DVI (Latvia) - 02/02/2024: Difference between revisions
mNo edit summary |
mNo edit summary |
||
Line 108: | Line 108: | ||
=== Holding === | === Holding === | ||
To begin with, the DPA discussed the transparency requirements and how they were met by the controller. In regard to the various forms of privacy policies published by the controller, it was explained that making them visible and easily accessible only partly complies with the principle of transparency. Privacy policy should be also concise, comprehensible and in clear and plain language to meet all the elements if this principle. That is to say, the fact that the data subject has access to information on the processing of personal data does not in itself mean that the principle of transparency has been respected. In addition, the information on the poster was not explained properly for visitors to know what ‘green wristbands’ mean, how to obtain them or what kind of consent control measures are put in place. This information is also not provided orally and is otherwise misleading from other available source concerning consent collection. In this regard, the DPA found a violation of Articles 5(1)(a), (2) and 12(1) GDPR. | To begin with, the DPA discussed the transparency requirements and how they were met by the controller. In regard to the various forms of privacy policies published by the controller, it was explained that making them visible and easily accessible only partly complies with the principle of transparency. Privacy policy should be also concise, comprehensible and in clear and plain language to meet all the elements if this principle. That is to say, the fact that the data subject has access to information on the processing of personal data does not in itself mean that the principle of transparency has been respected. In addition, the information on the poster was not explained properly for visitors to know what ‘green wristbands’ mean, how to obtain them or what kind of consent control measures are put in place. This information is also not provided orally and is otherwise misleading from other available source concerning consent collection. In this regard, the DPA found a violation of [[Article 5 GDPR#1a|Articles 5(1)(a)]], [[Article 5 GDPR#2|(2)]] and [[Article 12 GDPR#1|12(1)]] GDPR. | ||
The DPA stated that in relation to the collection of consent, the GDPR does not provide for a clear form of consent but lays down requirements for obtaining a valid consent. In this case, controller took photographs on the premises of the amusement park and processed ordinary personal data for which unambiguous consent is required. The key is to obtain an active consent, i.e. a positive action or indication of the person’s willingness to a specific processing operation – taking photos. Therefore, controller’s photographers shall not take photographs on the basis of silence or otherwise arbitrary photography by visitors of the amusement park. Taking photos based on implied consent is possible only if there is an active action on the part of the visitor such as: | The DPA stated that in relation to the collection of consent, the GDPR does not provide for a clear form of consent but lays down requirements for obtaining a valid consent. In this case, controller took photographs on the premises of the amusement park and processed ordinary personal data for which unambiguous consent is required. The key is to obtain an active consent, i.e. a positive action or indication of the person’s willingness to a specific processing operation – taking photos. Therefore, controller’s photographers shall not take photographs on the basis of silence or otherwise arbitrary photography by visitors of the amusement park. Taking photos based on implied consent is possible only if there is an active action on the part of the visitor such as: |
Revision as of 08:34, 19 June 2024
DVI - 02/02/2024 | |
---|---|
Authority: | DVI (Latvia) |
Jurisdiction: | Latvia |
Relevant Law: | Article 5(1)(a) GDPR Article 6 GDPR Article 7 GDPR Article 12 GDPR Article 12(1) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 29.06.2022 |
Decided: | 02.02.2024 |
Published: | |
Fine: | 1,000 EUR |
Parties: | AQAPHOTO |
National Case Number/Name: | 02/02/2024 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Latvian |
Original Source: | DVI (in LV) |
Initial Contributor: | im |
The DPA fined a company offering photography services at an amusement park €1000. The company took visitors' photos based on an implied consent which in reality could not be considered an affirmative action.
English Summary
Facts
On 20 May 2023, the DPA carried out an on-site investigation into operation of company AQAPHOTO (‘controller’) carried out the at the Līvu Akvaparks, a water amusement park. The controller’s primary activity was offering photography services to visitors (‘data subjects’) at the amusement park. For the purpose to capture and provide photographic memories, the controller hired photographers which took photos of the visitors and were recognizable by wearing yellow T-shirts saying “AQUA FOTO TEAM”. The visitors can select their photos on the monitors located at the AQUAPHOTO booth. The controller used facial recognition technology software to identify the individuals that requested their photos.
The controller informed about its data processing operations in 5 different forms available to the visitors. However, their privacy policy was inconsistent across these different places.
- On the amusement’s park website, the privacy policy stated that visitors would be photographed by walking up to the photographers and then obtain their photos at the AQAPHOTO stand.
- The section “Visitor rules” published on their website further specified that visitors with minors under their guardianship may be photographed in the amusement park. If the visitors did not wish to be photographed they had to take a distinguishing sign from the employees of the AWAPHOTO stand.
- On the contrary, the “Terms and Conditions of Photo Services and Personal Data Processing” posted at the company’s stand said that distinguishing sign could be obtained from the amusement park’s cash desk or the photographers hired by AQAPHOTO.
- By a visual information poster at the amusement park’s cash desk with a text saying:
- 'Don't be afraid of the AQUAPHOTO photographer. You do not want to be photographed in red. Green wristbands make many beautiful photographs’
- The posted also provided that the data subjects would not receive photographs of other visitors of the amusement park.
The DPA officers were informed by the controller that the collection of visitors’ personal and biometric data was based on two different consents:
- Consent during the visit – the data subjects were offered two colored wristbands before entering amusement park: green for consent to pictures and red for rejecting this processing. consented to having their photos taken during their visit to the amusement park. In this case, no biometric data processing is involved.
- Consent after the visit – after visiting the amusement park, data subjects consented to biometric data processing, allowing the system to use facial images to recognize and select their relevant photos
In addition to these inconsistencies, the DPA’s inspection revealed that the data processing practice did not meet the data protection standard the company declared. Firstly, the employees of the amusement park did not inform the inspection officers about the possible processing of personal data by means of photography.
Secondly, they did not offer the officers the option to choose between the red or green wristband to express their preference regarding this type of data processing. At the ticket office, the inspection officers also noticed a sign saying: “Don’t be afraid of the AQUAPHOTO photographer” and another one in Latvian, English and Russian: “You don’t want to be photographed in the red wristband, instead, green wristband makes for many beautiful photos.” However, the officers also noted that the visitors did not actually wore a green wristband. The adults wore a grey one and children wore red wristbands. Additionally, the photographs were also taken at various attractions sites, such as “Unique Tornado”, “Jacuzzi” or other attractions with pools where the wristbands were not visible.
Thirdly, the officers asked if visiting the stand before entering the amusement park was required. The cashier clarified it was not obligatory; they would be photographed during their visit and could select the photos afterward at the stand.
Fourthly, none of the visitors of the park was asked for their consent before the photographs were taken.
Fifthly, despite the fact that one of the inspection officers informed the company’s employees that they visited the park alone, they were offered to buy a photo that included both them.
The officers concluded that contrary to the information provided by the amusement park and the company, the data subjects are in fact not verbally informed about the processing of their data by the means of photography carried out on the premises of the park.
The controller claimed that the DPA should consider that the consent was collected by implication. According to the EDPB Opinion 05/2020 consent, whether explicit or not, must be given by a statement or an explicit affirmative action and must express consent to the processing of personal data. This is complemented by recital 32 GDPR which states that consent should be given by an explicit affirmative act including oral communication.
Lastly, the controller raised arguments against the DPA’s inspection at the amusement park and claimed that according to Article 15 Lithuanian Data Protection Law, any inspection must take place in cooperation with the controller.
Holding
To begin with, the DPA discussed the transparency requirements and how they were met by the controller. In regard to the various forms of privacy policies published by the controller, it was explained that making them visible and easily accessible only partly complies with the principle of transparency. Privacy policy should be also concise, comprehensible and in clear and plain language to meet all the elements if this principle. That is to say, the fact that the data subject has access to information on the processing of personal data does not in itself mean that the principle of transparency has been respected. In addition, the information on the poster was not explained properly for visitors to know what ‘green wristbands’ mean, how to obtain them or what kind of consent control measures are put in place. This information is also not provided orally and is otherwise misleading from other available source concerning consent collection. In this regard, the DPA found a violation of Articles 5(1)(a), (2) and 12(1) GDPR.
The DPA stated that in relation to the collection of consent, the GDPR does not provide for a clear form of consent but lays down requirements for obtaining a valid consent. In this case, controller took photographs on the premises of the amusement park and processed ordinary personal data for which unambiguous consent is required. The key is to obtain an active consent, i.e. a positive action or indication of the person’s willingness to a specific processing operation – taking photos. Therefore, controller’s photographers shall not take photographs on the basis of silence or otherwise arbitrary photography by visitors of the amusement park. Taking photos based on implied consent is possible only if there is an active action on the part of the visitor such as:
- inviting the photographer to take the photo,
- visibly posing for the camera, • the visitor smiling and looking at the photographer,
- consent given in advance, during the visit or other obvious actions from which it can be inferred that the visitor wishes to be photographed
Moreover, the DPA listed possible situations which could be misunderstood as consent:
- visitor does not take active steps to approach the photographer to take the photograph
- the photographer pays attention to the visitor of the water park, the visitor does not pay attention to the photographer and does not take active steps to take the photograph
- the visitor indicates by gestures that they do not wish to be photographed
It was concluded that according to the evidence of this case, the manner of obtaining consent by the controller is not compliant with the above-mentioned requirements because:
- the controller could not demonstrate the valid consent as many photos were not based on a clear affirmative action (visitors were not aware of photographers taking pictures at certain attractions)
- consent mechanism was not specified and explicitly explained to the visitors and several options were available to collect it. In fact, implied actions likely gave the photographers false impression of an expression of informed will of data subjects to take the photos.
Therefore, the controller did not provide the data subjects with the right to consent or object to the processing and therefore violated Article 5(1)(a), 6 and 7 GDPR.
With regards to the processing of biometric data, the DPA concluded that this processing is carried out on the basis of explicit consent of a data subject according to Article 9(2)(a) GDPR. Additionally, in the absence of consent, the processing of personal data is based on Article 6(1)(b) GDPR as manual selection of images by visual identification of the customer (data subject) is required for the purpose of concluding a transaction for the purchase of photographs. Therefore, the DPA found no infringement of processing of biometric data.
Regarding the controller’s argument on the validity of the inspection at the amusement park, the DPA considered that this interpretation of the legal provisions is unjustified. Article 15 of the Lithuanian Data Protection Law refers to cases when the inspection is carried out by the DPA using the administrative power granted to it by the regulatory enactments. In the present case, the DPA officers obtained the information not by exercising public authority but by carrying out these acts as any natural person would since they were visiting public places. As a result, the requirements of Article 15 of the Lithuanian Data Protection Law do not apply and the evidence of this case is admissible.
As a result, the DPA fined the controller €1000 for violations of Articles 5(1)(a), (2), 6, 7 and 12(1) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Latvian original. Please refer to the Latvian original for more details.
Elijas iela 17, Riga, LV-1050, tel. 67223131, e-mail pasts@dvi.gov.lv, www.dvi.gov.lv Limited Liability Company "AQUAPHOTO" to the authorized person [...] In case no. [..] The decision Riga, 02.02.2024. No. [..] On the appealed decision in the case of an administrative violation [1.] Data State Inspections (hereinafter – Inspection) [..] (hereinafter – Official) of 2023 On December 15, decision no. [..] "On the imposition of a penalty" (hereinafter - the Decision) administrative in violation case no. [..] (hereinafter - the Case), recognizing the limited liability company 1 "AQUAPHOTO" (hereinafter - AQUAPHOTO) is guilty of the General Data Protection Regulation (hereinafter – Data Regulation) Article 83.5. of the administrative offense provided for in sub-paragraphs a) and b). making, applying an administrative fine of EUR 1000.00 (one thousand euros, 00 cents). The decision was announced on December 15, 2023, by sending it to the authorized representative of AQUAPHOTO to the person [..] to the e-mail address. In accordance with the second part of Article 9 of the Notification Law a document sent by electronic mail shall be considered notified on the second working day after it sending. Therefore, the Decision is considered to have been announced on December 19, 2023. [2.] The decision found the following circumstances: [2.1.] The case materials contain the Officer's report of August 4, 2023 no. [..] about test file no. partial termination and initiation of the administrative violation process" (hereinafter - Report) with attachments. The report states that: [2.1.1.]AQUAPHOTO operates limited liability company "Akvaparks", registrations number 40003508890 (hereinafter - Akvaparks) in the premises and provided by Akvaparks in the water amusement park "Livu" Akvaparks" (hereinafter - Livu Aquaparks) photo services for visitors, thereby making Livu Processing of personal data (photos) of water park visitors – natural persons (data subjects). (acquisition, storage, transfer) in the form of photography. On June 29, 2022, the Inspectorate launched a personal data processing inspection ([..]) to verify Akvaparks and AQUAPHOTOLivė Aquapark visitors - natural persons (data 1Regulation No. 2016/679 of the European Parliament and of the Council (April 27, 2016) on the protection of natural persons in relation to processing of personal data and free circulation of such data and repealing Directive 95/46/EC 2 subject) processing of personal and biometric data, incl. using the one offered by NtechLab facial recognition technology program, providing photography services, matching Data regulation and the requirements of the Personal Data Processing Law (hereinafter - the Data Law). On April 6, 2023, Inspection officials performed an in-person inspection of AQUAPHOTO data at the processing site, i.e. AQUAPHOTO at the customer service point, which is located in the premises of Livu Aquapark Viestura Street 24, Jurmala. AQUAPHOTO was not found within the scope of the mentioned inspection case illegal processing of biometric data, therefore the inspection in this part was completed and with the Inspection August 7, 2023 letter no. [..] AQUAPHOTO was informed that the verification of biometric data processing in inspection case no. [..] has been completed without finding the Data Regulations and Data at AQUAPHOTO's disposal violations of the law. [2.1.2.] At the same time, inspection file no. Within [..] the Inspectorate obtained information which testified that: [2.1.2.1.] AQUAPHOTO is carried out by a visitor of Livu