Ask our legal expert!

Gencs Valters

info@gencs.eu

Claim your FREE copy

Doing Business Guide in the Baltics.

Data Protection in Lithuania

20 June 2011

LITHUANIA

TOPIC – ACCESS

1.1.Legal requirements

Article 22 of the Constitution indicates that the private life of a human being shall be inviolable. Personal correspondence, telephone conversations, telegraph messages, and other communications shall be inviolable. Information concerning the private life of a person may be collected only upon a justified court decision and only according to the law. The law and the court shall protect everyone from arbitrary or unlawful interference in his private and family life, from encroachment upon his honour and dignity.

The citizen shall have the right to receive, according to the procedure established by law, any information concerning him that is held by State institutions. The person presenting to the data controller or the data processor a document certifying his identity shall have the right to obtain information on the sources and the type of his personal data that has been collected, the purpose of their processing and the data recipients to whom the data are disclosed or have been disclosed for at least the last year. Having received an enquiry from a person concerning the processing of his personal data, the data controller must reply to person whether personal data relating to him are processed, and disclose to the person the requested data no later than within thirty calendar days of the date of the person’s enquiry. On a request of a person, such data must be disclosed in writing. Once in a calendar year the data controller shall disclose such data to the person free of charge. When such data are disclosed for a fee, the amount of the fee shall not exceed the cost of disclosure of the data. The procedure governing the fee for disclosure of data is determined by the Government.

Personal data can be disclosed under a data disclosure contract between the data controller and the data recipient in the case of a multiple disclosure or in response to a request of the data recipient in the case of a single disclosure. The contract must specify the purpose for which personal data will be used, the legal basis for disclosure and receipt, the conditions, the procedure of use and the extent of personal data that is disclosed. The request must specify the purpose for which personal data will be used, the legal basis for disclosure and receipt and the extent of personal data requested.

Personal data to data recipients in the European Union Member States or other countries of the European Economic Area shall be transferred on the same conditions and in accordance with the same procedure as that applicable to data recipients in the Republic of Lithuania. Transfer of personal data to data recipients in third countries shall be subject to an authorization from the State Data Protection Inspectorate. Without an authorization of the State Data Protection Inspectorate, personal data shall be transferred to a third country or to an international law enforcement organization only if:

1) the person has given his consent for the transfer of his personal data;

2) the transfer of personal data is necessary for the conclusion or performance of a contract between the data controller and a third party in the interests of the person;

3) the transfer of personal data is necessary for the performance of a contract between the data controller and the person or for the implementation of pre-contractual measures to be taken in response to the person’s request;

4) the transfer of personal data is necessary (or required by laws) for important public interests or for the purpose of legal proceedings;

5) the transfer is necessary for the protection of vital interests of the person;

6) the transfer is necessary for the prevention or investigation of criminal offences;

7) personal data are transferred from a public data file in accordance with the procedure laid down in laws and other legal acts

The level of legal protection of personal data shall be assessed by considering all circumstances related to transfer of data particularly the laws and other legal acts or acts prepared by the data controller on legal protection of personal data in force in the third country of destination, the nature of the data to be transferred, methods, purposes and duration of the data processing and safeguards applicable in the country concerned. The State Data Protection Inspectorate may grant an authorization to transfer personal data to a third country which cannot guarantee an adequate level of legal protection of personal data on condition that the data controller has established adequate data protection safeguards for the protection of an individual’s right to private life and the protection and exercise of other rights of the person. Such safeguards must be stipulated in the contract on the transfer of personal data to a third country or in other document concluded in writing.

Banks and other credit institutions as well as financial undertakings engaged in credit and (or) financial activities may disclose to each other the persons’ to whom these banks and other credit institutions as well as financial undertakings, who are engaged with credit and (or) financial activities, have rendered or intend to render financial services concerning the acceptance of the risk (as it is laid down in the Law on Financial Institutions) (hereinafter – services) and the persons’, providing security of obligations of the above mentioned persons’ to the above mentioned institutions and undertakings, personal data (name, surname, personal identification number (data of identity document if personal identification number is not given), the type and the amount of the requested and denied financial obligations, the types, the amount and the terms of performance of existing financial obligations, data about the performance of these obligations as well as data about previous financial obligations and their performance) for the purposes of evaluation of solvency on the condition that the persons have given their consent.

Banks and other credit institutions may obtain personal data only when the person:

1) applies to these institutions and undertakings for the services or for the security of financial obligations;

2) has received services from these institutions and undertaking or has given security for the financial obligations and it is necessary to evaluate the existence of the risk for the proper fulfillment of the undertaken obligations.

