Skip to content
World Watch/Lithuania/Data & Privacy

Data & Privacy · Lithuania

Data protection & GDPR compliance in Lithuania (2026)

Comprehensive lawEU GDPR (Regulation 2016/679) directly applicable, supplemented by the Republic of Lithuania Law on Legal Protection of Personal Data (in force 16 July 2018); supervised by the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija, VDAI)Country index 93 · A+

Lithuania shaded by its data & privacy status

Data protection in Lithuania: comprehensive law, under EU GDPR (Regulation 2016/679) directly applicable, supplemented by the Republic of Lithuania Law on Legal Protection of Personal Data (in force 16 July 2018); supervised by the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija, VDAI).

Lithuania's data protection regime rests on the directly applicable GDPR as the primary instrument, supplemented by the national Law on Legal Protection of Personal Data (2018), which exercises GDPR opening clauses on employment, journalistic freedom, children's consent age, personal codes, and public-sector fines. A separate national act transposes Directive (EU) 2016/680 for law-enforcement data processing. The independent VDAI is the primary supervisory authority, with the Inspector of Journalist Ethics holding concurrent jurisdiction over press-related processing.

GDPR & data protection in Lithuania

In Lithuania, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the State Data Protection Inspectorate (VDAI).

Framework
the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
Supervisory authority
the State Data Protection Inspectorate (VDAI)
Applies to
any organisation processing the personal data of people in Lithuania, wherever the organisation is based
Maximum fine
€20 million or 4% of global annual turnover, whichever is higher
Breach notification
within 72 hours of becoming aware, to the supervisory authority
DPO
required for large-scale monitoring or large-scale special-category processing

The GDPR is bloc-wide; Lithuania supplements it with a national data-protection act and its own supervisory authority.

GDPR in Lithuania: FAQ

Does the GDPR apply in Lithuania?

Yes. As an EU/EEA member, Lithuania applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the State Data Protection Inspectorate (VDAI).

Who enforces data protection law in Lithuania?

The State Data Protection Inspectorate (VDAI).

What are the GDPR fines in Lithuania?

Up to €20 million or 4% of global annual turnover, whichever is higher.

Do you need a Data Protection Officer in Lithuania?

A DPO is required where you carry out large-scale monitoring or process special-category data at scale.

How quickly must a data breach be reported in Lithuania?

Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.

Key points

Primary legal basis

EU Regulation 2016/679 (GDPR) is directly applicable and constitutes the backbone of Lithuania's data protection law, enforced since 25 May 2018. It governs lawfulness bases, data-subject rights, controller/processor obligations, and cross-border transfers.

National implementing law

The Law on Legal Protection of Personal Data (No. I-1374, as amended in force from 16 July 2018) fills GDPR derogation spaces: it sets the personal-code (ID number) processing regime, employment-context rules, journalistic/artistic exemptions, public-sector fine procedures, and transposes Directive 2016/680 for law-enforcement contexts.

Supervisory authority

The State Data Protection Inspectorate (VDAI), an independent body located in Vilnius, is the primary competent supervisory authority. It participates in the EDPB and its subgroups, handles cross-border cooperation, and in 2024 issued 123 orders, 54 reprimands, 52 recommendations, 13 fines, and 7 warnings.

Children's consent age

Lithuania exercised the Article 8 GDPR derogation and set the minimum age for consent to information-society services at 14 years (below the GDPR default of 16), meaning children aged 14 and above can consent independently to online data processing.

Employment derogations

Employers are prohibited from processing prospective employees' criminal-conviction data unless explicitly required by law for the specific role. Reference checks from a current employer require the candidate's prior consent; checks from former employers require only prior notification to the candidate.

Enforcement record

VDAI has maintained active enforcement. The largest penalty to date was a €2,385,276 fine imposed on Vinted UAB in July 2024 for violations of GDPR Articles 5(1)(a), 5(2), 12(1), and 12(4) concerning transparency and accountability. In 2024, VDAI received 273 personal-data-breach notifications affecting over 1.4 million data subjects.

Lithuania - other topics

Data & Privacy in other countries

Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →