DVI (Latvia) - SIA "TET": Difference between revisions
mNo edit summary |
|||
(2 intermediate revisions by 2 users not shown) | |||
Line 83: | Line 83: | ||
=== Holding === | === Holding === | ||
Although the decision focuses mainly on re-assessing the final amount of the administrative fine, the DPA briefly recalled the material | Although the decision focuses mainly on re-assessing the final amount of the administrative fine, the DPA briefly recalled the material violations. The Latvian DPA noted that the controller had made a mistake in not ensuring the accuracy of personal data before sending it to debt recovery services for the purpose of assessing the data subject's solvency prior to formation of a service contract. The service was provided and connected without an identity check nor the data subject's confirmation of the contract. This resulted in the personal data of a minor being transferred to a debt recovery service. The DPA found that the transfer of unverified personal data violated [[Article 5 GDPR|Article 5(1)(a)]] and [[Article 5 GDPR|(d) GDPR]]. | ||
Additionally, by posting documents | Additionally, by posting documents containing unverified and innacurate personal data in the controller's internal customer self-service system under the respective user account, the controller disclosed the personal data of the data subject (name, surname, date of birth and home address) to third parties. This violated [[Article 5 GDPR|Article 5(1)(a)]] and [[Article 5 GDPR|(f) GDPR]]. | ||
The controller also compared the personal data of old (including former customers) and new customers available in its database in violation of [[Article 5 GDPR|Article 5(1)(a), (b), (d) and (e) GDPR.]] Furthermore, there was no legal basis for these processing operations under [[Article 6 GDPR#1|Article 6(1) GDPR]]. | The controller also compared the personal data of old (including former customers) and new customers available in its database in violation of [[Article 5 GDPR|Article 5(1)(a), (b), (d) and (e) GDPR.]] Furthermore, there was no legal basis for these processing operations under [[Article 6 GDPR#1|Article 6(1) GDPR]]. | ||
Line 94: | Line 94: | ||
== Comment == | == Comment == | ||
This decision does not give a detailed overview of the material violations in the case. It seems that the full legal reasoning on material violations of the GDPR was included in another decision by the Lativan DPA, which was not published. | |||
== Further Resources == | == Further Resources == |
Latest revision as of 15:46, 2 November 2022
DVI - Decision of 9 September 2022 | |
---|---|
Authority: | DVI (Latvia) |
Jurisdiction: | Latvia |
Relevant Law: | Article 5(1)(a) GDPR Article 5(1)(b) GDPR Article 5(1)(d) GDPR Article 5(1)(e) GDPR Article 5(1)(f) GDPR Article 6(1) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 09.09.2022 |
Fine: | 1,200,000 EUR |
Parties: | Tet |
National Case Number/Name: | Decision of 9 September 2022 |
European Case Law Identifier: | n/a |
Appeal: | Pending appeal |
Original Language(s): | Latvian |
Original Source: | DVI (in LV) |
Initial Contributor: | n/a |
The Latvian DPA fined an internet service provider €1,200,000 for disclosing unverified personal data of customers to debt recovery services against Articles 5(1) and 6(1) GDPR.
English Summary
Facts
Tet (the controller) is an internet service provider which also offers additional services in the telecommunications and entertainment sectors. The Latvian DPA started an ex officio investigation into the controller's data processing practices. Specifically, it looked into the transfers of customers' (data subjects) data to out-of-court debt recovery service providers. The controller claimed that these transfers were carried out for the purpose of, among others, checking the solvency of data subjects when preparing a contract.
In the course of the investigation, the DPA found that the solvency checks with a debt recovery service happened without prior identity checks of the data subjects. In one case, because the controller had not verified the accuracy of the information provided by a customer, personal data of a minor was transferred to the debt recovery service.
On 15 July 2022, the DPA issued the original decision imposing the fine. On 2 August 2022, it received the controller's request for an oral hearing to express that the fine, among others, was disproportionate and not accurate, in addition to the proceedings before the DPA exceeding the time limits and allegedly not allowing the controller to exercise its rights.
Holding
Although the decision focuses mainly on re-assessing the final amount of the administrative fine, the DPA briefly recalled the material violations. The Latvian DPA noted that the controller had made a mistake in not ensuring the accuracy of personal data before sending it to debt recovery services for the purpose of assessing the data subject's solvency prior to formation of a service contract. The service was provided and connected without an identity check nor the data subject's confirmation of the contract. This resulted in the personal data of a minor being transferred to a debt recovery service. The DPA found that the transfer of unverified personal data violated Article 5(1)(a) and (d) GDPR.
Additionally, by posting documents containing unverified and innacurate personal data in the controller's internal customer self-service system under the respective user account, the controller disclosed the personal data of the data subject (name, surname, date of birth and home address) to third parties. This violated Article 5(1)(a) and (f) GDPR.
The controller also compared the personal data of old (including former customers) and new customers available in its database in violation of Article 5(1)(a), (b), (d) and (e) GDPR. Furthermore, there was no legal basis for these processing operations under Article 6(1) GDPR.
The DPA took into account the objections raised by the controller during the oral hearing. Regarding the argument that the administrative violation process had been disproportionately long, the DPA stated that although the investigation and review procedure, indeed, extended the statutory time limits, such a procedural violation could not alter the final decision. Considering the argument that the severity of the infringement had been wrongly assessed, the DPA replied that, in light of Article 83 GDPR and the controller's yearly turnover, the fine was proportionate to the repeatedly found inconsistencies and violations in the discussed processing operations.
The DPA imposed a €3,200,000 fine on the controller, which was reduced to €1,200,000 considering mitigating circumstances, such as the cooperation of the controller and measures taken to remedy the violations.
Comment
This decision does not give a detailed overview of the material violations in the case. It seems that the full legal reasoning on material violations of the GDPR was included in another decision by the Lativan DPA, which was not published.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Latvian original. Please refer to the Latvian original for more details.
Elijas iela 17, Riga, LV-1050, tel. 67223131, e-mail pasts@dvi.gov.lv, www.dvi.gov.lv Riga SIA "Tet" [..] In case no. [..] The decision In Riga, the date can be seen in the time stamp no. [..] [1] On July 15, 2022, the State Data Inspectorate (hereinafter - the Inspectorate) adopted a decision No. [..] On the imposition of a penalty (hereinafter - the decision) in administrative violation case no. [...] (further – case), recognizing SIA "Tet", registration number 40003052786, legal address: Dzirnavu iela 105, Riga, LV-1011 (hereinafter - Tet) for being guilty of the General Data Protection Regulation (hereinafter - Data regulation)83. Article 5 in committing an administrative offense provided for in sub-paragraph a), applying Tet conditional partial release from fine, i.e. reducing the amount of EUR 3,200,000.00 applied (three million two hundred thousand euros, 00 cents) in the amount of 50 percent, determining the final fine 1,600,000 (one million six hundred thousand euros, 00 cents). The decision was announced on Tet 2022 July 15 by sending it to Tet's email address. [2] The decision found the following circumstances and is based on the following considerations: [2.1.] Inspection officials [..] (hereinafter – official) are included in the case materials Report No.[..] of January 4, 2022 "On the actions of SIA "Tet"" (hereinafter - the report). In accordance with stated in the report, the Inspectorate received the State Police of the Vidzeme Region on August 9, 2021 the application sent by the administration's Valmiera precinct [..] dated June 19, 2021 together with the Police to the materials of departmental inspection regarding the fact that when applying for a contract for electronic communication services with Tet, the personal data of [..] minor sister, [..] were used. It follows from the Submission that the 2021 On June 16, [..] received a letter from SIA "Creditreform Latvija" (hereinafter - Creditreform) stating that On June 15, 2021, Tet has submitted an application to Creditreform for out-of-court debt recovery from [..]. Tet, giving an answer to the Procedures of the Liepāja station of the Kurzeme Region Administration of the State Police to the police department's request for information No.[..], in the response letter No.[..] of July 22, 2021 explained that on December 17, 2020, the service "Tet + 1 Regulation No. 2016/679 of the European Parliament and the Council of April 27, 2016 on the protection of natural persons in relation to processing of personal data and free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) 2 Registered in the inspection with No. [..]. 2 Films and Serials (Shortcut)" in [..] (p.k. [..]) name, but persons with personal code [..] between Tet customers do not. The contract and its appendix on the Service were not signed by the client, as well was not electronically approved in the Tet customer self-service system www.manstet.lv (hereinafter - Mans Tet). Considering that the payment for the services rendered was not made, Tet sent several times warning letters, but on 15 June 2021 the debt obligations were transferred to Creditreform. Taking into account the above, the Inspectorate requested additional information from Tet about the personal data provided by Tet processing, applying and confirming services on the Tet website www.tet.lv and Mans Tet, as well as transferring customer's debt obligations to debt recovery service providers, and Tet referring to DVI request, submitted his explanation. 4 [2.2] In the explanation, Tet indicated that the customer has the option on the website https://tet.plus (hereinafter - Tet+) apply for services by filling out the application in electronic form, indicating in it information necessary for concluding and executing the contract: name, surname, personal identification number (if new format personal code, then it is also necessary to specify the date of birth), mobile phone number, e-mail address and residential address. Tet explained that when filling out the application the personal code field is checked for syntax by the Citizenship and Migration Office personal code verification tool prepared by the administration (hereinafter - PMLP). From now on, the application is made processed and created a contract that is placed in My Tet. The contract can be approved by the customer My Tet, by authorizing with the internet bank. Thus, the Tet+ postpaid service can be connected by an adult a person whose identity is verified at the conclusion of the contract, which is possible only after internet bank authorizations. In the event that incorrect or false data is entered during the application phase, a contract cannot be created or it cannot be approved because the authorization with the internet bank at acceptance of the contract shows a sign of error. Regarding the transfer of customer's personal data to debt recovery service providers, Tet explained that the debt resulting from the concluded contract is transferred for collection (the contract is approved, identifying the customer with the internet bank), and that, among other things, it is checked when submitting the debt for collection solvency status of the person. After evaluating the information provided by Tet, it was found that in the case mentioned in the Submission, Tet transferred debts to Creditreform arising from an agreement that was not signed or approved when authorizing in the internet bank, the client's identification and the correctness of the submitted information were not carried out verification, which resulted in the transfer of personal data of a minor ([..]) to Creditreform. [2.3] In view of the above, the Inspection official decided to start an inspection on service application online. As a result of the inspection, the following was found: [2.3.1.] On December 9, 2021, an inspection of the Tet+ website was carried out, during which it was found that the Tet operator made a call not to the phone number indicated in the application, but to the phone number of the person whose personal code was specified in the application. 6 [2.3.2.] On December 16, 2021, a repeated inspection of the Tet+ website was carried out, which as a result, it was concluded that Tet used foreign persons whose personal identification number was obtained for the preparation of the contract specified in the application, data (not the data that was specified in the application itself), without the knowledge of this person and consent without taking any steps to verify the information provided in the application correctness and not identifying the client before preparing the contract and the relevant service providing. [2.3.3.] On December 22, 2022, a new inspection of the Tet+ website was conducted, during which it was established that Tet had used the incorrect information specified in the application form for the preparation of the contract 3 4 Inspection letter of October 28, 2021 No.[..] "Regarding information request". 5 Here letter of November 23, 2021 No.[..] (registered in the Inspection with No.[..]). 6 Inspection report of December 14, 2021 No. [..]. 7 Inspection report of December 20, 2021 No. [..]. Inspection report of December 27, 2021 No. [..]. 