Lde: Created page with “{{DPAdecisionBOX |Jurisdiction=Lithuania |DPA-BG-Color= |DPAlogo= |DPA_Abbrevation=VDAI |DPA_With_Country=VDAI (Lithuania) |Case_Number_Name=Nr. 3R-219 (2.13-1.E) |ECLI= |Original_Source_Name_1=VDAI |Original_Source_Link_1=https://vdai.lrv.lt/public/canonical/1770722929/1274/2026-02-06%20Sprendimas%20Nr.%203R-219%20(2.13-1.E).pdf |Original_Source_Language_1=Lithuanian |Original_Source_Language__Code_1=LT |Original_Source_Name_2= |Original_Source_Link_2= |Original_Sour…”
|Jurisdiction=Lithuania
|DPA-BG-Color=
|DPAlogo=
|DPA_Abbrevation=VDAI
|DPA_With_Country=VDAI (Lithuania)
|Case_Number_Name=Nr. 3R-219 (2.13-1.E)
|ECLI=
|Original_Source_Name_1=VDAI
|Original_Source_Link_1=https://vdai.lrv.lt/public/canonical/1770722929/1274/2026-02-06%20Sprendimas%20Nr.%203R-219%20(2.13-1.E).pdf
|Original_Source_Language_1=Lithuanian
|Original_Source_Language__Code_1=LT
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=
|Type=Complaint
|Outcome=Partly Upheld
|Date_Started=
|Date_Decided=06.02.2026
|Date_Published=
|Year=2026
|Fine=
|Currency=
|GDPR_Article_1=Article 5(1)(f) GDPR
|GDPR_Article_Link_1=Article 5 GDPR#1f
|GDPR_Article_2=Article 5(1)(c) GDPR
|GDPR_Article_Link_2=Article 5 GDPR#1c
|GDPR_Article_3=Article 5(1)(d) GDPR
|GDPR_Article_Link_3=Article 5 GDPR#1d
|GDPR_Article_4=Article 5(1)(a) GDPR
|GDPR_Article_Link_4=Article 5 GDPR#1a
|GDPR_Article_5=Article 12 GDPR
|GDPR_Article_Link_5=Article 12 GDPR
|GDPR_Article_6=Article 13 GDPR
|GDPR_Article_Link_6=Article 13 GDPR
|GDPR_Article_7=Article 15 GDPR
|GDPR_Article_Link_7=Article 15 GDPR
|GDPR_Article_8=
|GDPR_Article_Link_8=
|GDPR_Article_9=
|GDPR_Article_Link_9=
|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=
|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=
|Party_Name_1=
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=
|Appeal_To_Link=
|Initial_Contributor=lde
|
}}
The DPA partially upheld a complaint and issued a reprimand against a travel company for unlawful direct marketing, excessive passport copy collection, inaccuracies in travel documents, lack of transparency, and an incomplete access response.
== English Summary ==
=== Facts ===
The data subjects purchased a package trip for three adults and two children through the website of the controller, a travel agency. During the booking process and subsequent correspondence, errors arose concerning the children’s dates of birth, which were reflected in the contract and later in the travel documents. Although some corrections were made by hand in the contract and passport copies were eventually provided, the inaccurate data were not rectified in time, and the trip ultimately did not take place.
Following this, the data subjects lodged a complaint with the DPA. They argued that the company had sent post-trip feedback emails without valid consent or an opt-out option, unlawfully processed and retained copies of travelers’ passports without demonstrating necessity or proportionality, failed to ensure the accuracy of personal data despite having access to corrected information, and acted without sufficient transparency by sending a third party’s privacy policy without explanation and by allegedly mishandling information about the recording of a telephone call. In addition, one data subject claimed that the response to an access request under [[Article 15 GDPR|Article 15 GDPR]] was incomplete and misleading, while another data subject alleged that their access request had not been answered at all.
The company argued that customers were contractually responsible for the accuracy of the data they provided, that passport copies were necessary to verify document validity for the trip, and that feedback emails were lawfully sent to existing customers under national electronic communications law. It also argued that the access request had been answered within the statutory time limit.
=== Holding ===
The DPA upheld the complaint for the most part.
It first concluded that the feedback emails sent to the data subjects constituted direct marketing under Lithuanian law. While such messages may be sent to existing customers, the company had failed to provide a clear and easily exercisable option to object at the time of data collection or in the emails themselves.
With regard to passport copies, the DPA found that the company had not demonstrated that collecting and continuing to process full copies of identity documents was necessary and proportionate for the performance of the travel contract. Although verification of document validity could in principle serve a legitimate purpose, the company’s own explanations undermined the claimed necessity, leading to a breach of the data minimisation principle under [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]].
The DPA further held that the company failed to comply with the accuracy principle in [[Article 5 GDPR#1d|Article 5(1)(d) GDPR]]. Despite receiving corrected information and some passport copies in advance, inaccurate birth dates remained in the travel documents. While the DPA acknowledged the partial fault of data subject by not correcting all errors in the signed contract, it emphasised that the controller had not taken all reasonable steps to ensure that the personal data it processed were accurate and up to date.
The DPA also found violations of [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]]. Sending a third party’s privacy policy without clearly explaining that party’s role in the processing was considered confusing and non-transparent. In addition, the company informed an Applicant that a phone call would be recorded without providing the required information under Articles 12 and 13 GDPR and without later being able to clearly demonstrate what data processing had actually taken place.
Finally, the DPA held that the controller had improperly fulfilled the right of access under [[Article 15 GDPR|Article 15 GDPR]] in relation to one data subject, as the response failed to include all personal data actually processed, such as copies of identity documents and correspondence.
Taking into account the nature and gravity of the infringements, the DPA issued a reprimand, ordered the company to provide a complete access response, and instructed it to ensure lawful direct marketing practices.
== Comment ==
”Share your comments here!”
== Further Resources ==
”Share blogs or news articles here!”
== English Machine Translation of the Decision ==
The decision below is a machine translation of the Lithuanian original. Please refer to the Lithuanian original for more details.
<pre>
Extract of an electronic document
STATE DATA PROTECTION INSPECTORATE
DECISION
February 6, 2026 No. 3R-219 (2.13-1 E)
Vilnius
The State Data Protection Inspectorate (hereinafter referred to as the Inspectorate) received on 16 September 2024
[DATA NOT PUBLISHED] (hereinafter referred to as Applicant 1) and [DATA NOT PUBLISHED] (hereinafter referred to as Applicant 2) (hereinafter collectively referred to as the Applicants) and their minor children [DATA NOT PUBLISHED] (hereinafter referred to as Applicant 3) and [DATA NOT PUBLISHED] (hereinafter referred to as Applicant 4)
2024-09-13 complaint (Inspection reg. No. 1R-5867(2.13 Mr)) (hereinafter referred to as the Complaint) regarding the actions of UAB
“Kelionių akademija” (hereinafter referred to as the Complainant or the Company).
