Non-Official Translation
Consolidated version since 16/07/2018
Law published: Official Journal 1996, No. 63-1479, i. k. 0961010ISTA00I-1374
Recast since 16/07/2018: No. XIII-1426, 2018-06-30, published in TAR 11/07/2018, i. k. 2018-11733
REPUBLIC OF LITHUANIA
LAW ON LEGAL PROTECTION OF PERSONAL DATA
11 June 1996 No. I-1374
Vilnius
TAR note. Since the entry into force of Law No. XIII-1426 (16 July 2018) the references in laws and regulations of the Republic of Lithuania to the Law on Legal Protection of Personal Data of the Republic of Lithuania are considered as references to Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as Regulation (EU) 2016/679) and, where applicable, to the Law on the Legal Protection of Personal Data.
CHAPTER ONE
GENERAL PROVISIONS
Article 1. Purpose and Application of the Law
1. The purpose of this Law shall be to protect the fundamental rights and freedoms of individuals, primarily the right to personal data protection, and to ensure a high level of protection of personal data.
2. This Law shall establish the peculiarities of personal data processing, the legal status and powers of the State Data Protection Inspectorate, the powers of the Inspector of Journalist Ethics, the procedure for investigation of infringements of the law governing personal data and/or privacy protection (hereinafter - infringements) and for the imposition of administrative fines by the State Data Protection Inspectorate and the Inspector of Journalist Ethics (hereinafter – the supervisory authority, supervisory authorities).
3. This Law shall apply in conjunction with Regulation (EU)
2016/679 and its implementing legislation.
4. This Law shall apply where:
1) personal data is processed by a data controller or data processor with establishment located in the Republic of Lithuania, in the course of its activities, regardless of whether data are processed in the European Union or not;
2) personal data is processed by a data controller established outside the Republic of Lithuania and which is bound by the laws of the Republic of Lithuania in accordance with international public law (including diplomatic missions of the Republic of Lithuania and consular posts);
3) personal data of data subjects in the European Union are processed by a data controller or data processor established outside the European Union which has appointed a representative established in the Republic of Lithuania in accordance with Article 27 of Regulation (EU) 2016/679 and data processing activity relates to offering goods or services to these data subjects in the European Union, irrespective of whether a payment of the data subject is required for these goods or services, or to monitoring of behaviour when these data subjects operate in the European Union.
5. This Law shall implement legal acts of the European Union
indicated in the Annex to this Law.
Article 2. Main Definitions of this Law
1. Direct marketing - an activity aimed at offering goods or services by post, telephone or other direct means and/or inquiring their opinion on goods or services offered.
2. Government institutions and bodies - state and municipal institutions and bodies, enterprises and public institutions, which are financed from state or municipal budgets and state monetary funds and authorized to perform public administration or provide public or administrative services to individuals or perform other public functions in accordance with the Law on Public Administration of the Republic of Lithuania.
3. Other definitions used in this Law are understood as
defined in Regulation (EU) 2016/679.
CHAPTER TWO
PECULIARITIES OF PERSONAL DATA
PROCESSING
Article 3. Peculiarities of Processing of Personal Identification Number
1. Personal identification number can be processed when any of the conditions for the processing of personal data referred to in Article 6 (1) of Regulation (EU) 2016/679 are lawful.
2. It is prohibited to publish the personal identification number.
3. It is prohibited to process personal identification number for purposes of direct marketing.
Article 4. Processing of Personal Data and Freedom of Expression and Information
When personal data is processed for journalistic or academic, artistic or literary purposes, Articles 8, 12 to 23, 25, 30, 33 to 39, 41 to 50, 88 to 91 of Regulation (EU) No. 2016/679 shall not apply.
Article 5. Peculiarities of the Processing of Personal Data in Relation to the Employment Context
1. It is prohibited to process personal data of a candidate to perform duties or carry out work functions, or personal data of an employee relating to convictions and criminal offenses, unless such personal data are necessary to verify that a person meets the requirements established in laws and regulations in force to perform his duties or functions.
2. The data controller may collect personal data relating to qualifications, professional skills and specific characteristics of a candidate applying to perform duties or work functions from a former employer after informing the candidate in advance, and from the existing employer only with the consent of the candidate.
3. When processing video and/or audio data in the workplace and at the controller’s premises or in the areas where its staff is employed, and processing personal data related to the monitoring of employees’ behaviour, location or movement, these employees shall be informed of such processing of their personal data by signing or other means that prove the fact of informing, by providing the information referred to in Article 13 (1) and (2) of Regulation (EU) 2016/679.
4. The provisions of this Article shall also apply to the processing of personal data of individuals who work on the basis of legal relations equal to the employment relations specified in Law on Employment of the Republic of Lithuania and personal data of candidates applying to work on these grounds.
Article 6. The Age of a Child to Give Consent when Offered Information Society Services
When information society services are directly offered to a child, the processing of the child’s personal data is legal if consent is given by a child older than 14 years of age in accordance with Article 6 (1) (a) of Regulation (EU) 2016/679.
