Changes to the law on protecting personal data – what to expect and how to prepare? 

From 1 July 2024, amendments to the Law on Personal Data Protection of the Republic of Lithuania (the Law) came into force. These amendments not only give the employer the right to ask a candidate or an employee to provide information on criminal records, but also introduce new rules on the public disclosure of decisions of the supervisory authority, the handling of complaints, and other procedural issues.

Do we need to prepare for these changes and, if so, how?

Employers can ask candidates or employees to provide a criminal record certificate

What has changed?

Until 1 July 2024, the law in force provided that the processing of personal data relating to candidates or employees with a criminal record is only possible if the employer has a legal obligation under the law to check their criminal records. For example, this could be the case for employees in certain positions in the financial, education or aviation sectors. This regulation has limited the ability of employers to ask candidates or employees to provide criminal record certificates where the legislation did not require a criminal record for that position, although employers often had a legitimate interest in obtaining such data.

From 1 July 2024, amendments to the Law entered into force, allowing the processing of candidates’ or employees’ personal data relating to criminal convictions also in cases where such data is necessary for the employer’s legitimate interests. This means that the requirement that the employer may only obtain the criminal record data of a candidate or employee in cases provided for in law no longer applies. The employer will now have the right to request such data from the candidate or employee on the grounds of legitimate interest.

What are the steps to be taken?

The Law provides that to process data on convictions and criminal offences in the employment relationship based on legitimate interest, the employer will have to do the following:

• prepare and carry out an assessment of the legitimate interest in processing such personal data and prepare a written report on this assessment. Although such assessment reports are nothing new for employers (they are also provided for in the General Data Protection Regulation (EU) 2016/679 (GDPR) – Article 6(1)(f)), the Law specifies what exactly should be assessed when processing criminal record data. For example, the specificities of particular duties or job functions and the risks that the employer may be exposed to if the functions in question are performed by a person who has been convicted of certain criminal offences, etc., must be taken into account
• adopt and publish on its website a list of the positions (if any)  for which a person is required to have no criminal record. This list shall include the offences for which the person must be free of convictions. That is, the employer must draw up: (1) a list of the positions for which it is a requirement that the employee has no criminal record; and (2) a list of the offences for which the employee must not have been convicted.

The employer will only be entitled to process the criminal record data of a candidate or employee whose intended position or job function is included in the abovementioned list.

Where such a right or obligation is provided for in the Law, it does not mean that all employers acquire such a right in all cases. It is therefore necessary to take into account the important aspects listed below:

Firstly, the employer must be able to justify the objective necessity of processing such data and carrying out the abovementioned actions.

Secondly, the amendment to the Law provides that data on convictions and criminal offences may only be processed if the requirements of the GDPR are met. This means that all the rules and principles set out in the GDPR must be complied with, including the obligation to properly inform data subjects about the processing of their data, to ensure the exercise of their rights, etc.

Thirdly, it will be up to the candidate or employee to provide the employer with information on criminal records. That is, the Law does not give employers the right to themselves contact the authorised authorities and request the provision of data on a person’s criminal record.

Fourthly, the State Data Protection Inspectorate has published “Recommendation on employer processing of criminal record data“. Employers are therefore advised to carefully read the information provided by the inspectorate, which should help them both in deciding on the positions to be subject to the non-conviction requirement and in drafting the abovementioned documents.

Changes to the infringement procedure – what to look out for?

Having taken into account the areas that receive the most complaints from data subjects, the Law strengthens the procedure for complaints to the State Data Protection Inspectorate regarding the lawfulness of video surveillance and the exercise of data subjects’ rights. From 1 July 2024, before lodging a complaint with the State Data Protection Inspectorate, the data subject will be obliged to contact the controller or processor who carries out the video surveillance or is requested to enforce the data subjects’ rights. The data subject will have to provide information about such contact and the (non-)response provided by the controller/processor, together with the complaint to the State Data Protection Inspectorate. Failure to provide such information will entitle the State Data Protection Inspectorate to refuse to examine the complaint.

Other important changes are also foreseen in the Law, but it is particularly important for data controllers and processors to note that the limitation period for the imposition of an administrative fine has been extended from two to three years. The law also introduces the possibility for peaceful resolution of complaints, already promoted in the work of the State Data Protection Inspectorate.

More transparency in the work of supervisory authorities

So far, only a limited amount of information related to decisions taken on data protection breaches has been made public.

The law foresees that from 1 January 2025, the data protection supervisory authorities – the State Data Protection Inspectorate and the Inspector of Journalist Ethics – will be obliged to make their decisions on infringement proceedings publicly available on their website no later than five working days after the date of adoption of the decision, in accordance with the requirements for protecting information protected by law. Decisions will be public for 10 years.

This forced openness of information can be viewed in two ways. On the one hand, greater publicity will allow controllers, processors and subjects to better understand the trends of the regulator and to plan data protection compliance within their organisations accordingly. On the other hand, however, a breach committed by a controller will be made public, which, depending on the amount of information published, may have an impact on the reputation of those individuals.

Questions? Our Data Protection and Employment teams are here to help.