Privireal Home Page Privacy in Research, Ethics and Law
"examining the implementation of the Data Protection Directive 95/46/EC
in relation to medical research and the role of ethics committees"

Lithuania - Data Protection

History of Data Protection in LITHUANIA

The Lithuanian Law on the Legal Protection of Personal Data of 11 June 1996, which implements Directive 95/46/EC, was amended on 17 July 2000 and then again on 21 January 2003.

The State Data Protection Inspectorate predates this, having been established on 10 October 1996 by Resolution 185 of the Lithuanian Government. It commenced its work on 3 February 1997. In October 2001, the Inspectorate was restructured, and became a Governmental Institution, although it maintains its independence as it supervises the fulfilment of the Law on Legal protection of Personal Data.

Summary of Data Protection in LITHUANIA

Title of Data Protection Legislation Law on the Legal Protection of Personal Data
Name of supervisory authority State Data Inspectorate
General Powers of supervisory authority Article 29 of the Law on the Legal Protection of Personal Data provides the legal basis for the State Data Inspectorate. Article 31. sets out the Functions of the Inspectorate, including administering the Register of Personal Data Controllers, and supervising the activities of the registered data controllers;
examining personal requests and complaints;
checking the lawfulness of personal data processing and take decisions in respect of the breaches of personal data processing;
granting authorisations to data controllers to disclose personal data to data recipients in third countries. Article 32(1) grants powers to the Inspectorate. These include powers to obtain access to premises where documents and equipment used for personal data processing are stored;
to make recommendations and give instructions to data controllers with regard to personal data processing and protection;
to take part in legal proceedings involving violations of international and national law on personal data protection.
Who has standing to notify the supervisory authority of breaches? Probably anybody, but certainly the data subject. See Law on the Legal protection of Personal Data, Article 17 and Article 31(2).
What are the penalties for data controllers if they breach the law? The penalties for breaches are not listed in the Law on the Legal Protection of Personal Data. However, Article 34 does state that a person who has suffered damage as a result of unlawful processing of data "or any other acts or omissions by the data controller" is entitled to claim compensation.
Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? Yes. See Article 7 of the Law on the Legal Protection of Personal Data, entitled 'Use of Personal Identification Number'. Article 7(2) states that to process a personal identification number, the consent of the data subject must be obtained. Article 7(3) states that the "personal identification number may be used when processing personal data without the consent of the data subject only if: 1) such a right is stipulated in this Law and other laws;
2) for research or statistical purposes in cases specified in Articles 12 and 13 of this Law;
3) in state registers and information systems provided that they have been officially approved under law;
4) it is used by legal persons involved in activities related to granting of loans, recovery of debts, insurance or leasing, health care and social insurance as well as in the activities of other institutions of social care, educational establishments, research and studies institutions, and when processing classified data in cases provided by law".
Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? It is probably necessary to get consent when is not impracticable or inappropriate.
Does the Data Protection Legislation cover the deceased? No, but other law's extend protection to the deceased. Article 2.3 of the Civil Code states that spouses, parents or children can give consent to use the deceased's personal information, which must otherwise remain private. The Law on The Rights of Patients and Compensation of the Damage to their Health states in Article 10.2 that "All of the information concerning the condition of the patient's health, diagnosis, prognosis and treatment, and also, all of the other information of personal nature concerning the patient, must be held as confidential, even after the patient's death". The Ministry of Health Decree on Confidentiality 1999/12/16 no. 552 in paragraph 7 states that "information related to person's health remains confidential even after the patient's death".
Who is able to indirectly identify the data subject? Anybody

Laws and Regulations

Institutions