DVI (Latvia) - SIA GZ AUTO: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Latvia |DPA-BG-Color= |DPAlogo=LogoLV.png |DPA_Abbrevation=DVI |DPA_With_Country=DVI (Latvia) |Case_Number_Name=SIA GZ AUTO |ECLI= |Original_Source_Name_1=DVI |Original_Source_Link_1=https://gdprhub.eu/images/a/ad/Lemums_dvi_sia_par-korektiva-lidzekla-piemerosanu2.pdf |Original_Source_Language_1=Latvian |Original_Source_Language__Code_1=LV |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Lan...") |
mNo edit summary |
||
(2 intermediate revisions by 2 users not shown) | |||
Line 65: | Line 65: | ||
}} | }} | ||
The DPA reprimanded a controller for processing analytical and marketing cookies before users | The DPA reprimanded a controller for processing analytical and marketing cookies before users took any action on a website. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
On 19 January 2024, the DPA carried out an inspection | On 19 January 2024, the DPA carried out an inspection on the website ''grosauto.lv'', which is operated by SIA GZ AUTO (‘controller’), a company that provided car services. Once the website was visited, a cookie banner appeared with the following text: ‘T''his website uses cookies to optimize its performance. By continuing to use this website, you agree to the use of cookies. Read more''.’ Thus, it appears that visitors are not able to provide consent other way than just continuing to use the website. | ||
When the DPA visited the controller’s e-shop they were taken to another website called detalas.lv. At the bottom of the page a cookie banner appeared with a text saying: | When the DPA visited the controller’s e-shop they were taken to another website called ''detalas.lv''. At the bottom of the page a cookie banner appeared with a similar text as on the previous website saying: ‘''We use cookies to ensure you get the best experience on our website. By continuing to use this website or by staying on the page, you agree to our use of Cookies. Continue''.’ Once they clicked on the ‘Use of cookies’ they were provided with information that the website collected analytical cookies and indicated that as a visitor they could turn off cookies based on the browser they were using. By clicking on ‘Continue’, the banner window disappeared. | ||
Additionally, the website contained a ‘Privacy Policy’ which specified the possibility to withdraw consent in cases where customers’ personal data are processed by SIA GZ AUTO on the basis of customer’s consent. | |||
However, it emerged that the controller used analytical ‘_ga’ cookies (used by Google), marketing ‘_fbp’ cookies (used by Facebook) and necessary cookies from the moment the website was opened – before the consent was provided | However, it emerged that the controller used analytical ‘_ga’ cookies (used by Google), marketing ‘_fbp’ cookies (used by Facebook) and necessary cookies from the moment the website was opened – before the consent was provided | ||
=== Holding === | === Holding === | ||
According to the DPA, the storage of analytical and advertising cookies on the visitors’ end devices was carried out without the legal basis laid down in [[Article 6 GDPR#1|Article 6(1) GDPR]], i.e. without the data subject’s informed consent. Despite the information on the provision of consent and the possibility to withdraw it in the Privacy Policy of the controller, in practice this option did not exist. In fact, the controller must obtain the data subject’s free and informed consent before any other action is taken on the website, including the online store ''detalas.lv'' in accordance with [[Article 7 GDPR]]. | |||
On this basis, the DPA reprimanded the controller for an infringement of Article 5(1)(a), Article 6(1) and [[ | On this basis, the DPA reprimanded the controller for an infringement of [[Article 5 GDPR#1a|Article 5(1)(a)]], [[Article 6 GDPR#1|Article 6(1)]] and [[Article 7 GDPR]]. The controller was ordered to make necessary changes to its website to ensure that the use of cookies complies with the requirements of the GDPR, in particular to ensure an adequate ‘consent mechanism’. | ||
== Comment == | == Comment == |
Latest revision as of 16:18, 4 June 2024
DVI - SIA GZ AUTO | |
---|---|
Authority: | DVI (Latvia) |
Jurisdiction: | Latvia |
Relevant Law: | Article 5(1)(a) GDPR Article 6(1) GDPR Article 7 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 19.01.2024 |
Decided: | 29.01.2024 |
Published: | |
Fine: | n/a |
Parties: | SIA GZ AUTO |
National Case Number/Name: | SIA GZ AUTO |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Latvian |
Original Source: | DVI (in LV) |
Initial Contributor: | im |
The DPA reprimanded a controller for processing analytical and marketing cookies before users took any action on a website.