CHAPTER THREE
SUPERVISORY AUTHORITIES
Article 7. Supervision of Application of Regulation (EU) 2016/679 and this Law
1. The State Data Protection Inspectorate monitors the application of Regulation (EU) 2016/679 and this Law and shall ensure application of these legal acts, with the exception of the articles of this Law, the application of which is the responsibility of the Inspector of Journalist Ethics in accordance with paragraph 2 of this article.
2. The Inspector of Journalist Ethics shall monitor the application of Regulation (EU) 2016/679 and this Law and ensure that this legislation applies to the processing of personal data for journalistic purposes and academic, artistic or literary purposes. The Inspector of Journalist Ethics shall perform the tasks determined by the supervisory authority set forth in Regulation (EU) 2016/679 and has the powers of the supervisory authority set forth in Regulation (EU) 2016/679. The Inspector of Journalist Ethics is not bound by Article 57 (1) (j) - (l) and (n) - (t), Article 58 (1) (b) and (c), (2) (e), (g), (h) (j), and (3) (a), (c) and (e) – (j).
3. The State Data Protection Inspectorate represents the supervisory authorities for application of Regulation (EU) 2016/679 at the European Data Protection Board established under the Regulation (EU) 2016/679.
4. In order to ensure compliance with the mechanism for ensuring consistency referred to in Article 63 of Regulation (EU) 2016/679, the supervisory authorities shall cooperate with each other when dealing with issues falling within the competence of the Inspector of Journalist Ethics in accordance with paragraph 2 of this Article.
Article 8. Status and Operational Principles of the State Data Protection Inspectorate
1. The State Data Protection Inspectorate is the institution of the Government of the Republic of Lithuania. The structure of its administration is approved by the Director of the State Data Protection Inspectorate.
2. The activities of the State Data Protection Inspectorate are based on the principles of legality, impartiality, publicity and professionalism in the performance of its functions. The State Data Protection Inspectorate is independent in the performance of the tasks of the supervisory authority established by Regulation (EU) 2016/679 and the functions assigned to it in accordance with this Law and in adopting decisions on their performance. Its rights may be restricted only by law.
3. State and municipal institutions and bodies, members of the Seimas of the Republic of Lithuania and other officials, political parties and political organizations, associations, other legal entities and natural persons shall not be entitled to exert political, economic, psychological or social pressure on the State Data Protection Inspectorate, its head, state officials and employees working under employment contracts, or to exert other unlawful influence on them. Interference with the activities of the State Data Protection Inspectorate gives rise to statutory responsibility.
Article 9. Head of the State Data Protection Inspectorate
1. The State Data Protection Inspectorate is led by the Director of the State Data Protection Inspectorate.
2. A citizen of the Republic of Lithuania with good repute, having a professional degree of Bachelor in Law or a Master in Law or a lawyer (one-stage juridical university education), having pedagogical work experience of at least 10 years and complying with the requirements established in Article 53 (2) of the Regulation (EU) 2016/679, may be appointed Director of the State Data Protection Inspectorate. The requirements for good reputation shall apply to the state officials as set forth in the Law on Civil Service of the Republic of Lithuania.
3. The Director of the State Data Protection Inspectorate is a state official - a head of an institution who is appointed for a 4-year term of office and dismissed by the Government of the Republic of Lithuania in accordance with the procedure established in the Law. The Director of the State Data Protection Inspectorate is accountable to the Government and the Minister of Justice of the Republic of Lithuania.
4. The Director of the State Data Protection Inspectorate shall suspend his membership in a political party during his term of office.
5. The Director of the State Data Protection Inspectorate shall be dismissed from office:
1) voluntarily;
2) at the end of the term of office;
3) when it is established that he has committed a serious infringement;
4) when he no longer complies with the requirements set forth in paragraphs 2 and 4 of this Article.
Article 10. Deputy Director (Deputies) of the State Data Protection Inspectorate
1. The Director of the State Data Protection Inspectorate shall have a deputy (deputies).
2. The Deputy Director (Deputies) of the State Data Protection Inspectorate shall comply with the requirements set forth in Article 9 (2) (4) of this Law for the Director of the State Data Protection Inspectorate.
3. The Deputy Director of the State Data Protection Inspectorate shall be appointed to office and removed from office by the Director of the State Data Protection Inspectorate in accordance with the procedure established by the Law on Civil Service.
Article 11. Tasks and Functions of the State Data Protection Inspectorate
1. The State Data Protection Inspectorate carries out the tasks of the Supervisory Authority established by Regulation (EU) 2016/679.
2. The State Data Protection Inspectorate also performs the following functions:
1) provides advice to data subjects, data controllers and processors on the protection of personal data and privacy, and develops methodological guidance on the protection of personal data and publishes them on its website;
2) assists data subjects who live abroad in accordance with the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108);
3) cooperates with personal data protection supervisors of other countries, institutions of the European Union, bodies and international organizations and participates in activities;
4) participates in the formation of state policy in the field of personal data protection and implements it;
5) implements the provisions of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108);
6) other functions specified in this Law and other legal acts.
Article 12. The Powers and Rights of the State Data Protection Inspectorate
1. The State Data Protection Inspectorate shall have the powers of the Supervisory Authority set forth in Regulation (EU) 2016/679.
2. The State Data Protection Inspectorate is also entitled to:
1) obtain free of charge all necessary information, copies of documents, and copies of the data from data controllers and data processors, state and municipal institutions and bodies, other legal and natural persons, as well as access to all data and documents necessary to perform supervisory tasks and functions;
2) enter the premises (including leased or used on other grounds) of a person under investigation, a person complained against or persons related to them during an infringement investigation proceeding without any prior notice, or the territory where documents and/or equipment related to the processing of personal data are kept. Access to the territory, buildings, premises of a legal entity (including leased or used on other grounds) is allowed only during working hours of a legal person upon presentation of a certificate of a public servant. Access to premises of a natural person (including leased or used on other grounds), where documents and/or equipment related to the processing of personal data are held, is possible only upon presentation of a court order regarding the permission to enter residential premises of a natural person;
3) participate in meetings of the Seimas, the Government, and other state institutions when issues related to the protection of personal data and/or privacy are being considered;
4) invite experts (consultants), to form work groups of expertise on processing or protection of personal data, preparation of personal data protection documents, as well as to solve other issues of competence of the State Data Protection Inspectorate;
5) provide recommendations and instructions to data controllers, processors and other legal or natural persons regarding the processing of personal data and (or) privacy protection;
6) exchange information with personal data protection supervisory authorities of other countries and international organizations to the extent necessary to carry out their functions;
7) participate in court proceedings on violations of the rules of international, European Union and national law on personal data protection issues;
8) use technical means during the investigation of violations;
9) receive oral and written explanations from legal and natural persons during the investigation of violations and require them to come to the premises of the State Data Protection Inspectorate to give explanations;
10) use the existing information (including personal data) obtained during the investigation of violations or exercising other functions;
11) involve police officers to maintain public order and in order to ensure the possible use of violence;
12) other rights established by laws and other legal acts.
3. If the State Data Protection Inspectorate has a basis to believe while examining a complaint that the European Commission’s decision on adequacy, on the adoption of standardized data protection conditions or on the universality of approved codes of conduct is unlawful and the decision of the State Data Protection Inspectorate depends on validity of this European Commission decision, it suspends the investigation of the complaint and, in accordance with the procedure established by the Law on Administrative Proceedings of the Republic of Lithuania, appeals before the Supreme Administrative Court of Lithuania with a request to apply to the competent judicial authority of the European Union regarding the European Commission’s decision on adequacy, on the adoption of standard data protection conditions or on the universal validity of approved codes of conduct. If the Supreme Administrative Court of Lithuania, while examining the application of the State Data Protection Inspectorate, has a reason to believe that the European Commission’s decision on adequacy, on the adoption of standard data protection conditions or on the universality of approved codes of conduct is unlawful, it decides to apply to the competent judicial authority of the European Union with a reference to adopt a preliminary ruling under Article 267 of the Treaty on the Functioning of the European Union (OJ 2016 C 202, p. 47).
4. The State Data Protection Inspectorate also has the rights and powers of the State Data Protection Inspectorate established in the Code of Administrative Offenses of the Republic of Lithuania by conducting investigations and (or) audits and examining complaints on its own initiative.
Article 13. Liability to Keep Secrets and Confidential Information
The Director of the State Data Protection Inspectorate, the Inspector of Journalist Ethics, civil servants and employees of these supervisory authorities, who work under employment contracts, must keep confidential the information constituting national, service, professional, commercial or other secrets defined by law, as well as any other confidential information which they learned performing their tasks or exercising their powers, both while performing their duties and after the end of their service (employment) relationship.
Article 14. Compulsory Nature of Requirements of the Supervisory Authority
Legal entities and natural persons must comply with the requirements of the supervisory authority (including, but not limited to, the requirement to come to the premises of the supervisory authority to provide explanations), provide information and/or explanations promptly, provide duplicate copies and copies, copies of data, access to all data and/or equipment related to the processing of personal data and the documents necessary for the performance of functions of supervisory authority.
CHAPTER FOUR
ISSUE OF PERMITS OF STATE DATA PROTECTION INSPECTORATE TO TRANSMIT PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS AND ACCREDITATION OF CERTIFICATION BODIES
Article 15. Issue of Permits of State Data Protection Inspectorate to Transmit Personal Data to Third Countries or International Organizations in accordance with Article 46 (3) of Regulation (EU) 2016/679
1. In accordance with Article 46 (3) of Regulation (EU) 2016/679, the State Data Protection Inspectorate must provide the data controller with permission for the transfer of personal data to the third country or an international organization or a reasoned written refusal to issue this permit no later than within 20 working days. This term is calculated from the date on which the State Data Protection Inspectorate receives all documents and information necessary for obtaining the permit.
2. Due to complexity of circumstances, scope of information or other relevant objective circumstances, the period to issue permits to transfer personal data to a third country or an international organization as provided for in paragraph 1 herein may be extended once up to 10 working days. The State Data Protection Inspectorate, after adopting the decision to extend the term specified in paragraph 1 of this Article, must immediately, but not later than by the end of the term specified in paragraph 1 of this Article, notify the data controller of the extension of the period for issuing the permit and reasons for the extension of the term.
3. The State Data Protection Inspectorate shall establish the procedure for the issuance of permits for the transfer of personal data to third countries or international organizations.
