Senior management and organisation

Please identify the authority’s senior management.

Raimondas Andrijauskas is the Inspectorate’s director.                     

When was the head of the authority appointed?

The head of the Inspectorate was appointed on February 2018.

How long is their term of office?

The head of the Inspectorate is appointed to office for a term of four years.

What is the process for nominating the head of the authority?

The head of the Inspectorate is appointed and dismissed by the government. More detailed information can be found in article No. 9 of Republic of Lithuania Law on Legal Protection of Personal Data, available at 

What was the authority’s budget for the most recently available financial year?

The budget for 2018 was €1.111 million.

How many data protection/privacy-focused staff does the authority employ?

There are 32 posts.

Contacting the authority

How and where should companies or their advisers contact the authority to notify a data breach?      

The order describing the procedure for notifying a personal data breach to the State Data Protection Inspectorate, approved by order of the director of the State Data Protection Inspectorate 27/07/2018, No. 1T-72(1.12.E), is available at (currently only available in Lithuanian).

Notification (signed by the data controller (a natural or legal person) or a person authorised by the head of the data controller) about the data breach should be provided to the Inspectorate. This can be done:

How and where should companies or their advisers contact the authority to start the binding corporate rules approval process?      

Companies must send documents to the Inspectorate (there are no exemplary forms):

What other contact information should companies and their advisers be aware of?

The Inspectorate’s main email address is [email protected].

Legal and enforcement framework

Can you search premises or force the disclosure of information without having to approach the courts?

If the data controller is a natural person, permission of the court is required to search premises or force disclosure of information. If the data controller is a legal person, permission of the court is not required.

What non-pecuniary measures can you take against companies that breach data protection rules?

The Inspectorate can give instructions, warnings or reprimands, or order the suspension of data processing, etc, pursuant to article 58 of the GDPR.

What emergency or interim measures can you take pending the full conclusion of your investigations?

The Inspectorate can order the suspension of data processing under article 58 of the GDPR.

Priorities and the future

What are your enforcement priorities over the next year? For example, are you targeting any particular topics, or industry sectors?

The priority is to continue creating an effective system of personal data protection in Lithuania.

What data protection/privacy-related guidelines have you issued to date?

  • Recommendations on GDPR for small and medium-sized enterprises;
  • recommendation on records of processing activities;
  • recommendation on the identification, investigation, notification and documentation of personal data breaches;
  • guidelines on processing of personal data in the legislative process in accordance with the GDPR;
  • public consultation on data protection officers;
  • FAQs on how to inform about video surveillance; and
  • FAQs on the application of the GDPR when processing data of management-body members of a legal entity.

Unlock unlimited access to all Global Data Review content