In 2022, for the first time, the SDPI (Valstybinė duomenų apsaugos inspekcija) received fewer complaints than in the previous year (1164 in 2021, and 889 in 2022). Most resolved complaints have to do with exercising the rights of the data subject, video surveillance, direct marketing, and collection of personal data.
Infringements in the year 2022 had to do by far the most with loss of confidentiality (269 cases), followed by loss of accessibility (21) and loss of integrity (19).
Only 27 cases throughout the year were resolved by the parties coming to an understanding themselves.
Decision concerning the implementation of the right of access to data
The SDPI found that a data controller was not suitably carrying out the subject’s right of access to data when the controller refused to provide copies of transcripts from recordings of phone calls with the subject’s employee. The controller argued that providing such data would infringe the employee’s (other person’s) rights.
Decision concerning breach of confidentiality
The SDPI found that confidentiality was breached when a malicious file was uploaded to an online store by accessing an IT company employee’s account details. According to the SDPI, the incident occurred due to inadequate organisational and technical security measures, which amounts to a breach of the GDPR by the IT company.
What businesses should know:
- If the SDPI finds a serious violation of the GDPR, it can continue investigating the data controller, despite the parties coming to a peaceful understanding.
- It is mandatory to have a legal basis for refusing a subject’s request to access data.
- It is worth analysing whether your business has appropriate organisational and technical security measures, to reduce the risk of fines in case of a breach of personal data security.