JK Media group SIA – €1,000 Fine (Latvia, 2024)

On 10 January 2024, the DPA issued a decision ordering the controller to edit or delete personal data (a picture portraying the data subject half naked) published on its website and issuing a reprimand for the breach of Article 5(1)(a), 5(1)(c), 12(1) to (4) GDPR. On 19 February 2024, the DPA re-examined the website of the controller noting that the personal data was still available. Therefore, on 22 February 2024, the DPA opened an administrative offence case for failure to ensure compliance with the previous decision of the DPA. The controller argued that it had not edited or deleted the publications because it did not have access to the archive material of the previous owner of the website. The DPA dismissed the controller’s argument. It noted that, in accordance with Article 24(1) GDPR, the controller should have implemented appropriate measures to ensure compliance with the GDPR and, pursuant to Article 5(2) GDPR, the controller should be able to demonstrate this compliance. Therefore, the controller should have implemented appropriate measures in order to be able to edit or delete the content published on its website. The DPA recalled that one of the main priorities of the controller should be the accessibility of the information to the controller itself. As a consequence, the DPA found a violation of Article 58(2) GDPR as the controller failed to comply with the orders given in a previous decision of the DPA. On these grounds, the DPA issued a fine of €1,000.