Biržai Hospital fined for improper processing of personal data
The State Data Protection Inspectorate (hereinafter the SDPI), after conducting an investigation on the basis of a report by UAB Šiaurės Rytai regarding the video surveillance carried out on the premises of the Public Institution Biržai Hospital (hereinafter the Hospital), has imposed an administrative fine of EUR 6,000 on the Hospital for processing personal data in violation of the provisions of the General Data Protection Regulation (GDPR).
The SDPI found that the video surveillance in the Hospital and the processing of personal data violated the principles set out in Article 5(1)(a), (e) and (f) of the GDPR (lawfulness, storage limitation, and integrity and confidentiality) and the provisions of Article 6(1) and Article 9(2) of the GDPR, and that there was a lack of cooperation with the SDPI in the form of a failure to provide requested information relevant to the investigation.
On the lawfulness of the video surveillance
During the investigation, the Hospital stated that it carries out video surveillance in the premises of the Hospital (except for the operating theatres) in order to ensure the safety of persons and property, and it carries out video surveillance in the operating theatres in order to ensure the smooth organisation of work and to ensure more efficient provision of services.
In particular, the processing of personal data must be based on at least one of the conditions for the lawful processing of personal data set out in the GDPR. In order to determine whether the video surveillance carried out by the Hospital is lawful, three conditions were assessed, viz. the pursuit of a legitimate interest, the need to process personal data and the overriding of conflicting rights and interests.
The SDPI, after conducting an investigation and assessing the information collected during the inspection, concluded that the video surveillance of the general territory and premises of the Hospital (outdoor perimeter, entrances to the premises of the Hospital, corridors, lobbies) in the pursuit of the Hospital's legitimate interest to ensure the safety of persons and property does not unduly restrict the rights and legitimate interests of data subjects. These areas and premises are usually subject to constant movement of people and are therefore the most likely areas of the Hospital to experience incidents related to the safety of persons and property. Such processing of personal data has been recognised as lawful.
However, the video surveillance in the Hospital's operating theatre, the patient admission and examination room of the Emergency Department, and the Geriatric Day Care Unit does not comply with the provisions of the GDPR, as the video surveillance cameras cover part of the patient examination area and the staff's permanent workplaces. In the assessment of the SDPI, the right to privacy of the data subjects (patients and staff) in the case at hand clearly overrides the interest of the Hospital to organise its work more effectively.
On the lawfulness of the audio recording
The inspection found that the video surveillance cameras installed in the premises of the Hospital also record sound, except for the cameras installed outside.
The Hospital argued that the audio recording was carried out for the same purposes and in the same interests as the video surveillance, namely to ensure the safety of persons and property, as well as for the prevention of psychological violence, and that the audio broadcasting in the operating theatres was carried out in order to ensure the smooth organisation of work and to ensure more efficient provision of services.
In the assessment of the SDPI, audio recording in the premises of the Hospital in order to ensure the safety of persons and property is not the only and necessary means to achieve this objective. The physical, emotional and psychological safety of the Hospital's staff and visitors can be ensured by other means (e.g. staff training, alarm buttons in case of danger, physical protection, etc.). Furthermore, video surveillance on the premises of the Hospital, in combination with other security measures, is considered to be a sufficiently effective way of ensuring safety or resolving conflicts. The Hospital has also failed to provide any justification as to why audio recording in the Hospital's operating theatres is a necessary means of organising work. Thus, it was concluded that the audio recording in the Hospital premises (including the operating theatres) violates the GDPR.
The SDPI also noted that private conversations between Hospital visitors, patients and staff usually take place in Hospital premises such as ward corridors, foyers, etc.; therefore, it is clear that data subjects have a legitimate expectation that their private conversations will not be recorded. It should also be noted that conversations between Hospital visitors and patients may, among other things, include discussions related to their health condition, etc., which would mean that health data are being recorded and stored, which are considered to be special categories of data according to Article 9 of the GDPR, and the processing of which is subject to stricter requirements. Thus, in the present case, it is recognised that the right to privacy of data subjects (Hospital visitors, patients and staff) overrides the Hospital's interest in ensuring safety and in organising its work more efficiently.
On the duration of storage of video and audio recordings
Personal data may not be stored for longer than is necessary for the purposes for which the personal data are processed, and the storage period must be clearly defined and determined separately for each specific purpose. The data controller (in this case, the Hospital) must define the storage period and demonstrate compliance with the provisions of the GDPR, taking into account the principles of necessity and proportionality.
During the on-site inspection, violations of these requirements were also identified, viz. the storage periods for video and audio recordings were set inaccurately, and the recordings were actually stored for an obviously excessive period of time.
On the enforcement of access control
After conducting an inspection, the SDPI established that access control to video and audio broadcasting in the Hospital's operating theatres was not adequately ensured. Also, the Hospital did not sufficiently cooperate with the SDPI (did not provide all requested information), thus violating Article 58(1)(a) of the GDPR.
Solutions
After completing its inspection in December 2025, the SDPI issued instructions to the Hospital to remedy the identified shortcomings and violations (to stop the unlawful video surveillance in the Hospital's operating theatres; to stop the unlawful audio recording in the Hospital's premises; to precisely determine the storage periods for video recordings and ensure that they are complied with; to take technical measures to ensure that the video surveillance in the premises (operating theatre, the patient admission and examination room of the Emergency Department, and the Geriatric Day Care Unit) does not cover the examination of patients and the permanent workplaces of the staff) and started the procedure for imposing an administrative fine for the violation of the provisions of the GDPR.
In February 2026, after examining the case regarding the imposition of an administrative fine, the SDPI imposed a fine of EUR 6,000 on the Hospital for the identified GDPR violations.
The decision of the SDPI may be appealed to the court within one month from the date of its delivery, in accordance with the procedure established by the Law on Administrative Proceedings of the Republic of Lithuania.
All SDPI decisions from 2025 onwards are made public. You can find them under "SDPI decisions (fines, instructions, etc.)".
