state data protection inspectorate of the republic of lithuania 18.09.2006, vilnius 1 schengen...
TRANSCRIPT
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius 1
SCHENGEN EVALUATION
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius2
I. Legal Framework
II. Independence, Functions and Powers
III. Organizational Structure
IV. Preventive Activities
V. Rights of Data Subject
VI. Co-operation
VII. Information Technologies
VIII. Awareness
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius3
I. Legal Framework
European Human Rights Convention – ratified in May 1995
Convention ETS No. 108 – ratified in February 2001
Additional Protocol to the Convention ETS No 108 – ratified in December 2003
Schengen Convention – including data protection binding on the basis of the Accession Treaty of the Republic of Lithuania to the EU
Directive 95/46/EC - transposed by the Data Protection Law (thereinafter - DP Law) in 2003
Directive 2002/58/EC – transposed by the Electronic Communications Law in 2004
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius4
I. Legal Framework
Article 22 of the Constitution of the Republic of Lithuania Decision of the Constitutional Court of the Republic of Lithuania in
1999 DP Law Law on Electronic Communications Law on Police Activities Other laws and legal acts Resolutions of the Government Orders of the Director of the State Data Protection Inspectorate
(thereinafter - SDPI)
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius5
I. Legal Framework
Commentary of DP Law prepared and issued by the initiative of Phare Programme Twinning Project
In order to be recruited to the public service of the Republic of Lithuania, the candidates must know DP Law
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius6
I. Legal Framework
Scope of DP Law
If personal data are processed:
by a data controller who is established and operating on the territory of Lithuania DP Law shall apply
by a natural person and only for meeting his purely personal activity, unrelated to business or profession DP Law shall not be applied
for the purposes of State security, defence, DP Law shall apply as far as other laws do not provide otherwise
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius7
I. Legal Framework
By the resolutions of the Government of the Republic
of Lithuania SDPI is designated:
as the institution responsible for the independent supervision of the legitimacy of the processing of personal data in the N - SIS
as national supervisory body for Customs Information System and Europol
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius8
I. Legal Framework
Processing of personal data in police sector are regulated by:
DP Law
Law on Police Activities
Resolutions of the Government
Orders of the Minister of the Interior
Orders of the Police Commissioner General
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius9
II. Independence, Functions and Powers
Supervisory Authority
SDPI supervises and monitors the implementation of DP Law (with the exception for journalistic purposes)
Controls both the private and the public sector
Does not monitor processing of personal data in courts
Shall be accountable to Government
Provides its annual report to Government till 1st February of each year
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius10
II. Independence, Functions and Powers
Major objectives of SDPI shall be:
supervision of the activities of data controllers when processing personal data
monitoring the legality of processing of personal data
prevention of breaches in data processing
ensuring protection of the rights of the data subject
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius11
II. Independence, Functions and Powers
SDPI
Is independent, its rights may be limited only by law
In its activities SDPI shall be guided by the Constitution, international agreements, DP Law and other legal acts
The activities of SDPI are based on the principles of lawfulness, impartiality, openness and professionalism in the discharge of its functions
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius12
II. Independence, Functions and Powers
State and municipal institutions and agencies, members of Seimas and other officials, political parties, political and public organisations, other legal and natural persons
Shall have no right to exert any kind of political, economic, psychological or social pressure on the employees of SDPI or tamper with them in any other way
Liability - Interference with the activities of SDPI shall render the infringing party liable in accordance with law
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius13
II. Independence, Functions
and Powers
SDPI functions established by DP Law are:
to administer Register of Personal Data Controllers, carry out supervision of the activities of the data controllers
examine personal requests and complaints
check the lawfulness of personal data processing
grant authorizations for data transfers to third countries’
announce annual activity reports
provide assistance to data subjects and data controllers
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius14
II. Independence, Functions and Powers
SDPI functions:
to provide information about data protection legislation to other states
to carry out prior checking
to make recommendations to Seimas, Government, state institutions on drafts of legal acts
to assess the data processing regulations submitted by data controllers
to perform other functions set out in DP Law and other legal acts
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius15
II. Independence, Functions
and Powers
SDPI has a right designated by DP Law to:
obtain all necessary information for discharging supervision functions
obtain access, subject to a prior notice in writing, to the premises of the supervised person, or to the territory where the documents and equipment used for the data processing are kept
take part in the sessions of Seimas, meetings of Government and other state institutions when issues relating to the data protection are being deliberated
make recommendations and give instructions to data controllers (to rectify data, to stop processing of data, etc.)
