DVI (Latvia) - SIA “Lursoft IT”: Difference between revisions

From GDPRhub
 
(6 intermediate revisions by one other user not shown)
Line 29: Line 29:
|GDPR_Article_3=Article 6(1)(e) GDPR
|GDPR_Article_3=Article 6(1)(e) GDPR
|GDPR_Article_Link_3=Article 6 GDPR#1e
|GDPR_Article_Link_3=Article 6 GDPR#1e
|GDPR_Article_4=Article 6(3) GDPR
|GDPR_Article_4=Article 6(1)(f) GDPR
|GDPR_Article_Link_4=Article 6 GDPR#3
|GDPR_Article_Link_4=Article 6 GDPR#1f
 
|GDPR_Article_5=Article 6(3) GDPR
|GDPR_Article_Link_5=Article 6 GDPR#3
|GDPR_Article_6=Article 5(1)(b) GDPR
|GDPR_Article_Link_6=Article 5 GDPR#1b
|GDPR_Article_7=Article 5(1)(c) GDPR
|GDPR_Article_Link_7=Article 5 GDPR#1c


|National_Law_Name_1=Section 132 Insolvency Law
|National_Law_Name_1=Section 132 Insolvency Law
Line 60: Line 65:
}}
}}


(Temporary)
The Latvian DPA (Datu valsts inspekcija) imposed a fine of €65,000 on SIA “Lursoft IT" for breaching Articles 5(1)(a), (b), (c) and 6(1) GDPR. Lursoft published personal data from the "Insolvency Register" as well as personal data that is to be submitted to the "Register of Enterprises" on its website.


==English Summary==
==English Summary==
Line 69: Line 74:
===Dispute===
===Dispute===


 
Did the publication on a website of personal data from the "Insolvency Register" as well as personal data that is to be submitted to the "Register of Enterprises" in breach of Articles 5(1)(a), (b), (c) and 6(1) of the GDPR?
===Holding===
===Holding===


==== (1) Information from the "Insolvency Register" ====
====(1) Information from the "Insolvency Register"====
The Latvian DPA (Datu valsts inspekcija) considered Section 132(3) of the Latvian Insolvency Law which states that information relating to natural persons involved in insolvency proceedings shall be made public in  the Insolvency Register, including up to 1 year after the termination of an insolvency proceeding. Therefore, there was a violation of the law on the basis that the termination of the insolvency proceeding concerning the data subject had been terminated for more than one year. The DPA reiterated that Section 132(3) targets the responsible institution for the Register of Enterprises, but that although Lursoft is not the responsible institution, the Section of the law still applies to them. Information on an insolvency proceeding cannot be published if the proceeding has ended over a year ago.
The Latvian DPA (Datu valsts inspekcija) considered Section 132(3) of the Latvian Insolvency Law which states that information relating to natural persons involved in insolvency proceedings shall be made public in  the Insolvency Register, including up to 1 year after the termination of an insolvency proceeding. Therefore, there was a violation of the law on the basis that the termination of the insolvency proceeding concerning the data subject had been terminated for more than one year. The DPA reiterated that Section 132(3) targets the responsible institution for the Register of Enterprises, but that although Lursoft is not the responsible institution, the Section of the law still applies to them. Information on an insolvency proceeding cannot be published if the proceeding has ended over a year ago.


Line 83: Line 88:
Therefore, the DPA held that Articles 6(1)(c) and (e) GDPR were not valid legal bases for the data processing conducted by Lursoft.
Therefore, the DPA held that Articles 6(1)(c) and (e) GDPR were not valid legal bases for the data processing conducted by Lursoft.


==== (2) Information on the "Register of Enterprises" ====
====(2) Information on the "Register of Enterprises"====
 
The DPA outlined that Lursoft received information, including non-public data, from the Register of Enterprises on the basis of an agreement concluded between the two. The information provided was limited and it was stipulated in the agreement that sharing the information with third parties was not authorised. The DPA also held that Lursoft could not re-use the information provided and that the legal basis for the publication within the Data Regulation [comment: automated translation is unclear, this presumably refers to the GDPR] expired. Therefore, Lursoft could not publish these documents and continuing to process that personal data without a legal basis was unlawful. The DPA clarified that Article 6(1)(e) could not be considered a valid basis, as argued by Lursoft, as there was no legal instrument permitting the publication of the information.
 
The Latvian DPA also held that Lursoft could not rely on Article 6(1)(f) GDPR. The DPA clarified that a legitimate interest must be "legitimate - implemented in a way which complies with data protection and other legislation" (i.e. it must be a legitimate interest acceptable under the law). The DPA concluded that the legislation in this sector precluded the publication of non-public data sent to Lursoft. There was therefore no legitimate interest.
 
Various other arguments put forward by Lursoft under the Latvian Commercial Law, Section 4 of the Latvian Law on the Register of Enterprises of the Republic of Latvia, the Latvian National Sanctions Law and Section 26 of the Latvian Proceeds of Crime Act were rejected by the DPA as unfounded.


The DPA then went on to confirm that there was no legal basis for processing (publishing) the non-public information on the "Register of Enterprises" under Articles 6(1)(e) and (f) GDPR. It went on to add that this entailed a breach of Articles 5(1)(a), (b) and (c) of the GDPR.


====Outcome====
Finally, the DPA imposed a fine of €65,000 on Lursoft for breaching Article 5(1)(a), 5(1)(b), 5(1)(c) and 6(1) GDPR. Lursoft has since appealed the decision, meaning the fine is not final.
==Comment==
==Comment==
''Share your comments here!''
''Share your comments here!''

Latest revision as of 16:10, 6 December 2023

DVI - SIA “Lursoft IT”
LogoLV.png
Authority: DVI (Latvia)
Jurisdiction: Latvia
Relevant Law: Article 5(1)(a) GDPR
Article 6(1)(c) GDPR
Article 6(1)(e) GDPR
Article 6(1)(f) GDPR
Article 6(3) GDPR
Article 5(1)(b) GDPR
Article 5(1)(c) GDPR
Section 132 Insolvency Law
Section 132(3) Insolvency Law
Section 4 of the Law on the Register of Enterprises of the Republic of Latvia
Type: Investigation
Outcome: Violation Found
Started:
Decided: 14.01.2021
Published: 23.02.2021
Fine: 65000 EUR
Parties: SIA “Lursoft IT”
National Case Number/Name: SIA “Lursoft IT”
European Case Law Identifier: n/a
Appeal: Pending appeal
Original Language(s): Latvian
Original Source: Datu valsts inspekcija (in LV)
Initial Contributor: n/a

The Latvian DPA (Datu valsts inspekcija) imposed a fine of €65,000 on SIA “Lursoft IT" for breaching Articles 5(1)(a), (b), (c) and 6(1) GDPR. Lursoft published personal data from the "Insolvency Register" as well as personal data that is to be submitted to the "Register of Enterprises" on its website.

English Summary

Facts

SIA “Lursoft IT” (Lursoft; the controller) processed personal data on its website (lursoft.lv) by (1) publishing information from the "Insolvency Register" which relates to a data subject although it had been more than a year since the termination of the insolvency proceedings concerned. Lursoft also (2) published data that is to be submitted to the "Register of Enterprises" (including non-public data such as the number of registration of legal entities and legal facts).

Dispute

Did the publication on a website of personal data from the "Insolvency Register" as well as personal data that is to be submitted to the "Register of Enterprises" in breach of Articles 5(1)(a), (b), (c) and 6(1) of the GDPR?

Holding

(1) Information from the "Insolvency Register"

The Latvian DPA (Datu valsts inspekcija) considered Section 132(3) of the Latvian Insolvency Law which states that information relating to natural persons involved in insolvency proceedings shall be made public in the Insolvency Register, including up to 1 year after the termination of an insolvency proceeding. Therefore, there was a violation of the law on the basis that the termination of the insolvency proceeding concerning the data subject had been terminated for more than one year. The DPA reiterated that Section 132(3) targets the responsible institution for the Register of Enterprises, but that although Lursoft is not the responsible institution, the Section of the law still applies to them. Information on an insolvency proceeding cannot be published if the proceeding has ended over a year ago.

The Latvian DPA also held that the controller must have an appropriate legal basis for proceeding personal data under Article 5(1)(a) GDPR. Lursoft claim to be have such a legal basis under Article 6(1)(c) GDPR. However, this was rejected by the Latvian DPA, which stated that for Article 6(1)(c) to apply, the obligation must be stipulated in law, and not just in a contract. The DPA clarified that a legal obligation under Article 6(1)(c) GDPR must be clearly stated in the legal provision.

The DPA also held that Section 4 of the Law on the Register of Enterprises of the Republic of Latvia regulated the right of persons to use information on the Enterprise Register. Paragraph 2 of that Section states that everyone has the right to request and receive information kept in the Register of Enterprises. However, the DPA clarified that this right to access and request the information does not give Lursoft the right to publish this information on its website. Therefore, Lursoft failed in claiming that there was a legal basis for processing the data under Article 6(1)(c) GDPR.

The Latvian DPA also held that Article 6(1)(e) GDPR could not be relied upon as a legal basis, despite Lursoft's arguments. The DPA clarified that Article 6(1)(e) is a valid legal basis if "processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller". Such tasks would be conferred by Union or the Member State law as per Article 6(3) GDPR. The DPA went on to outline that Article 6(1)(e) can only be relied upon in two situations: (1) if the controller has a formal mandate or carries out the processing because it is necessary in link with a task in the public interest or (2) where the controller, despite having no official authority, is required to disclose the data to a third party who has such powers. This formal mandate or task will be in the public interest specified in a legal instrument. The DPA clarified that there is no official obligation imposed on SIA “Lursoft IT” to publish information regarding the historical insolvency proceedings of a data subject a result of Section 132 of the Insolvency Law mentioned above.

Therefore, the DPA held that Articles 6(1)(c) and (e) GDPR were not valid legal bases for the data processing conducted by Lursoft.

(2) Information on the "Register of Enterprises"

The DPA outlined that Lursoft received information, including non-public data, from the Register of Enterprises on the basis of an agreement concluded between the two. The information provided was limited and it was stipulated in the agreement that sharing the information with third parties was not authorised. The DPA also held that Lursoft could not re-use the information provided and that the legal basis for the publication within the Data Regulation [comment: automated translation is unclear, this presumably refers to the GDPR] expired. Therefore, Lursoft could not publish these documents and continuing to process that personal data without a legal basis was unlawful. The DPA clarified that Article 6(1)(e) could not be considered a valid basis, as argued by Lursoft, as there was no legal instrument permitting the publication of the information.

The Latvian DPA also held that Lursoft could not rely on Article 6(1)(f) GDPR. The DPA clarified that a legitimate interest must be "legitimate - implemented in a way which complies with data protection and other legislation" (i.e. it must be a legitimate interest acceptable under the law). The DPA concluded that the legislation in this sector precluded the publication of non-public data sent to Lursoft. There was therefore no legitimate interest.

Various other arguments put forward by Lursoft under the Latvian Commercial Law, Section 4 of the Latvian Law on the Register of Enterprises of the Republic of Latvia, the Latvian National Sanctions Law and Section 26 of the Latvian Proceeds of Crime Act were rejected by the DPA as unfounded.

The DPA then went on to confirm that there was no legal basis for processing (publishing) the non-public information on the "Register of Enterprises" under Articles 6(1)(e) and (f) GDPR. It went on to add that this entailed a breach of Articles 5(1)(a), (b) and (c) of the GDPR.

Outcome

Finally, the DPA imposed a fine of €65,000 on Lursoft for breaching Article 5(1)(a), 5(1)(b), 5(1)(c) and 6(1) GDPR. Lursoft has since appealed the decision, meaning the fine is not final.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Latvian original. Please refer to the Latvian original for more details.

                                                                                     EXTRACT









        Blaumaņa Street 11 / 13-15, Riga, LV-1011, tel. 67223131, fax 67223556, e-mail info@dvi.gov.lv, www.dvi.gov.lv




                                                                              SIA “Lursoft IT”
                                                                                    Matisa Street 8
                                                                                  Riga, LV-1001


                                                                                             […]


                                                                                   In case no. […]



                                            Decision

In Riga, the date can be seen on the time stamp no. […]




       [1] On 23 November 2020, the State Data Inspectorate adopted Decision no. […] About soda

(hereinafter - the contested decision) in administrative infringement case no. […]
('the Case'), recognizing the registration of Lursoft IT, a limited liability company
number 40003170000, legal address Matīsa Street 8, Riga (hereinafter - SIA “Lursoft IT”)
guilty of Article 83 of the General Data Protection Regulation (hereinafter referred to as the Data Regulation)
For the administrative offense provided for in paragraph 5 (a) and to be fined

a fine of EUR 65,000 (sixty-five thousand euros). The contested decision SIA “Lursoft IT”
notified on 30 November 2020 by sending the contested decision by registered post.

       [2] The contested decision finds the following circumstances and is based on the following
considerations:


       [2.1.] SIA “Lursoft IT” has processed personal data on the website lursoft.lv,
by publishing 1) what is to be submitted to the Register of Enterprises in the section “Documents” of the Enterprise Database
personal data included in the non-public part of the registration of legal entities and legal facts
registration and other documents containing; 2) Insolvency Register database information on

historical insolvency proceedings of a natural person for more than one year after the entry
on the dates of termination of the insolvency proceedings of a natural person.
       According to Article 4 (7) of the Data Regulation, the adequacy of the processing of personal data is
responsible manager. According to the privacy policy of SIA “Lursoft IT” information system holder

and the manager is SIA “Lursoft IT”. SIA "Lursoft IT" is responsible for personal data processing
ensuring compliance with the regulatory framework on the website lursoft.lv. Thus, Ltd.
Lursoft IT, as the controller of personal data processing, had to be provided, inter alia, by the Data Regulation


1 Regulation No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data
and the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation) 2

The consequent requirement under Article 5 (1) (a) to verify that the personal data
there is a legal basis for the processing, the principle of de minimis deriving from points (b) and (c), and
The principle of accountability contained in Article 5 (2) of the Data Regulation.

       [2.2.] On the website of SIA “Lursoft IT” lursoft.lv in the Insolvency Register database, on the contrary
information and documents regarding natural persons have been inserted in the data processing regulatory enactments
historical insolvency proceedings for which a record of a natural person
termination of the insolvency proceedings was made more than one year ago.

       [2.2.1.] According to Section 132, Paragraph three of the Insolvency Law, natural persons
the information entered in the insolvency proceedings file shall be made public in the insolvency register by natural persons
during the insolvency proceedings, as well as one year after the entry of a natural person
the date of termination of the insolvency proceedings. It is therefore inadmissible to record them
disclosure, for which an entry regarding the termination of the insolvency proceedings of a natural person
done more than one year ago.
       [2.2.2.] The reference of SIA “Lursoft IT” to the Data State Inspectorate of 2018 is unfounded

The information provided on November 26, from which SIA “Lursoft IT” has concluded that Insolvency
The obligation set out in the third paragraph of Article 132 applies only to the responsible authority - the Company
register.
       In the said reference, the Data State Inspectorate has explained that the Insolvency Law
The legal norm included in the third paragraph of Article 132 is addressed to the Register of Enterprises, which is responsible
the institution shall enter in the insolvency register regarding the insolvency proceedings of a natural person
information specified by law. Considering that SIA “Lursoft IT” is not considered to be the responsible institution,
it is not the addressee of Section 132, Paragraph three of the Insolvency Procedure Law. At the same time

does not mean that SIA “Lursoft IT” is not bound by other legal norms, including from the Insolvency
the conclusion arising from Section 132 of the Law that the entries in the insolvency register are not restricted
the status of the availability information, as long as their public availability is determined by the Insolvency
the law. The purpose of this provision is to determine that the data on the insolvency proceedings of a natural person
one year after the entry of the termination of the proceedings is no longer freely available unrestricted
thus ensuring the right of a natural person to the protection of his or her personal data.
       The regulation of Section 132, Paragraph three of the Insolvency Law is applicable to everyone
insolvency proceedings of natural persons - both those terminated before the entry into force of the norm

August 1, 2018, and thereafter. Although the third part of Section 132 of the Insolvency Law
the norm determines the term for publication of information in the insolvency register, however, it should not be translated
narrowly, ie giving rise to the presumption that the dissemination and publication of these data elsewhere after
the term specified in the said norm is not limited to any term. Purpose of that provision
would not be achievable if the re-users of the information in the Register of Enterprises continued to physically
dissemination of data on insolvency proceedings terminated by persons also in accordance with the Insolvency Law
The time limit referred to in the third paragraph of Article 132.


       [2.3.] In accordance with Article 5 (1) (a) of the Data Regulation for the controller
the processing of personal data must have an appropriate legal basis.
       [2.3.1.] Regarding SIA “Lursoft IT” on the website lursoft.lv Insolvency database
posted information and documents on the historical insolvency of a natural person
processes for which an entry has been made regarding the termination of the insolvency proceedings of a natural person
the following was established more than one year ago.
       [2.3.2.] In the contested decision it is established that SIA “Lursoft IT” is a reference to the Data Regulation

The legal basis for the processing of personal data referred to in Article 6 (1) (c) is
unfounded.
       Article 6 (1) (c) of the Data Regulation provides the legal basis
in circumstances where the processing is necessary for compliance with a legal obligation to which the controller is subject.
Article 6 (3) of the Data Regulation, on the other hand, provides that this basis for processing shall be determined by a European law
Union law or the law of a Member State applicable to the controller. In the said 3

the legal basis also defines the purpose of the processing of personal data. Recital 45 of the Data Regulation
clarifies that where processing is carried out in accordance with a legal obligation incumbent on the controller,
the basis for processing should be laid down in Union or national law. Also
the purpose of the processing should be laid down in Union or national law.
       Thus, in order for Article 6 (1) (c) of the Data Regulation to apply, these

obligations must be laid down in law and not, for example, in contractual obligations. Personal data
the processor must not have a margin of discretion as regards compliance with the obligations. Subject to the above, Data
Article 6 (1) (c) shall not apply to voluntary unilateral relations; and
public - private partnerships in which more data are processed than required by the law
provides for a legal obligation to process personal data. In addition, the legal obligations themselves must be
sufficiently clear as to the processing of personal data which they provide for. Namely, to refer to

Article 6 (1) (c) of the Data Regulation must be clearly stated in the legal provisions
the type and object of processing. 16
       SIA “Lursoft” IT reference to the law “On the Register of Enterprises of the Republic of Latvia” 2.
and Article 4 as the legal basis for the disclosure of information on historical natural persons
insolvency proceedings for more than one year after the entry of a natural person
the date of termination of the insolvency process on the website of SIA “Lursoft IT” lursoft.lv

The insolvency register database is unfounded. 16
       According to Article 2 of the Law “On the Register of Enterprises of the Republic of Latvia”
the insolvency register in accordance with this Law, the Insolvency Law and other regulatory enactments
the Register of Enterprises.
       Article 4 of the Law “On the Register of Enterprises of the Republic of Latvia” regulates the rights of persons
to use the information of the Enterprise Register. The second paragraph of that article states that everyone has the right
to request and receive information from the registers kept by the Register of Enterprises, observing

restrictions specified in regulatory enactments.
       The above-mentioned norms of the Law “On the Register of Enterprises of the Republic of Latvia” are legal
the obligation of the Register of Enterprises to process personal data, as well as the right of persons to access this
information. These legal norms do not provide for the rights or obligations of SIA Lursoft
IT ”to publish information on historical insolvency proceedings of a natural person.
Thus, these legal norms are general and not the legal basis for the processing of personal data

forming.
       The contested decision also does not establish any other legal norms that SIA “Lursoft IT”
create a legal obligation to publish information on historical individuals
insolvency proceedings. Therefore, SIA “Lursoft IT” reference to Article 6 of the Data Regulation
Paragraph 1 (c) for information on historical natural persons
publication of insolvency proceedings for more than one year after the entry of a natural person

the date of termination of the insolvency process on the website of SIA “Lursoft IT” lursoft.lv
The insolvency register database is unfounded.

       [2.3.3.] In the contested decision it is established that SIA “Lursoft IT” is a reference to the Data Regulation
The legal basis for the processing of personal data referred to in Article 6 (1) (e) is
unfounded.

       Article 6 (1) (e) of the Data Regulation provides that processing is permissible if
processing is necessary for the performance of a task carried out in the public interest or in the exercise of a controller
legally conferred official authority. Article 6 (3) of the Data Regulation provides that
those grounds for processing shall be determined by European Union law or the law of a Member State
applicable to the controller. That legal basis also defines personal data
the purpose of the processing or, in the case of Article 6 (1) (e) of the Data Regulation

processing - it is necessary for the performance of a task carried out in the public interest or in the exercise of a right
official powers legally conferred on the controller. Recital 45 of the Data Regulation explains that
in the case of processing necessary for the performance of a task carried out in the public interest, or
in the exercise of its official powers, the basis for processing should be determined by the Union or by Article 4

under the law of a Member State. The purpose of the processing should also be specified by the Union or
under the law of a Member State. Union or national law should also specify whether:
a controller performing a task carried out in the public interest or in the exercise of official authority,
should be a public authority or other natural or legal person governed by public law
or if it is in the public interest, including for health purposes, such as the public
health, social protection and the management of health services - private law

entity, such as a professional association.
       It follows from those provisions that Article 6 (1) (e) of the Data Regulation
is applicable to two situations. First, it applies to cases where the same person who
processes personal data, has a formal mandate or carries out an exercise in the public interest
task and when the processing is necessary for the exercise of that power or the performance of that task. Secondly,
this provision could be applicable in cases where the person carrying out the personal data
processing, has no formal authority, but is required to disclose the data to a third party who has such

powers. It is important to emphasize that this formal mandate or task will be in the public interest
specified by regulatory enactments.

       [2.3.4.] In the contested decision it is established that SIA “Lursoft IT” refers to the Data Regulation
Persons referred to in Article 23 and Article 26 of the Personal Data Processing Law
processing is unjustified.
      Article 23 of the Data Regulation and Article 26 of the Personal Data Processing Law define the data

restrictions on the rights of data subjects and their scope, rather than legal bases for the processing of personal data,
which are set out exclusively in Article 6 (1) of the Data Regulation.

       [2.3.5.] In the Contested Decision it is established that the reference of SIA “Lursoft IT” to the Insolvency
the legal basis for the processing of personal data specified in Section 132 of the Law is unfounded.
       Article 132 of the Insolvency Law regulates the insolvency proceedings of a natural person
publicity, the first part of which shall specify the information to be entered by the responsible authority in the event of insolvency

in the register regarding the insolvency proceedings of a natural person. Article 132 of the Insolvency Law
the second subparagraph provides that this information may also be published in other registers, information systems or
databases, the third part stipulates that the information shall be made public in the insolvency register of natural persons
during the insolvency proceedings, as well as one year after the entry of a natural person
the dates of termination of the insolvency proceedings, while the fourth part determines the message
shelf life.

       It does not follow from Article 132 of the Insolvency Law that SIA “Lursoft IT” has an obligation or official
the power to publish information regarding the historical insolvency proceedings of a natural person
for more than one year after the entry regarding the termination of the insolvency proceedings of a natural person
dates of commission. Namely, the mentioned legal norm does not provide for any kind of others with data processing
related obligations, including historical information on the natural person to the re-user
transfer insolvency proceedings to third parties.


       [2.3.6.] SIA “Lursoft IT” has unreasonably referred to the term of personal data storage,
which provides that records of a natural person may be kept for five years from the date on which the debt was paid
the debt obligation has ended, thus SIA “Lursoft IT” has a legal basis to reflect
information regarding the insolvency proceedings registered for a natural person, if since the making of the entry
5 years have passed in the insolvency register for the termination of insolvency proceedings.
       SIA “Lursoft IT” points out that when determining the term, it has evaluated not only the Insolvency Law
norms, but also other regulatory enactments, and has applied the principle of analogy with Consumer Law

protection law, the Credit Information Bureau Law, the Credit Register Law,
Credit risk management regulations and other legislation from which the data
for default shall be kept for five years from the date of payment of the debt or from the date on which:
the debt obligation has expired on another legal basis, thus also providing for the disclosure of this information
term - 5 years. 5
       The contested decision finds that there is no apparent analogy in the present case
because the case in question is governed by a rule of law in force, namely the
Section 132, Paragraph three of the Insolvency Law, which clearly refers to natural persons
the duration of the publicity of the insolvency proceedings. Thus, SIA Lursoft IT had no basis

apply other provisions which are not relevant to the case.

      [2.4.] No 2.3. It follows from the analysis in paragraph 1 that the legal basis for personal data
publication cannot be Article 6 (1) (c) and (e) of the Data Regulation, as it is not
enshrined in the relevant legal norms - the Law on the “Register of Enterprises of the Republic of Latvia”
  16 10
Article 2, second paragraph of Article 4. This legal basis cannot be covered by the Data Regulation
Article 23, Section 132, Paragraph one of the Insolvency Law, Personal Data Processing Law
Article 26, as well as agreements concluded between SIA “Lursoft IT” and the Register of Enterprises.

       [2.5.] SIA “Lursoft IT” on its website lursoft.lv in the Enterprise Database section

“Documents” has published the legal entity and legal fact to be submitted to the Register of Enterprises
registrations and other personal data included in the non-public part of the registration file
documents (in documentary form).

       [2.5.1.] In the contested decision, the law “On Latvia
                                    10 15
Article 4, Eleventh Part, Article 4, Paragraph one, Clause 3
Point (a) and the fourth paragraph of Article 4
       Documents in the register file that are included in the public part of the registration file
(in the Commercial Register) are exhaustively defined in Article 4 of the Law “On the Register of Enterprises of the Republic of Latvia”
point (a) of the first subparagraph of Article
                                                                  15
       Section 4, Paragraph four of the Law “On the Register of Enterprises of the Republic of Latvia” provides that
that the information and documents included in the non-public part of the registration file are of limited availability
information. The information and documents of the non-public part of private registration files are requested
Requests for restricted access to information specified in the Law on Information Transparency
in order.
                                                                     10
       Section 4, Paragraph eleven of the Law “On the Register of Enterprises of the Republic of Latvia”
stipulates that the recipient of information in the register kept by the Register of Enterprises shall not have the right to re-use
documents included in the non-public part of the file of registration of legal entities and legal facts.

       [2.5.2.] SIA “Lursoft IT” received information from the Register of Enterprises on the basis of

the agreement concluded on 1 August 2018 between the Register of Enterprises and SIA Lursoft IT.
       Clause 1 of the said agreement stipulates that the Register of Enterprises grants SIA “Lursoft IT” for
the non-exclusive and non-transferable right to receive the Company the remuneration specified in the agreement
information created in the process of registration of legal entities and legal facts at the disposal of the register,
including for re-use for commercial and non-commercial purposes. Amount of information and

the framework is specified in regulatory enactments regarding the issuance of information from the Register of Enterprises. In accordance with
of the contract 3.1. and 3.2. The Register of Enterprises shall transfer the information to SIA Lursoft IT
in accordance with the procedures and to the extent provided for in regulatory enactments. Information may contain limited information
availability information. SIA “Lursoft IT” uses restricted information
in accordance with the requirements of regulatory enactments. SIA "Lursoft IT" confirms that will not transfer limited

availability information to third parties.
       [2.5.3.] Statement of SIA “Lursoft IT” that it does not have registration in the Register of Enterprises
the document of the non-public part of the case shall be deemed unfounded.
       SIA “Lursoft IT” substantiates the said statement with the argument that it has from
Existing documents for business register registration files received by 2018

August 1, while for the period from August 1, 2018, d15 documents are received, which
in accordance with Section 4, Paragraph one of the Law “On the Register of Enterprises of the Republic of Latvia”
Paragraph 3 are included in the public part. Thus, SIA “Lursoft IT” has not been transferred and, consequently, 6

could not and did not process the documents of the Register of Enterprises, which in accordance with the law “On
Register of Enterprises of the Republic of Latvia ”(in the wording in force as of January 7, 2020)
considered as non-public documents. The specific legal norm does not have retroactive force.
      In the contested decision, in response to the arguments of SIA “Lursoft IT”, it was established that despite
to the fact that until January 7, 2020 SIA “Lursoft IT” was entitled to process personal data
documents on the basis of the Law “On the Register of Enterprises of the Republic of Latvia”
  10
Section 4, Paragraph two, with the entry into force on January 7, 2010 of the Law “On the Republic of Latvia
Register of Enterprises ”in the wording of the second paragraph of Article 4, which stipulates that the Register shall be kept by the Register
the recipient of the information does not have the right to re-use the documents to be included in the right holder
and in the non-public part of the legal fact registration file, SIA “Lursoft IT” such personal data
The legal basis for the publication within the meaning of the Data Regulation expired, thus preventing SIA “Lursoft IT”
to publish documents (including historical ones) to be included in the legal entity and legal fact
in the non-public part of the registration file and contains the data of identifiable natural persons. To continue

the processing of personal data, including publication if it has lost its legal basis, in accordance with the person
regulatory enactments regulating data processing is not permitted.

       [2.6.] Regarding the legal basis for the processing of personal data, the website of SIA “Lursoft IT”
on the website lursoft.lv in the section “Documents” of the Enterprise Database by publishing it to the Register of Enterprises
to be submitted and in the non-public part of the case of registration of legal entities and legal facts
registration and other documents containing personal data (in documentary form),

the contested decision finds the following.

       [2.6.1.] The reference of SIA “Lursoft IT” to Article 6 (1) “e” of the Data Regulation is unfounded.
as the legal basis for the processing of data.
       As Article 6 (1) (e) of the Data Regulation provides the legal basis
for the processing of personal data 2.3.3. in the circumstances referred to in subparagraph, and no regulatory enactment
provides for the right of SIA “Lursoft IT” to publish the rights and rights to be submitted to the Register of Enterprises

the personal data included in the non-public part of the registration file of subjects and legal facts
registration and other documents (in documentary form), Article 6 (1) of the Data Regulation
Subparagraph (e) does not apply.

       [2.6.2.] The reference of SIA “Lursoft IT” to Article 6 (1) (f) of the Data Regulation is
considered unfounded.

       Article 6 (1) (f) of the Data Regulation provides the legal basis for personal data
processing in circumstances where processing is necessary in the legitimate interests of the controller or of a third party
unless the interests or fundamental rights and freedoms of the data subject
necessary protection of personal data take precedence over such interests. To Data Regulation
Article 6 (1) (f) would be the legal basis for the processing of personal data, inter alia
the legitimate interests of the controller or of the third party must be balanced with the data subject
fundamental rights and freedoms.

       Legitimate interests mean, among other things, that they must be legitimate - implemented in a way
which complies with data protection and other legislation. In other words, there must be a legitimate interest
acceptable under the law.
       The contested decision finds that the legal norms preclude the Register of Enterprises
to be submitted and included in the non-public part of the file of registration of legal entities and legal facts
publication of registration and other documents (in documentary form) containing personal data.
In view of the above, Article 6 (1) (f) of the Data Regulation cannot be considered legal

basis for the processing of personal data performed by SIA “Lursoft IT”.

       [2.6.3.] Based on 2.3.4. paragraph, SIA “Lursoft IT” reference to
Article 23 of the Data Regulation as the legal basis for data processing is unfounded. 7
       [2.6.4.] SIA “Lursoft IT” unreasonably refers to the fact that SIA “Lursoft IT” exists
The legal basis set out in Article 1 (5) and Article 4 of the Freedom of Information Act
disclosure of information.
       Section 1 (5) of the Freedom of Information Act states that re-use is an institution

the use for commercial purposes of information in the public domain held by the authority, or
for a non-commercial purpose other than the original purpose for which the information was created, if any
an individual who uses the information at the disposal of the institution without performing public administration
tasks. In its turn, Article 4 of the Law on Information Disclosure provides that it is generally available
information is information that is not classified as restricted information.
Thus, the regulation clearly states that re-use is allowed only in the public domain
                                                                         10
information. Also in the eleventh Article 4 of the Law “On the Register of Enterprises of the Republic of Latvia
Part 1 clearly states that the recipient of information from the registers kept by the Register of Enterprises has no rights
to re-use the documents included in the files of registration of legal entities and legal facts
in the non-public part.
       In view of the above, SIA “Lursoft IT”, based on the Information Transparency Law

Article 1 (5) and Article 4 are not entitled to publish the information to be submitted to the Register of Enterprises and
personal data included in the non-public part of the registration file of legal entities and legal facts
registration and other documents (in documentary form) containing

       [2.6.5.] The reference of SIA “Lursoft IT” to Section 7, Paragraph one of the Commercial Law is not substantiated
the prescribed legal basis for the disclosure of information.

       The first part of Article 7 of the Commercial Law stipulates that everyone has the right to get acquainted with
commercial register entries and documents submitted to the commercial register authority. In turn
the second paragraph of that article provides that everyone has the right, upon written request
to receive information regarding the entries in the commercial register and the document in the registration file of the merchant
extracts and copies in paper or electronic form. Pursuant to Section 6, Paragraph two of the Commercial Law
the commercial register is maintained by an institution authorized by law - the commercial register institution. Law “On
                                             7
Article 2 of the Register of Enterprises of the Republic of Latvia ”stipulates that the Commercial Register shall be maintained by the Enterprise
register.
       Taking into account that SIA “Lursoft IT” is not considered to be a commercial register institution, it is not
shall be deemed to be the addressee of the legal norm included in Section 7, Paragraph one of the Commercial Law.


       [2.6.6.] SIA “Lur10ft IT” unreasonably refers to the law “On the Republic of Latvia
The second paragraph of Article 4, which was in force until 7 January 2020, as legal
basis for the processing of personal data.
       The second part of Article 4 of the Law “On the Register of Enterprises of the Republic of Latvia”, which was in force
by 7 January 2020, provided that everyone has the right to submit to the Register of Enterprises
to request and receive information from the registers, including a relevant written submission

information for re-use for commercial and non-commercial purposes. The information shall be provided
used and processed in compliance with regulatory enactments regarding the openness of information and natural persons
data protection restrictions and in accordance with regulatory enactments on the law
registration of subjects and legal facts in the Register of Enterprises.
       Although until 7 January 2020, that provision did not impose any restrictions

to re - use the documents received from the Register of Enterprises, these restrictions came into force and
became binding on SIA “Lursoft IT” together with the currently valid Law “On the Republic of Latvia
The adoption of the second paragraph of Article 4. Continue processing of personal data, including
publication if it has lost its legal basis in accordance with the rules governing the processing of personal data
regulatory enactments are not permissible.


       [2.6.7.] SIA “Lursoft IT” unreasonably refers to the Sanction and the Republic of Latvia
to publish the legal basis specified in the National Sanctions Law to be submitted to the Register and

the personal data included in the non-public part of the registration file of subjects and legal facts
registration and other documents (in documentary form) containing
       SIA “Lursoft IT” has not indicated a specific legal norm that would allow the mentioned document
disclosure and also the Data State Inspectorate does not have information on such a legal norm
existence.


       [2.6.8.] The reference of SIA “Lursoft IT” to the proceeds of crime is not substantiated
money laundering and the prevention of the financing of terrorism and proliferation
Criminal Proceeds Act).
       Section 26 of the Proceeds of Crime Act determines the cases in which the subject of the law is
entitled to perform simplified customer research.
       SIA “Lursoft IT” is not a subject of the Criminal Proceeds Act and is not included in it
the right of SIA “Lursoft IT” to publish the information to be submitted to the Register of Enterprises and the legal entity and

containing personal data included in the non-public part of the legal fact registration file
registration and other documents (in documentary form). The following is also unfounded
disclosure of documents in the interests of the subjects of law, because the subjects of law are provided with legal protection
basis and mechanism for obtaining information for the performance of their duties.
       SIA “Lursoft IT” unreasonably refers to the guidelines of the supervisory authorities and
recommendations of a recommendatory nature. The information contained in these documents cannot be
interpreted as a call to conduct customer research in violation of regulatory enactments.


      [2.7.] No 2.6. The analysis carried out in point (a) shows that the legal basis for personal data
publication cannot be Article 6 (1) (e) and (f) of the Data Regulation, as it is not
enshrined in the relevant legal provisions - Article 1 (5) of the Law on Freedom of Information,
Article 4, Section 7, Paragraph one of the Commercial Law, the Law on “Enterprise of the Republic of Latvia
in the second paragraph of Article 4, in the version in force until 7 January 2020, the International
and the Law on National Sanctions of the Republic of Latvia, Section 26 of the Proceeds of Crime Law.

Article 23 of the Data Regulation, as well as contracts which
have been concluded between SIA “Lursoft IT” and the Register of Enterprises. Article 6 of the Data Regulation
Paragraph 1 (f) cannot justify the processing of personal data which is prohibited by law.