English Summary
Facts
On 19 January 2024, the DPA carried out an inspection on the website grosauto.lv, which is operated by SIA GZ AUTO (‘controller’), a company that provided car services. Once the website was visited, a cookie banner appeared with the following text: ‘This website uses cookies to optimize its performance. By continuing to use this website, you agree to the use of cookies. Read more.’ Thus, it appears that visitors are not able to provide consent other way than just continuing to use the website.
When the DPA visited the controller’s e-shop they were taken to another website called detalas.lv. At the bottom of the page a cookie banner appeared with a similar text as on the previous website saying: ‘We use cookies to ensure you get the best experience on our website. By continuing to use this website or by staying on the page, you agree to our use of Cookies. Continue.’ Once they clicked on the ‘Use of cookies’ they were provided with information that the website collected analytical cookies and indicated that as a visitor they could turn off cookies based on the browser they were using. By clicking on ‘Continue’, the banner window disappeared.
Additionally, the website contained a ‘Privacy Policy’ which specified the possibility to withdraw consent in cases where customers’ personal data are processed by SIA GZ AUTO on the basis of customer’s consent.
However, it emerged that the controller used analytical ‘_ga’ cookies (used by Google), marketing ‘_fbp’ cookies (used by Facebook) and necessary cookies from the moment the website was opened – before the consent was provided
Holding
According to the DPA, the storage of analytical and advertising cookies on the visitors’ end devices was carried out without the legal basis laid down in Article 6(1) GDPR, i.e. without the data subject’s informed consent. Despite the information on the provision of consent and the possibility to withdraw it in the Privacy Policy of the controller, in practice this option did not exist. In fact, the controller must obtain the data subject’s free and informed consent before any other action is taken on the website, including the online store detalas.lv in accordance with Article 7 GDPR.
On this basis, the DPA reprimanded the controller for an infringement of Article 5(1)(a), Article 6(1) and Article 7 GDPR. The controller was ordered to make necessary changes to its website to ensure that the use of cookies complies with the requirements of the GDPR, in particular to ensure an adequate ‘consent mechanism’.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Latvian original. Please refer to the Latvian original for more details.
Elijas iela 17, Riga, LV-1050, tel. 67223131, e-mail pasts@dvi.gov.lv, www.dvi.gov.lv In case no. [..] Ltd. GZ AUTO Pulkveža Brieža street 93B - 12 Sigulda, Sigulda district, LV - 2150 The decision Riga, 29.01.2024. No. [..] On the application of the corrective measure [1] Information about SIA GZ has come to the disposal of the Data State Inspectorate (hereinafter - I1spekcija). AUTO, registration number 40203231971 (hereinafter - SIA) for violations by persons committed by SIA in data processing using cookies on the SIA website grosauto.lv (hereinafter - the Website). [2] In order to verify the legality of the activities carried out by SIA and in accordance with the Data of Natural Persons Article 4, paragraph 1, paragraph 1 and Article 5, paragraph 1 of the processing law (hereinafter – Data Law) paragraph 1, Article 57 paragraph 1 a) of the General Data Protection Regulation (hereinafter - the Data Regulation) and (h) and Article 58(1)(a), (d), (e) were followed up. 3 [2.1] On January 19, 2024, the inspection official inspected the website of SIA, which found the following: 1) The website offers the opportunity to buy parts for cars, which is doable by visiting the website online store detalas.lv, as well as information about SIA is available location of stores throughout Latvia. By clicking on the "Stores" section, it is possible to find stores and car services, as well as the following information is indicated at the bottom of the page: Details "SIA "GZ AUTO", Reg. No. 40203231971, Legal address: Pulkveža Brieža iela 93B – 12, Sigulda, Postal address: Piebalgas 85, Vaives parish, Cēsu prov., LV-4136, Bank: AS "Citadele banka", SWIFT code: PARXLV22, EUR Account No. LV77PARX0022935610001”. So SIA is the administrator and persons of the Website data controller. 2) A banner window with write "This website uses cookies to optimize its operation. By continuing to use this website, you you agree to the use of cookies. Read more. I AGREE". It is possible to click on "AGREE" and the said banner window closes. 1 https://www.ur.gov.lv/lv/legal-entity/?id=40203231971 2 Regulation of the European Parliament and of the Council (EU) No. 2016/679 (April 27, 2018) on the protection of natural persons regarding the processing of personal data and the free movement of such data and repealing Directive 95/46/EC 3 Inspection report of January 19, 2024 No. [..] 