Latvia Data Privacy Laws: GDPR, DVI Enforcement & Compliance Guide (2026)

Latvia enforces data privacy through the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and the national Personal Data Processing Law, in force since 5 July 2018, backed by a constitutional guarantee under Article 96 of the Satversme and criminal penalties under Section 145 of the Criminal Law.
Latvia operates one of the EU's most complete data protection regimes, combining the directly applicable GDPR with national implementing legislation, criminal sanctions, and a constitutional privacy guarantee that predates the GDPR by more than a decade. For businesses processing data of Latvian residents, compliance requires attention to all three layers.
This article covers Latvia's full data protection framework: the constitutional foundation, the implementing statute, the supervisory authority's powers and enforcement record, breach notification, data subject rights, DPO requirements, cross-border transfers, the EU AI Act overlay, and criminal liability under the Latvian Criminal Law.
This article addresses Latvia's data protection law under the GDPR and the national Personal Data Processing Law. It does not address sector-specific regimes such as electronic communications law or financial supervision rules. For the EU-level framework, see our EU data privacy laws overview. For Latvia's recording consent rules, see Latvia recording laws.
Quick Answer: What Are Latvia's Data Privacy Laws?
Latvia's primary data privacy instruments are the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and the Personal Data Processing Law (Fizisko personu datu apstrādes likums, DPL), which entered into force on 5 July 2018. The GDPR applies directly across all EU member states without transposition; the national law supplements it where the GDPR grants member states discretion. The Data State Inspectorate (DVI) enforces both instruments. Privacy also enjoys constitutional protection under Article 96 of Latvia's Satversme, which the Constitutional Court has used to strike down disproportionate data disclosure requirements. For most practical compliance purposes, GDPR obligations are the operative rules; the DPL adds national specifics on consent age, DPO qualification testing, employment-context processing, and criminal referral procedures.
Constitutional Basis: Satversme Article 96
Latvia's commitment to privacy has constitutional roots that predate the GDPR. Article 96 of the Satversme (Latvian Constitution) states: "Everyone has the right to inviolability of his or her private life, home and correspondence." Latvia's Constitutional Court has held that Article 96 encompasses protection of personal data, not merely physical spaces and communications.
The Constitutional Court has applied Article 96 actively in data protection contexts. In a 2021 ruling, the court found that Article 141(2) of the Road Traffic Law, which made a person's demerit points a matter of generally accessible public information, was incompatible with Article 96 because the restriction on private life was not proportionate to any legitimate public interest. In earlier cases, the court examined whether legislation requiring public-sector employers to publish employee remuneration data on their websites for at least eight years was compatible with Article 96, finding a disproportionate interference with private life.
These rulings establish an independent domestic standard: even where EU law does not require a particular level of protection, Latvian legislation that discloses personal data without adequate justification can be struck down under the Satversme. The constitutional baseline reinforces the GDPR and adds a layer that national legislators must respect when exercising the discretion the GDPR grants member states.

The Personal Data Processing Law (DPL)
The Personal Data Processing Law (Fizisko personu datu apstrādes likums) was adopted by the Latvian Parliament (Saeima) on 21 June 2018 and entered into force on 5 July 2018. It replaced the earlier Personal Data Protection Law, which had governed data processing in Latvia since 2000. The new law was designed specifically to exercise the national discretions available under the GDPR rather than to create an independent data protection regime.
Structure and Key Provisions
The DPL is organized into nine chapters containing 39 sections. Among other matters, the chapters address: the scope of the law; the supervisory authority and its powers; lawful processing grounds for specific national contexts; data subject rights and the exercise of those rights; obligations of controllers and processors; remedies, liability, and administrative sanctions; referral to criminal proceedings; and transitional provisions.
Key national provisions that the DPL adds to the GDPR framework include:
- Children's digital consent age. The DPL sets the minimum age for valid consent to information society services at 13, exercising the option under GDPR Article 8 to lower the default threshold of 16. Children under 13 require parental or guardian consent.
- Personal identification numbers. The DPL establishes specific rules for processing the Latvian personal identification number (personas kods), a uniquely sensitive identifier used across public and private administration.
- DPO qualification testing. The DPL gives the DVI authority to arrange qualification examinations for data protection officers and to maintain a roster of certified candidates. Appointing a DVI-listed DPO is not mandatory, but controllers may choose from that roster.
- Employment-context processing. The DPL permits certain processing activities in employment relationships, including processing related to permissible questions during job interviews and processing related to an employer's obligation to ascertain trade union membership before issuing a notice of termination.
- Public interest and research derogations. The DPL implements the GDPR's research and archival derogations, restricting data subjects' rights of access, rectification, erasure, and objection for processing carried out for scientific, historical, or statistical purposes to the extent those rights would materially hinder the research purpose.
Language Requirements
The DPL does not specify a language for privacy notices. However, Latvia's official language legislation requires that communications directed to consumers, public authorities, and employees be conducted in Latvian. In practice, privacy notices and consent forms directed at Latvian residents must be available in Latvian.
The Data State Inspectorate (DVI)
The Datu valsts inspekcija (Data State Inspectorate, DVI) is Latvia's national supervisory authority for personal data protection. Established in 2001 and operating as a functionally independent institution under the Cabinet of Ministers, the DVI holds the full suite of powers set out in GDPR Article 58.
Investigative Powers
The DVI may carry out data protection audits, visit premises where processing takes place, order controllers and processors to provide any information it requires, and obtain access to all personal data and information necessary to its investigations. It may also review certifications issued under GDPR Article 42(7) and obtain information from certification bodies.
Corrective Powers
The DVI may issue warnings where intended processing would likely violate the GDPR, issue reprimands where processing has already violated it, order controllers and processors to comply with data subject requests, impose temporary or permanent bans on processing, and levy administrative fines under GDPR Article 83. It may also withdraw or order the suspension of a certification.
Advisory and Authorization Powers
The DVI issues opinions on draft legislation and administrative measures. It approves binding corporate rules (BCRs). It publishes guidance on specific processing topics and handles complaints from data subjects. Controllers wishing to use BCRs as a transfer mechanism must obtain DVI approval before relying on them.
DPO Certification Function
The DVI's certification function for data protection officers is distinctive among EU supervisory authorities. The inspectorate arranges qualification tests and maintains a published roster of DPOs who have passed those tests. This function provides organizations with a state-endorsed mechanism for identifying qualified candidates, though it is not the only permissible route to DPO appointment under GDPR Article 37(5).
DVI Strategic Priorities
The DVI's strategic plan for 2021 to 2025 prioritized a balanced approach: enforcement against serious violations combined with education and proactive guidance for controllers and processors. The inspectorate worked to reduce bureaucratic burden while ensuring meaningful remedies for data subjects. Since the plan period ended, the DVI has focused additional attention on AI-related data processing risks following the EU AI Act's entry into force.
Legal Bases for Processing
Latvia does not alter the six legal bases for processing set out in GDPR Article 6(1). Controllers must identify and document a valid legal basis before processing commences. The six bases are:
| Legal Basis | GDPR Article | Key Considerations in Latvia |
|---|---|---|
| Consent | Art. 6(1)(a) | Must be freely given, specific, informed, and unambiguous. The DEPO DIY enforcement case established that conditioning service access on consent invalidates its voluntary character. |
| Contract | Art. 6(1)(b) | Processing must be objectively necessary for the contract, not merely convenient. |
| Legal obligation | Art. 6(1)(c) | The obligation must be imposed by EU or Latvian law on the controller. |
| Vital interests | Art. 6(1)(d) | Limited to situations where the data subject cannot consent and life is at stake. |
| Public task | Art. 6(1)(e) | Covers public authorities and private bodies exercising official authority. |
| Legitimate interests | Art. 6(1)(f) | Requires a balancing test; not available to public authorities acting in their official capacity. The DVI scrutinizes this basis in employment and marketing contexts. |
For special category data under GDPR Article 9 (health, biometric, genetic, racial, religious, political, and similar data), the DPL does not introduce additional national conditions beyond the exemptions in Article 9(2). Controllers must rely on one of those listed exemptions plus a legal basis under Article 6.
Data Subject Rights
Latvia implements the standard eight GDPR data subject rights: information (Articles 13-14), access (Article 15), rectification (Article 16), erasure (Article 17), restriction (Article 18), portability (Article 20), objection (Article 21), and rights related to automated decision-making (Article 22). The DPL introduces nationally specific limitations on some of these rights.
Access Right Restrictions
The right of access does not apply where processing is carried out for purposes of national security, state protection, public safety, criminal law activities, or taxation and financial market participant supervision. Controllers relying on these exemptions must still inform data subjects that processing is taking place (unless even that would compromise security purposes) and must inform the DVI.
Research and Archival Derogations
For scientific or historical research, statistical purposes, or archival purposes in the public interest, data subjects' rights of access, rectification, erasure, and objection may be restricted to the extent that full exercise would prevent or seriously impair the research or archival purpose. Controllers relying on these derogations must have implemented appropriate safeguards.
Official Publications
For data processed in official publications such as official gazettes, the right to erasure does not apply automatically, though the DVI may direct erasure where it concludes the data subject's rights outweigh the public interest in publication.
Breach Notification Requirements
Latvia follows the GDPR breach notification framework in Articles 33 and 34 without significant national derogations. The ZZ Dats case (discussed under enforcement) illustrates the consequences of a large-scale breach traced to inadequate security measures under Article 32.
Notifying the DVI
A controller must notify the DVI within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If notification is delayed beyond 72 hours, the controller must provide a reasoned explanation for the delay. Breach notifications are submitted through the DVI's dedicated online portal at pazinojums.dvi.gov.lv.
The notification must include: the nature of the breach and categories of data affected; the approximate number of data subjects and records involved; the name and contact details of the DPO or another contact point; a description of likely consequences; and a description of measures taken or proposed to address the breach and mitigate its effects.
Notifying Affected Individuals
Where a breach is likely to result in a high risk to individuals' rights and freedoms, the controller must also notify affected data subjects without undue delay. The notification must describe the breach in clear, plain language and provide the same information about consequences and remedial measures.
Notification to individuals is not required if: the controller applied encryption or other measures rendering the data unintelligible; subsequent measures eliminated the high risk; or individual notification would require disproportionate effort, in which case a public communication may substitute.
Processor Obligations
Processors must notify the controller without undue delay after becoming aware of a breach, regardless of whether that breach is likely to result in risk to data subjects. This obligation is unconditional on the processor's side; it is the controller's subsequent assessment that determines whether the DVI and individuals must be notified.
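The decision points in the Article 33 and 34 summary above can be encoded as a controller-side triage routine. The following Python sketch is an added example, not code from the page, the DVI or any Latvian source: it computes the 72-hour DVI deadline from the moment of awareness, flags when a reasoned explanation for delay must accompany the notice, applies the three Article 34(3) exceptions to individual notification, and checks a draft notification for the Article 33(3) content items. The risk levels, field names and the sample incident are assumptions chosen for illustration; the risk assessment itself remains a human judgement that the code does not make.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

# Art. 33(1): notify the supervisory authority "not later than 72 hours after having become aware".
DVI_DEADLINE = timedelta(hours=72)

# Art. 33(3): content of the notification to the supervisory authority (field names are assumed).
REQUIRED_FIELDS = (
    "nature",           # nature of the breach
    "data_categories",  # categories of personal data concerned
    "approx_subjects",  # approximate number of data subjects
    "approx_records",   # approximate number of records
    "contact",          # DPO or other contact point
    "consequences",     # likely consequences
    "measures",         # measures taken or proposed
)


class Risk(Enum):
    UNLIKELY = "unlikely"  # unlikely to result in a risk: no DVI notice, document internally (Art. 33(5))
    RISK = "risk"          # risk to rights and freedoms: notify the DVI (Art. 33)
    HIGH = "high"          # high risk: notify data subjects as well (Art. 34)


@dataclass
class Breach:
    aware_at: datetime                       # moment the controller became aware (must be tz-aware)
    risk: Risk
    data_unintelligible: bool = False        # Art. 34(3)(a): e.g. encrypted, key not exposed
    high_risk_eliminated: bool = False       # Art. 34(3)(b): later measures removed the high risk
    individual_notice_feasible: bool = True  # Art. 34(3)(c): otherwise a public communication
    from_processor: bool = False             # reported to the controller by a processor (Art. 33(2))


@dataclass
class Plan:
    notify_dvi: bool
    dvi_deadline: datetime | None
    delayed: bool                  # past 72 h: a reasoned explanation must accompany the notice
    notify_subjects: bool
    public_communication: bool
    notes: list[str] = field(default_factory=list)


def triage(breach: Breach, now: datetime) -> Plan:
    """Decide who must be told, and by when, from the controller's point of view."""
    if breach.aware_at.tzinfo is None or now.tzinfo is None:
        raise ValueError("use timezone-aware datetimes; the 72 h clock must not drift across DST")
    notes: list[str] = []
    if breach.from_processor:
        # Art. 33(2): the processor's duty to tell the controller is unconditional; the
        # controller's own assessment decides whether the DVI and data subjects are notified.
        notes.append("processor report received; controller assessment governs DVI/subject notice")

    if breach.risk is Risk.UNLIKELY:
        notes.append("no DVI notification required; document facts, effects and remedy (Art. 33(5))")
        return Plan(False, None, False, False, False, notes)

    deadline = breach.aware_at + DVI_DEADLINE
    delayed = now > deadline
    if delayed:
        notes.append("72 h exceeded: include reasons for the delay (Art. 33(1))")

    notify_subjects = False
    public = False
    if breach.risk is Risk.HIGH:
        if breach.data_unintelligible:
            notes.append("subject notice not required: data unintelligible to third parties (Art. 34(3)(a))")
        elif breach.high_risk_eliminated:
            notes.append("subject notice not required: high risk no longer likely (Art. 34(3)(b))")
        elif not breach.individual_notice_feasible:
            public = True
            notes.append("individual notice disproportionate: public communication instead (Art. 34(3)(c))")
        else:
            notify_subjects = True
    return Plan(True, deadline, delayed, notify_subjects, public, notes)


def missing_fields(notification: dict) -> list[str]:
    """Return the Art. 33(3) items that are absent or empty in a draft DVI notification."""
    return [f for f in REQUIRED_FIELDS if not notification.get(f)]


if __name__ == "__main__":
    # Constructed incident: a processor reports a high-risk breach; the controller triages 70 h later.
    aware = datetime(2025, 3, 10, 9, 30, tzinfo=timezone.utc)
    plan = triage(Breach(aware, Risk.HIGH, from_processor=True), now=aware + timedelta(hours=70))
    print(plan)
    print(missing_fields({"nature": "credential database exfiltrated", "contact": "dpo@example.test"}))
```

The deadline is anchored to the moment of awareness, not to detection by a monitoring tool or to the processor's report, which is why the routine insists on timezone-aware timestamps: an incident spanning a clock change is exactly where a naive 72-hour calculation goes wrong.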

DVI Enforcement Actions and Notable Fines
Latvia is not among the EU's highest-volume GDPR enforcers, but the DVI has issued substantive fines and pursued systemic violations across sectors. The following cases represent the most significant enforcement actions.
SIA Tet: EUR 1,200,000 (Decision 2022, Court Upheld June 2024)
The largest GDPR fine in Latvian history was imposed on SIA Tet, one of Latvia's largest telecommunications and internet service companies. The DVI initiated an ex officio investigation into Tet's practice of transferring customer personal data to out-of-court debt recovery service providers.
The DVI found multiple violations of GDPR Articles 5(1) and 6(1). Specifically, Tet failed to verify customer identities before signing service agreements. When transferring personal data to debt recovery services, the company had not confirmed whether the underlying customer data was accurate. In one instance, because Tet had not verified a customer's submitted information, the personal data of a minor was transferred to a debt collection company without any legal basis or consent. Tet also compared old and new customer data in its systems without authorization, violating the principles of purpose limitation and accuracy.
The DVI originally imposed a fine of EUR 3,200,000. Considering mitigating factors including the company's cooperation with the investigation and remedial measures it took, the DVI reduced the fine to EUR 1,200,000. Tet challenged the decision in court. In June 2024, the Riga Regional Court upheld the DVI's decision in full. The judgment is final and not subject to further appeal.
SIA ZZ Dats: EUR 300,000 (October 2025)
In October 2025, the DVI imposed a EUR 300,000 fine on SIA ZZ Dats, an IT services company acting as a processor for Latvian municipalities. The case arose from a data breach that occurred between 29 October and 2 November 2024, when a technical vulnerability in ZZ Dats' Unified Municipal Information System allowed unauthorized parties to access and copy personal data.
The breach affected 42 of Latvia's municipalities (all except Riga). The data compromised included names, surnames, personal identification numbers, and addresses of municipal residents and employees. The DVI found that ZZ Dats had violated Article 32 of the GDPR by failing to implement security measures appropriate to the risk of its processing activities.
In addition to fining ZZ Dats, the DVI issued reprimands to the municipalities themselves in their capacity as data controllers who had delegated processing to ZZ Dats. ZZ Dats has appealed the fine to Riga City Court. The case is the most significant public-sector data breach enforcement action in Latvia's GDPR enforcement history.
SIA DEPO DIY: Consent Violations
The DVI investigated SIA DEPO DIY, a major retail chain, after receiving consumer complaints. Customers who declined a loyalty card, and therefore declined to consent to personal data processing, were denied access to certain additional services. The DVI held that consent cannot be considered freely given under GDPR Article 4(11) when its refusal results in the loss of a service. The inspectorate also found that DEPO DIY had improperly designated consent as the legal basis for invoice-related processing where that processing did not actually depend on the customer's choice, and identified data minimization violations.
SIA Lursoft IT: EUR 65,000
The DVI fined SIA Lursoft IT EUR 65,000 for publishing insolvency register data after the termination of insolvency proceedings, and for publishing non-public company registration numbers received from the Register of Enterprises in breach of its agreement with that body. The DVI found violations of GDPR Articles 5(1)(a), (b), (c) and 6(1), concluding that Lursoft had no lawful basis for continuing to process and publish this data.
SIA QUANTRUM: Audio Recording Through CCTV
The DVI found that SIA QUANTRUM was recording audio through CCTV cameras, violating GDPR Articles 5(1)(a) and (c) and 6(1). The inspectorate ordered the company to cease audio recording in connection with its video surveillance system. The case established that audio capture alongside video surveillance requires specific independent justification and is likely disproportionate in most commercial settings.
Online Retailer: EUR 7,000 (2019)
One of the DVI's earliest GDPR enforcement actions was a EUR 7,000 fine against an online retailer for data protection violations. While modest compared to later fines, the case signaled the DVI's intent to enforce GDPR requirements across sectors from the outset.
Data Protection Officer Requirements
Latvia does not expand the mandatory DPO appointment obligations beyond those in GDPR Article 37(1). A DPO must be appointed in three circumstances: processing by a public authority or body (except courts acting in their judicial capacity); core activities that require regular and systematic monitoring of data subjects on a large scale; and core activities involving large-scale processing of special category data or data relating to criminal convictions.
The DVI Qualification Roster
The DVI maintains a publicly available list of individuals who have passed its qualification examinations for data protection officers. Controllers and processors may appoint a candidate from this roster or appoint any other individual who possesses the expert knowledge and professional qualities required under GDPR Article 37(5). The DVI also conducts periodic examinations to verify that existing DPOs continue to meet the qualification standard.
Where a DPO is appointed, the controller or processor must publish the DPO's contact details and communicate them to the DVI. The DPO must not receive instructions on the exercise of their tasks and must report directly to the highest management level.
Cross-Border Data Transfers
Latvia follows the standard GDPR Chapter V framework for international data transfers. The European Commission's adequacy decisions provide the simplest transfer mechanism: personal data may flow without additional safeguards to countries the Commission has determined provide an equivalent level of protection. The current list of adequacy decisions is maintained by the European Commission.
For transfers to non-adequate countries, the available mechanisms are:
- Standard Contractual Clauses (SCCs). The 2021 Commission SCCs (incorporating controller-to-controller, controller-to-processor, processor-to-controller, and processor-to-processor modules) are the most widely used mechanism. Prior DVI approval is not required for SCCs.
- Binding Corporate Rules (BCRs). BCRs for intra-group transfers require DVI approval before they can be relied upon. The DVI is the competent supervisory authority for BCR applications where Latvia is the lead.
- Certification, codes of conduct, and ad hoc contracts. Available but less common in practice.
- GDPR Article 49 derogations. For occasional transfers based on consent, contract necessity, public interest, legal claims, or vital interests. Where a transfer relies on the compelling legitimate interests derogation in the final subparagraph of Article 49(1), the controller must inform the DVI of the transfer.
Transfer Impact Assessments are not named as such in Latvian statute, but they are not optional in practice: Clause 14 of the 2021 SCCs requires the parties to assess, and document, whether the laws and practices of the destination country prevent the data importer from honoring the clauses, and the EDPB's Recommendations 01/2020 following the Schrems II ruling expect such an assessment for every transfer that relies on Article 46 safeguards.
EU AI Act Overlay
The EU AI Act (Regulation 2024/1689) entered into force on 1 August 2024 and applies progressively across the EU. Prohibitions on unacceptable-risk AI practices took effect on 2 February 2025; governance rules and obligations for general-purpose AI models took effect on 2 August 2025; the full regulation, including obligations for high-risk AI systems, applies from 2 August 2026.
Latvia's AI Act Implementation
Latvia enacted national legislation to operationalize the AI Act alongside its DORA obligations. The Law on Digital Operational Resilience and the Use of Artificial Intelligence in the Financial Market entered into force on 1 October 2025. This law designates Latvijas Banka (the Bank of Latvia) as the competent authority for AI systems used by financial market participants it supervises.
For AI systems outside the financial sector, Latvia designated multiple market surveillance authorities. The DVI holds market surveillance authority specifically for prohibited AI practices and high-risk AI systems as defined in the AI Act. The DVI's existing GDPR expertise makes it the natural authority for AI applications that involve personal data processing, systematic monitoring, or biometric identification.
Interaction Between GDPR and the AI Act
The AI Act and the GDPR interact directly for AI systems that process personal data. Where a high-risk AI system processes personal data, controllers must comply with both regimes simultaneously. The AI Act's requirements for data governance (Article 10), transparency (Article 13), and conformity assessments layer on top of GDPR obligations for lawful processing, data minimization, and accountability.
Key areas of interaction include:
- Training data. GDPR principles of purpose limitation and data minimization apply to data used to train AI systems, not only to inference-time processing.
- Automated decision-making. GDPR Article 22 rights apply to decisions made solely by automated processing with legal or similarly significant effects, including AI-driven decisions in employment, credit, insurance, and public services.
- Biometric data. AI systems using biometric identification or categorization process special category data under GDPR Article 9, requiring both a GDPR Article 9(2) exemption and compliance with the AI Act's prohibitions, including the ban in Article 5(1)(h) on real-time remote biometric identification in publicly accessible spaces for law enforcement purposes, which admits only narrow, specifically authorized exceptions.
- DPIAs and AI Act risk assessments. Controllers deploying high-risk AI systems that also constitute high-risk processing under GDPR must complete both a Data Protection Impact Assessment (DPIA) and an AI Act conformity assessment, which overlap significantly in scope.
Penalties and Criminal Liability
Latvia's penalty framework combines GDPR administrative fines with criminal sanctions under the national Criminal Law, giving authorities a broader enforcement toolkit than GDPR alone provides.
Administrative Fines Under GDPR Article 83
The DVI may impose fines following the two-tier GDPR structure:
| Tier | Maximum Fine | Violations Covered |
|---|---|---|
| Lower tier | EUR 10,000,000 or 2% of total worldwide annual turnover of the preceding financial year (whichever is higher) | Articles 8, 11, 25-39, 42-43; controller and processor obligations; certification body obligations |
| Upper tier | EUR 20,000,000 or 4% of total worldwide annual turnover of the preceding financial year (whichever is higher) | Articles 5-7, 9, 12-22, 44-49; non-compliance with a DVI order under Article 58(2); basic principles, legal bases, data subject rights, cross-border transfer rules |
The DVI calculates fine amounts based on factors including the nature, gravity, and duration of the violation; whether the infringement was intentional or negligent; the number of data subjects affected; the categories of data involved; the degree of cooperation with the investigation; any previous violations; and technical and organizational measures in place. The Tet case (original EUR 3.2M reduced to EUR 1.2M for cooperation and remediation) illustrates how mitigating factors operate in practice.
Criminal Penalties Under Section 145 of the Criminal Law
Section 145 of the Latvian Criminal Law, titled "Illegal Activities Involving Personal Data of Natural Persons," establishes three tiers of criminal offense:
First tier: Illegal activities involving personal data that cause substantial harm. Punishment includes deprivation of liberty up to two years, temporary deprivation of liberty, community service, or a fine.
Second tier: A controller or processor carrying out illegal personal data processing for the purpose of vengeance, property acquisition, or blackmail. This carries a maximum of four years' imprisonment, with alternatives of temporary deprivation of liberty, community service, or a fine.
Third tier: Using violence, threats, abuse of trust, deception, or bad faith to compel a controller, processor, or data subject to carry out illegal data processing activities. This carries a maximum of five years' imprisonment.
These criminal provisions create personal liability for individuals, complementing the organizational liability addressed by GDPR administrative fines. A senior employee who orders unlawful data transfers for competitive advantage, or who threatens a data subject to prevent the exercise of data rights, may face personal criminal prosecution alongside any corporate fine.
Recent Developments (2024-2026)
Several significant developments have shaped Latvia's data protection landscape since 2024.
June 2024: Tet Fine Upheld. The Riga Regional Court confirmed the DVI's EUR 1,200,000 fine against SIA Tet, making it the final and unappealable enforcement outcome. The case reinforced that telecom providers must verify customer data before transferring it to third-party debt recovery services and cannot rely on unverified customer submissions as an accurate data source.
October-November 2024: ZZ Dats Municipal Breach. Between 29 October and 2 November 2024, a technical vulnerability in ZZ Dats' municipal information system allowed unauthorized access to personal data of residents across 42 Latvian municipalities. The breach disclosed names, surnames, personal identification numbers, and addresses. The incident prompted immediate DVI investigation and resulted in the October 2025 fine.
February 2025: AI Act Implementation Planning. Latvia's Cabinet of Ministers considered an information report prepared by the Ministry of Smart Administration and Regional Development on implementing the AI Act, defining responsible institutions and required actions ahead of the regulation's full applicability date in August 2026.
August 2025: GPAI Model Obligations in Force. From 2 August 2025, governance rules and obligations for general-purpose AI models under the EU AI Act became applicable across Latvia and all EU member states. Providers of foundation models and large language models face documentation, transparency, and copyright compliance requirements.
October 2025: DVI Becomes AI Market Surveillance Authority. Latvia's Law on Digital Operational Resilience and the Use of Artificial Intelligence in the Financial Market entered into force on 1 October 2025. Alongside this, the DVI was formally designated as the market surveillance authority for prohibited AI practices and high-risk AI systems, expanding its enforcement mandate significantly beyond data protection.
October 2025: ZZ Dats Fined EUR 300,000. The DVI imposed its second-largest GDPR fine, against IT processor ZZ Dats, for the October-November 2024 municipal breach. ZZ Dats has appealed to Riga City Court; the fine is not yet final.
Business Compliance: Practical Steps
Organizations operating in Latvia or processing personal data of Latvian residents should address the following priorities:
Data mapping and legal basis documentation. Document all processing activities in a Record of Processing Activities (RoPA) under GDPR Article 30. For each activity, identify and document the legal basis. The DEPO DIY case demonstrates the DVI's willingness to scrutinize whether the nominated legal basis is accurate and whether consent is genuinely voluntary.
Consent mechanism audit. Review all consent flows to confirm that consent is specific, informed, freely given, and unambiguous. Ensure that refusal to consent does not result in loss of access to services to which the individual would otherwise be entitled.
Breach notification procedures. Establish documented internal procedures for breach detection, severity assessment, and DVI notification within 72 hours, and make sure processor contracts require prompt reporting to the controller. The ZZ Dats case demonstrates that inadequate technical security measures leading to a large-scale breach will result in significant fines under Article 32, regardless of whether the processor acted intentionally.
Children's data compliance. Where services may be accessed by children, implement age verification appropriate to the 13-year consent threshold. For users under 13, establish processes for obtaining and verifying parental consent.
DPO appointment review. Determine whether mandatory DPO appointment is triggered under GDPR Article 37(1). If a DPO is appointed, consider whether candidates from the DVI's qualification roster meet organizational requirements, and ensure the DPO is granted the independence required by GDPR Article 38.
Cross-border transfer review. Map all transfers of personal data to non-EEA countries. For transfers to non-adequate countries, ensure the 2021 SCCs are in place and document the assessment of destination-country law that Clause 14 of those SCCs requires, giving particular attention to jurisdictions with broad government access powers.
AI Act readiness. If deploying AI systems that process personal data, assess whether those systems fall into the high-risk categories defined in Annex III of the AI Act. Conduct both a DPIA and an AI Act conformity assessment for qualifying systems. Review training data practices for GDPR compliance. Monitor the DVI's developing guidance on AI oversight, as it is now Latvia's designated market surveillance authority for high-risk AI.
This article provides general legal information about Latvia's data protection framework as verified in May 2026. It does not constitute legal advice. Laws in this area change frequently. Consult a lawyer licensed in Latvia for advice on your specific situation.
Frequently Asked Questions
What is the main data protection law in Latvia?
Latvia's data protection framework consists of two primary instruments. The EU General Data Protection Regulation (GDPR, Regulation 2016/679) applies directly as EU law and governs most personal data processing activities. The Personal Data Processing Law (Fizisko personu datu apstrādes likums, DPL), in force since 5 July 2018, supplements the GDPR by exercising the national opening clauses the regulation leaves to member states. These include the age of digital consent (set at 13 in Latvia), qualifications for data protection officers, the DVI's status and powers, and procedures for referring matters to criminal proceedings; criminal penalties themselves sit in Section 145 of the Criminal Law. Privacy also has constitutional protection under Article 96 of Latvia's Satversme.
Who enforces data protection law in Latvia?
The Data State Inspectorate (Datu valsts inspekcija, DVI), established in 2001, is Latvia's independent supervisory authority. It has full investigative, corrective, and advisory powers under GDPR Article 58, including the power to audit processing activities, issue reprimands and warnings, order compliance, impose temporary or permanent bans on processing, and levy administrative fines up to EUR 20 million or 4% of global annual turnover. Since October 2025, the DVI also serves as a market surveillance authority for prohibited AI practices and high-risk AI systems under the EU AI Act.
What is the largest GDPR fine the DVI has imposed?
The largest GDPR fine in Latvian enforcement history is EUR 1,200,000, imposed on SIA Tet (a telecommunications and internet service company) for violations of GDPR Articles 5(1) and 6(1). The violations involved transferring unverified customer data including a minor's personal data to debt recovery services without a valid legal basis. The DVI originally imposed EUR 3,200,000; mitigating factors including cooperation and remedial measures led to reduction to EUR 1,200,000. In June 2024, the Riga Regional Court upheld the fine; the decision is final and not subject to further appeal.
What happened in the ZZ Dats data breach case?
Between 29 October and 2 November 2024, a technical vulnerability in ZZ Dats' Unified Municipal Information System allowed unauthorized access to personal data held for 42 Latvian municipalities. Names, surnames, personal identification numbers, and addresses of residents and municipal employees were exposed. In October 2025, the DVI fined SIA ZZ Dats EUR 300,000 under GDPR Article 32 for failing to implement security measures appropriate to the risk of its processing activities. ZZ Dats has appealed the decision to Riga City Court. The municipalities received reprimands in their capacity as data controllers.
How quickly must a data breach be reported to the DVI?
Controllers must notify the DVI within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If notification is delayed beyond 72 hours, the controller must provide a reasoned explanation. Notifications are submitted through the DVI's online portal at pazinojums.dvi.gov.lv. Data processors must notify the controller without undue delay after becoming aware of a breach, regardless of assessed risk level. The controller then determines whether to notify the DVI and affected individuals.
Can individuals face criminal penalties for data protection violations in Latvia?
Yes. Section 145 of the Latvian Criminal Law establishes three tiers of criminal liability for illegal activities involving personal data. First-tier violations causing substantial harm carry up to two years' imprisonment. Second-tier violations where a controller or processor processes data illegally for vengeance, property gain, or blackmail carry up to four years. Third-tier violations where someone uses violence, threats, or deception to compel illegal data processing carry up to five years. These criminal penalties apply alongside, not instead of, administrative fines.
What is the minimum age for digital consent in Latvia?
Latvia has set the minimum age for valid consent to information society services at 13 years, exercising the option under GDPR Article 8 to lower the default threshold of 16. This makes Latvia one of the EU member states with the lowest digital consent age. For children under 13, consent must be given or authorized by a parent or legal guardian. Organizations offering digital services to children must make reasonable efforts to verify parental responsibility, taking into account available technology.
What role does the DVI play under the EU AI Act?
Following Latvia's Law on Digital Operational Resilience and the Use of Artificial Intelligence in the Financial Market entering into force on 1 October 2025, the DVI was designated as a market surveillance authority for prohibited AI practices and high-risk AI systems under the EU AI Act. This means the DVI can investigate and take enforcement action against AI systems that deploy prohibited practices (such as social scoring by public authorities or real-time biometric identification in public spaces) and against high-risk AI systems that fail to meet the AI Act's conformity requirements. For AI systems used by financial market participants, Latvijas Banka holds market surveillance authority.
Do I need DVI approval to transfer personal data outside the EU from Latvia?
It depends on the transfer mechanism. Transfers to countries with European Commission adequacy decisions require no additional steps. Transfers using Standard Contractual Clauses (SCCs) also do not require DVI prior approval. However, Binding Corporate Rules (BCRs) require DVI approval before they can be relied upon. Transfers under the GDPR Article 49(1) legitimate interests derogation must be notified to the DVI. Where Latvia-based operations are involved in a transfer subject to supervisory authority cooperation under the GDPR's one-stop-shop mechanism, the DVI participates as a concerned supervisory authority.
Sources and References
- Personal Data Processing Law (likumi.lv)
- Datu valsts inspekcija (DVI) (dvi.gov.lv)
- EDPB: Latvia (edpb.europa.eu)
- GDPRhub: DVI Latvia (gdprhub.eu)
- GDPRhub: DVI decision on SIA Tet (gdprhub.eu)
- ZZ Dats EUR 300,000 fine, LSM.lv (eng.lsm.lv)
- Tet EUR 1.2M fine court ruling, LSM.lv (eng.lsm.lv)
- DVI EUR 7,000 online retailer fine (edpb.europa.eu)
- Latvia AI Act implementation plan, VARAM (varam.gov.lv)
- Latvia DORA and AI Act law, DataGuidance (dataguidance.com)
- GDPR official text, EUR-Lex (eur-lex.europa.eu)
- White & Case: GDPR Guide, Latvia (whitecase.com)
- DLA Piper: Data Protection Laws of the World, Latvia (dlapiperdataprotection.com)
- Linklaters: Data Protected, Latvia (linklaters.com)
- CJEU Latvia data protection ruling, 2021 (curia.europa.eu)
- Latvia Constitutional Court, demerit points case under Article 96 (satv.tiesa.gov.lv)
- Latvian Parliament (Saeima): Personal Data Processing (saeima.lv)
- EU AI Act official text (eur-lex.europa.eu)