DVI (Latvia) - SIA "TET": Difference between revisions
From GDPRhub
m (→Holding) |
|||
| Line 85: | Line 85: | ||
Although the decision focuses mainly on re-assessing the final amount of the administrative fine, the DPA briefly recalled the material violations. The Latvian DPA noted that the controller had made a mistake in not ensuring the accuracy of personal data before sending it to debt recovery services for the purpose of assessing the data subject's solvency prior to formation of a service contract. The service was provided and connected without an identity check nor the data subject's confirmation of the contract. This resulted in the personal data of a minor being transferred to a debt recovery service. The DPA found that the transfer of unverified personal data violated [[Article 5 GDPR|Article 5(1)(a)]] and [[Article 5 GDPR|(d) GDPR]]. | Although the decision focuses mainly on re-assessing the final amount of the administrative fine, the DPA briefly recalled the material violations. The Latvian DPA noted that the controller had made a mistake in not ensuring the accuracy of personal data before sending it to debt recovery services for the purpose of assessing the data subject's solvency prior to formation of a service contract. The service was provided and connected without an identity check nor the data subject's confirmation of the contract. This resulted in the personal data of a minor being transferred to a debt recovery service. The DPA found that the transfer of unverified personal data violated [[Article 5 GDPR|Article 5(1)(a)]] and [[Article 5 GDPR|(d) GDPR]]. | ||
Additionally, by posting documents | Additionally, by posting documents containing unverified and innacurate personal data in the controller's internal customer self-service system under the respective user account, the controller disclosed the personal data of the data subject (name, surname, date of birth and home address) to third parties. This violated [[Article 5 GDPR|Article 5(1)(a)]] and [[Article 5 GDPR|(f) GDPR]]. | ||
The controller also compared the personal data of old (including former customers) and new customers available in its database in violation of [[Article 5 GDPR|Article 5(1)(a), (b), (d) and (e) GDPR.]] Furthermore, there was no legal basis for these processing operations under [[Article 6 GDPR#1|Article 6(1) GDPR]]. | The controller also compared the personal data of old (including former customers) and new customers available in its database in violation of [[Article 5 GDPR|Article 5(1)(a), (b), (d) and (e) GDPR.]] Furthermore, there was no legal basis for these processing operations under [[Article 6 GDPR#1|Article 6(1) GDPR]]. | ||
Revision as of 15:43, 2 November 2022
| DVI - Decision of 9 September 2022 | |
|---|---|
 | |
| Authority: | DVI (Latvia) |
| Jurisdiction: | Latvia |
| Relevant Law: | Article 5(1)(a) GDPR Article 5(1)(b) GDPR Article 5(1)(d) GDPR Article 5(1)(e) GDPR Article 5(1)(f) GDPR Article 6(1) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | 09.09.2022 |
| Fine: | 1,200,000 EUR |
| Parties: | Tet |
| National Case Number/Name: | Decision of 9 September 2022 |
| European Case Law Identifier: | n/a |
| Appeal: | Pending appeal |
| Original Language(s): | Latvian |
| Original Source: | DVI (in LV) |
| Initial Contributor: | n/a |
The Latvian DPA fined an internet service provider €1,200,000 for disclosing unverified personal data of customers to debt recovery services against Articles 5(1) and 6(1) GDPR.
English Summary
Facts
Tet (the controller) is an internet service provider which also offers additional services in the telecommunications and entertainment sectors. The Latvian DPA started an ex officio investigation into the controller's data processing practices. Specifically, it looked into the transfers of customers' (data subjects) data to out-of-court debt recovery service providers. The controller claimed that these transfers were carried out for the purpose of, among others, checking the solvency of data subjects when preparing a contract.
In the course of the investigation, the DPA found that the solvency checks with a debt recovery service happened without prior identity checks of the data subjects. In one case, because the controller had not verified the accuracy of the information provided by a customer, personal data of a minor was transferred to the debt recovery service.
On 15 July 2022, the DPA issued the original decision imposing the fine. On 2 August 2022, it received the controller's request for an oral hearing to express that the fine, among others, was disproportionate and not accurate, in addition to the proceedings before the DPA exceeding the time limits and allegedly not allowing the controller to exercise its rights.
Holding
Although the decision focuses mainly on re-assessing the final amount of the administrative fine, the DPA briefly recalled the material violations. The Latvian DPA noted that the controller had made a mistake in not ensuring the accuracy of personal data before sending it to debt recovery services for the purpose of assessing the data subject's solvency prior to formation of a service contract. The service was provided and connected without an identity check nor the data subject's confirmation of the contract. This resulted in the personal data of a minor being transferred to a debt recovery service. The DPA found that the transfer of unverified personal data violated Article 5(1)(a) and (d) GDPR.
Additionally, by posting documents containing unverified and innacurate personal data in the controller's internal customer self-service system under the respective user account, the controller disclosed the personal data of the data subject (name, surname, date of birth and home address) to third parties. This violated Article 5(1)(a) and (f) GDPR.
The controller also compared the personal data of old (including former customers) and new customers available in its database in violation of Article 5(1)(a), (b), (d) and (e) GDPR. Furthermore, there was no legal basis for these processing operations under Article 6(1) GDPR.
The DPA took into account the objections raised by the controller during the oral hearing. Regarding the argument that the administrative violation process had been disproportionately long, the DPA stated that although the investigation and review procedure, indeed, extended the statutory time limits, such a procedural violation could not alter the final decision. Considering the argument that the severity of the infringement had been wrongly assessed, the DPA replied that, in light of Article 83 GDPR and the controller's yearly turnover, the fine was proportionate to the repeatedly found inconsistencies and violations in the discussed processing operations.
The DPA imposed a €3,200,000 fine on the controller, which was reduced to €1,200,000 considering mitigating circumstances, such as the cooperation of the controller and measures taken to remedy the violations.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Latvian original. Please refer to the Latvian original for more details.
Elijas iela 17, Riga, LV-1050, tel. 67223131, e-mail pasts@dvi.gov.lv, www.dvi.gov.lv
Riga
SIA "Tet"
[..]
In case no. [..]
The decision
In Riga, the date can be seen in the time stamp no. [..]
[1] On July 15, 2022, the State Data Inspectorate (hereinafter - the Inspectorate) adopted a decision
No. [..] On the imposition of a penalty (hereinafter - the decision) in administrative violation case no. [...] (further
– case), recognizing SIA "Tet", registration number 40003052786, legal address: Dzirnavu iela 105,
Riga, LV-1011 (hereinafter - Tet) for being guilty of the General Data Protection Regulation (hereinafter - Data
regulation)83. Article 5 in committing an administrative offense provided for in sub-paragraph a), applying
Tet conditional partial release from fine, i.e. reducing the amount of EUR 3,200,000.00 applied
(three million two hundred thousand euros, 00 cents) in the amount of 50 percent, determining the final fine
1,600,000 (one million six hundred thousand euros, 00 cents). The decision was announced on Tet 2022
July 15 by sending it to Tet's email address.
[2] The decision found the following circumstances and is based on the following considerations:
[2.1.] Inspection officials [..] (hereinafter – official) are included in the case materials
Report No.[..] of January 4, 2022 "On the actions of SIA "Tet"" (hereinafter - the report). In accordance with
stated in the report, the Inspectorate received the State Police of the Vidzeme Region on August 9, 2021
the application sent by the administration's Valmiera precinct [..] dated June 19, 2021 together with the Police
to the materials of departmental inspection regarding the fact that when applying for a contract for electronic communication services
with Tet, the personal data of [..] minor sister, [..] were used. It follows from the Submission that the 2021
On June 16, [..] received a letter from SIA "Creditreform Latvija" (hereinafter - Creditreform) stating that
On June 15, 2021, Tet has submitted an application to Creditreform for out-of-court debt recovery from
[..].
Tet, giving an answer to the Procedures of the Liepāja station of the Kurzeme Region Administration of the State Police
to the police department's request for information No.[..], in the response letter No.[..] of July 22, 2021
explained that on December 17, 2020, the service "Tet +
1
Regulation No. 2016/679 of the European Parliament and the Council of April 27, 2016 on the protection of natural persons in relation to
processing of personal data and free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation)
2 Registered in the inspection with No. [..]. 2
Films and Serials (Shortcut)" in [..] (p.k. [..]) name, but persons with personal code [..] between Tet
customers do not. The contract and its appendix on the Service were not signed by the client, as well
was not electronically approved in the Tet customer self-service system www.manstet.lv (hereinafter - Mans
Tet). Considering that the payment for the services rendered was not made, Tet sent several times
warning letters, but on 15 June 2021 the debt obligations were transferred to Creditreform.
Taking into account the above, the Inspectorate requested additional information from Tet about the personal data provided by Tet
processing, applying and confirming services on the Tet website www.tet.lv and Mans Tet, as well as transferring
customer's debt obligations to debt recovery service providers, and Tet referring to DVI
request, submitted his explanation. 4
[2.2] In the explanation, Tet indicated that the customer has the option on the website https://tet.plus
(hereinafter - Tet+) apply for services by filling out the application in electronic form, indicating in it
information necessary for concluding and executing the contract: name, surname, personal identification number (if new
format personal code, then it is also necessary to specify the date of birth), mobile phone number,
e-mail address and residential address. Tet explained that when filling out the application
the personal code field is checked for syntax by the Citizenship and Migration Office
personal code verification tool prepared by the administration (hereinafter - PMLP). From now on, the application is made
processed and created a contract that is placed in My Tet. The contract can be approved by the customer My Tet,
by authorizing with the internet bank. Thus, the Tet+ postpaid service can be connected by an adult
a person whose identity is verified at the conclusion of the contract, which is possible only after
internet bank authorizations. In the event that incorrect or false data is entered during the application phase,
a contract cannot be created or it cannot be approved because the authorization with the internet bank at
acceptance of the contract shows a sign of error.
Regarding the transfer of customer's personal data to debt recovery service providers, Tet
explained that the debt resulting from the concluded contract is transferred for collection (the contract is approved,
identifying the customer with the internet bank), and that, among other things, it is checked when submitting the debt for collection
solvency status of the person.
After evaluating the information provided by Tet, it was found that in the case mentioned in the Submission, Tet
transferred debts to Creditreform arising from an agreement that was not signed or approved
when authorizing in the internet bank, the client's identification and the correctness of the submitted information were not carried out
verification, which resulted in the transfer of personal data of a minor ([..]) to Creditreform.
