LAWS Lithuania's law on the legal protection of personal data (1996, amended in 2008) is the principal legal act transposing into the country's laws the requirements of the European Union's Directive 95/46/EC, which governs the protection of individuals with regard to the processing of personal data and the free movement of such data. Other laws regulate specific aspects of this issue. These include the law on electronic communications (2008), which addresses the processing of personal data in that sphere; the code of administrative offences (2008), which establishes administrative sanctions for violations of the rules on data processing; and the law ratifying the Council of Europe's Convention for the Protection of Individuals With Regard to Automatic Processing of Personal Data (ETS No. 108) (2001).
SECONDARY LEGAL ACTS Detailed rules on notification, on how the notification process is organised and on the scope of responsibilities of the relevant government institutions are set out in a government resolution on organising the State Register of Personal Data Controllers, a resolution approving new regulations and procedures on the notification by personal data controllers of the automated processing of personal data (2002), and a resolution on the establishment of the State Data Protection Inspectorate (1996). Other regulations address the technical and procedural details of data protection.
LEGISLATIVE DEVELOPMENTS Lithuania's parliament amended the law on the legal protection of personal data in February 2008, and the amendments will take effect on 1 January 2009. There are several innovations in the law:
- The scope of the law has been expanded to include the Lithuanian branches of companies from other EU countries. The amendments identify them as data controllers which are fully subjected to the requirements of the law;
- The use of personal ID codes will be restricted to prohibit the publication of the codes or the use of the codes for direct marketing purposes;
- There is a new chapter on video surveillance which defines the concept and sets out rules on the processing of the relevant data;
- The amendments set out new rules for the processing of personal data when evaluating creditworthiness. These include more specific rules on the exchange of personal data among enterprises which are exposed to financial risk and therefore have a special interest in such data;
- The independence of the State Data Protection Inspectorate (SDPI) has been strengthened;
- There are provisions to simplify the notification procedure when a data controller has a specialised data protection unit;
- There is a detailed procedure by which the inspectorate receives and examines complaints.
SCOPE OF THE LAW Data processing activities are regulated by Lithuanian law when they are carried out by a data controller which is established in Lithuania; by one which is not established in Lithuania but is governed by international public law (including diplomatic and consular institutions); or by one which is established in a non-EU state but uses automated means of data processing located in Lithuania. The exception to the last case is where the means are used only for the transit of data through Lithuania or the EU. A non-EU controller using such means in Lithuania must have an established subsidiary or representative in Lithuania, and the law then applies to it. The law defines a data controller as an enterprise or individual which processes personal data alone or together with others. The law does not apply to public authorities and agencies, as defined in the EU's Data Protection Directive. Entities which are neither individuals nor legal persons cannot be data controllers within the meaning of the law. These include the Lithuanian branches and offices of foreign companies, since the Civil Code states that they are not legal persons in their own right. On numerous occasions the SDPI has confirmed that under the law the Lithuanian branches and offices of foreign companies are considered to be units of the parent company. Data protection authorities take the view that the regulations of the member state in which the parent company is established should apply to such branches and offices. Once the aforementioned amendments come into effect on 1 January 2009, the branches and offices will be considered to be data controllers.
TRANSFERS TO THIRD COUNTRIES The law also provides that the transfer of personal data abroad is subject to the authorisation of the SDPI unless one of the following applies: the data subject has given consent to the transfer; the transfer is necessary for the performance of a contract between the data controller and the data subject, or for the implementation of pre-contractual measures taken at the request of the subject; the transfer is required in the public interest or as part of legal proceedings; it is needed to protect the vital interests of the data subject; it is needed to prevent or investigate a crime; or the data come from a public data file in accordance with procedures defined in other laws and legal acts. If none of these applies, the agreement between the data provider and the recipient must be submitted to the SDPI for evaluation. The agency may approve the transfer of personal data to a third country if that country ensures a sufficient level of personal data protection. This is assessed in light of all the circumstances of the transfer, in particular the laws and regulations in force in the country of destination, the nature of the data, the proposed processing operations, the purpose and duration of the processing, and the safeguards in place in the relevant country. If data are to be transferred to a country which does not ensure an adequate level of legal protection, the SDPI will grant authorisation if the data controller itself has established adequate safeguards for the protection of the right to privacy and the rights of the data subject. Such safeguards must be stipulated in the relevant contract. The SDPI has already authorised data transfers to third countries where data transfer agreements based on the Commission's standard contractual clauses are in place.
NOTIFICATION OBLIGATIONS The law on the protection of personal data provides that personal data may be processed by automated means only if the data controller notifies the SDPI in advance. This means that personal data may be processed only after such notification has been made. Government regulations govern this process. The notification must state the purpose of the personal data processing, the groups of data subjects, the categories of personal data processed for each group, any special categories of personal data being processed, any traffic data of public electronic communications service users being retained, the data recipients and groups thereof, the categories of personal data being transferred to foreign countries, the relevant data retention periods, and a list of all security measures in place. The notification does not have to be renewed on a regular basis, but if the details of the data processing activities change, information about the change must be submitted to the SDPI within 30 days. If the purposes of the processing do not change, this information may be submitted in free form; if they do change, a full notification meeting the relevant requirements is necessary. Notification is not needed when personal data are processed for the data controller's internal administration; when they are processed for political, philosophical, religious or trade union purposes by a non-profit organisation, provided that the data relate only to its own members or to others who regularly participate in its activities; when they are processed by the mass media to provide public information or in pursuit of artistic or literary expression; or when they are processed in accordance with the Lithuanian law on state and official secrets. Internal administration is defined here as activity which ensures the independent functioning of the data controller.
The breadth of the internal administration exemption raises questions about compliance with the EU's data protection directive. The SDPI has said that the exemption may not be relied upon if the data controller provides personal data to any third party.
ADMINISTRATIVE LIABILITY Any violation of the data protection rules gives rise to administrative liability. This applies to any unlawful processing of personal data, as well as to any violation of the norms on the processing of personal data and the protection of privacy laid down in the law on electronic communications. Unlawful processing of data (e.g., the unlawful use of someone's e-mail address or other personal data, irrespective of the purpose of that use) is punishable by fines of between LTL 500 and 1,000 (EUR 145-290), rising to between LTL 1,000 and 2,000 for repeat offenders. Violation of the privacy requirements (e.g., the unlawful processing of personal data for direct marketing purposes) attracts similar fines. Anyone who has suffered damage as a result of the unlawful processing of personal data, or of any other action or inaction on the part of the data controller, the data processor or any other person, may claim compensation for the pecuniary and non-pecuniary damage caused.