On 18 October 2022, a draft amendment to the Law on Legal Protection of Personal Data (hereinafter – the Law) was registered in the Parliament of Lithuania, which aims to expand the list of grounds for processing personal data relating to criminal convictions and offences, to promote greater cooperation between the data protection supervisory authorities, and to increase public awareness of the activities of these authorities. ECOVIS ProventusLaw’s data protection experts provide a brief overview of the most important changes to the Law.
Most important changes
Processing personal data relating to criminal convictions and offences
The current version of the Law provides that personal data on convictions and criminal offences of employees and candidates to an employee position may be processed only if the data controller has a legal obligation to verify whether the person fulfils the legal requirements for the performance of the position or the functions of the job.
The draft amendments of the Law propose to extend the list of grounds for processing beforementioned personal data. It is envisaged that such personal data may be processed not only based on a legal obligation, but also based on the legitimate interests of the data controller, except where the interests, rights and freedoms of the data subject outweigh the interests of the data controller, and in particular where the data subject is a child.
However, the draft amendments also provide that in order to rely on legitimate interests, the data controller should:
- carry out an assessment of the legitimate interest in processing such personal data;
- publish on its website a list of the positions or job functions to which the requirement to be non-convicted would apply; and
- to process only personal data on convictions and criminal offences of those persons whose positions or job functions are included in that list.
Publication of supervisory authorities’ decisions
In order to increase the awareness of individuals about the safeguards, rules, rights and risks related to the processing of personal data, the draft amendments of the Law also provide that the State Data Protection Inspectorate and the Inspector of Journalist Ethics (hereinafter – supervisory authorities) must make publicly available on their website their decisions on investigations, inspections, or investigated complaints, at the latest within 5 working days from the day on which the decision was taken.
Cooperation between supervisory authorities
The draft amendments also provide for a duty of cooperation between supervisory authorities when investigating data protection infringements related to the exercise of their functions or tasks. On this basis, supervisory authorities would have the right to share all relevant information, including information protected by law, as well as state, professional and other secrets. Supervisory authorities should also cooperate actively in deciding which of them is competent to deal with a particular infringement.
Significance of the changes
Considering that the General Data Protection Regulation does not specifically provide for the cases in which the processing of personal data on convictions and criminal offences should be allowed, but gives the right to decide to the Member States, it can be argued that the current wording of the Law provides for a rather high level of protection of such data and severely restricts the processing of it. The adoption of the draft amendments would allow a more liberal approach to the processing of such data, allowing employers to assess on a case-by-case basis the need to obtain such information on potential and current employees in order to identify potential risks and protect their interests.
The obligation for supervisory authorities to cooperate in the adoption of decisions on infringement investigations and on issues of competence should improve not only the infringement investigation process, but also the quality of the decisions themselves and the uniformity of practice between authorities. The obligation to make their decisions public would lead to greater public awareness on information about the rights and safeguards guaranteed by data protection laws and the most common mistakes made in the processing of personal data, which could potentially help to reduce the number of data protection law infringements.
Prepared by Brigida Bacienė, ECOVIS ProventusLaw Data Protection Expert, and Gabija Bacevičiūtė, ECOVIS ProventusLaw Junior Lawyer