Triniti Jurex
What law(s) specifically govern personal data / information?
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the GDPR) - the main legal framework governing the processing of personal data in Lithuania and across the EU, establishing data subject rights, controller/processor obligations, and lawful bases for processing;
The Law on Legal Protection of Personal Data of the Republic of Lithuania (hereinafter referred to as the Law on Legal Protection of Personal Data) - national law supplementing the GDPR, detailing the powers of the State Data Protection Inspectorate and additional local requirements, such as age thresholds for children’s consent;
The Law on Electronic Communications of the Republic of Lithuania (hereinafter referred to as the Law on Electronic Communications) - regulates confidentiality of communications, use of cookies and similar technologies, telemarketing and data retention obligations for electronic communications providers;
Law on Information Society Services of the Republic of Lithuania (hereinafter referred to as the Law on Information Society Services) - regulates the provision of information society services and the rights, obligations and responsibilities of information society service providers;
Law on the Legal Protection of Personal Data Processed for the Purposes of Prevention, Investigation, Detection, or Prosecution of Criminal Offences, Execution of Penalties, or for National Security or Defence Purposes of the Republic of Lithuania - transposes Directive (EU) 2016/680; governs processing of personal data by competent authorities for law enforcement and national security purposes;
Law on Cyber Security of the Republic of Lithuania - establishes cybersecurity requirements for critical and important information infrastructure, some of which may involve the protection of personal data against cyber threats;
Code of Administrative Offences of the Republic of Lithuania - sets out administrative liability for breaches of data protection obligations under national law and the GDPR;
Sector-specific laws (e.g., Labour Code, Law on Patient Rights, Law on Education) often contain personal data protection provisions relevant to those specific contexts;
Index of retention periods for internal administrative documents, approved by the Chief Archivist of Lithuania.
What are the key data protection principles in this jurisdiction?
The key principles of data protection stem from the GDPR and are further supplemented by national legislation.
The core principles include the following:
- Lawfulness, Fairness, and Transparency: personal data must be processed lawfully, fairly, and in a transparent way in relation to the data subject.
- Purpose Limitation: data must be collected for specified, explicit, and legitimate purposes and not used in ways that are incompatible with those purposes.
- Data Minimisation: collected personal data should be adequate, relevant, and limited to what is necessary for the intended purposes.
- Accuracy: personal data must be accurate and, where needed, kept up to date.
- Storage Limitation: personal data should be kept in a form that allows identification of data subjects for no longer than necessary for the processing purposes.
- Integrity and Confidentiality: personal data must be processed securely, with measures in place to protect against unauthorised or unlawful processing, as well as accidental loss, destruction, or damage.
- Accountability: the data controller bears responsibility for ensuring compliance with these principles, must implement suitable technical and organisational measures and must be able to demonstrate compliance with all of the above principles.
These principles apply to both public and private sector data controllers operating in Lithuania.
What is the supervisory authority / regulator in charge of data protection?
In Lithuania the supervision of personal data protection is carried out by two institutions – the State Data Protection Inspectorate (hereinafter referred to as the SDPI) and the Service of the Journalist Ethics Inspector.
The main supervisory institution in Lithuania is the SDPI: it monitors the application of the GDPR, the Law on Legal Protection of Personal Data and the Law on Electronic Communications and ensures compliance with them, except for those articles of the Law on Legal Protection of Personal Data whose supervision falls within the competence of the Journalist Ethics Inspector.
The Journalistic Ethics Inspector monitors the application of GDPR and Law on Legal Protection of Personal Data and ensures that these legal acts are applied when personal data are processed for journalistic purposes and for the purposes of academic, artistic or literary expression.
Is there a requirement to register with a supervisory authority / regulator?
Registration of a controller or processor is not required in Lithuania.
However, the GDPR provides for certain instances where the controller or processor must inform or consult the supervisory authority:
- When a data protection officer (hereinafter referred to as DPO) is appointed, the controller or processor must communicate the DPO’s contact details to the supervisory authority.
- If a data protection impact assessment (hereinafter referred to as DPIA) indicates that the intended processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller is required to consult the supervisory authority before commencing the processing.
- Prior authorization would be required for international data transfer based on contractual clauses not approved by the European Commission.
Is there a requirement to notify the supervisory authority / regulator?
Generally, under the GDPR and Lithuanian law, there is no routine obligation to notify the SDPI about data processing activities. However, notification is required in specific situations, including:
- Under Article 33 of the GDPR, in the event of a personal data breach, the controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. This obligation does not apply if the breach is unlikely to pose a risk to the rights and freedoms of natural persons.
- Under Article 36 of the GDPR, if a DPIA indicates that the intended processing would result in a high risk to data subjects in the absence of measures taken to mitigate the risk, the controller must consult the SDPI before starting the processing.
- Under Article 49(1) of the GDPR, if a data transfer cannot rely on an adequacy decision (Article 45), appropriate safeguards (Article 46, including BCRs), or specific derogations (Article 49(1)), it may still be carried out only under strict conditions: the transfer must be non-repetitive, concern a limited number of data subjects, and be necessary for compelling legitimate interests of the controller that do not override the data subjects’ rights. In such cases, the controller is required to conduct a thorough assessment, implement appropriate safeguards, and notify the supervisory authority of the transfer. The data subject must also be informed of the transfer and the legitimate interests pursued.
Is it possible to register with / notify the supervisory authority / regulator online?
The supervisory authorities accept documents sent via the National Electronic Delivery System and via email if the document is signed with an electronic signature.
What are the key data subject rights under the data protection laws of this jurisdiction?
Right to Information
In line with the principles of fair and transparent processing, data subjects must be informed about the existence and purpose of any processing activity. According to Articles 13 and 14 of the GDPR, individuals have the right to receive information about the identity of the controller and specific details regarding the processing of their personal data.
Right of Access
Under Article 15 of the GDPR, data subjects have the right to access their personal data collected by a controller. This right enables individuals to understand and verify the lawfulness of the processing, and it should be exercisable easily.
Right to Rectification
As provided in Article 16 of the GDPR, individuals have the right to request the correction of inaccurate personal data concerning them without undue delay.
Right to Erasure (Right to Be Forgotten)
In accordance with Article 17 of the GDPR, data subjects may request the deletion of their personal data when one of the conditions listed in Article 17(1) applies.
Right to Restrict Processing
Under Article 18(1) of the GDPR, data subjects have the right to request the restriction of processing in certain circumstances specified by the Regulation.
Right to Data Portability
Article 20 of the GDPR grants individuals the right to receive their personal data in a structured, commonly used, and machine-readable format. They may also request the transfer of such data to another controller, or that the transfer take place directly between controllers, where the legal criteria are met.
Right to Object
According to Article 21 of the GDPR, individuals may object at any time to the processing of their data on grounds relating to their particular situation, where the processing is based on public interest (Article 6(1)(e)) or the legitimate interests of the controller (Article 6(1)(f)), including any related profiling.
In addition, individuals have an unconditional right to object to processing for direct marketing purposes (Article 21(2)–(3)).
Right to Withdraw Consent
As set out in Article 7(3) of the GDPR, a data subject has the right to withdraw previously given consent at any time.
Right to Lodge a Complaint
Pursuant to Article 77 of the GDPR, individuals have the right to file a complaint with a supervisory authority, particularly in the Member State where they reside, work, or where the alleged violation occurred, if they believe that their personal data is being processed in violation of the GDPR.
Right Not to Be Subject to Automated Decisions
Under Article 22 of the GDPR, data subjects have the right not to be subject to decisions based solely on automated processing, including profiling, if such decisions produce legal effects or similarly significant consequences for them.
Is there a requirement to appoint a data protection officer (or equivalent)?
Yes. Under Article 37(1) of the GDPR, a DPO must be designated in the following cases:
- Public authorities or bodies: where the processing is carried out by a public authority or body, with the exception of courts acting in their judicial capacity.
- Large-scale monitoring: where the core activities of the controller or processor involve processing operations that, by their nature, scope, or purpose, require regular and systematic monitoring of data subjects on a large scale.
- Special categories and criminal data: where the core activities consist of processing, on a large scale, special categories of personal data as defined in Article 9, or personal data relating to criminal convictions and offences as referred to in Article 10 of the GDPR.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
Yes. According to Article 35(1) of the GDPR, where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context, and purposes of the processing, the controller must carry out a DPIA before initiating the processing.
