
Collection and storage of data

Collection and management
In what circumstances can personal data be collected, stored and processed?

Personal data processing must have a legitimate basis. According to the Law on Legal Protection of Personal Data, this includes:

  • obtaining the data subject’s consent; and
  • serving the legitimate interests of the data controller or a third party to which the personal data is disclosed, unless these interests override the data subject’s interests (other criteria for legitimate processing of personal data would most likely be inapplicable in this case).

Data controllers must process personal data lawfully and honestly. Further, data processing must conform to the purposes for which it was collected and cannot exceed the extent required to fulfil these purposes. Therefore, the categories of personal data must be carefully examined and excluded from processing where they are unnecessary for the intended purpose of the processing.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

Personal data cannot be retained for longer than is necessary to achieve the purpose for which it was collected. If there is no legal basis (eg, a statutory obligation to keep accounting documents or private documents with archival value) for retaining personal data, it should be deleted.

There are no accepted standards for retention periods, but the State Data Protection Inspectorate is of the opinion that retention periods should be as short as possible.

Do individuals have a right to access personal information about them that is held by an organisation?

Yes – individuals must be provided with information about:

  • the exact purposes of the data processing;
  • the data retention period;
  • the data processors (if known);
  • their right to refuse personal data processing;
  • the consequences of refusal; and
  • other relevant information.

Do individuals have a right to request deletion of their data?

Yes – data subjects have a right to request rectification or destruction of their personal data or suspension of further processing.

Consent obligations
Is consent required before processing personal data?

Not necessarily. Personal data processing must have a legitimate basis which, according to the Law on Legal Protection of Personal Data, can include the data subject’s consent; however, another legal basis may apply.

If consent is not provided, are there other circumstances in which data processing is permitted?

Yes – the Law on Legal Protection of Personal Data sets out an exhaustive list of grounds for processing personal data, including where:

  • the data subject has given his or her consent;
  • a contract to which the data subject is party is concluded or performed;
  • the data controller is legally obliged to process personal data;
  • the processing is necessary in order to protect the data subject’s vital interests;
  • the processing is necessary for state and municipal institutions, agencies, enterprises or third parties to which the personal data has been disclosed to exercise their official authority; or
  • the processing is necessary for the data controller or a third party to which the data has been disclosed to achieve its legitimate interests, unless such interests are overridden by the data subject’s interests.

What information must be provided to individuals when personal data is collected?

Individuals must be provided with information about:

  • the exact purposes of the data processing;
  • the data retention period;
  • the data processors (if known);
  • their right to refuse personal data processing;
  • the consequences of refusal; and
  • other relevant information.

Data transfer and third parties

Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?

The Law on Legal Protection of Personal Data applies to personal data that is processed within Lithuania and transferred outside the jurisdiction.

If personal data is collected and processed by a local entity in Lithuania, transfers of personal data to countries outside the European Union or European Economic Area require prior authorisation from the State Data Protection Inspectorate (DPI). Access to personal data from outside the European Union and European Economic Area is considered a transfer for the purposes of the Law on Legal Protection of Personal Data.

Are there restrictions on the geographic transfer of data?

Yes – transfers from Lithuania to countries outside the European Union or European Economic Area must be authorised by the DPI, unless one of the statutory exceptions applies.

Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

If personal data is collected and processed by a local entity in Lithuania, transfers of personal data to countries outside the European Union and European Economic Area must receive prior authorisation from the DPI. Access to personal data from outside the European Union and European Economic Area is considered a transfer for the purposes of the Law on Legal Protection of Personal Data.
