May 2023

1. Governing Texts

The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') is the main legal instrument applied directly, regulating and stipulating the general rules for data protection in Lithuania.

The GDPR is supplemented by Law No. XIII-1426 of 30 June 2018 amending Law No. I-1374 (only available in Lithuanian here) ('Personal Data Protection Law'). If businesses do not have any presence (as a data controller or data processor) in Lithuania, the Personal Data Protection Law is not applicable.

1.1. Key acts, regulations, directives, bills

The main laws governing data protection in Lithuania are namely: 

• the GDPR; and 
• Personal Data Protection Law. 

1.2. Guidelines

Guidance and recommendations by the State Data Protection Inspectorate ('VDAI'), i.e. the Lithuanian data protection authority (are available in Lithuanian here).

1.3. Case law

There is no significant case law regarding GDPR enforcement.

2. Scope of Application

2.1. Personal scope

There are no national law variations, GDPR provisions shall be applied. 

2.2. Territorial scope

There are no national law variations, GDPR provisions shall be applied. 

2.3. Material scope

There are no national law variations, GDPR provisions shall be applied. 

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

In Lithuania data protection is divided between two supervisory authorities:

• the VDAI; and
• the Office of the Inspector of Journalist Ethics ('ZEIT'), which supervises data protection when data is processed for journalistic, academic, artistic, or literary purposes.

3.2. Main powers, duties and responsibilities

In addition to the tasks determined in Article 57 of the GDPR, according to Article 11 of the Personal Data Protection Law, the VDAI has the following duties:

• to advise data subjects, data controllers, and data processors on the protection of personal data and privacy, as well as develops methodological recommendations on the protection of personal data and make them publicly available on its website; and
• to participate in national policy development and execution regarding personal data protection.

In order to do so, the VDAI is vested with powers that, further to those arising under Article 58 of the GDPR, include the following arising under Article 12 of the Personal Data Protection Law, namely:

• to obtain from data controllers, data processors, state institutions, or any other legal entities, all information, including copies of documents or any data needed to execute its functions and tasks;
• to enter, without prior notice, the premises of the legal entity being investigated or the entity connected to it (including rented or otherwise used premises) or the area where the documents and/or equipment relating to the processing of personal data are located; access to the territory, buildings, or premises of the legal person (including rented or used on other grounds) is allowed only during the working hours of the legal person upon presentation of the necessary certification;
• to provide data controllers, data processors, and other legal or natural persons with recommendations and instructions regarding the processing of personal data and/or the protection of privacy; and
• to receive oral and written explanations from legal and natural persons during the investigation of violations, and to demand that they arrive at the offices of the VDAI for explanations.

ZEIT has fewer powers than the VDAI. Mainly ZEIT analyses complaints of data subjects in relation to their personal data being processed for journalistic, academic, artistic, or literary purposes. However, ZEIT can issue fines or other restrictive measures under Article 58(2) of the GDPR, for example, to issue warnings to a data controller or data processor.

4. Key Definitions

Data controller: There are no national law variations, GDPR provisions shall be applied.

Data processor: There are no national law variations, GDPR provisions shall be applied.

Personal data: There are no national law variations, GDPR provisions shall be applied.

Sensitive data: There are no national law variations, GDPR provisions shall be applied.

Health data: There are no national law variations, GDPR provisions shall be applied.

Biometric data: There are no national law variations, GDPR provisions shall be applied.

Pseudonymisation: There are no national law variations, GDPR provisions shall be applied.

5. Legal Bases

5.1. Consent

There are no national law variations, GDPR provisions shall be applied.

5.2. Contract with the data subject

There are no national law variations, GDPR provisions shall be applied.

5.3. Legal obligations

There are no national law variations, GDPR provisions shall be applied.

5.4. Interests of the data subject

There are no national law variations, GDPR provisions shall be applied.

5.5. Public interest

There are no national law variations, GDPR provisions shall be applied.

5.6. Legitimate interests of the data controller

There are no national law variations, GDPR provisions shall be applied.

5.7. Legal bases in other instances

According to the Personal Data Protection Law employers can collect data from previous candidate employees only after informing the candidate, and from previous or current employees only where they consent to this. Employers must inform their personnel, when they use any sound (e.g. phone taping) or video recording equipment to monitor personnel.

If personal data is being processed for journalistic, academic, artistic, or literary purposes, Articles 12–23, 25, 30, 33–39, 41–50, and 88–91 of GDPR do not apply

6. Principles

There are no national law variations, GDPR provisions shall be applied.

7. Controller and Processor Obligations

7.1. Data processing notification

There is no national requirement for data controllers or data processors to register or pay a fee.

7.2. Data transfers

There are no national law variations, GDPR provisions shall be applied.

7.3. Data processing records

There are no national law variations, GDPR provisions shall be applied.

7.4. Data protection impact assessment

Taking into account the costs of implementation, nature, scope, context, and purposes of processing, as well as the level of risk to the rights and freedoms of natural persons, data controllers, and data processors must implement technical and organisational measures to ensure a level of security appropriate to the risk (Article 32 of the GDPR).

Following Article 35 of the GDPR, the VDAI has issued Order No. 1T-35 (1.12.E) regarding the List of Data Processing Operations Subject to the Requirement to Perform Data Protection Impact Assessment ('the Lithuania DPIA Blacklist'). Data controllers should perform a Data Protection Impact Assessment ('DPIA') in relation to data processing operations included in that list. The list is not definitive, and it is up to the data controller to evaluate the need to perform a DPIA in other cases that fall within Article 35 of the GDPR.

In this regard, the VDAI has issued the following guidance on DPIAs and Article 6(1)(c) of the GDPR (only available in Lithuanian here).

The Lithuania DPIA Blacklist provides the following types of processing operations requiring a DPIA:

• personal data processing is conducted for scientific or historical research purposes in at least one of the following cases:
  • when special categories of personal data are being processed without the data subject's consent or personal data processing is conducted matching or combining datasets;
  • when data of under-age persons are processed; or
  • when the personal identification number is processed;
• large scale personal data processing, when personal data have been received not from the data subject, and the provision of information provided for in Article 14(1) and (2) of the GDPR proves impossible or would involve a disproportionate effort or such provision of information is likely to render impossible or seriously impair the achievement of the objectives of that processing;
• personal data processing when notification of data recipients, to whom personal data were disclosed, on personal data rectification, erasure or restriction of processing of personal data in accordance with Article 19 of the GDPR proves impossible or would involve a disproportionate effort;
• processing of biometric data for the purpose of uniquely identifying a natural person when processing is done for the monitoring or control purposes or processing of personal data of vulnerable data subjects;
• processing of genetic data while evaluating the data subject's features or scoring, including profiling and forecasting;
• processing of personal video data when video surveillance is conducted in at least one of the following cases:
  • in premises and/or territories which are not owned by the controller or managed on other legal grounds, when video surveillance is conducted in accordance with principles relating to the processing of personal data provided for in Article 5 of the GDPR;
  • at healthcare, social care, detention establishments, and other agencies where services are provided for vulnerable data subjects; and
  • combined with audio recording;
• recording of telephone conversations;
• personal data processing using innovative technologies or using existing technologies in a new way when personal data of vulnerable data subjects are processed;
• processing of personal data of children for direct marketing purposes, assessment of personal aspects of children which is based on automated processing, including profiling, or when information society services are offered to children directly; or
• processing of personal data of employees for monitoring or control purposes: processing of personal video and/or sound data in a workplace and/or data controller's premises or territories where its employees work; processing of personal data related to the monitoring of employees, communication, behaviour, place, or movement.

If a DPIA under Article 35 of the GDPR or the Lithuania DPIA Blacklist indicates that the processing is likely to involve a high level of risk, the controller must consult the VDAI. To this end, the VDAI has published a form to submit a prior consultation request (only available to download in Lithuanian here).

Processing not subject to prior authorisation/consultation

The VDAI has not issued any guidance or list of activities exempted from prior consultation/ authorisation.

