Edita Ivanauskiene, Attorney at law, Patent attorney, EiiP

On 16 July 2018 a new edition of the Law on Legal Protection of Personal Data (the Law) entered into force in Lithuania. This grand change of the Law has been affected by the need to adjust national provisions of personal data protection with respect to the General Data Protection Regulation (the GDPR) applicable from 25 May 2018.

Although the provisions of the GDRP have direct legal effect in Lithuania, there are certain areas in which the GDPR leaves it to Lithuania and other member states to adopt their own national rules:

(i)                 the balance between the right to protection of personal data under the GDPR and the right to freedom of expression and information, including the processing of personal data for journalistic purposes and the purposes of academic, artistic or literary expression (Art.17(3), 85);

(ii)               the age of child who is offered the information society services to give consent (Art. 6, 8);

(iii)             processing of personal data contained in official documents in order to find the balance between public access to official documents with the right to the protection of personal data (Art. 86);

(iv)             determining the conditions regarding the processing of national ID numbers (Art. 87);

(v)               creating new laws or conclude collective agreements to ensure the protection of personal data in the context of national employment law (Art.9(2)(b), 88);

(vi)             under certain conditions restricting the data subject’s rights to access, rectification, restriction of processing and to object when it comes to the processing of their personal data for scientific, historical or statistical purposes (Art. 89);

(vii)           imposing specific obligations onto controllers or processors that are subject to an obligation of professional secrecy (Art.9(2)(i), (3), 14(5)(d), 54(2), 90);

(viii)         processing personal data in the context of churches and religious establishments (Art. 91).

Lithuania has chosen to regulate specifically the following areas in the Law:


Processing of Personal code


A personal code may be processed when one of the conditions for the legal processing of personal data referred to in Article 6(1) of the GDPR is satisfied. It is forbidden to communicate the personal code into public and to process personal code for direct marketing purposes (Art. 3).

Processing of personal data for journalistic purposes and the purposes of academic, artistic or literary expression

When personal data is processed for journalistic or academic, artistic or literary purposes, Article 8(Conditions applicable to child’s consent in relation to information society services), Articles 12 to 23 (Rights of the data subject), Article 25 (Data protection by design and by default), Article 30 (Records of processing activities), Articles 33 to 39 (Notification of a personal data breach to the supervisory authority, Communication of a personal data breach to the data subject, Data protection impact assessment, Prior consultation, Data protection officer, Position of the data protection officer, Tasks of the data protection officer), Articles 41 to 50 (Monitoring of approved codes of conduct, Certification, Certification bodies, Transfers of personal data to third countries or international organisations), Articles 88 to 91 (Processing in the context of employment, Safeguards and derogations relating to processing forarchiving purposes in the public interest, scientific or historicalresearch purposes or statistical purposes, Obligations of secrecy) of the GDPR shall not apply (Art. 4).

Peculiarities of the processing of personal data in relation to employment relations 


It is forbidden to process the prospective employee‘s, candidate’s and the employee’s personal data about convictions and criminal offenses, except when such personal data are necessary to verify that a person meets the requirements prescribed by laws and implementing legislation for performing duties or work functions (Art. 5(1)).


The data controller may collect personal data relating to qualifications, professional abilities and business characteristics of a candidate applying for a job or for performing work functions from a former employer if the data controller has informed the candidate about it beforehand, if from the existing employer – the consent of the candidate is needed (Art. 5(2)).


Processing of video and / or audio data in the workplace and at the controller’s premises or in the areas where his staff work, processing of personal data relating to the monitoring of employees’ behavior, location or movement, requires to inform the staff of such processing of their personal data in writing or in other way which proves the fact of informing and providing the staff information referred to in Article 13(1) and (2) of the GDRP (Art. 5(3)).


The provisions of Article 5 also apply to the processing of personal data of persons who work on the basis of legal relations equal to the employment relations specified in the Law on Employment of the Republic of Lithuania and personal data of candidates applying for work on these grounds. That means that the mentioned above provisions of Art. 5 apply to persons who work or is a candidate for duties in civil service, diplomatic service and in all other cases when the legal relations indicated in Art. 4(3) is equaled to employment relations.


The age of the child who is offered the information society services to give consent


When information society services are directly offered to the child, the processing of the child’s personal data is legal if consent is given by a child under 14 years of age in accordance with Article 6(1) (a) of the GDPR.


For more information or advice, please contact Edita Ivanauskiene by phone +37068611584 or by email: