Lithuania Data Privacy Laws: GDPR Implementation Guide (2026)

Lithuania has established itself as an active GDPR enforcer among the Baltic states, with the landmark Vinted fine demonstrating that the State Data Protection Inspectorate is willing to impose substantial penalties on major technology companies. The country's approach combines systematic enforcement with practical guidance that reflects the real-world challenges organizations face in achieving compliance.
This guide covers Lithuania's complete data protection framework, from the legal foundations through enforcement trends and practical compliance considerations.
Legal Framework and GDPR Implementation
Lithuania's data protection system operates under the GDPR as supplemented by the Law on Legal Protection of Personal Data, which entered into force on 16 July 2018. This legislation was adopted relatively quickly after the GDPR became applicable, making Lithuania one of the earlier EU member states to finalize implementing legislation.

The law addresses areas where the GDPR permits or requires national provisions, including the organizational framework and powers of the State Data Protection Inspectorate (VDAI), rules for processing personal identification codes, provisions for data processing in the context of employment, exemptions for journalistic and academic processing, and the transposition of the Law Enforcement Directive.
Constitutional Foundation
The Lithuanian Constitution provides the foundation for data protection through Article 22, which guarantees that the private life of a person shall be inviolable, that personal correspondence, telephone conversations, telegraph messages, and other communications shall be inviolable, and that information concerning the private life of a person may be collected only upon a justified court decision and only in accordance with the law.
The VDAI: Lithuania's Data Protection Authority
The State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija, or VDAI) is Lithuania's independent supervisory authority for data protection. Based in Vilnius, the VDAI oversees compliance with the GDPR and national data protection legislation across both public and private sectors.
The VDAI is headed by a Director appointed by the Lithuanian Parliament. The authority handles complaints, conducts investigations, provides guidance to organizations, and imposes sanctions for non-compliance.
Powers and Functions
The VDAI holds the standard range of GDPR supervisory and enforcement powers. It can investigate complaints and conduct inspections on its own initiative, issue warnings and reprimands, order controllers and processors to bring operations into compliance, impose temporary or permanent processing bans, and levy administrative fines.
The authority also publishes decisions, including fines and orders, on its website, providing transparency about its enforcement activities.
The Dual Supervisory Structure
Lithuania has a unique arrangement where the Inspector of Journalist Ethics shares certain supervisory responsibilities with the VDAI. When personal data processing relates to journalistic purposes or academic, artistic, or literary expression, the Inspector of Journalist Ethics holds rights and obligations similar to those of the VDAI and cooperates with the Inspectorate to ensure compliance.
This dual structure reflects Lithuania's approach to balancing data protection with freedom of expression, creating a specialized supervisory path for media and creative activities.
Fines and Penalties
Lithuania follows the GDPR's standard two-tier penalty framework. Fines of up to EUR 10 million or 2% of worldwide annual turnover apply to certain violations, while more serious infringements can attract fines of up to EUR 20 million or 4% of worldwide annual turnover.
Notable Enforcement Actions
Vinted (EUR 2,385,276, 2024): The VDAI's largest fine was imposed on Vinted, the Lithuanian online second-hand clothing platform. The EUR 2.4 million penalty was levied for infringements of GDPR Articles 5 (principles relating to processing), 5(2) (accountability), 12(1) (transparent information), and 12(4) (failure to act on data subject requests). The case involved the company's handling of user data deletion requests and transparency in data processing practices.
Online Second-Hand Platform (2025): The VDAI fined a company operating an online second-hand clothing trading platform for GDPR violations, continuing its focus on e-commerce platform compliance.
Sports Club Biometric Data (2021): A sports club was fined EUR 20,000 for unlawful processing of clients' biometric data, demonstrating that the VDAI enforces biometric data requirements even against smaller organizations.
Earlier Enforcement Pattern (2019-2021): During this period, the VDAI issued approximately 57 fines for GDPR violations, with amounts ranging from EUR 3,000 to EUR 61,500, establishing a pattern of consistent but measured enforcement.
