DVI (Latvia) - SIA “JK Media group”: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Latvia |DPA-BG-Color= |DPAlogo=LogoLV.png |DPA_Abbrevation=DVI |DPA_With_Country=DVI (Latvia) |Case_Number_Name=SIA “JK Media group” |ECLI= |Original_Source_Name_1=DVI |Original_Source_Link_1=https://www.dvi.gov.lv/lv/media/3123/download?attachment |Original_Source_Language_1=Latvian |Original_Source_Language__Code_1=LV |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code_2=...") |
No edit summary |
||
Line 72: | Line 72: | ||
=== Facts === | === Facts === | ||
On 10 January 2024, the DPA issued a decision ordering the controller to edit or delete personal data published on its website and issuing a reprimand for the breach of Article 5(1)(a), 5(1)(c), 12(1) to (4) GDPR. | On 10 January 2024, the DPA issued a decision ordering the controller to edit or delete personal data published on its website and issuing a reprimand for the breach of [[Article 5 GDPR#1a|Article 5(1)(a)]], [[Article 5 GDPR#1c|5(1)(c)]], [[Article 12 GDPR#1|12(1)]] to [[Article 12 GDPR#4|(4) GDPR]]. | ||
On 19 February 2024, the DPA re-examined the website of the controller noting that the personal data was still available. | On 19 February 2024, the DPA re-examined the website of the controller noting that the personal data was still available. |
Revision as of 12:06, 26 July 2024
DVI - SIA “JK Media group” | |
---|---|
Authority: | DVI (Latvia) |
Jurisdiction: | Latvia |
Relevant Law: | Article 5(2) GDPR Article 24(1) GDPR Article 58(2) GDPR Article 83(5)(e) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 22.02.2024 |
Decided: | 28.03.2024 |
Published: | 24.07.2024 |
Fine: | 1,000 EUR |
Parties: | JK Media group SIA |
National Case Number/Name: | SIA “JK Media group” |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Latvian |
Original Source: | DVI (in LV) |
Initial Contributor: | fb |
The DPA fined a controller €1,000 after it failed to comply with a previous decision of the DPA ordering it to remove a page from its website.
English Summary
Facts
On 10 January 2024, the DPA issued a decision ordering the controller to edit or delete personal data published on its website and issuing a reprimand for the breach of Article 5(1)(a), 5(1)(c), 12(1) to (4) GDPR.
On 19 February 2024, the DPA re-examined the website of the controller noting that the personal data was still available.
Therefore, on 22 February 2024, the DPA opened an administrative offence case for failure to ensure compliance with the previous decision of the DPA.
The controller argued that it had not edited or deleted the publications because it did not have access to the archive material of the previous owner of the website.
Holding
The DPA set aside the controller’s argument. It noted that, in accordance with Article 24(1) GDPR, the controller should have implemented appropriate measures to ensure compliance with the GDPR and, pursuant to Article 5(2) GDPR, the controller should be able to demonstrate this compliance.
Therefore, the controller should have implemented appropriate measures in order to be able to edit or delete the content published on its website. The DPA recalled that one of the main priorities of the controller should be the accessibility of the information to the controller itself.
As a consequence, the DPA found a violation of Article 58(2) GDPR as the controller failed to comply with the orders given in a previous decision of the DPA.
On these grounds, the DPA issued a fine of €1,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Latvian original. Please refer to the Latvian original for more details.
Elijas iela 17, Riga, LV-1050, tel. 67223131, e-mail pasts@dvi.gov.lv, www.dvi.gov.lv In case no. [..] The decision Riga, On March 28, 2024, no. [..] On the application of punishment 1. Authority (official) that makes the decision: Data State Inspections (hereinafter - Inspection) [..] (hereinafter - Official), in accordance with the General Data Protection Regulation 1 of the regulation (hereinafter - the Data Regulation) of Article 58, paragraph 2, subparagraph i), Data of natural persons of the Law on Processing (hereinafter - the Data Law), Article 5, Part One, Clause 2, Article 23 and Paragraph 4 of the first part of Article 115 of the Law on Administrative Responsibility (hereinafter - AAL). 2. Place and date of administrative violation case review: 2024 on March 21 at 10:00, Elijas Street 17, Riga. 3. Information about the participants in the process and their representatives and advocates (if any): 3.1. Person to be held responsible: Limited Liability Company "JK Media group", unified registration number 43603077179, legal address: Kastaniu iela 2A - 15, Jelgava, LV – 3008 (hereinafter – SIA). Victim: [..], personal identification number [..], declared address of residence: [..]. 3.2. SIA and [..] did not attend the hearing of the administrative violation case. SIA was notified of the date and time of the hearing of the administrative violation case The letter of February 28, 2024 from the Inspection Officer, while [..] with the Official 3 Letter of March 26, 2024. The Inspection received information from SIA that SIA agrees to the consideration of the case in writing in the process, while no information about the reasons for non-appearance or a request for postponement has been received from [..]. consideration of the case. The victim of paragraph 2) of the first part of Article 44 of the AAL has the right to participate in administrative proceedings in the consideration of the infringement case. According to the second part of the article, the victim exercises his rights voluntarily and in the amount you choose. Failure to exercise the right does not prevent the administrative violation process going on According to the fourth part of Article 137 of the AAL, the case of an administrative violation can be examined in a written process, if the participants in the process agree to it. In accordance with the above, the case has been examined without the person to be held liable (SIA) and the victim ([..]) presences. 1 Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) on the protection of natural persons 2 on the processing of personal data and the free movement of such data and repealing Directive 95/46/EC Inspection letter N[..]About sending the decision, submitting information and examining the case 3Inspection letter N[..]About sending the decision and examining the case 2 4. In the consideration of the case, the actual and description of the established circumstances: 4.1. The official finds that in the materials of the administrative offense case (hereinafter - The case) is in Official's report of February 21, 2024 no. [..]About society with limited liability for the actions of "JK Media group" without securing the order of the Data State Inspection execution (hereinafter - the Report) with attachments. It follows from the information contained in the Report and its appendices that the Inspection, based on [..] complaint 4 (hereinafter - Complaint), in accordance with Article 57, paragraph 1 a) of the Data Regulation and Subsection (f), Article 4, Part One, Clause 1 of the Personal Data Processing Data Law, is performed a check on the SIA website at www.jelgavniekiem.lv (hereinafter - the Website) the processing of [..] personal data and the actions of the website administration without informing [..] about action taken after [..], as a data subject, request of May 6, 2022 in accordance with the Data Article 17 of the Regulation (hereinafter – Request) (Inspection case No. [..]). As part of the inspection case with the decision of the Inspection of January 10, 2024 no. [..]About the application of the corrective measure (hereinafter - the Decision), based on Article 58 of the Data Regulation Clause 2(b) and Clause 2(d) SIA were subject to corrective measures, by reprimanding SIA for Article 5(1)(a) and (c), Article 12(1) of the Data Regulation - failure to provide the requirements of paragraph 5 and the first and second parts of Article 32 of the Data Law, as well as issuing orders to SIA as a manager to coordinate processing activities with the provisions