[2.3] In view of the above, the Inspection official decided to start an inspection on
service application online. As a result of the inspection, the following was found:
[2.3.1.] On December 9, 2021, an inspection of the Tet+ website was carried out, during which
it was found that the Tet operator made a call not to the phone number indicated in the application, but to
the phone number of the person whose personal code was specified in the application. 6
[2.3.2.] On December 16, 2021, a repeated inspection of the Tet+ website was carried out, which
as a result, it was concluded that Tet used foreign persons whose personal identification number was obtained for the preparation of the contract
specified in the application, data (not the data that was specified in the application itself), without the knowledge of this person and
consent without taking any steps to verify the information provided in the application
correctness and not identifying the client before preparing the contract and the relevant service
providing.
[2.3.3.] On December 22, 2022, a new inspection of the Tet+ website was conducted, during which
it was established that Tet had used the incorrect information specified in the application form for the preparation of the contract
3
4 Inspection letter of October 28, 2021 No.[..] "Regarding information request".
5 Here letter of November 23, 2021 No.[..] (registered in the Inspection with No.[..]).
6 Inspection report of December 14, 2021 No. [..].
7 Inspection report of December 20, 2021 No. [..].
Inspection report of December 27, 2021 No. [..]. 3
personal data without verifying the correctness of the information provided and the customer's identity before the contract
preparation and provision of the relevant service, as the service was applied for using
personal code of a minor.
[2.4] In order to find out the existence or non-existence of an administrative violation, the examination of the case
in the course of the Tet, information was requested several times.
[2.5] An inspection was carried out on June 14, 2022, during which it was established that Tet+ postpaid
application of the service is possible only after verifying the user's identity with the internet bank
authentication.
[2.6] Taking into account the information obtained during the inspection, as well as the explanations provided by Tet
indicated, the Inspection officer found several violations committed by Tet:
1) the customer, when applying for an electronic communication service, is provided with the service and
connected without the customer confirming the contract. Thus, Tet processes the data of persons without identity
has been verified, thus violating Article 5, Clause 1, subparagraphs a) and d) of the Data Regulation;
2) for the person who has not approved the contract, Tet issues an invoice for the provided electronic
for communication services, recording and storing personal data in regulatory accounting
in accordance with the procedures and deadlines specified in regulatory enactments. Thus, Article 5 of the Data Regulation is violated
Clause 1 a) and d), moreover, such data processing takes place without Article 6 Clause 1 of the Data Regulation
the prescribed legal basis;
3) of the customer who has not confirmed the contract in the order specified herein and who has not printed the invoice
payment, personal data was transferred by Tet to an extrajudicial debt collection company. Thus it is
Article 5, Clause 1, subparagraphs a) and d) of the Data Regulation have been violated, moreover, such data processing takes place without
The legal grounds specified in Article 6, Clause 1 of the Data Regulation;
4) by placing the mentioned contracts in the relevant Tet customer self-service system www.manstet.lv
in the user account, Tet discloses (transmits) the data of the owner of the personal code (name, surname, date of birth
and residential address) to third parties who used this person's data. This constitutes a violation
Article 5, Clause 1, subparagraph a) and f) of the Data Regulation;
5) Tet processes (compares) personal data of new customers with customers available in its database (also
for former) data. Thus, Article 5, Clause 1, subparagraph a), b), d) and e) of the Data Regulation are violated.
[3] On August 2, 2022, the Inspectorate received Tet's August 1, 2022 complaint about the decision
(hereinafter - the complaint), asking to consider the case in an oral process, cancel the decision in its entirety and terminate it
administrative violation process. The inspection finds that the complaint was submitted to the Administrative
within the term specified in the first part of Article 168 of the liability law (hereinafter - AAL) and its review is
permissible.
According to the first part of Article 172 of the AAL, a higher official examines the complaint in writing
in the process within one month from the date of receipt of the complaint, while in accordance with the second part of Article 172
a higher official, on his own initiative, can consider the complaint also in an oral process, if he recognizes it as
expedient. Taking into account the request indicated in Tet's complaint to consider the case in oral proceedings and the fact that Covid-
19 the risks of spreading have decreased, the Director of the Inspection considered it possible to examine the case
in the oral process.
The complaint in the oral process was considered on September 1, 2022 and the arguments expressed by Tet are
evaluated, reflected in the subsequent text of the decision in the context of the arguments expressed in the complaint, as well as
taken into account in making this decision.
During the course of the case, Tet provided additional information about the range of services available at Tet
and the separation of the Tet+ service from all services available on Tet. Tet confirmed that until
As of January 13, 2022, when Tet+ service remote application was provided only
using internet bank authentication, the customer could apply for the Tet+ service,
without authenticating and Tet not making sure that the person whose name is given in the application, 4
matches the specified personal code. Also, Tet stated that it did not hand over minors ([..])
personal data to the debt collector Creditreform, taking into account that when applying for the service, the aforementioned
the person had provided the personal code of an adult, therefore Tet had been transferred to Creditreform
information about [...] as an adult. In view of the aforementioned, Tet requests the annulment of the decision in full and
terminate the administrative violation case.
The director of the inspection indicates that the objections contained in Tet's complaint will be evaluated in the following order
they were indicated in the complaint, in connection with what was indicated in the oral explanations, at the same time objections about
questions of a similar nature will be evaluated together.
Procedural violations
[4] The complaint states that the provisions of the law were not followed in the administrative violation process
deadlines for starting a case. Namely, the Inspection on January 7, 2022, 5 months after receiving the news
on August 9, 2021, adopted the decision specified in the first part of Article 117 of the AAL, thus significantly
violating the procedural deadline set by the legislator - three working days or (prolonged news checks
case) one month. Among other things, the Inspectorate responded to the received police reports only in 2021.
on October 28, when Tet sent a request for information.
In the opinion of the director of the inspection, the administrative violation process has been observed in the specific case
the initiation period, as the case was initiated immediately after the Inspection official had obtained
all the necessary information that allowed us to assume that an administrative violation might have occurred.
The director of the inspection explains that when considering complaints about possible personal data processing
violations before initiating administrative violation proceedings or administrative proceedings,
The inspection complies with the provisions of the Data Regulation and the Data Processing Law of Natural Persons (hereinafter - FPDAL).
regulatory framework. Among other things, Article 15 of the FPDAL sets out the procedure for conducting the inspection, providing that
inspection includes all types of actions that the inspectorate performs in order to find out the compliance of data processing with data
the requirements of the regulation and other regulatory acts, including visiting the data processing place, information
acquisition using all legal methods and other necessary actions. Therefore, for the Inspection
until the start of a specific process, there is discretion to take the necessary actions and investigate
the specific case to ascertain the existence of a possible violation.
It should be noted that conducting an inspection before starting an administrative offense case is also
in the manager's interest, because not every inspection results in an administrative violation process. Inspections
as a result of the inspection, an administrative process may be initiated, which concludes with an administrative act, or
according to the "Consult first" principle, informing the administrator about the data processing carried out by him
compliance with the Data Regulation, or no further action will be taken at all. If after
for every received complaint, the Inspectorate should initiate an administrative violation process, it is unjustified
would burden managers by involving them in unnecessary administrative violation processes, because not everyone's data
the subject's complaint is justified and indicates an administrative violation.
As stated in its decision by the Department of Administrative Affairs of the Senate of the Supreme Court, Datu
the provisions of the regulation provide the Inspectorate with the right, in response to violations of personal data processing,
to make any of the decisions contained in the regulations, while leaving it to the supervisory authority
freedom of assessment regarding the type of decision. Upon receiving a complaint about possible personal data
processing violations, the inspection initially checks the received messages, including requesting information
from the data controller and/or processor to establish whether the processing of personal data in the said data subject
in the event that it has generally occurred. Submitting an application for possible violations of personal data processing
in the process does not mean that the verification of the information specified in the application will result in the detection of a violation,
issuing an administrative act and applying a corrective measure or imposing an administrative penalty. 5
Inspection of administrative proceedings or administrative infringement proceedings against the data controller
starts only when it becomes aware of the facts. Such facts are obtained by the inspectorate by inspection and acquisition
the necessary information, which in turn gives the basis for starting the administrative violation process.
A decision on the most appropriate remedy (a decision to initiate a case) can only be made when
collected sufficient information to assess whether a violation of personal data processing has occurred at all, and
the nature of this violation. Therefore, the deadline for making a decision is counted not from the applicant's complaint
from the moment of submission, but from the moment of discovery of the violation of personal data processing, that is, when it is
the relevant examination and clarification of the circumstances have been completed and it is established that the person really is
has committed a violation of personal data processing. 8
In view of the above, the Inspection Officer carried out tests to find out Tet+
procedure for receiving the service and assessed compliance with the regulatory act regulating data protection
requirements. As a result of the inspection, a number of non-conformities were found, which indicated the possibility
violation, thus the Inspection official prepared a report in which he drew attention to the inspection
found. Based on the report prepared by the official, a decision was made to initiate
administrative violation process, because the information provided in the report was considered sufficient
grounds for committing a possible violation. Considering that the officer's report was prepared
On January 4, 2022, the decision to initiate the administrative violation process was made
adopted on January 7, 2022, it can be concluded that within three working days in accordance with the first paragraph of Article 117 of the AAL
one of the specified decisions was made for the part. Regarding the fact that the Inspection of information
the request was sent by Tet only on October 28, 2021, indicating that Article 78, paragraph 2 of the Data Regulation
a period of three months has been set in which the supervisory authority must consider the complaint and inform the data
subject on the progress or results of the complaint. At the same time, neither the Data Regulation nor the FPDAL
does not determine the term in which the Inspection should contact the manager to clarify the information stated in the complaint
circumstances, therefore the objection that the Inspectorate approached Tet with a request for information late is not
justified.
Taking into account the above, the Director of the Data State Inspection believes that the case has been considered in a timely manner and
observing the deadline for starting the administrative violation process set by AAL.
[5] Tet states in the complaint that the administrative violation process has actually been disproportionately long,
also violating the decision-making deadline. In Tet's view, the Inspectorate has not complied with Article 133 of the AAL
the prescribed administrative violation review period, because according to the mentioned legal norm, cases
the term of consideration and decision-making can be extended for a period not exceeding four months
from the day when a decision was made to initiate the administrative violation process, simultaneously
The inspection official made the decision on July 15, 2022, which is almost 2 months after
due date. In addition, Tet expresses the opinion that the Inspectorate has been examining the case for almost a year
a disproportionate term compared to the scope of the investigative activities carried out, thereby violating the procedures
deadlines. The complaint also states that the disproportionately long time frame for processing the case has burdened Tet
opportunities to exercise their procedural rights and provide more precise explanations to the Inspection, so
for example, Tet was not able to identify clearly enough his status in the process, his rights and therefore
to implement them, taking into account that investigative actions were carried out, Acts or procedural actions were prepared
protocols, even the administrative violation process was not initiated. In addition to the Tertiary and post-administrative
initiation of infringement proceedings on January 7, 2022, it has been difficult to determine what case
is an administrative offense process. The disproportionately long duration of the case has led to errors
in assessing the severity of the violation, as certain isolated situations have been unreasonably interpreted as
inadequacy of a systemic or legal personal data processing system and, accordingly, also in the applicable one
8 Decision of the Department of Administrative Affairs of the Supreme Court Senate of April 28, 2020 in case no. A420230820 6
in the sanction, as well as caused errors in the determination of the financial year from which the possible penalty is calculated,
significantly increasing the amount of the penalty. Finally, Tet points out that the Inspection had to apply
the "Consult first" principle, because there are no victims in the case and at the time when the administrative offense was initiated
process, that is, on January 7, 2022, Tet had already completed the additional technical work started in October 2021
the addition of safeguards that entered into force on January 13, 2022, and initially identified
the risk was completely eliminated, just as the [...] case was resolved.
Regarding the deadline for case consideration and decision-making, the Director of the Inspection states,
that with the Inspection's letter of April 13, 2022 no. [..] For additional explanation and document
submission and extension of the deadline for consideration of the administrative violation case
the deadline was extended until July 8, 2022. At the same time, the Director of the Inspection finds that
in accordance with the first part of Article 133 of the AAL, the administrative violation case is examined and a decision is made
as soon as possible, but no later than within one month from the date of the decision on
initiation of the administrative violation process. On the other hand, according to the second part of Article 133 of the AAL if
due to objective reasons, it is impossible to meet the deadline specified in the first part of this article, the official
can be extended for a period not exceeding four months from the day when a decision was made on
initiation of the administrative violation process. The administrative violation process was initiated in 2022.
on January 7, 2022 and extended until May 9, 2022, while on April 13, 2022, the cases
the review period was extended to 8 July 2022, which means that the four
months for consideration of the case and decision making. At the same time, the Director of the Inspection states,
that according to the practice of the Senate of the Supreme Court, when assessing the impact of a procedural violation on the process
result, it is necessary to find out whether this violation could have affected the substance of the decision. Thereby,
in view of the above, even though the four-month decision-making period was not observed in the case review
within the period from the day of initiation of the administrative violation process, at the same time the Director of the Inspection
in view, this procedural violation could not affect the final decision in the case. In addition, it should be noted that
the deadline for the consideration of the case was missed, because during the course of the consideration of the case it was continuously requested
information, the answers given by Tet were evaluated, therefore the Director of the Inspection concludes that regardless
of whether the decision would be made within four months or on the day when it was actually made, this
the circumstance did not affect the final result, as it was necessary to find out all the circumstances in the case and them
estimate.
Regarding the disproportionately long time of the case review, the Director of the Inspection states that
the administrative violation process was started only on January 7, 2022, while the decision was made
adopted on July 15, 2022, which means that the case did not take place for one year as indicated by Tet.
In the course of the administrative violation process, the Inspectorate requested the necessary information from Tet,
assessed it, repeatedly requested information, in total the Inspectorate requested Tet information four times,
therefore, during the course of the case, some actions were continuously taken to find out whether it had been done
administrative violation. Thus, in the opinion of the Director of the Inspection, Tet's statement is unfounded,
that the Inspectorate has examined the case for a disproportionately long time.
Regarding the allegation that Tet failed to clearly identify his status in the proceedings,
it should be noted that the administrative violation process was initiated on January 7, 2022, by making a decision
on the initiation of the administrative violation process and the extension of the deadline for consideration of the case, where else
among other things, the second page of the decision stated the rights of Tet as the person to be held responsible and
duties. Therefore, Tet was informed of its status in the process when the process was initiated. Regarding time
stage until the initiation of the administrative violation process, Tet was not granted procedural status because
The inspection carried out inspection activities in accordance with the Data Regulation and FPDAL, not administrative
as part of an infringement process or an administrative process. In addition, the Inspection did not have any
information that Tet is confused about its procedural status, which prevents it from exercising its rights.
9 The law of administrative violations, Explanations of the Law of Administrative Responsibility, prepared by a collective of authors.
In the scientific editorship of E. Danovska and G. Kūtra. - Riga, Courthouses Agency, 2020, p. 409. 7
During the examination of the case, Tet provided the Inspection with the information it requested, got acquainted with the case
materials that show quite the opposite, that Tet clearly understands its procedural status and implements AAL
prescribed rights. Among other things, the aforementioned did not prevent Tet from contacting the Inspectorate with a request to explain them
the procedural status before the initiation of the administrative violation process, but the Inspection as such
the request was not received. In view of the aforementioned, in the view of the Director of Inspection, Tet was provided as necessary
information about its status in the process, and there were no circumstances that made it difficult for Tet to understand it
status in process.
Tet stated that even after initiating the administrative violation process on January 7, 2022
it has been difficult to establish what kind of case the administrative violation process is really about. Inspections
the director explains that the AAL was indicated in the decision on the initiation of the administrative violation process
The information listed in the first part of Article 121, including information about the commission of an administrative violation
the actual circumstances, that is, what actions taken by Tet, which are recognized as inappropriate Data
for the regulation, a process was initiated. In addition, it should be noted that the review of the administrative violation process
During the inspection, the Inspectorate sent several requests for information to Tet, to which Tet responded.
The director of the inspection finds that in the decision of January 7, 2022 on the administrative violation
the initiation of the process and the extension of the deadline for consideration of the case, among other things, have been indicated, and the case has been started
on the conduct of Tet, for the provision, preparation, conclusion and execution of electronic communication services,
without verifying the identity of persons who remotely apply for electronic communication services. From now on
in the course of the examination of the case, the Inspector's official specifies in relation to some electronic communication
service, an administrative violation case is being conducted, namely Tet+ service, therefore
The director of the inspection concludes that Tet had information that the case was being investigated for Tet+
service.
Taking into account the above, the Director of the Inspection finds that Tet was at the disposal of the case during the examination
sufficient information about the nature of the violation and that the violation is directly attributable to Tet+
service and the inconsistencies found in it.
Tet explained that the disproportionately long term of the case has created both errors and violations
in assessing the severity, as well as in determining the financial year from which the possible penalty is calculated,
significantly increasing the amount of the penalty. The director of the inspection indicates that the severity of the violation was
assessed taking into account the factual circumstances of the case and their legal evaluation, and according to the Inspection
for the developed tool for determining the amount of administrative penalties, the offense committed by Tet was qualified
as moderate. The director of the inspection explains that there was no administrative violation process
proposed specifically for the [...] case, but on the basis of this case, an examination was carried out for
procedure for receiving the Tet+ service provided by Tet, thus Tet's statement that the Inspection
inaccurately linked Tet's answers with the information at the disposal of the Inspectorate. Regarding Tet in insight
incorrectly determined financial year from which the applied fine was calculated, it must be indicated that accordingly
According to Article 83, Clause 5 of the Data Regulation, administrative fines are applied in the case of a company up to 4
% of total worldwide annual turnover in the previous financial year. European Data Protection
in the guidelines of the board of May 12, 2022 no. 04/2022 on the calculation of administrative fines, it is stated,
that on the question of which event the term "previous" refers to, the Courts of the European Union
(hereinafter - CJEU) jurisprudence in competition law can also be applied to the penalties of the Data Regulation, in order
the relevant event would be the decision to impose a penalty issued by the supervisory authority and not
the time of the offense or the court decision. Therefore, the Tet fine was justified
the turnover obtained in the previous year, i.e. in 2021, is taken into account, because the decision on the application of the penalty has been adopted
in 2022. In view of the above, the Director of the Inspection finds that, when determining Tet's punishment, she complied with the Data
10Guidelines 04/2022 on the calculation of administrative fines under the GDPR, Adopted on 12 May 2022 – version for
public consultation (the guidelines are currently out for public consultation and their text may change), available:
https://edpb.europa.eu/system/files/2022-05/edpb_guidelines_042022_calculationofadministrativefines_en.pdf . 8
Article 83 paragraph 5 of the regulation on determining the amount of the penalty from the previous financial world
of the annual turnover obtained in the year.
Regarding the application of the "Consult first" principle in a specific case, Inspections
the director states that the principle "Consult first" was applied in Tet regarding previously established
violation in 2021, applying a reprimand and imposing an obligation in the future to process personal data
processing, comply with the decision and other personal data protection requirements. Inspection director
explains that the "Consult first" principle does not apply in all cases. The mentioned principle
application is evaluated taking into account several aspects - both whether the chosen means will be
applied and will deter the manager from committing further violations, as well as, or previously the manager
violations have been found in the operation. Considering that inconsistencies were repeatedly found here
to the requirements of the regulatory acts regulating the processing of personal data, the Inspectorate did not see an opportunity to repeat
to apply the principle "Consult first", thus, when deciding on the most appropriate remedy, it was necessary
deemed fine.
[6] Tet expresses the opinion that in the process of administrative violation in the performance of investigative activities
private individuals were illegally involved. Namely, in Tet's discretion with the process of administrative violations
unrelated private individuals were involved in the inspection, thus the Inspectorate violated its mandate. in the same way
The Inspection has accessed the e-mail data of a private person [...], for which the Inspection official is directly
indicated in the minutes of the investigative activity. Involving private individuals in conducting investigative activities
Tet discretion has a detectable effect on the admissibility of evidence. Among other things, in investigative activities
the processing of the personal data of the private individuals involved was carried out without a legal basis.
First of all, the Director of the Inspection explains that the investigative activities are administrative
for the initiation of the violation process were carried out within the framework of Chapter IV of the FPDAL, not AAL, because the Inspectorate has
the right to carry out an inspection even without starting an administrative violation process or initiating an administrative one
process. Thus, the indication that on December 9, 16, 22 and 28 December 2021
inspections were carried out on the basis of Article 109 of the AAL, is not justified.
Regarding the involvement of private individuals within the framework of the inspection, the Director of the Inspection states that for the purpose
to find out the procedures for receiving the Tet service Tet+ and its compliance with the data processing regulations
in accordance with the requirements of regulatory acts, during the inspection, the Inspection official processed the persons of private individuals
data. At the same time, the aim is to evaluate the procedure for receiving the service provided by the Inspection officer
could not be achieved without processing personal data, as it was necessary to receive the service
fill out the application, indicating personal data. Although the test was used
personal data of private individuals, the Director of the Inspection states that the mentioned persons did not participate in the act on
website review in the preparation and evaluation of the results obtained as part of the test. The mentioned
the actions were carried out by the officials of the Inspection. For private individuals whose personal data was used when performing
inspections, no information related to the investigation of the case was disclosed. Among others, private individuals
processing of personal data was carried out in compliance with the data subject's information provided in the Data Regulation
obligations and appropriate legal basis for data processing. Given that individuals independently
did not carry out investigative activities, Tet's objection regarding the inadmissibility of evidence is not justified.
Regarding Tet's indication that the legislator has not established the right for the Inspection to involve another person
in the conduct of an administrative offense process, including minors, as determined by, for example, the police
employees in accordance with Article 12, Clause 34 of the law "On the Police", the Director of the Inspection explains,
that the physical involvement of private individuals in investigative activities by conducting control purchases and private individuals
processing of personal data is a separate activity, taking into account that the inspection officer checks
implemented independently, the evaluation of the test results was carried out without the involvement of private individuals, therefore
it cannot be considered that private individuals were involved in investigative activities.
In compliance with the above, at the discretion of the Director of the Inspection, private persons during the inspection
were not involved illegally, because for the purpose of checking the application of the Tet+ service, there were 9
it is necessary to process personal data. There were no other models of action for the inspection or
means of familiarization, how to check the implementation of the service in practice.
[7] The complaint states that the investigative actions were unlawfully performed before the administrative one
initiation of infringement proceedings. Namely, the investigative activities of the administrative violation process were
carried out in December 2021, although the process itself was actually started only on January 7, 2022. Tet
indicates that investigative activities are allowed only after the process has been initiated. On the other hand, if
the official conducts a departmental inspection as soon as the official has information that clearly points to
the committed administrative violation, the official must immediately initiate an administrative violation
process.
The director of the inspection states that FPDAL Chapter IV determines the procedure for the implementation of the inspection,
regardless of any other process started. The regulation of Chapter IV of the FPDAL applies to Inspections
the right to conduct an inspection even before an administrative violation process is initiated. Considering that before
for the inspections carried out in December 2021, the Inspection official was not convinced of the violation
the presence of signs, tests were carried out. After the inspection officer carried out the inspections, it was
found that the obtained information indicates the commission of an administrative violation, as well as the specific one
at the time a decision was made to initiate the administrative violation process. In view of the above,
The director of the inspection states that the inspection official had the right to carry out inspections before the start
administrative violation process.
[8] Tet expresses the opinion that the Inspection has not mutually distinguished the administrative process from
administrative violation process. Namely, the Inspection had, in accordance with the first part of Article 117 of the AAL
the possibility of making one of three decisions. The inspection may not arbitrarily, by missing the deadline, the process
reclassify as an administrative process. It is not clear from the case file whether the Inspection is
distinguished processes, for example, the fixed result of a procedural action of the same type and content
referred to as both the inspection act (inspection) and the inspection protocol. Tet states that he was not informed
on the initiation of the administrative process. The additional complaint states that according to FPDAL Article 15
the fourth part, before starting the procedural actions, the manager must be informed about his rights, which was not done
done, at the same time, in the sixth part of Article 16 of the FPDAL, it is stipulated that the person performing the procedural action issues
a copy of the report of the person against whom the investigation was initiated, which Tet did not receive.
The director of the inspection explains that no administrative proceedings were initiated against Tet.
In accordance with Article 15 of the FPDAL, the Inspection performed inspection activities, which were not done in this particular case
were carried out neither within the framework of the administrative infringement process nor the administrative process, but were carried out
precisely in order to find out whether there are facts that could be the basis for the adoption of an administrative act
or indicate a possible administrative violation. The inspection is not obliged in every case
to start any of these processes, the Inspection has the right to initiate the process if sufficient information is obtained
for a violation. Regarding the fourth part of Article 15 of the FPDAL, the Inspection explains that the said right
the norm applies to face-to-face inspections in cases where the Inspectorate conducts an inspection at the manager's premises and
in a specific case, before starting the inspection, the official informs the authorized persons of the controller or processor
representatives for rights. Consistently, Article 16, Part Six of the FPDAL refers to face-to-face inspections and
is to be read in the context of the fourth and fifth parts of the said article, that is, when conducting an on-site inspection, the supervisor or
in the processor's premises, the official prepares a protocol of procedural activity, presents it to the persons,
who participated in the relevant activity and a copy is issued to the person against whom the investigation has been initiated. The mentioned
the legal provision does not apply to off-site checks where no controller or processor is required
presence at the time of the procedural action. Regarding the result of the procedural action, which
called both the inspection report and the inspection protocol, it should be noted that before the administrative
the results of the inspection carried out for the initiation of infringement proceedings are consistently named Acts,
on the other hand, the procedural action carried out within the administrative violation process is named inspection,
because Article 104 of the AAL lists investigative activities, where paragraph 4 defines one of the investigative 10
for actions – inspection. In order not to create confusion about the presentation of test results before
the initiation of the administrative violation process, the Inspection official used the name which
does not match the name of the investigation activity defined by the AAL.
In view of the above, the Director of the Inspection concludes that no action was taken against Tet
the administrative process, thus the objection that the Inspectorate has not distinguished the processes is not justified,
on the other hand, since FPDAL articles 15 and 16 set out in the part on conducting inspections, informing the supervisor
on conducting an inspection, as well as issuing a protocol of procedural activity, is applicable in person
inspections, Tet's objection that the Inspection did not comply with the inspections stipulated by the FPDAL is not justified
execution procedure.
[9] Tet expresses the opinion that the Inspectorate has violated the administrative violation process
basic principles.
[9.1.] First of all, in Tet's view, the Inspection has not followed the principle of the rule of law, because it is obvious
violated its authority by transferring restricted access information about the administrative
the infringement process to persons who are not involved in it, thereby violating the provisions of Article 28 of the AAL
principles of the rule of law, as well as the prohibition contained in the first part of Article 14 of the FPDAL in the Inspection
employees to disclose the information they have obtained in connection with the performance of tasks in the Inspection.
The director of the inspection explains that it is not immediately clear from the objection mentioned by Tet, which one
the information has been transferred by the Inspection official to third parties. This is also indicated by Tet,
explaining that there is no complete information, what information the Inspection official has given to the third party
at the disposal of persons. Taking into account the above, in the opinion of the Director of the Inspection, the objection is not justified and based
to conjecture, as it indicates Tet suspicions and doubts about the disclosure of information, rather than concrete
the fact that has happened. The inspection explains that the information is limited to third parties
has not been disclosed, among others, to the persons whose personal data were used to perform the test, the following
information was not disclosed.
In compliance with the above, the Director of the Inspection states that the Inspection official has not violated them
mandates, as well as when processing the personal data of individuals during the inspection, FPDAL has complied
The prohibition contained in the first part of Article 14 to disclose information related to the performance of work tasks.
[9.2.Secondly, Tet states that the Inspection did not comply with the procedural requirements established in Article 32 of the AAL
the principle of economy, and also has not ensured the right provided for in the first part of Article 33 of the AAL
defense. Namely, both during the administrative violation process and also during the preparation of the complaint in Tet
it is not clear what factual circumstances are the subject of the proposed evidence.
At the same time, the Inspectorate has not attached case materials to the decision - a report or other information,
which would allow to conclude the nature of the violation for which the case has been initiated. The inspection officer had a duty
immediately provide Tet with materials available in the case, namely the report.
The director of the inspection explains that in case Tet was not clear about which actual ones
circumstances, a case has been initiated, in accordance with Article 41, paragraph 1, paragraph 1 of the AAL for liability
the called person has the right to familiarize himself with the administrative violation file materials, to make from
documents, transcripts and make copies.
with case materials only on June 30, 2022, that is, 5 months after the start of the process. The mentioned
does not at all indicate that Tet was initially unclear as to what the case was about. On the contrary, if Tet
such doubts would have existed, the right would have been exercised soon after the case was initiated. Regarding
The inspection is obliged to add other materials to the decision on the administrative violation process
initiation, the Director of the Inspection states that the first part of Article 121 of the AAL does not determine the obligation
to add other materials to the said decision, taking into account that the content of the decision should be indicated
sufficient information. On the other hand, if the person to be held accountable has a desire to get to know others
case materials, it can use the rights established in paragraph 1 of the first part of Article 41 of the AAL
get acquainted with the administrative violation file materials. In addition, it should be noted that after 11
The inspection official had sent a Tet report on his own initiative on March 1, 2022 and
inspection act12, Tet the following answers to the initial questions asked by the Inspection official
the essence of the questions did not change, which means that, upon receiving the case materials, Tet did not obtain additional
information that would change its original answers.
[9.3] In addition, Tet's right to a defense was violated because the decision does not specify which ones
the circumstances were taken into account by the Inspectorate when determining the penalty. The element referred to in Article 83, Clause 2 of the Data Regulation
analysis is one of the most important pieces of evidence in the case, while not including this reasoning in the decision
denies Tet the opportunity to become familiar with the motivation of the penalty applied by the Inspectorate and to check the calculation of the penalty
compliance of the methodology with the binding regulations and realize the right to defense.
The instructions of the Director of Inspection are included in Article 83, Clause 2 of the Data Regulation in Clause 6.3 of the Decision
the criteria included in determining the penalty. Therefore, in each case the Inspection takes into account these criteria, as well as
when determining the amount of the fine, the guidelines developed by the Inspectorate "Amount of administrative fines" are used
determination criteria for companies and individuals", which are published on the website of the Inspection
and sets out the criteria that are taken into account in determining the penalty and what their effect is on the penalty to be imposed
extent. On the other hand, according to the 2021 decision of the Riga Regional Court Criminal Court Board
In the judgment of 23 November in case no. 01630000100120.1, the court panel joins the authorities
in the explanation to the opinion expressed that the penalty calculation algorithm referred to, among other things
complainant, is the institution's internal tool made publicly available for good management
within the framework of the principle, ensure the transparency of the decisions made by the Data State Inspectorate. Thereby,
considering that the mentioned penalty calculation algorithm is considered an internal document of the institution,
In the opinion of the director of the inspection, the penalty calculation table should not be attached to the decision on the penalty
application, however, in cases where the person called to account would like to get acquainted with the punishment
calculation of the amount, a copy of said calculation can be issued. At the same time, the Director of the Inspection states,
that after the request made by Tet during the oral hearing of the case on September 1, 2022, the Inspection
sent Tet the table for calculating the fine imposed by the decision. Detailed with the appropriate decision
the Director of the Inspection will carry out the assessment of the fine calculation criteria in paragraph 13 of this decision.