1.2. How is legal requirement typically addressed?

The data controller and data processor must implement appropriate organizational and technical measures intended for the protection of personal data against accidental or unlawful destruction, alteration and disclosure as well as against any other unlawful processing. These measures must ensure a level of security appropriate to the nature of the personal data to be protected and the risks represented by the processing and must be defined in a written document (personal data processing regulations approved by the data controller, a contract concluded by the data controller and the data processor, etc.).

Unauthorized access to personal data is subject to compensation for material or moral damages. However, such individual’s right to his personal data shall not prevail over any public interest, such as for gathering evidence in criminal investigations.

LITHUANIA

TOPIC:BIOMETRIC DATA

There is no legislation governing the processing of biometric data in Lithuania, except for the data that is processed in passports, identity cards, residence permits and managed by the police for identification purposes.
Specification on requests for personal documents’ issue, alteration, registration, orders for formation of personal documents and data on personal documents validity defines biometrics as a person's facial image and fingerprints.

Institutions, which according to the laws are granted the right to register the biometric data and / or requests for personal documents issue: the consular offices and diplomatic embassies, the Migration Department under the Ministry of Internal Affairs, the Vilnius District Police Headquarters Migration Board, the major counties chief of police headquarters Migration departments, the police offices’ immigration groups, the Public Service Department and other institutions responsible for the registration of the application and / or the issue of personal identification documents.

In Lithuania passports and other travel documents with biometric data were started to issue by the time indicated by European Union and the necessary equipment was purchased in 2006-2007. Biometric data and sample signatures are stored in the Register of Citizens of Lithuania. In order not to violate individual rights to privacy and the confidentiality of their life, the biometric data and sample signatures stored in the Register are accessible only for law enforcement and national security authorities.

For biometric data protection, the general Personal Data Protection Law’s rules, establishing the fair processing criteria and principles that must be followed in collecting and using personal data, are applicable:

Personal data may be processed when:

1) the data subject has given his consent;

2) a contract to which the data subject is party is being concluded or performed;

3) it is a legal obligation of the data controller under laws to process personal data;

4) processing is necessary in order to protect vital interests of the data subject;

5) processing is necessary for the exercise of official authority vested by laws and other legal acts in state and municipal institutions, agencies, enterprises or a third party to whom personal data are disclosed;

6) processing is necessary for the purposes of legitimate interests pursued by the data controller or by a third party to whom the personal data are disclosed, unless such interests are overridden by interests of the data subject.

It is prohibited to process special categories of personal data, except in the following cases:

1) the data subject has given his consent;

2) such processing is necessary for the purposes of employment or civil service while exercising rights and fulfilling obligations of the data controller in the field of labour law in the cases laid down in laws;

3) it is necessary to protect vital interests of the data subject or of any other person, where the data subject is unable to give his consent due to a physical disability or legal incapacity;

4) processing of personal data is carried out for political, philosophical, religious purposes or purposes concerning the trade-unions by a foundation, association or any other non-profit organisation, as part of its activities, on condition that the personal data processed concern solely the members of such organisation or to other persons who regularly participate in such organisation in connection with its purposes. Such personal data may not be disclosed to a third party without the data subject’s consent;

5) the personal data have been made public by the data subject;

6) the data are necessary, in the cases laid down in laws, in order to prevent and investigate criminal or other illegal activities;

7) the data are necessary for a court hearing;

8) it is a legal obligation of the data controller under laws to process such data.

Personal data relating to a person's record of conviction, criminal acts or security measures may be processed, for crime prevention, investigation purposes and in other cases laid down by laws, only by a state institution or agency in the manner laid down in laws. Other natural or legal persons may process such data in the cases laid down by laws provided that appropriate measures laid down in laws and other legal acts for the protection of legitimate interests of the data subject have been adequately implemented. Detailed data about previous convictions may be processed only according to the procedure laid by the Law on State Registers.

LITHUANIA

TOPIC: CONSENT

1. Legal requirement

Data protection Law defines the Consent as an indication of will given freely by a data subject indicating his agreement to the processing of his personal data for the purposes known to him. His consent with regard to special categories of personal data must be expressed clearly, in a written or equivalent form or any other form giving an unambiguous evidence of the data subject’s free will. Therefore, the personal data may be processed if the data subject has given his consent, and this especially applies to processing special categories of personal data.

The consent is one of the premises for Lawful Processing of Personal Data. However, there are other preconditions for personal data to be lawfully processed:

1) a contract to which the data subject is party is being concluded or performed;

This condition applies, as well, in case of employment contract. In accordance with the provisions of Data protection law, data processing can be carried out without the consent of a data subject, if it is necessary for the purposes of employment or civil service while exercising rights and fulfilling obligations of the data controller in the field of labour law in the cases laid down in laws.

2) it is a legal obligation of the data controller under laws to process personal data;

3) processing is necessary in order to protect vital interests of the data subject;

4) processing is necessary for the exercise of official authority vested by laws and other legal acts in state and municipal institutions, agencies, enterprises or a third party to whom personal data are disclosed;

5) processing is necessary for the purposes of legitimate interests pursued by the data controller or by a third party to whom the personal data are disclosed, unless such interests are overridden by interests of the data subject.

Banks and other credit institutions as well as financial undertakings engaged in credit and (or) financial activities may disclose to each other the data subjects’ to whom these banks and other credit institutions as well as financial undertakings, who are engaged with credit and (or) financial activities, have rendered or intend to render financial services concerning the acceptance of the risk (as it is laid down in the Law on Financial Institutions) and the data subjects’, providing security of obligations of the above mentioned persons’ to the above mentioned institutions and undertakings, personal data (name, surname, personal identification number (data of identity document if personal identification number is not given), the type and the amount of the requested and denied financial obligations, the types, the amount and the terms of performance of existing financial obligations, data about the performance of these obligations as well as data about previous financial obligations and their performance) for the purposes of evaluation of solvency on the condition that the data subjects have given their consent.

For the purposes of social insurance and social assistance administrative institutions of the State Social Insurance Fund and legal persons providing or administering social assistance shall exchange personal data without the data subject’s consent.

2. How is legal requirement typically addressed?

There are no special formalities to obtain consent from the data subjects, apart from the requirement that consent shall be issued freely and independently. In cases where the relationship between the data controller and the data subject is subordinate, such as employee data processing or consumer data processing, written consent is strongly recommended, as the burden of proof of establishing free and independent consent lies with the employer or business.

In order to have a valid consent in practice, it is necessary to give the data subject full information on how the data will be processed. This means that the following information should be provided:

Who is seeking the consent;
What personal data of the individual will be used;
For what purposes the individual's data will be used;
Other additional information (particular personal data that the data subject must provide and the consequences of his failure to provide the data, the right of the data subject to have an access to his personal data and the right to request for rectification of incorrect, incomplete and inaccurate personal data) in the extent that is necessary for ensuring fair processing of personal data without infringing upon the data subject’s rights.

3. Categories

(a) Data-types – no additional comments.

(b) Employment – In accordance to data protection act, data processing can be carried out without the consent of a data subject, if it is necessary for the purposes of employment or civil service while exercising rights and fulfilling obligations of the data controller in the field of labour law. It is also established through current practice, that where the public disclosure of personal data information is necessary for the purposes of employment, it is not treated as being subject to the protections in the DPA.

(c) Handling of data – no additional comments

Customers and marketing - Personal data may be processed for direct marketing purposes only after the data subject has given his consent. The data controller must provide a clear, free-of-charge and easily realisable possibility for the data subject to give or refuse giving his consent for the processing of his personal data for direct marketing purposes.

(d) Enforcement – Failure to obtain a relevant consent when required to do so constitutes "unfair" processing of personal data and is subject to complaints and to compensation for material or moral damages.

4. Template

There is no applicable template for this topic.

LITHUANIA

TOPIC - DATA PROCESSING

1.1. Legal requirements

Data protection Law regulates relations arising in the course of the processing of personal data by automatic means, and during the processing of personal data by other than automatic means in filing systems: lists, card indexes, files, codes, etc. The Law establish the rights of natural persons as data subjects, the procedure for the protection of these rights, the rights, duties and liability of legal and natural persons while processing personal data. This law defines Data processing as any operation, which is performed with personal data such as collection, recording, accumulation, storage, classification, grouping, combining, alteration (supplementing or rectifying), disclosure, making available, use, logical and/or arithmetic operations, retrieval, dissemination, destruction or any other operation or a set of operations. Data processing by automatic means is any operation performed with personal data carried out in whole or in part by automatic means. Data processor is defined as a legal or a natural person other than an employee of the data controller, processing personal data on behalf of the data controller. The data processor and/or the procedure of its/his nomination may be laid down in laws or other legal acts.

Art. 3 of Data Protection law provides the requirements for Personal Data Processing:

The data controller must ensure that personal data are: 1) collected for specified and legitimate purposes and later are not processed for purposes incompatible with the purposes determined before the personal data concerned are collected; 2) processed accurately, fairly and lawfully; 3) accurate and, where necessary, for purposes of personal data processing, kept up to date; inaccurate or incomplete data must be rectified, supplemented, erased or their further processing must be suspended; 4) identical, adequate and not excessive in relation to the purposes for which they are collected and further processed; 5) kept in a form which permits identification of data subjects for no longer than it is necessary for the purposes for which the data were collected and processed.

Personal data collected for other purposes may be processed for statistical, historical or scientific research purposes only in the cases laid down in laws, provided that adequate data protection measures are laid down in laws.

Personal data shall not be stored longer than it is necessary for data processing purposes. Personal data must be destroyed when they are no more needed for their processing purposes, with the exception of data which must be transferred to State archives in the cases laid down in laws.

Personal data may be processed when:

1) the data subject has given his consent;

2) a contract to which the data subject is party is being concluded or performed;

3) it is a legal obligation of the data controller under laws to process personal data;

4) processing is necessary in order to protect vital interests of the data subject;

It is prohibited to process special categories of personal data, except in the following cases:

1) the data subject has given his consent;

3) it is necessary to protect vital interests of the data subject or of any other person, where the data subject is unable to give his consent due to a physical disability or legal incapacity;

5) the personal data have been made public by the data subject;

6) the data are necessary, in the cases laid down in laws, in order to prevent and investigate criminal or other illegal activities;

7) the data are necessary for a court hearing;

8) it is a legal obligation of the data controller under laws to process such data.

The legitimate interests exception has been expressly recognised only recently (although available in the DPA since the original legislation) in the ruling by the High Administrative Court of the Republic of Lithuania in Chief Vilnius Police Commissariat v. Data Protection Inspectorate. This related to the online publication of the personal data of individuals convicted for driving under the influence of alcohol, narcotics and similar substances. The court ruled that such publication does not infringe upon personal data protection, as it is justified by the legitimate public interest in prevention of such acts.

The DPA contains limited exemptions for certain types of processing. For example, processing for domestic purposes or manual processing of personal data are largely exempt from the provisions of the DPA.

The processing of personal data by the media for the purpose of providing information to the public, artistic and literary expression is supervised by the Inspector of Journalist Ethics. His competencies are laid down in the Law on Provision of Information to the Public.

1.2. How is legal requirement typically addressed?

The data subject, in accordance with the procedure laid down in this Law, has the right: 1) to know (be informed) about the processing of his personal data; 2) to have an access to his personal data and to be informed of how they are processed; 3) to request rectification or destruction of his personal data or suspension of further processing of his personal data, with the exception of storage, where the data are processed not in compliance with the provisions of this Law and other laws; 4) to object against the processing of his personal data.

The data controller must provide the data subject from whom data relating him are collected directly, with the following information, except where the data subject already has it:1) the identity and permanent place of residence of himself (the data controller) and his representative, if any (where the data controller or his representative is a natural person), or requisites and the address of registered office (where the data controller or its representative is a legal person); 2) the purposes of the processing of the data subject’s personal data; 3) other additional information (the recipient and the purposes of disclosure of the data subject’s personal data; particular personal data that the data subject must provide and the consequences of his failure to provide the data, the right of the data subject to have an access to his personal data and the right to request for rectification of incorrect, incomplete and inaccurate personal data) in the extent that is necessary for ensuring fair processing of personal data without infringing upon the data subject’s rights.

Where the data controller obtains personal data not from the data subject, he must inform the data subject about that before the start of personal data processing or, if he intends to disclose the data to third parties, he must inform the data subject about that no later than by the moment when the data are disclosed for the first time, except in the cases where laws or other legal acts determine the procedure for collection or disclosure of such data and data recipients. In such case, the data controller must provide the data subject with the following information, except where the data subject already has it:

1) the identity of himself (the data controller) and his representative, if any; his permanent place of residence (where the data controller or his representative is a natural person); or requisites and address of registered office (where the data controller or its representative is a legal person);

2) the purposes of the processing or the intended processing of the data subject’s personal data;

3) other additional information (the sources and the type of the data subject’s personal data which are or will be collected; the recipient of the data subject’s personal data and the purposes of the disclosure; the date subject’s right to have access to his personal data and his right to request rectification of incorrect, incomplete and inaccurate personal data to the extent necessary to ensure fair processing of personal data without infringing upon the rights of data subjects.

Violations of Data protection Law requirements render data controllers, data processors and other persons liable under the laws. Any person who has sustained damage as a result of unlawful processing of personal data or any other acts (omissions) by the data controller, the data processor or other persons, violating the provisions of this Law shall be entitled to claim compensation for pecuniary and non-pecuniary damage caused to him.

