CNPD (Portugal) - Deliberação 2022/1072: Difference between revisions

From GDPRhub
No edit summary
 
(5 intermediate revisions by 2 users not shown)
Line 91: Line 91:
}}
}}


The Portuguese DPA fined the Portugese National Statistics Institute €4,300,000 for multiple GDPR violations. Among other violations, the Institute processed special categorfies of personal data without a legal basis, did not conduct a propper DPIA and provided insufficient information regarding its processing.  
The Portuguese DPA fined the Portuguese National Statistics Institute €4,300,000 for multiple GDPR violations. Among the others, the Institute processed special categories of personal data without a legal basis, did not conduct a proper DPIA and provided insufficient information regarding its processing operations.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The National Statistical Institute, the natinonal statistical authority of Portugal (controller) organised the yearly census operation ("Census 2021"), which took place between April 19 and May 31 2021. The controller sent Portuguese data subjects forms with questions which were of a mandatory nature. If data subjects did not answer the questions at all or provided inaquarte answers, they would face a fine between €500. and €25,000. The goal of the census operation was to obtain information on the entire population and housing stock in Portugal. On April 26 2021, the controller had received 2.5 million filled-in forms, which concerned the personal data of more than 6 million data subjects.  
The National Statistical Institute, the national statistical authority of Portugal (controller) organised a census operation ("Census 2021"), which took place between April 19 and May 31 2021. The controller sent Portuguese data subjects forms (both physical forms and digital forms) with questions which were mandatory to answer. Providing inaccurate information or not answering the questions at all was punishable by a fine between €500 and €25,000. The goal of the census operation was to obtain information on the entire population and housing stock in Portugal. On April 26 2021, the controller had received 2.5 million submitted forms, which concerned personal data of more than 6 million data subjects.


Between 17 April and 7 May 2021, the DPA received a large number of complaints related to this census operation. The DPA conducted an investigation into the controller which resulted in this decision. The DPA stated that the controller asked for special categories of data in the forms without making it clear if it was mandatory to provide this information. The DPA also found that the controller did not provide enough information regarding its processing in general and did not conduct a propper DPIA. The document that the controller provided as DPIA did not cover all processing operations in suifficient detail. The doucment also only referred to four processing operations. The controller had also hired Cloudface, a hosting service located in the United States, by simply subscribing to the service online. Under the hosting contract, the controller authorised Cloudflare to process personal data outside the European Economic Area (EEA) and send it to any of the 200 servers used by Cloudflare, Inc.. The controller also authorised Cloudfare to  transfer personal data to the USA. Successive subcontracting by Cloudfare had also been authorised by the controller. The DPA assessed the technical workings of the Cloudfare service and determined that it was impossible for the controller to know where personal data would be moved, when the data had entered the network of Cloudfare. The DPA highlighted that US law does not provide a level of protection of personal data that is equivalent to the level of protection provided by the GDPR.
Between 17 April and 7 May 2021, the DPA received a large number of complaints related to this census operation. The DPA conducted an investigation into the controller which brought to different conclusions. The DPA, for instance, stated that the controller used the forms to ask for health-related problems and religious beliefs without making it clear if it was mandatory to provide this information. The DPA also found that the controller did not provide enough information regarding its processing in general and did not conduct a proper DPIA, which contained or otherwise dealt with only 4 processing operations. Further, it also emerged from the investigation that the controller had also hired Cloudface Inc, a company located in the United States, which offered a content delivery network and internet security services. The controller simply subscribed online to Cloudflare's service. Under the hosting contract, the controller authorised Cloudflare to process personal data outside the European Economic Area (EEA) and send it to any of the 200 servers used by Cloudflare Inc, which were potentially also located in countries without an adequate level of protection for personal data. The controller also authorised Cloudflare to transfer personal data to the USA. Successive subcontracting by Cloudflare had also been authorised by the controller under this contract. The DPA assessed the technical workings of the Cloudflare service and determined that it was impossible for the controller to know where personal data would be stored as soon as this data had entered Cloudflare's network. By recalling the Schrems II judgement, the DPA also highlighted that US law did not provide a level of protection of personal data that was equivalent to the level of protection provided by the GDPR.  


=== Holding ===
=== Holding ===
The DPA found that the controller requested special categories of personal data in the forms, specifically data regarding health problems and religion. In the forms, the controller was not clear whether it was optional or mandatory to provide this information to the controller. The DPA stated that the controller lacked a legal basis for the collection of this data and had therefore violated Articles 9(1) GDPR out of negligence. The DPA fined the controller €1,600,000 pursuant of Article 83(5)(a) GDPR and considered this a high gravity fine. The DPA also found that the controller also did not provide sufficient information regarding its processing in general. It did not provide information regarding its processing in sufficient detail in the forms, on the main webpage or in a hyperlink, which resulted in a violation of Articles 12 and 13 GDPR. The DPA stated that this violation was also committed out of negligence. It fined the controller €1,600,000 pursuant of Article 83(5)(c) GDPR, which it considered a high gravity fine. 
The DPA found that the controller requested special categories of personal data in the forms, specifically data regarding health problems and religion. In the forms, the controller was not clear whether it was optional or mandatory to provide this information to the controller. The DPA stated that the controller lacked a legal basis for the collection of this data and had therefore violated [[Article 9 GDPR|Articles 9(1) GDPR]] out of negligence. The DPA fined the controller €1,600,000 pursuant of Article [[Article 83 GDPR|83(5)(a) GDPR]] and considered this a high gravity fine.  


The DPA also fined the controller €200,000 pursuant of Article 83(4)(a) GDPR, for a violation of the rules applicable to subcontracting entities (Artciles 28(1), 28(6) and 28(7) GDPR. The DPA stated that this violation had been committed intentionally. The DPA issued another fine of €2,400,000 pursuant of Article 83(5)(c) GDPR for the breach of the international personal data transfer regime (Articles 44 and 46(2) GDPR). The DPA considered this a high gravity fine and stated that this violation was also committed intentionally. Lastly, it fined the controller €400,000 pursuant of Article 83(4)(a) GDPR for the failure to conduct a DPIA in violation with Articles 35(1), 35(2)(b) and 35(3) GDPR. The DPA stated that this last violation had been committed intentionally.    
The DPA also found that the controller did not provide clear, highlighted an easily accessible information which would enable the data subject to know the circumstances of the processing being conducted by the controller. The controller did not provide this information in the forms, on the main webpage or in a hyperlink. This resulted in a violation of [[Article 12 GDPR|Articles 12]] and [[Article 13 GDPR|13 GDPR]]. The DPA stated that this violation was also committed out of negligence. It fined the controller €1,600,000 pursuant of [[Article 83 GDPR|Article 83(5)(b) GDPR]], which it considered a high gravity fine.   


The total amount of the fine was €6,500.000. However, the DPA applied a sole fine of €4,300.000 after legal culmulation pursuant of [[Article 83 GDPR|Article 83(3) GDPR]] and [https://www.pgdlisboa.pt/leis/lei_mostra_articulado.php?nid=166&tabela=leis Article 19 of Decree-Law 433/82].
The DPA also fined the controller €200,000 pursuant of [[Article 83 GDPR|Article 83(4)(a) GDPR]], for a violation of the rules applicable to subcontracting entities, in this case Cloudflare Inc. ([[Article 28 GDPR|Articles 28(1)]], [[Article 28 GDPR|28(6)]] and [[Article 28 GDPR|28(7) GDPR]]). The controller had simply subscribed online to Cloudflare's service without any negotiations and without any due diligence on the side of the controller. The DPA stated that this violation had been committed intentionally. 
 
The DPA issued another fine of €2,400,000 pursuant of [[Article 83 GDPR|Article 83(5)(c) GDPR]] for the breach of the international personal data transfer regime [[Article 44 GDPR|(Articles 44]] and [[Article 46 GDPR|46(2) GDPR)]]. The service that was contracted by the controller did not meet the legal requirements for the transfer of data to a third country. The DPA considered this a high gravity fine and stated that this violation was also committed intentionally. 
 
Lastly, the DPA fined the controller €400,000 pursuant of [[Article 83 GDPR|Article 83(4)(a) GDPR]] for the failure to conduct a DPIA in violation with [[Article 35 GDPR|Articles 35(1)]], [[Article 35 GDPR|35(2), and 35(3)(b).]] The DPA stated that the DPIA provided by the controller was limited and insufficient in scope because it did not cover the entire processing, or even relevant dimensions of processing operations. The DPA stated that this last violation had been committed intentionally.   
 
The total amount of all fines combined was €6,500.000. However, the DPA applied a sole fine of €4,300.000 after legal cumulation pursuant of [[Article 83 GDPR|Article 83(3) GDPR]] and [https://www.pgdlisboa.pt/leis/lei_mostra_articulado.php?nid=166&tabela=leis Article 19 of Decree-Law 433/82].


== Comment ==
== Comment ==

Latest revision as of 16:54, 6 December 2023

CNPD - 2022/1072
LogoPT.png
Authority: CNPD (Portugal)
Jurisdiction: Portugal
Relevant Law: Article 9(1) GDPR
Article 12 GDPR
Article 13 GDPR
Article 28(1) GDPR
Article 28(6) GDPR
Article 28(7) GDPR
Article 35(1) GDPR
Article 35(2) GDPR
Article 35(3) GDPR
Article 44 GDPR
Article 46(2) GDPR
Article 83(3) GDPR
Article 83(4)(a) GDPR
Article 83(5)(a) GDPR
Article 83(5)(b) GDPR
Article 19 Decree-Law 433/82
Type: Complaint
Outcome: Partly Upheld
Started: 19.04.2021
Decided:
Published: 12.12.2022
Fine: n/a
Parties: Instituto Nacional de Estatística
National Case Number/Name: 2022/1072
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Portuguese
Original Source: CNPD (in PT)
Initial Contributor: Mgrd

The Portuguese DPA fined the Portuguese National Statistics Institute €4,300,000 for multiple GDPR violations. Among the others, the Institute processed special categories of personal data without a legal basis, did not conduct a proper DPIA and provided insufficient information regarding its processing operations.

English Summary

Facts

The National Statistical Institute, the national statistical authority of Portugal (controller) organised a census operation ("Census 2021"), which took place between April 19 and May 31 2021. The controller sent Portuguese data subjects forms (both physical forms and digital forms) with questions which were mandatory to answer. Providing inaccurate information or not answering the questions at all was punishable by a fine between €500 and €25,000. The goal of the census operation was to obtain information on the entire population and housing stock in Portugal. On April 26 2021, the controller had received 2.5 million submitted forms, which concerned personal data of more than 6 million data subjects.

Between 17 April and 7 May 2021, the DPA received a large number of complaints related to this census operation. The DPA conducted an investigation into the controller which brought to different conclusions. The DPA, for instance, stated that the controller used the forms to ask for health-related problems and religious beliefs without making it clear if it was mandatory to provide this information. The DPA also found that the controller did not provide enough information regarding its processing in general and did not conduct a proper DPIA, which contained or otherwise dealt with only 4 processing operations. Further, it also emerged from the investigation that the controller had also hired Cloudface Inc, a company located in the United States, which offered a content delivery network and internet security services. The controller simply subscribed online to Cloudflare's service. Under the hosting contract, the controller authorised Cloudflare to process personal data outside the European Economic Area (EEA) and send it to any of the 200 servers used by Cloudflare Inc, which were potentially also located in countries without an adequate level of protection for personal data. The controller also authorised Cloudflare to transfer personal data to the USA. Successive subcontracting by Cloudflare had also been authorised by the controller under this contract. The DPA assessed the technical workings of the Cloudflare service and determined that it was impossible for the controller to know where personal data would be stored as soon as this data had entered Cloudflare's network. By recalling the Schrems II judgement, the DPA also highlighted that US law did not provide a level of protection of personal data that was equivalent to the level of protection provided by the GDPR.

Holding

The DPA found that the controller requested special categories of personal data in the forms, specifically data regarding health problems and religion. In the forms, the controller was not clear whether it was optional or mandatory to provide this information to the controller. The DPA stated that the controller lacked a legal basis for the collection of this data and had therefore violated Articles 9(1) GDPR out of negligence. The DPA fined the controller €1,600,000 pursuant of Article 83(5)(a) GDPR and considered this a high gravity fine.

The DPA also found that the controller did not provide clear, highlighted an easily accessible information which would enable the data subject to know the circumstances of the processing being conducted by the controller. The controller did not provide this information in the forms, on the main webpage or in a hyperlink. This resulted in a violation of Articles 12 and 13 GDPR. The DPA stated that this violation was also committed out of negligence. It fined the controller €1,600,000 pursuant of Article 83(5)(b) GDPR, which it considered a high gravity fine.

The DPA also fined the controller €200,000 pursuant of Article 83(4)(a) GDPR, for a violation of the rules applicable to subcontracting entities, in this case Cloudflare Inc. (Articles 28(1), 28(6) and 28(7) GDPR). The controller had simply subscribed online to Cloudflare's service without any negotiations and without any due diligence on the side of the controller. The DPA stated that this violation had been committed intentionally.

The DPA issued another fine of €2,400,000 pursuant of Article 83(5)(c) GDPR for the breach of the international personal data transfer regime (Articles 44 and 46(2) GDPR). The service that was contracted by the controller did not meet the legal requirements for the transfer of data to a third country. The DPA considered this a high gravity fine and stated that this violation was also committed intentionally.

Lastly, the DPA fined the controller €400,000 pursuant of Article 83(4)(a) GDPR for the failure to conduct a DPIA in violation with Articles 35(1), 35(2), and 35(3)(b). The DPA stated that the DPIA provided by the controller was limited and insufficient in scope because it did not cover the entire processing, or even relevant dimensions of processing operations. The DPA stated that this last violation had been committed intentionally.  

The total amount of all fines combined was €6,500.000. However, the DPA applied a sole fine of €4,300.000 after legal cumulation pursuant of Article 83(3) GDPR and Article 19 of Decree-Law 433/82.

Comment

Previously, during the Census 2021, the CNPD received several complaints and immediately started an investigation and issued an order to suspend the sending of personal data from the census operation to the USA and other third countries without an adequate level of protection, as per Deliberation/2021/533.

English Machine Translation of the Decision

The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.

DELIBERATION/2022/1072
🇧🇷 Report
1. The National Commission for Data Protection (hereinafter “CNPD” prepared the Project of
Deliberation/2021/22, on October 19, 2021, in which the National Institute of Statistics, I.P. (hereinafter “INE”, the practice, in material authorship and in the consummated form, of ten administrative offenses arising from the violation of various provisions of Regulation (EU) 2016/679, of April 27 - General Regulation on Data Protection (hereinafter “ RGPD9), referring to personal data processing activities carried out in the context of the “2021 Census” census operation, namely:
The. An offense provided for and punished by the combined provisions of paragraph 2 of article 5 and paragraph a) of paragraph 5 of article 83, both of the RGPD, with a fine of up to €20,000,000 or up to 4% of the annual turnover, for violation of the liability principle;
B. An offense provided for and punished by the combined provisions of paragraph a) of paragraph 1 of article 5 and paragraph a) of paragraph 5 of article 83, both of the RGPD, with a fine of up to €20,000,000 or up to 4% of annual turnover, for violating the principle of lawfulness, loyalty and transparency;
ç. An offense provided for and punished by the combined provisions of Article 9(1) and Article 83(5)(a), both of the RGPD, with a fine of up to €20,000,000 or up to 4% of the annual turnover, due to violation of the prohibition on processing special categories of personal data;
d. An offense provided for and punished by the combined provisions of paragraph c) of paragraph 1 of article 5 and paragraph a) of paragraph 5 of article 83, both of the RGPD, with a fine of up to €20,000,000 or up to 4% of annual turnover, due to violation of the principle of minimization;
and. An offense provided for and punished by the combined provisions of Article 32(1) and Article 83(4)(a), both of the RGPD, with a fine of up to €10,000,000 or up to 2% of the annual turnover, due to violation of the application of personal data security measures;
f. An offense provided for and punished by the combined provisions of articles 12 and 13 and point b) of paragraph 5 of article 83, both of the RGPD, with a fine of up to €20,000,000 or up to 4% of the volume annual business, for violation of the duties of informing data subjects;
g. An offense provided for and punished by the combined provisions of paragraphs 1, 6 and 7 of article 28 and paragraph a) of paragraph 4 of article 83, both of the RGPD, with a fine of up to €10,000,000 or up to 2% of annual turnover, for breaching compliance with the rules applicable to contracting subcontracting entities;
H. An offense provided for and punished by the combined provisions of article 44, paragraph 2 of article 46 and paragraph c) of paragraph 5 of article 83, both of the RGPD, with a fine of up to 20,000,000 € or up to 4% of the annual turnover, for violation of the transfer regime;
i. An administrative offense provided for and punished by the combined provisions of paragraphs 1 and 2 and paragraph b) of paragraph 3, all of article 35, and paragraph a) of paragraph 4 of article 83, all GDPR, with a fine of up to €20,000,000 or up to 4% of annual turnover, for breach of an impact assessment on the protection of personal data;
j. An offense provided for and punished by the combined provisions of paragraph 7 of article 37 and paragraph a) of paragraph 4 of article 83, both of the RGPD, with a fine of up to €20,000,000 or up to 4% of the annual turnover, due to breach of the duty to communicate, to the Control Authority, the designation of the Data Protection Officer (hereinafter “EPD”).
2. The Defendant was notified of the content of the said Draft Deliberation and invited, if he wished, to present a defense [of. article 50 of Decree-Law no. 433/82, of October 27 (General Regime of Administrative Offenses and
Fines, hereinafter “RGCO9].
3. The Defendant, in this sequence, alleges, in short, that:
The CNPD does not have the power to syndicate INE, because its powers
have to be exercised ex ante within the organic-institutional framework of the Superior Council
of Statistics;
ii. The Deliberation Project is void due to lack of representation of the assumptions of the
attribution to the Defendant of the committed infractions;
iii. The Draft Resolution is inadmissible for lack of prior warning, under the terms
the provisions of paragraph 3 of article 39 of Law no. 58/2019, of 8 August;
iv. The Deliberation Project violates the technical independence of the Defendant and as such must
be declared null;
v. The Defendant cannot be punished twice for committing the same act;
saw. The data processing was lawful;
vii. The Defendant did not violate the principle of minimization, in the operations considered as
optional;
viii. The Defendant complied with the duties of informing the holders of personal data;
ix. The Defendant did not breach the duties of due diligence in choosing its subcontractor;
x. There was no transfer of data to third States, so the
Defendant did not violate the data transfer regime;
xi. The Defendant was not required to carry out a Data Impact Assessment
Personal, since the assessment would have already been made in Authorization n.º 2600/2011,
issued by the CNPD, which was not subject to any alteration;
xii The EPD contacts were communicated to the Control Authority, on 22 May
from 2018;
The Defendant requests waiver of the fine, pursuant to article 44, paragraph 2, of Law no.
58/2019 of August 8th.
4. As the CNPD detected that, from the copy of the file sent via email on 24 January
of 2022, the evidence collected and attached to information 2021/109, of September 16,
2021, were the same sent by order of September 15, 2022, granting a new deadline
for defense.