4https://online.detalas.lv/Login/Login.aspx 5https://grosauto.lv/kontakti/ 2 3) At the bottom of the website page, there is a "Customer Registration" section that opened when clicked page https://online.detalas.lv/Register/Register.aspx, which shows a window that the customer can fill out indicating whether there is a natural/legal person, the chosen natural person, the next page opens, in which you must indicate such personal data as name, surname, e-mail, telephone number, the customer must choose the nearest store from of the proposed list and the user's name must be specified. The option to agree or disagree was also offered to receive news, personalized offers by marking "Yes" or "No" and must be marked in some way and want to receive information in Latvian or Russian by SMS or e-mail. 4) Clicking on the "Buy iStore" section opened a page where, as a registered user, both as an unregistered user it is possible to purchase goods. A banner window appears at the bottom of the page with the following text "We use cookies to provide the best possible website usage experience. By continuing to use this website or by staying on the page, you agree to Cookies 7 for use. To continue". Clicking on "Use of cookies" opens the page "Homepages cookies", which provides information about what cookies are used on the detalas.lv page analytical cookies and it is indicated that as a visitor of the detalas.lv page, cookies should be turned off, taking into account the browser you are using. On the other hand, when you press "Continue", the banner window disappears. 5) The website contains a "Privacy Policy" consisting of 23 (twenty-three) sections. Section 13 of the Privacy Policy "The right to withdraw your consent" states: "In cases where Customer data is processed by GZ AUTO on the basis of the Customer's consent, the Customer has the right at any time withdraw your consent, and the data processing based on the Client's consent will be stopped. Your own The Client can correct the consent - revoke it or re-give previously revoked consent by submitting appropriately updated Customer Support Program application form or by contacting GZ AUTO Customer support in the ways specified in the program rules. If the Customer's consent becomes invalid or is revoked or cancelled, GZ AUTO deletes the data processed on the basis of the Customer's consent, unless there is also another basis for their processing to reach others the purposes of data processing provided for in this Policy, but in the cases specified in the Policy - GZ AUTO permanently anonymizes the data. In any situation, the consent given by the Client and proof of it in GZ AUTO can also be stored for a longer period if it is necessary to be able to protect your rights in connection with demands and claims made against GZ AUTO." 6) By clicking on the open website with the right mouse button of the working computer during the viewing pages without consent, the browser's menu window opens, and selecting the "Inspect" option but then in the top section of the "Application" option, and on the left side of the "Cookies" section, you can see that The website uses analytical cookies "_ga". On the other hand, during the inspection, if consent is given, then it was found that both analytical cookies and marketing cookies '_fbp' are used as also necessary cookies. Also, checking which ones on the detalas.lv website's online store page cookies are used, it was found that analytical "_ga" cookies are used on the mentioned page. According to publicly available information, cookies such as “_ga”, “_gid”, “_gat” are Google cookies, they are used to analyze website visitors. On the other hand, "fbp" is Facebook cookie to display ads while on Facebook after visiting the site. In general, after evaluating what is available on the website, including the online store detalas.lv information, during the inspection it was found that the website is not provided with legal correct possibility for the website user to agree/opt-out in accordance with regulatory requirements from the use of cookies. A website is not only used for the functionality of the website necessary cookies, but also other types, such as analytical and advertising cookies, without the visitor consents given by (the data subject). 6 7https://online.detalas.lv/Login/Login.aspx?lang=lat 8https://detalas.lv/majaslapas-sikdatnes/ https://policies.google.com/technologies/cookies?hl=lv 3 [2.2.] Based on the information obtained during the inspection, inspections were started on January 19, 2024 case no. [..] (hereinafter – the Case) regarding the processing of personal data on the Website using cookies. [3] In accordance with the findings in points [1-2] of this decision, the Inspectorate concludes the following. [3.1] In accordance with the Data Regulation, cookies and other tracking technologies that may be used to profile or identify users, must be considered personal data and thus have applicable requirements of the Data Regulation. The Court of the European Union 11 has also recognized that cookies processing of personal data of data subjects, which is subject to data protection, is carried out in the form of use requirements. [3.2] In accordance with Article 4, subsection 7) of the Data Regulation on the adequacy of personal data processing is the responsible manager 12 and according to the information provided on the website, SIA is recognized as controller for the processing of personal data carried out on the website. This means that SIA, as the controller, must comply with Article 5 of the Data Regulation in the processing of personal data the established basic principles of personal data processing, according to which: 1) personal data must be processed in a lawful, fair and transparent manner; 2) collection of personal data shall be carried out in specific, clear and for legitimate purposes, and their further processing is not carried out in a manner incompatible with said purposes; 3) personal data must be adequate, relevant and contain only what is necessary for their processing purposes; 4) storage of personal data in a way that allows the identification of data subjects cannot be longer as necessary for the purposes for which the relevant personal data is processed; 5) personal data must be