Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


Chapter: 

I. Legal framework

Comprehensive law

The main rules regarding privacy and data protection are defined in the Civil Code of Lithuania, which was enacted in 2000 (the privacy protection provisions have not been amended since) as well as in the Law on Legal Protection of Personal Data (LLPPD).1

Article 2.22 of the Civil Code protects the right to an image. It states "Photograph (or its part) or some other image of a natural person may be reproduced, sold, demonstrated, published and the person may be photographed only with his consent. Such consent after natural person's death may be given by his spouse, parents or children." Consent will not be required where such acts are related to a person's public activities, his/her official post, request of law enforcement agencies, or where a person is photographed in public places. A person's photograph (or its part) produced under the said circumstances, however, may not be demonstrated, reproduced, or sold if those acts were to abase person's honour, dignity or damage his professional reputation. The Civil Code provides that a natural person whose right to an image has been infringed has the right to request the court to oblige the discontinuance of the said acts and redressing of the property and non-pecuniary damage. After a person's death, such a claim may be presented by his spouse, children, and parents.

Article 2.23 of the Civil Code elaborates the ways of protection of the right to privacy embedded in Articles 22 and 24 of the Constitution. It states, "Privacy of a natural person shall be inviolable. Information on person's private life may be made public only with his consent. After person's death the said consent may be given by person's spouse, children and parents. "Public announcement of facts of private life, however truthful they may be, as well as making private correspondence public in violation of law as well as invasion of person's dwelling without his/her consent except as otherwise provided by the law, keeping his/her private life under observation or gathering of information about him/her in violation of law as well as other unlawful acts, infringing the right to privacy shall form the basis for bringing an action for non-pecuniary damage incurred by the said acts.

According to Article 2.24(6) of the Civil Code, the author's liability is waived when the data falls short of reality, if publicised data is about a public person, or his or her state or social activities, and the author publicised the data in good faith in order to acquaint society with that person.2 The Supreme Court interpreted Article 2.24(6) of the Civil Code noting that the author of misleading, incomplete, or incorrect information about a public person is released from liability for the act of publishing the material, but the author is not released from a duty to correct the information, should it degrade the honour and dignity of the public person.3

Lithuania's predominant data protection regulation, the Law on Legal Protection of Personal Data,4 was passed in 1996 and has since been amended multiple times, most recently on 1 January 2009. Its passage was mainly fostered by Lithuania's political aim to become a member of the European Union; legislative amendments to the LLPPD ensured its compliance with the EU Directive 1995/46/EC on data protection.5 Lithuania has been a full member of the EU since 2004.6

The 2003 amendment radically changed the aim of the LLPPD. The current law seeks "protection of an inviolability of an individual's right to private life with regard to the processing of personal data"7 in comparison with previous wording of the LLPPD, which aimed at balancing individuals' and controllers’ interests. The stated purpose of the LLPPD is to protect the private lives of people by establishing the rights of individuals and regulations for data controllers. It extends to personal information held by both public and private entities. In addition to baseline protections, the LLPPD also includes specific provisions for the processing of personal data in various sectors and for various purposes, including social security, social care, health care, scientific research, direct marketing, statistics, elections, video surveillance, referenda, and citizens' legislative initiatives and telecommunications.

Individuals are entitled to know about the processing of their personal data, have access to that data, familiarise themselves with the processing method, demand rectification or destruction of their personal data and object to the processing of their personal data. These rights are, however, contingent upon several enumerated exceptions, such as national security, law enforcement and important economic or financial interests of the state. In addition to these rights, the data subject who has sustained damage as a result of unlawful processing of personal data, or any other acts or omissions by the data controller, the data processor or any other persons, in violation of the provisions of the LLPPD, shall be entitled to claim compensation for pecuniary and non-pecuniary damage caused to him/her. The extent of pecuniary and non-pecuniary damage is determined by the courts.

