Lithuania personal data regulation overview


Since the first machine calculation, computers and the IT industry have had a huge impact on our civilization. Today we can see how IT has altered the way we communicate, entertain ourselves, work and create. It’s even hard to imagine what life would have been like without the Internet and other worldwide networks. The IT industry is all about data and how to use it.

Isn’t it satisfying to make a video call with your friends or to get some groceries with a single touch on your smartphone? However, there are some downsides to such informatization. Confidentiality issues, leakage of private data, cyber threats, and harm that may be caused by wrong data in the wrong hands are just the tip of the iceberg. That’s the reason why governments and international organizations are developing regulations, standards, recommendations, and specialized laws for the most vulnerable and important categories of data.


GDPR and Law on legal protection of personal data

Nowadays it’s not just recommended, it’s already a necessity to provide rules for confidentiality protection to prevent harmful use of personal data. For that reason, there are two main regulations in the scope of data protection in Lithuania.

The first of them is the General Data Protection Regulation (GDPR). GDPR is part of EU legislation and can be directly applied by local authorities. Its main goal is to provide users with full control over their personal information. In addition, it tries to unify the collection, processing, storage, and movement of data across the EU.

The Regulation itself contains principles and basic mechanisms for data processors and controllers. However, it gives no direct instructions or standards. That makes it more adaptable to existing legislation and procedures.

The second regulation is Lithuania’s Law on legal protection of personal data. The purpose of this Law is to ensure a high level of protection of personal data. This law mirrors GDPR principles in a more practical way. Specifically, it covers the formation, functioning, and jurisdiction of the supervisory authority, VDAI (State Data Protection Inspectorate).

In addition, there are a few specialized local personal data protection regulations:

  • Law of the Republic of Lithuania on legal protection of personal data processed for the purposes of prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties, or national security, or defense
  • Republic of Lithuania Law on cyber security
  • Order of the Director of the State Data Protection Inspectorate on the approval of the standard contractual clauses for the data processing agreement

Lithuania data protection authority 

The State Data Protection Inspectorate (VDAI) is Lithuania’s local data privacy supervisory authority. Basically, VDAI should perform two kinds of tasks: those defined by GDPR and those defined by local legislation.

VDAI tasks


Local legislation

  • Monitor and enforce the application of GDPR.
  • Provide advice on data protection.
  • Provide information to any data subject about their rights.
  • Develop methodological guidance on data protection.
  • Handle complaints lodged by data subjects or organizations.
  • Assist data subjects.
  • Conduct investigations on the application of regulations.
  • Cooperate with foreign supervising authorities and data protection organizations.
  • Monitor relevant developments in the field of personal data protection.
  • Form state policy in the field of personal data protection.
  • Encourage the establishment of data protection certification mechanisms.


GDPR violation cases in Lithuania

According to statistics on VDAI’s activity from 2019 to 2021, there were about 57 fines for GDPR violations. According to information provided by VDAI, the size of a fine has no exact limits and can vary dramatically depending on the circumstances. It mostly depends on the type of violations, their number, and the damage done to data subjects. In VDAI decisions, fines have ranged from 3 000 € to 61 500 €.

The jurisdiction of VDAI is not limited to technology or IT companies; it covers all situations in which personal data is used. For example, in 2021 one sports club violated GDPR by unlawfully using clients’ biometric data. As a result, the club had to pay a fine of 20 000 €.

However, the most memorable cases are connected with IT, technology, and online marketing, as in the Luxembourg CNPD investigation of the activity of Amazon EUROPE CORE S.À R.L., where the fine reached 746 million euros.


Role of DPO in your company 

So, what precautions should your company take to avoid unnecessary investigations, fines, and additional difficulties connected with personal data?

The first option is to do it yourself. To make sure that your company is on the right track, you should monitor current legislation and track new trends in privacy. To bring your company’s product or service into compliance with GDPR, it’s useful to have a data map, or some other way of tracking data movement, to find weak spots or potential data breaches.

You should develop procedures and train your whole team for various scenarios of data breaches or data loss. This means not just internal investigation and technical analysis, but also how to inform your customers and supervising authorities about the incident.

The second way is to have a certified DPO (Data Protection Officer) on your team to take care of it. The DPO’s role is to help you create an adequate level of data protection and to ensure that your data policy is working effectively. It is the DPO’s job to help you create all the necessary documentation and policies for personal data processing, as well as to communicate with supervisory authorities.