of the Data Regulation .. in a specific way and in a specific period of time. Namely, the Inspectorate imposed an obligation on SIA: 1) ensure data regulation-compliant [..] processing of personal data on the SIA Tīmekļa website by editing The publications mentioned in the decision or by deleting them as a whole, 2) to comply with Article 12.1 of the Data Regulation - The requirements of paragraph 5, i.e. fulfill [..] the Request and notify [..] of the action taken after Reasons for the request or non-performance. With the Decision, SIA was determined to inform the Inspection in writing about the implementation of the Decision by February 6, 2024, including by submitting a certified copy of the answers provided to the Inspection [...] a copy and a document confirming its notification. The decision was communicated to SIA by sending it to SIA on January 11, 2024 by registered mail. No. [..] to SIA's legal address: Kastaniu iela 2A – 15, Jelgava, LV – 3008, as well as additionally to SIA The postal address indicated on the website: Skolotāju iela 3, Jelgava, LV – 3001. According to State shares for publicly available information on the "Latvijas Pasts" website pasts.lv, both postal shipments were delivered on January 24, 2024. In addition to the above, the Decision was electronically notified (sent) to SIA on the website for the indicated communication channels: jkmediagroup.lv@gmail.com, redaktors@jelgavniekiem.lv, [..]@novaja.lv, [..]@novaja.lv. On the day of signing the Report, the Decision was not disputed, information (answer) about Execution of the decision was not received within the specified term, nor was information received about reasons for not providing information (answer). On February 19, 2024, the Inspection Officer carried out a repeat of the SIA website examination (hereinafter - Inspection Act), finding that the publications mentioned in the Decision (hereinafter - Publications) containing [...] personal data - name, surname and photos are still available On the website, thus SIA continues to carry out [...] personal data processing, contrary to the provisions of the Decision. 4.2. The official, based on the information in the Report and annexes, with of February 22, 2024 decision no. [..] initiated administrative violation case no. [..] about that SIA did not ensure the execution of the Decision, thus, continuing to process [...] personal data - name, surname and photo processing - publishing on the website, in violation of the basic principles of processing, namely Data 4 Received and registered in the inspection on August 22, 2022[..]r No. 5 6 the last day for submitting a written answer by mail or sending it electronically with a secure electronic signature [..][..] 7 Inspections of February 19, 2024 a[..]No. 8[..], [..] 3 Regulation Article 5(1)(a), (c), Article 6(1), the first sentence of Article 32 of the Data Law and the second part, as well as the data subject's rights in accordance with Article 12, Clauses 1-5 of the Data Regulation, without notifying the Data Subject about the action performed after the Request in accordance with the Data Regulation Article 17, and has not complied with the order of the supervisory authority (Inspection) in accordance with the Data Article 58, Paragraph 2 of the Regulation and has not provided access to information in violation of the Data Regulation Paragraph 1 of Article 58. Administrative violation qualified according to Article 83, Article 5 a), b) and e) of the Data Regulation in subsection for signs of an administrative violation. 4.3. The case materials contain the letter of the Inspection official of February 22, 2024, with which SIA was informed about the initiated administrative violation process, case review date and time, as well as invited to provide explanations by March 14, 2024, submissions or requests of a different nature, as well as evidence. 10 4.4. The case materials contain the letter of the Inspection officials of March 6, 2024, with who [..] was informed about the initiated administrative violation process and invited to evaluate the issue of recognition as a victim in the Case, by submitting the relevant request and specifying someone damage [..] is caused as a result of SIA's actions. 11 4.5. The case materials contain the explanations of SIA dated March 15, 2024 (hereinafter - Explanations). In the explanations, SIA states that [..] is talking about the articles that were on the website published on January 23, 2011 and February 1, 2012, but the website of SIA Tīmekļa in its took over the management only in June 2012, and the previous owners did not have access to it archive materials. In order to deal with the situation, in December 2023, SIA concluded an agreement with "[..]" SIA, with which are undergoing technical changes that allow access to old archives of previous owners materials. Currently, after 3 (three) months of work, it has been possible to access the archived materials, and both links pointed to by [..] have been deleted. Considering that by investing significant financial resources, which significantly lowered the company profitability, the situation that arose through no fault of the company has been eliminated, SIA asks for an opportunity terminate the case of an administrative violation. The contract of January 5, 2024 mentioned in the Explanation is attached to the Explanations No. [..] between SIA and "[..]" SIA Regarding the development of the portal platform. 12 4.6. The case materials contain [...] a reply letter dated March 4, 2024, in which [...] expresses a request for recognition as a victim in the Case, indicating the further justification of the victim's status for allocation. [..] believes that the violation of his subjective rights is a harm in itself. Namely, In Article 8, paragraph 1 of the Charter of Fundamental Rights of the European Union, there is the right to data protection formulated as individual subjective rights inherent to a person, that is, every person has the right to the protection of your personal data. Article 1, paragraph 2 of the Data Regulation also states that the regulation protects the fundamental rights and fundamental freedoms of natural persons and, in particular, their rights to the person data protection, that is, the right to personal data protection is mentioned as one of the person fundamental rights and fundamental freedoms, thus the violation of a person's fundamental rights is harm. A contrary understanding would undermine the idea of fundamental rights based on personal dignity. Similarly, the actions of SIA in a long period of time, contrary to [..]requests, to distribute pictures in which he is seen almost naked, has caused difficulties [...] in professional and private life. So far there hasn't been no workplace or other collective that has not seen him in underwear even before he has had the opportunity to meet these persons in real life conditions. Earlier discussions on various holding positions have stopped at the fact that such photos are still publicly available, in which [...] can be easily identified. 9 Inspection letter no. [..]About sending the decision, submitting explanations and examining the case 10 Inspection letter no. [..]About sending the decision and examining the case 11 Received and registered in the inspection on March 18, 2024 with no. [..] 12 Received and registered in the inspection on March 4, 2024 with no. [..] 4 [..] indicates that his current job duties include, among other things, the LR Saeima representation in the Constitutional Court proceedings. Such representation is made difficult by the fact that the public is always available photos that were taken more than 10 years ago and do not reflect the aspects that he purposefully improved in his daily life in the last decade. In addition, the feeling of powerlessness and the loss of confidence in the institutions of a democratic state under the rule of law caused by such dishonest the actions of individuals and the ability to remain unpunished, regardless of their illegal actions, creates [...] additional emotional harm. 4.7. The case materials contain the Official's decision of March 6, 2024 no. [..] – 2 Par the granting of victim status, which was notified by the Inspection's letter 13 of March 6, 2024 [..], informing [..] about the date and time of the case hearing, as well as inviting additional submissions explanations, submissions or requests of a different nature, as well as evidence. [..] has not provided additional explanations in the Case and has not submitted any additional requests or submissions. 