Data & Privacy · Lithuania
Data protection & GDPR compliance in Lithuania (2026)
Lithuania shaded by its data & privacy status
Data protection in Lithuania: comprehensive law, under EU GDPR (Regulation 2016/679) directly applicable, supplemented by the Republic of Lithuania Law on Legal Protection of Personal Data (in force 16 July 2018); supervised by the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija, VDAI).
Lithuania's data protection regime rests on the directly applicable GDPR as the primary instrument, supplemented by the national Law on Legal Protection of Personal Data (2018), which exercises GDPR opening clauses on employment, journalistic freedom, children's consent age, personal codes, and public-sector fines. A separate national act transposes Directive (EU) 2016/680 for law-enforcement data processing. The independent VDAI is the primary supervisory authority, with the Inspector of Journalist Ethics holding concurrent jurisdiction over press-related processing.
GDPR & data protection in Lithuania
In Lithuania, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the State Data Protection Inspectorate (VDAI).
- Framework
- the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
- Supervisory authority
- the State Data Protection Inspectorate (VDAI)
- Applies to
- any organisation processing the personal data of people in Lithuania, wherever the organisation is based
- Maximum fine
- €20 million or 4% of global annual turnover, whichever is higher
- Breach notification
- within 72 hours of becoming aware, to the supervisory authority
- DPO
- required for large-scale monitoring or large-scale special-category processing
The GDPR is bloc-wide; Lithuania supplements it with a national data-protection act and its own supervisory authority.
GDPR in Lithuania: FAQ
Yes. As an EU/EEA member, Lithuania applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the State Data Protection Inspectorate (VDAI).
The State Data Protection Inspectorate (VDAI).
Up to €20 million or 4% of global annual turnover, whichever is higher.
A DPO is required where you carry out large-scale monitoring or process special-category data at scale.
Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.
Key points
EU Regulation 2016/679 (GDPR) is directly applicable and constitutes the backbone of Lithuania's data protection law, enforced since 25 May 2018. It governs lawfulness bases, data-subject rights, controller/processor obligations, and cross-border transfers.
The Law on Legal Protection of Personal Data (No. I-1374, as amended in force from 16 July 2018) fills GDPR derogation spaces: it sets the personal-code (ID number) processing regime, employment-context rules, journalistic/artistic exemptions, public-sector fine procedures, and transposes Directive 2016/680 for law-enforcement contexts.
The State Data Protection Inspectorate (VDAI), an independent body located in Vilnius, is the primary competent supervisory authority. It participates in the EDPB and its subgroups, handles cross-border cooperation, and in 2024 issued 123 orders, 54 reprimands, 52 recommendations, 13 fines, and 7 warnings.
Lithuania exercised the Article 8 GDPR derogation and set the minimum age for consent to information-society services at 14 years (below the GDPR default of 16), meaning children aged 14 and above can consent independently to online data processing.
Employers are prohibited from processing prospective employees' criminal-conviction data unless explicitly required by law for the specific role. Reference checks from a current employer require the candidate's prior consent; checks from former employers require only prior notification to the candidate.
VDAI has maintained active enforcement. The largest penalty to date was a €2,385,276 fine imposed on Vinted UAB in July 2024 for violations of GDPR Articles 5(1)(a), 5(2), 12(1), and 12(4) concerning transparency and accountability. In 2024, VDAI received 273 personal-data-breach notifications affecting over 1.4 million data subjects.
Lithuania - other topics
Data & Privacy in other countries
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →