1) where personal data are processed by a data controller or a data processor with the registered office in the Republic of Lithuania in the course of their activities, regardless of whether the data are processed in the European Union;

2) where personal data are processed by a data controller established outside the Republic of Lithuania, including diplomatic missions and consular posts of the Republic of Lithuania, and subject to the laws of the Republic of Lithuania by virtue of public international law;

3) where the processing of personal data of data subjects who are in the European Union is carried out by a data controller or a data processor that is established outside the European Union and that has appointed a representative established in the Republic of Lithuania in accordance with Article 27 of Regulation (EU) 2016/679 and where the data processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or related to the monitoring of their behaviour as far as their behaviour takes place within the Union.

1. ‘Direct marketing’ means an activity intended for offering goods or services to individuals by post, telephone, or any other direct means and/or for obtaining their opinion about the offered goods or services.

2. ‘Government institutions and agencies’ means state and municipal institutions and agencies, enterprises and establishments funded from the state or municipal budgets and state monetary funds and authorised, in accordance with the procedure established by the Law of the Republic of Lithuania on Public Administration, to perform public administration, or in charge of providing persons with public or administrative services or performing other public functions.

3. Other definitions used in this Law shall be interpreted as they are defined in Regulation (EU) 2016/679.

1. A personal number may be processed where at least one of the conditions for the lawfulness of the processing of personal data referred to in Article 6(1) of Regulation (EU) 2016/679 applies.

2. A personal number may not be made public.

3. A personal number may not be processed for direct marketing purposes.

1. Processing of personal data on convictions and criminal offences of an employee or a candidate applying for or a position or job functions shall be prohibited, with the exception of the cases where such processing is necessary in order to verify whether an individual meets the requirements provided for by laws and implementing legal acts for holding the position or performing the job functions.

2. In respect of personal data on qualifications, professional skills, and professional qualities of a candidate applying for a position or job functions, a data controller may collect such data from a previous employer upon a prior notice to the candidate, and from the current employer only upon the candidate’s consent.

3. When video and/or audio data is processed at a workplace and when personal data relating to the monitoring of the conduct, location, or movement of employees is processed on the premises or territories of a data controller where its employees work, the employees must be informed against signature of such processing of their personal data or be informed thereof by any other means that enable the data controller to prove the fact of information and must be provided with the information referred to in Article 13(1) and Article 13(2) of Regulation (EU) 2016/679.

4. The provisions of this Article shall also apply to the processing of personal data of persons employed on the basis of legal relations equivalent to the employment relations specified in the Law of the Republic of Lithuania on Employment and to the processing of personal data of candidates applying for employment on the said basis.

1. The State Data Protection Inspectorate shall monitor and ensure the application of Regulation (EU) 2016/679 and this Law, with the exception of the Articles of this Law the application whereof, pursuant to paragraph 2 of this Article, falls within the remit of the Inspector of Journalist Ethics.

2. The Inspector of Journalist Ethics shall monitor and ensure the application of Regulation (EU) 2016/679 and this Law for the processing of personal data for journalistic purposes and for the purposes of academic, artistic or literary self-expression. The Inspector of Journalist Ethics shall perform the tasks and exercise the powers of the supervisory authority specified in Regulation (EU) 2016/679. Points (j) to (l) and (n) to (t) of Article 57(1), points (b) and (c) of Article 58(1), points (e), (g), (h), and (j) of Article 58(2) and points (a), (c) and (e) to (j) of Article 58(3) of Regulation (EU) 2016/679 shall not apply to the Inspector of Journalist Ethics.

3. The State Data Protection Inspectorate shall represent the supervisory authorities in charge of monitoring the application of Regulation (EU) 2016/679 in the European Data Protection Board established by this Regulation.

4. In order to ensure compliance with the consistency mechanism referred to in Article 63 of Regulation (EU) 2016/679, the supervisory authorities shall cooperate with each other when dealing with matters that fall within the remit of the Inspector of Journalist Ethics under paragraph 2 of this Article. 

1. The State Data Protection Inspectorate shall be an agency of the Government of the Republic of Lithuania. Its administrative structure and strategic and annual action plans shall be approved by the Director of the State Data Protection Inspectorate.

2. Activities of the State Data Protection Inspectorate in the discharge of its functions shall be based on the principles of lawfulness, impartiality, publicity and professionalism. The State Data Protection Inspectorate shall be independent in performing the tasks of the supervisory authority specified in Regulation (EU) 2016/679 and in performing the functions assigned to it by this Law, as well as in taking decisions on the performance thereof. Its rights may be restricted solely by laws.

3. No state and municipal institutions or agencies, members of the Seimas of the Republic of Lithuania or other officials, political parties, political organisations, associations, or other legal and natural persons shall have the right to exert any political, economic, psychological or social pressure or make other undue impact on the State Data Protection Inspectorate, its Director, civil servants, and employees working under employment contracts.  Interference with the activities of the State Data Protection Inspectorate shall entail liability established by law.

1. The head of the Sate Data Protection Inspectorate shall be a Director.

2. A citizen of the Republic of Lithuania of good repute, who holds a bachelor’s and a master’s degree in law, or a lawyer’s professional qualification degree (one-cycle university education in law) with a record of at least ten years of employment in the legal profession or the legal education profession and who meets the requirements specified in Article 53(2) of Regulation (EU) 2016/679 may be appointed as the Director of the State Data Protection Inspectorate.

3. The Director of the State Data Protection Inspectorate shall be a civil servant and head of the agency. The Director of the State Data Protection Inspectorate shall be accountable to the Government and the Minister of Justice of the Republic of Lithuania.

4. The Director of the State Data Protection Inspectorate must suspend any membership of a political party for the duration of the Director’s term of office.

5. The Director of the State Data Protection Inspectorate shall be dismissed from office in the following cases:

1. The Director of the State Data Protection Inspectorate shall have one or several deputies.

2. The Deputy Director(s) of the State Data Protection Inspectorate shall meet the requirements for the Director of the State Data Protection Inspectorate provided for in Article 9(2) and Article 9(4) of this Law.

3. The Deputy Director of the State Data Protection Inspectorate shall be employed and dismissed by the Director of the State Data Protection Inspectorate in accordance with the procedure established by the Law on Public Service.

1. The State Data Protection Inspectorate shall perform the tasks of the supervisory authority specified in Regulation (EU) 2016/679.

2. The State Data Protection Inspectorate shall also perform the following functions:

1. The State Data Protection Inspectorate shall enjoy the powers of the supervisory authority specified in Regulation (EU) 2016/679.

2. The State Data Protection Inspectorate shall also have the right to the following:

3. Where the State Data Protection Inspectorate has grounds to believe, in the course of handling a complaint, that a decision of the European Commission on adequacy, on adoption of standard data protection clauses, or on universal validity of approved codes of conduct is unlawful and the decision of the State Data Protection Inspectorate depends on the validity of this decision of the European Commission, the State Data Protection Inspectorate shall suspend the handling of the complaint and apply to the Supreme Administrative Court of Lithuania, in accordance with the procedure established by the Law of the Republic of Lithuania on Administrative Proceedings, requesting the latter to apply to the competent judicial authority of the European Union regarding the decision of the European Commission on adequacy, on adoption of standard data protection clauses, or on universal validity of approved codes of conduct. Where the Supreme Administrative Court of Lithuania has reason to believe, in the course of examining a request of the State Data Protection Inspectorate, that a decision of the European Commission on adequacy, on adoption of standard data protection clauses, or on universal validity of approved codes of conduct is unlawful, the Supreme Administrative Court of Lithuania shall decide to apply to a competent judicial authority of the European Union requesting it to adopt a preliminary ruling pursuant to Article 267 of the Treaty on the Functioning of the European Union (OJ 2016 C 202, p. 47).

4. When conducting own-initiative investigations and/or inspections and handing complaints, the State Data Protection Inspectorate shall also enjoy the rights and powers of the State Data Protection Inspectorate established in the Code of Administrative Offences of the Republic of Lithuania.

1. The State Data Protection Inspectorate must, in accordance with Article 46(3) of Regulation (EU) 2016/679, issue to a data controller an authorisation for transfer of personal data to a third country or an international organisation or give a reasoned written refusal to issue such authorisation to a data controller no later than within 20 working days. This deadline shall be calculated from the day of receipt by the State Data Protection Inspectorate of all the documents and information necessary for obtaining an authorisation.

2. Due to the complexity of circumstances, the scope of information, or other important objective reasons, the deadline, referred to in paragraph 1 of this Article, for issuing an authorisation for transfer of personal data to a third country or an international organisation may be extended once for a period of up to 10 working days. Having decided to extend the deadline referred to in paragraph 1 of this Article, the State Data Protection Inspectorate must, immediately, but no later than before the expiry of the deadline referred to in paragraph 1 of this Article, notify the data controller of the extension of the deadline for issuing the authorisation and the reasons for such an extension.

3. The procedure for issuing authorisations for transfer of personal data to third countries or international organisations shall be established by the State Data Protection Inspectorate.

1. Certification bodies shall be accredited in accordance with Article 43 of Regulation (EU) 2016/679 and the procedure for accreditation and issuing of accreditation certificates shall be established by the State Data Protection Inspectorate.

2. Certification bodies wishing to be accredited shall cover the costs of accreditation at the rates approved in accordance with the procedure established by the Government.

1. A person under inspection, where the State Data Protection Inspectorate conducts an own-initiative investigation and/or inspection, a complainant and a complainee, where the supervisory authority handles a complaint, and a person suspected of infringement, where the procedure of imposing an administrative fine is launched, shall have the rights and obligations specified in Regulation (EU) 2016/679 and this Law.

2. A person under inspection, a complainant, a complainee, and a person suspected of infringement shall also have the right to the following:

3. The persons referred to in paragraph 1 of this Article shall be considered to have been duly informed and duly notified where, in the cases referred to in this Chapter, the supervisory authority sends decisions, notifications, other documents and information to these persons at their registered office address indicated in the Register of Legal Entities of the Republic of Lithuania or at their residential address  indicated in the Population Register of the Republic of Lithuania, except for the cases where the person indicates another correspondence address, or at the person’s e-delivery address indicated in the Register of Legal Entities or the Population Register.

1. In the course of examining an infringement, the supervisory authority, having decided to enter the residential premises of a natural person, including those rented or used on other grounds, shall submit to Vilnius Regional Administrative Court an application for a court authorisation for entering the residential premises of the natural person.

2. An application for a court authorisation for entering the residential premises of a natural person shall indicate the first name and surname of the natural person, the address of the residential premises, the nature of the alleged infringement, and the action to be taken.

3. Having examined an application for a court authorisation for entering the residential premises of a natural person, Vilnius Regional Administrative Court shall adopt a reasoned ruling to grant an authorisation or reject the application.

4. The application for a court authorisation for entering the premises of a natural person shall be examined and the ruling shall be adopted no later than within 72 hours from the submission of the application.

5. Where the supervisory authority disagrees with a ruling of Vilnius Regional Administrative Court to reject the application for a court authorisation for entering the residential premises of a natural person, the supervisory authority shall have the right to appeal against the ruling to the Supreme Administrative Court of Lithuania within seven calendar days from the day of adoption of the ruling.

6. The Supreme Administrative Court of Lithuania must examine the appeal of the supervisory authority against the ruling of Vilnius Regional Administrative Court no later than within seven calendar days from the day of receipt of the appeal. A representative of the supervisory authority shall have the right to attend the appeal proceedings.

7. The ruling of the Supreme Administrative Court of Lithuania on the appeal of the supervisory authority against the ruling of Vilnius Regional Administrative Court shall be final and not subject to appeal.

1. The State Data Protection Inspectorate may, on its own initiative, launch an investigation and/or inspection on any matter relating to a possible infringement of Regulation (EU) 2016/679, this Law, and other laws regulating the protection of personal data and/or privacy.

2. An investigation and/or inspection on the initiative of the State Data Protection Inspectorate may be launched on the basis of the information on the protection of personal data and/or privacy provided by members of society, government institutions and agencies, foreign personal data protection supervisory authorities, international organisations, national and international non-governmental organisations, the media and other sources. The State Data Protection Inspectorate may launch an investigation and/or inspection on its own initiative without reference to any information provided by other sources.

3. The State Data Protection Inspectorate shall, on its own initiative, conduct investigations and/or inspections in relation to a possible infringement of Regulation (EU) 2016/679, this Law, and other laws regulating the protection of personal data and/or privacy in accordance with the procedure established by these legal acts and the State Data Protection Inspectorate.

4. Where investigations and/or inspections are conducted on the initiative of the State Data Protection Inspectorate in compliance with Article 60 of Regulation (EU) 2016/679, Article 21 of this Law shall not apply.

1. The duration of an investigation and/or inspection on the initiative of the State Data Protection Inspectorate shall not exceed four months from the day of the decision to launch the investigation and/or inspection.

2. Taking into account the complexity of an investigation and/or inspection, the nature of activities of the person under inspection, the scope of an investigation and/or inspection, the avoidance by the person under inspection and other legal or natural persons to comply with the requirements of the State Data Protection Inspectorate, as well new circumstances, or other objective reasons discovered during the investigation and/or inspection, the duration specified in paragraph 1 of this Article may be extended for up to two months by a decision of the State Data Protection Inspectorate. The overall duration of an investigation and/or inspection on the initiative of the State Data Protection Inspectorate may not exceed six months from the day of taking the decision to launch the investigation and/or inspection. The State Data Protection Inspectorate must notify the person under inspection of the extension of the duration of the investigation and/or inspection and the reasons for the extension thereof immediately but no later than before the expiry of the duration referred to in paragraph 1 of this Article.

1. Having completed an own-initiative investigation and/or inspection, the State Data Protection Inspectorate may, on a reasoned basis, decide to do the following:

2. The State Data Protection Inspectorate shall, no later than within three working days from the adoption of the decision, notify the person under inspection thereof in writing, with the exception of the case referred to in Article 22(1)(2) of this Law, where an administrative fine is to be imposed.

3. Judicial remedy may be sought against the decisions of the State Data Protection Inspectorate in accordance with the procedure established by the Law on Administrative Procedure.

1. The supervisory authority shall handle complaints regarding infringements of Regulation (EU) 2016/679, this Law, and other laws on the protection of personal data and/or privacy in accordance with the procedure established by these legal acts and the supervisory authority.

2. Where the handling of a complaint is based on Article 60 of Regulation (EU) 2016/679, Article 30(2) of this Law shall not apply.

1. A complaint may be lodged with the State Data Protection Inspectorate by the following complainants:

2. A complaint in respect of infringements of Regulation (EU) 2016/679 may be lodged with the Inspector of Journalist Ethics by the data subject referred to in Article 77(1) of Regulation (EU) 2016/679.

3. A written complaint may be lodged with the supervisory authority in person, by post, or by electronic means.

4. Where a complaint is lodged by the representative of a complainant, the complaint shall be accompanied by a document confirming the powers of the representative. Where a complaint is lodged on behalf of the complainant referred to in Article 24(1)(1), Article 24(1)(2), or Article 24(2) of this Law by a non-profit body, organisation or association in accordance with Article 80(1) of Regulation (EU) 2016/679 or the laws regulating the protection of personal data and/or privacy, the complaint must be accompanied by documents confirming that this body, organisation, or association is active in the field of protection of personal data. 

5. A complaint shall contain the following information:

6. A complaint shall be accompanied by the documents or a description thereof necessary for the handling of the complaint.

1. The supervisory authority shall refuse to handle a complaint or a part thereof and shall notify the complainant thereof no later than within five working days from the day of receipt of the complaint at the supervisory authority, and explain the grounds for the refusal, where the following circumstances exist:

2. Where the investigation of the circumstances or part thereof specified in the complaint is outside the remit of the supervisory authority, it shall, within the deadline referred to in paragraph 1 of this Article, refer the complaint or a part thereof to the competent authority and notify the complainant thereof. Where the competent authority is a court, the complaint or a part thereof shall be returned to the complainant notifying the latter of where to apply.

1. A request of the supervisory authority to a complainant to submit additional documents and/or information necessary for the handling of the complaint or a part thereof must be reasoned. The complainant shall be informed about the consequences of the failure to submit additional documents and/or information.

2. At the request of the supervisory authority, the complainant must submit additional documents and information necessary for the handling of the complaint or a part thereof within the deadline specified by the supervisory authority, but no later than within 10 working days from the day of receipt of the request.

1. The supervisory authority shall decide to discontinue the handing of a complaint or a part thereof where the following circumstances emerge in the course of the complaint proceedings:

2. The complainant shall be notified of the termination of the complaint proceedings no later than within three working days from the adoption of the decision referred to in Article 29(1) of this Law, except for the case referred to in Article 29(1)(5) of this Law.

1. The supervisory authority shall notify a complainant of the results or progress of handling a complaint where the complaint or a part thereof have not been examined no later than within three months from the day of receipt of the complaint by the supervisory authority.

2. A complaint or a part thereof must be handled and a reply must be sent to the complainant within four months from the day of receipt of the complaint by the supervisory authority, except for the cases where it is necessary to extend the handling of the complaint or a part thereof due to the complexity of the circumstances indicated in the complaint or part thereof or discovered during the handing, the scope of information, avoidance to comply, by the complainee and other legal or natural persons, with the requirements of the supervisory authority, the continuous nature of the actions subject to complaint or other objective reasons. In such cases, the deadline for handling a complaint or a part thereof shall be extended, but for no longer than two months. The total duration of handling a complaint or a part thereof may not exceed six months from the day of receipt of the complaint by the supervisory authority. The complainant shall be notified of the extension of the deadline for handing the complaint or a part thereof and of the reasons for the extension. A complaint or a part thereof must be handled within the shortest possible period.

1. Upon completing the examination of a complaint or a part thereof, the supervisory authority may, on a reasoned basis, decide to do the following:

2. Where a complaint or a part thereof is recognised as well founded, the State Data Protection Inspectorate shall, on a reasoned basis, take the following steps:

3. Where a complaint or a part thereof is recognised as well founded, the Inspector of Journalist Ethics shall give reasoned instructions or recommendations to the data controller and/or the data processor and/or apply other measures referred to in Article 58(2) of Regulation (EU) 2016/679 and Article 33 of this Law. Where an administrative fine is to be imposed, the action referred to in Section Four of this Chapter shall be taken;

4. The supervisory authority shall, no later than within three working days from the adoption of the decision, notify the complainant and the complainee thereof in writing, with the exception of the cases referred to in Article 31(2)(1) and Article 31(3) of this Law where an administrative fine is to be imposed.

5. Judicial remedy may be sought against the decisions of the supervisory authority in accordance with the procedure established by the Law on Administrative Proceedings.

1. The supervisory authority shall impose administrative fines for infringements of Regulation (EU) 2016/679 and this Law in accordance with Regulation (EU) 2016/679 and this Law.

2. Administrative fines shall be imposed, within remit, by the Director of the State Data Protection Inspectorate or the Inspector of Journalist Ethics or a person authorised by them.

3. A decision on the imposition of an administrative fine may be adopted within no more than two years from the day of the commission of an infringement or from the day of the discovery of an infringement where the infringement is continuous.

1. For infringement of provisions of Article 83(4)(a), Article 83(4)(b), and Article 83(4)(c) of Regulation (EU) 2016/679, the supervisory authority shall have the right to impose an administrative fine on a government institution or agency in the amount of up to 0.5 per cent of the latter’s budget of the current year and of other annual gross income received during the preceding year, but not exceeding EUR 30,000.

2. For infringement of provisions of Articles 83(5)(a) to 83(5)(e) or Article 83(6) of Regulation (EU) 2016/679, the supervisory authority shall have the right to impose an administrative fine on a government institution or agency in the amount of up to 1 per cent of the latter’s budget of the current year and of other annual gross income received during the preceding year, but not exceeding EUR 60,000.