Aquapark - a natural person (data subject) processing of personal data (photos) in the form of photography based on two types of consent: 1) consent of the data subject to take photos during the visit to Livu Aquapark (in this case, no processed biometric data); 2) the data subject's consent, which is already provided after Livu Aquapark for the processing of visit, biometric data (in addition to taking a face image) in order to AQUAPHOTO would recognize and select relevant photos of the data subject in the billboard system; [2.1.2.2.] before entering Livu Aquapark, data subjects are offered to choose one of for two-color bracelets. Consent to take photos is confirmed by a green wristband, a ban to take pictures – a red bracelet; [2.1.2.3.] informing data subjects about the planned processing of personal data in the form of photography and the actual handing out of wristbands is done by Aquapark cashiers. You can also get bracelets at AQUAPHOTO for photographers in Livu Aquapark; [2.1.2.4.] additional information on the processing of personal data in the form of photography is available: 1) On the website of the Aquapark (hereinafter - the Website) in the "Current" section, in which the article "Catch a beautiful a moment!” with the text of the following content: "To make the time spent in the aquapark memorable, use SIA "Aquaphoto" professional photographer services. So that the great moments spent in the water park remain in memories SIA "Aquaphoto" offers the services of professional photographers. Photographers will take great and professional photos, which will be a beautiful addition to the family album for Livu Aquapark the perfectly spent vacation would be immortalized and unforgettable. You will recognize the photographer by the yellow shirt with the inscription AQUA FOTO TEAM! Feel free to go over and say you want a photo for memory. Where are these photos after that can get? When leaving the recreation area, approach AQUAFOTO in the lobby of Livu Aquapark choose the pictures you like best on the stand and monitor and they will be yours! [..] Memorize! If you if you want more beautiful pictures, get a green wristband from the staff of AQUA FOTO, which is located in the water park in the lobby at the entrance! If you don't want photos and you don't want a red bracelet to be taken in your picture![..]”; 2) 1.9 of the "Visitor Terms" section of the website. in subsection: "The visitor is informed that Visitor and his or her minor children or minors under guardianship Aqua Park photographs may be taken in the territory. The visitor has the right to get acquainted with his personal data in connection with photo by manager - SIA "Aquaphoto", reg. No. 40103215468, Dižozolu iela 25-6, Riga, LV-1058, contact information – phone: +371 29846414, e-mail: aquaphoto@inbox.lv. If the Visitor does not want to be photographed, he takes a badge from the employees of SIA "Aquaphoto""; 3) at In the regulations placed on the AQUAPHOTO stand "Photo services and processing of personal data rules" stating that "Consent to photography is confirmed by a green wristband, prohibition – a red wristband, which is issued at the Akvaparks cash desk or can be obtained from in the photographer's attraction area”; 4) with a visual information poster at the Aqua Park cash desks; [2.1.2.5.] data subjects are not provided with photos showing other Livu Aquaparks visitors. 3 [2.2.] Taking into account the conflicting information related to the receipt of data subjects' consent and informing about taking photographs, the Inspection, on its own initiative, carried out on May 20, 2023 face-to-face inspection (hereinafter - May 20, 2023 inspection) of the AQUAPHOTO service at the place of delivery in Livu Aquapark, in order to verify the conformity of the information at the disposal of the Inspectorate actual conditions. [2.3.] The report of the Inspection officials [..] of June 1, 2023 is in the appendix of the report No. [..] and [..] of June 2, 2023, report no. [..] for what was done on May 20, 2023 in Livua Aquapark Check. As part of the mentioned inspection, it was found that: [2.3.1.] at the time of purchase of non-tickets, employees of Liva Akvaparkakase did not inform the non-purchasers Inspection officials about the possible processing of personal data in the form of photography did not provide either information and did not offer the option to choose one of the wristbands (green or red); [2.3.2.] to the question of the Inspection official [..] about the possibilities of receiving photos, Livu The cashier of the water park pointed with her hand to the AQUAPHOTO stand, indicating that it was with them. To the inspection official's clarifying question, or before visiting Livu Aquapark should approach the AQUAPHOTO stand, the Aquapark cashier explained that it is not mandatory, because during the visit to Livu Aquapark, the official will be photographed, after which he will be able to approach AQUAPHOTO stand and choose the relevant photos; [2.3.3.[ Two photographers took photos during the visit to Livu Aquapark in yellow vests. Visitors to Livu Aquapark, including the two officials, before the photo admissions, consent was not asked; [2.3.4.] photos were also taken at moments when visitors to Livu Aquapark participated in various activities in attractions, such as the "Unique Tornado" or located in jacuzzis and swimming pools, where the price was visible; [2.3.5.] none of the visitors to Livu Aquapark had a green bracelet on their arm. Adults wore gray-blue wristbands, while children wore red wristbands; [2.3.6.] a small informational poster with the following text is placed near the Livu Aqua Park ticket offices: "Don't be afraid of the AQUAPHOTO photographer", which states the following in three languages (Latvian, English and Russian). information: "You don't want to be immortalized in red concert gloves. Concert bracelet in green color a lot beautiful photos”; [2.3.7.] despite the fact that the Inspection official [..] informed AQUAPHOTO employees, that she visited the water park alone, was offered to the Inspection official opportunity to purchase and the officer also purchased a photo of both her and the other Inspection officer. [2.3.8.] Taking into account the above, the inspection of May 20, 2023 concluded that, contrary to the Aqua Park and For the information provided by AQUAPHOTO, data subjects are not actually informed verbally about Liv They are not offered the opportunity to receive data processing in the water park premises in the form of photography a green or red colored wristband to indicate their choice of how to take the photo also, contrary to the information provided by AQUAPHOTO, the Inspection official had the opportunity to purchase a photo showing not only her, but also other visitors to Livu Aquapark (in the specific case – the other Inspection official). Also, in the inspection of May 20, 2023, it was concluded that the cash register located at the Livu Aquapark the informational poster and the photo services placed at the AQUAPHOTO service stand personal data processing rules, do not provide the visitors of Livua Aquapark a true, easy accessible, transparent and understandable information about the processing of data in the form of photography, successively denying they have the opportunity to express unequivocal consent or refusal before visiting Livu Aquapark for taking photos. [2.4.] Evaluating the information obtained in the inspection of May 20, 2023 in the context of the inspection case no. [...] materials, the Report concludes that AQUAPHOTO's commercial activities - within the framework of the provision of photography services, performed by Livua Aquaparks visitor-natural person 4 (data subject's) personal data - photo processing - acquisition, storage, transfer, in violation basic principles of processing, including conditions for consent, in compliance with Article 5, 1 of the Data Regulation. point (a), Article 6, paragraph 1 and Article 7, and the rights of data subjects under the Data paragraph 1 of Article 12 of the regulation - i.e. without providing data subjects with real rights from the outset and agree or object to the processing of your data at any time, thus not providing adequate personal data the legal basis for the processing of personal data, and not providing the data during the acquisition of personal data fulfillment of the obligation of clear, understandable and accurate information regarding data processing, which indicates a real possibility that the administrative violation for which the administrative offense is intended has occurred responsibility in Article 83(5)(a) and (b) of the Data Regulation. [2.5.] The case materials contain the Official's decision of August 4, 2023 no. [..] about the initiation of the administrative violation process and the extension of the deadline for consideration of the case (hereinafter - decision of 4 August 2023). On August 7, 2023, the decision of August 4, 2023 with a cover letter notified to AQUAPHOTO by