The Lithuanian Border Police – Complaint Upheld (Lithuania, 2025)

In September 2024 the border police (the controller) stopped and fined an individual (the data subject) for driving a non-registered vehicle. Two officers uploaded a description of the data subject’s administrative offence on the border police’s Signal group along with the subject’s identity card and driver’s license. A third officer from the Signal group then forwarded the data to an unauthorized third party via Messenger. The controller later investigated the incident and sanctioned the officer responsible for the disclosure. The controller also considered that the breach was unlikely to result in a risk to the rights and freedoms of natural persons and, therefore, that it was not necessary to notify it to the DPA or the data subject. In the meantime, the data subject learned about the breach and filed a complaint with the DPA. The DPA investigated the complaint and found that controller’s data policies allowed and regulated the use of Signal for internal communications but did not allow the use of Messenger. The DPA clarified that leaks of identification documents are generally considered to be high-risk situations because the data could enable identity theft or other illegal actions data subjects. For this reason, the DPA held that the controller should have notified the data breach to both the DPA and the data subject. The DPA reprimanded the controller for having breached Articles 33(1) and 34(1) GDPR.