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius16
II. Independence, Functions and Powers
SDPI rights
summon experts/consultants, form work groups for examination of data processing or data protection, as well as for drafting of documents on data protection and for making decisions on other issues within the competence of SDPI
draw up protocols on administrative offences
exchange information with DPAs in other countries and international organizations
take part in legal proceedings involving violations of international and national law on data protection
exercise other rights provided by law and other legal acts
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius17
II. Independence, Functions and Powers
Decisions of SDPI are to:
give instruction to data controller
make recommendation to data controller
draw up protocols on administrative offences
Both data controller and data subject may appeal the decision of SDPI to the administrative court of Vilnius region within 1 month from the day of receipt of the decision
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius18
II. Independence, Functions and Powers
Enforcement
Drawn up protocols are submitted to the court
The fines for the violations are imposed by the court from 30 EUR (100 Lt) to 571 EUR (2000 Lt)
If any person has sustained damage as a result of unlawful processing of personal data or any other acts or omissions by the data controller, the data processor or any other persons shall be entitled to claim compensation for pecuniary and non-pecuniary damage
The extent of damage shall be determined by the court
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius19
II. Independence, Functions and Powers
Enforcement
According to the Penal Code:
unlawful collection of information about private life of individual is punished by public works or fine, or confinement, or arrest, or imprisonment up to two years. The penalty is also for the legal entity
the disclosure and use of such information is punished by public works or fine, or confinement, or arrest, or imprisonment up to three years. The penalty is also for the legal entity
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius20
II. Independence, Functions and Powers
Director of SDPI:
leads SDPI
shall be admitted and dismissed from work in accordance with the procedure laid down in Law on Public Service
shall be recruited by competition
shall be accountable to the Prime Minister
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius21
II. Independence, Functions and Powers
Director of SDPI according to the Regulations of SDPI shall:
represent SDPI
deal with issues within the competence of SDPI, by issuing orders and supervise enforcement of the orders
determine and manage organisational structure of SDPI, approve regulations of SDPI‘s divisions
perform other functions assigned to SDPI by the laws and other legal acts of the Republic of Lithuania
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius22
II. Independence, Functions and Powers
Temporary substitution
In the absence of Director, one of his deputies shall perform the functions of Director
Deputies shall be appointed and dismissed from the office by Director of SDPI in accordance with the procedure laid down in the Law on Public Service
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius23
III. Organizational Structure
The structure of the SDPI Director
Deputy Director Deputy Director
Chief Assistant
Complaints Investigation and International
Cooperation Division
Information and Technologies Division Law Division Prevention Division
Finance, Accounting and Corporate Matters
Division
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius24
III. Organizational Structure
Human Resources, Staff:
• head of the office and 31 civil servants recruited according to the requirements of the Law on Public Service
• 3 persons recruited on contract • divisions built on competencies and functions• functions and responsibilities of the civil servants made in
writing• all civil servants have university education Master’s degree,
head of the office has Ph.D. degree at Vilnius University• yearly every civil servant has training• Phare Programme Twinning Project on strengthening
administrative capacity has been carried out
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius25
III. Organizational Structure
Law Division – Head of Division and 4 Chief Specialists
Main responsibilities of the Division:
• provision of the consultations to data subjects and data controllers
• drafting of legal acts and harmonization of drafts of legal acts
• provision of recommendations to Seimas, Government, other institutions of laws or other legal acts within competence of SDPI]
• according assessment of the personal data processing regulations submitted by data controllers
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius26
III. Organizational Structure
Law Division, loading of the staff (statistical data from January – till 1 September 2006):
• harmonised 88 legal acts and documents of data controllers
• prepared 2 legal acts
• provided 1575 consultations to data subjects and data controllers
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius27
III. Organizational Structure
Prevention Division – Head of the Division and 5 Chief Specialists, 1 Senior Specialist
Main responsibilities of the Division:
• prevention of breaches in data processing
• administration of Register of Personal Data Controllers
• prior checking of data controllers
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius28
III. Organizational Structure