The Applicants indicated that they are clients of the Complainant; that on 2024-02-26, the Company’s website purchased a trip for 5 people, which was supposed to take place on 2024-03-27,
however, due to the actions (inaction) of the Complainant, the Complainant did not go on the trip.
The Complaint states the following points of the Complaint:
(1) Potentially unlawful direct marketing by the Complainant 1 and Complainant 2, in violation of the provisions of the GDPR1 and the Law on Electronic Communications of the Republic of Lithuania (hereinafter referred to as the ELA). The Complainants indicated and attached evidence that on 2024-04-15
to the e-mail box [DATA NOT PUBLISHED] and on 2024-04-10 to the e-mail box [DATA NOT PUBLISHED], the Complainant’s requests (hereinafter referred to as the Notifications) to assess the quality of the services provided were received. The Applicants claim that they did not express clear and voluntary consent to the processing of their personal data for direct marketing purposes. The complaint notes that when ordering the Company’s services (booking a trip), there was no opportunity to express consent or objection to the processing of personal data for direct marketing purposes. The complaint states that the Complainant processes the Applicants’ contact details (e-mail addresses) for direct marketing purposes, but does not provide data subjects with the opportunity to exercise the right to object to the processing of this personal data. It is also stated that the Response of 2024-05-20 to the request of Applicant 1, as a data subject, states that the notification to the e-mail box on 2024-04-15 was sent automatically, based on the Privacy Policy and Terms of the Agreement of the Complainant. The Applicants
believe that by unjustifiably basing this processing of personal data on the lawful processing condition established in Article 6(1)(b) of the GDPR, data subjects are prevented from exercising the right to object established in Article 21 of the GDPR.
(2) The processing of copies of passports of persons travelling is potentially unlawful, in violation of the data processing principles established in Article 5(1)(a)-(c) of the GDPR and other GDPR requirements, as the Applicant did not indicate a clear purpose for the processing (collection, storage, etc.) of the personal data contained in the copies of the specified documents, and could not substantiate the necessity and proportionality of the processing of the personal data contained in the documents in relation to the objectives pursued (for the purpose of organising the trip). Applicants
1 27 April 2016 Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the GDPR)2 indicates and provides evidence that several requests for copies of travel passports were received from the Complainant. (3) The Complainant may not implement appropriate technical and organisational security measures to ensure the accuracy of the personal data being processed (stored, transmitted, etc.) (does not implement a process for updating/verifying personal data), which results in violations of Article 5(1)(d) (principle of accuracy) and (principle of integrity and confidentiality), Articles 25 and 32 of the GDPR, as well as a potential high risk to the rights and freedoms of data subjects (e.g. significant financial losses, stress, etc.). The Applicants believe that when placing an order on the Respondent’s website, they did not make any errors in the data, and that the errors in the children’s data (date of birth) could have occurred due to technical malfunctions of the website. The Applicants emphasize that even if they had entered incorrect personal data on the website during the travel reservation, the Respondent had and was obliged to check the personal data of the travelers specified in the travel documents prepared by the Respondent against the copies of the passports received, thus ensuring the accuracy of the processing of personal data. The Applicants also note that they verified the personal data of all travelers by phone, corrected some of them in the travel contract itself (corrections were made by hand) and informed about the errors they noticed in separate messages, but the Respondent’s employees did not take into account the observations / corrections made by the data subjects, and also, although they had copies of all travelers’ passports, they did not verify the personal data specified in them with the data specified in the prepared travel documents. (4) By failing to take appropriate measures when, on 27 March 2024, he became aware of the errors in the travel documents and the transfer of inaccurate personal data to other entities (airline, hotel, tour operator) and understood the consequences that this could have for data subjects, the Complainant may have violated the requirements of Article 5(1)(d) and (f), Articles 25 and 32 of the GDPR. The Applicants conclude that the Complainant, having learned on 27-03-2024 that the travel documents prepared contained inaccurate personal data of the Applicants and knowing that this would pose a great danger to the Applicants, as data subjects (there would be no seats on the plane, the wrong room would be reserved at the hotel, they would not go on the trip), did not take any action to control the situation and prevent the consequences (neither registered the breach of personal data security (integrity) nor informed the data subjects about it). On the contrary, on 27-03-2024, when the Applicant 2 informed the representative of the Complainant about the errors observed in the travel documents she had prepared, confirmation was received that no problems would arise as a result. (5) Possible violation of the right to receive information: (5.1) The Complaint states that after making a travel reservation, the Applicant 2 e-mailed by mail, among other things, the privacy policies of not only the Complainant, but also of another unrelated person were sent. The Complainants believe that the Complainant, by sending the privacy policy of another person and not providing more detailed information about the role of this person in processing the personal data of the Complainants for the purpose of organizing the trip, did not ensure the principles of transparency and fairness (in accordance with Article 5(1)(a) and Article 12 of the GDPR). (5.2) The Complaint states that when the Complainant’s manager called the Complainant 1 on his personal phone number on 2024-05-02, the data subject was not provided with detailed information about the processing of personal data before the conversation began (i.e. who is recording the conversation, for what purpose the conversation is recorded, where more detailed information about this personal data processing can be found, etc.), thus violating the requirements set out in Articles 12 and 13 of the GDPR. (6) Possible violation of the right to access data.
3
(6.1) Applicant 1 claims that on 2024-04-18 he applied to the Respondent with a request to provide a copy of the personal data being processed (hereinafter referred to as the Request of 2024-04-18), however, the Respondent’s response of 2024-05-20 (hereinafter referred to as the Response of 2024-05-20) did not indicate all of his personal data actually being processed (their meanings) and did not provide any arguments to support this (i.e. why his request to provide a copy of the personal data being processed was not implemented in full). For example, the list of processed personal data indicated that such personal data as bank account number, payment data, information about purchased goods, etc. were being processed, but the actual meanings of these data were not specified.
(6.2) The Complaint states that the list of processed personal data provided in the Respondent’s Response of 2024-05-20 is incomplete. It is not stated that such personal data of the Applicant 1 as the photograph (image) in the passport copy, surname, content of correspondence with the Company’s employees, recording of a telephone conversation, etc. are processed, although these personal data are known to the Respondent. (6.3) The Complaint states that the Respondent is lying in the Response of 2024-05-20 or the person who signed the Response of 2024-05-20 is not properly informed about the situation, therefore the Response of 2024-05-20 provides inaccurate information about the processing of the Applicant 1’s personal data, thus violating the principle of fairness established in Article 5(1)(1) of the GDPR. The Complaint provides an example of possible dishonesty in that copies of all the Applicants’ passports were provided to the Respondent in two separate emails (2024-02-
28 and 2024-03-27), and not only on 2024-03-27, as stated in the Respondent’s response to the Applicant 1.
(6.4) The Complaint states that on 2024-04-17, the Respondent received a request from the Applicant 2, as a data subject (hereinafter referred to as the 2024-04-17 Request), for access to the data, but the Respondent did not respond to this request from the data subject.
(6.5) Applicant 1 claims that the response to his request as a data subject dated 2024-04-18 was provided only on 2024-05-20, i.e. after missing the one-month deadline specified in the GDPR.
The Applicants attached to the Complaint:
(1) 2024-02-26 confirmation received in the Applicant 2 email box on the completed travel order for 3
adults and 2 children;
(2) 2024-02-26 request received from the Complainant’s representative to submit copies of all travelers’
passports, indicating the consequences of their failure to submit;
(3) 2024-02-28 travel contract signed by the Applicant 2 with his physical signature sent to the Complainant, in which, among other things, the incorrectly indicated dates of birth (month and day) of 3 (three)
travelers were corrected by hand;
(4) 2024-03-26 request from the Complainant’s representative to send copies of the travelers’ passports;
(5) 2024-03-27 Applicant 2’s observation regarding errors in the travel documents sent to the Respondent;
(6) 2024-03-27 confirmation that the Respondent is aware of the errors in the travel documents and confirmation that this will not cause any problems;
(7) Notifications;
(8) Applicant 2’s claim regarding the cancelled trip;
(9) Applicant 1’s Request of 2024-04-17;
(10) Applicant 2’s Request of 2024-04-18;
(11) Respondent’s response to Applicant 2’s claim regarding the cancelled trip;
(12) Respondent’s Response of 2024-05-20.
The Inspectorate, within its competence, examining the Complaint of the Applicants,
4
notifies,
On 2024-10-15, the Inspectorate received the Respondent’s response (Inspection reg. No.
1R-6649 (2.13 Mr)), which was supplemented by an e-mail message of 2026-01-30 (Inspection reg. No.
1R-
795 (2.13 Mr)), (hereinafter collectively referred to as the Response).
Regarding the implementation of the principle of accuracy. In the Response, the Respondent refers to the provisions of Part 7 of the Organized Tourist Travel Agreement (hereinafter referred to as the Agreement) signed between him and
the Applicant 2 on 2024-02-26.
The person complained about indicates that Sub-clause 7.8 of the Agreement states that the tourist
assumes full responsibility for the correctness and accuracy of his/her and other tourists’ personal
data provided to the tour operator. The tourist, by providing, editing or otherwise
processing data (including his/her and/or other tourists’ personal data), ensures that
he has the right to process the data in this way and assumes full responsibility for any losses that may arise from the illegal processing of such data to the tour operator or third parties.
According to Sub-clause 7.3.3 of the Agreement, the tourist, having contacted the tour operator and
after the tour operator has established the tourist’s identity, has the right to demand the correction of inaccurate
his/her personal data and the completion of incomplete
his/her personal data.
The person complained about notes that he has taken all necessary measures to avoid
possible inaccuracies in the personal data provided by the tourist:
a) The tourist himself fills in his own personal data and that of other tourists on the trip and has the opportunity
to check the information he has entered;
b) After the tourist has made the initial reservation (submitted an order), he is sent a
letter of confirmation of receipt of the order, which indicates the information provided by the tourist
about the traveling persons (personal data provided by the tourist);
c) Based on the data provided by the tourist, a draft Agreement is prepared, which
indicates the personal data provided by the tourist and that of other tourists. The Agreement includes a provision
that the tourist is responsible for the accuracy of the personal data provided, therefore the tourist
must and has every opportunity to correct the incorrect data provided;
d) The tourist is asked to provide copies of his and other tourists’ passports for that trip (which contain accurate information about the tourists’ personal data). Copies of documents are required to ensure that their validity period is sufficient for the organized trip to take place. At the same time, the Respondent emphasizes that in the case of the Applicants, the Applicant 2, who concluded the Agreement: a) initially indicated inaccurate personal data (dates of birth) of two tourists who planned to go on the trip; b) upon receiving the draft Agreement, she manually corrected the inaccurate days and months of birth of two persons (children) going on the trip, but left their inaccurate years of birth in the Agreement; c) provided copies of all passports of tourists going on the trip to the Respondent only on 2024-03-27 (up until then, copies of passports of several persons going on the trip had been provided, but the last necessary copies were provided only on 2024-03-27), i.e. a month after the conclusion of the Agreement and less than three calendar days before the trip, when the Company had already completed all actions regarding the organization of the trip and there was no opportunity to rectify the situation and update or correct the plane tickets and hotel reservations made. The person complained concludes that it created conditions to avoid errors or at least to correct the errors made by the Applicants themselves in a timely manner, but due to the actions of the Applicants (indicating incorrect data, failing to correct the inaccurate birth years of two children when signing the Agreement, submitting 5 copies of passports that could be used for data verification only immediately before the booked trip), the inaccuracies in the data were noticed too late, when there was no longer any opportunity to correct the reservations made. Due to the implementation of direct marketing. In its response to the direct marketing actions carried out towards the Applicants, the Respondent admitted that on 10 April 2024 it sent a request to Applicant 2 to assess the quality of the services provided. On 15 April 2024 a similar request was also sent to Applicant 1. These requests were sent automatically and only asked to answer questions related to the performance of the Agreement. The Respondent sent these requests to the Applicants as to its existing clients, using the email addresses received from the clients themselves. The Respondent notes that it did not send any other direct marketing emails to the Applicants and that the described requests to assess the services provided were intended solely for the purpose of discussing the performance of the concluded Agreement. The response draws attention to the fact that the Complainant’s right and possibility to send such letters to its clients is specified in Article 81(2) of the ERM and discussed in the privacy policy of the Complainant and the tour operator [DATA NOT PUBLISHED]2. The response emphasizes that despite the fact that the Applicants have always had the opportunity to express their objection to the use of their personal data for marketing purposes, the Applicants have not yet notified their objection to the processing of their personal data for direct marketing purposes, however, taking into account the Applicant’s 1 2024-04-18 Request, the Complainant does not send any direct marketing messages to the Applicants. Regarding the implementation of the right to access data. Commenting on its actions regarding the responses to the Applicants’ requests for access to the processed personal data, the Respondent indicates that it received the Applicant’s 1 2024-04-18 Request for information on the processing of personal data and submitted the Response to it on 2024-05-20. The Response draws attention to the fact that, unlike the Applicants’ claims, the monthly deadline specified in the GDPR was not violated when submitting the response to the Applicant’s 1 2024-04-18 Request, because 2024-05-18 was a Saturday – a non-working day. Article 1.121, paragraph 2 of the Civil Code of the Republic of Lithuania establishes that if the last day of the deadline falls on a non-working day or an official holiday, the end date of the deadline is considered the following working day. Thus, the Response on 2024-05-203 was submitted without violating the established deadline. The Respondent emphasizes that he has answered all the questions specified in the extremely extensive
2024-04-18 Request of Applicant 1.
The Respondent notes that he has not received any request from Applicant 2 and notes that he only learned about the
2024-04-17 Request of Applicant 2 from the Complaint submitted to the Inspectorate.
The Respondent noted that on 2024-04-17 a request for information on the
processing of personal data was submitted to the Respondent by another participant of the trip booked by the
Applicants and the Respondent provided a response to this request.
Regarding the recording of a telephone conversation. Speaking about the telephone conversation with Applicant 1 described in the Complaint, the Complainant confirmed that such a conversation took place, that on 2024-05-02, in order to discuss the situation (due to the failed trip) and its possible solutions, the Complainant’s manager called Applicant 1. The Complainant indicates that at the beginning of the conversation the caller introduced himself as the Complainant’s director (this circumstance is also indicated in the Complaint). This telephone conversation was not recorded from the very beginning. Later, the Complainant’s manager informed Applicant 1 about this, 2 https://kelioniuakademija.lt/asmens duomenu trėkimas ir privatumo politika https://www. [DATA NOT PUBLISHED] -privatumo-politika.lt.html
3 Monday
6
that the further conversation will be recorded, but technically the conversation was not recorded and such a recording of the conversation is not made, is not stored and is not processed.
Regarding the processing of copies of personal identity documents. In this case, the Complainant
sees contradictions in the arguments mentioned in the Complaint.
The response notes that the Complainant asks customers to provide copies of personal documents of persons going on a trip exclusively for the purpose of performing the contract concluded with such customers (primarily in order to check whether the validity period of the documents is sufficient to participate in the desired trip). The Company emphasizes that the Applicant’s
travel order example clearly shows that the timely submission of copies of passports can protect the rights and legitimate interests of the data subjects themselves.
Regarding the implementation of appropriate technical and organizational security measures.
The Complainant emphasizes that it did not record any personal data security violations in relation to the Applicants. The inaccurate data about the trip participants was provided by the Applicant herself
2. As soon as the Applicants clarified the dates of birth (including the year of birth) of the persons participating in the trip, the Complainant promptly clarified the processed personal data
and tried to correct the situation and reduce the Applicants’ losses, however, due to the extremely late provision of accurate information (less than three calendar days before the reserved trip), it was no longer possible to obtain additional seats on the plane and change the conditions of the trip reservation.
The Complainant emphasizes once again that the mistake made by the Applicants when booking the trip and signing the travel documents is clearly confirmed by the signed Agreement,
in which the Applicants corrected the month and day of birth of the two children, but did not correct the inaccurately specified year of birth.
In all cases, the client himself is responsible for providing correct and accurate data, and this is clearly stated in the Agreement. The Complainant reiterated that copies of tourists’ personal documents are necessary to ensure the proper validity of the documents and to provide the necessary data to the tour operator. When copies of all travelers’ documents are submitted at least seven days before the trip, the Complainant’s employees have the opportunity to verify the personal data provided by the tourists with the information specified in the documents and take the necessary actions to ensure the provision of the ordered services if inaccuracies in the provided data are noticed. The Complainant emphasizes that the Applicants themselves admit in the Complaint that the Complainant learned about the inaccurate personal data only on 2024-03-27 (less than 3 calendar days before the trip, when the Applicants finally sent copies of the missing personal documents); that the Applicants themselves confirm that the Respondent’s representatives requested the Applicants several times to provide copies of all (and not just some) travelers’ passports, but the Applicants provided the missing documents only very shortly before the start of the trip.
The Complainant concludes that, having received accurate information, he promptly took all possible actions to clarify the available data and tried to protect the interests of the Applicants and
correct (revise) the reservation conditions, however, due to the late submission of accurate data,
it was no longer possible to change the reservation conditions.
Regarding the submission of the privacy policy of UAB [DATA NOT DISCLOSED] to the Applicants.
The Complainant notes that the Applicants indicate in the Complaint that the sending of the privacy policy of UAB [DATA NOT DISCLOSED] to the Applicants in some way
did not ensure transparency and fairness, although the Applicants do not explain how the sending of such a document could
violate their rights.
7
The Response notes that in response to the Request of Applicant 1 dated 18 April 2024, it was stated that information about the privacy policy of UAB [DATA NOT PUBLISHED]
was forwarded to Applicant 2, who signed the Agreement, for information purposes, since this company is a partner of the Respondent.
The Respondent, among other things, attached to the Response: a copy of the Agreement and
the travel documents sent to the Applicants.
The following is the assessment of the Inspection.
1. Regarding the implementation of direct marketing and the implementation of the right to object
Article 81 of the Electronic Communications Act provides for two conditions under which electronic communications services may be lawfully used for the purpose of direct marketing. Article 81(1) of the Electronic Communications Act establishes that the use of electronic communications services, including the sending of electronic mail messages, for the purpose of direct marketing is permitted only with the prior consent of the subscriber or recipient of public electronic communications services. Article 81(2) of the EPR Act provides that a person who, in the course of providing services or selling goods in accordance with the procedure and conditions established by the GDPR, receives e-mail contact details from his customers may use these contact details for the marketing of his own similar goods or services, provided that the customers are given a clear, free and easily implementable opportunity to object to or refuse such use of contact details for the abovementioned purposes when these data are collected and, if the customer has not initially objected to such use of data, with each message being sent. Article 3(102) of the EPR Act provides that the terms used in Section 9 of this Law that are not defined in this Law shall be understood as defined in the Law of the Republic of Lithuania on the Legal Protection of Personal Data (hereinafter referred to as the LPD). Article 2, paragraph 3 of the ADTAĮ establishes that the terms used in this law (except for the terms
“direct marketing” and “public authorities and bodies”) shall be understood as they
are defined in the GDPR. Article 2, paragraph 1 of the ADTAĮ establishes that direct marketing is an activity,
the purpose of which is to offer goods or
services to individuals by mail, telephone or in another direct manner and/or to inquire about their opinion on the goods or services offered.
The person complained to Applicant 1 and Applicant 2 by e-mail sent by mail Messages of the same content
2024-04-10 and 2024-04-15:
“Since you have recently returned from a trip, we would like to know how you did. It is very important for us to hear customer feedback, to assess what we are doing well and where we could still improve. We would be very grateful if you would take 2-3 minutes of your time and answer the questions in the questionnaire.”
Considering the content of the Messages – a request to provide an opinion on the services provided4,
it can be concluded that these Messages are to be considered direct marketing activities.
According to the explanations of the Complainant: The Messages are intended only for the discussion of the performance of the Agreement, the evaluation of the services provided; The right and possibility of the Complainant to send
letters of this nature to its clients is established in Article 81, Part 2 of the EER and discussed in the privacy policy of the Complainant and the tour operator [DATA NOT PUBLISHED]5.
The Inspectorate agrees that the Notifications were sent to the Applicants as the Company’s clients, however, Article 81(2) of the EIA also establishes other conditions for sending direct marketing notifications to clients, i.e. clients must be given a clear, free and
4 in the case under consideration – not provided
5 https://kelioniuakademija.lt/asmens duomenu vykladymas ir privadumo politika
https://www. [DUOMENYS NESKELBTINI] -privatumo-politika.lt.html
8
easily implemented opportunity to object to or refuse such use of contact data for the above-mentioned purposes, when these data are collected and, if the client did not initially object to such use of data, when sending each message.
In the case under consideration, the Complainant did not provide any evidence that the Applicants were given the opportunity to object to or refuse the use of their contact data for direct marketing purposes during the collection of their data. It should also be noted that such an opportunity was not provided to the Applicants when sending the Notifications. This circumstance is evidenced by the copies of the Notifications attached to the Complaint – the Notifications do not provide any information about the possibility of not agreeing (objecting). When assessing the application of the provisions of Article 81, Part 2 of the ELA in relation to the Applicants as clients of the Complainant, and taking into account the circumstances established in this part of the decision, the Inspectorate concludes that the Complainant, by not implementing a clear, free and easily implementable opportunity to disagree or refuse to use the Applicants’ data for direct marketing purposes, violated Article 81, Part 2 of the ELA, therefore the Applicants’ Complaint in this part must be recognized as justified. The Applicants, as a separate subject of the Complaint, indicate that they were not given the opportunity to object to the processing of their personal data for direct marketing purposes in accordance with Article 21 of the GDPR, since the Complainant unreasonably bases the processing of personal data for direct marketing purposes on the condition of lawful processing established in Article 6(1)(b) of the GDPR. Considering that the lawfulness of direct marketing actions, including the processing of personal data, is established by both the EIA and the GDPR, and in addition, both these legal acts establish the right of the data subject (customer) to object to the implementation of direct marketing, after the actions of the Complainant have been assessed in accordance with the EIA, the same actions cannot be assessed repeatedly in accordance with the GDPR. Accordingly, the Inspectorate will not assess the actions of the Complainant in this decision in accordance with Article 2(1) of the GDPR. At the same time, the Inspectorate notes that the implementation of direct marketing cannot be assessed in accordance with the condition of lawfulness set out in Article 6(1)(b) of the GDPR, since direct marketing actions are not necessary to perform a contract concluded for the purpose of organizing a trip. 2. Regarding the application of the principle of data minimization when processing copies of personal identification documents, the Applicants indicate in the Complaint that the Complainant did not indicate a clear purpose for the processing (collection, storage, etc.) of the personal data contained in the copies of the documents, and also could not justify the necessity and proportionality of the processing of the personal data contained in the documents for the purpose of organizing the trip. The Complainant indicates that the tourist is asked to provide copies of his and other tourists’ passports (which contain accurate personal data of the tourists) for the purpose of performing the contract concluded with the clients – primarily in order to verify whether the validity period of the documents is sufficient to participate in the desired trip. Despite this explanation, the Respondent noted in its response to the Applicant’s claim No. 2 on 10 April 2024 that the Company “does not necessarily have to enter passport data before the trip, they can be entered at the airport”. It also indicated that the travel documents provide information that the tourist must have a passport valid for at least 150 days from the start of the trip on the day of departure, therefore the incorrect entry in the travel documents about the invalidity of the documents did not affect their failure to depart. The Complainant emphasized that the Applicant’s travel order example clearly
shows that timely submission of passport copies can protect the rights
and legitimate interests of the data subjects themselves, however, it is evident from the Complaint materials that although the copies of the documents of two children 6
6 [DATA NOT PUBLISHED]
9 were submitted on time, and the months and days of birth of the Applicant’s children specified in the Agreement were corrected even before the Agreement was signed, the original inaccurate data remained in the travel documents.
The Company’s Privacy Policy7 states that, among other data, identification information (personal identification number, date of birth, age, gender, personal identification card (passport) number, date and place of issue) is processed, but it does not state that a copy of the identity document with data on the validity of the document, etc., is processed.
Article 5(1)(c) of the GDPR provides that personal data must be adequate, relevant and not excessive in relation to the purposes for which they are processed (principle of data minimisation).
According to the information provided by the Complainant, the copies of the documents of the Applicants and their children and the data contained therein were necessary for the purpose of the performance of the Contract.
Article 6(1)(b) of the GDPR provides that data processing is lawful if the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
Article 25(2) and (3) of the Law on Tourism of the Republic of Lithuania (hereinafter referred to as the Law on Tourism) provides:
(2) Where the tourism service provider referred to in paragraph 1 of this Article has agreed to book an organised tourist trip or to assist in the purchase of a package of tourist services, he shall be liable for any errors made during the booking process.
(3) The liability established in Part 2 of this Article shall not apply when booking errors
occurred due to the fault of the traveler or were caused by force majeure circumstances.
Thus, when assessing the information and legal regulation provided in this part of the decision,
a situation arises that the Complainant, in accordance with Part 2 of Article 25 of the Law on Tourism
being responsible for errors made during the booking process, and accordingly
the correctness of the booking data, would have the right to verify the information provided by the tourists according to
documents and to store copies of documents as evidence, however, the Complainant himself
according to the documents attached to the Complaint and the Response denies the necessity of his actions,
requiring a copy of the document and processing the data provided therein, since
he did not present a single argument that would prove that even copies of the documents of three individuals with the data entered therein, received in a timely manner from the Applicants, would be used for the performance of the Agreement or other purposes.
Taking into account the circumstances set out in this part of the decision, the Inspectorate concludes that the Respondent has not proven that in the case at hand it was necessary for him to obtain and further process copies of the identity documents of the Applicants and their children with the data contained therein, therefore, by demanding copies of the identity documents and further processing the data contained therein, the Respondent has violated the principle of data minimisation set out in Article 5(1)(c) of the GDPR. Accordingly, the Complaint in this part shall be recognised as justified.
3. Regarding the implementation of the principles of accuracy, integrity and confidentiality, the Applicants believe that when placing an order on the website of the Respondent, they did not make any errors in the data, and that the errors in the children’s data (dates of birth) could have been introduced due to technical disruptions of the website. The applicants emphasize that even if the travel
7
https://kelioniuakademija.lt/asmens_duomenu_tvarkymas_ir_privatumo_politika?_gl=1*1eg7mlf*_up*MQ..*_gs*MQ
..&gclid=EAIaIQobChMIsbfE7oywkgMVWLCDBx0HgQEqEAAYASAAEgJEFvD_BwE&gbraid=0AAAAADm2kx7eynlE9K8Xjf
GiWn_1cq2mg
10
reservations had been made on the website,
the Respondent had and was obliged to verify the personal data of the travelers specified in the travel documents prepared by the Respondent against the copies of the passports received, thus ensuring the accuracy of the processing of personal data.
