What is the Non-personal data regulation?
Today's economy is increasingly dependent on data that can add significant value to existing services and cultivate entirely new and innovative business models. To take full advantage of the data economy, the European Commission (EC) has developed a legal framework to ensure a free movement of non-personal data[i] within the European Union (EU).
The regulation 2018/1807 of the European Parliament and of the Council of 14th of November 2018 on a framework for the free flow of non-personal data in the European Union (further – Non-personal data regulation), which reduces obstacles for the free flow of non-personal data in the EU, is directly applicable in all EU Member States from 28th of June 2019.
The Ministry of Environmental Protection and Regional Development of the Republic of Latvia is designated[ii] as the responsible institution for the implementation of Non-personal data regulation in Latvia and accordingly coordinates the fulfilment of the duties set for the Member States in the Non-personal data regulation.
How to contact the national contact point in Latvia?
- The Ministry of Environmental Protection and Regional Development of the Republic of Latvia, Peldu street 25, Riga, LV-1494, Latvia
- Phone no.: +371 66016740
- e-mail: FFOD@varam.gov.lv
- Monday – 8:30-18:00
- Tuesday, Wednesday, Thursday – 8:30-17:00
- Friday – 8:30-16:00
The national contact point performs the following tasks:
- Provides general information to users on:
1.1. Non-personal data regulation;
- Competent institutions in Latvia and other EU Member states on Non-personal data regulation;
- Existing territorial restrictions of free flow of non-personal data in Latvia;
- Liaises with national contact points of other EU Member states and European Commission;
- Sends data access requests to the competent authorities of Latvia from other national contact points of EU Member states;
- Sends data access requests to other national contact points of EU Member states made by competent authorities in Latvia.
What does the Non-personal data regulation provide?
Non-personal data regulation is designed to promote the data economy and the development of new technologies, such as autonomous cross-border systems and artificial intelligence technologies, and to remove obstacles to the free flow of non-personal data within the Member States and between information technology (IT) systems. To ensure the above, the Non-personal data regulation provides:
- Free flow of non-personal data across EU borders - implementing the principle that every organization should be able to store and process data anywhere in the EU;
- Regulatory control over the availability of non-personal data - state institutions retain access to data even if it is located in another EU Member State or when it is stored or processed in the cloud;
- An easier way to switch cloud providers for professional users - service providers should develop codes of conduct regarding the conditions under which users can move data between cloud providers and return data to their IT environment;
- Full compliance and synergy with the cybersecurity package[iii] and the condition that all security requirements already in place for companies storing and processing data will also be respected when companies store or process data outside the EU or in the cloud;
- Non-personal data availability to competent institutions[iv].
Existing territorial restrictions of free flow of non-personal data in Latvia
- In the Law “On Accounting” Section 6 states that Accounting registers together with source documents by Latvian companies shall be kept in the territory of Latvia.
Law “On Accounting” will expire with the new Accounting Law coming into force, and its project is currently under the consideration in the Parliament of the Republic of Latvia (On 29th of April 2021 accepted in the 2nd reading in the Parliament of the Republic of Latvia)[v]. In the new Accounting Law`s Section 27, the first paragraph is intended to state that accounting documents in electronic format are storable in the Republic of Latvia or territory of any other member state of the European Union, in accordance to requirements of Non-personal data regulation. The new Accounting law is intended to come into force in 2022.
- Regulations in the field of archives:
2.1. Archives Law;
2.3. Regulation No. 750 of the Cabinet adopted on 6th of November 2021 on “Regulations of the National Documentary Heritage Register”;
2.5. Regulation No. 397 of the Cabinet adopted on 24th of May 2011 on “Procedure by which a Record Included in the National Documentary Heritage may be Temporarily taken out of the Republic of Latvia, as well Security Copies of the Record shall be made and the Number Thereof shall be Determined”.
Previously noted regulations contain territorial restrictions on non-personal data and are retainable, with the compliance of Non-personal data regulation`s Section 4, Clause 1 justification. The regulation applies to original documents created by public institutions, including electronic data – both personal data and non-personal data. To ensure the authenticity of the data, in these type of public documents personal data and non-personal data cannot be separated and processed separately, as they are inextricably linked. Thereby following Section 2, Clause 2 of the Non-personal data regulation, the Non-personal data regulation does not apply to this data.
The rules on document (including electronic data) storage, issued by the Cabinet on the grounds of the requirements in the Archives Law, in the National Archives of Latvia, archives of the institution or in accredited private archives until the end of the time period of storage specified for them or until transfer to National Archives of Latvia is justified on grounds of public security, namely the obligation of the state to preserve the national documentary heritage for the future generations, to ensure the protection of the rights of the state and individuals, the proof of rights, obligations and the fulfilment of legal obligations.
[i] “data” is data, which is not a personal data as defined in the EU Regulation (ES) 2016/679 Section 4, Clause 1; electronic data, which is not a persona; data (Non-personal data regulation Section 2, Clause 1 and Section 3, Sub clause 1): https://eur-lex.europa.eu/legal-content/LV/TXT/?uri=CELEX:32018R1807
[ii] Subject to Section 7 of the Non-personal data regulation and on the basis of Cabinet regulation No. 255 on 10th of April 2012 “Rules for monitoring and coordinating the transposition and implementation of European Union law” Clause 3 and 4.
[iii] On 16th of 2020 EC introduced the new EU strategy on cybersecurity: https://ec.europa.eu/digital-single-market/en/cybersecurity-strategy. This strategy is one of the most important elements in building the Europe’s digital future, EU recovery plan and the EU Security Union Strategy. At the same time, to ensure the cyber resilience and physical resilience of critical units and networks, the EC proposed a Directive on measures to achieve a uniformly high level of cyber security across the EU (revised NIS Directive) and a new Directive on the resilience of critical units.
[iv] “competent institution” is an institution or any other body in the member state, who is authorized by national law to perform a public function or exercise public authority and who is authorized to obtain access to data processed by a natural or legal person for the performance of his official duties as defined in Union or national law (Section 3, Sub clause 6 of the Non-personal data regulation);