Lithuania - National Data Protection Law



    Law on the Protection of Personal Data XIIIP-2096 (2)

    The Lithuanian Parliament passed a fairly concise law on 30 June 2018, and it came into effect on 16 July 2018. This law is strongly focused on defining the powers of the supervisory authorities.

    Last Updated: July 24, 2019

  • General

    As with the other Member States, this law:

    1. mirrors the GDPR in general; and,
    2. adds provisions regulating specific aspects.

    Derogations and opening clauses

    In particular, this law:

    • keeps the old prohibition on processing national identification numbers where the purpose of the processing is direct marketing, or where the purpose is to make such numbers publicly available;
    • lowers the consenting age of minors to 14 years;
    • provides specific rules concerning the processing of personal data for employment purposes, however, these rules have to be interpreted under the umbrella of the relevant sectoral legislation (i.e. the Labour Code);
    • prohibits the processing of data concerning criminal offences and convictions of prospective employees, unless said processing is necessary to assess their suitability for the position (e.g. it would make little sense for the diplomatic service of a country hiring new employees not to run a background check on criminal offences; same goes for law enforcement agencies);
    • allows employers to collect information about a prospective employee from their former employer only after having informed the concerned candidate about it;
    • imposes the obligation on employers to inform their employees about video or audio surveillance, profiling, as well as location and tracking of movement;
    • only applies to foreign data controllers offering goods or services (or monitoring data subjects’ behaviour) if said controllers have designated representatives in Lithuania (which merits further analysis, because it seems to go against the spirit of the GDPR);
    • grants the DPA the authority to carry out investigations ex officio, which, in principle, should not exceed 4 months (although the period can be extended for another 2 months);
    • grants the DPA the right to access the facilities of natural and legal persons without prior notice (this right is subject to a court order only in the case of natural persons); and,
    • lays down more lenient fines for public authorities than those in the GDPR.

    Lithuanian law gives the DPA the power to accredit certification bodies, which will issue certifications in line with Article 43 GDPR. Certification will be issued abiding by data protection certification mechanisms. Certification mechanisms are to be developed by the Lithuanian DPA.

  • DatabreachPedia

    In Lithuania, there is a general requirement under the General Data Protection Regulation for data controllers to notify personal data breaches to their regulator and, in cases of likely high risk to the rights and freedoms of natural persons, also to the affected data subjects.

    Is it Mandatory to Notify Individuals?

    Yes, if the personal data breach is likely to result in a high risk to their rights and freedoms.

    Is it Mandatory to Notify Regulator?

    Yes, if the personal data breach is likely to result in a risk to the rights and freedoms of natural persons.

    Notification Deadline

    72 hours

    Responsible Regulator

    State Data Protection Inspectorate
    Valstybinė duomenų apsaugos inspekcija
    Žygimantų str. 11-6a
    011042 Vilnius

    Tel. + 370 5 279 14 45
    Fax +370 5 261 94 94

    Breach Notification Format

    Minimum requirements: nature of the breach, categories and approximate number of data subjects concerned, name and contact details of the DPO, likely consequences, and measures taken or proposed to be taken. The Lithuanian regulator advises that breach notifications be submitted through its secure electronic notification interface, and it provides online guidance on breach assessment and notification.