The Respondent emphasized in the Response that in the case of the Applicants, the Applicant 2, who concluded the Agreement:
(1) herself indicated inaccurate personal data (dates of birth) of the two tourists who planned to go on the trip;
(2) upon receiving the draft Agreement, she manually corrected the inaccurate days and months of birth of the two persons (children) going on the trip, but left their year of birth inaccurately indicated in the Agreement;
(3) provided the missing copies of the passports, which caused the incident, to the Respondent only on 2024-03-27, i.e. one month after the conclusion of the Agreement and less than three calendar days before the departure for the trip, when the Company had already completed all actions regarding the organization of the trip and there was no possibility to rectify the situation and to renew or adjust the plane ticket and hotel reservations made.
The Complainant concludes that it created conditions to avoid errors or at least to timely correct the errors made by the Applicants themselves, but due to the actions of the Applicants (indicating incorrect data, failing to correct the inaccurate birth years of two children when signing the Agreement, submitting copies of passports that could be used for data verification only immediately before the booked trip), the inaccuracies in the data were noticed too late, when it was no longer possible to correct the reservations made. Article 5(1)(d) and (f) of the GDPR stipulate that personal data must be: (d) accurate and, where necessary, kept up to date; all reasonable measures must be taken to ensure that personal data that are inaccurate, having regard to the purposes of their processing, are erased or rectified without delay (principle of accuracy); (f) processed in such a way that, by applying appropriate technical or organisational measures, appropriate security of personal data is ensured, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (principle of integrity and confidentiality).
Article 25(1) of the Law on Tourism establishes that a tourism service provider providing tourism services referred to in Article 3(1) of this Law shall be liable for any technical deficiencies in the booking system that have arisen due to its fault when concluding a contract for a package tour or assisting in the purchase of a package tour.
The Respondent submitted evidence – the Agreement signed by Applicant 2 on 26-02-2024, in which the year of birth of the Applicants’ children was incorrectly indicated, and in subparagraph 7.8 of which it is stated that the tourist assumes responsibility for the correctness and accuracy of his or her and other tourists’ personal data provided to the tour operator, and assumes responsibility for any losses incurred. In the Response, the Respondent neither confirmed nor denied whether technical malfunctions could have occurred in the Company’s system when Applicant 2 filled out the travel order online on 26-02-2024, which could have influenced the inaccuracies of the entered information, but emphasized that the Applicants were provided with the Agreement, in which Applicant 2 confirmed the correctness of the provided data with her signature and later did not submit any comments (claims) to the Respondent regarding the year of birth of the two tourists who are considered infants8 in the travel documents. According to the material received during the examination of the Complaint, it was established that the Contract
printed the same dates of birth of the Applicants’ children – 2024-02-26, which were corrected
by hand by correcting the month and day: [DATA NOT PUBLISHED] – 2024-10-29, [DATA
8 Not born in 2024
11
NOT PUBLISHED] – 2024-09-07. According to the date entered in the Contract, the Contract was signed on 2024 -02-26.
Attached to the Complaint is a letter sent by Applicant 2 to the representative of the Company on 2024 -02-28, to which
the signed Contract and copies of her and [DATA NOT PUBLISHED] passports
with the correct [DATA NOT PUBLISHED] date of birth are attached. The same letter
indicated that copies of [DATA NOT PUBLISHED] passports would be submitted later, respectively
these copies were submitted on 2024-03-27.
It was established that the inaccuracy9 in the travel documents indicated by the Applicant 2 on 2024-03-27 by e-mail to the Complainant was limited to the error that the document was invalid,
however, this information is not specified in the Agreement, while there is no evidence that
the Applicants had contacted the Complainant regarding the dates of birth of the children incorrectly specified in the Agreement or travel documents. It was established that in the travel documents sent to the Applicants on 2024-03-27, the dates of birth of both Applicants’ children remained
unchanged from the original version of the Agreement, i.e. the same birth date of both children is indicated – 2024-02-26, despite the fact that on 2024-02-28 the months and days of birth of the children were already corrected by hand in the Agreement and a copy of the identity document of one of the children was submitted, and on 2024-03-27 a copy of the identity document of the other child was also submitted.
When assessing the circumstances established in this part of the decision, the Inspectorate concludes that the Complainant has not proven that he has taken all reasonable measures to ensure that the personal data of the Applicants’ children are accurate, at least as specified in the Agreement signed by the Applicant 2, therefore it decides that the Complainant has violated the principle of accuracy set out in Article 5, Paragraph 1, Point d) of the GDPR, therefore the Complaint in this part is recognized as justified.
Nevertheless, in this situation, the Inspectorate also notes the negligence of the Applicants themselves,
since in the Agreement signed by the Applicant 2, only the months and days of birth of the children were corrected, but the year of birth remained uncorrected, and it was precisely the year of birth that had a fundamental
importance that the trip did not take place.
At the same time, the Inspectorate notes that the information received during the examination of the Complaint
does not constitute a basis for the Inspectorate to decide on a violation of the principle of integrity established in Article 5, paragraph 1, point f of the GDPR, i.e. whether the technical or organizational measures used by the Complainant could have influenced the entry of inaccurate data into the Agreement and travel documents.
4. Regarding the right to receive information, i.e. ensuring the principle of transparency
4.1. Regarding the provision of a third party’s privacy policy, the Applicants believe that the Respondent, by sending them the privacy policy of another person and without providing more detailed information about the role of this person in the processing of the Applicants’ personal data for the purpose of organising the trip, failed to ensure the principles of transparency and fairness (pursuant to Article 5(1)(a) and Article 12 of the GDPR). Meanwhile, the Respondent noted that the [DATA NOT PUBLISHED] privacy policy was forwarded to Applicant 2 for information purposes, as this company is a partner of the Applicant. Article 5(1)(a) of the GDPR states that personal data must be processed lawfully, fairly and transparently in relation to the data subject (principle of lawfulness, fairness and transparency). Article 12(1) of the GDPR provides that the controller shall take appropriate measures to provide the data subject with all information referred to in Articles 13 and 14 of the GDPR and any communication pursuant to Articles 15 to 22 and 34 of the GDPR relating to the processing of personal data in a concise, transparent, intelligible and easily accessible form, in a clear and plain language, in particular where the information is specifically addressed to a child. The information shall be provided in writing or by other means, including, where appropriate, electronic means. Point 39 of the GDPR provides that any processing of personal data should be lawful and fair. In applying the principle of transparency, individuals should be clear about how personal data relating to them are collected, used, accessed or otherwise processed, as well as the extent to which those personal data are or will be processed. According to the principle of transparency, information and communications relating to the processing of those personal data must be easily accessible and understandable, and presented in clear and plain language. Point 60 of the preamble to the GDPR states that the principles of fair and transparent data processing require that the data subject be informed of the data processing operation and its purposes. The data controller must provide the data subject with all additional information necessary to ensure fair and transparent data processing, taking into account the specific circumstances and context of the processing of personal data. Assessing the information provided by the Applicants and the Complainant and taking into account the legal regulation provided, the Inspectorate agrees with the Applicants and decides that the specified actions of the Complainant – the presentation of the privacy policy of a third person unknown to the Applicants during correspondence on the issues of the organized trip – were not clear and understandable to the Applicants in relation to the processing of the Applicants’ personal data for the purpose of organizing the trip, therefore the Inspectorate concludes that the actions of the Complainant specified in this part of the decision are to be assessed as a violation of the principle of transparency established in Article 5, paragraph 1, subparagraph a of the GDPR. Accordingly, the Complainant’s Complaint in this part is to be recognized as justified.
