VšĮ Biržų ligoninė – €6,000 Fine (Lithuania, 2026)

In April 2025, the DPA carried out an ex-officio investigation regarding the video surveillance activities of a hospital (the controller). In its investigations, the DPA found that the controller had placed video surveillance cameras in several areas, including outdoor areas, entrances, common areas and operating rooms. All indoor cameras recorded both video and audio, and the controller placed signs informing data subjects of the surveillance activities. The controller argued that its surveillance activities were lawful under legitimate interest (Article 6(1)(f) GDPR). The DPA first found a violation of Articles 5(1)(a) and 6(1) GDPR, as the hospital did not have a valid legal basis for the video surveillance activities. The DPA noted that the controller had only relied on legitimate interests to process the data. The DPA therefore assessed whether the cumulative requirements under Article 6(1)(f) GDPR were met; whether the controller has a legitimate interest, whether the processing is necessary for the purpose, and whether data subjects’ rights and freedoms override the controller’s legitimate interests. The DPA acknowledged that the controller’s aims of ensuring a safe environment for patients in general and ensuring efficiency in the operating rooms were legitimate aims. In addition, the surveillance activities were necessary to ensure a safe environment, and the data subjects’ rights and freedoms did not override the controller’s legitimate interest. This, however, was not the case for all the cameras; the DPA made a distinction between the surveillance of outdoors or common areas (such as corridors), and operating rooms or staff areas. According to the DPA, the surveillance of operating and staff rooms did not meet the requirements of necessity or overriding interests. For example, the controller could efficiently organise its operating rooms with less restrictive means, and it had not provided evidence that video surveillance was the only necessary mean