CNPD (Portugal) - Deliberação 2019/222: Difference between revisions

From GDPRhub
 
Line 72: Line 72:


<pre>
<pre>
DELIBERATION/2019/222


I - Report
The National Commission for Data Protection (CNPD) drafted, on January 7, 2019, a deliberation project, in which the defendant was charged with an administrative offense as stipulated and punishable under the combined provisions of paragraphs 1 and 2 of article 13, with subparagraph b) of paragraph 5 of article 83 of the Regulation (EU) 2016/679, of April 27, 2016 (General Data Protection Regulation - GDPR), punishable by a fine of up to 20 million euros or 4% of the annual turnover, whichever is higher.
Pursuant to the provisions of article 50 of the General Regime of Administrative Offenses and Fines, the defendant was notified of the content of the project and given the opportunity to present a defense, summarizing the following points:
The deliberation project is void because the defendant was not notified of the copy of the administrative offense report nor all the elements accompanying it to exercise their right of defense.
The defendant claimed that informational notices about the existence and operation of the video surveillance system were displayed, providing two photographs without identification of the day and time they were taken, although acknowledging that no such informational notice was placed on the exterior door of the building.
Therefore, the defendant argued for acquittal and consequent dismissal of the case, or, failing that, the application of a reprimand as a sanction.
The defendant submitted eleven documents and listed three witnesses.
II - Consideration
The CNPD is competent under the terms of subparagraph i) of paragraph 2 of article 58 of the GDPR, combined with paragraph 1 of article 21 and paragraph 1 of article 22, both from Law No. 67/98 of October 26, amended by Law No. 103/2015 of August 24 (hereinafter referred to as LPDP).
In light of the written defense presented by the defendant, it is necessary to consider the factual arguments and the respective legal grounds presented.
Preliminary Issue
Regarding the preliminary issue raised by the defendant, it can only be dismissed. This is because there is no legal provision requiring the administrative entity to notify the defendant of the notice of infraction and other elements that compose the case file. Indeed, if the defendant wished to access these elements, they could have requested to review and examine the file, which they never did.
Moreover, if the defendant, after being notified of the deliberation project, did not have knowledge of all necessary elements to understand all relevant aspects, both in fact and in law, they would not have been able to allege the facts stated in articles 12 to 41 of the written defense. Hence, the nullity raised by the defendant is dismissed.
The defendant did not contest the notice of infraction issued by the police authority, which confirms the facts it contains, and these are considered proven as per article 169 of the Code of Criminal Procedure, ex vi paragraph 1 of article 41 of the General Regime of Administrative Offenses and Fines ex vi article 35 of the LPDP.
Notably, the defendant also submitted two photographs that do not even have the date/time they were taken. Additionally, the defendant's written defense admits that no informational notice of the video surveillance system existed on the exterior door of the building they own.
Therefore, the defense's allegations do not challenge the factual framework established in the deliberation project, nor is any fact invoked that would constitute a cause for exclusion of guilt or illegality, thus maintaining the position already assumed.
Witnesses
The listed witnesses were not questioned because the contested facts are not relevant, and further clarification or contradiction is unnecessary. Therefore, any potential testimonies are irrelevant to discovering the material truth.
Proven Facts
Based on the elements in the case file, relevant to the decision, the following facts are considered proven:
1. The defendant holds the NIPC and is headquartered at
2. The defendant operates a business under the name, located at the aforementioned address.
3. On November 5, 2018, at 10:40 AM, following an inspection by the Public Security Police at the mentioned address, a functioning video surveillance system was found.
4. The system consists of 9 cameras and 1 recorder.
5. During the said inspection, it was found that there was no informational notice of the video surveillance system's operation displayed in a visible location or any other place.
6. The defendant acted freely, voluntarily, and consciously by not placing an informational notice about the existence of cameras allowing the visualization of images, failing to act with the due care required by law, and knowing it was likely against the law.
IV - Motivation for the Decisions on the Facts
The facts deemed established result from:
- The infraction report and the photographic report prepared by the police authority, found on pages 2 to 12 of the case file; and
The written defense of the defendant.
- Based on the established facts, it is sufficiently indicated that the defendant committed an infraction as stipulated and punishable under the combined provisions of paragraphs 1 and 2 of article 13, with subparagraph b) of paragraph 5 of article 83 of the GDPR, punishable by a fine of up to 20 million euros or 4% of the annual turnover, whichever is higher.
