REPUBLIC OF LITHUANIA
LAW

ON LEGAL PROTECTION OF PERSONAL DATA

 

11 June 1996 No I-1374

Vilnius

(As last amended on 11 November 2021 – No XIV-640)

 

 

Note from the Register of Legal Acts. Since the entry into force of Law No XIII-1426 of 16 July 2018, references made in laws and other legal acts of the Republic of Lithuania to the Law of the Republic of Lithuania on Legal Protection of Personal Data shall be construed as references to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)(hereinafter: ‘Regulation (EU) 2016/679’) and, where applicable, as references to the Law on Legal Protection of Personal Data.

 

CHAPTER I

GENERAL PROVISIONS

 

Article 1. Purpose and scope of the Law

1. The purpose of this Law shall be to protect the fundamental rights and freedoms of individuals, in particular their right to the protection of personal data, and to ensure a high level of protection of personal data.

 

2. This Law shall establish the specific aspects of processing of personal data, the legal status and powers of the State Data Protection Inspectorate, the powers of the Inspector of Journalist Ethics, the procedure for examining infringements of legal acts regulating the protection of personal data and/or privacy (hereinafter: ‘infringements’) and the procedure for imposing administrative fines by the State Data Protection Inspectorate and the Inspector of Journalist Ethics (hereinafter collectively: ‘supervisory authority’ or ‘supervisory authorities’).

 

3. This Law shall apply in conjunction with Regulation (EU) 2016/679 and its implementing legislation.

 

4. This Law shall apply in the following cases:

1) where personal data are processed by a data controller or a data processor with the registered office in the Republic of Lithuania in the course of their activities, regardless of whether the data are processed in the European Union;

2) where personal data are processed by a data controller established outside the Republic of Lithuania, including diplomatic missions and consular posts of the Republic of Lithuania, and subject to the laws of the Republic of Lithuania by virtue of public international law;

3) where the processing of personal data of data subjects who are in the European Union is carried out by a data controller or a data processor that is established outside the European Union and that has appointed a representative established in the Republic of Lithuania in accordance with Article 27 of Regulation (EU) 2016/679 and where the data processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or related to the monitoring of their behaviour as far as their behaviour takes place within the Union.

 

5. This Law shall implement the legal acts of the European Union listed in the Annex to this Law.

 

Article 2. Definitions

1. ‘Direct marketing’ means an activity intended for offering goods or services to individuals by post, telephone, or any other direct means and/or for obtaining their opinion about the offered goods or services.

 

2. ‘Government institutions and agencies’ means state and municipal institutions and agencies, enterprises and establishments funded from the state or municipal budgets and state monetary funds and authorised, in accordance with the procedure established by the Law of the Republic of Lithuania on Public Administration, to perform public administration, or in charge of providing persons with public or administrative services or performing other public functions.

 

3. Other definitions used in this Law shall be interpreted as they are defined in Regulation (EU) 2016/679.

 

CHAPTER II

SPECIFIC ASPECTS OF THE PROCESSING OF PERSONAL DATA

 

Article 3. Specific aspects of the processing of a personal number

1. A personal number may be processed where at least one of the conditions for the lawfulness of the processing of personal data referred to in Article 6(1) of Regulation (EU) 2016/679 applies.

 

2. A personal number may not be made public.

 

3. A personal number may not be processed for direct marketing purposes.

 

Article 4. Processing of personal data and freedom of expression and information

Articles 8, 12 to 23, 25, 30, 33 to 39, 41 to 50, and 88 to 91 of Regulation (EU) 2016/679 shall not apply to the processing of personal data for journalistic purposes or for the purposes of academic, artistic or literary expression.

 

Article 5. Specific aspects of the processing of personal data in the context of employment

1. Processing of personal data on convictions and criminal offences of an employee or a candidate applying for or a position or job functions shall be prohibited, with the exception of the cases where such processing is necessary in order to verify whether an individual meets the requirements provided for by laws and implementing legal acts for holding the position or performing the job functions.

 

2. In respect of personal data on qualifications, professional skills, and professional qualities of a candidate applying for a position or job functions, a data controller may collect such data from a previous employer upon a prior notice to the candidate, and from the current employer only upon the candidate’s consent.

 

3. When video and/or audio data is processed at a workplace and when personal data relating to the monitoring of the conduct, location, or movement of employees is processed on the premises or territories of a data controller where its employees work, the employees must be informed against signature of such processing of their personal data or be informed thereof by any other means that enable the data controller to prove the fact of information and must be provided with the information referred to in Article 13(1) and Article 13(2) of Regulation (EU) 2016/679.

 

4. The provisions of this Article shall also apply to the processing of personal data of persons employed on the basis of legal relations equivalent to the employment relations specified in the Law of the Republic of Lithuania on Employment and to the processing of personal data of candidates applying for employment on the said basis.

 

Article 6. Child’s age and consent in relation to information society services

Where information society services are offered directly to a child, the processing of the personal data of the child shall be lawful only provided the child is at least 14 years of age and gives consent to such processing pursuant to Article 6(1)(a) of Regulation (EU) 2016/679.

 

CHAPTER III

SUPERVISORY AUTHORITIES

 

Article 7. Supervision of the application of Regulation (EU) 2016/679 and this Law

1. The State Data Protection Inspectorate shall monitor and ensure the application of Regulation (EU) 2016/679 and this Law, with the exception of the Articles of this Law the application whereof, pursuant to paragraph 2 of this Article, falls within the remit of the Inspector of Journalist Ethics.

 

2. The Inspector of Journalist Ethics shall monitor and ensure the application of Regulation (EU) 2016/679 and this Law for the processing of personal data for journalistic purposes and for the purposes of academic, artistic or literary self-expression. The Inspector of Journalist Ethics shall perform the tasks and exercise the powers of the supervisory authority specified in Regulation (EU) 2016/679. Points (j) to (l) and (n) to (t) of Article 57(1), points (b) and (c) of Article 58(1), points (e), (g), (h), and (j) of Article 58(2) and points (a), (c) and (e) to (j) of Article 58(3) of Regulation (EU) 2016/679 shall not apply to the Inspector of Journalist Ethics.

 

3. The State Data Protection Inspectorate shall represent the supervisory authorities in charge of monitoring the application of Regulation (EU) 2016/679 in the European Data Protection Board established by this Regulation.

 

4. In order to ensure compliance with the consistency mechanism referred to in Article 63 of Regulation (EU) 2016/679, the supervisory authorities shall cooperate with each other when dealing with matters that fall within the remit of the Inspector of Journalist Ethics under paragraph 2 of this Article. 

 

Article 8. Status and operating principles of the State Data Protection Inspectorate

1. The State Data Protection Inspectorate shall be an agency of the Government of the Republic of Lithuania. Its administrative structure and strategic and annual action plans shall be approved by the Director of the State Data Protection Inspectorate.

 

2. Activities of the State Data Protection Inspectorate in the discharge of its functions shall be based on the principles of lawfulness, impartiality, publicity and professionalism. The State Data Protection Inspectorate shall be independent in performing the tasks of the supervisory authority specified in Regulation (EU) 2016/679 and in performing the functions assigned to it by this Law, as well as in taking decisions on the performance thereof. Its rights may be restricted solely by laws.

 

3. No state and municipal institutions or agencies, members of the Seimas of the Republic of Lithuania or other officials, political parties, political organisations, associations, or other legal and natural persons shall have the right to exert any political, economic, psychological or social pressure or make other undue impact on the State Data Protection Inspectorate, its Director, civil servants, and employees working under employment contracts.  Interference with the activities of the State Data Protection Inspectorate shall entail liability established by law.

 

Article 9. Director of the State Data Protection Inspectorate

1. The head of the Sate Data Protection Inspectorate shall be a Director.

 

2. A citizen of the Republic of Lithuania of good repute, who holds a bachelor’s and a master’s degree in law, or a lawyer’s professional qualification degree (one-cycle university education in law) with a record of at least ten years of employment in the legal profession or the legal education profession and who meets the requirements specified in Article 53(2) of Regulation (EU) 2016/679 may be appointed as the Director of the State Data Protection Inspectorate.

 

3. The Director of the State Data Protection Inspectorate shall be a civil servant and head of the agency. The Director of the State Data Protection Inspectorate shall be accountable to the Government and the Minister of Justice of the Republic of Lithuania.

 

4. The Director of the State Data Protection Inspectorate must suspend any membership of a political party for the duration of the Director’s term of office.

 

5. The Director of the State Data Protection Inspectorate shall be dismissed from office in the following cases:

1) at Director’s dismissal request;

2) upon the expiry of the term of office;

3) where the Director has been found guilty of a serious misconduct;

4) where the Director no longer meets the requirements specified in paragraphs 2 and 4 of this Article;

5) where the Director reaches the age of 65.

 

Article 10. Deputy Director(s) of the State Data Protection Inspectorate

1. The Director of the State Data Protection Inspectorate shall have one or several deputies.

 

2. The Deputy Director(s) of the State Data Protection Inspectorate shall meet the requirements for the Director of the State Data Protection Inspectorate provided for in Article 9(2) and Article 9(4) of this Law.

 

3. The Deputy Director of the State Data Protection Inspectorate shall be employed and dismissed by the Director of the State Data Protection Inspectorate in accordance with the procedure established by the Law on Public Service.

 

Article 11. Tasks and functions of the State Data Protection Inspectorate

1. The State Data Protection Inspectorate shall perform the tasks of the supervisory authority specified in Regulation (EU) 2016/679.

 

2. The State Data Protection Inspectorate shall also perform the following functions:

1) provide consultations to data subjects, data controllers, and data processors on the protection of personal data and privacy, as well as produce methodological recommendations on the protection of personal data and publish them on its website.