1.3. Categories

Personal Data Processing for Social Insurance and Social Assistance Purposes:

For the purposes of social insurance and social assistance administrative institutions of the State Social Insurance Fund and legal persons providing or administering social assistance may exchange personal data without the data subject’s consen.

Personal Data Processing for Health Care Purposes:

Personal data on a person’s health (its state, diagnosis, prognosis, treatment, etc.) may be processed by an authorised health care professional. A person’s health is subject to professional secrecy under the Civil Code, laws regulating patients’ rights and other legal acts. Personal data on a person’s health may be processed by automatic means, also for scientific medical research purposes the data may be processed only having notified the State Data Protection Inspectorate.

Personal Data Processing for the Purposes of Elections, Referenda and Citizens' Legislative Initiative:

Information compiled by the Central Electoral Committee on the basis of statements and other documents submitted by candidates or their representatives and announced on the Internet website, about candidates, votes received by the candidates, lists of members of electoral or referendum committees, observers, representatives, members of initiative groups and lists of donors of political campaigns may be revised after the announcement of election or referendum results, only for the purposes of correction of language mistakes or when the information on the Internet website differs from the information in the statements and other documents delivered at the time prescribed by legal acts. Personal identification numbers of the candidates and any other persons, their citizenship or numbers of their identification documents, the exact address (street, number of the house, number of the apartment) of their place of residence may not be made public on the Internet website.

Personal Data Processing for Scientific Research Purposes

Personal data may be processed for scientific research purposes on condition that the data subject has given his consent. Without the data subject’s consent, personal data may be processed for scientific research purposes only upon notifying the State Data Protection Inspectorate. Personal data which have even used for scientific research purposes must be altered immediately in the manner which makes it impossible to identify the data subject. The personal data collected and stored for scientific research purposes may not be used for any other purposes. Research results may be made public together with the personal data on condition that the data subject has given his consent to have his personal data made public.

Personal Data Processing for Statistical Purposes

Processing of personal data for statistical purposes is the carrying out of statistical surveys and disclosure and storage of their results. Personal data collected for other than statistical purposes may be used, in the cases laid down in laws, for the preparation of official statistical information. Personal data collected for statistical purposes may be disclosed and used for other than statistical purposes in accordance with the procedure and in the cases laid down in the Law on Statistics. Personal data collected for different statistical purposes shall be compared and combined only on condition that the personal data are protected against unlawful use for other than statistical purposes.

Special categories of personal data shall be collected for statistical purposes solely in the form which does not permit direct or indirect identification of the data subject, except in the cases laid down in laws.

Personal Data Processing for Direct Marketing Purposes

Personal data may be processed for direct marketing purposes only after the data subject has given his consent. Personal data may be processed for direct marketing purposes if, when collecting the data, the storage period for personal data is set. The data controller must provide a clear, free-of-charge and easily realisable possibility for the data subject to give or refuse giving his consent for the processing of his personal data for direct marketing purposes.

Personal Data Processing for Electronic Communication Purposes

It shall be prohibited to disclose the content of information transmitted over electronic communications networks and/or related traffic data to persons that are not actual users of electronic communications services without the consent of the interested actual users of electronic communications services or to create conditions for gaining access to such information and/or related traffic data. Persons other than actual users of electronic communications services shall be prohibited from listening, tapping, storing or otherwise intercepting information or related traffic data or gaining secret access to such information or related traffic data, except when legally authorised to do so.

Traffic data relating to subscribers and/or actual users of electronic communications services processed and stored by the provider of a public communications network and/or public electronic communications services must be erased or modified in such a way that it would not be possible to establish, either directly or indirectly, the identity of the subscriber or actual user when the data is no longer needed for the transmission of information.

Personal Data Processing for the Purpose of Evaluating a Person's Solvency and Managing His Debt

The data controller shall have the right to process and disclose to third parties having legitimate interests data, including personal identification number, of data subjects who have failed to fulfil, in a timely and proper manner, their financial and (or) property obligations (hereinafter - debtors) for the purpose of evaluating their solvency and managing their debt, provided that data protection requirements set out in legal acts are duly complied with.

The data controller shall have the right to disclose debtors’ data, including personal identification number, to other data controllers who process consolidated debtor files (hereinafter consolidated files). The data controller may process consolidated files for the purpose of disclosing such data to third parties having legitimate interests so that they could evaluate solvency of the data subject and manage his debt only if he has duly notified the State Data Protection Inspectorate which must carry out a prior checking.