Determination of Fine
According to article 83, paragraph 1, subparagraphs a) to k) of the GDPR, the determination of the fine is based on the following criteria:
― Nature, gravity, and duration of the infraction: Considering the nature, scope, or purpose of the data processing in question, as well as the number of data subjects affected and the level of damage suffered by them, we are dealing with an infraction punishable by the most severe framework provided by the GDPR. The facts reveal a medium level of gravity. The exact number of data subjects affected by the defendant's conduct is unknown.
― Intentional or negligent character of the infraction: There is considered to be conscious negligence since the defendant did not fulfill the obligation to inform data subjects in the context of personal data processing resulting from video surveillance for the protection of people and property. The defendant did not even take care to ascertain the applicable legal framework, acting without the necessary care and knowing it was likely against the law. This is an essential right for data subjects, as other subjective rights in the processing operation are ultimately harmed by omitting the right to information (e.g., the right of access).
― Initiative taken by the controller to mitigate the damage suffered by data subjects: It is noted that the defendant sought to implement the General Data Protection Regulation, as evidenced by a declaration issued by a third party and submitted by the defendant.
― Degree of responsibility of the controller or processor considering the technical and organizational measures they have implemented under articles 25 and 32: This matter is not the subject of the present process.
― Any relevant previous infringements committed by the controller or processor: None are verified.
― Degree of cooperation with the supervisory authority to remedy the infringement and mitigate its potential adverse effects: The degree of cooperation is considered high, given the defendant's conduct toward the CNPD, which did not need to draft and enforce corrective measures.
― Categories of personal data affected by the infringement: The personal data processed do not fall into the special data categories outlined in paragraph 1 of article 9 of the GDPR.
― How the supervisory authority became aware of the infringement, especially if the controller or processor notified it, and to what extent: The infringement came to the CNPD's attention through the infraction report prepared by the police authority.
― Compliance with measures referred to in article 58, paragraph 2, if previously imposed on the controller or processor: This criterion does not apply as no corrective measures had been previously determined.
― Compliance with approved codes of conduct under article 40 or certification mechanisms under article 42: This criterion does not apply as there is no code of conduct or certification mechanism in place as mentioned.
― Any other aggravating or mitigating factor applicable to the circumstances of the case, under subparagraph k) of paragraph 2 of article 83 of the GDPR, such as financial benefits gained or losses avoided directly or indirectly through the infringement: A mitigating factor is that it is not determinable or measurable the economic benefit derived by the defendant.
- Based on the above considerations and criteria, a fine will be imposed accordingly.
As stated in the deliberation project, the infraction stipulated under the combined provisions of paragraphs 1 and 2 of article 13, with subparagraph b) of paragraph 5 of article 83 of the GDPR, is punishable by a fine of up to 20 million euros or 4% of the annual turnover, whichever is higher.
In this case, due to the absence of elements that allow inferring the defendant's turnover, the maximum applicable fine is set at €20,000,000.00 (twenty million euros).
Evaluating the established facts in light of the above-mentioned criteria and considering the inability to determine the economic benefit gained by the defendant as a result of the infraction, the CNPD, under article 58, paragraph 2, subparagraph i) of the GDPR, considers it appropriate to impose a fine of €2,000.00 (two thousand euros) on the defendant for the infraction stipulated and punishable under the combined provisions of paragraphs 1 and 2 of article 13, with subparagraph b) of paragraph 5 of article 83 of the GDPR.
V - Conclusion
In light of the above, the CNPD resolves to:
1. Impose a fine of €2,000.00 (two thousand euros) on the defendant for violating the right of information of the data subjects regarding the processing of personal data.
2. Inform the defendant, under the General Regime of Administrative Offenses and Fines, that:
a. The conviction becomes final and enforceable if not judicially appealed, under article 59 of the same statute.
b. In the case of a judicial appeal, the Court may decide through a hearing or, if neither the defendant nor the Public Prosecutor opposes, through a simple order.
The defendant must pay the fine within 10 days of its finalization, sending the respective payment slips to the CNPD. In case of inability to make timely payment, the defendant must communicate this fact in writing to the CNPD.
Lisbon, March 25, 2019
Signed:
José Grazina Machador (Reporter)
Luís Barroso
Pedro Mourão
Maria Teresa Naia
Filipa Galvão (President)
</pre>
</pre>

Latest revision as of 13:17, 10 July 2024

CNPD - DELIBERAÇÃO/2019/222
LogoPT.png
Authority: CNPD (Portugal)
Jurisdiction: Portugal
Relevant Law: Article 13(1) GDPR
Article 13(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 25.03.2019
Published: 25.03.2019
Fine: 2000 EUR
Parties: n/a
National Case Number/Name: DELIBERAÇÃO/2019/222
European Case Law Identifier: Processo n.º 10770/2018
Appeal: Unknown
Original Language(s): Portuguese
Original Source: CNPD (in PT)
Initial Contributor: n/a

Portuguese DPA rules that not posting signage about CCTV footage collection in covered areas represents a breach of the controller's information duties under article 13 GDPR

English Summary

Facts

The controller had installed in its facilities a video surveillance system with 9 cameras and 1 recorder. During an inspection to the facilities by the public police forces, officers found that no signage warning passers-by about the functioning of such a system was posted. The situation was reported to the Portuguese DPA.

Dispute

Is posting signage about CCTV footage collection mandatory under the GDPR? And should it contain all elements from article 13 GDPR?

Holding

The Portuguese DPA stresses that the controller should have known that it was obliged to post the aforementioned signage and that such signage should have contained all elements from article 13 GDPR. When deciding on the amount of the fine, the Portuguese DPA considered that the controller fully cooperated with the police forces' and the CNPD's investigations.

Comment

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.

DELIBERATION/2019/222

I - Report

The National Commission for Data Protection (CNPD) drafted, on January 7, 2019, a deliberation project, in which the defendant was charged with an administrative offense as stipulated and punishable under the combined provisions of paragraphs 1 and 2 of article 13, with subparagraph b) of paragraph 5 of article 83 of the Regulation (EU) 2016/679, of April 27, 2016 (General Data Protection Regulation - GDPR), punishable by a fine of up to 20 million euros or 4% of the annual turnover, whichever is higher.

Pursuant to the provisions of article 50 of the General Regime of Administrative Offenses and Fines, the defendant was notified of the content of the project and given the opportunity to present a defense, summarizing the following points:

The deliberation project is void because the defendant was not notified of the copy of the administrative offense report nor all the elements accompanying it to exercise their right of defense.
The defendant claimed that informational notices about the existence and operation of the video surveillance system were displayed, providing two photographs without identification of the day and time they were taken, although acknowledging that no such informational notice was placed on the exterior door of the building.
Therefore, the defendant argued for acquittal and consequent dismissal of the case, or, failing that, the application of a reprimand as a sanction.
The defendant submitted eleven documents and listed three witnesses.

II - Consideration

The CNPD is competent under the terms of subparagraph i) of paragraph 2 of article 58 of the GDPR, combined with paragraph 1 of article 21 and paragraph 1 of article 22, both from Law No. 67/98 of October 26, amended by Law No. 103/2015 of August 24 (hereinafter referred to as LPDP).

In light of the written defense presented by the defendant, it is necessary to consider the factual arguments and the respective legal grounds presented.

Preliminary Issue

Regarding the preliminary issue raised by the defendant, it can only be dismissed. This is because there is no legal provision requiring the administrative entity to notify the defendant of the notice of infraction and other elements that compose the case file. Indeed, if the defendant wished to access these elements, they could have requested to review and examine the file, which they never did.

Moreover, if the defendant, after being notified of the deliberation project, did not have knowledge of all necessary elements to understand all relevant aspects, both in fact and in law, they would not have been able to allege the facts stated in articles 12 to 41 of the written defense. Hence, the nullity raised by the defendant is dismissed.

The defendant did not contest the notice of infraction issued by the police authority, which confirms the facts it contains, and these are considered proven as per article 169 of the Code of Criminal Procedure, ex vi paragraph 1 of article 41 of the General Regime of Administrative Offenses and Fines ex vi article 35 of the LPDP.

Notably, the defendant also submitted two photographs that do not even have the date/time they were taken. Additionally, the defendant's written defense admits that no informational notice of the video surveillance system existed on the exterior door of the building they own.

Therefore, the defense's allegations do not challenge the factual framework established in the deliberation project, nor is any fact invoked that would constitute a cause for exclusion of guilt or illegality, thus maintaining the position already assumed.

Witnesses

The listed witnesses were not questioned because the contested facts are not relevant, and further clarification or contradiction is unnecessary. Therefore, any potential testimonies are irrelevant to discovering the material truth.

Proven Facts

Based on the elements in the case file, relevant to the decision, the following facts are considered proven:

1. The defendant holds the NIPC and is headquartered at

2. The defendant operates a business under the name, located at the aforementioned address.

3. On November 5, 2018, at 10:40 AM, following an inspection by the Public Security Police at the mentioned address, a functioning video surveillance system was found.

4. The system consists of 9 cameras and 1 recorder.

5. During the said inspection, it was found that there was no informational notice of the video surveillance system's operation displayed in a visible location or any other place.

6. The defendant acted freely, voluntarily, and consciously by not placing an informational notice about the existence of cameras allowing the visualization of images, failing to act with the due care required by law, and knowing it was likely against the law.

IV - Motivation for the Decisions on the Facts

The facts deemed established result from:

- The infraction report and the photographic report prepared by the police authority, found on pages 2 to 12 of the case file; and
The written defense of the defendant.

