- CHAPTER ONE GENERAL PROVISIONS
- CHAPTER TWO PERSONAL DATA PROCESSING
- CHAPTER THREE VIDEO SURVEILLANCE
- CHAPTER FOUR EVALUATION OF SOLVENCY AND DEBT MANAGEMENT
- CHAPTER FIVE RIGHTS OF THE DATA SUBJECT
- CHAPTER SIX SECURITY OF DATA
- CHAPTER SEVENR EGISTRATION OF DATA CONTROLLERS
- CHAPTER EIGHT TRANSFER OF PERSONAL DATA TO DATA RECIPIENTS IN FOREIGN COUNTRIES
- CHAPTER NINE MONITORING OF IMPLEMENTATION OF THIS LAW
- CHAPTER TEN ACCEPTABILITY AND INVESTIGATION OF COMPLAINTS
- CHAPTER ELEVEN LIABILITY
REPUBLIC OF LITHUANIA
LAW AMENDING THE LAW ON LEGAL PROTECTION OF PERSONAL DATA
11 June 1996 No. I-1374
Vilnius
(A new version of 1 February 2008, No. X-1444 )
Article 1. A New Version of the Law of the Republic of Lithuania on Legal Protection of Personal Data
The Law of the Republic of Lithuania on Legal Protection of Personal Data shall be amended and set forth to read as follows:
“REPUBLIC OF LITHUANIA
CHAPTER ONE
Article 1. Purpose, Objectives and Scope of the Law
1. The purpose of this Law is protection of an individual’s right to private life while processing personal data.
2. This Law shall regulate relations arising in the course of the processing of personal data by automatic means, and during the processing of personal data by other than automatic means in filing systems: lists, card indexes, files, codes, etc. The Law shall establish the rights of natural persons as data subjects, the procedure for the protection of these rights, the rights, duties and liability of legal and natural persons while processing personal data.
3. This Law shall apply to the processing of personal data where:
1) personal data are processed by a data controller who is established and operating in the territory of Lithuania, as part of its/his activities. Where personal data are processed by a branch office or a representative office of a data controller of Member State of the European Union or another state of the European Economic Area, established and operating in the Republic of Lithuania, such branch office or representative office shall be bound by the provisions of this Law applicable to the data controller;
2) personal data are processed by a data controller which is established in the territory other than the Republic of Lithuania but which is bound by the laws of the Republic of Lithuania by virtue of international public law (including diplomatic missions and consular posts);
3) personal data are processed by a data controller established and operating in a non-member state of the European Union or another state of the European Economic Area (hereinafter – third state), which uses personal data processing means established in the Republic of Lithuania, with the exception of cases where such means are used only for transit of data through the territory of the Republic of Lithuania, the European Union or another state of the European Economic Area. In the case laid down in this subparagraph, the data controller must have its representative – an established branch office or a representative office in the Republic of Lithuania which shall be bound by the provisions of this Law applicable to the data controller.
4. This Law shall not apply if personal data are processed by a natural person only in the course of his personal activities unrelated to business or profession.
5. When personal data are processed for the purposes of State security or defence, this Law shall apply only where other laws of the Republic of Lithuania do not provide otherwise.
6. This Law shall not restrict or prohibit free movement of personal data when fulfilling European Union membership commitments of the Republic of Lithuania.
7. This Law shall harmonise regulation of legal protection of personal data in the Republic of Lithuania with the European Union legal acts referred to in the Annex to this Law.
Article 2. Definitions
1. Personal data shall mean any information relating to a natural person, the data subject, who is identified or who can be identified directly or indirectly by reference to such data as a personal identification number or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
2. Data recipient shall mean a legal or a natural person to whom personal data are disclosed. The authorities supervising the implementation of this Law referred to in Articles 8 and 36 of this Law as well as other state and municipal institutions and agencies shall not be regarded as data recipients when they obtain personal data in response to a specific request for the purposes of fulfilling their control functions laid down in laws.
3. Disclosure of data shall mean disclosure of personal data by transmission or making them available by any other means (with the exception of publishing them in mass media).
4. Data processing shall mean any operation, which is performed with personal data such as collection, recording, accumulation, storage, classification, grouping, combining, alteration (supplementing or rectifying), disclosure, making available, use, logical and/or arithmetic operations, retrieval, dissemination, destruction or any other operation or a set of operations.
5. Data processing by automatic means shall mean any operation performed with personal data carried out in whole or in part by automatic means.
6. Data processor shall mean a legal or a natural person other than an employee of the data controller, processing personal data on behalf of the data controller. The data processor and/or the procedure of its/his nomination may be laid down in laws or other legal acts.
7. Data controller shall mean a legal or a natural person which alone or jointly with others determines the purposes and means of processing personal data. Where the purposes of processing personal data are laid down in laws or other legal acts, the data controller and/or the procedure for its/his nomination may be laid down in such laws or other legal acts.
8. Special categories of personal data shall mean data concerning racial or ethnic origin of a natural person, his political opinions or religious, philosophical or other beliefs, membership in trade unions, and his health, sexual life and criminal convictions.
9. Prior checking shall mean an advance inspection of processing data before it is started in the cases laid down in this Law.
10. Filing system shall mean any structured set of personal data arranged in accordance with specific criteria relating to the person, allowing an easy access to personal data in the file.
11. Consent shall mean an indication of will given freely by a data subject indicating his agreement to the processing of his personal data for the purposes known to him. His consent with regard to special categories of personal data must be expressed clearly, in a written or equivalent form or any other form giving an unambiguous evidence of the data subject’s free will.
12. Direct marketing shall mean an activity intended for offering goods or services to individuals by post, telephone or any other direct means and/or for obtaining their opinion about the offered goods or services.
13. Third party shall mean a legal or a natural person, with the exception of the data subject, the data controller, the data processor and persons who have been directly authorised by the data controller or the data processor to process data.
14. Internal administration shall mean activity which ensures an independent functioning of the data controller (structure administration, personnel management, management and use of available material and financial recourses, and clerical work).
15. Public data file shall mean a state register or any other data file which pursuant to laws and other legal acts is intended for the disclosure of information to the public and which may be lawfully used by the public.
16. Video surveillance shall mean processing of image data concerning natural person (hereinafter – image data) by using automated video surveillance means (video and photo cameras, etc.) irrespective of whether these data are recorded in a file or not.
CHAPTER TWO
PERSONAL DATA PROCESSING
Article 3. Requirements for Personal Data Processing
1. The data controller must ensure that personal data are:
1) collected for specified and legitimate purposes and later are not processed for purposes incompatible with the purposes determined before the personal data concerned are collected;
2) processed accurately, fairly and lawfully;
3) accurate and, where necessary, for purposes of personal data processing, kept up to date; inaccurate or incomplete data must be rectified, supplemented, erased or their further processing must be suspended;
4) identical, adequate and not excessive in relation to the purposes for which they are collected and further processed;
5) kept in a form which permits identification of data subjects for no longer than it is necessary for the purposes for which the data were collected and processed.
2. Personal data collected for other purposes may be processed for statistical, historical or scientific research purposes only in the cases laid down in laws, provided that adequate data protection measures are laid down in laws.
Article 4. Storage and Destruction of Personal Data
Personal data shall not be stored longer than it is necessary for data processing purposes. Personal data must be destroyed when they are no more needed for their processing purposes, with the exception of data which must be transferred to State archives in the cases laid down in laws.
Article 5. Criteria for Lawful Processing of Personal Data
1. Personal data may be processed if:
1) the data subject has given his consent;
2) a contract to which the data subject is party is being concluded or performed;
3) it is a legal obligation of the data controller under laws to process personal data;
4) processing is necessary in order to protect vital interests of the data subject;
5) processing is necessary for the exercise of official authority vested by laws and other legal acts in state and municipal institutions, agencies, enterprises or a third party to whom personal data are disclosed;
6) processing is necessary for the purposes of legitimate interests pursued by the data controller or by a third party to whom the personal data are disclosed, unless such interests are overridden by interests of the data subject.
2. It shall be prohibited to process special categories of personal data, except in the following cases:
1) the data subject has given his consent;
2) such processing is necessary for the purposes of employment or civil service while exercising rights and fulfilling obligations of the data controller in the field of labour law in the cases laid down in laws;
3) it is necessary to protect vital interests of the data subject or of any other person, where the data subject is unable to give his consent due to a physical disability or legal incapacity;
4) processing of personal data is carried out for political, philosophical, religious purposes or purposes concerning the trade-unions by a foundation, association or any other non-profit organisation, as part of its activities, on condition that the personal data processed concern solely the members of such organisation or to other persons who regularly participate in such organisation in connection with its purposes. Such personal data may not be disclosed to a third party without the data subject’s consent;
5) the personal data have been made public by the data subject;
6) the data are necessary, in the cases laid down in laws, in order to prevent and investigate criminal or other illegal activities;
7) the data are necessary for a court hearing;
8) it is a legal obligation of the data controller under laws to process such data.
3. The data about a person’s health may also be processed for the purposes and in the procedure laid down in Article 10 of this Law and other laws pertaining to health care.
4. Personal data relating to a person's record of conviction, criminal acts or security measures may be processed, for crime prevention, investigation purposes and in other cases laid down by laws, only by a state institution or agency in the manner laid down in laws. Other natural or legal persons may process such data in the cases laid down by laws provided that appropriate measures laid down in laws and other legal acts for the protection of legitimate interests of the data subject have been adequately implemented. Detailed data about previous convictions may be processed only according to the procedure laid by the Law on State Registers.
Article 6. Forms of Disclosure of Personal Data
In the cases laid down in this Law, personal data shall be disclosed under a personal data disclosure contract between the data controller and the data recipient in the case of a multiple disclosure or in response to a request of the data recipient in the case of a single disclosure. The contract must specify the purpose for which personal data will be used, the legal basis for disclosure and receipt, the conditions, the procedure of use and the extent of personal data that is disclosed. The request must specify the purpose for which personal data will be used, the legal basis for disclosure and receipt and the extent of personal data requested.
Article 7. Use of Personal Identification Number
1. Personal identification number is a unique sequence of digits. Personal identification number is assigned to a person in accordance with the procedure laid down in the Law on the Population Register.
2. It shall be permitted to use personal identification number when processing personal data only with the consent of the data subject, except in cases specified in paragraphs 4 and 5 of this Article, when the use of personal identification number shall be prohibited.
3. Personal identification number may be used without the consent of the data subject only if:
1) such a right is laid down in this and other laws;
2) a scientific or statistical research is carried out in the cases laid down in Articles 12 and 13 of this Law;
3) it is processed in State or institutional registers, provided that they have been officially set up in accordance with the procedure laid down in the Law on State Registers and in information systems provided that they have been set up in accordance with the procedure laid down in legal acts;
4) it is processed by legal persons involved in activities related to granting of loans and recovery of debts, insurance or financial leasing, health care and social insurance as well as in the activities of other institutions providing and administrating social care, educational establishments, science and studies institutions. Legal persons specified in this subparagraph may use personal identification number only for the purpose for which it has been received and only in these cases where it is necessary for a legitimate and specified purpose of personal data processing ;
5) classified data are processed in cases laid down by laws. LAW ON LEGAL PROTECTION OF PERSONAL DATA
GENERAL PROVISIONS