The latest amendments of 1 January 2009 introduced some novelties into the Lithuanian personal data protection rules. The main amendments are the following. A new chapter on video surveillance was introduced, including a definition of the concept of video surveillance, and requirements for the installation of video surveillance devices, notification to data subjects, and processing of collected video data.8 The use of personal identification codes was restricted: the amendments prohibit making personal identification numbers public and prohibit the collection and processing of personal identification numbers for direct marketing purposes. The scope of application of the LLPPD was broadened: the amendments provide that Lithuanian branch offices and representative offices of a data controller of EU Member State or another state of the European Economic Area shall be bound by the provisions of the LLPPD applicable to the data controllers. It must be noted that before this amendment, Lithuanian branch offices and representative offices of EU-based companies did not fall within the scope of the LLPPD. More stringent requirements were  placed on data controllers regarding health-related personal data for scientific or medical research: The amendments provide that the State Data Protection Inspectorate must be notified and must carry out prior checking when personal data on a person's health is processed by automatic means, and also when this data is processed for scientific medical research purposes.9 More specific rules were established regarding the processing of personal data by credit institutions for the purposes of evaluating creditworthiness of their clients. Finally, the independence of the State Data Protection Inspectorate was strengthened; the amendments provide for the rights of the data controller to designate a person or unit to be responsible for data protection, which shall notify the State Data Protection Inspectorate about the violations of the LLPPD.10

Personal data can only lawfully be processed if used for predefined purposes such as compliance with a legal obligation or as a necessary adjunct to a commercial transaction. The use must be accurate, fair, lawful, and not excessive in relation to the predefined purpose. Finally, personal data can only be further disclosed under a personal data disclosure contract, specifying the purposes for which the data will be used and the conditions and procedures of its use.

Article 25 of the LLPPD determines that personal data may be processed by automated means subject to notification by the data controller or his representative of the State Data Protection Inspectorate in accordance with the procedure established by the Government of the Republic of Lithuania, except the case where the personal data is possessed for the purposes of internal administration and other cases prescribed by the LLPPD. LLPPD establishes a definition of the internal administration and defines it as an activity which ensures an independent functioning of the data controller (structure administration, personnel management, management and use of materials and finances, and clerical work).

Furthermore, the processing of sensitive personal data requires a special notification form for prior checking. Sensitive personal data are data concerning racial or ethnic origin of a natural person, his political opinions or religious, philosophical or other beliefs, membership in trade unions, and his health, sexual life, and criminal convictions. Article 33 of the LLPPD specifies the circumstances under which prior checking by the State Data Protection Inspectorate of information processing activities is necessary. Prior checking must be carried out where the data controller intends to process sensitive personal data or process public data files by automatic means, where the data controller of state or institutional registers or information systems of state and municipal institutions intends to authorise the data controllers to process personal data and in other cases established by the LLPPD. In addition, the Law on State Registers11 provides for further controls on the use and legitimacy of state data registers that contain personal information, and mandates that data registers may only be erased or destroyed in cooperation with the State Data Protection Inspectorate.

As a complement to the protections described above, in 1998 the Code of Administrative Offences was supplemented with monetary penalties for unlawful personal data processing and unlawful state information systems processing. The violation of personal data protection entails administrative liability.

Article 214(14) of the Code of Administrative Offences provides sanctions for the processing of personal data in violation of the provisions of the LLPPD. The unlawful processing of personal data per se (for instance, the unlawful use of person's email address or any other personal data, irrespective of the purpose of use) is subject to a fine from LTL500 (approximately. €145) to LTL1,000 (€290). If the violation is repeated the fines range from LTL1,000 (€290) to LTL2,000 (€579).

A 2006 amendment to the Code of Administrative Offences provides that any organisation that fails to indicate mandatory information (name, registered office, legal form, code, register where registration data is stored and kept, or other mandatory data, as established by the laws) on its corporate Internet site shall be subject to a fine.

Sector-based laws

In addition to the above-mentioned laws, several other Lithuanian laws additionally regulate certain specific aspects of data processing activities. These laws are: the Law on Electronic Communications,12 adopted in 2004 and amended most recently on 15 March 2009, which contains rules on processing of personal data and the protection of privacy in the sphere of electronic communications; the Code of Administrative Offences,13 which establishes administrative sanctions for violation of the national legal rules on data processing; the Law on the Ratification of Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) as amended by the Committee of Ministers of the Council of Europe;14 and the Law on the Rights of Patients and Compensation of the Damage to their Health, adopted in 1996 and amended several times, most recently on 1 March 2010, which provides for the rules concerning the inviolability of the patient's private life.15

Data protection authority

The State Data Protection Inspectorate (the Inspectorate) is responsible for supervising and monitoring the processing of personal data, and enforcing the provisions of the LLPPD and the Law on State Registers.16 Before data processing takes place, the data controller must inform the Inspectorate, which registers the processor and has the power to carry out prior checking.17 After processing is carried out, the Inspectorate checks its lawfulness, handles appeals for denial of access to records, and grants authorisations to data controllers to disclose personal data to data recipients in third countries. Other functions of the Inspectorate include examination of personal requests and complaints, assistance to data controllers and data subjects, and composition of methodological recommendations on the protection of personal data.