5. On September 29, 2022, the agent responded by informing that she maintained her previous defense.
II. appreciation
6. The CNPD is competent under the terms of paragraph a) of paragraph 1 of article 57 and paragraph 2 of article 58 of the
Regulation (EU) 2016/679, of April 27, 2016 - General Data Protection Regulation (GDPR),
in conjunction with article 3.º, n.º 2 of article 4.º, and line b) of n.º 1 of article 6.º, all of Law n.º 58/2019,
of August 8 (LERGPD).
7. It should also be said that, in everything that is not provided for in the LERGPD, the RGCO is applicable on a subsidiary basis (for
pursuant to the provisions of Article 45 of that law).
8. In view of the Defense presented by the Defendant, it is necessary to assess the arguments in fact and in law
exposed there.
So:
On the incompetence of the CNPD to syndicate the INE
9. The Defendant begins by alleging, in points 7 to 16 of his Defense, an argument that he later develops in the
points 39 to 148, that the CNPD “[...] had the opportunity to exercise its powers of ex ante control,
within an organic-institutional framework specifically shaped for the purpose of integrating the contributions
of the CNPD regarding matters relating to the processing of personal data in the context of the census operation,
"but chose to act outside the institutional framework for the established effect and contrary to the deliberations
adopted by the bodies in which it is integrated - and to which it should be considered bound -, attributing ex
post the practice of a set of infractions that - having been verified, which is not granted -, the very
CNPD should unofficially have contributed to anticipate and prevent.” (points 14 and 15 of the Defense).
10. It is important, first of all, to clarify the misunderstanding in which the Defendant works in the Defense, perhaps the result of the
their poor understanding of the legal regime for the protection of personal data to which they are subject.
11. The legally foreseen participation of the CNPD within the Higher Statistics Council (CSE) is restricted to
to the powers of this body, which are provided for in article 13 of the Law on the National Statistical System
(Law No. 22/2008, of May 13). The Defendant highlights, in point 43 of his Defence, two of these competences,
although incompletely, thus misrepresenting its real scope, which is why the wording is left here
of these two competences: "To define and approve the general lines of the official statistical activity and
respective priorities;” “Formulate recommendations in the context of defining methodologies, concepts and
statistical nomenclatures for the use of administrative acts for the production of statistics
official documents and ensure their application”.
N 12. Now, an interpretation of that legal diploma that would lead to the conclusion that, regarding the
processing of personal data carried out by INE within the scope of the statistical activity of the entity, the CNPD
must exercise the powers conferred by the RGPD and the LERGPD only within the Superior Council of
Statistical, would mean the exclusion of those treatments from the successive supervisory and corrective powers that
the GDPR explicitly assigns to any national supervisory authority — cf. paragraphs 1 and 2 of article 58 of the
RGPD -, exclusion that the national legislator did not foresee and that, moreover, would not be admissible in the legal system
national legal framework vis-à-vis European Union law.
13. What the Defendant persists in ignoring is that the function of the CNPD is, since the application of the new
legal data protection regime, essentially supervision or successive control of processing
of personal data, with prior control focusing on generic guidelines regarding data processing
personal.
14. It is true that the CNPD has some competences in terms of concrete prior control (listed
in paragraph 3 of article 58 of the RGPD), but the essential part of these competences presupposes the initiative of the person responsible
processing, upon submission of an application to the CNPD, in accordance with the principle
proactive responsibility (accountability) enshrined in Article 5(2) and Article 24 of the RGPD.
15. In any case, within the scope of meetings of the CSE and its sections, the function of the CNPD is not, strictly speaking,
of supervision or prior control of the processing of personal data carried out by INE, but only that of
contribute with its specialized knowledge and experience in the application of the principles and rules of
protection of personal data for defining the general lines of statistical activity, as well as
methodologies, concepts and statistical nomenclatures for the use of administrative acts for the
production of official statistics. In particular, within this body, the CNPD contributed to the
established between INE and the relevant public entities a procedure for accessing data on
citizens to streamline the 2021 census operation and mitigate the impact on the rights of holders of
data, promoting the pseudonymization of the data, a contribution that, after all, was not used.
16. For this reason and also because neither the RGPD nor national and European legislation relating to the activity
statistics remove the personal data protection regime from statistical operations — rectius, because
this legislation expressly safeguards the personal data protection regime -, remain untouched
the powers of the CNPD, whether in the context of prior control or in the context of successive supervision,
maximum those of supervision and sanctions.
17. Furthermore, and contrary to what the Defendant seems to intend, there is no contradiction between the
different contributions from the CNPD within the CSE or its sections and the draft deliberation, since
the CNDP at no point in the project questioned or censored the variables defined by INE, nor the