3 personal data without verifying the correctness of the information provided and the customer's identity before the contract preparation and provision of the relevant service, as the service was applied for using personal code of a minor. [2.4] In order to find out the existence or non-existence of an administrative violation, the examination of the case in the course of the Tet, information was requested several times. [2.5] An inspection was carried out on June 14, 2022, during which it was established that Tet+ postpaid application of the service is possible only after verifying the user's identity with the internet bank authentication. [2.6] Taking into account the information obtained during the inspection, as well as the explanations provided by Tet indicated, the Inspection officer found several violations committed by Tet: 1) the customer, when applying for an electronic communication service, is provided with the service and connected without the customer confirming the contract. Thus, Tet processes the data of persons without identity has been verified, thus violating Article 5, Clause 1, subparagraphs a) and d) of the Data Regulation; 2) for the person who has not approved the contract, Tet issues an invoice for the provided electronic for communication services, recording and storing personal data in regulatory accounting in accordance with the procedures and deadlines specified in regulatory enactments. Thus, Article 5 of the Data Regulation is violated Clause 1 a) and d), moreover, such data processing takes place without Article 6 Clause 1 of the Data Regulation the prescribed legal basis; 3) of the customer who has not confirmed the contract in the order specified herein and who has not printed the invoice payment, personal data was transferred by Tet to an extrajudicial debt collection company. Thus it is Article 5, Clause 1, subparagraphs a) and d) of the Data Regulation have been violated, moreover, such data processing takes place without The legal grounds specified in Article 6, Clause 1 of the Data Regulation; 4) by placing the mentioned contracts in the relevant Tet customer self-service system www.manstet.lv in the user account, Tet discloses (transmits) the data of the owner of the personal code (name, surname, date of birth and residential address) to third parties who used this person's data. This constitutes a violation Article 5, Clause 1, subparagraph a) and f) of the Data Regulation; 5) Tet processes (compares) personal data of new customers with customers available in its database (also for former) data. Thus, Article 5, Clause 1, subparagraph a), b), d) and e) of the Data Regulation are violated. [3] On August 2, 2022, the Inspectorate received Tet's August 1, 2022 complaint about the decision (hereinafter - the complaint), asking to consider the case in an oral process, cancel the decision in its entirety and terminate it administrative violation process. The inspection finds that the complaint was submitted to the Administrative within the term specified in the first part of Article 168 of the liability law (hereinafter - AAL) and its review is permissible. According to the first part of Article 172 of the AAL, a higher official examines the complaint in writing in the process within one month from the date of receipt of the complaint, while in accordance with the second part of Article 172 a higher official, on his own initiative, can consider the complaint also in an oral process, if he recognizes it as expedient. Taking into account the request indicated in Tet's complaint to consider the case in oral proceedings and the fact that Covid- 19 the risks of spreading have decreased, the Director of the Inspection considered it possible to examine the case in the oral process. The complaint in the oral process was considered on September 1, 2022 and the arguments expressed by Tet are evaluated, reflected in the subsequent text of the decision in the context of the arguments expressed in the complaint, as well as taken into account in making this decision. During the course of the case, Tet provided additional information about the range of services available at Tet and the separation of the Tet+ service from all services available on Tet. Tet confirmed that until As of January 13, 2022, when Tet+ service remote application was provided only using internet bank authentication, the customer could apply for the Tet+ service, without authenticating and Tet not making sure that the person whose name is given in the application, 4 matches the specified personal code. Also, Tet stated that it did not hand over minors ([..]) personal data to the debt collector Creditreform, taking into account that when applying for the service, the aforementioned the person had provided the personal code of an adult, therefore Tet had been transferred to Creditreform information about [...] as an adult. In view of the aforementioned, Tet requests the annulment of the decision in full and terminate the administrative violation case. The director of the inspection indicates that the objections contained in Tet's complaint will be evaluated in the following order they were indicated in the complaint, in connection with what was indicated in the oral explanations, at the same time objections about questions of a similar nature will be evaluated together. Procedural violations [4] The complaint states that the provisions of the law were not followed in the administrative violation process deadlines for starting a case. Namely, the Inspection on January 7, 2022, 5 months after receiving the news on August 9, 2021, adopted the decision specified in the first part of Article 117 of the AAL, thus significantly violating the procedural deadline set by the legislator - three working days or (prolonged news checks case) one month. Among other things, the Inspectorate responded to the received police reports only in 2021. on October 28, when Tet sent a request for information. In the opinion of the director of the inspection, the administrative violation process has been observed in the specific case the initiation period, as the case was initiated immediately after the Inspection official had obtained all the necessary information that allowed us to assume that an administrative violation might have occurred. The director of the inspection explains that when considering complaints about possible personal data processing violations before initiating administrative violation proceedings or administrative proceedings, The inspection complies with the provisions of the Data Regulation and the Data Processing Law of Natural Persons (hereinafter - FPDAL). regulatory framework. Among other things, Article 15 of the FPDAL sets out the procedure for conducting the inspection, providing that inspection includes all types of actions that the inspectorate performs in order to find out the compliance of data processing with data the requirements of the regulation and other regulatory acts, including visiting the data processing place, information acquisition using all legal methods and other necessary actions. Therefore, for the Inspection until the start of a specific process, there is discretion to take the necessary actions and investigate the specific case to ascertain the existence of a possible violation. It should be noted that conducting an inspection before starting an administrative offense case is also in the manager's interest, because not every inspection results in an administrative violation process. Inspections as a result of the inspection, an administrative process may be initiated, which concludes with an administrative act, or according to the "Consult first" principle, informing the administrator about the data processing carried out by him compliance with the Data Regulation, or no further action will be taken at all. If after for every received complaint, the Inspectorate should initiate an administrative violation process, it is unjustified would burden managers by involving them in unnecessary administrative violation processes, because not everyone's data the subject's complaint is justified and indicates an administrative violation. As stated in its decision by the Department of Administrative Affairs of the Senate of the Supreme Court, Datu the provisions of the regulation provide the Inspectorate with the right, in response to violations of personal data processing, to make any of the decisions contained in the regulations, while leaving it to the supervisory authority freedom of assessment regarding the type of decision. Upon receiving a complaint about possible personal data processing violations, the inspection initially checks the received messages, including requesting information from the data controller and/or processor to establish whether the processing of personal data in the said data subject in the event that it has generally occurred. Submitting an application for possible violations of personal data processing in the process does not mean that the verification of the information specified in the application will result in the detection of a violation, issuing an administrative act and applying a corrective measure or imposing an administrative penalty. 5 Inspection of administrative proceedings or administrative infringement proceedings against the data controller starts only when it becomes aware of the facts. Such facts are obtained by the inspectorate by inspection and acquisition the necessary information, which in turn gives the basis for starting the administrative violation process. A decision on the most appropriate remedy (a decision to initiate a case) can only be made when collected sufficient information to assess whether a violation of personal data processing has occurred at all, and the nature of this violation. Therefore, the deadline for making a decision is counted not from the applicant's complaint from the moment of submission, but from the moment of discovery of the violation of personal data processing, that is, when it is the relevant examination and clarification of the circumstances have been completed and it is established that the person really is has committed a violation of personal data processing. 8 In view of the above, the Inspection Officer carried out tests to find out Tet+ procedure for receiving the service and assessed compliance with the regulatory act regulating data protection requirements. As a result of the inspection, a number of non-conformities were found, which indicated the possibility violation, thus the Inspection official prepared a report in which he drew attention to the inspection found. Based on the report prepared by the official, a decision was made to initiate administrative violation process, because the information provided in the report was considered sufficient grounds for committing a possible violation. Considering that the officer's report was prepared On January 4, 2022, the decision to initiate the administrative violation process was made adopted on January 7, 2022, it can be concluded that within three working days in accordance with the first paragraph of Article 117 of the AAL one of the specified decisions was made for the part. Regarding the fact that the Inspection of information the request was sent by Tet only on October 28, 2021, indicating that Article 78, paragraph 2 of the Data Regulation a period of three months has been set in which the supervisory authority must consider the complaint and inform the data subject on the progress or results of the complaint. At the same time, neither the Data Regulation nor the FPDAL does not determine the term in which the Inspection should contact the manager to clarify the information stated in the complaint circumstances, therefore the objection that the Inspectorate approached Tet with a request for information late is not justified. Taking into account the above, the Director of the Data State Inspection believes that the case has been considered in a timely manner and observing the deadline for starting the administrative violation process set by AAL. [5] Tet states in the complaint that the administrative violation process has actually been disproportionately long, also violating the decision-making deadline. In Tet's view, the Inspectorate has not complied with Article 133 of the AAL the prescribed administrative violation review period, because according to the mentioned legal norm, cases the term of consideration and decision-making can be extended for a period not exceeding four months from the day when a decision was made to initiate the administrative violation process, simultaneously The inspection official made the decision on July 15, 2022, which is almost 2 months after due date. In addition, Tet expresses the opinion that the Inspectorate has been examining the case for almost a year a disproportionate term compared to the scope of the investigative activities carried out, thereby violating the procedures deadlines. The complaint also states that the disproportionately long time frame for processing the case has burdened Tet opportunities to exercise their procedural rights and provide more precise explanations to the Inspection, so for example, Tet was not able to identify clearly enough his status in the process, his rights and therefore to implement them, taking into account that investigative actions were carried out, Acts or procedural actions were prepared protocols, even the administrative violation process was not initiated. In addition to the Tertiary and post-administrative initiation of infringement proceedings on January 7, 2022, it has been difficult to determine what case is an administrative offense process. The disproportionately long duration of the case has led to errors in assessing the severity of the violation, as certain isolated situations have been unreasonably interpreted as inadequacy of a systemic or legal personal data processing system and, accordingly, also in the applicable one 8 Decision of the Department of Administrative Affairs of the Supreme Court Senate of April 28, 2020 in case no. A420230820 6 in the sanction, as well as caused errors in the determination of the financial year from which the possible penalty is calculated, significantly increasing the amount of the penalty. Finally, Tet points out that the Inspection had to apply the "Consult first" principle, because there are no victims in the case and at the time when the administrative offense was initiated process, that is, on January 7, 2022, Tet had already completed the additional technical work started in October 2021 the addition of safeguards that entered into force on January 13, 2022, and initially identified the risk was completely eliminated, just as the [...] case was resolved. Regarding the deadline for case consideration and decision-making, the Director of the Inspection states, that with the Inspection's letter of April 13, 2022 no. [..] For additional explanation and document submission and extension of the deadline for consideration of the administrative violation case the deadline was extended until July 8, 2022. At the same time, the Director of the Inspection finds that in accordance with the first part of Article 133 of the AAL, the administrative violation case is examined and a decision is made as soon as possible, but no later than within one month from the date of the decision on initiation of the administrative violation process. On the other hand, according to the second part of Article 133 of the AAL if due to objective reasons, it is impossible to meet the deadline specified in the first part of this article, the official can be extended for a period not exceeding four months from the day when a decision was made on initiation of the administrative violation process. The administrative violation process was initiated in 2022. on January 7, 2022 and extended until May 9, 2022, while on April 13, 2022, the cases the review period was extended to 8 July 2022, which means that the four months for consideration of the case and decision making. At the same time, the Director of the Inspection states, that according to the practice of the Senate of the Supreme Court, when assessing the impact of a procedural violation on the process result, it is necessary to find out whether this violation could have affected the substance of the decision. Thereby, in view of the above, even though the four-month decision-making period was not observed in the case review within the period from the day of initiation of the administrative violation process, at the same time the Director of the Inspection in view, this procedural violation could not affect the final decision in the case. In addition, it should be noted that the deadline for the consideration of the case was missed, because during the course of the consideration of the case it was continuously requested information, the answers given by Tet were evaluated, therefore the Director of the Inspection concludes that regardless of whether the decision would be made within four months or on the day when it was actually made, this the circumstance did not affect the final result, as it was necessary to find out all the circumstances in the case and them estimate. Regarding the disproportionately long time of the case review, the Director of the Inspection states that the administrative violation process was started only on January 7, 2022, while the decision was made adopted on July 15, 2022, which means that the case did not take place for one year as indicated by Tet. In the course of the administrative violation process, the Inspectorate requested the necessary information from Tet, assessed it, repeatedly requested information, in total the Inspectorate requested Tet information four times, therefore, during the course of the case, some actions were continuously taken to find out whether it had been done administrative violation. Thus, in the opinion of the Director of the Inspection, Tet's statement is unfounded, that the Inspectorate has examined the case for a disproportionately long time. Regarding the allegation that Tet failed to clearly identify his status in the proceedings, it should be noted that the administrative violation process was initiated on January 7, 2022, by making a decision on the initiation of the administrative violation process and the extension of the deadline for consideration of the case, where else among other things, the second page of the decision stated the rights of Tet as the person to be held responsible and duties. Therefore, Tet was informed of its status in the process when the process was initiated. Regarding time stage until the initiation of the administrative violation process, Tet was not granted procedural status because The inspection carried out inspection activities in accordance with the Data Regulation and FPDAL, not administrative as part of an infringement process or an administrative process. In addition, the Inspection did not have any information that Tet is confused about its procedural status, which prevents it from exercising its rights. 9 The law of administrative violations, Explanations of the Law of Administrative Responsibility, prepared by a collective of authors. In the scientific editorship of E. Danovska and G. Kūtra. - Riga, Courthouses Agency, 2020, p. 409. 7 During the examination of the case, Tet provided the Inspection with the information it requested, got acquainted with the case materials that show quite the opposite, that Tet clearly understands its procedural status and implements AAL prescribed rights. Among other things, the aforementioned did not prevent Tet from contacting the Inspectorate with a request to explain them the procedural status before the initiation of the administrative violation process, but the Inspection as such the request was not received. In view of the aforementioned, in the view of the Director of Inspection, Tet was provided as necessary information about its status in the process, and there were no circumstances that made it difficult for Tet to understand it status in process. Tet stated that even after initiating the administrative violation process on January 7, 2022 it has been difficult to establish what kind of case the administrative violation process is really about. Inspections the director explains that the AAL was indicated in the decision on the initiation of the administrative violation process The information listed in the first part of Article 121, including information about the commission of an administrative violation the actual circumstances, that is, what actions taken by Tet, which are recognized as inappropriate Data for the regulation, a process was initiated. In addition, it should be noted that the review of the administrative violation process During the inspection, the Inspectorate sent several requests for information to Tet, to which Tet responded. The director of the inspection finds that in the decision of January 7, 2022 on the administrative violation the initiation of the process and the extension of the deadline for consideration of the case, among other things, have been indicated, and the case has been started on the conduct of Tet, for the provision, preparation, conclusion and execution of electronic communication services, without verifying the identity of persons who remotely apply for electronic communication services. From now on in the course of the examination of the case, the Inspector's official specifies in relation to some electronic communication service, an administrative violation case is being conducted, namely Tet+ service, therefore The director of the inspection concludes that Tet had information that the case was being investigated for Tet+ service. Taking into account the above, the Director of the Inspection finds that Tet was at the disposal of the case during the examination sufficient information about the nature of the violation and that the violation is directly attributable to Tet+ service and the inconsistencies found in it. Tet explained that the disproportionately long term of the case has created both errors and violations in assessing the severity, as well as in determining the financial year from which the possible penalty is calculated, significantly increasing the amount of the penalty. The director of the inspection indicates that the severity of the violation was assessed taking into account the factual circumstances of the case and their legal evaluation, and according to the Inspection for the developed tool for determining the amount of administrative penalties, the offense committed by Tet was qualified as moderate. The director of the inspection explains that there was no administrative violation process proposed specifically for the [...] case, but on the basis of this case, an examination was carried out for procedure for receiving the Tet+ service provided by Tet, thus Tet's statement that the Inspection inaccurately linked Tet's answers with the information at the disposal of the Inspectorate. Regarding Tet in insight incorrectly determined financial year from which the applied fine was calculated, it must be indicated that accordingly According to Article 83, Clause 5 of the Data Regulation, administrative fines are applied in the case of a company up to 4 % of total worldwide annual turnover in the previous financial year. European Data Protection in the guidelines of the board of May 12, 2022 no. 04/2022 on the calculation of administrative fines, it is stated, that on the question of which event the term "previous" refers to, the Courts of the European Union (hereinafter - CJEU) jurisprudence in competition law can also be applied to the penalties of the Data Regulation, in order the relevant event would be the decision to impose a penalty issued by the supervisory authority and not the time of the offense or the court decision. Therefore, the Tet fine was justified the turnover obtained in the previous year, i.e. in 2021, is taken into account, because the decision on the application of the penalty has been adopted in 2022. In view of the above, the Director of the Inspection finds that, when determining Tet's punishment, she complied with the Data 10Guidelines 04/2022 on the calculation of administrative fines under the GDPR, Adopted on 12 May 2022 – version for public consultation (the guidelines are currently out for public consultation and their text may change), available: https://edpb.europa.eu/system/files/2022-05/edpb_guidelines_042022_calculationofadministrativefines_en.pdf . 8 Article 83 paragraph 5 of the regulation on determining the amount of the penalty from the previous financial world of the annual turnover obtained in the year. Regarding the application of the "Consult first" principle in a specific case, Inspections the director states that the principle "Consult first" was applied in Tet regarding previously established violation in 2021, applying a reprimand and imposing an obligation in the future to process personal data processing, comply with the decision and other personal data protection requirements. Inspection director explains that the "Consult first" principle does not apply in all cases. The mentioned principle application is evaluated taking into account several aspects - both whether the chosen means will be applied and will deter the manager from committing further violations, as well as, or previously the manager violations have been found in the operation. Considering that inconsistencies were repeatedly found here to the requirements of the regulatory acts regulating the processing of personal data, the Inspectorate did not see an opportunity to repeat to apply the principle "Consult first", thus, when deciding on the most appropriate remedy, it was necessary deemed fine. [6] Tet expresses the opinion that in the process of administrative violation in the performance of investigative activities private individuals were illegally involved. Namely, in Tet's discretion with the process of administrative violations unrelated private individuals were involved in the inspection, thus the Inspectorate violated its mandate. in the same way The Inspection has accessed the e-mail data of a private person [...], for which the Inspection official is directly indicated in the minutes of the investigative activity. Involving private individuals in conducting investigative activities Tet discretion has a detectable effect on the admissibility of evidence. Among other things, in investigative activities the processing of the personal data of the private individuals involved was carried out without a legal basis. First of all, the Director of the Inspection explains that the investigative activities are administrative for the initiation of the violation process were carried out within the framework of Chapter IV of the FPDAL, not AAL, because the Inspectorate has the right to carry out an inspection even without starting an administrative violation process or initiating an administrative one process. Thus, the indication that on December 9, 16, 22 and 28 December 2021 inspections were carried out on the basis of Article 109 of the AAL, is not justified. Regarding the involvement of private individuals within the framework of the inspection, the Director of the Inspection states that for the purpose to find out the procedures for receiving the Tet service Tet+ and its compliance with the data processing regulations in accordance with the requirements of regulatory acts, during the inspection, the Inspection official processed the persons of private individuals data. At the same time, the aim is to evaluate the procedure for receiving the service provided by the Inspection officer could not be achieved without processing personal data, as it was necessary to receive the service fill out the application, indicating personal data. Although the test was used personal data of private individuals, the Director of the Inspection states that the mentioned persons did not participate in the act on website review in the preparation and evaluation of the results obtained as part of the test. The mentioned the actions were carried out by the officials of the Inspection. For private individuals whose personal data was used when performing inspections, no information related to the investigation of the case was disclosed. Among others, private individuals processing of personal data was carried out in compliance with the data subject's information provided in the Data Regulation obligations and appropriate legal basis for data processing. Given that individuals independently did not carry out investigative activities, Tet's objection regarding the inadmissibility of evidence is not justified. Regarding Tet's indication that the legislator has not established the right for the Inspection to involve another person in the conduct of an administrative offense process, including minors, as determined by, for example, the police employees in