The National Center for Personal Data Protection (NCPDP), for information and application purposes, reports on the administrative fine of EUR 15,000 imposed on the Vilnius City Municipality Administration by the State Data Protection Inspectorate of the Republic of Lithuania for infringements of the General Data Protection Regulation (GDPR). The fine was imposed for infringements of Articles 5(1)(d) and 5(1)(f) of the GDPR, namely a failure to implement appropriate technical and organisational measures, thereby failing to ensure the accuracy of processed personal data when processing personal data of the parents of an adopted child.
Having carried out an investigation, the State Data Protection Inspectorate of the Republic of Lithuania determined that, when filling in an application for the education of the adopted child in the Centralised Application Submission and Population Information System of the Municipality Administration, the applicant provided his personal data, which were automatically updated monthly. When the personal data were automatically updated, the applicant's contact data were replaced with the contact data (e-mail address) of one of the biological parents of the child available in the Population Register of the Republic of Lithuania.
When processing personal data, the Municipality Administration must follow the principle of accuracy, which provides that the data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (Article 5(1)(d) of the GDPR). It must also follow the principle of integrity and confidentiality, which provides that personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (Article 5(1)(f) of the GDPR).
The NCPDP, as the national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of the legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.