The Lithuanian Data Protection authority (VDAI) published information on scheduled inspections and monitoring planned for 2022 in 53 organizations. As indicated in the notice, VDAI aims to identify possible risks for data subjects and assist the organizations with their GDPR compliance. Scheduled inspections are relevant not only to the organizations being reviewed but also to anyone that processes personal data.
According to VDAI, the main focus for inspections this year will be:
- Review of the implementation of the requirements related to the activities of the Data Protection Officer (DPO). For proper compliance, please review the following requirements:
– DPO appointment. A DPO is mandatory for all companies or organizations whose main activity is the large-scale systematic monitoring of individuals or the large-scale processing of special categories of personal data, e.g., financial institutions, health care institutions;
– appropriate notification about the appointed DPO. VDAI must be notified about the appointed DPO, and their details must be publicly available, e.g., on the organization’s website;
– DPO status. The appointed DPO must retain autonomy and be provided with sufficient resources. It is also crucial to involve your DPO in all matters related to the protection of personal data;
– professional qualities. The DPO must be appointed based on professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Art. 39 of GDPR. For example, the French data protection authority advises that, to meet the professional qualities requirement, the person must have at least 3 years of experience working in the field of data protection;
- Review requirements related to the use of cookies. In this respect, monitoring will be carried out by the VDAI via a written survey and, if necessary, a control questionnaire. For proper compliance with GDPR requirements, we recommend reviewing:
– whether information about the cookies used is provided. When you use cookies, data subjects must be notified. This should be done through a privacy or cookie policy;
– whether the text is clear. Your privacy or cookie policy, as well as the cookie notice, should avoid technical or legal jargon. Information must be provided in clear and easy-to-understand language;
– whether there is adequate consent. All cookies, except strictly necessary (mandatory) cookies, require the appropriate consent of the data subject. The collection of data must be blocked until the data subject’s consent is obtained. Consent must only be registered by an explicit or positive action, such as clicking a confirmation button;
– consent withdrawal. It should be as easy to withdraw consent as it is to provide it, i.e., this option should be provided in the same notification message, without redirecting the subject to another page.
In the report, VDAI also emphasizes the importance of cooperation. Fines are rarely imposed during inspections, but cases of non-cooperation with the supervisory authority are treated very seriously.
In light of these plans for 2022 published by the VDAI, it is clear that the above-mentioned areas are becoming more and more relevant and important, and that compliance in these areas needs to be ensured not only in those companies or organizations that will be inspected by the VDAI but also in any other company or organization that has a DPO and uses cookies in its daily operations. For more information on the proper implementation of the requirements for the position of DPO, see here and here, and for more information on the proper implementation of the requirements on the use of cookies, see here.
For more information or advice related to data protection, please consult the experts of ECOVIS ProventusLaw.
This review was prepared by certified ECOVIS ProventusLaw data protection expert Milda Šlekytė and junior lawyer Julija Ginotytė.