By Renata Vasiliauskienė

Firm: Cobalt 

In the past year, the Lithuanian data protection authority has imposed its first fine for breach of the GDPR and released a list of planned compliance inspections for 2019. It has issued guidance on when a privacy impact assessment will be required.

On 16 May 2019, the first fine for a breach of the GDPR imposed by the Lithuanian State Data Protection Inspectorate was announced. A fine of EUR 61,500 was imposed on the electronic money institution MisterTango. The investigation proved that the company had breached three GDPR articles: the data minimisation principle, lack of security measures and failure to inform the DPA about a data security incident.

The company denies the alleged violations, specifically the failure to notify the DPA, stating that the obligation to notify was not breached, as the personal data incident was unlikely to result in risk to the rights and freedoms of individuals. It was reported that the data incident lasted two days, during which approximately 50 clients’ data was freely accessible from outside the company. However, according to the company no actual data leakage occurred. Nevertheless the DPA decided that it should have been notified. The company intends to appeal the decision to the national courts.

On 16 July 2018 the Law on Legal Protection of Personal Data was adopted. This law provides some basic rules for the use of individuals’ personal codes (national ID numbers) and for processing employee personal data. For example, it provides that it is forbidden to process candidate’s criminal record unless specifically prescribed by laws. In addition, the Lithuanian DPA has adopted an order specifying the data processing operations that require a privacy impact assessment. They include, for example, cases when telephone conversations are recorded, CCTV monitoring of public spaces occurs and when children’s data is processed for direct marketing purposes.

The GDPR is getting a lot of attention in the Lithuanian media, especially the interest can be observed among the business communities in the larger Lithuanian cities. In comparison, GDPR compliance in smaller towns as well as state and governmental institutions is still not adequate. Nevertheless, the Lithuanian DPA is quite active and supportive. In January, a list of planned inspections was made public announcing the names of 75 organisations that will face GDPR compliance inspections in 2019. After the investigations are completed, DPA usually provides its recommendations regarding the most common compliance failures.