TRILANTICServicesSectorsPartnersResourcesAbout UsContact Us
Case StudiesTRILANTIC NewsletterFree Trial with your DataCost Savings CalculatorAsk The Experts
Document Library
Industrial Links
Glossary
News ReleasesFeatured Articles
Media KitForthcoming EventsEuropean Data Protection Rules

LITHUANIA

 

The State Data Protection Inspectorate website: http://www.ada.lt/index.php?lng=en

 

Law on Legal Protection of Personal Data 2008 (came into force 1 January 2009)

http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=315633

 

What needs to be done prior to collection?

 

NOTIFY THE INSPECTORATE

 

Article 31 – Notification of Data Processing

 

Personal data may be processed by automatic means only when the data controller or his representative in accordance with the procedure established by the Government notifies the State Data Protection Inspectorate (SDPI), except where personal data are processed:

(1)     For the purposes of internal administration

(2)     For political, philosophical, religious or trade-union related purposes by a foundation, association or any other non-profit organisation on condition that the personal data processed relate solely to the members of such organisation or to other persons who regularly participate in its activities in connection with the purpose of such organisation

(3)     In the cases laid down in Article 8 of this Law

(4)     In accordance with the procedure laid down in the Law on State Secrets and Official Secrets

 

Article 32 – Person or unit responsible for data collection

 

The data controller shall have the right to designate person or unit to be responsible for data protection.

 

See Statute for more information

 

CONTACT THE DATA SUBJECT

 

Article 24 – Informing the Data Subject about the processing of Data relating to him

 

  1. The data controller must provide the data subject from whom data relating him are collected directly, with the following information, except where the data subject already has it:

(1)     The identity and permanent place of residence of himself (the data controller) and his representative, if any (where the data controller or his representative is a natural person), or requisites and the address of the registered office (where the data controller or its representative is a legal person);

(2)     The purposes of the processing of the data subject’s personal data;

(3)     Other additional information (the recipient and the purposes of disclosure of the data subject’s personal data, particular personal data that the data subject must provide and the consequences of his failure to provide the data, the right of the data subject to have access to his personal data and the right to request for rectification of incorrect, inaccurate and incomplete personal data) in the extent that is necessary for ensuring fair processing of personal data without infringing upon the data subject’s rights

 

  1. Where the data controller obtains personal data not from the data subject, he must inform the data subject about that before the start of personal data processing or, if he intends to disclose the data to third parties, he must inform the data subject about that no later than by the moment when the data are disclosed for the first time, except in the cases where laws or other legal acts determine the procedure for collection or disclosure of such data and data recipients. In such case, the data controller must provide the data subject with the following information, except where the data subject already has it:

(1)     The identity and permanent place of residence of himself (the data controller) and his representative, if any (where the data controller or his representative is a natural person), or requisites and the address of the registered office (where the data controller or its representative is a legal person);

(2)     The purposes of the processing or intended processing of the data subject’s personal data;

(3)     Other additional information (the sources and type of the data subject’s personal data which are or will be collected; the recipient of the data subject’s personal data and the purposes of disclosure of the data subject’s personal data; the right of the data subject to have access to his personal data and the right to request for rectification of incorrect, inaccurate and incomplete personal data) in the extent that is necessary for ensuring fair processing of personal data without infringing upon the data subject’s rights

 

  1. When the data controller collects or intends to collect personal data from the data subject and processes or intends to process the data for purposes of direct marketing, before disclosing data subject’s data he must inform the data subject about the recipient of his personal data and the purposes for which his personal data will be disclosed

 

  1. Paragraph 2 of this Article shall not be applicable to the processing of personal data for the statistical, historical or scientific research purposes, where the disclosure of such information is impossible or too complicated (owing to a large number of data recipients, the outdated character of the data and excessively large expenses) or where the procedure for collecting and disclosing of data is laid down in laws. The data controller must duly notify the State Data Protection Inspectorate about that in accordance with the procedure laid down in Article 33 of this Law. The State Data Protection Inspectorate must carry out a prior checking.

 

What needs to be done prior to shipping?

 

Article 35 – Transfer of personal data to Data Recipients in foreign countries

 

  1. Personal data to data recipients in the European Union Member States or other countries of the European Economic Area shall be transferred on the same conditions and in accordance with the same procedure as that applicable to data recipients in the Republic of Lithuania

 

  1. Transfer of personal data to data recipients in third countries shall be subject to an authorisation from the SDPI, except in those cases referred to in paragraph 5 of this Article

 

  1. The SDPI shall grant or refuse to grant an authorisation for transfer of personal data to third countries no later than within two months from the date of the receipt of the application for the authorisation by the data controller. An authorisation shall be granted provided that there is an adequate level of legal protection of personal data in these countries. The level of legal protection of personal data shall be assessed by considering all circumstances related to transfer of data particularly the laws and other legal acts or acts prepared by the data controller on legal protection of personal data in force in the third country of destination, the nature of the data to be transferred, methods, purposes and duration of the data processing and safeguards applicable in the country concerned

 

  1. The SDPI may grant an authorisation to transfer personal data to a third country which cannot guarantee an adequate level of protection of personal data on a condition that the data controller has established adequate data protection safeguards for the protection of an individual’s right to a private life and the protection and exercise of other rights of the data subject. Such safeguards must be stipulated in the contract on the transfer of personal data to a third country or in other document concluded in writing

 

 

 

  1. Without an authorisation of the SDPI, personal data shall be transferred to a third country or to an international law enforcement only if:           

(1)     The data subject has given his consent for the transfer of his personal data;

(2)     The transfer of personal data is necessary for the conclusion or performance of a contract between the data controller and a third party in the interests of the data subject;

(3)     The transfer of personal data is necessary for the performance of a contract between the data controller and the data subject or for the implementation of pre-contractual measures to be taken in response to the data subjects request;

(4)     The transfer of personal data is necessary (or required by law) for public interests or for the purpose of legal proceedings;

(5)     The transfer is necessary for the protection of vital interests of the data subject;

(6)     The transfer is necessary for the prevention or investigation of criminal offences;

(7)     Personal data are transferred from a public data file in accordance with the procedure laid down in laws or other legal acts

 

What are the sanctions for non-compliance?

 

Article 53 – Liability for violation of this law

 

Violations of this Law shall render data controllers, data processors and other persons liable under the Laws

 

Article 54 – Compensation for pecuniary and non-pecuniary damage

 

Any person who has sustained damage as a result of unlawful processing of personal data or any other acts (omissions) by the data controller, the data processor, or other persons violating the provisions of this Law shall be entitled to claim compensation for pecuniary and non-pecuniary damage caused to him.

 

The extent of pecuniary and non-pecuniary damage shall be determined by a court

 

Please refer to the State Data Protection Inspectorate website for more information on the Statute

© TRILANTIC - All rights reserved. | Disclaimer | Client Login