processed in such a way as to ensure adequate security of personal data, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage using appropriate 13 technical or organizational measures. According to Article 6, Clause 1 of the Data Regulation, the controller the processing of personal data carried out is lawful only to the extent and only if in relation to it at least one of the following legal grounds is applicable: consent, contract enforcement, legal obligation, public interest, protection of vital interests and legitimate interests compliance. In addition, in accordance with the principle of accountability established in Article 5, paragraph 2 of the Data Regulation, directly the manager is obliged to ensure a personal data processing process that allows proving that the manager the processing of personal data is in accordance with the requirements of the data protection regulatory framework. In compliance with the above, the Inspectorate states that only in accordance with the provisions of Article 5 of the Data Regulation basic principles and in the presence of any of the legal provisions specified in Article 6, Clause 1 of the Data Regulation grounds, the processing of personal data may be recognized as legal. On the other hand, if the mentioned conditions are not met complied with, the personal data processing performed by the controller does not comply with the requirements of the Data Regulation and may not be done perform. Thus, before processing personal data, the manager must assess whether there is a legal and bona fide purpose for the planned processing of personal data, whether it is possible to achieve this purpose with the planned one processing of personal data and whether this goal cannot be achieved by processing personal data in a smaller way in volume, in a different way or without processing them at all. 9 Personal data is any information with which it is possible to identify a natural person, in particular with reference to an identifier, for example, the name, surname, identification number, location data, online identifier or one or more physical, physiological, genetic, mental, economic, cultural or social identity factors (Article 4, Clause 1 of the Data Regulation) 10 11 Paragraph 1 of Article 4 of the Data Regulation; recitals 26 and 30 Preliminary ruling of the European Court of Justice of June 5, 2018 in case No. C-210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v. Wirtschaftsakademie Schleswig-Holstein GmbH, available at: http://curia.europa.eu/juris/document/document.jsf?text=s%25C4%25ABkdatnes&docid=202543&pageIndex=0&docla ng=lv&mode=req&dir=&occ=first&part=1&cid=4970214#ctx1 12 a natural or legal person, public institution, agency or other body that determines alone or jointly with others the purposes and means of personal data processing [..] 13 Data Regulation, Article 5, Clause 1, subparagraph a) ("lawfulness, integrity and transparency"), subparagraph b) ("purpose limitations”), point c (“data minimization”), point e (“storage limitation”) and point f) (“integrity and confidentiality”). 4 In addition to ensuring the legal basis and respecting the principles of data processing, the controller has also ensure the fulfillment of other requirements of the Data Regulation and the Data Law, including Chapter III of the Data Regulation the mentioned rights of the data subject, including the obligation of the controller in Article 12, paragraph 1 of the Data Regulation take appropriate measures to be concise, transparent and easily accessible, using a clear and plain language, would provide the data subject with all the information referred to in Articles 13 and 14 and ensure all 15-22 communication referred to in Article and Article 34 regarding processing. Although the Data Regulation does not state that all information regarding the processing of personal data by the administrator must be indicated on the administrator's website website, the Data Regulation provides that the said information must be easily accessible, clearly understandable and transparently. In compliance with the requirements of the mentioned legal regulation, regarding the processing of personal data using cookies, the Inspectorate explains that regarding absolutely necessary (technical) cookies use, the manager is obliged to provide the data subject with all the information provided for in the Data Regulation data processing using cookies (including but not limited to the types of cookies used, data processing purpose, data controller, etc.). On the other hand, regarding the personal data provided on the Website processing using cookies that are not absolutely necessary (technical) cookies, Inspection explains that, in addition to the obligation to provide information already mentioned above, it is also necessary prior and informed consent, as the first and second paragraphs of Article 7 of the ISPL state that the information storage in the subscriber's or user's terminal or gaining access to the terminal store14ai information is permitted if the respective subscriber or user has given their consent after has received clear and comprehensive information about the purpose of the aforementioned processing in accordance with the Data regulation. In addition, Article 7, paragraph 3 of the Data Regulation stipulates that the manager must ensure that the data subject You can withdraw your consent at any time as easily as you gave it. The Data Regulation does not stipulate that giving and withdrawing consent must always be done through the same action. However, if consent is obtained by electronic means and with just one mouse click, swipe gesture or keystroke, data