accordance with Article 12, Clause 34 of the law "On the Police", the Director of the Inspection explains, that the physical involvement of private individuals in investigative activities by conducting control purchases and private individuals processing of personal data is a separate activity, taking into account that the inspection officer checks implemented independently, the evaluation of the test results was carried out without the involvement of private individuals, therefore it cannot be considered that private individuals were involved in investigative activities. In compliance with the above, at the discretion of the Director of the Inspection, private persons during the inspection were not involved illegally, because for the purpose of checking the application of the Tet+ service, there were 9 it is necessary to process personal data. There were no other models of action for the inspection or means of familiarization, how to check the implementation of the service in practice. [7] The complaint states that the investigative actions were unlawfully performed before the administrative one initiation of infringement proceedings. Namely, the investigative activities of the administrative violation process were carried out in December 2021, although the process itself was actually started only on January 7, 2022. Tet indicates that investigative activities are allowed only after the process has been initiated. On the other hand, if the official conducts a departmental inspection as soon as the official has information that clearly points to the committed administrative violation, the official must immediately initiate an administrative violation process. The director of the inspection states that FPDAL Chapter IV determines the procedure for the implementation of the inspection, regardless of any other process started. The regulation of Chapter IV of the FPDAL applies to Inspections the right to conduct an inspection even before an administrative violation process is initiated. Considering that before for the inspections carried out in December 2021, the Inspection official was not convinced of the violation the presence of signs, tests were carried out. After the inspection officer carried out the inspections, it was found that the obtained information indicates the commission of an administrative violation, as well as the specific one at the time a decision was made to initiate the administrative violation process. In view of the above, The director of the inspection states that the inspection official had the right to carry out inspections before the start administrative violation process. [8] Tet expresses the opinion that the Inspection has not mutually distinguished the administrative process from administrative violation process. Namely, the Inspection had, in accordance with the first part of Article 117 of the AAL the possibility of making one of three decisions. The inspection may not arbitrarily, by missing the deadline, the process reclassify as an administrative process. It is not clear from the case file whether the Inspection is distinguished processes, for example, the fixed result of a procedural action of the same type and content referred to as both the inspection act (inspection) and the inspection protocol. Tet states that he was not informed on the initiation of the administrative process. The additional complaint states that according to FPDAL Article 15 the fourth part, before starting the procedural actions, the manager must be informed about his rights, which was not done done, at the same time, in the sixth part of Article 16 of the FPDAL, it is stipulated that the person performing the procedural action issues a copy of the report of the person against whom the investigation was initiated, which Tet did not receive. The director of the inspection explains that no administrative proceedings were initiated against Tet. In accordance with Article 15 of the FPDAL, the Inspection performed inspection activities, which were not done in this particular case were carried out neither within the framework of the administrative infringement process nor the administrative process, but were carried out precisely in order to find out whether there are facts that could be the basis for the adoption of an administrative act or indicate a possible administrative violation. The inspection is not obliged in every case to start any of these processes, the Inspection has the right to initiate the process if sufficient information is obtained for a violation. Regarding the fourth part of Article 15 of the FPDAL, the Inspection explains that the said right the norm applies to face-to-face inspections in cases where the Inspectorate conducts an inspection at the manager's premises and in a specific case, before starting the inspection, the official informs the authorized persons of the controller or processor representatives for rights. Consistently, Article 16, Part Six of the FPDAL refers to face-to-face inspections and is to be read in the context of the fourth and fifth parts of the said article, that is, when conducting an on-site inspection, the supervisor or in the processor's premises, the official prepares a protocol of procedural activity, presents it to the persons, who participated in the relevant activity and a copy is issued to the person against whom the investigation has been initiated. The mentioned the legal provision does not apply to off-site checks where no controller or processor is required presence at the time of the procedural action. Regarding the result of the procedural action, which called both the inspection report and the inspection protocol, it should be noted that before the administrative the results of the inspection carried out for the initiation of infringement proceedings are consistently named Acts, on the other hand, the procedural action carried out within the administrative violation process is named inspection, because Article 104 of the AAL lists investigative activities, where paragraph 4 defines one of the investigative 10 for actions – inspection. In order not to create confusion about the presentation of test results before the initiation of the administrative violation process, the Inspection official used the name which does not match the name of the investigation activity defined by the AAL. In view of the above, the Director of the Inspection concludes that no action was taken against Tet the administrative process, thus the objection that the Inspectorate has not distinguished the processes is not justified, on the other hand, since FPDAL articles 15 and 16 set out in the part on conducting inspections, informing the supervisor on conducting an inspection, as well as issuing a protocol of procedural activity, is applicable in person inspections, Tet's objection that the Inspection did not comply with the inspections stipulated by the FPDAL is not justified execution procedure. [9] Tet expresses the opinion that the Inspectorate has violated the administrative violation process basic principles. [9.1.] First of all, in Tet's view, the Inspection has not followed the principle of the rule of law, because it is obvious violated its authority by transferring restricted access information about the administrative the infringement process to persons who are not involved in it, thereby violating the provisions of Article 28 of the AAL principles of the rule of law, as well as the prohibition contained in the first part of Article 14 of the FPDAL in the Inspection employees to disclose the information they have obtained in connection with the performance of tasks in the Inspection. The director of the inspection explains that it is not immediately clear from the objection mentioned by Tet, which one the information has been transferred by the Inspection official to third parties. This is also indicated by Tet, explaining that there is no complete information, what information the Inspection official has given to the third party at the disposal of persons. Taking into account the above, in the opinion of the Director of the Inspection, the objection is not justified and based to conjecture, as it indicates Tet suspicions and doubts about the disclosure of information, rather than concrete the fact that has happened. The inspection explains that the information is limited to third parties has not been disclosed, among others, to the persons whose personal data were used to perform the test, the following information was not disclosed. In compliance with the above, the Director of the Inspection states that the Inspection official has not violated them mandates, as well as when processing the personal data of individuals during the inspection, FPDAL has complied The prohibition contained in the first part of Article 14 to disclose information related to the performance of work tasks. [9.2.Secondly, Tet states that the Inspection did not comply with the procedural requirements established in Article 32 of the AAL the principle of economy, and also has not ensured the right provided for in the first part of Article 33 of the AAL defense. Namely, both during the administrative violation process and also during the preparation of the complaint in Tet it is not clear what factual circumstances are the subject of the proposed evidence. At the same time, the Inspectorate has not attached case materials to the decision - a report or other information, which would allow to conclude the nature of the violation for which the case has been initiated. The inspection officer had a duty immediately provide Tet with materials available in the case, namely the report. The director of the inspection explains that in case Tet was not clear about which actual ones circumstances, a case has been initiated, in accordance with Article 41, paragraph 1, paragraph 1 of the AAL for liability the called person has the right to familiarize himself with the administrative violation file materials, to make from documents, transcripts and make copies. with case materials only on June 30, 2022, that is, 5 months after the start of the process. The mentioned does not at all indicate that Tet was initially unclear as to what the case was about. On the contrary, if Tet such doubts would have existed, the right would have been exercised soon after the case was initiated. Regarding The inspection is obliged to add other materials to the decision on the administrative violation process initiation, the Director of the Inspection states that the first part of Article 121 of the AAL does not determine the obligation to add other materials to the said decision, taking into account that the content of the decision should be indicated sufficient information. On the other hand, if the person to be held accountable has a desire to get to know others case materials, it can use the rights established in paragraph 1 of the first part of Article 41 of the AAL get acquainted with the administrative violation file materials. In addition, it should be noted that after 11 The inspection official had sent a Tet report on his own initiative on March 1, 2022 and inspection act12, Tet the following answers to the initial questions asked by the Inspection official the essence of the questions did not change, which means that, upon receiving the case materials, Tet did not obtain additional information that would change its original answers. [9.3] In addition, Tet's right to a defense was violated because the decision does not specify which ones the circumstances were taken into account by the Inspectorate when determining the penalty. The element referred to in Article 83, Clause 2 of the Data Regulation analysis is one of the most important pieces of evidence in the case, while not including this reasoning in the decision denies Tet the opportunity to become familiar with the motivation of the penalty applied by the Inspectorate and to check the calculation of the penalty compliance of the methodology with the binding regulations and realize the right to defense. The instructions of the Director of Inspection are included in Article 83, Clause 2 of the Data Regulation in Clause 6.3 of the Decision the criteria included in determining the penalty. Therefore, in each case the Inspection takes into account these criteria, as well as when determining the amount of the fine, the guidelines developed by the Inspectorate "Amount of administrative fines" are used determination criteria for companies and individuals", which are published on the website of the Inspection and sets out the criteria that are taken into account in determining the penalty and what their effect is on the penalty to be imposed extent. On the other hand, according to the 2021 decision of the Riga Regional Court Criminal Court Board In the judgment of 23 November in case no. 01630000100120.1, the court panel joins the authorities in the explanation to the opinion expressed that the penalty calculation algorithm referred to, among other things complainant, is the institution's internal tool made publicly available for good management within the framework of the principle, ensure the transparency of the decisions made by the Data State Inspectorate. Thereby, considering that the mentioned penalty calculation algorithm is considered an internal document of the institution, In the opinion of the director of the inspection, the penalty calculation table should not be attached to the decision on the penalty application, however, in cases where the person called to account would like to get acquainted with the punishment calculation of the amount, a copy of said calculation can be issued. At the same time, the Director of the Inspection states, that after the request made by Tet during the oral hearing of the case on September 1, 2022, the Inspection sent Tet the table for calculating the fine imposed by the decision. Detailed with the appropriate decision the Director of the Inspection will carry out the assessment of the fine calculation criteria in paragraph 13 of this decision. [9.3.] Thirdly, Tet draws attention to the principle of procedural justice and the principle of governance violations at the disposal of the Inspection. Namely, in Tet's opinion, the practice of the Inspection is not to send what is needed right away information to the accountable person is contrary to the principle of good governance. Tet responds both to the jurisprudence of the Constitutional Court and the Law on State Administration. In addition to the Tet bull attention, that in accordance with the first part of Article 137 of the AAL, the administrative violation case is being considered in the oral process, the case corresponding to the fourth section of the aforementioned article can be considered in the written process, if the participants in the process agree to it. It is not clear why the Inspection official received the Tet the request to consider the case in an oral process, did not consider it necessary and did not provide an argument refusal. At Tet's discretion, the Inspection Officer should have given Tet an opportunity to be heard orally – by video conference or in person. Thus, Tet's right to be heard was violated. Although Tet does not deny that it had the opportunity to get acquainted with the case materials, however, the examination of the documents at the end of the administrative violation process and after the legal deadline for making a decision is violated The right to a fair trial enshrined in Article 30 of the AAL. The director of the inspection explains that the course of the administrative violation process is determined by AAL, not the Law on State Administration. Therefore, the AAL must be taken into account regarding the procedure determined, which, among other things, does not impose an obligation on the Inspection in addition to the decision on administrative 11 12 Inspection letter of March 1, 2022 no. [...] "On submission of explanations and documents". 