New law on legal protection of personal data adopted in Lithuania
The Lithuanian Parliament finally passed the new Law on Legal Protection of Personal Data June 30. Lithuania was named among the EU outliers that failed to sort the national laws prior to the May 25 deadline.
The adopted law came into effect July 16. The State Data Protection Inspectorate and the Office of the Inspector for Journalist Ethics — both tasked with supervision and enforcement of the Law and the GDPR in Lithuania — are obliged to adopt implementing orders until July 15.
The law, which consists of 35 articles, is fairly concise, and mostly aimed at particularizing the powers of the supervisory authorities. Among other notable provisions are the following:
Territorial scope. The law applies to controllers and processors established in Lithuania, as well as to controllers following the Lithuanian law by virtue of the public international law. With respect to the businesses offering goods or services or monitoring of behavior of data subjects in the EU, the law applies only to those controllers and processors that have designated a representative in Lithuania. This seems to imply that if, for example, an Asian business targets data subjects in Lithuania, but has designated a representative in Germany, or is exempt from designating a representative (Article 27(2) of the GDPR) or hasn’t designated a representative in breach of Article 27 of the GDPR, it will not be under an obligation to comply with the law.