Skip to content
World Watch/Latvia/Data & Privacy

Data & Privacy · Latvia

Data protection & GDPR compliance in Latvia (2026)

Comprehensive lawGDPR (EU Regulation 2016/679) directly applicable; supplemented by Latvia's Personal Data Processing Law (Fizisko personu datu apstrādes likums, in force 5 July 2018); supervised by the Data State Inspectorate (Datu valsts inspekcija, DVI)Country index 96 · A+

Latvia shaded by its data & privacy status

Data protection in Latvia: comprehensive law, under GDPR (EU Regulation 2016/679) directly applicable; supplemented by Latvia's Personal Data Processing Law (Fizisko personu datu apstrādes likums, in force 5 July 2018); supervised by the Data State Inspectorate (Datu valsts inspekcija, DVI).

Latvia's data-protection regime is anchored in the directly applicable GDPR, complemented by the national Personal Data Processing Law that entered into force on 5 July 2018, replacing the earlier Personal Data Protection Law of 2000. The Data State Inspectorate (DVI) is the independent supervisory authority and a full EDPB member with powers to investigate, issue corrective orders, and impose administrative fines. National law exercises several GDPR derogations, most notably lowering the age of digital consent to 13 and specifying rules on employment data processing, audit-trail retention, and video surveillance signage.

GDPR & data protection in Latvia

In Latvia, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the Data State Inspectorate (DVI).

Framework
the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
Supervisory authority
the Data State Inspectorate (DVI)
Applies to
any organisation processing the personal data of people in Latvia, wherever the organisation is based
Maximum fine
€20 million or 4% of global annual turnover, whichever is higher
Breach notification
within 72 hours of becoming aware, to the supervisory authority
DPO
required for large-scale monitoring or large-scale special-category processing

The GDPR is bloc-wide; Latvia supplements it with a national data-protection act and its own supervisory authority.

GDPR in Latvia: FAQ

Does the GDPR apply in Latvia?

Yes. As an EU/EEA member, Latvia applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the Data State Inspectorate (DVI).

Who enforces data protection law in Latvia?

The Data State Inspectorate (DVI).

What are the GDPR fines in Latvia?

Up to €20 million or 4% of global annual turnover, whichever is higher.

Do you need a Data Protection Officer in Latvia?

A DPO is required where you carry out large-scale monitoring or process special-category data at scale.

How quickly must a data breach be reported in Latvia?

Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.

Key points

Primary legal basis

GDPR (Regulation 2016/679) applies directly and takes precedence. Latvia's Personal Data Processing Law (5 July 2018) provides national specifications and permitted derogations, replacing the 2000 Personal Data Protection Law across the full lifecycle of personal-data processing.

Supervisory authority, DVI

The Data State Inspectorate (Datu valsts inspekcija) is Latvia's Art. 51 GDPR supervisory authority, staffed with 38 posts. It investigates complaints, conducts audits, issues binding corrective orders, and imposes administrative fines; it accepts data-breach notifications in Latvian and participates fully in EDPB cooperation mechanisms.

Age of digital consent

Latvia exercises the Art. 8 GDPR derogation to set the minimum age for a child's valid consent to information society services at 13 years, three years below the GDPR default of 16.

DPIA lists (Art. 35 GDPR)

The DVI has published both a mandatory DPIA list (Art. 35(4)) and a DPIA-exemption list (Art. 35(5)). The EDPB issued Opinion 14/2018 on the mandatory list and Opinion 6/2024 on the exemption list, confirming their consistency with the GDPR.

Employment & video-surveillance specifics

National law permits employment-data processing for admissible job-interview questions and employer verification of trade-union membership before issuing redundancy notice. Video-surveillance signage must include at minimum the controller's name, contact details, and processing purpose, alongside the Art. 13 GDPR reference.

NIS2 transposition, infringement proceedings

Latvia missed the 17 October 2024 NIS2 Directive transposition deadline. The European Commission issued a reasoned opinion against Latvia in May 2025 for failure to notify full transposition, initiating formal infringement proceedings. Full NIS2 transposition will expand security and incident-reporting obligations that interact directly with GDPR data-breach requirements for essential and important entities.

Latvia - other topics

Data & Privacy in other countries

Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →