[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fA_zAFky6QkFsKVa7505ld291Ou6aQaVRC4pyj7U20yE":3},{"article":4,"iocs":45},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":24,"category":25,"article_tags":28},"b2d1b71c-3b89-493a-ac95-e6f86a651d8e","VDAI (Lithuania) - 3R-1040","vdai-lithuania-3r-1040-bd9fef","Created page with \"{{DPAdecisionBOX |Jurisdiction=Lithuania |DPA-BG-Color= |DPAlogo= |DPA_Abbrevation=VDAI |DPA_With_Country=VDAI (Lithuania) |Case_Number_Name=3R-1040 |ECLI= |Original_Source_Name_1=VDAI |Original_Source_Link_1=https:\u002F\u002Fvdai.lrv.lt\u002Fpublic\u002Fcanonical\u002F1780997432\u002F1430\u002F2026-06-05%20sprendimas%20Nr.%203R-1040%20(2.13-1.E).pdf |Original_Source_Language_1=Lithuanian |Original_Source_Language__Code_1=LT |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2...\" Show changes","The Lithuanian Data Protection Authority (VDAI) has fined a doctor €1,153 for unlawfully accessing the personal data of over 1,200 patients. The doctor used the data to invite patients to a new medical institution where they would be working. 
The VDAI determined the doctor acted as a controller and violated GDPR articles related to lawful processing and the processing of sensitive personal data, as they lacked a legal basis for accessing and using the patient information for personal reasons.","Lithuanian DPA fines doctor €1,153 for unlawfully accessing patient data.","VDAI (Lithuania) - 3R-1040: Difference between revisions From GDPRhub Revision as of 09:24, 12 June 2026 by Ap VDAI - 3R-1040 Authority: VDAI (Lithuania) Jurisdiction: Lithuania Relevant Law: Article 4(7) GDPR; Article 5(1)(a) GDPR; Article 6(1) GDPR; Article 9(2) GDPR; Article 32(4) GDPR Type: Investigation Outcome: Violation Found Started: 17.12.2024 Decided: 05.06.2026 Published: Fine: 1,153 EUR Parties: n\u002Fa National Case Number\u002FName: 3R-1040 European Case Law Identifier: n\u002Fa Appeal: Unknown Original Language(s): Lithuanian Original Source: VDAI (in LT) Initial Contributor: ap The DPA fined a doctor €1,153 for unlawfully accessing the data of over 1,200 patients in order to invite them to the new medical institution where they would be working. The DPA found that the doctor acted as a controller. Contents: English Summary (Facts, Holding); Comment; Further Resources; English Machine Translation of the Decision. English Summary Facts Šakiai Primary Health Care Center (the medical centre) is a healthcare provider in Lithuania. In 2024, the medical centre reported a data breach to the DPA. The DPA later initiated an ex-officio investigation and found that the data breach affected approximately 1,200 data subjects. 
In 2025, the DPA initiated an investigation regarding one of the doctors working at the centre (the controller), as it suspected that they had unlawfully processed the personal data of their patients in relation to the data breach. The controller claimed that they accessed data subjects’ data in order to inform them that they would no longer be working at the centre, as there were no procedures in place to inform data subjects of such changes. In addition, they stated that they only made a list of the data subjects and did not access their medical files. Finally, the controller stated that they only contacted the data subjects by email. During its investigation, the DPA found that the controller had accessed the system several times, and had also contacted data subjects through SMS. Holding The DPA first clarified that the doctor was a controller. According to EDPB Guidelines, employees that have access to personal data are generally not considered controllers or processors. Instead, they are considered to be acting under the authority of a controller or processor (Article 29 GDPR). However, in exceptional cases an employee can be considered a controller if they process personal data for their own purposes. The DPA found that the controller accessed the data for personal reasons, as they had invited data subjects to continue to visit them. The DPA considered that the medical centre had fulfilled its obligations under Article 32(4) GDPR to implement appropriate organisational and technical measures. The DPA also noted that the doctor did not contact the data subjects under instructions of their employer. The DPA found a violation of Articles 5(1)(a), 6(1) and 9(2) GDPR, as the controller did not have a legal basis to process the data subjects’ personal data. The DPA stated that the controller could not rely on any legal basis under Article 6(1) GDPR, or on any of the exceptions for processing sensitive personal data under Article 9(2) GDPR. 
