
LITHUANIA - Data Protection and GDPR Review

The history of data protection in Lithuania, like in other European Union (EU) member states, is shaped largely by the evolving legislative framework at the European level. However, it's important to remember that this information may not cover all developments up to the current date, and you may want to consult more current resources for the most up-to-date information. Here's an outline:

Pre-EU Data Protection Laws:

Prior to its EU membership, Lithuania had its own national data protection laws, reflecting a growing global awareness of the importance of safeguarding personal data. These laws were somewhat rudimentary compared to what exists now but laid the groundwork for more comprehensive legislation in the future.

EU Membership and Data Protection Directive:

Lithuania joined the EU in 2004, and one of the obligations as a member was the harmonization of its data protection laws with EU legislation. At that time, the EU Data Protection Directive (Directive 95/46/EC) was the prevailing law. The Directive set a precedent for how personal data should be handled but allowed for some flexibility at the national level. Lithuania adopted this framework, and the State Data Protection Inspectorate was responsible for oversight and enforcement.

General Data Protection Regulation (GDPR):

The adoption of the General Data Protection Regulation (GDPR) in 2018 was a milestone, not just for Lithuania but for all EU member states. The GDPR provides a much more rigorous framework for data protection, with stringent rules and heavy fines for non-compliance. Since GDPR is a regulation, rather than a directive, it has direct effect in Lithuania without the need for national legislation to implement it. Nevertheless, Lithuania, like other EU countries, also adopted national laws to complement the GDPR and address issues specific to the country.

Role of Institutions:

The State Data Protection Inspectorate in Lithuania plays an important role in overseeing compliance, investigating complaints, and enforcing penalties for violations. Its role has been further emphasized since the introduction of the GDPR, given the more stringent data protection requirements and greater public awareness about data protection issues.

Special Provisions and Local Issues:

Lithuania, like many other countries, has certain industry-specific data protection regulations, such as for healthcare, education, and employment, which have evolved over time. The GDPR allows member states to specify their own rules in certain areas, and Lithuania has made use of this to address national concerns.

Future Developments:

As data protection becomes an even more critical concern due to technological advances, Lithuania is likely to continue evolving its data protection laws and practices, both as a member of the EU and in response to national needs.

The overall aim of Lithuania's data protection history is to create a balanced environment that protects individual privacy while enabling lawful data processing for legitimate purposes.

Lithuania, as a member of the European Union, falls under the scope of the General Data Protection Regulation (GDPR). This comprehensive guide will explain what GDPR is, how it impacts Lithuania, and what businesses and individuals should be aware of in terms of compliance.

Guide Contents

  1. Introduction to GDPR

  2. State Data Protection Inspectorate: The Regulatory Body

  3. Key Principles of GDPR

  4. Individual Rights Under GDPR

  5. Data Protection Officer (DPO)

  6. Data Breaches and Penalties

  7. Special Provisions in Lithuania

  8. Tips for Compliance

  9. Summary

1. Introduction to GDPR

GDPR, which stands for General Data Protection Regulation, is a piece of legislation that aims to give citizens of the EU more control over their personal data and ensure that organizations handle data responsibly. It was implemented on May 25, 2018, and replaced the previous Data Protection Directive. The regulation applies to any entity, whether inside or outside the EU, that processes personal data of EU citizens.

2. State Data Protection Inspectorate: The Regulatory Body

In Lithuania, the State Data Protection Inspectorate is the main authority responsible for enforcing GDPR. This body is tasked with monitoring compliance, investigating complaints, and issuing penalties for non-compliance.

3. Key Principles of GDPR

Lawfulness, Fairness, and Transparency

Data should be processed lawfully, fairly, and transparently.

Purpose Limitation

Data should only be collected for specific and legitimate purposes.

Data Minimization

Only the data necessary for the stated purpose should be collected.


Accuracy

Data should be kept up to date and accurate.

Storage Limitation

Data should not be kept for longer than necessary.

Integrity and Confidentiality

Data should be processed securely to maintain its integrity and confidentiality.

4. Individual Rights Under GDPR

  • Right to Access: Individuals can request copies of their data.

  • Right to Rectification: They can also ask for incorrect data to be corrected.

  • Right to Erasure: Individuals have the right to request the deletion of their data.

  • Right to Restriction: Individuals can ask that their data not be processed under certain conditions.

  • Right to Data Portability: Individuals can request that their data be transferred to another service provider.

5. Data Protection Officer (DPO)

Organizations are often required to appoint a Data Protection Officer, especially if they process sensitive data or perform large-scale data processing. This person serves as the liaison between the company and regulatory bodies and is responsible for ensuring compliance.

6. Data Breaches and Penalties

In the event of a data breach, organizations are required to report it within 72 hours to the regulatory body and affected individuals. Penalties can be severe, with fines up to €20 million or 4% of the annual global turnover, whichever is higher.

7. Special Provisions in Lithuania

Lithuania has a set of national laws that complement GDPR, including special provisions in sectors such as healthcare, education, and employment. These laws often elaborate on the requirements for data protection impact assessments, the role of DPOs, and other sector-specific matters.

8. Tips for Compliance

  • Perform a data audit to understand what data you have and why you have it.

  • Update your privacy policy and inform your users.

  • Implement security measures to protect data.

  • Educate employees about GDPR and data protection measures.

9. Summary

Data protection in Lithuania is governed by both EU-wide GDPR laws and national provisions. Companies and individuals should be proactive in understanding their obligations and taking steps to comply with them to avoid severe penalties.

By adhering to GDPR and local data protection regulations, organizations can ensure that they not only comply with the law but also build trust with their customers.

