DVI (Latvia) - SIA “DEPO DIY”

From GDPRhub
DVI - SIA “DEPO DIY”
Authority: DVI (Latvia)
Jurisdiction: Latvia
Relevant Law: Article 5 GDPR
Article 5(1)(c) GDPR
Article 6(1)(a) GDPR
Article 6(1)(c) GDPR
Article 83(5) GDPR
Type: Other
Outcome: n/a
Started: 27.05.2022
Decided: 07.07.2022
Published: 19.10.2022
Fine: 17,495 EUR
Parties: depo-diy
National Case Number/Name: SIA “DEPO DIY”
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Latvian
Original Source: DVI (in LV)
Initial Contributor: Jette

The DPA finds that the contested decision, including but not limited to the complaints of the data subject, correctly established the facts of the case and qualified the administrative offence.

English Summary

Facts

DEPO (the controller) is a do-it-yourself store based in Latvia. To receive additional services (such as home delivery or an accounting receipt), customers must obtain a customer card. Without such a card, the additional service is not provided. To obtain a card, customers must consent to the processing of their personal data for a number of unrelated purposes, such as registration in the accounting system, return of the purchase price to the customer card, identification when using additional services, allocation of the card and allocation of bonuses. The personal data to be provided to achieve all these purposes are: name, surname, personal identification number, date of birth (for non-residents), business registration number, address and telephone number.

Following several complaints from customers, the Latvian DPA started an investigation. The DPA found that customers who had not obtained a customer card - and thus consented to the processing of their personal data - could not receive the additional services. The DPA held that this did not ensure compliance with the definition of consent set out in Article 4(11) GDPR. It stated that consent cannot be considered as freely given if its withholding results in the service not being received at all. In addition, the DPA found that the controller unreasonably based processing of personal data on Article 6(1)(a) GDPR, for example the processing of personal data related to invoices. Given that this processing does not depend on customers' will, it cannot be carried out on the basis of consent.

Moreover, the DPA found that the controller violated the principle of data minimisation. For example, customers were required to provide a personal identification number in order to receive an invoice for the purchase of goods, which is not necessary for the specific service.

The controller stated that the issue of a customer card is necessary to identify customers, e.g. when making a delivery. However, the DPA held that it is also possible to identify a person, e.g. when making a delivery, by asking for an ID card. There is no justification for the controller to require a customer card in each case.

The DPA also held that it is possible for the controller to fulfil its other statutory obligations, such as issuing supporting documents on the basis of Article 6(1)(c) of the GDPR, without making it mandatory for customers to obtain a customer card as a prerequisite for the fulfilment of these tasks.

[2.5] The fact that only two data subjects have lodged a complaint about unlawful data processing is irrelevant in the present case.

The contested decision states that the existence of actual damage is not necessary to establish unlawful processing and an infringement of the fundamental rights of the data subject. In particular, it is irrelevant whether the processing has had any negative consequences (actual infringement of rights) in order to be considered as interference with fundamental rights.

[2.6] In the light of the foregoing, the contested decision finds that the controller, in the context of the provision of ancillary services, has infringed Article 5 of the GDPR by processing (acquiring and storing) the personal data of customers (natural persons): from 9 September 2020 to 10 June 2021, name, surname, personal identification number or date of birth, contact details (telephone number, e-mail) address; from 10 June 2021 to the present, name, surname, e-mail and telephone number (address - only in Lithuania and Estonia). The processing of personal data has been and continues to be carried out on the basis of an incompatible legal basis set out in Article 6(1).

Holding

The DPA clarified that the essence of the infringement at hand was that a customer, who wished to receive one of the services offered by the controller, was forced to consent to the processing of personal data also for other purposes for which different legal bases and retention periods were indicated. Therefore, it was irrelevant which legal basis the controller indicated for the processing of personal data, consent or conclusion of a contract. The data subject had to, in any case, consent to the processing of their personal data to be granted a DEPO card, regardless of whether they wished to receive a service unrelated to the card. Furthermore, the DPA noted that, although the personal data was initially collected for the purpose of granting a DEPO card, the processing would be extended to other unrelated purposes, such as provision of delivery services.

English Machine Translation of the Decision

The decision below is a machine translation of the Latvian original. Please refer to the Latvian original for more details.

Elijas iela 17, Riga, LV-1050, tel. 67223131, e-mail pasts@dvi.gov.lv, www.dvi.gov.lv


Riga

SIA "DEPO DIY"
authorized representative
[..]

In case No.[..]

The decision

In Riga, the date can be seen in the time stamp no. ([..]) [..]



[1] On May 10, 2022, the Data State Inspectorate adopted decision no. [..] ([..]) on the application of a penalty (hereinafter - the contested decision) in administrative violation case no. [..] ([..]) (hereinafter - the Case), finding SIA "DEPO DIY", registration number 50003719281, legal address Noliktavu iela 7, Dreiliņi, Stopiņi county, Ropažu county (hereinafter - DEPO), guilty of the administrative violation provided for in Article 83, paragraph 5, subparagraph "a" of the General Data Protection Regulation (hereinafter referred to as the Data Regulation) and applying an administrative penalty - a fine of 4,373,818.52 euros (four million, three hundred and seventy-three thousand, eight hundred and eighteen euros, fifty-two cents). The contested decision was notified to DEPO on May 11, 2022, by sending the contested decision by registered mail.

[2] The contested decision found the following circumstances and is justified by the following considerations:

[2.1] To receive Additional Services offered by DEPO, such as delivery of goods to the home or an accounting justification document, the customer must receive a DEPO card. Without such a card, the Additional Service is not provided. At the same time, to receive a DEPO card, the customer, according to what is indicated in the questionnaire, must "agree" that his personal data will be processed for several unrelated personal data processing purposes, such as registration in the electronic accounting system, issuance of an accounting justification document, returning the purchase fee or part thereof to the DEPO card, identifying the customer each time he uses additional services, DEPO card allocation, Volume Bonus allocation. The personal data to be included in the questionnaire, in turn, must be indicated in the maximum amount necessary to achieve all the mentioned purposes - first name, last name, personal identification number, date of birth (for non-residents), registration number of the economic activity provider, address and phone number.

1 Regulation No. 2016/679 of the European Parliament and the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and free flow of such data and repealing Directive 95/46/EC (General Data Protection Regulation)
[2.2.] DEPO has unreasonably based the processing of personal data carried out in order for the customer to receive Additional Services on Article 6, paragraph 1, letter "a" of the Data Regulation.

Considering the fact that a customer who has not given his consent to the issuance of a DEPO card cannot receive Additional Services, compliance with the definition of consent set out in Article 4, Clause 11 of the Data Regulation is not ensured. In other words, consent cannot be considered freely given if, as a result of not giving it, the service cannot be received at all.

Even though the provision of certain services or the performance of an obligation specified in regulatory acts may require DEPO to process customers' personal data, such processing must be based on an appropriate legal basis. For example, the processing of personal data related to the issuing of an invoice for goods is based on Article 6, Clause 1, letter "c" of the Data Regulation and the regulatory framework of the relevant country. Considering that this processing does not depend on the will of the customer, it cannot be carried out on the legal basis specified in Article 6, paragraph 1, letter "a" of the Data Regulation.
[2.3.] DEPO has not ensured compliance with the principle of data minimization in relation to the processing of personal data for the purposes of providing Additional Services.

Regardless of the chosen legal basis for the processing of personal data, the basic principles contained in Article 5 of the Data Regulation are binding on the controller in any case. In the specific case, a client who wants to receive an invoice for the purchase of goods must specify a personal code, which is not required in the particular case for receiving the service. It has been established that the processing of the personal code is also not necessary for receiving other services, for example home delivery of goods.

Thus, DEPO has processed personal data in an excessive amount, disregarding the data minimization principle.

[2.3.] Although DEPO has repeatedly changed the terms of personal data processing over time, the actual actions that the customer is required to complete in order to receive the Additional Services have not changed. Namely, the consent of the data subject referred to in Article 6(1)(a) of the Data Regulation is still used as the legal basis for personal data processing. The amount of personal data to be processed has also not really changed.

[2.3.1.] Regarding the amount of personal data to be processed, although on June 10, 2021, a new questionnaire for receiving a DEPO card has been approved, in which both the amount of data to be provided and scope of personal data processing purposes, however, in accordance with DEPO's privacy policy (as amended to 5 August 2021) the amount of personal data is indicated above, and it is also explained that this data is provided when filling out the form for receiving a DEPO card.

[2.3.2.] Regarding the legal basis for processing personal data for receiving a DEPO customer card, DEPO's privacy policy still refers to Article 6(1)(a) of the Data Regulation.

Given that a customer who wants to receive the Additional Service must "opt in" to receive a DEPO customer card by specifying all the information required for receiving a DEPO customer card in the application form, such consent still cannot be considered freely given. That is, the client must "agree" to receive the customer card, otherwise the Additional Service will not be provided to it.

The mentioned conclusions are not changed by the fact that since 27 September 2021 the conclusion and execution of the contract is mentioned as the legal basis for issuing the DEPO card, because if the customer wants to receive any of the Additional Services, it must also accept a DEPO card. Without the issuing of a DEPO card, the Additional Service cannot be received.

[2.4.] DEPO has unjustifiably stated that issuing a DEPO card is primarily necessary for accurate customer identification, for example when making a delivery. This is a violation of the principle of data minimization resulting from Article 5(1)(c) of the Data Regulation, according to which personal data can be processed only to the extent necessary to achieve the purpose.

Given that it is possible to identify a person, for example when making a delivery, also by, for example, asking for an identity document, DEPO's requirement to issue a DEPO customer card in each case is not justified. This is also confirmed by the fact that when making a purchase in the online store and choosing the Additional Service - delivery of goods - the customer does not need to receive a DEPO card.

It is also possible for DEPO to fulfill other obligations set for it by law, e.g. issuing justification documents, based on Article 6, paragraph 1, subparagraph "c" of the Data Regulation, without imposing a mandatory requirement for the client to receive a DEPO card as a prerequisite for the fulfillment of these tasks.

[2.5.] In the case, the fact that complaints about illegal data processing were submitted by only two data subjects is irrelevant.

The contested decision states that the existence of actual damage is not necessary to establish unlawful data processing and an infringement of the fundamental rights of the data subject. Namely, it is not of decisive importance whether the data processing carried out has caused any negative consequences (real violation of rights) for it to be recognized as an interference with fundamental rights.
[2.6] Taking into account the above, the contested decision found that DEPO, within the scope of providing the Additional Services, by processing (acquiring and storing) the personal data of customers (natural persons) (from September 9, 2020 to June 10, 2021, name, surname, personal identification number or date of birth, contact information (phone number, e-mail) addresses; from June 10, 2021 until now, name, surname, e-mail and phone number (address – only in Lithuania and Estonia)), has violated the principles of personal data processing set out in Article 5, Clause 1 "a", "b", "c" of the Data Regulation and has carried out and continues to carry out the processing of personal data on the basis of an inadequate legal basis specified in Article 6, paragraph 1 of the Data Regulation.

[3.] On May 27, 2022, DEPO submitted a complaint to the Data State Inspectorate (hereinafter - contestation submission), asking to cancel the contested decision. The Data State Inspectorate finds that the challenge application was submitted within the period prescribed in the first part of Article 168 of the Law on Administrative Responsibility and its consideration is permissible.

[4.] In the challenge submission, it is stated that DEPO was not provided with the right to be heard laid down in the Law on Administrative Responsibility. Although DEPO, in accordance with the first part of Article 137 of the Law on Administrative Responsibility, asked for the case to be considered in oral proceedings, this request was refused on the basis of the risks of Covid-19. DEPO also asks for an oral process at the challenge stage as well.

The Director of the Data State Inspection does not see a violation in the fact that the case was considered in a written process. Namely, the first part of Article 9 of the Law on the Management of the Spread of Covid-19 Infection expressly provides for the right of the official to consider the case in a written process, if it has not been recognized as necessary to consider the case in an oral process.

The first part of Article 172 of the Law on Administrative Responsibility also stipulates that a higher official considers the complaint in a written process. At the same time, taking into account DEPO's request and the fact that the risks of the spread of Covid-19 have decreased, the Director of the Data State Inspection considered it possible to examine the case in an oral process.

The complaint was heard in an oral process on June 27, 2022, and the arguments presented by DEPO have been evaluated, are reflected in the subsequent text of the decision in the context of the arguments expressed in the challenge submission, and have been taken into account when making the decision.

During the examination of the case, DEPO provided additional information about the nature of the DEPO customer card and aspects of its allocation. It confirmed that personal data is actually obtained for the purposes of providing Additional Services, as well as to fulfill the requirements of regulatory acts. DEPO customer card usage personal data obtained during or would gain some other economic benefit. DEPO also admitted that improvements can be made in the processing of personal data and that a new, more comprehensive privacy policy is being developed. In view of the above, DEPO requests that the administrative violation case be terminated.


[5] In the challenge submission, DEPO expresses the opinion that the official of the Data State Inspection, during the inspection in the DEPO store, did not follow the procedural rules regarding the carrying out of inspections, and that Act No. [...] drawn up on 28 January 2022 could not be used to justify the contested decision.