Under Article 35(3), a DPIA is specifically required in the following cases:
- Automated decision-making and profiling: when there is a systematic and extensive evaluation of personal aspects relating to individuals based on automated processing, including profiling, and decisions are made that have legal or similarly significant effects on the individual.
- Large-scale processing of special categories of data: when processing involves large-scale handling of special categories of personal data as outlined in Article 9(1), or data relating to criminal convictions and offences as set out in Article 10.
- Systematic public monitoring: when there is large-scale, systematic monitoring of publicly accessible areas.
In addition, the SDPI has approved a non-exhaustive list of data processing operations that are subject to a DPIA:
- The processing of personal data for scientific or historical research purposes where at least one of the following applies:
  - special categories of personal data are processed without the data subject’s consent, or personal data are processed by linking or combining data sets;
  - the data of minors are processed;
  - a personal identification number is processed.
- The large-scale processing of personal data not obtained from the data subject, where providing the information specified in Article 14(1) and (2) of the GDPR is impossible or would involve a disproportionate effort, or where providing such information would make the achievement of the purposes of processing impossible or would seriously impair them.
- The processing of personal data where informing the recipients to whom the personal data have been disclosed about the rectification, erasure, or restriction of processing in accordance with Article 19 of the GDPR is impossible or would involve a disproportionate effort.
- The processing of biometric data for the purpose of uniquely identifying a natural person in the context of monitoring or control of data subjects, or where personal data of vulnerable data subjects are processed.
- The processing of genetic data for the purpose of evaluating or scoring the characteristics of a data subject, including profiling and forecasting.
- The processing of personal image data where video surveillance is carried out in at least one of the following cases:
  - in premises and/or areas that are not owned or lawfully controlled by the data controller, where the video surveillance complies with the principles relating to personal data processing set out in Article 5 of the GDPR;
  - in healthcare, social care, correctional institutions, and other facilities providing services to vulnerable individuals;
  - together with sound recording.
- The recording of telephone conversations.
- The processing of personal data using innovative technologies, or using existing technologies in a new way, where personal data of vulnerable data subjects are processed.
- The processing of children’s personal data for direct marketing purposes, the evaluation of children’s personal aspects based on automated processing, including profiling, or where information society services are offered directly to children.
- The processing of employees’ personal data for monitoring or control purposes: the processing of image and/or sound data in the workplace and/or in premises or areas where the data controller’s employees work, and the processing of personal data related to monitoring employees’ communication, behaviour, location, or movement.
Does this jurisdiction have any specific data breach notification requirements?
Lithuania follows the data breach notification requirements set out in the GDPR, supplemented by national law. In addition, on 2 July 2018, the SDPI issued recommendations titled “On the Procedure for Detection, Investigation, Reporting, and Documentation of Personal Data Security Breaches”.
When reporting a personal data breach, the recommended form approved by Order No. 1T-82(1.12.E) of the Director of the SDPI dated 29 August 2018, “Regarding the Approval of the Recommended Form for Reporting a Personal Data Breach” (Register of Legal Acts, 2018-08-29, No. 13583), is used.
What restrictions apply to the international transfer of personal data / information?
The international transfers of personal data are governed by Articles 44–50 of the GDPR.
Transfers of personal data to countries within the European Economic Area are considered equivalent to transfers within the European Union. These countries are deemed to offer an adequate level of data protection, and the same rules apply as for data transfers within the EU.
Transfers to countries that have been granted an adequacy decision by the European Commission under Article 45(3) of the GDPR are also treated in the same way as transfers within the European Union. A list of such countries is available on the European Commission’s official website.
Transfers to all other countries are regarded as transfers to countries with an insufficient level of data protection. In such cases, additional safeguards must be implemented, or the transfer must fall under one of the exceptions set out in the GDPR (Article 49). In general, the following options apply:
- Safeguards under Article 46(2) GDPR: personal data may be transferred using one of the mechanisms listed in Article 46(2), such as:
  - a legally binding and enforceable instrument between public authorities or bodies,
  - binding corporate rules (BCRs),
  - standard contractual clauses (SCCs),
  - legally binding agreements between public sector bodies,
  - approved codes of conduct, or
  - certification mechanisms accompanied by enforceable commitments by the controller or processor in the third country.
