Data Protection & Privacy 2018 (Lithuania)

Questions on the law and the regulatory authority, scope, legitimate processing of PII and other related topics concerning data protection and privacy in Lithuania, answered. Below are the first 10 answers out of 42 that appeared in the publication Getting the Deal Through – Data Protection & Privacy 2018, including the Update and trends section.


1 Legislative framework

Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection (for example, the OECD guidelines, Directive 95/46/EC, the EU General Data Protection Regulation or the European Convention on Human Rights and Fundamental Freedoms)?

Data protection in Lithuania is governed by the Law on Legal Protection of Personal Data of the Republic of Lithuania (hereinafter referred to as the LPPDL). The LPPDL is substantially based on the European Union (hereinafter referred to as the EU) Data Privacy Directive 95/46/EC.

It is necessary to pay attention to the current changes in data protection regulation. The European Parliament and the Council have adopted Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as Regulation 2016/679), which comes into force on 25 May 2018. Regulation 2016/679 is directly applicable and from that date will have the same force in all Member States of the EU. In Lithuania, in addition, certain aspects will be addressed in the new version of the LPPDL. At this moment the Ministry of Justice of the Republic of Lithuania has submitted a draft of the LPPDL to the institutions and the public. It is expected that the new version of the LPPDL will come into force on 25 May 2018. Since only a draft of the new version of the LPPDL has been submitted so far, the answers below are based on the current version of the LPPDL.

2 Data protection authority

Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority (in particular any powers to require information, or carry out audits or inspections).

The Lithuanian data protection authority is the State Data Protection Inspectorate (SDPI). The SDPI shall have the right to:

  • to obtain access, subject to a prior notice in writing, or without a prior notice where the lawfulness of processing of personal data is to be checked in response to a complaint, to premises of the person being checked (including the premises rented or used on other grounds), or to the territory where the documents and equipment related to the processing of the personal data are kept. Access to the territory, buildings and premises of a legal person (including the buildings and premises rented or used on any other grounds) shall be permitted only during office hours of the legal person being checked, upon presenting a certificate of a civil servant. Access to residential premises (including premises leased or used on any other basis) of a natural person being checked, where documents and facilities related to the personal data processing are kept, shall be permitted only upon producing a court order warranting entry into the residential premises;
  • to obtain, free of charge, from state and municipal institutions and agencies, other legal and natural persons the entire necessary information, copies and transcripts of documents, copies of data and access to all data and documents necessary for the discharge of its functions of supervision of personal data processing;
  • to make recommendations and give instructions to the data controller on personal data processing and protection issues;
  • to draw up records of administrative offences in accordance with the procedure laid down in laws;
  • to use photo, video and audio recording equipment in gathering evidence in the course of checking the lawfulness of personal data processing;
  • to take part in legal proceedings over violations of the provisions of international and national law on personal data protection.

3 Breaches of data protection

Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?

Breaches of the rules stipulated by the LPPDL may result in administrative liability. The SDPI shall have the right to draw up records of administrative offences. Breaches may be punished by a fine.

Illegal collection of information about a person's private life, or disclosure and use of this type of information, may also result in criminal liability. These breaches are punished by imprisonment for a maximum period of three years, or arrest, or restriction of liberty, or a fine, or community service. Offences such as disclosure and use of information about a person's private life are only prosecuted if a formal complaint is filed by the affected data subject or his legitimate representative, or at the request of the prosecutor.

Moreover, according to LPPDL, any person who has sustained damage as a result of unlawful processing of personal data or any other acts (omissions) by the data controller, the data processor or other persons violating the provisions of this Law shall be entitled to claim compensation for pecuniary and non-pecuniary damage caused to him/her. The extent of pecuniary and non-pecuniary damage shall be determined by a court.

4 Exempt sectors and institutions

Does the data protection law cover all sectors and types of organisation or are some areas of activity (such as national security or policing) outside its scope? (Give details.)

The LPPDL provides for certain exceptions (there are entities and areas of activity to which it does not apply). The LPPDL shall not apply if personal data are processed by a natural person only for his personal needs not related to business or profession, and shall not apply to the processing of personal data of deceased persons. When personal data are processed for the purposes of state security or defence, the LPPDL shall apply to the extent that other laws do not provide otherwise.

5 Communications, marketing and surveillance laws

Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.

The LPPDL does not wholly cover interception of communications, electronic marketing or monitoring and surveillance of individuals. Relevant laws in this regard are the Law on Electronic Communications of the Republic of Lithuania and the Law on Cybersecurity of the Republic of Lithuania.

6 Other laws

Identify any further laws or regulations that provide specific data protection rules for related areas (for example, rules on e-health records, the use of social media or credit information)?

The Law on Mass Media of the Republic of Lithuania contains rules that apply to the protection of personal data used for mass media purposes. The Civil Code of the Republic of Lithuania and other healthcare acts contain special rules for the protection of information about a patient's health. The Law on Legal Protection of Personal Data Processed in the Framework of Police and Judicial Co-operation in Criminal Matters regulates personal data processing during police and judicial co-operation in criminal matters.

7 PII formats

What forms of PII are covered by the law? (Does the law cover all PII or is its scope limited by format, for example, electronic records only?)

The LPPDL shall regulate relations arising in the course of the processing of personal data by automatic means, and during the processing of personal data by other than automatic means in filing systems: lists, card indexes, files, codes, etc.

8 Extraterritoriality

Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?

The LPPDL is applicable when:

  • personal data are processed by a data controller established and operating in the territory of Lithuania, as a part of activities thereof. Where personal data are processed by a branch office or a representative office of a data controller of a Member State of the European Union or another state of the European Economic Area, established and operating in the Republic of Lithuania, such a branch office or representative office shall be bound by the provisions of this Law applicable to the data controller;
  • personal data are processed by a data controller which is established in the territory other than the Republic of Lithuania, but which is bound by the laws of the Republic of Lithuania by virtue of international public law (including diplomatic missions and consular posts);
  • personal data are processed by a data controller established and operating in a country which is not a Member State of the European Union or another state of the European Economic Area (hereinafter referred to as a “third country”), where the data controller uses personal data processing means established in the Republic of Lithuania, with the exception of the cases where such means are used only for transit of data through the territory of the Republic of Lithuania, the European Union or another state of the European Economic Area. In the case laid down in this subparagraph, the data controller must have its representative, that is, an established branch office or a representative office in the Republic of Lithuania which shall be bound by the provisions of this Law applicable to the data controller.

9 Covered uses of PII

Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners?

Basically all processing or use of PII is covered by the LPPDL; other laws provide more detailed provisions for specific sectors, types of organisation or areas of activity (see questions 4 and 5). There is also a distinction between the data controller (a legal or natural person which alone or jointly with others determines the purposes and means of processing personal data) and the data processor (a legal or natural person, other than an employee of the data controller, processing personal data on behalf of the data controller).

10 Legitimate processing – grounds

Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent? (Give details.)

Lithuanian legal regulation requires that the holding of PII have a specific legal ground for the processing of personal data. According to the LPPDL, personal data may be processed if:

  • the data subject has given his consent;
  • a contract to which the data subject is party is being concluded or performed;
  • it is a legal obligation of the data controller under laws to process personal data;
  • processing is necessary in order to protect vital interests of the data subject;
  • processing is necessary for the exercise of official authority vested by laws and other legal acts in state and municipal institutions, agencies, enterprises or a third party to whom personal data are disclosed;
  • processing is necessary for the purposes of legitimate interests pursued by the data controller or by a third party to whom the personal data are disclosed, unless such interests are overridden by interests of the data subject.

For special categories of personal data (data concerning the racial or ethnic origin of a natural person, his political opinions or religious, philosophical or other beliefs, membership in trade unions, and his health, sexual life and criminal convictions) the LPPDL stipulates stricter grounds.

UPDATE & TRENDS

Are there any emerging trends or hot topics in international data protection in your jurisdiction?

The European Parliament and the Council have adopted Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as Regulation 2016/679), which comes into force on 25 May 2018. Regulation 2016/679 is directly applicable and from that date will have the same force in all Member States of the EU. In Lithuania, in addition, certain aspects will be addressed in the new version of the LPPDL. At this moment the Ministry of Justice of the Republic of Lithuania has submitted a draft of the LPPDL to the institutions and the public. It is expected that the new version of the LPPDL will come into force on 25 May 2018.

The new version of the LPPDL establishes the peculiarities of certain aspects of personal data processing, as well as the legal basis and activities of the SDPI and other state institutions, which form the state policy in the field of personal data protection and monitor the application of Regulation 2016/679. Moreover, the new national legal regulation sets out the procedure for investigating violations and imposing administrative penalties by the supervisory authority. The new version of the LPPDL also establishes stricter rules for handling the personal identification code: a personal code cannot be used as the sole search criterion for searching other personal data. This requirement is considered one of the data security measures ensuring that personal data are not disclosed to other persons.