Prevention Division, loading of the staff (statistical data from January – till 1 September 2006):
• carried out 42 planned inspections, provided 29 instructions
• analysed 277 notifications on prior checking, granted 240 authorisations for data controllers
• examined 561 notifications of the processing of personal data
• Register of Personal Data Controllers supplemented by 186 data controllers
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius29
III. Organizational Structure
Complaints Investigation and International Cooperation Division – Head of Division and 5 Chief Specialists
Main responsibilities of Division:
• investigation of personal requests and complaints• investigation of the requests of data controllers to disclose personal
data to data recipients in third countries• provision of the assistance to data subjects residing abroad• provision of the information to other states about the legislation of
the Republic of Lithuania regulating protection of personal data• cooperation with data protection authorities from other countries and
participation data protection activity in an international context
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius30
III. Organizational Structure
Complaints Investigation and International Cooperation Division, loading of the staff (statistical data from January – till 1 September 2006):
• received 102 complaints, handled 84 complaints, drawn up 8 protocols on administrative offence, submitted 15 instructions to data controllers
• prepared 40 enquires and responses to the countries of the Convention ETS No 108
• prepared opinions on 46 documents issued by EC institutions
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius31
III. Organizational Structure
Information and Technologies Division – Head of Division, 5 Chief Specialists and Interpreter
Main responsibilities of Division:
• dealing as IT experts carrying out inspections of SDPI• coordinating of the technical expertise from outside• help to other civil servants of SDPI in creation legal documents and
evaluation IT systems regulations• collection of information about activity of SDPI and provision of it for
public• drawing up and announcement of the Annual Report on SDPI activity
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius32
III. Organizational Structure
Finance, Accounting and Corporate Matters Division – Head of Division and 2 Chief Specialists, 1 Senior Specialist, 1 Administrator
Main responsibilities of Division:
• administration of SDPI human resources• planning of the resources• accounting• procurement
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius33
III. Organizational Structure
Financial Resources
• SDPI is financed 100% from the National Budget of Lithuania• Allocation of the financial resources to SDPI made by the Law on the
Budget Structure by the individual line in the same way as for Seimas and other state institutions (Office of the President, State Audit Office, ministries and other)
• Law on the Budget Structure is considered by Seimas each year and any changes might be made only by Seimas in the same way as other laws
• Request for financial resources calculated according to the programs and functions of SDPI should be presented to Seimas following the order settled in the Strategic Planning Methodology approved by Government
• If additional means are needed the allocations might be changed after first six month of the year according to SDPI request
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius34
III. Organizational Structure
Financial Resources
Structure of SDPI budget:
• means for remuneration
• means for purchasing of property (tangible and intangible assets)
• means for purchasing of goods and services
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius35
III. Organizational Structure
IT Resources
IT resources of SDPI:
• personal computers
• standard software
• information systems:
- Register of Personal Data Controllers
- “Pagalba” – for help of data subjects
- other information systems for help of civil servants of SDPI
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius36
IV. Preventive Activities
Preventive inspections are planned and carried out
• in order to prevent violations of the privacy protection and personal data processing
• in accordance with procedures which have been determined by the legal acts
• according to approved yearly plan
• by the correspondence, on-site or in the mixed way
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius37
IV. Preventive Activities
Preventive inspections
carried out by assigned responsible SDPI specialist
information about previous inspections of data controller and all other necessary information is gathered
date and time of inspection is announced to the data controller
meeting with data controller, interviewing individuals involved in data processing, collecting related to the inspection information from data controller
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius38
IV. Preventive Activities
Preventive inspections
preparation of inspection report
depending on findings of the inspection may be taken following decisions:
- finish inspection
- prepare recommendation or
- prepare obligatory instruction
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius39
IV. Preventive Activities
Preventive inspections
data controller shall be informed about the inspection results
follow up of the obligatory instructions
if obligatory instructions are not obeyed protocol on administrative offences may be drawn up
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius40
IV. Preventive Activities
Prior Checking shall be carried out in the following cases:
where the data controller intends to process special categories of personal data by automated means (except cases provided by DP Law)
where the data controller intends to process by automated means public data files
where the data controller of the information systems of state registers or state and municipal institutions authorises the data processor to process personal data
other cases provided by DP Law
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius41
IV. Preventive Activities
Prior Checking
Procedures of prior checking are determined by the legal acts
Notification forms are published on SDPI web page www.ada.lt/images/cms/File/Teises%20aktai/6.pdf
Information about granted or refusal to grant authorisations is published in SDPI web page www.ada.lt/leidimai
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius42
IV. Preventive Activities
Dinamics of Prior Checkings and Preventive Inspections
136
356277234
365
63
18
42
0
100
200
300
400
500
600
2003 (from 1 July) 2004 2005 2006 (till 1 September)
Prior checkings Preventive inspections
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius43
IV. Preventive Activities
Registration of data controllers
personal data by automated means may be processed only after notification to SDPI
procedures of notification are determined by the legal acts
notification form is published on SDPI web page www.ada.lt/images/cms/File/Teises%20aktai/4.pdf
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius44
IV. Preventive Activities
Number of registered data controllers
1269
1694
21072349 2440
2588
0
500
1000
1500
2000
2500
3000
2001 2002 2003 2004 2005 2006 (till 1September)
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius45
V. Rights of Data Subject
Right to be Informed
Data controller must provide to data subject the
following information:
• the identity of data controller and his representative
• the purposes of the processing
• any other additional information
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius46
V. Rights of Data Subject
Right of Access
• Data subject shall be entitled to obtain information on the source and type of personal data, the purposes and recipients
• Data controller must make a reply within 30 calendar days, on request such information must be provided to the data subject in writing
• Once a calendar year the information is provided to the data
subject free of charge
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius47
V. Rights of Data Subject
Right to Rectify
• Data controller must check the personal data without delay
• Data subject’s request to rectify or destroy the personal data
• Data controller must notify data subject on performed or not performed rectification, destruction
• Data controller must inform data recipients about rectified or destroyed personal data
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius48
V. Rights of Data Subject
Right to Object
• Data subject shall have the right to object (in writing, orally or in any other form)
• Data controller must:a) immediately and free of charge restrict processing of personal datab) duly notify the data recipients
• Data controller must notify the data subject about the cessation of the processing of personal data at the request of the data subject
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius49
V. Rights of Data Subject
Exceptions
In cases provided by laws and when it is necessary to ensure:
state security or defense public order, prevention, investigation, detection and
prosecution of criminal offences important economic or financial interests of the state prevention, investigation and detection of breaches of official or
professional ethics protection of the rights and freedoms of the data subject or any
other persons
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius50
V. Rights of Data Subject
Exercise of Rights
• Data controller must give a reasoned refusal to grant request of data subject to exercise the rights granted by DP Law
• Data controller must send a reply to data subject within 30 calendar days of the date of the data subject’s application
• Data subject may appeal act/omissions of data controller to SDPI:
1) within 3 months of the receipt of the reply from data controller or 2) within 3 months of the date when 30 calendar days for giving a
reply expire
SDPI decisions can be appealed to court
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius51
V. Rights of Data Subject
According to Article 23 of DP Law SDPI shall assist the data subject in exercising his right of access to his personal data after he applies to SDPI and produces his identity document
Personal data or information are collected only from registered data controllers (except classified information under Law on State and Official Secrets)
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius52
V. Rights of Data Subject
Exercise of Rights
Every individual, either personally or through his representative, can lodge a complaint when he feels that his privacy rights are being breached
Complaints may be lodged by local citizens and by foreign individuals whose data are being processed in Lithuania
Complaints are usually lodged in Lithuanian, Russian or in English but other languages may be considered
No fees are charged for the complaint
A recommendable complaint form is available on the website (www.ada.lt) or at SDPI in Lithuanian and English languages
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius53
V. Rights of Data Subject
Procedure of Complaint Investigation
Procedure of complaints investigation is regulated by Law on Public Administration and approved written Rules for Performing of Inspections
Grounds for starting an administrative procedure are:
- written application by individual - facts disclosed in the in-service report of the civil servant - information presented in the media - other cases of infringement
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius54
V. Rights of Data Subject
Investigation Procedure
• Notification of applicant about the acceptance of complaint
• Examination of relevant legal basis and previous inspections
• If necessary requesting additional information from applicant
• Sending written inquiry to data controller
• Or performing on-site inspection
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius55
V. Rights of Data Subject
What happens following the inspection:
• formalization results of on-site inspection in the report
• depending on findings of the inspection decisions can be:
- to give instruction to data controller - to make recommendation to data controller - to draw up protocol on administrative offences
Applicant is informed on the results of the investigation
Inspected person is informed in writing on the results of the inspection when there are no violations established
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius56
V. Rights of Data Subject
• Data controller and data subject may appeal the decision of SDPI to the administrative court of Vilnius region within 1 month from the day of receipt of the decision
Investigation of a complaint may not last longer than 30 days, in special cases the consent of applicant is requested for extension of investigation term
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius57
V. Rights of Data Subject
0
20
40
60
80
100
120
Qua
ntity
in n
umbe
rs
2003 2004 2005 till September 1, 2006
Investigation of Personal Complaints
Received Complaints Draw n up Protocols on Administrative Offences
The court acknow ledged the breaches of the Law Given Instructions to Data Controllers
The breaches excluded during the time of investigation The breaches did not found
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius58
V. Rights of Data Subject
Nature of Complaints till September 1, 2006
17%
3%
8%
13%
10%2%
47%
Due to direct marketing Due to debtors'dataDue to sensitive data Due to excessive dataDue to processing of data in service sector Due to keeping of dataOther cases
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius59
V. Rights of Data Subject
0
10
20
30
40
50
Qua
ntity
in n
umbe
rs
2003 2004 2005 till September 1, 2006
Dynamics of the Nature of Complaints
Due to direct marketing Due to debtors'dataDue to sensitive data Due to excessive dataDue to processing of data in service sector Due to keeping of dataOther cases
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius60
VI. Co-operation
International co-operation
SDPI takes part in:
Article 29 Working Party and its subgroups European Council Working Party on Data Protection Convention ETS No 108 Consultative Committee and Bureau Europol, Schengen and Customs JSAs International Working Party on Data Protection in
Telecommunications other international conferences, workshops, meetings cooperation with EU data protection authorities
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius61
VI. Co-operation
Schengen National Coordination Commission was set up withparticipants from:
Ministry of the Interior Ministry of Foreign Affairs Ministry of Transport and Communications Ministry of Finance Office of the Government Migration Department Customs Department Police Department Representative from SDPI is member of this Commission
Regular meetings of this Commission are organised and heldamongst all participants
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius62
VI. Co-operation
Harmonization with Police:
the position of the Republic of Lithuania concerning EU legal instruments
national legal acts regulating processing of personal data in institutional registers, information systems, or in the cases provided for by law – in state registers in police sector
participation of SDPI specialists in the Phare project on SIS in Police Department
Preparation of materials concerning Schengen by Phare Twinning project
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius63
VI. Co-operation
Events
In order to check how personal data are processed during the process of issuing visas, in cooperation with Ministry of Foreign Affairs (MFA), SDPI carried out visits to 2 consulates of the Republic of Lithuania in June 2006:
Consulate General of the Republic of Lithuania in Kaliningrad (Russian Federation)
Embassy of the Republic of Lithuania to Ukraine
Report of visits with conclusions and recommendations was submitted to MFA
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius64
VI. Co-operation
Events
SDPI specialists made visits to Migration Department under the Ministry of the Interior in order to check functioning of Register of Foreigners, got acquainted with the documentation of preparatory works for N-SIS, N-VIS
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius65
VI. Co-operation
Events
In June 2006 SDPI organized seminar for law enforcement institutions, including national SIRENE unit, representatives from Ministry of Foreign Affairs, Ministry of the Interior on data protection requirements according to Schengen Convention
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius66
VI. Co-operation
Events
In October 2004 SDPI together with Europol JSB organized seminar for law enforcement institutions
