CNPD (Portugal) - Deliberação 2022/1072
Latest revision as of 16:54, 6 December 2023
| CNPD - 2022/1072 | |
|---|---|
| Authority: | CNPD (Portugal) |
| Jurisdiction: | Portugal |
| Relevant Law: | Article 9(1) GDPR; Article 12 GDPR; Article 13 GDPR; Article 28(1) GDPR; Article 28(6) GDPR; Article 28(7) GDPR; Article 35(1) GDPR; Article 35(2) GDPR; Article 35(3) GDPR; Article 44 GDPR; Article 46(2) GDPR; Article 83(3) GDPR; Article 83(4)(a) GDPR; Article 83(5)(a) GDPR; Article 83(5)(b) GDPR; Article 83(5)(c) GDPR; Article 19 Decree-Law 433/82 |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | 19.04.2021 |
| Decided: | |
| Published: | 12.12.2022 |
| Fine: | €4,300,000 |
| Parties: | Instituto Nacional de Estatística |
| National Case Number/Name: | 2022/1072 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Portuguese |
| Original Source: | CNPD (in PT) |
| Initial Contributor: | Mgrd |
The Portuguese DPA (CNPD) fined the Portuguese National Statistics Institute (INE) €4,300,000 for multiple GDPR violations. Among other things, the Institute processed special categories of personal data without a legal basis, did not conduct a proper DPIA, provided insufficient information about its processing operations, and engaged a US-based processor without due diligence, resulting in unlawful transfers to third countries.
English Summary
Facts
The National Statistics Institute (Instituto Nacional de Estatística), Portugal's national statistical authority and the controller, organised a census operation ("Census 2021"), which took place between 19 April and 31 May 2021. The controller sent data subjects in Portugal forms (both paper and digital) containing questions that were mandatory to answer. Providing inaccurate information or not answering at all was punishable by a fine of between €500 and €25,000. The goal of the census was to obtain information on the entire population and housing stock of Portugal. By 26 April 2021, the controller had received 2.5 million submitted forms, concerning the personal data of more than 6 million data subjects.
Between 17 April and 7 May 2021, the DPA received a large number of complaints relating to the census. The DPA investigated the controller and reached several findings. It found, for instance, that the forms asked about health problems and religious beliefs without making clear whether answering those questions was mandatory. It also found that the controller did not provide sufficient information about its processing in general and did not conduct a proper DPIA: the DPIA that existed covered only four processing operations. The investigation further revealed that the controller had engaged Cloudflare Inc., a company located in the United States offering content delivery network and internet security services, by simply subscribing online to its service. Under the hosting contract, the controller authorised Cloudflare to process personal data outside the European Economic Area (EEA) and to send it to any of the 200 servers used by Cloudflare Inc., potentially located in countries without an adequate level of protection for personal data, and expressly authorised the transfer of personal data to the USA. The contract also authorised onward subcontracting by Cloudflare. The DPA assessed the technical workings of the Cloudflare service and determined that, once data had entered Cloudflare's network, it was impossible for the controller to know where it would be stored. Recalling the Schrems II judgment, the DPA also noted that US law does not provide a level of protection for personal data equivalent to that guaranteed by the GDPR.
Holding
The DPA found that the forms requested special categories of personal data, specifically data on health problems and religion, without making clear whether providing it was optional or mandatory. The DPA held that the controller lacked a legal basis for collecting this data and had therefore violated Article 9(1) GDPR, through negligence. It fined the controller €1,600,000 pursuant to Article 83(5)(a) GDPR and classified the violation as one of high gravity.
The DPA also found that the controller did not provide clear, prominent and easily accessible information that would enable data subjects to understand the circumstances of the processing. This information was provided neither in the forms, nor on the main webpage, nor via a hyperlink. This amounted to a violation of Articles 12 and 13 GDPR, also committed through negligence. The DPA fined the controller €1,600,000 pursuant to Article 83(5)(b) GDPR, again classified as a violation of high gravity.
The DPA further fined the controller €200,000 pursuant to Article 83(4)(a) GDPR for violating the rules on engaging processors (Articles 28(1), 28(6) and 28(7) GDPR), the processor in this case being Cloudflare Inc. The controller had simply subscribed online to Cloudflare's service, without any negotiation of terms and without any due diligence on its part. The DPA held that this violation was committed intentionally.
The DPA imposed a further fine of €2,400,000 pursuant to Article 83(5)(c) GDPR for breach of the regime on international transfers of personal data (Articles 44 and 46(2) GDPR): the service contracted by the controller did not meet the legal requirements for transferring data to a third country. The DPA classified this violation as one of high gravity and held that it too was committed intentionally.
Lastly, the DPA fined the controller €400,000 pursuant to Article 83(4)(a) GDPR for failing to conduct a proper DPIA, in violation of Articles 35(1), 35(2) and 35(3)(b) GDPR. The DPIA provided by the controller was limited and insufficient in scope: it did not cover the entire processing, or even the relevant dimensions of the processing operations. The DPA held that this violation was also committed intentionally.
The fines combined amounted to €6,500,000. However, after legal cumulation of the offences pursuant to Article 83(3) GDPR and Article 19 of Decree-Law 433/82, the DPA imposed a single fine of €4,300,000.
Comment
During Census 2021 itself, the CNPD had already received several complaints, immediately opened an investigation and ordered the suspension of the sending of personal data from the census operation to the USA and other third countries without an adequate level of protection (see Deliberation/2021/533).
English Machine Translation of the Decision
The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.
DELIBERATION/2022/1072
I. Report
1. The National Commission for Data Protection (hereinafter "CNPD") prepared Draft Deliberation/2021/22, of 19 October 2021, in which it charged the National Institute of Statistics, I.P. (hereinafter "INE") with committing, as material author and in consummated form, ten administrative offences arising from the violation of various provisions of Regulation (EU) 2016/679 of 27 April 2016 - General Data Protection Regulation (hereinafter "GDPR"), relating to personal data processing activities carried out in the context of the "Census 2021" census operation, namely:
a. An offence provided for and punished by the combined provisions of Article 5(2) and Article 83(5)(a), both of the GDPR, with a fine of up to €20,000,000 or up to 4% of annual turnover, for violation of the accountability principle;
b. An offence provided for and punished by the combined provisions of Article 5(1)(a) and Article 83(5)(a), both of the GDPR, with a fine of up to €20,000,000 or up to 4% of annual turnover, for violation of the principle of lawfulness, fairness and transparency;
c. An offence provided for and punished by the combined provisions of Article 9(1) and Article 83(5)(a), both of the GDPR, with a fine of up to €20,000,000 or up to 4% of annual turnover, for violation of the prohibition on processing special categories of personal data;
d. An offence provided for and punished by the combined provisions of Article 5(1)(c) and Article 83(5)(a), both of the GDPR, with a fine of up to €20,000,000 or up to 4% of annual turnover, for violation of the principle of data minimisation;
e. An offence provided for and punished by the combined provisions of Article 32(1) and Article 83(4)(a), both of the GDPR, with a fine of up to €10,000,000 or up to 2% of annual turnover, for failure to apply personal data security measures;
f. An offence provided for and punished by the combined provisions of Articles 12 and 13 and Article 83(5)(b), both of the GDPR, with a fine of up to €20,000,000 or up to 4% of annual turnover, for violation of the duties to inform data subjects;
g. An offence provided for and punished by the combined provisions of Article 28(1), (6) and (7) and Article 83(4)(a), both of the GDPR, with a fine of up to €10,000,000 or up to 2% of annual turnover, for breach of the rules applicable to engaging processors;
h. An offence provided for and punished by the combined provisions of Article 44, Article 46(2) and Article 83(5)(c), all of the GDPR, with a fine of up to €20,000,000 or up to 4% of annual turnover, for violation of the transfer regime;
i. An administrative offence provided for and punished by the combined provisions of Article 35(1), (2) and (3)(b) and Article 83(4)(a), all of the GDPR, with a fine of up to €20,000,000 or up to 4% of annual turnover, for breach of the obligation to carry out a data protection impact assessment;
j. An offence provided for and punished by the combined provisions of Article 37(7) and Article 83(4)(a), both of the GDPR, with a fine of up to €20,000,000 or up to 4% of annual turnover, for breach of the duty to communicate to the supervisory authority the designation of the Data Protection Officer (hereinafter "DPO").
2. The Defendant was notified of the content of the said Draft Deliberation and invited, if it so wished, to present a defence (cf. Article 50 of Decree-Law No. 433/82 of 27 October (General Regime of Administrative Offences and Fines, hereinafter "RGCO")).
3. The Defendant, in response, alleges, in short, that:
i. The CNPD does not have the power to supervise INE, because its powers have to be exercised ex ante within the organic-institutional framework of the Superior Statistics Council;
ii. The Draft Deliberation is void for failure to set out the facts underlying the attribution of the alleged offences to the Defendant;
iii. The Draft Deliberation is inadmissible for lack of prior warning, under Article 39(3) of Law No. 58/2019 of 8 August;
iv. The Draft Deliberation violates the technical independence of the Defendant and as such must be declared null;
v. The Defendant cannot be punished twice for the same act;
vi. The data processing was lawful;
vii. The Defendant did not violate the principle of minimisation in the operations considered optional;
viii. The Defendant complied with the duties to inform data subjects;
ix. The Defendant did not breach the duties of due diligence in choosing its processor;
x. There was no transfer of data to third States, so the Defendant did not violate the data transfer regime;
xi. The Defendant was not required to carry out a Data Protection Impact Assessment, since the assessment had already been made in Authorisation No. 2600/2011, issued by the CNPD, which was not subject to any alteration;
xii. The DPO's contact details were communicated to the supervisory authority on 22 May 2018.
The Defendant requests waiver of the fine, pursuant to Article 44(2) of Law No. 58/2019 of 8 August.
4. As the CNPD detected that the copy of the file sent by e-mail on 24 January 2022 did not include the evidence collected and attached to Information 2021/109 of 16 September 2021, that evidence was sent by order of 15 September 2022, granting a new deadline for the defence.
5. On 29 September 2022, the Defendant responded, stating that it maintained its previous defence.
II. Assessment
6. The CNPD is competent under Article 57(1)(a) and Article 58(2) of Regulation (EU) 2016/679 of 27 April 2016 - General Data Protection Regulation (GDPR), in conjunction with Article 3, Article 4(2) and Article 6(1)(b), all of Law No. 58/2019 of 8 August (LERGPD).
7. It should also be said that, in everything not provided for in the LERGPD, the RGCO applies on a subsidiary basis (pursuant to Article 45 of that law).
8. In view of the Defence presented by the Defendant, the arguments of fact and law set out therein must be assessed. Thus:
i. On the incompetence of the CNPD to supervise INE
9. The Defendant begins by alleging, in points 7 to 16 of its Defence, an argument later developed in points 39 to 148, that the CNPD "[...] had the opportunity to exercise its powers of ex ante control, within an organic-institutional framework specifically shaped for the purpose of integrating the contributions of the CNPD regarding matters relating to the processing of personal data in the context of the census operation", "but chose to act outside the institutional framework established for that purpose and contrary to the deliberations adopted by the bodies in which it is integrated - and to which it should be considered bound -, attributing ex post the practice of a set of infractions which - had they been verified, which is not conceded - the CNPD itself should ex officio have contributed to anticipate and prevent." (points 14 and 15 of the Defence).
10. It is important, first of all, to clarify the misunderstanding under which the Defendant labours in its Defence, perhaps the result of its poor understanding of the legal regime for the protection of personal data to which it is subject.
11. The legally foreseen participation of the CNPD in the Superior Statistics Council (CSE) is restricted to the powers of that body, which are provided for in Article 13 of the Law on the National Statistical System (Law No. 22/2008 of 13 May). The Defendant highlights, in point 43 of its Defence, two of these competences, although incompletely, thus misrepresenting their real scope, which is why the wording of these two competences is reproduced here: "To define and approve the general lines of official statistical activity and respective priorities;" "Formulate recommendations in the context of defining methodologies, concepts and statistical nomenclatures for the use of administrative acts for the production of official statistics and ensure their application".
12. Now, an interpretation of that legal instrument that would lead to the conclusion that, regarding the processing of personal data carried out by INE within the scope of its statistical activity, the CNPD must exercise the powers conferred by the GDPR and the LERGPD only within the Superior Statistics Council, would mean the exclusion of those processing operations from the successive supervisory and corrective powers that the GDPR explicitly assigns to any national supervisory authority - cf. Article 58(1) and (2) of the GDPR -, an exclusion that the national legislator did not provide for and which, moreover, would not be admissible in the national legal framework vis-à-vis European Union law.
13. What the Defendant persists in ignoring is that the function of the CNPD is, since the application of the new legal data protection regime, essentially one of supervision or successive control of the processing of personal data, with prior control focusing on generic guidelines regarding the processing of personal data.
14. It is true that the CNPD has some competences in terms of concrete prior control (listed in Article 58(3) of the GDPR), but the essential part of these competences presupposes the initiative of the controller, upon submission of an application to the CNPD, in accordance with the principle of accountability enshrined in Article 5(2) and Article 24 of the GDPR.
15. In any case, within the scope of meetings of the CSE and its sections, the function of the CNPD is not, strictly speaking, one of supervision or prior control of the processing of personal data carried out by INE, but only that of contributing its specialised knowledge and experience in the application of the principles and rules of personal data protection to the definition of the general lines of statistical activity, as well as of the methodologies, concepts and statistical nomenclatures for the use of administrative acts for the production of official statistics. In particular, within this body, the CNPD contributed to establishing, between INE and the relevant public entities, a procedure for accessing data on citizens in order to streamline the 2021 census operation and mitigate the impact on the rights of data subjects, promoting the pseudonymisation of the data, a contribution that, after all, was not used.
16. For this reason, and also because neither the GDPR nor national and European legislation relating to statistical activity removes statistical operations from the personal data protection regime - rectius, because this legislation expressly safeguards the personal data protection regime -, the powers of the CNPD remain untouched, whether in the context of prior control or in the context of successive supervision, in particular those of supervision and sanction.
17. Furthermore, and contrary to what the Defendant seems to suggest, there is no contradiction between the various contributions of the CNPD within the CSE or its sections and the Draft Deliberation, since the CNPD at no point in the draft questioned or censured the variables defined by INE, nor the option of collecting data via the Internet. Moreover, the consistency of the CNPD is evident, taking into account that, within the Ad Hoc Section for Monitoring the 2021 Census (SEAC), it warned of the specific risks resulting from the online collection of responses to surveys.
18. What the CNPD investigated and is analysing is not whether the variables are necessary for the census activity - given that the judgement of necessity was explicitly attributed to INE by national law, and that the name of respondents is not a variable, as is evident from the Annex to Regulation (EC) No 1201/2009 of 30 November 2009! -, nor the methodology and procedure for collecting these data; what the CNPD has investigated and is analysing are the legally defined conditions and limits for the processing of personal data, in particular respect for the principles of lawfulness of processing and data minimisation and the risks to the rights of data subjects, which include, for example, issues related to the identification of respondents and their family members (full name) and the pseudonymisation of the data.
19. And the investigation and possible sanctioning of disregard for such conditions and limits fall within the powers of the CNPD, as set out in Articles 55 and 58 of the GDPR and Articles 3 and 6 of the LERGPD, so the allegations in points 7 to 16 and 39 to 148 of the Defence are without merit.
20. Furthermore, in previous census operations, although the CNPD was already a member of the CSE, INE never had doubts about the need to apply for the then necessary authorisations for the processing of data, nor did it question the supervisory role of the CNPD within the scope of those operations. That is, despite the participation of the CNPD in the CSE, INE has always considered that the intervention of the CNPD as the national data protection authority was not limited to participation in that body.
21. In short, the collegial decisions of the CSE, in which the CNPD is one among more than twenty members, cannot condition its role as supervisory authority regarding the processing of personal data, on pain of deflating the power recognised to it by the GDPR and national legislation.
22. It is also important to clarify that the definition of the concrete technical and organisational measures to be applied in the census operation, with implications for the processing of personal data, does not fall within the competences of the CSE, nor has it ever been raised there.
ii. The failure to set out the facts underlying the attribution of the offences
23. The Defendant alleges that the Draft Deliberation does not indicate the facts of the unlawful act, relying on Article 50 of the RGCO, Article 32(10) of the Constitution of the Portuguese Republic (hereinafter "CRP") and Article 120(1), (2)(d) and (3)(c) of the Code of Criminal Procedure, applicable by reference under Article 41 of the RGCO.
24. The Defendant considers, in the Defence presented, that the Draft Deliberation is silent regarding elements relevant to the attribution of the offences, with only a generic indication being made of the administrative offences imputed to it.
25. In the opinion of the Defendant, the Draft Deliberation should include the motivation with which it acted, the circumstances in which the offence was committed and on what basis the charge is made against the Defendant (intent or negligence).
26. In short, the Defendant understands that the Draft Deliberation does not contain the objective and subjective elements that would allow it to be accused of committing an administrative offence.
27. As a result, it alleges that it is unable to exercise its right of defence fully and effectively, which, in its opinion, should lead to the nullity of the present administrative proceeding from the delivery of the Draft Deliberation onwards.
28. Such an understanding is not acceptable. Let us see.
29. Contrary to what the Defendant argues, the Draft Deliberation did not omit any of the elements that should be included therein, namely the objective facts constituting the offence. It is further noted that, in the Draft Deliberation, reference is made to the facts that reflect the subjective attribution and to those that may have influence on the concrete determination of the sanction to be applied.
30. It should also be remembered that a Draft Deliberation does not correspond to a final decision, so the presentation of grounds can - and should, for simplification of the procedure - be done succinctly.
31. Now, evaluating the Defence presented, it is easily verified that the Defendant knows all the grounds of the proposed decision, it being undeniable that it is aware of the cognitive and evaluative path of the decision, and the entire context that applies to it.
32. Pursuant to Judgment No. 1/2003 of the Supreme Court of Justice, the administrative authority is not required, in the "accusation" (or, as the law puts it, in the "administrative offence that [...] is imputed" to the defendant), to carry out an assessment of the evidence straight away.
33. In other words, it is not required that the administrative authority, right in the "accusation", qualify the specific degree of seriousness or the degree of guilt of the agent.
34. What is required is that, depending on the facts established and imputed to the defendant, the offence be qualified, that is, that the administrative offence be identified with the corresponding applicable legal type (principle of typicality).
35. For example, if a rule establishes that a certain offence is punishable only when committed intentionally, the "accusation" must contain the facts constituting this legal type (the facts imputed to the defendant must allow this legal classification of the offence to be drawn). On the other hand, the determination of the degree of severity of the offence - and, therefore, of the agent's degree of guilt - will have to result from a specific assessment of the evidence to be made in the instructional phase.
36. Now, in the Draft Deliberation it is clearly defined on what subjective basis the offences are imputed to the agent, whether by identifying the elements that frame it
37. See, in particular, points 129, 130 and 131, where it is expressly stated that "the defendant did not act with the precautions to which it was bound and of which it was capable, representing as possible that it was acting against the law", a description corresponding to attribution by way of negligence, and points 132, 133 and 134, where it is stated that the conduct "configures an action that falls within the modality of dolus eventualis" (conditional intent).
38. In these terms, the argument that the Draft Deliberation is tainted by any procedural defect fails.
iii. The obligation of prior warning of the Defendant
39. The Defendant alleges that Article 39(3) of the LERGPD enshrines an obligation for the supervisory authority to issue a prior warning before initiating administrative offence proceedings.
40. In the understanding set out in the written Defence, the Defendant considers that such prior warning is a procedural requirement or a condition of admissibility.
41. Failure to issue the aforementioned prior warning, according to the Defendant, entails the inadmissibility of the administrative proceeding.
42. The Defendant concludes that the Draft Deliberation must be declared null and void, due to violation of the principle of legality. Let us see.
43. Article 39(3) of the LERGPD establishes that "(...) except in cases of intent, the initiation of administrative offence proceedings depends on prior warning of the agent, by the CNPD, for compliance with the omitted obligation or reinstatement of the prohibition violated within a reasonable time (...)".
44. From the outset, this provision would always be excluded in situations involving intentional offences committed by the controller, as is the case with some of the offences in question.
45. In any case, regarding the offences imputed by way of negligence, that legal provision makes the prior warning dependent on the possibility of "(...) fulfilment of the omitted obligation or reinstatement of the prohibition violated within a reasonable time (...)".
46. The violations underlying the present administrative offence proceedings relate, roughly speaking, to the collection of data from Portuguese citizens within the scope of the 2021 Census activity.
47. Which, as the name indicates, took place during 2021, and had already concluded when the Draft Deliberation was notified.
48. Therefore, the Defendant's obligations had already been irremediably breached, and this breach had already materialised - and expired - by the conclusion of that activity, in 2021.
49. The useful effect of a prior warning, namely to have a processing operation corrected or stopped, is not achieved when that processing is no longer ongoing, as has already been verified.
50. The ratio legis of this provision is to ensure the correction of the offence, when there is the possibility that the controller may also correct its conduct, thus reducing the risks to the legal sphere of the data subject.
51. Something that, in casu, would no longer be, nor is, possible to achieve.
52. It should also be noted that rules must be interpreted taking into account the rules on the interpretation and application of laws, which invite one to assess, among other aspects, the intention of the legislator (cf. Articles 1 to 13 of the Civil Code).
53. The interpretation of the law should not be limited to exploring only the literal meaning of the provisions.
54. Now, if the offence has already been consolidated, and it is not possible to prevent its occurrence nor the damage that the breach of the Defendant's obligation produced in the sphere of the data subject, it makes no sense to call for the application of a prior warning.
55. Regardless of that, even if it were applicable, the CNPD decides not to apply Article 39(3) of Law No. 58/2019 of 8 August in the case at hand, by virtue of the principle of primacy of European Union law and on the grounds set out in Deliberation/2019/494 of 3 September, since that rule, by imposing on the CNPD a step prior to the decision to open sanctioning proceedings, consisting of a warning to correct the illegality within a reasonable period, establishes a special regime for unlawful conduct committed negligently that is not compatible with the regime provided for in the GDPR.
56. In reality, as is clear from the body of Article 83(2) of the GDPR, the Union legislator confers on the concrete decision-maker, depending on the circumstances of each case, a discretionary power to apply points (a) to (h) and (j) of Article 58(2) of the GDPR.
fines for or instead of the measures referred to in a 57. Indeed, by determining that «depending on the circumstances of each case, the fines are applied in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j) [..)', Article 83(2) of the GDPR recognizes the power of the national supervisory authorities to, on a case-by-case basis, choose to apply only fine, application of fine and corrective measure, or isolated application of one or more measures corrective measures provided for in paragraph 2 of article 58. It is this discretionary power that is arguably attributed to the national control authorities, that the rule contained in paragraph 3 of article 39 of Law no. 58/2019 is restrict, imposing in abstract to the CNPD the adoption of a specific measure, regardless of the circumstances of each case (since it only meets the negligent nature of the infringement) and without allowing immediately accrue the application of a sanction. 58. However, such an imposition deprives the supervisory authority of the discretion granted by the GDPR, considerably withdrawing or diminishing the useful effect of the norm that assigns itº. 59. In addition, the national legislature cannot require its supervisory authority to adopt a measure paragraph a) of paragraph 2 of article 58 of the GDPR for cases in which a correction is foreseen, determined in a data processing operation (therefore not yet carried out) that is likely to violate the rules of the Regulation, in situations where the assumptions of that measure are not fulfilled. for others In other words, if the RGPD defines, in paragraph a) of paragraph 2 of article 58, the assumptions of the warning decision, national law cannot impose the practice of this act when there is a situation that is not subsumed on these assumptions and fulfills another legal type for which the RGPD provides for a decision with the same designation. 60. 
In the light of such arguments, the CNPD does not apply in this case paragraph 3 of article 39 of Law no. 58/2019, of August 8th. 61. Moreover, the limited understanding of the principle of legality of the activity is not followed administrative, revealed by the Defendant in point 186 of the Defense, as it is not consistent with the current legal-constitutional framework. 62. The principle of legality, enshrined in article 266 of the CRP, is today affirmed as a principle of legality, in the sense that Public Administration is bound by the different normative provisions heterodetermined and therefore determined not only by the national legislator but also by the European Union legislator; as, by the way, derives from paragraph 4 of article 8 of the CRP, which is directly included in the national legal order to EU law. And, in the application of internal and Union legal norms, it cannot no longer consider the principle of the primacy of Union law, as it has been interpreted by the Court of Justice of the European Union, which obliges the non-application of internal legislative rules whenever they contradict Union law or undermine its practical effect. 63. And the Defendant should not claim that the CNPD, as an administrative entity, has no competence to disapply the rule in question. 64. For it is important to remember the understanding of the Constitutional Court, expressed recently in the judgment 268/2022, commonly known as the Metadata Decision, which reads: “As a result, the eventual conflict between the norms now in crisis with the rules of Union law European Union that can be relied on internally will have as a response from the judicial system national law the non-application of internal rules - without these being expurgated from the legal system or that, for that purpose, its invalidity is generated. That is precisely what the Commission decided National Data Protection Agency (CNPD): considering in its deliberation no. 
641/2017, of May 9 2017, that the regime contained in Law No. 32/2008 is contrary to European Union Law - for disproportionate transgression of articles 7 and 8 of the CDFUE - decided to disapply Law 32/2008, based on the rule of law of the European Union (Deliberation No. 1008/2017, of July 18 of 2017). our underlining. 65. Subsequently, that Court renewed this understanding, in Judgment No. 382/2022, where reads: '4. Secondly, it will always be said that the grounds invoked for the nullity of the Judgment 268/2022 are manifestly unfounded. On the one hand, because the norms that determine an undifferentiated obligation to conserve metadata could no longer be applied by any national authority since 2014, when which was found to be incompatible with the Charter of Fundamental Rights of the Union European Union (Judgments of the Court of Justice of the European Union of April 8, 2074, Digital Rights Ireland, proc. 0-293/12 and 0-594/12; and of December 21, 2016, Tele2 Sverige and Watson, proc. C203/15 and 0-698/15) and the obligation arose, for all national authorities (including judicial) to refuse its application, pursuant to the provisions of paragraph 4 of article 8 of the Constitution and as was decided by the National Data Protection Commission in Deliberation n.º 1008/2017, of 18th of July 2017." - emphasis added. 66. That is, the CNPD not only has the power to decide on the non-application of rules that are in contradiction with the Law of the European Union, as it has the obligation to do so, for what, in these terms there is no violation of the principle of legality. 67. The Defendant also adds, in paragraph 182 of the Defense, that “[..] 
the norms contained, namely, in the article 83 of the RGPD, cannot be interpreted in the sense of directly targeting the competent authorities national supervisory authorities, to the extent that, as provided for in Article 83.9, paragraph 9, sanctions provided for in the GDPR are only applicable when the legal system of the Member States does not provide for fines; that they are “effective, proportionate and dissuasive”. 68. Now, the Defense reveals a wrong reading of the RGPD, and the lack of knowledge of recital 151 of the same European diploma. In fact, paragraph 9 of article 83 of the RGPD aims to remedy the non-existence of fines 'such as provided for in the [GDPR]" in the legal systems of Denmark and Estonia, as explained in that recital, which only reinforces that article 83 is addressed to the specific applicators of sanctions, that is, national supervisory authorities and courts - as referred to by the CNPD in the resolution cited by the Defendant (Deliberation 2019/494). 69. Moreover, what was stated in point 183 of the Defense does not add anything to the Defendant's argument, corresponding to the mere observation of a norm that explains the principle of the rule of law; to On the contrary, it reveals an irremediable contradiction in the Defendant's arguments, since paragraph 8 of article 83 of the GDPR specifically states that this article is addressed to national supervisory authorities ('lo] exercise of the powers conferred upon it by this Article by the supervisory authority [..]9. iv. Nullity of the Deliberation Project due to violation of the Defendant's technical independence 70. The Defendant alleges that technical independence constitutes a basic principle of statistical activity official, which is established in national and European legislation. 71. 
This is why the Defendant, in the pursuit of his public interest mission, can freely define processes, methods, standards and statistical procedures, without being subject to any external interference, namely by any other administrative authorities. 72. Therefore, according to the Defendant's understanding, the definition of personal data processed within the scope of Census 2021 census activity, as well as the respective data processing, is an exclusive competence its own, not susceptible of being syndicated by other administrative authorities. 73. With this argument, it concluded that the CNPD does not have the competence to syndicate the adequacy, pertinence or need, nor the methodologies and procedures for collecting and processing data for statistical purposes. 74. In doing so, the Defendant considers that the Draft Deliberation will have to be void. 75, Such an argument is unfounded. Let's see, 76. Firstly, at no time is it called into question by the Draft Resolution - as claimed the Defendant, several times throughout the Defense -, the regulatory and institutional framework (national and European) under which the 2021 Census activity was carried out. 77. Nor the technical independence of the Defendant in carrying out that census activity. 78. In fact, and as explained above, at no point in the project does the CNPD question or censor the statistical variables defined by INE, as well as the option of collecting data via the Internet. 79. What the CNPD found, and is analyzing, is not whether those variables are necessary for the activity census - given that the judgment of need was explicitly attributed to INE by national law —, nor the methodology and procedure for collecting these data. 80. On these aspects of the census operation, the CNPD spoke within the CSE, whether in meetings of this council, or at SEAC, recognizing the legal limits to the fulfillment of its mission at this headquarters. 
Even so, he did not fail to affirm the intrusive nature of the collection of information related to religion and warned for the specific risks arising from the online collection of survey responses. 81. Specifically regarding the variables that correspond to special categories of personal data, the CNPD does not question INE's competence and technical autonomy for defining them and for their treatment, under the terms recognized by number 2 of article 18 of the National Statistical System Law. 82. And, therefore, it is not reached because INE was tired in a long argument in points 329 to 377 of the your Defense. 83. But the fact that the law recognizes INE's technical autonomy to define the variables necessary for pursuit of the statistical public interest and to legitimize it to process the corresponding personal data, does not mean that INE can require citizens to provide such data when they are included in the category of special or sensitive data (sensitive personal data not only related to respondents as well as members of the respective household). 84. In fact, the same Law of the National Statistical System, in paragraph 3 of article 4, is clear to exclude sensitive personal data categories of information whose provision may be required, as mandatory, by INE. 85. It is this aspect of the processing of personal data that the CNPD analyzes and highlights for this purpose administrative offence: the fact that sensitive personal data has been presented as being mandatory to respondents, when the law imposes the optional nature of its collection and establishes a set of obligations of information to respondents (cf. paragraphs 3 and 4 of article 4 of the Law on the National Statistical System). 6. 
In short, regarding the variables that correspond to special categories of data, it is only a matter of an aspect of the processing of personal data that is not covered by the technical autonomy of Statistics Portugal, rather is legally defined - by the Law of the National Statistical System - and, therefore, the verification of respect for such a condition or legal link to the processing of personal data is, obviously, to the CNPD. 87. At the same time, the fact that respondents and members of their households have to be identified by full name goes beyond the technical autonomy that the law recognizes to INE, contrary to the which the Defendant states in point 326 of the Defense. 88. This is an aspect of the processing of personal data that national and European legislation does not assign specifically to INE, nor does it qualify as part of its technical autonomy. And it doesn't, because In reality, it is the personal data protection regime that imposes the minimization of personal data and the mitigation of risks to the rights of holders. 89. In fact, the respondents' identification data are not part of the concept of statistical variable (cf. Annex to Regulation (EC) 1201/2009, of November 30, 2009), not being, in this way, submitted to the technical autonomy of INE, being, therefore, an aspect of data processing, in the context of census operation, which the CNPD can inspect and assess from the perspective of its compliance with the data protection principles. 90. Just consider the provisions of paragraph 5 of article 18 of Decree-Law no. 54/2019, where, although recognizes INE's competence to assess the need for personal data in the information collected from the administrative databases, with due regard for the competences legally attributed to the CNPD in this regard. context. 97. 
Moreover, the fact that INE enjoys autonomy and technical independence for defining solutions techniques, in the regulatory and institutional framework - national and European - does not imply that the behaviors of the Defendant are no longer subject to respect for other diplomas of the Portuguese legal system. 92. Autonomy and technical independence are not synonymous with legality or activity exempt from regulation, therefore having to be framed by the legal regimes applicable to census activity, such as with the legal regime for the protection of personal data. 93. In other words, it is not because the Defendant is recognized for technical autonomy, in statistical terms, that he is no longer subject to the respect and fulfillment of legal obligations resulting from numerous legal diplomas and, from the outset, the Constitution of the Portuguese Republic, the European Charter of Rights Fundamentals of the European Union and, of course, of the GDPR. 94. Admit that, as technical autonomy was recognized, the Defendant's conduct could not be subject to to any external control - as seems to be the understanding postulated in the Defense - would be to admit that the statistical activity would be removed from the bonds of the rule of law. 95. Namely, and in the limit, within the scope of his technical autonomy, the Defendant could disrespect the rights of Portuguese citizens enshrined in the CRP, provided that its action aimed at carrying out a census operation - which is inconceivable. 96. Therefore, it is concluded that, despite the technical autonomy, when carrying out statistical activities, the Defendant it is, however, subject to compliance with the applicable legal norms and their inspection by the entities competent. 97. As we have seen, in this case, the CNPD is competent to ensure compliance and monitor compliance with the rules contained in the GDPR. 98. 
Reason why, due to his technical autonomy, the Defendant cannot thwart his decisions and actions regarding the processing of personal data to the inquiry by the CNPD. 99. Especially because, if that were possible, the CNPD would no longer have powers and competences before any public entity endowed with autonomy or technical independence. 100. In this matter, attention should be drawn to the provisions of Regulation (EC) 763/2008, of 9 July of 2008, concerning population and housing censuses, which exhaustively establishes in article 4, under the heading “Data sources”, the following: "- Member States may compile their statistics from different sources of data, namely...] 2- Member States take all necessary measures to comply with the requirements relating to data protection. This Regulation does not affect Member States' legislation on data protection.” - our underlining. 101. In addition, the same obligation to respect the RGPD, in the execution of the 2021 Census operation, is expressly enshrined in Decree-Law n.º 54/2019, of April 18, which reads, in n.º 4 of article 4.º, Following: "4- The responses to the 2021 Census questionnaires are kept by INE, !.P., under conditions of absolute security, and can only be used for exclusively statistical purposes, in compliance with the provisions of Law No. 22/2008, of May 13, and Regulation (EU) No. 2016/679, of the European Parliament and of the Council of 27 April 2016." 102. As it is known that national legislation (Decree-Law No. 54/2019, of April 18) cannot contradict the provisions of Regulation 763/2008, from the combination of the two mentioned rules, it is clear need for the Defendant to comply with the principles and rules relating to the protection of personal data. 103. For this reason, the Defendant's activity could never be frustrated by the inspection of the CNPD, in terms of compliance with the GDPR rules. 104. 
Although the Defendant intends to hyperbolize his concept of technical independence, to the point of acting without any need to respect legal norms - which, of course, cannot proceed - legislation, national and European, subject the Defendant's action to the control and inspection of the authority national control (cf. article 55.º of the RGPD), which, in Portugal, is the CNPD (cf. article 3.º of Law n.º 58/2019, August 8th). 105. On the other hand, the CNPD has always considered and defended that data should be collected in a format that was not based on the identification of the respective holders by their full name, in order to minimize the risk to citizens' rights. 106. This was expressly assumed by the CNPD regarding the data collection model from the administrative bases, in Deliberation no. 929/2014, which the Defendant cites in his Defense, with the CNPD determined that the personal data were encoded or pseudonymized - so it is not accurate stated in point 304 of the Defense. In that Deliberation, as the Defendant portrays in points 314 to 317, it was determined that the data were collected and integrated based on numerical identifiers, admitting, at the limit, the use of letters from the first and last name (the first three letters) — which is quite different from requiring and treating the full name of respondents or members of the respective household. 107. The CNPD expressed itself in the same sense in Opinion no. 28/2018, of June 11, p. 4, document that the Defendant does not ignore, and which, moreover, he cites in his Defense, where he states: “It should be underlined, however, that the result of painstaking and successive work, over several years, the CNPD and the INE have reached fruitful understandings for this purpose. A good example of this is narrated in deliberation n.º 129/2018, of January 30, where the CNPD looked into a data exchange protocol between the Tax Administration and INE. 
there if listed the procedures already introduced in the processing of information prior to the of its submission to INE. Of these, the pseudonymization procedure stands out, better detailed in deliberation n.º 929/2014, which guarantees that INE, being able to relate the information received, does not still have access to the identification of data subjects. It is precisely in this sense that we understand that the future path of taking advantage of of this administrative information, combining, in the most harmonious way possible, the purposes statistics and respect for the protection of personal data”, 108. In reality, the Defendant persists in trying to confuse two different concepts, equating the data individualized to data identified by full name, when it is certain that there are other data (from numerical logos) that allow the association of information to a certain citizen and that, moreover, ensure greater rigor in the relationship of personal data (since it is known that the use of the name as connection key between the data is error-generating, because of the spelling - in particular, with respect to the linking particles existing in the names), therefore, guaranteeing the respect for the principle of accuracy of the 2 personal data (principle enshrined in Article 5(1)(d) of the RGPD). In other words, it is possible to individualize the information in terms that allow the relationship with other information relating to the same subject, without resorting to data of direct identification of the data subject. ias, confuses or intends to confuse the identifiability of the respondents (and members of the 109. How, the household), through certain identification data, with your identification by name complete (as happens, again, in point 889 of the Defense). 110. 
The argument of the absence of a unique citizen number — invoked in point 309 of the Defense - does not determines that citizens have to identify themselves by name, in order to be able to aggregate the information existing in Public Administration databases. The constitution of an individualized database paragraph c) of article 3 of Law no. 54/2019 does not require, contrary to what the Defendant claims, the collecting the full name of citizens - which is why what is stated in point 312 of the Defense is inaccurate. iás, the work carried out by CNPD and INE, in the context of the procedure that gave rise to 111.4 aforementioned Deliberation 929/2014, aimed to ensure that the census operation did not depend on the collection of the full name, so the Defendant cannot ignore the pseudonymization technique, nor the several paths that the CNPD has pointed out to him towards this pseudonymization. 112. In short, the arguments of the Defendant, in this matter, cannot, of course, be accepted. v. Violation of the principle of ne bis in idem 113. The Defendant alleges that the imputation of four of the offenses contained in the Project - and identified by the Defendant in point 211 of the Defense - violate the legal-constitutional principle established in paragraph 5 of article 29 of the CRP and in article 4 of Protocol nº 7 to the European Convention on Human Rights, which prohibits double punishment for the same act. 114. In order to try to demonstrate such double punishment, the Defendant alleges that he is charged with the practice of a subparagraph a) of paragraph 1 of article 5 of the RGPD and similarly an administrative offense for violating the provisions of a an administrative offense is charged for violating the provisions of articles 12 and 13 of the RGPD. 115. The Defendant considers that Articles 12 and 13 of the RGPD are a mere specification of the inherent principle in paragraph a) of paragraph 1 of article 5 of the RGPD, and thus cannot be punished twice. 
116. According to the Defendant, so much so that the Draft Deliberation describes the same relevant fact to consider the objective type of offense verified, that is, the failure to provide information to holders in a concise, transparent, intelligible and easily accessible manner. 117. It also adds that it will have to be concluded that the conviction for any of the alleged offenses already expresses the legal worthlessness of the behavior. Let's see, 118. We agree with the Defendant when he alleges that sanctioning breaches of defined obligations in the RGPD and which correspond to the densification of some of the principles enshrined in number 1 of article 5 of the GDPR must remove sanctions from violating the principle itself. 119. This occurs with regard to the relationship between subparagraphs a) and c) of paragraph 1 of article 5 of the RGPD and article 9 of the RGPD, which were included in the indictment as autonomous offences, which is now reviewed. 120. Thus, the CNPD does not sanction, after all, the violation of the principle of loyalty, nor the principle of minimization of personal data, focusing on the violation of paragraph 1 of article 9 of the RGPD, due to lack of grounds for lawfulness for the processing of special data of optional collection. 121. But it maintains, as it is autonomously cut by the Union legislator, in articles 12 and 13 ena paragraph b) of paragraph 5 of article 83 of the RGPD, the violation of the right to information regarding the whole of the processing of personal data carried out in the context of the census operation. 122. Reason why the alleged by the Defendant only partially succeeds. saw. On the existence of legal basis for the treatment of special categories of Dice 123. The Defendant understands that the imputation directed at him, resulting from the illicit processing of data of special categories, is based on an inadequate understanding of the nature of the data to which the questions 29.3 to 29.6 and 30 concern. 
124. The Defendant further alleges that it exercises public interest functions in the field of official statistical activity, and that there is therefore a basis of lawfulness for the processing of that data.

125. Regarding the question on the degree of difficulty felt by respondents in carrying out activities, in the Defendant's opinion it does not constitute special health data, since the data subject is not asked what kind of problems or illnesses he or she has or suffers from.

126. It also invokes Authorisation No. 2600/11, of 24 March 2011, to claim that items 29.3 to 29.6 do not constitute data relating to health.

127. Subsequently, the Defendant alleges that, as a national statistical authority, its activity falls under point j) of Article 9(2) GDPR, so that, as it pursues statistical purposes, it falls within the scope of the public interest and does not require the consent of the data subject for that processing.

128. It invokes CNPD Opinion No. 28/2018 in support of its position.

129. The Defendant considers that such a conclusion also follows from Article 18(2) of the Law on the National Statistical System (Law No. 22/2008, of 13 May), albeit with the caveat that, within the scope of that Law, data referring to philosophical or political convictions, party or trade union affiliation, religious faith, private life and ethnic origin, and personal data relating to health and sex life, cannot be mandatory.

130. However, it states that the personal data contained in questions 29.3 to 29.6 and 30 were treated as optional answers.

131. The Defendant also argues, further on in its Defence, that the statistical variables included in items 29 and 30 carried a warning in the header, in the form of a banner informing of the optional nature of all subsequent questions.

132. This information was provided to the data subject both in the printed form and in the online form.

Let us see.

133. In light of the GDPR, it is not understood how the Defendant can currently consider that the collection of personal data that make it possible to identify whether someone has difficulty moving around, concentrating, dressing or bathing, or that expressly indicate a given religion, do not constitute special categories of data as specified in Article 9(1) GDPR (cf. point 244 of the Defence).

134. Indeed, under the GDPR, special categories of personal data are, and we quote, those "that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data to uniquely identify a person, data relating to health or data relating to a person's sexual life or sexual orientation" (cf. Article 9(1) GDPR).

135. It is important to emphasise that the Defendant, in what it considers to be valid arguments for its defence, reveals weaknesses in following the normative changes brought about by the entry into effect of the GDPR, from the outset by considering that the individual form of the 2021 Census must be considered valid because it is written in terms entirely congruent with the form of the 2011 Census (cf. points 240 and 241 of the Defence).

136. In fact, Article 7 of the Personal Data Protection Law (Law No. 67/98, of 26 October) provided for a regime for the processing of sensitive data which, despite some similarities, is not identical to that enshrined in Article 9 GDPR; thus the fact that the Defendant considers the congruence between the 2011 and 2021 Census forms to be a favourable argument in its defence shows a total ignorance of, and high disregard for, the current data protection legal regime.

137. If it is true that the CNPD, in Authorisation No. 2600/11, of 24 March 2011, did not consider that that information fell under the concept of health data, it is no less true that the GDPR came to explicitly define the concept of "data concerning health" in Article 4(15) GDPR.

138. Faced with such a legal definition, it cannot but be considered that personal data relating to difficulties in locomotion, concentration, dressing or bathing correspond to "personal data related to the physical or mental health of a natural person" (Article 4(15) GDPR) or "[...] data relating to health status that reveal information about their past, present or future physical or mental health. This includes information about a natural person [...], e.g. an illness, disability, a risk of illness [...] or the physiological or biometric status of the data subject, irrespective of its source [...]" (cf. Recital 35 GDPR), and therefore are personal data concerning health.

139. Therefore, the argument presented by the Defendant, which is based on an understanding expressed by the CNPD in 2011, does not apply, since there has since been a profound reform of the legal regime for the protection of personal data, a reform that the Defendant cannot ignore, in particular after the European Data Protection Board clarified this concept (cf. point 3.1 "Data concerning health" of the "Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak").

140. All the more so as it is the Defendant itself which, in the survey made available to citizens in the 2021 Census operation, refers to such data as variables related to "health problems" (cf. image Q3.29.1 of the annex "Screenshots from the 2021 Census form, available at https://censos2021.ine.pt" to the report "Info UL AVG 2021 407 Il v1.0.docx").

141. Thus, it is now indisputable that the data provided for in questions 29.3 to 29.6 and 30 of the survey are special categories of personal data under Article 9(1) GDPR, so that their collection cannot rest merely on the need for these personal data for the pursuit of the public interest by INE (i.e. fulfilment of the condition provided for in Article 6(1)(e) GDPR), but still depends on the verification of one of the conditions provided for in Article 9(2) GDPR.

142. It is agreed with what is alleged in the Defence that the processing operations in question are supported, as regards lawful purposes, by the public interest. However, as the CNPD warned in due time in its Opinion No. 28/2018, of 11 June (p. 1v), not unrestrictedly. It is true that the pursuit of a public interest legitimises the processing of special categories of data for statistical purposes, although not unrestrictedly, as such processing "must be proportionate to the objective pursued, respect the essence of the right to the protection of personal data and provide for appropriate and specific measures to defend the fundamental rights and interests of the data subject" (an opinion, moreover, cited by the Defendant in its Defence).

143. Therefore, the legal classification of the facts committed by the Defendant is changed, accepting that the legal basis for the processing of personal data is not consent under Article 9(2)(a) GDPR.

144. But it is not ignored that the Law on the National Statistical System (Law No. 22/2008, of 13 May), in Article 4(1), recognises that INE has the power to demand the provision, on a mandatory basis, of personal data, unless these are part of the special categories of data (cf. paragraph 3 of the same Article), in which case that provision depends on the will of the data subjects.

145. Moreover, INE has the obligation to inform respondents of the mandatory or optional nature of the response to questions relating to sensitive data (cf. Article 4(4) of the Law on the National Statistical System).

146. It follows, therefore, that the national legislature, in balancing the public interest associated with statistical activity, on the one hand, and the fundamental rights to informational self-determination and to the protection of private life, on the other, considered it excessive to impose the provision of sensitive personal data, thus making its collection dependent on the will of the respective data subjects.

147. Thus, even if the basis for the lawfulness of the collection of personal data in this statistical operation is claimed to be point j) of Article 9(2) GDPR or, perhaps, point g) of the same paragraph, the truth is that, given the requirement (today reflected in those points as well as in Article 89 GDPR) that the provision for processing be accompanied by adequate measures to guarantee the proportionality of the processing in view of the intended purpose, the minimisation of personal data and respect for the rights of data subjects, the national legislature has explicitly established, as an appropriate measure, dependence on an expression of the data subject's will regarding the collection of sensitive data.

148. Thus, the realisation of the public interest is subject to the will of the data subject. And therefore the public interest is clearly not sufficient to legitimise the collection of data provided for in Article 9(1) GDPR, which is why the collection of such data cannot dispense with the information that allows the free formation of the will of the respective data subject.

149. And the point is that, even if INE was aware that the special data relating to health and religion could only be collected on an optional basis, the fact of not having provided clear and complete information about the optional nature of its provision by citizens, in breach of the obligation provided for in Article 4(4) of the Law on the National Statistical System, impaired the respondents' understanding that questions 29.3 to 29.6 and 30 of the 2021 Census questionnaire were to be answered optionally.

150. It should be noted that what is relevant, for the purpose of verifying the legal assumption that the collection of these special or sensitive personal data is optional, is not INE's conviction (contrary to what the Defendant states in point 259 of the Defence), but rather the conviction of the respondents: the legal assumption, defined in Article 4(3) of the Law on the National Statistical System, is that respondents wish to provide such data to INE. And wanting depends on a free formation of that will, not conditioned by the omission of information or by the provision of incomplete or erroneous information.

151. To that extent, the mere de facto possibility of continuing to browse the online form without answering such questions (which the system did not allow for the mandatory questions), and of proceeding to submit the questionnaire without filling in the answers to questions 29.3 to 29.6 and 30 of the 2021 Census questionnaire (cf. as invoked in points 266 and 267 of the Defence), is irrelevant to the formation of the respondents' will, because, in the absence of information about the optional nature of the answers to those questions, it is not even expected, let alone required, that they try to continue navigating the form or submitting it without filling in those answers.

152. In fact, as mentioned in the Draft Deliberation and not contested by the Defence, in the online questionnaire: "Question 30 was an optional answer. However, it did not provide any information about the non-mandatory nature of the response." "Point 29 of the questionnaire consisted of six questions framed in three pages, two questions on each of them. Only on the first of these pages is information about the optional nature of the answers given. On the next two pages, no such information was presented to the respondent. [...]" (cf. images Q3.29.1 to Q3.30, from the annex "Screenshots of the 2021 Census form, available at https://censos2021.ine.pt" to the report "Info UI AVG 2021 401 | v1.0.docx").

153. It must be concluded that the fact that the system allows navigating to the next page without selecting an answer does not guarantee the data subject information regarding the optional nature of the question presented.

154. Also because, remember, the data subject is answering the questionnaire to avoid being sanctioned, which from the outset leads him or her to consider all the questions presented in the form as imperative.

155. That is, the data subject hardly tests the possibility of moving on to the next question without having answered the previous one.

156. The difficulty of apprehending the optional nature is therefore logical, if this information was not included on the screens of questions 29.3 to 29.6 and 30.

157. The truth is that the lack of information about the optional nature of questions 29.3 to 29.6 and 30 of the 2021 Census questionnaire generated or, at least, is likely to have generated the conviction that the answer to them was mandatory, so that the actual answering of those questions by the respondents cannot correspond to a manifestation of free will, since it was based, or may have been based, on an error about the mandatory nature of the provision of such data.

158. It follows from the general rules of law that the expressed will is only legally relevant and valid if freely formed and manifested, and that error harms this freedom, especially when it affects an essential element of the will: the mandatory nature of the conduct dependent on the manifestation of the will.

159. Now, in this case, the error in the formation of the respondents' will is caused by INE, by not having complied with the requirement of Article 4(3) of the Law on the National Statistical System.

160. Therefore, the Defendant is in error when, in points 261 and 262 of the Defence, it considers that these two questions, namely the lack of information about the optional nature of the questions and the optional nature of the questions themselves, are different; on the contrary, in this context, they cannot be separated, because that is what the national legislature did, in the Law on the National Statistical System (cf. Article 4(3) and (4)), when it made the lawfulness of the collection of optional sensitive personal data depend on the provision of information about this optional nature.

161. In these terms, the collection by INE of special categories of personal data through the answers to questions 29.3 to 29.6 and 30 of the 2021 Census questionnaire was unlawful, because, under point j) (or even point g)) of Article 9(2) GDPR, the national legislator, in Article 4(3) and (4) of the Law on the National Statistical System, when it provided for the collection of special data for the purpose of the statistical public interest, fixed, as an adequate and specific measure for the defence of the fundamental rights and interests of the data subject, the optional nature of the same, thus requiring the manifestation of an informed and free concordant will, which, in this case, did not occur due to the lack of clear and complete information on all the questions that were optional.

162. In view of the above, the Defendant's understanding cannot be upheld, and it is maintained that the collection of such personal data violated the prohibition contained in Article 9(1) GDPR, as none of the lawfulness conditions provided for in paragraph 2 of the same Article was met.

vii. Violation of the principle of minimisation of personal data

163. The Defendant alleges that it could not infer from the Draft Deliberation whether the imputation formulated concerns the delimitation of the information to be mandatorily provided to the data subject (a matter which, according to it, would fall only within the legal framework relating to the principle of transparency and compliance with information duties) or whether it is also charged with an infringement resulting from the processing of special categories of data.

164. Even so, it argues that any failure to provide information about the optional nature of the answers to questions 29.3 to 29.6 and 30 would constitute an infringement only capable of being included in the framework of the respective duty to inform, as the questions were treated as optional.

165. That is, the Defendant seeks to justify that the data collected in response to questions 29.3 to 29.6 and 30 did not involve a violation of the principle of data minimisation, under the terms and for the purposes of Article 5(1)(c) GDPR, as they are essential and justifiable in light of statistical needs and the numerous international recommendations produced by reference bodies in census matters (cf. points 329 to 377 of the Defence).

166. With regard to this point, the CNPD concedes that this fact does not correspond to a violation of that principle, which does not exclude its relevance for the purpose of verifying the non-fulfilment of the lawfulness condition under Article 9(2) GDPR, in the terms set out above.

viii. The Defendant complied with the information duties towards data subjects

167. The Defendant claims to have provided the data subjects with all the necessary and required information, under the terms and for the purposes of Article 5(1)(a), in conjunction with Articles 12 and 13, all of the GDPR.

168. Even so, the Defendant understands that it fulfilled all the information duties, both in the printed version and in the digital version.

169. It alleges that, for this purpose, it made its Privacy and Personal Data Protection Policy available on its website, which includes the contacts of INE and of the DPO, from whom the data subject could obtain further clarification.

170. The Defendant also argues that the statistical variables included in items 29 and 30 carried a warning in the header, in the form of a banner informing of the optional nature of all subsequent questions.

171. This information was provided to the data subject both in the printed form and in the online form.

172. Furthermore, the Defendant considers that the online system itself led to the conclusion that the questions were optional, since it allowed navigating to the next page without selecting any answer, which was not allowed by the system for the mandatory questions.

Let us see.

173. As for the duty to provide information on the optional nature of special data, the arguments presented have already been refuted above; it is now only added that its non-compliance is absorbed by the lack of grounds for the lawfulness of the collection of such data, since that is a specific requirement of the GDPR provision that INE invokes to legitimise its processing.

174. But the question remains whether there was compliance with the duty to provide information under Article 13 GDPR.

175. It is important to clarify that the duty of information provided for in Articles 13 and 14 GDPR aims to give effect to the principles of transparency and fairness, enshrined in Article 5(1)(a) GDPR.

176. Articles 12 and 13 GDPR are clear in requiring the controller to provide the data subject with the information in a "concise, transparent, intelligible and easily accessible form, using clear and plain language [...]".

177. Contrary to these legal commands, the Defendant opted to inform data subjects through a document available on its website.

178. However, such document refers to all processing of personal data under INE's responsibility and not specifically to the processing resulting from the census operation, being silent about it; indeed, it suffices to note that the so-called Privacy and Personal Data Protection Policy is dated 2019, more than two years before the said operation was carried out.

179. In addition, the location of the aforementioned privacy policy on INE's institutional website makes it, in practice, inaccessible.

180. Otherwise, let us see: to find it, one needs to get to the bottom of the page and select "About INE", given that, for the common citizen, it is not expected that the privacy policy is kept there; even after accessing the "About INE" link, the "Ethics and Policies" tab must be opened, so that, after selecting the seventh of eleven options, one navigates to another page where a small text appears, which, in turn, refers to a PDF document which contains, finally, the so-called Privacy and Personal Data Protection Policy.

181. The lack of transparency in the processing of personal data carried out by INE is evident and, specifically, in the processing of data from the 2021 Census, given the complex and labyrinthine path the citizen has to follow, almost being required to have divinatory qualities, to find the information required by law.

182. Also because, in the case of the 2021 Census operation, what the data subject wanted was to access a form, in order to respond and avoid being sanctioned for the lack, insufficiency or inaccuracy of the response.

183. And it is the Defendant itself who mentions that that same form did not contain the information which it was legally obliged to provide, pursuant to Articles 12 and 13 GDPR.

184. Since the direct collection of personal data is at stake, Article 13(1) GDPR requires that the controller, at the time of collection, provide the information listed there, which manifestly did not happen.

185. Nor was the requirement met to provide the information in a concise, transparent, intelligible and easily accessible form, pursuant to Article 12(1) GDPR.

186. From all of the foregoing, it must be concluded that the Defendant did not fulfil the information duties to which it was obliged, thus violating the obligation arising from Articles 12 and 13 GDPR.

ix. Breach of due diligence in choosing the subcontractor

187. The Defendant considers, in its Defence, that the services subcontracted to Cloudflare, Inc. respect all the requirements for information security and protection of personal data, as provided for in the GDPR and the rest of data protection legislation.

188. And that, therefore, they constituted the best option for the success of the 2021 Census operation in due time, with greater security and better performance of services and technological infrastructures against expected global threats.

189. The contractual relationship established between the Defendant and the subcontractor was governed by a contract between the parties, which includes clauses containing all the information and obligations legally required under Article 28(3) GDPR.

190. Furthermore, the Defendant alleges that there are not numerous alternative solutions available on the market that provide performance and security services with the subcontractor's level of excellence, rigour and concern for the security and privacy of personal data.

191. And the Defendant concludes that the solution contracted between it and the subcontractor not only allowed increased security of the collected information and better performance of the Censos 2021 website, through recourse to services of excellence recognised as such in the market, but also that there do not appear to exist, and consequently there was no need for, any other solutions available on the market that could have been contracted.

Let us see.

192. In its Defence, the Defendant was unable to add anything to what was found during the inspection proceedings, which led, incidentally, to the order to suspend the sending of personal data from the 2021 Census operation to the United States of America (hereinafter USA) and to other third States without an adequate level of protection, whether through Cloudflare, Inc. or through any other company, within a maximum period of 12 hours (cf. point 42 of Deliberation 2021/533, of 27 April, of the CNPD, issued under the powers conferred on it by Article 58(2)(j) GDPR).

193. As the CNPD has already clarified, in point 76 of Directive No. 2022/1, if it is true that the relationship between controller and processor, and between the latter and other processors, has to be regulated in writing (cf. Article 28(3) and (4) GDPR), the verification of the requirements set out in Article 28 GDPR must be substantive and not merely formal, and not limited to the choice of some standard clause.

194. For this reason, when selecting the subcontractor and the means it makes available for the data processing (e.g. services, products, tools, technologies), the controller had to apply, or require the contracting party to adopt, adequate measures to protect personal data and mitigate the risks arising therefrom.

195. And the Defendant's defence proves that it did not carry out the necessary due diligence to ensure the adoption of measures capable of guaranteeing respect for the principles and rules of the GDPR.

196. It suffices to check paragraphs 457 et seq. of the Defence to conclude this. At those points the Defendant justifies the choice of solutions from Cloudflare, Inc. on the grounds that this company is almost the only reference in the market.

197. However, this is not true: there are several European companies that provide Content Delivery Network (CDN) services that meet GDPR requirements.

198. Nor can the Defendant base its choice of the Cloudflare, Inc. service on the fact that it has an office in Lisbon (cf. points 642 et seq. of the Defence), when the contract was entered into with the company headquartered in the USA and, under the contractual terms, the forum for settling disputes between INE and Cloudflare, Inc. is the California courts.

199. Furthermore, the latency service subscribed to by INE in the contract makes it clear that, as demonstrated in the Draft Deliberation, it will be supported on numerous servers located in multiple geographies, most of them located outside the European Union and in jurisdictions that are not compatible with European legislation.

200. For greater clarity of the reasons for this determination, the CNPD recalls here that in the contract entered into, in the "Business" package modality, governed by the "Self-Serve Subscription Agreement" and by the addendum on data processing (Data Processing Addendum version 3.0, dated 1 October 2020), which forms part of the agreement (which was available on the Cloudflare, Inc. website in April 2021, and which corresponds to Exhibit No. 66 presented in the Defence), it is stated: "(...) In connection with the Service, the parties anticipate that Cloudflare, Inc. (and its subcontractors) may handle, outside the European Economic Area (EEA) (...) certain personal data protected by European data protection legislation in relation to which the Customer or a member of the Customer Group is considered the controller (...)" (cf. point 6.1 of the Data Processing Addendum version 3.0, in a free translation from the original, written in English).

201. That is, the contract signed by INE and Cloudflare, Inc. allows the transit of personal data to any of the 200 servers used by it, as well as the transfer of personal data to the USA, and INE, upon entering into such a contract, accepted such processing of personal data.

202. In fact, under the terms of the Data Processing Addendum version 3.0, which, remember, is part of the contract, personal data are transferred from the customer (data exporter) to Cloudflare, Inc. (data importer), in the USA, using the standard contractual clauses as the international transfer mechanism, based on "Commission Decision 2010/87/EU of 5 February 2010 applicable to transfers of personal data to processors established in third countries", which are an integral part of clause 1.1 of the Data Processing Addendum and are, to that extent, subscribed to by the customer (cf. point m) of the Data Processing Addendum version 3.0).

203. Thus, by (sub)contracting the services of Cloudflare, Inc., INE, in its capacity as controller and simultaneously as a customer of Cloudflare, Inc., accepted the conditions of use of the service, including the addendum on the processing of personal data, which also regulates the transfer of personal data to the USA.

204. Also in accordance with the terms of the Data Processing Addendum version 3.0, INE granted a general authorisation to Cloudflare, Inc. to use other (sub)subcontractors, whether companies inside or outside the Group (clause 4.2), recognising and accepting that the provision of the service might require the use of (sub)subcontractors established in third countries (clause 6.4).

205. If standard contractual clauses are, in general, a legal instrument for the transfer of personal data to third countries, pursuant to the combined provisions of Article 46(2)(c) and (5) GDPR, it is nevertheless necessary to verify whether the legislation of the third State, which obviously overrides an instrument of a contractual nature, does not diminish or void the guarantees offered by these clauses, which are precisely intended to compensate for the lack of an adequate level of protection in the country of destination of the data (cf. Articles 44 and 46 GDPR).

206. According to the Court of Justice of the European Union (CJEU), it falls to the data exporter (INE), on a case-by-case basis and with the collaboration of the data importer (Cloudflare, Inc.), to verify that the specific country of destination ensures a level of data protection essentially equivalent to that guaranteed in the EU, and it should, if possible, adopt additional safeguards to overcome obstacles and guarantee that data protection is maintained. This obligation also stems from the principle of accountability enshrined in Article 5(2) GDPR.

207. According to the analysis of the CJEU in the Schrems II case, the law of the USA (which is the country of destination of Cloudflare, Inc.'s international transfers pursuant to the standard contractual clauses) allows interferences in the fundamental rights of persons, based on requirements related to national security and the public interest, which may result in access to personal data transferred from the EU to the USA and in the use of such data in the framework of surveillance programmes, based on Section 702 of FISA (Foreign Intelligence Surveillance Act) and Executive Order 12333.

208. The CJEU concluded that such interference is not proportionate under EU law, insofar as the scope of the limitations on people's rights is not defined, there are no clear and precise rules regarding the application of these measures or minimum requirements to protect against risks of abuse, no assessment of necessity is made, and no enforceable rights or legal remedies are conferred on data subjects; therefore the limitations on data protection arising from US law do not meet the requirements of the EU Charter of Fundamental Rights (cf. Articles 7, 8, 47 and 52(1)).

209. Therefore, it would only be possible to carry out a transfer of personal data to the USA if the legislation in question here, expressly referred to by the CJEU, were not directly or indirectly applicable to Cloudflare, Inc. or its (sub)subcontractors, and then only by taking appropriate measures that could demonstrably prove that this legislation would not apply or would not have a practical effect on the transfers of personal data.

210. However, the services provided by Cloudflare, Inc., namely those contracted by INE when it signed up to the Business Plan, bring the company directly under the purview of US law, which imposes on it the obligation to grant mass access to the personal data it processes, from the outset as an electronic communications service provider, without prejudice to other types of services also being covered by other provisions of US surveillance legislation.

211. Cloudflare, Inc. acknowledges in point 7 of the Data Processing Addendum version 3.0 that, in its role as subcontractor, it may be subject to requests for access to personal data by third parties within the scope of legal proceedings, which may be "inconsistent" with the law applicable to its customer, i.e. the GDPR. In such an event, where there is a conflict of laws, Cloudflare, Inc. declares that it will immediately inform the customer, "unless such notification is legally prohibited" (cf. point a) of clause 7.1).

212. This is precisely the case with this US legislation, which prevents US companies from informing their customers of access by the US authorities for the purpose of collecting information about foreigners, in the context of national security activity.

213. It appears, therefore, that there is no guarantee in the contract that the personal data of citizens residing in Portugal, collected by INE through its website within the scope of the 2021 Census, are not accessed by US authorities through Cloudflare, Inc., due to the services provided by Cloudflare, Inc. to INE, which imply, according to the signed contract, the transfer of these personal data to the USA.

214. Thus, what is stated in points 668 et seq. of the Defence is irrelevant, since what is at issue here is the fact that Cloudflare, Inc. is bound to comply with US law, which, among other things, prevents it from informing the controller about requests for access by certain US authorities.

215. Furthermore, the explanations presented by Cloudflare, Inc. and by the Defendant give the "Business" service a meaning that is not supported by the adhesion contract itself on which it rests.

216. When it is stated (cf. point 475 of the Defence) that each user is forwarded to the server closest to their location, in order to justify that "Portuguese" users will be forwarded, with high probability (in the expression presented, "would likely be directed"), to servers in Lisbon, it seems to be ignored that this will never happen if, at a given moment, the server in Lisbon is saturated.

217. Something that, in massive processing operations such as a census operation, occurs in numerous situations.

218. But neither is it correct to state that all the traffic generated when accessing the website 'censos2021.ine.pt', using the CDN service from Cloudflare, Inc., would always be connected to the closest server, the one in Lisbon (cf. point 476 of the Defence).

219. The statement that the "Business" plan does not allow routing to other servers with less "load" than that of Lisbon (cf. point 477 of the Defence) is completely dissonant with the content of the "Self-Serve Subscription Agreement" and the respective addendum on data processing (Data Processing Addendum version 3.0; cf. Defence Exhibit No. 66).

220. The allegation, in paragraph 658 of the Defence, that "[it follows] from the information made available by Cloudflare, Inc., namely in its Privacy Policy (cf. Policy attached as document No. 68), in the Transparency Report (cf. Transparency Report attached as document No. 73) and in Cloudflare's commitment to GDPR compliance [...], that INE drew its conclusions about the legislation and practices applicable to Cloudflare, Inc. in the context of the contracted services" could be considered, were it not for the fact that INE signed the contract in "February/March 2020" (cf. point 617 of the Defence) and the two documents invoked here are later, while Cloudflare's commitment to GDPR compliance does not exclude, as shown, the application of US legislation.

221. And, therefore, in view of the content of the contract signed by INE, it is incomprehensible that it should now claim, in point 682 of the Defence, that "[...] according to its understanding based on the information made available to it, these data were never in American territory, nor in the possession of the subcontractor". In effect, at this point of the Defence only a conviction of INE is invoked, not supported by facts, as demonstrated.

222. As for the Defence's invocation of what it calls the Guidelines of the European Data Protection Board (EDPB), which correspond to Recommendations 01/2020, nothing in this document contradicts the interpretation that the CNPD makes of the GDPR, which strictly follows the CJEU judgment in Schrems II, of 16 July 2020, given that the CNPD never stated that there could be no flows of personal data to the USA; it only reaffirmed that they depend on the adoption of supplementary measures.

223. Furthermore, the EDPB document has a merely guiding nature, in the sense of supporting controllers in the application of the GDPR, so the absence of such guidelines cannot justify a breach of the obligations arising from that Regulation. Moreover, such guidelines do not exist in relation to other obligations that fall on the controller, and this does not mean that it is released from complying with them.

224. Regardless of the date of final approval of the said EDPB Recommendations 01/2020, the truth is that they were approved and made available for public consultation on 10 November 2020, so that, from then on, INE had the opportunity to learn about the EDPB's recommendations on this matter, well before carrying out the census operation.

225. The Defence's lengthy claim that, at the time Cloudflare, Inc. was contracted, the transfer of personal data was safeguarded by the European Commission's adequacy decision (Privacy Shield), which was only declared invalid by the Schrems II judgment of 16 July 2020, does not remove the obligation that falls on any controller of personal data to verify that the processing it performs complies with the conditions and limits set out in the GDPR, which requires of an entity such as INE, which processes personal data of special sensitivity and on a large scale, permanent attention to the legal framework of its processing.

226. In any case, the Schrems II judgment was published long before the 2021 Census operation was carried out (on 16 July 2020); the Defendant was therefore obliged to bring the planned processing of personal data into line with the said judgment, and had enough time to do so.

227. Incidentally, the contract with Cloudflare, Inc., which is alleged to have been entered into in February/March 2020 (cf. point 617 of the Defence), was concluded for only 11 (eleven) months, therefore, in effect, at best until the end of February 2021. On the date of the possible renewal of the contract, the CJEU judgment declaring the European Commission's adequacy decision (Privacy Shield) invalid had already been handed down more than seven months earlier, so neither party could ignore its content.

228. The Defendant further alleges that the contracted service ensured a set of technical measures able to ensure compliance with the GDPR (cf. point 677), namely: pseudonymisation of personal data and encryption of information.

229. From the outset, the Defendant refers to Annex 2 of the Data Processing Addendum, without attaching that annex, which contains the technical and organisational security measures to be adopted by Cloudflare, Inc., thus failing to demonstrate that they were relevant to the formation of INE's will to contract.

230. Regardless, none of the measures invoked was actually applied in the contract concluded by INE, nor could it be, due to the nature of the contracted service (CDN).

231. On the one hand, there was no pseudonymisation of personal data.

232. On the other hand, regarding encryption, as will be better demonstrated in the next point, the service contracted by INE implied that Cloudflare, Inc. had the encryption key and decrypted the data packets.

233. The alleged data protection considerations in contracting Cloudflare, Inc. were thus not demonstrated; on the contrary, what the facts demonstrate is a lack of care, not to say contempt, for the personal data protection regime and for the relevant case law in this matter.

234. In view of the above, the Defendant resorted to a subcontractor that does not provide sufficient guarantees of implementing appropriate technical and organisational measures to comply with the GDPR, in particular its Chapter V, which is clearly demonstrated by the clauses of the contract itself, in violation of the obligation set forth in Article 28 GDPR.

x. There were no data transfers to third countries

235. Following the explanation above, the Defendant maintains, in several points of the Defence (for example, points 531 et seq.), that the data subjects' data would never pass through servers other than those in Lisbon, this being the server geographically closest to the data subject.

236. For this reason it considers it impossible and impractical, from a technical point of view, that data from the 2021 Census operation may have transited through servers located outside the European Union (cf. point 591 of the Defence).

237. Finally, the Defendant argues that the CNPD was unable to produce proof of any transfer of data to third countries.

Analysing, 238.
Firstly, it is evident, from the Defense presented, that the Defendant does not know whether the data holders' personal data, in response to the census operation Censos 2021, transited or not through servers from third countries. 239.Based on mere presumptions, the Defendant argues that this probability is very low, as where there is a Cloudflare, Inc. in Lisbon and, given the criterion of geographical proximity, it would be this to be used. 240. The Defendant also assumes the possibility that personal data, in the event of a "load" on the server, may have status in “mere transit” - an expression used in the Defense - on servers located in third countries. 241. The Defendant did not provide proof that he adopted the appropriate guarantees, within the scope of the operation Census 2021 census taker, in accordance with Chapter V of the RGPD, as required, and therefore violated article 44 of the GDPR. Otherwise, let's see, 242. Firstly, it is clarified that the CNPD never questioned that “personal and other data information collected in response to the 2021 Census via the internet [..] were always [..] housed in the systems and infrastructure of INE itself [..]' (cf. points 527 and 528 of Defense). what has always been concerned was the transit of personal data. 243. The use of a CDN aims to reduce the latency of invocations to websites, reducing the time of loading. A web page can be composed of a set of resources that are requested by the user. client to server when rendering"? of the page on the browser screen (or another type of application used to access HTML pages made available online). How many more resources are needed (e.g., images, style files, code files, video and/or audio files), and the longer the time for download them to the client's machine, the longer the graphical presentation of the page will take be completed. 244. 
Considering the majority of websites, the time the page is displayed to the visitor/user depends, to a large extent, on the delay in delivering these resources when they are requested (from the browser/Internet browser side) to the server, and then sent back from the server to the browser. Once the Internet communications are materialized by electrical circuits with electronic components such as "routers" along the path, the transit time is very dependent on the number of hops (hops'*) that the packets of information have to go through when being "routed!*" from one point to the other. The greater the geographic distance between nodes, the greater the probability that the number of forwarders increase, and thus also the time it takes the packet to go from source to destination. 245. The use of CDNs is intended to reduce the page loading time, acting precisely on this transmission time, as explained below. 246. Resources or content can be divided into two types: static and dynamic. The contents static files (e.g., images, audio, video, CSS style files, javascript code files) do not vary and are always the same, remaining unchanged for any of the invocations. Dynamic content (e.g., HTML pages, in this case, the forms) are processed in each request, being able to produce a distinct result each time; may vary, for example, depending on the parameters sent in the request to the server (e.g. querystring, POST parameters, cookies). 247. In this way, static content can be cached and reused over and over again without becoming outdated, without causing any damage to the user experience. not the same happens with dynamic contents, which have to be processed with each invocation. 248. CDNs aim to reduce loading times and for that they make content available static files faster by keeping them cached. 
Since these contents do not change after the first request has been served, the remaining requests can reuse the content that was stored locally, without having to request it again from the server where the website resides. 249. For this to happen, traffic from the client (browser) to the server is directed to a network of provision of content (in this case, the CDN), made up of several machines connected to each other. If the order that arrives at one of these machines, possibly the closest geographically to the customer, is related to static content, and if it has previously been cached on that machine, the CDN will no longer forwards the request to the server and serves the resource directly to the client (browser), reducing noticeably response time. 250. As for requests for dynamic content, this cannot be done. The order arrived at of these machines, it is forwarded to the server that awarded the CDN service (in this case, INE) and processed at each invocation, therefore, due to its nature, it cannot be stored and reused for future requests. 251. As is understood, CDN machines only store static content, once since the dynamics would be of no use to them because they cannot be reused. 252. In the aforementioned paragraph 469 of the Defense, later reaffirmed in paragraph 479, the Defendant alleges that “the contents dynamic features of the 2021 Census website - more specifically, the specific electronic form for collection of the questionnaire [..] which contained personal data of citizens [..] were never stored in the cache from Cloudflare, nor was it demonstrated that your traffic was carried out through the CDN of CLoudflare LJ 253. The first part of the allegation is correct, given that the CNPD never stated that the contents dynamics were cached. In fact, to make a CDN useful, only static resources need to be kept in cache. 254. 
254. The second part of the above statement, which says that the transit of requests for dynamic content, and the respective responses, through the CDN of Cloudflare, Inc. has not been demonstrated, is not true, as demonstrated by the evidence collected by the CNPD relating to the traffic of requests for dynamic content, with responses to the Specific Electronic Form (FEE), through the servers of Cloudflare, Inc.

255. In order to verify this fact, the CNPD carried out several investigations, which focused on the operation of the form available at censos2021.ine.pt. The form was tested and the respective sessions were recorded, extracting images that demonstrate the opposite of what was stated by the Defendant in the Defense (cf. Attachments to the document Info UI AVG 2021 401 II v1.0.docx, "Screenshots showing the data packets exchanged between the client and the servers (*.ine.pt), while completing the 2021 Census form", pp. 29 and 30).

256. Indeed, on accessing the 2021 Census questionnaire online, available at censos2021.ine.pt, the user was prompted to enter the code and password contained in the letter received at their residence. Submission of the form would send this data to the address censos2021.ine.pt, as appears in the images of the session maintained between the browser and the server (cf. Attachments to the document Info UI AVG 2021 401 II v1.0.docx, "Screenshots showing the data packets exchanged between the client and the servers (*.ine.pt), when filling out the 2021 Census form", pp. 29 and 30).

257. After completing, in the online form, the answers to the questions that made up the 2021 Census questionnaire, which collected personal data, the data was sent to another web server, at fee.ine.pt, as can also be seen in the images of the session (cf. Attachments to the document Info UI AVG 2021 401 II v1.0.docx, "Screen captures showing the data packets exchanged between the client and the servers (*.ine.pt), when filling out the 2021 Census form", pp. 29 and 30). This server implemented the FEE, whose purpose was to collect data from respondents.

258. Both the censos2021.ine.pt website and fee.ine.pt were, until April 26, 2021, being resolved to IPs assigned to Cloudflare, Inc., as attested by DNS lookup queries performed during the expert examination, some of which were collected as evidence (cf. Annexes to the document Info UI AVG 2021 401 v1.0.docx, "Domain name resolution, IP lookup, reverse DNS, routing", pp. 22 to 28).

259. It is thus proven that requests for both static and dynamic resources (the latter containing personal data of census respondents) were being forwarded to the machines under the responsibility of Cloudflare, Inc.

260. What is stated in point 470 of the Defense, that personal data would not be forwarded to Cloudflare, Inc.'s servers, is not true.

261. It should be added, for better clarification, that what the CNPD presented in the information dated 16 September 2021 is a compliant scenario for the use of the CDN, in which requests for dynamic content are sent directly to the INE server in Lisbon; in the concrete case, this scenario did not materialize.

262. Therefore, the conclusion advanced in point 482 of the Defense is also unfounded. In technical terms, as the CNPD explained well in that information, the use of CDNs was never in question, but rather the way in which the online data collection for the 2021 Census was carried out. It is technically possible, and also advantageous in terms of performance and security, to maintain the use of the CDN for the storage and availability of static resources, while the submission of data can and should be done directly to the controller's end server.

263. What is stated in point 552 of the Defense is also inaccurate, where it says "[...] on the contrary, the personal data and other information collected in response to the 2021 Census via the internet [...] were directed directly to the INE data center".

264. In the "Communication from Cloudflare of 04-05-2021" (according to point 537 of the Defense), the company assumes that "[...] Portuguese citizens seeking to provide information to INE for the census would have been directed to INE's website through the Cloudflare data center closest to the user, scanned for malicious code or activity as directed by INE, and sent directly to INE's hosting servers [...]".

265. This statement is in line with the analysis and conclusions of the CNPD on the process of forwarding information from the client to the server, and contradicts the Defense's claim that requests for the dynamic contents of the site, which include participants' responses to the questionnaire, would not be forwarded through Cloudflare, Inc.'s CDN.

266. As Cloudflare, Inc. admits, participant responses would be forwarded to the data center closest to the user (which, for citizens filling out the questionnaire in Portugal, would allegedly be the Lisbon data center) and analyzed to detect malicious activity or code [through the WAF (Web Application Firewall) service subscribed by INE from Cloudflare, Inc.], and only then sent to INE's servers, according to INE's own instructions; INE, therefore, could not have been unaware of this fact, contrary to what it is now claiming.

267. The communication from Cloudflare, Inc. contradicts the claim that the submission of personal data collected in the online survey would not pass through the servers of Cloudflare, Inc., but would be forwarded directly to the INE server.

268. It is important to clarify that either of the services provided, CDN or WAF, obliges the machines of Cloudflare, Inc. that receive the requests to have access to the packet data in order to know the destination to be given to them. If, in the case of the CDN, the packet is opened to determine whether the requested resource is static and whether it is in cache, in the case of the WAF the packet is opened to check for a possible attack, such as malicious code injection.

269. Likewise, what was written in point 553 of the Defense is also not true. The evidence taken from the forensic examination carried out shows that, from the beginning of the online questionnaire collection operation until the end of the day of the CNPD's inspection of INE, both the address censos2021.ine.pt, where the user is prompted to enter personal data such as the code assigned to their home and the respective password, and the address fee.ine.pt, to which the data from the answers to the 2021 Census questionnaire would be submitted, were being resolved to IP addresses assigned to Cloudflare, Inc., which would cause traffic to those addresses to be routed to machines under the control of that company.

270. In points 558 to 561 of the Defense, it is admitted that the WAF service, subscribed by INE from Cloudflare, Inc., subjects information packets to analysis of "specific elements associated with the communicated information". In order to collect information from respondents, they "[...] enter their answers in the FEE application [...] made available on that same website [censos2021.ine.pt and fee.ine.pt]", and then "the data (personal and non-personal) contained in these responses must be transmitted to INE's data center". It goes on to say that "it is in this transmission that attacks can occur [...]. In order to prevent these attacks [...] the WAF acts as [...] [a] shield placed between the user and the server, in such a way that the network traffic (namely, responses entered by citizens in the FEE) must first pass through this firewall before reaching the INE server".

271. It follows that information packets with personal data are opened and inspected by the WAF service of Cloudflare, Inc., which turns out to be recognized by the Defense, in clear contradiction with what was previously claimed.

272. Indeed, in paragraph 562 of the Defense, the Defendant states that this operation is carried out "without accessing the content of the transmitted information", which would be a contradiction and obviously does not correspond to the truth. In fact, all packets are opened and, for the analysis of the content to be done "automatically", the WAF focuses on the elements that are in the body of the request. These elements include the input fields on the pages of the questionnaire with the values filled in by the respondents. To analyze the body of the request, the WAF has access to all the information entered by the respondent in the fields at their disposal.

273. Again, point 564 of the Defense is untrue. There it is said that "the WAF does not access the content of the information in traffic, and there is no [...] possibility of accessing or consulting personal data contained in the responses transmitted to the INE server". This statement even contradicts other allegations of the Defense, specifically point 561, where it is said that "Cloudflare's firewall analyzes specific elements associated with the communication that may indicate attacks [...]".

274. At the same time, point 569 of the Defense is, for the same reasons, false. There it is said that "in the use of the three Cloudflare services [WAF, CDN, Rate Limit], there is no access or transmission, to Cloudflare, of responses entered by respondents, namely responses inserted by them in the FEE available on the website «CENSOS2021.INE.PT»", it being redundant to refute this statement, given the exhaustive explanation already provided here.
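The CDN mechanics described in points 243 to 251 (only static content is cached; dynamic requests are forwarded) and the WAF point made in 268 to 272 (signature matching needs the decrypted request body) can be made concrete with a small simulation. The following is an added example written for this page, not Cloudflare's or INE's code: a toy edge node that caches only static resources, forwards everything else to the origin, and runs a signature check over the plaintext body before doing so. The two hostnames are those named in the decision; the file paths, form field names and values, the WAF signatures and the `Deployment` routing are constructed assumptions. The second deployment models the compliant arrangement the CNPD describes in points 261 and 262, where only the static hostname resolves to the CDN.

```python
"""Toy model of a CDN edge (cache + WAF) in front of an online form.
Constructed illustration for this decision; not Cloudflare's or INE's code.
Hostnames are those named in the decision; paths, fields and values are made up."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# File extensions the edge treats as static (cacheable) content.
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".woff2", ".svg")

# Hypothetical WAF signatures: a few widely documented injection markers.
WAF_PATTERNS = [re.compile(p, re.I) for p in (r"<script\b", r"union\s+select", r"\.\./")]


@dataclass
class Request:
    method: str
    host: str
    path: str
    body: str = ""  # plaintext as the edge sees it after TLS termination


@dataclass
class Result:
    served_from: str        # "edge-cache", "origin", "origin-direct" or "edge-waf-block"
    inspected_fields: list  # form fields the edge had to read in clear
    blocked: bool


class Edge:
    """One CDN node: caches static resources, inspects every request it terminates."""

    def __init__(self):
        self.cache = {}

    @staticmethod
    def is_static(req):
        return req.method == "GET" and req.path.endswith(STATIC_EXT)

    @staticmethod
    def waf_inspect(req):
        # Signatures can only be matched against the decrypted body, so every
        # field of a form submission is readable here, cached or not.
        fields = parse_qs(req.body, keep_blank_values=True)
        hit = any(p.search(v) for vals in fields.values() for v in vals for p in WAF_PATTERNS)
        return sorted(fields), hit

    def handle(self, req):
        inspected, hit = self.waf_inspect(req)
        if hit:
            return Result("edge-waf-block", inspected, True)
        key = (req.host, req.path)
        if self.is_static(req):
            if key in self.cache:
                return Result("edge-cache", inspected, False)  # origin not contacted
            self.cache[key] = f"<contents of {req.path}>"
            return Result("origin", inspected, False)
        # Dynamic content (the form): never cached, always forwarded to the
        # origin, but it has already transited the edge in clear.
        return Result("origin", inspected, False)


class Deployment:
    """Which hostnames resolve to the CDN decides what the edge ever sees."""

    def __init__(self, edge_hosts):
        self.edge_hosts = set(edge_hosts)
        self.edge = Edge()

    def route(self, req):
        if req.host in self.edge_hosts:
            return self.edge.handle(req)
        return Result("origin-direct", [], False)  # the edge never touches it


def run_demo():
    """Constructed traffic: a static asset twice, a form submission, an injection attempt."""
    form = "codigo=ABC123&password=s3cr3t&q_religiao=none"  # constructed values
    reqs = [
        Request("GET", "censos2021.ine.pt", "/static/style.css"),
        Request("GET", "censos2021.ine.pt", "/static/style.css"),
        Request("POST", "fee.ine.pt", "/submit", form),
        Request("POST", "fee.ine.pt", "/submit", "codigo=<script>x</script>"),
    ]
    # As found by the CNPD: both hostnames resolved to the CDN.
    found = Deployment({"censos2021.ine.pt", "fee.ine.pt"})
    # Compliant scenario from points 261-262: only static content via the CDN.
    split = Deployment({"censos2021.ine.pt"})
    return [found.route(r) for r in reqs], [split.route(r) for r in reqs]


if __name__ == "__main__":
    for label, results in zip(("as found", "split"), run_demo()):
        for r in results:
            print(f"{label:8s} {r.served_from:15s} blocked={r.blocked} fields={r.inspected_fields}")
```

Running the module prints one line per request for both deployments. The form submission is never cached, yet in the "as found" deployment the edge reads every field before forwarding it to the origin, because signature matching needs plaintext; in the split deployment the edge never sees the submission, which also means the edge WAF is no longer in that path and the origin has to carry its own input validation.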
275. Regarding the alleged impossibility and impracticability, from a technical point of view, of the data from the Census 2021 census operation having transited through servers located outside the European Union (cf. point 591 of the Defense), it is important to compare the content of the communiqué from Cloudflare, Inc. with the allegations of the Defense, to reach the opposite conclusion.

276. Although Cloudflare, Inc. has IPs registered in the European Union, the IPs to which the address censos2021.ine.pt resolves are registered in the USA: 104.22.20.250 and 104.22.21.250 (cf. https://bgpview.io/asn/13335#prefixes-v4).

277. The fact that the servers are using IPs of Cloudflare, Inc. registered in the USA, when the company has IPs registered in the territory of the European Union, is in itself demonstrative that there was no care to ensure that personal data would only circulate within the territory of the Union.

278. Incidentally, evidence that Cloudflare, Inc. transmitted and transmits personal data to the US, even under contracts that guarantee customers a service restricted by geographic area (Cloudflare Data Localization Suite), can easily be found in the information made available on the company's website. There, at the time of the facts, it was stated that: "Regional Services. Cloudflare has data centers in over 200 cities across 100+ countries. Regional Services together with our Geo Key Manager solution allows Customers to pick the data center locations where TLS keys are stored and TLS termination takes place. Traffic is ingested globally, applying L3/L4 DDoS mitigations, while security, performance, and reliability functions (such as, WAF, CDN, DDoS mitigation, etc.) are serviced at designated Cloudflare data centers only. With Regional Services, some metadata will still be transmitted to our core data center in Portland, Oregon. However, the only Personal Data we collect in these logs are IP addresses. [...]" (emphasis added) (cf. https://web.archive.org/web/20210426141842/https://www.cloudflare.com/gdpr/introduction/).

279. In other words, the metadata, in which the respondents' IP addresses (personal data) are included, collected by Cloudflare, Inc. in its logs, was transmitted to the US.

280. It is also significant that, in the meantime, the information made available on that website has changed, no longer stating that the metadata is transmitted to the US (cf. https://www.cloudflare.com/gdpr/introduction/), which perhaps occurred as a result of this deliberation of the CNPD and also of draft decisions of other supervisory authorities of Member States of the European Union.

281. It is also true that the services provided by Cloudflare, Inc., namely those contracted by INE when it subscribed to the Business Plan, place the company directly under the jurisdiction of the USA, which imposes on it the obligation to grant mass access to the personal data it processes, from the outset as a provider of electronic communications services, without prejudice to other types of services also being covered by other provisions of US surveillance and national security legislation.

282. Cloudflare, Inc. acknowledges in point 7 of the Data Processing Addendum version 3.0 that, in its role as processor, it may be subject to requests for access to personal data by third parties within the scope of legal proceedings, which may be "inconsistent" with the law applicable to its customer, i.e. the GDPR. In such event, where there is a conflict of laws, Cloudflare, Inc. declares that it will immediately inform the customer, "unless such notification is legally prohibited" (cf. point a) of clause 7.1).

283. Well, it is precisely this US legislation that prevents US companies from informing their customers of the access made by US authorities for the purpose of collecting information about foreigners, in the context of national security activity.
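Points 258 and 276 rest on a check any controller can repeat before go-live: resolve each hostname in the data path and see whether the answers fall inside the processor's announced address space, which tells you which flows are terminated by the processor before they reach your own servers. This is an added example for this page, not the CNPD's tooling. The DNS answers are a constructed table so the script runs offline (the two addresses for censos2021.ine.pt are those cited in point 276; the address for fee.ine.pt and the `origin.example` host are made up), and the prefix list is a hard-coded subset of the IPv4 ranges Cloudflare publishes at https://www.cloudflare.com/ips-v4, assumed current only at the time of writing.

```python
"""Which hostnames in a deployment resolve into a third-party CDN's address space?
Added example; DNS answers are a constructed table and the prefixes are a
hard-coded subset of Cloudflare's published IPv4 ranges (fetch the live list
from https://www.cloudflare.com/ips-v4 in practice)."""
import ipaddress

# Subset of published Cloudflare IPv4 ranges (assumption: current at time of writing).
CDN_PREFIXES = [ipaddress.ip_network(p) for p in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Constructed stand-in for DNS answers; no live lookups are performed.
DNS_ANSWERS = {
    "censos2021.ine.pt": ["104.22.20.250", "104.22.21.250"],  # addresses cited in point 276
    "fee.ine.pt": ["104.22.22.250"],   # constructed: decision says it resolved to Cloudflare
    "origin.example": ["192.0.2.10"],  # constructed, documentation range: served directly
}

# Hostnames that receive personal data (form submissions), per points 256 and 257.
SUBMISSION_HOSTS = {"censos2021.ine.pt", "fee.ine.pt"}


def match_prefix(ip):
    """Return the CDN prefix containing `ip`, or None if the address is outside the CDN."""
    addr = ipaddress.ip_address(ip)
    return next((str(net) for net in CDN_PREFIXES if addr in net), None)


def classify(answers=DNS_ANSWERS):
    """Map every host to {ip: matched_prefix_or_None}."""
    return {host: {ip: match_prefix(ip) for ip in ips} for host, ips in answers.items()}


def transits_cdn(host, answers=DNS_ANSWERS):
    """True if any address the host resolves to is announced by the CDN, i.e. traffic
    to that hostname is routed to machines under the CDN operator's control."""
    ips = answers.get(host, [])
    return bool(ips) and any(match_prefix(ip) for ip in ips)


def review(answers=DNS_ANSWERS, submission_hosts=SUBMISSION_HOSTS):
    """Hostnames that carry personal data and are terminated by the CDN: each one is a
    processing step by the processor that the DPIA and transfer analysis must cover."""
    return sorted(h for h in submission_hosts if transits_cdn(h, answers))


if __name__ == "__main__":
    for host, ips in classify().items():
        for ip, prefix in ips.items():
            print(f"{host:20s} {ip:16s} -> {prefix or 'not in CDN space'}")
    print("submission hosts fronted by the CDN:", review())
```

The registry region of a prefix, the point made in 277, is a separate RIR/whois question this check does not answer; what it does give a controller is the list of hostnames whose traffic the processor terminates, which is the fact the Defendant, per point 238, did not establish for itself.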
284. Faced with these facts, the controller was not able to demonstrate, as required by paragraph 2 of article 5 and by paragraph 1 of article 24 of the RGPD, that it applied the appropriate measures to ensure, and be able to prove, that the processing of personal data was carried out in accordance with the GDPR, in particular with article 44 of the GDPR.

285. It is also important to emphasize that the Defendant, again in what it considers to be valid arguments for its Defense, once more shows the weaknesses of its monitoring of the normative changes brought about by the entry into force of the RGPD, from the outset when it insists that the mere transit of personal data through third countries is not legally relevant today.

286. In fact, subparagraph c) of paragraph 1 of article 4 of Directive 95/46/EC, of October 24, 1995, as well as subparagraph c) of paragraph 3 of article 4 of Law 67/98, of 26 October, which transposed the Directive, excluded from the scope of application of data protection legislation, if the controller is not established in the national territory, the processing of personal data when the means were used only for transit.

287. However, this provision was not included in the RGPD, and therefore the transit of personal data is not excluded from its objective scope of application, given that it corresponds to an operation on personal data, pursuant to paragraph 2) of article 4 of the GDPR.

288. Incidentally, in paragraphs 602 et seq. of the Defense, the invocation of CJEU case law to substantiate that the transmission of personal data to third countries would not fall within the objective scope of application of the current data protection legal regime is, strangely, reduced to a judgment of 2003, which is identified as "[...] one of the only cases decided by the CJEU on restrictions on data transfers to third countries [...]" (cf. point 602 et seq. of the Defense), when it is certain that there is abundant case law of this Court on the transmission of personal data to third countries, part of it already considering the RGPD: the judgment Maximillian Schrems v. Data Protection Commissioner (Schrems I), case C-362/14, of October 6, 2015; the judgment Data Protection Commissioner v. Facebook Ireland Ltd and Maximilian Schrems (Schrems II), case C-311/18, of July 16, 2020; and also, from the TJUE, Opinion 1/15, of July 26, 2017, on the PNR agreement between Canada and the EU.

289. It being also certain that there is no parallelism, nor basis for analogy, between the case considered in that judgment mentioned by the Defense and the case analyzed here.

290. On the other hand, what is stated in paragraphs 610 et seq. of the Defense is not relevant to the case under appreciation, since the aforementioned position of the UK supervisory authority is based on the assumption, explained in the quotation cited, that there is no access to or manipulation of personal data when they arrive at the server located in the territory of a third country. However, the CNPD has already demonstrated that the services of Cloudflare, Inc. contracted by the Defendant require the opening and verification of information packets, so that position is, in this context, irrelevant.

291. Regarding the invocation of the European Data Protection Board (CEPD) document that the Defendant identifies as "Guidelines 1/2020" (rectius, Recommendations 1/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data), nothing in this document contradicts the CNPD's interpretation of the RGPD, which strictly follows the judgment of the TJUE in Schrems II, of July 16, 2020, given that the CNPD never stated that there could be no flows of personal data to the US; it only reaffirmed that they depend on the adoption of supplementary measures.

292. Furthermore, the CEPD document has a merely guiding nature, and the controller is not exempted from complying with the obligations arising from the RGPD as long as there are no guidelines or recommendations of that body.

293. Regardless of the date of final approval of the CEPD Recommendations 1/2020, the truth is that they were approved and made available for public consultation on November 10, 2020, so that, from then on, INE had the opportunity to learn of the CEPD's recommendations on this matter, recalling here what was said above, in points 223 to 225 of this Deliberation.

294. In summary, the Defendant did not apply the appropriate measures to ensure, and be able to prove, that the processing of personal data was carried out in accordance with the GDPR, in particular with article 44 and paragraph 2 of article 46 of the RGPD; however, the CNPD considers the breach of the obligation to adopt appropriate security measures, provided for in article 32 of the RGPD, to be consumed in this infraction.

xi. On the mandatory Data Protection Impact Assessment

295. The Defendant alleges that in the 2021 Census statistical operation the Data Protection Impact Assessment (AIPD) may be waived.

296. Namely when there is a pre-existing AIPD already carried out for an identical previous statistical operation.

297. In the opinion of the Defendant, this is what happens, in casu, insofar as it holds an authorization issued by the CNPD under the terms of Law No. 67/98, of October 26, specifically Authorization No. 2600/2011, which refers precisely to the General Population and Housing Census operation.

298. Authorization No. 2600/2011 was never subject to alteration, replacement or revocation.

299. Therefore, in the opinion of the Defendant, it was exempt from preparing an AIPD prior to the personal data processing operation.

300. Also because, in its opinion, the only change verified, from the 2011 Census census operation to the Census 2021 census operation, consisted in adopting risk mitigation measures.

301. The Defendant argues that the very concept of an AIPD does not necessarily mean that it must be definitively formalized and reduced to writing even before the beginning of the processing operation.

302. The Defendant did not postpone or fail to carry out an AIPD prior to the start of the census operation.

303. It only proceeded diligently, in seeking to ensure its improvement and updating throughout the 2021 Census process.

304. The Defendant also argues that, before the performance of an AIPD can definitively be considered completed, it must be progressively updated, which the Defendant did, although such an AIPD was not required of it.

305. Therefore, it cannot be considered that the Defendant carried out the AIPD late, but rather it must be considered that the Defendant diligently fulfilled an obligation that did not even apply to it.

306. It was only possible in the context of the main census operation Census 2021, due to the pandemic context and the health emergency, to decide definitively on the collection processes and application functionalities used; therefore, only at that moment was it justified to carry out the DPIA.

307. This does not constitute any failure of the DPIA, being only the result of the context of constant uncertainty experienced due to the Covid-19 pandemic.

308. The Defendant further alleges that the fact that the main census operation Census 2021 includes, in itself, different personal data processing operations does not mean that all these operations entail such a risk and that all require a DPIA.

309. With the exception of the operation of collecting and processing data on respondents to the 2021 Census questionnaire, duly reflected in the AIPD carried out, there does not appear to be any other data processing operation carried out that constitutes any risk for the data subjects.

310. Therefore, the AIPD carried out is not insufficient.

311. It also adds, regarding the AIPD, that it fully complied with the minimum content to which it was bound pursuant to Article 35(7) of the GDPR.

Let's see,

312. It should be noted, from the outset, that CNPD Authorization No. 2600/2011 had as its object the processing of personal data carried out in a temporally delimited census operation (the year 2011), which is why that authorization exhausted its effects or, if one prefers, expired ipso iure with the end of said operation.

313. Furthermore, the authorization was valid specifically for the 2011 census operation and in accordance with the elements notified by INE to the CNPD at the time, so that, due to the changes made in the 2021 census operation compared to that of 2011, the expiry of that authorization would always have to be concluded.

314. Namely, that authorization does not include any reference to the collection of responses to surveys via the Internet, nor to transfers of personal data to third countries (which, as seen above, should have been analyzed and mitigated), just as it does not even mention the existence of any processor, much less one based in a third country, all of which are novelties introduced in the processing of personal data carried out in the 2021 census operation, which increase the risks to the rights of data subjects.

315. Furthermore, the Defendant itself acknowledges, with regard to the 2021 Census operation, the need to adopt "(...) a new census model in 2021", a model "(...) based, totally or partially, on the use of administrative information" (cf. points 56 and 57 of the Defence).

316. In effect, "[the] transition to an administrative-based census model would therefore have in view (...) the reinforcement of the integration of census data in INE's statistical information system on families (...)" (cf. point 58 of the Defense).

317. From which it is clear that the conditions in which the 2011 census took place are not identical to those of the 2021 census operation, so that the authorization would always have to be considered expired.

318. And an expired administrative act does not produce legal effects for the future, and therefore cannot be subject to revocation or replacement, as results from paragraph 2 of article 166 and paragraph 1 of article 173 of the Code of Administrative Procedure, so the Defendant could never have had the expectation that the non-revision of the authorization by the CNPD would mean the confirmation or extension of its content to the 2021 census operation.

319. Incidentally, the fact that each census operation is regulated specifically and autonomously by its own legal instrument (see Decree-Law No. 226/2009, of September 14, and Decree-Law No. 54/2019, of April 18) demonstrates that each census operation implies autonomous and distinct processing and therefore has a specific legislative framework.

320. Moreover, this conclusion is reinforced by the fact that Decree-Law No. 54/2019 did not even have to revoke Decree-Law No. 226/2009, just as the latter did not revoke the Decree-Law on the 2001 Census.

321. It cannot, therefore, be claimed that the processing of personal data arising from the 2021 census operation is the same processing, or even equivalent, to that carried out in the context of the 2011 Census.

322. For which reasons the arguments of the Defendant, contained in points 710 to 745 of the Defense, on the use of the content of Authorization No. 2600/2011 in the context of the 2021 census operation to claim exemption from an obligation provided for in the RGPD and applicable to it since May 25, 2018, cannot succeed.

323. Furthermore, the Defendant was obliged to carry out the AIPD under the terms of paragraph 1 and subparagraph b) of paragraph 3 of article 35 of the RGPD, it being clear that the 2021 census operation involved the collection and subsequent processing on a large scale (the entire population residing in the national territory) of special categories of personal data, more specifically data relating to religion and health.

324. It is also important to remember that the AIPD corresponds to an overall evaluation of the processing of personal data, so it should not be restricted only to the conditions for processing special data, leaving out the processing of other personal data.

325. Moreover, Regulation No. 798/2018, of 14 November, on the list of processing operations subject to a Data Protection Impact Assessment, approved by the CNPD under paragraph 4 of article 35 and subparagraph k) of paragraph 1 of article 57, both of the RGPD, provides in paragraph 2 the obligation to carry out a DPIA when at issue is a "[...] processing that relates personal data provided for in paragraph 1 of Article 9 or Article 10 of the GDPR or data of a highly personal nature", as is clearly the case in the 2021 Census.

326. In addition to collecting personal data that fall under the special categories of data provided for in paragraph 1 of article 9 of the RGPD, the Defendant also collects personal data that reveal private and family life, in its most intimate redoubt of daily life, corresponding to the category of data of a highly personal nature that the Article 29 Working Party highlights as a criterion covered by Article 35(1) of the GDPR (cf. point 4.
of the Impact Assessment Guidelines on Data Protection and which determine whether the processing is "likely to result in a high risk" for the purposes of Regulation (EU) 2016/679 - WP248 rev.01, revised and adopted on 4 October 2017), which was assumed by CEPD on May 25, 2018. 327. Criterion that is also set out in no. 2 of Regulation no. 798/2018, of 30 November, concerning the list of personal data processing subject to a Data Protection Impact Assessment. 328. Therefore, the obligation to carry out the AIPD is not restricted to formally special personal data or sensitive, and should extend to all personal data subject to processing in the 2021 Census operation, point 2) of article 4 of the RGPD, also because the processing of personal data, as defined in the comprises the completeness of the operations carried out on personal data in the context of a particular activity or operation. 329. As for the relevant moment for carrying out an DPIA, it is clear that it must be prior to the start of the processing of personal data, as is explicitly stated in article 35(1) of the RGPD (l...] the person responsible for the treatment carries out, before starting the treatment, an assessment of the impact on the protection of personal data. [...]" (emphasis added), and also in recital 90 of the RGPD, irrespective of the fact that it may be subsequently revised according to the needs 330. Now, on April 26, 2021, during the inspection, the CNPD asked the Defendant to provide the AIPD, the correspondent opinion of the data protection officer (DPO), copy of the contract signed with the contracted company to, on a technical level, develop the form for collecting and further processing personal data associated with the 2021 Census (AGAP2IP) and copy of the Audit Report carried out by the National Office of security. 331. That same day, at 9:12 pm, the Defendant sent the CNPD, by email, the elements mentioned, with the exception of the AIPD and the Opinion of the EPD. 332. 
On May 27, 2021, the CNPD insisted on sending the missing elements, which were Received only on June 28, 2021. 333. The document designated AIPD is not dated, indicating only the year. 334. However, it is INE itself that assumes that it has not formalized the AIPD, although it claims to have gathered the “elements materially characterizing an AIPD, such as the risk assessment of the assets involved in the various treatments carried out, which is integrated into this AIPD and which was revised in 2020 and in 2021 (before the start of the census operation)”. 335. Thus, no documentation was delivered to the CNPD demonstrating that a previous AIPD had been carried out and completed at the start of data processing to be carried out within the scope of the 2021 Census operation. 336. In addition, the document sent to the CNPD under the title “Opinion on the Impact Assessment on the Data Protection of the statistical operation Censuses 2021" of the EPD, is dated May 12, 2021, i.e. after the date on which the census operation began and after the inspection by the CNPD. 337. Annex 20 to the AIPD, without identification, but recorded as “Treatment of risks”, indicates, as a date Last update, May 3, 2021. Strangely, no version of the last one was presented. document with an earlier date, nor with a date before the beginning of the census operation. Furthermore, it is inexplicable that an updated version of the risks is made in May 2021 while maintaining the protection risks of data related to the data processing operation that had already been suspended on April 26, 2021 by INE, following inspection by the CNPD and before formal knowledge of the order of suspension. 338. 
338. Notwithstanding that the said annex does not comply with Article 54 of the Code of Administrative Procedure, under which "the language of the procedure is Portuguese", a rule that INE does not follow with regard to a document apparently prepared by its own services and marked at the top as "Uso interno - Internal use", this document does not prove an analysis of the risks prior to the start of the processing.

339. Nor do the few references to that document in the so-called DPIA, in three short paragraphs on pages 46 and 47, demonstrate an effective assessment of those risks or the adequacy of the measures to mitigate them.

340. Now, it is clear that a DPIA must be documented; where it is mandatory, a DPIA that exists only "in the head" of the controller is of no use.

341. This follows precisely from several provisions of Article 35 of the GDPR which presuppose such documentation. Consider, for example, the minimum content of a DPIA specified in paragraph 7 of that Article (firstly, the requirement for a systematic description of the envisaged processing operations), or the requirement to seek the advice of the data protection officer imposed by paragraph 2 of the same Article.

342. It also follows from reading Article 35 of the GDPR together with the principle of accountability enshrined in Article 5(2) of the same Regulation, which requires the controller to be able to demonstrate compliance with the data protection principles, in particular here the principles of lawfulness, fairness and transparency, data minimisation, and integrity and confidentiality, and with Article 24(1) of the GDPR, which provides for the duty to implement "[...] appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation".

343. Demonstrating compliance with the GDPR, whether with specific obligations or with data protection principles, implies that the controller holds elements that evidence such compliance, which in the case of the obligation to carry out a DPIA depends on a documented process, whatever its medium (e.g. paper, digital). It is not, therefore, a question of demanding the "formalisation" of the DPIA, but rather that the obligation provided for in Article 35 of the GDPR presupposes some materialisation of it that makes it possible to demonstrate that it was carried out, which the Defendant was clearly unable to do, either when the CNPD requested it or at the prior hearing in these proceedings. Nor is it disputed that a DPIA represents a continuous process (cf. point 767 of the Defence). There is no legal basis for the Defendant to consider that, at the start of the census operation, comprehensive documentation and complete information on the DPIA, with the elements then available, was not required.

344. Furthermore, the argument that the DPIA must be dynamic, subject to revisions and updates whenever necessary, obviously does not affect the duty to document the assessment already carried out before the time of such revision or update.

345. Moreover, in its Defence, the Defendant does not demonstrate that it actually carried out any DPIA before the start of the operation, nor a full assessment of the risk of transferring personal data to third countries.

346. Furthermore, the document called DPIA is not complete, since it refers to only four processing operations, namely: "Processing 1 (T1) Data necessary for contact with the household representative (data taken from the National Accommodation File)"; "Processing 2 (T2) Respondent data (statistical data provided by respondents when completing the Census form, regardless of the means of transmission of the information)"; "Processing 3 (T3) Data of subcontractors involved in Census activities"; "Processing 4 (T4) Resident Population Base (BPR), only as reinforcement of the quality of the census results, in the statistical processing phase, and, within the scope of the contingency arising from the COVID-19 pandemic, to allow imputations in case of non-response".

347. It should also be considered and emphasised that the pandemic period did not suspend the obligations arising from the GDPR for controllers and, in particular, did not suspend the duties and obligations imposed on administrative entities.

348. Therefore, it can only be considered that the Defendant confirms, with its Defence, the failure to carry out a DPIA, confirming the non-compliance with Article 35 of the GDPR.

xii. Failure to communicate the DPO

349. The Defendant alleges that it communicated the contact details of its DPO to the CNPD.

350. On 22.05.2018, the Secretariat of INE's Board of Directors sent, to the email address geral@cnpd.pt, a communication informing that Ana Dulce Pinto, a law graduate and Senior Technician Specialist in Statistics at INE, had been appointed as INE's data protection officer with effect from 25 May 2018.

351. On 19.05.2021, INE's Board of Directors decided to renew Dr Ana Dulce Pinto's mandate as INE's DPO for the three-year period 2021/2024.

Let us see.

352. It should be noted that the Defendant provided sufficient proof of compliance with the obligations arising from Article 37(1) and (7) of the GDPR.

353. Namely by attaching an email to the present case file.

354. This is why the CNPD finds that the infringement with which it was charged has not been established.

xiii. Waiver of the fine under Article 44(2) of Law 58/2019

355. The Defendant considers that the specific nature of the personal data processing carried out in the context of the Census 2021 operation does not raise particular needs of general or special prevention that would preclude waiving the fine under Article 44(2) of Law 58/2019 (LERGPD).

Let us see whether such a regime can be applied to the Defendant.

356. The mechanism provided for in Article 44(2), now invoked by the Defendant, does not constitute any principle or rule of waiving fines for public entities.

357. Nor could it, as that would seriously contradict paragraph 1 of the same Article 44.

358. In fact, the national legislature, through Article 44(2), created a mechanism that can be used only by public entities.

359. This mechanism is not the general rule, which is contained in Article 44(1) and provides for the application of fines to public and private entities alike.

360. Paragraph 2 of that Article represents only an exceptional regime for public entities.

361. Which is, moreover, dependent on a "duly substantiated request" to the supervisory authority.

362. As was, incidentally, clarified in Deliberation/2019/945 issued by the CNPD, which made explicit that waiving the imposition of a fine on public entities depends, under Article 44(2) of the LERGPD, on a discretionary (or autonomous, in the sense of not being predetermined by law) assessment by the CNPD of the grounds invoked by the applicant.
363. Now, in the case of the Defendant, it should be noted that we are faced with a high number of administrative offences committed within the scope of the same census operation, Census 2021.

364. On the other hand, we are faced with a massive data processing operation, i.e. the universe of affected data subjects is very broad (the entire population in Portugal as regards the generality of the data processing, and more than 6 million people as regards the international data transfers).

365. In addition, some of the infringements concern the processing of data specially protected by the GDPR.

366. It should also be noted that the Defendant was charged with several violations of provisions of the GDPR that are classified as serious and punishable with the highest penalty provided for in the GDPR.

367. All in all, it is concluded that there are weighty reasons for imposing a fine on the Defendant, and no exceptional circumstance is envisaged that would deserve consideration for the purpose of not applying it.

368. In view of the lack or insufficiency of grounds for the request, and considering the nature and extent of the personal data processing as well as the seriousness of the infringements, the CNPD rejects the request for waiver of the fine made by the Defendant.

III. Facts

369. Of the elements in the file, insofar as relevant to the decision, the facts set out in the Draft Deliberation are considered partially reproduced.

370. It should, however, be mentioned that it is considered proven, contrary to what is stated in the Draft Deliberation, that the Defendant published its DPO's details and communicated them by email to the CNPD.

371. Therefore, the following facts are considered proven and relevant to this Deliberation:

i. Between 19 April and 31 May 2021, the census operation "Census 2021" took place;

ii. It aimed to obtain information about the entire population residing in Portugal, the families and the Portuguese housing stock;

iii. Response to Census 2021 by data subjects was mandatory, and failure to provide information or providing inaccurate information was punishable by a fine of between €500 and €25,000;

iv. Up to 26 April 2021, the date on which the CNPD began its investigative measures, around 2.5 million forms had been submitted online;

v. Which covered the processing of personal data of more than 6 million people;

vi. INE, as national statistical authority and controller, organised the entire census procedure;

vii. By INE's choice, the processing of information by digital means was favoured over the completion and delivery of physical forms;

viii. Between 17 April and 7 May 2021, a large number of complaints related to the Census 2021 operation were received;

ix. The complaints concern four aspects: a. the lawfulness of processing personal data that explicitly identified data subjects by name; b. the applicability of collecting special categories of data, such as those relating to religion, underlining the apparently mandatory nature of the response; c. the security of the information handled; and d. the existence of international flows to countries that may not ensure an adequate level of protection of the personal data processed, compatible with European legislation;

x. Within the scope of the powers conferred on it by law, the CNPD carried out an inspection, having gone to the premises of INE's headquarters for that purpose on 26 April.

And further:

i. Lack of legal basis for the processing of special categories of personal data

372. The Census 2021 forms (questions 29.1 to 30), presented to data subjects in order to comply with the obligation to respond, required personal data of special categories.

373. Namely, data relating to respondents' health problems and religion.

374. Respondents were asked about special categories of data in the items of block 3 "Individual" (cf. printout of the online census form in the file): a. 20 ("Did not work from 12 April to 18 April because: (...) is permanently unable to work"); b. 29 (relating to respondents' physical difficulties); and c. 30 ("Indicate your religion").

375. The forms were not clear in distinguishing the information that had to be provided from the information that was optional.

376. There was no information that the answer to questions 29.3 to 29.6 and 30 was optional.

377. Group 29 consisted of 6 questions, spread over 3 pages, with two questions on each.

378. Only the first page carried information about the optional nature of the answer.

379. On the next two pages (questions 29.3 to 29.6), the optional nature of the answer was not indicated.

380. Item 30, although optional, carried no such information.

ii. Violation of the duty to inform data subjects

381. INE did not make available on the Census page, nor on the forms, clear, prominent and easily accessible information from which the data subject could know, in the necessary detail, the circumstances in which the processing of their personal data would take place, nor even a hyperlink on that topic referring to another page where such information was provided.

382. Nor was information about this processing of personal data available on INE's institutional website.

iii. Violation of the rules applicable to the engagement of Cloudflare, Inc.

383. The contracting of Cloudflare, Inc. was not preceded by any negotiation or due diligence by INE.

384. INE limited itself to subscribing online to the services provided, as a package, by Cloudflare, Inc.

385. INE opted to subscribe to the "Business" package of Cloudflare, Inc., headquartered in the USA.

386. The "Business" package was, at the time, governed by the "Self-Serve Subscription Agreement" and by the related Data Processing Addendum (version 3.0, dated 1 October 2020), which forms an integral part of the contract.

387. Under this contract, INE authorised Cloudflare, Inc. to process personal data outside the European Economic Area, on any of the 200 servers it uses, as well as the transfer of personal data to the USA.

388. The Defendant had at its disposal the "Cloudflare Data Localization Suite", which would have contractually allowed it to geographically restrict the servers to be used.

389. Successive subcontracting by means of entities established in third countries was also authorised.

390. Under the terms of the contract, the forum for settling disputes between INE and Cloudflare, Inc. is the courts of California.

iv. Violation of the transfer regime

391. The Defendant contracted the Content Delivery Network (CDN) services of Cloudflare, Inc., an entity that is required to comply with legislation that removes the protection conferred by the GDPR.

392. Services that do not meet the requirements laid down by law for transfers of personal data to third countries.

393. On 27 April 2021, the CNPD, through Deliberation/2021/533, ordered the suspension, within a maximum of 12 hours, of the sending of personal data from the Census 2021 operation to the USA and to other third countries without an adequate level of personal data protection.

394. On 28 April 2021, the Defendant informed the CNPD that it had terminated, on the previous day, the contract entered into with Cloudflare, Inc.

395. The "Business" package of Cloudflare, Inc. provides its own network of servers, many of which are located in countries that do not ensure adequate protection of personal data.
396. INE authorised Cloudflare, Inc. to process personal data outside the European Economic Area, on any of the 200 servers it uses, as well as to transfer personal data to the USA.

397. The decision as to which server serves the citizen accessing the census form is made by an algorithm based on two criteria: the proximity of the servers to the place from which the form is accessed, and their availability at any given moment.

398. Once the data entered the network of Cloudflare, Inc., it was not possible for the Defendant to know and control where respondents' personal data circulated.

399. The domain "censos2021.ine.pt" resolved to the IP address 172.67.41.182, assigned to Cloudflare, Inc., headquartered in San Francisco, USA.

400. US law does not provide a level of protection of personal data at least equivalent to that guaranteed by the GDPR.

v. Failure to carry out a data protection impact assessment

401. INE did not carry out a DPIA prior to the start of the data processing.

402. The document called DPIA sent by the Defendant had a circumscribed and insufficient scope, as it does not cover the entirety of the processing, nor even relevant dimensions of the personal data processing operations.

403. That document referred to only four personal data processing operations: Processing 1 (T1) Data necessary for contacting the household representative; Processing 2 (T2) Respondent data (statistical data provided by respondents when completing the Census form, regardless of the means of transmission of the information); Processing 3 (T3) Data of subcontractors involved in Census activities; Processing 4 (T4) Resident Population Base.

IV. Reasons for the decision

404. The facts found proven resulted from the CNPD's inspection activity and from the Defence contained in the case file.

405. After a joint and critical analysis of the evidence produced in the case file, the conviction as to the proven facts was formed.

406. Thus, it is understood that the Defendant's conduct constitutes the commission of 5 administrative offences provided for and punished by the GDPR.

407. As a result, and in view of the facts found, it is sufficiently established that the Defendant committed, as material author, in the consummated form and with eventual intent, the following administrative offences:

i. An administrative offence provided for and punished by the combined provisions of Article 9(1) and Article 83(5)(a) of the GDPR, with a fine of up to €20,000,000, for violating the prohibition on processing special categories of personal data;

ii. An offence provided for and punished by the combined provisions of Articles 12 and 13 and Article 83(5)(b) of the GDPR, with a fine of up to €20,000,000, for breach of the duty to inform data subjects;

iii. An offence provided for and punished by the combined provisions of Article 28(1), (6) and (7) and Article 83(4)(a) of the GDPR, with a fine of up to €10,000,000, for breach of the rules applicable to the engagement of processors;

iv. An offence provided for and punished by the combined provisions of Article 44, Article 46(2) and Article 83(5)(c) of the GDPR, with a fine of up to €20,000,000, for violation of the transfer regime;

v. An offence provided for and punished by the combined provisions of Article 35(1), (2) and (3)(b) and Article 83(4)(a) of the GDPR, with a fine of up to €10,000,000, for breach of the obligation to carry out a data protection impact assessment.

V. Determination of the amount of the fine

408. In accordance with Article 83(2)(a) to (k) of the GDPR, the amount of the fine is determined according to the following criteria:

i. Nature, gravity and duration of the infringement, taking into account the nature, scope and purpose of the processing concerned, as well as the number of data subjects affected and the level of damage suffered by them: the infringements committed by the Defendant are considered to be of a significant degree of gravity, bearing in mind the number of data subjects concerned (the entire population in Portugal as regards the generality of the data processing, and more than 6 million people as regards the international data transfers), the context in which they were committed, in particular the mandatory response to Census 2021 and the conviction, generated by INE's conduct, that questions 29.3 to 29.6 and 30 were mandatory. It is also taken into account that only two of the offences with which the Defendant is charged are not punishable under the most serious framework provided for in the GDPR (namely the breach of the rules applicable to the engagement of processors and the failure to carry out a prior and thorough data protection impact assessment);

ii. Intentional or negligent character of the infringements and degree of fault: a. In the case of items i. and ii. of point 407, negligent conduct, for not allowing the free formation of the will in the answers to questions 29.3 to 29.6 and 30, and for having breached the duty of transparency, embodied in the lack of information to data subjects about the census operation, thus acting in breach of the duty of care to which, in the circumstances, it was bound and of which it was capable, and acting with awareness of the unlawfulness of the fact; b. In the case of the offences indicated in items iii., iv. and v. of point 407, the Defendant acted intentionally, insofar as it did not carry out the required due diligence in the choice of processor and in the contract signed, did not ensure that personal data was transferred only to third countries with adequate protection, nor took measures to ensure that the data would always be processed with an adequate level of protection in a third country, in addition to not having carried out the full DPIA before the start of the data processing; INE knew, and could not fail to know, the binding nature of its obligations and accepted the possibility of committing the facts of which it is accused, for which reason they are imputed to the Defendant by way of eventual intent;

iii. Action taken by the controller or processor to mitigate the damage suffered by data subjects: before being formally notified by the CNPD of the decision ordering the suspension of the transfer of personal data, the Defendant, aware of the content of the Deliberation, suspended the contract with Cloudflare, Inc.;

iv. Degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by it under Articles 25 and 32: the Defendant is considered highly responsible for not having defined technical and organisational measures that were minimally sufficient and suitable for the protection of the personal information processed;

v. Any relevant previous infringements by the controller or processor: none;

vi. Degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects: which cannot be considered adequate, as it was necessary to insist on the delivery of the elements requested at the time of the inspection;
vii. The categories of personal data affected by the infringement: all personal data collected through the Census 2021 forms relating to data subjects' private life, including data classified as special (Article 9(1) GDPR) and data of a highly personal nature;

viii. The manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement: which, in this case, resulted from complaints filed by citizens;

ix. Compliance with the measures provided for in Article 58(2) of the GDPR: following the inspection, and before formal notice of the CNPD's deliberation, the Defendant suspended the sending of personal data from Census 2021 to the United States and to other countries without an adequate level of protection, and suspended the subcontracting of Cloudflare, Inc., an entity that is required to comply with legislation that removes the protection conferred by the GDPR;

x. Adherence to approved codes of conduct under Article 40 or approved certification mechanisms under Article 42: a criterion that also does not apply, as there is no code of conduct or certification mechanism in the terms indicated; and

xi. Any other aggravating or mitigating factor applicable to the circumstances of the case, in the light of Article 83(2)(k) of the GDPR, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement: the value of the economic advantage obtained by the Defendant through the infringements is unknown, but it was found that in 2021 INE's total budgeted revenue was €68,830,999 (sixty-eight million, eight hundred and thirty thousand, nine hundred and ninety-nine euros); the Defendant's behaviour during the preparation of the census operation was also considered an aggravating factor, as it revealed a disregard for the principles and obligations laid down in the GDPR, relying on intervention by the supervisory authority rather than taking the initiative to ensure that the census operation complied with that regime and to create procedures for that purpose, as well as for the purpose of demonstrating it.

409. In the present case, five offences were committed, in material authorship and in the consummated form, two administrative offences committed with negligence and three with intent, in effective concurrence.

410. In view of the aforementioned criteria, the CNPD considers it necessary to apply five fines to the Defendant in the present case, considering this to be the effective, proportionate and dissuasive measure required by the specific circumstances in which the infringements occurred.

411. The framework of fines abstractly applicable to the Defendant is as follows:

i. The combined provisions of Article 9(1) and Article 83(5)(a) of the GDPR;

ii. The combined provisions of Articles 12 and 13 and Article 83(5)(b) of the GDPR;

iii. The combined provisions of Article 44, Article 46(2) and Article 83(5)(c) of the GDPR;

with a maximum limit of €20,000,000.00.

412. While the framework of the fine abstractly applicable to the following infringements is as follows:

i. The combined provisions of Article 28(1), (6) and (7) and Article 83(4)(a) of the GDPR;

ii. The combined provisions of Article 35(1), (2) and (3)(b) and Article 83(4)(a) of the GDPR;

with a maximum limit of €10,000,000.00.

413. Assessing the facts found in the light of the above criteria, the CNPD, under Article 58(2)(i) of the GDPR, considers appropriate the application to the Defendant of:

i. A very serious fine, for lack of legal basis for the collection of special categories of data, an infringement committed negligently, in the amount of €1,600,000 (one million six hundred thousand euros);

ii. A very serious fine, for breach of the duty to inform data subjects, an infringement committed negligently, in the amount of €1,600,000 (one million six hundred thousand euros);

iii. A fine for breach of the rules applicable to the engagement of processors, an infringement committed with intent, in the amount of €200,000 (two hundred thousand euros);

iv. A very serious fine, for violation of the personal data transfer regime, an infringement committed with intent, in the amount of €2,400,000 (two million four hundred thousand euros);

v. A fine for breach of the obligation to carry out a data protection impact assessment, an infringement committed with intent, in the amount of €400,000 (four hundred thousand euros).

414. Adding the 5 partial fines together results in a value of €6,500,000 (six million five hundred thousand euros).

415. After framing the partial sanctions, it follows from Article 83(3) of the GDPR that "[i]f a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement".

416. In the present case, the amount specified for the gravest infringement is €20,000,000 (twenty million euros), which constitutes the abstractly applicable maximum limit.

417. Article 19(3) of the RGCO (General Regime of Administrative Offences), applicable subsidiarily by virtue of Article 45 of Law No. 58/2019 of 8 August, further provides that "the fine to be applied may not be lower than the highest of the fines concretely applied to the various administrative offences", that is to say €2,400,000 (two million four hundred thousand euros).

418. We have, then, that the abstract framework of the single fine to be applied lies between a minimum of €2,400,000 (two million four hundred thousand euros) and a maximum of €20,000,000 (twenty million euros).

VI. Grounds for the application of the single fine

419. The essential precondition for the legal cumulation of partial fines is the commission of several offences by the same Defendant before the conviction for any of them becomes final.

420. In this sense, in order to proceed with the legal cumulation, the following requirements, of a procedural and substantive nature, must be met: (i) that the sanctions relate to administrative offences committed before a final and unappealable conviction for any of them, and (ii) that they were committed by the same Defendant and that the sanctions are of the same nature.

421. Which is cumulatively satisfied in the present case, given the existence of effective or pure concurrence, whether in the form of real concurrence or of ideal concurrence.

422.
Given the conduct expressed by the vast and serious set of offenses committed, by the vast and extended number of potential holders of personal data affected and very specifically by the lack of freedom for citizens to provide their special or sensitive data - insofar as that the response to the censuses is mandatory and the provision of such data appeared to be - it is understood to be a sanction that reflects the high censure of this behavior, which will translate into a concrete fine whose value will serve as a dissuasive effect of identical behavior in the next operation census. 423. In the weighting carried out to decide on the single fine to be applied, and without prejudice to the high degree of censorship of the Defendant's conduct, reflected in the indifference of the new applicable legal framework, the CNPD considers relevant the fact that the Defendant has no history of application of administrative offenses for violating data protection regulations. 424.Now, taking into account, also the legal assets protected by the administrative offenses in question, that the same committed, it seems effective, proportionate and dissuasive, the application to the Defendant: i In legal terms, pursuant to the combined provisions of paragraph 3 of article 83 of the RGPD and paragraph 3 of article 19 of the General Regime of Offenses, a single fine of €4,300,000.00 (four million, three hundred thousand euros). VII. Conclusion 425. In view of the above, the CNPD decides: i Do not sanction the Defendant for the practice of the following offenses: The. An offense provided for and punishable by the combined provisions of paragraph 2 of the article 5 and paragraph a) of paragraph 5 of article 83, both of the RGPD, with a fine of up to €20,000,000 for breach of the liability principle; B. 
An offense provided for and punishable by the combined provisions of paragraph a) of paragraph 1 of article 5 and of paragraph a) of paragraph 5 of article 83, both of the RGPD, with fine of up to €20,000,000, for violation of the principle of lawfulness, loyalty and transparency; ç. An offense provided for and punished by the combined provisions of paragraph 7 of the article 37 and paragraph a) of article 83, paragraph 4, both of the RGPD, with a fine of up to €10,000,000, for breach of the duty to notify the Control Authority of the designation of the Data Protection Officer; d. An offense provided for and punishable by the combined provisions of paragraph c) of paragraph 1 of article 5 and of paragraph a) of paragraph 5 of article 83, both of the RGPD, with fine of up to £20,000,000 for breach of the data minimization principle; and. An offense provided for and punished by the combined provisions of article 37 and paragraph a) of paragraph 4 of article 83, both of the RGPD, with a fine of up to €10,000,000 for breach of duty; Apply to the Defendant National Institute of Statistics: The. A single fine, in the amount of £4,300,000 (four million, three hundred thousand euros); 496. Pursuant to paragraphs 2 and 3 of article 58 of the General Regime on Offenses, inform the Defendant that the conviction becomes final and enforceable if it is not judicially contested under the terms of article 59 of the same diploma, within 20 working days after notification. 427. The Defendant must pay the fine, within a maximum period of 10 days, after it becomes definitive, sending the respective payment slip to the CNPD. In case of impossibility of payment In a timely manner, the Defendant must communicate this fact, in writing, to the CNPD. Approved at the meeting on November 2, 2022. Pursuant to paragraph h) of paragraph 1 of article 19 of Law no. 
43/2004, of 18 August, and by grounds contained in Resolution/2022/1072 of this Commission, of November 2, I ratify said Deliberation and, consequently, I apply, to the defendant, National Institute of Statistics, |.P. by the practice of five offenses, in legal combination, under the terms of the combined provisions of paragraph 3 of article 83. of the RGPD and paragraph 3 of article 19 of the General Regime of Offenses, the single fine of €4,300,000.00 (four million and three hundred thousand euros). Notify d.s. The president, w " (Filipa Calvao)
- CNPD (Portugal)
- Portugal
- Article 9(1) GDPR
- Article 12 GDPR
- Article 13 GDPR
- Article 28(1) GDPR
- Article 28(6) GDPR
- Article 28(7) GDPR
- Article 35(1) GDPR
- Article 35(2) GDPR
- Article 35(3) GDPR
- Article 44 GDPR
- Article 46(2) GDPR
- Article 83(3) GDPR
- Article 83(4)(a) GDPR
- Article 83(5)(a) GDPR
- Article 83(5)(b) GDPR
- Portuguese