SIA “Lursoft IT” – €65,000 Fine (Latvia, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
SIA “Lursoft IT” was fined EUR 65,000 for publishing outdated insolvency data and other personal information without a valid legal basis. This matters because it shows the importance of having a clear legal reason for processing personal data.
What happened
SIA “Lursoft IT” published personal data from the Insolvency Register and other sources without a valid legal basis.
Who was affected
Individuals whose insolvency data and other personal information were published on Lursoft's website were affected.
What the authority found
The Latvian data protection authority found that Lursoft violated GDPR by publishing personal data without a valid legal basis.
Why this matters
This case highlights the need for companies to ensure they have a legitimate reason for processing personal data. It serves as a warning to review data handling practices to comply with GDPR requirements.
GDPR Articles Cited
National Law Articles
SIA “Lursoft IT” (Lursoft; the controller) processed personal data on its website (lursoft.lv) by (1) publishing information from the "Insolvency Register" which relates to a data subject although it had been more than a year since the termination of the insolvency proceedings concerned. Lursoft also (2) published data that is to be submitted to the "Register of Enterprises" (including non-public data such as the number of registration of legal entities and legal facts). Did the publication on a website of personal data from the "Insolvency Register" as well as personal data that is to be submitted to the "Register of Enterprises" in breach of Articles 5(1)(a), (b), (c) and 6(1) of the GDPR? = The Latvian DPA (Datu valsts inspekcija) considered Section 132(3) of the Latvian Insolvency Law which states that information relating to natural persons involved in insolvency proceedings shall be made public in the Insolvency Register, including up to 1 year after the termination of an insolvency proceeding. Therefore, there was a violation of the law on the basis that the termination of the insolvency proceeding concerning the data subject had been terminated for more than one year. The DPA reiterated that Section 132(3) targets the responsible institution for the Register of Enterprises, but that although Lursoft is not the responsible institution, the Section of the law still applies to them. Information on an insolvency proceeding cannot be published if the proceeding has ended over a year ago. The Latvian DPA also held that the controller must have an appropriate legal basis for proceeding personal data under Article 5(1)(a) GDPR. Lursoft claim to be have such a legal basis under Article 6(1)(c) GDPR. However, this was rejected by the Latvian DPA, which stated that for Article 6(1)(c) to apply, the obligation must be stipulated in law, and not just in a contract. The DPA clarified that a legal obligation under Article 6(1)(c) GDPR must be clearly stated in the le
Related Enforcement Actions (0)
No other enforcement actions found for SIA “Lursoft IT” in LV
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. SIA “Lursoft IT” - Latvia (2021). Retrieved from cookiefines.eu
Last updated: