REPUBLIC OF LITHUANIA

LAW

ON LEGAL PROTECTION OF PERSONAL DATA

 

11 June 1996 No I-1374

(As last amended on 3 November 2016 – No XII-2709)

Vilnius

 

CHAPTER ONE

GENERAL PROVISIONS

 

Article 1. Objective, Purpose and Scope of the Law

1. The purpose of this Law shall be safeguarding of the inviolability of an individual’s private life in the course of processing personal data.

2. This Law shall regulate relations arising in the course of the processing of personal data by automatic means, and during the processing of personal data by other than automatic means in filing systems: lists, card indexes, files, codes, etc. The Law shall establish the rights of natural persons as data subjects, the procedure for protecting these rights, the rights, duties and liability of legal and natural persons while processing personal data.

3. This Law shall apply to the processing of personal data where:

1) personal data are processed by a data controller established and operating in the territory of Lithuania, as a part of activities thereof. Where personal data are processed by a branch office or a representative office of a data controller of a Member State of the European Union or another state of the European Economic Area, established and operating in the Republic of Lithuania, such a branch office or representative office shall be bound by the provisions of this Law applicable to the data controller;

2) personal data are processed by a data controller which is established in the territory other than the Republic of Lithuania, but which is bound by the laws of the Republic of Lithuania by virtue of international public law (including diplomatic missions and consular posts);

3) personal data are processed by a data controller established and operating in a country which is not a Member State of the European Union or another state of the European Economic Area (hereinafter: a ‘third country’), where the data controller uses personal data processing means established in the Republic of Lithuania, with the exception of the cases where such means are used only for transit of data through the territory of the Republic of Lithuania, the European Union or another state of the European Economic Area. In the case laid down in this point, the data controller must have its representative, that is, an established branch office or a representative office in the Republic of Lithuania which shall be bound by the provisions of this Law applicable to the data controller.

4. This Law shall not apply if personal data are processed by a natural person only for his personal needs not related to business or profession.

5. This Law shall not apply to the processing of personal data of deceased persons.

6. When personal data are processed for the purposes of state security or defence, this Law shall apply to the extent that other laws do not provide otherwise.

7. This Law shall not restrict or prohibit free movement of personal data when fulfilling European Union membership commitments of the Republic of Lithuania.

8. This Law shall harmonise regulation of legal protection of personal data in the Republic of Lithuania with the European Union legal acts referred to in the Annex to this Law.

 

Article 2. Definitions

1. Personal data shall mean any information relating to a natural person (data subject) who is known or who can be identified directly or indirectly by reference to such data as a personal identification number or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

2. Data recipient shall mean a legal or a natural person to whom personal data are disclosed. The authorities supervising the implementation of this Law referred to in Articles 8 and 36 of this Law as well as other state and municipal institutions and agencies shall not be regarded as data recipients when they obtain personal data in response to a specific request for the purposes of fulfilling their control functions laid down in laws.

3. Disclosure of data shall mean disclosure of personal data by transmission or making them available by any other means (with the exception of publishing them in mass media).

4. Data processing shall mean any operation, which is performed with personal data such as collection, recording, accumulation, storage, classification, grouping, combining, alteration (supplementing or rectifying), disclosure, making available, use, logical and/or arithmetic operations, retrieval, dissemination, destruction or any other operation or a set of operations.

5. Data processing by automatic means shall mean any operation performed with personal data carried out in whole or in part by automatic means.

6. Data processor shall mean a legal or a natural person other than an employee of the data controller processing personal data on behalf of the data controller. The data processor and/or the procedure of its/his nomination may be laid down in laws or other legal acts.

7. Data controller shall mean a legal or a natural person which alone or jointly with others determines the purposes and means of processing personal data. Where the purposes of processing personal data are laid down in laws or other legal acts, the data controller and/or the procedure for its/his nomination may be laid down in such laws or other legal acts.

8. Special categories of personal data shall mean data concerning racial or ethnic origin of a natural person, his political opinions or religious, philosophical or other beliefs, membership in trade unions, and his health, sexual life and criminal convictions.

9. Prior checking shall mean an advance inspection of processing data before it is started in the cases laid down in this Law.

10. Social and public opinion survey shall mean a systemic collection of data and/or information about natural and legal persons and interpretation thereof by means of statistical, analysis and other methods of social sciences with a view to obtaining insights required for decision-making. Direct marketing may not be undertaken when conducting a social and public opinion survey.

11. Filing system shall mean any structured set of personal data arranged in accordance with specific criteria relating to the person, allowing an easy access to personal data in the file.

12. Consent shall mean an indication of will given freely by a data subject indicating his agreement to the processing of his personal data for the purposes known to him. His consent with regard to special categories of personal data must be expressed clearly, in a written or equivalent form or any other form giving an unambiguous evidence of the data subject’s free will.

13. Direct marketing shall mean an activity intended for offering goods or services to individuals by post, telephone or any other direct means and/or for obtaining their opinion about the offered goods or services.

14. Third party shall mean a legal or a natural person, with the exception of the data subject, the data controller, the data processor and persons who have been directly authorised by the data controller or the data processor to process data.

15. Internal administration shall mean activity which ensures an independent functioning of the data controller (structure administration, personnel management, management and use of available material and financial resources, and clerical work).

16. Public data file shall mean a state register or an information system or any other data file which, pursuant to laws of the Republic of Lithuania or other legal acts, is intended for the disclosure of data, information, documents and/or copies thereof to the public and which may be lawfully used by the public.

17. Video surveillance shall mean processing of image data concerning natural person (hereinafter: ‘video data’) by using automated video surveillance means (video and photo cameras, etc.) irrespective of whether these data are recorded in a file or not.

18. The concepts of a credit institution and a financial institution shall be interpreted as they are defined in the Law on Financial Institutions.

 

CHAPTER TWO

PERSONAL DATA PROCESSING

 

Article 3. Requirements for the Processing of Personal Data

1. The data controller must ensure that personal data are:

1) collected for specified and legitimate purposes and later are not processed for purposes incompatible with the purposes determined before the personal data concerned are collected;

2) processed accurately, fairly and lawfully;

3) accurate and, where necessary, for purposes of personal data processing, kept up to date; inaccurate or incomplete data must be rectified, supplemented, erased or their further processing must be suspended;

4) identical, adequate and not excessive in relation to the purposes for which they are collected and further processed;

5) kept in a form which permits identification of data subjects for no longer than it is necessary for the purposes for which the data were collected and processed.

6) processed in compliance with the clear and transparent requirements for personal data processing set forth in this Law and other laws regulating relevant activities.

2. Personal data collected for other purposes may be processed for statistical, historical or scientific research purposes only in the cases laid down by laws, provided that adequate data protection measures are laid down by laws.

 

Article 4. Storage and Destruction of Personal Data

Personal data shall not be stored longer than it is necessary for data processing purposes. Personal data must be destroyed when they are no more needed for their processing purposes, with the exception of data which must be transferred to state archives in the cases laid down by laws.

 

Article 5. Criteria for the Lawful Processing of Personal Data

1. Personal data may be processed if:

1) the data subject has given his consent;

2) a contract to which the data subject is party is being concluded or performed;

3) it is a legal obligation of the data controller under laws to process personal data;

4) processing is necessary in order to protect vital interests of the data subject;

5) processing is necessary for the exercise of official authority vested by laws and other legal acts in state and municipal institutions, agencies, enterprises or a third party to whom personal data are disclosed;

6) processing is necessary for the purposes of legitimate interests pursued by the data controller or by a third party to whom the personal data are disclosed, unless such interests are overridden by interests of the data subject.

2. It shall be prohibited to process special categories of personal data, except in the following cases:

1) the data subject has given his consent;

2) such processing is necessary for the purposes of employment or civil service while exercising rights and fulfilling obligations of the data controller in the field of labour law in the cases laid down in laws;

3) it is necessary to protect vital interests of the data subject or of any other person, where the data subject is unable to give his consent due to a physical disability or legal incapacity;

4) processing of personal data is carried out for political, philosophical, religious purposes or purposes concerning the trade-unions by a foundation, association or any other non-profit organisation, as part of its activities, on condition that the personal data processed concern solely the members of such organisation or to other persons who regularly participate in such organisation in connection with its purposes. Such personal data may not be disclosed to a third party without the data subject’s consent;

5) the personal data have been made public by the data subject;

6) the data are necessary, in the cases laid down in laws, to prevent and investigate criminal or other unlawful acts;

7) the data are necessary for a court hearing;

8) it is a legal obligation of the data controller under laws to process such data.

3. Data on a person’s health may also be processed for the purposes and in the procedure laid down in Article 10 of this Law and other laws regulating health care.

4. The personal data related to a person’s record of conviction, criminal acts or security measures may be processed, for crime prevention, investigation purposes and in other cases laid down by laws, only by a state institution or agency in the manner laid down in laws. Other natural or legal persons may process such data in the cases laid down by laws provided that appropriate measures laid down in laws and other legal acts for the protection of legitimate interests of the data subject have been adequately implemented. Detailed data about previous convictions may be processed only according to the procedure laid by the Law on State Registers.

 

Article 6. Disclosure of Personal Data

In the cases laid down in this Law, personal data shall be disclosed under a personal data disclosure contract between the data controller and the data recipient in the case of a multiple disclosure or in response to a request of the data recipient in the case of a single disclosure. The contract must specify the purpose for which personal data will be used, the legal basis for disclosure and receipt, the conditions, the procedure of use and the extent of personal data that is disclosed. The request must specify the purpose for which personal data will be used, the legal basis for disclosure and receipt and the extent of personal data requested. Where personal data are managed by automatic means and appropriate measures ensuring data security are applied, in disclosing personal data under a personal data disclosure contract between the data controller and the data recipient priority must be given to disclosure of the data by automatic means, and when disclosing personal data at the request of the data recipient – to disclosure of data by means of electronic communications.

 

Article 7. Use of a Personal Identification Number

1. A personal identification number shall be a unique sequence of digits. A personal identification number shall be assigned to a person in accordance with the procedure laid down in the Law on Residents’ Register.

2. It shall be permitted to use a personal identification number when processing personal data only with the consent of the data subject, except in cases specified in paragraphs 4 and 5 of this Article, when the use of the personal identification number shall be prohibited.

3. A personal identification number may be used without the consent of the data subject only if:

1) such a right is laid down in this Law and other laws;

2) a scientific or statistical research is being carried out in the cases laid down in Articles 12 and 13 of this Law;

3) it is processed in state or departmental registers, provided that they have been officially  set up in accordance with the procedure laid down in the Law on State Registers, and in information systems, provided that they have been set up in accordance with the procedure laid down in legal acts;

4) it is processed by legal persons involved in activities related to granting of loans and recovery of debts, insurance or financial leasing, health care and social insurance as well as in the activities of other institutions providing and administrating social care, educational establishments, research and higher education institutions. Legal persons specified in this point may use personal identification number only for the purpose for which it has been received and only in these cases where it is necessary for a legitimate and specified purpose of personal data processing;

5) classified data are processed in cases laid down by laws.

4. A personal identification number may not be made public.

5. A personal identification number may not be collected and processed for direct marketing purposes.

 

Article 8. Processing of Personal Data and Adjustment of the Freedom of Provision of Information to the Public

The processing of personal data by the media for the purpose of providing information to the public, artistic and literary expression shall be supervised by the Inspector of Journalist Ethics. The remit thereof shall be laid down by the Law on Provision of Information to the Public. In these cases, only the provisions of Articles 1, 2, 3, 4, 5, 6, 7, 30, 53 and 54 of this Law shall apply to the processing of personal data.

 

Article 9. Personal Data Processing for the Purposes of Social Insurance and Social Assistance

For the purposes of social insurance and social assistance administrative institutions of the State Social Insurance Fund and legal persons providing or administering social assistance shall exchange personal data without the data subject’s consent.

 

Article 10. Personal Data Processing for the Purposes of Health Care

1. Personal data on a person’s health (its state, diagnosis, prognosis, treatment, etc.) may be processed by an authorised health care professional. A person’s health shall be subject to professional secrecy under the Civil Code, the laws regulating patients’ rights and other legal acts.

2. Personal data processing for scientific medical research purposes shall be carried out in accordance with this and other laws.

3. Personal data on a person’s health may be processed by automatic means, also for scientific medical research purposes only subject to giving a notice to the State Data Protection Inspectorate. In this case, the State Data Protection Inspectorate must carry out a prior checking.

 

Article 11. Personal Data Processing for the Purposes of Elections, Referendum and Citizens’ Legislative Initiative

1. Processing of personal data (name, surname, date of birth, personal identification number, address of the place of residence, citizenship, number of the identification document) for the purposes of elections, referendum, citizens’ legislative initiative, political campaigns and financing of political parties shall be determined by this Law and other laws.

2. Information compiled by the Central Electoral Commission on the basis of statements and other documents submitted by candidates or their representatives and announced on a website, about candidates, votes received by the candidates, lists of members of electoral or referendum committees, observers, representatives, members of initiative groups and lists of donors of political campaigns may be revised after the announcement of election or referendum results, only for the purposes of correction of language mistakes or when the information on the website differs from the information in the statements and other documents delivered at the time prescribed by legal acts. Personal identification numbers of the candidates and any other persons, their citizenship or numbers of their identification documents, the exact address (street, number of the house, number of the apartment) of their place of residence may not be made public on the website.

 

Article 12. Personal Data Processing for the Purposes of Scientific Research

1. Personal data may be processed for the purposes of scientific research on condition that the data subject has given his consent. Without the data subject’s consent, personal data may be processed for the purposes of scientific research only upon giving a notice to the State Data Protection Inspectorate. In this case, the State Data Protection Inspectorate must carry out a prior checking.

2. Personal data which have even used for the purposes of scientific research must be altered immediately in a manner which makes it impossible to identify the data subject.

3. The personal data collected and stored for the purposes of scientific research may not be used for any other purposes.

4. In the cases when the conducted research does not require personal identification data, the data controller shall provide to the data recipient such personal data from which identification of a person is not possible.

5. Research results shall be made public together with the personal data on condition that the data subject has given his consent to have his personal data made public.

 

Article 13. Personal Data Processing for Statistical Purposes

1. The processing of personal data for statistical purposes shall mean the carrying out of statistical surveys and disclosure and storage of their results.

2. The personal data collected for other than statistical purposes may be used in the cases laid down by law for the preparation of official statistical information.

3. The personal data collected for statistical purposes may be disclosed and used for other than statistical purposes in accordance with the procedure and in the cases laid down in the Law on Statistics.

4. The personal data collected for different statistical purposes shall be compared and combined only on condition that the personal data are protected against unlawful use for other than statistical purposes.

5. Special categories of personal data shall be collected for statistical purposes solely in the form which does not permit direct or indirect identification of the data subject, except in the cases laid down by law.

 

Article 131. Personal Data Processing for the Purposes of a Social and Public Opinion Survey

1. When conducting a social and public opinion survey, personal data may be processed only with the consent of a data subject. The data subject’s contact data (address, phone number) may be processed without the data subject’s consent until the first direct contact with the data subject, with the aim of contacting him. The data subject shall grant his consent to personal data processing for the purposes of a social and public opinion survey or refuse to grant it in the course of a direct contact with the conductor of the survey or in a written or equivalent form. Where the data subject refuses to grant his consent to personal data processing, such personal data must be immediately destroyed.

2. Only the personal data which are necessary for conducting a social and public opinion survey must be collected for the purposes of the social and public opinion survey; the personal data used for a specific social and public opinion survey must be altered immediately in a manner which makes it impossible to identify the data subject.

3. The use of the personal data collected and processed for the purposes of a social and public opinion survey for other purposes (for advertising, direct marking, commercial activities, etc.) shall be prohibited.

 

Article 14. Personal Data Processing for the Purposes of Direct Marketing

1. Personal data may be processed for the purposes of direct marketing only after the data subject gives his consent.

2. Personal data may be processed for the purposes of direct marketing if a period for the storage of personal data is set when collecting such data.

3. The data controller must provide a clear, free-of-charge and easily realisable possibility for the data subject to give or refuse giving his consent for the processing of his personal data for the purposes of direct marketing.

4. The data controller who, while rendering services or selling goods in accordance with the procedure and conditions set by this Law, receives contact information (name, surname and address) from the data subjects being his customers may only use this data without a separate data subject’s consent for the marketing of his own goods or services of a similar nature provided that the customers have been given a clear, free-of-charge and easily realisable possibility not to give their consent or refuse giving their consent for the use of this data for the above-mentioned purposes at the time of collection of the data and, if initially the customer has not objected against such use of the data, at the time of each offer.

 

Article 15. Personal Data Processing in the Areas of Electronic Communications and Cyber Security

The processing of personal data in the areas of electronic communications and cyber security shall be governed by the Law on Electronic Communications, the Law on Cyber Security and this Law.

 

Article 151. Personal Data Processing in the Framework of Police and Judicial Cooperation in Criminal Matters as Provided for in Title V of Part Three of the Treaty on the Functioning of the European Union

In the framework of police and judicial co-operation in criminal matters as provided for in Title V of Part Three of the Treaty on the Functioning of the European Union, personal data shall be processed in compliance with the Law on Legal Protection of Personal Data Processed in the Framework of Police and Judicial Co-operation in Criminal Matters and this Law.