← Lietuva

LIETUVOS RESPUBLIKOS

In short

This Law aims to protect the privacy of individuals when their personal data is processed, by regulating how personal data is handled and establishing the rights and responsibilities of those involved.

What it regulates

Who it concerns

Key points

📄 Įstatymo tekstas
LIETUVOS RESPUBLIKOS REPUBLIC OF LITHUANIA LAW ON LEGAL PROTECTION OF PERSONAL DATA 11 June 1996 – No I-1374 (As last amended on 12 May 2011 – No XI-1372) Vilnius CHAPTER ONE GENERAL PROVISIONS Article 1. Purpose, Objectives and Scope of the Law 1. The purpose of this Law shall be safeguarding of the inviolability of an individual’s private life in the course of processing personal data. 2. This Law shall regulate relations arising in the course of the processing of personal data by automatic means, and during the processing of personal data by other than automatic means in filing systems: lists, card indexes, files, codes, etc. The Law shall establish the rights of natural persons as data subjects, the procedure for protecting these rights, the rights, duties and liability of legal and natural persons while processing personal data. 3. This Law shall apply to the processing of personal data where: 1) personal data are processed by a data controller established and operating in the territory of Lithuania, as a part of activities thereof. Where personal data are processed by a branch office or a representative office of a data controller of a Member State of the European Union or another state of the European Economic Area, established and operating in the Republic of Lithuania, such a branch office or representative office shall be bound by the provisions of this Law applicable to the data controller; 2) personal data are processed by a data controller which is established in the territory other than the Republic of Lithuania, but which is bound by the laws of the Republic of Lithuania by virtue of international public law (including diplomatic missions and consular posts); 3) personal data are processed by a data controller established and operating in a country which is not a Member State of the European Union or another state of the European Economic Area (hereinafter referred to as a “third country”), where the data controller uses personal data processing means established in the Republic of Lithuania, with the exception of the cases where such means are used only for transit of data through the territory of the Republic of Lithuania, the European Union or another state of the European Economic Area. In the case laid down in this subparagraph, the data controller must have its representative, that is, an established branch office or a representative office in the Republic of Lithuania which shall be bound by the provisions of this Law applicable to the data controller. 4. This Law shall not apply if personal data are processed by a natural person only for his personal needs not related to business or profession. 5. When personal data are processed for the purposes of state security or defence, this Law shall apply to the extent that other laws do not provide otherwise. 6. This Law shall not restrict or prohibit free movement of personal data when fulfilling European Union membership commitments of the Republic of Lithuania. 7. This Law shall harmonise regulation of legal protection of personal data in the Republic of Lithuania with the European Union legal acts referred to in the Annex to this Law. As of 1 September 2011, the Article shall be supplemented with paragraph 5; paragraphs 5, 6 and 7 shall be renumbered as paragraphs 6, 7 and 8 respectively: 5. This Law shall not apply to the processing of personal data of deceased persons. 6. When personal data are processed for the purposes of state security or defence, this Law shall apply to the extent that other laws do not provide otherwise. 7. This Law shall not restrict or prohibit free movement of personal data when fulfilling European Union membership commitments of the Republic of Lithuania. 8. This Law shall harmonise regulation of legal protection of personal data in the Republic of Lithuania with the European Union legal acts referred to in the Annex to this Law. Version of Article 2 before 1 September 2011: Article 2. Definitions 1. Personal data shall mean any information relating to a natural person (data subject) who is known or who can be identified directly or indirectly by reference to such data as a personal identification number or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. 2. Data recipient shall mean a legal or a natural person to whom personal data are disclosed. The authorities supervising the implementation of this Law referred to in Articles 8 and 36 of this Law as well as other state and municipal institutions and agencies shall not be regarded as data recipients when they obtain personal data in response to a specific request for the purposes of fulfilling their control functions laid down in laws. 3. Disclosure of data shall mean disclosure of personal data by transmission or making them available by any other means (with the exception of publishing them in mass media). 4. Data processing shall mean any operation carried out with personal data: collection, recording, accumulation, storage, classification, grouping, connecting, changing (supplementation or correction), provision, publication, use, logical and/or arithmetical operations, search, dissemination, destruction or any other action or set of actions. 5. Data processing by automatic means shall mean any operation performed with personal data carried out in whole or in part by automatic means. 6. Data processor shall mean a legal or a natural person other than an employee of the data controller, processing personal data on behalf of the data controller. The data processor and/or the procedure of its/his nomination may be laid down in laws or other legal acts. 7. Data controller shall mean a legal or a natural person which alone or jointly with others determines the purposes and means of processing personal data. Where the purposes of processing personal data are laid down in laws or other legal acts, the data controller and/or the procedure for its/his nomination may be laid down in such laws or other legal acts. 8. Special categories of personal data shall mean data concerning racial or ethnic origin of a natural person, his political opinions or religious, philosophical or other beliefs, membership in trade unions, and his health, sexual life and criminal convictions. 9. Prior checking shall mean an advance inspection of processing data before it is started in the cases laid down in this Law. 10. Filing system shall mean any structured set of personal data arranged in accordance with specific criteria relating to the person, allowing an easy access to personal data in the file. 11. Consent shall mean an indication of will given freely by a data subject indicating his agreement with the processing of his personal data for the purposes known to him. His consent with regard to special categories of personal data must be expressed clearly, in a written or equivalent form or any other form giving an unambiguous evidence of the data subject’s free will. 12. Direct marketing shall mean an activity intended for offering goods or services to individuals by post, telephone or any other direct means and/or for obtaining their opinion about the offered goods or services. 