TAKING COUNSEL: Data Protection

  • 2007-11-07
  • by Elina Rubeze [Kronbergs & Cukste]
One of the main aims of data protection is to protect the privacy of the individual, and to ensure a balance between the individual's interests with those of third parties wishing to utilize personal data for legitimate purposes. Since 2000, this area has been governed by the Personal Data Protection Law, in content based on the European Parliament and Council Directive 95/46/EK of October 24, 1995, on the Protection of Individuals with regard to the processing of personal data and on the free movement of such data.

Almost all businesses engage in personal data processing of one sort or another, although some are probably not always aware of this. It may be that they have a database of something as seemingly innocuous as persons' names, surnames, and telephone numbers. Personal data is considered as consisting of any information, and which is identified or identifiable vis a vis the natural person. Amongst other data it includes name, surname, address, telephone number, person code, financial information, and unique features or other indicia by which a person can be identified. There is a separate category, considered sensitive data, which includes health information, sexual, religious, philosophical or political persuasion, membership in a trade union, ethnic origin and other data, the processing of which requires adherence to particular conditions.
Any of the following actions with personal data is considered data processing, triggering a registration requirement with the Data State Inspection: data collection, registration, recording, storing, arrangement, transformation, utilization, transfer, transmission and dissemination, blockage or erasure.

In accordance with the amendments of March 15, 2007 to the Personal Data Protection Law, as of September 1, 2007 a simplified personal data processing registration procedure was introduced. The amendments no longer require registration of the processing system, but the fact of data processing as such. In addition, there is no requirement to register if the processor appoints a personal data processing specialist, who is qualified under the law. A processor is any natural person or legal entity, state or municipal institution, which determines the purpose of data processing and methodology and takes responsibility for data processing and its conformity with the law.

The law provides that processors who have registered personal data processing systems with the Data State Inspection until September 1, 2007 may, free of charge, submit to the Data State Inspection by March 1, 2008 additional requisite information to ensure that the data processing is in compliance with the new registration requirements contained in the March 15, 2007 amendments to the law.
Sanctions for violation of the law according to the Code of Administrative Violations are as follows, with or without confiscation of tools by which the violation was committed:
A violation of lawful processing of personal data including sensitive personal data, violation of registered purpose and scope of processing personal data may trigger a fine of up to about 1,422 euros.
A violation of registration requirements regarding the data processing system and other violations of the law may trigger a fine of up to 355 euros.

Where no confiscatory element is included, with fines for non-compliance being so low, one may legitimately question whether serious disincentives are in place to ensure adherence to the law. Nevertheless, on reputational grounds as well as from a practical perspective, knowing that the scale of fines may change upwards in due course to more substantial levels, it is good practice to ensure that a company's personal data processing practices are in order. In this regard, seeking the professional advice of trained legal counsel experienced in data processing issues and solutions is a sensible move.

Elina Rubeze is a lawyer at Kronbergs & Cukste. Together with Teder Glickmann & Partnerid in Estonia and Jurevicius, Balciunas & Bartkus in Lithuania, Kronbergs & Cukste belongs to Baltic Legal Solutions, giving seamless legal service across the Baltics. Baltic Legal Solutions is also a member of the Pinsent Masons Luther Group, a pan European network of law firms, including the United Kingdom, France, Germany, Hungary, Austria
and the Baltics