﻿REPUBLIC OF LITHUANIA
LAW ON LEGAL PROTECTION OF PERSONAL DATA NO. AMENDMENT I-1374
LAW


Two thousand eighteen 30 June Lot XIII-1426
Vilnius








Article 1. Law on legal protection of personal data of the Republic of Lithuania
Lot I-1374 recast
Change the law on legal protection of personal data of the Republic of Lithuania no. I-1374 and arrange it as follows::


'THE REPUBLIC OF LITHUANIA
LEGAL PROTECTION OF PERSONAL DATA
LAW


CHAPTER I
GENERAL PROVISIONS


Article 1. Purpose and application of the law
1. The purpose of this law is to protect human fundamental rights and freedoms, in particular the human right to the protection of personal data, and to ensure a high level of protection of personal data.
2. This law lays down the characteristics of the processing of personal data, the legal status and powers of the state data protection Inspectorate, the powers of the ethics inspector of journalists, the procedures for examining violations of personal data and / or privacy laws ('infringements') by the state data protection Inspectorate and the ethics inspector of journalists ('the supervisory authority') and imposing administrative fines.
3. This law shall apply in conjunction with regulation (EU) 2016/679 and its implementing legislation.
4. This law applies when:
1) processing of personal data by a controller or processor domiciled in the Republic of Lithuania in the course of its activities, regardless of whether the data are processed in the European Union or not;
2) personal data is processed by a data controller established outside the Republic of Lithuania, which is subject to the laws of the Republic of Lithuania in accordance with international public law (including diplomatic missions of the Republic of Lithuania, consular offices).);
3) the European Union data subjects ' personal data is processed by the European Union established by the data controller or the data processor, which is in accordance with Regulation (EU) 2016/679 of 27 article has appointed a representative, established in the Republic of Lithuania, and the processing activities which are related to the offering of goods or services to those data subjects in the European Union, regardless of whether these goods or services to the data subject to be paid or not, or with the conduct, when these data entities functioning of the European Union monitoring.
5. This law implements the legislation of the European Union as set out in the annex to this law.


Article 2: Basic concepts of this law
1. 'Direct marketing' means an activity which aims to offer goods or services to individuals by post, telephone or other direct means and / or to ask their opinion on the goods or services offered.
2. Public authorities and bodies – state and municipal institutions and bodies, enterprises and public bodies, financed by state or municipal budgets and public money funds and authorized by the law of the Republic of Lithuania to perform public administration or provide public or administrative services to individuals or perform other public functions.
3. Other terms used in this law shall be understood as defined in regulation (EU) 2016/679.
CHAPTER II
FEATURES OF PROCESSING OF PERSONAL DATA


Article 3. Features of processing a personal code
1. A personal number may be processed where at least one of the conditions for the legality of the processing of personal data referred to in Article 6 (1) of regulation (EU) 2016/679 exists.
2. The publication of the personal code shall be prohibited.
3. It is prohibited to process a personal code for direct marketing purposes.




Article 4. Processing of personal data and freedom of expression and information
Where personal data are processed for journalistic or academic, artistic or literary expression purposes, no regulation (EU)) 2016/679 8, 12-23, 25, 30, 33-39, 41-50, 88-91 articles.




Article 5- Specific features of the processing of personal data in cases relating to an employment relationship
1. The processing of personal data relating to convictions and criminal offences by a candidate applying for the post or job function and by a worker shall be prohibited, unless such personal data are necessary to verify that the person fulfils the requirements laid down by law and implementing legislation for the performance of the post or job function.
2. The controller may collect personal data relating to qualifications, professional abilities and business qualities of a candidate applying for a post or job function from the former employer after having previously informed the candidate and from the current employer only with the candidate's consent.
3. With regard to the processing of the video and / or audio data in the workplace and the data controller's premises or in the territories, employ its staff, with regard to the processing of personal data relating to employees ' behaviour, location or movement of the monitoring, the following personnel of the processing of their personal data must be kept informed delivery or other information fact demonstrates the way of presentation of the Regulation (EU) 2016/679, article 13 (1) and (2) the information referred to in.
4. The provisions of this article shall also apply to the processing of personal data of persons working on the basis of legal relations equivalent to those referred to in the employment law of the Republic of Lithuania and of candidates applying for employment on those grounds.




Article 6. Age of the child for whom information society services are offered for consent
Where information society services are offered directly to the child, the processing of the child's personal data shall be lawful if the consent is given by a child of at least 14 years of age in accordance with Article 6 (1) (A) of regulation (EU) 2016/679.






CHAPTER III
SUPERVISORY AUTHORITIES


Article 7- Supervision of the application of regulation (EU) 2016/679 and of this law
1. The state data protection Inspectorate shall monitor the application of regulation (EU) 2016/679 and this law and shall ensure that these laws are applied, with the exception of articles of this law, the application of which falls within the competence of the ethics inspector of journalists in accordance with paragraph 2 of this article.
2. The ethics inspector of journalists shall monitor the application of regulation (EU) 2016/679 and this law and shall ensure that this legislation applies when personal data are processed for journalistic purposes and for academic, artistic or literary expression. The ethics inspector of journalists shall carry out the tasks of the supervisory authority set out in regulation (EU) 2016/679 and shall have the powers of the supervisory authority set out in regulation (EU) 2016/679. Points (j) To (L) and (N) to (t) of Article 57 (1), points (B) and (C) of Article 58 (1), points (e), (g), (h) and (J) of Paragraph 2, points (a), (C) and (E) to (J) of Paragraph 3 of regulation (EU) 2016/679 shall not apply to the ethics inspector of journalists.
3. The state data protection Inspectorate shall represent the supervisory authorities for the application of regulation (EU) 2016/679 in the European Data Protection Board established by regulation (EU) 2016/679.
4. In order to ensure compliance with the consistency Mechanism referred to in Article 63 of regulation (EU) 2016/679, supervisory authorities shall cooperate with each other when dealing with matters falling within the competence of the ethics inspector of journalists in accordance with paragraph 2 of this article.


Article 8- Status and operating principles of the state data protection Inspectorate
1. The state data protection Inspectorate is a government agency of the Republic of Lithuania. The structure of its administration is approved by the director of the state data protection Inspectorate.
2. The activities of the state data protection Inspectorate are based on the principles of legality, impartiality, publicity, professionalism in the performance of its functions. The state data protection Inspectorate shall be independent in carrying out the tasks of the supervisory authority and the functions laid down in regulation (EU) 2016/679 and in taking decisions on their performance. Its rights can only be restrained by law.
3. State and municipal institutions and bodies of the Republic of Lithuania Seimas members and other officials, political parties and political organisations, associations, other legal and natural persons shall not be entitled to the State data protection inspectorate, its head, civil servants and employees working under employment contracts, to have any political, economic, psychological, social pressure or any other unauthorized exposure. Interference in the activities of the state data protection Inspectorate is subject to statutory liability.


Article 9- Head of the state data protection Inspectorate
1. The state data protection Inspectorate is headed by the director of the state data protection Inspectorate.
2. The director of the state data protection Inspectorate may be a citizen of the Republic of Lithuania with a bachelor of law and a master of law or a juridical professional qualification (single-level legal university education) and a minimum of 10 years of legal or legal pedagogical work and who meets the requirements laid down in Article 53 (2) of regulation (EU) 2016/679. The requirements for good repute apply to civil servants as set out in the law on Civil Service of the Republic of Lithuania.
3. The director of the state data protection Inspectorate is a state official – head of the institution, who is accepted and dismissed by the government in accordance with the law of the Government of the Republic of Lithuania for a term of 4 years. The director of the state data protection Inspectorate is accountable to the government and the minister of Justice of the Republic of Lithuania.
4. The director of the state data protection Inspectorate must suspend membership of a political party during his term of office.
5. The director of the state data protection Inspectorate is dismissed:
1) voluntarily;
2. at the end of the term of office;
3) when it is determined that he has committed serious misconduct;
4.no longer meets the requirements laid down in paragraphs 2 and 4.


 
 Article 10- Deputy director of the state data protection Inspectorate (deputies)
1. The director of the state data protection Inspectorate has a deputy (deputy).
2. The deputy director (Deputies) of the state data protection Inspectorate shall comply with the requirements laid down in Article 9 (2) and (4) of this law for the director of the state data protection Inspectorate.
3. The deputy director of the state data protection Inspectorate is accepted and dismissed by the director of the state data protection Inspectorate in accordance with the law of the State Service.


Rule 11- Tasks and functions of the state data protection Inspectorate
1. The state data protection Inspectorate shall carry out the tasks of the supervisory authority set out in regulation (EU) 2016/679.
2. The state data protection inspectorate also performs the following functions:
1) provide data subjects, controllers and processors with advice on the protection of personal data and privacy, and develop methodological recommendations on the protection of personal data and make them public on their website;
2) in accordance with the convention for the protection of individuals with regard to the automated processing of personal data (ETS no. 108), provides assistance to data subjects residing abroad;
3) cooperate with, and participate in, supervisory authorities for the protection of personal data in other countries, European Union institutions, bodies and international organisations;
4) involved in the formulation and implementation of state policy in the field of personal data protection;
5) implements the convention for the protection of individuals with regard to the automated processing of personal data (ETS no. 108) provisions;
6) other functions provided for in this law and other legal acts.


