DLA Piper Intelligence

Data Protection Laws of the World

Law

Lithuania

As a member of the European Union, Lithuania has implemented the EU Data Protection Directive 95/46/EC. Lithuania passed the Law on Legal Protection of Personal Data on 11 June 1996 (Data Protection Law), which has been amended on 17 July 2000, 22 January 2002 and 21 January 2003 in order to transpose the provisions from the Directive. The latest modifications to the Data Protection Law came into effect on 1 January 2017. The amendments are relatively small and insignificant as the industry is currently in expectation of the General Data Protection Regulation. Enforcement is carried out by the State Data Protection Inspectorate (DPI). 

In addition, Lithuania has fully transposed the Directive 2006/24/EC (the Data Retention Directive) into national law through the Law on Electronic Communications dated 15 April 2004 (Electronic Communications Law, latest amendments will come into effect on 1 May 2017). The Electronic Communications Law regulates protection of privacy in the area of electronic communications. 

Please note that the data retention requirements (6 months in Lithuania) were transposed into the relevant local laws from the Data Retention Directive (Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks) which was declared invalid by the CJEU by its decision of 8 April 2014 (Judgment in Joined Cases C-293/12 and C-594/12). 

The DPI has issued only a limited number of guidelines on particular data protection issues. Opinions and recommendations of the EU Article 29 Data Protection Working Party are often followed by the DPI and Lithuanian courts while interpreting abstract provisions of the Data Protection Law.  

Last modified 26 Jan 2017
Definitions

Definition of personal data

Any information relating to a natural person (i.e. data subject) who is known or who can be identified directly or indirectly by reference to such data as a personal identification number or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

Definition of sensitive personal data

In the Data Protection Law, sensitive personal data is called “special categories of personal data”.

Special categories of personal data are data concerning the racial or ethnic origin of a natural person, his political opinions or religious, philosophical or other beliefs, membership in trade unions, and his health, sexual life and criminal convictions.

Authority

The State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija in Lithuanian; website available at http://ada.lt/)

Address:
A. Juozapavičiaus str. 6
LT-09310 Vilnius Lithuania
T +370 5 279 1445
F +370 5 261 9494
ada@ada.lt

Registration

Data controllers must notify the DPI about processing of personal data by automated means unless one of the statutory exceptions applies. On the basis of this notification the DPI enters the data controller into the State Register of Personal Data Controllers. 

The Data Protection Law establishes the requirement that such data processing may be carried out only when the data controller or his representative notifies the Inspectorate, except in cases where personal data is processed:

  1. for the purposes of internal administration (including group level administration)

  2. for political, philosophical, religious or trade union related purposes by a foundation, association or any other non-profit organisation, on the condition that the personal data processed relates solely to the members of such organisation or to other persons who regularly participate in its activities in connection with the purposes of such organisations

  3. by the media for the purpose of providing information to the public or for artistic and literary expression, or

  4. in accordance with regulation on state secrets and official secrets. 

“Internal administration” covers activities which ensure the independent functioning of the data controller: administration, personnel management, management and use of property, financial resources, clerical work, etc. The DPI interprets internal administration only as those activities of data controllers that are necessary, inevitable and stemming directly from statutory requirements. Any other activity or data processing which does not directly derive from the law and is carried out at the initiative of the data controller is considered to exceed the purpose of internal administration and needs to be notified (e.g. operating a whistleblowing system, hotline, internal IT helpdesk, etc.). 

When notifying the Inspectorate of data processing, the data controller has to submit a standard notification form, which includes information about:

  1. the purpose of the data processing

  2. the groups of data subjects

  3. the sources of the personal data

  4. the groups of the receivers of the data

  5. the list of categories of personal data that are being processed

  6. the personal data transfers to foreign countries

  7. the personal data retention period

  8. the data processors, and

  9. the list of security measures. 

The DPI has 30 calendar days to adopt its decision. There is no stamp duty. Along with the notification, the data controller is required to submit a description of data security measures, which is a standard form document approved by the DPI. 

