Lithuania Data Privacy Laws: GDPR, VDAI Enforcement & Compliance Guide (2026)

Lithuania enforces data privacy through the EU General Data Protection Regulation and the national Law on Legal Protection of Personal Data, amended 16 July 2018. The State Data Protection Inspectorate (VDAI) holds full enforcement powers, including fines up to EUR 20 million, and imposed a record EUR 2,385,276 on Vinted in July 2024.
Lithuania sits at the intersection of the Baltic tech economy and EU data protection law. Vilnius is the EU's largest fintech hub, home to over 280 firms serving 30 million customers across Europe, and that concentration of data-intensive businesses means the State Data Protection Inspectorate (VDAI) operates in a high-stakes enforcement environment.
The VDAI proved it is willing to act. The EUR 2.4 million fine against Vinted in 2024 was the largest in the authority's history and one of the most closely watched GDPR enforcement actions in the Baltic region. It also triggered a 15% year-over-year rise in complaint filings, signaling that Lithuanian data subjects are paying attention.
This guide covers Lithuania's complete data protection regime, from its constitutional roots through the national implementing law, the supervisory structure, data subject rights, cross-border transfer rules, the EU AI Act overlay, and the enforcement record that gives all of this its practical weight.
Quick Answer
Lithuania's data protection law is the EU General Data Protection Regulation, applied directly since 25 May 2018, supplemented by the national Law on Legal Protection of Personal Data (as amended 16 July 2018). The law's constitutional anchor is Article 22 of the Lithuanian Constitution. The supervisory authority is the VDAI. The largest fine in Lithuanian enforcement history is EUR 2,385,276 (Vinted, 2024). Data controllers must notify the VDAI of breaches within 72 hours. The digital consent age is 14. Lithuania has also been an early mover on EU AI Act governance, designating the Communications Regulatory Authority (RRT) as AI market surveillance authority ahead of the August 2025 EU deadline.

Constitutional Foundation
The Lithuanian Constitution adopted on 25 October 1992 provides the fundamental legal basis for privacy protection. Article 22 states that the private life of a human being shall be inviolable and that the law and courts shall protect against arbitrary or unlawful interference in private and family life and from encroachment upon honour and dignity. The article specifies that personal correspondence, telephone conversations, telegraph messages, and other forms of communication are inviolable.
Article 22 also establishes when privacy can be limited: information concerning the private life of a person may be collected only upon a justified court decision and only in accordance with the law. This formulation reflects Lithuania's post-Soviet legal tradition, in which constitutional limits on state surveillance were a deliberate rejection of Soviet-era practices.
The constitutional protection extends beyond government actors. Lithuanian courts have interpreted Article 22 as creating obligations that private entities must also respect when they process personal data about citizens, providing a rights-based foundation that reinforces the statutory GDPR framework.

Legal Framework: GDPR and the National Implementing Law
Lithuania's data protection system operates on two levels. The GDPR applies directly as EU law across all member states. Below it, the Law on Legal Protection of Personal Data addresses the areas where the GDPR permits or requires national provisions.
The national law was amended on 16 July 2018 to align with GDPR requirements. It addresses several areas where Lithuania exercised the discretion the GDPR grants member states:
Supervisory authority structure. The law establishes the VDAI's organizational framework, appointment procedures, independence guarantees, and funding mechanisms.
Personal identification codes. The Lithuanian personal identification code (asmens kodas) receives specific restrictions under the national law. Controllers may process it only when collection is necessary for the stated purpose and a valid legal basis exists. The VDAI has consistently emphasized that routine collection should be avoided when alternative identification methods are adequate.
Employment data. The national law supplements GDPR employment data rules with requirements specific to the Lithuanian workplace, including written notice obligations for employee monitoring.
Journalistic and creative exemptions. Lithuania created a unique dual supervisory structure to balance data protection with freedom of expression for journalistic, academic, artistic, and literary processing.
