DVI (Latvia) - SIA "Fitsypro"

From GDPRhub
DVI - SIA "Fitsypro"
LogoLV.png
Authority: DVI (Latvia)
Jurisdiction: Latvia
Relevant Law: Article 58(1)(b) GDPR
Article 58(1)(e) GDPR
Article 83(2) GDPR
Article 83(5)(e) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 23.02.2023
Published:
Fine: 1,000 EUR
Parties: n/a
National Case Number/Name: SIA "Fitsypro"
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Latvian
Original Source: Datu valsts inspekcija (in LV)
Initial Contributor: mg

The Latvian DPA fined a company for not having provided access to data and information necessary to carry out an ex officio investigation. Nevertheless, the fine was reduced to €1,000 due to high insolvency risks.

English Summary

Facts

The Latvian DPA, in cooperation with the Estonian and the Lithuanian one, started a joint investigation about the processing of personal data in the context of car rental services. In particular, there were doubts about the lawfulness of processing activities undertaken by a company – the controller – in the context of a mobile app necessary to use the car rental services. Therefore, the DPA carried out data protection audits and requested access to personal data and other information necessary to the fulfilment of its tasks pursuant to Article 58(1)(b) and (e) GDPR. The controller was “unreachable” and did not comply with the DPA’s instructions. The DPA formally opened a sanctioning procedure against the controller.

Holding

The DPA noted that, as all the notification formalities were respected, the fact that the controller was “unreachable” did not exclude its liability pursuant to Article 83(5)(e) GDPR and Latvian administrative law. Also, the controller did not provide any explanation why it failed to comply with the DPA’s order.

The DPA held that the adoption of a fine was the only way to force the controller to comply with the GDPR. In the quantification of such a fine pursuant to Article 83(2) GDPR, the DPA particularly stressed as an aggravating factor the complete lack of cooperation on the side of the controller. Moreover, the DPA referred to its own guidelines on fine determination under the GDPR to qualify the infringement as ‘moderately serious’.

In principle, the DPA held that a €15,000 fine was appropriate. However, in light of the economic difficulties affecting the controller and considering the risk of insolvency high, the DPA decided that a €1,000 was more proportionate in the case at issue.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Latvian original. Please refer to the Latvian original for more details.

Elijas iela 17, Riga, LV-1050, tel. 67223131, e-mail pasts@dvi.gov.lv, www.dvi.gov.lv




                                            The decision

Riga,

on February 27, 2023

On the application of punishment

      1. Authority (official) that makes the decision: Data State Inspections (hereinafter -
DVI) Legal advisor of the Supervision Department, Tatyana Lashchenkova (hereinafter – Official), according to
General Data Protection Regulation (hereinafter referred to as GDPR) Article 58, Clause 2, subparagraph i), Physical
Personal Data Processing Law (hereinafter - FPDAL) Article 5, Part One, Clause 2 and Administrative
Article 115, Part One, Clause 4 of the Liability Law (hereinafter - AAL).

      2. Place and date of administrative violation case review: DVI, Riga, Elijas
iela 17, on February 24, 2023, at 9:00 a.m.
      3. Information about the participants in the process and their representatives and advocates (if any):
      Responsible person: SIA "Fitsypro", single registration number 40203120888,
legal address Alberta street 1 – 17, Riga, LV-1010 (hereinafter - SIA).
      Taking into account the trends in the spread of the Covid-19 virus in recent months and the recommendations of the government

to the extent possible, organize all processes remotely in order to reduce the risk of infection, in accordance with the Covid-
19, the case of the first parts of Article 9 of the Law on the Management of the Spread of Infection was examined in a written process.
      4. The actual and established facts of the commission of an administrative violation during the case review
statement of circumstances:
      4.1. The official finds that in the administrative violation case materials (hereinafter - the case)
there is the report of January 24, 2023 by the legal advisor of the Prevention Department of DVI, Renars Pugač [..] About

The actions of SIA "Fitsypro" by not providing information to the Data State Inspectorate (hereinafter - the Report) with
attachments. According to the information contained in the report and annexes, it can be established that DVI together with
Lithuanian and Estonian data supervisory authorities had started a common preventive check on
Compliance with the requirements of the GDPR in companies in the Baltic States whose type of activity is related to vehicles
short term rental. DVI, on the basis of those specified in Article 58, Clause 1, b) and e) of GDPR
powers, as well as clauses 3, 5 and 6 of the first part of Article 5 of the FPDAL Law, has started the preventive

examination of personal data processing in the field of short-term rental of vehicles.
      As part of the inspection, DVI, based on the information at its disposal and Articles 55-58 GDPR
and Articles 3-5 of the FPDAL, which stipulates that the DVI has the right, according to its competence, to obtain from the controller
and the processor's access to all personal data and all information necessary for its tasks
for carrying out, request and receive free of charge in the specified amount and form from private individuals, the state
the information, documents or it necessary for inspection by administrative institutions and officials


