CNPD (Portugal) - Deliberação 2021/1569: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Portugal |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoPT.png |DPA_Abbrevation=CNPD (Portugal) |DPA_With_Country=CNPD (Portugal) |Case_...")
 
(Uploaded a comment regarding recent court decision.)
 
(18 intermediate revisions by 5 users not shown)
Line 23: Line 23:
|Currency=EUR
|Currency=EUR


|GDPR_Article_1=Article 5(1)(e) GDPR
|GDPR_Article_1=Article 5(1)(a) GDPR
|GDPR_Article_Link_1=Article 5 GDPR#1e
|GDPR_Article_Link_1=Article 5 GDPR#1a
|GDPR_Article_2=Article 5(1)(a) GDPR
|GDPR_Article_2=Article 5(1)(c) GDPR
|GDPR_Article_Link_2=Article 5 GDPR#1a
|GDPR_Article_Link_2=Article 5 GDPR#1c
|GDPR_Article_3=Article 9(1) GDPR
|GDPR_Article_3=Article 5(1)(e) GDPR
|GDPR_Article_Link_3=Article 9 GDPR#1
|GDPR_Article_Link_3=Article 5 GDPR#1e
|GDPR_Article_4=Article 13(1) GDPR
|GDPR_Article_4=Article 9(1) GDPR
|GDPR_Article_Link_4=Article 13 GDPR#1
|GDPR_Article_Link_4=Article 9 GDPR#1
|GDPR_Article_5=Article 13(2) GDPR
|GDPR_Article_5=Article 13 GDPR
|GDPR_Article_Link_5=Article 13 GDPR#2
|GDPR_Article_Link_5=Article 13 GDPR
|GDPR_Article_6=Article 35(3)(b) GDPR
|GDPR_Article_6=Article 83(7) GDPR
|GDPR_Article_Link_6=Article 35 GDPR#3b
|GDPR_Article_Link_6=Article 83 GDPR#7
|GDPR_Article_7=Article 83(5)(a) GDPR
|GDPR_Article_7=Article 83(3) GDPR
|GDPR_Article_Link_7=Article 83 GDPR#5a
|GDPR_Article_Link_7=Article 83 GDPR#3
|GDPR_Article_8=Article 35(3)(b) GDPR
|GDPR_Article_Link_8=Article 35 GDPR#3b




|National_Law_Name_1=Decreto-Lei n. 433/82
|National_Law_Link_1=https://dre.pt/dre/detalhe/decreto-lei/433-1982-376273
|National_Law_Name_2=Lei n. 58/2019  
|National_Law_Name_2=Lei n. 58/2019  
|National_Law_Link_2=https://dre.pt/dre/detalhe/lei/58-2019-123815982%20
|National_Law_Link_2=https://dre.pt/dre/detalhe/lei/58-2019-123815982


|Party_Name_1=
|Party_Name_1=
Line 64: Line 64:
}}
}}


The CNPD imposed a €1,250,000,00 euros fine on the Lisbon City Council due to the data processing activities of protests promoters including sharing with third parties such as embassies and foreign ministers of third countries.
The Portuguese DPA issued a €1,250,000 fine against the Lisbon Municipality for sharing personal and sensitive data of protestors with third parties, including the embassies and foreign ministers of the countries targeted by the protests.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The CNPD imposed a €1,250,000,00 euros fine on the Lisbon City Council for breaching the GDPR principles of lawfulness, loyalty and transparency, minimization of data (in terms of "need to know"), breach of the duty of providing information mentioned in article 13 GDPR, violation of limitation storage’s principle and violation of the obligation to carry out a data protection impact assessment.  
The case has its origins in what became known in the Portuguese media as “Russiagate”, when it became known that the Lisbon Municipality (the Municipality) had collected and shared personal data belonging to a promoter of a demonstration in Lisbon in favour of Russian dissident Alexei Navalny, and whose personal data was subsequently shared with Russian authorities. It was then revealed that data from many other protest promoters had been shared with a vast set of third parties in the past, including the offices of the Portuguese Prime Minister, the Minister of Internal Administration (MAI) and the Public Security Police (PSP), as well as embassies and foreign ministers from third countries targeted by protests in Lisbon.  


The case has its origins in what became known in the media as “Russiagate” – sharing of personal data of protesters with a “vast set of third parties”, including the offices of the prime minister, minister of internal administration, security coordinator, embassies, and foreign ministers from third countries. The Portuguese authority also considered the communication of personal data of protesters to various services of the municipality as GDPRs violation.
Although this practice was carried out at least since 2012, and up until 2021 (as an internal database of the  Municipality showed), the decision focuses on cases that occurred from 2018 and onward, corresponding to the entry into force of the GDPR. Within the decision is a list of 111 specific protests, and the data that was collected and shared in each case. The data collected from the protestors included name, address (postal or electronic), profession, telephone number, nationality, date of birth, affiliations, marital status, tax identification number, civil identification number, residence permit details, and sometimes even copies of civil identification documents.


The fact that the data are related to political convictions leads to their classification in the category of sensitive data, which would lead to an even greater care, by the municipality, in carrying out data processing activities, which, in the view of the authority, did not occur (having the municipality requested in its allegations the non-qualification of the personal data of the protesters as sensitive data).
After an initial draft decision by the Portuguese DPA (CNPD), the Municipality presented its defense, in which they argued, among other things, that their actions did not constitute willful misconduct but were rather based on a per-existing tradition within civil governments, and the execution of  a "bureaucratic procedure" that was not detected as problematic when evaluating internal conformity with GDPR. It also stated that the Mayor had issued an order dated April 3 2013, in which it was established that the data collected on protestors should only be shared with the MAI and PSP, which was justified in order to ensure not only the safety of the protest, but also the provision of additional public services such as electricity and urban cleaning. The Municipality claimed that any sharing of data beyond these agencies was attributable to officials acting contrary to the Mayor's order, and that any assessment on the subjectivity of these actions should find them to be slightly censurable, but not malicious.  
 
During the investigation, the CNPD found that the practice of this kind of sharing had been going on for a long time, and a list of events that occurred between January 2012 and at least June 2021 was saved in an excel file.


With regards to its potential obligation to carry out a Data Protection Impact Assessment (DPIA), the Municipality argued that this obligation had legally prescribed. They also argued that the data shared should not be considered sensitive data under [[Article 9 GDPR#1|Article 9(1) GDPR]] as it does not reveal any of the dimensions protected within this provision, and that the adherence of promoters to the causes defended in the demonstrations were made manifestly public, including on social networks, which constitutes an exception to the processing of this kind of data under [[Article 9 GDPR#2e|Article 9(2)(e) GDPR]].


Additionally, the Municipality claimed that there was no applicable rule to sanction them, because according to [[Article 83 GDPR#7|Article 83(7) GDPR]], the imposition of fines only apply to the public sector when established by a national law, and that there is no sanctioning rule applicable to non-business entities in the public sector under [https://dre.pt/dre/detalhe/lei/58-2019-123815982 Portuguese GDPR National Implementation Law (Law 58/2019)]. The Municipality also requested an exemption of any potential fine against them according to the terms of Article 44(3) of the aforementioned national law.
=== Holding ===
=== Holding ===
Lisbon City Council's arguments:
On the allegation by the Municipality that these data sharing practices were based on tradition already established under the jurisdiction of civil governments, the CNDP noted that an initial procedure was established in 2012  by the Mayor of Lisbon at the time through Protocol No. GPCML/1/2012, in which the protest promoter's data was shared with the Prime Minister's Office, the MAI, the PSP, the Lisbon Municipal Police, the Security Coordination Office, the Office of the Deputy Minister for Parliamentary Affairs, municipal services, and in case they were targeted, the Parliament, ministries and embassies.


When notified about the content of the Draft Deliberation/2021/16 and in accordance with the Portuguese rule called General Regime for Administrative Offenses (RGCO – Decreto-Lei nº 433/82), the Municipality of Lisbon presented its defense, saying that:
The CNPD also recalled that the Municipality itself recognized the disorganisation of the data remittance procedure when the Mayor issued the order dated April 13, 2013, in which the aforementioned protocol was amended. This new protocol limited the sending of notices to the MAI and the PSP. However, as the facts in the case show, in practice this order was not complied with. Hence, the CNDP held that merely issuing an order without a proper evaluation to ensure its compliance was a clearly insufficient measure. The CNPD also rejected the Municipality's attempt to remove responsibility from itself based on their employee's non-compliance with this new order.