Rule 12- Powers and rights of the state data protection Inspectorate
1. The state data protection Inspectorate shall have the Supervisory Authority powers set out in regulation (EU) 2016/679.
2. The state data protection inspectorate also has the right:
1. to obtain free of charge from controllers and processors, state and municipal authorities and bodies, other legal and natural persons all necessary information, copies and copies of documents, copies of data, and access to all data and documents necessary for the performance of the tasks and functions of the Supervisory Authority;
2.in the course of the infringement proceedings, enter without prior notice the premises (including leased or used for other purposes) or the territory where documents and / or equipment relating to the processing of personal data are located. Access to the territory, buildings, premises of the legal person (including leased or used on other grounds) is possible only during the working hours of the legal person, on presentation of a civil servant certificate. Access to the dwellings of a natural person (including leased or used on other grounds), where documents and / or equipment relating to the processing of personal data are available, may be subject to a court order for permission to enter the dwellings of a natural person;
3) participate in meetings of the Seimas, the government and other public institutions when discussing issues related to the protection of personal data and / or privacy;
4) invite experts( consultants), set up working groups on the examination of the processing or protection of personal data, the preparation of personal data protection documents, as well as other issues of competence of the state data protection Inspectorate;
5) provide guidance and guidance to controllers, processors and other legal or natural persons on the processing of personal data and / or the protection of privacy;
(6) exchange information with supervisory authorities of other states for the protection of personal data and international organisations to the extent necessary for the performance of their functions;
(7) participate in court proceedings concerning infringements of the provisions of international, European Union and national law on the protection of personal data;
8) use technical means during infringement proceedings;
9) receive oral and written explanations from legal and natural persons during infringement proceedings and require them to come to the premises of the state data protection inspectorate to give explanations;
10) use of available information (including personal data) obtained during infringement proceedings or in other functions;
11) enlist police officers to maintain public order and ensure possible use of coercion;
12) other rights established by laws and regulations.
3. If the State data protection inspectorate, when hearing the complaint, has reason to believe that the European Commission's adequacy decision, on standard data protection conditions of acceptance or of approved codes of conduct for the general validity is illegal, and from the European Commission's decision is in force, belong to the State data protection inspectorate decision, it suspends the examination of the complaint and, in accordance with the law on administrative cases of the Republic of Lithuania, applies to the Supreme Administrative Court of Lithuania with a request to the competent judicial authority of the European Union for a European Commission decision on adequacy, on the adoption of standard data protection conditions or on the universal validity of the approved codes of conduct. If the supreme administrative court of the State data protection inspectorate of the request, the basis for believing that the European Commission's adequacy decision, on standard data protection conditions of acceptance or of approved codes of conduct for the general validity is unlawful, it shall adopt a decision to apply to the competent European Union judicial authority with a request for a preliminary ruling in accordance with the Treaty on the functioning of the European Union (OJ 2016 C 202, p. 47. Article 267.
4. The state data protection inspectorate also has the rights and power of the state data protection Inspectorate in the code of administrative misconduct of the Republic of Lithuania when carrying out investigations and / or inspections on its own initiative and handling complaints.
Rule 13- Obligation to protect secrets and confidential information
The state data protection inspectorate, the director, journalist ethics inspector, these supervisory authorities, civil servants and employees working under the employment contract, must keep state, office, professional, commercial, or other laws of the protected secret information, as well as any other confidential information gained in carrying out its tasks or exercising its powers and the performance of their duties, to the extent and at the end of their service (work) relationship.


Rule 14- Mandatory requirements of the Supervisory Authority
Legal and natural persons shall exercise supervisory authority's requirements (including the requirement for entry into the supervisory authorities of the premises to give explanations, but not limited to, promptly provide information and / or explanations, copies of the documents and the copies, the copy of the data, facilitating the access to all data and / or equipment related to the processing of personal data, and documents required for the supervisory authorities to perform the functions.