1Regulation No. 2016/679 of the European Parliament and the Council of April 27, 2016 on the protection of natural persons in relation to
processing of personal data and free circulation of such data and repealing Directive 95/46/EC 2

copies and other materials, including restricted access information and receive for inspection
necessary information, documents and other materials about the services provided to individuals,

On July 26, 2022, approached SIA with a request for information [..] (hereinafter – Request No. 1)
by registered mail to its registered address at 1-17 Alberta Street, Riga, inviting you to submit
information related to the processing of personal data in the field of short-term rental of vehicles until 2022
August 19. The information (answer) from SIA was not received within the deadline indicated in Request No. 1, how
also no information was received about the reasons for not providing information (answer). From VAS "Latvijas
Post" on August 30, 2022 Request No. 1 was received as a returned document with VAS

"Latvijas Pasts" label has expired.
      In compliance with the above, on September 14, 2022, DVI sent the Company of the Republic of Latvia
to the register (hereinafter – Company register) a letter [..] in which DVI informed that SIA does not receive
correspondence at its stated legal address and thus cannot be reached at the stated address.
      On September 16, 2022, DVI received a reply from the Register of Companies [...]"About SIA
"Fitsypro"", in which the Register of Companies informed that a warning was sent to SIA on September 15, 2022

for the submission of documents in which SIA is invited to submit explanations about its unreachability
at the legal address or for registration of applications for change of legal address.
      Taking into account the fact that DVI has not received the necessary information for the inspection from SIA,
On November 22, 2022, DVI sent registered mail to SIA's legal address and e-mail address
datuaizsardziba@fiqsy.com Regarding the letter of November 22, 2022 [..] (hereinafter - Request No. 2),
in which SIA was repeatedly invited to provide the information mentioned in Request No. 2 until 2022

for December 9. The information (answer) was not received within the deadline specified in request No. 2, nor was it
received information about the reasons for not providing information (answer).
      4.2. The official finds that the case files contain the Official's letter dated January 27, 2023
inspection report [..] (hereinafter – Inspection Report), from which it follows that SIA has mastered the mobile apps
For the processing of personal data by Fiqsy customers.
      4.3. The official finds that the case files contain the Official's letter dated January 27, 2023

decision [..] on the initiation of the administrative violation process [..] in accordance with Article 83, Clause 5 of GDPR
Subsection e) on the actions of SIA, not providing information to DVI on its July 26, 2022 information
request [..] and the information request [..] of November 22, 2022, which is necessary for its
for the performance of tasks, thereby violating Article 58, Clause 1, subparagraph e) of GDPR.
      4.4. The official finds that the case materials contain the letter of DVI dated January 30, 2023 [..],
in which SIA was informed about the initiation of the administrative violation process, about the fact that the case will be examined

in the written process on February 24, 2023 at 9:00 a.m., which is also invited to submit by February 17, 2023
explanations, submit evidence or make requests in connection with the administrative offense case,
which, in the opinion of SIA, is essential for a full and correct consideration of the case and the adoption of the relevant decision.
      The official finds that the SIA has not submitted its SIA by the time the case is considered
explanations, evidence and made requests.
      4.5. According to Article 132 of the AAL, when considering an administrative violation case, it must be ascertained whether there is

an administrative offense has been committed, whether it was committed by the person held responsible or by this person
can be brought to administrative responsibility, or there are extenuating and aggravating circumstances, as well as
other circumstances that are important for the correct decision of the case should be clarified.
      4.6. Thus, in order to establish whether SIA has committed an administrative violation, which is intended
In Article 83, Clause 5, subparagraph e) of GDPR, it is necessary to establish that SIA, at the request of DVI,
failed to provide DVI with the information it requested, necessary for the performance of its tasks, in breach

GDPR, Article 58, Clause 1, Subparagraph e) and did not inform about non-provision of information
reasons.


2 Clause 6 of the Privacy Policy, available at: https://www.fiqsy.com/lv/privatuma-politika/ 3

      4.7. The legal framework for the processing of personal data is determined by GDPR, FPDAL and others

regulatory acts, on the other hand, the competence, tasks and rights of the DPA are determined by Articles 55-58 of GDPR and
Articles 4 - 5 of FPDAL.
      4.7.1. In accordance with Article 58, Clause 1, Subparagraph e) of GDPR, DVI has the authority to obtain data from the controller
and the processor's access to all personal data and all information necessary for it
for performing tasks. Clause 3 of the first part of Article 5 of the FPDAL provides for the rights of DVI according to its own
competence to request and receive free of charge in the specified amount and form from private individuals, the state

the information, documents or it necessary for inspection by administrative institutions and officials
copies and other materials, including restricted information.
      Article 31 of the GDPR stipulates that the manager and the processor and, where appropriate, the manager or
upon request, the representative of the processor cooperates with the supervisory authority in the performance of its tasks.
      4.7.2. Paragraph 7 of Article 4 of the GDPR stipulates that the compliance of personal data processing with the GDPR is
                  3
responsible manager. According to the information found within the case, the manager in the mobile app
The personal data processing carried out by Fiqsy is SIA.
      4.7.3. According to the first part of Article 139 of the Commercial Law, the company's legal address is the address,
where the management of the company is located. Therefore, the SIA must be reachable at the SIA registered in the commercial register
at the legal address.
      According to the fourth part of Article 12 of the Commercial Law, if messages are sent to the merchant,

documents or other correspondence to its legal address entered in the commercial register, it is considered that
the merchant has received these documents, news or other correspondence. Taking into account the above, it can be concluded that
that the SIA must be reachable and receive its correspondence, which is sent to the SIA's legal address.
      4.7.4. The first, second, third and fifth parts of Article 3 of the Notification Law stipulate that documents
notification is made by the institution: 1) on the spot in the institution or by delivery by an employee or a messenger assigned by it

mediation; 2) using postal services; 3) using electronic communications; 4) publicly. Yes
the external regulatory act does not specify a specific way of notifying the document, the institution itself chooses it
a way that would ensure adequate notification of the document to the addressee. The institution takes into account as much as possible
the method of notification of the document specified by the addressee. The addressee is obliged to accept what is communicated by the institution
document. If there is a disagreement about the notification of the document, the institution has the obligation to prove

the fact of notification of the document. If the addressee claims that he did not receive the document, he this statement
justified by pointing to objective circumstances that, regardless of the addressee's will, were an obstacle
for receiving the document.
      The second part of Article 4 of the Law on Notification provides that the document is notified to the legal entity
legal address.
      The third and fourth parts of Article 8 of the Notification Law stipulate that a document notified as

a registered postal item shall be considered notified on the seventh day after its delivery to the post office, as well as if from
a confirmation of delivery of the parcel or a document sent back is received by the post office, that in itself
does not affect the fact of notification of the document. The presumption that the document has been notified on the seventh day after
in the post office or on the eighth day from the day it was registered in the institution as a document to be sent,
the addressee can refute by pointing to objective circumstances that, regardless of the will of the addressee, were for

obstacle to receiving the document at the specified address.
      4.7.5. Request No. 1 SIA was sent on July 26, 2022 by registered mail, thus
considered to have been received on August 2, 2022, while the information provided by DVI SIA (answer) would be
must be received, at the latest, August 27, 2022. 4




3 a natural or legal person, public institution, agency or other body that alone or jointly with others determines
the purposes and means of personal data processing [..]
4 Reply letter by sending on August 19, 2022 as a simple postal item 4

      Request No. 2 SIA was sent on November 22, 2022 by registered mail, and accordingly
                                                                             5
Request No. 2 for publicly available information on the VAS Latvijas Pasts website pasts.lv
delivered to SIA on December 6, 2022, while the information (answer) provided by DVI SIA should be received,
at the latest, on December 17, 2022.
      4.8. Checking the case materials, evaluating the circumstances of the case and the evidence in the case,
The official finds that SIA did not provide the DVI according to the DVI Request No. 1 and Request No. 2
the requested information, which was requested from SIA on the basis of Article 58, Clause 1 e) of GDPR

and FPDAL Article 5, Part One, Clause 3, and also did not inform about the information
reasons for non-submission, thus committing the administrative violation for which it is intended to be committed
administrative liability in Article 83, Clause 5, Sub-paragraph e) of GDPR.
      4.9. The official finds that the SIA is guilty of the violation provided for in Article 83, Clause 5, letter e) of the GDPR
in the commission of an administrative violation is proven by: Report with attachments and Inspection report with

