VDAI (Lithuania) - 3R-537

From GDPRhub
VDAI - 3R-537
Authority: VDAI (Lithuania)
Jurisdiction: Lithuania
Relevant Law: Article 5(1)(a) GDPR
Article 13(1) GDPR
Article 13(2) GDPR
Article 15(1)(b) GDPR
Article 15(1)(g) GDPR
Article 33(5) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 15.05.2025
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 3R-537
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Lithuanian
Original Source: VDAI (in LT)
Initial Contributor: cci

The DPA clarified that direct marketing and political advertising are distinct and incompatible purposes for processing personal data, and warned a politician over unlawful political advertising.

English Summary

Facts

In October 2024, a politician (the controller) sent political advertising emails about his candidacy for the Parliament. The emails included a list of all the recipients.

One of the recipients (the data subject) reached out to the data controller. She pointed out that personal data of the recipients was included in the emails and requested information about the processing of her data. The controller did not provide her with a clear answer.

The data subject later filed a complaint with the DPA. She claimed that she had never consented to receiving political advertising at her email address. She also claimed that the controller failed to reply to her request and that the inclusion of the recipients in the emails constituted a data breach.

After the complaint was filed, the controller deleted the data subject’s contacts from his database.

Holding

First, the DPA held that the candidate was a controller for the processing of personal data. So, he was under the corresponding obligations under the GDPR, including the duty to ensure the lawfulness of the data processing.

With regard to lawfulness, the controller claimed that he had previously collected the data subject’s consent for the purpose of direct marketing. In the controller’s view, this justified the processing of the data subject’s email address for the purpose of political advertising.

The DPA rejected the argument. In this regard, the DPA clarified that direct marketing and political advertising are distinct activities under Lithuanian law[1]. So, the DPA held that they also constitute different purposes for processing personal data. The DPA further observed that the purposes of direct marketing and political advertising are not only different but also incompatible.

In other words, the DPA held that the data subject's consent to the processing of her data for direct marketing did not extend to political advertising. The data controller should have collected another consent specifically for direct marketing, in order to invoke consent as a legal basis.

On these grounds, the DPA held that the controller processed personal data without a legal basis, in violation of Article 5(1)(a) GDPR.

With regard to the inclusion of other recipients’ data in the emails, the DPA held that the controller violated Article 33. The data subject herself informed the controller about the data breach. So, the controller was aware of the breach and violated his obligation to notify the DPA.

Finally, the DPA held that the controller violated Article 15 GDPR by failing to respond to the data subject’s request.

Overall, the DPA issued a warning against the controller for violating Articles 5(1)(a), 13(1), 13(2), 15(b), 15(g) and 33(5) GDPR and ordered the controller to respond to the access request. The DPA held it unnecessary to issue other remedies, as the controller was no longer a political candidate at the time of the decision.

English Machine Translation of the Decision

The decision below is a machine translation of the Lithuanian original. Please refer to the Lithuanian original for more details.

STATE DATA PROTECTION INSPECTORATE

DECISION

May 15, 2025 No. 3R-537 (2.13-1.E)
Vilnius

The State Data Protection Inspectorate (hereinafter referred to as the Inspectorate) received a complaint from [DATA NOT TO BE PUBLISHED] (hereinafter referred to as the Applicant) dated 14 October 2024 (Inspection Reg. No. 1R-6657 (2.13.Mr)) (hereinafter referred to as the complaint).

The Applicant indicated in the complaint that on 12 October 2024, she received a campaign (direct marketing) letter at her e-mail address [DATA NOT PUBLISHED] inviting her to vote for the candidate for members of the Seimas of the Republic of Lithuania (hereinafter referred to as the Seimas) [DATA NOT PUBLISHED] (hereinafter referred to as the Complainant), although she had not given consent to receive such letters. She also indicated that she received the letter together with the list of recipients, which means that other recipients also received the Applicant's personal data. She noted that her right to receive information about data processing was violated, and that she contacted the Complainant regarding the processing of personal data, but she was not given a clear answer.

The Inspectorate, having examined the Applicant's complaint within its competence, established:

The person complained about, in the response to the Inspectorate (Inspection reg. No. 1R-6973 (2.13.Mr)) (hereinafter referred to as the response), indicated that he had the Applicant's e-mail address because he had been sending her newsletters about new products or promotions in the e-shop for a long time, and that the Applicant herself had given verbal consent to receive such letters. He admits that he made a mistake in indicating all the addressees in the e-mail; he did not think that it was something bad. When the Applicant asked not to send her any more information, he deleted her contacts from his database.