Criminal record data. From 1 July 2024, employers may process candidates' and employees' criminal conviction data not only when required by law but also when necessary for the employer's legitimate interests, provided those interests do not override individual rights. Employers must document a legitimate interest assessment and publish a list of positions for which a clean criminal record is required.
Age of digital consent. Lithuania fixed the age at 14, exercising the GDPR option to lower the default from 16.
Law Enforcement Directive. The national law also transposes Directive 2016/680, which governs data processing by competent authorities for law enforcement purposes, establishing a parallel framework for criminal justice data.

The VDAI: Lithuania's Supervisory Authority
The State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija, VDAI) is Lithuania's independent data protection supervisory authority, based in Vilnius. Its Director is appointed by the Seimas (Lithuanian Parliament), a structural choice designed to insulate the authority from executive branch influence.
The VDAI oversees compliance with the GDPR and the national data protection law across both public and private sectors. It represents Lithuania on the European Data Protection Board (EDPB), participating in the EU's cooperative governance structure for cross-border cases.
Powers and Functions
The VDAI holds the full range of GDPR supervisory and enforcement powers. On the investigative side, it can receive and investigate complaints, conduct inspections on its own initiative, request information from controllers and processors, and obtain access to premises and data. On the corrective side, it can issue warnings and reprimands, order operations brought into compliance, impose temporary or permanent processing bans, and levy administrative fines.
The VDAI publishes its enforcement decisions, including the reasoning behind fines and orders, providing public transparency about its enforcement priorities. The authority also performs an advisory function, issuing guidance documents and providing practical clarifications that help organizations understand their duties before enforcement becomes necessary.
The Dual Supervisory Structure
Lithuania has a unique arrangement where the Inspector of Journalist Ethics shares certain supervisory responsibilities with the VDAI. When personal data processing relates to journalistic purposes or to academic, artistic, or literary expression, the Inspector of Journalist Ethics holds rights and obligations comparable to those of the VDAI and cooperates with the Inspectorate to ensure GDPR compliance.
This dual structure reflects a deliberate policy choice to place media-related processing oversight in the hands of an authority with specific expertise in press freedom, rather than requiring the VDAI to develop that expertise independently.
Legal Bases for Processing
Processing personal data in Lithuania is lawful only if it rests on one of the GDPR's six legal bases:
Consent. Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes do not constitute valid consent. Consent cannot be made a condition of receiving a service when the processing is not necessary for that service. Data subjects must be able to withdraw consent at any time, and withdrawal must be as easy as giving it.
Contract performance. Processing is lawful when necessary to fulfill a contract with the data subject or to take pre-contractual steps at the data subject's request.
Legal obligation. Controllers subject to a legal obligation to process certain data may process on this basis.
Vital interests. Processing necessary to protect the life of the data subject or another person is lawful, but this basis applies only where no other basis is available.
Public task. Public authorities and bodies processing data in the exercise of official authority rely on this basis, which requires a clear statutory foundation.
Legitimate interests. Controllers may process data when necessary for their legitimate interests or those of a third party, unless those interests are overridden by the data subject's fundamental rights and freedoms. This is the most flexible basis but requires a documented balancing test. Controllers must inform data subjects of the specific legitimate interest pursued, and data subjects have the right to object.
Special category data (racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, and data concerning sex life or sexual orientation) requires explicit consent or one of the narrower bases in GDPR Article 9(2).
Data Subject Rights
Individuals in Lithuania hold the full suite of GDPR rights, enforceable against both public bodies and private organizations:
Right of access. Data subjects may request a copy of their personal data and information about how it is processed. Controllers must respond free of charge; only where a request is manifestly unfounded or excessive may they charge a reasonable fee or refuse to act on it.
Right to rectification. Inaccurate personal data must be corrected without undue delay.
Right to erasure. Data subjects may request deletion when consent is withdrawn, when data is no longer necessary for the purpose it was collected, when they object and no overriding legitimate grounds exist, or when processing is otherwise unlawful.
Right to restriction. Subjects may request restricted processing during the period a controller verifies accuracy, when processing is unlawful, or when the subject has objected and verification of the controller's grounds is pending.
Right to data portability. Where processing is based on consent or contract and carried out by automated means, data subjects may receive their data in a machine-readable format and transmit it to another controller.
Right to object. Data subjects may object at any time to processing based on legitimate interests or public task, including profiling. They may also object to direct marketing at any time without restriction.
Rights related to automated decision-making. Individuals may request not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
Right to complain. Data subjects may submit complaints to the VDAI or seek judicial remedy. Lithuanian law also permits data subjects to mandate non-profit organizations to exercise these rights on their behalf.
Controllers must respond to data subject requests within one month, extendable to three months for complex or numerous requests with notice to the data subject.
Data Protection Officers
DPO appointment is mandatory under Article 37 GDPR in three situations: where the controller is a public authority or body; where core activities consist of regular and systematic monitoring of data subjects on a large scale; or where core activities consist of large-scale processing of special category data.
Lithuania applies GDPR Article 37 without additional national extensions. Organizations may voluntarily appoint a DPO, and where they do, the full GDPR DPO framework applies as if appointment were mandatory.
DPOs must have expert knowledge of data protection law and practice, must be provided with resources necessary to carry out their tasks, must be accessible to data subjects, and must report to the highest level of management. They cannot be dismissed or penalized for performing their DPO functions.
Controllers and processors must notify the VDAI of the DPO's contact details and publish those details so that data subjects can contact the DPO directly. The VDAI has issued warnings in cases involving inadequate DPO arrangements, particularly in the healthcare and public administration sectors.
Consent and the Age of Digital Consent
Lithuania fixed the age of digital consent at 14, lower than the GDPR default of 16. Children aged 14 and older may independently consent to information society services such as social media platforms, online gaming services, and apps. Children under 14 require verifiable parental or guardian authorization.
Consent in Lithuania follows strict standards regardless of age. Controllers may not use consent as a basis where there is a clear imbalance of power, such as in many employment relationships, because consent in that context may not be genuinely freely given. The VDAI has indicated in guidance that employment consent should not be relied upon for processing that is not clearly beneficial to the employee or genuinely optional.
Breach Notification
Standard GDPR breach notification requirements apply. Controllers must notify the VDAI within 72 hours of becoming aware of a personal data breach that poses a risk to individuals' rights and freedoms. Where notification cannot be made within 72 hours, the initial notification must include reasons for the delay.
Where a breach is likely to result in high risk to data subjects, those individuals must also be notified directly without undue delay, using clear and plain language.
In 2025, the VDAI published practical clarifications on what does not constitute a personal data breach, with examples including unopened misdelivered mail and records concerning deceased persons. This guidance helps organizations avoid unnecessary notifications while ensuring genuine breaches are captured.
2024 Breach Statistics
The VDAI received 273 reports of personal data security breaches in 2024, compared to 254 in 2023. The number of affected data subjects nearly tripled, rising from 571,833 in 2023 to 1,467,368 in 2024.
Confidentiality breaches accounted for 87% of all cases. Integrity breaches and accessibility breaches each accounted for 6%. Human error caused 52% of breaches. Cyber incidents were responsible for 49% of affected data subjects (712,881 individuals), while breaches from other factors affected 51% (754,487 individuals).
Notification timeliness remains a challenge: 79% of controllers reported breaches within the 72-hour window in 2024, while 21% filed late.
Cross-Border Data Transfers
Lithuania, as an EU member state, is part of the European Economic Area. Transfers between Lithuania and other EEA countries require no additional safeguards. The GDPR governs all transfers to countries outside the EEA.
Transfers to third countries are lawful on one of three foundations:
Adequacy decisions. The European Commission has determined that a number of countries provide adequate protection, including the United Kingdom, Japan, South Korea, Switzerland, Israel, and Canada (for commercial organizations). Transfers to these countries may proceed without additional safeguards.
Appropriate safeguards. Where no adequacy decision exists, controllers may use Standard Contractual Clauses adopted by the European Commission, Binding Corporate Rules approved by a supervisory authority, approved codes of conduct, or certification mechanisms.