attachments.
      5. Normative act that provides for liability for an administrative violation: Article 83 of GDPR
Clause 5, subparagraph e).
      6. Appropriated by the institution (Official), which examined the administrative violation case
fine:
      6.1. Paragraph 5 of Article 83 of GDPR states that a violation of subparagraph e) can be applied

administrative fines in the amount of up to EUR 20,000,000, or in the case of a company up to 4% of it
of the total annual turnover achieved throughout the financial world in the previous year.
      6.2. Recital 148 of the preamble of the GDPR explains that, in order to strengthen the enforcement of the provisions of the GDPR,
in addition to or instead of appropriate measures applied by the supervisory authority under the GDPR,
Violations of the GDPR should be subject to sanctions, including administrative fines. Insignificant

in case of violations or if the fine that could be imposed would create a disproportionate burden on the natural person,
a reprimand may be issued instead of a fine. However, the nature and severity of the offense should be duly taken into account
and duration, whether the breach was intentional, actions taken to mitigate the harm suffered,
the degree of responsibility or any relevant previous infringements, the manner in which the supervisory authority became aware
for violation, compliance with the measures directed against the controller or processor, code of conduct

compliance and any other aggravating or mitigating circumstances. Sanctions, including administrative money
the imposition of penalties should be subject to appropriate procedural guarantees in accordance with general Union laws
legal principles and the Charter, including effective judicial protection and due process.
      6.3. In accordance with Article 83, Clause 1 of GDPR, the supervisory authority ensures that for 4, 5 and
Violations of the GDPR referred to in clause 6 are subject to the administrative fine provided for in this article
application in each specific case is effective, proportionate and dissuasive.

      According to Article 83, Clause 2 of GDPR, when deciding whether to apply an administrative fine,
and when making a decision on the amount of an administrative fine, in each specific case it is duly taken
take into account the following elements: a) the nature, severity and duration of the violation, taking into account the relevant data processing
the type, extent or purpose, as well as the number of affected data subjects and the extent of the damage caused to them;
b) whether the violation was committed intentionally or due to negligence; c) any action by the controller or processor to

mitigate the harm caused to data subjects; d) the level of responsibility of the controller or processor, taking
taking into account the technical and organizational measures they implement in accordance with Articles 25 and 32; e) any
relevant previous violations by the controller or processor; f) degree of cooperation with supervision
the institution to compensate for the violation and reduce its possible adverse consequences; g) what category
personal data has been affected by a breach; h) the manner in which the supervisory authority became aware of the violation, because
in particular, whether the controller or processor has reported the breach, and if so, to what extent; (i) if

The measures mentioned in Clause 2 of Article 58 have previously been directed against the relevant person for the same subject

5https://new.manspasts.lv/lv/sutijumu_mekletajs/?id=RR290277815LV
6 Reply letter by sending on December 9, 2022 as a simple postal item 5

controller or processor, how the mentioned measures have been fulfilled; j) the approved code of conduct

compliance in accordance with Article 40 or compliance with the approved certification mechanisms in accordance with
Article 42; and k) any other aggravating or mitigating circumstance applicable to the circumstances of the case,
for example, direct or indirect financial benefits derived from the infringement or losses prevented.
      Article 13 of the AAL stipulates that the administrative penalty is a means of influence that is applied
to the person who committed the administrative violation in order to protect public order, restore
justice, punished for the offense committed, as well as deterring the perpetrator of the administrative offense

person and other persons from committing further administrative violations.
      According to the second part of Article 19 of the AAL, when determining the type and measure of the administrative penalty, it is taken into account
the nature of the offense committed, the identity of the person to be held responsible (for a legal entity -
reputation), financial position, circumstances of the violation, extenuating circumstances and
      According to Article 23 of the FPDAL, DVI, when adopting the decisions set out in Article 58 of the GDPR, regarding

the imposition of a legal obligation is applied by the Law on Administrative Procedure and in relation to
for administrative punishments - in the regulations regulating the administration (process) of administrative violations
acts, insofar as this law and GDPR do not stipulate otherwise. GDPR provisions in the matter of administrative
the application of the fine and its amount differ from the provisions contained in the AAL, i.e. GDPR
determines otherwise in the relevant matter, therefore the Official, when determining the amount of the fine, applies
the provisions contained in the GDPR, and accordingly the penalty will be applied according to the provisions of the GDPR.