The reasoning expressed by DEPO is essentially based on the consideration that Article 15 of the Law on the Processing of Data of Natural Persons determines the procedure for carrying out checks, including an obligation, before visiting the place of data processing, to inform the manager about the purpose, time and place of the planned visit, as well as to request that the presence of the manager's authorized representative be ensured. DEPO also points out that the original draft wording provided for the right of the officials of the Data State Inspection to enter the premises, conduct an inspection and a forced search without cooperation with the manager, but this norm was not accepted by the legislator. On the basis of the aforementioned, the objection submission concludes that any inspection should take place in cooperation with the data controller.

The Director of the Data State Inspection considers such an interpretation of legal norms to be unfounded. The norms on inspection and on informing the controller contained in Article 15 of the Law on Processing of Personal Data apply to cases when the inspection is carried out using the administrative power (coercive mechanisms) granted to the Data State Inspectorate in laws and regulations, and the controller's duty to obey the orders of the Data State Inspectorate. The mentioned norm refers to entry into private property, as well as access to all systems and documents that do not have public access. At the same time, the first part of Article 15 of the Personal Data Processing Law includes the right of the Data State Inspectorate to obtain information using all legal methods. Undoubtedly, visiting public places and performing activities that can be performed by any natural person can also be considered such a method. In the specific case, the Data State Inspectorate obtained the information without using public authority, but by performing and recording actions that any natural person could perform. Therefore, the requirements referred to in Article 15 of the Law on the Processing of Data of Natural Persons do not apply to this type of information acquisition.

If DEPO's claim were considered justified, it would prevent the Data State Inspectorate from performing any actions at all without the cooperation of the administrator, for example, viewing websites, registering on various platforms to check the amount of data to be collected, viewing the photos that the manager has placed on his social account, viewing the locations of publicly placed cameras to find out their angles, or taking any other action. In all the mentioned cases, the official of the Data State Inspectorate obtains information without using state power, but recording his observations in a document, as was the case here.

[6] The challenge submission expresses the opinion that the Data State Inspectorate has violated Article 117 of the Law on Administrative Responsibility, which stipulates that the administrative violation process should be started in a reasonable and timely manner. This is based on the fact that the Data State Inspectorate did not start the administrative violation process immediately after receiving the last complaint on May 19, 2021, but, instead of initiating an administrative violation case, chose to carry out an inspection from May 19, 2021 to February 2, 2022.

In the view of the Director of the Data State Inspection, both reasonableness and timeliness have been observed in the examination of the case, because the administrative violation case was initiated immediately after the Data State Inspectorate had obtained all the necessary information that allowed it to assume that an administrative violation might have occurred.

It should be noted that conducting an inspection before starting an administrative offense case is also in the manager's interest, because not every inspection results in an administrative violation process. As a result of an inspection by the Data State Inspectorate, an administrative process may be initiated, which ends with an administrative act, or the supervisor may be informed, in accordance with the "advise first" principle, about ensuring compliance of the data processing with the Data Regulation, or no further actions may be taken at all. If the Data State Inspectorate had to initiate an administrative violation process after every complaint received, it would unduly burden the supervisors by involving them unnecessarily in administrative violation proceedings, because by no means every data subject's complaint is justified and shows evidence of an administrative violation.

As stated in its decision by the Department of Administrative Affairs of the Senate of the Supreme Court, the provisions of the Data Regulation give the Inspectorate the right, in response to violations of personal data processing, to make any of the decisions contained in the regulation, while leaving the supervisory authority freedom of assessment regarding the type of decision. Upon receiving a complaint about possible violations of personal data processing, the inspection initially checks the received information, including by requesting information from the data controller and/or processor, to establish whether the processing of personal data in the case indicated by the data subject has occurred at all. Submitting an application about possible violations of personal data processing does not mean that the verification of the information specified in the application will result in the detection of a violation, the issuing of an administrative act and the application of a corrective measure or the imposition of an administrative penalty.

The Data State Inspectorate starts an administrative process or administrative violation process against a data manager only when it becomes aware of the facts. Such facts are obtained by the inspection by carrying out an inspection and obtaining the necessary information, which in turn gives grounds for initiating an administrative violation process.

A decision on the most appropriate remedy (a decision to initiate a case) can only be made when sufficient information has been collected to assess whether a violation of personal data processing has occurred at all, and the nature of this violation. Therefore, the deadline for making a decision is counted not from the moment the applicant's complaint is submitted, but from the moment the violation of personal data processing is discovered, that is, when the relevant examination and clarification of the circumstances have been completed and it is established that the person really has committed a violation of personal data processing.2

Taking into account the above, the Director of the Data State Inspection believes that the case has been considered in a timely manner and by carefully ascertaining all the circumstances of the case.

[7] DEPO states in its challenge submission that the amount of data processed by it and the legal basis were different in the period from September 9, 2020 to June 10, 2021 and in the period from June 10, 2021 to May 10, 2022, which is also recognized in the contested decision. At the same time, the contested decision does not analyze how this different scope of data processing and legal basis are to be evaluated in connection with the provisions of Article 26 of the Law on Administrative Responsibility, that a long-term administrative violation is the continuous realization of one administrative violation, which is related to the subsequent long-term non-fulfillment of the obligations prescribed by law.
[7.1.] The Director of the Data State Inspection cannot agree with the statement that the processing of personal data carried out by DEPO in the mentioned periods has not been assessed in its totality and no assessment has been given as to why this processing is considered one long-term administrative violation. On the contrary, subsection 5.7.3 of the contested decision describes in detail why the actual conditions regarding personal data processing for receiving Additional Services have not changed. Namely, to receive Additional Services, the client is still required to be issued a DEPO card, and in order to receive it, the customer must fill out the form, submit the personal data requested in the form and agree to the processing of his/her personal data for the purposes specified in the questionnaire. If the customer wants to receive, for example, an Additional Service - delivery of goods - the customer still needs to fill out the agreement on the assignment of a DEPO card, must submit his personal data and, in accordance with point 1.1 of the agreement on the assignment of a DEPO card, must accept a DEPO card.

2 Decision of the Administrative Affairs Department of the Supreme Court Senate of April 28, 2020 in case no. A420230820

The Director of the Data State Inspection additionally explains that the essence of the detected administrative violation is that a customer who wants to receive one of the services offered by DEPO is forced to agree to the processing of personal data also for other personal data processing purposes, for which different legal bases and personal data storage periods are indicated. For example, if a customer wants to receive a product delivery service, then in order to receive this service he must undoubtedly submit, and DEPO must process, this customer's personal data, such as the delivery address. According to DEPO's privacy policy, the legal basis for such processing of personal data is the conclusion and execution of the contract, while the term is 2 weeks after the date of creation of the relevant offer, or 1 month if the offer payment deadline has been extended at the customer's request. Thus, the customer can reasonably expect that 2 weeks after the relevant delivery application DEPO will delete his personal data. At the same time, DEPO refuses to provide this service until the customer has also agreed to receive other services offered by DEPO and concluded an agreement or consented to the processing of personal data also for these other, completely unrelated purposes. Namely, the person must agree to receive the service - the granting of a DEPO card - and, in order for the delivery service to be provided, it is necessary to agree or conclude an agreement on the processing of his data also for the awarding of the card and the receipt of related services. According to DEPO's privacy policy, such personal data is stored for the entire duration of the contract and for another 10 years after its termination.

