29-01-2025

A fine imposed on the Employment Service

The State Data Protection Inspectorate (hereinafter referred to as the “SDPI”) has imposed a fine of EUR 9,000 on the Employment Service under the Ministry of Social Security and Labour of the Republic of Lithuania for breaches of personal data security.

The SDPI launched an investigation in July 2024 after receiving a report from the Employment Service regarding a personal data security breach, during which the personal data of 29,636 data subjects was unlawfully disclosed. The Employment Service reported that the breach occurred due to human error by an employee, who mistakenly attached an Excel document containing clients' personal data to an email. The email was sent to 292 clients of the Employment Service.

The investigation by the SDPI found that the technical and organisational data protection measures put in place at the Employment Service were inadequate: thorough risk assessments had not been conducted and data loss prevention measures for document handling had not been tested; the employee who sent the Excel document was not included in the group of employees who had tested the data classification function; and the employee involved had received inadequate training on data security protocols.

Considering the findings of the inspection and the applicable legal framework, the SDPI concluded that the Employment Service, as the data controller, had failed to ensure the confidentiality of processed personal data by disclosing a large volume of personal data, including health data, relating to a large number of its clients. By failing to implement appropriate organisational and technical security measures to prevent the loss of confidentiality, the Employment Service, through its actions (or inaction), violated the requirements of Articles 24(1) and 32(1)(b) and (d) of the GDPR and the principle of confidentiality laid down in Article 5(1)(f) of the GDPR. A fine has been imposed for these violations.

The decision to impose a fine may be appealed to the Regional Administrative Court in accordance with the procedure established by the Law on Administrative Proceedings of the Republic of Lithuania within one month from the date of its notification.