7.5. Data protection officer appointment

There are no specific or different requirements on data protection officer ('DPO') appointment, role, and tasks in Lithuania.

Nonetheless, the VDAI has issued guidance on the appointment of DPOs (only available in Lithuanian here) ('the DPO Guidance'), which notes, among other things, that the DPO may be an employee of the organisation or an outside person.

Notably, businesses, organisations, or any other entities must inform the VDAI about DPO appointments.

In this regard, data controllers or data processors must provide the following information:

• company name, state registration number, and contact details;
• information as to who appointed the DPO (data controller or data processor); and
• DPO name, surname, and contact details (including email, address, and telephone number), DPO position (e.g. if they are not only a DPO, or information about where the DPO works, in cases where this function has been outsourced).

This data can be sent by email: [email protected], by mail, or document transfer system used by VDAI.

7.6. Data breach notification

As a general rule, it is mandatory for a data controller to notify the competent supervisory authority of any suffered personal data breach (Article 33(1) of the GDPR). For further information on general data breach requirements, see EU GDPR Data Breach Guidance Note.

In Lithuania general breach notification requirements apply. The Director of the VDAI has issued Order No. 1T-72(1.12.E) of 27 July 2018 concerning the Approval of the Procedure for Submitting a Personal Data Breach Notification to the State Data Protection Inspectorate (only available in Lithuanian here), which provides a list of the information that must be included in the data breach notification. For example, contact details of the data controller or data processor, DPO, information about the data breach, amount of data subjects affected, type of personal data, etc.

Sectoral obligations and data breach

Article 74 of Law on Electronic Communications No. IX-2135 of 15 April 2004 (the most updated version is only available in Lithuanian here) requires providers of publicly available electronic communications services to report any data breach to the VDAI following requirements stated in Regulation (EU) 611/2013 of 24 June 2013 on the Measures Applicable to the Notification of Personal Data Breaches under Directive 2002/58/EC on Privacy and Electronic Communications.

7.7. Data retention

The Personal Data Protection Law does not provide for any specific retention period for personal data. However, specific Lithuanian laws may provide for minimum (or maximum) retention periods, including:

• contracts for goods, works, services, acts of acceptance of goods, works, and services must be kept for ten years upon the expiration of the contract (The Office of the Chief Archivist of Lithuania Order No. V-100 of 9 March 2011) (only available in Lithuanian here) ('the Order No. V-100'));
• employment contract must be kept for 50 years upon the expiration of the contract ('the Order No. V-100'); and
• annual financial and budget implementation reports (sets of reports, etc.) must be kept for ten years ('the Order No. V-100')).

7.8. Children's data

Children must be at least 14 years old to validly consent to their data being processed.

7.9. Special categories of personal data

The Personal Data Protection Law forbids publishing personal codes (i.e. national identification numbers) and processing these for direct marketing purposes. Also, personal codes can be processed only if one of the legal bases stated in Article 6(1) of the GDPR applies.

According to the Personal Data Protection Law employers cannot collect data about employee or candidate criminal records; unless this is strictly necessary in relation to a job position (e.g. the security service etc.).

7.10. Controller and processor contracts

There are no national law variations, GDPR provisions shall be applied.

On 27 December 2021 the VDAI issued a Standard Contractual Clauses for the Data Processing Agreement ('Data Processing Agreement'). The Data Processing Agreement requires parties to provide information and agree to the obligation of the parties, information on processing of personal data, sub-processors, and instructions on processing of personal data.

8. Data Subject Rights

8.1. Right to be informed

According to Article 4 of the Personal Data Protection Law, data subjects do not have to be informed when their personal data is processed for journalistic, academic, artistic, or literary purposes.

In general, Article 4 of the Personal Data Protection Law states that when personal data is being processed for journalistic, academic, artistic, or literary purposes, Articles 8, 12 – 23, 25, 30, 33-39, 41-50, and 88-91 of the GDPR are not applicable to data controllers or data processors.

8.2. Right to access

According to Article 4 of the Personal Data Protection Law, the data subject does not have a right to access their personal data if it was collected for journalistic purposes and for academic, artistic, or literary expression purposes.

In general, Article 4 of the Personal Data Protection Law states that when personal data is being processed for journalistic purposes or for academic, artistic, or literary expression purposes, Article 8, 12 – 23, 25, 30, 33-39, 41-50, and 88-91 are not applicable to data controllers or processors.

8.3. Right to rectification

According to Article 4 of the Personal Data Protection Law, the data subject does not have a right to rectify their personal data if it was collected for the journalistic purposes and for academic, artistic, or literary expression purposes.

In general, Article 4 of the Personal Data Protection Law states that when personal data is being processed for the journalistic purposes or for academic, artistic, or literary expression purposes, Article 8, 12 – 23, 25, 30, 33-39, 41-50, and 88-91 are not applicable to data controllers or processors.

8.4. Right to erasure

According to Article 4 of the Personal Data Protection Law, data does not have to be erased if it was collected for journalistic, academic, artistic, or literary purposes.

In general, Article 4 of the Personal Data Protection Law states that when personal data is being processed for journalistic, academic, artistic, or literary purposes, Article 8, 12 – 23, 25, 30, 33-39, 41-50, and 88-91 of the GDPR are not applicable to data controllers or data processors.

8.5. Right to object/opt-out

According to Article 4 of the Personal Data Protection Law, the data subject does not have a right to object their personal data collection if it is being collected for the journalistic purposes and for academic, artistic, or literary expression purposes.

In general, Article 4 of the Personal Data Protection Law states that when personal data is being processed for the journalistic purposes or for academic, artistic, or literary expression purposes, Article 8, 12 – 23, 25, 30, 33-39, 41-50, and 88-91 are not applicable to data controllers or processors.

8.6. Right to data portability

According to Article 4 of the Personal Data Protection Law, the data subject does not have the right to data portability when data is being processed for journalistic, academic, artistic, or literary purposes.

In general, Article 4 of the Personal Data Protection Law states that when personal data is being processed for journalistic, academic, artistic, or literary purposes, Article 8, 12 – 23, 25, 30, 33-39, 41-50, and 88-91 of the GDPR are not applicable to data controllers or data processors.

8.7. Right not to be subject to automated decision-making

According to Article 4 of the Personal Data Protection Law, the data subject does not have the right to restrict processing for the purpose of automated individual decision-making, including profiling, if data is being processed for journalistic, academic, artistic, or literary purposes.

In general, Article 4 of the Personal Data Protection Law states that when personal data is being processed for journalistic, academic, artistic, or literary expression purposes, Article 8, 12 – 23, 25, 30, 33-39, 41-50, and 88-91 of the GDPR are not applicable to data controllers or data processors.

8.8. Other rights

There are no national law variations, GDPR provisions shall be applied.

9. Penalties

In Lithuania, administrative fines can be imposed not later than two years after the date on which the infringement was committed, or if the infringement is on-going, two years from the day on which it was established. In addition, the Personal Data Protection Law provides for the imposition of fines for infringements of the GDPR and the Personal Data Protection Law (Articles 1(3) and Article 32 of the Personal Data Protection Law). The imposition of fines are as follows (Article 33 of the Personal Data Protection Law):

• to impose an administrative fine on an authority or body that has infringed Articles 83 (4) (a), (b) and (c) of the GDPR up to 0.5% of the authority's or body's budget for the current year and other gross amounts received during the previous years' annual income, but not more than €30,000;
• to impose an administrative fine of up to 1% of the authority on an authority or body that infringes Articles 83 (5) (a) to (e) and/or 83 (6) of the GDPR or the amount of the budget of the institution for the current year and other gross annual income received in the previous year, but not more than €60,000; and
• to impose an administrative fine referred to in Articles 83 (4), (5) and (6) of the GDPR on an authority or body carrying out an economic activity.

9.1 Enforcement decisions

The VDAI has imposed fines related to, among other things, unlawful processing, failure to comply with the VDAI's orders, failure to conduct a DPIA, and failure to implement adequate technical and organisational measures.