first fine in Lithuania

First GDPR fine issued in Lithuania

A year after GDPR came into force, the Lithuanian Data Protection Authority (VDAI) has issued its first administrative fine. UAB ‘Mister Tango’, a company that provides financial operation services globally, was fined 61,500 EUR in respect of GDPR Articles 5, 32 and 33 relating to improper processing of personal data in instant screen images (screenshots).

Improper processing of personal data

Of the company’s images, 9000 were found to contain personal details and payment session copies of customers of 12 different banks in different countries. It was also found that ‘Mister Tango’ processes an extensive amount of personal data that is not stated in its privacy policy, which violates GDPR Art. 5.

Furthermore, for at least 2 days the list of processed payments showing customers’ data was visible online. Disclosure of personal data is treated as a personal data breach and must be reported within 72 hours (GDPR Art. 33). However, VDAI was not informed about the incident.

Data Protection Authority investigation

Before deciding to impose the fine, the VDAI considered all the factors relative to whether or not ‘Mister Tango’ acted to the best of its abilities in making sure that data processing was transparent, compliant and secure.

VDAI concluded that ‘Mister Tango’ doesn’t have the necessary technical and organisational security measures in place to ensure the required level of safety, including protection against unauthorised processing or disclosure (GDPR Art.32).

The VDAI’s decision has not yet come into force and can be appealed against through the court.

The original source: Įmonės atsakomybės neišvengs – Lietuvoje skirta ženkli bauda už Bendrojo duomenų apsaugos reglamento pažeidimus

More on this topic:

Share on facebook
Share on linkedin
Share on twitter
Share on pinterest
Share on email

Get your compliance organized with proper GDPR tools.
Contact us for a demo and get access to 14-day trial.

Save time and be confident

Latest Posts
The EU-U.S. Data Privacy Framework: A Transatlantic honeymoon for data flows, but for how long?

The EU-U.S. Data Privacy Framework: A Transatlantic honeymoon for data flows, but for how long?

The European Commission concluded that the United States ensures adequate protection for personal data transferred from the EU to U.S....
A Comprehensive Guide to Personal Data Mapping

A Comprehensive Guide to Personal Data Mapping

Introduction Data privacy and security are of utmost concern in the digital era of today, especially when it comes to...
Data Processing Agreement (DPA)

Data Processing Agreement (DPA)

What is a Data Processing Agreement (DPA)? A Data Processing Agreement (DPA) is a legally binding document to be entered...
Direct marketing rules and exceptions under the GDPR

Direct marketing rules and exceptions under the GDPR

Direct marketing includes text messages (SMS) and emails that a customer receives from a product or service provider. But activities...
Transmitting personal data to third countries

Transmitting personal data to third countries

The GDPR has put strict rules in place, when it comes to data transfer to third countries or international organizations. Which...
Records of processing activities in GDPR Article 30

Records of processing activities in GDPR Article 30

What are the records of processing activities (ROPA)? Article 30 of the EU General Data Protection Regulation (GDPR) requires organisations...
10 Great GDPR Software Tools for Compliance in 2023 (Review + Pricing)

10 Great GDPR Software Tools for Compliance in 2023 (Review + Pricing)

In this article, we will introduce you to some useful GDPR software tools which may help you reach GDPR compliance...
Personal Data Breach Reporting Requirements Under the GDPR

Personal Data Breach Reporting Requirements Under the GDPR

What is Data Breach? According to General Data Protection Regulation (GDPR), a personal data breach is a security incident that...
Data Protection Authorities (DPA)

Data Protection Authorities (DPA)

Data Protection Authorities (DPA) Data Protection Authorities (DPA) are independent public authorities that supervise, through investigative and corrective powers, the...
GDPR compliance checklist for controllers

GDPR compliance checklist for controllers

This is a simple GDPR compliance checklist for data controllers that you can use to ensure you have considered most important...