subjects should in practice be able to withdraw this consent just as easily. The request for a simple withdrawal is described in the Data Regulation as requiring valid consent aspect. If the right of withdrawal does not meet the requirements of the Data Regulation, then the controller's consent mechanism does not comply with the Data Regulation. In accordance with Article 7, paragraph 3 of the Data Regulation, the controller must inform the data subject on the right of withdrawal before obtaining the actual consent. The inspection indicates that in this particular case the manager (SIA) did not provide the website user the right to agree, the right to agree to the processing of cookies, because the developed banner does not work, let it be possible only agree to the use of cookies. During the inspection, it was found that the website is being processed analytical cookies, regardless of whether the Website User agrees or not at all choice, but if the visitor agrees to the use of cookies, marketing cookies are also processed, thereby misleading the users of the Website. On the other hand, in the "Homepage cookies" rules, which can be found if you visit the website's online store detalas.lv in the cookie opt-out the mechanism is complex. It should also be noted that the website does not provide the possibility to disagree with analytical, for the processing of marketing cookies. In addition, we explain that using cookies requires the consent of the data subject it is not necessary to obtain all the cookies used on the specific website. security-related cookies do not require the data subject's consent to be used by the web website, like personalized cookies, does not require the data subject's consent, however, 15 in order to process analytical or advertising cookies, it is necessary to obtain consent from the user. Namely, the manager has the consent of the data subject must be obtained before any other activities are carried out on the website, including cases 14 The consent referred to in the first part of the Article is not required if the information storage terminal is accessed the information stored in the terminal is necessary for ensuring the circulation of information in the electronic communication network or to an intermediary service provider to provide the service requested by the subscriber or user. 15 Law on Information Society Services 7. the second part of the article 16 Law on Information Society Services 7. first part of Article 5 even if the visitor, for example, does not register a customer on the website, but only browses the website as such.17 The inspection informs that guidelines are available on its website (https://www.dvi.gov.lv/lv/dvi). "Guidelines for the use of cookies on the website", which provide recommendations for administrators who install cookies and uses them to obtain information (personal data processing). In addition, we invite you to familiarize yourself with For inspection explanations "Our website uses cookies, please accept!" (https://www.dvi.gov.lv/lv/jaunums/dvičrevo-musu-timekla-vietne-tiek-izmantotas-sikdatnes-ludzu- agree), "What should I know about cookies?" (https://www.dvi.gov.lv/lv/jaunums/dvičrevo-kas-man-jazina-par-sikdatnem-jeb-cookies). [3.3] In view of the aforementioned, in relation to the use of cookies on the website unarīdetalas.lv, it can be concluded, that the websites use analytical cookies and advertising cookies without the visitor (data subject) given consents, which in fact are not provided free and informed in accordance with the requirements of the Data Regulation the possibility to agree or refuse the use of certain cookies on websites. It follows that the storage of information in the subscriber's or user's terminal is carried out without Article 6, Clause 1 of the Data Regulation the prescribed legal basis, namely without the informed consent of the data subject. On the basis of the above, the Inspectorate finds that the information provided on the website of SIA Tīmekļa the processing of personal data using cookies does not currently comply with Article 5, Paragraph 1 of the Data Regulation (a), Article 6(1), Article 7, ISPL7¹. to the requirements of the first part of Article [4] We inform you that the Inspection implements the "Consult first" principle in its activities, which provides that The primary tasks of the inspection are the effective protection of data of natural persons (instructions on the controller deficiencies identified in the personal data processing and providing suggestions for their elimination) and in case of illegal processing of personal data, performing the necessary actions with the aim of to stop it as soon as possible, thereby reducing the damage caused to the data subject. [5] Article 58, paragraph 2, subparagraph d) of the Data Regulation provides for the authority of the Inspectorate to issue an order for the controller or the processor to coordinate the processing activities with the provisions of the Data Regulation, needs case - in a specific way and in a specific period of time. Article 23 of the Data Regulation stipulates that the Inspection, when making decisions regarding the imposition of a legal obligation, the Law on Administrative Procedure shall be applied (hereinafter - APL). [5.1] Taking into account the above and the fact that SIA has found violations of the provisions of the Data Regulation, For the inspection in accordance with the first part of Article 62 of the APL, deciding on the issuance of an administrative act that could be unfavorable to the addressees, the authority (in the specific case the Inspectorate) is necessary to find out and evaluate the