
Lithuania - National GDPR Implementation Overview

August 2019

1. THE LAW

1.1. National implementing legislation of the GDPR

The General Data Protection Regulation (Regulation (EU) 2016/679) ('the GDPR') entered into force on 27 April 2016. Following a two-year transition period, on 25 May 2018 the GDPR became directly applicable law in all Member States of the European Union ('EU').

However, the GDPR allows Member States to legislate differently in their national laws, leaving room for different interpretations and enforcement practices among the Member States in relation to data protection matters.

Law No XIII-1426 of 30 June 2018 amending Law No I-1374 ('the Law') (only available in Lithuanian here) is applicable together with the GDPR and its implementing legislation.

The Law is applicable to:

  • controllers and processors established in Lithuania, regardless of whether the processing takes place in the EU;
  • controllers subject to Lithuanian law by virtue of public international law;
  • controllers and processors, which are not established in the EU, but have designated a representative in Lithuania to process the personal data of data subjects located in EU, where the processing activities are related to:
    • offering of goods or services, irrespective of whether a payment from the data subject is required; or
    • monitoring behaviour of data subjects in the EU.

The Law sets out:

  • certain restrictions on the use of personal identification code (see Section 12);
  • specific provisions in respect of the processing of personal data of employees and candidates (see more information under Sections 6 and 12);
  • the age of a child in relation to information society services (see Section 5);
  • exemptions from certain GDPR provisions in respect of the freedom of expression and information (see Section 12);
  • the powers of the supervisory authority (see Section 11 below).

The State Data Protection Inspectorate ('the VDAI') is empowered with the supervision and enforcement of the Law and of the GDPR in Lithuania. The VDAI has enacted several legal acts (decrees of the VDAI Director) in the area of data protection:

  1. Decree No. 1T-92 of 17 July 2019 Regarding the approval of the rules for conducting investigations and/or inspections by the State Data Protection Inspectorate (only available in Lithuanian here);
  2. Decree No. 1T-75 of 2 July 2019 Regarding approval of controlling questionnaires (only available in Lithuanian here);
  3. Decree No. 1T-48 of 5 April 2019 Regarding approval of controlling questionnaires (only available in Lithuanian here);
  4. Decree No. 1T-35 of 14 March 2019 Regarding approval of a list of data processing operations subject to Data Protection Impact Assessment (only available in Lithuanian here);
  5. Decree No. 1T-34 of 8 March 2019 Regarding approval of the description of the procedure for consultation at the State Data Protection Inspectorate (only available in Lithuanian here);
  6. Decree No. 1T-28 of 5 March 2019 Regarding approval of the rules of procedure of the State Data Protection Inspectorate (only available in Lithuanian here);
  7. Decree No. 1T-84 of 29 August 2018 Regarding approval of the rules for prior consultation (only available in Lithuanian here);
  8. Decree No. 1T-82 of 29 August 2018 Regarding approval of recommended form for the personal data breach notification (only available in Lithuanian here);
  9. Decree No. 1T-73 of 30 July 2018 Regarding approval of the description of procedures for the data subject's rights to information, access, personal data rectification, deletion and restriction of personal data processing, where the data subject exercises these rights through the State Data Protection Inspectorate (only available in Lithuanian here);
  10. Decree No. 1T-72 (1.12.E) of 27 July 2018 Regarding approval of the procedure for submission of personal data breach notification to the State Data Protection Inspectorate (as amended on 29 August 2018 by order No. 1T-83) (only available in Lithuanian here);
  11. Decree No. 1T-68 of 18 July 2018 Regarding approval of the description of the procedure for authorising the transfer of personal data to third countries or international organisations (only available in Lithuanian here);
  12. Decree No. 1T-63 of 9 July 2018 Regarding approval of the model rules on the exercise of data subject rights (only available in Lithuanian here);
  13. Decree No. 1T-54 of 4 June 2018 Regarding approval of the recommended form for complaints (only available in Lithuanian here); and
  14. Decree No. 1T-52 of 24 May 2018 Regarding approval of an application for authorisation to transfer personal data to a third country or an international organisation (only available in Lithuanian here).

This Note provides a high-level overview of Lithuania-specific matters.

1.2. Guidelines

The VDAI has released several useful recommendations/guidelines:

  1. Reply to a frequently asked question regarding direct marketing (only available in Lithuanian here);
  2. Recommendation regarding the appointment of data protection officers in the public sector and specifics of regulation of their activities (only available in Lithuanian here);
  3. Summary regarding requirements for video recording (only available in Lithuanian here);
  4. Summary of most common cases when complaints are considered unreasonable by the VDAI (only available in Lithuanian here);
  5. Recommendation regarding the processing of video records in private household and block of flats (only available in Lithuanian here);
  6. Recommendation regarding the processing of personal data during the elections (only available in Lithuanian here);
  7. Guidelines on appropriate organisational and technical data protection safeguards for controllers and processors (only available in Lithuanian here);
  8. Recommendation to small and medium-sized businesses on application of GDPR (only available in Lithuanian here);
  9. Standard template for data protection impact assessment (only available in Lithuanian here);
  10. Recommendation on the procedure for detection, investigation, notification and filing of personal data security breaches (only available in Lithuanian here);
  11. Recommendation on requirements for draft legal acts regulating personal data processing (only available in Lithuanian here);
  12. Recommendation on records to be made about data processing activities (only available in Lithuanian here);
  13. Reply to a frequently asked question regarding the application of GDPR for processing data about members of managing bodies of legal entities (only available in Lithuanian here);
  14. Reply to a frequently asked question as to whether the GDPR provisions apply to natural persons who have published personal data of other individuals on social media (only available in Lithuanian here); and
  15. Reply to a frequently asked question on how controllers should inform about on-going video surveillance in an information table (only available in Lithuanian here).

1.3. Case Law

Since the GDPR became applicable in Lithuania, dozens of cases have been examined by the administrative courts.

Some of the most interesting cases concerning the interpretation of the GDPR by Lithuanian administrative courts are the following:

Case No. eI-1345-643/2019

In Case No. eI-1345-643/2019 of 17 June 2019 of the Vilnius Administrative Court (only available in Lithuanian here), the company challenged the decision of the VDAI, which had issued a reprimand for violations of the GDPR. The VDAI found that the company had violated Articles 5(1)(c) and 13 of the GDPR by disclosing sensitive personal data of a former employee to a recruitment company. The Vilnius Administrative Court ('the Court') found that the company had violated the rights of individuals enshrined in the GDPR. In particular, the principle of adequacy was infringed, as the company disclosed to the recruitment company the employee's personal data and the reason for dismissal, as well as other excessive information. The Court emphasised that data relating to an employee's labour discipline should be regarded as personal data within the meaning of Article 4 of the GDPR. The Court also found that the company did not comply with the data minimisation principle set out in Article 5 of the GDPR and disclosed the data to third parties without informing the data subject directly, thereby violating the principle of transparency enshrined in Article 13 of the GDPR. The Court decided that the decision of the VDAI was lawful and justified.

Case No. I-2363-583/2019

In Case No. I-2363-583/2019 of 15 March 2019 of the Vilnius Administrative Court (only available in Lithuanian here), an individual applied to the Court claiming non-pecuniary damage. The individual stated that he was being held in a detention cell which did not meet the requirements of the legislation. The cell was equipped with video surveillance cameras above the sanitary unit, which, according to the individual, violated his right to privacy. Pursuant to Articles 5 and 6 of the GDPR, the Court found that the supervision of individuals held in detention by means of technical measures was lawful in the light of the objectives pursued. Video cameras are installed in detention facilities to ensure the protection of human rights and freedoms, public order and the safety of individuals. The Court found that video surveillance in the cell was lawful for the performance of a task in the public interest and was consistent with Article 6 of the GDPR.

Case No. eI-2126-815/2019

In Case No. eI-2126-815/2019 of 3 April 2019 of the Vilnius Administrative Court (only available in Lithuanian here), a dispute arose after an individual complained to the VDAI about unlawful video surveillance. He stated that his neighbour had installed cameras that covered a larger area than the neighbour's private property and collected data about him and his family life. The VDAI ordered the neighbour to cease video surveillance outside his territory. The individual appealed to the Court seeking the annulment of the decision of the VDAI. The Court decided that video surveillance of a third party's property was unlawful and therefore dismissed the complaint.

Case No. I-4109-208/2018

In Case No. I-4109-208/2018 of 20 December 2018 of the Vilnius Administrative Court (only available in Lithuanian here), a police officer received a disciplinary sanction for sleeping in a service car and not performing his direct duties. The police officer appealed to the Court seeking the annulment of the disciplinary sanction, arguing that such continuous monitoring of employees is not compatible with the principle of proportionality under the GDPR. The Court held that, in applying the principle of transparency set out in Recital 39 of the GDPR, natural persons should be made aware of how personal data relating to them is collected, used, accessed or otherwise processed and to what extent such personal data is or will be processed. The Court decided that the police officer was aware of the continuous surveillance of the service car and had agreed to work under such conditions. The Court dismissed the complaint.

2. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY

2.1. Main regulator for data protection

Under the Law, personal data protection supervision activities in Lithuania are carried out by two institutions – the VDAI and the Office of the Inspector of Journalist Ethics ('ZEIT').

2.2. Main powers, duties and responsibilities

VDAI

The VDAI monitors the application of the GDPR and the Law. The VDAI performs the tasks of the supervisory authority and has the powers of the supervisory authority as defined in GDPR.

Additionally, the VDAI performs the following principal functions:

  1. advises data subjects, data controllers and processors on the protection of personal data and privacy, as well as develops methodological recommendations on the protection of personal data;
  2. provides assistance to data subjects residing abroad in accordance with the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (as amended by the Treaty No. 223 Protocol) and implements other provisions of the same;
  3. co-operates with, and participates in the activities of, the data protection supervisory authorities of other Member States, institutions and bodies of the European Union, and international organisations;
  4. implements state policy in the field of protection of personal data.

ZEIT

The principal function of the ZEIT is the protection of personal non-property rights (honour and dignity, privacy and personal data) in the field of public information. According to the Law, the function of the Inspector of the ZEIT ('the Inspector') is to monitor the application of the GDPR and to ensure that it is applied when personal data is processed for journalistic purposes and for academic, artistic or literary expression purposes.

The Inspector carries out the tasks of the VDAI and has the powers of the supervisory authority provided for under the GDPR, except for certain tasks and powers stipulated under:

  • Articles 57(1)(j) to 57(1)(l) and 57(1)(n) to 57(1)(t) of the GDPR;
  • Articles 58(1)(b) and (c) of the GDPR;
  • Articles 58(2)(e), (g), (h) and (j) of the GDPR; and
  • Articles 58(3)(a), (c) and 58(3)(e) to 58(3)(j) of the GDPR.

The competence of the ZEIT is limited to overseeing the processing of personal data for journalistic purposes and the purposes of academic, artistic or literary expression.

When exercising its powers, the Inspector must cooperate with the VDAI to ensure the consistent application of the data protection laws.

3. NOTIFICATION | REGISTRATION

3.1. National requirements

Upon commencement of application of the GDPR, the procedure of the VDAI for registration of controllers ceased to exist in Lithuania. Consequently, the register of personal data controllers was abolished by the VDAI.

Companies and organisations are no longer under obligation to report to the VDAI about personal data processing.

There are no fees foreseen under national legislation in this respect.

4. DATA SUBJECT RIGHTS

4.1. Variations of GDPR on right of information to be provided

There are no specific variations or restrictions in relation to the right of information in the Law or decrees of the VDAI director.

4.2. Variations of GDPR on right to erasure

There are no specific variations or restrictions in relation to the right to erasure in the Law or decrees of the VDAI director.

4.3. Variations of GDPR on right to restriction of processing

There are no specific variations or restrictions in relation to the right to restriction of processing in the Law or decrees of the VDAI director.

4.4. Variations of GDPR on right to data portability

There are no specific variations or restrictions in relation to the right to data portability in the Law or decrees of the VDAI director.

4.5. Variations of GDPR on automated individual decision-making, including profiling

There are no specific variations or restrictions in relation to automated individual decision-making, including profiling, in the Law or decrees of the VDAI director.

5. CHILDREN

5.1. National regulation of the processing of children's data and age of consent

Article 10(1) of the Law on Fundamentals of Protection of the Rights of the Child 1996 stipulates that a child has the right to his or her private and family life, the privacy of communications, the protection of personal data, the confidentiality of correspondence, honour and dignity, and the integrity and freedom of the individual.

With respect to Article 8(1) of the GDPR, the Law reduces the age of children's consent in relation to information society services from 16 to 14 years.

Consequently, where the child is below the age of 14 years and the data controller seeks to process data on the basis of consent, processing of the personal data of the child in relation to information society services shall be lawful only if and to the extent that the consent is given or authorised by the holder of parental responsibility over the child. In accordance with the provisions set out in Articles 2.7(1), 3.163(1) and (2) of the Civil Code of the Republic of Lithuania, the holder of parental responsibility for the child is his or her parents or guardians/curators.

6. PROCESSING OF SPECIAL CATEGORIES OF DATA & CRIMINAL CONVICTIONS

6.1. National regulation concerning the processing of special categories of data and criminal conviction data

There are no specific variations in relation to the processing of special categories of data in the Law or decrees of the VDAI director.

Article 5(1) of the Law complements Article 10 of the GDPR and explicitly prohibits processing of candidates' and employees' data on convictions and past criminal misdemeanours, unless such processing is necessary to verify that a person meets the requirements set out in the Law or implementing legislation for the respective position or performance of work related duties.

7. DATA PROTECTION OFFICER

7.1. Additional/varied requirements on DPO appointment, role and tasks

There are no specific variations or additional requirements on the appointment, role or tasks of the data protection officer ('the DPO') in the Law or decrees of the VDAI director.

The appointment of the DPO has to be registered with the VDAI by using the Electronic Service System (only available in Lithuanian here).

8. DATA BREACH NOTIFICATION

8.1. Variation/exemptions on breach notification obligation

There are no specific variations or exemptions on obligations in respect of breach notification in the Law.

The VDAI has approved a data breach notification form (only available in Lithuanian here), which may be used by data controllers when notifying the VDAI of a data breach under the GDPR. This form is not mandatory, and data controllers are free to use their own form provided it complies with the requirements of Article 33 of the GDPR. Moreover, data controllers may also use the Electronic Submission Portal to notify the VDAI of a breach (only available in Lithuanian here).

8.2. Sectoral obligations

Telecommunications

Under Article 62(4) of the Law on Electronic Communications of the Republic of Lithuania (the 'Electronic Communications Law'), in the event of a personal data breach, the provider of public communications networks and/or public electronic communications services must immediately notify the VDAI of the breach. If a personal data breach may adversely affect the security of the subscriber or registered user of electronic communications services or of another individual, the provider of public communications networks and/or public electronic communications services must also inform the subscriber or registered user of electronic communications services, or any other individual, unless the provider of public communications networks and/or public electronic communications services demonstrates to the VDAI that it had implemented appropriate technical measures that were applied to the personal data affected by the security breach.

In the notification, the provider of the public communications network and/or electronic communications service must describe the nature of the personal data breach and provide the contact details for further information and recommended measures to mitigate the adverse effects of the personal data breach. The notification to the VDAI, additionally, has to specify the consequences of the personal data breach and the measures proposed or taken by the provider of public communications networks and/or public electronic communications services to investigate the personal data breach.

The notifications referred to in the Electronic Communications Law have to be made in accordance with Regulation (EU) 611/2013 of the European Commission of 24 June 2013 on the Measures Applicable to the Notification of Personal Data Breaches under Directive 2002/58/EC of the European Parliament and of the Council on Privacy and Electronic Communications.

9. DATA PROTECTION IMPACT ASSESSMENTS

9.1. National activities subject to prior consultation/authorisation

Article 35(4) of the GDPR requires the supervisory authorities to establish and make public a list of the processing operations which are subject to the requirement for a Data Protection Impact Assessment ('DPIA'). Under Article 35(5) of the GDPR, the supervisory authorities may also establish and make public a list of the processing operations for which no DPIA is required.

On 14 March 2019, the VDAI published a list of processing operations which are subject to the requirement of a DPIA (only available in Lithuanian here):

