


The Lithuanian Supreme Administrative Court has ruled on the supremacy of the application of the GDPR over national law

published on 27 April 2022 | reading time approx. 5 minutes

During a planned inspection in 2020 of an institution providing pre-school and pre-primary education, the State Data Protection Inspectorate found that an Educational Institution collected data such as the parents' place of work, the schedules of the parent's place of work, and the fact of the child's attendance at the medical facility.

During a planned inspection in 2020 of an institution providing pre-school and pre-primary education (hereinafter referred to as the “Educational Institution”), the State Data Protection Inspectorate (hereinafter referred to as the “Inspectorate”) found that the Educational Institution collected such data as the parents' (guardians') place of work, the schedules of the parent's (guardian's) place of work, and the fact of the child's attendance at the medical facility in order to find out the reasons for child's non-attendance at the Educational Institution, if the non-attendance lasted for more than 10 working days. The Educational Institution acted in accordance with the description of the procedure for setting the fee for child maintenance in Vilnius City Municipality schools implementing pre-school and pre-primary education programs, approved by the Vilnius City Municipal Council (hereinafter referred to as the “Description”).

In the light of the findings of fact, on 18 December 2020 the Inspectorate adopted a decision (hereinafter referred to as the “Decision”), according to which the Educational Institution had infringed the principles of data minimization and purpose limitation of the GDPR, and obliged the Educational Institution: (1) not to collect documents from the child's parents/guardians justifying the reason for non-attendance at the Educational Institution for the purpose of calculating the amount of the fee payable for the Educational Institution; (2) to revise the operational records with regard to the scope of the data to be processed, taking into account the conclusions of the Inspectorate's Decision on the scope of the personal data that can be processed for these purposes; and (3) to inform the Inspectorate of the implementation of the instructions by submitting supporting evidence. The Inspectorate also informed the Educational Institution that in case of non-compliance with the above-mentioned obligations, the Inspectorate will have the right to initiate administrative offence proceedings against the Educational Institution.

The Educational Institution disagreed with the Inspectorate's Decision and appealed to the court. In the appeal it stated that by implementing the Decision it would violate the normative legal act – the Description, which is binding on the Educational Institution. According to the Educational Institution, it would thus be exceeding the powers conferred on it and the Head of the Educational Institution could be held liable as a result of such a violation, since he would be in breach of the established internal procedures by implementing the Decision. The Educational Institution also pointed out that the Decision does not justify the finding that the collection and processing of mentioned additional data is disproportionate to the objective pursued and reveals redundant data, and added that without obtaining such data, it would be difficult to establish the reasons for the child's non-attendance. Lastly, the Educational Institution stated that it was justified in collecting the data supporting the reasons for non-attendance and in following the provisions of the Description, and that the Inspectorate's Decision was unlawful as it did not consider the welfare, health and factual circumstances of the children attending the Educational Institution.

In its response to the complaint, the Inspectorate noted that the collection and processing of the aforementioned data (parents'/guardians' workplace, parents'/guardians' work schedules, the fact that the child has visited and when he/she has visited a medical institution) is disproportionate to the purpose pursued and stated that the processing of personal data carried out by the Educational Institution is not in line with the principles of purpose limitation and data minimization set out in GDPR.

The interested third party, Vilnius City Municipality, supported the complaint of the Educational Institution and requested that it be upheld. Vilnius City Municipality stated that the Inspectorate had unjustifiably obliged the Educational Institution not to comply with the Description, as it is valid and its norms are binding for all kindergartens in Vilnius. The interested third party also noted that upholding the Decision would not only lead to an unjustified finding that the applicant had infringed the requirements of the GDPR, but would also restrict the child's right to education and proper health care, and would fail to ensure that the kindergarten's finances were properly managed. Finally, Vilnius City Municipality accepted the argument of the Educational Institution that the head of the Educational Institution would be in breach of the internal procedures if he or she failed to comply with the provisions of the Description.

The Vilnius Regional Administrative Court dismissed the complaint. The Court emphasized that the principle of data minimization, meaning that personal data processed must be adequate, relevant and limited to what is necessary for the purposes they are processed, is of particular relevance in the present case. This purpose limits the scope of the data processed. The Court noted that the Court of Justice of the European Union has held that the GDPR is of a general nature and directly applicable in all Member States, which makes it, by its very nature and its place in the system of sources of European Union law, immediately effective and capable of conferring on natural persons rights which national courts are obliged to uphold.

The direct applicability of the GDPR means that its entry into force and its favorable or unfavorable application to certain legal entities is not dependent on the adoption of any national legislative measures, since strict compliance with this obligation is a sine qua non for the simultaneous and uniform application of the regulations throughout the European Union. The Court also emphasized that, according to the interpretations of the Lithuanian Supreme Administrative Court (hereinafter referred to as the “LSAC”), where the same legal relationship is governed by the provisions of both a regulation and national law, the provisions of the regulation are to be applied in the first place. It is the regulation which is the main legal act in such a case, and which is directly applicable to the rules laid down therein. The Court also noted that, in the present case, the head of the Educational Institution could potentially be held liable not for the infringement of the provisions of the Description, but rather for the infringement of the principles laid down in the GDPR.

The Educational Institution appealed to the LSAC, but on 2 February 2022 the panel of judges of the LSAC rejected this appeal and upheld the decision of the first instance court. After assessing the rule on the limits of the appeal, the LSAC considered only the supremacy of the application of the GDPR over national law and held that the GDPR is an act of direct application of European Union law and ensures the uniform application of European Union law in all Member States. The LSAC supported its decision by the judgment of the Grand Chamber of the Court of Justice of the European Union of 25 June 2019 in Case C-573/17 Daniel Adam Popławski, where it was held that each national court, in its capacity as an institution of a Member State, is obliged, when dealing with a case falling within its jurisdiction, not to apply any provision of national law which is contrary to a rule of European Union law which is directly applicable to the case before it. In accordance with the above-mentioned, the LSAC held that the Inspectorate was not obliged to assess the compliance of the Description with the GDPR and to declare its contravention to the GDPR. However, according to the LSAC, the Inspectorate was obliged to qualify the found infringement directly under the provisions of the GDPR.

It is worth mentioning that as soon as the Inspectorate carried out the planned inspection, it immediately addressed the Vilnius City Municipal Council with a proposal to amend the provisions set out in the Description. However, the clauses of the Description that have been found to be in breach of the provisions of the GDPR are not yet in compliance with the GDPR requirements, although the Description has already been amended 7 times since its approval in December 2019. It is to be hoped that the above-mentioned decision of the LSAC will be the impetus that is needed to make corrections to the Description, eliminating the inconsistency of its provisions with the GDPR.

DATA PROTECTION BITES

CONTACT


Laima Nevarauskaitė
