Welcome to the September 2025 edition of RegRally Insights: Personal Data Protection and ICT Regulation.
This month’s edition brings sharp focus on data protection and cybersecurity developments in Lithuania and Europe.
The VDAI reports a surge in personal data breaches in H1 2025, publishes its 2024 activity report, and launches an investigation into the Creditinfo cyberattack. We also cover fresh guidance for SMEs on strengthening email security, and highlight a GDPR fine in Greece underscoring strict rules around sensitive data.
Our briefing distills the key enforcement trends, supervisory priorities, and practical steps organisations should take to reduce risks, strengthen compliance, and safeguard trust.
Lithuania: VDAI Reports 116 Personal Data Breaches in H1 2025
In the first half of 2025, the State Data Protection Inspectorate (VDAI) received 116 personal data breach (PDB) notifications, affecting 168,822 data subjects.
Breach types:
- Confidentiality breaches – 86%
- Integrity breaches – 2%
- Availability breaches – 10%
- Not classified as a PDB – 2%
Main causes:
- Human error – 57%
- IT/system issues – 11%
- Cyber incidents – 32%, including ransomware, unauthorized access, social engineering, brute force, SQL injection, and system disruptions.
Compliance with GDPR reporting deadlines:
- 78% of cases were reported within the 72-hour requirement.
- 22% were reported late.
Enforcement actions:
- January 2025: €9,000 fine to a public institution for GDPR violations.
- February 2025: €3,529 fine for inadequate data protection measures.
- 4 instructions and 14 recommendations issued to strengthen data security.
Practical takeaways for organizations:
- Address human error through regular staff training and awareness programs.
- Strengthen cybersecurity to prevent unauthorized access and targeted attacks.
- Ensure timely reporting of all incidents in line with GDPR requirements.
- Follow VDAI’s guidance to avoid penalties and improve data protection practices.
Lithuania: VDAI Publishes 2024 Activity Report
The State Data Protection Inspectorate (VDAI) has released its 2024 activity report, highlighting its key priorities, achievements, and future goals in personal data protection.
Priority 1 – Prevention and trust-building
- Focus on education to strengthen competence among data controllers, processors, and DPOs.
- The ADASL (level of personal data protection) reached 63% overall and 72% among management groups, reflecting stronger awareness.
- Emphasis on amicable complaint resolution: since 2022, cases resolved amicably have increased by 93%, fostering prevention and trust.
Priority 2 – Strengthening international cooperation
- Active participation in the European Data Protection Board (EDPB): 173 meetings in 2024 (149 in 2023, 76 in 2022).
- Lead supervisory authority in 57 international cases.
- Organized the EU seminar on Binding Corporate Rules in Vilnius (April 2024).
- Continued close cooperation with Latvian and Estonian authorities, including joint inspections and annual Baltic meetings.
Supervision and monitoring
- 12 inspections carried out (down from 46 in 2023 and 44 in 2022).
- Increased reliance on monitoring activities – 92 cases in 2024 (mainly cookie compliance and direct marketing).
- Monitoring provides early recommendations and helps prevent violations before enforcement.
Amicable complaint resolution – rising trend
- 52 complaints resolved amicably in 2024 (up 11% vs. 2023).
- Since 2022, amicable settlements have grown 93%, saving resources and improving satisfaction for both data subjects and controllers.
Practical takeaways for organizations:
- Stay proactive: review cookie policies, direct marketing procedures, and complaint-handling practices.
- Embrace monitoring: address deficiencies early to avoid inspections and sanctions.
- Encourage amicable resolution: collaborative settlement strengthens client trust and reduces risk.
Greece: €10,000 GDPR Fine for Shield of David Association
The Hellenic Data Protection Authority (DPA) has fined the association Shield of David €10,000 for multiple GDPR violations, underscoring the strict obligations regarding the handling of sensitive data and minors’ information.
Key violations identified:
- Access rights denied – failure to provide a minor’s personal data upon request (€3,000).
- Unlawful data sharing – transmission of medical records and social history to a private company (€3,000).
- Improper disclosure – circulation of a court decision without a lawful basis (€3,000).
- Non-cooperation with the DPA – refusal to cooperate during the investigation (€1,000).
Practical lessons for organisations:
- Ensure lawful and transparent processing, particularly with minors’ data.
- Implement clear procedures to fulfil data subject access requests promptly.
- Avoid unauthorised sharing of sensitive or legal information.
- Maintain full cooperation with supervisory authorities to prevent additional sanctions.
Lithuania: NKSC Issues Practical Guidance on Email Security for SMEs
The National Cyber Security Centre (NKSC) under the Ministry of National Defence has released the second set of practical cybersecurity recommendations, focusing on email protection – one of the most frequently exploited services.
The guidance is particularly relevant for very small, small, and medium-sized enterprises (SMEs), which often rely on default configurations or minimal security measures. NKSC highlights that missing or misconfigured authentication records (SPF, DKIM, DMARC) expose organisations to spoofing, phishing, and fraud attempts, undermining trust and endangering sensitive data.
Key context
- According to the 2024 National Cyber Security Status Report, most registered incidents involved social engineering attacks (phishing) targeting login or payment credentials.
- SMEs remain frequent targets for malicious attachments and ransomware due to lower cybersecurity resilience.
NKSC recommendations for organisations:
- Enable SPF, DKIM, and DMARC to authenticate email senders.
- Use strong passwords and multi-factor authentication.
- Conduct regular phishing simulations and employee awareness training.
- Periodically review and update email configurations.
Organisations can check their domain security free of charge via NKSC’s tool: sauguspastas.nksc.lt.
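To make the "missing or misconfigured authentication records" point concrete, the following Python script, added here as an illustration and not part of the NKSC guidance or its sauguspastas.nksc.lt tool, evaluates SPF and DMARC TXT records for the weak settings a reviewer would flag: a missing record, a permissive "+all" or neutral "?all" SPF terminator, more DNS-lookup mechanisms than RFC 7208 allows, a DMARC policy of "p=none", no aggregate-report address, or a partial "pct". The domain names and record strings are constructed samples embedded inline so the script runs offline; a real check would fetch the TXT records from DNS first. DKIM is not checked because it requires knowing the sending selector, which the domain name alone does not reveal.

```python
"""Offline SPF/DMARC record review against constructed sample records."""
import re

# Constructed sample TXT records (hypothetical domains, not real DNS data).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.example.net +all",
        "dmarc": "v=DMARC1; p=none",
    },
    "hardened.example": {
        "spf": "v=spf1 include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example; "
                 "adkim=s; aspf=s; pct=100",
    },
    "missing.example": {"spf": None, "dmarc": None},
}

# SPF terms that cost a DNS lookup (RFC 7208 caps these at 10 per evaluation).
# The trailing group stops the bare "a" mechanism from matching "all".
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|exists|redirect|ptr|a|mx)([:/=]|$)")


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; an empty dict means no record."""
    tags = {}
    for part in (record or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """Return a list of findings for one SPF record (empty list means no issues)."""
    if not record:
        return ["SPF: no record; any host can claim to send for this domain"]
    if not record.lower().startswith("v=spf1"):
        return ["SPF: record does not start with v=spf1 and will be ignored"]
    findings = []
    terms = record.split()[1:]
    final = terms[-1] if terms else ""
    if final in ("+all", "all"):
        findings.append("SPF: '+all' authorises every sender; use '-all'")
    elif final == "?all":
        findings.append("SPF: '?all' is neutral and gives no protection")
    elif final == "~all":
        findings.append("SPF: '~all' only softfails; move to '-all' once senders are listed")
    elif final != "-all":
        findings.append("SPF: no terminal 'all' mechanism; unlisted senders are neutral")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the RFC 7208 limit of 10")
    return findings


def check_dmarc(record):
    """Return a list of findings for one DMARC record (empty list means no issues)."""
    tags = parse_dmarc(record)
    if not tags:
        return ["DMARC: no record; receivers are never told to reject spoofed mail"]
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("DMARC: missing or wrong 'v=DMARC1' tag; record is invalid")
    policy = tags.get("p")
    if policy is None:
        findings.append("DMARC: required 'p' tag is missing")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; move to p=quarantine, then p=reject")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine is an interim step; target p=reject")
    if "rua" not in tags:
        findings.append("DMARC: no 'rua' address, so aggregate abuse reports are never received")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail flow")
    return findings


def assess_domain(spf, dmarc):
    """Combine both checks; 'ok' is True only when nothing was flagged."""
    findings = check_spf(spf) + check_dmarc(dmarc)
    return {"findings": findings, "ok": not findings}


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        result = assess_domain(**records)
        print(f"{domain}: {'OK' if result['ok'] else 'ISSUES'}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

The checks are deliberately ordered the way a staged rollout usually goes: publish records, collect "rua" reports under "p=none", then tighten to "p=quarantine" and finally "p=reject" with "-all" in SPF once every legitimate sending service is listed.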
Lithuania: VDAI Investigates Cyber Incident at Creditinfo
On 25 July 2025, international credit information provider Creditinfo suffered a major cyberattack by the ransomware group Payoutsking, resulting in the leak of more than 2.3 TB of data on the dark web.
While the incident involved Creditinfo Lithuania’s clients, the company confirmed that its local systems remained secure and no Lithuanian clients’ data were compromised.
Creditinfo Lithuania promptly informed the State Data Protection Inspectorate (VDAI) and began notifying affected individuals. VDAI has launched an investigation into the breach.
Key takeaways for organisations:
- Large-scale incidents at international partners or service providers can create risks even when your systems are secure.
- Regularly review third-party data handling agreements and security measures.
- Maintain a clear incident response and communication plan to protect individuals and mitigate reputational impact.