The Inspectorate is a government institution financed from the state budget. The Inspectorate is accountable to, and its regulations are approved by, the government. The status of the Inspectorate is a specific one because, while under the executive power, it is competent to inspect and control the processing of personal data by legislative bodies. The lack of full independence of the Inspectorate as a national supervisory authority was noted in 2006 in evaluation by experts of the European Commission relating to Lithuania's preparedness for implementation of its membership in the Schengen agreement, specifically the country's adequacy in the data protection field.18 The EU's report states that data protection in Lithuania is appropriate and entirely conforms to Schengen, except the fact that the Inspectorate is not fully independent. The Inspectorate's administrative integration within the government structures could represent a risk for its functional independence.19

On 15 April 2009, the government planned to change the status of the Inspectorate from an institution accountable to the government to an institution accountable to the Ministry of Justice.20 Since the Ministry of Justice supervises the state register system and individual registers, the functional independence of the Inspectorate would have remained imperilled. The project, however, was not implemented and the Inspectorate still functions under the government.

In 2004, the Inspectorate gained full membership status in the Working Party on the Protection of Individuals with regard to the Processing of Personal Data set up under Article 29 of the Directive 95/46/EC of the European Parliament and of the Council. After the ratification of the Europol Convention21 on 22 April 2004 and its entering into force on 1 September 2004, as well as the ratification of the Convention on the Use of Information Technology for Customs Purposes22 on 1 May 2004 and its entering into force on 1 August 2004, the Inspectorate became a full member of the Joint Supervisory Authorities of Europol, Schengen, and Customs.

In a 2005 case, O. Jakstaite v. Prime Minister,23 the petitioner, former Inspectorate Director Ms. Jakstaite, appealed the judgment of the Vilnius Circuit Administrative Court to the Supreme Administrative Court of Lithuania for annulment of a Prime Minister's decree. The decree imposed on the Inspectorate Director an official sanction, namely, a severe reprimand for breach of principles and rules of ethics of state servants' activities, as well as, infringement of principles of objectivity and proportionality. Vilnius Circuit Administrative Court indicated that the Inspectorate selected an authoritarian management style, and that the Director often adopted all decisions ex parte and employees had no actual influence on decision-making. The representative of the Prime Minister in the case stated that the internal rules of the Inspectorate are too strict. Furthermore, it was determined that Ms. Jakstaite was often behaving in an unprofessional manner, and thus raised the mistrust of the society and commercial entities, whose activities in the data protection field are controlled by the Inspectorate. It was also established that the Inspectorate had often been expressing different opinions on the same issues. The Supreme Administrative Court concluded that the Director of the Inspectorate, Ms. Jakstaite, breached principles and rules of ethics of state servants' activities and violated the objectivity and proportionality principles embedded in Article 4 of the Law on Public Administration.

During 2006 the Inspectorate reviewed 161 complaints and requests from individuals, investigated 729 notifications on data processing, answered 84 requests from Convention ETS No. 108 Member States, prepared 310 conclusions on prior checkings and conducted 92 preventative inspections. In total, the Inspectorate provided 2,484 consultations. The Inspectorate provided information to the public through mass media, conferences, seminars, and other means 141 times in 2006; this is a significant improvement in outreach efforts as compared to 2005. In 2006, the Inspectorate performed inspections on how personal data are being processed in selected sections: in banks established and operating in Lithuania and also in public utilities service providers.24

