Data protection & privacy laws in Latvia (2026)

GDPR (Regulation 2016/679) applies directly and takes precedence. Latvia's Personal Data Processing Law (5 July 2018) provides national specifications and permitted derogations, replacing the 2000 Personal Data Protection Law across the full lifecycle of personal-data processing.

The Data State Inspectorate (Datu valsts inspekcija) is Latvia's Art. 51 GDPR supervisory authority, staffed with 38 posts. It investigates complaints, conducts audits, issues binding corrective orders, and imposes administrative fines; it accepts data-breach notifications in Latvian and participates fully in EDPB cooperation mechanisms.

Latvia exercises the Art. 8 GDPR derogation to set the minimum age for a child's valid consent to information society services at 13 years, three years below the GDPR default of 16.

The DVI has published both a mandatory DPIA list (Art. 35(4)) and a DPIA-exemption list (Art. 35(5)). The EDPB issued Opinion 14/2018 on the mandatory list and Opinion 6/2024 on the exemption list, confirming their consistency with the GDPR.

National law permits employment-data processing for admissible job-interview questions and employer verification of trade-union membership before issuing redundancy notice. Video-surveillance signage must include at minimum the controller's name, contact details, and processing purpose, alongside the Art. 13 GDPR reference.

Latvia missed the 17 October 2024 NIS2 Directive transposition deadline. The European Commission issued a reasoned opinion against Latvia in May 2025 for failure to notify full transposition, initiating formal infringement proceedings. Full NIS2 transposition will expand security and incident-reporting obligations that interact directly with GDPR data-breach requirements for essential and important entities.