Processing of Data about the Rendered Financial Services Connected to Risk Acceptance for the Purpose of Solvency Evaluation

Banks and other credit institutions as well as financial undertakings engaged in credit and (or) financial activities may disclose to each other the data subjects’ to whom these banks and other credit institutions as well as financial undertakings, who are engaged with credit and (or) financial activities, have rendered or intend to render financial services concerning the acceptance of the risk (as it is laid down in the Law on Financial Institutions) (hereinafter – services) and the data subjects’, providing security of obligations of the above mentioned persons’ to the above mentioned institutions and undertakings, personal data (name, surname, personal identification number (data of identity document if personal identification number is not given), the type and the amount of the requested and denied financial obligations, the types, the amount and the terms of performance of existing financial obligations, data about the performance of these obligations as well as data about previous financial obligations and their performance) for the purposes of evaluation of solvency on the condition that the data subjects have given their consent.

Banks and other credit institutions as well as financial undertakings engaged with credit and (or) financial activities shall ensure the received data subjects’ data are not:

1) processed for purposes incompatible with the purposes determined before the personal data concerned are collected;

2) stored for a period longer than twelve months, if a negative decision concerning the granting the service is taken.

Details of the competent national regulatory authority:

The State Data Protection Inspectorate (the “Inspectorate”)
A. Juozapavičiaus g. 6 / Slucko g. 2
LT-09310 Vilnius
Lithuania

www.ada.lt

1.4.Templates

There is no applicable template for this topic.

LITHUANIA

TOPIC: DATA CONTROLLER

1. Legal requirement

Data Protection Law defines Data controller as a legal or a natural person which alone or jointly with others determines the purposes and means of processing personal data. Where the purposes of processing personal data are laid down in laws or other legal acts, the data controller and/or the procedure for its/his nomination may be laid down in such laws or other legal acts.

In accordance with the Law on Legal Protection of Personal Data of the Republic of Lithuania, every data controller shall be registered in the State Register of Personal Data Controllers.

The data controller has the right to designate person or unit to be responsible for data protection. The person or unit responsible for data protection shall 1) make public the processing of personal data actions carried out by the data controller in accordance with the procedure established by the Government; 2) supervise as to whether personal data are processed in compliance with the provisions of this Law and other legal acts on data protection; 3) initiate the preparation of the notifications to the State Data Protection Inspectorate of the existence of circumstances specified in Article 33(1) of this Law; 4) monitor the processing of personal data carried out by the data controller’s employees; 5) present proposals, findings to the data controller regarding establishment of data protection and data processing measures and supervise implementation and use of these measures; 6) undertake measures to eliminate any violations in the processing of personal data without delay; 7) instruct employees authorised to process personal data on the provisions of this Law and other legal acts on personal data protection; 8) initiate the preparation of applications to the State Data Protection Inspectorate of the inquiries regarding processing and protection of personal data; 9) assist the data subjects in exercising their rights; 10) notify the State Data Protection Inspectorate in writing upon finding that the data controller processes personal data violating the provisions of this Law and other legal acts on data protection and refuses to rectify these violations.

The data controller must notify the State Data Protection Inspectorate of appointment or withdrawal of the person or unit responsible for data protection within thirty calendar days.

The data controller must ensure that personal data are:

1) collected for specified and legitimate purposes and later are not processed for purposes incompatible with the purposes determined before the personal data concerned are collected;

2) processed accurately, fairly and lawfully;

3) accurate and, where necessary, for purposes of personal data processing, kept up to date; inaccurate or incomplete data must be rectified, supplemented, erased or their further processing must be suspended;

4) identical, adequate and not excessive in relation to the purposes for which they are collected and further processed;

5) kept in a form which permits identification of data subjects for no longer than it is necessary for the purposes for which the data were collected and processed.

Personal data may be disclosed under a personal data disclosure contract between the data controller and the data recipient in the case of a multiple disclosure or in response to a request of the data recipient in the case of a single disclosure.

The data controller must provide the data subject with the conditions for exercising the rights laid down in laws, with the exception of cases laid down in laws when it is necessary to ensure:

1) state security or defence;

2) public order and prevention, investigation, detection and prosecution of criminal offences;

3) important economic or financial interests of the state;

4) prevention, investigation and detection of violations of official or professional ethics;

5) protection of the rights and freedoms of the data subject or other persons.

The data controller must justify the refusal to grant the request of the data subject to exercise the rights granted to the data subject by this Law. Having received a request from the data subject, the data controller must reply him within thirty calendar days of the date of data subject’s application. Where the request of the data subject is written, the data controller’s reply must also be written.

2. How is the legal requirement typically addressed?

The data controller and data processor must implement appropriate organisational and technical measures intended for the protection of personal data against accidental or unlawful destruction, alteration and disclosure as well as against any other unlawful processing. These measures must ensure a level of security appropriate to the nature of the personal data to be protected and the risks represented by the processing and must be defined in a written document (personal data processing regulations approved by the data controller, a contract concluded by the data controller and the data processor, etc.). The data controller shall process personal data himself and (or) shall authorise a data processor. Where the data controller authorises a data processor to process personal data, he must choose a data processor providing guarantees in respect of adequate technical and organisational data protection measures and ensuring compliance with those measures.

LITHUANIA

TOPIC:LEGAL REQUIREMENTS IN THE EVENT OF A DATA SECURITY BREACH RESULTING IN THE UNLAWFUL DISCLOSURE OF PERSONAL INFORMATION.

Complaints

A person shall have the right to lodge a complaint with the State Data Protection Inspectorate against acts (omissions) of the data controller violating the provisions of data protection laws. The State Data Protection Inspectorate also investigates persons’ complaints transmitted to it by other institutions.

Complaints are generally lodged in writing, including electronic format. Documents lodged by electronic means must be signed with a secure electronic signature. Having received an oral complaint or if the State Data Protection Inspectorate has established the existence of elements constituting a violation of this Law from mass media and (or) other sources, the State Data Protection Inspectorate may initiate an investigation on its own.

The complaint is required to contain the following information:

1) addressee - the State Data Protection Inspectorate;

2) full name and address of the complainant and, at the complainant’s choice, his telephone number or electronic mail address. Anonymous complaints are not investigated, unless the Director of the State Data Protection Inspectorate decides otherwise;

3) name of the complainer (data controller) and address of its registered office or his residence, or address of the place where data are processed;

4) description, time and circumstances of the act (omission) complained about;

5) the complainant’s application to the State Data Protection Inspectorate;

6) date of the complaint and the complainant’s signature.

The complaint may be covered with the evidence available or a description of them.

A failure to keep to the format of a complaint or give requisites does not constitute the basis for refusal to investigate the complaint.

A complaint must be investigated and a reply to the complainant given within two months of the date of receipt of the complaint, unless the investigation requires a longer period owing to the complexity of circumstances indicated in the complaint, plenitude of information or continuous character of actions complained about. In such cases, the period of investigation shall be extended but for not longer than two months. The entire period of investigation of a complaint may not be longer than four months. The complainant shall be informed of the decision of the State Data Protection Inspectorate to extend the period of investigation of the complaint. Complaints must be investigated in the shortest possible period.

Upon completion of an investigation, the State Data Protection Inspectorate shall make a motivated decision:

1) to admit the complaint as justified;

2) to reject the complaint;

3) to dismiss the investigation of the complaint.

At the request of the State Data Protection Inspectorate, data controllers and other legal and natural persons must immediately deliver information, copies and transcripts of documents, copies of data, and to give access to all data, facilities related with the processing of personal data, and documents necessary for the discharge of its function of supervision of personal data processing.

The Decisions of the State Data Protection Inspectorate may be appealed against in a court in accordance with the procedure laid down in laws.

Liability

Any act of non-compliance with the DPA or secondary data protection legislation gives rise to civil and administrative (but not criminal) liability. Administrative sanctions include reprimand and monetary fines of amounts from EUR 30 to EUR 1,200.

Recent case law has allowed sanctions under the Law on Advertising to be applied in case of marketing violations affecting personal data. As a result, significantly higher sanctions of up to EUR 9,000 would apply for violation of direct marketing rules.

Administrative prosecution can only be initiated against individuals who have committed a data protection violation, or the officer responsible for data protection issues within the company which has committed the violation. If such an officer does not exist, the CEO of the entity is held responsible for the data protection issues. The company itself may not be subject to administrative prosecution. Typical administrative penalties are fines from 300 to 1,000 Litas (EUR 85 to 300). Penalties are approximately doubled for repeated violations. A notable exception is the liability for violations of direct marketing rules, which separately applies to the company, which committed the violations. A separate penalty of up to EUR 9,000 would apply for such violations under the Law on Advertising. Responsible individual within such company may be held separately responsible and tried under the administrative prosecution rules outlined at the beginning of this paragraph.

The individual affected by the breach of the DPA is also entitled to claim pecuniary and moral damages.

Violations of data protection laws render data controllers, data processors and other persons liable under the laws. Any person who has sustained damage as a result of unlawful processing of personal data or any other acts (omissions) by the data controller, the data processor or other persons, violating the provisions of lawful processing of personal data shall be entitled to claim compensation for pecuniary and non-pecuniary damage caused to him. The extent of pecuniary and non-pecuniary damage shall be determined by a court.