The processing of personal data is regulated by the GDPR¹ and the Law on the Legal Protection of Personal Data².
According to these legal acts, the processing of personal data is considered lawful only if it complies with the principles relating to the processing of personal data set out in Article 5 of the GDPR and is justified by at least one of the conditions for lawful processing of personal data set out in Article 6(1) of the GDPR. Article 5(2) of the GDPR states that the data controller is responsible for ensuring compliance with Article 5(1) of the GDPR and must be able to demonstrate compliance (accountability principle). Article 4(7) of the GDPR establishes that a data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of data. It should be noted that during elections, both political parties and specific candidates, when processing personal data, determine the purposes of data processing and decide on the means by which data will be processed (determine the circle of persons who will be able to familiarize themselves with them, select data protection measures, etc.), thus they are recognized as data controllers and all the rights and obligations of a data controller established by the GDPR apply to both political parties, political committees, and candidates. 
¹ Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the GDPR)
² Law of the Republic of Lithuania on the Legal Protection of Personal Data (hereinafter referred to as the Law on the Legal Protection of Personal Data)

Considering that the Complainant sent the email to the Applicant as a candidate for the Seimas, he should be considered a data controller within the meaning of the GDPR and all rights and obligations of a data controller established by the GDPR apply to him.

Regarding data processing (sending campaign letters)

The Applicant indicated in the complaint that she received a campaign (direct marketing) letter to her e-mail address inviting her to vote for the Complainant, although she had not given consent to receive such letters.

The copy of the email sent to the Applicant contained in the complaint materials shows that on 12 October 2024, the Complainant sent her an email urging her to vote for him in the Seimas elections, attached a sample of the ballot paper to the email, and marked the email as political advertising.
Political advertising is positive or negative information disseminated by a state politician, political organization, its member, participant in an election political campaign, candidate, on their behalf and/or in their interests, in any form and by any means, for payment or free of charge, during the election political campaign period or between election political campaigns, which is intended to influence the election results or influence the motivation of voters when voting in elections or the dissemination of which promotes a state politician, political organization, its member or participant in an election political campaign, candidate, as well as their ideas, goals or program (Part 1 of Article 95 of the Electoral Code of the Republic of Lithuania).

Direct marketing is an activity aimed at offering goods or services to individuals by mail, telephone or other direct means and/or asking for their opinion on the goods or services offered (Article 2, paragraph 1 of the Law on the Legal Protection of Personal Data).

Taking into account the specified provisions and the content (characteristics) of the concepts of political advertising and direct marketing, political advertising should not be considered direct marketing. However, it should be noted that although the provisions of the Law on Electronic Communications³ cannot be applied to the actions of the Respondent in sending political advertising to the Applicant, such processing of personal data must comply with the requirements of the GDPR.

The Complainant indicated in its response to the Inspectorate that it has the Applicant's e-mail address because it has been sending her newsletters about new products or promotions in the e-store for a long time, and that the Applicant herself had given verbal consent to receive such letters, but did not provide any information on what basis political advertising was sent to the Applicant, i.e. did not prove either that the aforementioned e-mail was sent on the basis of consent, or other grounds for lawful processing of personal data established in Article 6(1) of the GDPR.

Although the Complainant indicated that the Applicant gave her consent to send newsletters about new products or promotions in the e-store, it should be noted that the purpose of data processing (in the case under consideration, sending political advertising) must be specified at the time of receipt of the data. If personal data are processed for a purpose other than that indicated to the data subject at the time of their collection, the new purpose must be compatible with the original one. If the purposes of data processing are incompatible, then the data may not be processed. It should be noted that if data are collected for commercial purposes, such data may not be subsequently processed for electoral purposes, as these two different purposes are incompatible.

Taking into account the above, the Inspectorate decides that the Complainant has not proven that in the case under consideration the personal data of the Applicant were processed (political advertising was sent) under the existence of at least one condition for lawful personal data processing established in Article 6(1) of the GDPR; thus the data were processed unlawfully and the Complainant violated the principle of lawfulness established in Article 5(1)(a) of the GDPR.

Taking this into account, the Applicant's complaint in the part regarding data processing (sending of campaign letters) is recognized as justified.