registered mail to its registered address. [2.6.] In the case materials, there is the letter of the Inspection dated August 8, 2023 no. [..] "About submission of explanations and request for information", as well as in connection with the mentioned letter Explanations of the authorized representative of AQUAPHOTO [..] (hereinafter - the Representative) dated October 6, 2023 (hereinafter – Explanations). [2.7.] The case materials contain AQUAPHOTO Representative's November 28, 2023 submission "opinion on the legality of the proposed administrative violation case, information request and request to postpone the examination of the administrative violation case" (hereinafter - Submission) and Inspection letter of December 4, 2023 no. [..] "On giving an answer". [2.8.] During the consideration of the case, the representative of AQUAPHOTO repeated what was already presented explanations, additionally certifying that the consent of the data subjects to the processing of personal data (photo for reception) is obtained both by bracelets and by conclusive actions. Data subjects are informed with an informative poster at the Aquapark cash desks and the AQUAPHOTO stand, with the information provided on the Website, as well as through Livu Akvapark's cashiers, who provide information and factual information handing out wristbands. Likewise, the AQUAPHOTO representative stated that he could not submit additional explanations, because he has not received the response of the Inspection to the arguments expressed in the Submission. In the opinion of the representative, the Check is logically incomprehensible and was carried out without complying with the Data Law 15 and Article 16 requirements. The representative stated that the case should be closed because the evidence was not conducted against the law were not obtained by legal means and the only evidence provided by AQUAPHOTO can be recognized in the Case explanations, as well as the information provided by AQUAPHOTO during the April 6, 2023 face-to-face inspection. Regarding the Official's request to explain how AQUAPHOTO's cooperation with Livu Aquapark employees in informing data subjects and issuing wristbands, AQUAPHOTO The representative informed that cooperation is taking place, but exactly how it is happening, in which document this form of cooperation, including employee liability is covered, etc., the representative could not explain. [2.9.] In the decision, the Official concluded that: [2.9.1.] The circumstances found in the case clearly prove that AQUAPHOTO's Explanations and the information given in the oral explanations about obtaining the consent of the data subjects when issuing a wristband of the corresponding color is not implemented in practice. Namely, according to what was found in the Inspection, the data wristbands and Livu Aquapark cash registers are not issued to subjects before visiting Livu Aquapark employees do not inform data subjects about the processing of personal data in the form of photography. Sequentially from the data the subjects do not receive consent in accordance with the requirements of the Data Regulation. This is confirmed even more the fact that none of the visitors to Livu Aquapark had green paint on their hands during the inspection a bracelet. Taking into account the above, the Official concludes that AQUAPHOTO both in person on April 6, 2023 during the inspection, as well as later when providing explanations in the Case, has given false information to the Inspection information about the actual circumstances in the order of issuing bracelets and informing data subjects. 5 Although AQUAPHOTO explained that the Aquapark cashier can make a mistake in the ratio to the execution of informing and handing out bracelets, and there is no reason to draw a conclusion from one case, that the visitors are not informed, the Official concluded that two Inspections participated in the Inspection officials and according to the information provided in the reports, in both cases the officials did not verbal information about the planned processing of personal data in the form of photography was provided, and was not offered the opportunity to express consent or denial by receiving a wristband of the corresponding color. That way The official concluded that by not issuing bracelets to the visitors of Livua Aquapark, AQUAPHOTO does not provide data subjects with the right to initially and at any time agree or object to their personal data for data processing, consecutively AQUAPHOTO cannot demonstrably demonstrate that the data subject has given his consent for the processing of personal data and that a valid consent and the requirements of the Data Regulation have been received from the data subject appropriate consent. In addition, during the entire investigation, including the case review, the Inspection after for several requests, cooperation documents between AQUAPHOTO and Aquapark were not submitted, which thus calls into question the existing cooperation between the parties regarding the duty of Aquapark employees to issue wristbands and inform data subjects, as well as indicating that such cooperation is not prohibited in the company's internal regulations and the employees are not informed about it. [2.9.2.] Regarding obtaining consent by conclusive actions, Officer pointed out that the Data Regulation does not provide for such a form of consent. In addition, if the processing is based on consent, the manager must be able to demonstrably prove that the data subject has unequivocally consented to his personal data for processing which, in the opinion of the Official, cannot be implemented with conclusive actions. Namely, in conclusion actions can give the photographer a false impression of a photo of conscious statements of will for admission, as a result of which the data subject's personal data would be processed without the requirements of the Data Regulation receiving appropriate consent. Taking into account the above, the Official concluded that in the specific case with conclusive actions consent received cannot be recognized as complying with the requirements of the Data Regulation, including the conditions of Article 7 the consent of the data subject and cannot be used as a legal basis for the person carried out by AQUAPHOTO for data processing. Even more so if AQUAPHOTO has implemented a special data subject's consent procedure, by handing them a wristband of the relevant color, then it can be assumed that the visitors of Livu Aqua Park there is either a green or red bracelet on the arm and consent to the performance of other, additional actions for receiving, is not required. [2.9.3.] In view of the above, the Official concludes that AQUAPHOTO carried out and continues to carry out Liv Processing of personal data of water park visitors – natural persons (data subjects) (obtaining photos, storage), based on a legal basis that does not meet the requirements of the Data Regulation for valid consent acquisition. Namely, AQUAPHOTO carried out and continues to carry out the mentioned personal data processing in violation basic principles of processing, including conditions for consent, in accordance with Article 5, 1 of the Data Regulation. (a), Article 6(1) and Article 7. In compliance with the above, AQUAPHOTO has committed an administrative violation for Data in Article 83, paragraph 5, letter a) of the regulation. [2.9.4.] Regarding the processing (transfer) of personal data carried out by AQUAPHOTO, the Official concluded that the processing of said personal data is carried out on the basis of Article 9, Paragraph 2 of the Data Regulation Subparagraph a) – the explicit consent of the data subject, which, in the opinion of the Official, is appropriate the legal basis for performing biometric data identification of the data subject. Failure to provide consent in this case, the processing of personal data is based on Article 6, paragraph 1, subparagraph b) of the Data Regulation (ie manual selection of images by visual identification of the customer) to conclude a transaction for the purchase of photos. AQUAPHOTO's presentation, printing or sending of selected photos to the e-mail specified by the customer postal address and the sales person at the AQUAPHOTO stand, the legal basis is the Data Regulation Article 6, paragraph 1, subparagraph b) - conclusion of the transaction. Regarding the above, Officer no violations were found. 