Lithuanian National Public Health Centre for the Ministry of Health – CJEU Judgment (Lithuania, 2023)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
On 24 March 2020, the Lithuanian Minister of Health approved the development and implementation of an IT system for the purposes of recording and monitoring the data of persons exposed to the COVID-19 Virus, for epidemiological monitoring purposes. On 27 March 2020, a representative of the Lithuanian National Public Health Centre for the Ministry of Health (‘CNSP’) informed the IT company ‘IT sprendimai sėkmei’ (‘ITSS’) that the CNSP had selected it to create a mobile application for the above purpose. Once the mobile application was created, a privacy policy was developed in which the CNSP and ITSS were designated as joint-controllers. The application was available for download and functional between early April and the end of May 2020, during which it was used by 3802 persons. The application collected the following personal data from data subjects: their national identity number, geographical location, residential address, name and telephone number. On 10 April 2020, the Minister of Health entrusted the Director of the CNSP with the task of organising the acquisition of the mobile application in question from ITSS. Consideration was given to ITSS for the acquisition under domestic law, but no public contract for the formal acquisition of the application was concluded between the CNSP and ITSS. On 18 May 2020, the Lithuanian DPA opened an investigation into the mobile application and the data collected by it. By letter of 4 June 2020, the CNSP informed ITSS that due to lack of funding for the acquisition, the procurement process was terminated. On 24 February 2021, the Lithuanian DPA issued a decision which found that the application violated Articles 5, 13, 32 and 35 GDPR. As a result, the DPA imposed an administrative fine of €12,000 on the CNSP and €3,000 on ITSS as joint-controller, under Article 83 GDPR. The CNSP challenged the decision before the Vilnius Regional Administrative Court, arguing that ITSS must be regarded as the sole controller for the pur
GDPR Articles Cited
On 24 March 2020, the Lithuanian Minister of Health approved the development and implementation of an IT system for the purposes of recording and monitoring the data of persons exposed to the COVID-19 Virus, for epidemiological monitoring purposes. On 27 March 2020, a representative of the Lithuanian National Public Health Centre for the Ministry of Health (‘CNSP’) informed the IT company ‘IT sprendimai sėkmei’ (‘ITSS’) that the CNSP had selected it to create a mobile application for the above purpose. Once the mobile application was created, a privacy policy was developed in which the CNSP and ITSS were designated as joint-controllers. The application was available for download and functional between early April and the end of May 2020, during which it was used by 3802 persons. The application collected the following personal data from data subjects: their national identity number, geographical location, residential address, name and telephone number. On 10 April 2020, the Minister of Health entrusted the Director of the CNSP with the task of organising the acquisition of the mobile application in question from ITSS. Consideration was given to ITSS for the acquisition under domestic law, but no public contract for the formal acquisition of the application was concluded between the CNSP and ITSS. On 18 May 2020, the Lithuanian DPA opened an investigation into the mobile application and the data collected by it. By letter of 4 June 2020, the CNSP informed ITSS that due to lack of funding for the acquisition, the procurement process was terminated. On 24 February 2021, the Lithuanian DPA issued a decision which found that the application violated Articles 5, 13, 32 and 35 GDPR. As a result, the DPA imposed an administrative fine of €12,000 on the CNSP and €3,000 on ITSS as joint-controller, under Article 83 GDPR. The CNSP challenged the decision before the Vilnius Regional Administrative Court, arguing that ITSS must be regarded as the sole controller for the pur
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Related Cases (0)
No other cases found for Lithuanian National Public Health Centre for the Ministry of Health in LT
This is the only recorded case for this entity in this jurisdiction.
Details
Judgment Date
5 December 2023
Authority
Court of Justice of the European Union
GDPRhub ID
gdprhub-cjeu-4511About this data
Cite as: Cookie Fines. Lithuanian National Public Health Centre for the Ministry of Health - Lithuania (2023). Retrieved from cookiefines.eu
Last updated: