DVI (Latvia) - SIA “ZZ Dats”

Summary

Latvia's Data State Inspectorate (DVI) fined data processor SIA "ZZ Dats" €300,000 for violating Article 32 GDPR following a large-scale personal data breach detected in late 2024 that affected nearly all Latvian municipalities. The DPA found the processor failed to implement adequate technical and organizational security measures to protect personal data, and also held the municipalities responsible as controllers for insufficient oversight of the processor's activities. The decision was appealed to Riga City Court and subsequently confirmed.

Full text

Help DVI (Latvia) - SIA “ZZ Dats”: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 16:09, 4 November 2025 view sourceXz (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators379 editsTag: Visual edit← Older edit Latest revision as of 09:07, 16 April 2026 view source Sfl (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators405 editsm Line 52: Line 52: |Party_Link_3=|Party_Link_3= |Appeal_To_Body=Riga City Court|Appeal_To_Body=Riga City Court (Latvia) |Appeal_To_Case_Number_Name=|Appeal_To_Case_Number_Name= |Appeal_To_Status=Appealed - Confirmed|Appeal_To_Status=Appealed - Confirmed Latest revision as of 09:07, 16 April 2026 DVI - SIA “ZZ Dats” Authority: DVI (Latvia) Jurisdiction: Latvia Relevant Law: Article 32 GDPR Type: Investigation Outcome: Violation Found Started: Decided: Published: 28.10.2025 Fine: 300.000 EUR Parties: SIA “ZZ Dats” National Case Number/Name: SIA “ZZ Dats” European Case Law Identifier: n/a Appeal: Appealed - ConfirmedRiga City Court (Latvia) Original Language(s): Latvian Original Source: Datu valsts inspekcija (in LV) Initial Contributor: xz The DPA fined a processor €300,000 after a large-scale data breach in the processor’s system affected almost all national municipalities. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts In the system of SIA “ZZ Dats,” a large-scale personal data leak was detected by the processor, affecting almost all Latvian municipalities, the controllers. The leaked data were stored and maintained in the information system of the processor. Based on the received information about this potential data breach, the Data State Inspectorate, the Latvian DPA, initiated an investigation. Holding The DPA held that the processor violated Article 32 GDPR because they had not sufficiently ensured compliance with the processor’s obligations under the GDPR and imposed a fine of €300,000. Under Article 32 GDPR, both controllers and processors are required to implement appropriate technical and organizational security measures to protect personal data against accidental or unlawful destruction, loss, disclosure, or unauthorized access. The DPA further held that the controllers are also responsible for inadequate supervision of the processor’s activities. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the Latvian original. Please refer to the Latvian original for more details. At the end of 2024, a large-scale personal data leak was detected, affecting almost all Latvian municipalities. The leaked data was stored and maintained in the information system of SIA “ZZ Dats”. The State Data Inspectorate (Inspekcija), upon receiving information about a possible personal data protection violation, immediately launched an inspection to clarify the circumstances of the incident and the actions of the responsible persons. As a result of the inspection, the Inspectorate found SIA “ZZ Dats” guilty of non-compliance with the requirements set out in Article 32 of the Data Regulation. The aforementioned article provides that both controllers and processors are obliged to implement appropriate technical and organizational security measures to ensure the protection of personal data against accidental or unlawful destruction, loss, disclosure or unauthorized access to them. The Inspectorate concluded that the company had not sufficiently ensured the fulfillment of the processor’s obligations in accordance with the requirements of the Regulation, therefore, an administrative penalty was imposed on the company for the detected violation – a fine of 300,000 euros. SIA “ZZ Dats” has appealed this decision to the Riga City Court. The fine for the company was determined in accordance with the method for calculating fines developed by the Inspectorate, which sets out uniform principles for calculating the amount of the fine in accordance with Article 83 of the Data Regulation. This implemented method is based on the EDPB guidelines. In connection with the data leak, the Inspectorate has also adopted decisions on the municipalities involved, which have been reprimanded for insufficient supervision over the activities of the processor. The municipalities could appeal these reprimands to the Director of the Inspectorate. Considering that the case is still ongoing, the decisions are not publicly available, while the decision on the application of an administrative fine to SIA “ZZ Dats” has been assigned the status of restricted access. Retrieved from "https://gdprhub.eu/index.php?title=DVI_(Latvia)_-_SIA_“ZZ_Dats”&oldid=51336" Categories: DVI (Latvia)LatviaArticle 32 GDPRLatvian This page was last edited on 16 April 2026, at 09:07. Content is available under Creative Commons Attribution-NonCommercial-ShareAlike unless otherwise noted. Privacy policy About GDPRhub Disclaimers

Entities