6 [2.9.5.] Regarding informing data subjects, AQUAOHOTO explained that data information about the processing of natural persons' data available to subjects is easily available both on the Website and at the cash desks of Līvu Aquapark and at the AQUAPHOTO stand, thus AQUAPHOTO has complied with the Data information and transparency requirements set out in the regulation. The official stated that according to Data the transparency of regulations is inextricably linked to the principle of honesty as well as the principle of accountability. It follows from Article 5, Clause 2 of the Data Regulation that the controller must always be able to demonstrably demonstrate that persons the data is processed in a transparent manner with respect to the data subject. Accountabilities in connection with it the principle requires transparency of processing operations so that data controllers can demonstrate their compliance of obligations with the Data Regulation. The elements of the principle of transparency are not only that information about processing of personal data must be visible and easily accessible, but it must also be concise and understandable and using clear and simple language. Namely, the fact that the data subject has access to information about processing of personal data does not in itself mean that the principle of transparency has been observed and so elements. The official concluded that the informational poster placed at the Aquapark cash desks contained the following information: "Don't be afraid of an AQUAPHOTO photographer. You don't want to have a concert bracelet in red immortalized. Concert bracelet in green color, many beautiful photos". Although the small poster contains information in three different languages (Latvian, Russian and English), it is not provided in a way understandable to the data subjects, in clear and simple language. Namely, the data subject is not informed about what "concert processes" are is their meaning, applicability and order of receipt, as well as other issues related to The consent control measure implemented by AQUAPHOTO. In addition, according to the Inspection established, such information is not provided to data subjects verbally before Livu Aquapark ticket purchases. Also, the Officer concluded that the information provided to the data subjects about the bracelet the pick-up point is misleading, that is, in the Aquapark Website, subsection 1.9 of the Visitor Regulations it is indicated that [..] if the Visitor does not want to be photographed, he should contact the employees of SIA "Aquaphoto". take the mark of distinction. On the other hand, in the regulations placed at the AQUAPHOTO stand "Photo service and personal data processing rules" states that "Consent to take photos is confirmed by a green wristband, the ban on photography is confirmed by a red wristband, which is issued At the cash desk of the water park or you can get it from the photographer in the amusement area". Taking into account the above, AQUAPHOTO has provided the data subjects with information about the person's actions data processing, but has not taken appropriate measures to fully implement the rights of data subjects in accordance with the requirements of Article 12, paragraph 1 of the Data Regulation - i.e. has not provided data subjects with clear, fulfillment of the duty of clear and accurate information regarding data processing. That way AQUAPHOTO has processed personal data without complying with Article 5, paragraph 1 a) of the Data Regulation the requirements specified in sub-section, paragraph 2 and paragraph 1 of Article 12, without ensuring transparency and compliance with the principle of accountability in the processing of personal data of natural persons (customers). Sequentially AQUAPHOTO has committed an administrative violation provided for in Article 835 of the Data Regulation. point in subparagraph b). [2.9.6.] With regard to the opinion expressed by AQUAPHOTO in the Submission and Case review, that The inspection official did not follow the procedural rules while performing the inspection in Livu Aquapark with regard to conducting the inspection, so the facts and other information specified in the Report cannot be used as evidence in accordance with the second and third parts of Article 93 of the AAL, the Officer states the following. The reasoning expressed by AQUAPHOTO is basically based on the consideration that Article 15 of the Data Law determines the procedure for conducting checks, including providing for the obligation before the place of data processing visits, inform the manager about the purpose, time and place of the planned visit, ask the manager to provide the presence of the authorized representative, as well as to inform the manager about his rights. AQUAPHOTO also states that in accordance with Article 16 of the Data Law, the progress of the examination must be recorded in the protocol of the procedural activity, which May 20, 2023 was not drawn up. Based on the above, AQUAPHOTO made a conclusion, that any verification should take place in cooperation with the data controller. 7 The official considers such an interpretation of legal norms to be unfounded. In Article 15 of the Data Law the included norms on conducting the inspection and informing the supervisor apply to cases when the inspection is carried out by using the administrative power granted to it in the regulatory acts (coercive mechanisms), and the manager's obligation to obey the orders of the Inspectorate. The mentioned norm refers to trespassing on private property as well as access to non-public systems and documents access. At the same time, the first part of Article 15 of the Data Law contains the right of the Inspectorate to obtain information using all legal methods. Undoubtedly, it can also be considered as such a method visiting public places and performing such activities, which can be performed by any natural person. In the specific case, the Inspectorate obtained the information without using public authority, but by conducting and capturing actions that any natural person could perform. Therefore, in Article 15 of the Data Law the mentioned requirements do not apply to this type of information acquisition, consequently the official had no obligation to inform the manager about his rights, as well as to draw up a procedural protocol according to the Data to that specified in Article 16 of the law. If AQUAPHOTO's statement was considered justified, it would prevent the Inspection from performing at all any actions without cooperation with the manager, such as viewing websites, would be publicly posted the locations of the video cameras to find out their angles and to perform any other actions. In all in the mentioned cases, the Inspection official obtains information without using state power, but recording his observations in a report, as was the case here. In view of the above, the news that officials obtained as part of the Inspection, may be used as evidence in the Case. [2.9.7.] Regarding the fact that the Inspection official performed the Inspection in the presence of another to a woman who may not be an employee of the Inspection and to whom information about the Inspections has been disclosed execution, the Inspection indicates that the Inspection was carried out by two Inspection officials, which is confirmed The reports of the two officials attached to the report. Hence, the information on conducting the Test has not been disclosed to third parties. [2.9.8.] Regarding the opinion expressed by AQUAPHOTO, it is objectively not clear in what way The inspection was able to complete the inspection against AQUAPHOTO, announcing that no violations were found, but later to send a decision on the initiation of an administrative violation case, the official stated that The inspection case was initiated regarding the biometric data processing carried out in Livu Aquapark, in connection with the established the use of the technical tool and the transfer of personal data outside the European Union. Test cases within the scope of the Inspection did not find any Data Regulations in the biometric data processing performed by AQUAPHOTO violations, sequentially the examination case in the part on the processing of biometric data was terminated. On the other hand, in order to make sure that the additional information obtained within the scope of the examination file corresponds to the actual circumstances (Livu Aqua Park employees inform data subjects about personal data processing in the form of photography and issue green and red color wristbands), The inspection case was continued, by performing an in-person inspection. The information obtained during the inspection showed that it was administrative committing a violation, therefore, in the Report, a proposal was made to complete the Inspection case for biometric data processing and start the process of administrative violation. [2.9.9.] During the consideration of the case, the representative of AQUAPHOTO stated that the case is not objectively understandable, moreover, AQUAPHOTO cannot submit additional explanations, as it has not received a response to the Submission. The official states that in response to the Submission, the Inspection in the letter of December 4, 2023 3 informed AQUAPHOTO that the circumstances presented in the Submission and the requests expressed do not affect it and does not interfere with the consideration of the Case on its merits, therefore, the date of the Case consideration will not be postponed and the information requested in the Submission will be provided in accordance with the Freedom of Information Act established procedures and deadlines. In view of the above, the Official concluded that the Case did not exist during consideration and also before that circumstances that would make it difficult for AQUAPHOTO to provide additional explanations in the Case. In addition 2 Inspection official[..]2023. for the report of 1 June[..and [..[..] 3Inspection's letter of December 4, 2023 no. [..] 8 AQUAPHOTO had at its disposal all Case materials and information about the nature of the violation. Also, the Official concluded that AQUAPHOTO is guilty of Article 83, Clause 5 a) and in the commission of an administrative violation provided for in subsection b) is proven by the Report and so attachments and other case materials. [2.9.10.] The official, taking into account the reasoning mentioned in the Decision, concluded that the Data Regulation in the sense of Article 83, Clause 5 of the Data Regulation, violations are considered material violations, as well as the circumstances found in the Case and the conclusions made by the Official, The official, using the determination of the amount of the administrative fine developed by the Inspectorate mechanism for companies and individuals, recognizes the violation committed by AQUAPHOTO as average severe, determining the sanction provided for in Article 83, paragraph 5, sub-paragraphs a) and b) of the Data Regulation administrative fine EUR 765.36 (seven hundred sixty-five euros and thirty-six cents) amount. At the same time, the Officer taking into account the fact that the personal data processed by AQUAPHOTO (Livu Photos of Aquapark visitors) are used for commercial purposes, namely AQUAPHOTO gains economic benefit from the personal data processing (sale of photos). Also taking into account that that the violation was committed intentionally and not due to negligence, the Officer adjusted the fine by applying a fine of EUR 1000.00 (one thousand euros) as appropriate to deter AQUAPHOTO from for further violations of personal data processing. [2.10.] AQUAPHOTO January 2, 2024 was registered in the inspection on January 3, 2024 complaint about the Decision (hereinafter – Complaint) . The inspection finds that the complaint was submitted under the Administrative Responsibility Law (hereinafter - AAL) within the term specified in the first part of Article 168 and its examination is permissible. [3.] According to AAL172. the first part of the article, the higher official examines complaints in writing in the process within one month from the date of receipt of the complaint. Administrative offense cases the circumstances are clarified by a higher official based on the evidence in the relevant case. At the same time, Article 47 of the AAL stipulates that a higher official in the sense of this law is a person who is authorized to commit an administrative offense in accordance with the competence defined in the regulatory enactments control of the legality and reasonableness of the decision taken in the case. Taking into account the above, the Director of the Inspection, as a higher official, examines the Case again essence in connection with the circumstances indicated in the Complaint. On obtaining consent through conclusive actions [4.] The complaint states that, in the opinion of AQUAPHOTO, the consideration given by the Inspectorate that Datu the regulation does not provide for obtaining consent with conclusive actions is completely unjustified and contradictory with the positions of the European Data Protection Board based on the following arguments: [4.1.] The Data Regulation stipulates that the data subject's consent must be unambiguous if the relevant data is ordinary personal data that is not sensitive (Article 6 of the Data Regulation states that consent is required and Article 4 defines that consent must be unequivocal), but unambiguous if the relevant data is sensitive personal data (i.e. refers to any of the sensitive data listed in Article 9, paragraph 1 of the Data Regulation categories). Consent, whether implied or not, must be given by notice or express affirmative action and must express consent to the processing of personal data in accordance with Article 4 of the Data Regulation Clause 11. This is complemented by Recital 32 of the Data Regulation, which states that consent "should be given with a clear affirmative action ... such as by written notice, including by electronic means, or verbal statement". The manner in which consent must be given by data subjects remains "unambiguous" regarding the processing of all types of personal data, specifying that this requires "clear affirmative activity" and that consent must be "unambiguous" for sensitive data." The director of the inspection, regarding the mentioned argument, states that Article 4 of the Data Regulation Clause 11 states that the data subject's consent is any freely given, specific, informed and 9 unequivocal reference to the wishes of the data subject, with which he is notified or clearly affirmative gives consent to the processing of his/her personal data in the form of action. At the same time, in recital 32 of the Data Regulation it is explained that consent should be given by an express affirmative act, which means freely given, a specific, deliberate and unambiguous indication of the data subject's consent to the personal data related to him for processing, for example by written, including electronic, or oral notification. This could include marking a field with a tick on an Internet website, an information society service the choice of technical settings or other statements or actions that in this case clearly indicate that the data the subject agrees to the proposed processing of his personal data. Silence, previously marked fields or abstention from action should not therefore be considered as consent. Taking into account the above, it can be concluded that the mentioned regulation of the Data Regulation does not define clear data the subject's form of giving consent, but determines the requirements for receiving valid consent. At the same time, it can be concluded that AQUAPHOTO reasonably stated that according to the consent of the data subject the said legal justification must be unambiguously provided in the specific case. [4.2.] AQUAPHOTO points out that the Data Regulation clearly states that even unambiguous consent must be given by affirmative action, but this does not mean that consent is not possible by implication for actions. Moreover, it is affirmative action and unequivocal consent that is sufficient to would meet the consent requirements for both ordinary personal data and sensitive personal data processing. In the specific situation, AQUAPHOTO, when taking photographs in the premises of Livu Akvaparks, processes ordinary personal data that requires unequivocal consent to be received by means of another statement or action which, in this context, clearly indicates that the data subject consents for the proposed processing of his personal data. The main point is that all consent must be an active activity, t. i.e., a positive action or indication indicating a person's willingness to consent to a specific processing operation – for taking photos. AQUAPHOTO photographers, when taking photos, do not perform the relevant actions on the basis to inactivity, silence or otherwise arbitrary photography of theme park visitors. Photography with implied consent is only done if active action is received from on the part of the visitor, such as inviting a photographer to take a photo, obvious posing in front of the camera, the visitor smiling and looking at the photographer, before the visit express consent, as well as other obvious actions from which it can be inferred that there is visitor's willingness to take photos. Accordingly, in all these cases there are clear actions that the person consciously and actively chose to consent to the taking of photographs that would comply with the Data Regulation to that specified for another statement or action that clearly indicates in this context that the data subject agrees for the proposed processing of his personal data. In addition, there are clearly defined when taking pictures actions so that the photographer does not misunderstand the consent given when the person does not want to be photographed photography, first of all, it is in cases where the visitor does not take an active action to address the photographer for taking a photo, secondly, with the photographer paying attention to the water park visitor, the visitor does not pay attention to the photographer and does not take active actions to take photos, thirdly, the visitor indicates by gestures that he does not want to be photographed. Regarding this argument, the Director of the Inspection states that the requirements are valid consents in addition to the Data Regulation, are explained in the Guidelines of the European Data Protection Board No. 05/2020 on consent in accordance with