4.8. The case materials contain the Official's inspection protocol of March 20, 2024 14 (hereinafter referred to as the Inspection Protocol), from which it follows that the Official, in order to make sure of SIA The truthfulness and compliance of the information provided in the explanations with the actual situation of 2024 On March 20th, the website was revisited. at 10.42 by entering the Website address in a web browser (www.jelgavniekiem.lv), a notice was presented with the following text in English: "Internal Server Error. The server encountered an internal error or misconfiguration and was unable to complete your request.n Please contact the server administrator, webmaster@susurs.com and inform them of the time the error occurred, and anything you might have done that might have caused the error. More information about this error may be available in the server error log.” (translation from English: Internal server error. The server encountered an internal error or misconfiguration, and it could not fulfill your request. Please contact the server administrator webmaster@susurs.com and let them know when the error occurred and what you have done, which could have caused the error. More information about this error can be found in server error in the magazine." at 11.30 re-entering the website address in the web browser (www.jelgavniekiem.lv), the same message is displayed with the following text: "Internal Server Error. The server encountered an internal error or misconfiguration and was unable to complete your request.n Please contact the server administrator, webmaster@susurs.com and inform them of the time the error occurred, and anything you might have done that might have caused the error. More information about this error may be available in the server error log.” (translation from English: Internal server error. The server encountered an internal error or misconfiguration and it could not fulfill your request. Please contact the server administrator webmaster@susurs.com and let them know when the error occurred and what you have done, which could have caused the error. More information about this error can be found in server error in the magazine." In view of the above, it was found that the website was not working during the inspection, and it was not possible to verify the content posted on the Website. 5. Normative act providing for liability for administrative violation: Data Article 83, paragraph 5, subparagraph a), b) and e) of the regulation. 5.1. According to Article 132 of the AAL, when considering an administrative offense case, it must be ascertained whether an administrative offense has been committed, or the relevant person is guilty of committing it, or this a person can be held administratively liable, or there are mitigating and aggravating factors circumstances, as well as other circumstances that are important for the correct decision of the case should be clarified. 13 In the inspection, letter no. [..] About sending the decision and examining the case 14 Registered in the inspection on March 20, 2024 with no. [..] 5 5.2. The first part of Article 5 of the AAL stipulates that an administrative offense shall be recognized illegal, culpable behavior (action or inaction), for which the law or the municipality binding regulations provide for administrative responsibility. 5.3. Administrative responsibility for the basic principle of processing, including the condition of consent, in compliance with the Data Regulations Articles 5, 6, 7 and 9, on the data subject's rights provided for by Articles 12-22 of the Data Regulation and on non-compliance with the order of the supervisory authority in accordance with Article 58, Clause 2 of the Data Regulation, or not providing access in violation of paragraph 1 of Article 58, violations. 5.4. Thus, in order to establish that SIA has committed an administrative violation, which is intended In Article 83, Clause 5, subparagraphs a), b) and e) of the Data Regulation, it is necessary to establish that SIA: 1) performed [...] personal data processing on the SIA Tīmekļa website, in violation of Article 5, Clause 1 of the Data Regulation and the basic principles of personal data processing defined in Article 6, paragraph 1, namely, is carried out unlawfully [...] processing of personal data; 2) has not respected [...] the rights in accordance with Articles 12-22 of the Data Regulation, that is, it has not informed [..] about the action carried out following the Request, nor has it informed about extensions of the deadline for providing information and/or reasons for non-performance, 3) none has complied with the order of the supervisory authority (Inspection) in accordance with Article 58 of the Data Regulation paragraph 2 and has not provided access to information in violation of Article 58 paragraph 1 of the Data Regulation, namely did not comply with the Decision, as well as did not provide information to the Inspectorate within the deadline specified in the Decision (answer) on the execution of the Decision or information on the reasons for not providing an answer. 5.5. The legal framework for the processing of personal data is determined by the Data Regulation, the Data Law and other regulatory acts. 5.5.1. According to Article 4(1) and (2) of the Data Regulation, "personal data" is any 15 16 information relating to an identified or identifiable natural person, in turn "processing" is any operation performed on personal data or sets of personal data 17 or a set of actions that are fully or partially performed by automated means, as well as actions with 19 for such personal data that form or are intended to form part of the file. That way [..] name, surname and picture are considered personal data, but their publication on the website of SIA Tīmekļa, is the processing of personal data within the meaning of subsections 1) and 2) of Article 4 of the Data Regulation. 5.5.2. Subparagraph 7 of Article 4 of the Data Regulation states that the processing of personal data 20 Compliance with the Data Regulation is the responsibility of the controller. It follows from the case materials that in the specific case in this case, the controller for the [..] personal data processing carried out on the website is SIA. 5.5.3. Article 5 of the Data Regulation defines the basic principles of personal data processing, in accordance with for which the processing of personal data must be a) lawful, fair and transparent and c) only according to the intended purpose and to the extent necessary for it, but in Article 6 - processing lawfulness, meaning that the processing is lawful only to the extent and only if applicable at least one of the grounds mentioned in Article 6, paragraph 1. In accordance with Article 5 of the Data Regulation For paragraph 2, the manager is responsible for compliance with Article 5 paragraph 1 and can demonstrate this. So, only by observing the basic principles of data processing specified in Article 5 of the Data Regulation and existing 15 an identifiable natural person is one who can be directly or indirectly identified, in particular with reference to an identifier, for example, the name, surname, identification number, location data of the mentioned person, online identifier or one or more physical, physiological, genetic, spiritual, economic, cultural or social identity factors 16 data subject 17 such as collection, registration, organization, structuring, storage, adaptation or transformation, retrieval, viewing, using, disclosing, transmitting, distributing or otherwise making available, matching or combining, restriction, erasure or destruction 18 Personal data processing by automated means includes data processing in information systems where possible 19 read a person by specific identifiers, for example, using information technical systems. any structured set of personal data that is accessible according to specific criteria, whether or not A set of 20 is centralized, decentralized or dispersed based on functional or geographical motivation. natural or legal person, public institution, agency or other body, alone or jointly with others determines the purposes and means of personal data processing [...] 6 to any of the legal grounds specified in Article 6, Clause 1 of the Data Regulation, persons data processing may be recognized as lawful. 5.5.4. The controller must also ensure the fulfillment of other requirements specified in the Data Regulation and the Data Law, including the data subject's rights set out in Chapter III of the Data Regulation and Chapter VIII of the Data Law compliance. Paragraphs 1-5 of Article 12 of the Data Regulation provide for the controller's obligations to the data subject [..] ensure all communications referred to in Articles 15-22 [..] regarding processing [..]. The manager contributes to the data implementation of the subject's rights in accordance with Articles 15-22. [..] The manager without undue delay and in any case, within a month after receiving the request, the data subject is informed of the activity, made upon request in accordance with Articles 15-22. If necessary, the said period can be extended for another two months, taking into account the complexity and number of requests. Manager inform the data subject of any such extension and the reasons for the delay within a month after receiving the request. [..] If the controller does not perform an action requested by the data subject, the controller informs the data subject without delay and within a month at the latest after receiving the request the reasons for non-performance and the possibility to file a complaint with the supervisory authority and appeal in court. The information [...] implemented in accordance with Articles 15-22 [...] shall be free of charge. [..]. 5.5.5. Clause 2 of Article 58 of the Data Regulation sets out the corrections of the supervisory authority powers, including the powers of the Inspectorate to issue an order to the manager specified in subsection (c). to fulfill the data subject's request to exercise the rights granted to him in accordance with this regulation. Data Article 58, paragraph 2 d) of the regulation provides for the authority of the Inspectorate to issue an order to the manager to coordinate processing operations with the provisions of the Data Regulation, if necessary – in a specific manner and in a specific period of time. On the other hand, in accordance with Article 58, Paragraph 1, Subsection e) of the Data Regulation, the supervisory authority have the authority to obtain from the controller and processor access to all personal data and all information necessary for the performance of its tasks. The first parts of Article 5 of the Data Law Paragraph 3 provides for the right of the Inspectorate to request according to its competence and free of charge in the specified amount and form to receive from private individuals, state administration institutions and information, documents or their copies and others necessary for officials to check materials, including restricted information. 5.6. The official, after evaluating the materials in the Case in connection with SIA and [..] provided explanations, has reached the following conclusions: 5.6.1. Regarding the processing of [..] personal data carried out by SIA on the website of SIA. It follows from the case materials that SIA justified the processing of personal data of the data subject with SIA the right to freedom of information. In this case, Article 85, paragraph 1 of the Data Regulation, which determines the procedure for processing, should be taken into account and in determining the mutual balance of freedom of speech and information, providing that member states with to its legislation maintains a balance between the right to the protection of personal data in accordance with regulation and the right to freedom of expression and information, including processing for journalistic purposes and for the purposes of academic, artistic or literary expression. Data processing in connection with freedom of speech and information is determined by Article 32 of the Data Law, which the first part states that the person has the right to process data for academic, artistic or for the needs of literary expression in accordance with the regulations, as well as process data for journalistic purposes, if it is done with the aim of publishing information that affects the public interests. In accordance with the second part of the mentioned article, when processing data for journalistic purposes, regulations provisions (except Article 5 of the Data Regulation) do not apply if all of the provisions in this chapter are available listed conditions: 1) data processing is carried out to exercise the right to name and information freedom, respecting a person's right to private life, and such data subjects are not affected interests that require protection and are more important than the public interest; 2) data processing is carried out with the aim of publishing information affecting the public interest; 3) data regulations compliance with the rules is incompatible with or prevents the exercise of the right to freedom of expression and information. In addition, the concept of "journalistic needs" should be interpreted as broadly as possible, including activities with objective 7 publish information, opinions or ideas through any means of dissemination. 21 This means that even after establishing the conditions of the second part of Article 32 of the Data Law, which exempts controller from complying with the requirements of the Data Regulation, the controller remains bound by Article 5 of the Data Regulation the established basic principles of data processing, namely, must be ensured from Article 5, paragraph 1 of the Data Regulation The requirement arising from subparagraph a) to make sure that everything has been observed in the processing of personal data processing conditions and the principle of minimality resulting from subsection (c), and it is not allowed, that the processing of personal data is carried out in an amount that is not appropriate for the purpose, i.e. according to the principle "the more, the better”. Therefore, the processing of [..] personal data carried out by SIA on the website of SIA could be recognized legal if it complies with the basic principles set out in Article 5 of the Data Regulation. The purpose of the Data Regulation is to protect the fundamental rights and freedoms of natural persons and in particular the right to the protection of personal data, however, it should be noted that the right to personal data protections are not absolute and must also be balanced with other fundamental rights. Although in this decision in the mentioned case, SIA has the right to take photographs and filming activities, in order to inform the public about current events in the city and county, including for cultural events held, SIA needs to evaluate whether the publication of such images would not conflict with the data subject's interests that require protection and are more important than public interest. When exercising the mentioned right to freedom of speech and information, one must not violate another person In the Constitution of the Republic of Latvia, in international and legal acts of the Republic of Latvia the strengthened fundamental rights of others to privacy and protection of personal data. In accordance with The processing of personal data of data regulations should be designed in such a way that it serves a person. The right to a person data protection is not an absolute prerogative; they must be considered in relation to their f22ction in society and must be balanced with other fundamental rights in accordance with the principle of proportionality. It follows from the above that the right to freedom of expression can be exercised in the same