Internet data collection option. Furthermore, the consistency of the CNPD is evident, taking into account that, within
of the Eventual Section for Monitoring the 2021 Censuses (SEAC), warned of the specific risks
resulting from the online collection of responses to surveys.
18. What the CNPD found and is analyzing is not whether the variables are necessary for the census activity
- provided that the judgment of necessity was explicitly attributed to INE by national law and that the name
of respondents is not a variable, as is evident from the Annex to Regulation (EC) 1201/2009, of
November 30, 2009!-, nor the methodology and procedure for collecting these data; what to
CNPD has investigated and is analyzing the conditions and limits legally defined for the processing of personal data, in particular respect for the principles of legality of processing and minimization of data
and risks to the rights of data subjects, which include, for example, issues
related to the identification of respondents and their family members (full name) and the
pseudonymization of data.
19. And the investigation and eventual sanction of the disrespect for such conditions and limits fall within the
powers and powers of the CNPD, as set out in articles 55 and 58 of the RGPD and in articles 3 and 6
of the LERGPD, so the allegations in points 7 to 16 and 39 to 148 of the Defense do not deserve merit.
20. Furthermore, in previous census operations, although the CNPD was already a member of the CSE, INE never
had doubts about the need to apply for the then necessary authorizations for the processing of data,
nor did he question the role of the CNPD for inspection within the scope of these operations”. That is, despite the
participation of the CNPD in the CSE, INE has always considered that the intervention of the CNPD as a national authority
data protection was not limited to participation in that body.
21. In short, the collegial decisions of the CSE, in which the CNPD is one among more than twenty members, cannot
condition the role of supervisory authority regarding the processing of personal data, under penalty of
deflate its power recognized by the GDPR and national legislation.
22. It is also important to clarify that the definition of the concrete technical and organizational measures that will be
applied in the census operation with reflection on the processing of personal data does not fall within the competences
of the CSE, nor has it ever been raised in it.
ii. The lack of representation of the attribution assumptions
23. The Defendant alleges that, in the Draft Decision, there is no indication of the facts of the unlawful act,
based on the provisions of article 50 of the RGCO, paragraph 10 of article 32 of the Constitution of the Republic
 Portuguese (hereinafter “CRP” and in articles 120.º, no. 1, no. 2, subparagraph d), and no. 3, subparagraph c), of the Code of
Criminal Procedure, applicable by reference to the provisions of article 41 of the RGCO.
24. The Defendant considers, in the Defense presented, that the Draft Deliberation is silent regarding elements
relevant to the attribution of infractions, with only a generic indication of administrative offenses being made
that are imputed to him.
25. In the opinion of the Defendant, the motivation with which he acted should be included in the Draft Deliberation,
the circumstances in which the offense was committed and on what basis the charge is made to the Defendant (intent or
negligence).
26. In short, the Defendant understands that the Draft Deliberation does not contain the objective and
subjective factors that allow him to be accused of committing an administrative offence.
27. As a result, he alleges that he is unable to exercise his right of defense fully and
effective, which, in his opinion, should lead to the nullity of the present administrative proceeding, after the
delivery of the Deliberation Project.
28. Such an understanding is not acceptable.
Let's see,
29. Contrary to what the Defendant argues, the Draft Deliberation did not omit any
elements that should be included therein, the objective facts integrating the
misdemeanor. It is further noted that, in the Draft Resolution, reference is made to the facts that reflect
the subjective attribution and those that may have influence in the concrete determination of the sanction to be applied.
30. It should also be remembered that a Draft Deliberation does not correspond to a final decision, so the
The presentation of grounds can - and should, for simplification of the procedure - be done succinctly.
31. Now, evaluating the Defense presented, it is easily verified that the Defendant knows all the
grounds of the proposed decision, it being undeniable that he is aware of the cognitive and evaluative iter of the decision,
and the entire context that applies to it.
32. Pursuant to Decision No. 1/2003 of the Supreme Court of Justice, the authority is not required to
administrative than in the “accusation” (or, as the law determines, in the “counterordination that [..] is imputed” to the
defendant) an evaluation of the evidence should be carried out immediately.
33. In other words, it is not required that the administrative authority, right in the “accusation”, has to qualify
the specific degree of seriousness or degree of guilt of the agent.
34. What is required is that, depending on the facts established and imputed to the defendant, the qualification
of the infraction, that is, of the administrative offence, identifying the corresponding applicable legal type (principle
of typicality).
35. For example, if a rule establishes that a certain infraction is punishable by way of willful misconduct,
“accusation” must contain the integrative facts of this legal type (the facts imputed to the defendant must allow extracting this legal misdemeanor classification). On the other hand, the determination of the degree of severity of the