13. Third party shall mean a legal or a natural person, with the exception of the data subject, the data controller, the data processor and persons who have been directly authorised by the data controller or the data processor to process data. 14. Internal administration shall mean activity which ensures an independent functioning of the data controller (structure administration, personnel management, management and use of available material and financial recourses, and clerical work). 15. Public data file shall mean a state register or any other data file which pursuant to laws and other legal acts is intended for the disclosure of information to the public and which may be lawfully used by the public. 16. Video surveillance shall mean processing of image data concerning natural person (hereinafter referred to as “image data”) by using automated video surveillance means (video and photo cameras, etc.) irrespective of whether these data are recorded in a file or not. Version of Article 2 as of 1 September 2011: Article 2. Definitions 1. Personal data shall mean any information relating to a natural person (data subject) who is known or who can be identified directly or indirectly by reference to such data as a personal identification number or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. 2. Data recipient shall mean a legal or a natural person to whom personal data are disclosed. The authorities supervising the implementation of this Law referred to in Articles 8 and 36 of this Law as well as other state and municipal institutions and agencies shall not be regarded as data recipients when they obtain personal data in response to a specific request for the purposes of fulfilling their control functions laid down in laws. 3. Disclosure of data shall mean disclosure of personal data by transmission or making them available by any other means (with the exception of publishing them in mass media). 4. Data processing shall mean any action carried out with personal data: collection, recording, accumulation, storage, classification, grouping, connecting, changing (supplementation or correction), provision, publication, use, logical and/or arithmetical operations, search, dissemination, destruction or any other action or set of actions. 5. Data processing by automatic means shall mean any operation performed with personal data carried out in whole or in part by automatic means. 6. Data processor shall mean a legal or a natural person other than an employee of the data controller, processing personal data on behalf of the data controller. The data processor and/or the procedure of its/his nomination may be laid down in laws or other legal acts. 7. Data controller shall mean a legal or a natural person which alone or jointly with others determines the purposes and means of processing personal data. Where the purposes of processing personal data are laid down in laws or other legal acts, the data controller and/or the procedure for its/his nomination may be laid down in such laws or other legal acts. 8. Special categories of personal data shall mean data concerning racial or ethnic origin of a natural person, his political opinions or religious, philosophical or other beliefs, membership in trade unions, and his health, sexual life and criminal convictions. 9. Prior checking shall mean an advance inspection of processing data before it is started in the cases laid down in this Law. 10. Social and public opinion survey shall mean a systemic collection of data and/or information about natural and legal persons and interpretation thereof by means of statistical, analysis and other methods of social sciences with a view to obtaining insights required for decision-making. Direct marketing may not be undertaken when conducting a social and public opinion survey. 11. Filing system shall mean any structured set of personal data arranged in accordance with specific criteria relating to the person, allowing an easy access to personal data in the file. 12. Consent shall mean an indication of will given freely by a data subject indicating his agreement with the processing of his personal data for the purposes known to him. His consent with regard to special categories of personal data must be expressed clearly, in a written or equivalent form or any other form giving an unambiguous evidence of the data subject’s free will. 13. Direct marketing shall mean an activity intended for offering goods or services to individuals by post, telephone or any other direct means and/or for obtaining their opinion about the offered goods or services. 14. Third party shall mean a legal or a natural person, with the exception of the data subject, the data controller, the data processor and persons who have been directly authorised by the data controller or the data processor to process data. 15. Internal administration shall mean activity which ensures an independent functioning of the data controller (structure administration, personnel management, management and use of available material and financial recourses, and clerical work). 16. Public data file shall mean a state register or an information system or any other data file which pursuant to laws of the Republic of Lithuania or other legal acts is intended for the disclosure of data, information, documents and/or copies thereof to the public and which may be lawfully used by the public. 17. Video surveillance shall mean processing of image data concerning natural person (hereinafter referred to as “image data”) by using automated video surveillance means (video and photo cameras, etc.) irrespective of whether these data are recorded in a file or not. 18. The concepts of a credit institution and a financial institution shall be interpreted as they are defined in the Law on Financial Institutions. CHAPTER TWO PERSONAL DATA PROCESSING Article 3. Requirements for the Processing of Personal Data 1. The data controller must ensure that personal data are: 1) collected for specified and legitimate purposes and later are not processed for purposes incompatible with the purposes determined before the personal data concerned are collected; 2) processed accurately, fairly and lawfully; 3) accurate and, where necessary, for purposes of personal data processing, kept up to date; inaccurate or incomplete data must be rectified, supplemented, erased or their further processing must be suspended; 4) identical, adequate and not excessive in relation to the purposes for which they are collected and further processed; 5) kept in a form which permits identification of data subjects for no longer than it is necessary for the purposes for which the data were collected and processed. Paragraph 1 shall be supplemented with subparagraph 6 as of 1 September 2011: 6) processed in compliance with the clear and transparent requirements for personal data processing set forth in this Law and other laws regulating relevant activities. 