sense as any other right possessed by a person human rights, i.e. the right to freedom of speech, are not and cannot be superior to, for example, individuals 23 the right to personal data protection, and the principle of proportionality must be observed in their implementation, in each making an assessment in the specific case. When evaluating the rights, it must be taken into account that the public has the right to be informed about issues of public importance and the mass media have the right to disseminate them. Considering that between these two rights also include the right of a private person to the inviolability of private life, the controller must balance all the above-mentioned interests. Namely, or the data of natural persons processing (interference in a person's private life) is proportionate to the contribution that a journalist/mass media/writer/blogger has wanted to make a contribution to society as well as a contribution society cannot realize the natural person in less offensive ways (for example, without processing data of natural persons in general). Also, whether the question in question is to be assessed in conjunction necessary in a socially significant discussion (whether it can make a significant contribution to society and is legitimately necessary). In this sense, the Parliamentary Assembly of the Council of Europe emphasizes that every person is important the right to privacy and the right to freedom of expression because it is democratic the foundation of society. These rights are neither absolute nor enforceable in a hierarchical order, because they are equally important. However, the Assembly points out that in Article 8 of the European Convention on Human Rights the established right to the inviolability of private life provides for the protection of private individuals not only against public authorities, but also against private individuals or private sector institutions, including the media 21 cf. In the judgment of the European Court of Justice of December 16, 2008, in the case Satakunnan Markkinapčrssi and Satamedia, C -73/07, ECLI:EU:C:2008:727, 52-61. point 22 Recital (4) of the Data Regulation. 23 See, for example, Article 8, paragraph 1 of the Charter of Fundamental Rights of the European Union: "Everyone has the right to his protection of personal data" and paragraph 2 of Article 8: "Such data must be processed in good faith, for specific purposes and with the consent of the person concerned or with other legal grounds provided for by law. Everyone has approaches the right to the data collected about him and the right to have this data rectified." 8 funds, interference in their private life. 4 Taking into account what was found in the Case and what is indicated in this decision, the Inspectorate does not find that SIA would implement Data Regulation-compliant and proportionate [...] processing of personal data by making publicly available [...] faces and body images on the SIA Tīmekļa website, where the said images [..] are seen without outerwear (only in swimming trunks, underpants or shorts with partially naked body) more than 12 years after events mentioned in the publications. SIA continuing to process the mentioned [..] personal data even after the [..] Request for personal data after receiving data deletion, such circumstances are implemented, as a result of which [...] the right to privacy and the protection of personal data is violated to a higher extent than the rights of SIA and the company and freedom of information. Based on the above, the Inspectorate concludes that the Data Law is being implemented in the specific case to the requirements of the first and second parts of Article 32 and Article 5, paragraph 1 a) and processing of personal data not in accordance with point c) [..]. 5.8.2 Regarding the observance of the rights of [..] as a data subject. It follows from the case materials that [...] on May 6, 2022, contacted SIA by telephone with the desire about the removal of content from SIA's website, as a result of which [...] was invited to apply in writing to Ltd. with the exact address of the article and your wish. The inspection finds that [...] on May 6, 2022 applied at the website of SIA Tīmekļa with a request by sending it in an electronic mail to SIA Tīmekļa the website's electronic mail address [..]@novaja.lv, where the website was requested to remove the pictures, containing [..] images, from Publications. The case materials contain information that [..] has not received information (answer) to his Request, i.e. SIA since May 6, 2022 and still has not informed [..] about the operation, which was made after the Request, and also did not inform about the deadline for providing information reasons for extensions and/or non-performance. Also, it can be concluded from the Case materials that SIA did not respond to several Inspections invitations to fulfill [..] the data subject's Request .5 In view of the above, the Inspectorate concludes that SIA has not complied with the Data Regulations in its operations The requirements set out in clauses 1 - 5 of Article 12, thereby violating the rights of the data subject in accordance with Article 17 of the Data Regulation. 5.8.3. Regarding the execution of the Inspection Decision. It follows from the case materials that the Decision was adopted on January 10, 2024. In the decision in accordance with Article 58, Clause 2, c) and d) of the Data Regulation, an order was issued to SIA to The actions mentioned in the decision and in accordance with Article 58, paragraph 1, subparagraph e) of the Data Regulation SIA requested that SIA inform the Inspection in writing about the implementation of the Decision by 2024 for February 6, by submitting a certified copy of the answer provided to the Inspectorate and a document which confirms its notification. In accordance with the first and second parts of Article 70 of the Law on Administrative Procedure, the decision enters into force effective from the moment it is notified to the addressee, while the decision is notified to the addressee accordingly Notification Act. The second part of Article 4 of the Notification Law provides that the legal entity the document is notified to its legal address. According to the first part of Article 139 of the Commercial Law, the company's legal address is the address, where the management of the company is located. Therefore, the SIA must be reachable at the registered in the commercial register The legal address of the SIA, including the SIA, must ensure the receipt of correspondence. Paragraphs three and four of Article 8 of the Notification Act provide that a document notified as a registered postal item shall be deemed to have been notified on the seventh day after its delivery to the post office, as well as if a certificate is received from the post office about the delivery of the parcel or a document sent back, the same for 24 Resolution 1165 (1998) of the Parliamentary Assembly of the Council of Europe of 16 June 1998 on the right to private inviolability of life, paragraphs 11 and 12. 25 It follows from the Decision that the Inspection in the letter of February 16, 2023 no. [..] and on March 30, 2023 in letter no. [..] invited SIA to fulfill the requirements of Article 12.1 - 5. of the Data Regulation, i.e. fulfill the Request and inform [..] about the action performed after the Request or for the reasons for not performing the action. 9 itself is not affected by the fact of notification of the document. The presumption that the document has been announced in the seventh on the day after it is delivered to the post office or on the eighth day from the day it is registered in the institution as being sent document, the addressee can refute by pointing to objective circumstances independent of the addressee wishes were an obstacle to receiving the document at the specified address. The decision was communicated to SIA by sending it to SIA on January 11, 2024 by registered mail. No. [..] to SIA's legal address: Kastaniu iela 2A – 15, Jelgava, LV – 3008, as well as additionally to SIA The postal address indicated on the website: Skolotāju iela 3, Jelgava, LV – 3001. According to State shares for publicly available information on the website of "Latvijas Pasts" company pasts.lv, both postal shipments were delivered on January 24, 2024. In addition to the above, the Decision was sent electronically to those indicated on the website of SIA communication channels: jkmediagroup.lv@gmail.com, redaktors@jelgavniekiem.lv, [..]@novaja.lv, [..]@novaja.lv. Taking into account the above, it can be concluded that the information (answer) provided by the Inspection SIA regarding the Decision 26 execution should be received, at the latest, on February 14, 2024. After evaluating the circumstances in the Case and the evidence obtained in the Case, the Official concludes that SIA has not complied with the provisions of the Decision that SIA: 1) must provide Data Regulation-compliant [..] processing of personal data on the SIA Tīmekļa website, editing the publications or those mentioned in the Decision deleted as a whole, 2) the requirements of Article 12, paragraphs 1 - 5 of the Data Regulation must be fulfilled, i.e. must fulfill [...] Request and must inform [..] about the action taken after the Request or about the action reasons for non-implementation, 3) as well as the fact that SIA had to submit to the Inspectorate by February 6, 2024 information on the execution of the Decision, therefore, has not been observed by the supervisory authorities (Inspections) order in accordance with Article 58, paragraph 2 of the Data Regulation and has not provided access to information, in violation of Article 58, paragraph 1 of the Data Regulation. 5.8.4. SIA explains that it did not have access to the archive of the previous owners materials in order to edit the Publications or delete them, the situation did not arise due to the fault of SIA. In accordance with Article 24, paragraph 1 of the Data Regulation, taking into account the nature and extent of processing, context and intentions, as well as risks of varying likelihood and severity with respect to rights and freedoms of natural persons, the manager implements appropriate technical and organizational measures to ensure and be able to demonstrably demonstrate that processing takes place in accordance with this regulation. If necessary, the mentioned measures are reviewed and updated. In addition, in accordance with the Data Regulation According to Article 5, paragraph 2, the controller is responsible for compliance with data processing principles such as Data the principle of data integrity referred to in Article 5, paragraph 1 of the regulation, therefore the controller (SIA) has must be able to demonstrably demonstrate that it implements personal data processing in accordance with the Data Regulation. In the context of the above, the Official concludes that the statement of SIA that it was not available archive files of the previous owners of the Website, and therefore the manager (SIA) did not it is possible to make changes to the content of Publications (for example, to delete [...] those containing personal data text and image items) are not considered as justifications according to the Data Regulation of the person for restricting and editing data processing, because the manager (SIA) is responsible for SIA Tīmekļa the processing of personal data carried out on the website and the personal data processing conditions are determined directly by SIA to how the website functions, what is published on it, etc., therefore directly to SIA, according to the Data Article 24, paragraph 2 of the Regulation and Article 5, paragraph 2 of the Data Regulation, using various technical and organizational measures, it is necessary to be able to transparently make changes to the Website, so that prevent personal data processing activities that do not comply with the Data Regulation. One of the main ones the manager's priorities are the availability of information to the manager himself. Thus, even if the owner does not it is possible to edit a specific item on the Website because it is not available in the website archive, the manager (SIA) is required to delete the specific item on the Website if the manager does not it is possible to delete a specific item of the Website, it must then delete the specific Website 26 Letter of reply, sent on 6 February 2024 by ordinary post 27 are processed in such a way as to ensure adequate security of personal data, including protection against unauthorized access or illegal processing and against accidental loss, destruction or damage using appropriate technical or organizational measures ("integrity and confidentiality") 10 a collection of site publications that would contain, among other things, items from the Website (Publications) that process [...] personal data. Anyway, the manager has to do everything possible, using various technical and organizational measures to ensure Data Regulation appropriate processing of personal data, including by deleting or editing Publications. 5.8.5. SIA explained in the Explanations that SIA concluded a contract with "Advailo" SIA, with which technical changes are made that allow access to archived materials that after 3 (three) months investment of work and significant financial resources, has managed to access the archived materials and delete links to Publications. In compliance with the above, SIA asks to find the possibility of an administrative violation close the case. The official concludes that in the Decision SIA a specific deadline was set for both the execution of the Decision, both for providing information to the Inspectorate about the execution of the Decision, but SIA as specified in the Decision has not turned to the Inspection within the deadline and procedure, nor with information about what was imposed in the Decision the initiation of execution of the order, nor with a request to extend the deadline for execution of the Decision, moreover, In the Inspection report of February 19, 2024, it was established that both Publications were available On the website, but in the inspection protocol of March 20, 2024, it was not possible to check SIA Content posted on the website because the website was down. In addition, from SIA Patzerjumoos from the information provided, it does not follow that SIA fulfilled the Request and informed [..] about the action performed following the Request or for the reasons for not performing the action. In view of the above, the Official concludes that there are no such circumstances that would serve as a basis For termination of cases. 5.9. Checking the materials of the Case, evaluating the circumstances of the Case and the evidence in the Case, The official finds that SIA carried out [..] personal data processing on SIA's website in violation The provisions of Article 5, paragraph 1, subparagraphs a) and c) of the Data Regulation, as well as contrary to the Data Regulation Article 12, paragraphs 1 - 5, after [..] Request received until this decision at the time of acceptance, did not inform [..] about the actions carried out at the request of the data subject in accordance with Article 17 of the Data Regulation, and also failed to fulfill the tasks assigned in the Decision in accordance with the Data Regulation Article 58, Paragraph 2 and has not provided access to information in violation of Article 58 of the Data Regulation Paragraph 1, thus committing the administrative offense for which it is intended to be committed administrative responsibility in Article 83 paragraph 5 a), b) and e) of the Data Regulation. 5.10. The official finds that SIA is guilty of Article 83, Clause 5 a), b) and in the commission of an administrative violation provided for in subsection e) is proven by the Report and so attachments and other case materials. 