Regulation 2016/679 (Adopted on May 4, 2020) (hereinafter - Guidelines). Regarding the fact that the consent must have an unambiguous indication of the data subject wishes Clause 75 of the Guidelines explains that the Data Regulation clearly states that consent must requires a statement or clear affirmative action by the data subject, which means that it always to be provided in an active form or by means of a declaration. On the other hand, point 75 of the Guidelines explains that an explicit affirmative action means that the data subject has knowingly consented to a particular processing. Consent can also be obtained through written or (recorded) oral confirmation, including 10 electronic means. In addition to the above, paragraph 84 explains that Managers should develop consent mechanisms in a way that is understandable to data subjects. Managers should avoid ambiguity and must ensure that the acts by which consent is given can be distinguished from others for actions. The director of the inspection finds that the evidence in the case is at the Livu Akvaparks cash desks posted information, information posted at the AQUAPHOTO stand, information available on the website and 1.9 of the Aquapark visitor rules. subsection indicates that visitors to Livu Aquaparks consent to photography is confirmed by a bracelet of the corresponding color. How consent is obtained, e.g. gesturing to oneself and then posing, smiling, is not specified in the mentioned materials. At the same time, it can be concluded that the materials of the Case do not confirm that AQUAPHOTO was developed by Liva as well A clear consent mechanism has been publicly announced to the visitors of the water park in cases where the data subject's consent is obtained by conclusive actions before the processing is carried out. Thereby, The director of the inspection is critical of the fact that such a mechanism has been created and is being implemented in real life. It should also be noted that in accordance with Article 7, Clause 1 of the Data Regulation, AQUAPHOTO as the controller it is necessary to be able to demonstrably demonstrate that the data subject has consented to the processing of his personal data, if the processing based on consent. If photography is done based on conclusive actions, which is not rare can be so misunderstood or ambiguous, for example, a person looks at a person behind photographer, or a person goes down the tube and looks at their family member, it does not mean that the photographer clear affirmative action is provided. Considering that photographers do not only photograph persons who pose themselves, but take photos when the person is swimming in the pool, in the jacuzzi or taking part in any of for attractions, i.e. performs processing in real life situations where a person may not notice the photographer at all, obtaining consent through conclusive actions is not possible in these situations. It is doubtful that a person can consciously and with an active action give consent to photography, if in the specific situations she may also be unaware that she is being photographed. Just because a person sees a photographer doesn't mean they do active action and action to give your consent. Namely, the concluded actions can be created for the photographer a false impression of the expression of a conscious will to take photos, as a result of which the data subject processing of personal data would be carried out without obtaining consent in accordance with the requirements of the Data Regulation. Therefore, the Director of the Inspection recognizes as justified the conclusion contained in the Decision, that in the specific in the event that consent received through conclusive actions is not recognized as a requirement of the Data Regulation, including the conditions of Article 7, appropriate consent of the data subject and cannot be used as legal basis for personal data processing by AQUAPHOTO. Even more so if AQUAPHOTO has introduced a special procedure for obtaining the data subject's consent by issuing them a wristband of the relevant color, then it is assumed that the visitors of Livu Aquapark have either a green or a red bracelet on their arm and performing other, additional actions for obtaining consent is not necessary. The fact that it is various forms of consent have been introduced - both bracelets and conclusive actions, one might rather point out to the fact that one developed mechanism does not work in practice and other ways to ensure are sought legal basis for data processing. On the admissibility of the examination of May 20, 2023 as evidence [5.] The complaint states that AQUAPHOTO believes that the Inspection can implement any actions, which are aimed at checking the compliance of processing only based on the provisions of Chapter IV of the Data Law procedures for the implementation of inspections. [5.1.] At the discretion of AQUAPHOTO, the Inspection can carry out an on-site inspection only based on The requirements of the second to fourth parts of Article 15 of the Data Law, as well as Article 16 of the Data Law. AQUAPHOTO indicates that regarding the inspection carried out by the Inspection officials, AQUAPHOTO: a) has not received information about the planned visit of the Inspection officials, contrary to the way it was carried out in the previous inspection - on April 6, 2023; b) in the test no representative of AQUAPHOTO participated, because for this inspection Inspection AQUAPHOTO 11 did not inform; c) as part of the inspection, AQUAPHOTO has not been warned of its rights; d) after the protocol of the procedural activity of the inspection on May 20, 2023 has not been drawn up. Regarding the mentioned argument, the Director of the Inspection finds that from the case materials and from the information mentioned in sub-sections [2.2] and [2.3] of this decision, it follows that two Inspections officials, taking into account the fact that the inspection file contained contradictory information about Liva in the Aquapark implemented personal data processing in the form of photography, on May 20, 2023 in Livu Aquapark as female visitors did the inspection. From the point of view of the Director of Inspection, a face-to-face inspection based on Data the procedures for the implementation of the inspections specified in Chapter IV of the law, can be implemented in those cases, if it is necessary to use the powers of public authority to enter or obtain premises not accessible to the public publicly unavailable documents or data from management information systems. On the other hand, in cases when it is necessary to check the controller's processing of data from the data subject and ordinary consumers point of view, without using a privileged position, Inspection officials can carry out the following inspections, not complying with the procedures for the implementation of inspections specified in Chapter IV of the Data Law. In this case Inspections officials visited a public area open to any paying person for the specified service, thereby also verifying how the data processing is practically implemented. Such actions could be performed by any person to find out how the manager implements the processing of personal data and for that no special regulatory regulation is required. [5.2.] AQUAPHOTO draws attention to the fact that the annotation of the Data Law states: "In doing tests, they can be of different nature. Planned inspections, unplanned inspections and entry into premises, without notifying the manager (entry and forcible search)." In addition, the annotation states: “Planned checks are carried out by the controller or other legal entities (possible controller or processor) in the presence of an authorized responsible person or, if one is appointed, in the presence of a data protection specialist. The inspection agrees in advance with the time of the visit of the legal or natural person and those present persons. During the inspection, the legal or natural person can also invite legal, financial or IT consultant or lawyer. Cases should be distinguished when the Inspection establishes a fact (for example location of the video camera) or wants to get an explanation from the relevant legal or Natural persons. If the Inspection needs to establish a fact, it should be done by an authorized representative presence, on the other hand, if it is necessary to obtain information, documents and explanations from the legal department persons, it must be done in the presence of an authorized representative or a data protection specialist. By doing unplanned inspection or forced entry into the premises, the Inspection does not warn of its arrival, but it has a judge's permission must be obtained." Accordingly, according to the annotation of the Data Law, the Inspectorate has the right to perform unscheduled inspection only with the permission of the judge. The Data Act does not specify procedures or exceptions this requirement, in addition, this requirement applies to all unplanned