13Tet letter of April 7, 2022 "About providing an answer" No. [..]. Criteria for determining the amount of administrative fines for companies and individuals, available: https://www.dvi.gov.lv/sites/dvi/files/media_file/administrativo-naudas-sodu-apmera-noteiksanas-kriteriji- for companies-and-individuals.pdf . 12 to add other cases to the initiation of infringement proceedings or the sending of a decision on the application of a penalty materials. Instead, in Article 41(1) of the AAL, the liable person shall certain right to familiarize with case materials. With regard to Tet's objections to the consideration of the case in the oral process, the Director of the Inspection explains that at the time when a decision was made on the procedure for examining the case, the Inspector's official did not see the need to specify or clarify additional circumstances in the case, moreover, taking into account the Covid- 19 mitigation measures and a recommendation to organize work remotely as much as possible, were taken a decision was made to consider the case in a written process. Therefore, the Director of the Inspection does not see it violation in that the case was considered in a written process. Namely, the spread of the Covid-19 infection the first part of Article 9 of the Law on Management directly provides for the right of an official to consider a case in a written process, if it has not deemed it necessary to examine the case in an oral process. In addition, it should be noted that by sending Tet's letter of June 14, 2022 no. [..] for the consideration of the case in the written process, the Inspectorate informed the Tet of the right to submit to the case until July 1, 2022 additions, evidence, as well as submissions or requests of a different nature, which are essential in Tet's opinion for a full and correct consideration of the case and the adoption of the relevant decision. Hence, although the thing was appointed for review in a written process, Tet administrative violation process review in the course of, including before the case was examined and the decision was taken, the right to provide was ensured explanations, the right to submit submissions and other information for proper consideration of the case. With Tet's objection of not respecting the right to be heard is unfounded. Regarding the Tet indication that inspection of documents at the end of administrative infringement proceedings violates Article 30 of the AAL the strengthened right to a fair trial, the Director of the Inspection states that Tet was not denied the right get acquainted with the case materials from the moment of initiation of the administrative violation process. The circumstance that Tet did not exercise this right in time, does not indicate that the Inspectorate has violated the provisions of the AAL principle of procedural justice. [10] The complaint states arguments about accountability and the burden of proof interaction, as well as violation of the presumption of innocence. Tet considers the contents of the Data Regulation the principle of accountability should not be interpreted broadly, transferring the burden of proof to at liable person, limiting AAL29. the presumption of innocence specified in the article. Accordingly The first part of Article 89 of the AAL has the burden of proof in administrative infringement proceedings official. Consequently, the Inspection official was obliged to obtain and to establish information about the facts, which will then be used to prove the existence of an administrative violation or absence. As part of the process, information was requested inconsistently and often regarding the explanations provided for the data processing of a specific person were unjustifiably attributed to the data processing system as a whole. So, for example, the Inspection official has not found out what information about [..] Tet has effectively handed over Creditreform. Consequently, the Inspection official has no reason to presume that Creditreform has used the information provided by Tet, rather than the data already in its possession or obtained [...] in the processing of personal data. Tet states that it has not transferred the data of a minor to Creditreform, because Tet the service was applied for in the system with the personal code of an adult. Therefore, it is not in the decision proven, but it is only alleged that Tet would have transferred the data of a minor to Creditreform. The director of the inspection explains the principle of accountability within which the supervisor must prove compliance of data processing with the Data Regulation and the burden of proof according to which the Inspection has the obligation to prove the existence or nonexistence of an administrative violation and clarify other circumstances for which are important in the correct decision of administrative violation cases, there are distinguishable and independent principles. Namely, the fact that the manager has the obligation to prove the legality of the data processing performed and compliance with the Data Regulation, does not exclude the burden of proof imposed on the Inspection in the process of an administrative violation and vice versa. The inspection does not dispute that, according to the AAL, it is obliged to prove the persons to be held responsible guilty of committing a violation, which the Inspection also carried out. To the inspection official in order to understand how 13 service application process is underway, it was also necessary to ask questions of a general nature. Thus, in the opinion of the Director of the Inspection, an administrative violation was requested as part of the process the necessary information from Tet to ascertain the existence or non-existence of a violation, as well as the process the information obtained within the framework was confirmed in accordance with the procedure established by the AAL. In view of the above, The director of the inspection finds that the official has complied with the obligation of proof set by the AAL and has confirmed the information in accordance with the procedures set forth in this law. Regarding the processing of [..] personal data, the Director of the Inspection states that on August 9, 2021 from the Valmiera station of the Vidzeme region administration of the State Police received the forwarded [...] of 2021 the application of June 19, together with the materials of the Police departmental examination. It can be seen from the materials, that in the contract for electronic communication services no. [..] the name, surname and persons of [..] are indicated code [..] corresponding to the personal code of an adult. In addition to Creditreform 2021 In the notice of the debt of 15 June, the first and last name and address of the residence are indicated, while the personal code is not specified. From the above, as well as the information provided in the Tet explanations The director of the inspection finds that Tet did not hand over the identity code of a minor, taking taking into account that it had the identity code of an adult, however, in order to recover the unpaid debt, gave Creditreform the identifying data of a minor [..] – name, surname, as well as others personal identification number and residential address of an adult. Doesn't matter in the specific case to the fact that Tet was not aware that he was transferring the personal data of a minor, because Creditreform the transferred personal code did not belong to [...], considering that Tet had allowed such situations by his actions possibility. The above is also confirmed in Tet's oral explanations, namely that Tet had possession [..] as the personal data of an adult and are not in its system [..] as minors personal code. In addition, Tet asks for an evaluation of the administrative violation process in the oral explanations inadmissible conditions, namely statutes of limitations [...] in the case of data processing. The director of the inspection indicates that in accordance with the first part of Article 118 of the AAL, the process of an administrative violation can be initiated no later than within one year from the date of the violation, but if the violation is prolonged, from the violation cut-off days. According to decision 5.7.5. for the violations found in point 2) and 3) in subsection Tet had issued an invoice for the services rendered to a person who is not present has approved the contract, as well as the client who has not approved the contract in accordance with the procedure established by Tet and who is not after paying the invoices, the personal data was transferred to Tet for extrajudicial debt collection for the company. The director of the inspection explains that according to the materials of the departmental inspection of the Police for the information provided, Tet submitted a debt application to Creditreform on 15 June 2021 extrajudicial recovery from [..] by transferring [..] personal data to the specific debt collector. The mentioned as evidenced by Creditreform's debt notice of 15 June 2021. Considering that the mentioned information was transferred to Creditreform on June 15, 2021, while the administrative violation the process was started on January 7, 2022, it can be determined that the administrative violation process the statute of limitations for initiation has not expired, because there was no time from the day of the violation to the initiation of the process a year has passed. Regarding invoicing to a customer who has not approved the contract, it should be noted that from Creditreform's debt notice of 15 June 2021 shows that Tet had invoiced [...] December 18, 2020, January 18, 2021, February 18, 2021, March 18, 2021 and on April 18, 2021. Thus, it can be established that the violation was carried out for a long time and was stopped by sending the last invoice on April 18, 2021. Considering that infringement proceedings were initiated On January 7, 2022, admittedly, a year had not passed since the day of termination of the violation. Observing mentioned, the Director of the Inspection finds that in relation to [..] illegal personal data carried out by Tet processing, the statute of limitations for starting the administrative violation process has been observed. In addition, it should be noted that invoicing and data transfer to the debt collector is Tet a systemic practice that applies not only to a specific data subject, but to any customer. 14 It cannot be denied that every customer receiving the service is billed for the service until every customer's data is processed. Such personal data processing operations are confirmed by the controller in internal documentation (instructions, process descriptions). This is also confirmed by oral examinations information provided at the time that personal data is stored even after the termination of transactions with customers for accounting purposes, to ensure accounting of invoices, as well as to resolve payment disputes. Thus, there is no dispute in the case that Tet issues invoices and performs personal data processing invoicing for prescribing, for all customers. Likewise, during the oral proceedings, Tet's representatives indicated that Tet was transferring customer data to debt collectors if payment for services is not received. The said persons data processing is also prohibited in the data processing register. Therefore, such actions are recognized as for systemic controller actions with personal data. And in this case, no specific data is relevant for the date of processing of personal data carried out by the subject, as they are only a confirmation of the implementation of Tet practices and work processes in relation to the processing of clients' personal data. Such personal data processing could have happened to any other customer whose inaccurate data could be used to conclude a contract and for receiving the service. Violations of the Data Regulation can be viewed in isolation only with respect to the specific data subject, only in cases where the controller's action exceptionally refers only to the specific data subject. On the other hand, the actions considered in the case are systemic actions in relation to any Tet customer. For example, if the persons mentioned in the inspection reports carried out by the 2021 Inspection continued receiving services, they would also be billed and in case of non-payment, their data would be handed over to debt collectors. The circumstances of the case are not such as to indicate that specific persons - [..] the case is unique and the treatment would have differed from general company practice. Material violations [11] The complaint states that the Inspectorate incorrectly evaluated the facts, made logical errors regarding the fact of conducting the assessment, as well as wrongly identifying the violation committed by Tet as intentional would do. The inspection director does not doubt