21
Thu, Nov
61 New Articles

Data Protection Laws and Regulations in Lithuania

Data Protection Comparative Guide: 2024
Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Contributed by WALLESS.

What are the main data protection-related pieces of legislation and other regulations in Lithuania?

Lithuania adheres to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR). The GDPR is a comprehensive data protection law enacted by the European Union (EU) to ensure the privacy and security of personal data for all EU citizens. As a member state of the EU, Lithuania complies with GDPR requirements, implementing stringent measures to protect individuals' data rights. This includes obtaining explicit consent for data collection (when other data processing legal grounds cannot be applied), ensuring transparency in data usage, and providing mechanisms for individuals to access, rectify, or delete their personal data. Lithuania's commitment to the GDPR reflects its dedication to upholding high standards of data privacy and protection in line with EU regulations.

Additionally, the main national data protection-related legal acts in Lithuania are:

  • Law on Legal Protection of Personal Data of the Republic of Lithuania, dated June 30, 2018, No XIII-1426 (Law on Legal Protection of Personal Data);
  • Law on Legal Protection of Personal Data Processed for the Purposes of Prevention, Investigation, Detection or Prosecution of Criminal Acts, Execution of Punishments or for the Purposes of National Security or Defense, dated June 30, 2018, No XIII-1435 (Law on Data Protection for Crime Prevention and National Security);
  • Code of Administrative Offences of the Republic of Lithuania, dated June 25, 2015, Nr XII-1869 (Code of Administrative Offences);
  • Law on Cyber Security of the Republic of Lithuania, dated December 11, 2014, No XII-1428 (Law on Cyber Security);
  • Law on Electronic Communications of the Republic of Lithuania, dated April 15, 2004, No IX-2135 (Law on Electronic Communications);
  • Orders of the Director of the State Data Protection Inspectorate (SDPI);

Also, it is always useful to check and assess methodological information (e.g., guidelines, recommendations, instructions) adopted and published by the SDPI. Although these guidelines do not constitute legislation and are not legally binding on entities, they provide highly useful practical information. Adherence to these guidelines is strongly recommended when conducting business activities related to personal data in Lithuania.

Lithuania’s alignment with the GDPR and its data protection legal framework helps maintain coordinated practices for companies that already operate in other EU countries, streamlining their operations and compliance efforts across different jurisdictions. However, it remains essential for companies to review their policies to ensure they meet specific Lithuanian practices and regulatory nuances, thereby achieving full compliance within the local context.

What are the other primary definitions outlined in the legislation within your jurisdiction (among others, data processing, data processor, data controller, data subject, personal data, sensitive personal data, consent, etc., or equivalent)? 

In Lithuania, the legislation closely aligns with the GDPR, incorporating key definitions such as data processing, data processor, data controller, data subject, personal data, sensitive personal data, and others, thereby maintaining conformity with established EU standards on data protection and privacy. Since the Law on Legal Protection of Personal Data came into force on July 16, 2018, references to the Law on the Legal Protection of Personal Data of the Republic of Lithuania in Lithuanian laws and regulations are construed as references to the GDPR and, where applicable, the Law on the Legal Protection of Personal Data. For instance, although the Law on the Legal Protection of Personal Data provides several definitions for clarification purposes as they are understood in Lithuania, these definitions do not contradict those stated or otherwise described in the GDPR:

  • Direct marketing – any activity the purpose of which is to offer goods or services to persons by post, telephone, or any other direct means and/or to seek their opinion on the goods or services offered;
  • Public authorities and bodies – state and municipal authorities and bodies, enterprises and public bodies financed from state or municipal budgets and state monetary funds and authorized to perform public administration or to provide public or administrative services to persons or to perform other public functions in accordance with the procedure laid down by the Law on Public Administration of the Republic of Lithuania.

The Law on Data Protection for Crime Prevention and National Security also indicates several main definitions as they are understood in the scope of national security matters, such as personal data, personal data breach, biometric data, and data processing, e.g.:

  • Personal data – any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a personal identification number, location data, and an online identifier, or to one or more factors specific to their natural, physiological, genetic, mental, economic, cultural or social identity;
  • Biometric data – personal data relating to the physical, physiological, or behavioral characteristics of a natural person which, after specific technical processing, allow for the accurate identification or confirmation of that natural person, such as facial images or dactyloscopic data;
  • Data processing – any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection, recording, sorting, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination with other data, restriction, erasure or destruction.

