In Lithuania, the supervisory authority has issued an order listing the situations in which a data protection impact assessment is required. This includes processing phone call recordings, using biometrics, etc.

The Commissioner defined cookies in an online dictionary as data stored on the computer that contains certain information. This rudimentary definition is supplemented by a brief explanation indicating that cookies allow each server to know which pages have been visited recently by simply reading them.

However, if the Entrepreneur has demonstrated to AEPC that it has taken the necessary technical protection measures and that these measures have been applied to the relevant data, the Entrepreneur is not obliged to inform the subscriber or the individual of the personal data breach. These technical safeguards ensure that personal data becomes unreadable to anyone who does not have authorized access to the data. In addition, the data shall be stored in a form which does not allow the identification of the persons concerned for longer than is necessary in relation to the purpose for which they were collected or further processed.

Supervisory and enforcement powers are shared between the State Data Protection Inspectorate and the Office of the Inspector of Journalistic Ethics. Its competence is limited to the control of the processing of personal data for journalistic purposes and for the purposes of scientific, artistic or literary expression. In exercising his powers, the Inspector of Journalistic Ethics shall cooperate with the Data Protection Authority to ensure the uniform application of data protection laws.
The controller or processor who processes personal data to provide business opportunities or services may use the personal data from a public data list. The controller or processor may no longer process such data if the data subject has objected to further processing.

Furthermore, in this opinion, the Commissioner underlines the importance for controllers to adopt data protection directives, which should include, inter alia:

Data protection legislation defines personal data as any information relating directly or indirectly to an identified or identifiable natural person, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity. The protection of personal data is based on the data being adequate, relevant to the purpose of their processing and not excessive in relation to that purpose, as well as accurate, up to date and complete.

Territorial scope. The law applies to controllers and processors established in Lithuania and to controllers under Lithuanian law based on international law. With regard to companies that offer goods or services or monitor the behaviour of data subjects in the EU, the law only applies to controllers and processors who have appointed a representative in Lithuania. This seems to imply that if, for example, an Asian company targets data subjects in Lithuania but has appointed a representative in Germany or is exempted from appointing a representative (Article 27(2) GDPR) or has not appointed a representative in violation of Article 27 GDPR, it is not obliged to comply with the law.

Personal data collected for any purpose may be further processed for historical, scientific or statistical purposes, provided that the data is not processed to take actions or decisions concerning an individual.

The GDPR is implemented by Law No. XIII-1426 of 30 June 2018 amending Law No. I-1374 (available only in Lithuanian) (“Personal Data Protection Act”). If the companies are not present in Lithuania (as data controllers or data processors), the Personal Data Protection Act does not apply. If the personal data is processed for journalistic, scientific, artistic or literary purposes, Articles 12-23, 25, 30, 33-39, 41-50 and 88-91 of the GDPR do not apply.

In accordance with Instruction No. 47 of 14 September 2018 “On establishing rules to maintain the security of personal data processed by large processors”, which, as mentioned above, only applies to large data processors, the DPO must immediately inform the large data processing unit in writing of any risk of violation of the rights of data subjects, even in the event of a violation of the legislation on the protection of personal data.
Providers of electronic communications services must include in the contract concluded with the user information on the retention, duration and processing of traffic data. The Law on electronic communications provides that such traffic data may only be processed by data subjects authorised by providers of electronic communications services, namely those responsible for billing or traffic management, customer service, marketing, fraud detection or the provision of value-added services, provided that the processing of traffic data is limited to the extent of their respective activities.

Data protection law introduces the obligation for the controller or processor to take appropriate organisational and technical measures to protect personal data against unlawful or accidental destruction, accidental loss or access or disclosure by unauthorised persons, as well as against any type of unlawful processing.

Giedrė Rimkūnaitė-Manke heads the GLIMSTEDT office, Vilnius, for intellectual property, technology, media and communication (TMC) and data protection. She is the initiator of the “GLIMSTEDT For Startup Business” platform, which is primarily educational and aims to provide start-ups with legal services in an extremely efficient and timely manner at a fair and reasonable price known in advance.

Data protection law prohibits the publication of personal codes (i.e. national identification numbers) and their processing for direct marketing purposes. In addition, personal codes can only be processed if one of the legal bases mentioned in Article 6(1) GDPR exists. The information provided by the controller through the notification, with the exception of the general description of the measures relating to the security of personal data, is published by the Commissioner's Office in the electronic register of controllers, which is publicly accessible on the official website.

Summary: Lithuania has implemented the GDPR through the law.
The VDAI has actively promoted the enforcement of data protection laws and has issued guidelines that address, among other things, biometric data, processing of personal data in the context of debt collection, as well as security measures and risk assessments.
The VDAI has focused on biometric data, as evidenced by the in-depth review of the use of biometric data in sport, the strengthening of international cooperation and public education in the field of personal data protection.