infraction - and, therefore, the agent's degree of guilt - will have to result from a specific assessment of the
test to be done in the instructional phase”.
36. Now, in the Draft Resolution it is clearly defined to which subjective title the infractions are imputed
to the agent, either by identifying the elements that frame it
37. See, in particular, points 129, 130, 131, where it is expressly stated that “the defendant does not
acted with the precautions to which he was bound and of which he was capable, representing as possible that he was
to act against the law”, description corresponding to the attribution by way of negligence and points 132,133€ 134,
where it is expressed that "configuring a performance that fits in the modality of eventual fraud".
38. In these terms, the argument that the Draft Resolution is tainted by any defect
procedural.
iii. The obligation of prior warning of the Defendant
39. The Defendant alleges that paragraph 3 of article 39 of the LERGPD enshrines an obligation for the authority to
control to issue a prior warning before initiating an administrative offence.
40. In the understanding, postulated in the written Defense, the Defendant considers that such prior warning is a
procedural assumption or a condition of proceedability.
41. Failure to verify the aforementioned prior warning, according to the Defendant, entails the inadmissibility
of the administrative proceeding.
42. The Defendant concludes that the Deliberation Project must be declared null and void, due to violation of the
principle of legality.
Let's see,
43. Article 39(3) of the LERGPD establishes that “(...) [except in cases of fraud, the initiation of proceedings
of an administrative offense depends on prior warning of the agent, by the CNPD, for compliance with the
omitted obligation or reinstatement of the violation violated within a reasonable time (.
44, From the outset, this provision would always be excluded in situations where there are infractions
intentional acts committed by the person responsible for the treatment, as is the case with some of the infringements in question.
45. In any case, regarding the infractions imputed by way of negligence, that legal provision does
depending on the prior warning of the possibility of “(...) fulfillment of the omitted obligation or reinstatement
of the prohibition violated within a reasonable time (...)”.
46. The violations that support the present administrative offense proceeding relate, roughly speaking, to the
collection of data from Portuguese citizens, within the scope of the 2021 Census activity.
47. Which, as can be seen from the nomenclature, took place during the year 2021, and was already concluded when
notification of the Draft Resolution.
48. Therefore, the Defendant's obligations have already been irremediably breached, and this
default has already materialized - and expired - until the conclusion of that activity, in 2021.
49. The useful effect of a prior warning is not achieved to have a treatment corrected or stopped when
this is no longer ongoing, as it has already been verified.
50. The ratio legis of this provision is to ensure the correction of the infraction, when there is the possibility that the
responsible for the treatment also correct its conduct, thus reducing the risks to the legal sphere
of the holder of the personal data.
51. Something that, in casu, would no longer be, nor is, possible to achieve.
52. It should also be noted that the rules must be interpreted taking into account the rules of interpretation and
application of laws, which invite one to assess, among other aspects, the intention of the legislator (cf.
articles 1 to 13 of the Civil Code).
53. The interpretation of the law should not be limited to exploring only the literal meaning of the provisions.
54. Now, if the infraction has already been consolidated, and it is not possible to prevent its occurrence nor the damage that the
breach of the Defendant's obligation produced in the sphere of the holder of personal data, does not make any
it makes sense to call for the application of a prior warning.
55. Regardless of that, even if it were applicable, the CNPD decides not to apply the provisions of paragraph 3 of the
Article 39 of Law No. 58/2019, of August 8, in the case at hand, by virtue of the principle of the rule of law
of the European Union and with the grounds contained in Deliberation/2019/494, of September 3", once
that such a norm, by imposing on the CNPD a step prior to the decision to open a sanctioning procedure,
which is embodied in a warning for the correction of the illegality within a reasonable period, establishes a special regime for illegal conduct practiced with negligence that is not compatible with the regime
provided for in the GDPR.
56. In reality, as is clear from the body of paragraph 2 of article 83 of the GDPR, the Union legislator
confers on the concrete decision-maker, depending on the circumstances of each case, a discretionary power to apply
 items a) to h) and j) of paragraph 2 of article 58 of the RGPD. fines for or instead of the measures referred to in a
57. Indeed, by determining that «depending on the circumstances of each case, the fines are applied
in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j) [..)', Article 83(2)
of the GDPR recognizes the power of the national supervisory authorities to, on a case-by-case basis, choose to apply
only fine, application of fine and corrective measure, or isolated application of one or more measures
corrective measures provided for in paragraph 2 of article 58. It is this discretionary power that is arguably attributed to the
national control authorities, that the rule contained in paragraph 3 of article 39 of Law no. 58/2019 is
restrict, imposing in abstract to the CNPD the adoption of a specific measure, regardless of the