2. Personal data collected for other purposes may be processed for statistical, historical or scientific research purposes only in the cases laid down in laws, provided that adequate data protection measures are laid down in laws. Article 4. Storage and Destruction of Personal Data Personal data shall not be stored longer than it is necessary for data processing purposes. Personal data must be destroyed when they are no more needed for their processing purposes, with the exception of data which must be transferred to State archives in the cases laid down in laws. Article 5. Criteria for the Lawful Processing of Personal Data 1. Personal data may be processed if: 1) the data subject has given his consent; 2) a contract to which the data subject is party is being concluded or performed; 3) it is a legal obligation of the data controller under laws to process personal data; 4) processing is necessary in order to protect vital interests of the data subject; 5) processing is necessary for the exercise of official authority vested by laws and other legal acts in state and municipal institutions, agencies, enterprises or a third party to whom personal data are disclosed; 6) processing is necessary for the purposes of legitimate interests pursued by the data controller or by a third party to whom the personal data are disclosed, unless such interests are overridden by interests of the data subject. 2. It shall be prohibited to process special categories of personal data, except in the following cases: 1) the data subject has given his consent; 2) such processing is necessary for the purposes of employment or civil service while exercising rights and fulfilling obligations of the data controller in the field of labour law in the cases laid down in laws; 3) it is necessary to protect vital interests of the data subject or of any other person, where the data subject is unable to give his consent due to a physical disability or legal incapacity; 4) processing of personal data is carried out for political, philosophical, religious purposes or purposes concerning the trade-unions by a foundation, association or any other non-profit organisation, as part of its activities, on condition that the personal data processed concern solely the members of such organisation or to other persons who regularly participate in such organisation in connection with its purposes. Such personal data may not be disclosed to a third party without the data subject’s consent; 5) the personal data have been made public by the data subject; 6) the data are necessary, in the cases laid down in laws, in order to prevent and investigate criminal or other illegal activities; 7) the data are necessary for a court hearing; 8) it is a legal obligation of the data controller under laws to process such data. 3. The data about a person’s health may also be processed for the purposes and in the procedure laid down in Article 10 of this Law and other laws pertaining to health care. 4. Personal data relating to a person's record of conviction, criminal acts or security measures may be processed, for crime prevention, investigation purposes and in other cases laid down by laws, only by a state institution or agency in the manner laid down in laws. Other natural or legal persons may process such data in the cases laid down by laws provided that appropriate measures laid down in laws and other legal acts for the protection of legitimate interests of the data subject have been adequately implemented. Detailed data about previous convictions may be processed only according to the procedure laid by the Law on State Registers. Article 6. Disclosure of Personal Data In the cases laid down in this Law, personal data shall be disclosed under a personal data disclosure contract between the data controller and the data recipient in the case of a multiple disclosure or in response to a request of the data recipient in the case of a single disclosure. The contract must specify the purpose for which personal data will be used, the legal basis for disclosure and receipt, the conditions, the procedure of use and the extent of personal data that is disclosed. The request must specify the purpose for which personal data will be used, the legal basis for disclosure and receipt and the extent of personal data requested. Version of Article 6 as of 1 September 2011: Article 6. Disclosure of Personal Data In the cases laid down in this Law, personal data shall be disclosed under a personal data disclosure contract between the data controller and the data recipient in the case of a multiple disclosure or in response to a request of the data recipient in the case of a single disclosure. The contract must specify the purpose for which personal data will be used, the legal basis for disclosure and receipt, the conditions, the procedure of use and the extent of personal data that is disclosed. The request must specify the purpose for which personal data will be used, the legal basis for disclosure and receipt and the extent of personal data requested. Where personal data are processed by automatic means and appropriate measures ensuring data security are applied, in providing personal data under a personal data disclosure contract between the data controller and the data recipient priority must be given to disclosure of the data by automatic means, and when disclosing personal data at the request of the – to disclosure of data by means of electronic communications. Article 7. Use of Personal Identification Number 1. A personal identification number shall be a unique sequence of digits. A personal identification number shall be assigned to a person in accordance with the procedure laid down in the Law on Residents’ Register. 2. It shall be permitted to use a personal identification number when processing personal data only with the consent of the data subject, except in cases specified in paragraphs 4 and 5 of this Article, when the use of the personal identification number shall be prohibited. 3. A personal identification number may be used without the consent of the data subject only if: 1) such a right is laid down in this Law and other laws; 2) a scientific or statistical research is being carried out in the cases laid down in Articles 12 and 13 of this Law; 3) it is processed in State or institutional registers, provided that they have been officially  set up in accordance with the procedure laid down in the Law on State Registers, and in information systems, provided that they have been set up in accordance with the procedure laid down in legal acts; 4) it is processed by legal persons involved in activities related to granting of loans and recovery of debts, insurance or financial leasing, health care and social insurance as well as in the activities of other institutions providing and administrating social care, educational establishments, research and higher education institutions. Legal persons specified in this subparagraph may use personal identification number only for the purpose for which it has been received and only in these cases where it is necessary for a legitimate and specified purpose of personal data processing ; 5) classified data are processed in cases laid down by laws. 4. A personal identification number may not be made public. 