Derogations. In limited circumstances, transfers may occur based on explicit consent, contract necessity, vital interests, or public interest. These derogations are narrow and cannot serve as a routine basis for ongoing transfers.
Following the Court of Justice's Schrems II judgment, controllers must also conduct transfer impact assessments (TIAs) to verify that third-country legal protections do not undermine the SCCs or other safeguards in practice. The VDAI reviews certain transfer arrangements and can authorize specific derogations within 20 working days of receiving complete documentation.
EU AI Act Overlay
The EU AI Act entered into force on 1 August 2024 and is phasing in across member states. It creates a horizontal framework for AI systems that operates alongside, not instead of, the GDPR. The two regimes interact at multiple points.
Where a high-risk AI system processes personal data, its conformity declaration under Article 47 of the AI Act must include a statement of GDPR compliance. In Lithuania, AI systems used for consequential decisions about individuals, such as credit scoring, recruitment screening, or biometric identification, must satisfy both AI Act conformity requirements and GDPR lawfulness requirements simultaneously.
Lithuania was among the first EU member states to complete its AI Act governance designation. The Communications Regulatory Authority (RRT) has been appointed as both the national competent authority and the single point of contact for AI Act purposes, completing this step ahead of the EU's August 2025 deadline. Lithuania's Innovation Agency is also establishing an AI regulatory sandbox where businesses can receive expert compliance guidance before market deployment.
The VDAI retains its GDPR enforcement authority. For AI systems that process personal data, controllers face oversight from both the RRT (AI Act product compliance) and the VDAI (data protection compliance). Organizations building or deploying AI in Lithuania should map their compliance obligations against both frameworks from the outset.
The Data Act (effective 12 September 2025) and the Data Governance Act add further layers for certain data-sharing and data intermediary activities. Lithuanian organizations operating across these frameworks should assess which instruments apply to their data flows.
Penalties and Enforcement
Lithuania follows the GDPR's two-tier penalty framework. The lower tier imposes fines of up to EUR 10 million or 2% of worldwide annual turnover for processor obligation violations, technical requirement failures, breach notification failures, and DPO requirement violations. The upper tier imposes fines of up to EUR 20 million or 4% of worldwide annual turnover for violations of fundamental processing principles, data subject rights, and lawful basis requirements.
VDAI Enforcement Record
The VDAI's enforcement posture evolved significantly over the years since GDPR's application. Early enforcement from 2019 to 2021 produced approximately 57 fines, with amounts ranging from EUR 3,000 to EUR 61,500. In 2023, the authority issued 13 fines totaling EUR 64,060 along with 127 compliance orders and 97 reprimands.
In 2024, the enforcement profile changed sharply. The VDAI issued 13 administrative fines totaling EUR 2,423,971. The highest fine was EUR 2,385,276 and the lowest was EUR 231. The Vinted penalty alone accounted for more than 98% of the year's total fine value.
Vinted (EUR 2,385,276, July 2024). The VDAI's largest fine was imposed on Vinted UAB, the Lithuanian online second-hand clothing platform. The investigation found violations of GDPR Articles 5(1)(a) (lawfulness, fairness, and transparency), 5(2) (accountability), 12(1) (transparent information and communication), and 12(4) (failure to act on data subject requests). The case centered on Vinted's practice of shadow-blocking: the platform appeared to process erasure requests while actually continuing to process the user's data. The VDAI found the company's transparency disclosures inadequate and its accountability documentation insufficient.
CityBee (EUR 110,000, November 2021). The VDAI fined UAB Prime Leasing, operator of the car-sharing platform CityBee, following a February 2021 incident in which customer data appeared in CSV files on an external forum. Investigation revealed the data had been exposed since February 2018 in an unencrypted database backup file. The fine addressed violations of GDPR Article 32(1)(a), (b), and (d), covering security of processing. The case required coordination with supervisory authorities from 18 other EU member states because the breach affected citizens across the EU.
