Who is Asking? Latvia’s DVI Clarifies Transparency Rules for Public Data Collection

Have you ever scrolled through your social media feed and stumbled upon a contest or an event registration that seemed just a little too vague? Perhaps it was a local photography competition or a giveaway for a new tech gadget, but the profile posting it was anonymous, or the organization’s name was abbreviated beyond recognition. As a journalist who spends my days dissecting the fine print of privacy policies, these are the moments where my internal alarm bells start ringing. In the world of data protection, an invitation to submit personal data without a clear identity is not just poor marketing—it is a regulatory red flag.

On March 19, 2026, the Latvian Data Protection Authority (DVI) addressed this exact issue. In a new guidance article, the DVI clarified the transparency obligations for organizations issuing public announcements that invite individuals to submit personal data. This move comes as a direct response to a growing number of complaints from individuals who felt they were being lured into sharing their information with ghosts. From a compliance standpoint, the DVI is reminding us that while the digital world feels ephemeral, the responsibility for data is permanent.

The Identity Crisis in Public Announcements

Under the framework of the General Data Protection Regulation (GDPR), transparency is not a mere suggestion; it is a fundamental pillar. Articles 12, 13, and 14 dictate that individuals must always know who is processing their data and how to reach them. Curiously, many organizations still operate under the assumption that a flashy poster or a catchy social media caption exempts them from these stringent requirements.

The DVI’s recent guidance cuts through this ambiguity. The authority noted that many public announcements are currently non-compliant because they lack basic identifiers. Whether it is an incomplete name or a post from a profile with no discernible link to a legal entity, these practices create an opaque environment where the data subject is left vulnerable. To put it another way, asking for data without identifying yourself is like asking someone to hand over their house keys to a person wearing a mask.

What Information is Actually Required?

One of the most practical takeaways from the DVI’s announcement is the clarification that organizations do not need to use the specific word "controller" in their public posts. While the GDPR is a robust legal document, its application in public-facing materials should be nuanced and accessible.

Instead of rigid terminology, the DVI expects two actionable pieces of information to be clearly visible:

1. The Full Legal Name: The organization must state its complete, official name. Abbreviations or "trading as" names that cannot be easily traced are insufficient.
2. Contact Details: There must be a clear path for the individual to obtain more information. This could include a registration number, a legal address, or a direct link to a comprehensive privacy policy.

In my own work as an editor, I often apply a principle of digital hygiene to the materials I review. If I cannot verify the source of a data request within three clicks, the request is fundamentally flawed. Organizations can meet their transparency obligations by including a direct link to event rules or a privacy-preserving landing page that houses all the necessary pre-collection information.

The Danger of Anonymous Data Collection

The DVI highlighted several improper practices that are now firmly under the regulatory microscope. Posting from an anonymous profile is perhaps the most egregious. In a regulatory context, an anonymous profile acts as a barrier to accountability. If a data breach—which I often liken to an oil spill—were to occur, the affected individuals would have no way of knowing who to hold responsible or where to exercise their right to be forgotten.

I recall an investigation I conducted into a series of "pop-up" webinars that collected professional contact details. Many of these organizers used generic names like "Global Tech Insights" without any underlying legal entity. When I dug deeper, I found that the data was being funneled into a secondary market. This is why the DVI’s stance is so vital: it forces the hand of the collector to be transparent from the very first point of contact.

Compliance as a Compass

For organizations, viewing compliance as a compass rather than a hurdle can save significant reputational damage. When a company is transparent about its identity, it builds a foundation of trust. In contrast, being vague about who is behind a data collection effort makes the organization look like it has something to hide. Essentially, the DVI is asking for the digital equivalent of a business card.

Notwithstanding the complexities of international data transfers or extraterritorial reach, the core of this guidance is simple: be honest about who you are. If you are running a contest in Riga or an event in Jurmala, your audience deserves to know exactly whose hands their data is landing in.

Practical Checklist for Your Next Announcement

To ensure your organization remains on the right side of the DVI’s expectations, consider this methodical approach to your next public call for data:

• Verify the Name: Does the announcement use the full legal name registered with the Enterprise Register?
• Test the Links: If you are using a link to a privacy policy, does it work on mobile devices where most social media browsing happens?
• Check the Profile: Is the social media account verified or clearly linked to your official website?
• Minimize the Ask: Apply data minimization. Do you really need their phone number for a newsletter sign-up, or is an email enough?

Ultimately, the DVI’s guidance serves as a reminder that privacy is a fundamental human right, not a checkbox to be ticked at the end of a project. By providing clear identification, organizations move away from precarious data practices and toward a more sophisticated, trustworthy digital ecosystem.

Sources:

• Latvian State Data Inspectorate (Datu valsts inspekcija - DVI) Official Article, March 2026.
• General Data Protection Regulation (GDPR), Articles 12, 13, and 14.
• Official Guidance on Transparency and Controller Identification in Public Space.