Latvia Data Privacy Laws: GDPR Implementation Guide (2026)

Latvia occupies a unique position in the European data protection landscape as a Baltic nation that has built a modern privacy framework from the ground up over the past two decades. After regaining independence in 1991, the country moved steadily toward EU alignment, and its data protection regime now reflects both European standards and national priorities.
This guide covers Latvia's complete data protection framework, from the implementing legislation and the DVI's enforcement record to breach notification requirements and the criminal penalties that set Latvia apart from many of its EU neighbors.
Legal Framework and GDPR Implementation
Latvia's data protection system rests on two primary legal pillars. The GDPR applies directly as EU law across all member states, while the Personal Data Processing Law (the "DPL") supplements it with nationally specific provisions.

The DPL entered into force on 5 July 2018, replacing the earlier Law on the Protection of Personal Data of Natural Persons that had been in effect since 2000. The new law was specifically designed to fill the gaps where the GDPR grants member states discretion over implementation details.
Structure of the Personal Data Processing Law
The DPL is organized into nine chapters containing 39 sections. These chapters address the scope of the law, the supervisory authority, lawful processing grounds, data subject rights, and remedies.
Key national provisions in the DPL include rules on the processing of personal identification numbers, the age threshold for children's consent, qualifications for data protection officers, and supplementary conditions for processing in employment and public interest contexts.
The DPL does not specify language requirements for privacy notices. However, Latvian official language law determines the language that must be used for relevant processing activities. In practice, this means that communications directed at consumers, public bodies, and employees who do not speak the language of the document must be provided in Latvian.
Constitutional Protections
Latvia's commitment to data protection also has constitutional roots. The Latvian Constitution (Satversme) recognizes the right to privacy in Article 96, which protects the inviolability of private life, home, and correspondence. This constitutional foundation provides an additional layer of protection beyond what EU law requires.
The Data State Inspectorate (DVI)
The Datu valsts inspekcija (Data State Inspectorate, or DVI) is Latvia's national data protection authority. Established in 2001, it is a functionally independent institution responsible for enforcing the GDPR and the DPL within Latvia.
DVI Powers and Authority
The DVI holds the full range of powers set out in GDPR Article 58. These include investigative powers, corrective powers, and authorization and advisory powers.
On the investigative side, the DVI may visit premises where data processing takes place, demand information from controllers and processors using all lawful methods, and carry out data protection audits. The inspectorate can obtain access to all personal data and all information necessary for its investigations.
The DVI's corrective powers enable it to issue warnings and reprimands, order controllers and processors to comply with data subject requests, impose temporary or permanent bans on processing, and levy administrative fines under GDPR Article 83.
The DVI also maintains a unique role in DPO certification. It arranges qualification tests for data protection officers and examines whether individuals meet the requirements for maintaining their professional qualifications. Appointing a DVI-listed DPO is not mandatory: controllers and processors may choose someone from the inspectorate's roster or appoint any other person who meets the GDPR Article 37(5) requirements.
DVI Strategic Priorities
The DVI's strategic plan for 2021 to 2025 focused on promoting the implementation of personal data protection through cooperation with both the public and private sectors. Key priorities included educating the public, remedying violations promptly, and minimizing bureaucratic and repressive functions in favor of proactive guidance.
The inspectorate has emphasized a balanced approach, combining enforcement action against serious violations with educational outreach to help organizations understand and comply with their obligations.
Notable Enforcement Actions and Fines
While Latvia is not among the EU's most aggressive GDPR enforcers by volume, the DVI has issued several significant fines that demonstrate its willingness to act against organizations that violate data protection rules.
SIA TET: EUR 1,200,000 (2022)
The largest GDPR fine in Latvian history was imposed on SIA TET, one of Latvia's major telecommunications companies. The DVI found multiple violations of Articles 5(1) and 6(1) GDPR.
The investigation revealed that TET failed to verify customer identities before signing service agreements. The company then transferred personal data, including data belonging to a minor, to a debt recovery service without proper verification or a lawful basis. TET also compared personal data of old and new customers in its database without authorization, violating the principles of lawfulness, purpose limitation, accuracy, and storage limitation.
This case sent a strong signal to Latvian businesses that the DVI is prepared to impose substantial fines for systemic data protection failures.
SIA DEPO DIY: Consent Violations
The DVI investigated SIA DEPO DIY, a major retail chain, after receiving customer complaints. The investigation found that customers who refused to obtain a loyalty card, and therefore did not consent to personal data processing, were denied access to certain additional services.
