LITHUANIA

CHART INSTRUCTIONS:

 Local law does not deviate from the GDPR.

 Local law deviates from the GDPR.

name

Lietuvos Respublikos asmens duomenų teisinės apsaugos įstatymo

Status: Adopted

SME EXCEPTION

No Deviation

LAWFULNESS OF PROCESSING (ART 6)

No Deviation

CHILD'S CONSENT (ART 8)

SPECIFYING REQUIREMENT: The age of consent for a child is 14 years old (Art 6 Lithuanian Act).

SENSITIVE DATA (GENETIC, BIOMETRIC AND HEALTH DATA) (ART 9 (4))​

No Deviation

CCTV (Art 6)

No Deviation

CRIMINAL CONVICTIONS/SECURITY MEASURES (ART 10)

No Deviation

INFORMATION OBLIGATION (ART 13 & 14)

No Deviation

AUTOMATED INDIVIDUAL DECISION-MAKING (ART 22)

No Deviation

RESTRICTIONS TO DATA SUBJECT'S RIGHTS (ART 23)

No Deviation

JOINT CONTROLLER RESPONSIBILITIES (ART 26 (1))

No Deviation

AD HOC NOTIFICATIONS - RECORDS OF PROCESSING ACTIVITIES (ART 30)

No Deviation

SECURITY OF PROCESSING (ART 32)

No Deviation

DATA BREACH (ART 33 & 34)

No Deviation

Data protection impact assessment (Art 35)

No Deviation

DATA PROTECTION OFFICER (ART 37(4))

No Deviation

CERTIFICATION (ART 42)

SPECIFYING REQUIREMENT: Accreditation of certification bodies, including related procedures, will be provided by the SA (Art 16 Lithuanian Act).

DATA TRANSFER DEROGATIONS (ART 49(5))

No Deviation

POWERS SUPERVISORY AUTHORITIES (ART 58)

SPECIFYING REQUIREMENT: The SA may enter the premises of persons subject to investigation without prior notice. The right of entry is granted during working hours for legal persons. For natural persons, the SA must have a court order (Art 12 Lithuanian Act).

 

CLASS ACTIONS (ART 80 (2))

No Deviation

ADMINISTRATIVE SANCTIONS (ART 83)

SPECIFYING REQUIREMENT: The statute of limitations for administrative fines is two years from the date of the infringement. Where there is a continuous violation, the clock starts ticking from the date the infringement became known (Art 32 Lithuanian Act).

An administrative fine issued on public authorities or bodies under Art 83(4) GDPR may be up to 0.5 percent of the current year’s budget and income received in the previous year, and cannot exceed €30,000. An administrative fine issued on public authorities or bodies under Art 83(5) GDPR may be up to 1 percent of the current year’s budget and income received in the previous year, and cannot exceed €60,000 (Art 33 Lithuanian Act).

PENALTIES (ART 84)

No Deviation

Freedom of expression and information (Art 85)

SPECIFYING REQUIREMENT: For processing carried out for journalistic, academic, artistic, or literary purposes, Art 8, 12–23, 25, 30, 33–39, 41–50, and 88–91 GDPR do not apply (Art 4 Lithuanian Act).

HR PROCESSING (ART 88)

SPECIFYING REQUIREMENT: An employer must collect a candidate’s consent in order to collect personal data related to the candidate’s qualifications or professional skills from a former employer. It is prohibited to process a candidate’s personal data relating to convictions and criminal offenses unless necessary to verify that the candidate meets the requirements of the role under applicable law.

An employer must inform employees of video and/or audio surveillance and the monitoring of employees’ behavior, location, and/or movement (Art 5 Lithuanian Act).  

PROCESSING FOR ARCHIVING, SCIENTIFIC, HISTORICAL RESEARCH OR STATISTICAL PURPOSES (ART 89)

No Deviation

OBLIGATIONS OF SECRECY (ART 90)

No Deviation

REMARKS

SPECIFYING REQUIREMENT: National identification numbers must not be published and cannot be processed for direct marketing purposes (Art 3 Lithuanian Act). 

The Inspectorate is responsible for the supervision and enforcement of the Act and the GDPR except for processing of personal data for journalistic, academic, artistic, or literary purposes, which belongs to the Journalist Ethics Inspectorate (Art 7 Lithuanian Act).