GDPR and AI: What Lithuanian Businesses Must Know in 2026
TL;DR
- ✓ GDPR applies to every AI tool that touches personal data — you are responsible as data controller
- ✓ The EU AI Act's main deadline for high-risk AI is 2 August 2026
- ✓ Lithuania's VDAI (State Data Protection Inspectorate) enforces both GDPR and the AI Act
- ✓ Maximum combined fines: €35M or 7% of global turnover under the AI Act
Why GDPR matters more than ever for AI-powered businesses
When GDPR came into force in 2018, most Lithuanian businesses treated it as a box-ticking exercise — update the cookie banner, add a privacy policy, move on. AI changes everything. Modern AI systems are, at their core, data-processing engines. Every chatbot conversation, every AI-generated customer profile, every automated decision about a person — all of it is GDPR-regulated activity.
European regulators issued more GDPR fines between 2023 and 2026 than in the entire preceding five years combined. The enforcement focus has shifted from paperwork compliance to operational reality: do your systems actually process data lawfully, or do only your policies say they do?
For Lithuanian businesses, the stakes are real. The State Data Protection Inspectorate (VDAI — Valstybinė duomenų apsaugos inspekcija) has become more active, and with the EU AI Act adding a second regulatory layer from August 2026, the compliance landscape is the most complex it has ever been.
The 5 core GDPR principles that apply to AI
Article 5 of the GDPR sets out six principles for lawful processing. Five of them create direct, practical obligations for any business using AI:
Lawfulness, Fairness & Transparency
You need a legal basis for every piece of personal data your AI touches. Consent, contract, or legitimate interest — all must be documented. Users must know their data is being processed by AI.
Purpose Limitation
Data collected for one purpose cannot be silently fed into your AI for a different one. If you collected emails for invoicing, you cannot train a marketing model on them without fresh consent.
Data Minimisation
Your AI should use only the data it strictly needs. Feeding full customer profiles into a chatbot that only needs order status is a GDPR red flag regulators are actively targeting.
Accuracy
AI systems must not make decisions based on outdated or incorrect data. You are responsible for the quality of data fed to your AI — including data from third-party sources.
Storage Limitation & Security
Personal data cannot be kept indefinitely. Set retention limits, delete on schedule, and ensure your AI vendor meets security standards. Your processor agreements must document this.
EU AI Act overview: what changes in 2026
The EU AI Act is the world's first comprehensive AI regulation, and it applies to any business operating in the EU — including every company in Lithuania that uses, deploys, or imports AI systems. The rollout has happened in phases:
February 2025
AI literacy obligation (Article 4) in force. All staff using AI must receive appropriate training on how AI works, its risks and limitations. Already law.
August 2025
Obligations for providers of general-purpose AI models (like GPT-4o, Claude) took effect.
2 August 2026
Main compliance deadline. High-risk AI system rules come fully into force: risk management systems, data governance requirements, technical documentation, automatic activity logging, human oversight.
SME relief measures: The EU AI Act includes meaningful simplifications for smaller businesses. Simplified technical documentation templates, priority access to regulatory sandboxes (free for SMEs), and proportional fines. The definition of SME for AI Act purposes has been extended to companies with up to 750 employees and €150M annual revenue.
But "simplified" does not mean "exempt." If your business uses AI in a high-risk category — hiring, credit decisions, safety-critical functions — you face the same substantive requirements as large corporations. The simplification is in documentation format, not in obligations.
AI risk categories under the EU AI Act
The AI Act classifies every AI system into one of four risk levels. Your obligations depend entirely on which category your system falls into:
| Risk level | Examples | Rules |
|---|---|---|
| Prohibited | Social scoring by governments, real-time biometric surveillance in public, subliminal manipulation, exploiting vulnerabilities of specific groups | Completely banned in the EU — no exceptions |
| High-risk | HR recruitment & CV screening AI, credit scoring, safety-critical systems, medical diagnosis tools, educational assessment AI | Mandatory risk assessment, data governance, technical documentation, human oversight, registration in EU database |
| Limited-risk | Chatbots & virtual assistants, AI-generated content (deepfakes), emotion recognition systems | Must disclose to users that they are interacting with AI; deepfake content must be labelled |
| Minimal-risk | Spam filters, AI in video games, basic recommendation engines, AI-assisted grammar checkers | No specific EU AI Act obligations — standard GDPR and consumer law apply |
Most Lithuanian SMEs using off-the-shelf AI tools fall into the Limited-risk or Minimal-risk categories. However, if you use AI for hiring, lending decisions, or safety systems, you are in High-risk territory regardless of company size.
Lithuanian DPC: key requirements and enforcement
Lithuania's supervisory authority is the Valstybinė duomenų apsaugos inspekcija (VDAI) — State Data Protection Inspectorate. The VDAI is responsible for monitoring GDPR compliance and, from 2026, for coordinating AI Act enforcement alongside the national market surveillance authorities.
Key facts for Lithuanian businesses:
VDAI has published AI-specific guidance
The VDAI's FAQ on getting started with AI systems emphasises GDPR compliance from the design stage. It recommends conducting a DPIA before deploying any AI system that processes personal data at scale.