In 2007, the Inspectorate celebrated its tenth anniversary.25 In this year the Inspectorate received 154 complaints and handled 129 of them.26 It carried out 318 inspections. The Inspectorate also analysed 790 notifications on data processing.27 The Inspectorate drafted 53 replies to enquiries from countries to Convention for the protection of individuals with regard to automatic processing of personal data (ETS No. 108).28 Among the inspections, six were conducted on financial institutions to check the scope and lawfulness of personal data processing of individuals referring to the financial institutions for the speedy credit services by Internet or mobile text messages.29 The Inspectorate also found that police officers checking the identity of traffic violators were also checking personal data including their genealogical tree. This data was also printed and attached as evidence. After a series of reversals on appeals, the Supreme Administrative Court acknowledged that the Inspectorate's instruction to disable the software's access to the Residents' Register was valid as the rule was overbroad and did not have basic privacy protections.30 In the same year, in a joint initiative with the data controllers, the Inspectorate organised seminars, meetings and workshops, which resulted in an increased level of public awareness and dissemination of information.31 The Inspectorate planned to intensify the activities performed to increase information dissemination on data protection matters and carry out preventive activities by performing sectoral inspections. In addition, the Inspectorate issued sample Rules for Personal Data Processing at Schools, which were subsequently approved by the Inspectorate Director. The rules aim to ensure compliance with the LLPPD.32

In 2008, the Inspectorate investigated 115 complaints out of the 153 received.33 In addition, the Inspectorate performed 126 preventive inspections and prepared 114 conclusions on prior checking.34

In 2009, the Inspectorate investigated 166 complaints out of 201 received.35 This is the largest number of complaints received in the last three years. In 2009 persons most actively complained about the processing of personal data for direct marketing purposes: these complaints increased three times in comparison to 2008.36 In addition, in 2009 the Inspectorate performed 165 preventive inspections and prepared 114 conclusions on prior checking.37 The Inspectorate also started preparation on draft laws regarding the protection of personal data processed in the framework of police and judicial cooperation in criminal matters.38 The European Council requires relevant provisions to be transposed into national legislation by November 2010.39

In 2008 and 2009 the number of legal consultations provided by the Inspectorate to data subjects and data controllers has increased: 3,179 consultations in 2008 and 3,696 consultations in 2009.40

The available results show that contrary to previous years, the number of administrative law offence protocols drawn up in 2009 has increased significantly. Fourteen protocols out of 27 drawn up by the Inspectorate were found by the court of first instance to be well grounded, thus the number of the protocols rejected by the court is decreasing.

Major privacy and data protection case law

The case law in the privacy and data protection fields is not very extensive. One of the reasons for this status quo is that the right to privacy is still a novelty in the laws of Lithuania and in the courts' practice. Lithuanians rarely refer to the courts or other institutions due to violations of their private life.41 The more rural settlements especially perceive the boundaries of private life in a very liberal way.42 However, the case law regarding the right to privacy is gradually developing.

The majority of cases regarding privacy protection dealt with by the Supreme Court of Lithuania relate to conflicts between two constitutional rights, i.e., right to private life and right to freedom of expression. In the majority of the cases violations of the right to privacy or the right to an image were found.

In the case of 17 February 2004, the Supreme Court explained that a public person is not under the same defence of honour and dignity as the private one because higher behaviour requirements are set for the public person than for the private one. Therefore, the public person has to tolerate the publicised information (even though it is not precise in full) or opinion about him.43

In another case, the Supreme Court indicated that person's right to privacy is not absolute.44 Immunity of private life can be restricted if the person abuses his/her right (for example, by acting dishonestly, then seeking to defend himself or herself with a claim to privacy). The right to claim a right of privacy might be reasonably denied on a case-by-case basis. The plaintiff worked as a sales clerk. From the point of view of the territory the sphere of the private life consists of a person's living accommodations, as well as premises which the person uses for his housekeeping or professional activities or similar.45 The public workplace is not a person's private sphere. Salesmen cannot require that their privacy be guaranteed at their workplace, i.e., in the salesroom; therefore, surveillance of the salesroom and the salesmen's work is not secret surveillance of person's private life. The defendant, the owner of the store, installed video cameras in public locations, i.e., in the salesroom above the working place of the saleswomen (cash register) in order to prevent law infringements and crimes. The work of the saleswoman was public character activity; therefore she could not require privacy at her workplace. The plaintiff made an administrative law infringement; her behaviour was dishonest in the workplace, even unlawful; therefore, the plaintiff cannot use violation of her right to privacy in her defence.

