Jurisdiction snapshot

Trends and climate
Would you consider your national data protection laws to be ahead of or behind the international curve?

The Law on Legal Protection of Personal Data is in line with the international curve.

The personal data protection provisions set out in the law closely follow the EU Data Protection Directive (95/46/EC), while the State Data Protection Inspectorate (DPI) – which supervises compliance with the Law on Legal Protection of Personal Data – largely follows the Article 29 Working Party.

Are any changes to existing data protection legislation proposed or expected in the near future?

Yes – the DPI plans to issue guidelines and opinions in the coming months as to how the national data protection legislation will be amended to align with the EU General Data Protection Regulation, which will apply to Lithuania as well as other EU member states in mid-2018.

Legal framework

Legislation
What legislation governs the collection, storage and use of personal data?

The Law on Legal Protection of Personal Data (dated June 11 1996 and published in the Official Journal in 1996 (63-1479) with subsequent revisions and amendments).

An English translation, which does not contain the latest amendments, is available at www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=435305.

Scope and jurisdiction
Who falls within the scope of the legislation?

The Law on Legal Protection of Personal Data applies where:

  • personal data is processed by a data controller established and operating in Lithuania (including a branch office or a representative office of a data controller established within the European Economic Area) by automatic means; or
  • a data controller from outside the European Economic Area uses personal data processing means established in Lithuania (except where such means are used only for transit through Lithuania).

What kind of data falls within the scope of the legislation?

The Law on Legal Protection of Personal Data applies only to the processing of personal data. According to the law, ‘personal data’ means any information relating to a data subject that identifies or can identify the data subject directly or indirectly, including personal identification numbers and factors specific to his or her physical, physiological, mental, economic, cultural or social identity.

Are data owners required to register with the relevant authority before processing data?

Yes – data controllers must notify the State Data Protection Inspectorate (DPI) about any processing of personal data by automated means, unless one of the statutory exceptions applies. On the basis of this notification, the DPI will enter the data controller in the State Register of Personal Data Controllers.

Is information regarding registered data owners publicly available?

Yes – the State Register of Personal Data Controllers database is available at https://ada.lt/go.php/lit/IMG/401.

Is there a requirement to appoint a data protection officer?

No obligation to appoint a data protection officer exists; however, a data controller can do so on its own initiative.

Enforcement
Which body is responsible for enforcing data protection legislation and what are its powers?

The DPI is in charge of supervising compliance with the Law on Legal Protection of Personal Data. It can impose fines and initiate investigations.

Collection and storage of data

Collection and management
In what circumstances can personal data be collected, stored and processed?

Personal data processing must have a legitimate basis. According to the Law on Legal Protection of Personal Data, this includes:

  • obtaining the data subject’s consent; and
  • serving the legitimate interests of the data controller or a third party to which the personal data is disclosed, unless these interests override the data subject’s interests (other criteria for legitimate processing of personal data would most likely be inapplicable in this case).

Data controllers must process personal data lawfully and honestly. Further, data processing must conform to the purposes for which it was collected and cannot exceed the extent required to fulfil these purposes. Therefore, the categories of personal data must be carefully examined and excluded from processing where they are unnecessary for the intended purpose of the processing.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

Personal data cannot be retained for longer than is necessary to achieve the purpose for which it was collected. If there is no legal basis (eg, a statutory obligation to keep accounting documents or private documents with archival value) for retaining personal data, it should be deleted.

There are no accepted standards for retention periods, but the State Data Protection Inspectorate is of the opinion that retention periods should be as short as possible.

Do individuals have a right to access personal information about them that is held by an organisation?

Yes – individuals must be provided with information about:

  • the exact purposes of the data processing;
  • the data retention period;
  • the data processors (if known);
  • their right to refuse personal data processing;
  • the consequences of refusal; and
  • other relevant information.

Do individuals have a right to request deletion of their data?

Yes – data subjects have a right to request rectification or destruction of their personal data or suspension of further processing.

Consent obligations
Is consent required before processing personal data?

Not necessarily. Personal data processing must have a legitimate basis which, according to the Law on Legal Protection of Personal Data, can include the data subject’s consent; however, another legal basis may apply.

If consent is not provided, are there other circumstances in which data processing is permitted?

Yes – the Law on Legal Protection of Personal Data sets out an exhaustive list of grounds for processing personal data, including where:

  • the data subject has given his or her consent;
  • a contract to which the data subject is party is concluded or performed;
  • the data controller is legally obliged to process personal data;
  • the processing is necessary in order to protect the data subject’s vital interests;
  • the processing is necessary for state and municipal institutions, agencies, enterprises or third parties to which the personal data has been disclosed to exercise their official authority; or
  • the processing is necessary for the data controller or a third party to which the data has been disclosed to achieve its legitimate interests, unless such interests are overridden by the data subject’s interests.

What information must be provided to individuals when personal data is collected?

Individuals must be provided with information about:

  • the exact purposes of the data processing;
  • the data retention period;
  • the data processors (if known);
  • their right to refuse personal data processing;
  • the consequences of refusal; and
  • other relevant information.

Data security and breach notification

Security obligations
Are there specific security obligations that must be complied with?

