Data protection & privacy laws in Lithuania (2026)

EU Regulation 2016/679 (GDPR) is directly applicable and constitutes the backbone of Lithuania's data protection law, enforced since 25 May 2018. It governs lawfulness bases, data-subject rights, controller/processor obligations, and cross-border transfers.

The Law on Legal Protection of Personal Data (No. I-1374, as amended in force from 16 July 2018) fills GDPR derogation spaces: it sets the personal-code (ID number) processing regime, employment-context rules, journalistic/artistic exemptions, public-sector fine procedures, and transposes Directive 2016/680 for law-enforcement contexts.

The State Data Protection Inspectorate (VDAI), an independent body located in Vilnius, is the primary competent supervisory authority. It participates in the EDPB and its subgroups, handles cross-border cooperation, and in 2024 issued 123 orders, 54 reprimands, 52 recommendations, 13 fines, and 7 warnings.

Lithuania exercised the Article 8 GDPR derogation and set the minimum age for consent to information-society services at 14 years (below the GDPR default of 16), meaning children aged 14 and above can consent independently to online data processing.

Employers are prohibited from processing prospective employees' criminal-conviction data unless explicitly required by law for the specific role. Reference checks from a current employer require the candidate's prior consent; checks from former employers require only prior notification to the candidate.

VDAI has maintained active enforcement. The largest penalty to date was a €2,385,276 fine imposed on Vinted UAB in July 2024 for violations of GDPR Articles 5(1)(a), 5(2), 12(1), and 12(4) concerning transparency and accountability. In 2024, VDAI received 273 personal-data-breach notifications affecting over 1.4 million data subjects.