The Lithuanian Parliament finally passed the new Law on Legal Protection of Personal Data June 30. Lithuania was named among the EU outliers that failed to sort the national laws prior to the May 25 deadline.
The adopted law came into effect July 16. The State Data Protection Inspectorate and the Office of the Inspector for Journalist Ethics — both tasked with supervision and enforcement of the Law and the GDPR in Lithuania — are obliged to adopt implementing orders until July 15.
The law, which consists of 35 articles, is fairly concise, and mostly aimed at particularizing the powers of the supervisory authorities. Among other notable provisions are the following:
Territorial scope. The law applies to controllers and processors established in Lithuania, as well as to controllers following the Lithuanian law by virtue of the public international law. With respect to the businesses offering goods or services or monitoring of behavior of data subjects in the EU, the law applies only to those controllers and processors that have designated a representative in Lithuania. This seems to imply that if, for example, an Asian business targets data subjects in Lithuania, but has designated a representative in Germany, or is exempt from designating a representative (Article 27(2) of the GDPR) or hasn’t designated a representative in breach of Article 27 of the GDPR, it will not be under an obligation to comply with the law.
National identification number. The law makes use of the margin of maneuver afforded to the member states under Article 87 of the GDPR, and maintains a previously established prohibition to process national identification number for direct marketing or to make the ID number public.
Personal data and freedom of expression. According to the law, Article 8(child’s consent), Articles 12-23 (rights of data subjects), 25 (data protection by design and by default), 30 (records of processing activities), 33-39(breach notifications, DPIA and DPO), 41-50 (monitoring of code of conduct, certification and international transfers), 88-91 (processing in the employment context, for the purposes of public interest, obligation of secrecy and data protection rules of churches) of the GDPR do not apply in their entirety when personal data is processed for journalistic purposes and the purposes of academic, artistic or literary expression.
Processing in the context of employment. The law provides for more specific rules with respect to processing of personal data in the employment context. These rules must be read together with the employer’s obligations under the new Labour Code. The law explicitly prohibits processing of prospective employees’ data about criminal convictions and offenses, unless such processing is necessary to determine the person’s suitability to fulfill requirements for the position under the relevant laws. Employers can collect information about the prospective employee’s qualifications or professional qualities from their former employers only after informing the candidate about such processing, whereas to collect the same information from the person’s current employer, they will need to obtain the employee’s prior consent. Also, employers have a new obligation to inform employees, in line with Article 13 of the GDPR, about video or audio surveillance, behavioral, location or movement tracking.
Child’s digital consent. Lithuania (along with Bulgaria, Austria and Cyprus) opted for 14 as the age of “digital consent.” Fourteen-year-olds can consent alone to the processing of their personal data in relation to the direct offer of information society services.
Powers of the supervisory authorities
Supervision and enforcement powers are shared between the State Data Protection Inspectorate and the Office of the Inspector for Journalist Ethics. The latter’s competence is limited to overseeing the processing of personal data for journalistic purposes and the purposes of academic, artistic or literary expression. When exercising its powers, the Inspector for Journalist Ethics must cooperate with the DPA to ensure the consistent application of the data protection laws.
The law further provides for additional powers of the DPA and specifies certain procedures to be followed by both supervisory authorities.
Certification. The law provides for a new power of the DPA to accredit certification bodies. These bodies, in line with Article 43 of the GDPR, will issue certification under the data protection certification mechanisms. The rules for accreditation will be developed by the DPA.
Ex officio investigations. TheDPA has a right to carry out checks and investigations ex officio. As a rule, such checks and investigations should be completed within four months, however, the time period may be extended by two more months. As an outcome of the investigation, the DPA can use its corrective powers under Article 58(2) of the GDPR, including a power to impose an administrative fine. All the decisions of the DPA can be appealed against before the administrative courts.
Dawn raids. As previously, when undertaking the investigation, the DPA has a right to access premises of natural (subject to a court order) and legal persons (no court order is required) without prior notice. Also, the DPA has a right to request natural and legal persons to provide information orally or in writing as well as to provide additional testimonies in person at the DPA’s premises.
General considerations regarding fines. With respect to the statute of limitations, the law specifies that administrative fines may be imposed only within two years from the date of the infringement, or, in case of a continuous violation, from the date the infringement became known. The lower fine threshold for the public authorities and bodies is set at 0.5 percent of the institution’s annual budget and income received during the preceding year, whereas the higher fine threshold is set at 1 percent. The fine cannot exceed 30.000 EUR and 60.000 EUR respectively. If the institution or body engages in commercial activity, it can be subject to the GDPR-level fines.
Procedure for imposing fine. The controller or processor has 10 working days to respond to the findings of the supervisory authority and the proposed fine. The supervisory authority will then have 20 working days to make a final decision regarding the fine and its amount, usually, in the course of a written procedure. In certain cases, the supervisory authority may decide to organize an oral hearing, and to invite all the parties to the case. Such hearings will be public unless decided otherwise.
Representation of data subjects. The law allows a data subject to mandate a not-for-profit body, organization or association to submit a complaint before the supervisory authorities on her behalf. Such entity will need to provide documentation proving that it operates in the field of data protection. The law does not indicate what documents must be provided, most likely, this will be assessed on case by case basis. The law also does not provide privacy rights organizations a right to lodge a complaint independently of the data subject’s mandate (Article 80(2) of the GDPR).
Clearly, the law does not provide all the answers that Lithuania-based controllers and processors were looking for. Many important questions, including the processing operations requiring a mandatory DPIA, a procedure for a prior consultation with the DPA, and the requirements for certification bodies, will be addressed in rules that are yet to be adopted by the supervisory authorities.
Natalija Bitiukova, CIIP/E, data protection consultant at IT Governance Europe, board member at HRMI.