2) repealed as of 14 November 2019.

3) cooperate with foreign personal data protection supervisory authorities, European Union institutions, agencies and international organisations and participate in their activities;

4) engage in the shaping of the national policies on the protection of personal data and implement them;

5) implement the provisions of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108) concluded in Strasbourg on 28 January 1981 and its protocols;

6) perform other functions provided for by this Law and other legal acts.

 

Article 12. Powers and rights of the State Data Protection Inspectorate

1. The State Data Protection Inspectorate shall enjoy the powers of the supervisory authority specified in Regulation (EU) 2016/679.

 

2. The State Data Protection Inspectorate shall also have the right to the following:

1) obtain free of charge from data controllers and data processors, state and municipal institutions and agencies, and other legal and natural persons all the necessary information, copies and transcripts of documents, and copies of data; and access all data and documents necessary for the performance of the tasks and functions of the supervisory authority;

2) in the course of examining infringements, access, without prior notice, the premises, including those rented or used on other grounds, of the person under inspection, the complainee or persons related to them or access the territory where the documents and/or equipment related to the processing of personal data are kept. Access, upon presentation of a certificate of a civil servant, to the territory, buildings and premises of a legal person, including those rented or used on any other grounds, shall be permitted only during office hours of the legal person. Access to the residential premises of a natural person, including those rented or used on other grounds,  where documents and/or equipment related to the processing of personal data are kept shall be permitted only upon presentation of a court ruling authorising entry to the residential premises of the natural person;

3) attend sittings of the Seimas and meetings of the Government and other state institutions where their agenda includes items related to the protection of personal data and/or privacy.

4) invite experts/consultants and set up working groups for expert investigation of processing or protection of personal data, for drafting of documents on protection of personal data and for addressing other matters within the remit of the State Data Protection Inspectorate;

5) provide recommendations and instructions to data controllers, data processors, and other legal or natural persons regarding the processing of personal data and/or protection of privacy;

6) exchange information with foreign personal data protection supervisory authorities and international organisations to the extent necessary for the performance of their functions;

7) attend court hearings on infringements of international, European Union’s, and domestic legal provisions on the protection of personal data;

8) use technical measures in the course of examining infringements;

9) in the course of examining infringements, obtain oral and written explanations from legal and natural persons and request that they arrive at the premises of the State Data Protection Inspectorate to provide explanations;

10) use the available information, including personal data, obtained in the course of examining infringements or performing other functions;

11) enlist the assistance of police officers for maintaining public order and ensuring possible use of coercion;

12) exercise other rights provided for by laws and other legal acts.

 

3. Where the State Data Protection Inspectorate has grounds to believe, in the course of handling a complaint, that a decision of the European Commission on adequacy, on adoption of standard data protection clauses, or on universal validity of approved codes of conduct is unlawful and the decision of the State Data Protection Inspectorate depends on the validity of this decision of the European Commission, the State Data Protection Inspectorate shall suspend the handling of the complaint and apply to the Supreme Administrative Court of Lithuania, in accordance with the procedure established by the Law of the Republic of Lithuania on Administrative Proceedings, requesting the latter to apply to the competent judicial authority of the European Union regarding the decision of the European Commission on adequacy, on adoption of standard data protection clauses, or on universal validity of approved codes of conduct. Where the Supreme Administrative Court of Lithuania has reason to believe, in the course of examining a request of the State Data Protection Inspectorate, that a decision of the European Commission on adequacy, on adoption of standard data protection clauses, or on universal validity of approved codes of conduct is unlawful, the Supreme Administrative Court of Lithuania shall decide to apply to a competent judicial authority of the European Union requesting it to adopt a preliminary ruling pursuant to Article 267 of the Treaty on the Functioning of the European Union (OJ 2016 C 202, p. 47).

 

4. When conducting own-initiative investigations and/or inspections and handing complaints, the State Data Protection Inspectorate shall also enjoy the rights and powers of the State Data Protection Inspectorate established in the Code of Administrative Offences of the Republic of Lithuania.

 

Article 13. Obligation of secrecy and confidentiality 

The Director of the State Data Protection Inspectorate, the Inspector of Journalist Ethics, as well as civil servants of and employees working under employment contracts in the said supervisory authorities must protect the information comprising a state, official, professional, commercial, or any other secret protected by law, as well as any other confidential information which comes to their knowledge in the course of performing their tasks or exercising their powers, both during their service  and after the termination of their service/employment relations.

 

Article 14. Binding power of the requests of the supervisory authority

Legal and natural persons must comply with the requests of the supervisory authority, including but not limited to a request to arrive at the premises of the supervisory authority for providing explanations, immediately provide information and/or explanations, copies and transcripts of documents, copies of data, and provide access to all data and/or equipment related to the processing of personal data and documents necessary for the performance of the functions of the supervisory authority.

 

CHAPTER IV

AUTHORISATION FOR TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS AND ACCREDITATION OF CERTIFICATION BODIES BY THE STATE DATA PROTECTION INSPECTORATE

 

Article 15. Authorisation by the State Data Protection Inspectorate for transfer of personal data to third countries or international organisations in accordance with Article 46(3) of Regulation (EU) 2016/679

1. The State Data Protection Inspectorate must, in accordance with Article 46(3) of Regulation (EU) 2016/679, issue to a data controller an authorisation for transfer of personal data to a third country or an international organisation or give a reasoned written refusal to issue such authorisation to a data controller no later than within 20 working days. This deadline shall be calculated from the day of receipt by the State Data Protection Inspectorate of all the documents and information necessary for obtaining an authorisation.

 

2. Due to the complexity of circumstances, the scope of information, or other important objective reasons, the deadline, referred to in paragraph 1 of this Article, for issuing an authorisation for transfer of personal data to a third country or an international organisation may be extended once for a period of up to 10 working days. Having decided to extend the deadline referred to in paragraph 1 of this Article, the State Data Protection Inspectorate must, immediately, but no later than before the expiry of the deadline referred to in paragraph 1 of this Article, notify the data controller of the extension of the deadline for issuing the authorisation and the reasons for such an extension.

 

3. The procedure for issuing authorisations for transfer of personal data to third countries or international organisations shall be established by the State Data Protection Inspectorate.

 

Article 16. Accreditation of certification bodies

1. Certification bodies shall be accredited in accordance with Article 43 of Regulation (EU) 2016/679 and the procedure for accreditation and issuing of accreditation certificates shall be established by the State Data Protection Inspectorate.

 

2. Certification bodies wishing to be accredited shall cover the costs of accreditation at the rates approved in accordance with the procedure established by the Government.

 

CHAPTER V

EXAMINATION OF INFRINGEMENTS CARRIED OUT BY

THE SUPERVISORY AUTHORITIES

 

SECTION ONE

GENERAL PROVISIONS

 

Article 17. Rights and obligations of a person under inspection, a complainant, a complainee, and a person suspected of infringement

 

1. A person under inspection, where the State Data Protection Inspectorate conducts an own-initiative investigation and/or inspection, a complainant and a complainee, where the supervisory authority handles a complaint, and a person suspected of infringement, where the procedure of imposing an administrative fine is launched, shall have the rights and obligations specified in Regulation (EU) 2016/679 and this Law.

 

2. A person under inspection, a complainant, a complainee, and a person suspected of infringement shall also have the right to the following:

1) obtain explanations about the subject matter of and grounds for the investigation and/or inspection or handling of the complaint;

2) on their own initiative, submit additional explanations and/or information related to the investigation and/or inspection or handling of the complaint;

3) appeal against any acts or omissions by the supervisory authority;

4) access the material relating to the investigation and/or inspection, handling of a complaint, and imposition of an administrative fine, except for the information comprising a state, official, professional, commercial or any other secret protected by law.

 

3. The persons referred to in paragraph 1 of this Article shall be considered to have been duly informed and duly notified where, in the cases referred to in this Chapter, the supervisory authority sends decisions, notifications, other documents and information to these persons at their registered office address indicated in the Register of Legal Entities of the Republic of Lithuania or at their residential address  indicated in the Population Register of the Republic of Lithuania, except for the cases where the person indicates another correspondence address, or at the person’s e-delivery address indicated in the Register of Legal Entities or the Population Register.

 

Article 18. Issuing court authorisations for entering residential premises of natural persons

1. In the course of examining an infringement, the supervisory authority, having decided to enter the residential premises of a natural person, including those rented or used on other grounds, shall submit to Vilnius Regional Administrative Court an application for a court authorisation for entering the residential premises of the natural person.

 

2. An application for a court authorisation for entering the residential premises of a natural person shall indicate the first name and surname of the natural person, the address of the residential premises, the nature of the alleged infringement, and the action to be taken.

 

3. Having examined an application for a court authorisation for entering the residential premises of a natural person, Vilnius Regional Administrative Court shall adopt a reasoned ruling to grant an authorisation or reject the application.

 

4. The application for a court authorisation for entering the premises of a natural person shall be examined and the ruling shall be adopted no later than within 72 hours from the submission of the application.

 

5. Where the supervisory authority disagrees with a ruling of Vilnius Regional Administrative Court to reject the application for a court authorisation for entering the residential premises of a natural person, the supervisory authority shall have the right to appeal against the ruling to the Supreme Administrative Court of Lithuania within seven calendar days from the day of adoption of the ruling.

 

6. The Supreme Administrative Court of Lithuania must examine the appeal of the supervisory authority against the ruling of Vilnius Regional Administrative Court no later than within seven calendar days from the day of receipt of the appeal. A representative of the supervisory authority shall have the right to attend the appeal proceedings.

 

7. The ruling of the Supreme Administrative Court of Lithuania on the appeal of the supervisory authority against the ruling of Vilnius Regional Administrative Court shall be final and not subject to appeal.

 

Article 19. Provision of information about the examination of an infringement conducted by the supervisory authority

The supervisory authority shall provide no information to the media and other persons unrelated to the ongoing investigation and/or inspection or handling of a complaint about the ongoing examination of an infringement until the investigation and/or inspection or handling of the complaint is completed, except for the cases where the supervisory authority may provide information about the fact of the ongoing investigation and/or inspection or handling of the complaint, where the information is provided on the initiative of any agency other than the supervisory authority.

 

SECTION TWO

CONDUCTING INVESTIGATIONS AND/OR INSPECTIONS ON THE INITIATIVE OF THE STATE DATA PROTECTION INSPECTORATE

 

Article 20. Investigations and/or inspections conducted on the initiative of the State Data Protection Inspectorate and the procedure for conducting thereof

1. The State Data Protection Inspectorate may, on its own initiative, launch an investigation and/or inspection on any matter relating to a possible infringement of Regulation (EU) 2016/679, this Law, and other laws regulating the protection of personal data and/or privacy.

 

2. An investigation and/or inspection on the initiative of the State Data Protection Inspectorate may be launched on the basis of the information on the protection of personal data and/or privacy provided by members of society, government institutions and agencies, foreign personal data protection supervisory authorities, international organisations, national and international non-governmental organisations, the media and other sources. The State Data Protection Inspectorate may launch an investigation and/or inspection on its own initiative without reference to any information provided by other sources.

 

3. The State Data Protection Inspectorate shall, on its own initiative, conduct investigations and/or inspections in relation to a possible infringement of Regulation (EU) 2016/679, this Law, and other laws regulating the protection of personal data and/or privacy in accordance with the procedure established by these legal acts and the State Data Protection Inspectorate.

 

4. Where investigations and/or inspections are conducted on the initiative of the State Data Protection Inspectorate in compliance with Article 60 of Regulation (EU) 2016/679, Article 21 of this Law shall not apply.

 

Article 21. Duration of an investigation and/or inspection conducted on the initiative of the State Data Protection Inspectorate

1. The duration of an investigation and/or inspection on the initiative of the State Data Protection Inspectorate shall not exceed four months from the day of the decision to launch the investigation and/or inspection.

 

2. Taking into account the complexity of an investigation and/or inspection, the nature of activities of the person under inspection, the scope of an investigation and/or inspection, the avoidance by the person under inspection and other legal or natural persons to comply with the requirements of the State Data Protection Inspectorate, as well new circumstances, or other objective reasons discovered during the investigation and/or inspection, the duration specified in paragraph 1 of this Article may be extended for up to two months by a decision of the State Data Protection Inspectorate. The overall duration of an investigation and/or inspection on the initiative of the State Data Protection Inspectorate may not exceed six months from the day of taking the decision to launch the investigation and/or inspection. The State Data Protection Inspectorate must notify the person under inspection of the extension of the duration of the investigation and/or inspection and the reasons for the extension thereof immediately but no later than before the expiry of the duration referred to in paragraph 1 of this Article.

 

Article 22. Decisions of the State Data Protection Inspectorate following an own-initiative investigation and/or inspection

1. Having completed an own-initiative investigation and/or inspection, the State Data Protection Inspectorate may, on a reasoned basis, decide to do the following:

1) conclude that no infringements have been established;

2) provide instructions or recommendations to the data controller and/or the data processor and/or apply other measures referred to in Article 58(2) of Regulation (EU) 2016/679, Article 33 of this Law and other laws regulating the protection of personal data and/or privacy. Where an administrative fine is to be imposed, the action referred to in Section Four of this Chapter shall be taken;

3) draw up an administrative offence report in respect of the person who has committed the infringement.

 

2. The State Data Protection Inspectorate shall, no later than within three working days from the adoption of the decision, notify the person under inspection thereof in writing, with the exception of the case referred to in Article 22(1)(2) of this Law, where an administrative fine is to be imposed.

 

3. Judicial remedy may be sought against the decisions of the State Data Protection Inspectorate in accordance with the procedure established by the Law on Administrative Procedure.

 

SECTION THREE

HANDLING OF COMPLAINTS

 

Article 23. Procedure for handling complaints

1. The supervisory authority shall handle complaints regarding infringements of Regulation (EU) 2016/679, this Law, and other laws on the protection of personal data and/or privacy in accordance with the procedure established by these legal acts and the supervisory authority.

 

2. Where the handling of a complaint is based on Article 60 of Regulation (EU) 2016/679, Article 30(2) of this Law shall not apply.

 

Article 24. Lodging and content of complaints

1. A complaint may be lodged with the State Data Protection Inspectorate by the following complainants:

1) the data subject referred to in Article 77(1) of Regulation (EU) 2016/679 where the complaint relates to infringements of Regulation (EU) 2016/679;

2) a data subject where the complaint relates to infringements of this Law and other laws regulating the protection of personal data and/or privacy;

3) a natural or legal person where the complaint relates to infringements of Chapter IX of the Law of the Republic of Lithuania on Electronic Communications, with the exception of Article 73(5), Article 76(7), Article 80(2), and Article 80(3).

 

2. A complaint in respect of infringements of Regulation (EU) 2016/679 may be lodged with the Inspector of Journalist Ethics by the data subject referred to in Article 77(1) of Regulation (EU) 2016/679.

 

3. A written complaint may be lodged with the supervisory authority in person, by post, or by electronic means.

 

4. Where a complaint is lodged by the representative of a complainant, the complaint shall be accompanied by a document confirming the powers of the representative. Where a complaint is lodged on behalf of the complainant referred to in Article 24(1)(1), Article 24(1)(2), or Article 24(2) of this Law by a non-profit body, organisation or association in accordance with Article 80(1) of Regulation (EU) 2016/679 or the laws regulating the protection of personal data and/or privacy, the complaint must be accompanied by documents confirming that this body, organisation, or association is active in the field of protection of personal data. 

 

5. A complaint shall contain the following information:

1) the supervisory authority as the addressee of the complaint;

2) the date of drawing up the complaint;

3) data of the complainant and its representative, if any:

(a) the first name, surname, and contact details of the natural person;

(b) the name, code, and contact details of the legal person;

(c) the grounds for representation where the complaint is lodged by the representative of the complainant;

4) the identity of the complainee (name and code of the legal person or first name and surname of the natural person), and the contact details, if known;

5) the description of the act/omission subject to complaint, as well as the time and circumstances of commission thereof;

6) the request by the complainant to the supervisory authority;

7) the signature of the complainant or the representative, if any. A complaint lodged by electronic means must be signed by a qualified electronic signature of the complainant or the representative, if any, or drawn up by electronic means that ensure the integrity and inviolability of the text.

 

6. A complaint shall be accompanied by the documents or a description thereof necessary for the handling of the complaint.

 

Article 25. Anonymous Complaints

No anonymous complaints shall be handled, unless the Director of the State Data Protection Inspectorate or the Inspector of Journalist Ethics decide otherwise.

 

Article 26. Acceptance of a complaint

The supervisory authority shall confirm in writing the fact of acceptance of a complaint or a part thereof. The letter of confirmation shall indicate the date of acceptance of the complaint, the first name, surname, and telephone number of the representative of the supervisory authority handling the complaint or a part thereof, the registration number of the complaint and the possibility to defend the complainant’s rights in court. The document confirming the acceptance of a complaint or a part thereof shall be delivered to the complainant in person or sent by post or electronic means no later than within three working days from the day of receipt of the complaint by the supervisory authority.

 

 

Article 27. Refusal to handle a complaint

1. The supervisory authority shall refuse to handle a complaint or a part thereof and shall notify the complainant thereof no later than within five working days from the day of receipt of the complaint at the supervisory authority, and explain the grounds for the refusal, where the following circumstances exist:

1) the complaint or a part thereof fails to meet the requirements referred to in Article 24(5) of this Law and applicable to the content of a complaint. Failure to provide information referred to in Article 24(5) of this Law in a complaint may not serve as grounds for the refusal to accept the complaint where the complaint can be handled without this information;

2) investigation of the circumstances or a part thereof specified in the complaint is outside the remit of the supervisory authority;

3) another complaint or a part thereof on the same matter has already been handled by the supervisory authority, except for the cases where new circumstances or new facts are presented;

4) another complaint or a part thereof on the same matter has been heard or is being heard by a court of the Republic of Lithuania or that of any other Member State of the European Union;

5) a complaint or a part thereof on the same matter has been handled by a supervisory authority of another European Union Member State;

6) a pre-trial investigation has been launched in respect of the subject matter of the complaint or a part thereof;

7) the text of the complaint is illegible, the complainant’s request has not been formulated clearly, or the content of the complaint is incomprehensible;

8) the complaint has been lodged more than two years later following the commission of the infringements indicated in the complaint or a part thereof.

 

2. Where the investigation of the circumstances or part thereof specified in the complaint is outside the remit of the supervisory authority, it shall, within the deadline referred to in paragraph 1 of this Article, refer the complaint or a part thereof to the competent authority and notify the complainant thereof. Where the competent authority is a court, the complaint or a part thereof shall be returned to the complainant notifying the latter of where to apply.

 

Article 28. Request for additional documents and/or information from a complainant

1. A request of the supervisory authority to a complainant to submit additional documents and/or information necessary for the handling of the complaint or a part thereof must be reasoned. The complainant shall be informed about the consequences of the failure to submit additional documents and/or information.

 

2. At the request of the supervisory authority, the complainant must submit additional documents and information necessary for the handling of the complaint or a part thereof within the deadline specified by the supervisory authority, but no later than within 10 working days from the day of receipt of the request.

 

Article 29. Termination of complaint proceedings

1. The supervisory authority shall decide to discontinue the handing of a complaint or a part thereof where the following circumstances emerge in the course of the complaint proceedings:

1) the complainant submits a request to discontinue the handling of the complaint or a part thereof;

2) the ground(s) referred to in Articles 27(1)(2) to 27(1)(6) and Article 27(1)(8) of this Law for refusing to handle the complaint or a part thereof are discovered;

3) the complainant fails to submit, at the request of the supervisory authority, any additional documents and/or information, which makes it is impossible to handle the complaint or a part thereof;

4) it is discovered that the complaint or a part thereof cannot be handled due to the lack of information or due to other important circumstances;

5) it transpires that the complainant has died.

 

2. The complainant shall be notified of the termination of the complaint proceedings no later than within three working days from the adoption of the decision referred to in Article 29(1) of this Law, except for the case referred to in Article 29(1)(5) of this Law.

 

Article 30. Deadline for notifying a complainant and for handling a complaint

1. The supervisory authority shall notify a complainant of the results or progress of handling a complaint where the complaint or a part thereof have not been examined no later than within three months from the day of receipt of the complaint by the supervisory authority.

 

2. A complaint or a part thereof must be handled and a reply must be sent to the complainant within four months from the day of receipt of the complaint by the supervisory authority, except for the cases where it is necessary to extend the handling of the complaint or a part thereof due to the complexity of the circumstances indicated in the complaint or part thereof or discovered during the handing, the scope of information, avoidance to comply, by the complainee and other legal or natural persons, with the requirements of the supervisory authority, the continuous nature of the actions subject to complaint or other objective reasons. In such cases, the deadline for handling a complaint or a part thereof shall be extended, but for no longer than two months. The total duration of handling a complaint or a part thereof may not exceed six months from the day of receipt of the complaint by the supervisory authority. The complainant shall be notified of the extension of the deadline for handing the complaint or a part thereof and of the reasons for the extension. A complaint or a part thereof must be handled within the shortest possible period.

 

Article 31. Decisions of the supervisory authority following the examination of a complaint

1. Upon completing the examination of a complaint or a part thereof, the supervisory authority may, on a reasoned basis, decide to do the following:

1) recognise the complaint or a part thereof as well founded;

2) reject the complaint or a part thereof.

 

2. Where a complaint or a part thereof is recognised as well founded, the State Data Protection Inspectorate shall, on a reasoned basis, take the following steps:

 

1) provide instructions or recommendations to the data controller and/or the data processor and/or apply other measures referred to in Article 58(2) of Regulation (EU) 2016/679, Article 33 of this Law, and other laws regulating the protection of personal data and/or privacy. Where an administrative fine is to be imposed, the action referred to in Section Four of this Chapter shall be taken;

2) draw up an administrative offence report in respect of the person who has committed the infringement.

 

3. Where a complaint or a part thereof is recognised as well founded, the Inspector of Journalist Ethics shall give reasoned instructions or recommendations to the data controller and/or the data processor and/or apply other measures referred to in Article 58(2) of Regulation (EU) 2016/679 and Article 33 of this Law. Where an administrative fine is to be imposed, the action referred to in Section Four of this Chapter shall be taken;

 

4. The supervisory authority shall, no later than within three working days from the adoption of the decision, notify the complainant and the complainee thereof in writing, with the exception of the cases referred to in Article 31(2)(1) and Article 31(3) of this Law where an administrative fine is to be imposed.

 

5. Judicial remedy may be sought against the decisions of the supervisory authority in accordance with the procedure established by the Law on Administrative Proceedings.

 

SECTION FOUR

ADMINISTRATIVE FINES

 

Article 32. Procedure for imposing administrative fines

1. The supervisory authority shall impose administrative fines for infringements of Regulation (EU) 2016/679 and this Law in accordance with Regulation (EU) 2016/679 and this Law.

 

2. Administrative fines shall be imposed, within remit, by the Director of the State Data Protection Inspectorate or the Inspector of Journalist Ethics or a person authorised by them.

 

3. A decision on the imposition of an administrative fine may be adopted within no more than two years from the day of the commission of an infringement or from the day of the discovery of an infringement where the infringement is continuous.

 

 

Article 33. Administrative fines imposed on government institutions or agencies

1. For infringement of provisions of Article 83(4)(a), Article 83(4)(b), and Article 83(4)(c) of Regulation (EU) 2016/679, the supervisory authority shall have the right to impose an administrative fine on a government institution or agency in the amount of up to 0.5 per cent of the latter’s budget of the current year and of other annual gross income received during the preceding year, but not exceeding EUR 30,000.

