RegRally Insights: Personal Data Protection and ICT Regulation – August 2025

Welcome to the August 2025 edition of RegRally Insights: Personal Data Protection and ICT Regulation. This month, we highlight the latest developments shaping data governance, GDPR compliance, and ICT regulation across Europe and Lithuania. Organisations and individuals must remain vigilant and proactive, from the EU’s Data Governance Act, which fosters trustworthy data sharing, to proposals easing GDPR obligations for SMEs and VDAI guidance on responsible data handling, credit checks, CCTV use, and recruitment processes.

Our briefing summarises key regulatory updates, practical recommendations, and emerging compliance trends to help you navigate this complex landscape confidently.

Data Governance Act: New EU Rules Empowering Transparent Data Sharing

The State Data Protection Inspectorate (VDAI) reminds the public of the Data Governance Act (DGA), an EU regulation already in force that many may still overlook. It aims to boost trust in data sharing and create the foundations of a fair and transparent EU data economy.

Key insights:

  • The DGA (Regulation EU 2022/868) introduces a framework for safe, voluntary, and trustworthy data sharing, both personal and non-personal.
  • It regulates data intermediation service providers – organisations that act as neutral platforms between data holders and users – requiring them to meet transparency and oversight standards.
  • It enables the re-use of specific protected public sector data and creates a secure mechanism for non-personal data transfers outside the EU.
  • The DGA also establishes data altruism: voluntary, non-commercial data sharing by individuals or companies for the public good (e.g., healthcare, environment, public services).
  • Altruistic organizations must ensure consent management, transparency, and annual public reporting, and can register for official EU recognition.
  • A new institution, the European Data Innovation Board, will guide consistent DGA implementation, making Lithuania’s participation highly relevant.

The DGA doesn’t merely create new obligations—it lays the foundation for a new data ecosystem based on trust, control, and shared public value.

Our recommendation:

The EU Data Governance Act (Regulation 2022/868) is now in force and introduces new obligations and opportunities for companies that enable or facilitate data sharing. It is recommended to:

  • Assess whether your company qualifies as a data intermediation service provider or supports data altruism.
  • Review your privacy policies, consent management, and data access controls.

EDPB and EDPS Weigh In on GDPR Amendment Proposal Expanding SME Compliance Exemptions

The European Commission has proposed amending the GDPR to ease compliance for smaller organisations by raising the record-keeping exemption threshold from 250 to 750 employees, except where high-risk processing is involved (as per Article 35 GDPR). The proposal also defines SMEs and Small Mid-Cap Companies in the GDPR and broadens access to support tools. In their Joint Opinion, the EDPB and EDPS back the simplification but call for clearer alignment with SME/SMC definitions and confirmation that public bodies remain excluded from the exemption.

Our recommendation:

  • If you’re an SME or SMC, start exploring participation in GDPR codes of conduct and certification schemes (Article 40(1) GDPR), which are now more explicitly extended to include SMCs.
  • Voluntarily keep high-risk records of data processing operations even if your organisation qualifies for the derogation from maintaining those records.

Stay informed about developments and final adoption, as the Proposal is not yet final.

The European Data Protection Board (EDPB) adopted a landmark Statement on enhanced clarity, support and engagement

The Statement outlines new initiatives to facilitate GDPR compliance for micro, small, and medium organisations, strengthen consistency, and boost cross-regulatory cooperation.

Across its efforts, the EDPB will strengthen its dialogue with stakeholders, holding proactive and early engagement to identify areas where further support and clarification are required. It will also provide the opportunity for stakeholders to flag possible inconsistencies and give feedback. The EDPB will publicly report on the main outcomes of the public consultations.

The EDPB will launch a series of direct and practical resources to simplify the application of the GDPR.

The Board recognises the growing complexity of the digital regulatory landscape. It has renewed its commitment to fostering structured cooperation with non-data protection regulators to address legal and practical challenges in cross-sectoral cases.

VDAI Issues Guidance on Lawful Processing of Personal Data in Public Information

The State Data Protection Inspectorate (hereinafter referred to as the “VDAI”) receives reports from the public on various instances of disclosure of personal data in possible breach of the General Data Protection Regulation (hereinafter referred to as the “GDPR”), both in the public and the private sector. Such reports are also received about the publication of information by journalists or other producers and disseminators of public information.

VDAI points out that such processing is subject to the requirements for lawful processing of personal data under the GDPR. According to the GDPR, personal data may only be processed (and thus made public) under the principles relating to the processing of personal data as set out in Article 5 of the GDPR and where such processing can be justified based on at least one of the conditions for the lawful processing of personal data as set out in Articles 6 or 9 of the GDPR.

Our recommendation:

VDAI reminds organisations that publishing personal data—whether in the private sector or by media producers—is subject to strict GDPR requirements.

