Investor's Legal Brief, May 2019

  • Lithuania
  • Other


1.    First significant fine was imposed for the breaches of the General Data Protection Regulation in Lithuania

The State Data Protection Inspectorate (SDPI, Inspectorate) has imposed a fine of EUR 61 500 on UAB ‘MisterTango’ for breaches of the General Data Protection Regulation (GDPR). According to the Inspectorate, the start of imposing fines under the General Data Protection Regulation should be a significant signal to other companies which only declaratively comply with the provisions of the above legal acts.
According to the SDPI notice, the sanctions were imposed on MisterTango UAB for the breaches of Articles 5, 32 and 33 of the afore-mentioned Regulation, i.e. the personal data breach in the payment initiation service system which, inter alia, has also not been reported to the supervisory authority. The SDPI carried out an investigation and imposed a fine taking into account the received information on the personal data of bank customers which was made public and the possibly committed personal data breach at MisterTango UAB. Having carried out the investigation, the Inspectorate has determined that the company breached the requirements of the GDPR as it improperly processed personal data in screenshots (SS), made personal data publicly available and failed to report the personal data breach to the personal data protection supervisory authority.
Regarding improper processing of personal data. In the light of the information collected during the investigation and the provided clarifications, it has been determined that MisterTango UAB processes (accesses, collects) more personal data than it indicates as necessary for effecting the payment initiated by the payer itself. The Inspectorate considers that, for the purposes of implementation of the data minimisation principle, only data necessary for completion of payment should be collected. However, in addition to the afore-mentioned data, the company also collected such data as dates of provision of not reviewed electronic invoices, names of the pension funds, accumulated units and value thereof, accumulated amounts and so on.
Regarding the failure to give the notification of the personal data breach. According to the SDPI, the afore-mentioned incident, where unauthorised persons were granted access to personal data on the Internet for 2 days, should be considered a data breach which must be reported to the supervisory authority. Therefore, MisterTango UAB was obliged to notify the Inspectorate of the personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it. As MisterTango has failed to notify the Inspectorate of the breach, it breached Article 33 of the GDPR.
According to the press release of the SDPI, when deciding on the amount of the administrative fine, the Inspectorate took into account all circumstances relevant to extending liability to MisterTango UAB, for example, that the company processed the personal data in a non-transparent manner, to a greater extent and longer than necessary for achievement of the purpose of the processing; that the unlawful processing was done systematically; that it failed to ensure security of the personal data at the moment of the personal data breach; and that it failed to report to the supervisory authority the personal data breach which had occurred and which had an impact on personal data allowing direct identification of the data subject.
Based on publicly available comments provided by the UAB ‘MisterTango’, the company is going to appeal the SDPI decision.
This is the first significant fine imposed by the SDPI since the GDPR became applicable, which makes data controllers review the compliance of their personal data protection practices with the applicable laws. Data controllers should pay close attention to the amount of data processed and compliance with the data minimisation principle, and to suitable and actual (not only formal) implementation of data protection policies and procedures. Once a breach occurs, in cases established in the GDPR the data controller shall immediately inform as well as cooperate with the SDPI – non-compliance with this legal obligation might result in the strictest sanctions established.

2.    As of 15 May, international call and SMS tariffs become cheaper

As of 15th of May, 2019, a new maximum price will apply for all international calls and SMS within the EU. Consumers calling from their country to another EU country will pay a maximum amount of 19 cents per minute (+VAT) and 6 cents per SMS message (+VAT).
According to the data provided by the Communications Regulatory Authority (CRA), until the 15th of May, citizens of Lithuania calling from the fixed-line network to the fixed-line network of another EU member state paid from 43 to 47 euro cents per minute. A call from the fixed-line network to a mobile network used to cost from 58 to 63 euro cents per minute, whereas a call from a mobile network to a mobile and/or fixed-line network cost from 37 to 89 euro cents per minute. The price for the Short Message Service (SMS) ranged from 14 to 39 euro cents. As of 15th of May, the new rules on international calls will allow expenses for calls to other EU member states to be lowered by 45 to 80 per cent.
These provisions are applicable only to natural persons using the services for their own needs. Business clients are not subject to these rules having in mind that certain service providers provide the business clients with extremely attractive offers.
According to the press release of the European Commission, telecommunications operators in the EU will have to notify customers of the new maximum prices. Such rules will be applicable in all 28 member states and will come into force soon in Norway, Iceland and Liechtenstein.

3.    State Data Protection Inspectorate has summarized most often occurring cases when the claims submitted to the Inspectorate are recognized as unfounded

State Data Protection Inspectorate (SDPI, Inspectorate) has provided a summary of most often occurring cases when the claims provided by the data subjects are considered as unfounded. The Inspectorate provides that upon the day when the General Data Protection Regulation (GDPR) has become applicable, it is clear that the awareness of Lithuanian citizens regarding data and privacy protection as well as human rights in this area has increased significantly. The awareness is also proven by the amount of claims received by the SDPI. In the year of 2017, the Inspectorate has received 480 claims, in 2018 – 859, and in the 1st quarter of 2019, the Inspectorate has already received 584 claims. The SDPI indicates that there are quite a lot of cases when the claims are recognized as unfounded and the examination of the claims is terminated. Most of these cases appear regarding the following types of data-involving areas:
•    Direct marketing – the Inspectorate notes that it is a usual case that data subjects believe that upon the applicability of the GDPR, data controllers and data processors are required to obtain a consent from the data subject for the direct marketing once again, however, it is not always the case;
•    Video surveillance – in some cases, the claims are submitted because of the cameras that do not actually perform any video surveillance, the cameras are fake, the video surveillance is performed by a natural person for purposes not related to the person’s business or profession, or when the video surveillance is performed in the territory belonging to several persons upon a consent from the majority of co-owners;
•    Information check from the registries – people tend to make a mistake that the information from the public registries may only be collected upon data subject’s consent or it is forbidden at all;
•    Transfer of personal data of debtor – when the personal data is transferred to be processed to other data processor to recover the debt and it is performed in the light of applicable legal requirements;
•    Fulfilling the legal obligation – respective authorities perform data processing in cases when applicable legal acts establish a legal duty to perform such data processing;
•    Time period of implementation of subjects’ rights – persons who exercise their rights as data subjects expect to receive the answer from the data controller or data processor straight away, and if the answer is not provided in due course, they submit a claim to the SDPI; however, it should be noted that the GDPR establishes a time period of 1 month for the person performing data processing activities to prepare an answer to the request of the data subject.