  These mechanisms do not require prior authorisation from the supervisory authority.
- Safeguards under Article 46(3) GDPR: transfers may also be carried out using safeguards listed in Article 46(3), which do require prior authorisation from the competent supervisory authority. These may include:
  - contractual clauses between the exporter and the recipient of the data in the third country or international organisation, or
  - provisions included in administrative arrangements between public authorities that ensure enforceable data subject rights.
  Before granting authorisation, the supervisory authority will consult the European Data Protection Board and apply the GDPR’s consistency mechanism.
- Derogations under Article 49 GDPR: if no adequacy decision (Article 45) or suitable safeguards (Article 46) are in place, data transfers may still occur under the limited conditions set out in Article 49. These include, inter alia:
  - the data subject’s explicit consent,
  - necessity of the transfer for the performance of a contract with the data subject or in their interest,
  - important public interest reasons,
  - the need for the transfer in connection with the establishment, exercise, or defence of legal claims,
  - etc.
Data controllers must assess and document the legal basis and safeguards for each international transfer and ensure compliance with all applicable rules.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
Yes, the GDPR, which directly applies to Lithuania, has extra-territorial effect.
According to Article 3(1) of the GDPR, the GDPR applies to the processing of personal data carried out in the context of the activities of an establishment of a controller or processor located in the European Union, regardless of whether the actual processing takes place within the European Union.
Furthermore, under Article 3(2), the GDPR also applies to the processing of personal data of individuals who are in the European Union by a controller or processor established outside the European Union, where the processing activities are related to either:
- the offering of goods or services to individuals in the European Union regardless of whether payment is required, or
- the monitoring of their behaviour, to the extent that such behaviour takes place within the European Union.
What rules specifically deal with marketing?
In Lithuania, marketing activities involving personal data are regulated under the GDPR, Law on Legal Protection of Personal Data, Law on Electronic Communications, as well as Law on Information Society Services.
Under Article 2(1) of the Law on Legal Protection of Personal Data, direct marketing means an activity aimed at offering goods or services to individuals by mail, telephone, or other direct means, and/or seeking their opinion regarding the offered goods or services.
Key requirements are the following:
- The use of personal data must have a legal basis.
- Prohibition of using a personal identification number for direct marketing purposes (Article 3(3) of the Law on Legal Protection of Personal Data).
- Consent requirement: for direct marketing via electronic communications (e.g., email, SMS), prior explicit consent from the data subject is generally required (opt-in) (Article 81(1) of the Law on Electronic Communications), except for existing customers, where an exemption may apply (Article 81(2) of the Law on Electronic Communications) under which direct marketing messages may be sent to clients without their prior consent if all of the following conditions are met:
  - the company providing the services or selling the goods collects the client’s email address during the delivery of services/goods in compliance with the terms and conditions of the GDPR;
  - the clients did not object to such processing for direct marketing purposes at the time their email addresses were collected;
  - the company may then market only its own similar goods or services to its clients;
  - the clients are given a clear, free, and easy-to-exercise option to object to or refuse such use of their contact details for such purposes, both when the contact details were collected and with each subsequent direct marketing message.
In addition, Article 9(1)(1) of the Law on Information Society Services stipulates that “where commercial information is sent without the prior consent of the recipient as provided for in the LEC [the Law on Electronic Communications], it must be clearly identifiable as commercial information sent without prior consent”.
In accordance with the list of data processing operations that are subject to DPIA approved by the SDPI, DPIA must be conducted prior to the processing of children’s personal data for direct marketing purposes.
The SDPI actively monitors and enforces compliance with marketing rules, including electronic marketing restrictions.
Do different rules apply to business-to-business and business-to-consumer marketing?
No, the same rules apply.
What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
Please refer to the answer provided above.
What rules specifically deal with cookies?
Specific rules governing the storage of information on a user’s device and access to information already stored on the device are primarily found in EU legislation like the ePrivacy Directive.
