LAW

As a member of the European Union, Lithuania has implemented the EU Data Protection Directive 95/46/EC and is amending its national legislation step by step. Lithuania passed the Law on Legal Protection of Personal Data on 11 June 1996 (the "Data Protection Law"), which was amended on 17 July 2000, 22 January 2002 and 21 January 2003 in order to transpose the provisions of the Directive. The latest modifications to the Data Protection Law came into force on 1 September 2011. They include amendments and new regulations on public polls, credit referencing agencies and public governance of data protection. Enforcement is carried out by the State Data Protection Inspectorate.

In addition, Lithuania has fully transposed Directive 2006/24/EC (the Data Retention Directive) into national law through the Law on Electronic Communications dated 15 April 2004 (the latest amendments came into force on 1 August 2011). The Law on Electronic Communications governs the protection of privacy in the area of electronic communications.

DEFINITION OF PERSONAL DATA

Any information relating to a natural person, the data subject, who is identified or who can be identified directly or indirectly by reference to such data as a personal identification number or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

DEFINITION OF SENSITIVE PERSONAL DATA

Data concerning racial or ethnic origin of a natural person, his political opinions or religious, philosophical or other beliefs, membership in trade unions, and his health, sex life and criminal convictions.

NATIONAL DATA PROTECTION AUTHORITY

The State Data Protection Inspectorate (the "Inspectorate")

The Inspectorate's mission is to ensure a high level of data protection. The Inspectorate seeks to ensure that data controllers and providers of public communications networks and publicly available electronic communications services fulfil the requirements set for data protection.

REGISTRATION

Only data controllers who process data by automatic means are obliged to undergo mandatory registration. The Data Protection Law establishes the requirement that such data processing may be carried out only when the data controller or his representative notifies the Inspectorate, except in cases where personal data is processed:

  • for the purposes of internal administration (including group level administration);
  • for political, philosophical, religious or trade union related purposes by a foundation, association or any other non-profit organisation, on the condition that the personal data processed relates solely to the members of such organisation or to other persons who regularly participate in its activities in connection with the purposes of such organisation;
  • by the media for the purpose of providing information to the public for artistic and literary expression; or
  • in accordance with regulation on state secrets and official secrets.

The data controller when notifying the Inspectorate of data processing has to submit a standard notification form, which includes information about:

  • the purpose of the data processing;
  • the groups of data subjects;
  • the sources of the personal data;
  • the groups of the receivers of the data;
  • the list of categories of personal data that are being processed;
  • the personal data transfers to foreign countries;
  • the personal data retention period;
  • the data processors; and
  • the list of security measures.

After notification, data controllers are registered in the State Register of Personal Data Controllers which is administered by the Inspectorate. The notification and registration of data controllers is free of charge.

If data is not processed by automatic means, there is no obligation to notify the Inspectorate. However, certain data processing may be carried out only if an authorisation has been granted by the Inspectorate after prior checking of the data processing. The Inspectorate shall carry out prior checking of personal data processing in the following cases:

  • where the data controller intends to process sensitive personal data by automatic means, except where the processing is carried out for the purposes of internal administration or in the cases of prevention and investigation of criminal or other illegal activities, as well as court hearings;
  • where the data controller intends to process public data files by automatic means, unless laws and other legal acts lay down a procedure for the disclosure of data;
  • where the data controller of state or institutional registers or information systems of state and municipal institutions intends to authorise the data processor to process personal data, except in cases where laws and other legal acts establish the right of the data controller to authorise a particular data processor to process personal data or where the data processor is a legal person established by the data controller;
  • where health data is processed by automatic means or for scientific medical research purposes;
  • where data is processed in relation to evaluating a person's solvency and managing his/her debt; or
  • where data is processed for statistical, historical or scientific research purposes.

DATA PROTECTION OFFICERS

Under the legislation of Lithuania the organisations (data controllers) have a right (but not an obligation) to designate a person to be responsible for the data protection ("Data Protection Officer"). The data controller must notify the Inspectorate of appointment or withdrawal of the data protection officer within 30 days.

The data protection officer shall:

  • make public the personal data processing operations carried out by the data controller, in accordance with the procedure established by the Government;
  • supervise as to whether personal data is processed in compliance with the provisions of the Data Protection Law and other legal acts on data protection;
  • initiate the preparation of the notifications to the Inspectorate in case of prior checking;
  • monitor the processing of personal data carried out by the data controller's employees;
  • present proposals and findings to the data controller regarding the establishment of data protection and data processing measures, and supervise the implementation and use of these measures;
  • undertake measures to eliminate any violations in the processing of personal data without delay;
  • instruct employees authorised to process personal data on the provisions of Data Protection Law and other legal acts on personal data protection;
  • initiate the preparation of applications and inquiries to the Inspectorate regarding the processing and protection of personal data;
  • assist data subjects in exercising their rights; and
  • notify the Inspectorate in writing where the data controller processes personal data in violation of the data protection laws and refuses to rectify these violations.

In addition, if no data protection officer is appointed, the CEO of the data controller will ex officio be deemed responsible for data protection compliance and will also be personally liable for any violations of the Data Protection Law.

COLLECTION AND PROCESSING

The term data processing means any operation which is performed in relation to personal data (eg collection, recording, storage, classification, combining, disclosure, making available, use, destruction, etc.). It must be carried out in accordance with the requirements and in the cases set by law. According to the Data Protection Law, personal data may be processed if:

  • the data subject has given his consent;
  • a contract to which the data subject is party is being concluded or performed;
  • it is a legal obligation of the data controller under laws to process personal data;
  • processing is necessary in order to protect vital interests of the data subject;
  • processing is necessary for the exercise of official authority vested by laws and other legal acts in state and municipal institutions, agencies, enterprises or a third party to whom personal data are disclosed;
  • processing is necessary for the purposes of legitimate interests pursued by the data controller or by a third party to whom the personal data is disclosed, unless such interests are overridden by interests of the data subject.

Sensitive personal data (data concerning racial or ethnic origin of a natural person, his political opinions or religious, philosophical or other beliefs, membership in trade unions, and his health, sexual life and criminal convictions) can only be processed in the following cases:

  • the data subject has given his consent (ie expressed clearly, in a written or equivalent form or any other form giving unambiguous evidence of the data subject's free will);
  • such processing is necessary for the purposes of employment or civil service while exercising rights and fulfilling obligations of the data controller in the field of labour law in the cases laid down in law;
  • it is necessary to protect the vital interests of the data subject or of any other person, where the data subject is unable to give his consent due to a physical disability or legal incapacity;
  • the processing of personal data is carried out for political, philosophical or religious purposes or for purposes concerning trade unions by a foundation, association or any other non-profit organisation, as part of its activities, on condition that the personal data processed concern solely the members of such organisation or other persons who regularly participate in such organisation in connection with its purposes;
  • the personal data has been made public by the data subject;
  • the data is necessary, in the cases laid down in law, in order to prevent and investigate criminal or other illegal activities;
  • the data is necessary for a court hearing; or
  • it is a legal obligation of the data controller under laws to process such data.

In addition, the data controller must provide fair processing information to data subjects where personal data has been obtained directly or from a third party, or prior to it being released to a third party, except where the data subject already has that information. It shall contain information about:

  • the identity and permanent place of residence of the data controller and of his representative, if any (where the data controller or his representative is a natural person), or the requisites and the address of the registered office (where the data controller or its representative is a legal person);
  • the purposes of the processing of the data subject's personal data;
  • other additional information (the recipient and the purposes of disclosure of the data subject's personal data; particular personal data that the data subject must provide and the consequences of his failure to provide the data, the right of the data subject to have an access to his personal data and the right to request the rectification of incorrect, incomplete and inaccurate personal data) to the extent that is necessary for ensuring fair processing of personal data without infringing upon the data subject's rights.

TRANSFER

All cross-border transfers of personal data within the European Economic Area (the European Union countries plus Norway, Liechtenstein and Iceland) shall take place on the same conditions and in accordance with the same procedure applicable to data recipients in Lithuania. Cross-border transfers outside the European Economic Area shall be subject to special authorisation from the Inspectorate unless the exceptional conditions for cross-border data transfer are satisfied. These are cases where:

  • the data subject has given his consent for the transfer of his personal data;
  • the transfer of personal data is necessary for the conclusion or performance of a contract between the data controller and a third party in the interests of the data subject;
  • the transfer of personal data is necessary for the performance of a contract between the data controller and the data subject or for the implementation of pre contractual measures to be taken in response to the data subject's request;
  • the transfer of personal data is necessary (or required by law) for important public interests or for the purpose of legal proceedings;
  • the transfer is necessary for the protection of vital interests of the data subject;
  • the transfer is necessary for the prevention or investigation of criminal offences;
  • personal data is transferred from a public data file in accordance with the procedure laid down in law and other legal acts.

The Inspectorate shall grant authorisation provided that an adequate level of legal protection of personal data is ensured in the recipient's country or by the means of transfer (i.e. adequate data protection safeguards). In practice, an adequate level of protection may be achieved by the following means:

  • model contractual clauses approved by the European Commission;
  • Binding Corporate Rules;
  • personal data is transferred to countries whitelisted by the European Commission; or
  • personal data is transferred to United States companies which have subscribed to the Safe Harbour principles.

SECURITY

Lithuanian data protection legislation obliges the data controller and data processor to implement appropriate organisational and technical measures intended for the protection of personal data against accidental or unlawful destruction, alteration and disclosure as well as against any other unlawful processing. These measures must ensure a level of security appropriate to the nature of the personal data to be protected and the risks represented by the processing. Moreover, they must be defined in a written document (personal data processing regulations approved by the data controller, a contract concluded by the data controller and the data processor, etc.) in accordance with the general requirements on the organisational and technical data protection measures laid down by the Inspectorate. Key measures taken shall be disclosed to the Inspectorate through the data controller registration form.

BREACH NOTIFICATION

Providers of publicly available electronic communications services have an obligation to notify the Inspectorate of a personal data breach without undue delay. When the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual, the provider must also notify the subscriber or individual of the breach, except where the provider has demonstrated to the satisfaction of the Inspectorate that it has implemented appropriate technological protection measures and that those measures were applied to the data concerned by the security breach. Without prejudice to the provider's obligation to notify subscribers and individuals concerned, if the provider has not already notified the subscriber or individual of the personal data breach, the Inspectorate, having considered the likely adverse effects of the breach, may require it to do so.

Other data controllers are not under a general obligation to notify individuals or the Inspectorate of a data security breach. Notification may only be advisable as part of bona fide obligations for minimising civil liability.

ENFORCEMENT

The implementation of the Data Protection Law shall be supervised and monitored by the Inspectorate. The key objectives of the Inspectorate shall be supervision of data controllers' activities when processing personal data, monitoring the legality of personal data processing, prevention of violations in data processing and ensuring protection of the rights of the data subject.

Any violation of data protection rules or breach of the rights of a data subject gives rise to administrative liability. No criminal liability is provided for data protection violations. The Inspectorate has no power to impose penalties for violations, although the Inspectorate can issue a statement on an administrative offence on the basis of which national courts can impose fines from LTL 500 (approx. EUR 140) to LTL 2000 (approx. EUR 570). It should be noted that these administrative sanctions may only be applied to individuals; legal entities/companies may not be subject to administrative prosecution. If a company commits a violation, the Data Protection Officer or the CEO of the entity will be held responsible for such an administrative offence.

In addition, the individual affected by the breach of the Data Protection Law is also entitled to claim pecuniary and moral damages.

ELECTRONIC MARKETING

The Data Protection Law applies to most electronic marketing activities, as they involve the processing and use of personal data (e.g. an email address is deemed "personal data" for the purposes of the Data Protection Law), with the exception of e-mail marketing, which is regulated by the Law on Electronic Communications. The rules set forth in both laws are generally identical.

The Data Protection Law does not prohibit the use of personal data for the purposes of electronic marketing, but requires individuals to consent in advance to the processing of their personal data for direct marketing purposes (ie an "opt-in" requirement).

There is one exception to the opt-in requirement, which provides instead for an opt-out scheme.

Unsolicited electronic marketing, including emails, can only be sent without consent if:

  • The contact details have been provided in the course of a sale and the data subject is an existing customer;
  • The marketing relates to a similar product;
  • The recipient was given a means of refusing the use of their contact details for marketing when they were collected; and
  • The recipient did not object to the direct marketing use at the time when his personal data was collected.

Direct marketing communication must not disguise or conceal the identity of the sender. SMS marketing is included within the regulations applicable to all direct marketing.

The above opt-out exception for existing customers applies in relation to individuals. For e-mail marketing, opt-in is required from both individuals and corporations (all e-mail account holders, without exception). For non-email electronic marketing, only individual opt-in is required, and the existing-customer opt-out exception is allowed if all of the conditions for this exception are fulfilled.

ONLINE PRIVACY (INCLUDING COOKIES AND LOCATION DATA)

The PEC Regulations (as amended by Directive 2009/12/EC) are implemented in Lithuania through the Law on Electronic Communications. Amendments to the Law on Electronic Communications, which came into effect on 1 August 2011, implemented Directive 2009/12/EC. Specifically, the Law on Electronic Communications contains regulations on the collection of location and traffic data by public electronic communications service providers ("CSPs") and on the use of cookies (and similar technologies).

Traffic Data – Traffic Data held by a CSP must be erased or anonymised when it is no longer necessary for the purpose of the transmission of a communication. However, Traffic Data can be retained if:

  • It is being used to provide a value added service;
  • Consent has been given for the retention of the Traffic Data; and
  • It is required for investigation of a grave crime.

Traffic Data can only be processed by a CSP for:

  • The management of business needs, such as billing or traffic;
  • Dealing with customer enquiries;
  • The prevention of fraud; or
  • The provision of a value added service.

Location Data – Location Data may only be processed for the provision of a value added service, and only with consent.

CSPs are also required to take measures and put a policy in place to ensure the security of the personal data they process.

Cookie Compliance – The use and storage of cookies and similar technologies requires:

  • clear and comprehensive information; and
  • consent of the website user.

The Lithuanian State Data Protection Inspectorate has published recommendations on the method of obtaining consent to the use of cookies. The guidance confirmed that consent can be obtained through pop-ups, banners or website registration, while the relevant settings contained within current browsers are not likely to constitute valid consent. According to the guidance, users must be given a genuine opportunity not to consent. There is no clear guidance on whether implied consent may be obtained.

Consent is not required for cookies that are:

  • used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
  • strictly necessary for the provision of a service requested by the user.

Enforcement in respect of a breach of the PEC Regulations is dealt with by the Inspectorate, and the sanctions for breach are the same as those set out in the Enforcement section above.

© DLA Piper

This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.

DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com