We are happy to present you brief overview on GDPR application in three Baltic states in the last year. Overview is given on the activities of data protection authorities, enterprises and data subjects.
Lithuania
State Data Protection Inspectorate on the application of GDPR
State Data Protection Inspectorate (SDPI) of the Republic of Lithuania has published useful information concerning application of GDPR in the Republic of Lithuania over the last half a year of application of General Data Protection Regulation (GDPR).
According to the published information, Lithuanian SDPI has not imposed any fines under the GDPR yet, nevertheless, the SDPI has carried out 19 inspections of the organizations on its own initiative. It turns out that in 18 cases breaches of data processing have been identified, thus, the SDPI has provided only instructions to those organizations. The mentioned organizations operate in a food, housekeeping goods, pharmaceuticals trade sectors, and the majority of the breaches have been detected in the field of direct marketing and loyalty programs those companies execute.
In the private sector
Gladly, according to the statistics of the SPDI, more than 700 private and more than 700 representatives of the public sector have notified the SDPI about the designation of the Data Protection Officer. It seems that according to the nature of the activity, the majority of the organizations are state institutions and bodies that are active in the field of financial services, education and culture, health care and law enforcement etc.
Data subjects’ behavior
In addition, starting from 25th of May when the GDPR has come into entry, the number of data subjects’ complaints has grown by almost a half compared to the previous years, i.e. almost 800 complaints have been received during 2018. The data subjects’ complaints were issued mainly regarding illegal processing of personal data for the direct marketing purposes, illegal processing of special category of personal data, illegal video surveillance etc.
Also, the SDPI indicated that over 80 data breach notifications have been received by the authority. The majority of such data breach reports were due to disclosure, loss, theft of personal data and illegal copying of it.
Latvia
State Data Protection Inspectorate on the application of GDPR
Under GDPR regime Data State Inspectorate (DSI) has started 74 violation cases and issued four warnings[1]. No fines have been imposed for GDPR infringements yet[2]. However, 1,400 euro fine has been imposed according to the national Personal Data Protection Law (in force until July of 2018) for submitting to the court non-anonymized printout from the Land Register which included personal data (names, surnames, personal codes) other than litigation parties and was not amended to hide unnecessary information. Such fine outlines the trend of local authorities in imposing fines which are allowed by the GDPR as well.
DSI hasn’t been very active in explanatory work, publishing altogether twenty news entries on its website “news” section since 25 May 2018, seven to nine being instrumental in GDPR application.
In the private sector
Without strong support of the local data protection authority, big businesses mostly already have worked hard to ensure compliance, however in small and medium enterprise sector there is still a lot of work to be done. For businesses compliance is taking a lot of resources and many GDPR provisions are vague and unclear, small businesses struggling even with the most basic aspects of the regulation. Public sector also is still working towards compliance. Out of 119 municipalities, which are under obligation to appoint data protection officer, only 26 have complied[3].
Data subjects’ behavior
DSI has received 1051 complaints under GDPR[4], which shows that data subjects are empowered and use GDPR. Some examples of complaints given by DSI include personal data processing for commercial needs, identity theft, and processing personal data of minors. Data subjects are not always using their rights in good faith and some access requests seen were intended as objections to terms of the service itself, using GDPR as the tool to get concessions from the controller. The question is whether the benefits for citizens outweigh the costs for companies (acting in good faith and with fear of sanctions), who are struggling to process all requests within the legal deadline.
Estonia
State Data Protection Inspectorate on the application of GDPR
Estonian Data Protection Inspectorate (EDPI) has been active in notification work – educating market participants and giving information on GDPR. EDPI is currently still working on updating their guidelines to be GDPR coherent [5]. EDPI has published explanations and general tips on their social media for example on the matter of large scale processing. However, these posts on social media are for guidance and should not be interpreted as the official statements of the EDPI. No big incidents or fines have been issued by the EDPI.
The official statistics on the year 2018 is not yet available. But EDPI has announced in a press release [6] that there has not been more complaints, however, EDPI’s advice line has been ringing a lot more – this year from may till the end of august 960 calls, last year same time only 453 calls. Also, trending have been explanation requests. The general conclusion made by EDPI is that the burning questions have not changed for example questions of processing personal data in work relations and direct marketing. What is new are the questions about data protection officer (DPO) as in Estonia DPO has not been mandatory; questions about data breach notification and transferring personal data outside of the EU.
In the private sector
Estonian businesses have different level of understanding the GDPR and on when or how to take action on it. Meaning, large and larger medium size enterprises have probably gone through at least the GDPR minimum program – looking through their processing activities, updating their privacy policies, putting together data breach incident plans and guidelines. For data intensive companies the work has been more intensive – conducting data protection impact assessments, auditing their data processing and general data protection actions etc.
Data subjects’ behavior
No big change is visible in the activities of data subjects. Holders/owners of bigger data registries have gotten more information requests and requests to delete all information about the data subject. So, typical information, access and removal (deletion) requests.
Authors of this blog post are Julianna Antonova, Arina Stivrina , Goda Sukackaite and Maarja Lehemets.
[1] G. Suhoveckis, G. Feldmanis. LNT News TOP 10. The number of complaints regarding the handling of personal data has considerably increased [TV broadcast].
Available at: https://tvplay.skaties.lv/lnt-zinu-top-10/lnt-zinu-top-10-10297751/.
Viewed on 3 December 2018.
[2] Ibid.
[3] Ibid.
[4] Ibid.
[5] Guidelines available on Data Protection Inspectorate’s homepage.
[6] Press release available in Estonian.