The DVI held that this arrangement violated the definition of consent under GDPR Article 4(11), because consent cannot be considered freely given if withholding it results in the customer losing access to services entirely. The inspectorate also found that DEPO DIY inappropriately relied on consent as the legal basis for processing related to invoices, when that processing did not actually depend on the customer's choice. Data minimization violations were also identified.
SIA Lursoft IT: EUR 65,000
The DVI fined SIA Lursoft IT EUR 65,000 for breaching Articles 5(1)(a), (b), (c) and 6(1) GDPR. Lursoft had published information from the Insolvency Register on its website even though more than one year had passed since the termination of the relevant insolvency proceedings.
Additionally, Lursoft published non-public data received from the Register of Enterprises, including registration numbers for legal entities, despite an agreement that prohibited sharing this information with third parties. The DVI found that Lursoft had no valid legal basis for continuing to process and publish this personal data.
SIA QUANTRUM: Audio Recording Via CCTV
The DVI found that SIA QUANTRUM was recording audio through CCTV cameras, which violated Articles 5(1)(a) and (c) and 6(1) GDPR. The inspectorate ordered the company to stop recording audio in connection with its video surveillance system, finding that the audio capture went beyond what was necessary and proportionate.
Online Retailer: EUR 7,000 (2019)
In one of its earlier GDPR enforcement actions, the DVI imposed a EUR 7,000 fine on an online retailer for data protection violations. While modest by comparison to later fines, this case demonstrated the DVI's intent to enforce GDPR requirements across all sectors.
Breach Notification Requirements
Latvia follows the standard GDPR breach notification framework established in Articles 33 and 34 of the regulation. There are no significant national derogations from these requirements.
Notification to the DVI
When a personal data breach occurs, the controller must notify the DVI within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, the controller must provide a reasoned justification for the delay.
The notification to the DVI must include the nature of the breach, the categories and approximate number of data subjects affected, the categories and approximate number of personal data records affected, the name and contact details of the data protection officer or other contact point, a description of the likely consequences, and a description of the measures taken or proposed to address the breach.
Notification to Data Subjects
When a breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must also notify the affected data subjects without undue delay. This notification must describe the nature of the breach in clear and plain language and provide the same information about consequences and remedial measures.
Data subject notification is not required if the controller has implemented appropriate technical and organizational measures that render the data unintelligible (such as encryption), if the controller has taken subsequent measures that ensure the high risk is no longer likely to materialize, or if individual notification would involve disproportionate effort, in which case a public communication may be used instead.
Processor Obligations
Data processors must notify the controller without undue delay after becoming aware of a personal data breach. This obligation exists regardless of whether the breach is likely to result in risk to data subjects. The processor's notification should provide sufficient information for the controller to fulfill its own obligations to the DVI and affected individuals.
Penalties and Criminal Liability
Latvia's penalty framework is notable for combining standard GDPR administrative fines with criminal sanctions under the national Criminal Law. This dual approach gives authorities more tools to address data protection violations.
Administrative Fines Under GDPR
The DVI can impose administrative fines following the two-tier structure set out in GDPR Article 83. For less serious infringements, fines can reach up to EUR 10 million or 2% of total worldwide annual turnover from the preceding financial year, whichever is higher. For more serious infringements, the maximum rises to EUR 20 million or 4% of total worldwide annual turnover.
The DVI has developed its own mechanism for calculating fine amounts, taking into account factors such as the nature and severity of the violation, whether the infringement was intentional or negligent, the number of data subjects affected, and the degree of cooperation with the authority.
Criminal Penalties Under Section 145
Section 145 of the Latvian Criminal Law, titled "Illegal Activities Involving Personal Data of Natural Persons," establishes three categories of criminal offense.
The first category covers illegal activities involving personal data that cause substantial harm. The punishment includes deprivation of liberty for up to two years, temporary deprivation of liberty, community service, or a fine.
The second category targets controllers or processors who carry out illegal data processing for the purpose of vengeance, property acquisition, or blackmail. This carries a more severe penalty of up to four years' imprisonment, along with alternatives of temporary deprivation of liberty, community service, or a fine.
The third and most serious category addresses individuals who influence a controller, processor, or data subject using violence, threats, abuse of trust, bad faith, or deceit to carry out illegal data processing activities. This can result in imprisonment for up to five years.
These criminal provisions are significant because they create personal liability for individuals involved in data protection violations, going beyond the organizational liability that GDPR administrative fines address.
