From GDPRhub
Authority: VDAI (Lithuania)
Jurisdiction: Lithuania
Relevant Law: Article 5(1)(d) GDPR
Article 5(1)(f) GDPR
Type: Complaint
Outcome: Upheld
Fine: 15000 EUR
Parties: Vilnius City Municipality Administration
National Case Number/Name:
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Lithuanian
Original Source: Lithuanian DPA (VDAI) Press release (in LT)
Initial Contributor: Linas Mockevicius

Lithuanian DPA imposes a fine of EUR 15.000,00 for a failure to implement sufficient technical and organizational measures with regards to education procedures of an adopted child.

English Summary[edit | edit source]

Facts[edit | edit source]

An applicant applied to the Vilnius City Administration (hereinafter - the Administration) with regards to the education of an adopted child. However, under the agreement concluded between the Administration and the State Registry, the information in the IT system was automatically updated once a month according to the data available in the State Registry. Due to this, the applicant's email was automatically replaced by the email of a biological father of the adopted child.

Dispute[edit | edit source]

Did the Administration fulfill its obligations under the GDPR with regards to the unilateral changes of applicant's email?

Holding[edit | edit source]

The DPA held that the Administration did not have a right under the GDPR to unilaterally change the applicant's email address according to the data provided in the State Registry. Furthermore, there are no grounds to believe that the information received from the State Registry belongs to the applicant, since the data was updated based on the child's data rather than the applicant's data in the State Registry. Hence, having processed personal data of the biological father of the child, the Administration performed a breach of principles of accuracy as well as integrity and confidentiality established in the Para 1 d and f of the Article 5 of the GDPR respectively.

Comment[edit | edit source]

An interesting idea from the DPA is that one's personal contact information such as email address, notwithstanding such information is provided in the State Registry, should be only changed by the data subject and the data controller should refrain itself from unilaterally changing, based on information in the public registries. Furthermore, it is worth mentioning that last year the Administration was imposed an order for exactly same breach of GDPR, nevertheless, no actions were taken in spite of this. This was one of the reasons why such fine was imposed. The decision could be appealed to the court.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Lithuanian original. Please refer to the Lithuanian original for more details.

The State Data Protection Inspectorate punished the Vilnius City Municipality Administration for violations of the General Data Protection Regulation. 15 thousand. A fine of EUR 1 million was imposed for incorrect processing of personal data of the adopted child's parents.

The State Data Protection Inspectorate (hereinafter - SDPI) allocated LTL 15,000 to the Vilnius City Municipality Administration (hereinafter - the municipal administration) for violations of the General Data Protection Regulation (hereinafter - BDAR). an administrative fine of EUR. The fine is imposed for violations of Article 5 (1) (d) and (f) of the BDAR - failure to implement appropriate technical and organizational measures, thus not ensuring the accuracy of the personal data processed, processing personal data of the adopted child's parents.

After conducting an investigation, the SDPI found that the applicant had submitted his data in the Centralized Application and Population Information System (hereinafter - IS) of the municipal administration when filling in the application for the adoption of the adopted child, however, according to the municipal administration agreement with the State Enterprise Register Center. The IS was updated once a month, after the automatic updating of the IS data the contact details of the applicant were updated and changed to the contact details (e-mail address) of one of the child's biological parents in the Population Register of the Republic of Lithuania (hereinafter - the Population Register).

When processing personal data, the municipal administration must follow the principle of accuracy, which stipulates that personal data must be accurate and, if necessary, kept up to date, and all reasonable measures must be taken to ensure that personal data that are inaccurate are deleted without delay. (Article 5 (1) (d) BDAR) and the principle of integrity and confidentiality, which stipulates that personal data must be processed in such a way as to ensure adequate security of personal data by appropriate technical or organizational means, including protection against unauthorized processing. authorization or unlawful processing of data and against unintentional loss, destruction or damage (Article 5 (1) (f) BDAR).

In the decision imposing a fine on the municipal administration, the SDPI stated that in a specific case, personal contact details such as e-mail address, whether or not they exist, and if listed in the Population Register, can be changed at any time and only the data subject should to change them, and not the data controller to update the data arbitrarily on the basis of the information in the State Enterprise Center of Registers. Moreover, in this case there was no reason to conclude that after updating the data from the Population Register the contact details of the applicant were obtained, as the data were updated not according to the applicant's data specified in the State Enterprise Register Center, but according to the child's data. child and the applicant. Thus, the municipal administration did not implement appropriate organizational and technical measures by handling the e-mail address of a third party (one of the child's biological parents) as the contact details of the applicant, thus failing to ensure the accuracy of the personal data processed and violating Article 5 (1) (d) and (f).

When deciding on the amount of the administrative fine, the SDPI assessed all the circumstances relevant to the application of liability to the municipal administration, such as:
- Although in the present case the breach committed by the municipal administration concerns only individuals (applicants), it is not in principle an accident and would have occurred to any person in the same circumstances due to improper technical and organizational measures of the municipal administration in processing personal data;
- That data on the adoption of the child, which is highly sensitive data, and his further education have been disclosed;
- That the infringement was committed negligently;
- That the municipal administration committed the violation repeatedly, due to a similar violation (improper implementation of organizational and technical measures without ensuring the principle of accuracy of personal data when processing the adopted child's personal data in the IS of the Municipal Administration) in 2019. was reprimanded.

The amount of the fine for the municipal administration also took into account the amount of the institution's budget for the current year and other gross annual revenues received in the previous year.

This decision of VDAI is not valid and can be appealed to a court.