Despite one of the main goals of the EU General Data Protection Regulation (GDPR) being to harmonise data protection law across the EU, it does allow the individual member states to introduce broad derogations concerning national security, the prevention of crime and the enforcement of civil claims, when fundamental rights to data protection are guaranteed and derogations themselves are necessary and proportionate.
Member states can also provide derogations in relation to specific processing activities, including processing that relates to freedom of expression and information, public access to official documents, personal codes (National ID numbers), employee data in employment, processing for archiving and statistical purposes, security obligations, and church and religious associations.
In the year since the GDPR, most member states have approved new data protection laws to apply the chosen derogations. In Lithuania, a new iteration of the Law on Legal Protection of Personal Data (hereinafter - the Law) came into force on 16.7.2018.
The Law regulates derogations from the Regulation regarding the processing of the personal code (ID), freedom of expression (journalistic freedom), data processing in employment, the age of a child, the procedure for imposing fines and the functions of supervisory authorities:
- personal code may be processed under the Regulation (Art. 6 (1)); it is prohibited to process a personal code for the purpose of direct marketing, as well as to announce the personal code in public;
- if personal data is processed for journalistic or academic purposes, or for artistic or literary expression, then some provisions of the Regulation shall not apply, i.e.: Article 8 (age of a child); Articles 12–23 (rights of data subjects); Article 25 (data protection by design and by default); Article 30 (records of personal data processing); Articles 33–39 (notification of personal data breaches, data protection impact assessment and appointment of a DPO); Articles 41–50 (certification and transfers of personal data to third countries); and Articles 88–91 (processing in the employment context, processing for archiving purposes in the public interest, scientific or historical research or statistical purposes, obligations of secrecy, and churches and religious associations);
- in recruitment and for existing employees, it is prohibited to check for criminal offences and convictions unless such data is required by law for a specific job (position); for example, for jobs in law enforcement such a background check is necessary;
- if an employer is a data controller, it may collect a candidate’s personal data for background checks, i.e. qualifications, professional experience and recommendations from previous employer(s), provided the candidate is informed in advance. The job applicant’s consent is required in order to request a recommendation from a current employer;
- the age at which information society services may be offered directly to a child, and the age of valid consent for such services, is 14 years;
- fines shall be imposed under provision of the Regulation;
- a decision regarding an administrative fine shall be imposed within 2 years following discovery of the violation, and if the violation is ongoing then from the date the violation was uncovered;
- according to the law, fines for the Lithuanian public sector shall be reduced compared to the fines in the GDPR and are set from 1 to 1.5% of the annual budget but not more than EUR 30,000-60,000.
The supervisory authority may impose both fines and other sanctions: order the controller to rectify the violation, issue a warning, issue a reprimand, and impose a final or temporary prohibition on the processing of personal data. The specific sanction is determined in each individual case.
In its 2018 review, the Lithuanian State Data Protection Inspectorate (hereinafter - the Inspectorate) stated that it carried out 141 preventive inspections and a sectoral review of health care organisations. In addition, the direct marketing and loyalty programmes of 12 major companies in the food, household goods and pharmacy industries were reviewed.
In 2018, the Inspectorate received 100 personal data breach notifications, compared to 7 queries in 2017 and 8 in 2016. This trend mirrors the situation across Europe, where data protection regulators have reported a massive surge in notifications and queries. Most of the data protection violations related to the publication of personal data (56 cases) and the loss of data (11 cases).
In addition, the Inspectorate received 859 complaints from individuals regarding the GDPR in 2018, compared to 480 in 2017 and 443 in 2016. The majority of the complaints received (641) related to the actions of private sector companies. The largest number of complaints concerned direct marketing, but complaints also concerned the lawfulness of processing images, the processing of personal data in the service sector and the personal data of debtors.
In 2018, various sanctions were imposed under Lithuanian legal acts and the Regulation, but no fines were issued. The first significant fine, EUR 61,500, was levied in May 2019 for a violation of the security of personal data in a specific payment system. In this case, personal data were made publicly available and the company failed to notify the Inspectorate, which also found that the company was not adhering to the data minimisation principle and was processing excessive amounts of personal data.
Prior to the GDPR coming into force, public awareness of personal data processing was very low in Lithuania. However, the media exposure around the GDPR and the fines already reported are putting the spotlight on companies to comply with the GDPR requirements.
Author: Greta Aliukonienė, Legal adviser, Grant Thornton Baltic UAB