opinion and arguments of the addressees in this case. On the other hand, the second parts of Article 62 of the APL Point 3) specifies that clarifying the person's opinion and arguments is not necessary, if necessary it follows from the essence that clarifying the person's opinion is impossible or inadequate. Given this the factual circumstances specified in the decision, namely that a violation has been detected, from the point of view of the addressee (SIA). clarifying before issuing the decision is not useful, because the opinion or arguments of SIA cannot influence decision on the merits. [5.2] According to the first part of Article 66 of the APL, it is necessary to decide on the administrative act utility of issuance. Namely, when making a decision on the prevention of data processing of an unlawful person, The inspection should evaluate the possibility of deciding on a smaller restriction of personal rights. Evaluating the necessity and necessity of the administrative act, the Inspectorate concludes that the decision adoption is both necessary and necessary to achieve the goal of preventing the Data Regulation and ISPL violations of the rules in personal data processing carried out by SIA using cookies. The administrative act is a suitable means to achieve the goal, as it creates a legal obligation for SIA to prevent detected violations within a specific procedural term, as well as prevent similar violations occurrence in the future. 17 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 on the processing of personal data and life protection in the electronic communications industry. Article 5, paragraph 3, recital 25 6 The administrative act can be considered as the most proportionate means for achieving the goal, because in comparison with the decision on imposing an administrative penalty is considered more lenient. At the same time, legal the imposition of the obligation is aimed at the data subject in the Data Regulation, the Data Law and other regulatory acts provision of the expected fundamental rights to personal data protection. In compliance with the above, the Inspection, on the basis of Article 58, paragraph 1, subparagraph e) of the Data Regulation and sub-paragraph d) of paragraph 2, Article 23 of the Data Regulation, Article 5 of the first part 3 of the Data Law and paragraph 6, paragraph one of Article 13 of the ISPL and paragraph 2) of Article 63 of the first paragraph of the APL, decides: oblige SIA to make the necessary changes to the Website, ensuring that the use of cookies complies with the requirements of the Data Regulation and the ISPL, in particular to ensure appropriate a "consent mechanism" so that data subjects have genuine opportunities to consent and/or opt-out from the use of non-mandatory cookies, to inform in writing about the implementation of the decision until 2024 on March 1, by submitting information about the measures taken by the SIA to the Inspectorate. According to the first and second parts of Article 70 of the APL, the decision enters into force from the moment it is announced to the addressee, while the decision is notified to the addressee in accordance with the Notification Law. Notification Act The second part of Article 4 provides that the legal entity is notified of the document at its legal address. Notifications The third and fourth parts of Article 8 of the law stipulate that a document notified as registered mail, shall be considered notified on the seventh day after it has been delivered to the post office, as well as if a statement is received from the post office delivery of the shipment or a returned document does not in itself affect the notification of the document fact. This decision in accordance with the first and second parts of Article 76, Article 79 of the Administrative Procedure Law the first part and 24 of the Data Law. the first part of the article can be appealed within one month of its entry into force days Data to the Director of the State Inspection. [6] The Inspectorate informs that Article 83, Clause 5 of the Data Regulation provides for the application of administrative fines of up to EUR 20,000,000 or, in the case of a company, up to 4% of its total worldwide annual turnover of the previous financial year, depending on the amount greater, in accordance with Clause 2 for violations of the following rules: on the basic principle of processing, including conditions for consent, subject to Articles 5, 6, 7 and 9, the data subject's rights under Data Articles 12 - 22 of the regulation, if the order of the supervisory authority or temporary or final processing is not followed or restriction of data circulation in accordance with Article 58, paragraph 2 of the Data Regulation, or access has not been granted, in violation of Article 58, paragraph 1 of the Data Regulation. In compliance with the above, the Inspectorate informs that in the event that the provisions of this letter are not fulfilled order, the Inspectorate will implement other powers granted to the Inspectorate in the Data Regulation. Taking into account the fact that from January 1, 2023, all legal entities - companies, associations, foundations, trade unions and other legal subjects registered in the registers in Latvia The official electronic address or e-mail address is mandatory, the Inspectorate invites legal entities to create an e- address. More information is available in the article published on the website of the Data State Inspectorate: https://www.dvi.gov.lv/lv/jaunums/e-adrese. Deputy Director L. Dilba [..] 18 the last day for submitting a written response by post or sending it electronically with a secure electronic signature