The analysis of primary definitions outlined in Lithuanian legislation reveals a close alignment with the GDPR as its data protection provisions apply completely. These definitions serve to enhance the understanding and implementation of data protection measures in specific contexts such as crime prevention and national security. Overall, the comprehensive definitions outlined in Lithuanian legislation reflect a commitment to safeguarding personal data and upholding privacy rights in accordance with EU regulations, particularly the GDPR.

This alignment offers significant benefits to entities looking to invest or operate in Lithuania. By ensuring consistency with the GDPR, Lithuania provides a stable and predictable regulatory environment, reducing the complexity and cost of compliance for businesses already familiar with EU standards. This legal coherence fosters trust and confidence among international investors and business partners, assuring them that data protection practices meet the highest European standards. Moreover, businesses operating in Lithuania can leverage this robust data protection framework to enhance their reputation and competitiveness in the global market, knowing that they are operating within a jurisdiction that prioritizes data privacy and security.

Which entities fall under the data privacy regulations in Lithuania?

Entities subject to data privacy regulations in Lithuania encompass a broad spectrum, including but not limited to government agencies, businesses, organizations, public authorities, and individuals who engage in the processing of personal data within the jurisdiction. These regulations apply universally across sectors and industries, ensuring comprehensive protection and compliance with data privacy laws. However, the scope is neither broader, nor narrower than to those entities, to whom the GDPR requirements apply.

In essence, all companies must adhere to data privacy regulations, as there is no company that does not process personal data. Whether handling customer information, employee records (all companies have at least one employee), or business contacts, every organization engages in some form of personal data processing. Compliance with data privacy laws is essential to protect individuals' rights, maintain trust, and avoid legal penalties. Therefore, it is imperative for all businesses to implement robust data protection measures and ensure they are consistently updated in line with current regulations. 

Do specific sectors or types of data have distinct regulatory regimes within your jurisdiction? If so, which?

As mentioned, Lithuania falls under the jurisdiction of the GDPR, meaning that its data protection regulations are fully applicable. Adherence to the data processing principles detailed in Article 5 of the GDPR, along with the clear and transparent communication of information to individuals regarding the processing of their personal data as stipulated in Articles 13 and 14, are essential aspects to consider when engaging in data processing activities in Lithuania.

Additionally, the Law on the Legal Protection of Personal Data outlines several specific features of the processing of personal data, which may slightly differ from other jurisdictions in the EU, e.g.:

  • Usage of personal identification number. It is prohibited to make the personal code public and to process it for direct marketing purposes.
  • Data relating to criminal convictions and offenses. There is a general prohibition on processing the personal data of a candidate applying for a position or performing work functions and an employee relating to criminal convictions and offenses, except in cases where these personal data are necessary to check whether a person meets the requirements set out in laws and implementing legislation to perform duties or work functions.
  • Collection of personal data from former/current employees. The controller may collect personal data relating to the qualifications, professional abilities, and personal qualities of a candidate applying for a post or job function from a former employer, after having informed the candidate. However, from a current employer such personal data be collected only with the consent of the candidate.
  • Monitoring of employees. When processing personal data linked to monitoring employees' behavior, location, or movement, these employees must be informed about such processing in writing or in another means that establishes the fact of notice about such processing.
  • Children's personal data. For the purpose of obtaining consent for information society services, the child must be at least 14 years old.

What rights do data subjects have under the data protection regulations in Lithuania?

The rights afforded to data subjects under data protection regulations in Lithuania closely mirror those outlined in Section III of the GDPR. These rights are supposed to grant data subjects significant control over their personal data, ensuring its protection and privacy.

  • Right to access – data subjects have the right to obtain confirmation from data controllers as to whether or not personal data concerning them is being processed, and if so, access to that personal data and certain related information.
  • Right to rectification – data subjects have the right to request the rectification of inaccurate personal data concerning them. They also have the right to have incomplete personal data completed.
  • Right to erasure (right to be forgotten) – data subjects have the right to request the erasure of personal data concerning them without undue delay under certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected or when the data subject withdraws consent.
  • Right to restriction of processing – data subjects have the right to request the restriction of processing of their personal data under certain circumstances, such as when the accuracy of the personal data is contested by the data subject.
  • Right to data portability – data subjects have the right to receive the personal data concerning them, which they have provided to a data controller, in a structured, commonly used, and machine-readable format, and have the right to transmit that data to another controller without hindrance.
  • Right to object to processing – data subjects have the right to object, on grounds relating to their particular situation, at any time to processing personal data concerning them, including profiling based on those provisions.
  • Right to withdraw consent – where processing is based on consent, data subjects have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
  • Right to lodge a complaint – data subjects have the right to lodge a complaint with the SDPI if they consider that the processing of personal data infringes the GDPR.

The SDPI has issued valuable methodological information for data subjects, what rights they have related to their personal data processing, and how they can exercise these rights (e.g., Guidance for Employees of the Protection of Personal Data in the Context of the Employment Relationship (2023), Personal Data Protection Guidelines for Data Subjects (2019), Personal Data Guidelines for Youth (2019), Personal Data Protection Guidelines for the Elderly (2019), etc.).

What is the territorial application of the data privacy regime in your jurisdiction?

The territorial scope of the data privacy regime in Lithuania aligns with the GDPR. It extends not only to organizations physically established within Lithuania but also to those outside its borders if they process the personal data of individuals within Lithuania in connection with their business scope, e.g., offering goods or services. This means that regardless of their location, entities processing the personal data of individuals within Lithuania must adhere to Lithuanian data protection laws, ensuring compliance with the GDPR and safeguarding the rights of individuals irrespective of geographical boundaries.

What are the key factors and considerations to adhere to when engaging in the processing of personal data within your jurisdiction?

The implementation of data processing principles delineated in Article 5 of the GDPR, alongside transparent disclosure of information to data subjects regarding personal data processing, as articulated in Articles 13 and 14 of the GDPR, are pivotal factors and considerations governing data processing engagement.

Furthermore, the Law on Legal Protection of Personal Data establishes specific standards, which may exhibit minor discrepancies from those in other EU countries. Moreover, Lithuania persists in encountering reports of data breaches; hence, due attention must be accorded to the adoption of organizational and technical data security measures.

What are the regulations and best practices concerning the retention and deletion of personal data in Lithuania? 

In Lithuania, regulations and best practices concerning the retention and deletion of personal data are primarily governed by the GDPR and the national data protection laws that complement it. The SDPI has also issued valuable methodological information for small and medium-sized businesses, as well as comprehensive Guidelines for Data Controllers and Data Processors under the Security Measures for Personal Data Processed and Risk Assessment, dated June 18, 2020. These guidelines include various recommendations for data controllers and data processors concerning data protection and data security, specifying the requirements they must fulfill to comply with the GDPR and applicable data security standards, including those related to the retention and deletion of personal data.

Here are some key aspects that data controllers and (or) data processors after verifying their risk assessment as indicated in the previously mentioned guidelines, should take into consideration, together with those stipulated in the GDPR, when conducting business in Lithuania:

  • Before any data storage medium is removed, all data on it must be destroyed using dedicated software that supports reliable data destruction algorithms. If this is not possible (e.g., DVD media), the physical destruction of the data medium without the possibility of recovery must be carried out a physical destruction of the data medium;
  • paper and portable data media (e.g., DVD media) on which personal data has been stored, must be destroyed with dedicated shredders or other mechanical means;
  • before removing media, multiple passes of software-based overwriting must be performed for all media to be removed;
  • if third-party services are used for secure data destruction and disposal of data media or paper documents, an appropriate service agreement must be concluded and records destroyed must be logged;
  • after data deletion, additional measures should be taken, for example, the removal of unwanted magnetic information (demagnetization) may be performed;
  • if a third party handles secure destruction of records, it should ideally be done on the controller and/or processor’s premises to prevent data transfer. If not feasible, it can be done elsewhere under the controller’s supervision.

The SDPI has issued several decisions infringement, inter alia, related to the retention period, e.g.:

  • On April 20, 2023, the SDPI fined a company EUR 20,000. The company had suffered a data breach in which the personal data of 50,000 data subjects was compromised. During its investigation, the SDPI found that the company had failed to implement appropriate technical and organizational measures to protect personal data. These included the lack of adequate access controls and authentication of IT system administrators in the controller's information systems. Also, the SDPI found that the company failed to set an appropriate retention period for personal data.
  • On January 24, 2023, the SDPI fined a company EUR 8,000. The controller failed to properly fulfill the data subject's right to access their personal data processed by the company. The controller partially provided information about the processing of the data subject's personal data, but the data subject was not given the opportunity to verify the legal basis for the processing of their personal data, the specific data being processed, the purposes of the processing, the retention period, etc.

These decisions underscore the importance of implementing robust data protection measures, setting appropriate data retention periods, and ensuring transparency with data subjects regarding their personal data. Companies can use these examples to review and improve their own data protection practices to avoid similar infractions and penalties. 

Who serves as the regulatory authority(s) in your jurisdiction regarding data protection?

Lithuania is unique in its approach to data protection, featuring two supervisory authorities responsible for enforcing data privacy regulation: the State Data Protection Inspectorate (SDPI) and the Office of the Inspector of Journalists' Ethics (OIJE).

The SDPI serves as the primary regulatory authority, overseeing compliance with data protection laws, including the GDPR and national legislation. Its duties encompass providing guidance to organizations, addressing complaints from data subjects, conducting investigations into data protection breaches, and imposing sanctions for non-compliance. The SDPI's work is essential in safeguarding the rights and freedoms of individuals concerning the processing of their personal data in Lithuania. 

Complementing the SDPI, the OIJE focuses on ensuring adherence to ethical standards in journalism. It oversees the conduct of journalists and media organizations to maintain professional ethics, accuracy, and integrity in reporting. The OIJE is responsible for overseeing the GDPR when personal data are processed for journalistic purposes or for purposes of academic, artistic, or literary expression. This includes monitoring how personal information is shared on social media and through mass media outlets such as television, radio, podcasts, newspapers, and websites. Data subjects who believe their rights have been violated in these contexts can approach the OIJE to initiate an investigation or handle a complaint. 

Is the appointment of a Data Protection Officer mandatory for certain organizations or sectors in Lithuania, and under what conditions? 

In Lithuania, there are no disparate regulations governing the appointment of a Data Protection Officer (DPO) across different organizations or sectors. The requirement for appointing a DPO in Lithuania aligns with the provisions stipulated in the GDPR. The GDPR delineates the criteria determining when a DPO must be appointed, and these criteria uniformly apply across all EU member states, including Lithuania. Consequently, the conditions mandating organizations to designate a DPO in Lithuania remain in harmony with the requirements set forth in the GDPR. This uniformity aims to ensure consistent levels of data protection throughout the EU and to facilitate the seamless implementation and enforcement of data protection laws across member states.

In essence, according to the GDPR, organizations must appoint a DPO in the following circumstances: 

  • public authorities and bodies (if the processing is carried out by a public authority or body, except for courts acting in their judicial capacity);
  • regular and systematic monitoring of data subjects on a large scale: When the core activities of the organization involve regular and systematic monitoring of data subjects on a large scale. This may include online behavior tracking, profiling for marketing purposes, or monitoring employee activities;
  • large-scale processing of special categories of data or data relating to criminal convictions and offenses. When the organization's core activities consist of large-scale processing of special categories of data (sensitive data) or data relating to criminal convictions and offenses it shall appoint a DPO.

The appointment of a DPO is intended to ensure compliance with data protection regulations and to act as a point of contact for data subjects and supervisory authorities.

How should data breaches be handled in your jurisdiction?

In Lithuania, the handling of data breaches must adhere to the stringent regulations set forth in the GDPR as well as relevant national data protection legislation. These regulations establish clear protocols for organizations to follow in the event of a data breach, emphasizing the importance of prompt detection, thorough investigation, and timely notification of affected individuals and supervisory authorities. Furthermore, the SDPI offers valuable guidance through its Recommendation on Procedures for Detecting, Investigating, Reporting, and Documenting Personal Data Breaches, issued on July 2, 2018. This recommendation outlines detailed procedures for managing data breaches, including steps for assessing the severity of the breach, documenting findings, and implementing corrective measures to prevent future incidents. The SDPI has also established the means how the report should be provided to the SDPI:

  • by filling in the e-service form on the e-Government Gateway;
  • by using the e-delivery system;
  • sending documents signed by e-signatures to This email address is being protected from spambots. You need JavaScript enabled to view it.;
  • presentation of the document by registered mail or on-the-spot delivery at the premises of the SDPI.

