What Needs to be Done Prior to Collection
Contact the data subject
Contact the Inspectorate
Article 18
Informing the Data Subject about the Processing of Data Relating to Him
1. The data controller must provide to the data subject from whom data relating to himself is collected directly the following information, except where the data subject already has it:
1) the identity of the data controller and his representative if any, and his permanent place of residence where the data controller or his representative is a natural person, or other particulars, and the registered office where the data controller or its representative is a legal person;
2) the purposes of the processing of the data subject’s personal data;
3) any other additional information - the recipient of the data and for what purposes the data of the data subject is disclosed; what personal data the data subject is supposed to provide and the consequences of his failure to provide data, the right of the data subject to have access to his personal data and the right to request rectification of incorrect, incomplete and inaccurate personal data, necessary for ensuring a proper processing of personal data without violation of the data subject’s rights.
2. Where the data controller obtains personal data not from the data subject he must inform the data subject about it before the start of data processing or, if he intends to disclose the data to third parties, he must inform the data subject about it not later than by the moment when the data is disclosed for the first time, unless the laws or other legal acts determine the procedure for collection or disclosure of such data and the data recipients. In such cases the data controller must provide to the data subject the following information except where the data subject already has such information:
1) the identity of himself (the data controller) and his representative if any, his permanent place of residence where the data controller or his representative is a natural person, or other particulars and the registered office where the data controller or its representative is a legal person;
2) the purposes of the processing or the intended processing of the personal data of the data subject;
3) any other additional information (the sources and type of his personal data which is being collected or will be collected; the recipient of the data subject’s personal data and the purposes of the disclosure; the right of the data subject to have access to his personal data and his right to request rectification of incorrect, incomplete and inaccurate personal data) to the extent it is necessary to ensure a fair processing of personal data without violating the rights of the data subject.
3. When the data controller collects or intends to collect personal data from the data subject and processes or intends to process the data for the purposes of direct marketing, before disclosing the data of the data subject he must inform the data subject about the recipient of the personal data and the purposes for which the data will be disclosed.
4. Paragraph 2 of this Article shall not be applicable to the processing of personal data for statistical or research purposes where the provision of such information is impossible or involves unnecessary difficulties owing to a large number of data recipients, the outdated character of the data and excessively large expenses or where the procedures for collecting and disclosing data are established by law. The data controller must duly notify the State Data Protection Inspectorate about it following the procedure set out in Article 26 of this Law.
Contact the Inspectorate
Article 24
Security of Data
1. The data controller and data processor must implement appropriate organizational and technical measures intended for the protection of personal data against any accidental or unlawful destruction, alteration, disclosure as well as against any other unlawful processing. These measures must ensure a level of security appropriate to the nature of the data to be protected and the risks represented by the processing and must be specified in a written document or its equivalent (data processing regulations approved by the data controller, a contract concluded by the data controller and the data processor etc.).
2. The data controller shall himself process personal data and/or shall authorise the data processor to do so. If the data controller authorizes the data processor to process personal data, he must choose a processor providing guarantees in respect of adequate technical and organizational data protection measures and ensuring compliance with those measures.
3. When authorising the data processor to process personal data, the data controller shall stipulate that personal data must be processed only on instructions from the data controller.
4. The relations between the data controller and the data processor who is not the data controller shall be regulated by a written contract except where such relations are provided for by laws or other legal acts.
5. The employees of the data controller, the data processor and their representatives who are processing personal data must keep confidentiality of personal data if the personal data is not intended for public disclosure. This obligation shall continue after leaving the public service, transfer to another position or upon termination of employment or contractual relations.
Registration of Data Controllers
Article 25
Notification of Data Processing
1. Personal data may be processed by automated means subject to notification by the data controller or his representative to the State Data Protection Inspectorate (pursuant to paragraph 3(3), Article 1 of this Law) in accordance with the procedure established by the Government, except when personal data is processed:
1) for the purposes of internal administration;
2) in the course of activities by a foundation, association or any other non-profit-seeking body for political, philosophical or trade union aims on condition that the processed data relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes;
3) in the cases specified in Article 8 of this Law;
4) in the cases specified in Article 10 of this Law;
5) following the procedure set forth in the Law of the Republic of Lithuania on State and Official Secrets.
Article 27
Registration of Data Controllers
1. Data controllers shall be registered in the State Register of Personal Data Controllers.
2. The State Register of Personal Data Controllers shall be administered by the State Data Protection Inspectorate.