inspections performed by the Inspectorate. In addition, according to the annotation of the draft law, the concepts of "unplanned inspection" and "forced entering the premises", therefore, in the case of an unplanned inspection, are not covered by the Inspection Decision the mentioned cases that the teenager's permission is required only in cases where public authority is exercised implementation, but also for unplanned inspections as such. Regarding the mentioned argument, the Director of the Inspection states that AQUAPHOTO is unfounded refers to the information contained in the annotation of the draft law "Personal Data Processing Law". to the tests. The aforementioned draft law was clarified in the Saeima by deleting from it the regulation on Inspection officials, based on the judge's decision, have the right to be in the presence of the police without prior warning to enter the property, possession or use of the controller or processor in uninhabitable premises, apartments, buildings and other immovable objects, opening them and those in them storage facilities, to perform a forced search of these facilities and the storage facilities in them and in the mentioned facilities and belongings and documents in storage facilities (including in the electronic information system - computers, on diskettes and other information media - viewing of messages (data) stored. Argument referred to AQUAPHOTO, refers to the drafting of the law, which was not adopted, so it cannot be considered as justified and in accordance with the current regulatory framework. Namely, currently Data Law 12 does not regulate the issue of various types of tests and obtaining the judge's permission for certain ones at all types of testing. In addition, the regulation described in the annotation referred to entry by the manager in real estate, which is not a publicly accessible space, and where other private persons have access limited. On the other hand, Livu Aquapark is a place where any resident can enter and be without restrictions. Similarly, in the digital environment, Livu Aquapark has a website that can be visited any internet user, including an Inspection official. The inspection does not require the manager's permission and there is no need to inform the administrator that the Inspection Officer will visit the administrator's website. [5.3.] In AQUAPHOTO's opinion, it does not matter that the premises of Livu Aquaparks are publicly available, because, even if these premises are available to Livu Aquaparks visitors for the purposes of their commercial activities, they are not public spaces, as would be the case with a public park, street or other public space, with it, the Inspection would also need to comply with the procedures established by the Data Law. Regarding this argument, the Director of the Inspection states that the second part of Article 110 of the AAL stipulates, that areas or premises not accessible to the public (that is, places where you cannot enter or stay without consent of the owner, possessor or holder) and inspection of the belongings in them can be done with the owner consent of the (owner, keeper) or the decision of the judge of the district (city) court, adopted on the basis of to the official's application and the attached materials. Hence, AAL is explained the question of what is considered a non-public space that requires viewing judge's decision. In the view of the inspection, the premises of Livu Aquaparks, which are available to visitors, does not correspond to the given explanation and a judge's decision is not necessary for the inspection of such premises. [5.4.] AQUAPHOTO believes that in the specific situation, the Inspection, using fraud, without coordinating actions with the court and using their powers as Inspection officials, undertook for natural persons and arrived at AQUAPHOTO's business premises, where he conducted a covert operation investigation and asked questions of AQUAPHOTO employees using a deception which is in nature shall be considered a check in accordance with the provisions of the Data Law. An ordinary water park the visitor receiving AQUAPHOTO services would not mislead about the persons with whom visited the amusement park, as well as in other ways would not engage in misleading activities, as performed by the Inspections officials. In the opinion of the Director of the Inspection, AQUAPHOTO's argument that the Inspections officials have fraudulently carried out the specific inspection using their authority. Said statement does not contain information on exactly how the officials used their powers. In addition, officials who carried out this inspection, did not initiate administrative infringement proceedings against AQUAPHOTO. Regarding the fact that officials deliberately misled AQUAPHOTO employees about to the persons with whom he visited the Livu Aquaparks premises, it is indicated that none of the documents in the Case adult visitors to Livu Aquaparks are not obliged to inform AQUAPHOTO about for persons with whom Livu Aquaparks premises are visited. The official AQUAPHOTO employee had provided the information that she was alone, therefore based on the mentioned information and above The information provided by AQUAPHOTO representatives, recorded in the procedural actions of April 6, 2023 protocol no. [..] 7. in point 7: "The photos taken in Jakadana show other water theme park visitors, including with a red wristband, then such photos are immediately deleted and does not go to the photo processing server for selection", a photo with multiple people at all could not be sold to an official. Taking into account the arguments contained in paragraph [5] of this decision, as well as in paragraph [2.9.6] of this decision Based on the arguments given by the official, the Director of the Inspection concludes that the Inspection official The test performed on May 20, 2023 may be used as evidence in the Case. Evaluating the circumstances of the Case, the evidence provided by AQUAPHOTO, the Decision and the Complaint, The director of the inspection concludes that the inspection officer has justified AQUAPHOTO in the decision Article 835 of the Data Regulation. 13 of the administrative offense provided for in sub-paragraphs a) and b). making, applying an administrative fine of AQUAPHOTO EUR 1000.00 (one thousand euros, 00 cents). Taking into account the above and in accordance with Article 132, Article 168 of the Law on Administrative Responsibility first part, Article 172 and Article 173, first part, paragraph 1, Director of Inspection decided leave the decision of December 15, 2023 no. [..] "On the application of punishment" would not change, but to reject the complaint of limited liability company "AQUAPHOTO". The fine shall be paid in full no later than one month from the date of entry into force of this decision the day of entry into any banking institution or after the deadline for voluntary execution of the fine end of this decision in accordance with Articles 262 and 269 of the Law on Administrative Responsibility will be immediately handed over to a sworn bailiff for enforcement. Details for paying a fine: Beneficiary: State Treasury Registration No.: 90000050138 Account no.: LV69TREL1060191019200 Beneficiary BIC code: TRELLV22 Notes: Indicate the number of this decision. The fine applied in the process of the administrative violation will be reimbursed procedural costs and damages to natural resources can be paid on the portal www.latvija.lv, using the e-service Administrative fines check and payment. Please note that, in accordance with Article 568 of the Civil Procedure Law, voluntary execution of the decision after the enforcement document is submitted for enforcement, I will not be released from the obligation to compensate execution costs to the bailiff. At the same time, we inform you that the limited liability company "AQUAPHOTO", respecting The Inspectorate has the right to request the first, second and third part of Article 266 of the Law on Administrative Responsibility postpone the execution of the fine for a period of up to one month or divide the fine into parts, if any objective circumstances due to which the full amount of the fine is not possible within the term of voluntary execution execute the sentence decision. According to Article 184 of the Law on Administrative Responsibility. the first part of the article and the first and third articles of Article 186 part of these decisions can be appealed by limited liability company "AQUAPHOTO" within 10 working days from the day when the decision in the case of an administrative offense was announced in the district (city) court following a complaint address of residence declared by the applicant when submitting a complaint to the Data State Inspectorate (Elijas Street 17, Riga, LV-1050), curator's working day after the end of the deadline for submitting a complaint, complaints and matters materials are sent to the district (city) court after jurisdiction. Director J. Macuka [..]