Article 16. Accreditation of Certification Bodies
1. The State Data Protection Inspectorate shall accredit certification bodies as well as establish the procedure for accreditation and issuing accreditation certificates in accordance with Article 43 of Regulation (EU) 2016/679.
2. Accreditation costs shall be paid by certification bodies wishing to be accredited in accordance with the rates approved by the Government.
CHAPTER FIVE
PROCEEDINGS OF INFRINGEMENTS PERFORMED BY SUPERVISORY AUTHORITIES
SECTION ONE
GENERAL PROVISIONS
Article 17. The Rights and Obligations of the Person under Investigation, the Applicant, the Person Complained Against and the Person Suspected of Committing the Infringement
1. A person to be inspected, when the State Data Protection Inspectorate carries out an investigation and/or inspection on its own initiative, the applicant and the person complained against when the supervisory authority examines a complaint, and the person suspected of committing an infringement during the procedure for imposing an administrative fine, are bound by the rights and obligations specified in Regulation (EU) 2016/679 and in this Law.
2. The person to be inspected, the applicant, the person complained against and the person suspected of committing the infringement shall also be entitled to:
1) receive explanations on the subject and basis of investigation and/or inspection or processing of a complaint;
2) provide additional explanations and/or information concerning the conduct of an investigation and/or inspection or examination of a complaint on its own initiative;
3) appeal against acts or omissions of the supervisory authority;
4) access the information on the investigation and/or inspection, the processing of the complaint and the imposition of the administrative penalty, except for national, service, professional, commercial or other information containing secret which is protected by law.
3. Persons referred to in paragraph 1 of this Article shall be deemed to be duly informed and duly notified if, in the cases specified in this section, the supervisory authority sends letters and other documents and information to such persons to the address of their registered location or to residential address indicated on the Register of Legal Entities of the Republic of Lithuania, unless the person specifies another correspondence address, or at the delivery address for the person’s electronic parcels indicated in the Register of Legal Entities or in the Residential Register.
Article 18. Issue of Court Permits to Enter Residential Premises of Natural Persons
1. The Supervisory Authority, when considering the violation and deciding to enter residential premises of a natural person (including leased or used on other grounds), shall submit an application to the Vilnius Regional Administrative Court for the issuance of a court authorization to enter residential premises of a natural person.
2. The application for issuing a court’s permit to enter the residential premises of a natural person must include the name, surname, address of the residential premises, the nature of the suspected violation and the actions to be performed.
3. Having examined the application for the issuance of a court’s permit to enter residential premises of a natural person, Vilnius Regional Administrative Court shall adopt a reasoned order to satisfy or refuse the application.
4. An application for the issuance of a court’s permit to enter residential premises of a natural person shall be examined and the ruling adopted not later than within 72 hours from the moment of submission of the application.
5. If the supervisory authority does not agree with the decision of the Vilnius Regional Administrative Court to reject an application for the issuance of a court’s permit to enter residential premises of a natural person, it has the right to appeal this ruling before the Supreme Administrative Court of Lithuania within 7 calendar days from the date of the adoption of this ruling.
6. The Supreme Administrative Court of Lithuania has to process the complaint of the supervisory authority regarding the decision of the Vilnius Regional Administrative Court not later than within 7 calendar days from the receipt of this complaint. The representative of the supervisory authority has the right to participate in the examination of the complaint.
7. The ruling of the Supreme Administrative Court of Lithuania regarding the complaint of the supervisory authority regarding the ruling of the Vilnius Regional Administrative Court is final and not subject to appeal.
Article 19. Providing Information on Investigation of an Infringement by the Supervisory Authority
The Supervisory Authority does not provide information on the investigation of infringement to the mass media, other individuals not related to investigation and/or inspection or investigation of the complaint, until the investigation and/or inspection or investigation of the complaint is completed, except for the cases when the supervisory authority is able to provide information on the fact of an investigation and/or inspection or investigation of a complaint in process, where information is provided not at the initiative of a non-supervisory authority.
SECTION TWO
PERFORMING INVESTIGATIONS AND/OR INSPECTIONS AT THE INITIATIVE OF THE STATE DATA PROTECTION INSPECTORATE
Article 20. Investigations and/or Inspections Carried out at the Initiative of the State Data Protection Inspectorate and the Procedure for their Execution
1. The State Data Protection Inspectorate may on its own initiative initiate an investigation and/or inspection on any issue concerning the possible breach of Regulation (EU) 2016/679, this Law and other laws regulating the protection of personal data and/or privacy.
2. The basis for the initiation of an investigation and/or inspection on the initiative of the State Data Protection Inspectorate may be information submitted by the society, public authorities and institutions, supervisory authorities for personal data protection of other countries, international organizations, national and international non-governmental organizations or received from other sources, as well as information on personal data and/or privacy protection issues in mass media. The State Data Protection Inspectorate may on its own initiative initiate an investigation and/or inspection, without reference to information provided by other sources.
3. The State Data Protection Inspectorate carries out investigations and/or inspections at its own initiative concerning the possible violation of Regulation (EU) 2016/679, this Law and other laws regulating the protection of personal data and/or privacy, according to the established procedure of the State Data Protection Inspectorate.
4. When investigations and/or inspections are conducted at the initiative of the State Data Protection Inspectorate pursuant to Article 60 of Regulation (EU) 2016/679, Article 21 of this Law shall not apply.
Article 21. Deadlines for the Investigation and/or Inspection at the Initiative of the State Data Protection Inspectorate
1. The investigation and/or inspection at the initiative of the State Data Protection Inspectorate shall be carried out no longer than 4 months after the adoption of the decision to perform this investigation and/or inspection.
2. With regard to the complexity of the investigation and/or inspection, the nature of the activities of the person being inspected, the scope of the investigation and/or inspection, the evasion by the person being inspected and other legal or natural persons of compliance with the requirements of the State Data Protection Inspectorate, when new circumstances or other objective reasons are revealed during the investigation and/or inspection, the term specified in paragraph 1 of this Article may be extended by the decision of the State Data Protection Inspectorate, but not longer than for 2 months. The total term of investigation and/or inspection at the initiative of the State Data Protection Inspectorate may not exceed 6 months from the date of adoption of the decision to perform an investigation and/or inspection. The State Data Protection Inspectorate must notify the person being inspected immediately, but not later than by the end of the term specified in paragraph 1 of this Article, of the extension of the investigation and/or inspection period and the reasons for the extension of this term.
Article 22. Decisions of the State Data Protection Inspectorate after the Investigation and/or Inspection on its Own Initiative
1. The State Data Protection Inspectorate, upon completion of the investigation and/or inspection on its own initiative, adopts a reasoned decision:
1) to establish that no violations have been found;
2) to provide instructions, recommendations to the data controller and/or data processor and/or apply other measures indicated in Article 58 (2) of Regulation (EU) 2016/679, Article 33 of this Law and other laws regulating the protection of personal data and/or privacy. If an administrative fine is to be imposed, the actions referred to in Section 4 of this Chapter shall be carried out;
3) to draw up an administrative offense record for the person who committed the violation.
2. The State Data Protection Inspectorate shall notify the person being inspected in writing of the decision taken not later than within 3 working days from the date of adoption of the decision, except in the case referred to in paragraph 1(2) of this Article, when an administrative fine is to be imposed.
3. The decisions of the State Data Protection Inspectorate may be appealed against before the court in accordance with the procedure established by the Law on the Administrative Proceedings.
SECTION THREE
INVESTIGATION OF COMPLAINTS
Article 23. Procedure for Investigation of Complaints
1. The supervisory authority shall investigate complaints concerning infringements of Regulation (EU) 2016/679, this Law and other laws regulating the protection of personal data and/or privacy, in accordance with this legislation and in accordance with the procedure established by the supervisory authority.
2. When the complaint is handled in accordance with Article 60 of Regulation (EU) 2016/679, Article 30 (2) of this Law shall not apply.
Article 24. Complaint Submission and its Content
1. The following applicants may submit a complaint to the State Data Protection Inspectorate:
1) a data subject referred to in Article 77 (1) of Regulation (EU) 2016/679, concerning infringements of Regulation (EU) 2016/679;
2) a data subject regarding violations of this and other laws regulating the protection of personal data and/or privacy;
3) a natural person or legal entity - regarding violations of section nine of the Law on Electronic Communications of the Republic of Lithuania, with the exception of Article 61(5), Article 64(7) and Article 68(2).
2. A data subject referred to in Article 77 (1) of Regulation (EU) 2016/679 may submit a complaint to the Inspector of Journalist Ethics in the event of a breach of Regulation (EU) 2016/679.
3. A written complaint may be submitted directly upon arrival at the supervisory authority, by mail or electronic means.
4. If the complaint is submitted by the applicant’s representative, the complaint must be presented with a document certifying the authorization of the applicant’s representative. If a complaint is submitted by a non-profit institution, organization or association on behalf of the applicant, indicated in paragraph 1(2) or paragraph 2 of this Article, additional documents must be presented to prove that it acts in the field of personal data protection in accordance with Article 80 (1) of Regulation (EU) 2016/679 or laws regulating the protection of personal data and/or privacy.
5. The complaint shall include:
1) the addressee – the supervisory authority;
2) the date of conclusion of the complaint;
3) data of the applicant and his representative, if any:
a) name and surname, contact details of the natural person;
b) name, code and contact details of the legal entity;
c) the basis of representation, when the complaint is submitted by the applicant’s representative;
4) identity of the person complained against (name and code of legal entity, name and surname of a natural person), contact details, if known;
5) the description of the actions (omission) complained against, the time of their occurrence and circumstances;
6) the application of the applicant to the supervisory authority;
7) signature of the applicant or his representative, if any; if a complaint is submitted by electronic means, it must be signed with a qualified electronic signature of the applicant or his representative, if any, or made by electronic means which ensure the integrity and irrevocability of the text.
6. Available documents necessary for the examination of the complaint, or their description, must be attached to the complaint.
Article 25. Anonymous Complaints
Anonymous complaints shall not be considered, unless the Director of the State Data Protection Inspectorate or the Inspector of Journalist Ethics decides otherwise.