4.    State Data Protection Inspectorate has published the results from the investigation on biometric data processing in sports clubs

The SDPI has performed several investigations in sports clubs owned by 3 companies regarding the processing of biometric data. After having completed the investigation, it has been established that companies process the fingerprint models, the so-called binary codes, for the purpose of entering the sports club and workplace control.
Biometric data is personal data received after a special technical processing action and that is related to person’s physical, physiological or behaviour features according to which person’s identity can be determined or confirmed. In the GDPR, such data is considered as a special category data that is subject to stricter requirements.
According to the SDPI, the companies that intend to process biometric data have a legal obligation to perform a data protection impact assessment (DPIA). It is important to determine whether there is a ground to process such personal data, and to assess possible risks as well as what safety measures are going to be sufficient to lower such risks. After having performed the investigations, the Inspectorate has ordered the companies to remove the breaches. One of the companies was ordered to stop the processing of persons’ fingerprints until the DPIA is performed and compliance with the GDPR is ensured. The SDPI ordered two companies to terminate the processing of employees’ fingerprints. All three companies were ordered to ensure the technical and organizational data safety measures.
The Inspectorate indicates these crucial safety measures that are a must when processing biometric data:
•    The information safety management of the organization has to be set in a detailed manner, e.g. the information safety has to be guaranteed, the responsibilities and roles of the employees as well as control policy of the data accessibility have to be clearly defined and documented;
•    The technical, software and network equipment has to be inventoried and renewed;
•    The basic procedures to be followed upon an incident or personal data safety breach have to be set;
•    The ability for the employees to process the information in a confidential manner has to be ensured.

5.    Reverse charge value added tax will be applicable for the new electronic goods

The Government of Lithuania has supplemented the Description of the cases where value added tax on goods and services provided is deducted and paid by the buyer. It stipulates that as of 1st August 2019 such reverse charge VAT mechanism will apply to new goods: hard drives (until 28 February 2022) and mobile phones, tablets and laptops (until 30 June 2022).
The State Tax Inspectorate recalls that the reverse charge VAT mechanism to the goods specified in the Description is applicable only if the buyer is a person registered as a VAT payer in Lithuania (except budgetary institutions). However, if a description of the goods / services listed above is issued to the purchaser of a cash register and a VAT invoice is issued, the obligation to pay VAT to the budget, irrespective of the status of the buyer, remains with the seller (the reverse charge mechanism is not applicable).
According to the Minister of Finance V. Šapoka, the application of the reverse VAT mechanism is an effective way to fight the shadow economy. It is applicable in exceptional cases. In order for Lithuania to have such an opportunity, the European Commission was approached.
At present, almost half of the EU Member States apply reverse VAT in the sale of mobile phones, computers, game consoles and similar electronic devices. Member States apply reverse VAT in the electronics trade to curb VAT embezzlement.

6.    Following the adoption of amendments to the law, private companies will be able to manage municipal heat only on a concession basis

On 8 May 2019, the Government of the Republic of Lithuania approved amendments to the Law on Heat Sector of the Republic of Lithuania prepared by the Ministry of Energy, which establish that municipalities, when transferring management of heat farms to a private entity, would do so only by concluding concession contracts. In this way, the possibility of transferring heat management under different contracts (e.g. lease) between municipalities and private entities is eliminated.
These changes will make it possible to choose the heat consignee in a more transparent way and, with the conclusion of contracts with them, to properly control and supervise how these farms are managed.
Municipalities will have to comply with the Law on Concessions and take into account the strategic directions, goals, objectives and implementation measures set out in the National Energy Independence Strategy and the National Heat Development Program when planning concessions for the transfer of heat management and preparing all the necessary documents. After the Government has approved the amendments to the Law on Heat Sector of the Republic of Lithuania, they will come into force from 1st of January in 2020.

7.    Amendments to the Law on Prohibition of Unfair Activities of Retail Businesses

The Government adopted amendments and supplemented the Law on Prohibition of Unfair Practices of Retail Businesses by extending the list of prohibited unfair practices provided for in this Law. The amendments to this law also extended the powers of the Competition Council to give it more rights in the investigation.
The list of banned unfair practices so far has been supplemented by a ban on requiring suppliers to provide commercial discounts or any other remuneration, unless otherwise agreed in writing, by e-mail, by post or other electronic means. Likewise, the law amendment prohibits retailers from applying negative measures to suppliers who have approached the Competition Council or a court for unfair practices.
Amendments to the law also extend the maximum duration of investigation to 18 months and the rights of the Competition Council to investigate violations and gather evidence. Amendments to the Act will come into force on 7th of July, 2019.


This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full terms and conditions on our website.

