In Lithuania, data-opening processes are under way, and it is important that they are carried out correctly from the beginning and that personal data are opened without breaching the personal data processing legislation established in the General Data Protection Regulation (GDPR).
The State Data Protection Inspectorate (VDAI), which supervises the application of the GDPR in order to guarantee adequate personal data protection in Lithuania, draws attention to possible breaches in personal data processing arising from personal data that have been shared and from the data-opening processes in progress.
“The aim of the Government is to provide structured data so that it is easy to access and comprehensible to the public. We are aware that data digitization is inseparable from today’s issues; for this reason it is very important that the process is carried out without obstacles,” affirms the Minister of Justice Evelina Dobrovolska.
According to Raimondas Andrijauskas, the VDAI director: “Actually, there are more and more situations in which organizations of open data face the problem of separation between open data and personal data.
It is our duty as the data protection supervisory authority to stress once again that personal data can only be involved in the process of opening data in strict compliance with GDPR requirements.”
Open data is data that can be freely used and shared by anyone for any purpose and that can be reused in open formats. Open data are various sets of organisations' primary information, published primarily in appropriate formats, such as CSV, XML or other structured data sets, or in geographic information systems, for manual or automated processing for analysis, research or any other purpose.
The processing of personal data, on the other hand, is subject to the requirements set out in the GDPR. Personal data must, firstly, be used only for the legitimate and specific purpose of which the person must be informed when his or her personal data are collected.
The organisation that processes personal data must ensure that they are adequately protected. Publishing data in an open format means that control of the data is completely lost, so if personal data were published in an open format, their protection mechanisms would not function properly. Therefore, personal data cannot, due to their nature, namely the right to privacy and the right to the protection of personal data, be considered as open or made public in open formats on the Internet.
The reuse of personal data is only possible in accordance with the GDPR.
The Open Data Directive (EU) 2019/1024 stresses that the re-use of personal data is only allowed in accordance with the purpose limitation principle laid down in the GDPR and the rules on further processing of personal data. Ensuring adequate protection of personal data is a condition for the reuse of personal data. For example, a law could be drawn up to provide that certain health data contained in public information systems may be used for research, provided that adequate safeguards are in place, such as authorisation, depersonalisation, pseudonymization, etc.
Publicly disclosed personal data may only be used for the purpose for which they were lawfully disclosed.
It is important to note that contact lists on public authorities’ websites, lists of students or pupils in educational institutions or any other set of personal data are not open data. Therefore, such publicly available personal data cannot be processed indefinitely. The publication of personal data, regardless of the legal basis for their publication, does not in itself confer the right to use them for indefinite and unlimited purposes. Every publication of personal data is made for a specific purpose; therefore, the published personal data can only be used for specific legitimate purposes and should not, for example, be collected and disclosed elsewhere without a legitimate and specific purpose.