Data Breach Trends in Lithuania
The VDAI has provided valuable insights into the nature of data breaches reported in Lithuania. According to 2025 findings, 57% of reported breaches in Lithuania resulted from employee errors rather than malicious attacks or system failures.
The most common breach types include emails sent to wrong recipients, lost laptops or mobile devices, and files left accessible without proper security controls. These findings highlight that human error remains the primary data protection risk for most Lithuanian organizations.
In response, the VDAI published guidance in 2025 clarifying what does not constitute a personal data breach, providing examples such as unopened misdelivered mail and records concerning deceased persons. This practical guidance helps organizations distinguish between incidents that require formal breach notification and those that do not.
Personal Identification Code
Lithuania's personal identification code (asmens kodas) is used as a primary identifier across government and private sector systems. The Law on Legal Protection of Personal Data establishes specific restrictions on how this identifier may be processed, reflecting the elevated privacy risks associated with universal identifiers.
Organizations may only process personal identification codes when it is necessary for the purposes for which the data is collected and when there is a legal basis for such processing. The VDAI has issued guidance emphasizing that routine collection of personal identification codes should be avoided when alternative identification methods are available.
Employment Data Processing
Lithuania's data protection framework includes provisions specific to the employment context. Employers must have a valid legal basis for processing employee personal data, and the scope of processing must be limited to what is necessary for the employment relationship.
The VDAI has addressed workplace monitoring in its guidance, establishing that employee surveillance must be proportionate, transparent, and based on a legitimate purpose. Employees must be informed about monitoring practices before they are implemented.
Age of Digital Consent
Lithuania set the age of digital consent at 14 years old. Children aged 14 and older can independently consent to information society services. Children under 14 require parental authorization.
Data Breach Notification
Standard GDPR breach notification requirements apply in Lithuania. Controllers must notify the VDAI within 72 hours of becoming aware of a personal data breach that poses a risk to individuals' rights and freedoms. The VDAI provides notification procedures and guidance on its official website.
International Data Transfers
Lithuania follows the standard GDPR framework for international data transfers. Transfers outside the EEA require an adequacy decision, appropriate safeguards, or applicable derogations.
E-Commerce and Platform Compliance
The Vinted fine signals the VDAI's focus on technology platforms and e-commerce companies, which is particularly relevant given Lithuania's growing fintech and technology sector. Vilnius has become a significant hub for European technology companies, and the VDAI's enforcement activity reflects the data protection challenges that come with this growth.
Platform operators should pay particular attention to data deletion request handling, transparency in privacy notices, and accountability documentation. The Vinted case specifically targeted failures in these areas.
Practical Compliance Tips
Organizations in Lithuania should invest in employee training to reduce the human error that drives the majority of data breaches. Implement technical controls such as email delay features that allow recipients to be verified before messages are sent, device encryption for all mobile devices and laptops, and access controls that limit file visibility to authorized personnel.
E-commerce platforms and technology companies operating from Lithuania should review their data subject request handling procedures. The Vinted fine shows that the VDAI will impose significant penalties for failures in transparency and responsiveness to user requests.
Ensure that any biometric data processing has a proper legal basis and has been assessed for necessity and proportionality. The sports club case shows the VDAI will enforce biometric data requirements across all organization sizes.
Take advantage of the VDAI's published guidance, particularly the 2025 clarifications on what constitutes (and does not constitute) a personal data breach. This guidance can help organizations avoid unnecessary breach notifications while ensuring that genuine breaches are properly reported.
Disclaimer: This article provides general information about Lithuania's data privacy laws and is not legal advice. Data protection laws change frequently. Consult a qualified attorney licensed in Lithuania for guidance on your specific situation.
Sources and References
- VDAI official website (vdai.lrv.lt)
- VDAI legislation (vdai.lrv.lt)
- VDAI decisions (vdai.lrv.lt)
- Compliance Week, Vinted fine (complianceweek.com)
- DLA Piper, Data Protection Laws of the World: Lithuania (dlapiperdataprotection.com)
- GDPRhub, VDAI (gdprhub.eu)