3. For infringement of provisions of Regulation (EU) 2016/679 by a government institution or agency engaged in economic and commercial activities, the supervisory authority shall have the right to impose an administrative fine referred to in Articles 83(4), 83(5), and 83(6) of Regulation (EU) 2016/679.

1. The supervisory authority shall send a document containing a proposal to impose an administrative fine to the person suspected of infringement. The person suspected of infringement shall be offered, within the deadline established by the supervisory authority, which may not be shorter than 10 working days from the day of receipt of this document, to submit written explanations concerning the circumstances provided in the document, except for the cases where these explanations have already been obtained in the course of investigation and/or inspection or in the course of handling of the complaint; to provide information relevant to imposing the administrative fine; and to express an opinion on the hearing of the case under an oral procedure. Failure to provide explanations and other information within the deadline referred to in this paragraph shall not prevent the supervisory authority from considering the imposition of an administrative fine.

2. When ready to consider a case, the supervisory authority shall normally do it under a written procedure based on the explanations submitted. Where a case is considered under a written procedure, no hearing shall be held.

3. Due to the complexity of circumstances or other important factors, the supervisory authority may, at the request of the person suspected of infringement or on its own initiative, decide to hear a case under an oral procedure, where it is necessary to hear oral explanations of the person suspected of infringement or in other instances where a case may be better heard under an oral procedure. Where a case is heard under an oral procedure, the person suspected of infringement, the complainant and other interested persons must be notified of the venue, date, and time of the hearing at least 10 working days prior to the day of the hearing.

4. The person suspected of infringement and other persons whose attendance is required for the proper hearing of the case may attend the hearing and provide explanations.

5. Failure by the person suspected of infringement or the representative thereof to attend shall not prevent the hearing of the case if the person suspected of infringement has been duly informed of the hearing and has not provided any evidence of being unable to attend for serious reasons.

6. The hearing shall be public, except for the cases where the supervisory authority, on its own initiative or at the request of the person suspected of infringement and/or the complainant, decides to hold a closed hearing with a view to protecting state, official, professional and commercial secrets or other secrets protected by law or with a view to ensuring the person’s right to privacy and/or protection of personal data.

7. The hearing shall be held in the Lithuanian language.

8. The hearing shall be audio recorded. The audio recording shall be deemed the minutes of the hearing.

9. Where a case is considered under a written procedure, the supervisory authority shall take a decision on the imposition of an administrative fine within 20 working days from the expiry of the deadline set by the supervisory authority in the document referred to in paragraph 1 of this Article. Where a case is heard under an oral procedure, the supervisory authority shall take a decision on the imposition of an administrative fine within 20 working days from the day of the hearing. The supervisory authority shall send the decision on the imposition of an administrative fine to the complainant and to the person in respect whereof the decision has been taken no later than within three working days from the day of adoption of the decision.  

10. The decision of the supervisory authority on the imposition of an administrative fine must be reasoned. The decision must specify the following:

11. Judicial remedy may be sought against the decision of the supervisory authority on the imposition of an administrative fine in accordance with the procedure established by the Law on Administrative Proceedings.

1. The decision of the supervisory authority on the imposition of an administrative fine must be executed no later than within three months from the day of its dispatch or delivery to the person on whom the administrative fine has been imposed. In the event where judicial remedy is sought against the decision of the supervisory authority on the imposition of an administrative fine, the decision must be executed no later than within three months from the entry into force of the court decision. The administrative fine must be paid into the state budget.

2. The decision of the supervisory authority on the imposition of an administrative fine shall be an enforceable document to be executed in accordance with the procedure established by the Code of Civil Procedure of the Republic of Lithuania. It may be been filed for execution no later than within three years after its adoption.

I promulgate this Law passed by the Seimas of the Republic of Lithuania.

PRESIDENT OF THE REPUBLIC                                                       ALGIRDAS BRAZAUSKAS

Annex to

the Law of the Republic of Lithuania on Legal Protection of Personal Data

1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1).