6. Institutions (Officials) that examined the administrative violation case, applicable penalty: 6.1. Subparagraphs a), b) and e) of Article 83, paragraph 5 of the Data Regulation provide that for processing the basic principle, including the condition of consent, pursuant to Articles 5, 6, 7 and 9 of the Data Regulation violations, violations of the rights of data subjects in accordance with Articles 12 - 22, monitoring failure to comply with the authority's order and failure to provide access to information may be enforced administrative fines of up to EUR 20,000,000 or, in the case of a company, up to 4% of its total worldwide annual turnover in the preceding financial year, whichever is the case the amount is greater. Recital (148) of the preamble to the Data Regulation explains that in order to strengthen the Data Regulation enforcement of the rules, in addition to appropriate measures applied by the supervisory authority in accordance with The Data Regulation, or instead, for violations of the Data Regulation should be sanctioned, including administrative fines. In the case of minor violations or if a fine, which could would impose a disproportionate burden on a natural person, a reprimand may be issued instead of a fine. However due consideration should be given to the nature, severity and duration of the violation, whether the violation was committed intentional, actions taken to reduce the harm suffered, degree of responsibility or any respectively previous violations, how the supervisory authority became aware of the violation, compliance measures against the controller or processor, compliance with the code of conduct and any other aggravating or mitigating circumstances. For imposing sanctions, including administrative fines 11 appropriate procedural guarantees should be applied in accordance with general Union rules legal principles and the Charter, including effective judicial protection and due process. 6.2. Pursuant to Article 83(1) of the Data Regulation, the supervisory authority has an obligation ensure that for the violations of the Data Regulation referred to in paragraphs 4, 5 and 6 in accordance with Data the application of the administrative fines provided for in the regulations is effective in each specific case, proportionate and dissuasive. In accordance with Article 83, paragraph 2 of the Data Regulation, when deciding whether to apply the administrative fine, and when making a decision on the amount of the administrative fine, in each case case, the following elements are duly taken into account: a) the nature, severity and duration of the violation, taking taking into account the relevant type, extent or purpose of data processing, as well as the number of affected data subjects and the extent of the damage caused to them; b) whether the violation was committed intentionally or due to negligence; c) any action by the controller or processor to mitigate the damage caused to the data subjects; d) the level of responsibility of the controller or processor, taking into account technical and organizational aspects the measures they implement in accordance with Articles 25 and 32; e) any relevant manager or previous violations of the processor; (f) the degree of cooperation with the supervisory authority in order to compensate violation and mitigate its possible adverse consequences; g) the categories of personal data affected by the breach; h) the manner in which the supervisory authority became aware of the violation, in particular, whether the controller or processor has reported a breach, and in such case – to what extent; (i) if The measures mentioned in Clause 2 of Article 58 have already been directed against the same subject the relevant manager or processor, how the mentioned measures have been fulfilled; j) approved actions compliance with codes in accordance with Article 40 or compliance with approved certification mechanisms in accordance with Article 42; and (k) any other aggravating or mitigating circumstance that may apply the circumstances of the case, for example the financial benefits directly or indirectly derived from the violation or avoided losses. Article 13 of the AAL states that an administrative penalty is a means of influence that is applied to the person who committed the administrative offense in order to protect public order, justice would be restored, the offense would be punished, as well as the administrative offense would be deterred the perpetrator and other persons from committing further administrative violations. According to Article 14 of the AAL, the following penalties can be applied for an administrative violation: warnings, fines, deprivation of rights and prohibition of exercising rights. The second part of Article 19 of the AAL stipulates that the type and measure of the administrative penalty must be taken into account the nature of the offense committed, the identity of the person to be held responsible (for a legal entity – reputation), property status, circumstances of committing the offense, mitigating factors and aggravating circumstances. In accordance with Article 23 of the Data Law, the Inspectorate, adopting the provisions of Article 58 of the Data Law decisions, regarding the imposition of a legal obligation, the Law on Administrative Procedure is applied and with regard to administrative punishments – the record keeping (process) of administrative violations regulatory acts, as far as the Data Law and the Data Regulation do not stipulate otherwise. Data regulations the conditions regarding the application of the administrative fine and its amount differ from the AAL to the included provisions, i.e. the Data Regulation determines otherwise in the relevant matter, therefore When determining the amount of the fine, the official shall apply the provisions contained in the Data Regulation, and accordingly, the penalty is applied according to the provisions of the Data Regulation. 6.3. When determining the penalty, the Official takes into account the nature, severity and duration of the violation, taking taking into account the relevant type, extent or purpose of data processing, as well as the number of affected data subjects - in the specific case, several types of processing specified in Article 5, Clause 1 of the Data Regulation can be found violations of basic principles and data subject rights in accordance with Articles 12-22 of the Data Regulation, as well as SIA has not ensured the execution of the order contained in the Decision, which SIA had to execute according to the Data Article 58, paragraph 2, letter d) of the regulation, and did not provide information on the execution of the Decision, thus in violation of Article 58(1)(e) of the Data Regulation, which corresponds to three of the Data Regulation for administrative violations provided for in paragraph 5 of Article 83, which in essence continued and were not reduced in more than a year and a half since [..] had sent SIA its Request, as 12 were also not completely eliminated within the scope of the Case. The official takes into account that in the committed only one natural person is affected in the violation -[..]; whether the violation was committed intentionally or due to carelessness - there is a sufficient basis to conclude that the violation was committed intentionally, because SIA is aware of her actions, incl. inaction, unlawful nature, foresees its harmful consequences and knowingly allowed these consequences to occur; any action by the controller or processor to mitigate damage caused to data subjects – In the case, it has been established that the victim – [..], SIA's actions resulted in non-material damage that was not prevented, mitigated or compensated; that which category of personal data was affected by the violation - special categories of persons were not affected data; manager's previous violations - SIA has not previously been administratively punished for this decision committing the considered violation; the degree of cooperation with the supervisory authority - even if it is an SIA cooperated with the Inspectorate, provided explanations in the Case, there were no violations until the Case was considered prevented; the way in which the Inspection found out about the violation - upon receiving a Complaint from the victim [..]; any other aggravating or mitigating circumstance applicable to the circumstances of the case - SIA The Official did not find extenuating circumstances, but an aggravating circumstance The Official acknowledges that the unlawful conduct continues despite the Official's demand end it. In determining the amount of the fine, information from the Enterprise Register database was used, where 28 available information as of the date of this decision shows that the last one submitted by SIA information on financial indicators, including annual turnover and profit of SIA, is indicated in the 2022 report. Considering that in the sense of the Data Regulation, the provisions of Article 83, Clause 5 of the Data Regulation violations are considered material violations, as well as the circumstances found in the Case and The conclusions drawn by the official, the official using the ones developed by the Inspectorate Administra29vo the mechanism for determining the amount of fines for companies and individuals persons, recognizes the violation committed by SIA as moderately serious, in accordance with Article 83 of the Data Regulation The administrative fine provided for in the framework of the sanction of sub-paragraphs a), b) and e) of paragraph 5 is EUR in the amount of 332.01 (three hundred and thirty-two euros and one cent). 