CNPD (Portugal) - Deliberação 2022/140: Difference between revisions

From GDPRhub
 
(7 intermediate revisions by 2 users not shown)
Line 23: Line 23:
|Date_Started=
|Date_Started=
|Date_Decided=02.11.2022
|Date_Decided=02.11.2022
|Date_Published=
|Date_Published=17.11.2022
|Year=2022
|Year=2022
|Fine=170000
|Fine=170000
Line 71: Line 71:
}}
}}


The Portuguese DPA reprimanded twice and fined the municipality of Setubal €170,000 for violations of the integrity and confidentiality principle, the storage limitation principle, the information obligations from Article 13 GDPR and for not appointing a DPO with regard to the collection of personal data of Ukrainian refugees.  
The Portuguese DPA reprimanded and fined the municipality of Setubal €170,000 for violations of the integrity and confidentiality principle, the storage limitation principle, the information obligations from [[Article 13 GDPR]] and for not appointing a DPO with regard to the collection of personal data of Ukrainian refugees, who were using a helpline in Portugal.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The Portuguese DPA (CNPD) started an investigation on the Municipality of Setubal after having knowledge of a journalistic article from Expresso titled 'Ukrainians welcomed in CDU Chamber by Pro-Putin Russians' ("Ucranianos recebidos em Câmara CDU por russos Pró-Putin").  
The Portuguese DPA started an investigation into the Municipality of Setubal (controller) after a journalistic article from the newspaper Expresso was published titled '''Ukrainians welcomed in CDU Chamber by Pro-Putin Russians' ("Ucranianos recebidos em Câmara CDU por russos Pró-Putin"'').  


According to the Article, Russian citizens had collected and made copies of Ukrainian refugees' personal data (identification documents, data related to their Ukrainian relatives or their activity in Ukraine) in the framework of a Municipal Refugee Helpline (LIMAR) created in March 2022. These Russian citizens were part of an Eastern European Immigrants' Association (EDINSTVO).
This article contained anonymous accounts of Ukrainian refugees. According to the Article, Russian citizens were present in the same room where Ukrainian refugees' personal data was stored (such as copies of identification documents). These Russian citizens - allegedly part of an Eastern European Immigrants' Association (EDINSTVO), an organisation for the support of eastern European migrants - also asked the refugees questions about the whereabouts of their relatives and what they were doing in Ukraine. In total, two members of the EDINSTVO were integrated by the controller into the Setúbal Office of Ethnicities and Immigration (SEI) in order to provide assistance, counselling and help to the refugees. According to the author of the article, these Russian citizens were accused in the article of sharing this personal data with the Russian Government.  


These citizens were accused in the article of sharing such data with the Russian Government.  
This all happened in the framework of a Municipal Refugee Helpline (LIMAR), which was created in March 2022. The controller was responsible for the processing done by this helpline. The Helpline used two rooms of the controller's building in order to offer their services, one for the customer service and the other for archiving. Both rooms were only accessible for members of the helpline.


Two members of the EDINSTVO were integrated in the Setúbal Office of Ethnicities and Immigration (SEI) in order to provide assistance, counselling and help to the refugees that would make use of the Helpline.
The helpline used two forms in order to collect the data from refugees seeking attendance: an ''assistance form'' and ''telephone assistance form''. Using these forms, personal data was collected by the controller. Among other things, the controller collected the name, address, date of birth, marital status, information on the support network (identifying the places and people they might stay with and their respective households) and information on the period they might stay with the people in that support network, in addition to describing the specific situation of each refugee. The ''assistance form''s were handwritten and were stored in a filing cabinet. All collected personal data was later also put into an Excel file which was protected by password.  


The Helpline used two rooms of a municipal building in order to offer their services. They used two forms in order to collect the data from refugees seeking attendance:
Additionally, forms were accompanied by a declaration of consent for processing. The controller asked refugees for consent to '''authorise that the data records collected may be shared with other services or entities for the purpose of <u>to specific responses or to provide social support</u> adjusted to the situation adjusted to the situation, with the guarantees of privacy and non-discrimination''<nowiki/>'. Furthermore, together with the ''assistance forms'', refugees were also offered to sign up for Portuguese language courses, for which they needed to provide a copy of an identification document.
 
* presential form,
* phone form.
 
Through the forms, the following personal data was collected: name, address, date of birth, marital status, contacts, household, information on identification documents, on the support network (identifying the places and people they might stay with and their respective households), information on the period they might stay with the people in that support network and identification of the needs of those people in terms of housing, essential goods, food, health, education, child care facilities, employment, social services, among others, in addition to describing the specific situation.
 
Furthermore, refugees were also offered to sign up for Portuguese courses, for what they needed to provide a copy of an identification document.
 
Presential forms were handwritten and were stored in a cabinet. All the personal data was later included in an Excel file protected by a password. Additionally, forms were accompanied by a declaration of consent, that included a sentence to 'authorise that the data records collected may be shared with other services or entities for the purpose of to specific responses or to provide social support adjusted to the situation adjusted to the situation, with the guarantees of privacy and non-discrimination'.
 
In this context, one of the Russian citizens, who acted as a translator, was on medical leave for some time. This person was informally substituted by another Russian citizens, not being this fact documented or formalized in any way. This person helped collect and copy personal data and documents from various refugees and acted as a translator.
 
Apparently, this person was the husband of the original translator (in medical leave), who shared with him her credentials to access the systems used at the Helpline, that allowed to introduce and consult the data. This fact was recognized by this person. However, the fact that refugees' information had been shared with unauthorized third parties was denied.


In this context, one of the Russian citizens, who acted as a translator, was on medical leave for some time. This translator was informally substituted by her husband. The translator had given her husband her login-credentials to access the helpline's systems. This change was not documented or formalised in any way. The husband, who was not a controller's employee, helped to collect and copy personal data and documents from various refugees and acted as a translator himself.
=== Holding ===
=== Holding ===
==== Violation of Article 5(1)(f) GDPR ====
The DPA found that the controller had violated the integrity and confidentiality principle from [[Article 5 GDPR|Article 5(1)(f) GDPR]] by not defining organisational measures for safeguarding information, policies or guidelines for the secure management of information. Nor did the controller determine a procedure, together with the Eastern European Immigrants' Association, that would regulate access and handling of the processed data. The exception regarding the non-existence of these policies and/or guidelines was an e-mail from the IT Division on the security of computer access passwords, email and internet. [[Article 5 GDPR|Article 5(1)(f) GDPR]] was also breached by allowing people outside the controller's services to access computer equipment used for processing personal data without a specific access profile, as well as by granting them access to information of refugees supported through the Helpline. The principle was further breached by the controller for its use of Excel files for the management and storage of information relating to a group of vulnerable parties (refugees). These Excel files did not have any audit records. Therefore, these files did not allow anyone to know who accessed them, when the files were accessed and what operations were carried out. The fact that the excel files were password protected did not mitigate this fact.  
The DPA found that the Municipality of Setubal had violated the integrity and confidentiality principle from [[Article 5 GDPR|Article 5(1)(f) GDPR]] by not implementing appropriate security measures nor defining together with the Eastern European Immigrants' Association a procedure that would regulate access and handling of the processed data.
 
In this sense, it was found that there were no policies or guidelines in the Municipality for the secure management of information and personal data, and that the employees of the Municipality were not informed about the procedures in this regard. The exception to the non-existence of these policies and/or guidelines was an only e-mail from the IT Division on the security of computer access passwords, email and internet.
 
The integrity and confidentiality principle was also breached by allowing people outside the municipal services to access computer equipment used for processing personal data without a specific access profile, as well as by granting them access to information of refugees supported through the Helpline, that was transported outside the premises of the Municipality without previously arranging any formal commitment and without defining any guidance on the management and security of the data.
 
This principle was also breached by using Excel files for the management and storage of information relating to a group of vulnerable parties (refugees), files that do not contain audit records, not allowing one to know who accessed them, when and what operations were carried out.
 
==== Violation of Article 5(1)(e) GDPR ====
The DPA found that the periods for which the personal data were to be stored and conserved had not been defined, nor the criteria for establishing such periods. Therefore, this constituted a violation of the storage limitation principle from [[Article 5 GDPR|Article 5(1)(e) GDPR]].
 
==== Violation of Article 13 GDPR ====
Also, no information was provided to the data subjects about the identity of the controller, the purposes of the processing, the recipients or categories of recipients, the rights of the data subjects, or the right to lodge a complaint with a supervisory authority.
 
The DPA remarked that an informed consent had been obtained when collecting the data, and that there was no reason not to use it to provide the mandatory information.
 
Also, the DPA noted that, at least, the entities that were involved in this procedure were known to the Municipality, so they could have been mentioned to the data subjects, together with their data protection rights available.
 
Lastly, the DPA highlighted that the only reference made to data protection legislation was obsolete.
 
Hence, the DPA concluded that the Municipality violated [[Article 13 GDPR]].


==== Violation of Article 37 GDPR ====
The DPA also found that the data storage periods had not been defined, nor were the criteria for establishing storage periods. This constituted a violation of the storage limitation principle (([[Article 5 GDPR|Article 5(1)(e) GDPR))]].  Also, no information was provided to the data subjects about the identity of the controller, the purposes of the processing, the recipients or categories of recipients, the rights of the data subjects, or the right to lodge a complaint with a supervisory authority. The DPA noted that, at least, the entities that were involved in this procedure were known to the controller, so they could have been mentioned to the data subjects, together with their data subject rights. Lastly, the DPA highlighted that the only reference made to data protection legislation was obsolete. Hence, the DPA concluded that the controller also violated [[Article 13 GDPR]]. The DPA also found that the controller had not appointed a DPO which resulted in a violation of [[Article 37 GDPR]]. A DPO was only appointed after the start of this procedure, on 22 September 2022.
The DPA also found that the Municipality had not appointed a DPO as required by [[Article 37 GDPR]], and hence this provision had been breached.


A DPO was appointed after the start of this procedure, on 22 September 2022.  
The DPA also found that no data protection impact assessment (DPIA) had been carried out in order to analyse the processing of personal data in this context, which was required when processing data of vulnerable data subjects, according to the [https://ec.europa.eu/newsroom/article29/items/611236 EDPB Guidelines on Data Protection Impact Assessment] (p. 12). However, the DPA did not specify that [[Article 25 GDPR]] had been breached.


==== Violation of Article 35 GDPR ====
The DPA acknowledged that this was an emergency situation and that this could mitigate the degree of gravity of the infringement with regard to some elements, such as parts of the information obligation ([[Article 13 GDPR|Articles 13(1) and 13(2) GDPR)]], as well as the storage limitation obligations. However, the DPA also remarked that some other violations constituted proof of structural incompliance and were therefore of more gravity. Also, according to the DPA, the Helpline project had been discussed within the Setúbal Local Council for Social Action (CLASS), and therefore important matters such as the fundamental right to privacy and data protection from vulnerable people such as refugees should have also been discussed, despite the urgency.
The CNPD also found that no data protection impact assessment (DPIA) had been carried out in order to analyse the processing of personal data in this context, as required when processing data of vulnerable data subjects, according to the [https://ec.europa.eu/newsroom/article29/items/611236 EDPB Guidelines on Data Protection Impact Assessment] (p. 12). However, the DPA did not specify that [[Article 25 GDPR]] had been breached.


==== Sanction ====
For the above violations, the CNPD imposed a fine of €120,000 for the violation of [[Article 5 GDPR|Article 5(1)(f) GDPR]] and a fine of €100,000 for the violation of [[Article 37 GDPR]]. The DPA issued a reprimand for the violations of [[Article 5 GDPR|Article 5(1)(e) GDPR]] and [[Article 5 GDPR|Article 13 GDPR]]. This resulted in a total fine of €220,000. The two fines were nonetheless accumulated together, following Portuguese legal principles, which resulted in a fine of €170.000.
The DPA acknowledged that this was an emergency situation and that such fact may mitigate the degree of gravity of the infringement with regard to some elements such as part of the information obligation from [[Article 13 GDPR]], paragraphs 1 and 2, as well as the storage limitation obligations. 
 
However, the CNPD also remarked that some other violations constituted proof of structural incompliance and were therefore of more gravity. Also, according to the DPA, the Helpline project had been discussed within the Setúbal Local Council for Social Action (CLASS), and therefore important matters such as the fundamental right to privacy and data protection from vulnerable people such as refugees should have also been discussed, despite the urgency.
 
For the above violations, the CNPD imposed the Municipality of Setubal the following sanctions:
 
* For the violation of [[Article 5 GDPR|Article 5(1)(f) GDPR]]: €120.000.
* For the violation of [[Article 5 GDPR|Article 5(1)(e) GDPR]]: a reprimand.
* For the violation of [[Article 5 GDPR|Article 13 GDPR]]: a reprimand.
* For the violation of [[Article 5 GDPR|Article 37 GDPR]]: €100.000.
 
The two fines were nonetheless accumulated together, following Portuguese legal principles, and resulted in an only fine of €170.000


== Comment ==
== Comment ==
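Review bot: Several wikilinks in the new Holding text are malformed or point at the wrong article. The storage-limitation sentence has `(([[Article 5 GDPR|Article 5(1)(e) GDPR))]]`, with the closing parentheses inside the link label. The mitigation paragraph has the same problem in `([[Article 13 GDPR|Articles 13(1) and 13(2) GDPR)]]`. The sanction paragraph keeps `[[Article 5 GDPR|Article 13 GDPR]]`, whose target is Article 5 while the label says Article 13. Suggest moving the parentheses outside the brackets and pointing that last link at Article 13 GDPR. Two further points to check against the decision: the DPIA paragraph ends by saying the DPA did not specify a breach of Article 25 GDPR, while the heading shown at that point in the diff is "Violation of Article 35 GDPR"; and the lead now says "reprimanded" where the other revision says "reprimanded twice", although the sanction paragraph still lists reprimands for both Article 5(1)(e) and Article 13.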
Line 155: Line 108:


<pre>
<pre>
Processo AVG/2022/71211
 
p
DELIBERATION/2022/1040  
Comissão Nacional
1. The National Commission for Data Protection (CNPD) prepared, on 14 September 2022, a draft decision in which the defendant Municipality of Setubal was accused of committing, in material authorship, in the form consummated and with negligence, i. a misdemeanour, p. e p. by Article 5(1)(f) in conjunction with Article 5(1)(f) a) don.0 5 of article 83.0 , both of the RGPD, sanctioned with a fine, up to the maximum amount of 20,000,000.00, each; ii. 0a misdemeanour, p. e p. by Article 5(1)(e) in conjunction with Article 5(1)(e) a) Article 83.0.5, both of the GDPR, will be sanctioned with a fine, up to the maximum amount of ¤ 20,000,000.00, each; iii. by Article 13(1) and (2), in conjunction with Article 13(b) , of the Treaty on European Union Article 83(5), both of the GDPR, is punished with a fine, up to the maximum amount of ¤ 20,000,000.00; iv. by Article 37(1) and (7) of the GDPR, in conjunction with Article 83(4) (a), both of the GDPR, sanctioned with a fine of up to EUR 10,000,000.00; and
de Proteção de Dados
2. The defendant was notified of the loom of the referred project and, in terms of the provisions of article 50 of Decree-Law 433/82, of 27th October, to present his defence, he came, through his Honourable Attorney, to allege, in sum: a) The inappropriateness of the Draft Deliberation, based, according to the Defendant, on a "factual, legal and news miscellany" and in which it is unintelligible "the connection between a significant set of facts and the legal scope of the sanctions indicated as potentially applicable; b) The invalidity of the procedure for breach of a substantial right: Article 39.0 , n.0 3 of the LERGPD; c) The invalidity of the non-application of the provisions of Articles 37.0 , n.0 2 and 39.0 , n.0 1 of the LERGPD; d) The existence of errors and incompleteness in the factual material considered; e) The need to take into account relevant facts which were not contained in the draft Decision. f) It also requested the exemption of the imposition of a fine under the terms of Article 44, paragraph 3 of the Law n. 0 58/2019, of 8 August.  
DELIBERAÇÃO/2022/1040
3. The defendant did not deny, contradict or even contradict any element of the draft resolution regarding the lack of designation of the data protection officer of the Municipality on the date of the facts.
1. A Comissão Nacional de Proteção de Dados (CNPD) elaborou, em 14 de setembro de 2022,
4. Moreover, the defendant protested to join 19 (nineteen) documents, which, to date, has not occurred.  
projeto de deliberação, no qual foi imputada ao arguido Município de Setúbal, a prática, em
I. Application for exemption from fines
autoria material, na forma consumada e com negligência,
5. The defendant requested the waiver of the imposition of fines, pursuant to Article 44(3 ) of Law 58/2019 of 8 August. However, paragraph 2 of that article 44 defines the period of "three years from the entry into force of this law" as the period of time during which public entities may request the waiver of fines, so that rule ceased to have effect on 9 August.  
i. de uma contraordenação, p. e p. pela alínea f) do n. 0 1 do artigo 5. 0
6. As an argument to support the maintenance of the above prerogative, he pointed out "the suspension, and later extension, of deadlines operated by the commonly called COVID-19 legislation".  
, conjugada com a alínea
7. It would be up to the defendant to clarify to what extent the legislation passed during the pandemic can be considered to enable the conclusion drawn. It is not clear how a time-limit objectively set for the exercise of an exceptional prerogative of public authorities, in the specific context of administrative offence proceedings in which it is possible that they may be sentenced to pay a fine, can be extended to a time when those proceedings are unlawful and the time-limit laid down by law for the exercise of that prerogative has already expired.  
a) do n. 0 5 do artigo 83. º, ambos do RGPD, sancionadas com coima, até ao montante máximo
8. It should be noted that the ratio of the extensions included in the set of legislation that the defendant calls "COVID legislation", were instituted precisely to address constraints arising from the pandemic context, something that clearly does not apply to the present case, which was neither directly nor indirectly affected by the pandemic.
de€ 20.000.000,00, cada;
9. Even if the understanding was different when the impossibility of, at the present momenta, 0 In applying the regime laid down in Article 44(2) of the GDPR, the CNPD interprets the regime provided for therein as conferring on it a discretionary power to assess, in the light of the specific infringement, whether it would be justified to depart from the general rule of imposing a financial penalty on a given public body, as the controller (or processor), taking into account the different interests and rights at stake.
ii. de uma contraordenação, p. e p. pela alínea e) do n.0 1 do artigo 5. 0
10. However, taking into consideration the gravity of the infractions, the weighting of the rights of the data subjects and the public interests that the violated legal rules seek to safeguard, as will be justified below, the decision of the CNPD would always be not to waive the fine in this specific case.  
, conjugada com a alínea
11. Thus, any of the arguments set out above concur in the decision not to waive the fine.
a) do n. 0 5 do artigo 83. º, ambos do RGPD, sancionadas com coima, até ao montante máximo
II. Appreciation
de€ 20.000.000,00, cada;
i. Regarding the alleged inappropriateness of the Draft Resolution
iii. de uma contraordenação, p. e p. pelos n.ºs 1 e 2 do artigo 13.º, conjugado com alínea b) do
12. Contrary to what the defendant claims, the present administrative offence proceeding is not marked by the media hype that has undeniably surrounded all the related issues.  
n. 0 5 do artigo 83. 0
13. The mere fact that this is an issue to which the media have dedicated an extensive and intense attention did not condition or enhance any factual assessment that the CNPD expressed in the Draft Deliberation.  
, ambos do RGPD, sancionada com coima, até ao montante máximo de€
14. Moreover, the references to the fact that the media have publicly reported on the matter only serve to frame the impetus that led to the opening of the investigation procedure, since the "news" of the potential violation of the RGPD rules was made known in those same media.  
20.000.000,00;
15. The facts contained in the draft decision provide the basic context that allows the defendant to understand the meaning and scope of the CNPD's action, even if some of them serve to exclude what is not and cannot be the object of a decision by the national supervisory authority in matters of data protection.
iv. de uma contraordenação, p. e p. pelos n.ºs 1 e 7 do artigo 37.º do RGPD, conjugados com a
16. The subjective analysis of the defendant is not, therefore, supported by the context of the facts established and the accusations made against him, which refer exclusively to the violations that, after due investigation, were found to have taken place.
alínea a) do n. 0 4 do artigo 83. 0
17. For that reason, the references to the citizen - his conduct and behaviour any reference to his conduct and behaviour are not affected by any mention of his Russian citizenship, but are based on the facts obtained during the investigations in the course of the case.
, ambos do RGPD, sancionada com coima, até ao montante
ii. on the invalidity of the procedure for breach of a substantial right: Article 39(3) as well as Article 37(2) and 39(1) of the LERGPD
máximo de€ 10.000.000,00; e
18. The Defendant disputes that the CNPD can dismiss the application of article 39. 0 , n. 0 3 of Law n. 0 58/2019, of 8 August, as this rule configures a substantial right that cannot be dismissed by the CNPD.  
2. Notificado o arguido do teor do referido projeto e, nos termos do disposto no artigo 50. 0 do
19. This is a legal/judicial understanding which differs from that of the Commission and which, as repeatedly explained, cannot be accepted.  
Decreto-Lei n. 0 433/82, de 27 de outubro, para apresentar a sua defesa, veio, através de Ilustre
20. Indeed, Regulation (EU) 2016/679, of 27 April 2016 - General Data Protection Regulation (GDPR), like any regulation issued by the European Union, has a general nature. It is binding in its entirety and directly applicable in all Member States (Article 288 of the Treaty on the Functioning of the European Union).  
Mandatário alegar, em suma:
21. Such special features of regulations cannot be set aside by national legislation, as stated in the case law of the Court of Justice of the European Union and in the CNPD's Delibera9ao 2019/494.  
a) O despropósito do Projeto de Deliberação, alicerçado, segundo o Arguido, numa "miscelânea
22. Recently, the Constitutional Court, in case no. 422/2020, of July 15, clarified any remaining doubts about the limits (or lack of them) of application of the principle of the primacy of EU law, ruling "Under Article 8.0 , n. 4 of the CRP, the Constitutional Court can only assess and refuse application of a rule of EU law if it is incompatible with a fundamental principle of democratic rule of law.0 4, of the CRP, the Constitutional Court may only assess and refuse to apply a rule of the EUSD, if it is incompatible with a fundamental principle of the democratic rule of law which, in the proper scope of the EUSD - including, therefore, the jurisprudence of the CJEU -, does not have a parametric value materially equivalent to the one recognized in the Constitution, since such a principle is not the same as that recognized in the Constitution. necessarily imposes the very convention of "joint exercise, in cooperation or the institutions of the Union, of the powers necessary for the construction and deepening of the European Union". However, where the assessment of a rule of the TEU is concerned, in the light of a (fundamental) principle of the democratic rule of law which, in the context of the TEU, has a parametric value materially equivalent to that which is recognised in the Portuguese Constitution, which is effectively guaranteed by the CJEU (in accordance with the contentious means provided for in the TEU), the Constitutional Court refrains from assessing the compatibility of that rule with the Constitution"
fática, jurídica e noticiosa" e no qual é ininteligível "a ligação entre um conjunto expressivo
23. The CNPD believes that, with regard to the applicability of the GDPR and, in particular, the direct applicability of its sanctioning regime, the existing principles under the EU Directive have a parametric value materially equivalent to that recognized in the Portuguese Constitution.  
de factos e o âmbito normativo das sanções indicadas como potencialmente aplicáveis;
24. As Paulo Pinto de Albuquerque notes (in his "Comentario do Regime Geral das Contraordena96es a luz da Constitui9ao da Republica e da Conven9ao Europeia dos Direitos do Homem"), "According to the jurisprudence of the CJEU, the fundamental rights of the person concerned in a the right to a hearing before the administrative authority, (2) the right to non-self incrimination, (3) the right to a statement of reasons for decisions, (4) the right of access to documents, (5) the right to legal representation, which includes the right to confidentiality of communication between the lawyer and the sanctioning authority. and the client, and (6) the right of access to an independent and impartial tribunal within a reasonable time" (see footnote 28 to Article 1.0 ).
b) A invalidade do procedimento, por violação de um direito substancial: artigo 39. 0
25. These rights "may be invoked not only before European judicial bodies but also before national judicial bodies when the latter are empowered to apply the law of the European Union ...". (see footnote 31, ibid.).
, n.0 3 da
26. What the defendant seems to advocate is not so much the compatibility of the national legislation with the provisions of the RGPD, but rather the priority of an internal regime that effectively removes the law by creating a step prior to its application, which was never intended or authorised by the European legislator.
LERGPD;
27. However, to consider that a condition which national law imposes as indispensable for the implementation of EU law (through a regulation which, as stated above, is binding in all its aspects) is to be regarded as elements is directly applicable in all member states) does not create an area of non conformity and inequality in the application of that regime in the various countries of the Union, it cannot be considered a relevant argument.
c) A invalidade da desaplicação do disposto nos artigos 37. 0
28. To accept this argument would mean allowing any EU country to create similar regimes for any EU regulation, thereby preventing them from being directly applicable.  
, n. 0 2 e 39. 0
29. By pointing to the existence of a substantial right denied to him, the Defendant rightly refers us to the field of application of EU law, to the consideration of the effects of the principle of primacy and to the field of application of the most recent constitutional jurisprudence, which, as we have seen, does not support his interpretation.
, n. 0 1 da LERGPD;
30. For the rest, reference is made to the contents of the CNPD's Deliberation 2019/494, in particular regarding the binding nature of this Commission to the principle of loyal cooperation provided for in Article 4(3) of the Treaty on European Union,  
d) A existência de erros e incompletudes na matéria de facto ponderada;
31. as well as on the manifest inappropriateness of this rule in comparison with the consistency mechanism provided for in the RGPD and, furthermore
e) A necessidade de levar em conta factos relevantes que se não encontravam vertidos no
32. on the fact that administrative authorities are also obliged to disapply national rules which are contrary to EU law.
projeto de deliberação.
33. Remember that all these principles are expressly provided for in the Treaties.  
Av. D. Carlos 1, 134, 1 °
34. And that the CNPD's deliberation 2019/494 was published precisely with the aim of warning those affected by the national legislation, in order to increase legal certainty regarding the decisions that would be issued.
1200-651 Lisboa
35. Furthermore, in concrete cases, with final decisions and publicly available (see https://www.enpd. pt/comunicacao-pubIica/noticias/cnpd-apIica-sancao-ao-municipio-de- 1 i sboa/) the CNPD has reaffirmed this understanding.  
T (+351) 213 928 400
36. It is also clear that the argument that the CNPD "annihilated a right" cannot be considered admissible, since such a right (if it existed) never existed.
F (+351) 213 976 832
37. It is, for all the above, incomprehensible the accusation that the CNPD "does nothing to ensure that the mechanisms of primacy, intended to ensure the modification of the regime (if due), with respect for the rules of legal certainty, are triggered".
geral@cnpd.pt
38. As regards the non-application of Articles 37(2) and 39(2), the arguments set out above and in point 5 of Resolution 2019/494 also apply. iii. As to the existence of errors and incompleteness in the matter of fact considered
Case AVG/2022/712
39. The CNPD's allegation of a lack of information is incomprehensible.
f) It further requested a waiver of the fine under Article 44(3) of Law
40. In fact, and as Augusto Silva Dias teaches "The instruction begins with an investigation aimed at collecting evidence, but it is not necessary to do so" (in Direito das Contraordenações, publisher Almedina, reprint, 2020, p. 215).
no. 58/2019 of 8 August.
41. In any case, the CNPD not only instructed the case, gathering the necessary elements to take a decision, but also proceeded with the investigation.  
3. The defendant did not deny, contradict or even dispute any element of the draft
42. The reports in the case file bear this out and the evidence referred to in the draft Decision confirms this concern.  
deliberation regarding the failure to designate a data protection officer for the
43. At no time was any factual element denied or postponed in favour of the Municipality.  
Municipality at the time of the facts.
44. It is up to the final decision to duly consider all these elements and circumstances, which will be done in parts V and VI of this deliberation.  
4. Moreover, the defendant undertook to submit 19 (nineteen) documents, which, to date,
45. Again citing Augusto Silva Dias, it should be recalled that "the finding of illegality is not yet the final decision of the administrative authority" although "it does, however, delimit to a certain extent the object of the procedure in the administrative phase" (p. 225 of the quoted work).  
has not happened.
46. However, the information which must necessarily be disclosed to the defendant is the same as that which has already been provided, well known and jurisprudentially established: "communication of the alleged facts with a "sequential description, narratively oriented and spatio-temporally of the elements indispensable to the singularization of the conduct that is relevant as an administrative offence and this description must contemplate the objective characterization and the action or omission to which the accusation relates (TC ruling no. 99/2009). Said in the formula used by the ruling of the ETS no. 1/2003, the rights of defence and hearing ensured within the scope of the misdemeanour procedure will imply, in summary, that the defendant will be given prior knowledge of "all the relevant aspects for the decision, in matters of fact and law" (note 4 to article 50, of the already quoted work of Paulo Pinto de Albuquerque).
I. On the request for a waiver of the fine
47. Which, s.m.o. has been implemented in the draft resolution.  
5. The defendant requested a waiver of fines under Article 44(3) of
48. As regards the allegation that the CNPD disregarded the collaborative nature of the intervention The delegation of tasks and the existence of an inter-administrative contractualisation (even if not formalised), in which the task of the municipality, especially with regard to respects data collection was essentially an instrumental task (parallel or The terms of the CNPD's censure of the municipality should be precise.  
Law no. 58/2019 of 8 August. However, paragraph 2 of that Article 44 sets the period of "three years
49. This is not to disregard any degree of interadministrativeness or joint action with other public and, it should be remembered, private entities, with which Setubal Municipality decided to promote collaborative actions.  
from the entry into force of this law" as the period during which
50. What deserves censure is the action of the Municipality, as the controller, to the strict extent of its responsibilities, including, as is the law, the provision of essential information on the processing.  
public entities may request a waiver of fines, so that provision
51. The municipality itself, through LIMAR, has developed its own service forms which it is responsible for maintaining and managing autonomously.
ceased to have effect on 9 August last.
52. Also the intervention of is not censured as a member of the association with which the Municipality established the partnership, but rather for the fact that this partnership was not properly formalised in order to frame its participation in the context of LIMAR.  
6. As an argument for maintaining the prerogative described above, it pointed to "the
53. Moreover, it should be made clear to the defendant that the fact of entering into a partnership with a third party entity does not automatically mean that it ceases to be regarded as a third party. Its qualification will depend on the extent to which it operates in the area of processing of personal data.
suspension, and subsequent extension, of time limits brought about by what is commonly called
54. What is reprehensible, then, is the fact that the minimum care required is not taken, either from a formal point of view - with the agreement or subcontracting contract - or from a substantive point of view, with the implementation of minimum measures to control access by persons outside the services of the Municipality to equipment containing personal data.  
COVID-19 legislation".
55. Especially when the data relates to especially vulnerable data subjects such as refugees.  
7. It was for the defendant to explain in greater detail how the legislation passed during the
56. The CNPD has not commented on the number and quality of data that refugees would have to provide in order to obtain support, which makes it redundant to argue, as the defendant does, that this information was indispensable.
pandemic could support the conclusion offered. It is not apparent how a time limit
57. Note that the defendant never denies or justifies why Excel files were used for the management and conservation of the personal information of refugees who came to LIMAR.
set objectively for the duration of an exceptional prerogative of public
58. As for the existence of training, what the defendant alleges in points 106 to 109 is accepted; those points detail the two training courses given (although reduced), the target audience (although limited), their duration and dates, although the documents proving these courses have not, to date, reached the CNPD.
entities, in the specific context of administrative offence proceedings in which their hypothetical
59. However, it should be stressed that there is a clear lack of training for a relatively small number of employees given after the GDPR has come into force and well after its entry into force, in this case in September 2018 and April 2019.  
liability to pay a fine is a possibility, could be extended to a
60. The factual material on that specific point will therefore be corrected.  
point at which those proceedings result in a statement of unlawfulness and the time limit
61. Concerning the appointment of the Data Protection Officer, it is confirmed that he has already been appointed, albeit only on 22 September 2022.
laid down by law for exercising that prerogative has already passed.
62. The accused defends that also the declaration of consent was, in the meantime, altered, which is admitted, but which, due to its non-joinder to the case file or insertion in the body of the defense, cannot be relevant.
8. Note that the rationale for the extensions included in the body of legislation that the defendant
v. On the objective elements of the types of offence
calls "COVID legislation" was precisely to address constraints
63. The defendant believes that the CNPD should choose to frame the violations of Article 5(1)(f) in the concrete provisions of Articles 28 and 32 of the RGPD.
arising from the pandemic, which manifestly does not apply to the present
64. However, Article 28 sets out the conditions under which a subcontracting relationship must occur and does not seek to punish those in which formalisation has not taken place.
case, which was neither directly nor indirectly affected by the pandemic.
65. Article 32 also defines a set of specific, but not exhaustive, security measures to be implemented in order to guarantee the security of the processing.
66. What the CNPD censured in the draft decision was a set of procedures to which not even the minimum security measures were applied, revealing a censurable behaviour not due to the inadequacy of concrete measures but rather due to a coherent and consistent action of total disregard for the principle enshrined in Article 5(1)(f) of the RGPD.
v. On violations of Article 13
Comissão Nacional
67. The Municipality of Setubal argued that the data collection it carried out was merely instrumental and dependent on the instructions or definitions of third parties.  
de Proteção de Dados
68. He therefore maintains that it cannot be said that the data controller or the recipients of the data were not known.  
9. Even if a different view were taken as to the impossibility, at present,
69. It is factual that, in several cases, the Municipality collected information framed in forms from third parties.  
of applying the regime set out in Article 44(2) of the LERGPD, the CNPD interprets that regime
70. The CNPD does not censure this reality, but rather the circumstance that, by creating a specific service to support refugees, the Municipal Refugee Helpline (LIMAR), the Municipality has not, in this context, informed the data subjects of various elements provided for in Article 13(1) and (2) of the RGPD, as is its obligation, regardless of the context in which the collection of data is carried out.
as conferring on it a discretionary power to assess, in light of the specific infringement,
71. Admitting that the emergency context in which it found itself could make the availability of these elements a non-priority, the emergency should always be framed within the existing framework of preparation.
whether it would be justified to set aside the general rule of imposing a financial penalty on a given
72. Even so, this framework allowed for the existence of previous meetings of the Setubal Local Council for Social Action - CLASS and the definition of action procedures which could and should have included the matter of data protection within its scope.  
public body acting as controller (or on a processor), taking into
73. It is precisely in the context of supporting data subjects in particularly vulnerable situations and in a context of atypicality, as was the case here, that the protection of fundamental rights such as the protection of personal data becomes more urgent.  
account the different interests and rights at stake.
74. Regarding the lack of mention of the Data Protection Officer in the information to be provided, the defendant has the argument that, in the absence of such a person, he could not be informed, but this does not exempt him from the obligation of designation, nor does it contribute to the mitigation of this original violation.  
10. Considering the seriousness of the infringements, the weighing of the rights of
75. An obligation that had been binding on him since 25 May 2018, but whose designation process only began on 3 May this year.  
data subjects and the public interests that the infringed legal provisions seek to protect,
76. Obligation, moreover, reinforced by Law no. 58/2019, of 8 August, which expressly repeats the imperative nature of the designation of the EPD.
as will be substantiated below, the CNPD's decision would in any event be not to waive the fine
77. Furthermore, one cannot accept the argument that the "oversight" in the mention of the data protection legislation in force in the declaration of consent is excusable in the context of the ongoing "systematic implementation of the GDPR".
in this specific case.
78. Firstly, because the defendant has failed to demonstrate that there was any systematic implementation in progress and,  
11. Accordingly, each of the arguments set out above supports the decision not to
79. Secondly, because even if such an implementation did exist, it would always be late and, therefore, of little relevance to the facts established.  
waive the fine.
80. It should be noted that Regulation 2016/679 of 27 April 2016 entered into force on 24 May 2016 and its application was deferred to 25 May 2018 (cf. Article 99(2)).
II. Assessment
81. At most, it could even serve as an aggravating factor, since it becomes less excusable that an organisation which is in the process of implementing the RGPD is not concerned with updating basic information such as that which it provides to data subjects.  
i. On the alleged inappropriateness of the Draft Deliberation
82. As described in point 64, also with regard to the breach of the principle enshrined in Article 5(1)(e) and Article 13(2)(a) of the GDPR, there is a relation of precedence, and therefore the violation of the aforementioned duty of information will not be taken into account in the final decision.
12. Contrary to what the defendant claims, the present administrative offence proceedings are not
83. Also with regard to the definition of time limits for the preservation of information, we accept the argument raised by the Defendant regarding the urgency and emergency of the situation experienced at However, this does not mean that the possibility of at least establishing minimum guidelines for the conservation of information should be disregarded.
shaped by the media attention that undeniably surrounded all the issues connected
84. Finally, the absence of an impact assessment on data protection in relation to the processing carried out in the context of LIMAR is noted, not because of the It is not necessary to carry out such an assessment, but because it is not legally required for this particular treatment.
with them.
85. With the elements in the file, of interest for the decision, we consider the following to be proven:
13. The mere fact that this is a matter to which the media devoted
iii. Facts
extensive and intense attention neither constrained nor amplified any factual assessment that the
86. On 29 April 2022, the Expresso newspaper published an article with the headline "Ukrainians received in CDU chamber by pro-Putin Russians" (see document attached).
CNPD expressed in the Draft Deliberation.
87. It contained testimonies of refugees from Ukraine, displaced in Portugal as a result of the ongoing military conflict between that country and the Russian Federation.  
14. Moreover, the references to the fact that the media
88. These testimonies, offered anonymously, stated that in the City Hall of Setubal, Russian citizens, on the pretext of helping Ukrainian refugees who came to ask for help, asked the latter questions about the whereabouts of their relatives and what they were doing in Ukraine.  
publicised the matter serve only to explain what prompted the
89. The Municipality of Setubal, legal entity with NIPC 510294104, has its headquarters at Praça do Bocage, 2901-866 Setubal.
opening of the inquiry, since the "news" of the potential breach of GDPR
90. In the news reports mentioned above, it was also reported that documents belonging to the refugees were copied in the presence of the so-called Russian citizens.
rules was made known through those same media.
91. The citizens specifically mentioned in the news were
15. The facts set out in the draft deliberation provide the basic context that allows the
92. This and similar news items have been published in various media (cf. news reports attached to the case).  
defendant to understand the meaning and scope of the CNPD's action, even though some of them serve to
93. - has Portuguese nationality and is a member of the Associação de Imigrantes dos Países de Leste - EDINSTVO.
exclude what is not and cannot be the subject of a ruling by the national supervisory
94. association.
authority for data protection.
95. is also of Portuguese nationality and president of the aforementioned and Ourista worker) from Setubal City Council.  
96. The Associação de Imigrantes dos Países de Leste EDINSTVO, a legal entity with NIPC 506204367 and headquarters at Rua de São Tomé e Príncipe, 18 r/c Dto., 2900-087 Setubal, is dedicated to supporting immigrants from Eastern European countries, and also from Brazil, by promoting initiatives to help integration in the community and solidarity, culture and entertainment.
97. EDINSTVO was founded in 2002 by _ and _.
98. Since then, several initiatives within the scope of the Association have been promoted, being included in the Conselho Local de Ação Social de Setubal - CLASS (cf. record of statements and minutes of the CLASS meeting of 11th March 2022, attached to the CMS Inspection Report, as Annex VIII - pages 2 to 7 and Annex VI).
99. In 2004, Setubal City Council signed a protocol with EDINSTVO to place two of the latter's employees in the "SEI - Setubal Etnias e Imigração" (SEI) Office team, with the aim of providing assistance, advice and help to immigrants who present themselves.
100. The SEI is integrated in the Department of Culture, Sports, Social Rights, Health and Youth of CMS.
101. The protocol was successively renewed and remained in force until May 2022.
102. There are no provisions in the protocol on the protection of personal data or the responsibilities of the parties in the management of such information.
16. The defendant's subjective analysis therefore finds no support in the facts taken
103. The CMS, in view of the imminent arrival of a considerable influx of Ukrainian refugees, has decided to set up a Municipal Refugee Helpline (LIMAR) in March 2022, with telephone and face-to-face service.  
as established or in the charges made against it, which relate exclusively
104. The Municipality of Setubal has thus assumed the responsibility for the processing of the information processed in the context of the services provided through LIMAR.  
to the infringements found after due investigation.
105. In order for LIMAR to be able to provide the services for which it was established, two rooms were made available in the building of the Livramento Market, a municipal public building located in Setubal, one for customer service and the other to support and archive the documentary record.  
17. For that reason, the references to the citizen - to his conduct and
106. The support and archive room had its own filing cabinets and was only accessible to LIMAR members.  
behaviour are never tainted by any mention of his Russian citizenship, but rather
107. The CMS team created specific forms - the "assistance" and "telephone assistance" forms - (see Annexes III and IV of the CMS Inspection Report), for the collection of the necessary elements for the support required under LIMAR.
rest on the facts obtained from the inquiries carried out during the investigation of the
108. These forms contained various personal information about the refugees, from name, address, date of birth, marital status, contacts, household, information on identification documents, on the support network (identifying the places and people they could stay with and their respective households), information on the period they could stay with the people in that support network and identification on the needs of those people in terms of housing, essential goods, food, health, education, childcare facilities, employment, social responses, among others, in addition to the description of the specific situation (cf. Annexes III and IV of the Inspection Report to the CMS).
case.
109. Together with the attendance forms, the enrolment form for the Portuguese as a Host Language - PLA courses of the IEFP (Instituto de Emprego e Formação Profissional) could be filled in for those refugees who expressed the desire to learn Portuguese, and a copy of the biography page of the passport or other identification document was attached.
ii. On the invalidity of the procedure for violation of a substantive right:
110. The IEFP enrolment forms contain, among others, the following tables concerning the personal information of the applicants: full name, address, date of birth, marital status, sex, mobile phone number, country of origin, ID card number, academic qualifications, profession in the country of origin, current job or profession, employment situation in Portugal (see Annex VII of the CMS Inspection Report).
Article 39, no. 3, and likewise Article 37
111. The attendance forms were handwritten, and the processes were filed on paper. A digital record of the collected data was also created, on the "Microsoft" platform, in Excel format - file "LIMAR_BASE. DATA. xlxs", which requires a password for access (see Annex XII of the CMS Inspection Report).
, no. 2, and Article 39
112. The file included the application form, the Temporary Protection Certificate, copy of identification documents, birth certificates of minors, enrolment file in the Portuguese as a Host Language - PLA, the copies of the documents sent to the IEFP, and the receipts of communications to the various public services for the support due, namely to the IEFP for job search, to the Setubal Social Security Office for the receipt of the Social Income and other benefits, to the Setubal Health Centres Grouping and to the Hospital Centre and to other public and private entities that guarantee the support requested, namely of food, clothes and other essential goods.
, no. 1, of the LERGPD
113. The file also included the "Declaration of Consent", regarding the processing of personal data provided to CMS in the context of support for refugees, in which, in the part relating to the communication of data to third parties, it is stated: "[...] I further authorize that the data records collected may be shared with other services or entities within the specific responses or the provision of social support adjusted to the situation, with guarantees of privacy and non-discrimination." (cfr. Annex III - page 4 of the CMS Inspection Report).
18. The Defendant disputes that the CNPD can set aside the application of Article 39(3) of Law no.
114. The text of the declaration was written in Portuguese, Ukrainian and Russian.  
58/2019 of 8 August, since that provision establishes a substantive right that cannot
115. During the due diligence, the case "A72", created by the team, was randomly checked "FN / YK" and , with cover page "Service Record" and which included the copy of the passport (biographical data sheet), the copy of the temporary protection certificate and the copies of the e-mails sent to the entities for the necessary support, as well as the declaration of consent.  
be set aside by the CNPD.
116. At the top of each service file, the initials of the elements that carried out the service are written as follows: "--/YK" or "--/IK", and where the initials of the social service technician of the Municipality were present.
19. This is a legal view that differs from the Commission's and which, as repeatedly
117. The procedures for the management of cases concerning refugees and their referral to the competent authorities were discussed and fixed in a meeting of the CLASS network, chaired by the Councillor for Culture, Sports, Social Rights, Health and Youth of Setubal City Council, - (cfr. Annex VI of the Inspection Report to the CMS).
explained, cannot succeed.
118. In it, the subject of the PLA courses was mentioned, but the transport of the enrolment forms to the IEFP was not fixed or advised (cfr. Annex VI of the CMS Inspection Report).  
20. Indeed, Regulation (EU) 2016/679 of 27 April 2016 - the General
119. Instead, a model email was agreed upon to be used for situations of precariousness or need of support - employment, social service and support, health - which did not contemplate the situation of refugees who wanted to learn Portuguese as a host language (see Annex V - page 3).
Data Protection Regulation (GDPR), like any regulation issued by the European Union,
120. LIMAR operated from March 1990 onwards with the help of SEI staff.
121. The assistance teams of the CMS consisted of two collaborators, a social technician and a translator, who in this case were or
has general application. It is binding in its entirety and directly applicable in all
122. During the period from 11 to 28 March 1990, due to illness. was absent
Member States (Article 288 of the Treaty on the Functioning of the European Union).
123. During this period, I only collaborated in the services involving translation (cf. Annex VIII- pages 2 to 4 of the CMS Inspection Report).
21. These primary characteristics of regulations cannot be set aside by national
124. The participation of - in the team was not based on any formal or contractual decision, although he had no function in the Municipality.
legislation, as stated in the settled case-law of the Court of Justice of the European Union and
125. - supported LIMAR by assisting in the translation and, at the request of the refugees, in the completion of documentation for the courses "Portuguese as a Host Language - PLA" (learning Portuguese) from IEFP and the SEF forms for obtaining the temporary protection title as a volunteer (see Annex VIII - pages 2 to 4 of the CMS Inspection Report).
as set out in CNPD Deliberation 2019/494.
126. Scanned and uploaded to the SEF form the passports and birth certificates of the children for whom the refugees themselves had requested assistance (see Annex VIII, pages 2 to 4 of the Inspection Report to the CMS).
22. Recently, the Constitutional Court, in ruling no. 422/2020 of 15 July, dispelled
127. Organized and transported the enrolment forms for the PLA courses to the IEFP (see Annex VIII - pages 1 to 7 of the CMS Inspection Report and IEFP Inspection Report).
any remaining doubt about the limits (or lack thereof) on the application of the principle
128. It has not been possible to ascertain the exact number of enrolment forms for the PLA courses carried by -.
of the primacy of EU law, ruling as follows: "Under Article 8
129. - supported as interpreter the initial information provided to the refugees, regarding social support and procedures for the payment of transport and food allowances and the training grant, at the IEFP Setubal facilities (cfr. electronic communication from the Director of the IEFP Setubal attached to the records).
, no. 4, of the CRP, the Constitutional
130. He had access to LIMAR computer equipment, using his wife's credentials, enabling him to use the CMS computer and laptop to access web portals where he would insert documents (cf. statement annexed to the case file).
Court may only review and refuse to apply a rule of EU law if that rule is
131. gave her husband the credentials to access such equipment (cf. statement attached to the case).  
incompatible with a fundamental principle of the democratic rule of law which, within the
132. - continued to collaborate as an interpreter in the context of the reception of refugees and did not record data in internal processes (see Annex VIII - pages 5 to 7 of the Inspection Report to the CMS).
sphere of EU law itself - including, therefore, the case-law of the CJEU - does not enjoy a parametric value
133. This collaboration ended on 7 April 2022 (cf. Annex VIII - page 1 of the report to the CMS).
materially equivalent to that accorded to it in the Constitution, since such a principle
134. On 3 May 2022, the Mayor of Setubal, by Order No 153/2022, appointed as EPD an employee of the Municipality who also held managerial positions.
necessarily binds the very agreement on the "[...] exercise, jointly, in cooperation or
135. As doubts about the appropriateness of this designation arose, the CNPD was asked, on 10 May 2022, to issue an opinion on its conformity.
136. Later, a public hiring procedure was launched to fill the position of Data Protection Officer for Setubal Municipality.
137. This competition resulted in the appointment of the new Data Protection Officer on 22 September 2022.  
138. It was found that there are no policies or guidelines in the CMS for the secure management of information containing personal data, and the employees of the municipality are not informed about the procedures to be adopted.
by the institutions of the Union, of the powers necessary for the construction and deepening of the European
139. The exception to the absence of such policies and/or guidelines is an email from the IT Division on the security of computer, email and internet access passwords, which the municipality made available to the CNPD during the inspection (see Annex IX of the Inspection Report to CMS).  
Union". Conversely, whenever what is at issue is the review of a rule of EU law in light of a
140. No Data Protection Impact Assessment has been carried out, despite the fact that refugees (as well as asylum seekers) are considered vulnerable persons according to the European Data Protection Supervisor's Guidelines on Data Protection Impact Assessments (see criterion 7 for the assessment of the need for a DPIA, p. 12 of the Guidelines).
(fundamental) principle of the democratic rule of law which, within EU law, enjoys a
141. There are no retention periods defined for the information collected by LIMAR.  
parametric value materially equivalent to that accorded to it in the Portuguese
142. No information is provided to the data subjects (refugees) at the time of collection about who is the controller, the purposes of the processing, the recipients or categories of recipients of the personal data, the rights of the data subjects, the right to lodge a complaint with a supervisory authority.  
Constitution, functionally secured by the CJEU (through the judicial remedies provided for in
143. The Attendance Register contains a "Declaration of Consent" which reads as follows: "I declare that I consent that the information and data provided by me to Camara Municipal de Setubal, within the scope of the Municipal Refugee Helpline, be processed by automated means or others, with the appropriate guarantees of privacy and non-discrimination. I also authorise that the records and data collected may be shared with other services and entities in order to direct them to specific responses or to provide social support adjusted to the situation, with the guarantees of privacy and non-discrimination. I also inform you that the confidentiality and security of the personal data I have provided will be ensured, and that I may access and/or rectify them whenever necessary, in accordance with Law 67/98 of 26 October, as amended by Law 103/2015 of 24 August, and that false statements are punishable by law."
EU law), the Constitutional Court refrains from reviewing the compatibility of that rule with the
144. In that statement there is no reference to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
Constitution."
145. By allowing people outside the municipal services to access the IT equipment used for the processing of personal data without a specific access profile, as well as by granting them access to information of the refugees supported through LIMAR, contained in the forms of the PLA courses, transporting them outside the premises of the Municipality without previously assuming any formal commitment and without defining any guidance on the management and security of the information thus accessed and transported, the defendant did not act with the care he is obliged to, and was capable of, representing as possible that he was acting against the law.
23. A CNPD entende que, em matéria de aplicabilidade do RGPD e, designadamente, de
146. By using Excel files for the management and conservation of information relating to a set of vulnerable holders (refugees), files that do not include audit records, not allowing to know who accessed them, when and what operations were performed, the accused did not act with the care he is obliged to, and that he was capable of, representing as possible that he was acting against the law.  
aplicabilidade direta do seu regime sancionatório, os princípios existentes no âmbito do DUE,
147. By failing to set the time limits for retaining the information collected through LIMAR, and by retaining the information longer than necessary, the defendant failed to act with the care that he was obliged and capable of exercising, and it is possible that he was acting against the law.
gozam de um valor paramétrico materialmente equivalente ao que lhe é reconhecido na
148. By failing to provide mandatory information about the processing of personal data in a concise, transparent, intelligible and easily accessible form, the defendant has not acted with the care that it is obliged to, and that it was capable of, representing as possible that it was acting against the law.  
Constituição portuguesa.
149. By failing to appoint a Data Protection Officer, the defendant has failed to act with the care that it is obliged to exercise, and that it is capable of exercising, and has arguably acted against the law.
24. Como nota Paulo Pinto de Albuquerque (no seu "Comentário do Regime Geral das
150. The defendant has always acted voluntarily and consciously.
Contraordenações à luz da Constituição da República e da Convenção Europeia dos Direitos do
IV. Evidentiary Conviction
Homem"), "De acordo com a jurisprudência do T JUE, os direitos fundamentais do visado num
151. The facts found to be proven were based on a critical analysis of the evidence produced, both oral and documentary, as well as the inspection reports that the CNPD carried out at the ACM, SEF, IEFP of Setubal and CMS and the testimonies collected. Of the latter, the following are noteworthy (cf. statement minutes attached to the CMS Inspection Report): a. The statements of - who denied having copied the refugees' identification documents into CMS's internal file; b. who confirmed having provided her husband with access credentials to the computer equipment; c. From third parties; which denied having shared refugees' personal data with d. He denies having copied for himself or for third parties, as well as he denies having made available to entities other than those indicated by the Municipality the documentation concerning the refugees to which he had access; e. From the CMS Head of the Social Rights and Health Division, , who stated that she- collaborated as an interpreter in the context of the reception of refugees and that it did not register data in internal files; f. And that, given the direct articulation with the IEFP- CE Setubal, which was due to the relationship that it maintained with the IEFP delegation as a manager of the EDINSTVO association and trainer, it was he who took the enrolments and copies of identification documents to attend the PLA courses; g. Finally, he stated that he had not received any complaints about the assistance provided to the refugees; h. From the president of the Association of Ukrainians in Portugal, who stated that he had not received any complaints from refugees regarding the service provided in Setubal; i. It is not aware of any case of data collection or transfer of Ukrainian refugees to Russia, even if it admits the existence of such a risk.
processo sancionatório da ordem jurídica da União Europeia são: (1) o direito uma audiência
V. Law
diante da autoridade administrativa; (2) o direito à não-auto-inculpação, (3) o direito à
152. The CNPD is competent pursuant to Article 58.0(2) of Regulation (EU) 2016/679, of 27 April 2016 - General Regulation on Data Protection (RGPD), in conjunction with Article 3, Article 4.0 (2), and Article 6.0 (1)(b), all of Law n.0 58/2019, of 8 August (LERGPD). i. 0 Infringement of the principle of integrity/confidentiality (Article 5(1)(f) of the EU Treaty). 0 of the GDPR)
fundamentação das decisões, (4) o direito de acesso a documentos, (5) o direito à
153. Article 5.1 of the GDPR requires that personal data is 'Processed in a manner that ensures the security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ("integrity and confidentiality")'.  
representação legal, que inclui o direito à confidencialidade da comunicação entre o advogado
154. However, CMS has not defined organisational measures for safeguarding information, policies or guidelines for the secure management of information, nor has it formally defined any commitment with EDVINSTO to regulate access to and the transport of information containing personal data.  
e o cliente, e (6) o direito de acesso a um tribunal independente e imparcial num tempo razoável"
155. Moreover, by making it possible for persons outside the municipality's services to use the equipment, without a specific profile, on which personal data entrusted to the municipality are stored without any contract or formal agreement setting out the parties' obligations as regards the protection of personal data, the Municipality of Setubal has breached the principle of integrity and confidentiality.
(cf. nota 28 ao artigo 1.0).
156. lso, by storing information containing personal data on refugees in Excel files, even with access made conditional by password, the Municipality of Setubal has infringed that same principle, given that the unstructured storage of data in files where access and modification traceability is clearly reduced or non-existent, represents in itself a risk to security, integrity and confidentiality.
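Review bot: the section heading at the end of paragraph 152 is garbled and cites the wrong instrument: "i. 0 Infringement of the principle of integrity/confidentiality (Article 5(1)(f) of the EU Treaty). 0 of the GDPR)". Paragraph 153 quotes this principle from the GDPR, so the heading should read "i. Infringement of the principle of integrity/confidentiality (Article 5(1)(f) of the GDPR)" and sit on its own line like heading "ii.". In the same section, paragraph 154 spells the association "EDVINSTO" where paragraph 151 has "EDINSTVO", and paragraph 156 has lost its first letter ("lso").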
25. Direitos esses que "podem ser invocados não só diante das instâncias judiciais europeias,
ii. Infringement of the principle of limitation of retention (Article 5(1)(e) of the GDPR)
mas também diante das instâncias judiciais nacionais, quando estas tenham competência para
157. Article 5.0 (1)(e) of the GDPR requires that personal data must be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed; personal data may be stored for longer periods provided that they are processed solely for 0 for archiving purposes in the public interest, or for the purposes of scientific or historical research or statistical purposes in accordance with Article 89(1), subject to the application of appropriate technical and organisational measures as required by this Regulation with a view to safeguarding the rights and freedoms of the data subject ("restriction of retention")".  
aplicar a lei da União Europeia ... " (cf. nota 31 ibidem).
158. The Municipality of Setubal has not defined any retention period for personal data collected through the Municipal Refugee Helpline nor the criteria used to define these periods.
26. O que o arguido parece advogar não é tanto a compatibilidade do normativo nacional com
iii. Breach of Article 13.0 of the GDPR Case AVG/2022/712112
o previsto no RGPD, mas antes a prioridade de um regime interno que efetivamente afasta o
159. Recital 60 of the GDPR explains that "The principles of fair and transparent processing require that the data subject must be informed of the data processing operation and its purposes".  
direito da UE, criando um passo prévio à sua aplicação, nunca pretendido ou autorizado pelo
160. Article 12.0.1 of the GDPR states that: "The controller shall take appropriate measures to provide the data subject with the information referred to in Articles 13.0 and 14.0 and any communication provided for in Articles 15.0 to 22.0 and 34.0 regarding the processing in a concise, transparent, intelligible and easily accessible form using clear and plain language, in particular where the information is specifically addressed to children."
legislador europeu.
161. 0Article 13(1) and (2) of the GDPR obliges data controllers to provide data subjects with a specific set of information, including, relevant to the case, the following: II-1 (...): a) the identity and contact details of the controller and, where applicable, his representative; (...) c) the purposes of the processing for which the personal data are intended, as well as the legal basis for the treatment; (...) (e) the recipients or categories of recipients of the personal data, if any (...) 2. (... ): (...) b) The existence of the right to request from the controller access to and rectification or erasure of personal data concerning him/her, and to restrict processing insofar as it relates to the data subject, as well as the right to object to processing, as well as the right to data portability; c) If the processing of the data is based on Article 6(7)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent previously given; d) The right to lodge a complaint with a supervisory authority; e) Whether or not the communication of personal data constitutes a legal or contractual obligation or a requirement for entering into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to do so.
27. Ora, considerar que uma condição que a lei nacional impõe como indispensável à aplicação
162. The declaration of consent attached to the file, which was collected with the intention of legitimising the processing of the refugees' personal data, does not contain any of the information provided for in Article 13(1)(a), (c) and (e) or in Article 13(2)(b), (c), (d) and (e) of the GDPR .  
do direito da UE (através de um regulamento que, como se disse, é obrigatório em todos os seus
163. Furthermore, the legal basis explained refers to Law 67/98, of 26 August, which is legislation that has already been repealed, and therefore the provision of information provided for in paragraph c) of Article 13. 0.1 must be considered to be defective,  
Av. O. Carlos 1, 134, 1 °
164. And this is because the RGPD came into force on 25 May 2018, implicitly repealing a good part of the rules of that national law, and Law No. 0 58/2019 of 8 August, which came into force on 9 August 2019, expressly repealed the aforementioned Law No. 0 67/98 of 26 August.
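Review bot: the date of Law 67/98 is inconsistent across the added text. The consent declaration quoted in paragraph 143 says "Law 67/98 of 26 October", while paragraphs 163 and 164 say "26 August"; check the Portuguese original and use one date throughout. Paragraph 164 also carries stray zeros left over from the ordinal sign ("Law No. 0 58/2019", "Law No. 0 67/98"), which should read "Law No. 58/2019" and "Law No. 67/98".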
1200-651 Lisboa
165. Equally defective is the delimitation of third parties to whom personal data may be transmitted, as provided for in Article 13(1)(e). Although it is admitted that the range of such recipients is extensive, CMS cannot fail to recognise that at least the entities defined in the procedures established by CLASS at its meeting on 11 March 2022 could and should be made known to the data subjects.  
T (+351) 213 928 400
166. 0Finally, with regard to Article 13(2)(b) of the GDPR, the reference to the possibility of requesting the erasure of data or the limitation of processing, or even the possible possibility of requesting the right to portability, has been omitted.
F (+351) 213 976 832
167. Regarding this set of violations, it is important to note the provisions of Article 83.5 of the GDPR, which states that "Breach of the provisions listed below shall be subject, pursuant to paragraph 2, to fines of up to EUR 20,000,000 or, in the case of a company, up to 4% of the total amount of the fine" a) the basic principles of processing, including the conditions of consent where that is the basis of legitimacy pursuant to Articles 5, 6 , 7 and 9; (b) the rights of the data subject pursuant to Articles 12 to 22. iv. Violation of Article 37(1) of the GDPR
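Review bot: the quotation of Article 83(5) in paragraph 167 ends "up to 4% of the total amount of the fine", which cannot be right, since a fine cannot be capped at a percentage of itself. The parallel quotation of Article 83(4) in paragraph 170 uses annual world-wide turnover for the preceding financial year as the base, and paragraph 167 should be corrected to the same base. The heading "iv. Violation of Article 37(1) of the GDPR" is also run onto the end of this paragraph and should start its own line.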
geral@cnpd.pt
168. According to Article 37(01)(a) of the GDPR, "The controller and the processor shall designate a data protection officer where processing is carried out by a public authority or body with the exception of courts in the exercise of their functions". of its judicial function".
www.cnpd.pt
169. 0 Municipality of Setubal, by failing to appoint a Data Protection Officer, breached this provision.  
Processo AVG/2022/7121 3v (
170. As regards infringement of Article 37, it should be noted that Article 83(4) states: "Infringement of the provisions set out below shall, in accordance with paragraph 2, be subject to fines of up to EUR 1O 000 000 or, in the case of an undertaking, up to 2% of its annual world-wide turnover for the preceding financial year, whichever is the lower. (a) the obligations of the controller and the processor under Articles 8, 11, 25 to 39 and 42 and 43".  
elementos e diretamente aplicável em todos os Estados-membros) não cria um espaço de
171. The CNPD has the powers of correction enshrined in Article 58.0 , paragraph 2, of the GDPR.
desconformidade e desigualdade na aplicação desse regime nos vários países da União, não
172. Moreover, it follows from the principle of the primacy of Union law, reflected in Article 288 of the Treaty on the Functioning of the European Union, that regulations are binding and directly applicable in all Member States, thus precluding any possibility for a "State [....] unilaterally nullify their effects by a legislative act that can be relied upon against the Community texts" - CJEU Costa v ENEL, Case No 6/64; Commission v Italian Republic, Case No 39/72; Variola v Italian Financial Administration, Case No 34/73.
pode ser tido como um argumento pertinente.
173. Thus, the CNPD and on the grounds best expressed in its Delibera9ao/2019/494, of 3 September (accessible at https://www.cnpd.pt/umbraco/surface/cnpdDecision/download/121704), decides not to apply, in the case at hand, by virtue of the principle of primacy of European Union Law, in conjunction with the provisions of article 8, no. 4 of the Portuguese Constitution, the provisions of articles 37(2), 38(2) and 39(1) and (3) of the Portuguese Constitution.0Article 37(2), Article 38(2) and Article 39(1) and (3) , all of the Portuguese Constitution n. 0 58/2019, of 8 August (hereinafter LERGPD).
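Review bot: the last sentence of paragraph 173 lists the disapplied provisions twice and attributes them to "the Portuguese Constitution", although the closing words "n. 0 58/2019, of 8 August (hereinafter LERGPD)" identify the instrument as the law that paragraph 152 calls Law 58/2019. Suggest a single list: "the provisions of Articles 37(2), 38(2) and 39(1) and (3) of Law No. 58/2019, of 8 August (LERGPD)". "Delibera9ao/2019/494" should also be restored to "Deliberação 2019/494".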
28. Acolher este argumentário significaria permitir que qualquer país da UE pudesse criar
v. Sarn;:6es
regimes semelhantes, para qualquer regulamento da União, obstando à sua aplicabilidade
174. It can therefore be seen, in view of the facts established, that the defendant has processed personal data without taking care to ensure the security and integrity of such data, namely by not establishing organisational measures and not signing binding commitments with entities and/or persons outside the municipal services who could access such personal data.  
direta.
175. It is also noted that the defendant did not define the period for which the information is to be kept or the criteria used to establish this period, as it was obliged to do, nor did it erase the information containing personal data as soon as it ceased to be relevant to the purpose for which it was intended and should therefore be deleted.  
29. Ao apontar para a existência de um direito substancial que a si é negado, o Arguido remetenos
176. Moreover, in view of the facts established, it appears that the defendant has disregarded specific obligations imposed on it by the GDPR, namely the obligation to inform the data subjects.  
justamente para o campo de aplicação do direito da UE, para a consideração dos efeitos do
177. Finally, it is also noted that the defendant failed to appoint a Data Protection Officer.  
princípio do primado e para o campo de aplicação da mais recente jurisprudência constitucional,
178. This means that there are sufficient indications that the defendant has committed three established and punishable offences, i. the first by the combined provisions of Article 5(1)(0)0 , in the context of the inability to ensure the security of processing and the integrity and confidentiality of personal data processed, and of Article 83(5)(a) ii. the second by the combined provisions of Article 5(1)(e) for failure to comply with the principle of limitation of retention and Article 83(5)(a)
que, como vimos, não cauciona a sua interpretação.
179. the third by the combined provisions of Article 13(1) and (2)0 (information to be provided when personal data are collected from the data subject) and Article 13(b) Article 83(5),
30. No mais, remete-se para o conteúdo da Deliberação 2019/ 494 da CNPD, em especial sobre
180. all of the RGPD, each of which will be sanctioned with a fine of up to €20,000,000.00.  
a vinculação desta Comissão ao princípio da cooperação leal, previsto no n. 0 3 do artigo 4. 0 do
181. We also find, in view of this fact, that there is sufficient evidence that the defendant has committed an administrative offence provided for and punishable by the combined provisions of Article 37(1) (designation of the Data Protection Officer) and Article 83(4)(a),  
Tratado da União Europeia,
182. all of the RGPD, sanctioned with a fine of up to €10,000,000.00.  
31. bem como sobre a manifesta desadequação desta norma em confronto com o mecanismo
183. All the violations listed here were committed with negligence, wilfully and knowingly. The CNPD has the corrective powers provided in Article 58.2 of the GDPR, namely to "reprimand the controller or processor when the processing operations have violated the provisions of this Regulation" (Article 58.2.b)) and to "impose a fine under Article 83" (Article 58.2.b)).The Commission will be able to impose a fine, in accordance with Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the circumstances of each case" (Article 83(i)).
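Review bot: paragraph 183 says the violations were committed "with negligence, wilfully and knowingly", which contradicts itself and does not match paragraph 186 (iv), where the conduct "is considered to be negligent", or paragraph 199 ("freely and knowingly, albeit negligently"). Align the wording with those paragraphs after checking the original. The two corrective powers are both cited as "Article 58.2.b)"; the power to impose a fine is Article 58(2)(i), and the closing "(Article 83(i))" looks like a misplaced remnant of that citation. The quotation marks around the second power are also unbalanced.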
de coerência previsto no RGPD e, ainda,
184. 0The breaches of the principle of limitation of retention (Article 5(1)(e) of the GDPR) and of the duties to provide a set of information to the data subject when the collection is carried out directly by the controller (Article 13(1) and (2)) should be deprived of their value differently from the others, given the context of emergency that existed at the time of the facts that prove them. This is because the former are intrinsically linked to the process of receiving refugees, admitting, in this situation, an epis6dico, although always censurable, carelessness or less care in the fulfillment of rules that did not appear to be of equal priority given the concrete needs to provide the rapid humanitarian response that was sought.
32. sobre o facto de também as entidades administrativas estarem obrigadas a desaplicar
185. The other violations are different, not because the context is different, but because their existence does not depend and does not reflect the specific situation of response to requests from refugees. Rather, they reveal a structural attitude and behaviour of the organisation, which has serious deficiencies in the assumption of critical principles of data protection that go beyond these specific processes.  
normas nacionais que contrariem o direito da União Europeia.
186. According to Article 83(1)(a) to (k), the measure of the fine is determined on the basis of the following criteria: i. The nature, gravity and duration of the infringement, having regard to the nature, scope or purpose of the data processing in question, as well as the number of data subjects affected and the level of damage suffered by them - The infringements committed by the defendant are considered to have a significant degree of gravity, It is considered that the breaches committed by the defendant have a significant degree of seriousness, given the number of data subjects concerned (especially vulnerable), of which the specific number has not been ascertained, even though the context in which they occurred, in which the humanitarian emergency required more expeditious procedures, makes their assessment less severe. The violations detected in relation to the principle of limitation of conservation occurred in a relatively short period of time (about two months). The infringement of the EPD's designation lasted from 25 May 2018 until 3 May 2022 and therefore merits a higher degree of censure, although it has been corrected. ii. No harm has been caused to the data subjects; iii. Only one of the offences with which the defendant is charged is not punishable by the most severe framework provided for in the GDPR (in this case, breach of the obligation to appoint a data protection officer); iv. The intentional or negligent character of the infringement - as already explained above, the conduct relating to the infringements detected is considered to be negligent; v. The initiative taken by the controller or processor to mitigate the damage suffered by the data subjects - in this regard, the initiative of the defendant to designate a data protection officer and to terminate the protocol with the EDVINSTO association is relevant, even if as regards the latter, the correction could have been limited to compliance with the provisions of Article 28 of the GDPR; vi. 
the degree of responsibility of the controller or processor in view of the technical or organisational measures implemented by the controller or processor under Articles 25 and 32 defendant by failing to define technical and organisational measures that are minimally sufficient and suitable for protecting the personal information processed; vii. Any relevant breaches previously committed by the controller or processor - which do not occur; viii. the degree of cooperation with the supervisory authority to remedy the infringement and mitigate any negative effects it may have - which is considered adequate in view of provision of the required information and cooperation at all stages of the enquiry process; ix. The specific categories of personal data affected by the infringement - in this case there is a wide range of information about refugees who came to LIMAR, providing name, address, through date of birth, marital status, contacts, household, information on identification documents, on the support network (identification of places and people they could stay with and their respective households), information on the period they could stay with the people from that support network and identification of the needs of those people in terms of housing, essential goods, food, health, education, child care facilities, employment, social responses, among others, in addition to the description of the concrete situation. x. Among these data are some - those relating to health - which fall within the special categories of data provided for in Article 9(1) of the GDPR. xi. The manner in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified it, and if so, to what extent - which in this case resulted from the publication in the media of the suspected infringements relating to the processing of personal data of refugees, does not constitute a mitigating circumstance for the defendant; xii. 
Compliance with the measures referred to in Article 58.0 , n.0 2, if they have been previously imposed on the controller or the subcontractor concerned in respect of the same matter - this criterion does not apply, as no corrective measures had been determined beforehand; xiii. Compliance with codes of conduct approved under article 40 or certification procedures approved under article 42 - criteria which also do not apply, as there is no code of conduct or certification procedure, under the terms indicated; and xiv. Any other aggravating or mitigating factor applicable to the circumstances of the case, in light of Article 83(2)(k) of the GDPR. 0 do RGPD, such as the financial benefits obtained or losses avoided, directly or indirectly, through the infringement - As a mitigating factor, the specific context in which the breaches occurred must always be taken into account, at a time when the arrival of Ukrainian refugees in Portugal was intense and public and private institutions were faced with the urgent need to respond to them. xv. The financial situation of the Municipality will also be taken into account, as reflected in the information provided in points 184 to 186 of the defence, which shows a significant drop in executed revenue compared to 2021.
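Review bot: paragraph 186 opens by citing "Article 83(1)(a) to (k)" for the fining criteria, but item xiv of the same list cites "Article 83(2)(k)"; the criteria (a) to (k) sit in Article 83(2), so the opening citation should be corrected. Item i states the same sentence twice ("The infringements committed by the defendant are considered ..." and "It is considered that the breaches committed by the defendant ..."), "EPD" is left untranslated where the rest of the text says Data Protection Officer, and item vi is missing the words between "Articles 25 and 32" and "defendant", which need to be restored from the original.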
33. Lembre-se que todos estes princípios se encontram expressamente previstos nos Tratados.
187. In view of the criteria mentioned above, the CNPD considers it necessary to apply, in this case, two reprimands and a fine to the defendant, considering this to be an effective, proportionate and dissuasive measure, given the specific circumstances in which the offences occurred.  
34. E que a deliberação 2019/494 da CNPD foi publicada justamente com o intuito de precaver
188. The fine applicable to the defendant for the infringement provided for and punishable under the combined provisions of Article 5.0 (1) (0) , in the area of failure to ensure the security of processing and the integrity and confidentiality of data personal data processed, and of Article 83, paragraph 5, sub-paragraph a) of0 and will have a maximum limit of 20.000. 000,00 euros.  
os visados pela legislação nacional, por forma a incrementar a segurança jurídica quanto às
189. Whereas the abstract fine applicable to the defendant for the infringement provided for and punishable under the combined provisions of Article 37(1) 00 (designation of the data protection officer) and Article 83(4)(a), all of the GDPR, has a maximum limit of € 10,000,000.00
decisões que viessem a ser proferidas.
190. Evaluating the facts established in the light of the criteria set out above, the CNPD, - in our Article 58. 0 , n . 2, al. b) of the RGPD, considers, also, adjusted, the application to the defendant of i. a fine in the amount of EUR 120,000 (one hundred and twenty thousand euros) for breach of alpha 0 of Article 5.0.1, in the area of failure to ensure the security of processing and integrity and confidentiality of personal data processed, and of alpha a) of Article 83.0.5 of the RGPD; ii. a reprimand for breach of Article 5.1(e) in conjunction with Article 58.2 (b) of the GDPR; iii. a reprimand for breach of Article 13(1) and (2) in conjunction with Article 58(2)(b ) of the GDPR; iv. a fine of EUR 100,000 (one hundred thousand euros) for breach of Article 37 (designation of the Data Protection Officer) in conjunction with Article 83(4)(a). 191. Adding up the fines in tranches, the result is a total of EUR 220,000 (two hundred and twenty thousand euros).
35. Para além de que, em processos concretos, com decisão final e publicamente disponíveis
192. Once the framework of the partial fines has been established, it is important to determine the single fine applicable to the specific case.  
( cf. https://www. cn pd. pt/ comu n i caca o-pu b I ica/noti ci as/ cnpd-a p I ica-sa n cao-ao-mu n ici pio-de-
193. It is noted that the GDPR provides in Article 83(3) that, "[w]here a controller or processor intentionally or negligently infringes, in the context of the same processing operations or linked operations, several provisions of this Regulation, the total amount of the fine shall not exceed the amount specified for the most serious infringement". As literally expressed, such normative must only be called upon in cases in which the infringements have been committed "within the scope of the same processing operations", or of "linked operations", which is not the case here, and the General Regime of Administrative Offences (RGCO), ex vi article 45 of Law no. 58/2019, of 8 August, applies.  
1 i sboa/) a CNPD reafirmou esse entendimento.
194. Article 19 of the RGCO establishes the legal criteria for the legal cumulation of fines, which means that the single fine to be imposed in a guilty verdict must be set between a minimum limit constituted by the highest fine actually imposed on each of the administrative offences (no. 3), in this case EUR 120,000 (one hundred and twenty thousand euros), and with a maximum limit consisting of the sum of the fines actually imposed on each of the administrative offences (no. 1), in this case EUR 220,000 (two hundred and twenty thousand euros).  
36. Sendo, ainda, evidente que o argumento segundo o qual a CNPD "aniquilou um direito" não
195. So, the abstract frame of the single fine to be applied is between a minimum of 100,000 (one hundred thousand euros) and a maximum of 220,000 (two hundred and twenty thousand euros). vi. Grounds for the imposition of the single fine
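Review bot: the lower bound in paragraph 195 does not match paragraph 194. Paragraph 194 sets the minimum of the single fine at the highest partial fine, "in this case EUR 120,000", while paragraph 195 gives "a minimum of 100,000", which is the amount of the Article 37 fine in paragraph 190. Check the original and make the two paragraphs agree. The heading "vi. Grounds for the imposition of the single fine" is run onto the end of the paragraph, and "vi." is used again for "Conclusion" in paragraph 202.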
pode ter-se por admissível, porquanto tal direito (a sê-lo) nunca existiu.
196. The essential prerequisite for the legal cumulation of fines in instalments is the the same Defendant committed several offences before a conviction for any of them became final and unappealable.  
Processo AVG/2022/712 1 4
197. In this sense, in order to proceed to the legal cumulation it is necessary to verify the following requirements, of procedural and material nature: (i) that the sanctions are related to administrative offences committed before the final judgment of any of them, (ii) that they have been committed by the same defendant and that the individual penalties are of the same kind.
Comissão Nacional
198. What is cumulatively verified in the present case, merits the existence of effective or pure competition, either in the aspect of real competition, or in the aspect of ideal competition.  
de Proteção de Dados
199. The accused was found to have acted freely and knowingly, albeit negligently, in i. not ensure that the data it processes is "secure, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, taking appropriate technical or organisational measures. ii. not to designate a data protection officer.  
37. E é, por todo o exposto, incompreensível a imputação de que a CNPD "nada faz para que os
200. The concrete context in which the violations occurred, together with the fact that the Municipality acted in order to obviate humanitarian and emerging constraints, should be highlighted here. These constraints assume a degree of originality that may explain some of the unpreparedness shown.
mecanismos do primado, destinados a assegurar a modificação do regime (caso seja devida),
201. In any case, the breach of the obligation to designate the Data Protection Officer is not directly linked to that emergency, so the same cannot be admitted degree of devaluation of the action which is attributed to another violation.  
com respeito pelas regras da segurança jurídica, sejam acionados".
202. Considering the legal assets protected by the administrative offences in question, which the defendant committed, it seems effective, proportional and dissuasive to apply to the defendant, in legal cumulation, under the combined provisions of Article 83. 0 , paragraph 3 of the GDPR and Article 19, n. 0 3 of the RGCO, a single fine of EUR 170,000.00 (one hundred and seventy thousand Euros). vi. Conclusion
38. Sobre a desaplicação do n. 0 2 do artigo 37. 0 e n. 0 2 do 39. 0
203. In view of the above, the CNPD deliberates: Apply to the defendant Municipio de Setubal, a) in accordance with the provisions of Article 19 of the RGCO, a single fine of EUR EUR 170,000 (one hundred and seventy thousand euros) for breach of the principle of integrity and confidentiality and breach of the obligation to appoint a data protection officer; b) in compliance with Article 58.2 b ) of the GDPR, two reprimands, I. One for the violation of the principle of limitation of conservation; II. One for breach of the obligation to provide essential information when personal data are collected from the data subject.
, valem igualmente os argumentos
204. Under the terms of Article 58, paragraphs 2 and 3 of the General Regime of Administrative Offences, inform the defendant that a) The conviction becomes final and enforceable if it is not contested in court, under the terms of Article 59 of the same diploma; b) In case of a judicial objection, the Court may decide by hearing or, if the accused and the Public Prosecutor do not object, by simple order.
acima expostos e o que consta do ponto 5 da Deliberação 2019/494 já citada.
205. The defendant must pay the fine within 10 days of its final settlement, sending the respective payment slips to the CNPD. Should it not be possible to make payment in due time, the defendant must communicate such fact, in writing, to the CNPD.
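Review bot: In the added English text, paragraph 203 reads "a single fine of EUR EUR 170,000" with the currency code doubled, and paragraph 202 has the section heading "vi. Conclusion" run onto the end of its last sentence; drop the extra "EUR" and put the heading on its own line before paragraph 203. Paragraph 202 also still carries ordinal-marker residue from the scanned source ("Article 83. 0 , paragraph 3", "Article 19, n. 0 3"), which should read as plain article and paragraph numbers. Paragraph 201's "so the same cannot be admitted degree of devaluation of the action" does not parse as English and needs rewording against the Portuguese original. The statute is called "RGCO" in paragraphs 202 and 203 but "General Regime of Administrative Offences" in paragraph 204; use one form throughout and expand the acronym at first use. The lettered and numbered items in paragraphs 203 and 204 (a), b), I., II.) would be easier to follow as separate list lines.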
iii. Quanto à existência de erros e incompletudes na matéria de facto ponderada
 
39. Não se compreende a alegação de qualquer insuficiência instrutória por parte da CNPD.
 
40. Com efeito, e como ensina Augusto Silva Dias "A instrução começa com uma investigação
dirigida à recolha de prova, mas não é necessário que assim seja" (in Direito das Contraordenações,
editora Almedina, reimpressão, 2020, p. 215).
41. De todo o modo, a CNPD não só procedeu à instrução do processo, colhendo os elementos
necessários à tomada de decisão, como procedeu a diligências de investigação.
42. De resto, os relatórios juntos ao processo dão boa nota disso mesmo e os elementos de
prova referidos no projeto de deliberação confirmam essa preocupação.
43. Em nenhum momento se negou ou postergou qualquer elemento factual que abonasse em
favor do Município.
44. Sendo que cabe, em sede de decisão final, ponderar devidamente todos esses elementos e
circunstancialismos, o que se fará nas partes V e VI desta deliberação.
45. Recorde-se, novamente citando Augusto Silva Dias, que "a nota de ilicitude não constitui
ainda a decisão final da autoridade administrativa" se bem que ela "procede, todavia, a uma
certa delimitação do objeto do processo na fase administrativa" (p. 225 da ob. cit.).
46. Ora, os elementos que devem impreterivelmente ser dados a conhecer ao arguido são os já
sobejamente conhecidos e jurisprudencialmente fixados: "comunicação dos factos imputados
com a "descrição sequencial, narrativamente orientada e espácio-temporalmente
circunstanciada, dos elementos imprescindíveis à singularização do comportamento contraordenacionalmente
relevante e essa descrição deve contemplar a caracterização objetiva e
Av. D. Carlos 1, 134, 1 °
1200-651 Lisboa
T (+351) 213 928 400
F (+351)213 976832
geral@cnpd.pt
www.cnpd.pt
Processo AVG/2022/712 1 4v
subjetiva, da ação ou omissão de cuja imputação se trate (acórdão do TC n.0 99/2009). Dito na
fórmula utilizada pelo assento do STE n. 0 1 /2003, os direitos de defesa e audiência assegurados
no âmbito do processo contra-ordenacional implicarão, em síntese, que ao arguido seja dada
previamente a conhecer "a totalidade dos aspetos relevantes para a decisão, nas matérias de
facto e de direito"." (nota 4 ao artigo 50. 0
, da obra já citada de Paulo Pinto de Albuquerque}.
47. O que, s.m.o., foi concretizado no projeto de deliberação.
48. Já quanto à alegação de que a CNPD desconsiderou a "natureza colaborativa da intervenção
pública no Município", bem como "a delegação de tarefas e a existência de uma contratualização
interadrninistrativa (ainda que não formalizada), em que a tarefa do Município, sobretudo no que
respeita à recolha de dados era, essencialmente, uma tarefa instrumental (paralela ou
propedéutica) da intervenção, absolutamente necessária, de outras entidades públicas •
convirá precisar os termos da censura que a CNPD crê ser devida ao Município.
49. Não se trata de desconsiderar qualquer grau de interadministratividade ou atuação conJunta
com oui tras entidades públicas e, relembre-se, privadas, com quem a Câmara Municipal de
Setúbal entendeu promover ações colaborativas.
50. O que merece censura é a atuação do Município, enquanto responsável pelo tratamento, na
estrita medida das suas responsabilidades, onde se inclui, como é de lei, a de prestação das
informações essenciais sobre o tratamento.
51. É que o próprio Município desenvolveu, através da LIMAR, formulários próprios de
atendimento que lhe cabiam conservar e gerir autonomamente.
52. Também a intervenção de - não é censurada enquanto membro da associação
com a qual o Município estabeleceu a parceria, mas antes pelo facto de essa parceria não ter
sido devidamente formalizada por forma a enquadrar a sua participação no contexto da LIMAR.
53. De resto, importa esclarecer o arguido que o facto de se estabelecer uma parceria com uma
entidad1e terceira não significa automaticamente que ela deixe de se ter por terceira. A sua
qualificação dependerá do grau e função da sua atuação em matéria de tratamento de dados
pessoais.
Processo AVG/2022/712 j 5 r
Comissão Nacional
de Proteção de Dados
54. O que é, então, censurável é que não existam os cuidados mínimos exigíveis, quer do ponto
de vista formal - com o acordo ou contrato de subcontratação -, quer do ponto de vista
substantivo, com a implementação de medidas mínimas de controlo do acesso de pessoas
estranhas aos serviços do Município a equipamentos contendo dados pessoais.
55. Sobretudo quando esses dados se reportam a titulares de dados especialmente vulneráveis
como o são os refugiados.
56. A CNPD não se pronunciou sobre o número e qualidade de dados que os refugiados teriam
de prestar para obter apoio, pelo que se torna redundante defender, como faz o arguido, que
essa informação era imprescindível.
57. Note-se que o arguido nunca nega ou justifica o porquê de se terem utilizado ficheiros exce/
para a gestão e conservação da informação pessoal dos refugiados que acorriam à LIMAR.
58. Já quanto à existência de formação, admite-se o que vem alegado pelo arguido nos pontos
106 a 109, onde se detalham as duas formações ministradas (se bem que reduzidas), o público
alvo (se bem que imitado), a sua duração e data de ocorrência, ainda que os documentos
comprovativos dessas formações não tenham, até à data, dado entrada nos serviços da CNPD.
59. Deve, todavia, sublinhar-se a manifesta insuficiência de formações dirigidas a um universo
relativamente !imitado de funcionários e ministradas já depois de o RGPD ter entrado em
aplicação e muito depois da sua entrada em vigor, no caso em setembro de 2018 e abril de
2019.
60. Será, por isso, corrigida a matéria de facto sobre esse ponto específico.
61. Sobre a designação do Encarregado da Proteção de Dados, confirma-se que o mesmo foi já
designado, ainda que apenas a 22 de setembro de 2022.
62. Defende o arguido que também a declaração de consentimento foi, entretanto, alterada, o
que se admite, mas que, face à sua não junção aos autos nem inserção no corpo da defesa, não
pode relevar-se.
Av. D. Carlos 1, 134, 1 °
1200-651 Lisboa
T (+351) 213 928 400
F (+351) 213 976 832
geral@cnpd.pt
www.cnpd.pt
Processo AVG/2022/7121 5v r
iv. Sobre os elementos objetivos dos tipos de ilícito
63. Entende o arguido que a CNPD deveria optar por enquadrar as violações do princípio da
alínea 0 do n. 0 1 do artigo 5. 0 nas disposições concretas dos artigos 28.º e 32.º do RGPD.
64. Sucede, porém, que o artigo 28. 0 estabelece as condições em que uma relação de
subcontratação deve ocorrer, não se ocupando de punir aquelas em que a formalização não
chegou a ocorrer.
65. Igualmente, o artigo 32. 0 define um conjunto de medidas de segurança específicas ainda
que não taxativas a implementar para garantir a segurança dos tratamentos.
66. O que a CNPD censurou no projeto de deliberação foi um conjunto de procedimentos aos
quais não foram sequer aplicadas as mínimas medidas de segurança, revelando um
comportamento censurável não por conta da desadequação de medidas concretas
eventualmente congemináveis, mas antes por força de uma ação coerente e consistente de total
desrespeito pelo princípio inscrito na alínea 0 do n. 0 1 do artigo 5. 0 do RGPD
v. Sobre as violações do artigo 13.0
67. O Município de Setúbal arguiu que a recolha de dados que levava a cabo era meramente
instrumental e dependente das instruções ou definições de entidades terceiras.
68. Defende, por isso, que se não pode afirmar que não era conhecido o responsável pelo
tratamento ou os destinatários dos dados.
69. É factual que, em vários casos, o Município recolhia informação enquadrada em formulários
de entidades terceiras.
70. O que a CNPD censura não é essa realidade, mas antes a circunstância de, criando um
serviço específico para apoio aos refugiados, a Linha Municipal de Apoio a Refugiados (LIMAR),
não ter, nesse contexto, informado os titulares dos dados de vários elementos previstos nos n°s
1 e 2 do artigo 13.0 do RGPD, como é sua obrigação, independentemente do contexto em que a
recolha de dados é concretizada.
Processo AVG/2022/71216 r
Comissão Nacional
de Proteção de Dados
71. Admitindo-se que o contexto de emergência em que se encontrava, pudesse colocar como
não prioritária a disponibilização desses elementos, convirá sempre enquadrar a emergência no
quadro de preparação existente.
72. Um quadro que, ainda assim, permitiu a existência prévia de reuniões do Conselho Local de
Ação Social de Setúbal - CLASS e a definição de procedimentos de atuação que poderiam e
deveriam ter incluído a matéria de proteção de dados no seu âmbito.
73. É que é justamente no âmbito do apoio a titulares de dados em situação de especial
vulnerabilidade e num contexto de atípicidade, como era o caso, que se torna mais premente a
proteção de direitos fundamentais como o da proteção de dados pessoais.
7 4. Sobre a falta da menção ao Encarregado da Proteção de Dados nas informações a prestar,
concede-se o argumento ao arguido de que, não existindo, não poderia ser comunicado, mas tal
não o desonera da obrigação de designação, nem concorre para a atenuação dessa violação
original.
75. Uma obrigação que o vinculava desde 25 de maio de 2018, mas a cujo processo de
designação apenas deu início em 3 de maio do presente.
76. Obrigação, de resto, reforçada pela Lei n. 0 58/2019, de 8 de agosto, onde expressamente se
repete o caráter imperativo da designação do EPD.
77. Não se pode, ainda, aceitar o argumento de que o "lapso" na menção à legislação de
proteção de dados vigente na declaração de consentimento seja desculpável atento o contexto
de "implementação, sistematizada do RGPD" que estaria em curso.
78. Primeiramente, porque o arguido não logrou demonstrar que existisse qualquer
implementação sistematizada em curso e,
79. Depois, porque ainda que existisse tal implementação, ela sempre seria tardia e, por isso,
de reduzida relevância para a factualidade apurada.
80. Note-se que o Regulamento 2016/679, de 27 de abril de 2016, entrou em vigor no dia 24 de
maio de 2016, tendo a sua aplicação sido diferida para o dia 25 de maio de 2018 (cf. n.0 2 do
artigo 99. 0
).
Av. D. Carlos 1, 134, 1 °
1200-651 Lisboa
T (+351) 213 928 400
F (+351) 213 976 832
geral@cnpd pt
wwwcnpdpt
Processo AVG/2022/7121 6v (
81. Quando muito, poderia, até, servir como agravante, porquanto se torna menos desculpável
que uma organização que tenha em curso a implementação do RGPD, não tenha a preocupação
de atualizar informação básica como aquela que presta aos titulares dos dados.
82. Tal como descrito no ponto 64, também quanto à violação do princípio inscrito na alínea e)
do n. 0 1 do artigo 5. 0 e da alínea a) do n. 0 2 do artigo 13. 0 do RGPD, existe uma relação de
precedência, pelo que se não relevará na decisão final a violação do dever de informação citado.
83. Ainda no que respeita à definição de limites temporais para a conservação da informação,
acolhe-se o argumento relevado pelo Arguido da urgência e emergência da situação vivida à
altura sem que, contudo, se desmereça a possibilidade de, pelo menos, se estabelecerem
parâmetros mínimos de orientação para a conservação da informação.
84. Finalmente, retira-se a menção à inexistência de uma avaliação de impacto sobre a proteção
de dados relativamente aos tratamentos levados a cabo no contexto da LIMAR, não pela
inutilidade da realização dessa avaliação, mas porque não é legalmente enquadrável a sua
obrigatoriedade neste tratamento em específico.
85. Com os elementos constantes dos autos, com interesse para a decisão, consideramos
provados os seguintes:
iii. Factos
86. No dia 29 de abril de 2022, o jornal Expresso publicou como manchete a notícia assim
titulada "Ucranianos recebidos em Câmara CDU por russos pró-Putin" (cf. doe. junto ao
processo).
87. Na mesma constavam testemunhos de refugiados provenientes da Ucrânia, deslocados em
Portugal em resultado do conflito militar em curso entre aquele país e a Federação Russa.
88. Tais testemunhos, oferecidos sob anonimato, davam conta de que, na Câmara Municipal de
Setúbal, cidadãos russos, a pretexto da prestação de auxílio aos refugiados ucranianos que aí
chegavam para pedir apoio, colocavam questões a estes últimos sobre o paradeiro dos seus
familiares bem como sobre o que haviam ficado a fazer na Ucrânia.
89. O Município de Setúbal, pessoa coletiva, com o NIPC 510294104 tem como sede a Praça do
Bocage, 2901-866 Setúbal.
rJ Processo AVG/2022/7121 7 r
CNPD
Comissão Nacional
de Proteção de Dados
90. Nas notícias citadas era também retratada a execução de cópias de documentos
pertencentes aos refugiados na presença dos ditos cidadãos russos.
91. Os cidadãos expressamente referidos na notícia eram_ e_
92. Esta notícia e outras semelhantes foram sendo publicadas em vários órgãos de
comunicação social (cfr. notícias juntas ao processo).
93 .■-tem nacionalidade portuguesa-e é membro da Associação de Imigrantes dos
países de Leste - EDINSTVO.
94 ___ tem também nacionalidade portuguesa e é presidente da referida
associação.
95.--é trabalhadora Ourista) da Câmara Municipal de Setúbal.
96. A Associação de Imigrantes dos Países de Leste EDINSTVO, pessoa coletiva com o NIPC
506204:367 e sede na Rua de São Tomé e Príncipe, 18 r/c Dto., 2900-087 Setúbal, dedica-se ao
apoio a imigrantes provindos dos países de leste, mas também do Brasil, promovendo iniciativas
de auxílio à integração na comunidade e de índole solidária, cultural e lúdica.
97. A EDINSTVO foi fundada em 2002 por_ e_ .
98. Desde essa data, foram promovidas várias iniciativas inseridas no objeto da Associação,
estando incluída no Conselho Local de Ação Social de Setúbal - CLASS (cfr. autos de
declarações e ata da reunião do CLASS de 11 de março de 2022, juntos ao Relatório de Inspeção
à CMS, como Anexo VIII - fl. 2 a 7 e Anexo VI).
99. Em 2004 a Câmara Municipal de Setúbal protocolou com a ED!NSTVO a colocação de dois
colaboradores desta última para integração na equipa do Gabinete "SEI - Setúbal Etnias e
lmigraçÊío" (SEI), tendo como objetivo garantir o atendimento, aconselhamento e ajuda aos
imigrantes que naquele se apresentassem.
100. O SEI está integrado no Departamento de Cultura, Desporto, Direitos Sociais, Saúde e
Juventude da CMS.
101. O protocolo foi sucessivamente renovado, tendo-se mantido em vigor até maio de 2022.
Av. D. Carlos 1, 134, 1°
1200-651 Lisboa
T (+351) 213 928 400
F (+351) 213 976 832
geral@cnpd.pt
www.cnpd.pt
Processo AVG/2022/712 1 7v
102. lnexiste qualquer disposição no protocolo sobre proteção de dados pessoais ou que regule
as responsabilidades das partes na gestão desse tipo de informação.
103. A CMS, em face da iminente chegada de um fluxo considerável de refugiados ucranianos,
decidiu criar uma Linha Municipal de Apoio a Refugiados (LIMAR), em março de 2022, com
atendimento telefónico e presencial.
104. O Município de Setúbal assumiu, deste modo, a qualidade de responsável pelo tratamento
da informação tratada no âmbito dos serviços prestados através da LIMAR.
105. Para a LIMAR poder prestar o serviço para que foi constituída, foram disponibilizadas duas
salas no edifício do Mercado do Livramento, edifício público municipal, localizado em Setúbal,
uma para o atendimento e outra para apoio e arquivo do registo documental.
106. A sala de apoio e arquivo dispunha de armários próprios para conservação da
documentação e apenas era acedida pelos membros da LIMAR.
107. A equipa da CMS criou formulários específicos - formulário de "atendimento" e de
"atendimento telefónico" - (cf. Anexos Ili e IV do Relatório de Inspeção à CMS), para a recolha
dos elementos necessários ao apoio requerido no âmbito da LIMAR.
108. Estes formulários continham várias informações pessoais sobre os refugiados, desde o
nome, à morada, passando pela data de nascimento, estado civil, contactos, agregado familiar,
informação sobre os documentos de identificação, sobre a rede de suporte (identificação dos
locais e das pessoas com quem pudessem ficar e seus respetivos agregados), informação
sobre o período em que poderiam ficar com as pessoas dessa rede de suporte e identificação
sobre as necessidades dessas pessoas em matéria de alojamento, bens essenciais,
alimentação, saúde, educação, equipamentos de infância, emprego, respostas sociais, entre
outros, para além da descrição da situação concreta (cfr. Anexos Ili e IV do Relatório de
Inspeção à CMS).
109. Juntamente com os formulários de atendimento, poderia ser preenchida a ficha de
inscrição nos cursos de Português Língua de Acolhimento - PLA, do Instituto de Emprego e
Formação Profissional (IEFP), para os refugiados que manifestaram desejo de aprendizagem
da língua portuguesa, e era associada a cópia da página biográfica do passaporte ou de outro
documento de identificação.
rJ
CNPD
comissão Nacional
de Proteção de Dados
Processo AVG/2022/712 1 8
11 O. As fichas de inscrição do IEFP contêm, entre outros, os seguintes quadros relativos à
informa,ção pessoal dos requerentes: nome completo, morada, data de nascimento, estado civil,
sexo, n.0 de telemóvel, país de origem, número do documento de identificação, habilitações
literárias, profissão no país de origem, função ou profissão atual, situação laboral em Portugal
(cfr. An,exo VII do Relatório de Inspeção à CMS).
111. Os formulários de atendimento eram manuscritos, sendo arquivados os processos em
papel. Foi também criado um registo digital dos dados recolhidos, na plataforma "Microsoft",
em formato Excel - ficheiro "LIMAR_BASE.DADOS.xlxs", que exige palavra-passe para acesso
(ver Anexo XII do Relatório de Inspeção à CMS).
112. Do processo constava o formulário de atendimento, o Certificado de Proteção Temporária 1,
cópia dos documentos de identificação, certidões de nascimento de menores, ficha de inscrição
nos cursos de Português Língua de Acolhimento - PLA. do IEFP, e os comprovativos das
comunicações para os diversos serviços públicos para os apoios devidos, designadamente para
o IEFP para procura de emprego, para a Segurança Social de Setúbal, para o recebimento do
Rendim,ento Social de Inserção e outras prestações, para o Agrupamento dos Centros de Saúde
de Setúbal e para o Centro Hospitalar e para outras entidades públicas e privadas que garantem
os apoios solicitados, designadamente de alimentos, roupas e outros bens essenciais.
113. Do processo constava também a "Declaração de Consentimento", relativamente ao
tratamento de dados pessoais fornecidos à CMS no âmbito do apoio aos refugiados, na qual,
na parte relativa à comunicação de dados a terceiros, se afirma: "[ ... ] Mais autorizo que os
registos de dados recolhidos possam ser partilhados com outros serviços ou entidades no
sentido do encaminhamento para respostas específicas ou da prestação de apoio social
ajustados à situação, com as garantias de privacidade e não discriminação.[ ... ]" (cfr. Anexo Ili -
fl.4 do Relatório de Inspeção à CMS).
114. O texto da declaração encontrava-se redigido em português, ucraniano e russo.
115. Durante as diligências, foi verificado aleatoriamente o processo "A72", criado pela equipa
"FN / YK" e , com folha de rosto "Registo de Atendimento" e
1 Emitido na sequência do preenchimento online, em principio pelo interessado, do formulário do Serviço de Estrangeiros e Fronteiras
disponível em https://sefforukraine.sef.pt. Nos termos legais, devem ser submetidas cópias (dos dados' biográficos) dos documentos de
identificação e, no caso de menores, certidões de nascimento (cfr. Relatório de Inspeção ao SEF).
r
Av. D. Garlos 1,134, 1°
1200-651 Lisboa
T (+351) 213 928 400
F (+351) 213 976832
geral@cnpd.pt
www.cnpd.pt
Processo AVG/2022/712 1 8v
no qual constava a cópia de passaporte (folha de dados biográficos), a cópia do certificado de
proteçzio temporária e as cópias dos emails enviados para as entidades para o apoio necessário.
bem como a declaração de consentimento.
116. No topo de cada processo de atendimento constam as iniciais dos elementos que
efetuar,am o atendimento, como segue: "--/YK" ou "--/IK", sendo que onde se encontra " ..
constavam as iniciais do técnico do serviço social do Município.
117. Os procedimentos para a gestão dos processos relativos aos refugiados e o seu
encaminhamento para as entidades competentes foram alvo de discussão e fixação em reunião
da redEi do CLASS, presidido pelo Vereador da Cultura, Desporto, Direitos Sociais, Saúde e
Juventude da Câmara Municipal de Setúbal,- (cfr. Anexo VI do Relatório de Inspeção
à CMS).
118. Nela foi referida a matéria relativa aos cursos de PLA. mas não foi fixado ou aconselhado
o transporte das fichas de inscrição para o IEFP (cfr. Anexo VI do Relatório de Inspeção à CMS).
119. Sendo, antes, acordado um modelo de email a utilizar para situações de precariedade ou
necessidade de apoio - emprego, atendimento e apoio social, saúde· o qual não contemplava
a situação dos refugiados que pretendiam aprender português como língua de acolhimento (cfr.
Anexo V - fl. 3).
120. A LIMAR funcionou, a partir do mês de março de 2022, com recurso a funcionários do SEI.
121. As equipas de atendimento da CMS eram constituídas por dois colaboradores, um técnico
social e um tradutor, que no caso eram ou-
122. No período compreendido entre os dias 11 e 28 de março,
por doença.
esteve ausente
123. Nesse período apenas- colaborou nos atendimentos que envolviam tradução
(cf. Anexo VIII - fls. 2 a 4 do Relatório de Inspeção à CMS).
124. A participação de- na equipa não foi alicerçada em qualquer decisão formal
ou contratual, embora este não desempenhasse qualquer função no Município.
125.■-prestou apoio no âmbito da LIMAR, auxiliando à tradução e, a pedido dos
refugiados, no preenchimento de documentação para os cursos "Português Língua de
r
rJ Processo AVG/2022/712 1 9 (
CNPD
Comissão Nacional
de Proteção de Oados
Acolhimento - PLA" (aprendizagem da língua portuguesa) do IEFP e dos formulários SEF para
obtençiío do título de proteção temporária, na condição de voluntário (cf. Anexo VIII - fls. 2 a 4
do Relatório de Inspeção à CMS).
126. Diqitalizou e procedeu ao carregamento para o formulário SEF do passaporte e certidão de
nascimento das crianças para as quais foi, pelos próprios refugiados solicitado auxílio (cf.
Anexo VIII - fls. 2 a 4 do Relatório de Inspeção à CMS).
127. On~anizou e transportou fichas de inscrição nos cursos de PLA para o IEFP (cf. Anexo VI II
- fls. 1 a 7 do Relatório de Inspeção à CMS e Relatório de Inspeção ao IEFP).
128. Não foi possível apurar o número exato de fichas de inscrição para os cursos de PLA
transportadas por- .
1 29.■-prestou apoio como intérprete na informação inicial prestada aos refugiados,
referente aos apoios sociais e procedimentos de pagamento dos subsídios de transporte e
alimentação e da bolsa de formação, nas instalações do IEFP de Setúbal (cfr. comunicação
eletrónica do Diretor do IEFP de Setúbal junta aos autos).
130. Teve acesso aos equipamentos informáticos do LIMAR, usando credenciais da mulher,
habilitando-o a utilizar o computador e o portátil da CMS para acesso a portais Web onde
inseriria documentos (cf. auto de declarações junto ao processo).
131 .■-cedeu ao marido as credenciais de acesso a tais equipamentos (cf. auto de
declarações junto ao processo).
1 32.■-manteve colaboração como intérprete no contexto do acolhimento aos
refugiados e não procedeu a registo de dados nos processos internos (cf. Anexo VIII - fls. 5 a 7
do Relatório de Inspeção à CMS).
133. Essa colaboração terminou a 7 de abril de 2022 (cfr. Anexo VIII - fl. 1 do Relatório de
Inspeção à CMS).
134. A 3 de maio de 2022, o Presidente da Câmara Municipal de Setúbal, através do despacho
n. 0 153/2022, designou como EPD um trabalhador do Município que ocupava igualmente
funções dirigentes.
Av. D. Carlos 1, 134,
1200-651 Lisboa
T (+351) 213 928 400
F (+351) 213 976 832
geral@cnpd.pt
www.cnpdpt
Processo AVG/2022/712 1 9v
135. Tendo surgido dúvidas sobre a adequação dessa designação, foi solicitado à CNPD, a 1 O
de maio de 2022, pronúncia sobre a sua conformidade.
136. Ulteriormente, foi lançado um procedimento de contratação pública para prover ao cargo
de Encarregado da Proteção de Dados do Município de Setúbal.
137. Tal concurso veio a resultar na designação do novo Encarregado da Proteção de Dados, no
dia 22 de setembro de 2022.
138. Foi apurado não existirem na CMS políticas ou orientações de gestão segura da
informação que contenha dados pessoais, não sendo os funcionários da autarquia informados
sobre os procedimentos a adotar.
139. A exceção à inexistência das referidas políticas e/ou orientações é um correio eletrónico
da Divisão de Informática sobre a segurança das palavras-passe de acesso ao computador,
email e internet, que a autarquia disponibilizou à CNPD durante a ação inspetiva (cfr. Anexo IX
do Relatório de Inspeção à CMS)).
140. Não foi realizada nenhuma Avaliação de Impacto sobre a Proteção de Dados, não obstante
os refugiados (que se equiparam aos requerentes de asilo) serem considerados pessoas
vulneráveis de acordo com as Diretrizes sobre Avaliações de Impacto sobre a Proteção de
Dados do Comité Europeu para a Proteção de Dados (cf. critério 7 para a avaliação da
necessidade de realização de uma AIPO, pp. 12 das Diretrizes2).
141. Não estão definidos prazos de conservação para a informação recolhida pela LI MAR.
142. Não é prestada aos titulares dos dados (refugiados), no momento da recolha, informação
de quem é o responsável pelo tratamento, das finalidades do tratamento, dos destinatários ou
categorias de destinatários dos dados pessoais, dos direitos dos titulares dos dados, do direito
de apresentar reclamação a uma autoridade de controlo.
143. Do Registo de Atendimento consta uma "Declaração de Consentimento" com o seguinte
teor: Declaro que consinto que as informações e dados por mim fornecidos à Câmara Municipal
de Setúbal, no âmbito da Linha Municipal de Apoio aos Refugiados, sejam tratados por meios
automatizados ou outros, estando asseguradas as devidas garantias de privacidade e de não
2 Disponíveis em https://ec.europa.eu/newsroom/article29/items/61 l 236/en.
r
ProcessoAVG/2022/712110 r
Comissão Nacional
de Proteção de Dados
discriminação. Mais autorizo que os registos e dados recolhidos possam ser partilhados com
outros serviços e entidades no sentido de encaminhamento para respostas específicas ou da
prestação de apoio social ajustados à situação, com as garantias de privacidade e não
discriminação. Tomo igualmente conhecimento que será assegurada a confidencialidade e
segurança dos dados pessoais por mim fornecidos, podendo aceder-lhes e/ou retificar os
mesmos sempre que tal se justifique, nos termos da Lei n. 0 67/98, de 26 de outubro, na versão
da Lei n.0 103/2015, de 24 de agosto, e que as falsas declarações são punidas por lei.
144. Nessa declaração não consta qualquer referência ao Regulamento (UE) 2016/679 do
Parlamento Europeu e do Conselho, de 27 de abril de 2016, relativo à proteção das pessoas
singulares no que diz respeito ao tratamento de dados pessoais e à livre circulação desses
dados e que revoga a Diretiva 95/46/CE (Regulamento Geral sobre a Proteção de Dados).
145. Ao permitir que pessoas estranhas aos serviços municipais pudessem aceder a
equipamentos informáticos utilizados para o tratamento de dados pessoais sem perfil de
acesso específico e, bem assim, ao conceder-lhes acesso a informação dos refugiados
apoiados através da LIMAR, constante dos formulários dos cursos PLA, transportando-os para
o exterior das instalações do Município sem previamente assumir qualquer compromisso formal
e sem definir qualquer orientação sobre a gestão e segurança da informação assim acedida e
transportada, o arguido não atuou com os cuidados a que está obrigado, e de que era capaz,
representando como possível que estava a agir contra a lei.
146. Ao utilizar ficheiros Excel para a gestão e conservação da informação relativa a um
conjunto de titulares vulneráveis (refugiados), ficheiros que não comportam registos de
auditoria, não permitindo saber quem a eles acedeu, quando e que operações efetuou, o arguido
não atuou com os cuidados a que está obrigado, e de que era capaz, representando como
possível que estava a agir contra a lei.
147. Ao não definir os prazos de conservação da informação recolhida através da LIMAR,
mantendo a informação conservada para além do necessário, o arguido não atuou com os
cuidados a que está obrigado, e de que era capaz, representando como possível que estava a
agir contra a lei.
Av. D. Carlos 1, 134, 1 °
1200-651 Lisboa
T(+351)213928400
F (+351) 213 976 832
geral@cnpd.pt
www.cnpd.pt
Processo AVG/2022/712 , 10v r
148. Ao não disponibilizar as informações obrigatórias sobre os tratamentos de dados pessoais
de forma concisa, transparente, inteligível e de fácil acesso, o arguido não atuou com os
cuidados a que está obrigado, e de que era capaz, representando como possível que estava a
agir contra a lei.
149. Ao não designar o Encarregado da Proteção de Dados, o arguido não atuou com os
cuidados a que está obrigado, e de que era capaz, representando como possível que estava a
agir contra a lei.
150. O arguido agiu sempre de modo voluntário e consciente dos atos praticados.
IV. Convicção probatória
151. Os factos dados como provados tiveram por base a análise crítica da prova produzida.
tanto oral, como documentalmente, bem como os relatórios de inspeção que a CNPD real izou
no ACM, SEF, IEFP de Setúbal e CMS e os depoimentos recolhidos.
Destes últimos, destacam-se os seguintes (cf. autos de declarações juntos ao Relatório de
Inspeção à CMS):
a. As declarações de - que negou ter copiado os documentos de
identificação dos refugiados para o processo interno da CMS;
b. que confirmou ter cedido ao marido as credenciais de acesso aos
equipamentos informáticos;
c. De
terceiros;
que negou ter partilhado dados pessoais dos refugiados com
d. De- que nega ter copiado para si ou para terceiros, bem como rejeita ter
disponibilizado a entidades que não as indicadas pelo Município, a documentação
relativa aos refugiados a que teve acesso;
e. Da Chefe de Divisão de Direitos Sociais e Saúde da CMS, , que
afirmou que- manteve colaboração como intérprete no contexto do
:J
CNPD
comissão Nacional
de Proteção de Dados
Processo AVG/2022/712 i 11
acolhimento aos refugiados e que não procedeu a registo de dados nos processos
internos;
f. E que, atenta a ·articulação direta· de- com o IEFP - CE Setúbal, a qual
se devia à relação que aquele firmou mantinha com a delegação do IEFP enquanto
dirigente da associação EDINSTVO e formador, era este quem levava as inscrições
e cópias dos documentos de identificação para a frequência de cursos de PLA;
g. Finalmente, afirmou não ter recebido qualquer reclamação sobre o atendimento
efetuado aos refugiados;
h. Do presidente da Associação dos Ucranianos em Portugal, que
declarou não ter recebido qualquer queixa por parte de refugiados quanto ao
atendimento prestado em Setúbal;
i. E não ter conhecimento de qualquer caso de recolha ou envio de dados de
refugiados ucranianos para a Rússia, ainda que admitisse a existência desse risco.
V. D-ireito
152. A CNPD é competente nos termos do n.0 2 do artigo 58.º do Regulamento (UE) 2016/679,
de 27 de abril de 2016 - Regulamento Geral sobre a Proteção de Dados (RGPD), conjugado com
o artigo 3. 0, o n. 0 2 do artigo 4. 0, e a alínea b) do n. 0 1 do artigo 6. 0 , todos da Lei n. 0 58/2019, de
8 de agosto (LERGPD).
i. Violation of the principle of integrity/confidentiality (Article 5(1)(f) GDPR)
153. Article 5(1)(f) GDPR requires personal data to be "processed in a manner that ensures
appropriate security of the personal data, including protection against unauthorised or
unlawful processing and against accidental loss, destruction or damage, using appropriate
technical or organisational measures ('integrity and confidentiality')".
154. The CMS did not define organisational measures to safeguard information, or policies or
guidelines for the secure management of information, nor did it formally define any
commitment with EDINSTVO regulating access to, and the transport of, information containing
personal data.
155. Moreover, by allowing persons from outside the Municipality's services to use, without a
specific profile, the equipment on which personal data entrusted to the Municipality are
hosted, without any contract or formal agreement setting out the parties' obligations
regarding the protection of personal data, the Municipality of Setúbal violated the principle
of integrity and confidentiality.
156. Likewise, by keeping the information containing the refugees' personal data in Excel
files, even with password-restricted access, the Municipality of Setúbal violated this same
principle, given that storing personal data in an unstructured manner, in files for which the
traceability of accesses and changes is manifestly reduced or non-existent, represents, in
itself, a risk to their security, integrity and confidentiality.
ii. Violation of the principle of storage limitation (Article 5(1)(e) GDPR)
157. Article 5(1)(e) GDPR requires personal data to be "kept in a form which permits
identification of data subjects for no longer than is necessary for the purposes for which the
personal data are processed; personal data may be stored for longer periods insofar as the
personal data will be processed solely for archiving purposes in the public interest,
scientific or historical research purposes or statistical purposes in accordance with
Article 89(1) subject to implementation of the appropriate technical and organisational
measures required by this Regulation in order to safeguard the rights and freedoms of the
data subject ('storage limitation')".
158. The Municipality of Setúbal did not define any retention period for the personal data
collected through the Municipal Refugee Helpline, nor did it set out the criteria used to
define those periods.
iii. Violation of Article 13 GDPR
159. Recital 60 GDPR explains that "The principles of fair and transparent processing require
that the data subject be informed of the existence of the processing operation and its
purposes.".
160. Article 12(1) GDPR provides that: "The controller shall take appropriate measures to
provide any information referred to in Articles 13 and 14 and any communication under
Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent,
intelligible and easily accessible form, using clear and plain language, in particular for any
information addressed specifically to a child.".
161. Article 13(1) and (2) GDPR oblige controllers to provide data subjects with a specific
set of information, which includes the following, relevant to this case:
"1. (...):
a) the identity and the contact details of the controller and, where applicable, of the
controller's representative;
(...)
c) the purposes of the processing for which the personal data are intended as well as the
legal basis for the processing;
(...)
e) the recipients or categories of recipients of the personal data, if any;
(...)
2. (...):
(...)
b) the existence of the right to request from the controller access to and rectification or
erasure of personal data or restriction of processing concerning the data subject or to object
to processing as well as the right to data portability;
c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2),
the existence of the right to withdraw consent at any time, without affecting the lawfulness
of processing based on consent before its withdrawal;
d) the right to lodge a complaint with a supervisory authority;
e) whether the provision of personal data is a statutory or contractual requirement, or a
requirement necessary to enter into a contract, as well as whether the data subject is obliged
to provide the personal data and of the possible consequences of failure to provide such data."
162. The consent declaration attached to the case file, collected with the aim of legitimising
the processing of the refugees' personal data, contains no element of the information provided
for in points (a), (c) and (e) of paragraph 1 and points (b), (c), (d) and (e) of paragraph 2,
all of Article 13 GDPR.
163. Furthermore, the legal basis stated refers to Law No 67/98 of 26 August, which is
legislation that has already been repealed, so the provision of the information required by
Article 13(1)(c) must be regarded as defectively fulfilled.
164. This is because the GDPR became applicable on 25 May 2018, implicitly repealing a large
part of the rules of that national act, and Law No 58/2019 of 8 August, which entered into
force on 9 August 2019, expressly repealed the said Law No 67/98 of 26 August.
165. Equally defective is the identification of the third-party entities to which the personal
data may be transmitted, as provided for in Article 13(1)(e). Even if it is accepted that the
range of such recipients is extensive, the CMS cannot fail to recognise that at least the
entities defined in the procedures established by the CLASS, at the meeting of 11 March 2022,
could and should have been made known to the data subjects.
166. Finally, as regards Article 13(2)(b) GDPR, there is no reference to the possibility of
requesting erasure of the data or restriction of processing, or to the possible right to
request data portability.
167. As regards this set of violations, Article 83(5) GDPR is relevant, which provides that
"Infringements of the following provisions shall, in accordance with paragraph 2, be subject
to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of
the total worldwide annual turnover of the preceding financial year, whichever is higher:
a) the basic principles for processing, including conditions for consent, where consent is the
basis for lawfulness, pursuant to Articles 5, 6, 7 and 9; b) the data subjects' rights
pursuant to Articles 12 to 22".
iv. Violation of Article 37(1) GDPR
168. Under Article 37(1)(a) GDPR, "The controller and the processor shall designate a data
protection officer in any case where: the processing is carried out by a public authority or
body, except for courts acting in their judicial capacity".
169. By not designating a Data Protection Officer, the Municipality of Setúbal violated this
provision.
170. Regarding the violation of Article 37, it is noted that Article 83(4) provides:
"Infringements of the following provisions shall, in accordance with paragraph 2, be subject
to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of
the total worldwide annual turnover of the preceding financial year, whichever is higher:
a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39
and 42 and 43".
171. The CNPD has the corrective powers laid down in Article 58(2) GDPR.
172. In addition, it follows from the principle of the primacy of Union law, reflected in
Article 288 of the Treaty on the Functioning of the European Union, that regulations are
binding and directly applicable in all Member States, thereby ruling out any possibility of a
«State [...] unilaterally nullifying their effects by means of a legislative act that can be
relied on against Community texts» - CJEU judgments Costa/ENEL, Case 6/64;
Commission/Italian Republic, Case 39/72; Variola/Italian Finance Administration, Case 34/73.
173. Accordingly, the CNPD, on the grounds set out more fully in its Deliberação/2019/494 of
3 September (available at
https://www.cnpd.pt/umbraco/surface/cnpdDecision/download/121704), decides not to apply,
in the present case, by virtue of the principle of the primacy of European Union law, read
together with Article 8(4) of the Constitution of the Portuguese Republic, paragraph 2 of
Articles 37 and 38, as well as paragraphs 1 and 3 of Article 39, all of Law No 58/2019 of
8 August (hereinafter LERGPD).
v. Sanctions
174. It is thus established, in view of the facts ascertained, that the defendant processed
personal data without taking care to ensure the conditions for their security and integrity,
namely by not establishing organisational measures and not entering into binding commitments
with entities and/or persons from outside the municipal services who could access those
personal data.
175. It is also established that the defendant did not set the retention period for the
information or the criteria used to fix it, as it was obliged to do, nor did it erase the
information containing personal data as soon as it ceased to be relevant to the purpose
pursued and should therefore have been deleted.
176. Furthermore, in view of the facts ascertained, it is established that the defendant
failed to comply with specific obligations imposed on it by the GDPR, namely those of
providing information to data subjects.
177. Finally, it is also established that the defendant did not designate a Data Protection
Officer.
178. This means that there is sufficient evidence that the defendant committed three
administrative offences provided for and punishable,
i. the first under the combined provisions of Article 5(1)(f), as regards the failure to
ensure the security of the processing and the integrity and confidentiality of the personal
data processed, and Article 83(5)(a);
ii. the second under the combined provisions of Article 5(1)(e), for non-compliance with the
principle of storage limitation, and Article 83(5)(a),
179. the third under the combined provisions of Article 13(1) and (2) (Information to be
provided where personal data are collected from the data subject) and Article 83(5)(b),
180. all of the GDPR, each of them punishable by a fine of up to €20,000,000.00.
181. It is likewise established, in view of those same facts, that there is sufficient
evidence that the defendant committed an administrative offence provided for and punishable
under the combined provisions of Article 37(1) (designation of the data protection officer)
and Article 83(4)(a),
182. all of the GDPR, punishable by a fine of up to €10,000,000.00.
183. All the violations listed here were committed negligently, voluntarily and consciously.
The CNPD has the corrective powers provided for in Article 58(2) GDPR, namely those "to issue
reprimands to a controller or a processor where processing operations have infringed
provisions of this Regulation" (point (b) of that article) and "to impose an administrative
fine pursuant to Article 83, in addition to, or instead of measures referred to in this
paragraph, depending on the circumstances of each individual case" (point (i) of that article).
184. The violations of the principle of storage limitation (Article 5(1)(e) GDPR) and of the
duties to provide a set of information to the data subject when the data are collected
directly by the controller (Article 13(1) and (2)) must be regarded with a different degree
of censure from the others, given the emergency context at the time of the facts that
establish them. This is because the former are intrinsically linked to the process of
receiving the refugees, and in that situation an occasional, though always reprehensible,
lapse or lesser care is conceivable in complying with rules that did not appear to have the
same priority as the concrete need to provide the rapid humanitarian response that was being
sought.
185. The same cannot be said of the other violations, not because the context is different,
but because their existence does not depend on, and does not reflect, the one-off situation
of responding to the refugees' requests. Rather, they reveal a structural stance and
behaviour of the organisation, which shows serious deficiencies in taking on critical data
protection principles that extend beyond these specific processing operations.
186. Under Article 83(1), points (a) to (k), the amount of the fine is determined according
to the following criteria:
i. The nature, gravity and duration of the infringement taking into account the nature, scope
or purpose of the processing concerned as well as the number of data subjects affected and
the level of damage suffered by them - The violations committed by the defendant are
considered to be of significant gravity, given the group of data subjects concerned
(especially vulnerable), whose exact number was not determined, although the context in
which they occurred, in which the humanitarian emergency required more expeditious
procedures, makes their assessment less severe. The violations detected regarding the
principle of storage limitation took place over a relatively short period (about two months).
The violation regarding the designation of the DPO, by contrast, lasted from 25 May 2018
until 3 May 2022, and therefore deserves a greater degree of censure, although it has been
corrected.
ii. No damage caused to the data subjects was detected;
iii. Only one of the administrative offences with which the defendant is charged is not
punishable under the most severe penalty range provided for in the GDPR (namely, the
violation of the obligation to designate a data protection officer);
iv. The intentional or negligent character of the infringement - as already explained above,
the conduct relating to the infringements detected is considered negligent;
v. Any action taken by the controller or processor to mitigate the damage suffered by data
subjects - relevant here is the defendant's initiative to designate a data protection officer
and to terminate the protocol with the EDINSTVO association, although, as to the latter, the
correction could have been limited to compliance with Article 28 GDPR;
vi. The degree of responsibility of the controller or processor taking into account technical
and organisational measures implemented by them pursuant to Articles 25 and 32 - the
defendant's responsibility is considered high, as it did not define technical and
organisational measures that were minimally sufficient and suitable for protecting the
personal information processed;
vii. Any relevant previous infringements by the controller or processor - there are none;
viii. The degree of cooperation with the supervisory authority, in order to remedy the
infringement and mitigate its possible adverse effects - considered adequate, given that the
requested information was made available and there was cooperation at every stage of the
investigation process;
ix. The categories of personal data affected by the infringement - in this case, there is a
vast set of information on the refugees who approached LIMAR, who provided their name,
address, date of birth, marital status, contact details, household, information on
identification documents, on the support network (identification of the places and people
with whom they could stay and their respective households), information on the period during
which they could stay with the people in that support network, and identification of those
persons' needs regarding accommodation, essential goods, food, health, education, childcare
facilities, employment, social services, among others, in addition to the description of the
specific situation.
x. Among these data are some - those relating to health - that fall within the special
categories of data provided for in Article 9(1) GDPR.
xi. The manner in which the infringement became known to the supervisory authority, in
particular whether, and if so to what extent, the controller or processor notified the
infringement - which, in this case, resulted from the media publishing the suspicions of
violations concerning the processing of the refugees' personal data, and no mitigating
circumstance arises from this for the defendant;
xii. Compliance with the measures referred to in Article 58(2), where such measures have
previously been ordered against the controller or processor concerned with regard to the same
subject-matter - this criterion does not apply, since no corrective measures had previously
been ordered;
xiii. Adherence to approved codes of conduct pursuant to Article 40 or approved certification
mechanisms pursuant to Article 42 - a criterion that also does not apply, as there is no code
of conduct or certification mechanism in the terms indicated; and
xiv. Any other aggravating or mitigating factor applicable to the circumstances of the case,
in the light of Article 83(2)(k) GDPR, such as financial benefits gained, or losses avoided,
directly or indirectly, from the infringement - As a mitigating factor, account must always
be taken of the concrete context in which the violations occurred, at a time when the arrival
of Ukrainian refugees in Portugal was intense and public and private institutions were faced
with the urgency of responding to them.
xv. Account will also be taken of the Municipality's financial situation, reflected in the
information provided in points 184 to 186 of the defence, which show a significant drop in
executed revenue compared with 2021.
187. In view of the above criteria, the CNPD considers it necessary to apply, in this case,
two reprimands and a fine to the defendant, considering this to be the effective,
proportionate and dissuasive measure required given the concrete circumstances in which the
infringements occurred.
188. The range of the fine abstractly applicable to the defendant for the infringement
provided for and punishable under the combined provisions of Article 5(1)(f), as regards the
failure to ensure the security of the processing and the integrity and confidentiality of the
personal data processed, and Article 83(5)(a), has a maximum limit of €20,000,000.00.
189. Whereas the range of the fine abstractly applicable to the defendant for the infringement
provided for and punishable under the combined provisions of Article 37(1) (designation of
the data protection officer) and Article 83(4)(a), all of the GDPR, has a maximum limit of
€10,000,000.00.
190. Assessing the facts ascertained in the light of the criteria set out above, the CNPD,
under Article 58(2)(b) GDPR, also considers it appropriate to impose on the defendant:
i. a fine of €120,000 (one hundred and twenty thousand euros) for violation of
Article 5(1)(f), as regards the failure to ensure the security of the processing and the
integrity and confidentiality of the personal data processed, and Article 83(5)(a) GDPR;
ii. a reprimand, for violation of Article 5(1)(e) in conjunction with Article 58(2)(b) GDPR;
iii. a reprimand, for violation of Article 13(1) and (2) in conjunction with Article 58(2)(b)
GDPR;
iv. a fine of €100,000 (one hundred thousand euros) for violation of Article 37(1)
(designation of the data protection officer) in conjunction with Article 83(4)(a).
191. The sum of the individual fines gives a total of €220,000 (two hundred and twenty
thousand euros).
192. Having set out the individual fines, the single fine applicable to the present case must
now be determined.
193. Article 83(3) GDPR provides that "[i]f a controller or processor intentionally or
negligently, for the same or linked processing operations, infringes several provisions of
this Regulation, the total amount of the administrative fine shall not exceed the amount
specified for the gravest infringement". As its wording makes clear, that rule is to be
invoked only where the infringements were committed "for the same processing operations" or
for "linked processing operations", which is not the case here, so that the General Regime of
Administrative Offences (RGCO) applies, by virtue of Article 45 of Law No 58/2019 of 8 August.
194. Article 19 of the RGCO lays down the legal criteria for the legal cumulation of fines,
under which the single fine to be imposed in the decision must be set between a minimum limit
consisting of the highest of the fines actually imposed for each of the administrative
offences (paragraph 3), in this case €120,000 (one hundred and twenty thousand euros), and a
maximum limit consisting of the sum of the fines actually imposed for each of the
administrative offences (paragraph 1), that total being €220,000 (two hundred and twenty
thousand euros).
195. Thus, the abstract range of the single fine to be imposed lies between a minimum of
€100,000 (one hundred thousand euros) and a maximum of €220,000 (two hundred and twenty
thousand euros).
vi. Grounds for imposing the single fine
196. The essential prerequisite for the legal cumulation of individual fines is the commission
of several infringements by the same defendant before the conviction for any of them has
become final.
197. Accordingly, legal cumulation requires the following procedural and substantive
conditions to be met: (i) the sanctions relate to administrative offences committed before
the conviction for any of them became final, (ii) they were committed by the same defendant
and the individual sanctions are of the same kind.
198. These conditions are cumulatively met in the present case, owing to the existence of an
effective or pure concurrence of offences, both as real concurrence and as ideal concurrence.
199. It was established that the defendant acted freely and consciously, albeit negligently,
in
i. not ensuring that the data it processed were processed "in a manner that ensure[d]
appropriate security of the personal data, including protection against unauthorised or
unlawful processing and against accidental loss, destruction or damage, using appropriate
technical or organisational measures".
ii. not designating a data protection officer.
200. The concrete context in which the violations occurred is relevant here, together with
the fact that the Municipality acted in order to overcome humanitarian and emergency
constraints. Those constraints are novel to a degree that may explain some of the lack of
preparation shown.
201. In any event, the violation of the obligation to designate a Data Protection Officer is
not directly linked to that emergency, so the same degree of mitigation attributed to the
other violation cannot be accepted for it.
202. Having regard also to the legal interests protected by the administrative offences in
question, which the defendant committed, it appears effective, proportionate and dissuasive
to impose on the defendant, by legal cumulation, under the combined provisions of
Article 83(3) GDPR and Article 19(3) of the RGCO, a single fine of €170,000.00 (one hundred
and seventy thousand euros).
vi. Conclusion
203. In view of the above, the CNPD decides:
To impose on the defendant, the Municipality of Setúbal,
a) pursuant to Article 19 of the RGCO, a single fine of €170,000 (one hundred and seventy
thousand euros) for the violation of the principle of integrity and confidentiality and the
violation of the obligation to designate a data protection officer;
b) pursuant to Article 58(2)(b) GDPR, two reprimands,
i. One for the violation of the principle of storage limitation;
ii. One for the violation of the duty to provide the essential information when personal
data are collected from the data subject.
204. Under Article 58(2) and (3) of the General Regime of Administrative Offences, to inform
the defendant that:
a) The decision becomes final and enforceable if it is not judicially challenged, under
Article 59 of the same act;
b) In the event of a judicial challenge, the Court may decide after a hearing or, if the
defendant and the Public Prosecutor do not object, by simple order.
*
205. The defendant shall pay the fine within a maximum of 10 days after the decision becomes
final, sending the respective payment slips to the CNPD. If timely payment is not possible,
the defendant must inform the CNPD of this in writing.
Approved on 2 November 2022
Ana Paula Lourenço (rapporteur)
Luís Barroso
Maria Cândida Guedes de Oliveira
JoséGraz~
Maria da Conceição Diniz
Filipa Galvão (President)
</pre>
</pre>

Latest revision as of 10:02, 21 December 2022

CNPD - Deliberação 2022/140
Authority: CNPD (Portugal)
Jurisdiction: Portugal
Relevant Law: Article 5(1)(e) GDPR
Article 5(1)(f) GDPR
Article 13(1) GDPR
Article 13(2) GDPR
Article 37(1) GDPR
Article 37(7) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 02.11.2022
Published: 17.11.2022
Fine: 170000 EUR
Parties: Município de Setúbal
National Case Number/Name: Deliberação 2022/140
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Portuguese
Original Source: CNPD (in PT)
Initial Contributor: Carmen Villarroel

The Portuguese DPA reprimanded and fined the municipality of Setubal €170,000 for violations of the integrity and confidentiality principle, the storage limitation principle, the information obligations from Article 13 GDPR and for not appointing a DPO with regard to the collection of personal data of Ukrainian refugees, who were using a helpline in Portugal.

English Summary

Facts

The Portuguese DPA started an investigation into the Municipality of Setubal (controller) after a journalistic article from the newspaper Expresso was published titled 'Ukrainians welcomed in CDU Chamber by Pro-Putin Russians' ("Ucranianos recebidos em Câmara CDU por russos Pró-Putin").

This article contained anonymous accounts of Ukrainian refugees. According to the article, Russian citizens were present in the same room where Ukrainian refugees' personal data was stored (such as copies of identification documents). These Russian citizens - allegedly part of an Eastern European Immigrants' Association (EDINSTVO), an organisation for the support of eastern European migrants - also asked the refugees questions about the whereabouts of their relatives and what they were doing in Ukraine. In total, two members of EDINSTVO were integrated by the controller into the Setúbal Office of Ethnicities and Immigration (SEI) in order to provide assistance, counselling and help to the refugees. The article accused these Russian citizens of sharing this personal data with the Russian Government.

This all happened in the framework of a Municipal Refugee Helpline (LIMAR), which was created in March 2022. The controller was responsible for the processing done by this helpline. The Helpline used two rooms of the controller's building to offer its services, one for customer service and the other for archiving. Both rooms were accessible only to members of the helpline.

The helpline used two forms to collect data from refugees seeking assistance: an assistance form and a telephone assistance form. Using these forms, personal data was collected by the controller. Among other things, the controller collected the name, address, date of birth, marital status, information on the support network (identifying the places and people they might stay with and their respective households) and information on the period they might stay with the people in that support network, in addition to a description of the specific situation of each refugee. The assistance forms were handwritten and were stored in a filing cabinet. All collected personal data was later also entered into a password-protected Excel file.

Additionally, the forms were accompanied by a declaration of consent for processing. The controller asked refugees for consent to 'authorise that the data records collected may be shared with other services or entities for the purpose of to specific responses or to provide social support adjusted to the situation, with the guarantees of privacy and non-discrimination'. Furthermore, together with the assistance forms, refugees were also offered the chance to sign up for Portuguese language courses, for which they needed to provide a copy of an identification document.

In this context, one of the Russian citizens, who acted as a translator, was on medical leave for some time. This translator was informally substituted by her husband. The translator had given her husband her login credentials to access the helpline's systems. This change was not documented or formalised in any way. The husband, who was not an employee of the controller, helped to collect and copy personal data and documents from various refugees and acted as a translator himself.

Holding

The DPA found that the controller had violated the integrity and confidentiality principle from Article 5(1)(f) GDPR by not defining organisational measures for safeguarding information, or policies or guidelines for the secure management of information. Nor did the controller determine a procedure, together with the Eastern European Immigrants' Association, that would regulate access to and handling of the processed data. The only exception to the absence of such policies and guidelines was an e-mail from the IT Division on the security of computer access passwords, email and internet. Article 5(1)(f) GDPR was also breached by allowing people outside the controller's services to access computer equipment used for processing personal data without a specific access profile, as well as by granting them access to information on refugees supported through the Helpline. The principle was further breached by the controller's use of Excel files for the management and storage of information relating to a group of vulnerable data subjects (refugees). These Excel files did not have any audit records. It was therefore impossible to know who had accessed them, when they were accessed and what operations were carried out. The fact that the Excel files were password-protected did not mitigate this.

The DPA also found that the data storage periods had not been defined, nor were the criteria for establishing storage periods. This constituted a violation of the storage limitation principle (Article 5(1)(e) GDPR). Also, no information was provided to the data subjects about the identity of the controller, the purposes of the processing, the recipients or categories of recipients, the rights of the data subjects, or the right to lodge a complaint with a supervisory authority. The DPA noted that, at least, the entities that were involved in this procedure were known to the controller, so they could have been mentioned to the data subjects, together with their data subject rights. Lastly, the DPA highlighted that the only reference made to data protection legislation was obsolete. Hence, the DPA concluded that the controller also violated Article 13 GDPR. The DPA also found that the controller had not appointed a DPO, which resulted in a violation of Article 37 GDPR. A DPO was only appointed after the start of this procedure, on 22 September 2022.

The DPA also found that no data protection impact assessment (DPIA) had been carried out in order to analyse the processing of personal data in this context, which was required when processing data of vulnerable data subjects, according to the EDPB Guidelines on Data Protection Impact Assessment (p. 12). However, the DPA did not specify that Article 25 GDPR had been breached.

The DPA acknowledged that this was an emergency situation and that this could mitigate the degree of gravity of the infringement with regard to some elements, such as parts of the information obligation (Articles 13(1) and 13(2) GDPR), as well as the storage limitation obligations. However, the DPA also remarked that some other violations constituted proof of structural non-compliance and were therefore of more gravity. Also, according to the DPA, the Helpline project had been discussed within the Setúbal Local Council for Social Action (CLASS), and therefore important matters such as the fundamental right to privacy and data protection of vulnerable people such as refugees should have also been discussed, despite the urgency.

For the above violations, the CNPD imposed a fine of €120,000 for the violation of Article 5(1)(f) GDPR and a fine of €100,000 for the violation of Article 37 GDPR. The DPA issued a reprimand for the violations of Article 5(1)(e) GDPR and Article 13 GDPR. This resulted in a total fine of €220,000. The two fines were nonetheless accumulated, following Portuguese legal principles, which resulted in a fine of €170,000.

Comment

Additionally, an investigation into this matter was carried out by the judicial police. [Source]

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.


DELIBERATION/2022/1040 
1. The National Commission for Data Protection (CNPD) prepared, on 14 September 2022, a draft decision in which the defendant Municipality of Setubal was accused of committing, in material authorship, in the form consummated and with negligence, i. a misdemeanour, p. e p. by Article 5(1)(f) in conjunction with Article 83(5)(a), both of the RGPD, sanctioned with a fine, up to the maximum amount of €20,000,000.00, each; ii. a misdemeanour, p. e p. by Article 5(1)(e) in conjunction with Article 83(5)(a), both of the GDPR, will be sanctioned with a fine, up to the maximum amount of €20,000,000.00, each; iii. by Article 13(1) and (2), in conjunction with Article 83(5)(b), both of the GDPR, is punished with a fine, up to the maximum amount of €20,000,000.00; iv. by Article 37(1) and (7) of the GDPR, in conjunction with Article 83(4)(a), both of the GDPR, sanctioned with a fine of up to EUR 10,000,000.00; and
2. The defendant was notified of the content of the referred draft and, in terms of the provisions of article 50 of Decree-Law 433/82, of 27th October, to present his defence, he came, through his Honourable Attorney, to allege, in sum: a) The inappropriateness of the Draft Deliberation, based, according to the Defendant, on a "factual, legal and news miscellany" and in which it is unintelligible "the connection between a significant set of facts and the legal scope of the sanctions indicated as potentially applicable"; b) The invalidity of the procedure for breach of a substantial right: Article 39(3) of the LERGPD; c) The invalidity of the non-application of the provisions of Articles 37(2) and 39(1) of the LERGPD; d) The existence of errors and incompleteness in the factual material considered; e) The need to take into account relevant facts which were not contained in the draft Decision; f) It also requested the exemption of the imposition of a fine under the terms of Article 44, paragraph 3 of Law no. 58/2019, of 8 August.
3. The defendant did not deny, contradict or even contradict any element of the draft resolution regarding the lack of designation of the data protection officer of the Municipality on the date of the facts. 
4. Moreover, the defendant protested to join 19 (nineteen) documents, which, to date, has not occurred. 
I. Application for exemption from fines 
5. The defendant requested the waiver of the imposition of fines, pursuant to Article 44(3) of Law 58/2019 of 8 August. However, paragraph 2 of that article 44 defines the period of "three years from the entry into force of this law" as the period of time during which public entities may request the waiver of fines, so that rule ceased to have effect on 9 August.
6. As an argument to support the maintenance of the above prerogative, he pointed out "the suspension, and later extension, of deadlines operated by the commonly called COVID-19 legislation". 
7. It would be up to the defendant to clarify to what extent the legislation passed during the pandemic can be considered to enable the conclusion drawn. It is not clear how a time-limit objectively set for the exercise of an exceptional prerogative of public authorities, in the specific context of administrative offence proceedings in which it is possible that they may be sentenced to pay a fine, can be extended to a time when those proceedings are unlawful and the time-limit laid down by law for the exercise of that prerogative has already expired. 
8. It should be noted that the ratio of the extensions included in the set of legislation that the defendant calls "COVID legislation", were instituted precisely to address constraints arising from the pandemic context, something that clearly does not apply to the present case, which was neither directly nor indirectly affected by the pandemic.
9. Even if the understanding was different as to the impossibility of, at the present moment, applying the regime laid down in Article 44(2) of the GDPR, the CNPD interprets the regime provided for therein as conferring on it a discretionary power to assess, in the light of the specific infringement, whether it would be justified to depart from the general rule of imposing a financial penalty on a given public body, as the controller (or processor), taking into account the different interests and rights at stake.
10. However, taking into consideration the gravity of the infractions, the weighting of the rights of the data subjects and the public interests that the violated legal rules seek to safeguard, as will be justified below, the decision of the CNPD would always be not to waive the fine in this specific case. 
11. Thus, any of the arguments set out above concur in the decision not to waive the fine.
II. Appreciation 
i. Regarding the alleged inappropriateness of the Draft Resolution 
12. Contrary to what the defendant claims, the present administrative offence proceeding is not marked by the media hype that has undeniably surrounded all the related issues. 
13. The mere fact that this is an issue to which the media have dedicated an extensive and intense attention did not condition or enhance any factual assessment that the CNPD expressed in the Draft Deliberation. 
14. Moreover, the references to the fact that the media have publicly reported on the matter only serve to frame the impetus that led to the opening of the investigation procedure, since the "news" of the potential violation of the RGPD rules was made known in those same media. 
15. The facts contained in the draft decision provide the basic context that allows the defendant to understand the meaning and scope of the CNPD's action, even if some of them serve to exclude what is not and cannot be the object of a decision by the national supervisory authority in matters of data protection.
16. The subjective analysis of the defendant is not, therefore, supported by the context of the facts established and the accusations made against him, which refer exclusively to the violations that, after due investigation, were found to have taken place. 
17. For that reason, the references to the citizen - his conduct and behaviour - are not affected by any mention of his Russian citizenship, but are based on the facts obtained during the investigations in the course of the case.
ii. on the invalidity of the procedure for breach of a substantial right: Article 39(3) as well as Article 37(2) and 39(1) of the LERGPD 
18. The Defendant disputes that the CNPD can dismiss the application of Article 39(3) of Law no. 58/2019, of 8 August, as this rule configures a substantial right that cannot be dismissed by the CNPD.
19. This is a legal/judicial understanding which differs from that of the Commission and which, as repeatedly explained, cannot be accepted. 
20. Indeed, Regulation (EU) 2016/679, of 27 April 2016 - General Data Protection Regulation (GDPR), like any regulation issued by the European Union, has a general nature. It is binding in its entirety and directly applicable in all Member States (Article 288 of the Treaty on the Functioning of the European Union). 
21. Such special features of regulations cannot be set aside by national legislation, as stated in the case law of the Court of Justice of the European Union and in the CNPD's Deliberação 2019/494.
22. Recently, the Constitutional Court, in case no. 422/2020, of July 15, clarified any remaining doubts about the limits (or lack of them) of application of the principle of the primacy of EU law, ruling "Under Article 8(4) of the CRP, the Constitutional Court may only assess and refuse to apply a rule of the EUSD, if it is incompatible with a fundamental principle of the democratic rule of law which, in the proper scope of the EUSD - including, therefore, the jurisprudence of the CJEU -, does not have a parametric value materially equivalent to the one recognized in the Constitution, since such a principle is not the same as that recognized in the Constitution. necessarily imposes the very convention of "joint exercise, in cooperation or the institutions of the Union, of the powers necessary for the construction and deepening of the European Union". However, where the assessment of a rule of the TEU is concerned, in the light of a (fundamental) principle of the democratic rule of law which, in the context of the TEU, has a parametric value materially equivalent to that which is recognised in the Portuguese Constitution, which is effectively guaranteed by the CJEU (in accordance with the contentious means provided for in the TEU), the Constitutional Court refrains from assessing the compatibility of that rule with the Constitution"
23. The CNPD believes that, with regard to the applicability of the GDPR and, in particular, the direct applicability of its sanctioning regime, the existing principles under the EU Directive have a parametric value materially equivalent to that recognized in the Portuguese Constitution. 
24. As Paulo Pinto de Albuquerque notes (in his "Comentário do Regime Geral das Contraordenações à luz da Constituição da República e da Convenção Europeia dos Direitos do Homem"), "According to the jurisprudence of the CJEU, the fundamental rights of the person concerned in a the right to a hearing before the administrative authority, (2) the right to non-self incrimination, (3) the right to a statement of reasons for decisions, (4) the right of access to documents, (5) the right to legal representation, which includes the right to confidentiality of communication between the lawyer and the sanctioning authority. and the client, and (6) the right of access to an independent and impartial tribunal within a reasonable time" (see footnote 28 to Article 1).
25. These rights "may be invoked not only before European judicial bodies but also before national judicial bodies when the latter are empowered to apply the law of the European Union ...". (see footnote 31, ibid.). 
26. What the defendant seems to advocate is not so much the compatibility of the national legislation with the provisions of the RGPD, but rather the priority of an internal regime that effectively removes the law by creating a step prior to its application, which was never intended or authorised by the European legislator. 
27. However, to consider that a condition which national law imposes as indispensable for the implementation of EU law (through a regulation which, as stated above, is binding in all its aspects) is to be regarded as elements is directly applicable in all member states) does not create an area of non conformity and inequality in the application of that regime in the various countries of the Union, it cannot be considered a relevant argument.
28. To accept this argument would mean allowing any EU country to create similar regimes for any EU regulation, thereby preventing them from being directly applicable. 
29. By pointing to the existence of a substantial right denied to him, the Defendant rightly refers us to the field of application of EU law, to the consideration of the effects of the principle of primacy and to the field of application of the most recent constitutional jurisprudence, which, as we have seen, does not support his interpretation. 
30. For the rest, reference is made to the contents of the CNPD's Deliberation 2019/494, in particular regarding the binding nature of this Commission to the principle of loyal cooperation provided for in Article 4(3) of the Treaty on European Union, 
31. as well as on the manifest inappropriateness of this rule in comparison with the consistency mechanism provided for in the RGPD and, furthermore 
32. on the fact that administrative authorities are also obliged to disapply national rules which are contrary to EU law. 
33. Remember that all these principles are expressly provided for in the Treaties. 
34. And that the CNPD's deliberation 2019/494 was published precisely with the aim of warning those affected by the national legislation, in order to increase legal certainty regarding the decisions that would be issued. 
35. Furthermore, in concrete cases, with final decisions and publicly available (see https://www.cnpd.pt/comunicacao-publica/noticias/cnpd-aplica-sancao-ao-municipio-de-lisboa/) the CNPD has reaffirmed this understanding.
36. It is also clear that the argument that the CNPD "annihilated a right" cannot be considered admissible, since such a right (if it existed) never existed.
37. It is, for all the above, incomprehensible the accusation that the CNPD "does nothing to ensure that the mechanisms of primacy, intended to ensure the modification of the regime (if due), with respect for the rules of legal certainty, are triggered". 
38. As regards the non-application of Articles 37(2) and 39(2), the arguments set out above and in point 5 of Resolution 2019/494 also apply.
iii. As to the existence of errors and incompleteness in the matter of fact considered
39. The CNPD's allegation of a lack of information is incomprehensible. 
40. In fact, and as Augusto Silva Dias teaches "The instruction begins with an investigation aimed at collecting evidence, but it is not necessary to do so" (in Direito das Contraordenações, publisher Almedina, reprint, 2020, p. 215).
41. In any case, the CNPD not only instructed the case, gathering the necessary elements to take a decision, but also proceeded with the investigation. 
42. The reports in the case file bear this out and the evidence referred to in the draft Decision confirms this concern. 
43. At no time was any factual element denied or postponed in favour of the Municipality. 
44. It is up to the final decision to duly consider all these elements and circumstances, which will be done in parts V and VI of this deliberation. 
45. Again citing Augusto Silva Dias, it should be recalled that "the finding of illegality is not yet the final decision of the administrative authority" although "it does, however, delimit to a certain extent the object of the procedure in the administrative phase" (p. 225 of the quoted work). 
46. However, the information which must necessarily be disclosed to the defendant is the same as that which has already been provided. well known and jurisprudentially established: "communication of the alleged facts with a "sequential description, narratively oriented and spatio-temporally of the elements indispensable to the singularization of the conduct that is against ordinally relevant and this description must contemplate the objective characterization and the action or omission to which the accusation relates (TC ruling no. 99/2009). Said in the formula used by the ruling of the ETS n. 1/2003, the rights of defence and hearing ensured within the scope of the misdemeanour procedure will imply, in summary, that the defendant will be given prior knowledge of "all the relevant aspects for the decision, in matters of fact and law" (note 4 to article 50, of the already quoted work of Paulo Pinto de Albuquerque).
47. Which, s.m.o. has been implemented in the draft resolution. 
48. As regards the allegation that the CNPD disregarded the collaborative nature of the intervention The delegation of tasks and the existence of an inter-administrative contractualisation (even if not formalised), in which the task of the municipality, especially with regard to respects data collection was essentially an instrumental task (parallel or The terms of the CNPD's censure of the municipality should be precise. 
49. This is not to disregard any degree of interadministrativeness or joint action with other public and, it should be remembered, private entities, with which Setubal Municipality decided to promote collaborative actions. 
50. What deserves censure is the action of the Municipality, as the controller, to the strict extent of its responsibilities, including, as is the law, the provision of essential information on the processing. 
51. The municipality itself, through LIMAR, has developed its own service forms which it is responsible for maintaining and managing autonomously. 
52. Also the intervention of is not censured as a member of the association with which the Municipality established the partnership, but rather for the fact that this partnership was not properly formalised in order to frame its participation in the context of LIMAR. 
53. Moreover, it should be made clear to the defendant that the fact of entering into a partnership with a third party entity does not automatically mean that it ceases to be regarded as a third party. Its qualification will depend on the extent to which it operates in the area of processing of personal data.
54. What is reprehensible, then, is the fact that the minimum care required is not taken, either from a formal point of view - with the agreement or subcontracting contract - or from a substantive point of view, with the implementation of minimum measures to control access by persons outside the services of the Municipality to equipment containing personal data. 
55. Especially when the data relates to especially vulnerable data subjects such as refugees. 
56. The CNPD has not commented on the number and quality of data that refugees would have to provide in order to obtain support, which makes it redundant to argue, as the defendant does, that this information was indispensable. 
57. Note that the defendant never denies or justifies why Excel files were used for the management and conservation of the personal information of refugees who came to LIMAR.
58. As for the existence of training, it is admitted what is alleged by the defendant in points 106 to 109, where it is detailed the two training courses given (although reduced), the target audience (although limited), their duration and date of occurrence, although the documents proving these courses have not, to date, entered the services of the CNPD.
59. However, it should be stressed that there is a clear lack of training for a relatively small number of employees given after the GDPR has come into force and well after its entry into force, in this case in September 2018 and April 2019. 
60. The factual material on that specific point will therefore be corrected. 
61. Concerning the appointment of the Data Protection Officer, it is confirmed that he has already been appointed, albeit only on 22 September 2022. 
62. The accused defends that also the declaration of consent was, in the meantime, altered, which is admitted, but which, due to its non-joinder to the case file or insertion in the body of the defense, cannot be relevant.
v. On the objective elements of the types of offence 
63. The defendant believes that the CNPD should choose to frame the violations of Article 5(1) in the concrete provisions of Articles 28 and 32 of the RGPD.
64. However, Article 28 sets out the conditions under which a subcontracting relationship must occur and does not seek to punish those in which formalisation has not taken place. 
65. Article 32 also defines a set of specific, but not exhaustive, safety measures to be implemented in order to guarantee the safety of the treatments. 
66. What the CNPD censured in the draft decision was a set of procedures to which not even the minimum security measures were applied, revealing a censurable behaviour not due to the inadequacy of concrete measures but rather due to a coherent and consistent action of total disregard for the principle enshrined in Article 5(1)(f) of the RGPD.
v. On violations of Article 13
67. The Municipality of Setubal argued that the data collection it carried out was merely instrumental and dependent on the instructions or definitions of third parties. 
68. He therefore maintains that it cannot be said that the data controller or the recipients of the data were not known. 
69. It is factual that, in several cases, the Municipality collected information framed in forms from third parties. 
70. The CNPD does not censure this reality, but rather the circumstance that, by creating a specific service to support refugees, the Municipal Refugee Helpline (LIMAR), the CNPD has not, in this context, informed the owners of the data of various elements provided for in Article 13(1) and (2) of the RGPD, as is their obligation, regardless of the context in which the collection of data is carried out.
71. Admitting that the emergency context in which it found itself could make the availability of these elements a non-priority, the emergency should always be framed within the existing framework of preparation. 
72. Even so, this framework allowed for the existence of previous meetings of the Setubal Local Council for Social Action - CLASS and the definition of action procedures which could and should have included the matter of data protection within its scope. 
73. It is precisely in the context of supporting data subjects in particularly vulnerable situations and in a context of atypicality, as was the case here, that the protection of fundamental rights such as the protection of personal data becomes more urgent. 
74. Regarding the lack of mention of the Data Protection Officer in the information to be provided, the defendant has the argument that, in the absence of such a person, he could not be informed, but this does not exempt him from the obligation of designation, nor does it contribute to the mitigation of this original violation. 
75. An obligation that had been binding on him since 25 May 2018, but whose designation process only began on 3 May this year. 
76. Obligation, moreover, reinforced by Law no. 58/2019, of 8 August, which expressly repeats the imperative nature of the designation of the EPD.
77. Furthermore, one cannot accept the argument that the "oversight" in the mention of the data protection legislation in force in the declaration of consent is excusable in the context of the ongoing "systematic implementation of the GDPR". 
78. Firstly, because the defendant has failed to demonstrate that there was any systematic implementation in progress and, 
79. Secondly, because even if such an implementation did exist, it would always be late and, therefore, of little relevance to the facts established. 
80. It should be noted that Regulation 2016/679 of 27 April 2016 entered into force on 24 May 2016 and its application was deferred to 25 May 2018 (cf. Article 99(2)).
81. At most, it could even serve as an aggravating factor, since it becomes less excusable that an organisation which is in the process of implementing the RGPD is not concerned with updating basic information such as that which it provides to data subjects. 
82. As described in point 64, also with regard to the breach of the principle enshrined in Article 5(1)(e) and Article 13(2)(a) of the GDPR, there is a relation of precedence, and therefore the violation of the aforementioned duty of information will not be taken into account in the final decision.
83. Also with regard to the definition of time limits for the preservation of information, we accept the argument raised by the Defendant regarding the urgency and emergency of the situation experienced at However, this does not mean that the possibility of at least establishing minimum guidelines for the conservation of information should be disregarded. 
84. Finally, the absence of an impact assessment on data protection in relation to the processing carried out in the context of LIMAR is noted, not because of the It is not necessary to carry out such an assessment, but because it is not legally required for this particular treatment. 
85. With the elements in the file, of interest for the decision, we consider the following to be proven:
iii. Facts 
86. On 29 April 2022, the Expresso newspaper published a headline with the headline "Ukrainians received in CDU chamber by pro-Putin Russians" (see document attached). 
87. It contained testimonies of refugees from Ukraine, displaced in Portugal as a result of the ongoing military conflict between that country and the Russian Federation. 
88. These testimonies, offered anonymously, stated that in the City Hall of Setubal, Russian citizens, on the pretext of helping Ukrainian refugees who came to ask for help, asked the latter questions about the whereabouts of their relatives and what they were doing in Ukraine. 
89. The Municipality of Setubal, legal entity with NIPC 510294104, has its headquarters at Praça do Bocage, 2901-866 Setubal.
90. In the news reports mentioned above, it was also reported that documents belonging to the refugees were copied in the presence of the so-called Russian citizens. 
91. The citizens specifically mentioned in the news were 
92. This and similar news items have been published in various media (cf. news reports attached to the case). 
93.- has Portuguese nationality and is a member of the Associação de Imigrantes dos Países de Leste - EDINSTVO.
94. association. 
95. is also of Portuguese nationality and president of the aforementioned and Ourista worker) from Setubal City Council. 
96. The Associação de Imigrantes dos Países de Leste EDINSTVO, collective person with NIPC 506204367 and headquarters at Rua de São Tomé e Príncipe, 18 r/c Dto., 2900-087 Setubal, dedicates itself to support for immigrants from the Eastern European countries, but also from Brazil, by promoting initiatives to help integration in the community and solidarity, culture and entertainment.
97. EDINSTVO was founded in 2002 by_e_.
98. Since then, several initiatives within the scope of the Association have been promoted, being included in the Conselho Local de Ação Social de Setubal - CLASS (cf. record of statements and minutes of the CLASS meeting of 11th March 2022, attached to the CMS Inspection Report, as Annex VIII - pages 2 to 7 and Annex VI).
99. In 2004, Setubal City Council signed a protocol with EDINSTVO to place two of the latter's employees in the "SEI - Setubal Etnias e Imigração" (SEI) Office team, with the aim of providing assistance, advice and help to immigrants who present themselves.
100. The SEI is integrated in the Department of Culture, Sports, Social Rights, Health and Youth of CMS. 
101. The protocol was successively renewed and remained in force until May 2022.
102. There are no provisions in the protocol on the protection of personal data or the responsibilities of the parties in the management of such information. 
103. The CMS, in view of the imminent arrival of a considerable influx of Ukrainian refugees, has decided to set up a Municipal Refugee Helpline (LIMAR) in March 2022, with telephone and face-to-face service. 
104. The Municipality of Setubal has thus assumed the responsibility for the processing of the information processed in the context of the services provided through LIMAR. 
105. In order for LIMAR to be able to provide the services for which it was established, two rooms were made available in the building of the Livramento Market, a municipal public building located in Setubal, one for customer service and the other to support and archive the documentary record. 
106. The support and archive room had its own filing cabinets and was only accessible to LIMAR members. 
107. The CMS team created specific forms - the "assistance" and "telephone assistance" forms - (see Annexes III and IV of the CMS Inspection Report), for the collection of the necessary elements for the support required under LIMAR. 
108. These forms contained various personal information about the refugees, from name, address, date of birth, marital status, contacts, household, information on identification documents, on the support network (identifying the places and people they could stay with and their respective households), information on the period they could stay with the people in that support network and identification of the needs of those people in terms of housing, essential goods, food, health, education, childcare facilities, employment, social responses, among others, in addition to the description of the specific situation (cf. Annexes III and IV of the Inspection Report to the CMS). 
109. Together with the attendance forms, the enrolment form for the Portuguese as a Host Language - PLA courses of the IEFP (Instituto de Emprego e Formação Profissional) could be filled in for those refugees who expressed the desire to learn Portuguese, and a copy of the biography page of the passport or other identification document was attached.
110. The IEFP enrolment forms contain, among others, the following tables concerning the personal information of the applicants: full name, address, date of birth, marital status, sex, mobile phone number, country of origin, ID card number, academic qualifications, profession in the country of origin, current job or profession, employment situation in Portugal (see Annex VII of the CMS Inspection Report). 
111. The attendance forms were handwritten, and the processes were filed on paper. A digital record of the collected data was also created, on the "Microsoft" platform, in Excel format - file "LIMAR_BASE. DATA. xlxs", which requires a password for access (see Annex XII of the CMS Inspection Report). 
112. The file included the application form, the Temporary Protection Certificate1 , copy of identification documents, birth certificates of minors, enrolment file in the Portuguese as a Host Language - PLA. The copies of the documents sent to the IEFP, and the receipts of communications to the various public services for the support due, namely to the IEFP for job search, to the Setubal Social Security Office for the receipt of the Social Income and other benefits, to the Setubal Health Centres Grouping and to the Hospital Centre and to other public and private entities that guarantee the support requested, namely of food, clothes and other essential goods. 
113. The file also included the "Declaration of Consent", regarding the processing of personal data provided to CMS in the context of support for refugees, in which, in the part relating to the communication of data to third parties, it is stated: "[...] I further authorize that the data records collected may be shared with other services or entities within the specific responses or the provision of social support adjusted to the situation, with guarantees of privacy and non-discrimination." (cfr. Annex III - page 4 of the CMS Inspection Report). 
114. The text of the declaration was written in Portuguese, Ukrainian and Russian. 
115. During the due diligence, the case "A72", created by the team, was randomly checked "FN / YK" and , with cover page "Service Record" and which included the copy of the passport (biographical data sheet), the copy of the temporary protection certificate and the copies of the e-mails sent to the entities for the necessary support, as well as the declaration of consent. 
116. At the top of each service file, the initials of the elements that carried out the service are written as follows: "--/YK" or "--/IK", and where the initials of the social service technician of the Municipality were present. 
117. The procedures for the management of cases concerning refugees and their referral to the competent authorities were discussed and fixed in a meeting of the CLASS network, chaired by the Councillor for Culture, Sports, Social Rights, Health and Youth of the Setubal City Council,- (cfr. Annex VI of the Inspection Report to the CMS). 
118. In it, the subject of the PLA courses was mentioned, but the transport of the enrolment forms to the IEFP was not fixed or advised (cfr. Annex VI of the CMS Inspection Report). 
119. Instead, a model email was agreed upon to be used for situations of precariousness or need of support - employment, social service and support, health - which did not contemplate the situation of refugees who wanted to learn Portuguese as a host language (see Annex V - page 3). 
120. LIMAR operated from March 1990 onwards with the help of SEI staff. 
121. The assistance teams of the CMS consisted of two collaborators, a social technician and a translator, who in this case wereor 
122. During the period from 11 to 28 March 1990, due to illness. was absent 
123. During this period, I only collaborated in the services involving translation (cf. Annex VIII- pages 2 to 4 of the CMS Inspection Report). 
124. The participation of- participation in the team was not based on any formal or contractual decision, although he had no function in the Municipality. 
125. -supported LIMAR by assisting in the translation and, at the request of the refugees, in the completion of documentation for the courses "Portuguese as a Host Language - PLA" (learning Portuguese) from IEFP and the SEF forms for obtaining the temporary protection title as a volunteer (see Annex VIII - pages 2 to 4 of the CMS Inspection Report). 
126. Scanned and uploaded to the SEF form the passports and birth certificates of the children for whom the refugees themselves had requested assistance (see Annex VIII, pages 2 to 4 of the Inspection Report to the CMS). 
127. Organized and transported the enrolment forms for the PLA courses to the IEFP (see Annex VIII - pages 1 to 7 of the CMS Inspection Report and IEFP Inspection Report). 
128. It has not been possible to ascertain the exact number of enrolment forms for the PLA courses carried by-. 
129.-supported as interpreter the initial information provided to the refugees, regarding social support and procedures for the payment of transport and food allowances and the training grant, at the IEFP Setubal facilities (cfr. electronic communication from the Director of the IEFP Setubal attached to the records). 
130. He had access to LIMAR computer equipment, using his wife's credentials, enabling him to use the CMS computer and laptop to access web portals where he would insert documents (cf. statement annexed to the case file). 
131. gave her husband the credentials to access such equipment (cf. statement attached to the case). 
132.- continued to collaborate as an interpreter in the context of the reception of refugees and did not record data in internal processes (see Annex VIII - pages 5 to 7 of the Inspection Report to the CMS). 
133. This collaboration ended on 7 April 2022 (cf. Annex VIII - page 1 of the report to the CMS). 
134. On 3 May 2022, the Mayor of Setubal, by Order No 153/2022, appointed as Data Protection Officer (EPD) an employee of the Municipality who also held managerial positions.
135. As doubts about the appropriateness of this designation arose, the CNPD was asked, on 10 May 2022, to issue an opinion on its conformity. 
136. Later, a public hiring procedure was launched to fill the position of Data Protection Officer for Setubal Municipality. 
137. This competition resulted in the appointment of the new Data Protection Officer on 22 September 2022. 
138. It was found that there are no policies or guidelines in the CMS for the secure management of information containing personal data, and the employees of the municipality are not informed about the procedures to be adopted. 
139. The exception to the absence of such policies and/or guidelines is an email from the IT Division on the security of computer, email and internet access passwords, which the municipality made available to the CNPD during the inspection (see Annex IX of the Inspection Report to CMS). 
140. No Data Protection Impact Assessment has been carried out, despite the fact that refugees (as well as asylum seekers) are considered vulnerable persons according to the European Data Protection Supervisor's Guidelines on Data Protection Impact Assessments (see criterion 7 for the assessment of the need for a DPIA, p. 12 of the Guidelines2 ). 
141. There are no retention periods defined for the information collected by LIMAR. 
142. No information is provided to the data subjects (refugees) at the time of collection about who is the controller, the purposes of the processing, the recipients or categories of recipients of the personal data, the rights of the data subjects, the right to lodge a complaint with a supervisory authority. 
143. The Attendance Register contains a "Declaration of Consent" which reads as follows: "I declare that I consent that the information and data provided by me to Camara Municipal de Setubal, within the scope of the Municipal Refugee Helpline, be processed by automated means or others, with the appropriate guarantees of privacy and non-discrimination. I also authorise that the records and data collected may be shared with other services and entities in order to direct them to specific responses or to provide social support adjusted to the situation, with the guarantees of privacy and non-discrimination. I also inform you that the confidentiality and security of the personal data I have provided will be ensured, and that I may access and/or rectify them whenever necessary, in accordance with Law 67/98 of 26 October, as amended by Law 103/2015 of 24 August, and that false statements are punishable by law." 
144. In that statement there is no reference to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation). 
145. By allowing people outside the municipal services to access the IT equipment used for the processing of personal data without a specific access profile, as well as by granting them access to information of the refugees supported through LIMAR, contained in the forms of the PLA courses, transporting them outside the premises of the Municipality without previously assuming any formal commitment and without defining any guidance on the management and security of the information thus accessed and transported, the defendant did not act with the care he is obliged to, and was capable of, representing as possible that he was acting against the law. 
146. By using Excel files for the management and conservation of information relating to a set of vulnerable holders (refugees), files that do not include audit records, not allowing to know who accessed them, when and what operations were performed, the accused did not act with the care he is obliged to, and that he was capable of, representing as possible that he was acting against the law. 
147. By failing to set the time limits for retaining the information collected through LIMAR, and by retaining the information longer than necessary, the defendant failed to act with the care that he was obliged and capable of exercising, and it is possible that he was acting against the law.
148. By failing to provide mandatory information about the processing of personal data in a concise, transparent, intelligible and easily accessible form, the defendant has not acted with the care that it is obliged to, and that it was capable of, representing as possible that it was acting against the law. 
149. By failing to appoint a Data Protection Officer, the defendant has failed to act with the care that it is obliged to exercise, and that it is capable of exercising, and has arguably acted against the law. 
150. The defendant has always acted voluntarily and consciously.
IV. Evidentiary Conviction 
151. The facts found to be proven were based on a critical analysis of the evidence produced, both oral and documentary, as well as the inspection reports that the CNPD carried out at the ACM, SEF, IEFP of Setubal and CMS and the testimonies collected. Of the latter, the following are noteworthy (cf. statement minutes attached to the CMS Inspection Report): a. The statements of - who denied having copied the refugees' identification documents into CMS's internal file; b. who confirmed having provided her husband with access credentials to the computer equipment; c. From third parties; which denied having shared refugees' personal data with d. He denies having copied for himself or for third parties, as well as he denies having made available to entities other than those indicated by the Municipality the documentation concerning the refugees to which he had access; e. From the CMS Head of the Social Rights and Health Division, , who stated that she- collaborated as an interpreter in the context of the reception of refugees and that it did not register data in internal files; f. And that, given the direct articulation with the IEFP- CE Setubal, which was due to the relationship that it maintained with the IEFP delegation as a manager of the EDINSTVO association and trainer, it was he who took the enrolments and copies of identification documents to attend the PLA courses; g. Finally, he stated that he had not received any complaints about the assistance provided to the refugees; h. From the president of the Association of Ukrainians in Portugal, who stated that he had not received any complaints from refugees regarding the service provided in Setubal; i. It is not aware of any case of data collection or transfer of Ukrainian refugees to Russia, even if it admits the existence of such a risk.
V. Law 
152. The CNPD is competent pursuant to Article 58(2) of Regulation (EU) 2016/679, of 27 April 2016 - General Regulation on Data Protection (RGPD), in conjunction with Article 3, Article 4(2), and Article 6(1)(b), all of Law no. 58/2019, of 8 August (LERGPD). 
i. Infringement of the principle of integrity/confidentiality (Article 5(1)(f) of the GDPR) 
153. Article 5.1 of the GDPR requires that personal data is 'Processed in a manner that ensures the security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ("integrity and confidentiality")'. 
154. However, CMS has not defined organisational measures for safeguarding information, policies or guidelines for the secure management of information, nor has it formally defined any commitment with EDINSTVO to regulate access to and the transport of information containing personal data. 
155. Moreover, by making it possible for persons outside the municipality's services to use the equipment, without a specific profile, on which personal data entrusted to the municipality are stored without any contract or formal agreement setting out the parties' obligations as regards the protection of personal data, the Municipality of Setubal has breached the principle of integrity and confidentiality. 
156. Also, by storing information containing personal data on refugees in Excel files, even with access made conditional by password, the Municipality of Setubal has infringed that same principle, given that the unstructured storage of data in files where access and modification traceability is clearly reduced or non-existent, represents in itself a risk to security, integrity and confidentiality.
ii. Infringement of the principle of limitation of retention (Article 5(1)(e) of the GDPR) 
157. Article 5(1)(e) of the GDPR requires that personal data must be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed; personal data may be stored for longer periods provided that they are processed solely for archiving purposes in the public interest, or for the purposes of scientific or historical research or statistical purposes in accordance with Article 89(1), subject to the application of appropriate technical and organisational measures as required by this Regulation with a view to safeguarding the rights and freedoms of the data subject ("restriction of retention")". 
158. The Municipality of Setubal has not defined any retention period for personal data collected through the Municipal Refugee Helpline nor the criteria used to define these periods.
iii. Breach of Article 13 of the GDPR Case AVG/2022/712112 
159. Recital 60 of the GDPR explains that "The principles of fair and transparent processing require that the data subject must be informed of the data processing operation and its purposes". 
160. Article 12(1) of the GDPR states that: "The controller shall take appropriate measures to provide the data subject with the information referred to in Articles 13 and 14 and any communication provided for in Articles 15 to 22 and 34 regarding the processing in a concise, transparent, intelligible and easily accessible form using clear and plain language, in particular where the information is specifically addressed to children." 
161. Article 13(1) and (2) of the GDPR obliges data controllers to provide data subjects with a specific set of information, including, relevant to the case, the following: "1. (...): a) the identity and contact details of the controller and, where applicable, his representative; (...) c) the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing; (...) e) the recipients or categories of recipients of the personal data, if any (...) 2. (...): (...) b) The existence of the right to request from the controller access to and rectification or erasure of personal data concerning him/her, and to restrict processing insofar as it relates to the data subject, as well as the right to object to processing, as well as the right to data portability; c) If the processing of the data is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent previously given; d) The right to lodge a complaint with a supervisory authority; e) Whether or not the communication of personal data constitutes a legal or contractual obligation or a requirement for entering into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to do so."
162. The declaration of consent attached to the file, which was collected with the intention of legitimising the processing of the refugees' personal data, does not contain any of the information provided for in Article 13(1)(a), (c) and (e) or in Article 13(2)(b), (c), (d) and (e) of the GDPR. 
163. Furthermore, the legal basis explained refers to Law 67/98, of 26 August, which is legislation that has already been repealed, and therefore the provision of information provided for in paragraph c) of Article 13(1) must be considered to be defective, 
164. And this is because the RGPD came into force on 25 May 2018, implicitly repealing a good part of the rules of that national law, and Law No. 58/2019 of 8 August, which came into force on 9 August 2019, expressly repealed the aforementioned Law No. 67/98 of 26 August. 
165. Equally defective is the delimitation of third parties to whom personal data may be transmitted, as provided for in Article 13(1)(e). Although it is admitted that the range of such recipients is extensive, CMS cannot fail to recognise that at least the entities defined in the procedures established by CLASS at its meeting on 11 March 2022 could and should be made known to the data subjects. 
166. Finally, with regard to Article 13(2)(b) of the GDPR, the reference to the possibility of requesting the erasure of data or the limitation of processing, or even the possibility of requesting the right to portability, has been omitted. 
167. Regarding this set of violations, it is important to note the provisions of Article 83(5) of the GDPR, which states that "Breach of the provisions listed below shall be subject, pursuant to paragraph 2, to fines of up to EUR 20,000,000 or, in the case of a company, up to 4% of the total amount of the fine": a) the basic principles of processing, including the conditions of consent where that is the basis of legitimacy pursuant to Articles 5, 6, 7 and 9; b) the rights of the data subject pursuant to Articles 12 to 22. 
iv. Violation of Article 37(1) of the GDPR 
168. According to Article 37(1)(a) of the GDPR, "The controller and the processor shall designate a data protection officer where processing is carried out by a public authority or body with the exception of courts in the exercise of their judicial function". 
169. The Municipality of Setubal, by failing to appoint a Data Protection Officer, breached this provision. 
170. As regards infringement of Article 37, it should be noted that Article 83(4) states: "Infringement of the provisions set out below shall, in accordance with paragraph 2, be subject to fines of up to EUR 10 000 000 or, in the case of an undertaking, up to 2% of its annual world-wide turnover for the preceding financial year, whichever is the lower. (a) the obligations of the controller and the processor under Articles 8, 11, 25 to 39 and 42 and 43". 
171. The CNPD has the powers of correction enshrined in Article 58, paragraph 2, of the GDPR. 
172. Moreover, it follows from the principle of the primacy of Union law, reflected in Article 288 of the Treaty on the Functioning of the European Union, that regulations are binding and directly applicable in all Member States, thus precluding any possibility for a "State [....] unilaterally nullify their effects by a legislative act that can be relied upon against the Community texts" - CJEU Costa v ENEL, Case No 6/64; Commission v Italian Republic, Case No 39/72; Variola v Italian Financial Administration, Case No 34/73.
173. Thus, the CNPD and on the grounds best expressed in its Deliberação/2019/494, of 3 September (accessible at https://www.cnpd.pt/umbraco/surface/cnpdDecision/download/121704), decides not to apply, in the case at hand, by virtue of the principle of primacy of European Union Law, in conjunction with the provisions of article 8, no. 4 of the Portuguese Constitution, the provisions of Article 37(2), Article 38(2) and Article 39(1) and (3), all of Law no. 58/2019, of 8 August (hereinafter LERGPD).
v. Sanctions 
174. It can therefore be seen, in view of the facts established, that the defendant has processed personal data without taking care to ensure the security and integrity of such data, namely by not establishing organisational measures and not signing binding commitments with entities and/or persons outside the municipal services who could access such personal data. 
175. It is also noted that the defendant did not define the period for which the information is to be kept or the criteria used to establish this period, as it was obliged to do, nor did it erase the information containing personal data as soon as it ceased to be relevant to the purpose for which it was intended and should therefore be deleted. 
176. Moreover, in view of the facts established, it appears that the defendant has disregarded specific obligations imposed on it by the GDPR, namely the obligation to inform the data subjects. 
177. Finally, it is also noted that the defendant failed to appoint a Data Protection Officer. 
178. This means that there are sufficient indications that the defendant has committed three established and punishable offences, i. the first by the combined provisions of Article 5(1)(f), in the context of the inability to ensure the security of processing and the integrity and confidentiality of personal data processed, and of Article 83(5)(a); ii. the second by the combined provisions of Article 5(1)(e) for failure to comply with the principle of limitation of retention and Article 83(5)(a); 
179. the third by the combined provisions of Article 13(1) and (2) (information to be provided when personal data are collected from the data subject) and Article 83(5)(b), 
180. all of the RGPD, each of which will be sanctioned with a fine of up to €20,000,000.00. 
181. We also find, in view of this fact, that there is sufficient evidence that the defendant has committed an administrative offence provided for and punishable by the combined provisions of Article 37(1) (designation of the Data Protection Officer) and Article 83(4)(a), 
182. all of the RGPD, sanctioned with a fine of up to €10,000,000.00. 
183. All the violations listed here were committed with negligence, wilfully and knowingly. The CNPD has the corrective powers provided in Article 58.2 of the GDPR, namely to "reprimand the controller or processor when the processing operations have violated the provisions of this Regulation" (Article 58.2.b)) and to "impose a fine under Article 83" (Article 58.2.b)). The Commission will be able to impose a fine, in accordance with Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the circumstances of each case" (Article 83(i)). 
184. The breaches of the principle of limitation of retention (Article 5(1)(e) of the GDPR) and of the duties to provide a set of information to the data subject when the collection is carried out directly by the controller (Article 13(1) and (2)) should be deprived of their value differently from the others, given the context of emergency that existed at the time of the facts that prove them. This is because the former are intrinsically linked to the process of receiving refugees, admitting, in this situation, an episodic, although always censurable, carelessness or less care in the fulfillment of rules that did not appear to be of equal priority given the concrete needs to provide the rapid humanitarian response that was sought.
185. The other violations are different, not because the context is different, but because their existence does not depend and does not reflect the specific situation of response to requests from refugees. Rather, they reveal a structural attitude and behaviour of the organisation, which has serious deficiencies in the assumption of critical principles of data protection that go beyond these specific processes. 
186. According to Article 83(1)(a) to (k), the measure of the fine is determined on the basis of the following criteria: 
i. The nature, gravity and duration of the infringement, having regard to the nature, scope or purpose of the data processing in question, as well as the number of data subjects affected and the level of damage suffered by them - It is considered that the breaches committed by the defendant have a significant degree of seriousness, given the number of data subjects concerned (especially vulnerable), of which the specific number has not been ascertained, even though the context in which they occurred, in which the humanitarian emergency required more expeditious procedures, makes their assessment less severe. The violations detected in relation to the principle of limitation of conservation occurred in a relatively short period of time (about two months). The infringement of the EPD's designation lasted from 25 May 2018 until 3 May 2022 and therefore merits a higher degree of censure, although it has been corrected. 
ii. No harm has been caused to the data subjects; 
iii. Only one of the offences with which the defendant is charged is not punishable by the most severe framework provided for in the GDPR (in this case, breach of the obligation to appoint a data protection officer); 
iv. The intentional or negligent character of the infringement - as already explained above, the conduct relating to the infringements detected is considered to be negligent; 
v. The initiative taken by the controller or processor to mitigate the damage suffered by the data subjects - in this regard, the initiative of the defendant to designate a data protection officer and to terminate the protocol with the EDINSTVO association is relevant, even if as regards the latter, the correction could have been limited to compliance with the provisions of Article 28 of the GDPR; 
vi. The degree of responsibility of the controller or processor in view of the technical or organisational measures implemented by the controller or processor under Articles 25 and 32 defendant by failing to define technical and organisational measures that are minimally sufficient and suitable for protecting the personal information processed; 
vii. Any relevant breaches previously committed by the controller or processor - which do not occur; 
viii. The degree of cooperation with the supervisory authority to remedy the infringement and mitigate any negative effects it may have - which is considered adequate in view of provision of the required information and cooperation at all stages of the enquiry process; 
ix. The specific categories of personal data affected by the infringement - in this case there is a wide range of information about refugees who came to LIMAR, providing name, address, through date of birth, marital status, contacts, household, information on identification documents, on the support network (identification of places and people they could stay with and their respective households), information on the period they could stay with the people from that support network and identification of the needs of those people in terms of housing, essential goods, food, health, education, child care facilities, employment, social responses, among others, in addition to the description of the concrete situation. 
x. Among these data are some - those relating to health - which fall within the special categories of data provided for in Article 9(1) of the GDPR. 
xi. The manner in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified it, and if so, to what extent - which in this case resulted from the publication in the media of the suspected infringements relating to the processing of personal data of refugees, does not constitute a mitigating circumstance for the defendant; 
xii. Compliance with the measures referred to in Article 58(2), if they have been previously imposed on the controller or the subcontractor concerned in respect of the same matter - this criterion does not apply, as no corrective measures had been determined beforehand; 
xiii. Compliance with codes of conduct approved under article 40 or certification procedures approved under article 42 - criteria which also do not apply, as there is no code of conduct or certification procedure, under the terms indicated; and 
xiv. Any other aggravating or mitigating factor applicable to the circumstances of the case, in light of Article 83(2)(k) of the GDPR, such as the financial benefits obtained or losses avoided, directly or indirectly, through the infringement - As a mitigating factor, the specific context in which the breaches occurred must always be taken into account, at a time when the arrival of Ukrainian refugees in Portugal was intense and public and private institutions were faced with the urgent need to respond to them. 
xv. The financial situation of the Municipality will also be taken into account, as reflected in the information provided in points 184 to 186 of the defence, which shows a significant drop in executed revenue compared to 2021.
187. In view of the criteria mentioned above, the CNPD considers it necessary to apply, in this case, two reprimands and a fine to the defendant, considering this to be an effective, proportionate and dissuasive measure, given the specific circumstances in which the offences occurred. 
188. The fine applicable to the defendant for the infringement provided for and punishable under the combined provisions of Article 5(1)(f), in the area of failure to ensure the security of processing and the integrity and confidentiality of personal data processed, and of Article 83(5)(a) of the GDPR, will have a maximum limit of 20,000,000.00 euros. 
189. Whereas the abstract fine applicable to the defendant for the infringement provided for and punishable under the combined provisions of Article 37(1) (designation of the data protection officer) and Article 83(4)(a), all of the GDPR, has a maximum limit of € 10,000,000.00.
190. Evaluating the facts established in the light of the criteria set out above, the CNPD, under Article 58(2)(b) of the RGPD, also considers appropriate the application to the defendant of: 
i. a fine in the amount of EUR 120,000 (one hundred and twenty thousand euros) for breach of point (f) of Article 5(1), in the area of failure to ensure the security of processing and integrity and confidentiality of personal data processed, and of point (a) of Article 83(5) of the RGPD; 
ii. a reprimand for breach of Article 5(1)(e) in conjunction with Article 58(2)(b) of the GDPR; 
iii. a reprimand for breach of Article 13(1) and (2) in conjunction with Article 58(2)(b) of the GDPR; 
iv. a fine of EUR 100,000 (one hundred thousand euros) for breach of Article 37 (designation of the Data Protection Officer) in conjunction with Article 83(4)(a). 
191. Adding up the fines in tranches, the result is a total of EUR 220,000 (two hundred and twenty thousand euros). 
192. Once the framework of the partial fines has been established, it is important to determine the single fine applicable to the specific case. 
193. It is noted that the GDPR provides in Article 83(3) that, "[w]here a controller or processor intentionally or negligently infringes, in the context of the same processing operations or linked operations, several provisions of this Regulation, the total amount of the fine shall not exceed the amount specified for the most serious infringement". As its wording makes clear, this provision is to be relied on only in cases in which the infringements have been committed "within the scope of the same processing operations", or of "linked operations", which is not the case here, and so the General Regime of Administrative Offences (RGCO) applies, ex vi article 45 of Law no. 58/2019, of 8 August.
194. Article 19 of the RGCO establishes the legal criteria for the legal cumulation of fines, which means that the single fine to be imposed in a guilty verdict must be set between a minimum limit constituted by the highest fine actually imposed on each of the administrative offences (no. 3), in this case EUR 120,000 (one hundred and twenty thousand euros), and with a maximum limit consisting of the sum of the fines actually imposed on each of the administrative offences (no. 1), in this case EUR 220,000 (two hundred and twenty thousand euros). 
195. So, the abstract frame of the single fine to be applied is between a minimum of 100,000 (one hundred thousand euros) and a maximum of 220,000 (two hundred and twenty thousand euros).
vi. Grounds for the imposition of the single fine
196. The essential prerequisite for the legal cumulation of partial fines is that the same defendant committed several offences before a conviction for any of them became final and unappealable.
197. In this sense, in order to proceed to the legal cumulation it is necessary to verify the following requirements, of procedural and material nature: (i) that the sanctions are related to administrative offences committed before the final judgment of any of them, (ii) that they have been committed by the same defendant and that the individual penalties are of the same kind. 
198. What is cumulatively verified in the present case, merits the existence of effective or pure competition, either in the aspect of real competition, or in the aspect of ideal competition. 
199. The accused was found to have acted freely and knowingly, albeit negligently, in: i. not ensuring that the data it processes is "secure, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, taking appropriate technical or organisational measures"; ii. not designating a data protection officer.
200. The concrete context in which the violations occurred, together with the fact that the Municipality acted in order to obviate humanitarian and emerging constraints, should be highlighted here. These constraints assume a degree of originality that may explain some of the unpreparedness shown.
201. In any case, the breach of the obligation to designate the Data Protection Officer is not directly linked to that emergency, so the same degree of devaluation of the action that is attributed to the other violation cannot be admitted here.
202. Considering the legal assets protected by the administrative offences in question, which the defendant committed, it seems effective, proportional and dissuasive to apply to the defendant, in legal cumulation, under the combined provisions of Article 83(3) of the GDPR and Article 19(3) of the RGCO, a single fine of EUR 170,000.00 (one hundred and seventy thousand Euros).
vi. Conclusion
203. In view of the above, the CNPD deliberates: Apply to the defendant Municipio de Setubal, a) in accordance with the provisions of Article 19 of the RGCO, a single fine of EUR 170,000 (one hundred and seventy thousand euros) for breach of the principle of integrity and confidentiality and breach of the obligation to appoint a data protection officer; b) in compliance with Article 58(2)(b) of the GDPR, two reprimands, I. One for the violation of the principle of limitation of conservation; II. One for breach of the obligation to provide essential information when personal data are collected from the data subject.
204. Under the terms of Article 58, paragraphs 2 and 3 of the General Regime of Administrative Offences, inform the defendant that a) The conviction becomes final and enforceable if it is not contested in court, under the terms of Article 59 of the same diploma; b) In case of a judicial objection, the Court may decide by hearing or, if the accused and the Public Prosecutor do not object, by simple order.
205. The defendant must pay the fine within 10 days of its final settlement, sending the respective payment slips to the CNPD. Should it not be possible to make payment in due time, the defendant must communicate such fact, in writing, to the CNPD.