       [2.8.] In view of the above, the contested decision finds that SIA “Lursoft IT” web
on the website lursoft.lv in the “Documents” section of the Enterprise Database by publishing the Register of Enterprises

documents that contain personal data and are not mentioned in the Law “On the Enterprise of the Republic of Latvia
register ”in Article 4, as well as by publishing on the website of SIA“ Lursoft IT ”lursoft.lv Insolvency
information in the registry database on insolvency proceedings for more than one year from the record of
the date of termination of the insolvency proceedings of a natural person, has made personal data
processing in breach of Article 5 (1) (a), (b) and (c) of the Data Regulation
principles of personal data processing and without a legal basis, thus violating the Data Regulations
Requirements for the processing of personal data set out in Article 6 (1).


       [2.9.] In the contested decision it is established that SIA “Lursoft IT” contrary to its
instructions, the instructions received by the Data State Inspectorate were not terminated or restricted
publication for a period of time until it is ascertained whether the processing complies with the normative
regulation. There are doubts about the possible non-compliance of personal data processing with the normative
regulation, Lursoft IT Ltd. should have acted accordingly, which was not done despite the
Data from the State Inspectorate and the Register of Enterprises regarding possible non-compliance with the Data Regulation

data processing.

       [2.10.] Based on Section 5, Paragraph one of the Personal Data Processing Law
Article 23 (2), Article 58 (2) (d) of the Data Regulation, Administrative
Section 115, Paragraph one, Clause 4, Section 151, Paragraph one, Clause 1 of the Liability Law, 9

Article 156, the second and third paragraphs of Article 157, the first paragraph of Article 166, Article 168, Article 262,
Article 269,
       1. to find SIA “Lursoft IT” guilty in Article 83 (5) “a” of the Data Regulation
and committed a fine of EUR 65 000 (sixty
five thousand euros);

        2. to oblige processing operations to comply with by 15 December 2020
The provisions of Article 5 (a), (b), (c) of the Data Regulation and Article 6 (1) of the Data Regulation,
namely to ensure the lawful, fair and appropriate processing of personal data upon termination
the processing (publication) of the personal data referred to in the contested decision, the processing of which has lost its legal status
basis.


       [3.] On 15 December 2020, SIA Lursoft IT submitted a complaint to the State Data Inspectorate
(hereinafter - the appeal), requesting the annulment of the contested decision and the administrative
terminate the infringement proceedings in the case. The Data State Inspectorate finds that the appeal application
submitted within the term specified in Section 168, Paragraph one of the Administrative Liability Law and so on
consideration is admissible.


       [4.] The statement of opposition states that SIA “Lursoft IT” publishes only
publicly available documents on a legal basis - the subject of the Proceeds of Crime Act and
in other public interests:

       [4.1.1.] The opinion is expressed in the appeal submission that neither in the contested decision nor the cases
the materials do not explain for which categories of personal data the violation has been established. Having
taking into account the fact that the Data State Inspectorate is not within the competence of the Law “On the Republic of Latvia

business registers ”, the case must be about personal data.
       The Director of the Data State Inspectorate (hereinafter - the Director) finds that the contested decision contains
contains an explanation of the personal data the processing of which is considered unlawful, as this
the legal basis referred to in Article 6 of the Data Regulation is not available for processing. These personal data,
which processing is not permitted are included in the contested decision and are reflected in Article 2.5.1. of this decision.
and the Director agrees with this analysis. Namely, the documents in the registry file that are

included in the public part of the registration case15 (in the commercial register) are exhaustively specified in the law “On
Register of Enterprises of the Republic of Latvia ”in Article 4, Paragraph one, Clause 3, Subparagraph“ a ”. Tie
are the articles of association, annual reports and other reporting documents received for publication in the Register of Enterprises,
divisions of the register of participants, agreements (decisions) on establishment, reduction of share capital
regulations, capital increase regulations and reorganization agreements, foreign
confirmations of the merchant regarding the registration of the company in the relevant state, the foreign merchant

founding treaties or equivalent documents, documents amended earlier
and court rulings on the dissolution of the company. At the same time
The second part of Article 4. 15 of the Law “On the Register of Enterprises of the Republic of Latvia” provides that
the documents and information in the registration file which are not specified in Paragraph one of this Section shall be included
the non - public part of the registration file, while the fourth paragraph of that article provides that
the information and documents included in the non-public part of the registration file are of limited availability

information.
       Taking into account that SIA “Lursoft IT” on its website lursoft.lv Company databases
in the section “Documents” has published the legal entity to be submitted to the Register of Enterprises and
containing personal data included in the non-public part of the legal fact registration file
registration and other documents that exceed the provisions of the Law “On Enterprises of the Republic of Latvia
the volume of the documents specified in Section 4.15, Paragraph one, as established in the contested decision

unlawful processing of data refers to those personal data included in these - the register
in the documents included in the non-public part.
       That finding is also correctly reflected in the contested decision, which states that the penalty is imposed
suitable for the activities performed by SIA “Lursoft IT” with personal data when publishing information 10

on the cases to be submitted to the Register of Enterprises and the registration of legal entities and legal facts
personal data included in the non-public part (for example, name, surname, personal identification code)
registration and other documents (in documentary form) of SIA “Lursoft IT” on the Internet
on the website lursoft.lv in the section “Documents” of the Enterprise Database.


       [4.1.2.] The statement of opposition indicates that the official has not been able to separate the specifics
processing operations for which it wishes to impose a penalty.
       As indicated in section 4.1.1 of this Decision. the contested decision finds that
Violation of data processing performed by SIA “Lursoft IT” when publishing information about the Company
in the non-public part of the file to be submitted to the register and registration of legal entities and legal facts
registration and other documents containing personal data included (in documentary form)

SIA “Lursoft IT” on the website lursoft.lv in the section “Documents” of the company database.
       Although the contested decision also assesses the personal data of SIA Lursoft IT
the lawfulness of receipt from the Register of Enterprises is not decisive in this case, since
the violation is applied for a specific personal data processing activity - personal data
publication.


       [4.1.3.] SIA “Lursoft IT” indicates in the contest submission that the official is not
justified the violation of the interests of the data subject only by assessing the processing of personal data on the basis of
to legitimate interests.
       The Director points out that the unlawful processing of data and the fundamental rights of the data subject
the existence of actual damage is not necessary for the finding of an infringement. According to the European
The case-law of the Court of Justice of the European Union is not decisive as to whether the data made
processing has had any negative consequences (actual infringement) for it to be considered

interference with fundamental rights. Hence the fact whether specific ones have been identified
negative consequences for the right holder do not change the fact of violation of fundamental rights.

        [4.1.4.] The opinion is expressed in the submission of the appeal that the contested decision does not contain
includes a justification for exactly how the processing of documents infringes Article 5 of the Data Regulation.
       The Director states that the contested decision states that, in accordance with Article 6 of the Data Regulation

The processing referred to in paragraph 1 shall be lawful only to the extent and only if at least one of the following applies
Justifications referred to in Article 6 (1). In addition to providing a legal basis under
Article 5 of the Data Regulation requires the controller to comply with the other conditions laid down in the Data Regulation, in accordance with
which any processing of personal data must be lawful, fair and transparent, and
only in accordance with the intended purpose and to the extent necessary for that purpose.
       The mere fact that the contested decision did not clearly distinguish and describe each of the Data Regulations

Infringement of Article 5 (1) (a), (b) and (c) does not mean that it has not been assessed.
For reasons of legal clarity, the Director alleges infringement of the following relevant legal provisions
explanation.
       In accordance with Article 5 (1) (a) of the Data Regulation, personal data are processed
lawfully, in good faith and in a manner transparent to the data subject. Of that provision, inter alia
obligations to process personal data only if there is a legal basis for it. Given that

in the contested decision it is established that SIA “Lursoft IT” has processed personal data without appropriate information
legal basis, it has also infringed Article 5 (1) (a) of the Data Regulation.
       Pursuant to Article 5 (1) (b) of the Data Regulation, personal data are collected
for specific, clear and legitimate purposes and shall not be further processed by them
incompatible purposes. Taking into account that SIA “Lursoft IT” from the Register of Enterprises
the personal data obtained continued to be published even after the legal basis for such loss had disappeared

publication, ie without a legitimate intention, by such actions SIA “Lursoft IT” has violated the Data
Article 5 (1) (b) of the Regulation.


2, for example, Österreichischer Rundfunk and Others, C-465/00, C-138/01 and C-139/01, EU: C: 2003: 294 11

       Article 5 (1) (c) of the Data Regulation states that personal data are adequate,
appropriate and include only what is necessary for the purposes of their processing ("data minimization"). Having
taking into account the fact that SIA “Lursoft” published personal data in a larger amount than allowed by law
Article 5 (1) (c) of the Data Regulation has been infringed.

       [4.1.5.] The appeal submission indicates that the contested decision is not substantiated

Within the meaning of Section 153, Paragraph one, Clause 8 of the Administrative Liability Law.
       In accordance with Section 153, Paragraph one, Clause 8 of the Administrative Liability Law in the decision
on the application of the penalty shall indicate the legal basis for the decision, including the legal provision which
provides for liability for an administrative violation. According to the Director, the contested decision contains:
sufficiently clear legal provisions on liability for administrative offenses -
Article 83 (5) (a) of the Data Regulation. Namely, SIA "Lursoft IT", performing personal data
has not complied with the basic principles of personal data processing - Article 5 (1) of the Data Regulation

Points (a), (b) and (c) and Article 6 of the Data Regulation.

       [5.] The statement of opposition states that SIA “Lursoft IT” does not have the Company at its disposal
the document of the non-public part of the register. SIA “Lursoft IT” considers that the contested decision does not contain
includes the legal basis in accordance with Section 153, Paragraph one of the Administrative Liability Law

Part 8, as the prohibition to publish non-public registration files of the Register of Enterprises
part of the documents, taking into account that these documents contain personal data, to SIA “Lursoft IT”
extended regardless of the date on which they are attached to the registration file:

       [5.1.] The statement of opposition states that SIA “Lursoft IT” had the right to acquire
the information in the registration file, as it had a generally accessible status. Official
has not substantiated the statement that the documents in the registration file until 2018

August 1, shall be considered as restricted documents.
       First, the Director points out that there is no dispute in the case that SIA “Lursoft” documents from
the registration files have been legally acquired both before 1 August 2018 and after that date. In the case
there is a dispute over the processing of personal data contained in these documents, the disclosure of which to the breach
the moment of detection. The violation has been established regarding the processing of personal data performed by SIA “Lursoft IT”,
publishing information regarding the legal entity to be submitted to the Register of Enterprises and the legal entity
registrations containing personal data included in the non - public part of the factual registration file; and

other documents (in documentary form) on the website of SIA “Lursoft IT” lursoft.lv
In the "Documents" section of the company database.
       Second, the Data State Inspectorate evaluates the processing of personal data, not the document itself
acquisition and publication. The official in the contested decision did not state that the documents which
were in the registration file before 1 August 2018 are considered to be limited
access to documents, since such a finding has no effect on the contested decision
conclusions reached. As mentioned above, the Data State Inspectorate did not assess whether SIA “Lursoft

IT ”obtained the personal data legally and the illegality of the processing of this particular personal data also
not found in the contested decision. The contested decision assesses only whether in 2020 SIA
The processing of data by Lursoft IT when publishing documents containing personal data is appropriate
the legal norms that were in force at the time of the performance of the specific activity - publication.
       The contested decision finds that the processing of personal data by SIA Lursoft IT
At the time of publication, Article 4 of the Law “On the Register of Enterprises of the Republic of Latvia” was in force

point (a) of paragraph 3 of the first subparagraph, which sets out exhaustively the types of documents which
to be included in the public part of the registration file. Paragraph four of this article provides that registration
the information and documents included in the non-public part of the case are restricted access information.
Section 4.10, Paragraph eleven of the Law “On the Register of Enterprises of the Republic of Latvia” provides that
The recipient of the information kept by the Register of Enterprises shall not have the right to re-use it
documents included in the non-public part of the file of registration of legal entities and legal facts.
Taking into account that the publication of documents containing personal data by SIA “Lursoft IT” 12

At the time these documents were included in the non-public part of the registration file, the person was found
breach of data processing by processing personal data without Article 6 (1) of the Data Regulation
legal basis. In this respect, there is no legal significance to the fact that historically these
documents containing personal data had a generally accessible status. In the contested decision
the decision did not establish a violation regarding the disclosure of personal data by SIA “Lursoft IT”

at the time when these documents containing personal data were generally available.
       Section 4, Paragraph one, Clause 3 of the Law “On the Register of Enterprises of the Republic of Latvia”
The purpose of point (a), the fourth paragraph and the eleventh paragraph of Article 4 is to define them
the types of documents, the disclosure of which is not permitted during the validity of the legal norm.
Given that disclosure of those documents is not permissible, it is also clear that
the disclosure of personal data contained therein is prohibited. There is ample evidence in the case that this

During the validity of the legal norm, SIA “Lursoft IT” has published those containing personal data
documents which have been determined by the legislator as non-public. There is nothing in this respect
importance of the fact that it has historically been possible to make such documents public. It is illegal to do
an act prohibited by the legislature solely on the basis of the fact that ever such an act
was permissible. The Data State Inspectorate did not assess or establish a violation of SIA Lursoft IT
for the publication of documents by it during the period in which such publication was authorized.


       [5.1.1.] At the same time, the Director draws attention to the fact that it would be possible to assess whether persons
The general availability of documents containing data also means that the personal data contained therein
they have a generally accessible status and are not subject to the processing of personal data
regulatory provisions.
       In the Director's view, the processing of personal data is in any case covered by the Data Regulation
and the resulting claims, and SIA “Lursoft IT” as a controller of personal data processing had

the regulatory enactments regulating data processing must be observed. This conclusion follows from both
Agreements concluded between the Register of Enterprises and SIA “Lursoft IT”, which contained a reference to the fact that
The information provided by the Business Register may include restricted information, and Ltd.
Lursoft IT restricted access information must be used in accordance with the requirements of regulatory enactments,
as well as a confirmation from SIA “Lursoft IT” that it will not transfer restricted access information
third parties, as well as the regulations of the Cabinet of Ministers, which regulated the issuance of information

from the Register of Enterprises, provided that upon receipt of the information provision
the recipient of the information, as the controller, is independently responsible for the compliance of the processing of personal data
regulatory enactments regulating the protection of personal data.
       Thus, receiving personal data from the Register of Enterprises, regardless of whether this data
were included in a publicly available or restricted access document, SIA “Lursoft IT” had to be evaluated
the legal basis for such data processing, including the proportionality between the interests of SIA Lursoft IT

publication of data and the interests of data subjects not to publish this information. Finding that data
the interests of the subject prevail and there is no legal basis for the processing of personal data, personal data
processing, including disclosure, should be stopped immediately, even if personal data
are contained in a publicly available document.
       At the same time, given that that aspect was not assessed separately in the contested decision
and no penalty has been imposed for it, the Director will not assess it further.


       [5.1.2.] The reference of SIA “Lursoft IT” to the fact that the official should have been also not substantiated
to apply all four methods of interpretation of legal norms. Law “On the Republic of Latvia
4. The legal provision contained in the eleventh paragraph of Article 10 is unequivocal,
clearly stating that the recipient of the information in the registers kept by the Register of Enterprises has no rights
to re-use the documents included in the files of registration of legal entities and legal facts

in the non-public part. The grammatical text of a legal provision also clearly indicates its meaning and purpose.
An interpretation of a provision of law cannot lead to a different result if the wording of that provision is unambiguous.
       Moreover, even if included in Article 4. 10 of the Law “On the Register of Enterprises of the Republic of Latvia”
legal provision would be assessed in depth, it could not lead to different conclusions. In this 13

It is important to note that the contested decision assesses the processing of personal data and not
disclosure or re-use of documents as such. Namely, regardless of the registers
the information contained was in the public or non-public part, in respect of those documents
the personal data contained therein and the operations with them had to comply with the processing of personal data
regulatory framework. Just because a document is public does not automatically mean that
the personal data contained therein become publicly available information in respect of which it does not exist

the Data Regulation applies. At the same time, if the legislator has established a mandatory provision in a legal norm,
a clear ban on the publication of certain types of documents, including personal data
prohibition of processing, the applicator of a legal norm cannot come to a translation of legal norms
conclusion that he is not covered by this provision.

       [5.2.] SIA “Lursoft IT” expresses the opinion in the submission of contestation that the restriction
to re-use the documents received from the Register of Enterprises in accordance with the Cabinet

Regulation No. of 27 March 2018 191 “Regulations on the Enterprise of the Republic of Latvia
register information issuance and other paid services ”(hereinafter - the Regulations on
Business Register for Paid Services) has existed since 1 August 2018 and does not exist
applicable to historical documents received before 1 August 2018.
       The Director repeatedly draws attention to the fact that the Law “On Enterprises of the Republic of Latvia
Articles 4.0 and 4.15 of the "register" clearly and unequivocally prohibit the disclosure of documents
which, at the time of the validity of the legal norm, is in the non-public part of the registers. Not in these or in others

The legislation does not contain any indication that that prohibition does not apply to
documents already in the possession of re-users. Also the provision of the Enterprise Register
for paid services, paragraph 48 explicitly stated that persons who until 2018
March 31, received information for re-use in accordance with the Cabinet of Ministers of 2014
June 3 regulations no. 277 "Information from the Register of Enterprises of the Republic of Latvia
the conditions for the re - use of documents laid down in those rules
cases of registration of a legal entity or a legal fact shall apply as of 1 August 2018.

As a result, a ban on re-use, including publication, came into force on 1 August 2018,
documents that are currently in the non-public part of the register.
       The reference to the fact that from the law “On Latvia
Paragraph 35 of the Transitional Provisions of the draft Law on Business Registers of the Republic of Latvia was deleted
provided that the recipients of information from the Register of Enterprises shall ensure that it is not re-used
available information for which restricted access status has been established, even if they do so

have received the information prior to the amendment of this Law, which determines restricted access
information status, entry into force, therefore SIA “Lursoft IT” has the right to publish this information.
The exclusion of this legal norm from the draft law only indicates that with regard to
the use of restricted information is subject to the general rules laid down by
there was no need to repeat the bill, and this obligation was included in the provision on
Business Register paid services in paragraph 48. Nor can such a law be considered
the rule has retroactive effect, as it applies only to those activities which are carried out by law

during the period of validity of the provision. The Data State Inspectorate evaluates the document performed by SIA “Lursoft IT” and
the disclosure of the personal data contained therein which is currently taking place in accordance with the legal provisions which are
applicable to personal data processing, which took place until 2018
August 1, the Data State Inspectorate shall apply the legal norms in force at that time. In addition
It should be noted that the contested decision did not assess at all the activities carried out by SIA Lursoft IT
before 1 August 2018.


       [6.] The statement of opposition states that the legal basis for the processing of personal data
are the legitimate interests of third parties. Namely, SIA “Lursoft IT” processing personal data
In the interests of the subjects of the Law on the Prevention of Money Laundering.
       The director points out that the contested decision comprehensively assesses the work performed by SIA Lursoft IT
compliance of the data processing with Article 6 (1) (f) of the Data Regulation, which is also reflected in Article 14 of this Regulation

2.6.2 of the decision. in point. In particular, the contested decision explains that there are legitimate interests
means, inter alia, that they must be lawful, implemented in a way that complies with data protection
and other legislation. In other words, a legitimate interest must be acceptable under
legislation. Taking into account that the interests of SIA “Lursoft IT” cannot be assessed as legitimate, also
the processing of personal data performed on the basis thereof shall be recognized as unlawful.
        In addition, the Director explains that legitimate interests are one of the six Data Regulations

The legal bases contained in Article 6 (1) which allow the processing of personal data.
According to Article 6 (1) (f) of the Data Regulation, the processing of personal data is lawful
only to the extent and only if such processing is necessary for the legitimate interests of the controller or a third party
interests, unless the interests or fundamental rights and freedoms of the data subject
who need the protection of personal data take precedence over such interests, in particular where:
the data subject is a child. Legitimate interests are inherently more flexible than other Data
the legal bases for the processing of personal data contained in Article 6 (1) of the Regulation and could

be extended in principle to any processing operation of personal data for a reasonable purpose.
Given that this basis for the processing of personal data can be applied to a very wide range of controllers
interests, it obliges the controller to perform a balancing test in assessing whether the controller
the interests in each particular case prevail over the interests of the data subject on his or her personal data
protection.
        A legal norm that allows the processing of personal data on the basis of the legitimate interests of the controller
interests can be conditionally divided into three parts. Namely, it is necessary to establish that 1) exists

legitimate interest of the controller; 2) personal data is required for the implementation of this legitimate interest
processing; 3) the interests or fundamental rights and freedoms of the data subject do not take precedence over those of the controller
legitimate interest in the processing of personal data. This means that a controller alone is not enough
a statement that the processing of personal data is necessary to achieve his or her legitimate interests. Lai
based on Article 6 (1) (f) of the Data Regulation, the controller must be able to prove everything
the existence of three elements.
        As already mentioned, a very wide range of interests of the controller can be considered as legitimate interests.

The legitimate interests of the controller may also include the pursuit of the interests of third parties. The following third
the interests of the persons are to be assessed and taken into account when deciding whether the interests of the data subject are present
prevalent (in the examination of the third criterion mentioned above).
        Section 1 (5) of the Freedom of Information Act states that re-use is an institution
use of publicly available information held by the authority for commercial or commercial purposes; or
for non-commercial purposes other than the original purpose for which the information was created, if any

an individual who uses the information at the disposal of the institution without performing public administration
tasks. The mentioned legal norm indicates the interest of SIA “Lursoft IT” to publish documents and
to process personal data for commercial purposes by providing a service to third parties.
The Director acknowledges this interest as justified and significant. In addition, the Director agrees that in the implementation of his
interest is also indirectly exercised by the recipients of services, including the proceeds of crime
the interest of the subjects of the prevention law to access the information they need as easily as possible.
        At the same time, while interest may be significant, it must also be legitimate. Any

interest - substantial or insignificant - if it is illegal or unethical cannot be considered legitimate
Within the meaning of Article 6 (1) (f) of the Data Regulation.
        Thus, if it is established that SIA "Lursoft IT" processes personal data for its own commercial
interests and indirectly also in the interests of the subjects of the Law on the Prevention of Money Laundering,
however, such processing violates legal prohibitions on the processing of personal data, as follows
the processing of personal data cannot be considered legitimate and in compliance with the Data Regulation.
        In the present case, both the contested decision and that decision state on several occasions that:
                                                                                   15
SIA “Lursoft IT” contrary to the first of Article 4 of the Law “On the Register of Enterprises of the Republic of Latvia”
paragraph 3 (a), the fourth subparagraph and the eleventh paragraph of Article 4
has published information regarding the subject to be submitted to the Register of Enterprises and the legal entity for the prohibition
and 15 containing personal data included in the non - public part of the legal fact registration file

registration and other documents (in documentary form) on the website of SIA “Lursoft IT”
lursoft.lv in the section “Documents.
       In view of the above, no legitimate interest of SIA “Lursoft IT” in personal data can be established
processing of personal data has been carried out in breach of Article 6 of the Data Regulation, namely
the processing was carried out without a legal basis. If the interest for which personal data was made
processing is found to be unlawful, no further evaluation of the processing is required,

clarifying the necessity of personal data processing for the implementation of the interest or the data subject
interests, as these assessments cannot legitimize the processing of personal data which already exist
found to be unlawful, that is to say, without the existence of a legitimate interest.

       [7] The statement of opposition states that the official is not in the contested decision
has clarified the legal basis for the processing of personal data in relation to the Insolvency Register
disclosure of information 5 years after the end of insolvency:


       [7.1] SIA “Lursoft” by publishing information on the insolvency of a natural person,
based on Article 6 (1) (f) of the Data Regulation to provide a third party
respect for legitimate interests.
       Although with regard to the disclosure of data on the insolvency of a natural person in the disputed
the decision does not explicitly refer to point (f) of the first paragraph of Article 6 of the Data Regulation,
that does not mean that the contested decision does not assess that legal basis at all. These rights

an in-depth analysis of the provision has not been carried out as it has been identified as the only possible basis for personal data
processing.
       At the same time, both the contested decision states and the Director finds that SIA
“Lursoft IT” processing of personal data performed by it in relation to SIA “Lursoft IT” website
lursoft.lv Information and documents about natural persons placed in the insolvency database
historical insolvency proceedings for which a record of a natural person
termination of insolvency proceedings made more than one year ago cannot be based on Data

Article 6 (1) (f) of the Regulation, as in this case the interests of the data subject
the protection of its personal data prevails over the interests of SIA “Lursoft IT” regarding data
publication.
       Also, processing of personal data by SIA “Lursoft IT”, publishing personal data
documents regarding the insolvency proceedings of a natural person, the termination of which
an entry made less than one year ago is considered lawful and made in accordance with the Data

Article 6 (1) (f) of the Regulation.

       [7.2.] The term for deleting records specified in the Insolvency Law is not applicable to
SIA “Lursoft IT”, because in accordance with Section 132, Paragraph three of the Insolvency Law there is such an obligation
applicable only to the responsible authority - the Register of Enterprises.
       The Director points out that Section 132, Paragraph three of the Insolvency Law and the related Data
A detailed explanation of the State Inspectorate 's reference is contained in the contested decision and is also set out in the contested decision

2.2 of this Decision. point. The director agrees with this argument.
       Section 132, Paragraph three of the Insolvency Law stipulates that information is made public by insolvencies
in the register during the insolvency proceedings of a natural person, as well as one year after the entry of
the dates of termination of the insolvency proceedings of a natural person.
       Although indeed the addressee of Section 132, Paragraph three of the Insolvency Law as for
the institution responsible for the insolvency register is the Register of Enterprises, but SIA “Lursoft IT”,
disclosure of personal data on the basis of Article 6 (1) (f) of the Data Regulation, as

in particular, in accordance with that provision, those factors had to be taken into account in the assessment of proportionality
the essence of a legal norm. It is also necessary to recall that the Data State Inspectorate legal norm
translation within the scope of its competence shall be performed only in connection with the documents of the insolvency register
processing of personal data contained in 16

       For the processing of personal data to be considered lawful, it must, inter alia, be carried out on the basis of
on one of the legal bases listed in Article 6 (1) of the Data Regulation. In the specific
In this case, SIA Lursoft IT published information on the insolvency of a natural person on the basis of
to Article 6 (1) (f) of the Data Regulation. On the mentioned legal basis SIA “Lursoft IT”
refers in its application and is not called into question and is therefore assessed separately
in the contested decision.