Data Protection Officer Requirements
Latvia has not expanded the mandatory DPO appointment requirements beyond those set out in GDPR Article 37(1). A DPO must be appointed when processing is carried out by a public authority or body, when core activities require regular and systematic monitoring of data subjects on a large scale, or when core activities involve large-scale processing of special category data or criminal conviction data.
DPO Qualifications and the DVI Roster
The DVI maintains a list of qualified data protection officers. Controllers and processors may appoint a person from this roster or choose any other individual who meets the professional qualities and expert knowledge requirements specified in GDPR Article 37(5).
The DVI arranges qualification tests for prospective DPOs and examines whether existing DPOs continue to meet the requirements for maintaining their professional qualification. This certification function is distinctive among EU member states and provides organizations with an additional avenue for identifying qualified candidates.
Children's Data and Consent
Latvia has set the minimum age for valid digital consent at 13 years old, exercising the option under GDPR Article 8 to lower the threshold from the default of 16. This makes Latvia one of the member states with the lowest consent age in the EU.
For children under 13, consent for information society services must be given or authorized by the child's parent or legal guardian. Organizations offering digital services to children must make reasonable efforts to verify that consent is given or authorized by the holder of parental responsibility, taking into account available technology.
International Data Transfers
Latvia follows the standard GDPR framework for international data transfers established in Chapter V of the regulation. Personal data may be transferred to third countries that have received an adequacy decision from the European Commission without additional safeguards.
For transfers to countries without adequacy decisions, controllers and processors may rely on appropriate safeguards including Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), codes of conduct, or certification mechanisms.
There is generally no requirement for prior approval from the DVI when using Standard Contractual Clauses. However, approval from the supervisory authority is necessary to rely on Binding Corporate Rules. The DVI must also be informed of transfers made using the minor transfers exemption under GDPR Article 49.
Employee Data Protection
Latvia's data protection rules apply fully in the employment context. Employers processing employee personal data must comply with both the GDPR and the DPL, and must have a lawful basis for each processing activity.
Workplace Monitoring and CCTV
Video surveillance in the workplace is permitted but subject to strict conditions. If a controller uses notices to inform data subjects of CCTV, the notice must indicate at minimum the name and contact information of the controller, the purpose of data processing, and information about the possibility of obtaining further details as specified in GDPR Article 13.
The DVI's enforcement action against SIA QUANTRUM demonstrates that audio recording through surveillance cameras faces particularly high scrutiny. Audio capture in connection with video surveillance must be justified on a case-by-case basis and is likely to be considered disproportionate in most workplace settings.
Permissible Processing in Employment
National law permits processing of certain types of employee data, including processing related to enforcement of rules regarding admissible job interview questions and processing in relation to an employer's duty to ascertain employee membership in a trade union before giving notice of termination of an employment contract.
Employers should be aware that relying on employee consent as a legal basis for processing is generally disfavored, given the inherent power imbalance in the employment relationship. Legitimate interests or legal obligation are typically more appropriate bases for employment-related processing.
CJEU Impact on Latvian Law
The Court of Justice of the European Union has directly addressed Latvian data protection law. In a June 2021 ruling, the CJEU found that EU data protection law precluded certain provisions of earlier Latvian legislation that required the public disclosure of personal data without adequate safeguards.
This ruling reinforced the principle that national transparency requirements must be balanced against data protection rights, and it has shaped how Latvia approaches the intersection of open government and personal data protection.
Practical Compliance Steps for Organizations
Organizations operating in Latvia or processing data of Latvian residents should take several key steps to ensure compliance.
First, conduct a thorough data mapping exercise to identify all personal data processing activities, their legal bases, and any international transfers. Ensure that privacy notices are available in Latvian where required by language law.
Second, review consent mechanisms carefully. The DEPO DIY enforcement action demonstrates that the DVI scrutinizes whether consent is truly freely given, particularly in consumer relationships where withholding consent may result in loss of services.
Third, establish robust breach notification procedures that can meet the 72-hour reporting deadline. Designate clear internal responsibilities for breach detection, assessment, and reporting.
Fourth, consider whether a DPO appointment is required under GDPR Article 37(1). If so, evaluate candidates from the DVI's certified roster alongside other qualified professionals.
Fifth, if processing children's data, implement age verification mechanisms appropriate to the 13-year consent threshold. Develop clear procedures for obtaining and verifying parental consent for younger children.
This article is for informational purposes only and does not constitute legal advice. Data protection laws change frequently. Consult a qualified attorney licensed in Latvia for guidance on your specific situation.