LITHUANIA

Topic : Data Subject's Rights

What rights do Data Subjects have under Privacy Laws?

The data subject, in accordance with Lithuanian Privacy Laws, has the right: 1) to know (be informed) about the processing of his personal data; 2) to have an access to his personal data and to be informed of how they are processed; 3) to request rectification or destruction of his personal data or suspension of further processing of his personal data, with the exception of storage, where the data are processed not in compliance with the provisions of this Law and other laws; 4) to object against the processing of his personal data.

The data controller must provide the data subject with the conditions for exercising the rights laid down in this Article, with the exception when it is necessary to ensure: 1) state security or defence; 2) public order and prevention, investigation, detection and prosecution of criminal offences; 3) important economic or financial interests of the state; 4) prevention, investigation and detection of violations of official or professional ethics; 5) protection of the rights and freedoms of the data subject or other persons.

The data controller must justify the refusal to grant the request of the data subject to exercise the rights granted to the data subject by laws. Having received a request from the data subject, the data controller must reply him within thirty calendar days of the date of data subject’s application. Where the request of the data subject is written, the data controller’s reply must also be written.

The data subject may appeal against acts (omissions) of the data controller to the State Data Protection Inspectorate within three months of receipt of the reply from the data controller or within three months of the date when the time period for giving a reply expires. The acts (omissions) of the State Data Protection Inspectorate may be appealed against in the court in accordance with the procedure laid down in laws.

The right to be informed

The data controller must provide the data subject from whom data relating him are collected directly, with the following information, except where the data subject already has it: 1) the identity and permanent place of residence of himself (the data controller) and his representative, if any (where the data controller or his representative is a natural person), or requisites and the address of registered office (where the data controller or its representative is a legal person); 2) the purposes of the processing of the data subject’s personal data; 3) other additional information (the recipient and the purposes of disclosure of the data subject’s personal data; particular personal data that the data subject must provide and the consequences of his failure to provide the data, the right of the data subject to have an access to his personal data and the right to request for rectification of incorrect, incomplete and inaccurate personal data) in the extent that is necessary for ensuring fair processing of personal data without infringing upon the data subject’s rights.

2) the purposes of the processing or the intended processing of the data subject’s personal data;

When the data controller collects or intends to collect personal data from the data subject and processes or intends to process the data for the purposes of direct marketing, before disclosing data subject’s data he must inform the data subject about the recipient of his personal data and the purposes for which his personal data will be disclosed.

4.1 The Right of Access to Personal Data

The data subject presenting to the data controller or the data processor a document certifying his identity shall have the right to obtain information on the sources and the type of his personal data that has been collected, the purpose of their processing and the data recipients to whom the data are disclosed or have been disclosed for at least the last year.

Having received an enquiry from the data subject concerning the processing of his personal data, the data controller must reply to data subject whether personal data relating to him are processed, and disclose to the data subject the requested data no later than within thirty calendar days of the date of the data subject’s enquiry. On a request of a data subject, such data must be disclosed in writing. Once in a calendar year the data controller shall disclose such data to the data subject free of charge. When such data are disclosed for a fee, the amount of the fee shall not exceed the cost of disclosure of the data. The procedure governing the fee for disclosure of data shall be determined by the Government.

The Right to Request Rectification, Destruction or Suspension of Further Processing of Personal Data

Where the data subject, after familiarizing with his personal data, finds that his personal data are incorrect, incomplete and inaccurate and applies to the data controller, the latter must check the personal data concerned without delay and, at a written, oral or any other request of the data subject, rectify the incorrect, incomplete and inaccurate personal data and (or) suspend processing of such personal data, except storage, without delay.

Where the data subject, after familiarizing with his personal data, finds that his personal data are processed unlawfully and unfairly and applies to the data controller, the latter must check without delay and free of charge the lawfulness and fairness of the processing of personal data and, at a written request of the data subject, destroy the personal data collected unlawfully and unfairly or suspend processing of such personal data, except storage, without delay.

When, at the data subject’s request, processing of his (her) personal data are suspended, the personal data concerned must be stored until they are rectified or destroyed either at the data subject’s request or upon expiry of their storage period. Other processing operations of such personal data may be performed solely:

1) for the purpose of giving proof of the existence of circumstances due to which processing of the data was suspended;

2) where the data subject gives his consent for further processing of his personal data;

3) where the rights or legitimate interests of third parties have to be protected.

The data controller must notify the data subject of the performed or not performed rectification, destruction or suspension of processing of personal data at the data subject’s request without delay.

For questions, please, contact Valters Gencs, attorney at law at info@gencs.eu

The material contained here is not to be construed as legal advice or opinion.