CHAPTER IV
AUTHORISATION OF TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS BY THE STATE DATA PROTECTION INSPECTORATE AND ACCREDITATION OF CERTIFICATION BODIES


Rule 15 - Authorisation by the National Data Protection Inspectorate for the transfer of personal data to third countries or international organisations in accordance with Article 46 (3) of regulation (EU) 2016/679
1. The National Data Protection Inspectorate shall, in accordance with Article 46 (3) of regulation (EU) 2016/679, provide the controller with an authorisation for the transfer of personal data to a third country or international organisation or a reasoned written refusal to grant such authorisation no later than 20 working days. This period is calculated from the date on which the state data protection Inspectorate receives all the documents and information necessary for obtaining the permit.
2. Due to the complexity of the circumstances, the extent of the information or other significant objective circumstances, the time limit for the authorisation of the transfer of personal data to a third country or international organisation laid down in Paragraph 1 may be extended once to 10 working days. The National Data Protection Inspectorate, having taken a decision to extend the time limit referred to in Paragraph 1, shall notify the controller of the extension of the time limit and the reasons for the extension without delay, but no later than the time limit referred to in Paragraph 1.
3. The procedure for authorising the transfer of personal data to third countries or international organisations shall be laid down by the state data protection Inspectorate.


Rule 16- Accreditation of certification bodies
1. Certification bodies shall be accredited in accordance with Article 43 of regulation (EU) 2016/679 and the procedure for issuing accreditation and accreditation certificates shall be determined by the state data protection Inspectorate.
2. Certification bodies wishing to be accredited shall bear the costs of accreditation at rates approved by the government.


CHAPTER V
INFRINGEMENT PROCEEDINGS BY SUPERVISORY AUTHORITIES


SECTION ONE
GENERAL PROVISIONS


Rule 17- Rights and obligations of the person examined, the applicant, the person complained of and the person suspected of committing the infringement
1. The person subject to scrutiny, where the state data protection Inspectorate carries out an investigation and / or inspection on its own initiative, the applicant and the complainant, where the supervisory authority deals with a complaint, as well as the person suspected of committing an infringement during the administrative penalty procedure, shall have the rights and obligations set out in regulation (EU) 2016/679 and this law.
2. The person being examined, the applicant, the person being appealed and the person suspected of committing the infringement shall also have the right:
1) to obtain explanations on the subject matter and grounds of the investigation and / or inspection or complaint;
2) on its own initiative to provide additional explanations and / or information relating to the conduct of the investigation and / or inspection or the handling of the complaint;
3) appeal against the actions or omissions of the Supervisory Authority;
(4) access to the material of the investigation and / or inspection, the handling of the complaint and the imposition of an administrative fine, except for information which constitutes state, official, professional, commercial or other information protected by law.
3. Considered that this article referred to in paragraph 1, the persons are adequately informed and for them properly notified, if the supervisory authority of this section in cases of decisions, reports, other documents and information to these persons in the sending of the Republic of Lithuania register of legal entities of the specified address or to the Republic of Lithuania entered in the population register specified in the address, unless the person refers to another correspondence address for service or the register of Legal entities or entered in the Population register specified in the personal electronic parcel delivery address.


Rule 18- Issue of court permits to enter the dwellings of natural persons
1. When the supervisory authority decides to enter the premises of a natural person (including leased or used on other grounds) when investigating the infringement, it submits an application to the Administrative Court of Vilnius District for permission to enter the premises of a natural person.
2. An application for a judicial authorisation to enter a natural person's dwelling shall include the name of the natural person, the address of the dwelling, the nature of the alleged infringement and the actions to be taken.
3. After examining the application for permission from the court to enter the residential premises of a natural person, Vilnius District Administrative Court makes a reasoned order to grant or reject the application.
4. The application for permission from the court to enter the dwelling of a natural person must be examined and the order issued no later than 72 hours from the date of submission of the application.
5. If the supervisory authority does not agree with the Order of the Administrative Court of Vilnius District to reject the application for permission to enter the residential premises of a natural person, it has the right to appeal this order to the Supreme Administrative Court of Lithuania within 7 calendar days from the date of adoption of the order.
6. The Supreme Administrative Court of Lithuania shall examine the complaint of the supervisory authority against the Order of the Administrative Court of Vilnius District no later than 7 calendar days from the date of receipt of the complaint. A representative of the supervisory authority shall have the right to participate in the examination of the complaint.
7. The order issued by the Supreme Administrative Court of Lithuania on the complaint of the supervisory authority against the Order of the Administrative Court of Vilnius District is final and does not appeal.
Rule 19- Provision of information on the Supervisory Authority's infringement proceedings
The supervisory authority is the information of the existence of the proceedings of the society of information measures, the other with the investigation and / or verification of the performance or the examination of unrelated persons not until the study and (or) the inspection or the appeal hearing is not completed, unless the supervisory authority may provide information about the survey and / or inspection or complaint fact, when the information is given not to the supervisory authorities of the initiative.


