The Data State Inspectorate (DVI) has imposed a 300,000 euro fine on SIA “ZZ Dats” in connection with last year’s municipal data breach; the company has appealed the decision in court, the LETA news agency reports.
According to the Inspectorate, the data were stored in an information system maintained by ZZ Dats. Upon receiving information about a possible violation, the Inspectorate opened an investigation and found the company guilty of failing to fulfill the processor’s obligations in accordance with Article 32 of the General Data Protection Regulation (GDPR).
For the violation identified, the company received an administrative penalty—a €300,000 fine. ZZ Dats has appealed the decision to Riga City Court.
In relation to the breach, decisions were also made regarding the municipalities involved—they received reprimands, the DVI said.
As previously reported, “certain individuals” managed to gain unauthorized access to certain data from the Unified Municipal Information System between October 29 and November 2, 2024.
After the incident, ZZ Dats director Edžus Žeiris informed LETA that these individuals had managed to access a search index that contained a duplicated subset of data from the Unified Municipal Information System.
The incident directly affected 42 Latvian municipalities, excluding Riga.
Analysis by security specialists indicates that “certain individuals” accessed data on some municipal employees—including names, surnames, organizational unit, position, email address, and phone number; data on municipal residents (natural persons)—including names, surnames, personal ID numbers, and registered addresses; as well as metadata (file descriptions) of records management documents from certain municipalities.
After the problem was identified on November 2, the necessary actions were taken to reconfigure system security and to prevent further unauthorized access, the company explained.
At the time, representatives of the Association of Certified Personal Data Protection Specialists of Latvia told LETA that responsibility for the municipal data breach should be assessed in the plural. They stressed that the system developer ZZ Dats is only a data processor and, under the GDPR, municipalities (controllers) are responsible for choosing cooperation partners and setting standards to ensure the secure processing of personal data.
They also noted that ZZ Dats’ communication—stating that the incident did not have direct consequences for residents because no passwords or banking information were copied—downplayed significant risks, since names, surnames, personal ID numbers, and addresses were leaked. This information constitutes core personal data enabling full identification. The purposes of the data acquirers and possible uses of the data are unknown, the association cautioned.
The association also recalled that every municipality must appoint a Data Protection Officer (DPO).
Under the GDPR, a DPO monitors the controller’s compliance with data processing requirements. The GDPR also stipulates that the controller is responsible for the DPO’s meaningful involvement in data processing activities.
The association further stated that, based on publicly available information, the communication around the breach suggests GDPR requirements were not properly followed. The GDPR obliges controllers to actively manage a data breach, including adequately assessing its impact on the rights and freedoms of data subjects.
In 2024, ZZ Dats had a turnover of €117.662 million and a profit of €3.495 million.
ZZ Dats was registered in 1995 with share capital of €40,000, according to Firmas.lv. The company is owned by Māris Zieme (40%), Inga Ziema (35%), and Edžus Žeiris (25%).
