Trademarks Trademarks
Trademarks
Design Design
Design
Patents Patents
Patents
Legal consultancy Legal consultancy
Legal consultancy
Technology and e-commerce Technology and e-commerce
Technology and e-commerce
Protection of personal data Protection of personal data
Protection of personal data
Contracts Contracts
Contracts
Copyright Copyright
Copyright
Disputes relating to trademarks, designs, inventions and copyright Disputes relating to trademarks, designs, inventions and copyright
Disputes relating to trademarks, designs, inventions and copyright
services
Trademarks Trademarks
Trademarks
Design Design
Design
Patents Patents
Patents
Legal consultancy Legal consultancy
Legal consultancy
Technology and e-commerce Technology and e-commerce
Technology and e-commerce
Protection of personal data Protection of personal data
Protection of personal data
Contracts Contracts
Contracts
Copyright Copyright
Copyright
Disputes relating to trademarks, designs, inventions and copyright Disputes relating to trademarks, designs, inventions and copyright
Disputes relating to trademarks, designs, inventions and copyright
services
Protection of personal data
Personal data

Personal data refers to any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a given name or surname, an identification number, location data, internet protocol (IP) address, cookie identifiers, ID card number or e-mail address if it contains the person’s given name and/or surname, or to one or more factors specific to the physical, physiological, genetic, economic, mental, cultural or social identity of that natural person. In other words, it can be either objective or subjective information about a person, and this information is not necessarily accurate. In legal terms, such a natural person qualifies as a data subject.

 

Any personal data that is anonymized in a manner that makes it impossible or no longer possible to identify the relevant person no longer qualifies as personal data. Furthermore, a company registration number and e-mail address that does not contain a person’s given name and/or surname (for instance, information@company.lt) does not qualify as personal data either.

Metida
First consultation is free
Protection of personal data

Protection of personal data is part of protection of human rights. The main objective is to protect and defend a person’s privacy when personal data is processed. Most of the personal data that are collected are private and in many instances sensitive, meaning that a person must be sure that his or her data will not be accessed by unauthorized persons or used for any unlawful purposes – for instance, for identity theft. It is also important for a data subject that only necessary data about him or her be collected. In other words, a data subject must be protected against the collection of excessive personal information. Consequently, it is very important for any business to take into account these aspects of protection of rights of data subjects.

 

In Lithuania, the legal protection of personal data is regulated by the Constitution of the Republic of Lithuania and the Law on Legal Protection of Personal Data of the Republic of Lithuania. The State Data Protection Inspectorate is the country’s competent authority that oversees protection of personal data and processing and use of personal data for business and professional purposes.

Role of personal data for businesses

Personal data are indispensable for businesses. In order to collect and process personal data, a business must identify appropriate legal bases and ensure that the natural persons whose data are collected are aware that their data are processed and be able to obtain information about their other rights. Businesses also need to protect their own legitimate interests.

 

A company must prove that it processes data appropriately; it is obligated to implement approved rules for data processing and protection. The purpose of such rules is as follows: 1) to provide a legal basis for data processing; 2) to make data processing understandable to employees and define employees’ responsibility for personal data processing; and 3) to prove that the organization has assumed the obligation to process data appropriately and lawfully. Data protection measures are essentially grounded in a data security policy and related documents.

Rights of data controllers

A data controller must have clearly defined purposes and a legal basis for achieving these purposes, and may collect and process personal data as well as provide them to third parties pursuant to enforced legislation. In certain cases, personal data may be processed in the process of representing a company’s legitimate interests, provided that such processing does not materially affect a data subject’s fundamental rights or freedoms. A data controller may also process personal data with the aim to fulfil its contractual obligations in respect of the relevant person or where there is a need to protect a natural person’s vital interests.

Requirements for personal data protection

The GDPR lays down new data protection requirements applicable to the following:

 

  • Personal data processing rules or privacy policy of organizations;
  • Appropriate storage, processing and control of personal data;
  • Rights of data subjects and implementation of those rights;
  • Consent from data subjects to the processing of their personal data;
  • Personal data breaches;
  • Customized data protection and data protection impact assessment;
  • Systems to verify a person’s age and consent from parents or legal representatives for the processing of children’s personal data;
  • Implementation of the right of data subjects to familiarize themselves with their personal data;
  • Choice of data protection supervisory authority, if an organization works internationally.
The General Data Protection Regulation

In the process of processing personal data, businesses must prove that they collaborate with data controllers and employees in order to ensure adherence to the EU General Data Protection Regulation (GDPR). Such collaboration must be based both on internal data protection rules and agreements regarding personal data processing with third parties, confidentiality agreements and other external mechanisms.

 

The EU General Data Protection Regulation became effective on 25 May 2018. Pursuant to the GDPR, a data controller or a data processor must implement appropriate technical and organizational measures to ensure and be able to prove that personal data are processed in adherence to the Regulation. The measures referred to above must be reviewed and updated as required.

 

Large fines may be imposed for failure to adhere to the GDPR. A fine for personal data breaches may be up to 2–4 per cent of a company’s total annual worldwide turnover of the preceding financial year or up to EUR 10–20 million.

 

Furthermore, the GDPR obligates organizations, if need be, to appoint a data protection officer or other external person responsible for assuring adherence to personal data protection requirements.

Rights of data controllers

A data controller must have clearly defined purposes and a legal basis for achieving these purposes, and may collect and process personal data as well as provide them to third parties pursuant to enforced legislation. In certain cases, personal data may be processed in the process of representing a company’s legitimate interests, provided that such processing does not materially affect a data subject’s fundamental rights or freedoms. A data controller may also process personal data with the aim to fulfil its contractual obligations in respect of the relevant person or where there is a need to protect a natural person’s vital interests.

We provide the following services related to personal data protection
Data processing audit and checks

We evaluate, in cooperation with our clients, whether the data processing undertaken by them is lawful and we provide related proposals, consultancy, recommendations and assess risks. This service enables customers to draft the required recommendations and documents and helps to prevent personal data breaches.

Drafting of documents related to personal data protection

We develop sets of documents (both for internal and external use) to make sure companies satisfy mandatory requirements and are able to properly implement and substantiate personal data processing.

Services of a data protection officer

At a customer’s request, we appoint an officer to supervise the processing of the customer’s personal data on an ongoing basis. The functions of the officer also include representation in relations with supervisory authorities, customers and partners.

In-house training on correct processing of personal data for customer organisations/companies

At a customer’s request, we familiarize the customer’s employees with personal data processing and related matters.

Assistance in resolution of disputes related to personal data processing

We represent customers in disputes related to personal data processing. This process may include a number of stages – from negotiations to representation in relations with supervisory authorities or in court.

Data processing audit and checks
Drafting of documents related to personal data protection
Services of a data protection officer
In-house training on correct processing of personal data for customer organisations/companies
Assistance in resolution of disputes related to personal data processing
Do you have any questions?
We will help you with your concerns
Will will get in touch with you!

Our website uses cookies in order to improve this website, to offer better and customised services. If you agree, press ‘Accept‘. We will not place cookies on your device if you do not agree. However, certain functions of the website may not function properly or may not function at all. Please see our Privacy policy for more information about personal data processing, cookies, data they collect and your rights.