The Lithuanian SA adopted a decision on the right to access data exercised by the financial institution

26 January 2023

Background information

  • Date of decision: 19 May 2022
  • National case
  • Controller: Financial institution
  • Legal references: The right of access to data (Art. 15 of GDPR)
  • Decision: The complaint was upheld


Summary of the Decision


Origin of the case

The Data Controller has refused to provide the data subject (client) with a copy of the requested records of telephone conversations (that took place between the client and the employee), indicating that it provides records of the conversation only to the extent that the data subject’s right to receive his or her personal data does not adversely affect the rights and freedoms of other persons.  It stated that the requested records contained a voice record of the employee and therefore it made it possible for the data subject to hear the records only upon arrival at the data controller’s premises.


Key Findings

The State Data Protection Inspectorate (hereinafter - the Inspectorate) assessed that the data controller had not demonstrated that the submission of the requested copies of the records would cause a negative impact on the rights and freedoms of others, only stated formally that, by forwarding the full record of the conversation, it would not be able to ensure the confidentiality of the data of other persons involved in the conversation and to protect itself from the spread of confidential information more than necessary. The Inspectorate noted that the employee of the Data Controller while performing the job functions assigned to him - answering customer calls by phone, has been informed that his voice recording is being made and for what purpose, as well as that his personal data are processed in accordance with the procedure laid down in the GDPR, and during the conversations requested, only those data that are related to the performance of the employee’s job functions - customer service - were discussed. The Inspectorate drew attention to the fact that the data controller did not provide it with any evidence that the requested audio record contained data relating to the data controller’s trade secrets, intellectual property rights or copyright, which could be regarded as an important circumstance due to which the data subject's right to access the data could not be exercised or would be only partially implemented.



The Inspectorate recognised the complaint lodged by the data subject as  well-founded and decided that such actions of the data controller, enabling the data subject only to hear the recordings of the requested conversations at the premises of the data controller without providing a copy of the records of those conversations are considered to be an improper implementation of Article 15(3) of the GDPR.

 For further information: Išnagrinėjus skundą priimtas sprendimas dėl finansų įstaigoje įgyvendinamos teisės
susipažinti su duomenimis

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.