Biometric data is a priority area
The VDAI has published explicit guidelines on biometric data processing. Using facial recognition, voice recognition, or fingerprint data in AI systems without a strict legal basis is a high enforcement priority.
Cross-border coordination
Lithuania is an EU member state, meaning the VDAI coordinates with other EU data protection authorities through the EDPB. A complaint filed in any EU country about a Lithuanian business can trigger multi-jurisdictional enforcement.
Enforcement is accelerating
The pattern across EU DPAs in 2025–2026 is clear: regulators are increasingly targeting the gap between documented compliance programmes and actual operational data flows. Having a privacy policy is not enough — your systems must match your documents.
The 7 most common GDPR + AI mistakes Lithuanian businesses make
Based on common enforcement patterns across the EU and the VDAI's published guidance:
- Using customer emails or chat logs to train or fine-tune AI models without a clear legal basis and without informing users
- Assuming ChatGPT or another third-party AI tool handles GDPR compliance for you — as the data controller, you remain responsible
- Letting AI make legally significant decisions (credit, hiring, medical) without a human review process
- Forgetting to update your privacy policy to mention AI processing, third-party AI vendors, and automated decision-making
- No Data Processing Agreement with your AI vendor (OpenAI, Google, Anthropic, etc.) — Article 28 GDPR requires a written contract
- Skipping a DPIA for high-risk AI processing — required under Article 35 for systematic profiling, large-scale sensitive data, or novel technology
- Storing personal data in AI prompt logs, chat histories, or model outputs beyond the retention period stated in your policy
GDPR + AI compliance checklist for 2026
Use this as a starting point for your internal compliance review. Each item represents a documented, verifiable process — not just a policy statement.
- Documented legal basis for every personal data processing activity involving AI
- Privacy notice updated to include AI processing, third-party AI vendors, and automated decision-making
- Data minimisation reviewed: your AI uses only the data it strictly needs
- Data Processing Agreements signed with all AI vendors (OpenAI, Anthropic, Google, etc.)
- Data retention limits set, documented, and enforced — including AI-generated outputs
- Subject access request process extended to cover AI-processed data and AI-generated profiles
- Human review process in place for AI decisions with legal or significant personal effects
- EU AI Act risk classification completed for each AI system your business uses or deploys
- DPO appointed if required (public authority, large-scale systematic monitoring, sensitive data at scale)
- Staff AI literacy training documented (required under EU AI Act Article 4 since February 2025)
- DPIA completed for high-risk AI processing activities
Need help working through this checklist? Browse AI compliance solutions on RaskAI or find a verified compliance specialist.
When you need a Data Protection Officer (DPO)
A Data Protection Officer is a mandatory role under Article 37 of the GDPR in three situations:
- Public authority: Your organisation is a public authority or body (government, municipality, public agency).
- Large-scale systematic monitoring: Your core business activity involves large-scale, regular, and systematic monitoring of individuals — for example, employee monitoring AI, customer behaviour tracking, or location profiling.
- Special category data at scale: Your core business involves large-scale processing of special category data (health, biometrics, genetic data, political opinions, religion, sexual orientation) or criminal conviction data.
If you do not meet any of these thresholds, a DPO is not legally required — but many Lithuanian businesses voluntarily appoint one (or a shared DPO through a service provider) when deploying significant AI systems. The cost is typically far lower than the cost of a VDAI investigation.
Note: The DPO must be independent, cannot be instructed on how to perform their duties, and cannot be penalised for doing their job. A DPO can be an employee or an external contractor.
How to get compliant: practical steps
Compliance with both GDPR and the EU AI Act is not a one-time project. It is an ongoing operational practice. Here is a practical sequence for a Lithuanian SME starting from scratch:
Inventory your AI systems
List every AI tool your business uses — ChatGPT, Copilot, an AI CRM, email tools with AI features, etc. For each one, identify what personal data it processes and for what purpose.
Classify by EU AI Act risk level
For each system, determine whether it is Prohibited, High-risk, Limited-risk, or Minimal-risk. Your HR AI, customer scoring, or safety systems need immediate attention if they are High-risk.
Establish legal basis for each processing activity
Document why you process data in each AI system. Update your Records of Processing Activities (ROPA) — this is a GDPR Article 30 requirement that must reflect actual AI data flows.
Sign Data Processing Agreements
Contact your AI vendors and sign or review DPAs. OpenAI, Google, Microsoft, and Anthropic all offer standard DPAs, but you must actively enter into them; they do not apply automatically.
Run DPIAs for high-risk processing
For any AI system that falls into high-risk GDPR territory (Article 35), conduct a Data Protection Impact Assessment before or shortly after deployment. The VDAI can request to see these.
Update your privacy notice
Add clear, plain-language information about AI processing, the categories of data used, any automated decision-making, and how individuals can exercise their rights.
Train your team
EU AI Act Article 4 AI literacy training is already mandatory. Document who was trained, when, and on what. This is one of the first things an inspector will ask for.