³ Law of the Republic of Lithuania on Electronic Communications

Regarding the rights of the data subject

The Applicant stated in the complaint that her right to receive information about data processing was violated, and that she contacted the Respondent regarding the processing of personal data, but was not provided with a clear answer.
Article 13(1) and (2) of the GDPR sets out what information must be provided to the data subject when personal data is collected from him/her.

Article 15 of the GDPR establishes the right of access to data by the data subject. Paragraph 1 of this Article provides that the data subject shall have the right to obtain from the data controller confirmation as to whether personal data relating to him or her are being processed and, where such data are being processed, the right to access the personal data and the information referred to in points (a) to (h) of this paragraph. Article 15 (b) and (g) of the GDPR establish the right to access the relevant categories of personal data and all available information about the sources of the data, where the data are not collected from the data subject.

After examining the complaint materials, it was established that on 12-10-2024, the Applicant applied to the Complainant with a request to send a document in which she (the Applicant) agreed to direct marketing, and to indicate the personal data being processed and their sources, i.e. applied for the exercise of the right to access the data, and also attached a photo showing that the e-mail address of all recipients of the letter was visible. The Complainant submitted a response to the Applicant on the same day, indicated that she (the Applicant) subscribes to the Complainant's newsletters, indicated that the personal data has not been transferred to anyone, and apologized for the inconvenience caused.

After assessing the response provided by the Respondent to the Applicant, it can be concluded that it did not provide all the information requested by the Applicant, i.e. it did not indicate which personal data of the Applicant (their categories) are processed by the Respondent, and the sources of this data. Taking this into account, it must be concluded that the Complainant has improperly implemented the requirements of Article 15(1)(b) and (g) of the GDPR.
It should also be noted that the Inspectorate, by letter No. 2R-162 (2.13.Mr) dated 15 January 2025, addressed the Complainant with an instruction to provide information in implementing the principle of accountability (hereinafter referred to as the instruction), and requested, among other things, to indicate whether the Applicant was provided with information about the processing of her personal data, as required by Article 13 of the GDPR; if so, to indicate when and what information was provided and to provide supporting evidence; if not, to justify why. The Respondent did not provide any information to the Inspectorate in its response regarding the fact that it had provided the Applicant with information about the processing of her personal data, therefore the Inspectorate decides that the information specified in Article 13(1) and (2) of the GDPR was not provided to the Applicant and the Respondent violated the requirements of Article 13(1) and (2) of the GDPR.

Taking into account the above, the Applicant's complaint regarding the rights of the data subject is recognized as justified.

Regarding the personal data security breach

Personal data must be processed in accordance with the principles set out in Article 5(1) of the GDPR. According to Article 5(1)(f) of the GDPR, personal data must be processed in such a way that appropriate technical or organizational measures ensure adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage (principle of integrity and confidentiality).

Article 4(12) of the GDPR states that a personal data breach (hereinafter referred to as an ADSP) is a security breach resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The Guidelines⁴, when explaining the concepts of unauthorised or unlawful data processing, note that this means the disclosure of personal data (or provision of access to data) to recipients who are not authorised to receive (or access) the data or the processing of data in any other form that infringes the GDPR.

⁴ Article 29 Data Protection Working Party Guidelines of 3 October 2017 on the notification of personal data breaches under Regulation (EU) 2016/679 (hereinafter referred to as the Guidelines)

The data collected during the examination of the complaint shows that the Complainant disclosed the email addresses of other persons (recipients of the letter) to the recipients of the letter in an e-mail while sending political advertising, therefore it must be concluded that an ADSP occurred in the case under consideration and, when assessing the circumstances established during the examination of the complaint, the provisions of the GDPR regulating the management of ADSPs should be applied.

Article 33(1) of the GDPR provides that in the case of a personal data breach, the controller shall notify the personal data breach to the supervisory authority competent pursuant to Article 55 without undue delay and, where feasible, not later than 72 hours after having become aware of the personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Article 33(5) of the GDPR provides that the controller shall document all personal data breaches, including the facts relating to the personal data breach, its effects and the corrective action taken.

Article 34(1) of the GDPR provides that where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall notify the personal data breach to the data subject without undue delay.
In view of the above, it should be noted that in all cases the data controller must document and analyse the personal data processing operations that have occurred in order to assess their impact on the rights and freedoms of data subjects and to implement the accountability principle provided for in Article 5(2) of the GDPR.

The Guidelines state that the requirement of Article 33(5) GDPR is linked to the accountability principle set out in Article 5(2) GDPR. The purpose of recording non-reportable and reportable breaches is also linked to the controller's obligations under Article 24 GDPR; the supervisory authority may request access to those records. Data controllers are therefore encouraged to maintain an internal register of breaches, regardless of whether they are required to report the breach or not. It is also noted that while the data controller chooses the method and system for documenting breaches, there are several elements of the information to be recorded that are mandatory in all cases – the data controller must record detailed information about the breach, indicating its causes, location and the personal data affected by the breach, and should also indicate the impact, consequences and remedial actions taken (page 28 of the Guidelines).

It is apparent from the complaint materials that the Applicant informed the Respondent that all recipients were visible in the e-mail he sent on 12-10-2024, so on the specified date the Respondent learned about the ADSP that had occurred.
In the instruction sent to the Complainant, the Inspectorate requested, among other things, to indicate whether it was assessed whether an ADSP occurred by disclosing the Applicant's e-mail address (by entering it in the visible address field), whether an investigation was conducted and, if so, whether it was determined that an ADSP occurred, and also requested to provide available documented information (investigation materials, conclusions/reports), an extract from the personal data security breach register/log and other available materials related to the event indicated in the complaint, and to explain why the ADSP was not notified to the supervisory authority, as required by Article 33 of the GDPR, and to indicate whether it was assessed whether the ADSP is likely to result in a high risk to the rights and freedoms of the data subject (if so, indicate what decision was taken, whether the ADSP was notified to the data subjects, and if not, why).

The Complainant indicated in his response to the Inspectorate that all recipients were visible in the e-mail due to an error, but did not provide any information that the ADSP was documented and other actions specified in Articles 33–34 of the GDPR were performed, therefore the Inspectorate decides that the Complainant, by sending the e-mail and disclosing the e-mail addresses of the recipients in it and not assessing that the ADSP occurred as a result of such actions of the latter and by failing to perform his duties as a data controller as provided for in Articles 33–34 of the GDPR, violated Article 33(5) of the GDPR.

Taking this into account, the Applicant's complaint in part regarding the breach of personal data security is recognized as justified.

Regarding impact measures

Paragraph 129 of the GDPR preamble provides that any measure taken by a supervisory authority must be appropriate, necessary and proportionate to ensure compliance with this Regulation, taking into account the circumstances of each specific case.
When deciding on the imposition of sanctions on the Complainant, the Inspectorate takes into account the fact that the violations are of a one-time nature (the Inspectorate has no data that the Complainant has not sent political advertising illegally for the first time, has not properly implemented the rights of the data subject, and that the Complainant has had more similar ADSPs and they have not been properly documented), i.e. the violations are not systematic.

Taking into account the above, the Complainant is ordered to exercise the Applicant's right to access the data in accordance with the submitted request for violations of Article 15(1)(b) and (g) of the GDPR, in accordance with Article 58(2)(d) of the GDPR, and for violations of Article 5(1)(a), Article 13(1) and (2), Article 33(5) of the GDPR, in accordance with Article 58(2)(b) of the GDPR, a reprimand is issued. Considering that the Complainant is no longer a candidate for members of the Seimas, an instruction to document the ADSP that occurred is not issued. The application of other measures of influence, in the opinion of the Inspectorate, would not be proportionate in the case under consideration.

The Inspectorate, taking into account the above and in accordance with Article 31(1) of the Act on the Protection of 1, point 1 of paragraph 2 of the same article, points b and d of Article 58 paragraph 2 of the GDPR, decides:

1. The complaint is deemed to be well-founded.
2. To issue a reprimand to the person complained against for violations of Article 5(1)(a), Article 13(1) and (2), and Article 33(5) of the GDPR.
3. To issue an order to the person complained against for violations of Article 15, Paragraph 1, Points b and g of the GDPR – to exercise the Applicant's right to access the data in accordance with the submitted request by 2025-06-16.
4. Inform the Applicant and the Respondent about the decision made.
This decision may be appealed to the Regional Administrative Court (address: Žygimantų g. 2, Vilnius) within one month from the date of its delivery, in accordance with the procedure established by the Law on Administrative Procedure of the Republic of Lithuania.

Deputy Director, deputy director
Danguole Morkuniene
  1. The DPA referred to Article 95 of the Electoral Code of the Republic of Lithuania (for the definition of political advertising) and Article 2 of the Law on the Legal Protection of Personal Data (for the definition of direct marketing).