Article 26. Acceptance of the Complaint
The fact of acceptance of a complaint or part thereof shall be confirmed by the supervisory authority in writing. This document indicates the date of receipt of the complaint, name and surname, telephone number of the representative of the supervisory authority investigating the complaint or part thereof, registration number of the complaint and the possibility to defend rights of the applicant in court. The document confirming the fact of acceptance of a complaint or part thereof shall be given to the applicant, sent by post or by electronic means no later than within 3 working days after receipt of the complaint by the supervisory authority.
Article 27. Refusal to Investigate a Complaint
1. The supervisory authority shall adopt a decision to refuse to examine the complaint or part thereof and inform the applicant not later than within 5 working days from receipt of the complaint by the supervisory authority, indicating the reason (reasons) for refusal to examine the complaint or part thereof, if:
1) the complaint or part thereof does not comply with the requirements referred to in Article 24 (5) of this Law regarding the content of the complaint. Failure to indicate the information referred to in Article 24 (5) of this Law in the complaint may not be a basis for refusing to examine a complaint if the complaint can be investigated without this information;
2) investigation of the circumstances or part thereof specified in the complaint is not within the competence of the supervisory authority;
3) the complaint or part thereof has been examined by the supervisory authority on the same issue, except when new circumstances or new facts are indicated;
4) the complaint or part thereof has been examined on the same matter or is being examined in the court of the Republic of Lithuania or another Member State of the European Union;
5) the complaint or part thereof has been examined on the same matter by the supervisory authority of another Member State of the European Union;
6) a pre-trial investigation has been initiated regarding the subject of a complaint or part thereof;
7) the text of the complaint is not readable, the applicant has formulated an unclear application, or the contents of the complaint are incomprehensible;
8) more than 2 years have passed since the commission of the infringements referred to in the complaint or the part thereof until submission of the complaint.
2. When investigation of the circumstances referred to in the complaint or in part thereof does not fall within the competence of the supervisory authority, the supervisory authority shall transmit the complaint or part thereof to the competent authority and inform the applicant accordingly within the time period referred to in paragraph 1 of this Article. When the competent authority is a court, the complaint or part thereof shall be returned to the applicant with information where to apply.
Article 28. Request for Additional Documents and/or Information from the Applicant
1. The requirement from the applicant to provide additional documents and/or information necessary for the examination of the complaint or part thereof must be reasoned. The applicant is notified of the consequences of failure to provide the additional documentation and/or information.
2. At the request of the supervisory authority, the applicant must submit additional documents and information necessary for examination of the complaint or part thereof within the time period specified by the supervisory authority, but not later than within 10 working days from the receipt of the supervisory authority’s request.
Article 29. Termination of Investigation of the Complaint
1. The supervisory authority shall take a decision to terminate the examination of a complaint or part thereof if, during the examination of a complaint or part thereof:
1) the request of the applicant is received to discontinue investigation of the complaint or part thereof;
2) it appears that there is a reason (reasons) for refusing to examine the complaint or part thereof referred to in paragraphs 2-6, 8 of Article 27 (1) of this Law;
3) at the request of the supervisory authority, the applicant fails to submit additional documents and/or information without which it is not possible to examine the complaint or part thereof;
4) it becomes evident that the complaint or part thereof cannot be considered due to lack of information or other significant circumstances;
5) it becomes evident that the applicant has died.
2. The applicant shall be notified of the termination of the examination of the complaint or a part thereof, not later than within 3 working days after the decision referred to in paragraph 1 of this Article, except for the case referred to in paragraph 1(5) of this Article.
Article 30. Time Limits for Informing the Applicant and Investigating the Complaint
1. The supervisory authority shall notify the applicant of the progress of the complaint processing, if the complaint or part thereof has not been examined, or of the results thereof not later than within 3 months from the date of receipt of the complaint by the supervisory authority.
2. The complaint or part thereof must be examined and answered to the applicant within 4 months from receipt of the complaint by the supervisory authority, except in cases where it is necessary to extend investigation of the complaint or part thereof due to the complexity of the circumstances indicated in the complaint or in the part thereof, as well as the scope of information, avoidance of compliance with the requirements of the supervisory authority by the person complained against and other legal or natural persons, continuation of the actions complained against or other objective reasons. In these cases, the time limit for consideration of the complaint or part thereof is extended, but not longer than for 2 months. The general time limit for examination of the complaint or part thereof may not be longer than 6 months from the date of receipt of the complaint by the supervisory authority. The applicant shall be notified of the extension of the consideration term of the complaint or part thereof and the reasons for the extension. The complaint or part thereof must be examined within the shortest possible time.
Article 31. Decisions of Supervisory Authority upon Examination of the Complaint
1. Upon completing the examination of the complaint or part thereof, the supervisory authority shall decide reasonably:
1) to acknowledge the complaint or part thereof justified;
2) to reject the complaint or part thereof.
2. When a complaint or a part thereof is found to be justified, the State Data Protection Inspectorate shall reasonably:
1) provide instructions, recommendations to the controller and/or processor and/or apply other measures established in Article 58 (2) of Regulation (EU) 2016/679, Article 33 of this Law and other laws regulating the protection of personal data and/or privacy. If an administrative fine is to be imposed, the actions referred to in Section 4 of this Chapter shall be carried out;
2) compile an administrative offense report for the person who committed the infringement.