5. A personal identification number may not be collected and processed for direct marketing purposes. Article 8. Processing of Personal Data and Coordination of the Freedom of Provision of Information to the Public The processing of personal data by the media for the purpose of providing information to the public, artistic and literary expression shall be supervised by the Inspector of Journalist Ethics. The sphere of competence thereof shall be laid down by the Law on Provision of Information to the Public. In these cases only the provisions of Articles 1, 2, 3, 4, 5, 6, 7, 30, 53 and 54 of this Law shall apply to the processing of personal data. Article 9. Personal Data Processing for the Purposes of Social Insurance and Social Assistance For the purposes of social insurance and social assistance administrative institutions of the State Social Insurance Fund and legal persons providing or administering social assistance shall exchange personal data without the data subject’s consent. Article 10. Personal Data Processing for the Purposes of Health Care 1. Personal data on a person’s health (its state, diagnosis, prognosis, treatment, etc.) may be processed by an authorised health care professional. A person’s health shall be subject to professional secrecy under the Civil Code, laws regulating patients’ rights and other legal acts. 2. Personal data processing for scientific medical research purposes shall be carried out in accordance with this and other laws. 3. Personal data on a person’s health may be processed by automatic means, also for scientific medical research purposes the data may be processed only having notified the State Data Protection Inspectorate. In this case, the State Data Protection Inspectorate must carry out a prior checking. Article 11. Personal Data Processing for the Purposes of Elections, Referendum and Citizens' Legislative Initiative 1. Processing of personal data (name, surname, date of birth, personal identification number, address of the place of residence, citizenship, number of the identification document) for the purposes of elections, referendum, citizens’ legislative initiative, political campaigns and financing of political parties shall be determined by this Law and other laws. 2. Information compiled by the Central Electoral Commission on the basis of statements and other documents submitted by candidates or their representatives and announced on the Internet website, about candidates, votes received by the candidates, lists of members of electoral or referendum committees, observers, representatives, members of initiative groups and lists of donors of political campaigns may be revised after the announcement of election or referendum results, only for the purposes of correction of language mistakes or when the information on the Internet website differs from the information in the statements and other documents delivered at the time prescribed by legal acts. Personal identification numbers of the candidates and any other persons, their citizenship or numbers of their identification documents, the exact address (street, number of the house, number of the apartment) of their place of residence may not be made public on the Internet website. Article 12. Personal Data Processing for the Purposes of Scientific Research 1. Personal data may be processed for the purposes of scientific research on condition that the data subject has given his consent. Without the data subject’s consent, personal data may be processed for the purposes of scientific research only upon notifying the State Data Protection Inspectorate. In this case, the State Data Protection Inspectorate must carry out a prior checking. 2. Personal data which have even used for the purposes of scientific research must be altered immediately in a manner which makes it impossible to identify the data subject. 3. The personal data collected and stored for the purposes of scientific research may not be used for any other purposes. 4. In the cases when the conducted research does not require personal identification data, the data controller shall provide to the data recipient such personal data from which identification of a person is not possible. 5. Research results shall be made public together with the personal data on condition that the data subject has given his consent to have his personal data made public. Article 13. Personal Data Processing for Statistical Purposes  1. Processing of personal data for statistical purposes shall mean the carrying out of statistical surveys and disclosure and storage of their results. 2. Personal data collected for other than statistical purposes may be used in the cases laid down by law for the preparation of official statistical information. 3. Personal data collected for statistical purposes may be disclosed and used for other than statistical purposes in accordance with the procedure and in the cases laid down in the Law on Statistics. 4. Personal data collected for different statistical purposes shall be compared and combined only on condition that the personal data are protected against unlawful use for other than statistical purposes. 5. Special categories of personal data shall be collected for statistical purposes solely in the form which does not permit direct or indirect identification of the data subject, except in the cases laid down by law. The Law shall be supplemented with Article 131 as of 1 September 2011: Article 131. Personal Data Processing for the Purposes of a Social and Public Opinion Survey 1. When conducting a social and public opinion survey, personal data may be processed only with the consent of a data subject. The data subject’s contact data (address, phone number) may be processed without the data subject’s consent until the first direct contact with the data subject, with the aim of contacting him. A data subject shall express his consent to or refusal of processing of his personal data for the purposes of a social and public opinion survey in the course of a direct contact with the conductor of the survey or in a written or equivalent form.  Where the data subject disagrees with the processing of his personal data personal data processing, such personal data must be immediately destroyed. 2. For the purposes of a social and public opinion survey, only the personal data which are necessary for the social and public opinion survey being conducted must be collected; the personal data used for a specific social and public opinion survey must be immediately altered in a manner which makes it impossible to identify the data subject. 3. The use of personal data collected and processed for the purposes of a social and public opinion survey for other purposes (for advertising, direct marking, commercial activities, etc.) shall be prohibited. Article 14. Personal Data Processing for the Purposes of Direct Marketing 1. Personal data may be processed for the purposes of direct marketing only after the data subject gives his consent. 2. Personal data may be processed for the purposes of direct marketing if a period for the storage of personal data is set when collecting such data. 3. The data controller must provide a clear, free-of-charge and easily realisable possibility for the data subject to give or refuse giving his consent for the processing of his personal data for the purposes of direct marketing. 