These requirements of the ePrivacy Directive were transposed into the Law on Electronic Communications. Under Article 73(4) of the Law on Electronic Communications, storing information or gaining access to information already stored in the terminal equipment of a subscriber or actual user of publicly available electronic communications services is permitted only on the condition that the respective subscriber or actual user, having been provided with clear and comprehensive information in accordance with the GDPR, including information about the purposes of processing, has given their consent. These provisions do not prohibit technical storage or access that is solely for the purpose of transmitting a communication over an electronic communications network, or that is strictly necessary to provide an information society service explicitly requested by the subscriber or actual user of the publicly available electronic communications services.
What are the consequences of non-compliance with data protection laws (including marketing laws)?
Under the GDPR, organizations that fail to comply with its requirements may face significant administrative fines and corrective actions:
Administrative fines:
These penalties are structured in tiers based on the nature and severity of the violation.
In Lithuania, the Director of the State Data Protection Inspectorate or the Inspector of Journalist Ethics can impose administrative fines.
The administrative fine decision can be appealed in court.
Corrective actions:
Article 58(2) of GDPR lists a range of corrective powers available to supervisory authorities, which include issuing warnings, reprimands, ordering the controller/processor to comply with the data subject’s requests, ordering to bring processing operations into compliance, ordering to communicate a data breach, imposing temporary or permanent limitations or bans on processing, ordering the rectification or erasure of personal data, etc.
Public Notification of Decisions:
Lithuanian supervisory authorities publish their decisions related to findings of violations (after investigation, inspection, and/or complaint examination) publicly on their website. This public announcement, while not a financial penalty, can have reputational consequences for the organization that committed the violation. When violations are found, the identity of the data controller and/or processor is revealed.
Non-compliance with data protection rules related to direct marketing
Fines by the State Data Protection Inspectorate are generally imposed under the Code of Administrative Offences of the Republic of Lithuania:
For first-time violations of the Law on Electronic Communications:
- Employees who send direct marketing messages based on received instructions can be fined from €150 to €580
- Managers or responsible persons can be fined from €300 to €1,150
For repeated violations within 1 year from the first offence:
- Employees who send direct marketing messages based on received instructions can be fined from €580 to €1,200
- Managers or responsible persons can be fined from €1,100 to €3,000
In many cases, half of the minimum fine is applied for a first-time administrative offence.
The GDPR allows for administrative fines of up to the greater of EUR 20 million or 4% of a company’s total worldwide annual turnover (Article 83 of GDPR).
In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?
Multinational organisations processing personal data of individuals in Lithuania (without having a physical presence in the country) should be aware of the following key factors:
- Extra-territorial applicability of the GDPR: the GDPR applies if the organisation offers goods or services to individuals in Lithuania or monitors their behaviour, regardless of the organisation’s location;
- EU Representative: if the organisation has no establishment in the EU, it may be required to designate a representative in the EU to act as a contact point for data subjects and supervisory authorities;
- Legal basis and transparency: all processing must have a lawful basis under the GDPR (e.g., consent, contract, legitimate interest, etc.), and the organisation must provide clear and accessible privacy information to Lithuanian data subjects in a language they can understand (usually Lithuanian);
- Data subject rights: organisations must be prepared to uphold data subject rights and respond to data subjects’ requests in a timely manner;
- Data transfers: if personal data is transferred from Lithuania to a non-EU/EEA country, appropriate safeguards or another valid transfer mechanism must be in place;
- Supervisory authority: the organisation will fall under the supervision of the SDPI in Lithuania with respect to its processing activities affecting individuals in Lithuania.
In addition, multinational organisations should be aware that sector-specific data protection requirements may apply in Lithuania, particularly in areas such as healthcare (e.g., patient rights and health data confidentiality), finance, electronic communications, and employment. These may impose stricter conditions on data processing, retention, or consent.
There are also procedural requirements under national law. For example, in the event of a data breach, notification to the SDPI using specific national forms may be required. Multinational organisations should also ensure readiness to conduct a DPIA where required.
What upcoming data protection developments should multinational organisations be aware of?
Multinational organisations should closely monitor ongoing legislative developments, particularly regarding data transfers to non-EU countries (most notably the USA and UK). In addition, on 21 May 2025, the European Commission issued a Proposal for a Regulation amending several instruments, including the GDPR, to extend certain mitigating measures available for small and medium-sized enterprises to small mid-cap companies and to introduce further simplification measures, which may ease compliance burdens for smaller organisations operating across borders.