that Tet carried out a risk assessment at the same time, as it was stated in the decision, they were not sufficiently identified. Namely, the effects of Tet personal data processing on the assessment of data protection of natural persons indicates that the initial risk of loss of integrity when a person tries to apply for a service by submitting another person's data, evaluated as reliable, in turn the consequences and level of risk are rated as moderate. At the same time, the risk of loss of integrity after risk control implementation of measures is assessed as unlikely, but the consequences and level of risk are assessed as average. The assessment indicates such risk control measures as employee training, access rights implementation, maintenance and regular revision, automatic interfaces, personal code syntax is verified with the personal code verification tool offered by PMLP, the identity of the service applicant is checked when confirming the contract My Tet, if necessary, make reminders for customers who have not approved contracts. Among other things, Tet explained in oral explanations that Tet assessed the mentioned risks and concluded that the probability of occurrence of the risks after minimization measures, namely after PMLP tool and email verification, is low. The director of the inspection states that there are none of the indicated risk control measures sufficient to ensure that the person could not apply for the service through other persons data, for example, the PMLP tool checks only the existence of the personal code, not the correspondence of the personal code to the person specified in the application, as well as employee training, will not exclude the possibility that the person will abuse may use another person's personal data. In view of the aforementioned, in the opinion of the Director of the Inspection, the integrity indicated in the Tet assessment the risk of loss was not adequately evaluated, taking into account the ineffective control measures of the ship for mitigating the mentioned risk and the situation when a person would use another person's data of the service for application, prevention. Regarding the intentional violation, the Director of the Inspection explains that according to the Data Regulation For Article 83, Paragraph 2, Subparagraph b), one of the criteria for determining the amount of the penalty is the circumstance, or the violation was committed intentionally or due to negligence. Decision 6.3. paragraph explains that the violation was done intentionally because Tet was aware and assessed the risks, however they were not properly assessed and were not appropriate risk control measures have been implemented. The director of the inspection indicates that for intentional or willful misconduct may be considered to involve both knowledge and awareness of the nature of the violation, while a violation committed unintentionally or due to carelessness means that there was no violation intent to cause a breach, even though the controller has breached the statutory duty of care. Observing mentioned, in the opinion of the Director of the Inspection, signs of an intentional violation can be seen in Tet's possession. To it indicates the effect of Tet's actions on personal data processing on the protection of natural persons' data assessment, establishing that the initial occurrence of risk when a person tries to apply for a service, when submitting another person's data, it is reliable and as risk-mitigating measures in oral explanations indicating, for example, the implementation of the PMLP tool and email verification, which cannot be considered as effective measures to prevent the mentioned risk. Reliance that consumers are generally bona fide and will not commit illegal activities using the personal data of others, does not mean that Tet as the manager it is not necessary to take all possible risk mitigation actions to ensure that service applications it is not possible to perform such illegal activities at the moment. Therefore, in accordance with the aforementioned, Inspections the director concludes that Tet was aware that such a risk existed, moreover, it was initially assessed as probable, however the risk mitigating measures were not chosen according to the said risk because even after the said measures implementation, it was possible to apply for the service using another person's personal data. In the opinion of the director of the inspection, Tet's actions indicate intentional actions and there is a reason to conclude, that the administrative offense was committed intentionally. [11.1.] Tet does not agree with the inspection official's analysis of the actual circumstances and for the legal assessment, it is considered that no administrative violation has been identified and proven in the case the circumstances contained in the subject of proof of the process, or the composition of the administrative offense itself essences. The director of the inspection states that several violations committed by Tet have been found and proven in the decision. The director of the inspection will evaluate each of them sequentially, in the context of the circumstances found in the case. 1) When applying for an electronic communication service, the customer is provided with the service and connected without the customer confirming the contract. Thus, Tet processes the data of persons without identity has been verified, thus violating Article 5, Clause 1, subparagraphs a) and d) of the Data Regulation. The director of the inspection states that it has been established in the case that [...] received the service, but did not approved the contract. This is evidenced by what is indicated in Tet's explanations, that in a situation where personal data were handed over for debt collection, although the contract for the service was not approved, the Tet employee was made a mistake because he was not sure, the liability has been confirmed, therefore the debt was transferred to collection. Thus, the Director of the Inspection concludes that in case the Tet employee had made sure of the contract confirmation, personal data would not be transferred for debt collection. In compliance with the above, the Director of the Inspection finds that 5.7.5 of the decision has been proven. in point the specified violation committed by Tet, namely that the customer, when applying for the electronic communication service, the service is provided and connected without the customer confirming the contract and verifying the persons compliance of the identity with the personal code specified in the application. 2) For the person who has not approved the contract, Tet issues an invoice for the services provided for electronic communication services, recording personal data and keeping accounting in accordance with the procedures and deadlines specified in the regulatory legal acts. 14Tet letter of April 7, 2022 no. [..]. 16 The director of the inspection states that it has been established in the case that [...] received the service without confirmation contract. Considering that payment for the services was not received, Tet [...] transferred the debt for recovery Creditreform. When transferring the debt, CreditreformTet added the issued invoices. Parto testifies letter from Creditreform dated 15 June 2021 “Debt Notice” attached to the police file, where unpaid invoice numbers are listed as the basis of the claim. In compliance with the above, the Director of the Inspection finds that 5.7.5 of the decision has been proven. in point alleged breach by Tet that a person who had not approved the contract was billed by Tet for the services provided. 3) A customer who has not approved the contract in accordance with the procedure established by Tet and who has not performed payment of invoices, personal data was transferred by Tet to an extrajudicial debt collection company. The director of the inspection finds that according to 11.1 of this decision. in paragraph 1) to the aforementioned, it was established in the case that [..] had not approved the contract and Tet transferred the debt to [..] Cretitreform. This is confirmed by both Tet's complaint and oral explanations. In compliance with the above, the Director of the Inspection finds that 5.7.5 of the decision has been proven. in point the specified violation committed by Tet, namely the customer who has not approved the contract in accordance with the procedure specified by Tet and who has not paid the due invoices, personal data was transferred to Tet for extrajudicial debt collection for the company. 4) By inserting the mentioned contracts into the relevant My Tet self-service system of Tet customers in the user account, Tet discloses (transmits) the data of the owner of the personal code (name, surname, date of birth and residential address) to third parties who used this person's data. The director of the inspection states that the official, according to the Act of December 20, 2021 no. [..] regarding the review of the website https://tet.plus/ and https://mans.tet.lv/ carried out on December 16, 2021 indicated, found that Tet prepared the contract not on the name of the person indicated in the application, but based on the name of the person whose personal code was provided in the application. Thereby also on the Mans Tet portal, the relevant user was not the person initially indicated in the application, but another person. Thus, it was established that the person whose name, surname was initially indicated in the application, the personal data of a stranger was disclosed - name, surname, date of birth and place of residence. In compliance with the above, the Director of the Inspection finds that 5.7.5 of the decision has been proven. in point the specified violation committed by Tet that Tet discloses (transmits) on the My Tet portal in the relevant user account data of the owner of the personal code (name, surname, date of birth and residential address) to third parties to persons who used this person's data. 5) Tet processes (compares) the personal data of new customers with those available in its database for customer (including former) data. The Director of the Inspection states that in accordance with the 2021 decision of the Inspection officials Act of 14 December no. [..] and Act of December 20, 2021 No. [..] about the inspections carried out on the websites https://tet.plus/ and https://mans.tet.lv/ it was established that in a situation where as a customer indicated [..], the Tet employee called not the phone number indicated in the application, but their phone the number that belonged to the owner of the personal code specified in the application. As well as in a situation where as a client indicated [..], the draft contract was prepared in the name of [..] using the personal data of this person according to the information provided in the Tet database. It should also be indicated that the e-mail is a reminder to close the contract was sent not to the e-mail address specified in the application, but to the person whose person code specified in the application, e-mail address. In additional oral explanations, Tet confirmed that the residence address of the former customer in the event that Tet does not have a dispute with the customer is stored only for accounting purposes, to issue invoices and delivery notes. Taking into account the above, the Director of the Inspection finds that the above unequivocally indicates that Tet used the personal data of former customers for comparison with the data of new customers. On the other hand, Tet the objection that the employees made a mistake in the stacked cases must be evaluated critically, because the mistakes of the employees 17 took place within the scope of the inspection carried out by the Inspectorate, and the two situations are also distinguishable in the application two different persons were specified, which means that the former was done for two customers comparison of customer data. Therefore, the Director of the Inspection concludes that 5.7.5 of the decision has been proven. Tet specified in point the violation that Tet processes (compares) the personal data of new customers with its database available customer (including former) data. Taking into account all the above, the Director of the Inspection acknowledges that the findings in the decision the violations are justified and the evaluation of the actual circumstances of the case was carried out correctly. [11.2.] In Tet's opinion, it is not clear why the penalty has been calculated in accordance with Article 83, Clause 5 a) of the Data Regulation and within the scope of the sanction of subsection (b), if the decision of the Inspection official found Tet guilty only in committing the offense provided for in subsection a). At the same time, the decision on an administrative violation initiation of the process and in other documents, the Inspection official mentions Article 5 a), b), c), of the Data Regulation (d), (e) and (f), however, in determining the sanction, the scope of the offense is widened and extended to not only on the specific principles, but on all of them in general. The director of the inspection states that decision 6.3. a typing error has occurred in the subsection regarding the reference to Article 83(5)(b) of the Data Regulation. This is evidenced by the fact that no in the decision, nor in the decisive part, the Data Regulation indicated in the mentioned subsection was not evaluated violation, thus the sanction was calculated only for Article 83, paragraph 5, letter a) of the Data Regulation the specified violation. Tet stated that in the decision on the initiation of the administrative violation process and others in the documents, the Inspection official mentions Article 5 a), b), c), d), e) and f) of the Data Regulation, however, when determining the sanction, the scope of the violation is expanded and applied not only to specific ones principles, but for everyone in general. The director of the inspection explains that decision 5.7.5. point was it is explained what violations Tet has committed and what conditions of the Data Regulation were not observed. At the same time, in the decisive part of the decision, the Inspection official does not repeatedly list the findings violations, but indicates which category of violations is applicable in the specific case. Taking taking into account that the violations committed by Tet are qualified according to Article 83, paragraph 5 a) of the Data Regulation subsection, the reference in the decisive part is made directly to the mentioned subsection, without additional enumeration specific violations of the basic principles of data processing, as the specific subsection already covers violation of basic principles. In addition, it should be noted that 5.7.5 of the decision. violation is listed in paragraph, para to whom a penalty has been applied in accordance with Article 83, paragraph 5, subparagraph a) of the Data Regulation. [11.3.] Tet indicates that the Inspection official has based the decision on the second part of Article 41 of the AAL part 4, at the same time it is not clear what kind of violation and in what time period Tet must be terminated. The director of the inspection indicates that the reference to paragraph 4 of the second part of Article 41 of the AAL was made because according to Tet's explanations, on January 13, 2022, Tet ensured that the application The Tet+ service is only possible using internet bank authentication, which is also specified 5.7.5 of the decision. in point Thus, the violation for which Tet was held responsible was eliminated, namely that it is not possible to apply for the Tet+ service without authentication, i.e. personal identity checks in a way that confirms the correspondence of the person's name and surname to the indicated personal code. At the same time The director of the inspection explains that the manager can be prosecuted for an already committed violation, which no longer continues and has been eliminated because the violation was detected within a certain period of time. Hence Tet the objections expressed in the complaint and oral explanations that the purpose of the decision is not understandable, because the problem was fixed a week after the start of the process, does not stand up to criticism, considering that during the time when The inspection officer carried out an inspection, a violation was found. 