Latvia

The general rule under the Personal Data Protection Law is that data controllers and processors must use the necessary technical and organizational measures to protect personal data and prevent their illegal processing as provided in CoM Regulation No 40. Furthermore, in order to outsource data processing a data controller must conclude an agreement with a data processor. The data processor must perform its duties according to the instructions and scope provided in the agreement and before commencing data processing the data processor must perform the safety measures for the protection of the data processing system according to the instructions provided by the data controller.
In addition, specific technical and organizational measures must be included in agreements concerning transfer or personal data outside EU/EEA, when a data controller relies on the EU Standard Contractual Clauses or elects to draft the data transfer agreement according to the requirements under the Cabinet of Ministers Regulation No 634, dated 16 August 2011 “Regulation on the Mandatory Provisions that Must be Included in Data Transfer Agreements” [Latvian].
While according to Article 26.4. of the FCMC Regulation No 112 an agreement between a market participant and an outsourcing cloud computing service provider must include provisions containing a clear description of a service, security requirements, confidentiality obligations, rights to receive the necessary information for monitoring the service, requirements for outsourcing cloud computing service providers to immediately report incidents as well as the right to terminate the outsourcing contract.