      6.4. When determining the penalty, the Official takes into account the nature, duration and degree of cooperation with the violations
supervisory authority (DVI). In the specific case, SIA has not provided the necessary information to the IRS
for the performance of its tasks, in violation of Article 58, Clause 1, subparagraph e) of GDPR, i.e. - violation addressed
against the established administrative order. Violation committed by SIA, i.e. non-disclosure is long-standing
and has not been stopped, despite repeated appeals by DVI, the violation continues since 2022

August 27. The violation was committed with intent (intentionally), because Request No. 2 was actually received, therefore
it can be concluded that SIA was aware of the action and its consequences. The official finds that there is no cooperation with DVI
happened because, by the time the case was considered, DVI had not obtained what was necessary for the inspection
information. SIA has not previously been administratively punished for committing the violation considered in this decision.
      The Official has not found extenuating circumstances. For an aggravating circumstance

The official admits that SIA continued its illegal actions even after DVI Request No. 2
of receipt and did not provide the information requested by DVI, did not inform about non-provision of information
reasons and also does not provide it still.
      Official according to the guidelines developed by DVI on the amount of administrative fine
determination recognizes the violation committed by SIA as moderately serious.
      When determining the amount of the fine, information from the Enterprise Register database is used, where available

the information as of the day of this decision shows that the last financial information submitted by SIA
indicators, including the annual turnover and profit of SIA, are indicated in the 2021 annual report.
      Based on the mentioned sentencing criteria and taking into account the findings in the case
actual circumstances, SIA must be determined within the scope of the sanction of Article 83, Clause 5 of GDPR
administrative fine EUR 14,787.78 (fourteen thousand seven hundred and eighty seven

EUR and seventy-eight cents EUR).
      At the same time, the supervisory authority is obliged to take all cases into account when determining the applicable penalty
and the circumstances of the particular case under consideration, which are relevant to the case, even if they are not directly listed in the GDPR
Article 83, Clause 2, so that as a result, the goal of punishment is achieved in accordance with this decision above
to the mentioned Article 13 of the AAL.



7Inspection Mechanism for determining the amount of administrative fines for companies and individuals. Available
on the website: https://www.dvi.gov.lv/lv/media/289/download
8 Available at: https://info.ur.gov.lv/#/legal-entity/40203120888 6

      Considering the fact that the manager's main activity is not related to the processing of personal data (the manager offers
short-term rental of scooters and vehicles), as well as the fact that despite the 2021 net
turnover of EUR 899,590, the manager has not a profit in 2021, but a loss of EUR 246,372,

therefore, there is an increased risk that the company may become insolvent in the event of payment of the fine,
The official concludes that the determined fine of EUR 14,787.78 would not be proportionate
for the offense committed. At the same time, taking into account that the illegal behavior is continued, the Official
considers it possible to achieve the goal of administrative punishment so that it is effective and proportionate at the same time
and dissuasive as well as restorative and proportionate in reducing administrative fines
up to 1,000 (one thousand euros) approximately.

      6.5. Taking into account the above, based on FPDAL Article 5, Part One, Clause 2,
Article 23, GDPR Article 58, Clause 2, subparagraph i), AAL, Article 115, Part One, Clause 4, Article 151
Paragraph 1 of the first part, the second and third parts of Article 157, the first part of Article 166, Article 168, Article 262,

Article 269, Official:

                                             decides:

      to recognize SIA "Fitsypro" as guilty of the provisions of Article 83, Clause 5, subparagraph e) of GDPR
in committing an administrative offense and punish with a fine of EUR 1000.00 (one thousand euros)

amount.

      The fine shall be paid in full no later than one month from the date of entry into force of this decision
the day of entry into any banking institution or after the expiration of the term of voluntary execution of the fine
this decision will immediately be transferred to a sworn bailiff for enforcement.

      Details for paying a fine:

      Beneficiary: State Treasury
      Registration No.: 90000050138
      Account no.: LV69TREL1060191019200
      Beneficiary BIC code: TRELLV22
      Notes: Indicate the date and number of this decision.

      The fine applied in the process of the administrative violation will be reimbursed

procedural costs and damages to natural resources can be paid on the portal www.latvija.lv,
using the e-service Administrative fines check and payment.

      Please note that, in accordance with Article 568 of the Civil Procedure Law, voluntary execution of the decision
after the enforcement document is submitted for enforcement, I will not be released from the obligation to compensate
execution costs to the bailiff.

      The decision can be appealed by submitting a complaint to the director of DVI, Elijas iela 17, Riga, LV-1050, 10
within (ten) working days from the day of notification (receipt) of this decision.




Official T. Lashchenkova