Nacionaliniam visuomenės sveikatos centrui (NVSC) – €12,000 Fine (Lithuania, 2021)

The Lithuanian DPA (VDAI) imposed a fine of EUR 12,000 on the Lithuanian National Health Service (NVSC). The DPA had opened an investigation regarding a quarantine app introduced in Lithuania during the COVID-19 pandemic in spring 2020. The IT company 'IT sprendimai sėkmei' had developed the app, which was then used by the NVSC. In the course of the investigation, the DPA found that during the app's period of use, the data of a total of 677 individuals had been processed in varying degrees. The app was able to collect data such as the name, address and phone number of the data subjects. The DPA concluded that the controller had not taken sufficient technical and organizational measures to protect the data processing. Furthermore, a data protection impact assessment was not carried out, although this would have been necessary in particular because the app also processed special categories of personal data including health data. The DPA further stated that the controller had provided non-transparent and incorrect information in the app's privacy policy.