VDAI (Lithuania) - 3R-345
VDAI - 3R-345 | |
---|---|
Authority: | VDAI (Lithuania) |
Jurisdiction: | Lithuania |
Relevant Law: | Article 12(3) GDPR; Article 15 GDPR |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | 11.09.2024 |
Decided: | 04.04.2025 |
Published: | 04.04.2025 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 3R-345 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Lithuanian |
Original Source: | VDAI (in LT) |
Initial Contributor: | cci |
The DPA held that the Employment Service rightfully withheld information about the identity of the unintended recipients of a data subject’s personal data in its reply to an access request. The information was unintentionally disclosed to the recipients in the course of a data breach.
English Summary
Facts
In July 2025, a data breach took place at the Employment Service of the Ministry of Social Security and Labour (the controller): the controller sent an email containing personal data to a large number of unintended recipients.
In August, one of the data subjects whose data were breached filed a request to access their data. In particular, the data subject requested the identity of all the individuals who unlawfully received their data because of the breach. The controller replied in October and informed the data subject that their data were unlawfully disclosed to 264 individuals, without mentioning their names.
The data subject filed a complaint before the DPA, claiming that the controller’s response was both late and incomplete.
The controller claimed that handling the request was difficult. Due to the data breach, the controller received an unusually high number of requests. In the controller's view, this situation justified an extension[1] of the deadline for handling the subject's request.
Holding
The identity of the recipients
The DPA held that the data subject did not have a right to know the identity of the unlawful recipients of their data, for two reasons.
First, the DPA held that Articles 33 and 34 GDPR include no obligation for controllers to disclose the identity of individual recipients following a data breach[2].
Second, the DPA held that such a disclosure would reveal the fact that the recipients were registered with the controller. The DPA concluded that, in the case at hand, the disclosure of the recipients would have violated the core principles of the GDPR and would have unjustifiably compromised the rights and freedoms of the recipients.
Therefore, the DPA dismissed the data subject's allegation that the controller's response to their access request was incomplete.
The controller's late response
The DPA conceded that, in theory, a controller could invoke an extension for handling a data subject's request when dealing with an unusually high volume of requests, in line with Article 12(3) GDPR. However, the Article also requires controllers to communicate the extension of the deadline to the data subject. In the case at hand, the controller did not do so. So, the DPA held that the controller could not invoke the extension.
Ultimately, the DPA held that the controller failed to respond in time. The DPA issued a reprimand for violating Article 12(3) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Lithuanian original. Please refer to the Lithuanian original for more details.
[1] Article 12(3) GDPR: "The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay (...)".
[2] In this regard, the DPA referred to Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 4(9) GDPR, p. 165 (Oxford University Press 2020).