SECOND SECTION
CARRYING OUT INVESTIGATIONS AND / OR INSPECTIONS AT THE INITIATIVE OF THE STATE DATA PROTECTION INSPECTORATE


Article 20- Investigations and / or inspections carried out at the initiative of the state data protection Inspectorate and the procedure for carrying out them
1. The state data protection Inspectorate May, on its own initiative, open an investigation and / or inspection on any matter relating to a possible breach of regulation (EU) 2016/679, this law and other laws on the protection of personal data and / or privacy.
2. The basis to initiate an investigation and / or inspection of the State data protection inspectorate of the initiative may be the public, authorities and institutions of the other member of the personal data protection supervisory authorities, international organisations, national and international non-governmental organizations or other sources, as well as media information personal data and (or) the protection of privacy issues. The state data protection Inspectorate May, on its own initiative, launch an investigation and / or inspection without relying on information provided by other sources.
3. The state data protection Inspectorate shall, on its own initiative, carry out investigations and / or inspections in relation to the possible violation of regulation (EU) 2016/679, this law and other laws on the protection of personal data and / or privacy in accordance with the procedures laid down by that legislation and by the state data protection Inspectorate.
4. Article 60 of regulation (EU) 2016/679 shall not apply to investigations and / or inspections carried out on the initiative of the National Data Protection Inspectorate.


Rule 21- Time limits for carrying out an investigation and / or inspection at the initiative of the state data protection Inspectorate
1. The investigation and / or inspection shall be carried out at the initiative of the state data protection Inspectorate for a maximum period of 4 months after the decision to carry out the investigation and / or inspection.
2. With regard to the investigation and / or verification of the complexity of the subject of the personal nature of the activity, investigation and / or verification of the scale, the personal and other legal entities or natural persons to avoid execution of the State data protection inspectorate requirements, survey and / or inspection at the time of paaiškėjusias new circumstances or other objective reasons set out in paragraph 1, the term of the State data protection inspectorate of the decision may be extended, but not longer than 2 months. The total time limit for carrying out an investigation and / or inspection at the initiative of the state data protection Inspectorate shall not exceed 6 months after the decision to carry out the investigation and / or inspection has been taken. The State Data Protection Inspectorate shall notify the person subject to the inspection without delay and at the latest by the expiry of the time limit referred to in Paragraph 1 of this article of the extension of the time limit for investigation and / or verification and of the reasons for the extension.


Rule 22- Decisions of the state data protection Inspectorate following an investigation / own-initiative inspection
1. The state data protection Inspectorate shall, upon completion of the investigation and / or inspection on its own initiative, decide on a reasoned basis::
(1) finding that no irregularities have been detected;
2.to provide the controller and / or the processor with instructions, recommendations and / or other measures referred to in Article 58 (2) of regulation (EU) 2016/679, Article 33 of this law and other laws on the protection of personal data and / or privacy. Where an administrative fine is to be imposed, the actions referred to in the fourth section of this chapter shall be carried out;
3.draw up a record of administrative misconduct against the person who committed the offence.
2. The decision taken shall be notified in writing by the National Data Protection Inspectorate no later than 3 working days from the date of the decision to the person subject to scrutiny, except in the case referred to in Paragraph 1 (2) where an administrative fine is intended to be imposed.
3. Decisions of the state data protection Inspectorate may be appealed to the court in accordance with the law on administrative matters.


SECTION THREE
HANDLING OF COMPLAINTS


Rule 23- Complaints procedure
1. The supervisory authority shall deal with complaints of breaches of regulation (EU) 2016/679, this law and other laws on the protection of personal data and / or privacy in accordance with the procedures laid down by the supervisory authority.
2. Where Article 60 of regulation (EU) 2016/679 is used in the examination of a complaint, Article 30 (2) of that law shall not apply.


Rule 24- Submission and content of the complaint
1. The following applicants are entitled to lodge a complaint with the state data protection Inspectorate:
1) data subject referred to in Article 77 (1) of regulation (EU) 2016/679-for infringements of regulation (EU) 2016/679;
2) data subject-breaches of this and other laws on the protection of personal data and / or privacy;
3.natural or legal person – for violations of the ninth section of the law on electronic communications of the Republic of Lithuania, with the exception of articles 61 (5), 64 (7) and 68 (2).
2. The data subject referred to in Article 77 (1) of regulation (EU) 2016/679 shall be entitled to lodge a complaint with the ethics inspector of journalists in respect of infringements of regulation (EU) 2016/679.
3. A written complaint may be lodged directly on arrival at the supervisory authority, by post or by electronic means.
4. The complaint lodged by the representative of the applicant shall be accompanied by a document certifying the authority of the representative of the applicant. To the complaint, which paragraph 1 (1, 2), or 2) the applicant shall submit to the non-profit body, organisation or association in accordance with the Regulation (EU) 2016/679 80 (1) of the law of protection of personal data and (or) the protection of privacy, in addition, must be accompanied by documents proving that it works for the protection of personal data.
5. The complaint shall state::
1. addressee-Supervisory Authority;
2) census date of complaint;
3. particulars of the applicant and his representative, if any:
(a) name, contact details of the natural person;
(B) name, code and contact details of the legal person;
(c) grounds for representation where the complaint is lodged by the applicant's representative;
4. identity of the person under appeal( name and code of the legal person, name and surname of the natural person), contact details, if known;
5. description of the acts (inaction) under appeal, the time and circumstances in which they were committed;
6) application by the applicant to the Supervisory Authority;
7.the signature of the applicant or of his representative, if any; a complaint lodged by electronic means must be signed by the applicant or his representative, if any, with a Qualified Electronic Signature, or formed by electronic means which ensure the integrity and immutability of the text.
6. The complaint must be accompanied by the documents available to deal with the complaint, or a description thereof.


