The State Data Protection Inspectorate ('VDAI') published, on 18 April 2023, the summarised results of data protection officers' ('DPOs') performance inspections. In particular, the VDAI highlighted that it carried out planned inspections on the activities of DPOs in 2022 to identify conformity with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

Notably, the VDAI identified that many DPOs, in performing other roles simultaneously, such as safety representative or other decision-making roles, had a conflict of interest, noting that DPOs must not determine the aims and means of processing personal data. Likewise, the VDAI outlines that in many cases, for larger organisations, the responsibilities of the DPO and other privacy professionals were not determined. Accordingly, the VDAI noted that, should more than one DPO need to be appointed, their team should be formed with clearly defined responsibilities and a division of functions.

In addition, the VDAI clarified that employees must be informed about the designated DPO and their function, so that they may easily contact the DPO regarding any questions about the GDPR. Further, the VDAI detailed that when the DPO of an organisation changes, information relating to such a change must be publicised.

Finally, the VDAI also outlined that DPOs must periodically conduct assessments and audits of compliance with the GDPR, and inform the data controller of the results, following findings that only a small number of DPOs perform such activities. In this regard, the VDAI provided that data controllers should provide every opportunity for DPOs to carry out the assessments of the audits.

You can read the announcement here and the inspection results here, both only available in Lithuanian.