Transfer of personal data to third parties

Personal data are transferred to third parties if this is necessary for compliance with a legal obligation to which the Ministry is subject; also for the exercise of official authority vested in the Ministry of Finance or for other legitimate reasons.

Personal data processed by the Ministry of Finance may be transferred on the basis of requests from data recipients (in case of a one-off transfer) or on the basis of personal data transfer agreements concluded between the Ministry of Finance and data recipients (in case of a multiple transfer). A personal data transfer agreement must specify the purpose of the use of personal data, legal basis for transfer and receipt, conditions, procedure and scope of personal data transferred.

A request from the data recipient submitted to the Ministry of Finance for the transfer of personal data should include the following:

1. Specific and explicit purpose for receipt of personal data;

2. Legal act of the Republic of Lithuania or of the European Union and a specific provision thereof granting the right to the data recipient to receive personal data, if there is such a legal basis;

3. Lawful basis for receiving personal data laid down in Article 6(1) or Article 9(2) of Regulation (EU) 2016/679 or in the Republic of Lithuania Law on the Legal Protection of Personal Data Processed for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offences, the Execution of Criminal Penalties, or National Security or Defence, under which the data recipient is granted the right to receive personal data. Where personal data are requested pursuant to point (f) of Article 6(1) of Regulation (EU) 2016/679, the request should contain a detailed justification as to why legitimate interests of the data recipient are overridden by the interests or fundamental rights and freedoms of the data subject;

4. Specific scope of personal data requested (i.e. categories of personal data concerned, which specific personal data are requested and/or for which period) and a justification as to why these very specific personal data are necessary for the specific purpose of the processing of personal data. Requests for all available information on a person are not to be considered as specific requests.

In cases and by the procedure laid down by law, personal data are provided to third parties in accordance with the requirements of Regulation (EU) 2016/679:

1. Personal data of persons who have lodged a complaint with or a request to the Ministry for the purpose of processing a complaint or a request – to legal and natural persons;

2. Personal data of persons involved in the case, for the purpose of examining a dispute concerning the legality of the decision made by the Ministry – to courts, the Lithuanian Administrative Disputes Commission and its territorial units, the Labour Disputes Commission and other institutions authorised by the State to examine disputes;

3. Video-surveillance data (video data of persons who have entered the video-surveillance field of the Ministry), data on the control of access to the building in order to reveal criminal offences, administrative offences, to prove the damage caused by the damage to the employees of the Ministry, visitors to the Ministry or the property of the Ministry or as evidence in a pre-trial or other investigation, civil, administrative or criminal case or in other cases established by law – to pre-trial investigation bodies, prosecutor's office, courts, other legal and natural persons to whom the law grants the right to receive such data;

4. Data on media representatives for the purpose of examining a dispute concerning non-compliance with the principles of public information laid down in the Republic of Lithuania Law on the Provision of Information to the Public and other laws regulating the provision of information to the public – to the Office of the Inspector of Journalist Ethics, courts or other institutions authorised by the State;

5. Personal data of persons using the Ministry's Internet network (IP addresses, e-mail addresses (using unencrypted connection), email headers (using unencrypted connection), website addresses for the purpose of identifying cyber incidents – to the National Cyber Security Centre under the Ministry of National Defence;

6. Personal data processed by the Ministry which the Ministry is obliged to provide by law or which must be provided in the exercise of the functions vested with the Ministry – to managers and/or operators of state information systems and information systems of registers, state and municipal institutions, bodies, organisations and other persons.

Personal data processed by the Ministry of Finance may be provided to data processors who, on the basis of contracts, provide the Ministry of Finance with services of development, installation, modernisation, supervision and maintenance of information systems, services of data centres and similar services, as well as services of organisation of training, asset maintenance and servicing, servicing of delegations and the organisation of events, bibliographical and information services, also other services or other work, and, in that connection, process personal data on behalf of the Ministry of Finance. 

Data processors have the right to process personal data only in accordance with the instructions of the Ministry of Finance and only to the extent necessary for the proper fulfilment of the obligations laid down by law or service contracts, except for cases, when the processing of personal data by the data processor is regulated by law. Provisions relating to the processing of personal data and data protection are laid down by law and/or included in contracts concluded with data processors.