In July 2018, Lithuania adopted the new Law on Legal Protection of Personal Data. Two supervisory authorities — the State Data Protection Inspectorate and the Office of the Inspector of Journalist Ethics — were tasked with monitoring and application of the regulation.
In 2018, their efforts focused mostly on exercising their advisory and investigatory powers, as well as the promotion of public awareness around the EU General Data Protection Regulation. During the last year, Lithuania's data protection authority received 859 complaints from data subjects, compared with only 480 in 2017. A majority of the complaints concerned issues related to data processing for direct marketing purposes, processing of special categories of personal data and closed-circuit TV. The authority also received 100 data breach notifications, while 1470 organizations, both private and public, informed the DPA about the appointment of data protection officers. Although the DPA carried out some ex officio investigations in 2018 and found violations of the GDPR, no fines were imposed.
This contribution will look into the recommendation adopted by Lithuania's DPA, analyzing the recently published data protection impact assessment "blacklist" and discussing ongoing and upcoming ex officio investigations scheduled for 2019.
Recommendations adopted by the DPA
In 2018–19, Lithuania's DPA released numerous guidelines and recommendations to assist with the interpretation and application of the GDPR. Among the topical documents are:
- Recommendations for the records of processing activities. The recommendations include additional guidelines on Article 30 of the GDPR. Importantly, they dispel the widespread myth that companies with less than 250 employees are exempt from the obligation to maintain the records of processing. The DPA gives an example of an insurance company of 100 employees that processes client data for contractual purposes on a regular basis. Since such processing is not occasional, the company is under obligation to document it and maintain the relevant records.
- A template for a DSAR procedure. The template document provides internal procedures for handling data subject access requests and can be customized and adapted to the controller's needs. Surprisingly, the template procedure suggests requiring the data subject to provide a notarized copy of an ID card or passport for identification purposes where the DSAR is lodged in writing. Such a requirement can hardly be considered proportionate to the purposes pursued and may create additional risks for both the controllers and the data subjects themselves.
- Recommendations on data processing in the electoral context. In light of the upcoming European Parliament and national elections, the DPA reminded the political parties and candidates about their obligations under the GDPR. The recommendations highlight that political campaigning by email or phone is only lawful where an individual's free and unambiguous consent has been obtained. In line with the commission's guidance document from September 2019, the recommendations suggest carrying out a data protection impact assessment where political actors engage in extensive voter monitoring and profiling.
The final DPIA "blacklist"
On March 18, the DPA published the final list of the processing operations requiring a mandatory DPIA (available here in English). It builds on the initial DPIA "blacklist," reviewed by the European Data Protection Board in September 2018 and subsequently revised by the DPA. The DPA followed the majority of the recommendations put forward by the EDPB and, as a result, additional criteria were specified for some of the general processing operations. For example, whereas initially, any processing of genetic data triggered an obligation to perform a DPIA, now DPIA is mandatory only for the processing of genetic data "while evaluating the data subject's features or scoring, including profiling and forecasting."
As requested by the EDPB, the DPA specifically indicated that the list is non-exhaustive, and a DPIA has to be performed for all processing operations (whether or not they are included in the list) that are likely to result in a high risk to the rights and freedoms of data subjects. The Lithuanian DPIA "blacklist" should also be read in conjunction with the Article 29 Working Party guidelines on the DPIA, as the latter clarify some of the terms used in the DPA's list, such as "large scale processing" or "vulnerable data subjects."
One of the more disputed processing operations included in the "blacklist" is processing of personal data "using innovative technologies or using existing technologies in a new way when personal data of vulnerable data subjects are processed." While "new technologies" are mentioned in Recitals 89 and 91, as well as Article 35(1), of the GDPR, controllers expressed concern with the overly broad and all-encompassing interpretation of this provision.
Importantly, the list refers to the large-scale processing in only one case (large-scale "invisible" data processing without providing the data subject with the Article 14 information), while in all other cases processing of data of a single individual could, arguably, trigger a DPIA.
Ex officio investigations planned for 2019
In February 2019, the DPA published a plan to carry out 75 ex officio investigations throughout the year. The supervisory authority set out to assess, to a varying degree, compliance with the GDPR requirements in the following contexts:
- Biometric data processing by the sports clubs.
- Compliance of the tourism and sports providers with the data minimization principle when concluding and executing rental agreements, as well as compliance with the obligation to inform data subjects about the processing of their data.
- Compliance with the data minimization principles when a guest’s personal data is being processed by the hotels.
- Data processing agreements concluded by the state institutions.
- Security of the data processed by the instant loan agencies for contractual purposes.
According to the DPA, enforcement priorities were determined based on the new data processing requirements under the GDPR, complaints lodged by the data subjects and a public opinion poll carried out in late 2018. For example, 59% of the poll respondents stated that, when it comes to processing of their data, they trust the instant loan agencies the least compared to other entities, such as banks or tax authorities.
Ex officio investigations will be carried out by written inquiries, on-site audits or a combination of the two. The DPA has to inform the concerned entity at least 10 working days before the on-site audit. One investigation may take up to five months (up to six months in exceptional and complex cases) and result in the DPA using its corrective powers where the instances of noncompliance are identified. The investigation into the biometric data processing by the sports clubs is currently ongoing, and its results should be made available in April.
On the DPA's website, one can find the ex officio investigation schedules dating back to 2014, but none of them has been discussed as extensively as the one released this year. The GDPR has generated, for various reasons, unprecedented attention to data protection issues in Lithuania, and the results of the DPA's investigations will show to what degree this interest has been translated into effective privacy management practices on the ground.