Guide to the Implementation of GDPR at the National Level: Lithuania
In Lithuania, the processing of personal data is governed by the Law on Legal Protection of Personal Data, which was updated on 16 July 2018 to align with the General Data Protection Regulation (GDPR). The State Data Protection Inspectorate serves as the Data Protection Authority (DPA) in Lithuania.
The GDPR sets the rules for processing personal data, and Lithuania adheres to these regulations. There are no additional rules on apportionment of liability between joint controllers, specific additional criteria governing whether processing for a new purpose is compatible with the purpose for which the personal data were initially collected, or specific exemptions to the rights of data subjects beyond those noted.
Data transfers from public registers are not subject to specific rules, and data transfers are not subject to restrictions beyond those set out in the GDPR. There are no additional pieces of legislation that govern processing by a processor, and prior authorisation from the DPA is only required in accordance with the provisions of the GDPR.
Decisions of the DPA can be appealed to the court in accordance with the procedure laid down in the Law on Administrative Proceedings. DPOs are only mandatory in the circumstances set out in Art. 37(1) GDPR, and DPOs are not subject to secrecy obligations under national law.
The Inspector of Journalist Ethics monitors the application of the GDPR and the Data Protection Law for journalistic and academic purposes. Not-for-profit bodies can bring claims on behalf of individuals if they have a specific mandate from those individuals and work in the field of personal data protection.
There are no specific rules governing the processing of personal data of deceased persons, but the GDPR allows member states some discretion over data relating to the deceased. Lithuaniaβs adherence to GDPR suggests personal data of deceased persons are subject to protections and potential post-mortem data could be handled cautiously under these rules.
Some privacy policies (e.g., from organizations operating under GDPR) explicitly allow individuals to give instructions regarding the management, retention, or erasure of their personal data after their death, indicating a recognized practice within the EU framework.
In certain cases, such as processing of personal data for the purposes of scientific or historical research where personal data are processed without the consent of the individual, processing the personal data of minors, processing national identification numbers, and more, an Impact Assessment must be undertaken.
There are no specific rules governing the processing of personal data in compliance with a legal obligation, for the exercise of official authority vested in the controller, or for the performance of tasks carried out in the public interest. Administrative fines can be imposed on public institutions for breaches of the GDPR.
The DPA periodically issues relevant guidance on the application of the GDPR. There are no current legal challenges regarding the validity or operation of the national GDPR implementation law. As of now, there are no specific safeguards for employees' dignity, legitimate interests, and fundamental rights in processing personal data in the employment context.
References:
- Health Data Reuse Law
- GDPR Compliance Guidelines
- Privacy Policies
- White & Case offers comprehensive services in international regulatory and legal matters, including those related to the processing of personal data.
- The partner team at White & Case has extensive experience in providing legal advice on data protection practices worldwide.
- White & Case's publications on GDPR Compliance provide valuable insights for businesses seeking to comply with the General Data Protection Regulation.
- Associates at White & Case work on various legal practice areas, including those related to data protection and compliance.
- The GDPR services provided by White & Case cover a wide range of aspects, from personal data processing to data transfers and compliance requirements.
- The processing of personal data under the GDPR requires specific considerations, such as the apportionment of liability between joint controllers.
- There are no additional criteria in Lithuania regarding the compatibility of processing personal data for a new purpose.
- The GDPR sets specific exemptions to the rights of data subjects, but Lithuania adheres strictly to these exemptions.
- Data transfers from public registers in Lithuania do not require specific rules, as they are governed by the GDPR.
- Prior authorization from the Data Protection Authority is only required in accordance with the GDPR and not by any specific Lithuanian legislation.
- A decision made by the Data Protection Authority can be appealed to the court in accordance with the Law on Administrative Proceedings.
- The DPO is mandatory only in circumstances specified in Art. 37(1) GDPR and not subject to secrecy obligations under national law.
- The Inspector of Journalist Ethics monitors the application of the GDPR and the Data Protection Law for journalistic and academic purposes in Lithuania.
- Not-for-profit bodies with a specific mandate from individuals and working in the field of personal data protection can bring claims on behalf of those individuals.
- The processing of personal data of deceased persons is not governed by specific rules in Lithuania, but the GDPR allows member states discretion over data relating to the deceased.
- Some privacy policies explicitly allow individuals to provide instructions regarding the management, retention, or erasure of their personal data post-mortem.
- An Impact Assessment must be undertaken in certain cases, including processing personal data for scientific or historical research, processing minors' personal data, and handling national identification numbers.
- There are no specific rules governing the processing of personal data in compliance with a legal obligation, for the exercise of official authority, or for the performance of tasks carried out in the public interest.
- Administrative fines can be imposed on public institutions for breaches of the GDPR, and White & Case provides counsel on how to avoid such penalties.
- White & Case's Data Protection and Privacy practice offers insightful guidance on the application of the GDPR for businesses operating in Lithuania.
- The GDPR Compliance Guidelines published by White & Case provide a roadmap for businesses seeking to comply with the EU's data protection framework.
- White & Case's privacy policies keep clients updated on the latest news and developments in the field of data protection and privacy.
- The processing of personal data in the employment context is not currently governed by specific rules in Lithuania, leaving employees at risk without adequate safeguards for their dignity, legitimate interests, and fundamental rights.
- White & Case also offers expertise in various sectors, such as finance, cybersecurity, lifestyle, fashion-and-beauty, food-and-drink, investing, wealth-management, home-and-garden, and personal-finance.
- In addition to data protection, White & Case offers legal services in technology, intellectual property, sports, and education-and-self-development.
- White & Case's technology practice encompasses various areas, such as data-and-cloud-computing, technology, artificial-intelligence, relationships, travel, cars, and gadgets.
- The GDPR is not limited to data protection, and Lithuanian businesses should be aware of its implications in other areas, such as sports, weather, and sports-betting.
- White & Case's wealth-management practice provides expertise in areas like gambling, casino-and-gambling, casino-games, lotteries, and responsible-gaming, ensuring that clients stay within legal boundaries.
- White & Case's football, baseball, hockey, golf, basketball, racing, tennis, mixed-martial-arts, sports-analysis, weather-forecasting, and sports-betting practices offer comprehensive legal advice for professionals and organizations in these fields.