4.2. Regarding information on the recording of a telephone conversation, Article 5(1)(a) of the GDPR provides that personal data shall be processed lawfully, fairly and transparently in relation to the data subject (principle of lawfulness, fairness and transparency).
Article 13(1) of the GDPR provides that, where personal data are collected from a data subject, the controller shall provide the data subject with all the information referred to in Article 13(1) and (2) of the GDPR at the time of obtaining the personal data. The Article 29 Working Party’s Transparency Guidelines under Regulation 2016/679 (wp260rev.01) 10 explains that, taking into account the amount of information required to be provided to the data subject, controllers may apply a tiered approach by choosing a certain combination of transparency measures to be used. Such coordination is also relevant in the case where information on the processing is provided during a telephone conversation.
The complaint states that when the Complainant’s manager called Applicant 1 on his personal phone number on 2024-05-02, he was not provided with detailed information about the processing of personal data before the conversation began (i.e. who is recording the conversation, for what purpose the conversation is being recorded, where more detailed information about this processing of personal data can be found, etc.). The applicants believe that this violated the requirements set out in Articles 12 and 13 of the GDPR. Speaking about the telephone conversation with Applicant 1 described in the Complaint, the Complainant confirmed that such a conversation took place, that on 2024-05-02, in order to discuss the situation (due to the failed trip) and its possible solutions, the Complainant’s manager called Applicant 1. The Complainant indicates that at the beginning of the conversation, the caller introduced himself as the Complainant’s director (this circumstance is also indicated in the Complaint). This telephone conversation was not recorded from its very beginning. Later, the Complainant’s manager informed Applicant 1 that the subsequent conversation would be recorded, but technically the conversation was not recorded and such a recording of the conversation was not made, is not stored and is not processed. In the case under consideration, both the Applicants and the Respondent provide the same
information that the Respondent’s manager introduced himself at the beginning of the conversation and informed
that the conversation would be recorded, however, the Respondent denies the recording of the conversation,
about which he himself informed the Applicants.
In this case, the Inspectorate does not have
the possibility to determine whether the conversation was actually recorded or not, but according to Article 5(2) of the GDPR, it is the data controller who is
responsible for ensuring that the principles set out in paragraph 1 are complied with and must be able to prove
that they are complied with (principle of accountability).
Evaluating the circumstances established in this part of the decision, the Inspectorate concludes that
the Respondent admitted that, after informing about the recording of the conversation, he did not provide the Applicants with the information set out in Article 13 of the GDPR. Taking into account the conclusion made in this paragraph and the fact that the Complainant did not provide the Inspectorate with any arguments as to why he decided not to record the conversation and why he provided the Applicants with false information regarding the recording of the conversation, the Inspectorate decides that the Complainant, by such actions (omissions), violated not only the principle of transparency established in Article 5, paragraph 1, subparagraph a) of the GDPR, but also the principle of fairness, therefore the Applicants’ Complaint in this paragraph shall be recognized as justified. 5. Regarding the implementation of the right to access data The right to access data is regulated by Article 15 of the GDPR. Paragraph 1 of this Article establishes that the data subject has the right to obtain confirmation from the data controller whether personal data relating to him or her are being processed, and if such data are being processed, he or she has the right to access personal data and the information established in Article 15, paragraph 1, subparagraphs a – h of the GDPR. In accordance with Article 15(3) of the GDPR, the data controller shall provide a copy of the personal data being processed.
5.1. Regarding the Request of Applicant 1 dated 18 April 2024, Applicant 1 states and encloses evidence that he submitted the Request to the Complainant on 18 April 2024 and received the Response of the Complainant on 20 May 2024, and provides his arguments as to why the Response of the Complainant on 20 May 2024 is not satisfactory:
(1) the categories of data being processed were specified, but the actual significance of these data was not provided;
(2) the list of personal data being processed provided is incomplete, i.e. it is not specified that the photograph (image) in the passport copy, surname, content of correspondence with the Company’s employees, telephone conversation recording, etc. are being processed;
(3) false information is provided about data processing, i.e. copies of the Applicants’ passports were provided to the Complainant in two separate emails (2024-02-28 and 2024-03-27), and not only on 2024-03-27, as stated in the Complainant’s 2024-05-20 Response;
(4) since the 2024-05-20 Response was submitted after the one-month deadline specified in the GDPR.
Commenting on its actions regarding the response to the Applicant’s 2024-04-18 Request for access to the processed personal data, the Complainant indicates that it received the Applicant’s 2024-04-18 Request for information about the processing of personal data and submitted the 2024-05-20 Response to it.
The response draws attention to the fact that, contrary to what the Applicants claim, the monthly deadline specified in GDPR
14 was not violated when submitting the Response of 2024-05-20 to the Request of Applicant 1 of 2024-04-18, because 2024-05-18 was a Saturday – a non-working day. Article 1.121, Part 2 of the Civil Code of the Republic of Lithuania establishes that if the last day of the deadline falls on a non-working day or an official holiday, the end date of the deadline is the following working day. Thus, the response submitted on 2024 -05-20 (Monday) is submitted without violating the established deadline.
The Respondent emphasizes that it answered all the questions specified in the extremely extensive Request of Applicant 1 of 2024-04-18.
Assessing the information provided in the Complaint and the Response and the attached evidence in accordance with the arguments provided by Applicant 1, the Inspectorate draws the following conclusions:
(1) In the Response of 2024-05-20, the Respondent not only provided the categories of data processed by Applicant 1, but also indicated the following personal data of Applicant 1 that were actually processed: name, surname, personal identification number, date of birth, gender, citizenship, passport number, date and place of passport issue, passport expiration date, e-mail address and telephone number.