It has no legal significance which legal basis for the processing of personal data - consent or conclusion of the contract - DEPO has indicated for the purpose of granting the DEPO card, since the customer is in any case forced to "consent" to the processing of his data for the purpose of assigning a DEPO card, even if he wishes to receive an altogether different, unrelated service and does not in fact want to receive a DEPO card and use its benefits. This circumstance has not changed as a result of the data processing changes made by DEPO, so the administrative violation committed by DEPO is also considered long-lasting.
[7.2.] The Director of the Data State Inspectorate, during the examination of the case, became convinced that although from June 10, 2021 the amount of personal data to be indicated in the application for receiving a DEPO card has been reduced, it is actually still being processed. So, for example, if a person wants to receive a service for the provision of which it is necessary to know the address of the customer (for example, the delivery of goods service), this person must submit an additional application, asking to add an additional field to the debtor account (the purpose is to issue a DEPO card), and the personal data is stored not for as long as necessary for the purpose of providing the additional service, but for the storage period determined in connection with the purpose - the assignment of a DEPO card. That is, personal data is still processed in a linked and combined manner for several different purposes without separating the specific purposes. DEPO also admitted in its oral explanations that the purpose - the granting of a DEPO card - in fact includes the set of personal data necessary for receiving all additional services.

[7.3.] At the same time, it should be taken into account that currently, for the purpose of assigning a customer card, the initial amount of personal data to be processed is such as is necessary for the provision of all services - name, surname and contact information. A solution has been introduced in which additional personal data is added only at the moment when a service is requested for the provision of which this personal data is required. Although the data processing necessary for one purpose continues to be extended to other unrelated purposes, this circumstance will be evaluated when determining the penalty.

        [8] Paragraphs 24-29 of the challenge submission provide arguments that the Data State Inspectorate has incorrectly assessed the content of the data subjects' complaints it received.
        In the opinion of the Director of the State Inspection, these considerations regarding the nuances of the content of the complaints have no relevance to the case, because DEPO wrongly assumes that the substance of the case is based on these complaints. Even if the examination is initiated because information about a possible administrative violation has been provided by a data subject, the Data State Inspectorate does not have to limit itself to what is stated in the complaint. Namely, upon receiving any information that gives reason to believe that an administrative violation is occurring or could have occurred, the Data State Inspectorate has the obligation to carefully examine all the circumstances of the case. The data subject's submission is an impulse that can be a basis for initiating an administrative violation case or any other investigation. The data subject himself is in essence not involved in the further process started on the basis of his complaint, if it is started. The process initiated on the basis of the data subject's complaint does not create legal consequences for the data subject himself, but for the person or institution indicated in the complaint as having committed the alleged violation.
        In the specific case, the Data State Inspectorate has analyzed all the circumstances of the case and reached a conclusion as to exactly how the administrative offense was committed. This violation is clearly formulated in the contested decision.
        For example, based on the complaint of [..], it was concluded that if a customer wants to receive an invoice for a product, for the issuing of which a personal code is not required, then under the conditions introduced by DEPO this invoice nevertheless cannot be received, just because the customer does not want to agree to the processing of personal data for another purpose – receiving a DEPO card – within which a personal code is required. Thus, customers are forced to agree to the processing of personal data to a greater extent than is necessary to receive a specific service.
        As a result of the examination of the complaints of [..] and [..], it was established that DEPO, when issuing the customer's card, obtains the widest possible amount of personal data that could be necessary to achieve each purpose and then processes this data for purposes for which it is not necessary at all. For example, if the client wants to agree only to a specific purpose of personal data processing - processing in order to receive volume discounts - then it is not justified to ask the person for the personal code, which is not necessary at all to achieve that specific processing purpose.
        In view of the above, the Director of the State Data Inspection finds that in the contested decision, based on, but not only on, the data subject's complaints, the circumstances of the case are correctly established and the administrative violation is correctly qualified.
        At the same time, the statement in DEPO's oral explanations that during its operation in Latvia it has not received a complaint from a resident of Latvia regarding the processing of personal data will be taken into account when determining the punishment.

        [9.] Regarding the further considerations expressed in the challenge submission, which refer to the substance of the identified administrative violation, the Director of the State Data Inspection states that they will not be considered in the order in which they are expressed in the challenge submission; instead, in order to reflect the nature and elements of the administrative violation as accurately as possible, an attempt will be made to group them according to their nature.


        [10.] First of all, it is necessary to emphasize that the issuance of the DEPO customer card, and the personal data processed as a result, is an independent personal data processing purpose that requires a separate legal basis. In DEPO's privacy policy, too, the purpose of data processing – granting a DEPO card – has always been and still is separated from the other purposes of personal data processing, including the purpose – Provision of additional DEPO services. Different legal bases for personal data processing and different durations of storage are also defined for these different purposes.³
        Clause 1 of the rules for granting a DEPO card states that the customer's card gives the customer an opportunity to shop more advantageously. The DEPO website also states: "With a store-warehouse DEPO client card it is even more advantageous. You can also receive a Volume Bonus."
        Essentially, by registering as a DEPO customer and receiving a DEPO card, the customer is granted additional benefits. Namely, the purpose of the customer card is to provide benefits to customers.

        Additional benefits are only benefits granted to DEPO customers that a person can receive within the service. If a person, for example, wants to receive a volume bonus or offers for certain quantities of goods, it agrees or enters into an agreement on its own by prepayment processing of personal data in order to receive a DEPO card. In this case, certain types of personal data about the person, which are necessary to provide additional benefits, are entered into the system and, in accordance with DEPO's privacy policy, this data is stored for 10 years after withdrawal of consent or termination of the agreement.

³ https://depo.lv/privatuma-politika/ [accessed 06.06.2022]

        Considering the fact that the contested decision does not analyze the issue of whether the data processing period for achieving the purpose - receiving additional benefits - is proportionate, the Director of the Data State Inspectorate will not address this issue in this decision either, only noting in general that assigning DEPO cards for the purpose of granting advantages or benefits to the customer is a legitimate purpose and the personal data processing has a legal basis, which is not questioned in the contested decision.
        One of the main features of this rule of law is, moreover, that a client who does not want to receive a DEPO card and does not want DEPO to process his personal data can still buy goods and receive services, only the purchase of these goods and the receipt of services are subject to different rules. For the personal data processing purpose of issuing a DEPO card for granting additional benefits, the legal basis could be either a person's consent or an agreement, if the additional benefits cannot be received without a certain type of personal data processing.
        DEPO's policy of allowing those who only wish to receive discounts to
make DEPO cards without specifying personal data.



        [11.] Next, it is necessary to address the question of why the consent of the person cannot be used as the legal basis for receiving additional services and why, in this part, the personal data processing carried out by DEPO is considered illegal.
        The legal aspects of the legal basis determined by Article 6, Clause 1, letter "a" of the Data Regulation - the consent of the person - are analyzed in detail in the contested decision, and therefore the Director of the Data State Inspectorate will not consider them further in this decision.

        One of the key aspects of consent as a legal basis for data processing is that consent can only be a proper legal basis if the data subject is offered a genuine option to accept or reject the offer and to give consent without harmful consequences for a data subject who has refused to give consent. If the consequences of consent impair the individual's freedom of choice, then the consent is not voluntarily given.
        The fact that the person cannot receive the service if he does not agree to the processing of his personal data is undeniably considered such a harmful consequence. Therefore, the indication contained in DEPO's challenge submission is unfounded, namely that DEPO may refuse to provide a certain type of service as long as the person does not provide personal data that is not specifically required for the performance of the service, because in such a case the person can choose another service provider.
        The European Data Protection Board's guidelines on consent⁴ clearly state that consent cannot be considered freely given if the controller claims that a choice exists between its services, which include consent to the use of personal data for additional purposes, on the one hand, and an equivalent service offered by another controller on the other hand. In this case freedom of choice would depend on what other market participants do and whether an individual data subject would consider the services provided by another controller to be truly equivalent. Furthermore, it means that controllers are obliged to monitor market developments to ensure that consent to their data processing activities does not cease to be valid, because a competitor could later change its services. Thus, the use of this argument means that consent based on an alternative offered by a third party does not comply with the Data Regulation, which means that the service provider cannot deny data subjects access to the service on the basis that they do not agree to it.

⁴ Guidelines of the European Data Protection Board of May 4, 2020 No. 05/2020 on consent in accordance with Regulation 2016/679

        Thus, as established in the contested decision, DEPO may need to receive personal data from customers, including the personal code, to ensure the provision of certain services or to fulfill the requirements set out in regulatory acts, but DEPO is not entitled to perform the processing (acquisition and storage) of such personal data on the legal basis provided in Article 6, Clause 1, letter "a" of the Data Regulation.
        At the same time, such processing of personal data may be carried out on the basis of another legal basis,
for example, Article 6(1)(b) of the Data Regulation – processing is necessary for the performance of the contract.

        It also follows from the oral explanations provided by DEPO that in fact personal data is collected and processed in DEPO's legitimate interests to ensure lawful transaction processing, including avoiding the conduct of possible illegal transactions; to ensure the performance of the service, because the service cannot be provided without the relevant personal data; and to comply with the requirements of regulatory acts that oblige DEPO to process and store certain personal data for a certain period of time. DEPO uses consent as a legal basis because it mistakenly believes that consent essentially performs the same function as informing a person.

        [11.1.] It is obvious from the challenge submission that DEPO did not understand the cases in which the legal basis referred to in Article 6, Paragraph 1, Subparagraph "a" of the Data Regulation - consent of the individual - may be applied to the processing of personal data. The challenge submission, for example, mentions that DEPO has grounds to receive certain data that are necessary for the provision of these services. In addition, DEPO as data manager has chosen the client's consent as the main basis for receiving this data.
        This claim contains a number of mutual contradictions: if the service cannot be provided without processing personal data, then the person's consent, as already mentioned in point 11 of this decision, cannot be an appropriate legal basis for processing personal data. Namely, Article 4(11) of the Data Regulation requires the data subject's consent to be given freely. According to Article 7, clause 4 of the Data Regulation, freely given consent means that the provision or non-provision of the service must not be subject to such consent. For example, if it is necessary to process the customer's delivery address for the provision of the goods delivery service and this service cannot be provided without the processing of this data, the personal data processing must be based on Article 6, paragraph 1, subparagraph "b" of the Data Regulation - personal data processing is necessary for the performance of the contract. Likewise, the storage period for this personal data should be determined by assessing the purpose for which this data is processed. DEPO's privacy policy mentions this data processing purpose and determines the storage period for personal data obtained for this specific purpose - 2 weeks after the date of creation of the relevant offer, or 1 month if the offer payment deadline is extended at the customer's request. In practice, however, the situation is that when a person requests a particular service, it is refused unless the person agrees to the processing of his personal data for an unrelated purpose - the issuance of the DEPO card and the receipt of benefits. So the person has to provide all their personal data, including data that is not required for receiving the goods delivery service, in order to receive the DEPO card, and then DEPO uses this personal data, which the customer provided in order to receive a DEPO card, for the provision of another, unrelated service, namely for another purpose of personal data processing.
        In view of the above, the Director of the State Data Inspectorate agrees with the statement expressed in the objection submission that DEPO does not and cannot have a legal obligation to provide certain individual services to persons who cannot be identified by DEPO, provided that these services cannot be ensured without the processing of personal data and that a person is not denied the service only because he has not consented to the processing of his personal data for other purposes.
        [11.2.] In the challenge submission, it is especially highlighted that when signing the questionnaire to receive a DEPO card, the person agrees to the processing of personal data for, among others, such purposes as specifying personal data in the accounting justification documents, returning the purchase fee or part of it to the person on the DEPO card, etc. It must be repeated that any kind of personal data processing which the controller is obliged to carry out under the law cannot be based on the consent of the individual, as the processing of personal data is mandatory in order to provide the specified service. If the person does not agree to the processing of his personal data, this service cannot be provided at all; thus the consent is not considered freely given within the meaning of Article 7, Paragraph 4.
        In essence, the controller has justified the processing of personal data for different purposes with one legal basis – consent – that does not correspond to the actual conditions of personal data processing. The manager's obligation is to identify all personal data processing operations performed, to group these data processing operations according to their purpose and to identify the legal basis that is appropriate for the stated purpose. Subparagraphs "b", "c" and "f" of Article 6, Clause 1 of the Data Regulation can serve as such a legal basis. Finally, according to the determined purpose and legal basis, the scope of the personal data to be processed, the storage period and other conditions of personal data processing can be determined.


