ECOVIS ProventusLaw invites you to its newest all-in-one essential compliance newsletter, June 2025 edition, on personal data protection and ICT regulation.
Lithuanian Court Upholds GDPR Breach Finding Against Vinted
On 22 May 2025, the Vilnius Regional Administrative Court dismissed Vinted’s complaint against the State Data Protection Inspectorate, upholding findings of multiple GDPR violations. The court confirmed that Vinted failed to provide users with clear information on data processing and account suspension, inadequately responded to erasure requests, and lacked proper accountability documentation. It also ruled that Vinted’s shadow banning practices lacked a legal basis and transparency, breaching Articles 5 and 6 of the GDPR. The decision, which followed referrals from French authorities, marks the first-instance ruling and is subject to appeal.
Lithuanian DPA Upholds Complaint Against UAB “Consilium optimum” for Unlawful Direct Marketing and GDPR Violation
On May 16, 2025, the State Data Protection Inspectorate (the Inspectorate) issued a decision upholding a complaint against UAB “Consilium optimum” concerning unlawful direct marketing practices and failure to comply with a data subject access request.
Background
The complaint was based on:
- A direct marketing email sent without the Complainant’s consent on May 29, 2024;
- A phone call offering services on May 30, 2024, despite consent being limited to calls only;
- A failure to respond to the Complainant’s access request submitted on May 31, 2024;
- Use of pre-checked boxes in contracts to obtain consent for data processing.
Inspectorate’s Findings
- The email constituted a breach of the Law on Electronic Communications, as no valid consent was obtained.
- Although the Complainant had given written consent for phone marketing, the email was clearly outside the permitted scope.
- The Respondent violated the General Data Protection Regulation (GDPR) by failing to respond to the Complainant’s data access request within the one-month deadline.
- The pre-checked boxes were flagged as non-compliant with consent requirements under the GDPR, which requires that consent be freely given, specific, informed, and unambiguous.
Decision and Orders
The Inspectorate:
- Upheld the complaint on both counts (direct marketing and data access);
- Ordered UAB “Consilium optimum” to:
  - Respond to the Complainant’s access request no later than July 13, 2025;
  - Ensure all direct marketing practices comply with consent requirements and relevant legal provisions by July 14, 2025.
The decision underscores the importance of obtaining clear, specific consent for each channel of communication and adhering to data subject rights under the GDPR.
EDPS Issues Opinion on EU Return Regulation Proposal, Urges Stronger Data Protection Safeguards
On 28 May 2025, the European Data Protection Supervisor (EDPS) issued an Opinion on the proposed Regulation establishing a common EU system for returning third-country nationals. While supporting harmonised return procedures, the EDPS stresses the need for a fundamental rights impact assessment and stricter data protection safeguards. Key recommendations include clear communication of return decisions, alignment with EU data protection law, and reinforced safeguards for data transfers—particularly involving criminal records and minors. The EDPS underscores that individuals must be informed of their rights and that personal data transfers must meet strict necessity and proportionality standards.
Key EDPS recommendations include:
- Ensuring individuals are properly informed about return decisions;
- Aligning the Proposal with EU data protection laws and related migration legislation;
- Strengthening safeguards for international personal data transfers, especially regarding criminal records and minors.
New Register of Lithuanian Cybersecurity Entities Established
The new Lithuanian Cybersecurity Entities Register has officially launched, listing 1,443 organisations across 11 critical and 7 important sectors. The expansion brings nearly five times as many entities as before, many of them from the private sector, under significantly increased cybersecurity obligations.
Under the revised Cybersecurity Law and the Government Resolution of 6 November 2024, all registered organisations must comply with stricter cybersecurity standards. Transitional deadlines have been set:
- 12 months for organisational requirements,
- 24 months for certain technical requirements,
both starting from the entity’s registration date.
To support implementation, the National Cyber Security Centre (NKSC) has made free services available via the KSIS platform.
Free Support: ECOVIS NIS2 Self-Assessment Tool
We have developed a free ECOVIS NIS2 Compliance Self-Assessment Tool to support your compliance journey. This tool is specifically designed to help organisations identify their current level of compliance, understand the regulatory gaps, and effectively plan the necessary steps toward full conformity with national cybersecurity standards.
You can check your organisation’s compliance with NIS2 requirements using our ECOVIS NIS2 self-assessment tool here: tis2.ecovis.lt
Whether you’re newly included in the Cybersecurity Entities Register or want to ensure readiness, our team of experts is here to assist. We provide tailored legal and regulatory guidance to help you navigate the organisational and technical requirements within the applicable transitional deadlines.
More about the Law on Cybersecurity of the Republic of Lithuania and the implementation of the NIS2 Directive here.
Italian DPA Fines Replika Developer €5 Million for GDPR Violations
On 10 April 2025, Italy’s Data Protection Authority (Garante) imposed a €5 million fine on U.S.-based Luka Inc., the developer of the AI chatbot Replika, citing multiple violations of the General Data Protection Regulation (GDPR). Following a self-initiated investigation, the Garante found that Luka Inc. lacked a valid legal basis for data processing, failed to provide transparent user information, and offered an insufficient privacy policy. Additionally, the company’s age verification mechanisms were deemed ineffective, exposing minors to the service despite claims to the contrary. Other breaches included failures in data protection by design and default, and violations of core GDPR principles such as transparency, purpose limitation, and accountability. The authority ordered Luka Inc. to rectify its data processing practices to ensure full GDPR compliance.
Lithuanian DPA Issues Warning to Prime Leasing for GDPR Right to Erasure Failure
The State Data Protection Inspectorate (SDPI) has issued a formal warning to UAB Prime Leasing following an investigation into its failure to respond to a data subject’s request to exercise their right to erasure under the GDPR. The original request, submitted on 20 December 2022, went unanswered due to a human error by an external service provider, which failed to forward it to the appropriate internal team. A second request on 29 February 2024 was fulfilled promptly, and the company has since introduced procedures to prevent similar lapses.
The SDPI identified violations of the following GDPR provisions:
- Article 12(3): Failure to respond within the required one-month deadline;
- Article 17: Unjustified retention of personal data, violating the right to erasure;
- Article 24(1): Insufficient internal controls and accountability measures;
- Article 25(1): Lack of data protection by design and by default.
Taking into account the corrective actions taken, the absence of prior infringements, and the ultimately fulfilled request, the SDPI issued a warning pursuant to Article 58(2)(b) of the GDPR instead of imposing a fine.