3. When a complaint or a part thereof is found to be justified, the Inspector of Journalist Ethics reasonably provides the instructions and recommendations to the data controller and/or processor and/or applies other measures referred to in Article 58 (2) of Regulation (EU) 2016/679 and Article 33 of this Law. If an administrative fine is to be imposed, the actions referred to in Section 4 of this Chapter shall be carried out.
4. The supervisory authority notifies the applicant and the person complained against of the decision taken in writing, not later than within 3 working days from the date of its adoption, except in cases specified in paragraph 2 (1) and paragraph 3 of this Article when an administrative fine is to be imposed.
5. A decision of the supervisory authority may be appealed against before the court in accordance with the procedure established by the Law on Administrative Proceedings.
SECTION FOUR
ADMINISTRATIVE PENALTIES
Article 32. Procedures for the Imposition of Administrative Fines
1. The supervisory authority shall impose administrative penalties for infringements of Regulation (EU) 2016/679 and this Law in accordance with Regulation (EU) 2016/679 and this Law.
2. Administrative fines shall be imposed by the Director of the State Data Protection Inspectorate or the Inspector of Journalist Ethics within their competence, or by an authorized person.
3. A decision on the imposition of an administrative fine may be adopted if no more than two years have elapsed from the date on which the infringement has been carried out, and if an infringement is prolonged, from the date of its disclosure.
Article 33. Administrative Fines Imposed on Public Institutions or Authorities
1. A supervisory authority has the right to impose an administrative fine on a public institution or authority which has infringed the provisions of Article 83 (4) (a), (b) and (c) of Regulation (EU) 2016/679, up to 0.5 per cent of the current year’s budget of a public institution or authority and in the amount of the total annual income received in the previous year, but not more than thirty thousand euros.
2. A supervisory authority has the right to impose an administrative fine on a public institution or authority which has infringed the provisions of Article 83 (5) (a) to (e) of Regulation (EU) 2016/679 and/or Article 83 (6) of Regulation (EU) 2016/679, up to 1 per cent of the current year’s budget of a public institution or authority and in the amount of the total annual income received in the previous year, but not more than sixty thousand euros.
3. A supervisory authority has the right to impose an administrative fine on a public institution or authority performing an economic-commercial activity and which has infringed the provisions of Article 83 (4), (5) and (6) of Regulation (EU) 2016/679.
Article 34. Procedure for Imposition of Administrative Fines
1. The supervisory authority shall send a document containing the proposal to impose an administrative fine to the person suspected of committing the violation. Within the time limit set by the supervisory authority, which may not be shorter than 10 working days from receipt of this document from the supervisory authority, the person suspected of committing the violation is invited to provide written explanations on the circumstances set forth in this document, unless these explanations have already been obtained during the investigation and/or, in the course of an inspection and/or examination of a complaint, to provide information relevant for the imposition of an administrative fine and to give an opinion on investigation of the case under oral procedure. Failure to provide explanations and other information within the time limit specified in this paragraph shall not prevent examination of the matter of imposition of an administrative fine.
2. A supervisory authority, which is prepared to hear a case, normally examines it in a written procedure in accordance with the explanations provided to it. When the case is examined in accordance with the written procedure, the hearing is not organized.
3. The supervisory authority may, at the request of a person suspected of committing an infringement or on its own initiative, on the basis of the complexity of circumstances or other important circumstances, decide to hear the case under oral procedure when it is necessary to hear oral explanations from the person suspected of committing an infringement or in other cases where the case can be better examined in oral proceedings. When a case is investigated under oral procedure, the person suspected of committing an infringement, the applicant and other persons concerned must be informed of the place, date and time of the hearing before the court at least 10 working days before the date of the hearing.
4. The person suspected of committing the violation and other persons whose participation is necessary for the proper consideration of the case may participate and provide explanations at the hearing of the case.
5. The absence of a person suspected of committing an infringement or his representative does not prevent the hearing of a case if the person suspected of committing the violation has been duly informed about the hearing and he has not provided evidence that he cannot arrive for important reasons.
6. The hearing is open to the public, unless the supervisory authority on its own initiative or at the request of the suspected person and/or applicant decides to hear the case in a private hearing in order to protect the national, service, professional, commercial secrets or other secrets protected by law or to ensure the personal right to privacy and/or protection of personal data.
7. The hearing of the case is conducted in the Lithuanian language.
8. Audio recording shall be made during the hearing of the case. It is considered as minutes of the hearing.
9. When the case is investigated under the written procedure, the supervisory authority shall adopt the decision on the imposition of a fine within 20 working days of the date referred to in paragraph 1 of this Article by the supervisory authority. If the case is investigated under the oral procedure, the supervisory authority shall take a decision on the imposition of an administrative fine within 20 working days from the date of the hearing. The supervisory authority shall send a decision on the imposition of an administrative fine to the person who is the subject of the decision and to the applicant at the latest within 3 working days from the date of the decision.
10. The decision of the supervisory authority on the imposition of an administrative fine shall be reasoned. It must include:
1) the authority issuing the decision;
2) the date and place of the hearing of the case;
3) details of the person who is the subject of the decision;
4) legal basis for the decision;
5) violations, if any, and their circumstances;
6) evidence collected and its assessment;
7) explanations (if any) of the person suspected of committing the infringement and other persons, their assessment;
8) a decision adopted: to impose or not to impose an administrative fine;
9) the terms and procedure for appealing against the decision.