Under the Law on Legal Protection of Personal Data, data controllers and processors must implement appropriate organisational and technical measures to protect personal data against accidental or unlawful destruction, alteration and disclosure and any other unlawful processing. These measures must ensure a level of security that is appropriate to the nature of the personal data being protected and the risks of the processing. The measures must be defined in a written document (eg, personal data processing regulations approved by the data controller or a contract concluded by the data controller and the data processor) in accordance with the general requirements on the organisational and technical data protection measures laid down by the State Data Protection Inspectorate (DPI).

Specific data security requirements are set out in the General Requirements for Organisational and Technical Data Security Means, which have been approved by the director of the DPI.

Breach notification
Are data owners/processors required to notify individuals in the event of a breach?

Electronic communication service providers must notify individuals in the event of a breach where the breach is likely to have a negative impact on the privacy or data security of subscribers or registered users of the service or other persons. Other data owners and processors need not notify individuals in the event of a breach.

Are data owners/processors required to notify the regulator in the event of a breach?

Only electronic communication service providers are required to notify the DPI in the event of a breach. Other data owners and processors need not notify the DPI in the event of a breach.

Electronic marketing and internet use

Electronic marketing
Are there rules specifically governing unsolicited electronic marketing (spam)?

Direct marketing tailored to natural persons is subject to the requirements of the Law on Legal Protection of Personal Data and the Law on Electronic Communications. Direct marketing actions that target legal persons are not subject to these regulations.

Cookies
Are there rules governing the use of cookies?

Yes – the Law on Electronic Communications and the Order of the Director of State Data Protection Inspectorate on the Approval of Guidelines for the Use of Cookies and Similar Tools (July 25 2013, 1T-32 (1.12)).

Data transfer and third parties

Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?

The Law on Legal Protection of Personal Data applies to personal data that is processed within Lithuania and transferred outside the jurisdiction.

If personal data is collected and processed by a local entity in Lithuania, transfers of personal data to countries outside the European Union or European Economic Area require prior authorisation from the State Data Protection Inspectorate (DPI). Access to personal data from outside the European Union and European Economic Area is considered a transfer for the purposes of the Law on Legal Protection of Personal Data.

Are there restrictions on the geographic transfer of data?

Yes – transfers from Lithuania to countries outside the European Union or European Economic Area must be authorised by the DPI, unless one of the statutory exceptions applies.

Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

If personal data is collected and processed by a local entity in Lithuania, transfers of personal data to countries outside the European Union and European Economic Area must receive prior authorisation from the DPI. Access to personal data from outside the European Union and European Economic Area is considered a transfer for the purposes of the Law on Legal Protection of Personal Data.

Penalties and compensation

Penalties
What are the potential penalties for non-compliance with data protection provisions?

Failure to comply with data processing requirements may raise liability under the Code on Administrative Offences with regard to illegitimate processing of personal data and violations of data subjects’ rights. The maximum administrative fine for improper processing of personal data is €289 (€579 for repeat offences). For data protection violations by a legal person, this fine is imposed on the chief executive officer of the entity in question. The limitation period is six months from the date of the offence or, for continuing offences, six months from the date on which the offence is identified.

Compensation
Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?

Data subjects whose rights have been violated can claim compensation for damages (economic and moral) in accordance with the laws on civil procedure. However, in practice, civil claims on these grounds are uncommon.

Cybersecurity

Cybersecurity legislation, regulation and enforcement
Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?

Yes – the Law on Cybersecurity.

Which cyber activities are criminalised in your jurisdiction?

In Lithuanian criminal jurisprudence, the term ‘cybercrime’ is used in its broadest sense – in other words, to refer to any illegal action involving computer systems or computer networks. Cybercrimes are separated from ordinary crimes on the basis of the technology involved: digitalisation, automation and data transfer networking. Cybercrimes include offences that are impossible without a computer (eg, hacking), as well as offences for which a computer is not usually necessary but may be involved (eg, data theft and distribution of child pornography).

Which authorities are responsible for enforcing cybersecurity rules?

The National Cybersecurity Council and the Communications Regulatory Authority.

Cybersecurity best practice and reporting
Can companies obtain insurance for cybersecurity breaches and is it common to do so?

Companies can obtain insurance for cybersecurity breaches; however, this is uncommon.

Are companies required to keep records of cybercrime threats, attacks and breaches?

No; however, this is recommended.

Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?

Only public administration bodies must report cybercrime threats, attacks and breaches to the relevant authorities. There is no such requirement for other (ie, private) entities.

Are companies required to report cybercrime threats, attacks and breaches publicly?

No; however, it is recommended that companies keep records of cybercrime threats, attacks and breaches.

Criminal sanctions and penalties
What are the potential criminal sanctions for cybercrime?

According to the Code on Administrative Offences, failure to follow the Cybersecurity Law may result in administrative liability. However, if the term ‘cybercrime’ is interpreted in a broader sense, it could be considered a crime “against security of electronic data and information systems”, as set out in the Criminal Code. Accordingly, cybercrime may result in criminal liability, such as community service, fines, restriction of liberty, arrest or imprisonment for up to three years, in accordance with the Criminal Code.

What penalties may be imposed for failure to comply with cybersecurity regulations?

Failure to comply with cybersecurity requirements may trigger liability under the Code on Administrative Offences. The maximum administrative fine for a breach of the Cybersecurity Law is €1,448 (€5,792 for repeated offences). This fine is imposed on the chief executive officer.