In the case of 2 November 2004, the Supreme Court, interpreting Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms and the person's right to private life, entrenched in national law, indicated that a violation of the right to private life can be understood as the filming of a private person in his/her private tenure without his/her consent, and/or distribution or publicising of the video record in which the private person is recorded without his/her consent.46 Substantiation measures, or admissible evidence, may consist of photos, audio, and video records, made without infringing the law. Admissibility of the substantiation measure is understood as receiving of information, constituting the content of the proof, without violating procedures set by the laws. Upon assessing the admissibility of the video record as the substantiation measure, it should be decided whether this proof was received without violation of the rights and interests of the data subjects who are recorded in the video record, in particular their right to privacy. The Supreme Court indicated that since in the present case the filming was conducted in the shop premises belonging to the defendant, the salesroom, i.e., the public place, the filmed persons were in labour relations with the defendant and materially liable for carried work. Such filming cannot be regarded as violation of the private person's rights; therefore, information in the video record has to be recognised as a proper proof when considering the labour duties violation.47 This proof shall be assessed and analysed together with other evidence in the case. On the basis of these arguments the Supreme Court repealed the decision of the appellate instance court, where it was decided that the discussed video records violated the person's right to his private life and, thus, could not be regarded as admissible measure of substantiation.

On 29 November 2004, the Supreme Court indicated that the right to the private life and privacy is not violated if the elements of a publication's content do not create a possibility to identify the person about whom the information in the publication is provided.48 In this decision, the Supreme Court concluded that the first instance court reasonably rejected the claim and the court of appeals left the decision without changes after the courts were not able to determine that the publicised information in the article was in particular about the plaintiff's private life.

In the case of 2 January 2008, the Supreme Court found a violation of the constitutional right to privacy and confirmed that any information related to person's health would be deemed to be private.49 The Supreme Court rejected the argument of the Court of Appeal of Lithuania that it was necessary to publish the information in question regarding the person's health in order to inform the society about the effects of drug use. The Court found that the information was published merely to draw readers' attention and no real social interest to know the facts of a certain person's private life existed. As emphasised by the Court "lawful and well-grounded public interest to know certain information about other person cannot be equated to society's interest to satisfy its curiosity".

In another case of August 2008, the Supreme Court of Lithuania has also explained that the fact that a person had not previously avoided talking to the media and had revealed information which is considered to be intimate (e.g., the conception, etc.), shall not be considered to be a consent to publish information about his/her private life.50

In the case of 23 September 2008, the Supreme Court found a violation of person's right to an image. The case concerned a video shown on a local channel about the alleged violation of the traffic rules by the plaintiff, without her consent.51 Since the Civil Code does not provide for the ways in which the consent must be expressed, the Supreme Court affirmed that upon the well-established case law it may be given verbally, in writing, or may be implied from the actions, e.g. the person talks publicly about the details of his/her private life, gives an interview for a journalist, etc. Nevertheless, consent to be photographed does not ex officio provide for consent to reproduce, sell, demonstrate, or publish the photograph.52 The same rules apply for broadcasting the video record: if the person has not given consent to be recorded, be it explicitly or implicitly, it shall be deemed that he/she has not given consent to broadcast the video via media tools.

In the case of 13 February 2009, the Supreme Court again found a violation of the right to private life: the applicants' complaint concerned the publishing of pictures of them taken at the nudist beach, and thus interfering with their right to private life. The Court found that "no public interest" existed to justify this kind of interference. The Supreme Court, however, reduced the amount to be paid for the plaintiffs as non-pecuniary damage, from LTL75,000 (approximately €21,740) to LTL15,000 (€4,350).53 One must note that the European Court of Human Rights (ECHR) has criticised the case law of Lithuanian courts regarding the reward of non-pecuniary damage.54

In 2007 the Supreme Administrative Court heard an appeal from the Vilnius District Administrative Court concerning the practice of checking personal data and using software to compose the complete genealogical tree of anyone detained for a traffic violation.55 The District Court had concluded that the practice was needed for the pursuit of legitimate police interests.56 The Supreme Court reversed this finding, stating that the data could be processed for a person under operational investigation, but not for an individual who contravened road traffic regulations.57

