Valstybinė duomenų apsaugos inspekcija – Court Ruling (Lithuania, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The data subject is an employee of the controller, the budgetary institution Klaipėda City Social Support Centre (Klaipėdos miesto socialinės paramos centras). On 2 April 2021, the controller’s Ethics Committee received a report stating that the data subject allegedly had behaved in an unethical way in the workplace environment. These conducts consisted in writing disrespectful statements about her colleagues and managers in a closed Facebook group and, more generally, having a rude attitude while working. On 6 August 2021, the data subject filed a complaint with the DPA. She argued that the investigation of the Ethics Committee infringed data protection law, as it processed her personal data without a legal basis under Article 6(1) GDPR. The data subject complained that the Committee unlawfully obtained her correspondence in the closed Facebook group. The DPA upheld the complaint. It found that the controller could not base its processing on legitimate interest under Article 6(1)(f) GDPR and that, however, it had not applied the balancing test of interests and did not assess whether the legitimate interests of the controller override the rights and freedoms of the data subject. Moreover, the DPA noted that the controller can be considered equivalent a public authority acting in the performance of their task. Therefore, according to Article 6(1) GDPR, Article 6(1)(f) GDPR cannot apply. The decision was appealed before the Vilnius Regional Administrative Court (Vilniaus apygardos administracinis teismas). On 27 February 2023, the controller’s appeal was dismissed. The court held that the act of receiving and analysing the data subject’s posts constitutes processing of personal data under Article 4(2) GDPR. Moreover, it pointed out that the processing of personal data is lawful only if it relies on one of the legal basis contained in Article 6(1) GDPR. As for Article 6(1)(f) GDPR, the court found that the controller had not proven that its alleged interest of ensuring
GDPR Articles Cited
The data subject is an employee of the controller, the budgetary institution Klaipėda City Social Support Centre (Klaipėdos miesto socialinės paramos centras). On 2 April 2021, the controller’s Ethics Committee received a report stating that the data subject allegedly had behaved in an unethical way in the workplace environment. These conducts consisted in writing disrespectful statements about her colleagues and managers in a closed Facebook group and, more generally, having a rude attitude while working. On 6 August 2021, the data subject filed a complaint with the DPA. She argued that the investigation of the Ethics Committee infringed data protection law, as it processed her personal data without a legal basis under Article 6(1) GDPR. The data subject complained that the Committee unlawfully obtained her correspondence in the closed Facebook group. The DPA upheld the complaint. It found that the controller could not base its processing on legitimate interest under Article 6(1)(f) GDPR and that, however, it had not applied the balancing test of interests and did not assess whether the legitimate interests of the controller override the rights and freedoms of the data subject. Moreover, the DPA noted that the controller can be considered equivalent a public authority acting in the performance of their task. Therefore, according to Article 6(1) GDPR, Article 6(1)(f) GDPR cannot apply. The decision was appealed before the Vilnius Regional Administrative Court (Vilniaus apygardos administracinis teismas). On 27 February 2023, the controller’s appeal was dismissed. The court held that the act of receiving and analysing the data subject’s posts constitutes processing of personal data under Article 4(2) GDPR. Moreover, it pointed out that the processing of personal data is lawful only if it relies on one of the legal basis contained in Article 6(1) GDPR. As for Article 6(1)(f) GDPR, the court found that the controller had not proven that its alleged interest of ensuring
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Valstybinė duomenų apsaugos inspekcija in LT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Valstybinė duomenų apsaugos inspekcija - Lithuania (2024). Retrieved from cookiefines.eu
Last updated: