Privacy Law in Lithuania
Lithuania's data protection framework is primarily governed by the General Data Protection Regulation (GDPR), enforced since 25 May 2018, alongside the Law on Legal Protection of Personal Data (2018), which supplements the GDPR with nation-specific provisions.
Key Provisions of Lithuania's Data Protection Legislation
1. Legislative Framework
General Data Protection Regulation (GDPR): As an EU member state, Lithuania enforces the GDPR, ensuring harmonized data protection standards across the EU.
Law on Legal Protection of Personal Data: This national law complements the GDPR by establishing specific local rules, particularly in employment contexts, processing of personal codes, and procedural guidelines for supervisory authorities.
Law on Electronic Communications: Aligns with the EU's ePrivacy Directive, regulating the use of cookies, marketing communications, and the security of electronic communications networks and services.
Sector-Specific Legislation: Includes the Digital Services Act, Digital Markets Act, and the Law Enforcement Directive, which are transposed into Lithuanian law and apply to specific data processing activities.
2. Supervisory Authorities
State Data Protection Inspectorate (SDPI): The primary authority overseeing data protection compliance.
Office of the Inspector for Journalist Ethics: Handles data protection matters related to journalistic, academic, artistic, or literary expression.
3. Key Principles of Data Processing
Lawfulness, Fairness, and Transparency: Data must be processed lawfully, fairly, and transparently.
Purpose Limitation: Data should be collected for specified, legitimate purposes and not further processed in a manner incompatible with those purposes.
Data Minimization: Only data necessary for the intended purposes should be collected.
Accuracy: Data must be accurate and, where necessary, kept up to date.
Storage Limitation: Data should be kept in a form that permits identification of data subjects for no longer than necessary.
Integrity and Confidentiality: Data must be processed securely, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
Accountability: The controller is responsible for, and must be able to demonstrate, compliance with these principles.
4. Rights of Data Subjects
Right to Access: Individuals have the right to obtain confirmation as to whether their personal data is being processed and, if so, access to the data.
Right to Rectification: Individuals can request the correction of inaccurate personal data.
Right to Erasure ("Right to be Forgotten"): Under certain conditions, individuals can request the deletion of their personal data.
Right to Restrict Processing: Individuals can request the limitation of processing under specific circumstances.
Right to Data Portability: Individuals can receive their personal data in a structured, commonly used, and machine-readable format and transmit it to another controller.
Right to Object: Individuals can object to the processing of their personal data on grounds relating to their particular situation.
Rights Related to Automated Decision-Making: Individuals have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects concerning them.
5. Children's Personal Data
In Lithuania, the age of digital consent is set at 14. Children aged 14 or older can provide their own consent for the processing of personal data in relation to information society services. For children under 14, consent must be obtained from or authorized by the holder of parental responsibility. Controllers must make reasonable efforts to verify that consent has been given or authorized by the holder of parental responsibility.
6. Data Protection Officer (DPO)
The appointment of a DPO is mandatory in certain circumstances, including:
Processing carried out by a public authority or body, except for courts acting in their judicial capacity.
Core activities of the controller or processor consist of processing operations which, by virtue of their nature, scope, and/or purposes, require regular and systematic monitoring of data subjects on a large scale.
Core activities consist of processing special categories of data or data relating to criminal convictions and offenses.
Where a DPO is appointed, their contact details must be provided to data subjects, typically through a privacy notice.
7. Data Protection Impact Assessment (DPIA)
A DPIA is required when processing is likely to result in a high risk to the rights and freedoms of individuals. This assessment helps identify and mitigate risks associated with data processing activities.
8. Cross-Border Data Transfers
Transfers of personal data outside the European Economic Area (EEA) are permitted under specific conditions, including:
The receiving country ensures an adequate level of data protection.
Appropriate safeguards are in place, such as standard contractual clauses.
The data subject has provided explicit consent.
9. Penalties for Non-Compliance
Violations of data protection laws can result in administrative fines up to €20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Additionally, as of 1 July 2024, amendments to the Data Protection Law introduced stricter procedural requirements for data subjects to submit complaints and for supervisory authorities to publish decisions on infringements.
✅ Compliance Recommendations for Organizations in Lithuania
Organizations operating in Lithuania should:
Conduct Regular Audits: Regularly review data processing activities to ensure compliance with GDPR and national law.
Appoint a DPO: Designate a Data Protection Officer where required and ensure their contact details are accessible to