Lietuvos draudimas – Complaint Upheld (Lithuania, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An insurance company in Lithuania was found to have transferred a person's data to a debt collection agency without proper notification. This ruling matters because it reinforces the need for companies to inform users about how their data is used.
What happened
Lietuvos draudimas transferred a person's personal data to a third party without providing necessary information.
Who was affected
The individual whose data was transferred without proper notification was affected.
What the authority found
The DPA upheld the complaint, finding that the insurance company violated GDPR Articles 14(3)(a) and (b) by not providing timely information.
Why this matters
This case highlights the importance of transparency in data processing. Companies should ensure they communicate clearly with users about their data handling practices.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Lietuvos draudimas (the controller) is an insurance company. In 2025, a data subject filed a complaint with the DPA. According to the data subject, the controller transferred their personal data to a third party without establishing liability for damages. The controller also failed to provide information in accordance with Article 14 GDPR, and processed data to an excessive extent. During its investigations, the DPA found that the controller obtained data from third parties during insurance proceedings in order to identify the data subject; this includes the state company registry and a third person affected by the data subject. The controller later transferred the data subject’s data to a debt collection agency (the processor) after the data subject failed to pay the controller within the time limit. The DPA first clarified that it was not competent to examine the parties’ insurance rights, and that this case was limited to verifying the lawfulness of the processing activities. The DPA partially upheld the data subject’s claim. The DPA found a violation of Articles 14(3)(a) and (b) GDPR, as the controller provided the data subject with information required under Articles 14(1) and (2) GDPR late. The controller received data from third parties regarding the data subject, therefore, it should have provided this information without undue delay (and no later than upon first contact with the data subject). According to the DPA, the controller failed to do both. However, the DPA did not find a violation of Article 28(3) GDPR. The DPA stated that the GDPR regulates the relationship between controllers and processors, and does not give the data subject the right to object to (or authorise) a controller transferring data to a processor. The DPA also dismissed the data subject’s data minimisation claim. The DPA found that the controller processed the necessary data in the debt collection proceedings; if the controller limited the data processed (e.g. to first and last n
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Lietuvos draudimas in LT
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Lietuvos draudimas - Lithuania (2026). Retrieved from cookiefines.eu
Last updated: