
Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

Filtering by source: Lithuanian Data Protection Authority (VDAI) (15 items)

Employment Service under the Ministry of Social Security and Labor of the Republic of Lithuania: Insufficient technical and organisational measures to ensure information security

€9,000 fine - Lithuanian Data Protection Authority (VDAI)

The Lithuanian DPA has imposed a fine of EUR 9,000 against the Employment Service under the Ministry of Social Security and Labor of the Republic of Lithuania. Following a data leak involving the data of 292 clients, the DPA found that the controller had failed to implement sufficient technical and organizational measures to prevent such incidents.

Vilnius District Municipality Administration: Insufficient technical and organisational measures to ensure information security

€9,000 fine - Lithuanian Data Protection Authority (VDAI)

The Lithuanian DPA has imposed a fine of EUR 1,000 on the Vilnius District Municipality Administration. The Municipality Administration had been hacked. The attack resulted in issues and delays regarding public services, and personal data was affected. In addition, the notification to data subjects lacked information on how to protect personal data.

Vinted: Insufficient fulfilment of data subjects' rights

€2,385,276 fine - Lithuanian Data Protection Authority (VDAI)

The Lithuanian DPA has imposed a fine of EUR 2,385,276 on the second-hand online store 'Vinted'. The DPA initiated an investigation after the Polish and French DPAs forwarded complaints against the company. During its investigation, the DPA found that the company had not adequately processed deletion requests from data subjects as they had not provided specific reasons for their deletion request. It was also revealed that the company was unlawfully using 'shadow blocking' to remove users from th

Company: Insufficient fulfilment of data subjects' rights

€12,000 fine - Lithuanian Data Protection Authority (VDAI)

The Lithuanian DPA has imposed a fine of EUR 12,000 on a company providing vehicle history check services. The controller refused a data subject's request to rectify personal data and failed to provide requested information. Additionally, the controller failed to prove that the processed data was accurate or that accuracy tests had been carried out.

Company: Non-compliance with general data processing principles

€20,000 fine - Lithuanian Data Protection Authority (VDAI)

The Lithuanian DPA has fined a company EUR 20,000. The company had suffered a data breach in which personal data of 50,000 data subjects were compromised. During its investigation, the DPA found that the company had failed to implement appropriate technical and organizational measures to protect personal data. These included the lack of adequate access controls and authentication of IT system administrators in the controller's information systems. Also, the DPA found that the company failed to s

Company: Insufficient fulfilment of data subjects' rights

€8,000 fine - Lithuanian Data Protection Authority (VDAI)

The Lithuanian DPA has fined a company EUR 8,000. The controller failed to properly fulfil the data subject's right to access their personal data processed by the company. The controller partially provided information about the processing of the data subject's personal data, but the data subject was not given the opportunity to verify the legal basis (or bases) for the processing of their personal data, the specific data being processed, the purposes of processing, the retention period, etc.

Praktiškas UAB: Insufficient legal basis for data processing

€6,000 fine - Lithuanian Data Protection Authority (VDAI)

The Lithuanian DPA has fined Praktiškas UAB, the operator of SportGates sports clubs, EUR 6,000. The controller had processed biometric data of customers in the context of their access to sports facilities. During its investigation, the DPA found that the customers' consent to the processing of their biometric data could not be considered voluntary. This was because the controller did not offer the provision of any other type of information for access to the sports clubs. Nor did it provide the

UAB Prime Leasing: Insufficient technical and organisational measures to ensure information security

€110,000 fine - Lithuanian Data Protection Authority (VDAI)

The Lithuanian DPA has fined UAB Prime Leasing, the operator of the short-term car rental platform CityBee, EUR 110,000. The DPA conducted the investigation on its own initiative after information about a possible personal data breach (Art. 33 GDPR) of the company's customers became public in February 2021. According to the company, they learned about the security breach from another cybersecurity service provider who informed them that the customer data of 110,302 CityBee users had been publish

UAB VS FITNESS: Non-compliance with general data processing principles

€20,000 fine - Lithuanian Data Protection Authority (VDAI)

The Lithuanian DPA (VDAI) has imposed a fine of EUR 20,000 on UAB VS FITNESS. After receiving a notification from an individual stating that scanning a fingerprint was necessary to use the services of a sports club owned by the controller, the DPA started an investigation against the controller. The DPA's review found that the consent given by customers to have their fingerprint patterns processed was not voluntary as there were no other identification measures. In addition, the DPA found that t

Registrų Centras: Insufficient technical and organisational measures to ensure information security

€15,000 fine - Lithuanian Data Protection Authority (VDAI)

The Lithuanian DPA (VDAI) imposed a fine of EUR 15,000 on Registrų Centras. The controller is a company which manages several Lithuanian registers. The company suffered a data breach that affected 22 of these registers. During its investigation, the DPA found that the controller had not implemented adequate technical and organizational measures to protect the processing of personal data. The measures implemented by the controller were clearly not sufficient to ensure the continuous integrity, av

Nacionaliniam visuomenės sveikatos centrui (NVSC): Non-compliance with general data processing principles

€12,000 fine - Lithuanian Data Protection Authority (VDAI)

The Lithuanian DPA (VDAI) imposed a fine of EUR 12,000 on the Lithuanian National Health Service (NVSC). The DPA had opened an investigation regarding a quarantine app introduced in Lithuania during the COVID-19 pandemic in spring 2020. The IT company 'IT sprendimai sėkmei' had developed the app, which was then used by the NVSC. In the course of the investigation, the DPA found that during the app's period of use, the data of a total of 677 individuals had been processed in varying degrees. The

IT sprendimai sėkmei: Non-compliance with general data processing principles

€3,000 fine - Lithuanian Data Protection Authority (VDAI)

The Lithuanian DPA (VDAI) imposed a fine of EUR 3,000 on the company 'IT sprendimai sėkmei'. The DPA had opened an investigation regarding a quarantine app introduced in Lithuania during the COVID-19 pandemic in spring 2020. The controller had developed the app, which was then used by the Lithuanian National Health Service. In the course of the investigation, the DPA found that during the app's period of use, the data of a total of 677 individuals had been processed in varying degrees. The app w

Vilnius City Municipality Administration: Non-compliance with general data processing principles

€15,000 fine - Lithuanian Data Protection Authority (VDAI)

During the data synchronization of the Population Information System of the Municipal Administration with the databases of the State Centre for Business Registers, the personal data of an applicant for the fostering of an adopted child was replaced, due to an error, with the personal data of the biological parents, which were subsequently accessible in the Population Register of the Republic of Lithuania. This constituted a violation of the principles of integrity and confidentiality of personal

LITHUANIA DPA: Non-compliance with general data processing principles

€8,000 fine - Lithuanian Data Protection Authority (VDAI)

The Lithuanian DPA (VDAI) fined a company EUR 8,000 for conducting sound recordings on public transport buses in violation of Article 5 GDPR, Article 13 GDPR, Article 24 GDPR and Article 35 GDPR.

Payment service provider UAB MisterTango: Insufficient fulfilment of data breach notification obligations

€61,500 fine - Lithuanian Data Protection Authority (VDAI)

During an inspection, the Lithuanian Data Protection Supervisory Authority found that the controller processed more data than necessary to achieve the purposes for which it was a controller. In addition, it became known that from 09 - 10 July 2018 payment data were publicly available on the internet due to inadequate technical and organisational measures. 9,000 payments with 12 banks from different countries were affected. According to the supervisory authority, a data breach notification pursua