Finally, the DPA stated that the data subjects’ right to be informed about healthcare professionals under national law did not include the right to know that the healthcare professional would be working in a different institution. The DPA fined the controller €1,153. The DPA considered the number of affected data subjects and the fact that health data was processed as aggravating factors. Comment Further Resources English Machine Translation of the Decision The decision below is a machine translation of the Lithuanian original. Please refer to the Lithuanian original for more details. Extract of an electronic document STATE DATA PROTECTION INSPECTORATE DECISION June 5, 2026 No. 3R-1040 (2.13-1.E) Vilnius The State Data Protection Inspectorate (hereinafter referred to as the Inspectorate), having examined in the written procedure the case regarding the imposition of an administrative fine on Reda Naujokaitienė, determines: 1. Circumstances for initiating the inspection by the Inspectorate On 2024-11-06, the Inspectorate received a notification from the Public Institution Šakiai Primary Personal Health Care Centre (hereinafter referred to as the Institution) about a personal data security breach (Inspectorate reg. No. 1R-7139 (2.23 K)) (hereinafter referred to as the Notification), and by order No. 1T-105 (1.12 E) of the Director of the State Data Protection Inspectorate of 17 December 2024 an investigation into the Institution regarding a possible violation of the provisions of the GDPR[1] was initiated on the Inspectorate's own initiative. 
The Inspectorate, having conducted an investigation into the Institution on its own initiative, and taking into account the Notification, the information submitted to the Inspectorate regarding the loss of confidentiality of the personal data of 1,231 data subjects of the Institution, and the circumstances established during that investigation indicating that doctor Reda Naujokaitienė may have unlawfully processed the personal data of the Institution's patients, decided by order No. 1T-62 (1.12 E) of the Director of the State Data Protection Inspectorate of 7 August 2025 to initiate an investigation into a possible violation of the provisions of the GDPR. 2. Explanations received during the inspection The inspected person, in her response to the Inspectorate of 18 November 2025 (Inspectorate reg. No. 1R-8008 (2.13 Mr)), indicated that she knew that from 08 November 2024 she would no longer work at the Institution, and that there was no procedure in place to inform patients about the healthcare specialist providing healthcare services to them and about a change of that specialist; therefore, in accordance with Article 5(2) of the PTŽSAĮ[2], which establishes that a patient has the right to receive information about the healthcare specialist providing healthcare services to him (name, surname, position) and information about his professional qualifications, and with subparagraph 23.3 of the Rules[3], she logged in once to the information system \"Foxus\" (hereinafter referred to as the System) on the day before her incapacity for work or on the first day of incapacity for work, in order to generate a list of patients and see how many patients in the Institution were assigned to her. She did not review individual patient cards and did not store any data, but only generated a general list of assigned patients. 
There were, and could not have been, any other connections to the System during the period from 2024-10-23 to 2024-10-27. Footnotes: [1] Regulation (EU) 2016\u002F679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\u002F46\u002FEC (General Data Protection Regulation) (hereinafter referred to as the GDPR). [2] Law of the Republic of Lithuania on Patients' Rights and Compensation for Damage to Health (hereinafter referred to as the PTŽSAĮ). [3] Personal Data Processing Rules No. 1, approved by Order No. V-62 of the Director of the Public Institution Šakiai Primary Personal Health Care Centre of 1 July 2024 (hereinafter referred to as the Rules). She connected to the System and generated a general list of patients exclusively for the purpose of ensuring patients' rights and communicating with patients. When connecting to the System, she used her personally assigned login name and password. She had not received a ban from her employer on","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=VDAI_(Lithuania)_-_3R-1040&diff=51865&oldid=0",null,"2026-06-12T09:24:19+00:00","2026-06-12T10:00:11.293325+00:00",7,[18,21],{"name":19,"type":20},"VDAI","vendor",{"name":22,"type":23},"GDPR","product","c5c77cdb-f7d7-4990-9436-c81dcbff1163",{"id":24,"icon":13,"name":26,"slug":27},"Policy","policy",[29,34,38,40],{"category":30},{"id":31,"icon":13,"name":32,"slug":33},"2e06f76c-d5b9-4f54-9eef-4d3447b10730","Breaches","breaches",{"category":35},{"id":36,"icon":13,"name":22,"slug":37},"3f0f8451-91df-4b6c-9a73-ef3b2509b7f1","gdpr",{"category":39},{"id":24,"icon":13,"name":26,"slug":27},{"category":41},{"id":42,"icon":13,"name":43,"slug":44},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]