       Nor is it challenged in the contested decision and, consequently, will not be singled out in this decision
it is assessed that the processing of personal data by publishing information on the insolvency of a natural person
one year after the record of the date of termination of the insolvency proceedings of the natural person, is
legal and complies with the rules on the processing of personal data. Namely, the dispute is only about whether Ltd.
Lursoft IT was able to publish personal data on the insolvency of a natural person for more than one
one year after the record of the date of termination of the insolvency proceedings of a natural person.
       The Director notes that the legal basis of SIA "Lursoft IT" is personal data of natural

for the disclosure of a person's insolvency for more than one year after the entry of a natural person
the dates of the closure of the insolvency proceedings in accordance with Article 6 (1) (f) of the Data Regulation
there is a legitimate interest in obtaining an economic advantage by providing a particular type
services for third parties. Undoubtedly in its own way also provided by SIA “Lursoft IT”
Recipients of the service have an interest in accessing the published personal data on the basis of
different legal bases for the processing of personal data (receipt and further processing)
However, it cannot be considered that SIA “Lursoft IT” acts on behalf of these persons and

in the absence of an individual legitimate interest in obtaining an economic advantage.
This consideration is also implicitly confirmed by Article 1 (5) of the Freedom of Information Act,
according to which re-use is at the disposal of the institution and made public by the institution
use of the information for commercial or non-commercial purposes other than that information
the original purpose of the creation, if it is done by an individual whose information is in the possession of the institution
used without performing public administration tasks. Interests of third parties to access personal data
documents, as already mentioned in paragraph 6 of this Decision, can be assessed in a balancing exercise

a test between those interests of the third party and the controller and the interests, fundamental rights and interests of the data subject
fundamental freedoms.
       In order to use legitimate interests as a legal basis, it is necessary to strike a balance
the legitimate interests of the controller or of third parties must be weighed against the data
interests or fundamental rights and freedoms of the subject. Legitimate application of this legal basis
it is necessary to have three cumulative conditions at the same time: 1) the data controller or the third

the existence of legitimate interests of the persons to whom the data are disclosed; 2) the need to process personal data
respect for legitimate interests; The condition that the fundamental rights of the person do not prevail; and
freedoms covered by data protection. The existence and need for a legitimate interest
to process personal data in order to pursue these legitimate interests, there is no dispute. Namely, the Data State
in the opinion of the inspection, a third is missing for the application of Article 6 (1) (f) of the Data Regulation
element - the interests of SIA “Lursoft IT” in the specific case do not prevail over the data subject
interests and non-disclosure of data after one year has elapsed since the entry of the natural person

the dates of termination of the insolvency proceedings.
       By adopting the legal norm included in Section 132, Paragraph three of the Insolvency Law,
the legislature has, inter alia, assessed whether the public interest in receiving information about natural persons
insolvency after a certain period of time is more important than the data subject's rights to these data
not to publish. In conducting the balancing test, the legislature has come to the conclusion that the public
interest without restriction to receive this information exists only one year after the entry of the physical
the date of termination of the person's insolvency proceedings. At the end of this period, the rights of the data subject

protection of their data and non-disclosure of information are considered a priority. Guided
from this assessment, the legislator has also obliged the Register of Enterprises to delete this information.
It is this assessment that, in the opinion of the Data State Inspectorate, is binding on any other person, including
SIA “Lursoft IT”, which publishes data of identical content. In addition, given that the Company
The Registry shall publish personal data on the insolvency of a natural person on the basis of Article 17 of the Data Regulation

Article 6 (1) (c) and (e) in the public interest, this assessment is all the more so
applies to the processing of personal data performed by SIA “Lursoft IT”, which is based on economic
interest rather than a real and immediate public need. It would not be acceptable for SIA “Lursoft
IT ”or any other private person from Article 6 (1) (f) of the Data Regulation
the resulting assessment of proportionality would lead to the opposite conclusion than the legislature,
that his interests prevail. As stated in the contested decision, such interpretations

as a result, the purpose of Section 132, Paragraph three of the Insolvency Law would not be achieved, as it would be
the publication of personal data, the receipt of which to the public is not predominant, has been continued
interest.
       In addition, the first sentence of recital 47 of the Data Regulation states that
controller, including the controller to whom the personal data may be disclosed, or the legitimate
the interests of the data subject may be the legal basis for the processing, provided that the interests of the data subject or
fundamental rights and freedoms are not more important in the light of the reasonable expectations of data subjects, which

based on their relationship with the manager. In this case, the data subject on the basis of
The third part of Section 132 of the Insolvency Law is expected that data about him will no longer be made public
available to anyone interested, as the legislator has stipulated that longer disclosure of personal data
not in the public interest. The data subject does not expect re-users to continue his personalities
disclosure of data for profit only because they are not covered by the Insolvency Law
Article 132, third paragraph, direct addressees.
       Thus, although SIA Lursoft IT does not have Section 132, Paragraph three of the Insolvency Law

the direct addressee, he is bound by the essence of this legal norm and the legislator included therein
interpretation in assessing the proportionality between the data subject's interests in his or her personal data
protection and control over their personal data and the interest of SIA “Lursoft IT” and their customers
continue to process personal data without any restrictions.
       In view of the above, the Director concludes that the contested decision rightly concludes that SIA
For data processing performed by Lursoft IT, publishing information on the insolvency of a natural person
proceedings for more than one year after the entry of the insolvency proceedings of a natural person

there is no legal basis referred to in Article 6 (1) of the Data Regulation.

        [7.3] The statement of opposition states that the publication of personal data 5 years after
the end of the insolvency is in the interests of the clients of SIA Lursoft IT.
       The director does not doubt that the clients of SIA “Lursoft IT” may be interested in accessing persons
data 5 years after the entry of the insolvency proceedings of a natural person

however, in the light of the contested decision and Article 7.2 of that decision. contained in paragraph
an assessment leading to the conclusion that the data subject has an interest in his or her person
non-disclosure of data one year after the entry regarding the termination of the insolvency proceedings of a natural person
prevails over the general interest of the public and third parties on such personal data
disclosure, this argument has no legal significance in the present case.
       In addition, it should be noted that in the event that a particular person has a legal interest in acquiring and
to process personal data regarding the insolvency proceedings of a natural person after it has passed

It has an opportunity to apply to the Register of Enterprises with a separate request.
In this case, the Register of Enterprises as the controller of personal data processing in each specific case
perform a proportionality test assessing the interests of the data subject and the third party in relation to the data
interests of the entity.

       [8] In the appeal, SIA Lursoft IT states that the contested decision does not contain
reasonable reasons for choosing a fine among other regulatory means, nor fully justified

all the criteria provided for in Article 83 of the Data Regulation for determining the penalty and its amount have been assessed. SIA
Lursoft IT considers that the contested decision does not comply with Articles 58 and 83 of the Data Regulation,
Section 16, Paragraph one and Section 153, Paragraph one, Clause 8 of the Administrative Liability Law.
       The Director points out that in accordance with Section 19, Paragraph two of the Administrative Liability Law,
in determining the nature and extent of the administrative penalty, the nature of the offense committed shall be taken into account;

the personality of the called person (for a legal person - reputation), property status, violation
mitigating and aggravating circumstances. In addition to the Data Regulations
The second paragraph of Article 83 provides that when deciding whether to impose an administrative fine, and
when deciding on the amount of the administrative fine, as appropriate in each case
take into account the elements set out in points (a) to (k). It must be stated that the contested decision
6.3. An explanation of the justification for the administrative fine was provided in paragraph 1, including

the nature of the violation and the degree of cooperation with the supervisory authority, the core activities of SIA “Lursoft IT”
the number of data subjects affected, the persistence of the breaches and other circumstances. Would be
it should be noted that Article 83 (5) of the Data Regulation provides that the supervisory authority shall apply
administrative fines of up to EUR 20 000 000 or, in the case of an undertaking, up to 4% of
its total worldwide annual turnover in the preceding business year, whichever is the greater
the amount is higher. In view of the above, with regard to the amount of imposition of a penalty Inspectorate
is not limited to the amount of 4% of turnover, but is entitled to impose an administrative fine of up to 20 million.

euro. In determining the specific penalty, the Inspectorate took into account the turnover of the manager, but applied all of them
the criteria set out in the Data Regulation to determine the amount of the penalty.
       At the same time, it should be noted that the first part of Section 153 of the Administrative Liability Law determines
the content of the decision imposing the penalty, including in paragraph 10 the decision to indicate the person
the penalty imposed. At the same time, this part of the article does not specify how the appropriate should be reflected
justification of the penalty. The Director has obtained an assessment of the contested decision and the case file
confidence that the penalty imposed is reasonable, proportionate and dissuasive.

       The mere fact that the contested decision indicates the fine in euros and not in units of the fine
cannot affect the validity of this Decision. It should be noted that penalties for personal data
non-compliance with the protection requirements are set out in the Data Regulation, which expresses the amount of the fine in euros instead of
in fine units. Given that there can be no regulation of European Union law
subordinate to the national procedural regulations, the Inspectorate imposes penalties in accordance with the Data
requirements of this Regulation, namely by setting the penalty in euro.
       The contested decision also lists specifically the legal provisions in respect of which it was established

infringement and the penalty imposed, namely Article 83 (5) (a) of the Data Regulation.


       In the light of the foregoing, in the light of the case - file and the application,
in accordance with Section 132, Section 168, Paragraph one, Section 172 and of the Administrative Liability Law
Article 173, first paragraph, point (1), the Director concludes that the contested decision is well founded and

legal, therefore decides to leave the contested decision unchanged and the appeal application
reject.

       In accordance with the first paragraph of Article 184 and the first paragraph of Article 186
the Applicant may appeal against this decision within 10 working days from the date of notification of the decision
in an administrative violation case in a district (city) court according to the legal address of the Applicant,
by submitting a complaint to the Data State Inspectorate (Elijas Street 17, Riga, LV-1050), which

within the period after the deadline for submission of the complaint, the complaint with the case materials shall be sent to the district
(city) court of jurisdiction.



Director J.Macuka


[…]


EXTRACT CORRECT