11. A decision of the supervisory authority regarding the imposition of an administrative fine may be appealed before the court in accordance with the procedure established by the Law on Administrative Proceedings.
Article 35. Enforcement of the Decision Imposing an Administrative Fine
1. The decision of the supervisory authority regarding the imposition of an administrative fine shall be executed not later than within 3 months of the date it was sent or served to the person who is the subject of an administrative fine. If the decision of the supervisory authority regarding the imposition of an administrative fine is appealed against, it must be executed not later than within 3 months from the date of the enforcement of the decision of the court. An administrative fine must be paid to the state budget.
2. The decision of the supervisory authority regarding the imposition of an administrative fine is an enforcement document executed in accordance with the procedure established by the Code of Civil Procedure of the Republic of Lithuania. It may be submitted for execution no later than 3 years from the date of its adoption.
I promulgate this Law passed by the Seimas of the Republic of Lithuania.
THE PRESIDENT OF THE REPUBLIC ALGIRDAS BRAZAUSKAS
Annex to the Law on Legal Protection of Personal Data
IMPLEMENTATION OF EUROPEAN UNION LEGISLATION
1. Regulation (EU) No. 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1).
Amendments:
1. Seimas of the Republic of Lithuania, Law No. VIII-662, 12/03/1998, Official Journal 1998, No. 31-819 (01/04/1998), i. k. 0981010ISTAVIII-662
Addition and amendment of Articles 1, 2, 3, 5, 6, 7, 8, 9, 14 of Law on Legal Protection of Personal Data of the Republic of Lithuania
2. Seimas of the Republic of Lithuania, Law No. VIII-1852, 17/07/2000, Official Journal 2000, No. 64-1924 (31/07/2000), i. k. 1001010ISTAIII-1852
Amendment Act of Law on Legal Protection of Personal Data of the Republic of Lithuania
3. Seimas of the Republic of Lithuania, Law No. IX-719, 22/01/2002, Official Journal 2002, No. 13-473 (06/02/2002), i. k. 1021010ISTA00IX-719
Addition and amendment of Articles 1, 2, 3, 5, 7, 14, 15, 16, 18, 20, 22, 24, 26 of Law on Legal Protection of Personal Data of the Republic of Lithuania
4. Seimas of the Republic of Lithuania, Law No. IX-970, 20/06/2002, Official Journal 2002, No. 68-2769 (03/07/2002), i. k. 1021010ISTA00IX-970
Addition with Article 10(1) and amendment Act of Articles 15, 17 of Law on Legal Protection of Personal Data of the Republic of Lithuania
5. Seimas of the Republic of Lithuania, Law No. IX-1296, 21/01/2003, Official Journal 2003, No. 15-597 (12/02/2003), i. k. 1031010ISTA0IX-1296
Amendment Act of Law on Legal Protection of Personal Data of the Republic of Lithuania
6. Seimas of the Republic of Lithuania, Law No. IX-2111, 13/04/2004, Official Journal 2004, No. 60-2120 (24/04/2004), i. k. 1041010ISTA0IX-2111
Amendment Act of Articles 23 and 26 of Law on Legal Protection of Personal Data of the Republic of Lithuania
7. Seimas of the Republic of Lithuania, Law No. X-1444, 01/02/2008, Official Gazette 2008, No. 22-804 (23/02/2008), i. k. 1081010ISTA00X-1444
Amendment Act of Law on Legal Protection of Personal Data of the Republic of Lithuania
8. Seimas of the Republic of Lithuania, Law No. XI-1372, 12/05/2011, Official Journal 2011, No. 65-3046 (28/05/2011), i. k. 1111010ISTA0XI-1372
Addition and amendment of sections 4 and 9 of Articles 1, 2, 3, 6, 20, 21, 22, 24, 25, 26, 27, 29, 33, 35, 36, 38, 40, 45, 53 of Law on Legal Protection of Personal Data of the Republic of Lithuania and addition to the Law with Articles 13-1, 15-1, 35-1, 41-1
9. Seimas of the Republic of Lithuania, Law No. XII-1430, 11/12/2014, published in TAR 23/12/2014, i. k. 2014-20555
Amendment Act of Article 15 of Law on Legal Protection of Personal Data of the Republic of Lithuania No. I-1374
10. Seimas of the Republic of Lithuania, Law No. XII-2103, 01/12/2015, published in TAR 09/12/2015, i. k. 2015-19490
Amendment Act of Article 36 of Law on Legal Protection of Personal Data of the Republic of Lithuania No. I-1374
11. Seimas of the Republic of Lithuania, Law No. XII-2709, 03/11/2016, published in TAR 09/11/2016, i. k. 2016-26494
Amendment Act of Article 41 of Law on Legal Protection of Personal Data of the Republic of Lithuania No. I-1374
12. Seimas of the Republic of Lithuania, Law No. XIII-1426, 30/06/2018, published in TAR of 11/07/2018, i. k. 2018-11733
Amendment Act of Law on Legal Protection of Personal Data of the Republic of Lithuania No. I-1374
URL: http://www.worldlii.org/int/other/NDPrivLegis/2018/44.html