Valstybinė duomenų apsaugos inspekcija – Court Ruling (Lithuania, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A court in Lithuania ruled that the Klaipėda City Social Support Centre improperly investigated an employee's behavior without a valid reason. This matters because it shows that companies must have a legal basis for processing personal data, even in workplace investigations.
What happened
The court found that the Klaipėda City Social Support Centre processed an employee's personal data without a valid legal basis.
Who was affected
The employee of the Klaipėda City Social Support Centre who was investigated for alleged unethical behavior.
What the authority found
The court decided that the Centre could not justify its data processing under GDPR rules, as it failed to prove a legitimate interest.
Why this matters
This ruling highlights the importance of having a clear legal basis for data processing in workplace settings. Companies should ensure they understand their obligations under data protection laws to avoid similar issues.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The data subject is an employee of the controller, the budgetary institution Klaipėda City Social Support Centre (Klaipėdos miesto socialinės paramos centras). On 2 April 2021, the controller’s Ethics Committee received a report stating that the data subject allegedly had behaved in an unethical way in the workplace environment. These conducts consisted in writing disrespectful statements about her colleagues and managers in a closed Facebook group and, more generally, having a rude attitude while working. On 6 August 2021, the data subject filed a complaint with the DPA. She argued that the investigation of the Ethics Committee infringed data protection law, as it processed her personal data without a legal basis under Article 6(1) GDPR. The data subject complained that the Committee unlawfully obtained her correspondence in the closed Facebook group. The DPA upheld the complaint. It found that the controller could not base its processing on legitimate interest under Article 6(1)(f) GDPR and that, however, it had not applied the balancing test of interests and did not assess whether the legitimate interests of the controller override the rights and freedoms of the data subject. Moreover, the DPA noted that the controller can be considered equivalent a public authority acting in the performance of their task. Therefore, according to Article 6(1) GDPR, Article 6(1)(f) GDPR cannot apply. The decision was appealed before the Vilnius Regional Administrative Court (Vilniaus apygardos administracinis teismas). On 27 February 2023, the controller’s appeal was dismissed. The court held that the act of receiving and analysing the data subject’s posts constitutes processing of personal data under Article 4(2) GDPR. Moreover, it pointed out that the processing of personal data is lawful only if it relies on one of the legal basis contained in Article 6(1) GDPR. As for Article 6(1)(f) GDPR, the court found that the controller had not proven that its alleged interest of ensuring
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Valstybinė duomenų apsaugos inspekcija in LT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Valstybinė duomenų apsaugos inspekcija - Lithuania (2024). Retrieved from cookiefines.eu
Last updated: