The State Data Protection Inspectorate (VDAI) of the Republic of Lithuania has recently issued guidance on how employers should assess cases where employees misuse their access rights to personal data in a register or system. With data security and the General Data Protection Regulation (GDPR) becoming increasingly important in the workplace, understanding the responsibilities of employers and employees is critical for maintaining compliance.
Key takeaways from VDAI’s guidance
1. Employer’s obligation to investigate and document Data Security Breaches
Under Article 32(4) of the GDPR, data controllers and processors have to ensure that employees process personal data only as instructed, unless the processing is required by Union or national law. This means that employers must have systems in place to investigate any potential misuse of access to personal data and to adequately document any breaches.
2. Employees are not independent Data Controllers
If an employee unlawfully accesses personal data in a register, such as the Real Estate Register, they do not assume the role of an independent data controller. The VDAI clarified this point in a decision of February 18, 2025. A single employee accessing data is not considered independent data processing under the GDPR. This clarification helps employers understand that, while employees may misuse their access rights, they are not independently responsible for the data processing; the responsibility lies with the employer.
3. Employer’s Responsibility
Employers are responsible for any misconduct related to their employees’ misuse of personal data. One case reviewed by VDAI found that the employer did not manage the breach appropriately, even though they had initiated disciplinary action against the employee. This highlights the critical need for employers to ensure that proper measures are in place for handling data breaches and enforcing compliance.
ECOVIS ProventusLaw recommendations on the best practices for Data Protection Compliance
- Employee Training and Awareness
Regular training is essential to ensure that employees understand their obligations under GDPR. Employers should conduct training on data protection policies, the risks of unauthorised data processing, and the potential consequences of breaching data security protocols. Well-informed employees are less likely to misuse access to personal data.
- Clear Guidelines for Data Access
Employers should establish clear and strict policies regarding who can access personal data and under what conditions. These guidelines should also include clear instructions on reporting unauthorised access or data breaches. Defining and enforcing these policies helps prevent misuse and ensures quick response when issues arise.
- Technical and Organisational Security Measures
Employers should implement various technical and organisational measures to protect personal data. This includes using access controls, encryption, and audit tools to detect and prevent unauthorised access. Regular reviews and updates to security measures ensure that data protection practices are always aligned with evolving security threats and regulatory requirements.
In today’s strict regulatory environment, employers must proactively manage employee access to personal data and ensure full compliance with GDPR. By implementing strong training programs, clear access policies, and robust security measures, employers can mitigate the risk of data breaches and demonstrate their commitment to protecting personal data.
Ecovis ProventusLaw’s certified data protection experts are ready to help you navigate these complex requirements. From providing tailored GDPR compliance advice to training employees and helping implement effective security measures, we are equipped to help your organisation maintain a secure and compliant data environment. Let our team help you ensure your data protection practices are robust and aligned with regulatory expectations.