6.4. At the same time, the Official assesses whether any additional charges are applicable to the particular Case conditions or criteria not reflected in this tool. Also, the Official can take into account 30 Guidelines on the application of administrative penalties developed by the European Data Protection Board (hereinafter – Guidelines for the Application of Administrative Penalties). The said guidelines stipulate that determining the amount of the final penalty, incl. it should be taken into account whether several can be identified within one case simultaneous violations. In cases where the violator is found to have violated several legal provisions, separate fines may be applied. The official concludes that in the specific case SIA has made several Data Regulations violations and is responsible for the violation provided for in Article 83, paragraph 5, letter a), b) and e) of the Data Regulation in committing an administrative offense, and this aspect must be taken into account to determine a higher end punishment. According to Article 83, paragraph 2, letter b) of the Data Regulation, it is necessary to take into account whether the violation was committed intentionally or due to negligence. Although SIA has not previously been administratively fined, The official, taking into account the evidence obtained in the Case, concludes that the administrative violation is done on purpose. Namely, SIA deliberately did not react for almost two years and still does not react neither to [..], as a data subject, the request for data deletion mentioned in the Request, nor to the Inspection for several letters sent as part of the Inspection case, in which SIA was invited to comply Inspections did not comply with the request and to stop illegal [..] data processing, even more so Determined in the decision. 28 Available at: https://info.ur.gov.lv/#/legal-entity/40203120888 29 https://www.dvi.gov.lv/lv/media/289/download 30Guidelines 04/2022 on the calculation of administrative fines under the GDPR, Adopted on 24 May 2023 https://www.edpb.europa.eu/system/files/2024- 01/edpb_guidelines_042022_calculationofadministrativefines_lv_0.pdf 13 At the same time, in accordance with the guidelines for the application of administrative penalties after the sentence mathematical calculation, it is possible to adjust the penalty by evaluating whether it reaches the Data in the regulation the set goals of punishment - is effective, proportionate and dissuasive. The amount of the penalty must be determined according to the context of the offense. Regarding the effectiveness of the penalty, it must be assessed whether it is suitable to ensure the compliance of personal data processing with the Data Regulation and to punish the controller. The principle of proportionality dictates that the appropriate penalty should not exceed what it is necessary to achieve the goal. When assessing proportionality, the infringement must be viewed as a single offence whole, focusing on the gravity of the offense as such. The officer concludes that although the penalty is appropriate to punish the controller, it is not adequate to promote compliance with the Data regulation, therefore, the fine needs to be adjusted. In the specific case, the Official takes into account the fact that SIA has done several things, i.e. 3 (three) Violation of Article 83, Clause 5 of the Data Regulation. Also, the Official takes into account the fact that the violation is committed intentionally and not due to negligence, as well as the fact that the illegal behavior is continued, despite the demands of the Inspectorate to terminate it. 6.5. In view of the above, the Official considers that the fine adjustment by applying the money a fine of EUR 1000.00 (one thousand euro 00 cents) would be adequate to deter SIA from for further violations of personal data processing. Taking into account the above, based on Article 5, Part One, Clause 2 of the Data Law, Article 23, Article 58(2)(i) of the Data Regulation, Article 14(1) of the AAL Paragraph 2, Paragraph 4 of the second part of Article 41, Paragraph 4 of the first paragraph of Article 115, Paragraph 1 of Article 151 part 1, the second and third parts of Article 157, the first part of Article 166 and Article 168, Article 262, Article 269, Official decides: recognize the Limited Liability Company "JK Media group" as guilty of Article 83 of the Data Regulation in committing the administrative offense provided for in sub-paragraphs a), b) and e) of paragraph 5 and punish with a fine of EUR 1000.00 (one thousand euros). In accordance with Article 156 of the AAL, we inform and invite within a reasonable period of time - until 2024 April 15 – to eliminate the violations found in the Case by submitting the requested information to the Inspection information in the scope and form determined by the Inspection. The fine shall be paid in full no later than one month from this decision effective date in any banking institution or after voluntary execution of the fine at the end of the term, this decision will immediately be handed over to a jury for enforcement to the performer. Details for paying the fine: Beneficiary: State Treasury Registration No.: 90000050138 Account no.: LV69TREL1060191019200 Beneficiary BIC code: TRELLV22 Notes: Indicate the date and number of this decision. According to the first paragraph of Article 166, as well as the first paragraph of Article 168 of the AAL, a person called to administrative responsibility, this decision within ten working days from the announcement of the decision days can be appealed to a higher official (Inspection Director) by submitting a complaint Data for the state inspection at Elijas street 17, Riga, LV-1050. 31 The last day for submitting a response by mail or sending it with a secure electronic signature is 14 In accordance with Article 262 of the Law on Administrative Responsibility, the term specified in the decision 1 (one) month is set for voluntary execution of the fine in full the decision has entered into legal force. The procedure for voluntary execution of the fine has been established In Article 263 of the Law on Administrative Responsibility. In the event that the fine is not voluntarily paid within the time limit specified in this decision, then in accordance with the first part of Article 269 of the Law on Administrative Responsibility, the institution after a fine at the end of the term of voluntary execution, the decision on the sentence is immediately transferred to compulsory execution to a sworn bailiff. Please note that, according to Article 568 of the Civil Procedure Law, the decision is voluntary enforcement after the enforcement document has been submitted for enforcement will not relieve the obligation reimburse the execution costs of the bailiff. The fine applied in the process of the administrative violation will be reimbursed procedural expenses and damages to natural resources can be paid on the portal www.latvija.lv, using the e-service Administrative fines check and payment. Officer T. Lashchenkova