GDPR Frequently Asked Questions

What is GDPR?

The General Data Protection Regulation (“GDPR”) is a legislative regime that seeks to protect, and remove obstacles to the flow of, personal data, while imposing obligations on organisations that process such data. The GDPR came into effect across the European Union (“EU”) on 25 May 2018 and applied in Lithuania from that date. In Lithuania, the GDPR is supplemented by the Personal Data Protection Law dated 30 June 2018 (“PDPL”).

The GDPR and relevant data protection legislation governs how organisations process information about individuals, including but not limited to the collection, recording, structuring, storage, use and disclosure or transfer of personal data to third parties. Further, they protect individuals with regard to the processing of data, in particular by:

• requiring personal data to be processed lawfully, fairly and transparently, on the basis of the data subject’s consent or another specified basis;
• conferring rights on the data subject to obtain information about the processing of personal data and to require inaccurate personal data to be rectified; and
• conferring responsibility to monitor and enforce the GDPR and supplemental data protection legislation on the relevant Commissioner in each jurisdiction (the State Data Protection Inspectorate (“VDAI”) in Lithuania).

What do the different terms mean?

The GDPR sets out a number of definitions, including the following:

• “personal data” is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”;
• “processing” is “any operation or set of operation which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”;
• “controller” is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”; and
• “processor” is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.

Who does the GDPR apply to?

The GDPR applies to the processing of personal data:

• in the context of the activities of an establishment of a controller or a processor in the EU (including Lithuania), regardless of whether the processing takes place in the EU or elsewhere;
• of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities relate to (a) offering goods or services to those data subjects in the EU or (b) monitoring data subjects’ behaviour taking place in the EU; and
• by a controller not established in the EU but where EU law applies by virtue of public international law.

LondonLink LT UAB (“LondonLink”) is incorporated in Lithuania, which is in the EU, and is subject to the GDPR and the PDPL.

What responsibilities do companies have under the GDPR?

LondonLink and other companies must ensure that a data subject’s consent to the processing of personal data is clear, affirmative, and in plain language, and must make it easy for data subjects to withdraw consent at any time if they wish to do so.

Article 13 of the GDPR provides that at the time that personal data is obtained, controllers must provide data subjects with certain information, namely:

• the identity and the contact details of the controller (and, where applicable, the controller’s representative);
• the contact details of the Data Protection Officer (“DPO”), where applicable;
• the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
• the legitimate interests pursued by the controller or by a third party (where the processing is necessary and permitted for the purposes of those interests);
• the recipients or categories of recipients of the personal data, if any;
• where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and related information;
• the period for which the personal data will be stored (or the criteria used to determine that period);
• the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
• the existence of the right to withdraw consent at any time;
• the existence of the right to lodge a complaint with the Commissioner (e.g. the VDAI in Lithuania);
• whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data; and
• the existence of automated decision-making, including profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Are there any specific rules that businesses should follow to ensure compliance?

Article 5 of the GDPR provides that personal data must be:

• processed lawfully, fairly and in a transparent manner;
• collected only for specified, explicit and legitimate purposes;
• adequate, relevant and limited to what is necessary;
• accurate and, where necessary, kept up-to-date;
• held only for the time necessary and no longer; and
• processed in a manner that ensures appropriate security of the personal data.

What are the penalties for failing to comply with the GDPR?

The GDPR has introduced a tiered approach to fines, meaning that the severity of the breach will determine the fine imposed.

The maximum fine a company can face is 4% of their annual global turnover or EUR 20 million, whichever is higher.

Less serious violations, such as having improper records, or failing to notify of any breaches, can be fined a maximum of 2% of their annual global turnover or EUR 10 million, whichever is higher.

Do all organisations now have to appoint a DPO?

Article 37 of the GDPR provides that the controller and the processor shall appoint a DPO where:

• the processing is carried out by a public authority or body (with the exception of courts acting in their judicial capacity);
• the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or
• the core activities of the controller or the processor consist of processing on a large scale special categories of data or personal data relating to criminal convictions and offences.

Where none of the above criteria apply, the relevant organisation is not required to appoint a DPO (although it may still wish to do so) but it must nevertheless ensure that it has sufficient staff and skills in place to be able to carry out its obligations under the GDPR.

As none of the above criteria apply, LondonLink has not appointed a DPO.

What rights do individuals have under the EU GDPR?

The key rights of data subjects under the GDPR are:

• the right to be informed - organisations must be completely transparent in how they are using personal data;
• the right of access - i.e. to know exactly what information is held about them and how it is processed;
• the right of rectification - i.e. to have personal data rectified if it is inaccurate or incomplete;
• the right to erasure (or 'the right to be forgotten') - to have their personal data deleted or removed without the need for a specific reason as to why they wish to discontinue;
• the right to restrict processing - i.e. to block or suppress processing of their personal data;
• the right to data portability - i.e. to retain and reuse their personal data for their own purpose;
• the right to object - i.e. in certain circumstances, to object to their personal data being used. This includes, if a company uses personal data for the purpose of direct marketing or for scientific and historical research;
• the right to automated decision making and profiling - i.e. not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning, or significantly affecting, them. This is intended to protect data subjects against the risk that a potentially damaging decision is made without human intervention; and
• the right to complain to the Commissioner (e.g. the VDAI in Lithuania) if they consider that the processing of their personal data infringes the GDPR.