1. That the offense attributed for not having prepared a Data Protection Impact Assessment was prescribed;
Regarding the subjective elements in the Municipality's conduct, the CNPD held that willful misconduct can be established through inferences from the factual circumstances in the case. The CNPD highlighted a consistent disregard for personal data protection rules and notorious laxity on data protection management. This was exhaustively substantiated by the CNPD with numerous examples, including the fact that the Lisbon Chamber remained inactive during the two year GDPR adaptation period, and that the Municipality's action plan for the implementation of the GDPR was approved only until August 2019. The CNDP attributes circumstances observed in the operational procedures of the Municipality, including the non-verification of compliance with data protection rules, to an “organizational culture, at the very least, very deficient”, and acting contrary to the principle of responsibility.  
2. That the CNPD had not previously warned Lisbon City Council under the terms of article 39 (3) of Law No. 58/2019;
3. Nullity of the accusation for omission of the subjective elements of the type;
4. Action was based on the already established tradition under the jurisdiction of civil governments;
5. That it had dedicated financial and human resources to adequate its internal practices to the requirements of the GDPR;
6. The procedure was corrected when the complaint was fullfilled on 03/18/2021;
7. Disagreement with the allegation about “intention” (subjective element)
8. That there is no sanctioning rule that applies to the Lisbon City Council as a public entity, as it understands that the national legislator was responsible for defining “if” and “when” applicable sanctions in accordance with the wording of article 83 (7) of the GDPR. It argues that there is no sanctioning rule applicable to non-business entities in the public sector in Law No. 58/2019 - which enforces the implementation of the GDPR in the national legal system.
9. That, in the case of a violation, which occurred, in part, as in the case of sending notices to entities without legitimacy to have access to them, this was due to employees who acted contrary to an internal rule issued by the Mayor of Lisbon, called Decreto de 13 April 2013, in which it was determined that notices of demonstrations should only be sent to the Ministry of Internal Administration (MAI) and to the Public Security Police (PSP);
10. That the information referring to the promoters of demonstrations in the contents of the Notices should not, in certain cases, be considered special categories of data, as provided for in article 9 (1) of the GDPR, as they do not reveal specially protected dimensions. It also argued that the information on the supporters of protests and the promoted causes were made public on social media, in which case the derogation of article 9 (2) (e) of the GDPR applied;
11. That there was a public interest in justifying the lawfulness of the processing operations and that the domestic Portuguese rule that regulates the right of assembly, Decreto Lei No. 406/74, should take into account the current municipal reality of not having competence to guarantee its normative requirements to manage the routes and the prerogatives of authority;
12. That the Ministry of Internal Administration and the Public Security Police have competence and are based on guaranteeing the security force to receive shared contact data;
13. That the municipal services received information because they are linked to the same entity, the Municipal Police, and because of the need to coordinate urban cleaning services or provide electricity for demonstrations directly with the promoters within the legal short term of 2 working days;
14. That there was no fault or intent on the part of the Municipality as it was complying with a bureaucratic procedure that out the treatments considered undue;
15. That it must be considered a single breach, evaluating them jointly under the terms of article 83 (3) of the GDPR, since all the offenses charged are strictly connected;
16. That the imposition of fines be waived in accordance with the rule of execution of the GDPR in the internal order of Portugal, Law nº 58/2019, in its article 44 (3).


Consideration of the arguments by CNPD:
The CNPD held that a person's registration with the Municipality as the organiser of a protest should be considered a special category of data protected under [[Article 9 GDPR#1|Article 9(1) GDPR]]. The CNDP also highlighted the mistake made by the Municipality in confusing the purpose of the demonstrations with the purpose of collecting the organiser's personal data. Hence, the CNDP stated that regardless of the fact that a person publicly manifests it will participate in a protest, this does not authorize any entity to then proceed with the processing and sharing of their personal data collected for the purpose of organising the event. The CNPD also warned that this publicity should not be taken advantage of in order to categorise people according to their ideas, orientations and religions, or put them in danger by sharing their data with third parties against which they are protesting. The CNDP considered the fact that more and more protesters around the world are concerned about revealing their identities, and that the growing array of means of identifying, recording and preserving personal information in public places should lead to the updated consideration of the risks that these means pose to freedom of assembly and expression.


1. On the allegation that the offense attributed to not having prepared a DPIA is time-barred;
The CNDP held that there was no justification for the failure to comply with the duty of carrying out a DPIA provided for in [[Article 35 GDPR#3b|Article 35(3)(b) GDPR]] because, among other things, Law 58/2019 does not have any mention of a prescription period, and even maintains this obligation after fines have been imposed. The CNPD  also pointed out that the need to carry out a DPIA is not restricted to the presence of processing of special categories of data, and that a potential violation or risk to the exercise of fundamental rights such as freedom of assembly in itself, would justify the realization of a DPIA.


The Portuguese Authority understood that it is unacceptable to say that the violation is prescribed for failure to comply with the duty to prepare a DPIA provided for in article 35 (3) (b) GDPR , on personal data processing activities, because, among other reasons, the rule that implements the provisions of the GDPR in the Portuguese legal system, Law No. , in this case the preparation of DPIA, even after payment of fines related to the sanction applied, if possible;
Regarding the lack of a sanctioning rule applicable to the Municipality of Lisbon, the CNPD noted that indeed [[Article 83 GDPR#7|Article 83(7) GDPR]] states that each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities, and that Article 44(1) of Law 58/2019 is crystal clear in its wording establishing that "the fines provided for in the GDPR and in this law apply equally to public and private entities”.


Thus, there is no mention of prescription, also because the Municipality of Lisbon admitted that it is a necessary and enforceable obligation in its defense, by claiming to have initiated a procedure for the preparation of DPIA on the processing of personal data and for the definition of storage periods applicable to them. , enabling the erasure of personal data unnecessary for the purposes;
To establish its fine on the Municipality, the CNPD, applied [[Article 83 GDPR#3|Article 83(3) GDPR]]  taking into account that the infringements were related to the same or linked processing operations, and issued a single fine of € 1,250,000 for the violation of the principle of lawfulness, fairness and transparency under [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], the principle of data minimization (in terms of "need to know") under [[Article 5 GDPR#1c|Article 5 (1)(c) GDPR]], the principle of storage limitation under [[Article 5 GDPR#1e|Article 5 (1)(e)GDPR]],  the duty to provide information under [[Article 13 GDPR]], and the obligation to carry out a DPIA under [[Article 35 GDPR|Article 35(3)(b) GDPR]]. The CNDP also highlighted the fact that it took the financial difficulties faced by public entities due to the COVID19 pandemic into consideration, and that if it had not done so, the severity of the fines imposed would certainly be much higher.


Still regarding the performance of DPIA, the CNPD pointed out that the need to carry out a DPIA is not restricted to the presence of processing of special categories of data and that the potential violation or danger of the exercise of fundamental rights, such as freedom of assembly and of demonstration, in itself, would justify, regarding the processing of data of the promoters of demonstration, the realization of a DPIA;
== Comment ==
 
Câmara Municipal de Lisboa (Lisbon City Hall) appealed CNPD's Deliberation.
2. On the allegation of lack of prior warning under the terms of article 39 (3) of Law No. 58/2019, the Portuguese DPA imputed all violations (offending conduct, which violate the national rule of the General Regime of Administrative Offenses - RGCO) to deceit title. The obligation of prior warning is given, pursuant to article 39 (3) of Law No. 58/2019, when the alleged conduct is not malicious.
 
3. On the nullity by omission of subjective elements of the type:
The Municipality of Lisbon alleges that the indictment does not specify the revealing facts/indicators of the subjective elements of the type of administrative offence.


In this argument, the CNPD says that what there should be is a sequential description, narratively oriented and spatio-temporally circumstantial, of the essential elements for the singularization of the behavior relevant to administrative offences, and that this description must contemplate the objective and subjective characterization of the action and omission whose imputation is involved. The authority described the facts and behavior of the Municipality of Lisbon - the CNPD invokes the jurisprudence of the Court of Appeal of Coimbra to corroborate the reasoning.
On 21 July 2024, the Lisbon Administrative Court sentenced Câmara Municipal de Lisboa (Lisbon City Hall) to pay €1.027.500,00 for the Russiagate incident, partially confirming CNPD's aforementioned fine - the remainder was upheld due to the prescription of some of the sanctions.
 
4. On the allegation that the action was based on the tradition already established under the jurisdiction of civil governments
 
The Municipality of Lisbon says that the way in which they were sent and the destination of notices of demonstrations were based on the procedure established in 2012 through Protocol No. GPCML/1/2012 by the then Mayor of Lisbon, at the time notices - containing personal data of the prosecutors - for the Prime Minister's Office, the Security Coordinating Office, the Office of the Minister of Internal Affairs, the Office of the Deputy Minister for Parliamentary Affairs, the Public Security Police, the Territorial and the Lisbon Municipal Police. In case they were targeted, Parliament, Ministries, Embassies and municipal services were added;
 
The CNPD recalled, in its Deliberation, that the Municipality of Lisbon itself recognized this disorganization of the remittance service, when the Mayor issued, on April 13, 2013, an order (Annex III) that amended the protocol of the previous year. The new order limited the sending of notices to the Ministry of Internal Administration (MAI) and the Public Security Police (PSP), although, in the CNPD's understanding, it was insufficient and was silent on the real destination of personal data;
 
The fact that the project team's action plan for the implementation of the general regulation was approved only on August 1, 2019, corroborates the understanding of lack of concern with compliance with the data protection regulation. In the CNPD's view, there is consistency in the disregard for personal data protection rules and notorious laxity on data protection management. The point is exhaustively substantiated by the CNPD.
 
Regarding the commitment of means to comply with the requirements of the RGPD, the CNPD highlights the fact that the Lisbon Chamber remained inactive during the two years of vacatio legis to start adapting its procedures to the regulation, which only reveals , in addition, the high censorship of the agency's conduct.
 
5. Regarding the correction of the procedure after the complaint of 03/18/2021, the CNPD once again highlights the need to carry out a DPIA and reinforces that the limitation on sending notices to the PSP and MAI is in disagreement with the Decreto Lei, being the sending of such information is disproportionate.
 
6. Regarding the subjective elements pointed out to the Municipality's conduct, the CNPD mentions that the proof of intent is made through inferences from the factual circumstances of the specific case, being certain what is translated from the actions of the Municipality of Lisbon is their lack of concern regarding the obligations arising from the legislation of data protection. The CNPD also mentions that the Order of 03/13/2013 only reveals the manifest violation of the protective rules for personal data and that there is no need to justify the violation of personal data legislation in the action of Lisbon City Council officials. The authority points out circumstances observed in the operational procedure of the body, including the non-verification, in an active way, of compliance with data protection rules to an “organizational culture, at the very least, very deficient” - acting contrary to the principle of responsibility.
 
7. Regarding the lack of a sanctioning rule applicable to the Municipality of Lisbon, the CNPD argues that the imposition of fines on public entities is regulated in Law No. this law apply equally to public and private entities”.
 
8. Regarding the responsibility of the Lisbon City Council and its employees, the CNPD rejects the Lisbon City Council's attempt to remove responsibility from itself, even more considering that this allegation is based on the non-compliance, by the said employees, of the Order issued in April /2013. The CNPD, on grounds already presented in other topics, considers the order itself insufficient and silent on the destination of the personal data contained in the notices about protesters;
 
9. Regarding the categorization of personal data as special category data, the CNPD highlights the mistake made by the City Council, including, in defense, of confusing the purpose of the demonstrations with the purpose of the demonstrations notices - as if it were not a problem the issue of notices/reports shared about data from Protestants as they have already gone public expressing their opinion.
 
The authority considers the fact that more and more protesters around the world are concerned about revealing their identities, since “the growing array of means of identifying, recording and preserving personal information in public places should lead to the updated consideration of the risks that these means pose to freedom of expression and that the fact that a person goes to a demonstration is made public does not authorize any entity to proceed with the processing of that person's personal data" and that publicity should not be taken advantage of. the position of protesters to catalog people according to their ideas, orientations and religions;
 
10. Regarding the exemption from the application of fines on the grounds of financial difficulties faced because of the pandemic, the CNPD informs that it took this circumstance into account and, if it had not done so, the severity of the fines imposed would certainly be much higher.
 
FINE:
i. Considering that the essential presupposition to carry out the legal accumulation of partial fines is the practice of several infractions by the Lisbon City Council, before the conviction for any of them becomes final, and that the partial sanctions are of the same type, the CNPD, in addition under the combined provisions of article 83 (3) GDPR and article 19 (3) of the Portuguese RGCO, a single fine of € 1,250,000.00 (one million, two hundred and fifty thousand euros), due to the violation the principle of lawfulness, loyalty and transparency, violation of the principle of data minimization, in terms of "need to know", violation of the duty to provide the information provided for in article 13 GDPR, violation of the principle limitation of retention and breach of the obligation to carry out a data protection impact assessment.
 
 
 
== Comment ==
''Share your comments here!''


== Further Resources ==
== Further Resources ==

Latest revision as of 14:57, 14 August 2024

CNPD (Portugal) - Deliberação/2021/1569
LogoPT.png
Authority: CNPD (Portugal)
Jurisdiction: Portugal
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 5(1)(e) GDPR
Article 9(1) GDPR
Article 13 GDPR
Article 83(7) GDPR
Article 83(3) GDPR
Article 35(3)(b) GDPR
Lei n. 58/2019
Type: Other
Outcome: n/a
Started:
Decided: 21.12.2021
Published: 14.01.2022
Fine: 1250000,00 EUR
Parties: n/a
National Case Number/Name: Deliberação/2021/1569
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Portuguese
Original Source: CNPD (in PT)
Initial Contributor: Jennifer Vidal Ferreira and Giovanna Lahude

The Portuguese DPA issued a €1,250,000 fine against the Lisbon Municipality for sharing personal and sensitive data of protestors with third parties, including the embassies and foreign ministers of the countries targeted by the protests.

English Summary

Facts

The case has its origins in what became known in the Portuguese media as “Russiagate”, when it became known that the Lisbon Municipality (the Municipality) had collected and shared personal data belonging to a promoter of a demonstration in Lisbon in favour of Russian dissident Alexei Navalny, and whose personal data was subsequently shared with Russian authorities. It was then revealed that data from many other protest promoters had been shared with a vast set of third parties in the past, including the offices of the Portuguese Prime Minister, the Minister of Internal Administration (MAI) and the Public Security Police (PSP), as well as embassies and foreign ministers from third countries targeted by protests in Lisbon.

Although this practice was carried out at least since 2012, and up until 2021 (as an internal database of the Municipality showed), the decision focuses on cases that occurred from 2018 and onward, corresponding to the entry into force of the GDPR. Within the decision is a list of 111 specific protests, and the data that was collected and shared in each case. The data collected from the protestors included name, address (postal or electronic), profession, telephone number, nationality, date of birth, affiliations, marital status, tax identification number, civil identification number, residence permit details, and sometimes even copies of civil identification documents.

After an initial draft decision by the Portuguese DPA (CNPD), the Municipality presented its defense, in which they argued, among other things, that their actions did not constitute willful misconduct but were rather based on a per-existing tradition within civil governments, and the execution of a "bureaucratic procedure" that was not detected as problematic when evaluating internal conformity with GDPR. It also stated that the Mayor had issued an order dated April 3 2013, in which it was established that the data collected on protestors should only be shared with the MAI and PSP, which was justified in order to ensure not only the safety of the protest, but also the provision of additional public services such as electricity and urban cleaning. The Municipality claimed that any sharing of data beyond these agencies was attributable to officials acting contrary to the Mayor's order, and that any assessment on the subjectivity of these actions should find them to be slightly censurable, but not malicious.

With regards to its potential obligation to carry out a Data Protection Impact Assessment (DPIA), the Municipality argued that this obligation had legally prescribed. They also argued that the data shared should not be considered sensitive data under Article 9(1) GDPR as it does not reveal any of the dimensions protected within this provision, and that the adherence of promoters to the causes defended in the demonstrations were made manifestly public, including on social networks, which constitutes an exception to the processing of this kind of data under Article 9(2)(e) GDPR.

Additionally, the Municipality claimed that there was no applicable rule to sanction them, because according to Article 83(7) GDPR, the imposition of fines only apply to the public sector when established by a national law, and that there is no sanctioning rule applicable to non-business entities in the public sector under Portuguese GDPR National Implementation Law (Law 58/2019). The Municipality also requested an exemption of any potential fine against them according to the terms of Article 44(3) of the aforementioned national law.

Holding

On the allegation by the Municipality that these data sharing practices were based on tradition already established under the jurisdiction of civil governments, the CNDP noted that an initial procedure was established in 2012 by the Mayor of Lisbon at the time through Protocol No. GPCML/1/2012, in which the protest promoter's data was shared with the Prime Minister's Office, the MAI, the PSP, the Lisbon Municipal Police, the Security Coordination Office, the Office of the Deputy Minister for Parliamentary Affairs, municipal services, and in case they were targeted, the Parliament, ministries and embassies.

The CNPD also recalled that the Municipality itself recognized the disorganisation of the data remittance procedure when the Mayor issued the order dated April 13, 2013, in which the aforementioned protocol was amended. This new protocol limited the sending of notices to the MAI and the PSP. However, as the facts in the case show, in practice this order was not complied with. Hence, the CNDP held that merely issuing an order without a proper evaluation to ensure its compliance was a clearly insufficient measure. The CNPD also rejected the Municipality's attempt to remove responsibility from itself based on their employee's non-compliance with this new order.

Regarding the subjective elements in the Municipality's conduct, the CNPD held that willful misconduct can be established through inferences from the factual circumstances in the case. The CNPD highlighted a consistent disregard for personal data protection rules and notorious laxity on data protection management. This was exhaustively substantiated by the CNPD with numerous examples, including the fact that the Lisbon Chamber remained inactive during the two year GDPR adaptation period, and that the Municipality's action plan for the implementation of the GDPR was approved only until August 2019. The CNDP attributes circumstances observed in the operational procedures of the Municipality, including the non-verification of compliance with data protection rules, to an “organizational culture, at the very least, very deficient”, and acting contrary to the principle of responsibility.

The CNPD held that a person's registration with the Municipality as the organiser of a protest should be considered a special category of data protected under Article 9(1) GDPR. The CNDP also highlighted the mistake made by the Municipality in confusing the purpose of the demonstrations with the purpose of collecting the organiser's personal data. Hence, the CNDP stated that regardless of the fact that a person publicly manifests it will participate in a protest, this does not authorize any entity to then proceed with the processing and sharing of their personal data collected for the purpose of organising the event. The CNPD also warned that this publicity should not be taken advantage of in order to categorise people according to their ideas, orientations and religions, or put them in danger by sharing their data with third parties against which they are protesting. The CNDP considered the fact that more and more protesters around the world are concerned about revealing their identities, and that the growing array of means of identifying, recording and preserving personal information in public places should lead to the updated consideration of the risks that these means pose to freedom of assembly and expression.

The CNDP held that there was no justification for the failure to comply with the duty of carrying out a DPIA provided for in Article 35(3)(b) GDPR because, among other things, Law 58/2019 does not have any mention of a prescription period, and even maintains this obligation after fines have been imposed. The CNPD also pointed out that the need to carry out a DPIA is not restricted to the presence of processing of special categories of data, and that a potential violation or risk to the exercise of fundamental rights such as freedom of assembly in itself, would justify the realization of a DPIA.

Regarding the lack of a sanctioning rule applicable to the Municipality of Lisbon, the CNPD noted that indeed Article 83(7) GDPR states that each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities, and that Article 44(1) of Law 58/2019 is crystal clear in its wording establishing that "the fines provided for in the GDPR and in this law apply equally to public and private entities”.

To establish its fine on the Municipality, the CNPD, applied Article 83(3) GDPR taking into account that the infringements were related to the same or linked processing operations, and issued a single fine of € 1,250,000 for the violation of the principle of lawfulness, fairness and transparency under Article 5(1)(a) GDPR, the principle of data minimization (in terms of "need to know") under Article 5 (1)(c) GDPR, the principle of storage limitation under Article 5 (1)(e)GDPR, the duty to provide information under Article 13 GDPR, and the obligation to carry out a DPIA under Article 35(3)(b) GDPR. The CNDP also highlighted the fact that it took the financial difficulties faced by public entities due to the COVID19 pandemic into consideration, and that if it had not done so, the severity of the fines imposed would certainly be much higher.

Comment

Câmara Municipal de Lisboa (Lisbon City Hall) appealed CNPD's Deliberation.

On 21 July 2024, the Lisbon Administrative Court sentenced Câmara Municipal de Lisboa (Lisbon City Hall) to pay €1.027.500,00 for the Russiagate incident, partially confirming CNPD's aforementioned fine - the remainder was upheld due to the prescription of some of the sanctions.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.