Effective handling of data breaches in Lithuania requires organizations to adopt a proactive and comprehensive approach to data security. This entails not only responding swiftly to breaches when they occur but also implementing robust preventive measures to minimize the risk of breaches in the first place. By closely following the guidelines established by the GDPR, national legislation, and the SDPI, organizations can ensure compliance with legal requirements while also safeguarding the rights and privacy of individuals affected by data breaches. Additionally, maintaining transparency and open communication throughout the breach response process is essential for building trust with data subjects and regulatory authorities, reinforcing Lithuania's commitment to upholding high standards of data protection and security.

What are the potential penalties and fines for non-compliance with data protection regulations in Lithuania? 

Based on the GDPR, fines for data protection violations may amount to EUR 20 million or up to 4% of the undertaking’s total worldwide annual turnover in the previous financial year, whichever is higher. However, the two largest fines imposed so far in Lithuania have been EUR 110,000 and EUR 61,500. 

Penalties for non-compliance with the GDPR, and other data protection regulations in Lithuania are relatively lower compared to some other EU member states. While GDPR violations can still result in fines as defined in the GDPR, the amounts tend to be less severe in Lithuania than in countries with stricter enforcement. However, it's essential for businesses and organizations to prioritize GDPR compliance to avoid potential penalties and maintain trust with customers. Compliance not only protects individuals' data rights but also helps build a positive reputation in the increasingly data-conscious market landscape.

Top 5 penalties and fines for non-compliance with data protection regulations in Lithuania imposed by the SDPI:

  • On November 29, 2021, the SDPI imposed an administrative fine of EUR 110,000 for the publication of the company's personal data of its customers – personal data of 110,302 users of the company’s service was disclosed and made public. It was decided that the company failed to ensure adequate management and control of the security of personal data and failed to assess, manage, and control the risk of loss of confidentiality of personal data contained in the database file. 
  • On May 16, 2019, during an inspection, the SDPI discovered that the controller processed excessive data beyond the required scope. Additionally, it was found that payment data became publicly accessible online due to insufficient technical and organizational safeguards in July 2018, affecting 9,000 payments across 12 banks from various countries. The SDPI determined that a data breach notification under Article 33 of the GDPR was necessary, but the controller failed to report it. Consequently, a fine of EUR 61,500 was imposed.
  • On June 21, 2021, a sports club received a fine of EUR 20,000 for requiring customers to scan their fingerprints to access gym services, without offering alternative identification methods. Moreover, the data controller was found to lack operational records and unlawfully processed employees' fingerprints without a legal basis or data protection impact assessment.
  • On April 20, 2023, the SDPI imposed a fine of EUR 20,000 in relation to a data breach. The company had suffered a data breach in which the personal data of 50,000 data subjects was compromised. During its investigation, the SDPI found that the company had failed to implement appropriate technical and organizational measures to protect personal data. These included the lack of adequate access controls and authentication of IT system administrators in the controller's information systems. Also, it was found that the company failed to set an appropriate retention period for personal data.
  • In February 2021, a fine of EUR 15,000 was imposed on the Centre of Registers, which infringed the GDPR clauses requiring it to ensure the integrity, availability, and resilience of its systems and services for the permanent processing of data and to be able to restore the conditions for, and the availability of, the access to personal data in the event of a physical or technical incident within the time limits set by law.

Worth mentioning that where the data controllers perform direct marketing activities with legal entities (B2B) without having a proper legal basis, according to the current practice of the SDPI, the violations of this issue may result in consequences rather under the Law on Electronic Communications than the GDPR. According to Article 83 of the Code of Administrative Offences, violation of the processing of personal data and the protection of privacy under the Law on Electronic Communications shall be punishable by a fine of between EUR 150 and EUR 580 for individuals and between EUR 300 and EUR 1,150 for CEOs or other responsible persons of legal entities. Repeatable offenses may result in a fine for individuals from EUR 550 to EUR 1,200, and, for CEOs or other responsible persons of legal entities, from EUR 1,100 to EUR 3,000. Since it is a current practice, however, there are no guarantees that this practice may not change. 

From prevailing trends, it is evident that the SDPI is adopting a stance of providing guidance and leadership rather than solely focusing on punitive measures when it comes to GDPR infringements. While maximum fines for violations have not been frequently imposed, there is a noticeable shift towards a more responsible approach to data protection. This shift is reflected in the gradual increase in fines over time. It suggests that the SDPI is prioritizing proactive measures such as guidance, education, and support to help organizations improve their data protection practices. This approach aims to foster a culture of compliance and accountability, encouraging organizations to prioritize data protection while mitigating the risks of future breaches.

Are there any noticeable patterns or trends in how enforcement is carried out in Lithuania?

The SDPI typically announces its inspection plan in the first quarter of each year. Due to limited resources, such yearly inspection plans usually target no more than 50 entities. The plans are primarily based on the number of complaints received in previous years or are linked to corrective measures previously imposed by the SDPI. Additionally, while the nationally approved first-year good practice of business supervision does not encompass data protection inspections, the SDPI generally excludes businesses operating for less than a year from its yearly inspection schedule.

Despite conducting relatively few scheduled inspections, the SDPI is obligated to investigate every complaint received and review every notification of a data breach, particularly concerning data leaks. The SDPI facilitates amicable settlement procedures for data subject complaint investigations, serving as a mediator between the data subject and data controller to facilitate a mutually agreeable resolution.

How do emerging technologies such as AI, IoT, and blockchain impact data protection considerations in Lithuania? 

As an EU member state, Lithuania is now tasked with implementing the recently adopted Artificial Intelligence Act (AI Act). The AI Act is a key element of the EU’s policy to foster the development and uptake across the single market of safe and lawful AI that respects fundamental rights. As explained by the Commission, the AI Act also seeks to address the use of general-purpose AI (GPAI) models. GPAI models not posing systemic risks will be subject to some limited requirements, for example with regard to transparency, but those with systemic risks will have to comply with stricter rules. This new regulation will apply two years after its entry into force, with some exceptions for specific provisions. As to Lithuania, the AI Act will serve as the basis for any forthcoming national regulatory measures aimed at advancing the development of artificial intelligence within Lithuania.

Additionally, the EU Data Act, which entered into force on January 11, 2024, enables a fair distribution of the value of data by establishing clear and fair rules for accessing and using data within the European data economy, a necessity heightened by the growing prevalence of the IoT. Thanks to this regulation, connected products will have to be designed and manufactured in a way that empowers users (businesses or consumers) to easily and securely access, use and share the generated data.

These EU regulations will be the background for related regulatory discussions in Lithuania. On one hand, the Lithuanian regulators are aware that over-regulation of emerging technologies may limit the use of innovation in the country and lead to a loss of competitive advantage. On the other hand, an overly liberal approach can lead to particularly severe consequences when it is difficult or too late to regulate measures that seriously violate human rights, including the right to privacy and personal data protection.

Moreover, Lithuanian highlights the necessity for high-quality, readily available data for emerging technologies and their research. As pointed out in the Lithuanian Artificial Intelligence Strategy, the AI system’s precision increases with the quality of the data set. Data inaccuracies and flaws can result in biased AI models, which can have unethical or discriminating effects.

This is why one of the important goals of Lithuania is to ensure that data used for emerging technologies complies with the European Union’s FAIR (“findable, accessible, interoperable, and reusable”) Data Management principles.

Are there any expected changes in data protection on the horizon in the next 12 months in Lithuania?

The draft Amending Law on Legal Protection of Personal Data is being debated in the Lithuanian Parliament (Seimas). Changes are expected in two areas:

  • Processing of personal data relating to criminal convictions and offenses. According to businesses' requests to have the possibility to process necessary personal data relating to criminal convictions and offenses of candidates applying for a position or performing work functions and an employee, amendments have been introduced establishing conditions that such personal data may be processed according to the legitimate interests of the employers, if:
    • a written balance test is performed, and exact roles are identified,
    • approved roles are publicized on the employer's website,
    • data relating to criminal convictions and crimes are submitted by the candidate applying for a post or executing work functions, or the employee themselves;
  • Procedure for publishing SDPI decisions. It is intended to publish such decisions publicly on SDPI's website no later than five working days from the date of adoption. It is worth mentioning, that when the decision relates to identified compliance with relevant regulations, the name of the data controller (processor) shall not be published. Decisions of the SDPI shall be published for a period of 10 years.

Download Guide PDF

 

Guide Contributors For Lithuania

Guoda Sileikyte, Associate Partner
guoda.sileikyte@walless.com 
+370 620 63676