Following the temporary suspension of the use of application “Karantinas” in May 2020 and after an investigation conducted by Lithuanian State Data Protection Inspectorate (DPA) in February 2021, fines for infringements of the General Data Protection Regulation (GDPR) were imposed on the National Public Health Centre (NPHC) and the developer of the application UAB “IT sprendimai sėkmei” (the Company).
A fine of EUR 12,000 was imposed on the NHPC for infringements of provisions of Articles 5, 13, 24, 32, 35 and Article 58(2)(f) of the GDPR, and a fine of EUR 3,000 was imposed on the Company for infringements of Articles 5, 13, 24, 32 and 35 of the GDPR.
In spring 2020, the DPA started monitoring activities in response to information in the media about the possible improper processing of personal data by application “Karantinas”. After an assessment of the initial information, it was decided to open an investigation and suspend the processing of personal data by the application.
The study revealed that data from 677 individuals had been collected since April 2020 when the application became operational. Not all personal data were collected to the same extent, however the application was provided for processing such personal data as identification number, latitude and longitude coordinates, country, city, municipality, postal code, street name, house number, name, surname, personal number, telephone number, address, 2nd address, and whether the place of residence had been declared in Lithuania and other information. According to the submitted data, it was established that the processing of data of the app was performed not only in the territory of Lithuania, but also in Europe (Estonia, Switzerland, etc.) and abroad (India, USA, etc.).
After conducting an investigation, the DPA revealed that both the NHPC and the Company were joint data controllers, although both organizations denied such status.
When deciding on the imposition of the administrative fine and its amount, the DPA took into account the fact that the NHPC and the Company processed personal data intentionally, to a large extent, illegally, systematically, without providing technical and organizational means to demonstrate compliance with the requirements of the GDPR while processing personal data, and also processed special category personal data. In addition, the Company did not comply with the DPA instructions to stop the processing of personal data collected with the help of the app and deleted part of the personal data.
The decision of the DPA may be appealed in court within one month from the date of its service in accordance with the procedure established by legal acts.
For further information, please contact the Lithuanian supervisory authority: ada@ada.lt