Rule 25- Anonymous complaints
Anonymous complaints shall not be dealt with unless the director of the state data protection inspectorate or the ethics inspector of journalists decides otherwise.


Rule 26- Acceptance of the complaint
The acceptance of the complaint or part thereof shall be confirmed by the supervisory authority in writing. This letter shall state the date of receipt of the complaint, the name of the representative of the supervisory authority dealing with the complaint or part of it, the telephone number, the registration number of the complaint and the possibility of defending the rights of the applicant in court. A document confirming the receipt of the complaint or part of it shall be served on the applicant, sent by post or by electronic means no later than 3 working days from the date of receipt of the complaint by the supervisory authority.
Rule 27- Refusal of Appeal
1. The Supervisory Authority shall take a decision to refuse to deal with a complaint or part of a complaint and shall inform the applicant no later than 5 working days from the date of receipt of the complaint by the supervisory authority, indicating the grounds for refusal or part of the complaint (pleas), if:
1.the complaint or part of it does not comply with the requirements laid down in Article 24 (5) of this law concerning the content of the complaint. The absence of the information referred to in Article 24 (5) of this law in the complaint may not constitute grounds for refusing to deal with the complaint if the complaint without that information can be dealt with;
2. investigation of the circumstances or part of the circumstances of the complaint does not fall within the competence of the Supervisory Authority;
3. the complaint, or part of it, has been examined by the supervisory authority on the same subject, except where new circumstances or new facts are indicated;
4) the complaint or part of it has been dealt with or is pending before the court of the Republic of Lithuania or another member state of the European Union;
5) the complaint or part of it has been dealt with in the same matter by the Supervisory Authority of another member state of the European Union;
6) a pre-trial investigation is opened in relation to the subject of the complaint or part of it;
7) the text of the complaint is not readable, the applicant's request is not clearly worded or the content of the complaint is not understood;
8.more than 2 years have elapsed between the infringement referred to in the complaint or part thereof and the lodging of the complaint.
2. Where the investigation of the circumstances or parts of the circumstances contained in the complaint does not fall within the competence of the Supervisory Authority, the supervisory authority shall forward the complaint or part of it to the competent authority within the time limit referred to in Paragraph 1 and shall inform the applicant thereof. Where the Competent Authority is a court, the appeal or part of it shall be returned to the applicant by providing information on where it should be addressed.


Rule 28- Requirement for additional documents and / or information from the applicant
1. The supervisory authority shall require the applicant to provide additional documents and / or information necessary for the examination of the complaint or part of the complaint. The applicant shall be informed of the consequences of not providing additional documents and / or information.
2. The applicant must, at the request of the Supervisory Authority, provide the additional documents and information necessary for the examination of the complaint or part of it within the time limit specified by the supervisory authority, but no later than 10 working days from the date of receipt of the supervisory claim.


Rule 29- Termination of the complaint
1. The Supervisory Authority shall take a decision to terminate the examination of a complaint or part of a complaint, if the examination of the complaint or part of the complaint:
( 1) a request from the applicant not to examine the complaint or part of the complaint is received;
2. it appears that there are grounds (pleas in law) referred to in Article 27 (1) (2) to (6), (8) for refusing to deal with the complaint or part of the complaint;
3. the applicant, at the request of the Supervisory Authority, does not provide additional documents and / or information without which it is not possible to examine the complaint or part of it;
4) it turns out that the complaint, or part of it, cannot be examined due to lack of information or other material circumstances;
5) it turns out that the applicant has died.
2. The termination of the examination of the complaint or part of it shall be notified to the applicant no later than 3 working days after the decision referred to in Paragraph 1, except in the case referred to in Paragraph 1 (5).


Rule 30- Time limits for informing the applicant and dealing with the complaint
1. The Supervisory Authority shall inform the applicant of the progress of the complaint, if the complaint or part of it is not addressed, or of the outcome no later than 3 months from the date of receipt of the complaint by the supervisory authority.
2. The complaint, or part of it must be examined and the applicant answered within 4 months of receipt of the complaint with the supervisory authority of the day, unless the complaint or referred to or during the examination of the paaiškėjusių circumstances, the complexity, the level of information of the judgment under appeal of the person and other legal entities or natural persons evasion of the exercise of the supervisory authority's requirements, skundžiamų action of the continuous nature or other objective reasons, the complaint or part of the proceedings to extend. In these cases, the time limit for the examination of the complaint or part of it shall be extended, but not more than 2 months. The total time limit for processing a complaint or part of a complaint may not exceed 6 months from the date on which the complaint was received by the supervisory authority. The extension of the time limit and the reasons for the extension shall be notified to the applicant. The complaint or part of it must be dealt with in the shortest possible time.


Rule 31- Decisions of the Supervisory Authority following a complaint
1. The Supervisory Authority shall decide on a reasoned basis after the conclusion of the examination of the complaint or part of the complaint.:
1) declare the complaint or part of it justified;
2. dismiss the complaint or part of it.
2. Where the complaint or part of it is found to be justified, the state data protection Inspectorate shall state the reasons:
1.provide the controller and / or the processor with instructions, guidance and / or other measures as referred to in Article 58 (2) of regulation (EU) 2016/679, Article 33 of this law and other laws on the protection of personal data and / or privacy. Where an administrative fine is to be imposed, the actions referred to in the fourth section of this chapter shall be carried out;
2.draw up a record of administrative misconduct against the person who committed the offence.
3. Where a complaint or part of a complaint is found to be justified, the ethics inspector of journalists shall provide the controller and / or the processor with instructions, recommendations and / or other measures referred to in Article 58 (2) of regulation (EU) 2016/679 and Article 33 of this law on a reasoned basis. Where an administrative fine is to be imposed, the actions referred to in the fourth section of this chapter shall be carried out.
4. The decision taken shall be notified in writing by the supervisory authority to the applicant and to the person appealed, except in the cases referred to in Paragraph 2 (1) and (3), where an administrative fine is intended to be imposed, no later than 3 working days after its adoption.
5. The decision of the supervisory authority may be appealed to the court in accordance with the law on administrative justice.
SECTION FOUR
ADMINISTRATIVE FINES


Rule 32- Procedure for imposing administrative fines
1. The supervisory authority shall impose administrative fines for infringements of regulation (EU) 2016/679 and this law in accordance with regulation (EU) 2016/679 and this law.
2. Administrative fines are imposed by the director of the state data protection inspectorate or by the ethics inspector of journalists or by a person authorized by them.
3. A decision on the imposition of an administrative fine may be taken provided that no more than 2 years have elapsed from the date on which the infringement was committed and, in the case of the infringement, from the date on which it became manifest.


Rule 33- Administrative fines imposed on public authorities or bodies
1. Public authority or body, pažeidusiai Regulation (EU) 2016/679 article 83 (4) (a), (b) and (c) the supervisory authority has the right to appoint an administrative fine of up to 0.5 per cent of the public authority or institution for the current year budget and the other last year received gross annual income, but not more than thirty thousand euros.
2. Public authority or body, pažeidusiai Regulation (EU) 2016/679 article 83 (5) (a)–(e) and (or) of Regulation (EU) 2016/679 83 (6), the supervisory authority has the right to appoint an administrative fine of up to 1 per cent of the public authority or institution for the current year budget and the other last year received gross annual income, but not more than sixty thousand euros.
3. The Supervisory Authority shall be entitled to impose the administrative fine referred to in Article 83 (4), (5) and (6) of regulation (EU) 2016/679 for infringement of the provisions of regulation (EU) 2016/679 on a public authority or body carrying out an economic commercial activity.