  1. processing of personal data is carried out for the purposes of scientific or historical research in at least one of the following cases:
    • special category personal data is processed without the consent of the data subject, or the processing of personal data is carried out by linking or combining data sets;
    • data subjects whose personal data is processed are underage; and
    • personal identification code is processed.
  2. processing of personal data on a large scale, where personal data are obtained from sources other than the data subject and the provision of information required by Articles 14(1) and 14(2) of the GDPR, is impossible or would require disproportionate effort, or if the provision of such information is likely to render impossible or seriously impair the objectives of that processing;
  3. processing of personal data where notification regarding rectification or erasure of personal data or restriction of processing to recipients of personal data under Article 19 of the GDPR proves impossible or would require a disproportionate effort;
  4. processing of biometric data with the intention to identify a specific natural person, for the purposes of monitoring or controlling data subjects, or processing personal data of vulnerable data subjects;
  5. processing of genetic data during data subject's performance evaluation or scoring, including profiling and predicting;
  6. processing of personal data during video surveillance in at least one of the following cases:
    • in premises and/or areas that are not used by the data controller on the grounds of ownership or other legitimate grounds, when video surveillance is carried out in accordance with the principles of personal data processing set out in Article 5 of the GDPR;
    • in healthcare, social care, imprisonment and other facilities, where services are provided to vulnerable data subjects;
    • together with recording of sound.
  7. recording of telephone conversations;
  8. processing of personal data using innovative technologies or using existing technologies in a new way where personal data of vulnerable data subjects is processed;
  9. processing of children's personal data for direct marketing purposes, assessment of children's personal aspects based on automated processing, including profiling, or when children are directly offered information society services; and
  10. processing of employee personal data for the purposes of monitoring or control:
    • processing of personal video and/or sound data at the workplace and/or at the premises of the controller or in the areas where its staff are employed; and
    • processing of personal data related to the monitoring of employee communication, behaviour, location or movement.

9.2. National activities not subject to prior consultation/authorisation

The VDAI has not yet approved any list of processing operations for which no DPIA is required.

10. PROCESSING FOR SCIENTIFIC OR HISTORICAL RESEARCH PURPOSES

10.1. National implementation of Article 89 of the GDPR

There are no specific variations in relation to the processing for scientific or historical research purposes in the Law.

11. SANCTIONS

Lithuanian supervisory authorities have the right to carry out checks and investigations ex officio. In 2018-2019, the VDAI carried out a number of investigations, some of which concerned the processing of biometric data at sports clubs, as well as loyalty programmes and direct marketing carried out by grocery and pharmacy chains. In addition, supervisory authorities carry out investigations upon receipt of complaints.

During an investigation, the supervisory authorities have the right to request information and copies of data, to access premises without prior notice, etc. Legal and natural persons are required to comply with the requirements of the supervisory authority (including, but not limited to, the requirement to come to the premises of the supervisory authority) and to promptly provide information and/or explanations, copies and transcripts of documents, copies of data, equipment relating to the processing of personal data and the documents required for the exercise of supervisory functions.

Investigations by the supervisory authorities may result in administrative fines, warnings, reprimands and other corrective measures, as set out, for example, in the GDPR, the Law and other laws.

The decisions of supervisory authorities are subject to appeal before the administrative courts.

The Law specifies that administrative fines may be imposed only within two years from the date of the infringement, or, in case of a continuous violation, from the date the infringement became known.

Procedure for imposing fines under the Law

Upon deciding to impose an administrative fine and start the procedure for its imposition, the VDAI sends a document setting out the proposal for the imposition of an administrative fine to the entity under investigation. The entity is given no less than ten working days to respond to the findings. Failure to provide explanations and other information within the set time limit does not preclude the determination of an administrative fine.

Decisions of the VDAI are subject to appeal before the administrative courts.

12. OTHER SPECIFIC JURISDICTIONAL ISSUES

Processing of personal identification code

Under the Law, it is forbidden to:

  • disclose personal identification code publicly; and
  • use personal identification code for direct marketing purposes.

Processing of personal data and freedom of expression and information

The Law stipulates that where personal data is processed for journalistic or academic, artistic or literary purposes, Articles 8, 12 to 23, 25, 30, 33 to 39, 41 to 50 and 88 to 91 of the GDPR shall not be applicable.

Processing personal data of employees and candidates

The Law explicitly prohibits the processing of candidates' and employees' data on convictions and past criminal misdemeanours, unless such processing is necessary to verify that a person meets the requirements set out in law or implementing legislation for the respective position or performance of work related duties.

The controller may collect personal data of the candidate relating to qualifications, professional competences and business features from a former employer after informing the candidate, and from an existing employer only with the consent of the candidate.

When video and/or sound data is processed at the workplace and in the premises or areas of the controller, and when personal data relating to the monitoring of the behaviour, location or movements of employees is processed, employees must be provided with the information referred to in Articles 13(1) and 13(2) of the GDPR.

Accreditation

The Law provides for a new power of the VDAI to accredit certification bodies. The rules for accreditation will be developed by the VDAI.