The State Data Protection Inspectorate – personal data protection supervisory authority of the Republic of Lithuania has punished Vilnius City Municipality Administration for infringements of the General Data Protection Regulation. A fine in the amount of EUR 15,000 has been imposed for improperly processed personal data of the parents of an adopted child.

The State Data Protection Inspectorate (hereinafter referred to as the “SDPI”) imposed an administrative fine in the amount of EUR 15,000 on Vilnius City Municipality Administration (hereinafter referred to as the “Municipality Administration”) for infringements of the General Data Protection Regulation (hereinafter referred to as the “GDPR”). The fine was imposed for infringements of Articles 5(1)(d) and 5(1)(f) of the GDPR, i.e. a failure to implement appropriate technical and organisational measures, thus, failing to ensure the accuracy of processed personal data when processing personal data of the parents of the adopted child.

Having carried out an investigation, the SDPI has determined that when filling in an application for education of the adopted child in the Centralised Application Submission and Population Information System (hereinafter referred to as the “IS”) of the Municipality Administration, the applicant indicated his data; nevertheless, according to the agreement between the Municipality Administration and the State Enterprise Centre of Registers providing for that the data in the IS shall be automatically updated on a monthly basis, when the data in the IS was automatically updated, the contact personal data of the applicant was updated and replaced with the contact data (e-mail address) of one of the biological parents of the child available in the Population Register of the Republic of Lithuania (hereinafter referred to as the “Population Register”).

When processing personal data, the Municipality Administration must follow the principle of accuracy which provides for that the data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (Article 5(1)(d) of the GDPR), and the principle of integrity and confidentiality providing for that personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (Article 5(1)(f) of the GDPR).

The SDPI in its decision whereby a fine was imposed on the Municipality Administration has pointed out that, in a particular case, such contact personal data as e-mail address irrespective of whether it is indicated in the Population Register or not and, if such data is indicated in the Population Register, such data may at any time be changed by the person and only the data subject should change it and the data controller should not arbitrarily update the data on the basis of information available at the State Enterprise Centre of Registers. Even more so, in this case, there were no grounds for concluding that after update of data, namely the contact data of the applicant has been obtained from the Population Register, since data was updated not even on the basis of the applicant’s data indicated in the State Enterprise Centre of Registers but on the data of the child although it is not the child but the applicant who is a party to the education agreement. Thus, when processing the e-mail address of the third party (one of the biological parents of the child) as the contact data of the applicant, the Municipality Administration has failed to implement appropriate organisational and technical measures; thus, failing to ensure the principle of accuracy of processed personal data and breached Articles 5(1)(d) and 5(1)(f) of the GDPR.

When deciding on the amount of the administrative fine, the SDPI has considered all circumstances relevant to holding the Municipality Administration liable, for example:

– Although, in the case in question, the infringement committed by the Municipality Administration is attributed to individuals (applicants), it is not accidental and would have occurred for any person in the same circumstances due to the technical and organisational measures improperly applied by the Municipality Administration in processing of personal data;

– Data concerning adoption of the child which is particularly sensitive data and his further education has been disclosed;

– The infringement has been committed through negligence;

– The Municipality Administration repeatedly committed the infringement; in 2019 a reprimand was imposed on the Municipality Administration for a similar infringement (improper implementation of organisational and technical measures failing to ensure the principle of accuracy of personal data when processing personal data of the adopted child in the IS of the Municipality Administration).

When imposing the fine on the Municipality Administration, the amount of the budget of the current year and other comprehensive annual income received last year was also taken into account.

The afore-mentioned decision of the SDPI is not effective and may be appealed against to the court.

For further information, please contact the Lithuanian supervisory authority: ada@ada.lt

https://edpb.europa.eu/news/national-news/2020/lithuanian-dpa-imposes-fine-improperly-processed-personal-data-parents_en