Overview of the landscape. The implementation of the GDPR has not changed the Estonian Data Protection Inspectorate’s (in Estonian: Andmekaitse Inspektsioon) approach regarding violations. They still follow the principle “rather warn and guide, not punish.” Therefore, there have not been major fines issued for data protection violations. Overall, there are still many uncertainties regarding the requirements of the GDPR, but the Data Protection Inspectorate is actively consulting with different stakeholders on issues related to data protection and working on updating the guidelines issued before the GDPR.
Concept of administrative fines. Estonia is working on introducing into the Estonian legal system a new administrative penalty—an administrative fine—to be able to react more efficiently to financial, competition, and data protection law violations. According to the Data Protection Inspectorate, sanctioning legal persons through misdemeanour proceedings (as is possible currently) is inefficient and burdensome to all parties involved. The changes are likely to simplify and shorten the process of imposing fines. The timeline for the proposed changes is currently unknown.
Usage of surveillance cameras. This topic has raised many questions in Estonia over the past three years. Mostly, the focus has been on questions such as the purposes for which surveillance cameras can be used, where to place the cameras, how data subjects should be informed of the cameras, what should be recorded, etc. Regarding the obligation to provide information, the Data Protection Inspectorate has created an online tool that generates a proper information sign to be used to inform data subjects about surveillance cameras.
Personal data of employees. A significant number of topics addressed by the Data Protection Inspectorate over the past years related to personal data processing in employment relationships. For example, employees have expressed interest in what should happen with their mailbox and work-related email address after the termination of their employment relationship. In addition, unsurprisingly, the COVID-19 pandemic has raised questions about the processing of employees’ health data.
Personal data in economic information portals. For the past three years, the Data Protection Inspectorate has been monitoring the activity of economic information portals in Estonia regarding their personal data processing practices. Such portals gather information about Estonian enterprises and related persons from the e-Business Register and link the data with other data accessible from public sources. Data subjects have raised questions regarding the legality of such a processing activity. In 2020, the Data Protection Inspectorate issued guidelines for such portals that should help them achieve consistency with the applicable data protection legislation.
Overview of the landscape. The Latvian Data State Inspectorate (in Latvian: Datu valsts inspekcija) still follows the principle “consult first”, implying that it may apply fines after first consulting the company. Moreover, the Data State Inspectorate has started a new practice of publishing its decisions and provided criteria for determining the amount of the administrative fines, working actively towards lessening uncertainty and improving transparency.
Sanctions. Recently, the Data State Inspectorate has issued several significant fines under the GDPR. A fine of EUR 65,000 was imposed for the processing of the personal data of insolvent natural persons for longer than allowed under applicable laws. A fine of EUR 6,000 was imposed for the unlawful disclosure of an employee’s COVID-19 positive status to other employees. A fine of EUR 15,000 was imposed for sending commercial communication to the data subject irrespective of withdrawn consent, a non-compliant use of cookies, and a lack of clarity in the privacy policy.
Personal data security breaches. The number of personal data breach notifications to the Latvian Data State Inspectorate (113) in comparison with Lithuania (181) and Estonia (138) shows that it is likely that companies in Latvia underreport breaches, the probable reason being a lack of knowledge of and confidence in the duty to report and anticipation of sanctions. Confidentiality breaches dominate in Latvia, and in our practice, most breaches are attributable to human error, which further emphasises the importance of delivering engaging and uncomplicated regular GDPR training to all employees.
Trends in personal data processing. During the last year, TGS Baltic Latvia has addressed many questions from employers regarding data processing in the context of employment relationships, especially of health data. Moreover, in many cases, companies have proceeded with an overhaul of data protection practices and privacy policies put together in the year the GDPR became applicable (2018). In addition, the Data State Inspectorate has recently addressed the processing of personal data in the context of social media and journalism, emphasising the need for a proper balance between the right to freedom of expression and the right to the protection of personal data for each processing in question.
Overview of the landscape. The implementation of the GDPR has not dramatically changed the approach of the Lithuanian State Data Protection Inspectorate (in Lithuanian: Valstybinė duomenų apsaugos inspekcija) in respect of violations. So far, major fines have been issued in cases where GDPR violations were so manifest and grave that other sanctions did not seem to achieve the disciplinary function. In particular, the Lithuanian State Data Protection Inspectorate takes a much more rigid stance where entities fail to cooperate during the investigations. In cases where considerable uncertainty as to the requirements of the GDPR still exists, the Inspectorate takes a reasonable approach.
Personal data security breaches. The most common personal data security breaches in 2020 took place on websites or information systems. Confidentiality breaches are undoubtedly predominant in Lithuania, and most violations are attributable to human error. This is a clear signal that employees need to be comprehensively trained and tested. When analysing the categories of personal data compromised, name, surname, e-mail, and other contact details clearly prevail.
Sanctions. In 2020, the Lithuanian State Data Protection Inspectorate issued eight recommendations, 175 instructions, 94 reprimands, and over 20 fines to companies (most of which were for lack of cooperation during the investigation). In 2020, a fine of EUR 15,000 was imposed on a public authority for breaches of Article 5 of the GDPR and a fine of EUR 8,000 was imposed on a company for recording sound on public transport buses in breach of Articles 5, 13, 24, and 35 of the GDPR.
Prior consultations. In 2020, the number of applications for prior consultations with the Lithuanian data protection authority increased. In total, eight applications were submitted, leading to six decisions.
Methodological assistance to the market. To reduce the number of individual claims and provide more detailed information on topical issues to larger stakeholder groups, the Lithuanian data protection authority has developed several pieces of methodological information addressed to both data controllers and data subjects, hosted awareness-raising events, etc.