18 [11.4.] In Tet's insight, the problems of effectiveness of data protection measures were identified on limit the number of cases where persons who already have restricted access information (personal codes) are trying to commit a criminal offense, therefore it is not possible to determine a penalty in the decision amount justification. Regarding Tet's objection that the Inspectorate has generalized its conclusions to Tet daily practice and that, in the opinion of Tet, unapproved contracts cannot indicate unlawful personal data processing, the Director of the Inspection explains that the Inspection made the conclusions indicated in the decision, based on the information obtained as a result of the inspection and the answers provided by the Tet to the Inspections to the questions asked by the official. In none of the explanations given has Tet pointed to circumstances that would indicate that Tet has different practices regarding the processing of applications, invoice writing off and transferring data to debt collectors. Also during the oral proceedings, the representatives indicated that Tet how the controller performs the processing of personal data for accounting purposes, which are also related to the processing of invoices, and also transfer customer data to debt collectors. No information appears anywhere in the case materials and representations that Tet implements different practices depending on the type of service with respect to the former customer data processing, invoicing and transfer of data to debt collectors. Article 5 of the Data Regulation Clause 2 provides for the principle of manager's accountability, which requires the manager to demonstrably demonstrate compliance Principles of data regulation. Therefore, it is the responsibility of the supervisor in the case of an administrative violation in the course of the examination, also demonstrate to the supervisory authority its compliance with the provisions of the Data Regulation. With if the manager has different procedures for different customers, or a specific case was individual and different from others, the supervisor must demonstrate this by providing explanations institution. It should be noted that at least 3 cases where personal data were processed were found in the case carried out in accordance with the provisions of the Data Regulation, which already indicates a systemic approach, not an employee one error. Moreover, in the course of the whole case, Tet has not provided any documents or a description of the processes which would indicate that the processing of the personal data of specific individuals would have differed from the general company practices. It should be stated that the internal procedures and instructions of the controller are known only to the controller and only to if there is a bona fide manager, information about them can be provided to the authority. The institution cannot request from the administrator documents or information of which it is not aware. Thus, the fact that the established Violations are not Tet's daily practice and do not occur in every instance where customer persons are handled data, should be evaluated critically, because by itself does not mean that the violation was not committed, nor for that no evidence has been presented for the claim. In addition, the Data Regulation provides for responsibility for violations also in cases where it is one or a few separate situations in which they are found non-compliance with the provisions of the Data Regulation. [11.5.] Also, Tet does not agree with the finding of the Inspection official that the unapproved contracts 564 persons would testify to an existing or possible case of fraud and illegal personal data processing. Therefore, the Inspectorate has no reason to generalize and apply a penalty on the basis of such a generalization. The director of the inspection indicates that it was not claimed in the letter, nor are the approval agreements unlawful processing of personal data, but that 564 persons whose contracts were potentially affected were not approved because there was a risk of illegal processing of personal data. In other words, the Inspection does not have any information about all 564 persons and whether personal data could have occurred in any of the cases processing violation, taking into account the significant number of persons, at the same time, taking into account that the Inspection, after checking, it was possible to conclude the service using the personal data of a stranger, it is not possible exclude the circumstance that such situations were also possible among the mentioned 564 persons. [12] Tet expresses the opinion that the Inspectorate did not apply equality in making the decision principle, which has resulted in the application of a disproportionate penalty. Tet refers to other Inspection tests cases where no fine was imposed in any of the cases. Thus in relation to Tet tika unfairly applied different treatment, the principle of equality is not applied. Likewise, in the view of Tet on the 19th the offense has been wrongly classified, unreasonably recognizing it as moderate, instead, even if if the violation was allowed, it should be recognized as minor and the principle "Consult first" should be applied. Tet states that it promptly cooperated with the Inspectorate, the victims were not identified and the possible violation was not found was actually remedied a week after the initiation of the administrative infringement process. Likewise, in Tet's view the offense has been wrongly classified, unreasonably recognizing it as moderate, instead, even if if the violation was allowed, it should be recognized as minor and the principle "Consult first" should be applied. Tet states that it promptly cooperated with the Inspectorate, the victims were not identified and the possible violation was not found was actually remedied a week after the initiation of the administrative infringement process. The Director of the Inspection explains that the other cases examined by the Inspection are indicated in Tet's complaint cannot be compared with the Tet administrative infringement process, because the cases have different factual circumstances, their legal assessment, as well as in this case it is essential to take into account that Tet had already been established violations in the processing of personal data, which means that the Inspection did not find the possibility to apply the principle "Consult first" when issuing a warning or an advertisement, then observe the regulations governing the processing of personal data requirements of regulatory acts. On the other hand, the fact that Tet cooperated with the Inspection has been taken into account, determining the amount of the penalty, as it is also indicated in section 6.3 of the decision. in point [12.1.] In addition, Tet believes that the Inspection has not taken into account that the Tet+ service is only a small part of the share of services in the Tet service basket, as well as the company's revenue from this service and its proportion to the total turnover of Tet. Regarding Tet's objection that the fact that Tet+ is only a small fraction of the has not been taken into account for the services provided by Tet and according to the information provided in Tet's oral explanations that The share of the total turnover of the Tet+ service reaches only [..], the Director of the Inspection explains that according to the Data Regulation83. Article 5 point, an administrative fine is applied, based on everything global annual turnover of the previous financial year, not turnover from a specific service. [13] Tet states in the complaint that the decision does not justify whether the Inspection official has sanctioned calculated correctly, following the guidelines issued by the Inspectorate itself, observing the provisions of the Data Regulation the purpose of punishment in connection with the principle of reasonable application of legal norms. Hence the calculated the administrative fine is clearly erroneous and illegal. The director of the inspection states that in accordance with Article 83, Clause 1 of the Data Regulation on supervision the institution must ensure that the fines applied for violations of this regulation in each particular case effective, proportionate and dissuasive. According to Data Regulation 83. Article 2 point, determining the penalty extent, the supervisory authorities should take into account several elements that indicate a violation nature and seriousness or about the offender's attitude towards the offense committed. It is also necessary to take also take into account other elements that are important in the case, even if they are not directly listed in Article 83 of the Data Regulation in point 2. Although the internal tool of the Inspection - Administrative is rightly applied in determining the penalty the mechanism for determining the amount of fines for companies and individuals - Inspections in the opinion of the director, it was additionally necessary to assess whether any additional conditions or criteria not reflected in this document. 15 of the European Data Protection Act can also be taken into account in the guidelines on the application of administrative penalties developed by the panel (hereinafter - the guidelines). [13.1.] The director of the inspection finds that, when applying the penalty, all the circumstances that describes the committed administrative violation. According to Article 83, paragraph 2 "a" of the Data Regulation subsection, it is necessary to take into account the nature, severity and duration of the violation, taking into account the relevant one 15Guidelines 04/2022 on the calculation of administrative fines under the GDPR, Adopted on 12 May 2022 – version for public consultation (the guidelines are currently out for public consultation and their text may change), available: https://edpb.europa.eu/system/files/2022-05/edpb_guidelines_042022_calculationofadministrativefines_en.pdf . 20 the type, extent or purpose of data processing, as well as the number of affected data subjects and what has been done to them damage. Decision 6.3. in subsection, when determining the amount of the penalty, criteria such as violation are taken into account essence; whether the violation was committed intentionally or due to negligence; any conduct of the controller or processor, to mitigate harm caused to data subjects; the number of affected data subjects; the one categories of personal data affected by a breach; previous offenses of the controller; degree of cooperation with a supervisory authority; the way in which the Inspection found out about the violation; mitigating and aggravating circumstances. In the opinion of the director of the inspection, 6.3 of the decision. those are incompletely evaluated in subsection criteria such as the number of affected data subjects, the level of responsibility of the controller or processor, taking into account the technical and organizational measures implemented, as well as the actions of the controller or processor to mitigate damage to the data subject. At the same time, the decision did not assess the severity, duration, or data of the violation the damage caused to subjects, as well as the purpose of data processing. Regarding the number of affected data subjects, 6.3 of the decision. subsection states that according to According to information provided by Tet, it continued to provide Tet+ services to 564 individuals without contracts approved. The director of the inspection states that, although contracts were not approved for 564 persons, at the same time, the aforementioned does not indicate that all of this person has been affected by the offense committed by Tet. Thus can conclude that the number of affected individuals may be lower. Regarding the level of responsibility of the manager or processor, taking into account the implemented technical and organizational measures, in the view of the Director of the Inspection, Tet had introduced some measures of risk for mitigation, for example, PMLP prepared personal code verification tool and e-mail verification, at the same time, these tools were not selected according to the identified risk. Decision 6.3. in the subsection regarding the controller's or processor's actions to mitigate the damage caused to data subjects, it is indicated that Tet has prevented a customer whose