There are no periodical renewal obligations. However, the registrations should be periodically reviewed internally to make sure they reflect the actual situation and the needs of the company. 

There are no changes with respect to the prior checking procedure.

Data Protection Officers

Under the legislation of Lithuania the organisations (data controllers) have a right (but not an obligation) to designate a person to be responsible for the data protection (‘Data Protection Officer’). The data controller must notify the Inspectorate of appointment or withdrawal of the data protection officer within 30 days.

In addition, if no data protection officer is appointed, the CEO of the data controller will be ex officio deemed responsible for data protection compliance and will be also personally liable for any legal violations of the Data Protection Law.

Collection & Processing

Personal data processing must have a legitimate basis. A legitimate basis under the Data Protection Law can be, among other things, the consent of the data subject, or the legitimate interests of the data controller or of a third party to whom the personal data is disclosed, unless such interests are overridden by the interests of the data subject (the other criteria for legitimate processing of personal data would most likely be inapplicable in this case).

The data controller must process personal data lawfully and honestly, only in conformity with the intended purpose and not beyond the extent required. Therefore the categories of personal data must be carefully examined, and excluded from processing if their processing is not necessary for the intended purpose.

Transfer

Transfers within EU/EEA member countries from Lithuania can be carried out without any additional notification or authorisation of the DPI on the basis of a data transfer agreement. 

Transfers outside EU/EEA member countries from Lithuania must be authorised in advance by the DPI unless one of the statutory exceptions applies (the exceptions include the data subject’s consent, necessity for the performance of a contract, protection of the vital interests of the data subject, investigation of criminal activity, etc.). The DPI authorises data transfers to third countries if the applicant demonstrates that the recipient country ensures an adequate level of protection for personal data. After the Schrems decision, an adequate level of protection can be supported either by providing the DPI with the Standard Contractual Clauses (SCC) approved by the European Commission and concluded between the data importer and the data exporter, or with Binding Corporate Rules (BCR, i.e. an intra-group data transfer agreement), along with the request for authorisation of the transfer. 

The DPI has 2 months to adopt its decision. There is no stamp duty. There are no periodical renewal obligations. However, the authorisations should be kept up to date. 

Same rules apply with respect to transfers of sensitive personal data. Only direct processors (not sub-processors) must be filed with the DPI.

Security

Lithuanian data protection legislation obliges the data controller and data processor to implement appropriate organisational and technical measures intended for the protection of personal data against accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing. These measures must ensure a level of security appropriate to the nature of the personal data to be protected and the risks represented by the processing. Moreover, they must be defined in a written document (personal data processing regulations approved by the data controller, a contract concluded between the data controller and the data processor, etc.) in accordance with the general requirements on organisational and technical data protection measures laid down by the Inspectorate. Key measures taken shall be disclosed to the Inspectorate through the data controller registration form.

Specific data security requirements are set forth by General Requirements for Organisational and Technical Data Security Means approved by Order No 1T-71(1.12) of 12 November 2008 of the Director of the Inspectorate.

Breach Notification

In practice, the DPI seldom initiates investigations without a complaint from a data subject or other interested party.

Under the Electronic Communications Law, publicly available electronic communications services providers must notify the DPI of any personal data breach without delay. The provider must also notify the individual of such breach where it is likely to adversely affect their personal data or privacy.

There is no statutory requirement to inform the DPI or other state institutions about past non-compliance.

Enforcement

Failure to comply with data processing requirements may raise liability under the Code of Administrative Offenses of the Republic of Lithuania for illegitimate processing of personal data and imply a violation of the data subject’s rights. Currently the maximum administrative fine for improper processing of personal data is EUR 580 (EUR 1,200 for a repeated offense) or EUR 1,150 (EUR 3,000 for a repeated offense) for the head or other responsible person of a legal entity. A peculiarity of Lithuanian administrative law is that in the case of an administrative infringement, the managers of the company are fined and not the legal entity itself. 

The statute of limitation is two years from when the offense was committed; in the case of continuing offenses, two years after the offense was identified. 

Data subjects whose rights have been violated also have the right to claim compensation of damages (economic and moral) in the course of a civil claim. However such type of civil claims in practice are uncommon.

Electronic Marketing

Electronic marketing to individuals in Lithuania must only be conducted in accordance with the Data Protection Law, the Electronic Communications Law and the Law on Advertising of the Republic of Lithuania (Advertising Law). Only direct marketing tailored to natural persons is subject to the requirements of the above mentioned laws. Direct marketing actions that are targeting legal persons (i.e. companies) are not subject to any of these regulations.

General requirements for direct marketing:

  1. The customer has given his prior consent.

    Under Lithuanian law, an opt-in principle applies, i.e. the customer should actively express his willingness to receive commercial communication.

  2. The customer consent must be obtained separately from other terms of the contract between the parties.

    Consent cannot be obtained in the standard terms presented to the customer (e.g. “By accepting these terms you agree to receive our commercial communication to the e-mail provided to us”). The consent must stand separately from other contractual terms, so that the data subject has an actual possibility to choose whether he or she wants to receive commercial communication from the company or not.

  3. The company must ensure that customers have been given a clear, free-of-charge and easily realisable possibility not to give their consent or refuse giving their consent for the use of this data for the above-mentioned purposes at the time of collection of the data and, if initially the customer has not objected against such use of the data, at the time of each offer.

No direct marketing should be carried out where the contact has requested not to receive unsolicited direct marketing. 

Exemption: if the company has obtained a telephone number from its customer within the scope of its business transactions legitimately, the company is permitted to use the telephone number for promotional communication if such communication is regarding similar goods or services of the service provider. 

Additional requirements under the Advertising Law:

  1. Direct marketing must be clearly recognisable as commercial communication;

  2. The person on behalf of whom this commercial communication is distributed must be clearly identified;

  3. The content of the offer and conditions regarding receiving of the service must be formulated clearly and precisely. 

Each marketing communication is a separate violation, for which a penalty of up to EUR 3,000 may be imposed.

Online Privacy

Traffic Data

Traffic Data held by a public electronic communications services provider must be erased or anonymised when it is no longer necessary for the purpose of the transmission of a communication. However, Traffic Data can be retained if:

  • It is being used to provide a value added service

  • Consent has been given for the retention of the Traffic Data, and

  • It is required for investigation of a grave crime

Traffic Data can only be processed by a communications service provider (CSP) for:

  • The management of business needs, such as billing or traffic

  • Dealing with customer enquiries

  • The prevention of fraud, or

  • The provision of a value added service

Cookies

The use of cookies is permitted only if approved by the user (under Lithuanian law, an opt-in principle applies). However, consent is not required for cookies used for website’s technical structure and for cookies used for showing website’s content. Furthermore, consent is not required for session ID cookies and for so called 'shopping basket' cookies (these exceptions do not apply if such cookies are used for collecting statistical information on use of the website).

It is required to provide clear and exhaustive information on the use of cookies, including information about the purposes of the cookie-related data processing. This information should be provided in the privacy policy of the website. Consent to the terms of the website’s privacy policy or terms of use containing the information on the use of cookies is considered insufficient. Consent through web browser settings may be considered adequate only if the browser settings allow choosing which cookies may be used and for what purposes. However, considering the nature of currently used web browsers, consent through web browser settings is not considered appropriate under Lithuanian law. 

Location data

Processing of location data triggers the regulation of personal data processing laws. The data controller must have a legitimate basis for such personal data processing (e.g. the data subject has given his consent; a contract to which the data subject is party is being concluded or performed; the data controller is under a legal obligation to process the personal data; processing is necessary in order to protect the vital interests of the data subject; etc.).

Contacts

Kaupo Lepasepp
Partner
T +372 6 400 900

Mihkel Miidla
Senior Associate, Head of Technology & Data Protection
T +372 6 400 959