RegRally Insights: Personal Data Protection and ICT Regulation, July 2026

RegRally Insights: Personal Data Protection and ICT Regulation, July 2026

European and Lithuanian data protection regulators continue to strengthen expectations around practical GDPR compliance, cybersecurity and AI governance. Recent developments demonstrate an increased focus on incident response, technical security measures, transparency obligations and accountability, while supervisory authorities continue to enforce compliance through significant fines and targeted guidance.

This edition covers key regulatory updates from the EDPB and the Lithuanian State Data Protection Inspectorate (VDAI), including new guidance on personal data breach notifications, enforcement actions concerning cybersecurity, cookies and lawful processing, as well as practical recommendations to help organisations strengthen their GDPR and ICT compliance frameworks.

EDPB Publishes Data Breach Notification Template

The European Data Protection Board (EDPB) has adopted a common template for data breach notifications to improve GDPR compliance and harmonize reporting processes across Europe. This new template is designed to help organizations notify Data Protection Authorities (DPAs) in a clear, consistent, and timely manner when a personal data breach occurs. By providing a structured format, the template aims to reduce confusion and streamline communication between organizations and regulators.

The template includes predefined options and detailed guidance on how to complete each section, addressing the information requirements set out in Article 33 of the GDPR. This helps ensure that notifications contain all necessary details about the breach, such as its nature, scope, and potential impact on individuals. The standardized approach is especially beneficial for smaller organizations that may lack dedicated legal or data protection staff, simplifying the notification process and reducing administrative burdens.

To promote transparency and gather diverse perspectives, the EDPB has opened the template for public consultation until August 5, 2026. Stakeholders from various sectors are encouraged to provide feedback on the template’s content and usability. After the consultation period, the EDPB will finalize the template and set a timeline for its implementation by all DPAs across the EU.

Overall, the adoption of this common data breach notification template represents a significant step toward greater consistency and efficiency in GDPR enforcement. It supports quicker incident reporting, facilitates better coordination among DPAs, and ultimately helps protect individuals’ personal data by enabling faster responses to breaches across Europe.

Recommended actions

Organisations should review and update their personal data breach response procedures to ensure they align with the EDPB’s proposed common notification template. Establishing clear internal reporting processes, maintaining accurate records of security incidents, and ensuring that all information required under Article 33 GDPR can be collected promptly will help facilitate timely and complete breach notifications. Businesses should also consider participating in the public consultation to provide feedback on the template before it is finalised.

Source: EDPB | Date: 12 June 2026
Link

Meta’s AI Training Program Collects European Employee Data

Meta’s Model Capability Initiative (MCI), a program designed to collect data from employee workstations in the US for AI training, is reportedly capturing more European data than the company has publicly admitted. Internal documents reveal that MCI records emails and chats exchanged between US-based employees and their European colleagues. This raises concerns about compliance with the European Union’s General Data Protection Regulation (GDPR), particularly regarding the scope and purpose of data collection.

The main issue lies in the fact that Meta has consistently stated that MCI only operates on US work devices and does not monitor European employees. However, the internal evidence shows that any communication US employees have with European coworkers or customers is included in the data collected for AI training. Privacy experts argue that this practice conflicts with GDPR’s purpose limitation principle, which restricts the use of personal data to the purpose for which it was originally collected-in this case, workplace communication, not AI training.

Legal advisors from the Vienna-based NOYB organization highlight that repurposing employee communications for AI training without proper consent violates GDPR, even if European employees themselves are not directly monitored. The volume and regularity of data capture suggest that the processing is systematic rather than incidental, which could lead to regulatory action by the Irish Data Protection Commission, Meta’s lead EU privacy supervisor. The case adds to ongoing tensions between Meta and European regulators over data protection and privacy compliance.

Meta’s AI training program relies heavily on detailed data about how employees use various workplace tools, giving it a competitive advantage. However, this approach exposes the company to significant legal risks under GDPR, especially since European employees’ data is being processed without clear safeguards. The outcome of this case may set important precedents for how AI training data involving cross-border communications is handled under European data protection laws.

Recommended actions

Organisations developing or deploying AI systems should carefully assess whether personal data collected for one purpose may lawfully be reused for AI training. Before repurposing employee or customer communications, businesses should identify an appropriate legal basis under the GDPR, assess compliance with the purpose limitation and transparency principles, and, where necessary, conduct a Data Protection Impact Assessment (DPIA). Employers should also ensure that internal policies clearly explain how workplace communications may be processed and implement appropriate safeguards to minimise legal and regulatory risks associated with AI training.

Lithuanian DPA Fines InMedica EUR 450,000 for GDPR Security Failures

The Lithuanian State Data Protection Inspectorate (VDAI) has imposed a EUR 450,000 administrative fine on healthcare provider InMedica for infringements of the General Data Protection Regulation (GDPR) relating to inadequate security measures that resulted in personal data breaches.

The decision follows two separate investigations, which were later consolidated into a single enforcement proceeding.

The first investigation was initiated by the VDAI after publicly available information emerged in September 2024 regarding an alleged security incident affecting Kardiolita. According to reports, an unauthorized third party gained access to the company’s internal patient information system, exposing patients’ personal data. Based on this information, the VDAI launched an ex officio investigation into potential GDPR violations.

The second investigation was opened following InMedica’s notification of a personal data breach involving a ransomware attack. During the incident, four IT systems containing patients’ and employees’ personal data were encrypted by attackers.

Following its investigations, the VDAI concluded that both organisations had failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required under the GDPR.

In particular, the authority found that:

  • multi-factor authentication (MFA) was not implemented for employees or privileged users accessing systems remotely via the internet;
  • access to systems containing personal data was not sufficiently restricted to authorised personnel;
  • password requirements did not meet appropriate complexity standards (in the case of Kardiolita); and
  • deficiencies in access control and authentication significantly increased the risk of unauthorised access to personal data.

Since 25 June 2025, InMedica became the legal successor to Kardiolita, assuming all of its rights and obligations. Consequently, the administrative fine was imposed on InMedica.

The VDAI found infringements of:

  • Article 24(1) GDPR (Responsibility of the controller);
  • Article 32(1)(b) GDPR (Security of processing); and
  • Article 5(1)(f) GDPR (Integrity and confidentiality principle).

Recommended actions

This decision highlights the importance of implementing risk-based technical and organisational security measures in line with Articles 24 and 32 GDPR. Organisations should regularly review their cybersecurity frameworks, ensure that multi-factor authentication is enabled for remote and privileged access, enforce robust password and access management policies, and periodically assess whether user access rights remain appropriate. Regular security audits, vulnerability assessments, employee cybersecurity training, and tested incident response plans are also essential to reducing the risk of personal data breaches and mitigating potential regulatory sanctions.

Source: VDAI
Link

Lithuanian DPA Issues Reprimand Over Cookie Compliance

VDAI has issued a decision following a follow-up inspection of a company’s compliance with an earlier order concerning cookie practices on its website. The inspection assessed whether the company had implemented the corrective measures required by the authority after a previous investigation. Although the company stated that its cookie banner had been updated and that analytics and marketing cookies were only placed after obtaining user consent, the VDAI identified two remaining compliance issues.

First, VDAI found that a non-essential cookie (“livin_wishlist”) was still being stored on users’ devices before consent had been obtained. According to the VDAI, this practice violates Article 73(4) of the Republic of Lithuania Law on Electronic Communications, which permits non-essential cookies only after users have given informed consent.

Second, the Inspectorate concluded that the information explaining the purpose of cookies was available only in English. As the website primarily targets users in Lithuania, the authority held that this does not satisfy the GDPR transparency principle. Privacy information must be presented in clear, understandable language appropriate for the intended audience.

As a result, VDAI determined that the company had failed to fully comply with its previous enforcement order. VDAI issued:

  • a reprimand for failure to comply with the earlier corrective order; and

a new order requiring the company to:

  • ensure that all non-essential cookies are activated only after obtaining valid user consent; and
  • provide cookie-related information in Lithuanian to ensure transparency for users.

The decision serves as another reminder that cookie compliance extends beyond implementing a consent banner. Organisations must ensure that no non-essential cookies are set before consent is obtained and that cookie notices are provided in a language that is clear and accessible to the website’s target audience.

Recommended actions

Organisations should review their websites to ensure that:

  • no non-essential cookies are placed or accessed before valid user consent has been obtained;
  • all cookies classified as “necessary” genuinely meet the legal criteria for exemption from the consent requirement;
  • cookie consent mechanisms accurately reflect the website’s actual technical behaviour;
  • cookie notices and consent interfaces are provided in the language(s) of the website’s target audience and are clear, transparent, and easy to understand;
  • regular technical audits are carried out to verify that website updates or third-party tools have not introduced cookies that bypass the consent mechanism; and
  • periodic compliance reviews are performed to ensure that previous remediation measures remain effective over time.

The decision also demonstrates that supervisory authorities may verify not only whether an organisation has formally implemented corrective measures, but also whether those measures function correctly in practice. Organisations should therefore combine legal review with periodic technical testing of their cookie management solutions to reduce the risk of regulatory action.

Source: VDAI | Date: 25June 2026
Link

Lithuanian DPA: Randomly Generated Phone Numbers Are Still Personal Data

VDAI has issued a reprimand to a company after finding that it unlawfully processed an individual’s personal data by calling a randomly generated telephone number for the purposes of a public opinion survey.

The complaint arose after an individual received an unsolicited telephone call inviting her to participate in a survey. The company explained that it did not obtain the individual’s phone number from any database but instead used software that randomly generated telephone numbers. It argued that the processing was based on its legitimate interests under Article 6(1)(f) GDPR.

VDAI rejected this argument. It emphasised that the method by which a telephone number is obtained is not decisive. Once a randomly generated number belongs to an identifiable individual, it constitutes personal data within the meaning of the GDPR. Consequently, generating and calling such a number amounts to the processing of personal data and requires a valid legal basis.

VDAI further noted that although the company relied on legitimate interests, it failed to demonstrate why that legal basis was applicable. In particular, it did not provide evidence that the processing was necessary for its legitimate interests, nor did it demonstrate that it had carried out the required balancing test to assess whether its interests outweighed the rights and freedoms of the data subject.

As the company was unable to substantiate the lawfulness of the processing under any of the legal bases set out in Article 6(1) GDPR, VDAI concluded that it had infringed the GDPR’s lawfulness principle under Article 5(1)(a) and processed personal data without a valid legal basis in breach of Article 6(1). Taking into account the circumstances of the case, including the limited nature of the data involved and the absence of demonstrated harm to the complainant, the authority issued a reprimand.

Why does this matter?

The decision confirms that organisations cannot avoid the application of the GDPR simply because personal data was generated randomly rather than obtained from an existing database. If a randomly generated identifier corresponds to an identifiable individual, it is personal data, and its processing must comply with the GDPR.

The decision also serves as a reminder that relying on legitimate interests requires more than a general statement. Organisations should document the necessity of the processing, conduct and retain a legitimate interests assessment (LIA), and be able to demonstrate compliance with the accountability principle if requested by a supervisory authority.

Recommended actions

Organisations should carefully assess the legal basis before conducting telephone surveys or outreach campaigns, regardless of how contact details are obtained.

In particular, organisations should:

  • recognise that randomly generated telephone numbers may constitute personal data where they relate to identifiable individuals, meaning that the GDPR applies from the moment such numbers are processed;
  • ensure that a valid legal basis under Article 6 GDPR exists before initiating calls;
  • where relying on legitimate interests, carry out and document a Legitimate Interests Assessment (LIA), demonstrating the necessity of the processing and balancing the organisation’s interests against the rights and freedoms of individuals;
  • maintain appropriate documentation to demonstrate compliance with the GDPR accountability principle, as supervisory authorities may request evidence supporting the chosen legal basis; and
  • periodically review outreach and survey practices to ensure that they remain compliant with both the GDPR and applicable national laws.

Source: VDAI | Date: 25 June 2026
Link

VDAI Published Its 2025 Annual Report on Personal Data Protection Supervision

The Lithuanian State Data Protection Inspectorate (VDAI) has published its 2025 Annual Report, providing an overview of the key developments, supervisory activities and enforcement trends in the field of personal data protection in Lithuania.

The report highlights the Inspectorate’s supervisory and enforcement activities, including investigations into GDPR compliance, handling of data subjects’ complaints, personal data breach notifications, inspections, and cooperation with other European data protection authorities under the GDPR’s consistency and cooperation mechanisms. It also outlines the Inspectorate’s efforts to promote awareness by issuing guidance, recommendations and educational materials for both public and private sector organisations.

The report provides useful insights into the areas that continue to attract regulatory attention, including data security, transparency, data subject rights, direct marketing, cookies, and other key GDPR compliance obligations. It serves as a valuable resource for organisations seeking to understand current enforcement priorities and strengthen their data protection compliance programmes in line with the regulator’s expectations.

Recommended actions

Annual Report demonstrates that regulators continue to focus on the practical implementation of GDPR requirements rather than on formal compliance alone. Organisations should regularly review their data protection practices, ensure that appropriate technical and organisational measures are in place, maintain effective procedures for handling data subject requests and personal data breaches, and verify that their privacy documentation accurately reflects their processing activities. Regular GDPR compliance reviews and staff training remain essential to reducing regulatory and operational risks.

Source: VDAI | Date: 1 July 2026
Link

Practical takeaway for organisations

The VDAI has published recommendations on ensuring the security of personal data processed by online stores. The guidance is intended to assist e-commerce businesses and other data controllers in assessing and implementing appropriate organisational and technical measures to protect customers’ personal data.

Online stores process a wide range of personal data, including customers’ names, contact details, delivery addresses, order information and payment-related data. Given the nature of this information, it is essential to ensure that appropriate safeguards are in place to protect personal data against unauthorised access, loss, alteration or disclosure.

The recommendations address the key data security considerations relevant to e-commerce operations and provide practical guidance on strengthening data protection and supporting compliance with the GDPR. The document is intended to be a useful resource for both online store operators and IT professionals responsible for information security and data protection compliance.

Recommended actions

VDAI recommends that online retailers regularly review user access rights, implement multi-factor authentication for administrator accounts, ensure timely installation of security updates, and maintain secure backup and recovery procedures. Businesses should also periodically assess the security of third-party service providers, such as hosting companies and payment service providers, and establish clear procedures for detecting, reporting and responding to personal data breaches. Taking these practical steps can significantly reduce cybersecurity risks while supporting ongoing GDPR compliance.

Source: VDAI | Date: 8 July 2026
Link

Need assistance?

Our Data Protection, Privacy and ICT specialists can help your organisation navigate evolving GDPR, cybersecurity and digital compliance requirements.

We can assist with:

  • GDPR compliance assessments and gap analyses
  • Data protection audits and internal compliance reviews
  • Personal data breach response and regulatory notifications
  • Privacy policies, internal procedures and documentation updates
  • Data Protection Impact Assessments (DPIAs) and Legitimate Interests Assessments (LIAs)
  • ICT, cybersecurity and AI governance compliance
  • Regulatory investigations and communication with supervisory authorities
  • Data protection and cybersecurity training for management and employees

If you have any questions regarding the regulatory developments covered in this edition or would like to assess your organisation’s GDPR and ICT compliance, our team will be happy to assist you.

 

About the Author:


Loreta Andziulytė is an Attorney at Law and Partner at ECOVIS ProventusLaw. Having more than 20 years’ experience, she is ranked in FinTech Legal by Chambers and Partners FinTech Legal (2020, 2023, 2024, 2025, 2026), ranked in Employment Law by Chambers and Partners (2023, 2024, 2025, 2026), and recognised in Employment, TMT, Dispute Resolution, Tax and FinTech by The Legal 500 (2019–2025).

Loreta is a Certified Information Privacy Professional (CIPP/E) and head of the firm’s technology team. She specializes in FinTech licensing, regulatory affairs, and data protection, guiding international financial institutions through complex compliance frameworks.

Connect on LinkedIn →

Newsletter SubscriptionGet in touch