VDAI (Lithuania) – Nr. 3R-206 (2.13-1 E)

10 February 2026



{{DPAdecisionBOX

|Jurisdiction=Lithuania
|DPA-BG-Color=
|DPAlogo=
|DPA_Abbrevation=VDAI
|DPA_With_Country=VDAI (Lithuania)

|Case_Number_Name=Nr. 3R-206 (2.13-1 E)
|ECLI=

|Original_Source_Name_1=VDAI
|Original_Source_Link_1=https://vdai.lrv.lt/public/canonical/1770620497/1266/2026-02-04%20Sprendimas%20Nr.%203R-206%20(2.13-1.E).pdf
|Original_Source_Language_1=Lithuanian
|Original_Source_Language__Code_1=LT
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=

|Type=Complaint
|Outcome=Partly Upheld
|Date_Started=
|Date_Decided=
|Date_Published=
|Year=
|Fine=
|Currency=

|GDPR_Article_1=Article 5(1)(a) GDPR
|GDPR_Article_Link_1=Article 5 GDPR#1a
|GDPR_Article_2=Article 5(1)(e) GDPR
|GDPR_Article_Link_2=Article 5 GDPR#1e
|GDPR_Article_3=Article 13 GDPR
|GDPR_Article_Link_3=Article 13 GDPR
|GDPR_Article_4=Article 15 GDPR
|GDPR_Article_Link_4=Article 15 GDPR
|GDPR_Article_5=
|GDPR_Article_Link_5=
|GDPR_Article_6=
|GDPR_Article_Link_6=

|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=

|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=

|Party_Name_1=
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=

|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=
|Appeal_To_Link=

|Initial_Contributor=lde
|
}}

The DPA issued a reprimand to a dental clinic which unlawfully retained personal data for over ten years, failed to fully comply with an access request, and used non-essential cookies without valid consent.

== English Summary ==

=== Facts ===
In 2024, the data subject received appointment reminder SMS messages from a dental clinic (the controller), despite not having used the clinic’s services for more than a decade. He filed a complaint with the DPA, arguing that the controller unlawfully retained his personal data, failed to properly respond to his access request, ignored his request not to be contacted, and processed cookies on its website without providing information or obtaining consent.

The controller explained that the data subject had registered for a visit in 2013 but never attended, and that only his name, surname, and telephone number were stored. The reminder messages were sent by mistake due to a human error in selecting a patient with the same name. The controller deleted the data upon request and stated that long-term storage resulted from a technical limitation of the registration system. It also acknowledged deficiencies in cookie consent mechanisms on its website.

=== Holding ===
The DPA held that the reminder SMS messages were not sent for direct marketing purposes and therefore did not breach the purpose limitation principle contained in [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]]. The complaint concerning transparency at the time of data collection in 2013 was dismissed due to the statute of limitations.

However, the DPA found that the controller violated the principle of storage limitation by retaining the data subject’s personal data for more than ten years after an uncompleted registration. It also held that the controller failed to fully comply with the data subject’s right of access by not providing information on data recipients and storage periods. Thus, the DPA has found violations of Articles 5(1)(a), 5(1)(e), Article 13, and [[Article 15 GDPR|Article 15 GDPR]].

In addition, the DPA found that the controller processed non-essential cookies without valid consent and failed to provide clear and accurate information about cookie use. The controller was ordered to implement corrective measures regarding cookie consent and transparency and was issued a formal reprimand for the identified violations.


== English Machine Translation of the Decision ==
The decision below is a machine translation of the Lithuanian original. Please refer to the Lithuanian original for more details.

<pre>
Extract of electronic document
STATE DATA PROTECTION INSPECTORATE
DECISION
January 4, 2026. No. 3R-206 (2.13-1 E)
Vilnius
On 2024-09-11 the State Data Protection Inspectorate (hereinafter – the Inspectorate) received a complaint from [DATA NOT PUBLISHED] (hereinafter – the Applicant) dated 2024-09-10 (Inspection reg. No. 1R-5777 (2.13 Mr)) and its clarification dated 2024-10-01 (Inspection reg. No. 1R-6297 (2.13 Mr)) (hereinafter collectively – the Complaint) regarding the actions of UAB „Neodenta“ (hereinafter – the Complainant or the Clinic).
The Applicant stated in the Complaint that the Complainant, who provided the Applicant with a service more than a decade ago, contacted him by SMS and phone call on 2024-06-28 and 2024-08-09, reminding him of a visit for which the Applicant did not register. The Applicant believes that the Complainant illegally accumulates and holds large amounts of personal data of clients for an unreasonably long time. The Applicant noted that a decade ago he provided the Complainant with the following data: name, surname, residential address, telephone number, information related to the person’s health. The Complaint states that the Complainant did not allow him to access personal data, the period of their processing, categories, method of obtaining personal data, storage period for recording telephone conversations and other information; that the Complainant did not respond to his request to restrict data processing, in which he asked not to be contacted by SMS and telephone. The Applicant requested the Inspectorate to investigate whether the Complainant processed his personal data for a purpose other than that for which they were collected. The Applicant believes that the Complainant is advertising its services in such a false manner. In the Complaint Form, the Applicant noted that he was also complaining about his rights as a data subject to receive information about data processing, to access data and to restrict data processing. The Applicant attached to the Complaint: evidence of the 2024-06-28 phone call and 2024-06-28 and 2024-08-09 SMS messages; his request of 2024-08-09 submitted to the Complainant by e-mail, “to provide what personal data of mine you have at your disposal and for what purposes (providing full information). I also ask you to provide a description of your company’s data protection data management” (hereinafter referred to as Request 1) and the Complainant’s response of 2024-08-14.
In accordance with the Inspectorate’s request, clarifying the subject of the Complaint, the Applicant indicated that on 2024-09-13 he contacted the Complainant again (hereinafter referred to as Request 2) and received its response on 2024-09-13, which he attached to the Complaint.
The Applicant indicated that he learned from the Complainant’s response that the Complainant had been holding his personal data for an unreasonably long time, i.e. since 2013-05-30; also that the Complainant attached to the response to the Applicant a Notice on the processing of personal data in the implantology and aesthetic dentistry clinic “NEODENTA”, with which the Applicant was not acquainted during registration.
In addition, the Applicant attached to the Complaint the “cookies” installed in his computer’s internet browser and pointed out that the Complainant’s website did not provide information about cookies and there was no possibility to refuse them.
The Inspectorate, having examined the Applicant’s Complaint within its competence,
declared:
On 2024-10-28 the Inspectorate received the Complainant’s response (Inspection reg. No. 1R-6956 (2.13 Mr)) (hereinafter – the Response).
In the response, the Complainant pointed out that the Applicant was never a patient of the Complainant; that the Applicant applied to the Clinic on 2013-05-30 to register for a visit to the doctor, but did not arrive and no additional personal data was collected.
The Complainant emphasizes that if the Applicant were a patient of the Complainant, he would know what data and what forms patients sign before entering the doctor’s office.
The Complainant explained that the patient’s name and surname and telephone number are entered into the registration system at the time the patient calls or comes directly to register for treatment.
No additional data is collected from patients during registration. The Complainant indicated that he processes the patients’ name, surname, and telephone number in order to organize smooth access to the doctor. The patient himself provides his surname, first name, and telephone number during registration.
The Clinic submitted the texts of its responses to the Applicant dated 2024-08-14 and 2024-09-13, in which an apology for the error was provided and an explanation was provided as to the circumstances under which the Applicant’s data (name, surname and telephone number) were entered into the Complainant’s database. The Applicant was informed that the doctor, while registering another patient with a similar name and surname, had mistakenly selected the Applicant. The Clinic provided the Applicant with a data processing policy for review and indicated that “After checking the program data, your data was entered into the system on 2013.05.30. Patient data is entered into our system only if the patient himself/herself contacted our clinic. At your request, the data was deleted.” In its response to the Inspectorate, the Respondent pointed out that the data specified in the Complaint of the Applicant, such as the address of residence and information related to the personal health condition, were never processed by the Clinic; no treatment agreement was concluded with the Applicant.

The Respondent emphasized that information on the processing of personal data was provided to the Applicant (sent by e-mail) on 2024-09-13.

The Respondent also emphasized that the Clinic does not have the practice of notifying about a visit by phone, therefore no one contacted the Applicant about the visit by phone.

The Clinic acknowledged that in the case specified in the Complaint, a human error occurred in relation to the Applicant when the employee selected a patient with the same first and last name in the registration system, but the error was promptly corrected. The head of the Clinic submitted responses to the Applicant on 2024-08-14 and 2024-09-13, providing the requested information. The Complainant reiterated that the situation indicated in the Complaint arose due to the doctor’s mistake in selecting the wrong patient with the same first and last name. In this way, an information message was sent to the Applicant regarding the visit, since the Clinic’s registration system is programmed in such a way that after selecting the patient’s first and last name, the program automatically sends a message about the time when to come to the doctor. It also noted that there is no advertising content in this message. The Complainant emphasized that it never uses patient data for marketing purposes, that the Applicant has never received information sent for marketing purposes. It also noted that the Clinic’s website provides a privacy policy [1].
The Clinic attached to the Response: Notice on the processing of personal data; 2024-08-14 and 2024-09-13 letters to the Applicant.
The Complainant submitted additional information regarding the duration of storage of the processed personal data in a letter dated 2025-09-29 (Inspection reg. No. 1R-6545 (2.13 Mr)). The Clinic explained that after checking the registration system, it was determined that the Applicant’s name, surname and telephone number were entered during the registration visit on 2013-05-30; the visit did not take place, additional data was not collected, healthcare services were not provided. The Applicant’s data were stored until 2024, because the registration system did not have an automatic data deletion function, and due to a technical error, personal data were not deleted from the system in time. The Complainant indicated that at the request of the Applicant, his personal data was deleted on 13 September 2024.
[1] https://neodenta.lt/privatumo-politika/
The Complainant also indicated that the following measures have already been implemented and are planned to be implemented:
a) A clause will be included in the Personal Data Processing Rules that registration data, when healthcare services have not been provided, are stored for no longer than 12 months from the date of registration.
b) It is planned to install a technical measure – automatic deletion of data after the expiry of the established deadline (implementation is planned by 31 December 2025).
c) All employees will be introduced to the updated procedure and GDPR [2] requirements.
The Clinic undertakes to regularly review data processing processes and ensure compliance with the GDPR principles.
The processing of personal data is regulated by the GDPR and the Law of the Republic of Lithuania on the Legal Protection of Personal Data (hereinafter referred to as the ADTAĮ). Pursuant to the GDPR, the processing of personal data is deemed lawful only if the principles relating to the processing of personal data set out in Article 5 of the GDPR and at least one of the conditions set out in Article 6 of the GDPR are applied.
According to Article 5(2) of the GDPR, the data controller is responsible for compliance with paragraph 1 of that Article and must be able to demonstrate compliance (accountability principle).
It is noteworthy that the Applicant does not deny that he himself provided his personal data to the Complainant ten years ago in order to use the services of the Clinic. Thus, in this case, the decision will not assess the lawfulness of the processing of the Applicant’s personal data, but will assess the principles of purpose limitation, transparency and storage limitation, as well as the implementation of certain rights of the data subject.
1. Regarding the purpose of processing the Applicant’s personal data
The Applicant indicates in the Complaint that the Complainant processed his personal data in a fictitious manner by advertising its services and, as evidence, provides the SMS messages received on 2024-06-28 and 2024-08-09: “We kindly remind you that on 07-01 at 12:00 we are waiting for you at Neodenta. Confirm your arrival by writing the word YES or NO. Information by phone <…>.” and “We kindly remind you that on 08-12 at 11:00 we are waiting for you at Neodenta <…>” (errors not corrected) (hereinafter referred to as the Messages).
The Complainant admitted that the Messages were sent to the Applicant by mistake, as the doctors selected the wrong patient whose first and last name coincided, but categorically denied any actions of the Clinic related to marketing (direct marketing) purposes.
Article 2, paragraph 1 of the ADTAĮ establishes that direct marketing is an activity the purpose of which is to offer goods or services to individuals by mail, telephone or in another direct manner and/or to inquire about their opinion on the goods or services offered.
According to Article 5, paragraph 1, point b of the GDPR, personal data must be collected for specified, clearly defined and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) shall not be considered incompatible with the initial purposes (purpose limitation principle).
Therefore, as already established in this decision, the Applicant’s personal data was received and further processed by the Complainant after the Applicant registered for the Clinic’s services, i.e. for the purpose of providing the Clinic’s services.
[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the GDPR)
When assessing the content of the Messages received from the Complainant specified in the Applicant’s Complaint, the Inspectorate has no reason to conclude that the Clinic, by sending the Messages, offered its services or goods to the Applicant by such actions, since SMS of this type (content) are usually sent by the majority of healthcare institutions, reminding the patient of an upcoming visit.
Accordingly, the Inspectorate concludes that the Complainant, by sending the Messages to the Applicant, did not violate the purpose limitation principle set out in Article 5(1)(b) of the GDPR, as the Messages were sent for the purpose of providing services, but due to an employee’s error, they were sent to the Applicant, and not to the patient who ordered the Clinic’s services. Taking into account the indicated circumstances, the Applicant’s Complaint in this part should be rejected as unfounded.
2. Regarding the transparency of the Applicant’s personal data processing
The Applicant indicates that at the time of the collection of his personal data (in 2013), he was not acquainted with information about the processing of his personal data, that this information was provided to him only in September 2024.
The Complainant also indicated that information about the processing of personal data was provided to the Applicant (sent by e-mail) on 13 September 2024.
According to Article 5(1)(a) of the GDPR, personal data must be processed lawfully, fairly and transparently in relation to the data subject (principle of lawfulness, fairness and transparency).
Article 13(1) of the GDPR stipulates that when personal data are collected from a data subject, the data controller shall, at the time of receiving the personal data, provide the data subject with all the information on data processing specified in Article 13(1) of the GDPR. However, it should be noted that the GDPR has been in force only since 2018-05-25.
It should be noted that Article 27(1)(8) of the Law on the Legal Protection of Personal Data of the Republic of Lithuania (hereinafter referred to as the “Law on the Legal Protection of Personal Data”) stipulates that the Inspectorate shall adopt a decision to refuse to examine a complaint or part thereof if more than 2 years have passed since the commission of the violations specified in the complaint or part thereof until the submission of the complaint. According to Article 29, Part 1, Item 2 of the ADTAĮ, the supervisory authority shall adopt a decision to terminate the examination of a complaint or a part thereof, if, during the examination of the complaint or a part thereof, it becomes apparent that there are grounds specified in Article 27, Part 1, Items 2–6, 8, 9 of this Law (the specified grounds) for refusing to examine the complaint or a part thereof.
In this case, it is important to note that the Inspectorate currently no longer has the opportunity to determine whether in 2013 the Complainant provided information on its website or in other ways about the processing of its clients’ (patients’) personal data.
Accordingly, the Inspectorate decides that the examination of the Applicant’s Complaint in this part shall be terminated in accordance with Article 29, Part 1, Item 2 of the ADTAĮ and Article 27, Part 1, Item 8 of the ADTAĮ due to the statute of limitations, more than 11 years having passed since the actions complained of until the submission of the Complaint.
3. Regarding the implementation of the principle of limitation of the storage period
The Applicant indicated that the Complainant had been in possession of his personal data for an unreasonably long time, i.e. from 2013-05-30.
The Complainant acknowledged that the Applicant’s personal data were not deleted from the system due to a technical error when the registered visit did not take place and explained that at that time the Clinic’s registration system did not have an automatic data deletion function, which is planned to be implemented by 2025-12-31.
According to Article 5(1)(e) of the GDPR, personal data must be stored in a form that allows the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods if the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), after implementing appropriate technical and organisational measures required by this Regulation to protect the rights and freedoms of the data subject (principle of storage limitation). Taking into account the explanations of the Complainant and the established circumstances that the Applicant has never been a patient of the Clinic and has not used its services, the Inspectorate decides that the processing of the Applicant’s personal data – name, surname and telephone number – from 2013-05-30 to 2024-09-13 was not necessary for the purpose of processing a registration visit that did not take place, therefore the Complainant has violated the principle of storage limitation set out in Article 5(1)(e) of the GDPR by its inaction. Accordingly, the Applicant’s Complaint in this part shall be recognized as justified.
4. Regarding the implementation of the Applicant’s right to access data and the right to restrict data processing
The Complaint states that the Complainant did not allow the Applicant to access personal data, the period of their processing, categories, method of obtaining personal data, the term of storage of telephone recording and other information; that the Complainant did not respond to his request to restrict data processing, in which he asked not to be contacted by SMS and telephone.
The Applicant attached to the Complaint Request 1 of the already specified content [3], the Clinic’s response of 2024-08-14, the recorded telephone calls of 2024-06-28 and 2024-08-09, Request 2 of 2024-09-13 and the Complainant’s response of 2024-09-13.
4.1. Regarding the Applicant’s right to access data
The Clinic’s response of 2024-08-14 stated: “you are in our system because you have registered for a visit to the doctor. However, you have either cancelled the visit or did not show up, because we only have your Name, Surname and telephone number. Primary data provided by the patient during registration.”
Article 15(1) of the GDPR provides that the data subject shall have the right to obtain from the data controller confirmation as to whether personal data relating to him or her are being processed, and, if such personal data are being processed, the right to access the personal data and the following information:
(a) the purposes of the data processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored or, where this is not possible, the criteria used to determine that period;
(e) the right to request the controller to rectify or erase personal data or to restrict the processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, all available information about their sources;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logical justification for it, as well as the significance and envisaged consequences of such processing for the data subject.
When assessing the content of Request 1, the Inspectorate decides that the first part of the Applicant’s Request complied with the scope set out in Article 15(1)(a) and (b) of the GDPR.
Accordingly, assessing the Clinic’s response of 2024-08-14, the Inspectorate concludes that the Clinic indicated in its response both the purpose of processing the Applicant’s personal data – registration with a doctor, and the categories of personal data processed – name, surname and phone number. Meanwhile, the Applicant’s request to submit a “data protection data procedure description” does not fall within the scope of the right to access data set out in Article 15 of the GDPR.
The Applicant again contacted the Complainant on 2024-09-13, submitting Request 2, in which he requested the Complainant to submit the information specified in Article 15, paragraph 1, points a, b, c, d and g of the GDPR and evidence that the Applicant’s personal data were obtained from him.
[3] “provide what personal data of mine you have at your disposal and for what purposes (providing complete information). I also ask you to provide a description of your company’s data protection data management”
On the same day, the Clinic submitted a response, in which it stated: “After checking the program data, Your data was entered into the system on 2013.05.30. Patient data is entered into our system only if the patient himself/herself contacted our clinic. At your request, the data was deleted.”
When assessing this response of the Complainant, the Inspectorate decides that the Complainant did not provide all the information specified in Request 2, i.e.: did not provide any information about the recipients of the data and about the data storage period (in accordance with Article 15, paragraph 1, subparagraphs c and d of the GDPR).
It is noteworthy that in the event that the Applicant’s personal data were not provided to any recipients of the data, the Complainant should have provided this information to the Applicant. It was also required to provide an explanation regarding the retention period of the Applicant’s personal data exceeding 10 years. It is noteworthy that the Notice on Data Processing attached to the Clinic’s response of 2024-09-13 does not provide any information on the processing of registration data when no services are provided to the patient.
Accordingly, the Inspectorate decides that the Respondent’s response of 2024-09-13 to the Applicant’s Request 2 is incomplete, therefore the Inspectorate concludes that the Respondent, by incompletely responding to the Applicant’s Request 2, violated Article 15(1)(c) and (d) of the GDPR, therefore the Applicant’s Complaint regarding the right to access data under Request 2 must be recognized as justified.
4.2. Regarding the implementation of the Applicant’s right to restrict data processing
When assessing the Complaint materials, it was established that neither the Applicant’s Request 1 nor Request 2 can be linked to the right to restrict data processing, as provided for in Article 18 of the GDPR.
The annexes attached to the complaint, which record telephone calls, cannot be recognized as the information (documents) referred to in Article 24(6) of the ADTAĮ, since these annexes do not disclose the content of the requests (if they were submitted orally). Accordingly, the Inspectorate has no grounds to assess the implementation of the right to restrict data processing, therefore the Applicant’s Complaint in this part must be rejected as unfounded.
5. Regarding the lawfulness and transparency of the processing of the Applicant’s personal data by recording cookie information
The Applicant attached to the Complaint the “cookies” installed in the Internet browser of his computer and indicated that the Complainant’s website did not provide information about cookies and there is no possibility to refuse them.
Article 73, paragraph 4, of the Law on Electronic Communications of the Republic of Lithuania (hereinafter referred to as the “ELC”) establishes that storing information or providing access to already stored information in the terminal equipment of a subscriber or actual recipient of public electronic communications services is permitted only on the condition that the relevant subscriber or actual recipient of public electronic communications services, who was provided with clear and comprehensive information, including information on the purposes of processing, in accordance with the GDPR, has given his consent. These provisions shall not prohibit the technical storage or use of data for the sole purpose of transmitting information over an electronic communications network, as well as, where necessary, for the provision of information society services requested by a subscriber or an actual recipient of a public electronic communications service.
Article 4(11) of the GDPR provides that consent of the data subject shall mean any freely given, specific and unambiguous indication of the data subject’s wishes, by which he or she, by a statement or by a clear action, signifies agreement to the processing of personal data relating to him or her.
Article 7(2) of the GDPR provides that where the data subject’s consent is given in a written statement which also covers other matters, the request for consent shall be given in such a way that it is clearly distinguishable from other matters, in an intelligible and easily accessible form, and in clear and plain language. No part of such a statement which infringes this Regulation shall be mandatory.
Recital 43 of the GDPR states that consent is not freely given if it is not permitted to give separate consent for individual processing operations of personal data, even if it is appropriate in individual cases.
7 Point 13 of the Guidelines 05/2020 of the European Data Protection Board of 4 May 2020 on consent under Regulation 2016/6794 (hereinafter referred to as the Guidelines) states that the element of the concept of consent, ‘free’, means that data subjects have a real choice and control. Point 26 of the Guidelines explains that Article 7(4) of the GDPR aims to ensure that the purpose of the processing of personal data is not obscured or inseparably linked to the performance of a contract for the provision of a service for which the data in question are not necessary. Recital 30 of the GDPR states that individuals may be linked to internet identifiers of their devices, applications, tools and protocols, such as IP addresses, cookie identifiers or other identifiers, such as radio frequency identification tags. This may leave traces which, in particular, together with unique identifiers and other information received by servers, can be used to create profiles of individuals and identify them. On 17 January 2023, the European Data Protection Board adopted the report of the Working Party on Cookies in Banner Ads5 (hereinafter referred to as the Report)6. The report states that where complaints before the supervisory authority concern the placing or reading of cookies, national law, which incorporates the provisions of Directive 2009/11/EC of 25 November 2009, shall apply. Directive 2009/136/EC of the European Parliament and of the Council amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No. 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws (hereinafter referred to as the ePrivacy Directive). 
The report, among other things, also sets out the requirements applicable to cookie banners. Upon receipt of the Applicant’s Complaint, the Information Technology Department of the Inspectorate prepared Conclusion No. 4R-568 (2.14.E) of 2024-10-03 “Regarding the use of cookies https://neodenta.lt/” (hereinafter referred to as the Website) (hereinafter referred to as Conclusion 1). The Website was inspected on 2024-09-12, assessing the cookies stored on the visitor’s computer only after accessing the main page of the Website.
Conclusion 1 established that the Website:
(1) does not have a pop-up window in which the Website visitor is given the opportunity to choose which cookies he wants to accept;
(2) stores 8 cookies on the computer without consent;
(3) stores marketing and other cookies of unknown purpose, which are not necessary cookies required for the technically correct operation of the Website.
It was also established that on 2024-09-12 the Website did not provide information about cookies.
A repeat Conclusion No. 4R-4 (2.14 E) was prepared on 2026-01-08 (hereinafter referred to as Conclusion 2). Conclusion 2 establishes that the Website:
(1) has a pop-up window in which the Website visitor is given the opportunity to choose which cookies he wants to accept or refuse;
(2) upon first visit to the Website and without confirming the processing of cookies, 1 necessary (Functional) cookie, _lscache_vary, is stored on the visitor’s computer;
(3) if the Website visitor selects the “Reject” button (Reject cookies), 13 cookies are stored on the visitor’s computer, of which: 8 necessary cookies; 3 statistical cookies; 2 marketing cookies;
(4) if the Website visitor selects the “Accept” button (Accept cookies), 36 cookies are stored on the computer, of which: 8 necessary cookies; 14 statistical cookies; 6 marketing cookies; 8 unknown purpose cookies;
(5) when a Website visitor chooses to save statistical cookies and clicks the “Save settings” button, 19 cookies are saved on the computer, of which: 6 essential cookies; 7 statistical cookies; 4 marketing cookies; 2 cookies of unknown purpose;
(6) when the Website visitor chooses to save marketing cookies and clicks the “Save settings” button, 31 cookies are saved on the computer, of which: 8 necessary cookies; 12 statistical cookies; 11 marketing cookies.

[4] GDPR
[5] https://edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf
[6] Based on the report, the Inspectorate has prepared Practical Aspects of Cookie Usage Requirements: https://vdai.lrv.lt/media/viesa/saugykla/2023/11/3EqHGGk8nxE.pdf

When preparing Conclusion 2 (2026-01-08) it was determined that the Website [7] provides information about cookies, but it is inaccurate and does not describe all cookies used on the Website.
Taking into account the facts proven by screenshots in the Conclusions, the Inspectorate concludes that the Website does not properly implement cookie consent management; accordingly, non-essential cookies, i.e. statistical/marketing and unknown purpose cookies, are saved on the visitor’s, and the Applicant’s, computer without consent, i.e. without selecting them – without performing the appropriate actions regarding cookie management.
Summarizing the inspection results established during the inspection and recorded in the Conclusions, the Inspectorate decides that the person complained about violated Article 73(4) of the GDPR by processing (saving on the Applicant’s computer) non-essential (statistical, marketing and functional) cookies without the Applicant’s consent. Assessing whether the Applicant was provided with clear and detailed information about the processing of personal data using cookies, and taking into account the fact that at the time of receipt of the Complaint, no information about cookies was provided on the Website, the Inspectorate decides that by such actions (omissions) the person complained about violated Article 13(1) and (2) of the GDPR, and the principle of transparency established in Article 5(1)(a) of the GDPR, respectively. Taking into account the violations established in this decision, the Inspectorate concludes that the requirements of the GDPR and the GDPR regarding the use of cookies have not been properly implemented, therefore the Applicant’s Complaint in this part is recognized as justified.
In accordance with Article 31(2)(1) of the GDPR, in the event that the complaint or part thereof is deemed justified, the Inspectorate shall provide the data controller and/or data processor with reasoned instructions, recommendations and/or apply other measures specified in Article 58(2) of the GDPR, Article 33 of the GDPR and other laws regulating the protection of personal data and/or privacy <…>. When deciding on the application of enforcement measures, point 129 of the GDPR preamble shall be considered relevant, which states that each measure should be appropriate, necessary and proportionate in order to ensure compliance with the GDPR.
The Inspectorate, when assessing the nature, severity and duration of the identified violations of Article 5(1)(a) and (e) of the GDPR, Article 13(1) and (2) and Article 15(1) and Article 73(4) of the EPR, also takes into account the fact that the Clinic contacted the Applicant twice by mistake (2024-06-28 and 2024-08-09), and decides that the appropriate, necessary and proportionate measures are the instructions provided to the Complainant in accordance with Article 12(2)(5) of the ADTA and Article 58(2)(d) of the GDPR and the reprimand issued in accordance with Article 58(2)(b) of the GDPR. The Inspectorate, taking into account the above and in accordance with Article 29, Part 1, Point 2 and Article 27, Part 1, Point 8, of the ADTAĮ, Article 31, Part 1, Points 1 and 2 and Part 2 of the ADTAĮ, Article 12, Part 2, Point 5 of the ADTAĮ and Article 58, Part 2, Points b and d of the GDPR,
decides:
1. To terminate the examination of the Applicant’s Complaint in the part regarding the transparency of the processing of the Applicant’s personal data in 2013, when the data were received from the Applicant himself, due to the statute of limitations.
[7] https://neodenta.lt/privatumo-politika/
2. To terminate the examination of the Applicant’s Complaint in the parts regarding the processing of the Applicant’s personal data for the purpose of direct marketing, i.e. regarding the application of the purpose limitation principle set out in Article 5(1)(b) of the GDPR, and the implementation of the Applicant’s right to restrict data processing pursuant to Article 18 of the GDPR, to be rejected as unfounded.
3. The Applicant’s Complaint in parts regarding the implementation of the storage limitation principle, regarding the Applicant’s right to access data and the lawfulness and transparency of the processing of the Applicant’s personal data by recording cookie information (pursuant to Article 5(1)(a) and (e) of the GDPR; Article 13(1) and (2) of the GDPR, Article 15 of the GDPR and Article 73(4) of the EPR), to be recognized as justified.
4. For violations of Article 5(1)(a) of the GDPR; Article 13(1) and (2) of the GDPR and Article 73(4) of the EPR, to issue an instruction to the Complainant to implement, no later than 2026-04-01, appropriate measures:
4.1. which would ensure that each non-essential cookie on the Website would be processed only with the voluntary consent of the data subject (Website visitor);
4.2. which would ensure that during the visit, Website visitors would be provided with clear and comprehensive information about the use of cookies in accordance with Article 13, paragraphs 1 and 2 of the GDPR.
5. For violations of Article 5, paragraph 1, point e and Article 15, paragraph 1, points c and d of the GDPR, the Complainant shall be reprimanded.
6. To inform the Applicant and the Complainant of the decision taken.
This decision may be appealed to the Vilnius Regional Administrative Court (address: Žygimantų g. 2, Vilnius) within one month from the date of its service, in accordance with the procedure established by the Law on Administrative Procedure of the Republic of Lithuania.
Director Dijana Šinkūnienė
</pre>
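
The comparison that Conclusions 1 and 2 make by hand, checking what is stored in each banner state against what the visitor agreed to, can be automated. This is an added example, not part of the decision or of the Inspectorate's tooling; apart from `_lscache_vary`, every cookie name, the policy table and the captures are constructed, and flagging undeclared cookies in every state is an assumption modelled on the decision's treatment of unknown-purpose cookies.

```python
from collections import Counter

# Declared cookie policy: cookie name -> category. Only _lscache_vary comes
# from the decision; every other name is a constructed placeholder.
POLICY = {
    "_lscache_vary": "necessary",
    "example_session": "necessary",
    "example_stats_id": "statistical",
    "example_ads_id": "marketing",
}

# Banner state -> non-essential categories the visitor actually opted into.
CONSENT = {
    "first_visit": set(),
    "reject": set(),
    "save_statistical": {"statistical"},
    "save_marketing": {"marketing"},
    "accept": {"statistical", "marketing"},
}

def audit(state, stored_names, policy=POLICY):
    """Return (cookie, category) pairs stored in `state` without consent."""
    allowed = {"necessary"} | CONSENT[state]
    findings = []
    for name in sorted(set(stored_names)):
        # Assumption: a cookie missing from the policy has no disclosed
        # purpose, so no banner choice covers it; flag it as "unknown".
        category = policy.get(name, "unknown")
        if category not in allowed:
            findings.append((name, category))
    return findings

def summarize(captures):
    """Map each banner state to a per-category count of flagged cookies."""
    return {state: dict(Counter(cat for _, cat in audit(state, names)))
            for state, names in captures.items()}

# Constructed captures: cookie jar contents after each banner action.
CAPTURES = {
    "first_visit": ["_lscache_vary"],
    "reject": ["_lscache_vary", "example_session",
               "example_stats_id", "example_ads_id"],
    "save_statistical": ["_lscache_vary", "example_stats_id",
                         "example_ads_id", "example_untracked"],
    "accept": ["_lscache_vary", "example_stats_id",
               "example_ads_id", "example_untracked"],
}

if __name__ == "__main__":
    for state, counts in summarize(CAPTURES).items():
        print(f"{state:18} {'OK' if not counts else counts}")
```

An empty result for every state is the condition that point 4.1 of the decision asks the controller to reach.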