RegRally Insights: Personal Data Protection and ICT Regulation – April 2025

ECOVIS ProventusLaw invites you to its newest all-in-one essential compliance newsletter, April 2025 edition, on personal data protection and ICT regulation.

Lithuanian Data Protection Authority Sanctions Company for Unsolicited Marketing Emails

In a recent decision, the State Data Protection Inspectorate (VDAI) found a company in violation of the Republic of Lithuania Law on Electronic Communications (ERĮ) for sending unsolicited marketing emails without prior consent.

The company acknowledged that its database was compromised in December 2024, resulting in the unauthorized addition of new email addresses. Although it removed the compromised data and halted marketing activities, the VDAI concluded that it failed to demonstrate valid consent from recipients, as required under Article 81 of ERĮ.

Key Takeaways:

  • Consent is mandatory before sending marketing communications.
  • Companies must maintain evidence of consent.
  • VDAI directed the company to obtain valid consent for future campaigns.
  • Enhanced data protection measures were recommended to avoid recurrence.

Lithuanian Supreme Court: Unlawful Data Access by Public Agency Breaches GDPR

In a ruling issued on March 26, 2025, the Supreme Administrative Court of Lithuania (LVAT) upheld the decision of the State Data Protection Inspectorate, confirming that the Public Management Agency unlawfully accessed personal data from the State Civil Servants Register (VATARAS).

Over a two-year period, 19 employees accessed an individual’s data 244 times without legal grounds. The Agency failed to properly inform staff about data protection obligations and did not monitor how data was accessed, violating the General Data Protection Regulation (GDPR).

LVAT emphasized that:

  • Unlawful and unmonitored access to personal data is a serious breach of GDPR Article 5.
  • The data controller—in this case, the Agency—is responsible for ensuring lawful processing, even if it is not the register administrator.
  • The Agency’s attempt to shift liability to individual employees was rejected; employers must set and control the means and purposes of processing.

Recommendations for Institutions:

1. Ensure Lawful and Transparent Data Processing

  • Establish and document a clear legal basis for processing personal data (GDPR Articles 5 and 6).

2. Implement Robust Access Controls

  • Limit access to personal data strictly to authorized personnel.
  • Apply role-based access controls (RBAC) to avoid unnecessary access.

3. Enhance Monitoring and Auditing

  • Monitor systems for unauthorized data access.
  • Maintain logs and activate alerts for suspicious activity.

4. Strengthen Employee Awareness

  • Provide regular GDPR training.
  • Require staff to acknowledge internal data handling policies.
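The recommendations on access controls, monitoring and logging above are stated at policy level. As an added example (not part of the newsletter and not something VDAI or LVAT published), the following Python script shows what the "maintain logs and activate alerts" step can look like for a register of personal data: it reads an access log in which every lookup is expected to carry a reference to its legal basis, lists lookups made without one, and flags data subjects whose records are viewed by unusually many employees or unusually often, the pattern at issue in the LVAT case. The log format, the employee and subject identifiers, the `CASE-` reference style and the alert thresholds are all constructed assumptions for illustration.

```python
"""
Added example: reviewing a personal-data register's access log for lookups
with no documented legal basis and for concentration of lookups on one subject.
Log format, identifiers and thresholds are constructed assumptions, not a real
register's schema.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample log: <timestamp> <employee> <subject record> <legal-basis ref or "-">
SAMPLE_LOG = """\
2025-01-10T09:12:00 emp01 subj-1001 CASE-2025-17
2025-01-10T09:15:00 emp02 subj-1001 -
2025-01-11T14:02:00 emp02 subj-1001 -
2025-01-12T10:30:00 emp03 subj-1001 -
2025-01-12T10:31:00 emp03 subj-1001 -
2025-01-12T10:35:00 emp03 subj-1001 -
2025-01-13T08:00:00 emp04 subj-2002 CASE-2025-20
2025-01-14T16:45:00 emp05 subj-1001 -
"""


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    employee: str
    subject: str
    basis: Optional[str]  # reference to the documented legal basis; None if none was recorded


def parse_log(text: str) -> list:
    """Parse the constructed log format into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, employee, subject, basis = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), employee, subject,
                                  None if basis == "-" else basis))
    return events


def accesses_without_basis(events: list) -> list:
    """Every lookup that did not record a legal basis is a candidate unlawful access."""
    return [e for e in events if e.basis is None]


def subject_concentration(events: list, max_employees: int = 2, max_accesses: int = 5) -> dict:
    """Flag subjects whose records were opened by more than max_employees distinct
    employees, or more than max_accesses times in total (thresholds are assumptions)."""
    per_subject = defaultdict(list)
    for e in events:
        per_subject[e.subject].append(e)
    alerts = {}
    for subject, evs in per_subject.items():
        employees = {e.employee for e in evs}
        if len(employees) > max_employees or len(evs) > max_accesses:
            alerts[subject] = {"accesses": len(evs), "employees": sorted(employees)}
    return alerts


def review(text: str, **thresholds) -> dict:
    """Run both checks and return a summary suitable for an alert or audit report."""
    events = parse_log(text)
    unjustified = accesses_without_basis(events)
    return {
        "total": len(events),
        "unjustified": len(unjustified),
        "unjustified_by_employee": dict(Counter(e.employee for e in unjustified)),
        "concentration": subject_concentration(events, **thresholds),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The design choice worth noting is that the legal basis is captured at the moment of access, so the audit question "why was this record opened?" is answered by the log itself rather than reconstructed from employees' recollections afterwards, which is the evidence the Agency in the LVAT case could not produce.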

VDAI Ruling: Failure to Respect Opt-Out Request Violates GDPR

In a recent decision, the State Data Protection Inspectorate (VDAI) ruled that a multi-apartment building management company violated the General Data Protection Regulation (GDPR) by continuing to send payment reminder emails to a resident who had formally objected to receiving such messages.

Key Findings:

  • The company relied on legitimate interest under GDPR Article 6(1)(f) to process personal data and send reminders to ensure building maintenance payments.
  • However, under GDPR Article 21, individuals can object to processing based on legitimate interests.
  • The company failed to respect this right in a timely manner, initially citing technical limitations as the reason it could not exclude the resident from automated reminders.
  • Even after manually removing the reminder system, other notifications continued, raising concerns about insufficient control over data processing preferences.

VDAI Conclusions:

  • The payment reminders were lawful, but failing to promptly act on the opt-out request constituted a violation.
  • Technical limitations cannot justify non-compliance—companies must ensure their systems are designed to respect data subject rights from the outset.
  • Articles 24 and 25 of the GDPR require data controllers to implement privacy by design and default.

VDAI: Company Breached GDPR by Ignoring Direct Marketing Opt-Out

The State Data Protection Inspectorate (VDAI) upheld a complaint against a company for failing to process a data subject’s request to opt out of direct marketing. Despite using a designated email address for marketing, the company did not monitor it for replies. It failed to implement proper technical and organisational measures to respect data subject rights under GDPR and national law. VDAI emphasised that technical limitations do not exempt controllers from ensuring individuals can exercise their rights effectively.

Recommendation:

Following the VDAI ruling, organizations must review and strengthen their processes to ensure data subjects can effectively exercise their right to object to direct marketing. Each marketing message must include a free and easy-to-use opt-out option. Opt-out requests should be properly received, logged, and processed promptly. Email addresses designated for such requests must be functional and actively monitored. If the system cannot process replies, alternative contact methods must be clearly provided.
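The two VDAI decisions above turn on the same design failure: an objection was received on one channel but not enforced on every message the company sent. As an added example (not from the newsletter, VDAI, or either company), the Python below shows the structure that satisfies both rulings: inbound replies to the sending address are scanned for an objection, every objection is recorded with a timestamp and its source, and one gateway checks that register before sending any message that relies on legitimate interest, whatever its type. The opt-out phrases, the message types and the sample mailbox contents are constructed assumptions.

```python
"""
Added example: an objection register enforced at a single send gateway, so that
an opt-out received by reply suppresses payment reminders and every other
legitimate-interest notification alike. Phrases, message types and sample
data are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed list of phrases treated as an objection when found in a reply.
OPT_OUT_PHRASES = ("unsubscribe", "opt out", "opt-out", "i object", "stop sending")


@dataclass
class ObjectionRegister:
    """Records who objected, when, and through which channel (the evidence a
    controller needs to show it acted on the request)."""
    entries: dict = field(default_factory=dict)  # normalised email -> (timestamp, source)

    @staticmethod
    def _key(email: str) -> str:
        return email.strip().lower()

    def record(self, email: str, when: datetime, source: str) -> None:
        key = self._key(email)
        if key not in self.entries:           # keep the earliest objection date
            self.entries[key] = (when, source)

    def is_suppressed(self, email: str) -> bool:
        return self._key(email) in self.entries


def process_inbound_reply(register: ObjectionRegister, sender: str, body: str, when: datetime) -> bool:
    """Scan a reply received at the sending address; register an objection if one is expressed."""
    text = body.lower()
    if any(phrase in text for phrase in OPT_OUT_PHRASES):
        register.record(sender, when, "email-reply")
        return True
    return False


def send_notifications(register: ObjectionRegister, queue: list) -> tuple:
    """The only path by which legitimate-interest messages leave the system.
    Returns (sent, blocked); every message type passes the same check."""
    sent, blocked = [], []
    for msg in queue:
        (blocked if register.is_suppressed(msg["to"]) else sent).append(msg)
    return sent, blocked


# Constructed sample data: two replies to the sending mailbox and a mixed outbound queue.
INBOUND_REPLIES = [
    ("Resident.A@example.com", "Please stop, I object to these reminders.", "2025-02-01T10:00:00"),
    ("b@example.com", "Thanks, payment received.", "2025-02-01T11:00:00"),
]
OUTBOUND_QUEUE = [
    {"to": "resident.a@example.com", "type": "payment_reminder"},
    {"to": "resident.a@example.com", "type": "meeting_notice"},
    {"to": "b@example.com", "type": "payment_reminder"},
]


def run_demo() -> dict:
    register = ObjectionRegister()
    for sender, body, ts in INBOUND_REPLIES:
        process_inbound_reply(register, sender, body, datetime.fromisoformat(ts))
    sent, blocked = send_notifications(register, OUTBOUND_QUEUE)
    return {
        "suppressed": sorted(register.entries),
        "sent": [(m["to"], m["type"]) for m in sent],
        "blocked": [(m["to"], m["type"]) for m in blocked],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two details carry the compliance point. Addresses are normalised before lookup, so a reply from `Resident.A@example.com` suppresses mail to `resident.a@example.com`; and the check lives in the gateway rather than in the reminder job, which is what stops "other notifications" from continuing after the reminder system has been switched off for one person.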

VDAI: Crisis Center’s Video Surveillance Deemed Excessive and Non-Compliant with GDPR

The State Data Protection Inspectorate (VDAI) found that a crisis center’s video surveillance practices violated GDPR requirements. Cameras were installed not only in common areas but also in more private locations, such as near restrooms and dining spaces—exceeding what is necessary and proportionate under Article 6(1)(f) GDPR. Furthermore, the center failed to adequately inform residents about the surveillance, providing only vague warning signs rather than clear, accessible details as required by Articles 13 and 14. While a complainant expressed disagreement with the data processing, VDAI noted no formal objection was submitted, and thus this part of the complaint was dismissed.

VDAI Issues Recommendations to Online Stores on Personal Data Security

Following its 2024 monitoring of 10 e-commerce platforms, the State Data Protection Inspectorate (VDAI) has issued practical recommendations to strengthen GDPR compliance. The assessment focused on privileged access, data deletion, encryption, and change management.

Key Recommendations:

  • Access Rights: Regularly audit privileged access and use monitoring tools to detect misuse.
  • Data Deletion: Implement clear, documented procedures to securely delete data once retention periods expire.
  • Encryption: Apply and periodically review encryption measures for data in transit and at rest.
  • Change Management: Establish strict procedures to assess, document, and approve system changes.
  • Policy Review: Keep the data protection policy current, covering all key technical and organisational safeguards.

EDPB Updates Procedure for Approving Binding Corporate Rules (BCRs)

The European Data Protection Board (EDPB) has revised the procedure for how EU privacy authorities assess Binding Corporate Rules (BCRs) used for international data transfers under the GDPR. Under the new process, the competent supervisory authority will first approve the BCRs in line with the GDPR’s consistency mechanism (Article 63), after which the EDPB will provide a non-binding opinion on the draft decision.

EU Proposes Six-Month Extension of UK Data Adequacy Decisions

On March 18, 2025, the European Commission proposed extending the UK’s data adequacy decisions by six months, allowing unrestricted personal data transfers under the GDPR and the Law Enforcement Directive. Originally set to expire on June 27, 2025, the extension would remain in effect until December 27, 2025, giving the UK time to finalise its Data (Use and Access) Bill. The European Commission will reassess adequacy based on the finalised legislation before proposing a long-term renewal. The draft decisions have been sent to the European Data Protection Board for opinion.