[9.3.] Thirdly, Tet draws attention to the principle of procedural justice and the principle of governance
violations at the disposal of the Inspection. Namely, in Tet's opinion, the practice of the Inspection is not to send what is needed right away
information to the accountable person is contrary to the principle of good governance. Tet responds
both to the jurisprudence of the Constitutional Court and the Law on State Administration. In addition to the Tet bull
attention, that in accordance with the first part of Article 137 of the AAL, the administrative violation case is being considered
in the oral process, the case corresponding to the fourth section of the aforementioned article can be considered in the written process,
if the participants in the process agree to it. It is not clear why the Inspection official received the Tet
the request to consider the case in an oral process, did not consider it necessary and did not provide an argument
refusal. At Tet's discretion, the Inspection Officer should have given Tet an opportunity to be heard orally
– by video conference or in person. Thus, Tet's right to be heard was violated. Although Tet
does not deny that it had the opportunity to get acquainted with the case materials, however, the examination of the documents
at the end of the administrative violation process and after the legal deadline for making a decision is violated
The right to a fair trial enshrined in Article 30 of the AAL.
The director of the inspection explains that the course of the administrative violation process is determined by AAL,
not the Law on State Administration. Therefore, the AAL must be taken into account regarding the procedure
determined, which, among other things, does not impose an obligation on the Inspection in addition to the decision on administrative
11
12 Inspection letter of March 1, 2022 no. [...] "On submission of explanations and documents".
13Tet letter of April 7, 2022 "About providing an answer" No. [..].
Criteria for determining the amount of administrative fines for companies and individuals, available:
https://www.dvi.gov.lv/sites/dvi/files/media_file/administrativo-naudas-sodu-apmera-noteiksanas-kriteriji-
for companies-and-individuals.pdf . 12
to add other cases to the initiation of infringement proceedings or the sending of a decision on the application of a penalty
materials. Instead, in Article 41(1) of the AAL, the liable person shall
certain right to familiarize with case materials.
With regard to Tet's objections to the consideration of the case in the oral process, the Director of the Inspection
explains that at the time when a decision was made on the procedure for examining the case, the Inspector's official
did not see the need to specify or clarify additional circumstances in the case, moreover, taking into account the Covid-
19 mitigation measures and a recommendation to organize work remotely as much as possible, were taken
a decision was made to consider the case in a written process. Therefore, the Director of the Inspection does not see it
violation in that the case was considered in a written process. Namely, the spread of the Covid-19 infection
the first part of Article 9 of the Law on Management directly provides for the right of an official to consider a case
in a written process, if it has not deemed it necessary to examine the case in an oral process.
In addition, it should be noted that by sending Tet's letter of June 14, 2022 no. [..] for the consideration of the case
in the written process, the Inspectorate informed the Tet of the right to submit to the case until July 1, 2022
additions, evidence, as well as submissions or requests of a different nature, which are essential in Tet's opinion
for a full and correct consideration of the case and the adoption of the relevant decision. Hence, although the thing
was appointed for review in a written process, Tet administrative violation process review
in the course of, including before the case was examined and the decision was taken, the right to provide was ensured
explanations, the right to submit submissions and other information for proper consideration of the case. With
Tet's objection of not respecting the right to be heard is unfounded. Regarding the Tet indication that
inspection of documents at the end of administrative infringement proceedings violates Article 30 of the AAL
the strengthened right to a fair trial, the Director of the Inspection states that Tet was not denied the right
get acquainted with the case materials from the moment of initiation of the administrative violation process. The circumstance that
Tet did not exercise this right in time, does not indicate that the Inspectorate has violated the provisions of the AAL
principle of procedural justice.
[10] The complaint states arguments about accountability and the burden of proof
interaction, as well as violation of the presumption of innocence. Tet considers the contents of the Data Regulation
the principle of accountability should not be interpreted broadly, transferring the burden of proof to at
liable person, limiting AAL29. the presumption of innocence specified in the article. Accordingly
The first part of Article 89 of the AAL has the burden of proof in administrative infringement proceedings
official. Consequently, the Inspection official was obliged to obtain and
to establish information about the facts, which will then be used to prove the existence of an administrative violation
or absence. As part of the process, information was requested inconsistently and often regarding
the explanations provided for the data processing of a specific person were unjustifiably attributed to the data processing
system as a whole. So, for example, the Inspection official has not found out what information about [..]
Tet has effectively handed over Creditreform. Consequently, the Inspection official has no reason to presume that
Creditreform has used the information provided by Tet, rather than the data already in its possession or obtained [...]
in the processing of personal data. Tet states that it has not transferred the data of a minor to Creditreform, because Tet
the service was applied for in the system with the personal code of an adult. Therefore, it is not in the decision
proven, but it is only alleged that Tet would have transferred the data of a minor to Creditreform.
The director of the inspection explains the principle of accountability within which the supervisor must prove
compliance of data processing with the Data Regulation and the burden of proof according to which the Inspection has
the obligation to prove the existence or nonexistence of an administrative violation and clarify other circumstances for which
are important in the correct decision of administrative violation cases, there are distinguishable and independent principles. Namely,
the fact that the manager has the obligation to prove the legality of the data processing performed and compliance with the Data Regulation,
does not exclude the burden of proof imposed on the Inspection in the process of an administrative violation and vice versa.
The inspection does not dispute that, according to the AAL, it is obliged to prove the persons to be held responsible
guilty of committing a violation, which the Inspection also carried out. To the inspection official in order to understand how 13
service application process is underway, it was also necessary to ask questions of a general nature.
Thus, in the opinion of the Director of the Inspection, an administrative violation was requested as part of the process
the necessary information from Tet to ascertain the existence or non-existence of a violation, as well as the process
the information obtained within the framework was confirmed in accordance with the procedure established by the AAL. In view of the above,
The director of the inspection finds that the official has complied with the obligation of proof set by the AAL and
has confirmed the information in accordance with the procedures set forth in this law.
Regarding the processing of [..] personal data, the Director of the Inspection states that on August 9, 2021
from the Valmiera station of the Vidzeme region administration of the State Police received the forwarded [...] of 2021
the application of June 19, together with the materials of the Police departmental examination. It can be seen from the materials,
that in the contract for electronic communication services no. [..] the name, surname and persons of [..] are indicated
code [..] corresponding to the personal code of an adult. In addition to Creditreform 2021
In the notice of the debt of 15 June, the first and last name and address of the residence are indicated, while
the personal code is not specified. From the above, as well as the information provided in the Tet explanations
The director of the inspection finds that Tet did not hand over the identity code of a minor, taking
taking into account that it had the identity code of an adult, however, in order to recover the unpaid debt,
gave Creditreform the identifying data of a minor [..] – name, surname, as well as others
personal identification number and residential address of an adult. Doesn't matter in the specific case
to the fact that Tet was not aware that he was transferring the personal data of a minor, because Creditreform
the transferred personal code did not belong to [...], considering that Tet had allowed such situations by his actions
possibility. The above is also confirmed in Tet's oral explanations, namely that Tet had possession
[..] as the personal data of an adult and are not in its system [..] as minors
personal code.
In addition, Tet asks for an evaluation of the administrative violation process in the oral explanations
inadmissible conditions, namely statutes of limitations [...] in the case of data processing. The director of the inspection indicates that
in accordance with the first part of Article 118 of the AAL, the process of an administrative violation can be initiated no later than
within one year from the date of the violation, but if the violation is prolonged, from the violation
cut-off days. According to decision 5.7.5. for the violations found in point 2) and 3)
in subsection Tet had issued an invoice for the services rendered to a person who is not present
has approved the contract, as well as the client who has not approved the contract in accordance with the procedure established by Tet and who is not
after paying the invoices, the personal data was transferred to Tet for extrajudicial debt collection
for the company. The director of the inspection explains that according to the materials of the departmental inspection of the Police
for the information provided, Tet submitted a debt application to Creditreform on 15 June 2021
extrajudicial recovery from [..] by transferring [..] personal data to the specific debt collector. The mentioned
as evidenced by Creditreform's debt notice of 15 June 2021. Considering that the mentioned
information was transferred to Creditreform on June 15, 2021, while the administrative violation
the process was started on January 7, 2022, it can be determined that the administrative violation process
the statute of limitations for initiation has not expired, because there was no time from the day of the violation to the initiation of the process
a year has passed.
Regarding invoicing to a customer who has not approved the contract, it should be noted that from
Creditreform's debt notice of 15 June 2021 shows that Tet had invoiced [...]
December 18, 2020, January 18, 2021, February 18, 2021, March 18, 2021 and
on April 18, 2021. Thus, it can be established that the violation was carried out for a long time and was stopped by
sending the last invoice on April 18, 2021. Considering that infringement proceedings were initiated
On January 7, 2022, admittedly, a year had not passed since the day of termination of the violation. Observing
mentioned, the Director of the Inspection finds that in relation to [..] illegal personal data carried out by Tet
processing, the statute of limitations for starting the administrative violation process has been observed.
In addition, it should be noted that invoicing and data transfer to the debt collector is Tet
a systemic practice that applies not only to a specific data subject, but to any customer. 14
It cannot be denied that every customer receiving the service is billed for the service until
every customer's data is processed. Such personal data processing operations are confirmed by the controller
in internal documentation (instructions, process descriptions). This is also confirmed by oral examinations
information provided at the time that personal data is stored even after the termination of transactions with customers
for accounting purposes, to ensure accounting of invoices, as well as to resolve payment disputes.
Thus, there is no dispute in the case that Tet issues invoices and performs personal data processing invoicing
for prescribing, for all customers. Likewise, during the oral proceedings, Tet's representatives indicated that Tet was transferring
customer data to debt collectors if payment for services is not received. The said persons
data processing is also prohibited in the data processing register. Therefore, such actions are recognized as
for systemic controller actions with personal data. And in this case, no specific data is relevant
for the date of processing of personal data carried out by the subject, as they are only a confirmation of the implementation of Tet
practices and work processes in relation to the processing of clients' personal data. Such personal data processing
could have happened to any other customer whose inaccurate data could be used to conclude a contract and
for receiving the service. Violations of the Data Regulation can be viewed in isolation only with respect to the specific data
subject, only in cases where the controller's action exceptionally refers only to the specific data
subject. On the other hand, the actions considered in the case are systemic actions in relation to any Tet customer.
For example, if the persons mentioned in the inspection reports carried out by the 2021 Inspection continued
receiving services, they would also be billed and in case of non-payment, their data would be
handed over to debt collectors. The circumstances of the case are not such as to indicate that specific persons - [..]
the case is unique and the treatment would have differed from general company practice.
Material violations
[11] The complaint states that the Inspectorate incorrectly evaluated the facts, made logical errors
regarding the fact of conducting the assessment, as well as wrongly identifying the violation committed by Tet as intentional
would do.
The inspection director does not doubt that Tet carried out a risk assessment at the same time, as it was
stated in the decision, they were not sufficiently identified. Namely, the effects of Tet personal data processing on
the assessment of data protection of natural persons indicates that the initial risk of loss of integrity when
a person tries to apply for a service by submitting another person's data, evaluated as reliable, in turn
the consequences and level of risk are rated as moderate. At the same time, the risk of loss of integrity after risk control
implementation of measures is assessed as unlikely, but the consequences and level of risk are assessed as average.
The assessment indicates such risk control measures as employee training, access rights
implementation, maintenance and regular revision, automatic interfaces, personal code syntax is
verified with the personal code verification tool offered by PMLP, the identity of the service applicant is
checked when confirming the contract My Tet, if necessary, make reminders
for customers who have not approved contracts. Among other things, Tet explained in oral explanations that
Tet assessed the mentioned risks and concluded that the probability of occurrence of the risks after minimization
measures, namely after PMLP tool and email verification, is low.
The director of the inspection states that there are none of the indicated risk control measures
sufficient to ensure that the person could not apply for the service through other persons
data, for example, the PMLP tool checks only the existence of the personal code, not the correspondence of the personal code
to the person specified in the application, as well as employee training, will not exclude the possibility that the person will abuse
may use another person's personal data.
In view of the aforementioned, in the opinion of the Director of the Inspection, the integrity indicated in the Tet assessment
the risk of loss was not adequately evaluated, taking into account the ineffective control measures of the ship
for mitigating the mentioned risk and the situation when a person would use another person's data of the service
for application, prevention.
Regarding the intentional violation, the Director of the Inspection explains that according to the Data Regulation
For Article 83, Paragraph 2, Subparagraph b), one of the criteria for determining the amount of the penalty is the circumstance, or
the violation was committed intentionally or due to negligence. Decision 6.3. paragraph explains that the violation was
done intentionally because Tet was aware and assessed the risks, however they were not properly assessed and were not
appropriate risk control measures have been implemented. The director of the inspection indicates that for intentional or
willful misconduct may be considered to involve both knowledge and awareness of
the nature of the violation, while a violation committed unintentionally or due to carelessness means that there was no violation
intent to cause a breach, even though the controller has breached the statutory duty of care. Observing
mentioned, in the opinion of the Director of the Inspection, signs of an intentional violation can be seen in Tet's possession. To it
indicates the effect of Tet's actions on personal data processing on the protection of natural persons' data
assessment, establishing that the initial occurrence of risk when a person tries to apply for a service,
when submitting another person's data, it is reliable and as risk-mitigating measures in oral explanations
indicating, for example, the implementation of the PMLP tool and email verification, which cannot be considered as
effective measures to prevent the mentioned risk. Reliance that consumers are generally bona fide and
will not commit illegal activities using the personal data of others, does not mean that Tet as the manager
it is not necessary to take all possible risk mitigation actions to ensure that service applications
it is not possible to perform such illegal activities at the moment. Therefore, in accordance with the aforementioned, Inspections
the director concludes that Tet was aware that such a risk existed, moreover, it was initially assessed as probable, however
the risk mitigating measures were not chosen according to the said risk because even after the said measures
implementation, it was possible to apply for the service using another person's personal data.
In the opinion of the director of the inspection, Tet's actions indicate intentional actions and there is a reason to conclude,
that the administrative offense was committed intentionally.
[11.1.] Tet does not agree with the inspection official's analysis of the actual circumstances and
for the legal assessment, it is considered that no administrative violation has been identified and proven in the case
the circumstances contained in the subject of proof of the process, or the composition of the administrative offense itself
essences.
The director of the inspection states that several violations committed by Tet have been found and proven in the decision.
The director of the inspection will evaluate each of them sequentially, in the context of the circumstances found in the case.
1) When applying for an electronic communication service, the customer is provided with the service and
connected without the customer confirming the contract. Thus, Tet processes the data of persons without identity
has been verified, thus violating Article 5, Clause 1, subparagraphs a) and d) of the Data Regulation.
The director of the inspection states that it has been established in the case that [...] received the service, but did not
approved the contract. This is evidenced by what is indicated in Tet's explanations, that in a situation where personal data
were handed over for debt collection, although the contract for the service was not approved, the Tet employee was
made a mistake because he was not sure, the liability has been confirmed, therefore the debt was transferred to collection.
Thus, the Director of the Inspection concludes that in case the Tet employee had made sure of the contract
confirmation, personal data would not be transferred for debt collection.
In compliance with the above, the Director of the Inspection finds that 5.7.5 of the decision has been proven. in point
the specified violation committed by Tet, namely that the customer, when applying for the electronic communication service,
the service is provided and connected without the customer confirming the contract and verifying the persons
compliance of the identity with the personal code specified in the application.
2) For the person who has not approved the contract, Tet issues an invoice for the services provided
for electronic communication services, recording personal data and keeping accounting
in accordance with the procedures and deadlines specified in the regulatory legal acts.
14Tet letter of April 7, 2022 no. [..]. 16
The director of the inspection states that it has been established in the case that [...] received the service without confirmation
contract. Considering that payment for the services was not received, Tet [...] transferred the debt
for recovery Creditreform. When transferring the debt, CreditreformTet added the issued invoices. Parto testifies
letter from Creditreform dated 15 June 2021 “Debt Notice” attached to the police file,
where unpaid invoice numbers are listed as the basis of the claim.
In compliance with the above, the Director of the Inspection finds that 5.7.5 of the decision has been proven. in point
alleged breach by Tet that a person who had not approved the contract was billed by Tet
for the services provided.
3) A customer who has not approved the contract in accordance with the procedure established by Tet and who has not performed
payment of invoices, personal data was transferred by Tet to an extrajudicial debt collection company.
The director of the inspection finds that according to 11.1 of this decision. in paragraph 1)
to the aforementioned, it was established in the case that [..] had not approved the contract and Tet transferred the debt to [..]
Cretitreform. This is confirmed by both Tet's complaint and oral explanations.
In compliance with the above, the Director of the Inspection finds that 5.7.5 of the decision has been proven. in point
the specified violation committed by Tet, namely the customer who has not approved the contract in accordance with the procedure specified by Tet
and who has not paid the due invoices, personal data was transferred to Tet for extrajudicial debt collection
for the company.
4) By inserting the mentioned contracts into the relevant My Tet self-service system of Tet customers
in the user account, Tet discloses (transmits) the data of the owner of the personal code (name, surname, date of birth
and residential address) to third parties who used this person's data.
The director of the inspection states that the official, according to the Act of December 20, 2021 no. [..]
regarding the review of the website https://tet.plus/ and https://mans.tet.lv/ carried out on December 16, 2021
indicated, found that Tet prepared the contract not on the name of the person indicated in the application,
but based on the name of the person whose personal code was provided in the application. Thereby
also on the Mans Tet portal, the relevant user was not the person initially indicated in the application,
but another person. Thus, it was established that the person whose name, surname was initially indicated
in the application, the personal data of a stranger was disclosed - name, surname, date of birth and
place of residence.
In compliance with the above, the Director of the Inspection finds that 5.7.5 of the decision has been proven. in point
the specified violation committed by Tet that Tet discloses (transmits) on the My Tet portal in the relevant user account
data of the owner of the personal code (name, surname, date of birth and residential address) to third parties
to persons who used this person's data.
5) Tet processes (compares) the personal data of new customers with those available in its database
for customer (including former) data.
The Director of the Inspection states that in accordance with the 2021 decision of the Inspection officials
Act of 14 December no. [..] and Act of December 20, 2021 No. [..] about the inspections carried out
on the websites https://tet.plus/ and https://mans.tet.lv/ it was established that in a situation where as a customer
indicated [..], the Tet employee called not the phone number indicated in the application, but their phone
the number that belonged to the owner of the personal code specified in the application. As well as in a situation where as a client
indicated [..], the draft contract was prepared in the name of [..] using the personal data of this person
according to the information provided in the Tet database. It should also be indicated that the e-mail is a reminder to close
the contract was sent not to the e-mail address specified in the application, but to the person whose person
code specified in the application, e-mail address. In additional oral explanations, Tet confirmed that
the residence address of the former customer in the event that Tet does not have a dispute with the customer is stored only
for accounting purposes, to issue invoices and delivery notes.
Taking into account the above, the Director of the Inspection finds that the above unequivocally indicates that
Tet used the personal data of former customers for comparison with the data of new customers. On the other hand, Tet
the objection that the employees made a mistake in the stacked cases must be evaluated critically, because the mistakes of the employees 17
took place within the scope of the inspection carried out by the Inspectorate, and the two situations are also distinguishable in the application
two different persons were specified, which means that the former was done for two customers
comparison of customer data.
Therefore, the Director of the Inspection concludes that 5.7.5 of the decision has been proven. Tet specified in point
the violation that Tet processes (compares) the personal data of new customers with its database
available customer (including former) data.
Taking into account all the above, the Director of the Inspection acknowledges that the findings in the decision
the violations are justified and the evaluation of the actual circumstances of the case was carried out correctly.
[11.2.] In Tet's opinion, it is not clear why the penalty has been calculated in accordance with Article 83, Clause 5 a) of the Data Regulation
and within the scope of the sanction of subsection (b), if the decision of the Inspection official found Tet guilty only
in committing the offense provided for in subsection a). At the same time, the decision on an administrative violation
initiation of the process and in other documents, the Inspection official mentions Article 5 a), b), c), of the Data Regulation
(d), (e) and (f), however, in determining the sanction, the scope of the offense is widened and extended to
not only on the specific principles, but on all of them in general.
The director of the inspection states that decision 6.3. a typing error has occurred in the subsection
regarding the reference to Article 83(5)(b) of the Data Regulation. This is evidenced by the fact that no
in the decision, nor in the decisive part, the Data Regulation indicated in the mentioned subsection was not evaluated
violation, thus the sanction was calculated only for Article 83, paragraph 5, letter a) of the Data Regulation
the specified violation.
Tet stated that in the decision on the initiation of the administrative violation process and others
in the documents, the Inspection official mentions Article 5 a), b), c), d), e) and f) of the Data Regulation,
however, when determining the sanction, the scope of the violation is expanded and applied not only to specific ones
principles, but for everyone in general. The director of the inspection explains that decision 5.7.5. point was
it is explained what violations Tet has committed and what conditions of the Data Regulation were not observed.
At the same time, in the decisive part of the decision, the Inspection official does not repeatedly list the findings
violations, but indicates which category of violations is applicable in the specific case. Taking
taking into account that the violations committed by Tet are qualified according to Article 83, paragraph 5 a) of the Data Regulation
subsection, the reference in the decisive part is made directly to the mentioned subsection, without additional enumeration
specific violations of the basic principles of data processing, as the specific subsection already covers
violation of basic principles. In addition, it should be noted that 5.7.5 of the decision. violation is listed in paragraph, para
to whom a penalty has been applied in accordance with Article 83, paragraph 5, subparagraph a) of the Data Regulation.
[11.3.] Tet indicates that the Inspection official has based the decision on the second part of Article 41 of the AAL
part 4, at the same time it is not clear what kind of violation and in what time period Tet must be terminated.
The director of the inspection indicates that the reference to paragraph 4 of the second part of Article 41 of the AAL was made because
according to Tet's explanations, on January 13, 2022, Tet ensured that the application
The Tet+ service is only possible using internet bank authentication, which is also specified
5.7.5 of the decision. in point Thus, the violation for which Tet was held responsible was eliminated, namely that
it is not possible to apply for the Tet+ service without authentication, i.e. personal identity checks
in a way that confirms the correspondence of the person's name and surname to the indicated personal code. At the same time
The director of the inspection explains that the manager can be prosecuted for an already committed violation,
which no longer continues and has been eliminated because the violation was detected within a certain period of time. Hence Tet
the objections expressed in the complaint and oral explanations that the purpose of the decision is not understandable, because
the problem was fixed a week after the start of the process, does not stand up to criticism, considering that during the time when
The inspection officer carried out an inspection, a violation was found. 18
[11.4.] In Tet's insight, the problems of effectiveness of data protection measures were identified on
limit the number of cases where persons who already have restricted access information
(personal codes) are trying to commit a criminal offense, therefore it is not possible to determine a penalty in the decision
amount justification.
Regarding Tet's objection that the Inspectorate has generalized its conclusions to Tet
daily practice and that, in the opinion of Tet, unapproved contracts cannot indicate unlawful personal data
processing, the Director of the Inspection explains that the Inspection made the conclusions indicated in the decision,
based on the information obtained as a result of the inspection and the answers provided by the Tet to the Inspections
to the questions asked by the official. In none of the explanations given has Tet pointed to
circumstances that would indicate that Tet has different practices regarding the processing of applications, invoice
writing off and transferring data to debt collectors. Also during the oral proceedings, the representatives indicated that Tet
how the controller performs the processing of personal data for accounting purposes, which are also related to the processing of invoices,
and also transfer customer data to debt collectors. No information appears anywhere in the case materials and
representations that Tet implements different practices depending on the type of service with respect to the former customer
data processing, invoicing and transfer of data to debt collectors. Article 5 of the Data Regulation
Clause 2 provides for the principle of manager's accountability, which requires the manager to demonstrably demonstrate compliance
Principles of data regulation. Therefore, it is the responsibility of the supervisor in the case of an administrative violation
in the course of the examination, also demonstrate to the supervisory authority its compliance with the provisions of the Data Regulation. With
if the manager has different procedures for different customers, or a specific case was
individual and different from others, the supervisor must demonstrate this by providing explanations
institution. It should be noted that at least 3 cases where personal data were processed were found in the case
carried out in accordance with the provisions of the Data Regulation, which already indicates a systemic approach, not an employee one
error. Moreover, in the course of the whole case, Tet has not provided any documents or a description of the processes which
would indicate that the processing of the personal data of specific individuals would have differed from the general company
practices. It should be stated that the internal procedures and instructions of the controller are known only to the controller and only to
if there is a bona fide manager, information about them can be provided to the authority. The institution cannot request from the administrator
documents or information of which it is not aware. Thus, the fact that the established
Violations are not Tet's daily practice and do not occur in every instance where customer persons are handled
data, should be evaluated critically, because by itself does not mean that the violation was not committed, nor for that
no evidence has been presented for the claim. In addition, the Data Regulation provides for responsibility for
violations also in cases where it is one or a few separate situations in which they are found
non-compliance with the provisions of the Data Regulation.
[11.5.] Also, Tet does not agree with the finding of the Inspection official that the unapproved contracts
564 persons would testify to an existing or possible case of fraud and illegal personal data
processing. Therefore, the Inspectorate has no reason to generalize and apply a penalty on the basis of such a generalization.
The director of the inspection indicates that it was not claimed in the letter, nor are the approval agreements
unlawful processing of personal data, but that 564 persons whose contracts were potentially affected
were not approved because there was a risk of illegal processing of personal data. In other words, the Inspection does not have any
information about all 564 persons and whether personal data could have occurred in any of the cases
processing violation, taking into account the significant number of persons, at the same time, taking into account that the Inspection,
after checking, it was possible to conclude the service using the personal data of a stranger, it is not possible
exclude the circumstance that such situations were also possible among the mentioned 564 persons.
[12] Tet expresses the opinion that the Inspectorate did not apply equality in making the decision
principle, which has resulted in the application of a disproportionate penalty. Tet refers to other Inspection tests
cases where no fine was imposed in any of the cases. Thus in relation to Tet tika
unfairly applied different treatment, the principle of equality is not applied. Likewise, in the view of Tet on the 19th
the offense has been wrongly classified, unreasonably recognizing it as moderate, instead, even if
if the violation was allowed, it should be recognized as minor and the principle "Consult first" should be applied.
Tet states that it promptly cooperated with the Inspectorate, the victims were not identified and the possible violation was not found
was actually remedied a week after the initiation of the administrative infringement process. Likewise, in Tet's view
the offense has been wrongly classified, unreasonably recognizing it as moderate, instead, even if
if the violation was allowed, it should be recognized as minor and the principle "Consult first" should be applied.
Tet states that it promptly cooperated with the Inspectorate, the victims were not identified and the possible violation was not found
was actually remedied a week after the initiation of the administrative infringement process.
The Director of the Inspection explains that the other cases examined by the Inspection are indicated in Tet's complaint
cannot be compared with the Tet administrative infringement process, because the cases have different factual circumstances,
their legal assessment, as well as in this case it is essential to take into account that Tet had already been established
violations in the processing of personal data, which means that the Inspection did not find the possibility to apply the principle
"Consult first" when issuing a warning or an advertisement, then observe the regulations governing the processing of personal data
requirements of regulatory acts. On the other hand, the fact that Tet cooperated with the Inspection has been taken into account,
determining the amount of the penalty, as it is also indicated in section 6.3 of the decision. in point
[12.1.] In addition, Tet believes that the Inspection has not taken into account that the Tet+ service is only
a small part of the share of services in the Tet service basket, as well as the company's revenue from this
service and its proportion to the total turnover of Tet.
Regarding Tet's objection that the fact that Tet+ is only a small fraction of the has not been taken into account
for the services provided by Tet and according to the information provided in Tet's oral explanations that
The share of the total turnover of the Tet+ service reaches only [..], the Director of the Inspection explains that
according to the Data Regulation83. Article 5 point, an administrative fine is applied, based on everything
global annual turnover of the previous financial year, not turnover from a specific service.
[13] Tet states in the complaint that the decision does not justify whether the Inspection official has sanctioned
calculated correctly, following the guidelines issued by the Inspectorate itself, observing the provisions of the Data Regulation
the purpose of punishment in connection with the principle of reasonable application of legal norms. Hence the calculated
the administrative fine is clearly erroneous and illegal.
The director of the inspection states that in accordance with Article 83, Clause 1 of the Data Regulation on supervision
the institution must ensure that the fines applied for violations of this regulation in each particular
case effective, proportionate and dissuasive. According to Data Regulation 83. Article 2 point, determining the penalty
extent, the supervisory authorities should take into account several elements that indicate a violation
nature and seriousness or about the offender's attitude towards the offense committed. It is also necessary to take
also take into account other elements that are important in the case, even if they are not directly listed in Article 83 of the Data Regulation
in point 2.
Although the internal tool of the Inspection - Administrative is rightly applied in determining the penalty
the mechanism for determining the amount of fines for companies and individuals - Inspections
in the opinion of the director, it was additionally necessary to assess whether any additional
conditions or criteria not reflected in this document. 15 of the European Data Protection Act can also be taken into account
in the guidelines on the application of administrative penalties developed by the panel (hereinafter - the guidelines).
[13.1.] The director of the inspection finds that, when applying the penalty, all the circumstances that
describes the committed administrative violation. According to Article 83, paragraph 2 "a" of the Data Regulation
subsection, it is necessary to take into account the nature, severity and duration of the violation, taking into account the relevant one
15Guidelines 04/2022 on the calculation of administrative fines under the GDPR, Adopted on 12 May 2022 – version for
public consultation (the guidelines are currently out for public consultation and their text may change), available:
https://edpb.europa.eu/system/files/2022-05/edpb_guidelines_042022_calculationofadministrativefines_en.pdf . 20
the type, extent or purpose of data processing, as well as the number of affected data subjects and what has been done to them
damage.
Decision 6.3. in subsection, when determining the amount of the penalty, criteria such as violation are taken into account
essence; whether the violation was committed intentionally or due to negligence; any conduct of the controller or processor,
to mitigate harm caused to data subjects; the number of affected data subjects; the one
categories of personal data affected by a breach; previous offenses of the controller; degree of cooperation
with a supervisory authority; the way in which the Inspection found out about the violation; mitigating and
aggravating circumstances. In the opinion of the director of the inspection, 6.3 of the decision. those are incompletely evaluated in subsection
criteria such as the number of affected data subjects, the level of responsibility of the controller or processor, taking into account
the technical and organizational measures implemented, as well as the actions of the controller or processor to mitigate
damage to the data subject. At the same time, the decision did not assess the severity, duration, or data of the violation
the damage caused to subjects, as well as the purpose of data processing.
Regarding the number of affected data subjects, 6.3 of the decision. subsection states that according to
According to information provided by Tet, it continued to provide Tet+ services to 564 individuals without contracts
approved. The director of the inspection states that, although contracts were not approved for 564 persons,
at the same time, the aforementioned does not indicate that all of this person has been affected by the offense committed by Tet. Thus can
conclude that the number of affected individuals may be lower.
Regarding the level of responsibility of the manager or processor, taking into account the implemented technical and
organizational measures, in the view of the Director of the Inspection, Tet had introduced some measures of risk
for mitigation, for example, PMLP prepared personal code verification tool and e-mail verification,
at the same time, these tools were not selected according to the identified risk.
