data State Inspectorate decided:

1. to amend the decision of May 10, 2022 No. [..] ([..]) On the application of the penalty in the part on the amount of the administrative fine, determining that SIA "DEPO DIY", registration number 50003719281, legal address Noliktavu iela 7, Dreilini, Stopiņu parish, Ropaž district, for the commission of an administrative violation provided for in Article 83, paragraph 5, subparagraph "a" of the Data Regulation, shall be subject to an administrative fine in the amount of EUR 17,495 (seventeen thousand four hundred and ninety-five euros).

2. to impose an obligation on DEPO, until 20221., to bring its data processing activities into line with the Data Regulation, to develop a data protection impact assessment and to submit it to the Data State Inspectorate by December 15, 2022.
The fine shall be paid in full at any banking institution no later than one month from the day this decision enters into force; after the expiry of the term for voluntary execution of the fine, this decision will, in accordance with Articles 262 and 269 of the Law on Administrative Responsibility, be immediately handed over to a sworn bailiff for execution.

Details for paying the fine:
Beneficiary: State Treasury
Registration No.: 90000050138
Account No.: LV69TREL1060191019200
Beneficiary BIC code: TRELLV22
Notes: Indicate the number of this decision.

The fine applied in the administrative violation process, reimbursable procedural costs and damages to natural resources can be paid on the portal www.latvija.lv using the e-service "Administrative fines check and payment".

Please note that, according to Article 568 of the Civil Procedure Law, voluntary execution of the decision after the enforcement document has been submitted for enforcement does not remove the obligation to compensate the bailiff for the enforcement expenses.

At the same time, we inform you that the Company, in accordance with the second and third parts of Article 266 of the Law on Administrative Responsibility, has the right to execution of the fine in parts if there are objective circumstances due to which it is not possible to execute the penalty decision in full within the term of voluntary execution of the fine.
In accordance with the first part of Article 184 and the first part of Article 186 of the Law on Administrative Responsibility, DEPO can appeal the decision within 10 working days from the day the decision in the administrative infringement case was announced, to the district (city) court at the registered address of the Company, by submitting a complaint to the Data State Inspectorate (Elijas iela 17, Riga, LV-1050), which, within three working days after the expiry of the term for submitting a complaint, sends the complaint together with the case materials to the district (city) court upon approval.

Director J. Macuka [..]