identity has not been confirmed, processing of personal data after detection of several cases of fraud, however, the amount of the penalty the criterion mentioned in the determination has not been adequately evaluated. The mentioned circumstance was not included in determining the penalty sufficiently taken into account. Taking into account that in the opinion of the Director of Inspection Tet after the violation findings (in October 2021), took effective action to prevent the damage, that is, started implementation of the internet bank authentication tool at the time of service application, it can be concluded that the manager took the necessary actions to prevent further illegal processing of third party data the occurrence of performance. However, in the opinion of the Inspectorate, such actions were carried out late, because even after In 2021, Tet+ service continued to exist for violations detected by Tet, it did not discontinued, which means that until January 13, 2022, when Tet introduced complete internet banking at the time of applying for the authentication service, illegal actions were possible when applying service and using a third party's personal data. The guidelines state that the severity of the violation must be assessed taking into account the specifics of the specific case circumstances. The severity of the violation is indicated, among other things, by the context in which personal data is processed carried out, e.g. business, non-profit organization, political party, scope of infringement, namely whether it is national or cross-border data processing. Likewise, the purpose of data processing, the data involved the number of subjects and the extent of the damage are important criteria for determining the gravity of the infringement. The director of the inspection states that there are no special circumstances in the case that would indicate a violation severe nature. According to the guidelines, the duration of the violation is determined, the longer the time of committing the violation, the more importance the supervisory authority can attach to this circumstance. In the opinion of the director of the inspection, it is important to take into account the period in which it was available to apply for the Tet+ service (until 2021 for March 31 services Shortcut) without internet bank authentication, that is, detectable the Tet+ service could be applied for from March 2021, while complete internet bank authentication the Tet+ service was provided only on January 13, 2022. Thus, almost a year of service on the 21st the application was provided without internet bank authentication and personal identity verification, without making sure that the person's first and last name corresponds to the person's specified personal code. Regarding the damage caused to the data subjects, it should be noted that the concept of damage in the guidelines is assessed in accordance with Recital 75 of the Data Regulation, i.e. the extent of the damage is physical, material and non-material damages. It should be pointed out that the offense committed by Tet was affected data subject – [..], at the same time the Director of the Inspection draws attention to the fact that in the criminal case, which some materials were sent to the Inspection, the essential circumstances were not clarified, namely who applied service in the name of [..] using another person's personal code, thus the Director of the Inspection the damage caused to the data subject cannot be adequately evaluated. Regarding the purpose of processing personal data, the guidelines recommend taking into account whether individuals data processing is related to the controller's core activity. The inspection director considers this one of the the most important aspects to be taken into account when assessing the severity of the violation. Namely, if personal data processing is related to the basic activity of the manager, and accordingly should be directed to the manager's attention, and the manager cannot plead insufficient knowledge of the regulatory framework or repeated mistakes made by employees. In the specific case, the processing of personal data is only part of Tet basic activities performed to provide services to customers. In view of the above, this aspect is acceptable taken into account to determine a lower penalty. [13.2.] When evaluating the criteria for determining the amount of the penalty, in the opinion of the Director of the Inspection, the violation the severity is maintained as moderate. According to the guidelines in cases where the severity of the offense is average, the initial penalty application point should be set at 10-20% of the applicable one maximum penalty. When determining the initial penalty application point in the range of 10-20%, it should also be taken into account that Tet turnover exceeding 200 million per year is considered high. Thus, the maximum applicable fine according to Article 83, Clause 5 of the Data Regulation The 4% threshold determined in subparagraph a) is 8,024,733.84. Considering that a moderately serious offense case, the initial point of application should be set at 10-20% of the applicable maximum penalty, the initial application point is set between 802,473.38 and 1,604,946.77. The director of the inspection believes that, taking into account the fact that the severity of the violation is medium and is visible action of Tet to prevent cases of inappropriate processing of personal data is reasonable to determine initial fine application point in the amount of 15% of the maximum applicable fine amount, i.e. 240,742.02. At the same time, taking into account the criteria established in this decision regarding the determination of the amount of the penalty assessment, a factor of 5 shall be determined for the initial penalty application point, which adds up to EUR 1,203,710.10. [13.3.] At the same time, according to the guidelines, after the mathematical calculation of the penalty, the penalty is it is possible to correct, by evaluating, whether it reaches the goals of punishment set in the Data Regulation - effective, proportionate and discouraging. The amount of punishment should be determined according to the context of the offense. [13.3.1.] Regarding 13.2 of this decision. effectiveness of the fine of EUR 1,203,710.10 calculated in point it must be assessed whether it is suitable to ensure the compliance of personal data processing with the Data Regulation and punish you know The director of the inspection finds that the punishment is suitable and appropriate for punishing the supervisor, so that would facilitate compliance with the Data Regulation. In evaluating the effectiveness of the punishment, it should be taken into account that Tet administrative cooperated with the Inspectorate during the violation process, prevented the case already at the initial stages of examination detected violations by making improvements in receiving the Tet+ service, ensuring that it is possible to apply for the service only with internet bank authentication. Additionally according to Tet to the one indicated in the oral explanations as soon as individual cases were identified in October 2021, 22 when other people's data was illegally used to apply for a service, Tet reacted and developed the necessary improvement plan to prevent abuse of strangers in the future data in service application. According to written and verbal information provided by Tet in the explanations, since January 13, 2022, the application of the Tet+ service has been provided only with internet bank. At the same time, regarding the evaluation of the effectiveness of the penalty, it was taken into account that until now Tet a reprimand has been applied for data processing violations and there is no previously established non-conformity have deterred Tet from further violations, suggesting that such a remedy would no longer be able achieve the goal and reprimanding did not deter the manager from other activities that do not comply with the Data Regulation performance. Taking into account the above, in the opinion of the Director of the Inspection, the amount of the fine determined is effective, while the imposition of a significant fine would not motivate the manager to ensure compliance with the Data Regulation requirements, but, on the contrary, could create an understanding that regardless of whether active action is taken and regardless of the manager's subjective attitude, the violation will still be subject to the same fine. In the opinion of the director of the inspection, the most important thing is to ensure that managers are motivated to process personal data make improvements without the use of coercive mechanisms. In cases where the manager has there is a lack of interest, inaction or deliberate avoidance of effective tools for compliance Data a more significant fine should be considered for the provision of the regulation, while when the manager's actions show for the desire to ensure compliance with the regulatory framework of data processing, there should be a fine for a smaller one. [13.3.2.] The principle of proportionality states that the penalty applied should not exceed what is necessary to achieve the goal. If it is possible to achieve the goal by several means, a choice should be made the less offensive. When assessing proportionality, the violation must be viewed as a single whole, the main one paying attention to the gravity of the offense as such. Therefore, it is necessary to assess whether the punishment is proportionate according to the gravity of the offense and the size of the company and the fact that the punishment should not be go beyond what is necessary to achieve the purpose of the Data Regulation. The director of the inspection explains that, taking into account the significant turnover of Tet, as well as the amount of turnover in the last 3 years, does not see the risks of the company's economic viability or other special circumstances for the disproportionality of the selected administrative fine with the company financial condition, therefore it is recognized that the chosen amount of the administrative fine is proportionate. [13.3.3.] According to the guidelines, the fine must also be a deterrent to further violations making Namely, a deterrent punishment is one that has a real deterrent effect. A fine is a deterrent if it does not allow a person to violate the goals and regulations set by European Union law. Observing the circumstances and nature of the violation evaluated in the decision, the Director of the Inspection finds that the selected the amount of the administrative fine is dissuasive. In the opinion of the director of the inspection, the administrative violation is qualified correctly and accordingly the type of administrative penalty - fine - has been correctly chosen and the Administrative fine has been applied amount determination mechanism, however, by re-evaluating administrative fine determinations the significance of the criteria in the specific case, the Director of the Inspection finds that a fine is necessary adjust according to the importance of the evaluated criteria in the case, so that it corresponds to the above-mentioned penalty determinations principles. Taking into account the above, the Director of the Inspection considers that adjusting the fine by setting it at 15% in the amount of the initially calculated amount, as well as by individualizing the punishment, taking into account the circumstances of the case and Tet's action, namely by imposing a fine of EUR 1,200,000.00, would be sufficient to deter Tet from further data processing violations. Taking into account the above and in accordance with Article 132, Article 168 23 of the Law on Administrative Responsibility first part, Article 172 and Article 173, first part, paragraph 4, Article 58, paragraph 2 i) of the Data Regulation subsection, Director of Inspection decided to be amended by the Inspection's decision of July 15, 2022 No.[..] "On the imposition of punishment" the amount of the administrative fine, determining SIA "Tet", registration number 40003052786, legal address: Dzirnavu iela 105, Riga, LV-1011, in accordance with Article 83, Clause 5, letter a) of the Data Regulation administrative fine of EUR 1,200,000.00 (one million two hundred thousand euros, 00 cents) in the amount. The fine shall be paid in full no later than one month from the entry into force of this decision days in any banking institution or after the expiry of the term of voluntary execution of the fine, this decision in accordance with Articles 262 and 269 of the Law on Administrative Responsibility will be immediately surrendered for execution by a sworn bailiff. Details for paying a fine: Beneficiary: State Treasury Registration No.: 90000050138 Account no.: LV69TREL1060191019200 Beneficiary BIC code: TRELLV22 Notes: Indicate the number of this decision. The fine applied in the process of the administrative violation will be reimbursed procedural costs and damages to natural resources can be paid on the portal www.latvija.lv, using the e-service Administrative fines check and payment. Please note that, according to Article 568 of the Civil Procedure Law, voluntary execution of the decision after when the enforcement document is submitted for enforcement, I will not be released from the obligation to compensate for the enforcement expenses to the bailiff. At the same time, we inform you that the Company, in accordance with the second Article 266 of the Law on Administrative Responsibility and the third part, has the right to the execution of the fine in parts, if there are objective circumstances, due to which the fine is imposed within the term of voluntary execution, it is not possible to execute the sentence decision in full. In accordance with the first part of Article 184 and the first part of Article 186 of the Law on Administrative Responsibility the decision of Tet can be appealed within 10 working days from the day when the decision is announced in the administrative in the infringement case in the district (city) court at the registered address of the Company, by submitting a complaint Data at the state inspection (Elijas iela 17, Riga, LV-1050), which within three working days after submitting the complaint upon expiration of the term, the complaint with the case materials is sent to the district (city) court upon approval. Director J. Macuka [..]