- Based on the established facts, it is sufficiently indicated that the defendant committed an infraction as stipulated and punishable under the combined provisions of paragraphs 1 and 2 of article 13, with subparagraph b) of paragraph 5 of article 83 of the GDPR, punishable by a fine of up to 20 million euros or 4% of the annual turnover, whichever is higher.

Determination of Fine

According to article 83, paragraph 1, subparagraphs a) to k) of the GDPR, the determination of the fine is based on the following criteria:

― Nature, gravity, and duration of the infraction: Considering the nature, scope, or purpose of the data processing in question, as well as the number of data subjects affected and the level of damage suffered by them, we are dealing with an infraction punishable by the most severe framework provided by the GDPR. The facts reveal a medium level of gravity. The exact number of data subjects affected by the defendant's conduct is unknown. 

― Intentional or negligent character of the infraction: There is considered to be conscious negligence since the defendant did not fulfill the obligation to inform data subjects in the context of personal data processing resulting from video surveillance for the protection of people and property. The defendant did not even take care to ascertain the applicable legal framework, acting without the necessary care and knowing it was likely against the law. This is an essential right for data subjects, as other subjective rights in the processing operation are ultimately harmed by omitting the right to information (e.g., the right of access). 

― Initiative taken by the controller to mitigate the damage suffered by data subjects: It is noted that the defendant sought to implement the General Data Protection Regulation, as evidenced by a declaration issued by a third party and submitted by the defendant. 

― Degree of responsibility of the controller or processor considering the technical and organizational measures they have implemented under articles 25 and 32: This matter is not the subject of the present process. 

― Any relevant previous infringements committed by the controller or processor: None are verified. 

― Degree of cooperation with the supervisory authority to remedy the infringement and mitigate its potential adverse effects: The degree of cooperation is considered high, given the defendant's conduct toward the CNPD, which did not need to draft and enforce corrective measures. 

― Categories of personal data affected by the infringement: The personal data processed do not fall into the special data categories outlined in paragraph 1 of article 9 of the GDPR. 

― How the supervisory authority became aware of the infringement, especially if the controller or processor notified it, and to what extent: The infringement came to the CNPD's attention through the infraction report prepared by the police authority. 

― Compliance with measures referred to in article 58, paragraph 2, if previously imposed on the controller or processor: This criterion does not apply as no corrective measures had been previously determined. 

― Compliance with approved codes of conduct under article 40 or certification mechanisms under article 42: This criterion does not apply as there is no code of conduct or certification mechanism in place as mentioned. 

― Any other aggravating or mitigating factor applicable to the circumstances of the case, under subparagraph k) of paragraph 2 of article 83 of the GDPR, such as financial benefits gained or losses avoided directly or indirectly through the infringement: A mitigating factor is that it is not determinable or measurable the economic benefit derived by the defendant. 

- Based on the above considerations and criteria, a fine will be imposed accordingly.

As stated in the deliberation project, the infraction stipulated under the combined provisions of paragraphs 1 and 2 of article 13, with subparagraph b) of paragraph 5 of article 83 of the GDPR, is punishable by a fine of up to 20 million euros or 4% of the annual turnover, whichever is higher.

In this case, due to the absence of elements that allow inferring the defendant's turnover, the maximum applicable fine is set at €20,000,000.00 (twenty million euros).

Evaluating the established facts in light of the above-mentioned criteria and considering the inability to determine the economic benefit gained by the defendant as a result of the infraction, the CNPD, under article 58, paragraph 2, subparagraph i) of the GDPR, considers it appropriate to impose a fine of €2,000.00 (two thousand euros) on the defendant for the infraction stipulated and punishable under the combined provisions of paragraphs 1 and 2 of article 13, with subparagraph b) of paragraph 5 of article 83 of the GDPR.

V - Conclusion

In light of the above, the CNPD resolves to:

1. Impose a fine of €2,000.00 (two thousand euros) on the defendant for violating the right of information of the data subjects regarding the processing of personal data.

2. Inform the defendant, under the General Regime of Administrative Offenses and Fines, that:

a. The conviction becomes final and enforceable if not judicially appealed, under article 59 of the same statute.

b. In the case of a judicial appeal, the Court may decide through a hearing or, if neither the defendant nor the Public Prosecutor opposes, through a simple order.

The defendant must pay the fine within 10 days of its finalization, sending the respective payment slips to the CNPD. In case of inability to make timely payment, the defendant must communicate this fact in writing to the CNPD.

Lisbon, March 25, 2019

Signed:
José Grazina Machador (Reporter)
Luís Barroso
Pedro Mourão
Maria Teresa Naia
Filipa Galvão (President)