In 2008 the Supreme Administrative Court resolved a dispute in which the police published on a Web site for a month personal data related to drivers who were caught driving under the influence as an informational, educational, and preventive measure. The Court concluded that in this situation an offender's right to privacy does not counterweigh the interest of prevention of grave infringements, so such data processing was lawful.58

Footnotes

  • 1. The Law on Legal Protection of Personal Data, No. I-1374 (2009), available in English at http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=315633 (Official Translation).
  • 2. J. Kaliacius v. I. Starosaite-Zvaguliene, 27 October 2004, No. 3K-3-579/2004, Supreme Court of the Republic of Lithuania, Overview of the Supreme Court Cassation Practice for the year 2004, at 14.
  • 3. Id.
  • 4. Law on Legal Protection of Personal Data, supra.
  • 5. Directive 1995/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data,available both in English and in Lithuanian at http://www.edps.europa.eu/EDPSWEB/edps/EDPS/Dataprotection/Legislation..
  • 6. European Union Member States Index, available at http://europa.eu/abc/european_countries/eu_members/lithuania/index_en.htm.
  • 7. Law on Legal Protection of Personal Data, supra.
  • 8. State Data Protection Inspectorate, Newsletter on Personal Data Protection No. 1 (16), January 2009, available at http://www.ada.lt/images/cms/File/naujienu/Biuleteniai/2009%20January,%201(16).pdf. On video surveillance, see also infra.
  • 9. State Data Protection Inspectorate, Newsletter on Personal Data Protection No. 5 (20) 1 May 2009, available at http://www.ada.lt/images/cms/File/naujienu/Biuleteniai/2009%20May,%205(20).pdf.
  • 10. Id.
  • 11. The Law on State Registers, No. I-1490 (1996), State News, 1996, No.86-2043.
  • 12. In Lithuanian: Elektroninių ryÅ¡ių įstatymas, No. IX-2135, adopted on 15 April 2004, last amendments adopted on 14 November 2008, in force as from 15 March 2009.
  • 13. In Lithuanian: AdministraciniųteisÄ—s pažeidimų kodeksas, last amendments adopted on 10 June 2010, in force as from 22 June 2010.
  • 14. In Lithuanian: Ä®statymas dÄ—l Konvencijos dÄ—l asmenų apsaugos ryÅ¡ium su asmens duomenų automatizuotu tvarkymu (ETS Nr. 108) su Europos Tarybos Ministrų Komiteto priimtomis pataisomis ratifikavimo,No. IX-189, adopted on 20 February 2001.
  • 15. In Lithuanian: Pacientų teisių ir žalos sveikatai atlyginimo įstatymas, No. I-1562, adopted on 3 October 1996, last amendments adopted on 10 November 2009, in force as from 1 March 2010, available at http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=360565.
  • 16. Government of Republic of Lithuania Resolution No. 1185 Concerning the Setting up of the State Data Protection Inspectorate, 10 October 1996, State news, 1996, No. 100-2293.
  • 17. Recommended form approved by Order No. 1T-28 of 29 January 2004 of the Director of the State Data Protection Inspectorate, "Notification of automated processing," 29 January 2004. See State Data Protection Inspectorate, Registration of Data Controllers, available at http://www.ada.lt/index.php?lng=en&action=page&id=10107.
  • 18. Annual Activity Report 2006 of the State Data Protection Inspectorate, at 3, available at http://www.ada.lt/images/cms/File/ataskaitos/Galutinis_EN.pdf.
  • 19. Id. at 3.
  • 20. Annual Activity Reports 2009 of the State Data Protection Inspectorate, at 5, available in Lithuanian at http://www.ada.lt/images/cms/File/ataskaitos/Microsoft%20Word%20-%202009....
  • 21. Europol Convention, State News, 2004, No. 113-4202 (in Lithuanian), available at http://www3.lrs.lt/cgi-bin/preps2?Condition1=238239&Condition2=. On 1 January 2010, the Europol Convention was replaced by the Council Decision of 6 April 2009 establishing the European Police Office (EUROPOL), Official Journal of the European Union L 121, 15 May 2009, at 37.
