✓ Estonia • Latvia • Lithuania — GDPR Compliance Hub

Baltic States GDPR Anonymization — Three Countries, One Platform

PII detection for Estonia, Latvia, and Lithuania — isikukood, personas kods, asmens kodas and 9 additional national document types, compliant with AKI, DVI, and VDAI requirements

Anonymize Now

🏛️ Three Data Protection Authorities

🇪🇪 Estonia — AKI

Authority: AKI (Andmekaitse Inspektsioon — Estonian Data Protection Inspectorate)

Applicable law: GDPR + Personal Data Protection Act (isikuandmete kaitse seadus, 2019)

Penalties: Up to EUR 20 million or 4% of global annual turnover

Specifics: Estonia is a digital-first state — e-Residency and X-Road data flows require strict PII controls. Isikukood is used in virtually all government services.

🇱🇻 Latvia — DVI

Authority: DVI (Datu valsts inspekcija — Data State Inspectorate)

Applicable law: GDPR + Personal Data Processing Law (Fizisko personu datu apstrādes likums, 2018)

Penalties: Up to EUR 20 million or 4% of global annual turnover

Specifics: Personas kods format changed in 2021 — both old (DDMMYY-NNNNN) and new (32XXXXXXXXX) formats must be detected. DVI actively enforces cross-border data transfers.

🇱🇹 Lithuania — VDAI

Authority: VDAI (Valstybinė duomenų apsaugos inspekcija — State Data Protection Inspectorate)

Applicable law: GDPR + Law on Legal Protection of Personal Data (amended 2018)

Penalties: Up to EUR 20 million or 4% of global annual turnover

Specifics: VDAI has issued significant fines for health data breaches. Asmens kodas encodes gender and birth date — particularly sensitive under GDPR Article 9.

The EU AI Act is the world's first comprehensive AI regulation. It reaches full applicability on August 2, 2026, requiring GPAI providers to document training data handling. Anonymizing PII before AI processing ensures Article 10 compliance.

NIS2 (Network and Information Security Directive 2) expands cybersecurity obligations across the EU. It applies to essential and important entities in 18 sectors. Compliance requires incident reporting within 24 hours and supply chain security measures.

Yes. Properly anonymized data falls outside GDPR scope (Recital 26). Since 2018, EU DPAs have imposed over €5.88 billion in fines. Anonymization reduces your data protection risk and simplifies DSAR responses.

🔍 12 Baltic PII entity types across 3 countries

Complete detection of Estonian, Latvian, and Lithuanian personal identifiers with algorithmic validation

Entity Code Country Format / Description Validation
Isikukood (Personal ID) EE_IK 🇪🇪 11 digits, GYYMMDDNNNN. G=gender+century (1–8), YYMMDD=birth date, NNN=sequence, last digit=checksum. Example: 38501011234 Weighted checksum algorithm
Estonian Driver License EE_DRIVER_LICENSE 🇪🇪 Estonian Transport Administration standard format Regex + length
Estonian ID Card EE_ID_CARD 🇪🇪 2 letters + 7 digits, e.g. AA1234567. New chip-ID issued since 2018. Police and Border Guard format
Estonian Passport EE_PASSPORT 🇪🇪 2 letters + 7 digits, ICAO 9303 compliant biometric passport ICAO 9303 regex
Personas kods (Personal Code) LV_PERSONAS_KODS 🇱🇻 11 digits. Old format: DDMMYY-NNNNN (dash separating birthdate from sequence). New format (post-2021): 32XXXXXXXXX. Example: 010185-12345 Checksum algorithm; both formats supported
Latvian Driver License LV_DRIVER_LICENSE 🇱🇻 Latvian Road Traffic Safety Directorate (CSDD) standard format Regex + length
Latvian ID Card LV_ID_CARD 🇱🇻 PA + 7 digits, e.g. PA1234567. Biometric eID card issued by PMLP (Office of Citizenship and Migration Affairs). PMLP format
Latvian Passport LV_PASSPORT 🇱🇻 2 letters + 7 digits, ICAO 9303 compliant biometric passport ICAO 9303 regex
Asmens kodas (Personal Code) LT_ASMENS_KODAS 🇱🇹 11 digits, GYYMMDDNNNK. G=gender+century (1–6), YYMMDD=birth date, NNN=sequence, K=checksum. Example: 38501011234. Encodes birth date and gender. Weighted checksum algorithm (Mod 11)
Lithuanian Driver License LT_DRIVER_LICENSE 🇱🇹 Lithuanian Road Administration (VĮ Regitra) standard format Regex + length
Lithuanian ID Card LT_ID_CARD 🇱🇹 8 digits, e.g. 12345678. Biometric ID card issued by the Migration Department. Migration Department format
Lithuanian Passport LT_PASSPORT 🇱🇹 2 letters + 7 digits, ICAO 9303 compliant biometric passport ICAO 9303 regex

📊 Real-Time Demo: Baltic Personal Codes Detected

See how our AI automatically identifies isikukood, personas kods, and asmens kodas across all three Baltic states

BEFORE (original text):
Estonia: Jaan Tamm, isikukood 38501011234, ID card AA1234567, Tallinn. Driver license EE12345678. Passport EE1234567. Latvia: Jānis Bērziņš, personas kods 010185-12345, ID card PA1234567, Rīga. Driver license LV12345678. Passport LV1234567. Lithuania: Jonas Kazlauskas, asmens kodas 38501011234, ID card 12345678, Vilnius. Driver license LT12345678. Passport LT1234567.
⬇️
AFTER (anonymized):
Estonia: [NAME], isikukood [EE_IK], ID card [EE_ID_CARD], Tallinn. Driver license [EE_DRIVER_LICENSE]. Passport [EE_PASSPORT]. Latvia: [NAME], personas kods [LV_PERSONAS_KODS], ID card [LV_ID_CARD], Rīga. Driver license [LV_DRIVER_LICENSE]. Passport [LV_PASSPORT]. Lithuania: [NAME], asmens kodas [LT_ASMENS_KODAS], ID card [LT_ID_CARD], Vilnius. Driver license [LT_DRIVER_LICENSE]. Passport [LT_PASSPORT].

Detected entities — all 3 countries:

  • EE_IK 38501011234 (Estonia)
  • EE_ID_CARD AA1234567
  • LV_PERSONAS_KODS 010185-12345 (Latvia)
  • LV_ID_CARD PA1234567
  • LT_ASMENS_KODAS 38501011234 (Lithuania)
  • LT_ID_CARD 12345678
  • NAME Jaan Tamm / Jānis Bērziņš / Jonas Kazlauskas
Try It Live

⚖️ Key GDPR Provisions for the Baltic States

Article 9 — Special Categories of Personal Data

The asmens kodas (Lithuania) and isikukood (Estonia) encode birth date and gender, making them potentially sensitive under Article 9. The personas kods (Latvia, old format) also embeds birth date. Systems that process these codes may be handling special category data without realizing it.

⚠️ Anonymization of national personal codes is required before sharing data with third parties in all three Baltic states

Article 17 — Right to Erasure

Data subjects in Estonia, Latvia, and Lithuania can request deletion of their personal data. Anonymization is a legally recognized equivalent — anonymized data is no longer personal data under GDPR.

Deadline: Without undue delay, at most within 30 days

Article 32 — Security of Processing

Controllers and processors must implement appropriate technical and organizational measures. Pseudonymization and anonymization are explicitly listed as appropriate safeguards in all three national GDPR implementations.

National Implementation Laws — Country-Specific Rules

  • Estonia (AKI): E-governance act mandates PII protection in all digital public services. X-Road data exchange platform data must be anonymized in logs.
  • Latvia (DVI): New personas kods format (post-2021) must be handled alongside the old format — systems must detect both. DVI actively investigates cross-border transfers.
  • Lithuania (VDAI): Specific provisions for health data (asmens kodas linked to health insurance). VDAI has imposed multi-million EUR fines in the healthcare and financial sectors.
  • All three: DPO mandatory for public authorities and large-scale data processors. ROPA records required for all controllers. 72-hour breach notification to respective DPA.

⚡ Common Data Protection Challenges in the Baltic States

🔴 Problem: Global tools miss Baltic personal codes

International DLP solutions focus on US SSN, UK NI, and EU passports. Estonian isikukood, Latvian personas kods, and Lithuanian asmens kodas — all with unique structural formats encoding birth date and gender — are systematically missed.

Solution: Country-specific NLP models with checksum validation for all three personal code formats including the new Latvian 32XXXXXXXXX format

🔴 Problem: Latvia's dual personas kods formats

Latvia changed its personal code format in 2021 from date-based (DDMMYY-NNNNN) to randomized (32XXXXXXXXX). Systems using only old format regex miss all new-format codes — covering anyone born after mid-2021 or who renewed their ID.

Solution: Dual-format detection supporting both old and new Latvian personas kods with automatic format detection

🔴 Problem: Estonia's digital-first infrastructure

Estonia's X-Road, e-Residency, and e-government services generate massive volumes of log data containing isikukood. These system logs often end up in analytics pipelines without anonymization, violating GDPR and AKI guidelines.

Solution: Automated log scrubbing with isikukood detection before data enters analytics or data warehousing systems

🔴 Problem: Cross-Baltic data sharing without anonymization

Companies operating across all three Baltic states share employee and customer data between entities. Personal codes from all three countries appear in shared HR, CRM, and finance documents without being anonymized first.

Solution: Simultaneous multi-country detection — one scan identifies EE, LV, and LT personal identifiers in a single document

See GDPR Anonymization In Action

Watch how anonym.legal detects EU personal data and anonymizes it

GDPR Compliance Across All Three Baltic States

Analyze • Anonymize • Audit

Start Free Now

Also from anonym.legal

Global Anonymization Platform → Legal Redaction Suite → Enterprise DLP for AI → Developer Privacy API → Compliance Command Center → Customer Data Protection → Privacy-as-a-Service →

Frequently Asked Questions

Estonia (AKI), Latvia (DVI), and Lithuania (VDAI) each enforce GDPR independently but cooperate under the EDPB consistency mechanism. Data transfers between Baltic states follow standard GDPR rules — no additional restrictions within the EU/EEA.

Estonian Isikukood (11 digits), Latvian Personas kods (11 digits, dash format), Lithuanian Asmens kodas (11 digits). All with Modulus-based check-digit validation.

Published by George Curta, Founder of anonym.legal ·