Sports club biometric data (EUR 20,000, 2021). A sports club was fined for unlawfully processing clients' biometric data without a proper legal basis, demonstrating that the VDAI enforces biometric data requirements regardless of organization size.
Online second-hand platform (2025). The VDAI fined a company operating an online second-hand trading and exchange platform for GDPR violations, continuing its focus on e-commerce platform accountability.
Complaint Trends
The VDAI received 1,408 complaints in 2024, up from 1,230 in 2023 (approximately 15% growth). In 2024, the authority also conducted 16 inspections and 10 monitoring actions across private and public sector entities.
Employment Data Processing
Lithuania's national law supplements the GDPR with specific employment data provisions. Employers must have a valid GDPR legal basis for all employee personal data processing, and the scope of processing must not exceed what is necessary for the employment relationship.
Employee monitoring is subject to additional requirements. When employers process data linked to monitoring employees' behavior, location, or movement, those employees must be informed in writing or through another documented means before monitoring begins. Biometric data used for access control or attendance tracking requires a higher standard of justification.
Consent is generally not a reliable basis for employment data processing where a meaningful power imbalance exists between employer and employee. The VDAI has indicated that reliance on consent should be treated with caution in employment contexts.
From 1 July 2024, employers gained an additional basis for processing criminal conviction data: legitimate interests, subject to a documented balancing assessment and publication of positions requiring a clean criminal record.
Personal Identification Code
The Lithuanian personal identification code (asmens kodas) functions as a universal identifier across government and private sector systems. The national data protection law restricts its processing more tightly than ordinary personal data. Controllers may process it only when necessary for the collection's stated purpose and when a valid legal basis exists.
The VDAI recommends that organizations avoid routinely collecting the personal identification code when a less invasive identification method would suffice. Failure to comply with these restrictions has been a recurring subject in VDAI complaints and inspections.
Recent Developments (2024 to 2026)
Vinted fine and transparency enforcement (July 2024). The EUR 2.4 million fine against Vinted marked a turning point in Lithuanian enforcement, signaling that the authority is prepared to impose major penalties for failures in data subject rights and transparency, not only for data breach cases.
Criminal record data amendment (July 2024). The Law on Legal Protection of Personal Data was amended to allow employers to process criminal background data via legitimate interests, replacing the prior approach that limited such processing to legally mandated cases only.
VDAI breach guidance (2025). The VDAI published practical guidance on what does not constitute a personal data breach, providing clarity that helps organizations distinguish reportable incidents from ordinary data handling errors.
EU AI Act governance designation (2024 to 2025). Lithuania designated the Communications Regulatory Authority (RRT) as its AI Act national competent authority and market surveillance authority, becoming one of the first EU member states to complete this step ahead of the August 2025 EU deadline.
Complaint volume growth (2024). Complaints to the VDAI rose approximately 15%, reaching 1,408 in 2024, driven in part by increased public awareness following the Vinted case.
Data Act and Data Governance Act. As these EU instruments phase in during 2025 and beyond, Lithuanian organizations must assess whether their data-sharing and data intermediary activities fall within their scope.
Business Compliance Considerations
Organizations doing business in Lithuania or processing Lithuanian residents' personal data face obligations across several dimensions.
Technical and organizational measures. Controllers must implement security measures appropriate to the nature and sensitivity of the data they process. Encryption, access controls, and data minimization are baseline expectations. The VDAI's breach statistics show that human error remains the dominant risk: email misdirection, lost devices, and inadequately secured files account for the majority of reported breaches.
Data subject request handling. The Vinted case makes clear that the VDAI treats failures in data subject request handling as serious GDPR violations. Organizations should implement documented procedures for receiving, tracking, and responding to access, erasure, portability, and objection requests within the one-month statutory period.
E-commerce and platform operators. Technology companies and platforms operating from Lithuania are a priority enforcement target. Privacy notices must accurately describe data processing, consent mechanisms must meet GDPR standards, and deletion workflows must genuinely remove data rather than shadow-block requests.
Employee training. Human error causes the majority of Lithuanian data breaches. Systematic training on email handling, device security, and social engineering recognition reduces breach frequency and demonstrates to the VDAI that the organization takes a proactive compliance posture.
DPO appointment and registration. Public authorities and organizations meeting the Article 37 thresholds must appoint a DPO and register contact details with the VDAI. Voluntary appointment is encouraged for organizations that handle personal data as a significant element of their activities.
International transfers. Organizations transferring data outside the EEA must document their transfer mechanisms. Reliance on SCCs alone is not sufficient following Schrems II; controllers must conduct and document transfer impact assessments.
AI and data interactions. For organizations developing or deploying AI systems that process personal data, both the VDAI (GDPR) and the RRT (AI Act) may exercise oversight. Building compliance programs that address both frameworks simultaneously reduces the risk of gaps.
The EU data privacy laws page covers the overarching GDPR framework that underlies Lithuania's national implementation.
Disclaimer: This article provides general legal information about Lithuania's data privacy laws and is not legal advice. Data protection law changes frequently. Consult a qualified attorney licensed in Lithuania for guidance on your specific situation.
Frequently Asked Questions
What is Lithuania's main data protection law?
Lithuania's data protection regime rests on two instruments. The EU General Data Protection Regulation (GDPR) applies directly as EU law. The national Law on Legal Protection of Personal Data, amended on 16 July 2018, supplements the GDPR with provisions on the supervisory authority, personal identification codes, employment data, journalistic exemptions, and the digital consent age of 14.
What is the VDAI and what does it do?
The State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija, VDAI) is Lithuania's independent data protection supervisory authority, based in Vilnius. The VDAI investigates complaints, conducts inspections, issues guidance, and imposes administrative fines for GDPR violations. It also represents Lithuania on the European Data Protection Board. Its Director is appointed by the Lithuanian Parliament (Seimas).
What was the largest GDPR fine in Lithuania?
The largest GDPR fine in Lithuania was EUR 2,385,276, imposed on Vinted UAB in July 2024. The VDAI found that Vinted was shadow-blocking users who submitted erasure requests while appearing to process those requests, and that the company's transparency disclosures were inadequate. The fine addressed violations of GDPR Articles 5(1)(a), 5(2), 12(1), and 12(4).
What is the age of digital consent in Lithuania?
Lithuania set the digital consent age at 14. Children aged 14 and older may independently consent to information society services such as social media and apps. Children under 14 require verifiable parental or guardian authorization. This is below the GDPR default of 16, which Lithuania reduced using the discretion the GDPR grants member states.
What are Lithuania's data breach notification requirements?
Controllers must notify the VDAI within 72 hours of becoming aware of a personal data breach that poses a risk to individuals' rights and freedoms. If the breach is likely to result in high risk to data subjects, those individuals must also be notified directly without undue delay. In 2024, the VDAI received 273 breach reports and 21% of controllers filed late.
Does Lithuania have special rules for journalistic data processing?
Yes. Lithuania created a dual supervisory structure in which the Inspector of Journalist Ethics shares oversight responsibilities with the VDAI for data processing connected to journalistic, academic, artistic, or literary purposes. The Inspector cooperates with the VDAI to ensure GDPR compliance while bringing media freedom expertise to the oversight function.
How does the EU AI Act interact with Lithuania's GDPR framework?
The EU AI Act and the GDPR operate as parallel frameworks. For AI systems that process personal data, controllers must satisfy both the AI Act's high-risk system requirements and GDPR lawfulness requirements. Lithuania designated the Communications Regulatory Authority (RRT) as its AI Act national competent authority and market surveillance authority. The VDAI retains its GDPR enforcement authority over personal data in AI systems.
How can personal data be transferred from Lithuania to countries outside the EU?
Transfers from Lithuania to third countries outside the EEA require a legal mechanism: an EU adequacy decision for the destination country, Standard Contractual Clauses, Binding Corporate Rules, approved codes of conduct, or specific derogations. Following the Schrems II judgment, controllers must also conduct transfer impact assessments to verify that third-country legal protections do not undermine the safeguards in practice.