Answers of the State Data Protection Inspectorate to the frequently asked questions concerning the case of CityBee


2021 02 26

Asmens duomenų ir privatumo apsauga nuo mokyklos suolo.png

The State Data Protection Inspectorate (hereinafter referred to as the “Inspectorate”) has prepared answers to the frequently asked questions concerning the case of CityBee


1. Has my personal data been disclosed?

Information on whether your personal data was disclosed after publication of a copy of the database of CityBee (hereinafter referred to as the “database”) may and must be provided to you by  CityBee as the data controller.

The Inspectorate calls not to use any websites containing information that you can verify if you are one of the persons whose personal data has been unlawfully disclosed. Anyone can be the operator of such websites; thus, it may lead to the situation where you inadvertently provide your personal data to the persons who are going to use it unlawfully.

The Inspectorate also calls not to purchase copies of the database in order to satisfy yourself if your personal data is not available in the database. If you have already purchased a copy of such database, please provide it to the Inspectorate by e-mail [email protected] (please use the key word “CityBee” in the line of the topic of the e-mail) and don’t publish and distribute it to other persons. Distribution of a copy of the database containing personal data may be considered as unlawful processing of personal data.


2. What my personal data was available in the published database?

According to the preliminary data provided to the Inspectorate by CityBee, the database containing personal data, i.e. name, surname, e-mail address, personal identification number, address of the place of residence, telephone number, driving licence number  and encrypted password, was published.

According to the preliminary data provided by CityBee to the Inspectorate, the payment card login data was not stored. Copies of the driving licence were also not stored in the published database. The scope of the data indicated during the investigation will be further specified.


3. Do I have to address the Inspectorate for the particular case concerning me?

No. The Inspectorate has initiated an investigation on its own initiative; therefore, it is not necessary to address the Inspectorate for the incident in question. The Inspectorate will publish information on the results of the investigation and the decision taken on the website. Responses to the persons who have already addressed the Inspectorate will be provided together with the afore-mentioned information according to the contact details indicated by them.

In the light of the fact that the Inspectorate has initiated an investigation on its own initiative and following Article 57(4) of the General Data Protection Regulation and paragraph 3 of Article 3 of the Republic of Lithuania Law on Legal Protection of Personal Data, separate complaints lodged by persons will not be examined.


4. How long will the investigation initiated by the Inspectorate last?

Following legal acts, an investigation conducted by a supervisory authority may last up to 4 months with the possibility to extend it to 2 months taking into consideration the circumstances and progress of the investigation (for example, complexity of the circumstances, delay to provide responses etc.).

In case of a breach of personal data of the residents of other EU Member States, the time limits set forth in the legislation of the Republic of Lithuania shall not apply and the investigation may last longer due to coordination of the actions with other involved personal data protection supervision authorities.


5. What should I do to ensure security of my personal data?

We recommend to familiar with the advice prepared by the Inspectorate. The first step (if not taken yet) is to change the passwords in the accounts of other websites or systems, for example, e-mail etc. if the password was the same was the password used for CityBee account or was used together with the same e-mail address with which you registered for CityBee. If possible, we recommend to activate and use two-factor authentication in all websites and systems.

We also recommend to familiarise with the advice prepared by the Lithuanian Police and  information on password creation prepared by the National Cyber Security Centre at the Ministry of National Defence.


6. Do I have the right to compensation and where should I address?

The General Data Protection Regulation grants the right to any person suffering material or non-material damage to receive a compensation for the suffered damage from the data controller. In Lithuania, compensation of sustained damage is regulated by the Civil Code of the Republic of Lithuania.

Please note that the Inspectorate does not deal with the issues concerning compensation of damage to the affected data subjects (customers of CityBee); therefore, it is not necessary to address the Inspectorate for compensation of damage. Such issues are dealt with by the courts under the procedure of civil proceedings.


7. Should I block my payment card or replace it with a new card?

According to the preliminary data provided to the Inspectorate by CityBee, CityBee does not store login data to the payment cards; thus, it is not necessary to block payment cards or replace the payment cards with new payment cards. According to the best practice which should be followed despite the incident, we recommend to more carefully monitor the financial transactions, always carefully evaluate the enquiries generated by means of the electronic signature, Smart-ID etc., i.e. if the enquiries coincide with the security code displayed to you. Besides, if you do not purchase online, please switch off the payment card function.

Please also read the information of the Association of Lithuanian Banks


8. Should I block access to the internet banking?

We do not recommend this. You login to the internet banking using the respective authentication means such as mobile signature, PIN code generator etc and two-factor authentication is used; therefore, it is not appropriate to block access to the internet banking.


9. Should I replace my identity card or password?

We do not recommend this. The numbers of the afore-mentioned identity documents are not available in the published database.


10. Should I replace the driving licence?

We do not recommend this. If you replace your driving licence, only its number and date of expiry would change.

Information on replacement of the driving licence is published in Facebook account of the State Enterprise Regitra.


11. Can anyone take a quick credit or loan using the published data?

As regards this question, we recommend to familiarise with the information of the Bank of Lithuania concerning publication of data and the information of the Association of Lithuanian Banks.


12. What consequences or risks may be faced due to the published data?

It is particularly difficult to foresee and identify such scenarios. The Inspectorate recommends to be alert. Taking into account the fact that the telephone number and e-mail address are available in the published database, if they are used, you can receive more spam to your e-mail address or receive more frequent telephone calls from unknown numbers and abroad. You may receive malware e-mails, someone may attempt to defraud details of login to websites or systems by virtue of social engineering; thus, it is particularly important to act in line with internet “hygiene” practices, not to click on any links directing to some website, not to log in using login data for personal accounts (for example, social media, e-signature services etc.), not to enter any personal information and not to respond to such e-mails.

Please pay attention to the information published by the Association of Lithuanian Banks (ALB) that publication of personal data of CityBee customers “[...]may provoke cases of fraud where assistance or consultancy in relation to protection of data is offered and the provoking persons hide behind the name of competent organisations and authorities. The Association of the Lithuanian Banks ask bank customers to be alert and critically assess all received telephone calls and messages. Banks and other financial institutions or law enforcement authorities do not request to disclose any details of login to their customer personal account over telephone or by e-mail. For more information, please see the information of the Association of Lithuanian Banks.


13. Where should I apply for deletion of CityBee account?

As for deletion of CityBee account, you should address directly to the data controller CityBee.


14. Will applications for deletion of CityBee accounts be deleted?

Applications for deletion of accounts are satisfied. It should be pointed out that deletion of accounts should not be confused with deletion of personal data processed by the data controller. Even if the account is deleted, the personal data related to provision of services must be stored for the period prescribed in the legislation (e.g. billing data) or for other lawful purposes of the data controller. If you have any questions concerning processing of personal data, you should address directly to the data controller CityBee.