Before making any personal data public, companies should:

  • Carefully assess the purpose of the publication and ensure it is lawful and necessary.
  • Verify compliance with GDPR principles (Article 5), including lawfulness, fairness, and transparency.
  • Ensure a valid legal basis for processing the data under Articles 6 or 9 GDPR.
  • Evaluate the sensitivity of the data and the potential harm publication may cause to the individual or their relatives.
  • Apply proportionality, balancing public interest against privacy rights, even when publishing information about public figures.

Organisations can reduce legal risks and protect individuals’ fundamental rights by conducting thorough assessments before disclosing personal data.

Think Before You Share: VDAI Issues Guidance on Protecting Personal Data

The State Data Protection Inspectorate (hereinafter referred to as VDAI) urges the public to remain vigilant and always check whether personal data and other important personal information are safe before they are published and/or shared.

There are cases where people, when posting their personal data, documents, or other sensitive information on online platforms (e.g., the document-sharing platform Scribd), do not read the privacy settings or publicity parameters carefully enough, and as a result, this data and these documents become publicly available. Third parties, such as fraudsters, can exploit this publicly disclosed personal data, so the VDAI urges people to handle their personal information responsibly.

Before using any online service or platform, we recommend that you:

  • Read the privacy policy and terms of service.
  • Check whether it is clearly stated how your personal data will be used.
  • Check whether the information you upload will be accessible only to you or may be displayed publicly.
  • Pay attention to whether the service provider is established in the EU or has a designated representative in the EU if it operates from a third country.

If data has been published without your consent:

  • First, you should contact the data controller or platform administrator directly with a request to remove your data.
  • If you do not receive a response or are not satisfied with the response, you can contact VDAI.

VDAI Upholds Homeowners’ Association’s Right to Use CCTV for Security

The Lithuanian Data Protection Inspectorate (VDAI) rejected a complaint against the “JŪRA” homeowners’ association over alleged unlawful CCTV use and sharing of footage on Facebook. VDAI found the surveillance—seven cameras monitoring the courtyard and surroundings—was justified under GDPR’s legitimate interest basis, backed by documented incidents and member approval. No evidence supported claims of footage being posted online. The Inspectorate confirmed compliance but reminded that CCTV must remain necessary, proportionate, and respectful of individuals’ rights.

Our recommendations:

Organisations planning to implement video surveillance should carefully assess and document the necessity and proportionality. A recent ruling by the State Data Protection Inspectorate (VDAI) confirmed that surveillance can be lawful when supported by:

  • A clear legitimate interest (e.g., property protection, safety),
  • Evidence of ongoing issues (e.g., repeated incidents of vandalism or theft),
  • Approval by stakeholders or members, and
  • Consideration of less intrusive alternatives.

Additionally, organisations must avoid unjustified data disclosures, such as posting footage on social media, and ensure that surveillance is clearly communicated to affected individuals. They must always prioritize transparency, minimal data collection, and security of recorded material.

VDAI Fines TELE2 for Failing to Inform Customers About Credit Checks

The State Data Protection Inspectorate (VDAI) found UAB “TELE2” in breach of the GDPR for failing to properly inform customers about personal data processing during creditworthiness checks. Two separate complaints revealed that TELE2 employees accessed third-party credit databases without notifying the individuals, contrary to transparency requirements under Articles 5 and 21 of the GDPR. Although TELE2 cited legitimate interest under Article 6(1)(f) to mitigate financial risk, the VDAI stressed that data subjects must be clearly informed and allowed to object. TELE2 has committed to procedural improvements, technical safeguards, and staff reminders to ensure future compliance.

Our recommendation:

If your company performs credit checks or assesses financial risk using personal data, you must clearly inform individuals in advance, even if you rely on legitimate interest as your legal basis (GDPR Art. 6(1)(f)).

  • Clearly explain why and how you will use personal data (e.g., creditworthiness check).
  • Inform individuals of their right to object (GDPR Art. 21).
  • Train staff to follow consistent procedures and provide required information during all interactions, especially phone calls.

VDAI Warns Employer for Unlawfully Retaining Job Interview Recording

The State Data Protection Inspectorate (VDAI) ruled that UAB “Kretingos šilumos tinklai” violated the GDPR by keeping a job interview recording after the candidate had signed an employment contract. The candidate was told the recording would be deleted at the end of recruitment, yet it was later found in a bailiff’s report. The company cited legitimate interest under Article 6(1)(f) GDPR, but the assessment was done only after the complaint. Its data retention policy did not authorise keeping interview recordings beyond hiring, breaching Article 5(1)(e) data minimisation and storage limitation principles. As this was a first offence and no harm was identified, the VDAI issued a warning rather than a fine.

Our recommendations:

When recording job interviews or collecting any personal data during recruitment, companies must ensure clear communication and strict adherence to data retention limits under the GDPR.

  • Inform candidates in advance about the purpose, legal basis (e.g., legitimate interest), and exact retention period of interview recordings or notes.
  • Stick to your retention policies—once the recruitment process ends or a contract is signed, delete the data unless there’s a valid, pre-defined reason to keep it.
  • Update your internal policies to explicitly cover recruitment data, including interview recordings.
  • Assess your legal basis (e.g., legitimate interest) before collecting data, not retroactively.