Contrary to what Applicant 1 claims about the failure to provide the bank account number and payment data, the Inspectorate has determined that the Response of 2024-05-20 only indicated that such data may be processed in accordance with the Privacy Policy, however, the scope of the processed data depends on the data received by the Company. In the case under consideration, according to the Contract, the buyer of the goods (travel) of the Complainant is Applicant 2, but not Applicant 1, therefore, the Inspectorate concludes that the Complainant does not process these Applicant’s data. (2) In this case, the Inspectorate agrees that the Complainant did not indicate either that it processes a copy of Applicant 1’s identity document or that it processes the data contained in the copy, nor did it provide information about correspondence with the Company’s representatives, i.e. it provided an incomplete list of processed data, although in the Request of 2024-04-18 Applicant 1 requested to provide a detailed list of my processed personal data, along with copies of the processed personal data. (3) 2024-05-20 The Response states that “copies of passports of all tourists going on a trip were submitted to the Academy only on 27 March 2024”, therefore the Inspectorate decides that this phrase of the Complainant cannot be considered false, because it was precisely after the submission of copies of the identity documents of the remaining two tourists on 27 March 2024 that the documents of all tourists were collected. At the same time, it should be noted that the right to access data is directed to the person who submitted such a request, but not to a group of persons, and according to the Complaint materials, a copy of the document of Applicant 1 was submitted precisely on 27 March 2024. Accordingly, the Inspectorate concludes that this argument of Applicant 1 regarding the improper implementation of the right to access should be rejected as unfounded. (4) In this case, the Inspectorate agrees with the explanations provided by the Complainant that the Response of 2024-05-20 to the Request of 2024-04-18 was submitted within the one-month deadline established by the GDPR, since 2024-05-18 / 19 were non-working days. Summarizing the circumstances established in this part of the decision, the Inspectorate concludes that the Complainant, by not providing detailed information in the Response of 2024-05-20 about the personal data processed by the Applicant 1, improperly implemented his right to access the data and by such actions violated Article 15(1) of the GDPR, therefore the Complaint in this part should be recognized as justified. 5.2. Regarding the Request of Applicant 2 dated 17 April 2024
The Complaint states that the Respondent did not respond to the Request of Applicant 2, as a data subject, dated 17 April 2024 for access to data.
The Complaint stated that it did not receive any request from Applicant 2 and notes that it only learned about the Request of Applicant 2 dated 17 April 2024 from the Complaint submitted to the Inspectorate.
15
The Complaint noted that on 17 April 2024, another participant of the trip booked by the Applicants submitted a request for information on the processing of personal data to the Complaint and that the Complaint responded to this request.
When assessing the actions of the Complainant regarding the implementation of the Request of Applicant 2 2024 -04-17 for access to data and taking into account the fact that: (1) the Request in pdf format 2024-04-17 was attached to the Complaint, which indicates the Company’s postal address, but no evidence was provided as to when and how it was sent, especially since at the end of the Request of 2024 -04-
17, Applicant 2 requests confirmation of receipt of this request, but such confirmation was not attached to the Complaint; (2) the Company indicated in the Response that it did not receive the Request of 2024 -04-17, but received the request of 2024-04-17 from another tourist who traveled with it, the Inspectorate has no grounds to conclude that the Complainant received the Request of Applicant 2 2024 -04-17, and accordingly has no grounds to conclude that it was obliged to respond to it.
Article 29, paragraph 1, point 4 of the ADTAĮ establishes that the supervisory authority shall adopt a decision to terminate the examination of a complaint or part thereof if, during the examination of the complaint or part thereof, it becomes apparent that the complaint or part thereof cannot be examined due to lack of information or other significant circumstances.
When assessing the circumstances established during the examination of the Complaint, namely that
the Inspectorate has no evidence that the Applicant 2 sent the Request of 2024 -04-17
to the Complainant, the Inspectorate concludes that the examination of the Applicants’ Complaint in this part
should be terminated on the basis of Article 29, Part 1, Point 4 of the ADTAĮ, i.e. due to the lack of information
and the inability to obtain such information.
In accordance with Article 31, Part 2, Point 1 of the ADTAĮ, in the event that the complaint or part thereof
is recognized as justified, the Inspectorate shall provide the data controller and/or the data processor with reasoned instructions, recommendations and/or apply other measures specified in Article 58, Part 2 of the GDPR, Article 33 of the ADTAĮ and other laws regulating the protection of personal data and
(or) privacy <…>. When deciding on the application of sanctions, point 129 of the GDPR preamble should be considered relevant, which states that each measure should be appropriate, necessary and proportionate to ensure compliance with the GDPR. When deciding on the imposition of sanctions on the Complainant, the Inspectorate takes into account the fact that the Inspectorate has not received any other complaints regarding the actions of the Complainant since 2020, as well as the fact that both parties are to blame for the inaccuracy of the data provided in the Agreement and travel documents. Meanwhile, the other violations of the Complainant identified in this decision cannot be assessed as serious due to their nature and severity. Assessing the circumstances established, the Inspectorate decides that the appropriate remedial measures for the violations of the principles of transparency and fairness, data minimization and accuracy set out in Article 5, Paragraph 1, Points a, c and d of the GDPR, as well as for the improper implementation of the right of access to data under Article 15, Paragraph 1 of the GDPR, are a reprimand issued in accordance with Article 58, Paragraph 2, Point b of the GDPR and an instruction issued in accordance with Article 58, Paragraph 2, Point c of the GDPR to properly respond to the Request for Access to Data of Applicant 1 by providing detailed information on the processing of Applicant 1’s personal data. Accordingly, for the violations of Article 81(2) of the ERM, the Respondent shall be ordered, pursuant to Article 12(2)(5) of the ADTA, to: (1) ensure that, prior to the use of its customers’ email contact details for direct marketing purposes, customers are given a clear and easily implementable opportunity to object to or opt out of such use of contact details for direct marketing purposes, including 16 surveys on the evaluation of goods or services; (2) cease the use of the Applicant’s 211 contact details for direct marketing purposes. The Inspectorate, taking into account the above and in accordance with Article 29, Paragraph 1, Point 4, Article 31, Paragraph 1, Point 1 and Paragraph 2, Point 1 of the same Article, Article 58, Paragraph 2, Points b and c of the GDPR and Article 12, Paragraph 2, Point 5 of the GDPR, has decided:
1. To terminate the examination of the Applicants’ Complaint in the part regarding the Applicant’s 2 2024-04-17 Request for access to the data.
2. To declare the Applicants’ Complaint justified in other parts.
3. To issue a reprimand to the Complainant for violations of the principles of transparency and fairness, data minimization and accuracy set out in Article 5, Paragraph 1, Points a, c and d of the GDPR.
4. Order the Complainant for the violation of Article 15(1) of the GDPR no later than 10-03-2026 to properly respond to the Request for Access to Data by Applicant 1, providing detailed information on the processing of Applicant 1’s personal data.
5. Order the Complainant for the violation of Article 81(2) of the EPR immediately, but no later than 10-03-2026:
5.1. Ensure that, before using their customers’ email contact details for direct marketing purposes, customers are given a clear and easily implementable opportunity to object to or refuse such use of their contact details for direct marketing purposes, including surveys on the evaluation of goods or services;
5.2. Terminate the use of Applicant 2’s contact details for direct marketing purposes.
6. Inform the Applicants and the Complainant about the decision.
This decision may be appealed to the Regional Administrative Court (address: Žygimantų g. 2, Vilnius) within one month from the date of its delivery in accordance with the procedure established by the Law on Administrative Proceedings of the Republic of Lithuania.
Director Dijana Šinkūnienė
11 The person being appealed indicated that he terminated the use of Applicant 1’s data for direct marketing purposes upon receipt of the Applicant 1’s 2024-04-18 Request
</pre>