4. Data controller while rendering services or selling goods in accordance with the procedure and conditions set by this Law, receives contact information (name, surname and address) from data subjects who are his customers may only use this data without a separate data subject’s consent for the marketing of his own goods or services of a similar nature provided that the customers have been given a clear, free-of-charge and easily realisable possibility not to give their consent or refuse giving their consent for the use of this data for the above-mentioned purposes at the time of collection of the data and, if initially the customer has not objected against such use of the data, at the time of each offer. Article 15. Personal Data Processing in the Field of Electronic Communications The processing of personal data in the field of electronic communications shall be governed by the Law on Electronic Communications and this Law. The Law shall be supplemented with Article 151 as of 1 July 2011: Article 151. Personal Data Processing in the Framework of Police and Judicial Cooperation in Criminal Matters as Provided for in Title V of Part Three of the Treaty on the Functioning of the European Union In the framework of police and judicial co-operation in criminal matters as provided for in Title V of Part Three of the Treaty on the Functioning of the European Union, personal data shall be processed in compliance with the Law on Legal Protection of Personal Data Processed in the Framework of Police and Judicial Co-operation in Criminal Matters and this Law. CHAPTER THREE VIDEO SURVEILLANCE Article 16. Conditions of Video Surveillance Video surveillance may be used for the purpose of ensuring public safety, public order and protecting person’s life, health, property and other rights and freedoms of persons but only in these cases when other ways or measures are insufficient and (or) inadequate for the achievement of the above mentioned purposes unless they are overridden by the interests of the data subject. Article 17. Video Surveillance in the Workplace Video surveillance in the workplace may be used only when because of the specifics of the work it is necessary to ensure security of persons, property or the public and in other cases when other means or measures are insufficient and/or inadequate for the achievement of the abovementioned purposes. Article 18. Requirements for Video Surveillance 1. Processing of image data must be set down in a written document approved by the data controller and specifying the purpose and the extent of video surveillance, the period of retention of video data, conditions of access to processed image data, conditions of and procedure for destroying these data and other requirements concerning legitimate processing of video data. 2. The data controller shall ensure that image data are processed only by persons who have been authorised by the data controller and who must be instructed on legal acts regulating legal protection of personal data and committed to abide by them against signature. Article 19. Installation of Video Surveillance Devices 1. Taking into account the specified purpose of video surveillance, video surveillance devices must be installed in such a manner so as to ensure that: 1) video surveillance does not cover a larger part of the premises or territory than it is necessary; 2) image data are collected only to such an extent that is necessary. 2. It shall be prohibited to install and operate installed video surveillance devices in such a manner that the area of surveillance covers residential premises and/or the adjacent private territory or entrance thereto, except for the cases specified by law. In common-use premises, video surveillance devices may be installed by a decision of the majority of co-owners. 3. It shall be prohibited to use video surveillance in premises where the data subject reasonably expects absolute protection of privacy and where such surveillance would undermine human dignity (e.g., toilets, changing-rooms, etc.). Article 20. Notification of the Data Subject of Video Surveillance 1. The data controller shall ensure that the following information is clearly and properly provided prior to the entrance to the premises or territory in which video surveillance is used: 1) information about the use of video surveillance therein; 2) the data controller’s details and contact information (address or phone number); Version of subparagraph 2 as of 1 September 2011: 2) the name and code of the data controller, where the data controller is a legal person, the name and surname of the data controller, where the data controller is a natural person, the contact information thereof (address or phone number). 2. The data controller may provide also other additional information relevant for ensuring the lawful processing of personal data without infringing a data subject’s rights (e.g., the purpose of video surveillance). 3. If video surveillance is used in the workplace and in the data controller’s premises or territories in which the data controller’s personnel work, the personnel must be notified of such processing of their image data against signature according to the procedure laid down in paragraph 1 of Article 24 of this Law. Version of paragraph 3 as of 1 September 2011: 3. If video surveillance is used in the workplace and in the data controller’s premises or territories in which the data controller’s personnel work, the personnel must be notified of such processing of their image data in writing according to the procedure laid down in paragraph 1 of Article 24 of this Law. CHAPTER FOUR EVALUATION OF SOLVENCY AND DEBT MANAGEMENT Version of the title of Chapter Four as of 1 September 2011: CHAPTER FOUR PROCESSING OF PERSONAL DATA ON EVALUATION OF SOLVENCY AND DEBT MANAGEMENT Version of Article 21 before 1 September 2011: Article 21. Personal Data Processing for the Purpose of Evaluating a Person's Solvency and Managing His Debt 1. The data controller shall have the right to process and disclose to third parties having legitimate interests the data, including personal identification number, of the data subjects who have failed to fulfil, in a timely and proper manner, their financial and/or property obligations to the data controller (hereinafter referred to as “debtors”) for the purpose of evaluating their solvency and managing their debt, provided that data protection requirements set out in this Law and other legal acts are duly complied with. 2. The data controller shall have the right to disclose debtors’ data, including personal identification number, to other data controllers who process consolidated debtor files (hereinafter referred to as “consolidated files”). The data controller may process consolidated files for the purpose of disclosing such data to third parties having legitimate interests so that they could evaluate the solvency of the data subject and manage his debt only if he has notified, according to the procedure laid down in Article 33 of this Law, the State Data Protection Inspectorate, which must carry out a prior checking. 3. The data controller may disclose debtors' data on condition that he has sent a written reminder to the data subject about a default on obligations and where, within 30 calendar days of the sending (submitting) date of the reminder: 1) the debt is not settled and/or the deadline for the repayment is not extended; or 2) the data subject does not contest the debt on compelling grounds. 4. The data controller may not process special categories of personal data. 5. Consolidated files may not be combined with personal data from other personal data files which have been compiled and are processed for purposes other than evaluation of solvency and debt management. 6. The data controller processing consolidated files must, upon receiving debtors’ data from the data controller referred to in paragraph 2 of this Article, provide each data subject with the following information (unless the data subject already has such information at his disposal): 1) his (the data controller’s) and his representative’s, if any, details and the address of the registered office; 2) the purposes of processing of the data subject’s personal data; 3) the sources and the type of the data subject’s data which have been collected, the recipient and the purposes for which the data are disclosed, the existence of the data subject's right of access to his personal data and his right to request rectification of incorrect, inaccurate and incomplete personal data. 7. The data about the default of data subject on a timely and proper fulfilment of his financial and/or property obligations may not be processed for a period longer than ten years from the date of settlement of the debt. Where the data subject repays his debt, data controllers must ensure that during the processing data about the data subject's default on timely and proper fulfilment of his financial and/or property obligations the following information is specified: 1) the fact of settlement of the debt by the data subject; 2) the date of the debt settlement. Version of Article 21 as of 1 September 2011: Article 21. Personal Data Processing for the Purpose of Evaluating a Person's Solvency and Managing His Debt 1. The data controller shall have the right to process and disclose to third parties having legitimate interests the data, including personal identification numbers, of the data subjects who have failed to fulfil, in a timely and proper manner, their financial and/or property obligations to the data controller (hereinafter referred to as “debtors”) for the purpose of evaluating their solvency and managing their debt, provided that data protection requirements set out in this Law and other legal acts are duly complied with. 2. The data controller shall have the right to disclose debtors’ data, including personal identification numbers, to other data controllers who process consolidated debtor files (hereinafter referred to as “consolidated debtor files”). The data controller may process consolidated debtor files for the purpose of disclosing such data to third parties having legitimate interests so that they could evaluate the solvency of the data subject and manage his debt only if he has notified, according to the procedure laid down in Article 33 of this Law, the State Data Protection Inspectorate, which must carry out a prior checking. 3. The data controller may disclose debtors’ data on condition that he has sent a written reminder by post or by means of electronic communications to the data subject about a default on obligations and where, within 30 calendar days of the sending (submitting) date of the reminder: 1) the debt is not settled and/or the deadline for the repayment is not extended; or 2) the data subject does not contest the debt on compelling grounds. 4. The data controller may not process special categories of personal data. 5. Consolidated debtor files may not be combined with personal data from other personal data files which have been compiled and are processed for purposes other than evaluation of solvency and debt management. 6. The data controller processing consolidated debtor files must, upon receiving debtors’ data from the data controller referred to in paragraph 2 of this Article, provide each data subject with the following information (unless the data subject already has such information at his disposal): 1) his/its (the data controller’s) and his/its representative’s, if any, name, code and the address of the registered office; 2) the purposes of processing of the data subject’s personal data; 3) the sources and the type of the data subject’s data which have been collected, the recipient and the purposes for which the data are disclosed, the data subject’s right of access to his personal data and the right to request rectification of incorrect, inaccurate and incomplete personal data. 7. The data about the default of data subject on a timely and proper fulfilment of his financial and/or property obligations may not be processed for a period longer than ten years from the date of settlement of the debt. Where the data subject repays his debt, data controllers must ensure that during the processing data about the data subject’s default on timely and proper fulfilment of his financial and/or property obligations the following information is specified: 1) the fact of settlement of the debt by the data subject; 2) the date of the debt settlement. Version of Article 22 before 1 September 2011: Article 22. Processing of Data on the Rendered Financial Services Related to Risk Acceptance for the Purpose of Solvency Evaluation 1. Banks and other credit institutions as well as financial undertakings engaged in credit and/or financial activities may disclose to each other the personal data (name, surname, personal identification number (in the absence of the personal identification number – data of a personal document), the type and the amount of the requested financial obligations which have been denied, the type, the amount and the terms of fulfilment of existing financial obligations, data on the fulfilment of these obligations as well as data on previous financial obligations and their fulfilment) of the data subjects to whom these banks and other credit institutions as well as financial undertakings engaged in credit and/or financial activities have rendered or intend to render financial services concerning the acceptance of the risk (as it is defined by the Law on Financial Institutions) (hereinafter referred to as “services”) and data of the data subjects providing security for obligations of the abovementioned persons to the abovementioned institutions and undertakings,  for the purposes of evaluation of solvency on the condition that the data subjects  have given their consent. 2. Banks and other credit institutions as well as financial undertakings engaged in credit and/or financial activities may obtain personal data on the conditions and within the scope of paragraph 1 of this Article only when the data subject: 1) applies to these institutions and undertakings for rendering of services or provision of security for fulfilment of financial obligations; 2) has been rendered services by these institutions and undertakings or has provided security for fulfilment of financial obligations and it is necessary to evaluate the existence of the risk for the proper fulfilment of the undertaken obligations. 3. Banks and other credit institutions as well as financial undertakings engaged in credit and/or financial activities shall ensure that the received data of data subjects are not: 1) processed for the purposes incompatible with the purposes determined before collecting the personal data; 2) stored for a period longer than 12 months, if a decision refusing to render the service is taken. 4. Banks and other credit institutions as well as financial undertakings engaged in credit and/or financial activities shall ensure that data on the services rendered, fulfilment and proper fulfilment thereof are not stored for a period longer than ten years from the date of fulfilment of these obligations, unless laws or legal acts adopted on their basis establish otherwise. Version of Article 22 as of 1 September 2011: Article 22. Processing of Personal Data on the Rendered Financial Services Related to Risk Acceptance or Creditworthiness for the Purpose of Evaluation of a Person’s Solvency and Financial Risk and Debt Management 1. Credit institutions and financial undertakings providing financial services related to risk acceptance or credit rating (hereinafter referred to as “financial services”) (hereinafter referred to as “financial institutions”) shall have the right to process and to receive from each other the personal data (name, surname, personal identification number (in the absence of the personal identification number – data of a personal document), address, phone number, the type and the amount of the requested financial and/or property obligations which have been granted or denied, the type, the amount and terms of fulfilment of existing financial and/or property obligations, data on the fulfilment of these obligations as well as data on previous financial and/or property obligations and their fulfilment, including data of data subjects contained in consolidated debtor files, also data on the income of the data subjects, the type and source of such income, data on the assets, marital status, position (occupation) and education of the data subjects) of the data subjects to whom the credit institutions and financial undertakings have rendered or intend to render financial services and of the data subjects providing security for obligations to the abovementioned institutions and undertakings,  for the purposes of evaluation of a person’s solvency and financial risk as well as debt management on the condition that the data subjects  have given their consent. 2. Where the data subject gives his consent, the data referred to in paragraph 1 of this Article may be processed for the purposes of evaluation of a person’s solvency and financial risk and debt management and be regularly updated in consolidated files of financial risk data (hereinafter referred to as “consolidated financial risk files”) under the data disclosure contracts concluded with financial institutions. Financial institutions may act as controllers of consolidated financial risk files only upon notifying, in accordance with the procedure laid down by Article 33 of this Law, the State Data Protection Inspectorate, which must carry out a prior checking. 3. Financial institutions may obtain personal data on the conditions and within the scope of paragraph 1 of this Article only when the data subject: 1) applies to these institutions for rendering of financial services or provision of security for fulfilment of financial and/or property obligations, and/or; 2) has been rendered financial services by these institutions or has provided security for fulfilment of financial and/or property obligations and it is necessary to evaluate the existence of the risk for the proper fulfilment of the undertaken obligations. 4. Financial institutions shall ensure that the received data of data subjects are not: 1) processed for the purposes incompatible with the purposes determined before collecting the personal data; 2) stored for a period longer than 12 months, if a decision refusing to render a financial service is taken. 5. Financial institutions shall ensure that data on the financial services rendered by them are not stored for a period longer than ten years from the date of rendering these services and fulfilment of obligations, unless laws or legal acts adopted on their basis establish otherwise. 6. All personal data contained in consolidated financial risk files may be provided only to financial institutions. Other persons rendering services related to the acceptance of financial risk for the purposes of evaluation of a person’s solvency and financial risk and debt management from consolidated financial risk files shall be disclosed only the following generalised data:  a person’s name, surname, personal identification code (in the absence of the personal identification number – data of a personal document) and the person’s credit rating.   7. It shall be prohibited to disclose personal data and a person’s credit rating from consolidated financial risk files for purposes other than evaluation of the person’s solvency and financial risk and debt management. 8. A data subject shall have the right to give to the controller of a consolidated financial risk file his opinion concerning determination of a person’s credit rating in accordance with the procedure laid down by Article 28 of this Law. CHAPTER FIVE RIGHTS OF THE DATA SUBJECT Article 23. Rights of the Data Subject 1. The data subject shall, in accordance with the procedure laid down in this Law, have the right: 1) to know (be informed) about the processing of his personal data; 2) to have an access to his personal data and to be informed of how they are processed; 3) to request rectification or destruction of his personal data or suspension of further processing of his personal data, with the exception of storage, where the data are processed in violation of the provisions of this Law and other laws; 4) to object against the processing of his personal data. 2. The data controller must provide the data subject with the conditions for exercising the rights laid down in this Article, with the exception of cases laid down in laws when it is necessary to ensure: 1) security or defence of the State; 2) public order and prevention, investigation, detection or prosecution of criminal offences; 3) important economic or financial interests of the State; 4) prevention, investigation and detection of violations of official or professional ethics; 5) protection of the rights and freedoms of the data subject or other persons. 3. The data controller must justify a refusal to grant the request of the data subject to exercise the rights granted to the data subject by this Law. Having received a request from the data subject, the data controller must reply him within 30 calendar days of the date of data subject’s application. Where the request of the data subject is submitted in writing, the data controller’s reply must also be executed in writing. 4. The data subject may appeal against acts (omissions) of the data controller to the State Data Protection Inspectorate within three months of receipt of the reply from the data controller or within three months of the date when the time period for giving a reply referred to in paragraph 3 of this Article expires. The acts (omissions) of the State Data Protection Inspectorate may be appealed against to court in accordance with the procedure laid down by law. Article 24. Informing the Data Subject about the Processing of Data Relating Thereto 1. The data controller must provide the data subject whose personal data he/it collects directly  from the latter with the following information, except where the data subject already has such information at his disposal: 1) the identity and permanent place of residence of himself (the data controller) and his representative, if any (where the data controller or his representative is a natural person), or details and the address of the registered office (where the data controller or its representative is a legal person); Version of subparagraph 1 as of 1 September 2011: 1) the identity and permanent place of residence of himself (the data controller) and his representative, if any (where the data controller or his representative is a natural person), or indicate the name, code and the address of the registered office (where the data controller or its representative is a legal person); 2) the purposes of processing of the data subject’s personal data; 3) other additional information (the recipient and the purposes of disclosure of the data subject’s personal data; the personal data which the data subject must provide and the consequences of his failure to provide the data, the right of the data subject to have access to his personal data and the right to request for rectification of incorrect, incomplete and inaccurate personal data) to the extent that is necessary for ensuring fair processing of personal data without infringing upon the data subject’s rights. 2. Where the data controller obtains personal data not from a data subject, he must inform the data subject thereof before commencing the processing of personal data or, if he intends to disclose the data to third parties, he must inform the data subject thereof at the latest when the data are first disclosed, except in the cases where laws or other legal acts determine a procedure for collecting or disclosing such data and data recipients. In such cases, the data controller must provide the data subject with the following information, except where the data subject already has it at his disposal: 1) the identity and permanent place of residence of himself (the data controller) and his representative, if any (where the data controller or his representative is a natural person) or details and the address of the registered office (where the data controller or its representative is a legal person); Version of subparagraph 1 as of 1 September 2011: 1) the identity and permanent place of residence of himself (the data controller) and his representative, if any (where the data controller or his representative is a natural person), or indicate the name, code and the address of the registered office (where the data controller or its representative is a legal person); 2) the purposes of the processing or the intended processing of the data subject’s personal data; 3) other additional information (the sources and the type of the data subject’s personal data which are or will be collected; the recipient of the data subject’s personal data and the purposes of the disclosure; the date subject’s right to have access to his personal data and his right to request rectification of incorrect, incomplete and inaccurate personal data to the extent necessary to ensure fair processing of personal data without infringing upon the rights of data subjects. 3. When the data controller collects or intends to collect personal data from the data subject and processes or intends to process the data for the purposes of direct marketing, before disclosing data subject’s data he must inform the data subject about the recipient of his personal data and the purposes for which his personal data will be disclosed. 4. Paragraph 2 of this Article shall not be applicable to the processing of personal data for the statistical, historical or scientific research purposes, where the disclosure of such information is impossible or too complicated (owing to a large number of data recipients, the outdated character of the data and excessively large expenses) or where the procedure for collecting and disclosing of data is laid down by law. The data controller must duly notify the State Data Protection Inspectorate thereof in accordance with the procedure laid down in Article 33 of this Law. The State Data Protection Inspectorate must carry out a prior checking. Version of paragraph 4 as of 1 September 2011: 4. Paragraph 2 of this Article shall not be applicable to the processing of personal data for the statistical, historical or scientific research purposes, where the disclosure of such information is impossible or too complicated (owing to a large number of data recipients, the outdated character of the data and excessively large expenses) or where the procedure for collecting and disclosing of data is laid down by law, also to the processing of the data subject’s contact data (address, phone number) for the purposes of a social and public opinion survey until the first direct contact with the data subject. In such cases, the data controller must duly notify the State Data Protection Inspectorate thereof in accordance with the procedure laid down in Article 33 of this Law. The State Data Protection Inspectorate must carry out a prior checking. Article 25. Data Subject’s Right of Access to His Personal Data 1. The data subject shall have the right, upon presenting to the data controller or the data processor a document certifying his identity, to obtain information on the sources and type of his personal data which have been collected, the purpose of their processing and the data recipients to whom the data are disclosed or were disclosed at least during the past year. Version of paragraph 1 as of 1 September 2011: 1. The data subject shall have the right, upon presenting to the data controller or the data processor a document certifying his identity or upon confirming his identity in accordance with the procedure laid down by legal acts or by means of electronic communications which permit a person’s identification, to obtain information on the sources and type of his personal data which have been collected, the purpose of their processing and the data recipients to whom the data are disclosed or were disclosed at least during the past year. 2. Having received an enquiry from a data subject concerning the processing of his personal data, the data controller must reply to the data subject whether the personal data relating thereto are processed, and disclose to the data subject the requested data no later than within 30 calendar days of the receipt of the data subject’s enquiry. At the request of the data subject, such data must be disclosed in writing. The data controller shall disclose such data to the data subject free of charge once per calendar year. When such data are disclosed for a fee, the amount of the fee may not exceed the cost of disclosure of the data. The procedure governing the fee for disclosure of data shall be determined by the Government. Article 26. Data Subject’s Right to Request Rectification, Destruction or Suspension of Further Processing of His Personal Data 1. Where a data subject, after familiarising with his personal data, finds that his personal data are incorrect, incomplete or inaccurate and applies to the data controller, the latter must check the personal data concerned without delay and, at a written, oral or any other request of the data subject, rectify the incorrect, incomplete and inaccurate personal data and/or suspend the processing of such personal data, except storage, without delay. Version of paragraph 1 as of 1 September 2011: 1. Where a data subject, after familiarising with his personal data, finds that his personal data are incorrect, incomplete or inaccurate and applies to the data controller, the latter must check the personal data concerned without delay and, at a written request of the data subject submitted in person, by post or by means of electronic communications, rectify the incorrect, incomplete and inaccurate personal data and/or suspend the processing of such personal data, except storage, without delay. 2. Where a data subject, after familiarising with his personal data, finds that his personal data are processed unlawfully and unfairly and applies to the data controller, the latter must check without delay and free of charge the lawfulness and fairness of the processing of personal data and, at a written request of the data subject, destroy the personal data collected unlawfully and unfairly or suspend processing of such personal data, except storage, without delay. 3. When, at a data subject’s request, the processing of his personal data is suspended, the pers …

🔗 Į oficialų šaltinį

DI paaiškinimas pagal oficialų įstatymo tekstą. Orientacinis, nepakeičia teisinės konsultacijos.