Rule 34- Procedure for imposing administrative fines
1. The supervisory authority shall send the person suspected of committing the infringement a document containing a proposal for an administrative fine. Infringement offence suspected person shall be offered within the supervisory authorities of the prescribed period, which shall not be less than 10 working days of the supervisory authorities of the receipt date to submit written comments on this document set out the circumstances, except when such explanations have already been obtained during the investigation and / or inspection or examination of a complaint, provide information significant to the appointment of an administrative penalty and to express an opinion on the proceedings of the oral procedure. The failure to provide explanations and other information within the time limit referred to in this paragraph shall not preclude the issue of the imposition of an administrative fine.
2. A supervisory authority prepared to hear a case shall normally deal with it by written procedure in accordance with the explanations provided to it. A hearing shall not be held following a written procedure.
3. The supervisory authority may, at the request of a person suspected of committing an infringement or on its own initiative, decide, on the grounds of the complexity of the circumstances or other relevant circumstances, to proceed to oral proceedings where oral explanations of the person suspected of committing an infringement are necessary or in other cases where the case may be better dealt with by oral procedure. In oral proceedings, the person suspected of committing the infringement, the applicant and other interested persons must be informed of the place, date and time of the hearing at which the case is pending no later than 10 working days before the date of the hearing.
4. The hearing at which the case is pending may be attended by the person suspected of committing the infringement and by other persons whose presence is necessary for the proper investigation of the case.
5. The absence of a person suspected of committing an infringement or of his representative shall not prevent proceedings if the person suspected of committing the infringement has been duly informed of the hearing and has failed to provide evidence that he is unable to appear for serious reasons.
6. The meeting of the proceedings are open to the public, except in cases where the supervisory authority shall on its own initiative or the infringement offence suspected individual and (or) the applicant shall decide upon the application-examination of the case in closed session in order to protect the public, staff, professional, trade secrets or other laws protected the secrets or to ensure the rights of the individual to privacy and (or) the protection of personal data.
7. The hearing on the case is held in Lithuanian.
8. An audio recording of the hearing shall be made during the hearing in which the case is pending. It shall be kept in the minutes of the meeting.
9. Where the case is dealt with by written procedure, the Supervisory Authority shall take a decision on the imposition of an administrative fine within 20 working days of the expiry of the time limit laid down by the supervisory authority in the document referred to in Paragraph 1. If the case is dealt with by oral procedure at the hearing, the Supervisory Authority shall take a decision on the imposition of the administrative fine within 20 working days of the date of the hearing. The supervisory authority shall send a decision on the imposition of an administrative fine to the person concerned and to the applicant no later than 3 working days from the date of adoption.
10. The decision of the supervisory authority on the imposition of the administrative fine shall be reasoned. It must specify:
1. name of the issuing authority;
2. date and place of hearing;
3) details of the person to whom the decision has been made;
4) legal basis for decision-making;
5) irregularities, if found and their circumstances;
6) evidence collected and its assessment;
7) explanations (if any) of the person suspected of committing the offence and other persons, their assessment;
8) decision taken-to impose or not impose an administrative fine;
9) time limits and procedures for appeal.
11. The decision of the supervisory authority imposing an administrative fine may be appealed to the court in accordance with the law on administrative justice.


Rule 35- Enforcement of a decision imposing an administrative fine
1. The decision of the supervisory authority imposing an administrative fine must be implemented no later than 3 months from the date on which it was sent or served on the person to whom the administrative fine was imposed. In the event of an appeal against a decision of the supervisory authority imposing an administrative fine, it must be enforced no later than 3 months from the date on which the judgment became effective. The administrative fine must be paid to the state budget.
2. The decision of the supervisory authority on the imposition of an administrative fine is an executive document, executed in accordance with the procedure established by the code of Civil Procedure of the Republic of Lithuania. It can be submitted for execution no later than 3 years from the date of its adoption.


Republic Of Lithuania
legal protection of personal data
law
accessory


IMPLEMENTING EUROPEAN UNION LEGISLATION


1. Two thousand sixteen 27 April Regulation (EU) 2016/679 of the European Parliament and of the council on the protection of Natural Persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1).“


Article 2: Entry into force, implementation and application of the law
1. This law, with the exception of Paragraph 2 of this article, shall enter into force in 2018. 16 July
2. Government of the Republic of Lithuania, State Data Protection Inspectorate and ethics inspector of journalists until 2018. 15 July adopt implementing acts of this law.
3. Since the entry into force of this law, references to the law on the legal protection of personal data of the Republic of Lithuania in the laws and regulations of the Republic of Lithuania shall be construed as references to the law on the legal protection of personal data of the Republic of Lithuania in 2016. 27 April The european Parliament and Council regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General data protection regulation) (hereinafter – Regulation (EU) 2016/679) and, where applicable, the Personal data protection act.
4. The director of the state data protection inspectorate, who was admitted to office before the entry into force of this law, holds this post until the end of the term for which he was appointed.
5. Until the date of application of regulation (EU) 2016/679, authorisations granted by the state data protection inspectorate to carry out processing of personal data shall be valid for as long as the processing of personal data for which the authorisation is granted changes.


I declare this law adopted by the Seimas of the Republic of Lithuania.




President Of The Republic Dalia Grybauskaitė