RegRally Insights: Personal Data Protection and ICT Regulation – May 2026

Welcome to the latest edition of RegRally Insights, where we explore key developments shaping data protection, cybersecurity, and ICT regulation across the EU and Lithuania. This month’s update highlights significant enforcement trends, evolving GDPR compliance expectations, and practical regulatory guidance impacting businesses operating in digital and data-driven environments.

From expanding supervisory scrutiny and increased enforcement activity to new expectations in direct marketing, DPIAs, and access rights handling, organisations are facing a steadily maturing regulatory landscape that demands both stronger governance and operational discipline.

Stay informed, stay compliant, and ensure your organisation is prepared for the next wave of regulatory change.

EDPB introduces DPIA template to harmonise GDPR risk assessments and strengthen consistency of data protection impact analysis across the EU (public consultation open until 9 June)

The European Data Protection Board (EDPB) has launched a standardised template to support organisations in conducting Data Protection Impact Assessments (DPIAs) under the GDPR. The tool aims to improve clarity, comparability, and compliance quality across EU jurisdictions by providing a structured approach to documenting data processing risks and safeguards.

Key elements of the initiative:
• Standardised DPIA template to support consistent GDPR compliance across Member States.
• Public consultation open until 9 June; stakeholders can provide feedback before final adoption.
• Data Protection Authorities may adopt it as a common EU standard or align it with national frameworks.

When a DPIA is mandatory:
A DPIA is required for high-risk processing activities, including:
• Automated decision-making and profiling with legal or similarly significant effects.
• Large-scale processing of sensitive data or criminal offence data.
• Large-scale monitoring of publicly accessible spaces.
• Processing biometric data for identification or monitoring.
• Recording telephone conversations or video surveillance with audio.
• Systematic employee monitoring (e.g., workplace tracking systems).
• Other processing is likely to result in a high risk to individuals’ rights and freedoms.

Core DPIA requirements:
A DPIA must:
• Describe processing purpose, scope, context, and nature.
• Assess necessity, proportionality, and GDPR compliance.
• Identify and evaluate risks to data subjects.
• Define mitigation measures and security safeguards.
Practical benefits of DPIA use:
• Demonstrates GDPR accountability and compliance.
• Identifies and reduces privacy and security risks early.
• Optimises data processing and reduces unnecessary collection.
• Supports cost-efficient integration of data protection measures in system design.

A DPIA should be conducted where personal data processing is likely to result in a high risk to individuals’ rights and freedoms, particularly when using new technologies, carrying out large-scale processing, or implementing systematic monitoring. Conducting a DPIA helps identify and mitigate risks at an early stage and supports compliance with GDPR requirements.

We recommend:

• assess whether a DPIA is required under the GDPR;
• include legal, technical, and organisational measures in the assessment;
• establish internal DPIA procedures and documentation processes;
• regularly review DPIAs where processing activities or associated risks change.

DPIAs are commonly required for biometric data processing, employee monitoring, CRM systems, large-scale personal data processing, data transfers to third countries, and other complex processing activities.
https://ecovis.lt/duomenu-apsauga/darbuotoju-asmens-duomenu-apsauga/

UAB “SMAGUS” direct marketing breach: Lithuanian Data Protection Authority finds unlawful email marketing without consent, but issues only a warning due to isolated human error and prompt remediation

Core findings and outcome:
• Complaint received on 3 June 2025 regarding unsolicited promotional email sent on 27 May 2025.
• Email promoted family-oriented park activities and was classified as direct marketing under the Law on Electronic Communications (Article 81(1)).
• The company claimed the email originated from the visitor lottery forms and was incorrectly entered due to human error.
• Inspectorate confirmed the email was sent without the prior consent of the recipient.
Regulatory assessment:
• Violation established: direct marketing sent without valid consent.
• Breach attributed to an isolated operational mistake (data entry error).
• No evidence of systematic misuse or large-scale unlawful processing.
Mitigating factors considered:
• One-off incident rather than structural compliance failure.
• Immediate corrective action: email address deleted and apology issued.
• No significant harm or adverse consequences identified.
Final decision:
• Complaint upheld as well-founded.
• No fines or corrective sanctions imposed.
• Acknowledgement of infringement deemed proportionate and sufficient.
Practical takeaway:
Even in cases of confirmed GDPR-adjacent direct marketing breaches, supervisory authorities may opt for proportional enforcement where the infringement is isolated, promptly corrected, and not indicative of systemic non-compliance.

As of 1 July, Article 81 of the Republic of Lithuania Law on Electronic Communications will be amended, introducing updated requirements for the use of electronic communications services for direct marketing purposes.

From that date, direct marketing via electronic communications (e.g. email, SMS) will be subject to updated requirements:

• B2B marketing (legal entities) may be carried out without prior consent, provided that recipients are given a clear, free, and easily exercisable opt-out option in every communication. The opt-out mechanism must be functional and easy to use in practice.
• B2C marketing (natural persons) will continue to require prior, explicit, informed, and unambiguous consent.
• The “soft opt-in” exception remains available only for existing customers and applies strictly under defined conditions.
• All marketing messages must include a clear unsubscribe mechanism, and opt-out requests must be implemented promptly.
• Organisations should review and document their marketing processes and update their procedures and documentation accordingly to ensure that direct marketing activities comply with GDPR and the Republic of Lithuania Law on Electronic Communications.

Source: https://vdai.lrv.lt/public/canonical/1776931112/1377/2026-04-21%20sprendimas%20Nr.%203R-726%20(2.13-1.E).pdf

UAB DELSKA Lithuania fined for GDPR security failure following cloud breach affecting ~3,000 individuals

Incident background
• Investigation initiated by Lithuanian State Data Protection Inspectorate (VDAI) in March 2025.
• Triggered by notification of a cybersecurity incident involving a public cloud services platform used by UAB “Rakrėjus” (later merged into UAB DELSKA Lithuania).
• Breach impacted personal data of approximately 3,000 data subjects.
• Some data could not be restored; temporary disruption of services, including financial services.

Regulatory assessment
• Breach classified as medium severity.
• Authority found insufficient technical and organisational safeguards to protect personal data.
• Violation of Article 32(1)(b) GDPR (security of processing – ensuring ongoing confidentiality, integrity, availability, and resilience of systems).

Key compliance issue
• Failure to implement adequate security measures appropriate to the risk level of cloud-based processing.
• Insufficient resilience leading to both data loss and operational disruption.

Enforcement outcome
• Administrative fine: EUR 4,500.
• Liability imposed on UAB DELSKA Lithuania as legal successor of the merged entity UAB “Rakrėjus”.

Key takeaway
This decision reinforces that GDPR Article 32 obligations extend to cloud-based infrastructures and survive corporate restructuring events such as mergers. Even medium-severity incidents involving partial data loss and service disruption can result in regulatory sanctions where security controls are deemed insufficient relative to processing risks.

Organisations should ensure appropriate technical and organisational safeguards, including access controls, encryption, regular risk assessments, and secure backup solutions.

We recommended to:
• assess the security standards of cloud service providers and clearly allocate responsibilities in data processing agreements;
• implement continuous monitoring, software updates, and incident detection mechanisms;
• maintain reliable backup and recovery systems to ensure business continuity and prevent data loss;
• provide regular staff training and establish internal security policies to reduce risks related to human error;
• establish clear incident response procedures to ensure timely identification, containment, and reporting of personal data breaches in accordance with GDPR requirements.

Source: https://vdai.lrv.lt/public/canonical/1775211861/1339/2026-03-23%20sprendimas%20Nr.%203R-490%20(2.13-1.E).pdf