VDAI (Lithuania) - 3R-1040
Lithuanian DPA fines doctor €1,153 for unlawfully accessing 1,200+ patient records.
Summary
Lithuania's Data Protection Authority (DPA) has fined a doctor €1,153 for unlawfully accessing the personal data of over 1,200 patients. The doctor, acting as a controller, accessed patient records to invite them to a new medical institution where they planned to work. The DPA found this to be a violation of GDPR articles related to lawful processing and special categories of data, as the doctor lacked a legal basis for processing the data for personal reasons.
Full text
VDAI - 3R-1040
Latest revision as of 14:49, 16 June 2026 (GDPRhub, edited by Ap)

Authority: VDAI (Lithuania)
Jurisdiction: Lithuania
Relevant Law: Article 4(7) GDPR; Article 5(1)(a) GDPR; Article 6(1) GDPR; Article 9(2) GDPR; Article 32(4) GDPR
Type: Investigation
Outcome: Violation Found
Started: 17.12.2024
Decided: 05.06.2026
Published:
Fine: 1,153 EUR
Parties: n/a
National Case Number/Name: 3R-1040
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Lithuanian
Original Source: VDAI (in LT)
Initial Contributor: ap

The DPA fined a doctor €1,153 for unlawfully accessing the data of over 1,200 patients of a medical centre the doctor worked for. Acting as a controller, the doctor invited the patients to a new medical institution they planned to move to.

English Summary

Facts

Šakiai Primary Health Care Center (the medical centre) is a medical centre.
In 2024, the medical centre reported a data breach to the DPA. The DPA later initiated an ex-officio investigation and found that the data breach affected approximately 1,200 data subjects. In 2025, the DPA initiated an investigation regarding one of the doctors working at the centre (the controller), as it suspected that they had unlawfully processed the personal data of their patients in relation to the data breach. The controller claimed that they accessed data subjects' data in order to inform them that they would no longer be working at the centre, as there were no procedures in place to inform data subjects of such changes. In addition, they stated that they only made a list of the data subjects and did not access their medical files. Finally, the controller stated that they only contacted the data subjects by email. During its investigations, the DPA found that the controller had accessed the system several times and had also contacted data subjects through SMS.

Holding

The DPA first clarified that the doctor was a controller. According to EDPB Guidelines[1], employees that have access to personal data are generally not considered controllers or processors. Instead, they are considered to be acting under the authority of a controller or processor (Article 29 GDPR). However, in exceptional cases an employee can be considered a controller if they process personal data for their own purposes. The DPA found that the controller accessed the data for personal reasons, as they had invited data subjects to continue to visit them. The DPA considered that the medical centre had fulfilled its obligations under Article 32(4) GDPR to implement appropriate organisational and technical measures. The DPA also noted that the doctor did not contact the data subjects under instructions of their employer.

The DPA found a violation of Articles 5(1)(a), 6(1) and 9(2) GDPR, as the controller did not have a legal basis to process the data subjects' personal data.
The DPA stated that the controller could not rely on any legal basis under Article 6(1) GDPR, or on any of the exceptions for processing sensitive personal data under Article 9(2) GDPR. Finally, the DPA stated that the data subjects' right to be informed about healthcare professionals under national law did not include the right to know that the healthcare professional will be working in a different institution.

The DPA fined the controller €1,153. The DPA considered the number of affected data subjects and the fact that health data was processed as aggravating factors.

English Machine Translation of the Decision

The decision below is a machine translation of the Lithuanian original. Please refer to the Lithuanian original for more details.

Extract of an electronic document
STATE DATA PROTECTION INSPECTORATE
DECISION
June 5, 2026 No. 3R-1040 (2.13-1.E)
Vilnius

The State Data Protection Inspectorate (hereinafter referred to as the Inspectorate), having examined in the written procedure the case regarding the imposition of an administrative fine on Reda Naujokaitienė, determines:

1. Circumstances for initiating the inspection by the Inspectorate

On 2024-11-06, the Inspectorate received a notification from the Public Institution Šakiai Primary Personal Health Care Centre (hereinafter referred to as the Institution) about a personal data security breach (Inspection reg. No. 1R-7139 (2.23 K)) (hereinafter referred to as the Notification), and by order No. 1T-105 (1.12 E) of December 17, 2024 the Director of the State Data Protection Inspectorate, on his own initiative, initiated an investigation into the Institution regarding a possible violation of the provisions of the GDPR[1].
The Inspectorate, having conducted an investigation into the Institution on its own initiative, and taking into account the Notification, the information submitted to the Inspectorate regarding the loss of confidentiality of 1,231 personal data subjects of the Institution, and the circumstances established during the investigation conducted by the Inspectorate that doctor Reda Naujokaitienė may have unlawfully processed the personal data of the Institution's patients, decided by order No. 1T-62 (1.12 E) of the Director of the State Data Protection Inspectorate of 7 August 2025 to initiate an investigation into a possible violation of the provisions of the GDPR.

2. Explanations received during the inspection

The inspected person, in his response to the Inspection on 18 November 2025 (Inspection reg. No. 1R-8008 (2.13 Mr)), indicated that he knew that from 08 November 2024 he would no longer work at the Institution, and that there was no procedure in place to inform patients about the healthcare specialist providing healthcare services and their change; therefore, in accordance with Article 5(2) of the PTŽSAĮ[2], which establishes that a patient has the right to receive information about the healthcare specialist providing healthcare services to him (name, surname, position) and information about his professional qualifications, and subparagraph 23.3 of the Rules[3], he logged in once to the information system "Foxus" (hereinafter referred to as the System) on the day before the incapacity for work or the first day of incapacity for work, in order to generate a list of patients and see how many patients in the Institution were assigned to him. They did not review individual patient cards and did not store any data, but only generated a general list of assigned patients. No other connections to

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the GDPR).
[2] Law of the Republic of Lithuania on Patients' Rights and Compensation for Damage to Health (hereinafter referred to