“The Supervision of Data Processing according Europol Convention” in Vilnius
Seminar was attended by representatives from:• Ministry of the Interior• Police Department• State Security Department• Customs Department• Financial Crime Investigation Service• Prosecutor’s Office• Parliamentary Committee of National Security and Defense
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius67
VII. Information Technologies
IT system functionality:
• dissemination information to the public• effective communications within the office• access to most current legislation • provide good quality internet services• ensure functioning of Register of Personal Data Controllers • ensure proper feedback with data controllers and data
subjects• office automation
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius68
VII. Information Technologies
IT system content:
• Register of Personal Data Controllers• website http://www.ada.lt/• office automation system• Intranet system• legislation data base system (updates once per 24 h.)• Internet services with connection 2 Mbps• “Pagalba” – IT system help for data subject will be ready for
using in the end of 2006
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius69
VII. Information Technologies
“Pagalba” – help for data subject to exercise his/her
right to become acquainted with processing of
his/her personal data:
• IT system implemented in web technology • possibility of online requests from data subjects• secure connection of data controllers for providing requested
information• answers to data subjects can be sent by e. mail or given
directly (providing password for online connection)
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius70
VII. Information Technologies
Scope of IT expertise:
• to deal as IT experts carrying out planned inspections or for complaints investigations
• coordinate the technical expertise from outside when dealing with complicated cases
• help Law Division in creation legal documents and evaluation IT systems regulations
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius71
VII. Information Technologies
Preparation to Schengen:
• investigations of existing national Visa IT system on sites (central office in the Ministry of Foreign Affairs, consular departments in Kaliningrad and Kiev)
• studies of Schengen (N-SIS) and Visa national IT systems (N-VIS) project documentation and meetings with project leaders
• studies of designed changes for existing IT systems communicated with N-SIS and SIS II
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius72
VIII. Awareness
Measures
• Website www.ada.lt
• Press releases, press conferences:- 15 press releases (2005)- 1 press conference (2005)- 29 comments for press (2005)
• Participating on TV and radio broadcasting (9 in 2005)
• Conferences, seminars, meetings
• Leaflets (12), recommendations (15 in 2005)
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius73
VIII. Awareness
Measures
• Data protection day once a year
• Survey on the awareness of the data subjects about personal data protection and quality of activities of SDPI
• Training for government institutions (material prepared during Phare Programme Twinning Project)
• Film “Right to know”
• Poster in public places (one time action)
• Schoolchildren competition in writing essay about personal data protection (one time action, 2004)
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius74
VIII. Awareness
Website:
• main communication tool• information for public:
- legal acts- recommendations, complaint and registration forms - useful information about data protection - most important events (news)- annual reports of activities
• consultations, newsletter• full information in Lithuanian, part in English• updated and managed on regular basis
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius75
VIII. Awareness
Conferences, seminars, meetings:
• seminars for public and private entities, including:- schools - municipalities- health sector - judges - law enforcement institutions
• meetings with data controllers, processors (public, private sectors) and data subjects
• International conference “E-commerce and Data Protection” in Vilnius in 2005
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius76
VIII. Awareness
Future activities:
• selection of the professional partner in the advertising/public relations• creation long-term strategy for public awareness• organization of public awareness campaigns• creation of logo• improvement of online communications• increasing of human resources
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius77
Awareness Survey carried out in July, 2006 by market and opinion research
center ,,Vilmorus’’. Over 1000 inhabitants beyond 18 years of age participated in the poll
Interest of data protection43 % take interest how personal data are processed and stored37 % care about what personal data are processed 25 % care who processes personal data
Awereness of personal data security80 % insufficiently informed19 % informed on an average1 % well informed
Awareness of person’s rights in this field74 % have no knowledge of person’s rights regulated by laws23 % know, but never exercised them3 % know and exercised
STATE DATA PROTECTIONINSPECTORATE OF THE REPUBLIC OF
LITHUANIA
18.09.2006, Vilnius78
Awareness
Awareness of Inspectorate activities26 % know that it is responsible for personal data protection74 % do not know
Sources of information54 % from TV46 % from press23 % from other persons15 % from legal acts15 % from the radio broadcasting13 % from Internet
Evaluation of Inspectorate activities71 % satisfactory16 % good13 % poor