 

2. For infringement of provisions of Articles 83(5)(a) to 83(5)(e) or Article 83(6) of Regulation (EU) 2016/679, the supervisory authority shall have the right to impose an administrative fine on a government institution or agency in the amount of up to 1 per cent of the latter’s budget of the current year and of other annual gross income received during the preceding year, but not exceeding EUR 60,000.

 

3. For infringement of provisions of Regulation (EU) 2016/679 by a government institution or agency engaged in economic and commercial activities, the supervisory authority shall have the right to impose an administrative fine referred to in Articles 83(4), 83(5), and 83(6) of Regulation (EU) 2016/679.

 

Article 34. Administrative fines procedure

1. The supervisory authority shall send a document containing a proposal to impose an administrative fine to the person suspected of infringement. The person suspected of infringement shall be offered, within the deadline established by the supervisory authority, which may not be shorter than 10 working days from the day of receipt of this document, to submit written explanations concerning the circumstances provided in the document, except for the cases where these explanations have already been obtained in the course of investigation and/or inspection or in the course of handling of the complaint; to provide information relevant to imposing the administrative fine; and to express an opinion on the hearing of the case under an oral procedure. Failure to provide explanations and other information within the deadline referred to in this paragraph shall not prevent the supervisory authority from considering the imposition of an administrative fine.

 

2. When ready to consider a case, the supervisory authority shall normally do it under a written procedure based on the explanations submitted. Where a case is considered under a written procedure, no hearing shall be held.

 

3. Due to the complexity of circumstances or other important factors, the supervisory authority may, at the request of the person suspected of infringement or on its own initiative, decide to hear a case under an oral procedure, where it is necessary to hear oral explanations of the person suspected of infringement or in other instances where a case may be better heard under an oral procedure. Where a case is heard under an oral procedure, the person suspected of infringement, the complainant and other interested persons must be notified of the venue, date, and time of the hearing at least 10 working days prior to the day of the hearing.

 

4. The person suspected of infringement and other persons whose attendance is required for the proper hearing of the case may attend the hearing and provide explanations.

 

5. Failure by the person suspected of infringement or the representative thereof to attend shall not prevent the hearing of the case if the person suspected of infringement has been duly informed of the hearing and has not provided any evidence of being unable to attend for serious reasons.

 

6. The hearing shall be public, except for the cases where the supervisory authority, on its own initiative or at the request of the person suspected of infringement and/or the complainant, decides to hold a closed hearing with a view to protecting state, official, professional and commercial secrets or other secrets protected by law or with a view to ensuring the person’s right to privacy and/or protection of personal data.

 

7. The hearing shall be held in the Lithuanian language.

 

8. The hearing shall be audio recorded. The audio recording shall be deemed the minutes of the hearing.

 

9. Where a case is considered under a written procedure, the supervisory authority shall take a decision on the imposition of an administrative fine within 20 working days from the expiry of the deadline set by the supervisory authority in the document referred to in paragraph 1 of this Article. Where a case is heard under an oral procedure, the supervisory authority shall take a decision on the imposition of an administrative fine within 20 working days from the day of the hearing. The supervisory authority shall send the decision on the imposition of an administrative fine to the complainant and to the person in respect whereof the decision has been taken no later than within three working days from the day of adoption of the decision.  

 

10. The decision of the supervisory authority on the imposition of an administrative fine must be reasoned. The decision must specify the following:

1) the name of the authority that has adopted the decision;

2) the date and venue of the hearing;

3) the data of the person in respect of whom the decision has been taken;

4) the legal basis for adopting the decision; 

5) the infringements, if any are established, and their circumstances;

6) available evidence and its assessment;

7) explanations, if any, given by the person suspected of infringement and other persons and assessment of the explanations;

8) the decision on whether to impose an administrative fine or not;

9) the deadline and the procedure for appealing against the decision.

 

11. Judicial remedy may be sought against the decision of the supervisory authority on the imposition of an administrative fine in accordance with the procedure established by the Law on Administrative Proceedings.

 

Article 35. Execution of the decision on the imposition of an administrative fine

1. The decision of the supervisory authority on the imposition of an administrative fine must be executed no later than within three months from the day of its dispatch or delivery to the person on whom the administrative fine has been imposed. In the event where judicial remedy is sought against the decision of the supervisory authority on the imposition of an administrative fine, the decision must be executed no later than within three months from the entry into force of the court decision. The administrative fine must be paid into the state budget.

 

2. The decision of the supervisory authority on the imposition of an administrative fine shall be an enforceable document to be executed in accordance with the procedure established by the Code of Civil Procedure of the Republic of Lithuania. It may be been filed for execution no later than within three years after its adoption.

 

I promulgate this Law passed by the Seimas of the Republic of Lithuania.

 

 

 

PRESIDENT OF THE REPUBLIC                                                       ALGIRDAS BRAZAUSKAS

 

Annex to

the Law of the Republic of Lithuania on Legal Protection of Personal Data

 

LEGAL ACTS OF THE EUROPEAN UNION IMPLEMENTED BY THIS LAW

 

1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1).