        [12.] Based on the considerations mentioned in paragraphs 10-11 of this decision, it can be concluded that in those cases where the customer wants to receive an additional service, it is illegal for DEPO to ask the customer to fill out a questionnaire for receiving a DEPO customer card and to agree to, or enter into an agreement on, processing of personal data which is not related to the receipt of the specific service. As a result of this type of behavior, firstly, the customer's consent to the processing of personal data for the purpose of receiving a DEPO customer card is no longer considered freely given, as the person does not have the right to refuse the processing of personal data if he wishes to receive the service. Secondly, personal data is processed excessively, because the questionnaire for receiving the customer's card requests personal data in a wider scope than is specifically required for receiving the service.
        At the same time, the Director of the Data State Inspection, based on the oral explanations provided by DEPO, notes that currently personal data is processed only to the extent necessary for receiving a specific service; for example, the delivery address is added to the customer's account only when it is necessary for the execution of the specific service. At the same time, after this data is obtained, it is also processed for other purposes and for the provision of other services which the person did not request at the time the personal data was obtained.
        [12.1.] In the challenge submission, it is stated that the official of the Data State Inspection has not understood DEPO's cooperation model with buyers and thus tries to create a false impression that DEPO obligates buyers to receive a DEPO customer card without any factual basis. As the basis for such an argument, DEPO indicates that only buyers who want to receive additional benefits – volume bonuses – or additional services, for example, for the construction of an individual house, an invoice with details, or delivery of goods, must take out a personalized customer card, because DEPO provides such services only if it is possible to identify their recipient. In addition, according to what is stated in DEPO's oral explanations, customers themselves often want to obtain from DEPO afterwards personalized information about the services they have used and paid for, in order to submit documents to the State Revenue Service or to use them in legal proceedings as evidence of the origin of the property. Considering that the number of customers in the stores is very large, obtaining a DEPO card is the most convenient way for customers to get an instant service where the buyer is identifiable.
        First of all, the director of the Data State Inspectorate notes that it is important to distinguish between these two concepts - additional benefits and additional services. As already mentioned in paragraph 10 of this decision, additional benefits are extra advantages for the customer that do not affect the receipt of the service as such. The provision of additional services, in turn, is to be separated from benefits in receiving services. Namely, if the person initiates the receipt of a service and the provision of this service requires the processing of personal data, then the legal basis for such processing of personal data is Article 6, paragraph 1, subparagraph "b" of the Data Regulation. For example, if a person wants to receive goods delivered to his home, then this service cannot be fulfilled without processing data about the delivery address. It is also correctly mentioned in the contested decision that Article 11 DEPO may need to process certain types of personal data for the provision of services. As already indicated above, the violation of data processing manifests itself in the fact that DEPO does not provide services to its clients at all until they have agreed to, or entered into an agreement on, the processing of their personal data for a completely different purpose – for granting a DEPO card, receiving benefits and so on – for the processing of personal data that is not necessary for receiving the specific, requested service.
       In compliance with the above, consent to the processing of personal data for the purpose of receiving a DEPO card is considered
freely given and thus legal.
       [12.2.] It is important to distinguish between consent to receive a service and consent to the processing of personal data, which are not the same. The mere fact that a person has initiated the receipt of a service does not mean that the legal basis for the processing of personal data will automatically be the consent of the individual. For example, in cases where a person asks to be issued an invoice, the manager has an obligation, laid down in legal norms, to process personal data. In this case, the legal basis for personal data processing is the legal obligation referred to in Article 6(1)(c) of the Data Regulation, regardless of the fact that the invoice has been requested by the data subject. At the same time, the manager cannot make the provision of the service dependent on whether the customer agrees or disagrees to provide more personal data than is specifically required for the performance of the service. If, for example, a person wants to receive a service such as sewing curtains, then it is unreasonable to ask the person to agree to the processing of their address, as this data is not necessary for the execution of the service and invoicing. The mere fact that a person's address may be needed to receive another service offered by DEPO does not mean that the person must provide this data within another service, because this person does not want to receive services for the fulfillment of which it is necessary to process the address.
       In compliance with the above, DEPO processes personal data to a wider extent than is necessary
to achieve the purpose, thus violating the principle of data minimization.

       [12.3] DEPO points out that its privacy policy sets out a number of DEPO's legitimate interests and lists purposes for which personal data is processed. As already mentioned, the circumstances of the case are not that DEPO had incorrectly identified the purposes of personal data processing in the privacy policy, but that a person, in order to receive a service for the provision of which a specific type of personal data is not required, is forced to provide more personal data for purposes not applicable to the requested service.


       [13.] Finally, it must be concluded that, as a result of DEPO combining the processing of personal data for different, mutually separable and unrelated purposes in one questionnaire, in which the person filling it out must provide their personal data to achieve all purposes, DEPO has violated the data minimization principle.
       Although DEPO's privacy policy separates the different purposes of data processing, DEPO itself has stated that filling out the questionnaire for receiving a DEPO card (for an identified customer) / natural person and concluding an Agreement on the assignment of a DEPO card to a natural person have several purposes, including those not related to offering and providing additional services, as well as several legal bases. The aforementioned conclusion was also confirmed by DEPO in oral explanations.
       Thus, regardless of the purpose for which personal data is processed, DEPO, by requesting that a customer questionnaire for assigning a DEPO card be filled out, actually collects personal data for all data processing purposes that may arise in the future. These personal data processing purposes are not separated from each other, and thus personal data is processed in an excessive amount. In essence, DEPO should divide the questionnaire or give the client the opportunity to fill in only certain fields (provide personal data to a certain extent) depending on the specific purpose and legal basis of data processing, and the customer's consent should be requested only in the case when the client really has freedom of choice.

        [13.1.] The challenge submission states that the contested decision does not specify any norm that would oblige DEPO to provide services to customers that DEPO cannot adequately identify.

        The Director of the Data State Inspection points out that this obligation of DEPO follows from the principle of data minimization contained in Article 5, paragraph 1, letter "c" of the Data Regulation. Namely, according to this principle, DEPO does not have the right to process personal data that is not specifically required for service provision. For example, if a person wants to use a curtain sewing service, it is not necessary to obtain data on the person's social security code or residence just because DEPO wants to identify the customer who requested the mentioned service or because such data processing might be necessary within the provision of another service, which the client has not currently requested and does not plan to request. If DEPO has chosen to provide a service, it must, in providing it, comply with the regulatory framework in force in the country, including the Data Regulation. Otherwise, a merchant could in the same way justify that it wants to provide its service only to persons of a certain skin color, gender or nationality, because it is its absolute right to decide to whom to offer this service.

        [14.] The contested submission states that the applied fine is unreasonable and excessive.
        [14.1] DEPO repeatedly refers to the fact that the legal basis for granting the DEPO card has changed. An assessment of this has already been provided in paragraph 7 of this decision, finding that the period of the violation has been determined correctly; thus this circumstance has no effect on the applied fine.
        [14.2.] DEPO's reference to the fact that the fine applied to DEPO significantly exceeds other penalties applied by the Data State Inspectorate, as well as penalties applied in other countries, is considered unjustified. The supervisory authority has discretion in setting penalties and assesses the circumstances of each case. The mere fact that a lesser penalty has been imposed on another manager does not give grounds for demanding a penalty reduction, because both the factual and the legal circumstances differ in the cases indicated in the challenge submission. Namely, DEPO is not in the same and comparable conditions as those persons on whom a fine has been imposed for other violations of personal data processing.
        [14.3.] In the challenge submission, it is stated that the applied fine does not correspond to the conditions set forth in Article 13 of the Law on Administrative Responsibility, as the amount of the fine is one that can prevent DEPO from conducting further business. In particular, it is necessary to take into account that the fine amounts to more than 28% of DEPO's 2020 profit.
        In the opinion of the Director of the State Data Inspection, the fine imposed generally achieves the elements defined in the Administrative Responsibility Law, such as protection of public order, punishment for the offense committed, and deterring the person who committed the administrative offense and other persons from further administrative violations. Namely, significant fines both reinforce the binding nature of certain legal norms and express an official condemnation of illegal actions, and ensure that the offense is no longer committed by the punished person or by other persons.
        At the same time, it must be agreed that the element of restorative justice enshrined in Article 13 of the Law on Administrative Responsibility has not been complied with. That is to say, any offense disrupts the order and justice existing in society, while the punishment for a committed offense should be determined in such a way that it restores the disturbed balance. Restoring the balance means that the appropriate penalty can be neither one that does not create any tangible consequences for the offender himself and does not provide satisfaction to the victims, nor one that burdens the violator to such an extent that it not only deters him from further unlawful actions, but creates a risk of not being able to engage in commercial activity at all. For the prescribed penalty to meet the element of justice, it should be proportionate to the offense committed.
        According to the Director of the Data State Inspection, a fine amounting to almost a third of the year's profit is not proportionate to the offense committed and can be reduced.
        Questions related to the nature of the offense committed and indicating disproportionality will be discussed in the following text of the decision.


        [15.] The Director of the Data State Inspection finds that not all circumstances characterizing the committed administrative violation were taken into account when imposing the penalty. According to Article 83, Clause 1 of the Data Regulation, the supervisory authority must ensure that the fines applied for violations of this regulation are effective, proportionate and dissuasive in each given case. In accordance with Article 83, paragraph 2 of the Data Regulation, when determining the amount of the penalty, the supervisory authorities should take due account of several elements that indicate the nature and seriousness of the offense or the offender's attitude towards the offense committed. In the same way, it is necessary to take into account other elements that are important in the case, even if they are not directly listed in paragraph 2 of Article 83 of the Data Regulation.
        Although the internal tool of the Data State Inspectorate - The mechanism for determining the amount of administrative fines for companies and individuals – is reasonably applied in determining the penalty, in the opinion of the Director of the State Data Inspection it was additionally necessary to assess whether any additional conditions or criteria not reflected in this tool may apply to the specific case. The guidelines⁵ developed by the European Data Protection Board on the application of administrative penalties (hereinafter – Guidelines for the Application of Administrative Penalties) can also be taken into account.
        [15.1.] In accordance with Article 83, paragraph 2, subparagraph "a" of the Data Regulation, it is necessary to take into account
the nature, severity and duration of the violation, taking into account the relevant type of data processing, extent or
purposes, as well as the number of affected data subjects and the damage caused to them.

        As can be seen from subsection 6.3. of the contested decision, when assessing the amount of the penalty, the nature, duration and extent of the violation and the damage caused to the data subjects have been taken into account. At the same time, the severity of the violation, which is one of the most important aspects in the application of punishment, as well as the purpose of the data processing, has not been assessed.
        The guidelines for the application of administrative penalties stipulate that the severity of the violation can be assessed taking into account the specific circumstances of the particular case. The gravity of the violation is indicated by the context in which personal data processing is carried out, for example business, non-profit organization, political party.
        In the specific case, the Director of the State Data Inspectorate agrees that the fact that DEPO is a retail company, the largest cost item of which is the cost of goods purchased for resale, was unreasonably not taken into account. It is essential to take into account that information technology companies to which based on the provisions of the Data Regulation, the main source of profit is based directly on the processing of personal data; therefore, firstly, the percentage of profit from turnover is significantly higher and, secondly, the financial and manpower resources that go into ensuring compliance with the Data Regulation are greater, as is the risk of harm to data subjects. Also, the Administrative Penalties Guidelines state that it is necessary to take into account whether the purpose of processing personal data is to observe, evaluate personal aspects or make decisions that may have negative consequences for the data subject, as well as existing inequalities between the manager and the data subject, for example, in cases where the data subject is a child, student, employee or patient. Considering the fact that the director of the State Inspectorate of Data sees one aspect that could testify to the special gravity of the offense, the applied fine can be significantly reduced, especially taking into account the fact that the manager is a retail company, which was additionally affected by the measures implemented for the prevention of Covid-19.
        Regarding the purpose of processing personal data, the guidelines for the application of administrative penalties recommend taking into account whether the processing of personal data is related to the controller's core activity. The Director of the State Data Inspectorate considers this to be one of the most important aspects to be taken into account when evaluating the severity of the offence. Namely, if the processing of personal data is related to the controller's main activity, the controller must accordingly pay greater attention to it and cannot plead insufficient knowledge of the regulatory framework. In the specific case, the processing of personal data is not related to DEPO's core business, but is performed to provide additional benefits or additional services to clients. In view of the above, this aspect should be taken into account to determine a lower penalty.

5 Guidelines 04/2022 on the calculation of administrative fines under the GDPR, adopted on 12 May 2022 – version for public consultation (the guidelines are currently out for public consultation and their text may change).

        [15.2.] In accordance with Article 83, paragraph 2, subparagraph "b" of the Data Regulation, it is necessary to take into account whether the violation was committed intentionally or due to negligence. Although the contested decision states in general terms that DEPO has not previously been administratively punished, has reviewed its Privacy Policy several times, has reduced the amount of personal data provided in the questionnaires and has cooperated with the institution, no conclusion was reached on whether the violation was committed intentionally or due to negligence, which plays an important role in determining the penalty.
        In the opinion of the Director of the State Data Inspectorate, the evidence obtained in the contested decision is sufficient to conclude that the administrative violation was committed due to negligence. DEPO has tried to align its personal data processing activities with the requirements of the Data Regulation and has engaged specialists to ensure the fulfillment of the requirements set out in the regulatory acts. At the same time, signs of insufficient care and carelessness are visible, perhaps in the selection of specialists who are not sufficiently qualified to evaluate personal data processing activities, with changes to the data processing policy being made chaotically, without forming a systematic approach to the matter.
        Taking into account the mentioned circumstances, the Director of the State Data Inspectorate recognizes the severity of the violation as low. According to the guidelines for the application of administrative penalties, in cases where the severity of the violation is low, the starting point for the penalty should be set at 0-10% of the applicable maximum penalty.
        [15.3.] When determining the starting point for the penalty in the range of 0-10%, it should also be taken into account that DEPO's turnover, which exceeds 250 million per year, is considered high.
        The Director of the State Data Inspectorate believes that, although the severity of the violation is low, DEPO's lack of due diligence in deciding questions about personal data processing is visible at the same time, as is the considerable turnover of DEPO, so it is justified to set the starting point for the penalty at 10%, in the amount specified in the contested decision, namely 10% of the daily turnover, which amounts to 72897. At the same time, taking into account what was found in the contested decision, including but not limited to the significant duration of the infringement and the number of data subjects affected, the coefficient of 6 applied to the starting point for the penalty, which totals 437,382 euros, is to be preserved.

        [16.] At the same time, in accordance with the guidelines for the application of administrative penalties, after the mathematical calculation of the penalty it is possible to adjust the penalty by evaluating whether it achieves the goals of punishment set in the Data Regulation, that is, whether it is effective, proportionate and dissuasive. The amount of the fine should be determined in accordance with the context of the offense.

        [16.1.] Regarding the effectiveness of the penalty, it must be assessed whether it is suitable for ensuring that personal data processing complies with the Data Regulation and for punishing the controller.
        The Director of the State Data Inspectorate finds that, although the punishment is suitable for punishing the controller, it is not suited to facilitating compliance with the Data Regulation. It should be noted that throughout the administrative violation proceedings DEPO has tried to align its personal data processing with the requirements of the Data Regulation and continues to do so now, according to the information provided in the oral explanations. In view of the above, the imposition of a significant fine would not motivate the controller to ensure compliance with the requirements of the Data Regulation but, on the contrary, could create an understanding that the violation will be subject to the same fine regardless of whether proactive action is taken and regardless of the controller's subjective attitude. In the opinion of the Director of the State Data Inspectorate, the most important thing is to ensure that controllers are motivated to make improvements to personal data processing without the use of coercive mechanisms. In cases where disinterest, inaction or deliberate avoidance of effective tools for ensuring compliance with the Data Regulation is observed on the controller's part, a more significant fine should be considered, while when the controller's actions show a desire to ensure compliance with the regulatory framework for data processing, the fine should be smaller.

       [16.2.] The principle of proportionality dictates that the penalty applied should not exceed what is necessary to achieve the goal. If it is possible to achieve the goal by several means, the less burdensome one should be chosen. When assessing proportionality, the violation must be viewed as a single whole, paying attention mainly to the gravity of the offense as such.
       Although the Director of the State Data Inspectorate agrees that the administrative violation has been correctly qualified, that the type of administrative penalty (a fine) has been correctly chosen and that the mechanism for determining the amount of administrative fines has been correctly applied, the fine nevertheless needs to be adjusted to comply with the principle of proportionality.
       In the specific case, it is essential to take into account that, according to the information provided by DEPO in its oral explanations, the personal data processed are not used for marketing purposes, for business planning or for any other activity that is not directly related to the provision of the service to the specific person or to the fulfillment of the requirements of regulatory acts. Namely, DEPO does not get any economic benefit from personal data processing. In view of the above, the administrative fine is in any event sufficient reason for the controller to be motivated to remedy the detected violations. Applying a lower administrative fine does not mean that the violation can continue. Thus, if DEPO's violation continues, the State Data Inspectorate would have the right to impose a penalty for the same violation, this time treating the controller's failure to remedy the violation in time as a circumstance aggravating liability.
       It should also be taken into account that the offense was committed due to a misunderstanding. According to the considerations expressed during the review of the administrative case, DEPO has tried to make its customers aware but applied the wrong legal bases, and has not yet understood the nuances of separating the purposes of the various data processing operations. In the opinion of the Director of the State Data Inspectorate, the application of even a small administrative fine would be sufficient to motivate DEPO to engage qualified data protection specialists and to remedy the detected violations.
       [16.3.] Taking into account the above, the Director of the State Data Inspectorate believes that correcting the fine by setting it at 4% of the initially calculated amount, i.e. applying a fine in the amount of 17,495 euros, would be sufficient to deter DEPO from further data processing violations.

[17.] At the same time, taking into account the powers of the State Data Inspectorate specified in subparagraphs "d" and "i" of paragraph 2 of Article 58 of the Data Regulation, the Director of the State Data Inspectorate considers it necessary to impose on DEPO the obligation to bring its data processing activities into line with the provisions of the Data Regulation by December 1, 2022, to develop a data protection impact assessment and to submit it to the State Data Inspectorate by December 15, 2022.




       Taking into account the above and in accordance with Article 132, the first part of Article 168, Article 172 and point 4 of the first part of Article 173 of the Law on Administrative Responsibility and subparagraphs "d" and "i" of paragraph 2 of Article 58 of the Data Regulation, the Director of the State Data Inspectorate

                                              decided
1. to amend the decision of May 10, 2022 No. [..] ([..]) on the application of the penalty as regards the amount of the administrative fine, determining that SIA "DEPO DIY", registration number 50003719281, legal address Noliktavu iela 7, Dreilini, Stopiņu parish, Ropaž district, shall be subject to an administrative fine in the amount of EUR 17,495 (seventeen thousand four hundred and ninety-five euros) for the commission of the administrative violation provided for in subparagraph "a" of paragraph 5 of Article 83 of the Data Regulation.

2. to impose on DEPO the obligation to bring its data processing activities into line with the provisions of the Data Regulation by December 1, 2022, to develop a data protection impact assessment and to submit it to the State Data Inspectorate by December 15, 2022.

The fine shall be paid in full at any banking institution no later than one month from the day this decision enters into force; otherwise, after the expiry of the term for voluntary execution of the fine, this decision will, in accordance with Articles 262 and 269 of the Law on Administrative Responsibility, immediately be handed over for execution to a sworn bailiff.

      Details for paying a fine:
      Beneficiary: State Treasury
      Registration No.: 90000050138
      Account no.: LV69TREL1060191019200
      Beneficiary BIC code: TRELLV22

      Notes: Indicate the number of this decision.

The fine applied in the administrative violation proceedings, the procedural costs to be reimbursed and compensation for damage to natural resources can be paid on the portal www.latvija.lv, using the e-service "Administrative fines check and payment".


Please note that, according to Article 568 of the Civil Procedure Law, voluntary execution of the decision after the enforcement document has been submitted for enforcement does not remove the obligation to reimburse the enforcement expenses to the bailiff.
At the same time, we inform you that the Company, in accordance with the second and third parts of Article 266 of the Law on Administrative Responsibility, has the right to execute the fine in parts if there are objective circumstances due to which it is not possible to execute the decision on the penalty in full within the term for voluntary execution.
In accordance with the first part of Article 184 and the first part of Article 186 of the Law on Administrative Responsibility, DEPO can appeal the decision within 10 working days from the day the decision in the administrative violation case was announced, to the district (city) court at the registered address of the Company, by submitting a complaint to the State Data Inspectorate (Elijas iela 17, Riga, LV-1050), which, within three working days after the expiry of the term for submitting a complaint, sends the complaint together with the case materials to the district (city) court upon approval.


Director J. Macuka


[..]