On October 1, 2024, the Data State Inspectorate (DVI) issued guidance on how organizations (as data controllers) can effectively inform data subjects about data processing activities. The DVI explained that organizations must ensure transparency in data processing by providing clear information on their role, the processing purpose, data subject rights, and other relevant aspects.

Furthermore, the DVI noted that while publishing a privacy policy online is the most common way for organizations to fulfill their obligation to inform, the method may be insufficient, especially if data is collected offline or without a direct website link available.

Consequently, the DVI encouraged organizations to use varied notification formats to ensure accessibility, such as printed privacy policies posted on the organization's premises, oral information in person through employees or automated/pre-recorded systems, and information provided in the 'real environment' through visible notifications in public spaces such as signs, information boards, or newspaper/media announcements.

In addition, the DVI also recommended a multi-level approach, where organizations provide essential information upfront and additional information as needed. The DVI emphasized that for compliance, organizations must document efforts to fulfill the General Data Protection Regulation (GDPR) requirements under Articles 13 and 14 of the GDPR. However, the DVI confirmed that organizations are not required to obtain confirmation from data subjects that they are familiar with the data processing rules.

You can read the press release, only available in Latvian, here.