  • 22. Convention on the Use of Information Technology for Customs Purposes, State News, 2004, No. 36-1188 (in Lithuanian), available at http://www3.lrs.lt/cgi-bin/preps2?Condition1=228195&Condition2=.
  • 23. O. Jakstaite v. Prime Minister, 22 April 2005, No. A10 – 459 – 05, Supreme Administrative Court.
  • 24. Annual Activity Report 2006 of the State Data Protection Inspectorate, supra.
  • 25. 11th Annual Report of the Article 29 Working Party on Data Protection, supra at 69.
  • 26. Annual Activities Report 2007 of the State Data Protection Directorate, at 11, available at http://www.ada.lt/images/cms/File/ataskaitos/2007_ANNUAL_REPORT.pdf.
  • 27. Id. at 13.
  • 28. Id. at 16.
  • 29. Country Report of State Data Protection Inspectorate to International Working Group on Data Protection in Telecommunications, 13 August 2008.
  • 30. IWG Country Report – Lithuania, 43rd Meeting of the Working Group, March 2008.
  • 31. Annual Activities Report 2007 of the State Data Protection Directorate, supra at 5.
  • 32. 11th Annual Report of the Article 29 Working Party on Data Protection 66 (June 2008) available at http://ec.europa.eu/justice/policies/privacy/workinggroup/annual_reports....
  • 33. Annual Activities Report 2008 of the State Data Protection Directorate, at 10, available at http://www.ada.lt/images/cms/File/ataskaitos/Report%202008%2020090528.pdf.
  • 34. Id. at 14.
  • 35. Annual Activity Report 2009 of the State Data Protection Inspectorate, supra at 12.
  • 36. Id. at 13.
  • 37. Id. at 14.
  • 38. Id. at 20.
  • 39. Id. at 23.
  • 40. Id. at 9.
  • 41. Activity Report of the Inspector of Journalistic Ethics, supra.
  • 42. Id.
  • 43. V. Vizbaras v. I. Dzedulioniene, 17 February 2004, No. 3K-3-56/2004, Supreme Court of the Republic of Lithuania, Overview of the Supreme Court Cassation Practice for the year 2004, at 14.
  • 44. J. Bartasiuniene v. Public Institution "Humana people to people Baltic," 3 May 2004, No. 3K-3-289/2004, Supreme Court of the Republic of Lithuania, Overview of the Supreme Court Cassation Practice for the Year 2004, at 67 – 68.
  • 45. Id.
  • 46. P. Lasas v. JSC "VP Market," 2 November 2004, No. 3K-3-643/2004, Supreme Court of the Republic of Lithuania, Overview of the Supreme Court Cassation Practice for the Year 2004, at 67.
  • 47. Id. at 67.
  • 48. J. Varapnickiene-Mazyliene v. Vilnius City Children Rights Defence Service, 29 November 2004, No. 3K-3-600/2004, Supreme Court of the Republic of Lithuania, Overview of the Supreme Court Cassation Practice for the year 2004, at 13 - 14.
  • 49. S.Å . and V.Å . v Ltd Lietuvos rytas,2 January 2008, No. 3K-7-2/2008, the Supreme Court of the Republic of Lithuania.
  • 50. Ž.Ž. v Ltd Ekstra Žinios, 14 August 2008, No. 3K-3-393/2008, the Supreme Court of the Republic of Lithuania.
  • 51. L.L. and A.L. v Ltd Roventa ,23 September 2008, No. 3K-3-394/2008, the Supreme Court of the Republic of Lithuania.
  • 52. See also T.G. v R.Å ., Ltd Brolių Tomkų leidykla, 24 February 2003, No. 3K-3-294/2003, the Supreme Court of the Republic of Lithuania.
  • 53. D.M. and L.M. v Ltd Ekstra Žinios, 13 February 2009, No. 3K-3-26/2009, the Supreme Court of the Republic of Lithuania.
  • 54. Biriuk v. Lithuania, Application No. 23373/03, Judgment of 25 November 2008, paragraph 44 – 47.
  • 55. 11th Annual Report of the Article 29 Working Party on Data Protection, supra at 66-67.
  • 56. Id. at 67.
  • 57. Id. at 67.
  • 58. Vilnius County Police Headquarters v. State Data Protection Inspectorate, 24 April 2008, No. A-525-689-08, Supreme Administrative Court.