Decision 6.3. in the subsection regarding the controller's or processor's actions to mitigate the damage
caused to data subjects, it is indicated that Tet has prevented a customer whose identity has not been confirmed,
processing of personal data after detection of several cases of fraud, however, the amount of the penalty
the criterion mentioned in the determination has not been adequately evaluated. The mentioned circumstance was not included in determining the penalty
sufficiently taken into account. Taking into account that in the opinion of the Director of Inspection Tet after the violation
findings (in October 2021), took effective action to prevent the damage, that is, started
implementation of the internet bank authentication tool at the time of service application, it can be concluded that the manager
took the necessary actions to prevent further illegal processing of third party data
the occurrence of performance. However, in the opinion of the Inspectorate, such actions were carried out late, because even after
In 2021, Tet+ service continued to exist for violations detected by Tet, it did not
discontinued, which means that until January 13, 2022, when Tet introduced complete internet banking
at the time of applying for the authentication service, illegal actions were possible when applying
service and using a third party's personal data.
The guidelines state that the severity of the violation must be assessed taking into account the specifics of the specific case
circumstances. The severity of the violation is indicated, among other things, by the context in which personal data is processed
carried out, e.g. business, non-profit organization, political party, scope of infringement,
namely whether it is national or cross-border data processing. Likewise, the purpose of data processing, the data involved
the number of subjects and the extent of the damage are important criteria for determining the gravity of the infringement.
The director of the inspection states that there are no special circumstances in the case that would indicate a violation
severe nature.
According to the guidelines, the duration of the violation is determined, the longer the time of committing the violation,
the more importance the supervisory authority can attach to this circumstance. In the opinion of the director of the inspection,
it is important to take into account the period in which it was available to apply for the Tet+ service (until 2021
for March 31 services Shortcut) without internet bank authentication, that is, detectable
the Tet+ service could be applied for from March 2021, while complete internet bank authentication
the Tet+ service was provided only on January 13, 2022. Thus, almost a year of service on the 21st
the application was provided without internet bank authentication and personal identity verification,
without making sure that the person's first and last name corresponds to the person's specified personal code.
Regarding the damage caused to the data subjects, it should be noted that the concept of damage in the guidelines
is assessed in accordance with Recital 75 of the Data Regulation, i.e. the extent of the damage is
physical, material and non-material damages. It should be pointed out that the offense committed by Tet was
affected data subject – [..], at the same time the Director of the Inspection draws attention to the fact that in the criminal case, which
some materials were sent to the Inspection, the essential circumstances were not clarified, namely who applied
service in the name of [..] using another person's personal code, thus the Director of the Inspection
the damage caused to the data subject cannot be adequately evaluated.
Regarding the purpose of processing personal data, the guidelines recommend taking into account whether individuals
data processing is related to the controller's core activity. The inspection director considers this one of the
the most important aspects to be taken into account when assessing the severity of the violation. Namely, if personal data
processing is related to the basic activity of the manager, and accordingly should be directed to the manager's attention,
and the manager cannot plead insufficient knowledge of the regulatory framework or repeated
mistakes made by employees. In the specific case, the processing of personal data is only part of Tet
basic activities performed to provide services to customers. In view of the above, this aspect is acceptable
taken into account to determine a lower penalty.
[13.2.] When evaluating the criteria for determining the amount of the penalty, in the opinion of the Director of the Inspection, the violation
the severity is maintained as moderate. According to the guidelines in cases where the severity of the offense
is average, the initial penalty application point should be set at 10-20% of the applicable one
maximum penalty.
When determining the initial penalty application point in the range of 10-20%, it should also be taken into account that Tet
turnover exceeding 200 million per year is considered high.
Thus, the maximum applicable fine according to Article 83, Clause 5 of the Data Regulation
The 4% threshold determined in subparagraph a) is 8,024,733.84. Considering that a moderately serious offense
case, the initial point of application should be set at 10-20% of the applicable maximum
penalty, the initial application point is set between 802,473.38 and 1,604,946.77.
The director of the inspection believes that, taking into account the fact that the severity of the violation is medium and is
visible action of Tet to prevent cases of inappropriate processing of personal data is reasonable to determine
initial fine application point in the amount of 15% of the maximum applicable fine amount,
i.e. 240,742.02.
At the same time, taking into account the criteria established in this decision regarding the determination of the amount of the penalty
assessment, a factor of 5 shall be determined for the initial penalty application point, which adds up to
EUR 1,203,710.10.
[13.3.] At the same time, according to the guidelines, after the mathematical calculation of the penalty, the penalty is
it is possible to correct, by evaluating, whether it reaches the goals of punishment set in the Data Regulation - effective, proportionate
and discouraging. The amount of punishment should be determined according to the context of the offense.
[13.3.1.] Regarding 13.2 of this decision. effectiveness of the fine of EUR 1,203,710.10 calculated in point
it must be assessed whether it is suitable to ensure the compliance of personal data processing with the Data Regulation and punish
you know
The director of the inspection finds that the punishment is suitable and appropriate for punishing the supervisor, so that
would facilitate compliance with the Data Regulation. In evaluating the effectiveness of the punishment, it should be taken into account that Tet administrative
cooperated with the Inspectorate during the violation process, prevented the case already at the initial stages of examination
detected violations by making improvements in receiving the Tet+ service, ensuring that
it is possible to apply for the service only with internet bank authentication. Additionally according to Tet
to the one indicated in the oral explanations as soon as individual cases were identified in October 2021, 22
when other people's data was illegally used to apply for a service, Tet reacted and developed
the necessary improvement plan to prevent abuse of strangers in the future
data in service application. According to written and verbal information provided by Tet
in the explanations, since January 13, 2022, the application of the Tet+ service has been provided only with
internet bank. At the same time, regarding the evaluation of the effectiveness of the penalty, it was taken into account that until now Tet
a reprimand has been applied for data processing violations and there is no previously established non-conformity
have deterred Tet from further violations, suggesting that such a remedy would no longer be able
achieve the goal and reprimanding did not deter the manager from other activities that do not comply with the Data Regulation
performance.
Taking into account the above, in the opinion of the Director of the Inspection, the amount of the fine determined is effective,
while the imposition of a significant fine would not motivate the manager to ensure compliance with the Data Regulation
requirements, but, on the contrary, could create an understanding that regardless of whether active action is taken and
regardless of the manager's subjective attitude, the violation will still be subject to the same fine.
In the opinion of the director of the inspection, the most important thing is to ensure that managers are motivated to process personal data
make improvements without the use of coercive mechanisms. In cases where the manager has
there is a lack of interest, inaction or deliberate avoidance of effective tools for compliance Data
a more significant fine should be considered for the provision of the regulation, while when the manager's actions show
for the desire to ensure compliance with the regulatory framework of data processing, there should be a fine
for a smaller one.
[13.3.2.] The principle of proportionality states that the penalty applied should not exceed what
is necessary to achieve the goal. If it is possible to achieve the goal by several means, a choice should be made
the less offensive. When assessing proportionality, the violation must be viewed as a single whole, the main one
paying attention to the gravity of the offense as such. Therefore, it is necessary to assess whether the punishment is proportionate
according to the gravity of the offense and the size of the company and the fact that the punishment should not be
go beyond what is necessary to achieve the purpose of the Data Regulation.
The director of the inspection explains that, taking into account the significant turnover of Tet, as well as
the amount of turnover in the last 3 years, does not see the risks of the company's economic viability or
other special circumstances for the disproportionality of the selected administrative fine with the company
financial condition, therefore it is recognized that the chosen amount of the administrative fine is proportionate.
[13.3.3.] According to the guidelines, the fine must also be a deterrent to further violations
making Namely, a deterrent punishment is one that has a real deterrent effect. A fine is a deterrent if it
does not allow a person to violate the goals and regulations set by European Union law. Observing
the circumstances and nature of the violation evaluated in the decision, the Director of the Inspection finds that the selected
the amount of the administrative fine is dissuasive.
In the opinion of the director of the inspection, the administrative violation is qualified correctly and accordingly
the type of administrative penalty - fine - has been correctly chosen and the Administrative fine has been applied
amount determination mechanism, however, by re-evaluating administrative fine determinations
the significance of the criteria in the specific case, the Director of the Inspection finds that a fine is necessary
adjust according to the importance of the evaluated criteria in the case, so that it corresponds to the above-mentioned penalty determinations
principles.
Taking into account the above, the Director of the Inspection considers that adjusting the fine by setting it at 15%
in the amount of the initially calculated amount, as well as by individualizing the punishment, taking into account the circumstances of the case and
Tet's action, namely by imposing a fine of EUR 1,200,000.00, would be sufficient to deter
Tet from further data processing violations.
Taking into account the above and in accordance with Article 132, Article 168 23 of the Law on Administrative Responsibility
first part, Article 172 and Article 173, first part, paragraph 4, Article 58, paragraph 2 i) of the Data Regulation
subsection, Director of Inspection
decided
to be amended by the Inspection's decision of July 15, 2022 No.[..] "On the imposition of punishment"
the amount of the administrative fine, determining SIA "Tet", registration number 40003052786, legal
address: Dzirnavu iela 105, Riga, LV-1011, in accordance with Article 83, Clause 5, letter a) of the Data Regulation
administrative fine of EUR 1,200,000.00 (one
million two hundred thousand euros, 00 cents) in the amount.
The fine shall be paid in full no later than one month from the entry into force of this decision
days in any banking institution or after the expiry of the term of voluntary execution of the fine, this decision
in accordance with Articles 262 and 269 of the Law on Administrative Responsibility will be immediately surrendered
for execution by a sworn bailiff.
Details for paying a fine:
Beneficiary: State Treasury
Registration No.: 90000050138
Account no.: LV69TREL1060191019200
Beneficiary BIC code: TRELLV22
Notes: Indicate the number of this decision.
The fine applied in the process of the administrative violation will be reimbursed
procedural costs and damages to natural resources can be paid on the portal www.latvija.lv,
using the e-service Administrative fines check and payment.
Please note that, according to Article 568 of the Civil Procedure Law, voluntary execution of the decision after
when the enforcement document is submitted for enforcement, I will not be released from the obligation to compensate for the enforcement
expenses to the bailiff.
At the same time, we inform you that the Company, in accordance with the second Article 266 of the Law on Administrative Responsibility
and the third part, has the right to the execution of the fine in parts, if there are objective circumstances, due to which the fine is imposed
within the term of voluntary execution, it is not possible to execute the sentence decision in full.
In accordance with the first part of Article 184 and the first part of Article 186 of the Law on Administrative Responsibility
the decision of Tet can be appealed within 10 working days from the day when the decision is announced in the administrative
in the infringement case in the district (city) court at the registered address of the Company, by submitting a complaint Data
at the state inspection (Elijas iela 17, Riga, LV-1050), which within three working days after submitting the complaint
upon expiration of the term, the complaint with the case materials is sent to the district (city) court upon approval.
Director J. Macuka
[..]