circumstances of each case (since it only meets the negligent nature of the infringement) and without allowing
immediately accrue the application of a sanction.
58. However, such an imposition deprives the supervisory authority of the discretion granted by the GDPR,
considerably withdrawing or diminishing the useful effect of the norm that assigns itº.
59. In addition, the national legislature cannot require its supervisory authority to adopt a measure
paragraph a) of paragraph 2 of article 58 of the GDPR for cases in which a correction is foreseen, determined in a
data processing operation (therefore not yet carried out) that is likely to violate the rules of the
Regulation, in situations where the assumptions of that measure are not fulfilled. for others
In other words, if the RGPD defines, in paragraph a) of paragraph 2 of article 58, the assumptions of the warning decision,
national law cannot impose the practice of this act when there is a situation that is not subsumed
on these assumptions and fulfills another legal type for which the RGPD provides for a decision with the same
designation.
60. In the light of such arguments, the CNPD does not apply in this case paragraph 3 of article 39 of Law no. 58/2019,
of August 8th.
61. Moreover, the limited understanding of the principle of legality of the activity is not followed
administrative, revealed by the Defendant in point 186 of the Defense, as it is not consistent with the current legal-constitutional framework.
62. The principle of legality, enshrined in article 266 of the CRP, is today affirmed as a principle of
legality, in the sense that Public Administration is bound by the different normative provisions
heterodetermined and therefore determined not only by the national legislator but also by the
European Union legislator; as, by the way, derives from paragraph 4 of article 8 of the CRP, which is directly included in the
national legal order to EU law. And, in the application of internal and Union legal norms, it cannot
no longer consider the principle of the primacy of Union law, as it has been interpreted by the
Court of Justice of the European Union, which obliges the non-application of internal legislative rules whenever
they contradict Union law or undermine its practical effect.
63. And the Defendant should not claim that the CNPD, as an administrative entity, has no competence
to disapply the rule in question.
64. For it is important to remember the understanding of the Constitutional Court, expressed recently in the judgment
268/2022, commonly known as the Metadata Decision, which reads:
“As a result, the eventual conflict between the norms now in crisis with the rules of Union law
European Union that can be relied on internally will have as a response from the judicial system
national law the non-application of internal rules - without these being expurgated from the legal system
or that, for that purpose, its invalidity is generated. That is precisely what the Commission decided
National Data Protection Agency (CNPD): considering in its deliberation no. 641/2017, of May 9
2017, that the regime contained in Law No. 32/2008 is contrary to European Union Law - for
disproportionate transgression of articles 7 and 8 of the CDFUE - decided to disapply Law 32/2008,
based on the rule of law of the European Union (Deliberation No. 1008/2017, of July 18
of 2017). our underlining.
65. Subsequently, that Court renewed this understanding, in Judgment No. 382/2022, where
reads:
'4. Secondly, it will always be said that the grounds invoked for the nullity of the Judgment
268/2022 are manifestly unfounded.
On the one hand, because the norms that determine an undifferentiated obligation to conserve
metadata could no longer be applied by any national authority since 2014, when
which was found to be incompatible with the Charter of Fundamental Rights of the Union
European Union (Judgments of the Court of Justice of the European Union of April 8, 2074, Digital Rights
Ireland, proc. 0-293/12 and 0-594/12; and of December 21, 2016, Tele2 Sverige and Watson, proc. C203/15 and 0-698/15) and the obligation arose, for all national authorities (including judicial)
to refuse its application, pursuant to the provisions of paragraph 4 of article 8 of the Constitution and as
was decided by the National Data Protection Commission in Deliberation n.º 1008/2017, of 18th of
July 2017." - emphasis added.
66. That is, the CNPD not only has the power to decide on the non-application of rules that are in
contradiction with the Law of the European Union, as it has the obligation to do so, for what, in these
terms there is no violation of the principle of legality.
67. The Defendant also adds, in paragraph 182 of the Defense, that “[..] the norms contained, namely, in the
article 83 of the RGPD, cannot be interpreted in the sense of directly targeting the competent authorities
national supervisory authorities, to the extent that, as provided for in Article 83.9, paragraph 9,
sanctions provided for in the GDPR are only applicable when the legal system of the Member States does not
provide for fines; that they are “effective, proportionate and dissuasive”.
68. Now, the Defense reveals a wrong reading of the RGPD, and the lack of knowledge of recital 151 of the same
European diploma. In fact, paragraph 9 of article 83 of the RGPD aims to remedy the non-existence of fines 'such
as provided for in the [GDPR]" in the legal systems of Denmark and Estonia, as explained
in that recital, which only reinforces that article 83 is addressed to the specific
applicators of sanctions, that is, national supervisory authorities and courts - as referred to by the CNPD
in the resolution cited by the Defendant (Deliberation 2019/494).
69. Moreover, what was stated in point 183 of the Defense does not add anything to the Defendant's argument,
corresponding to the mere observation of a norm that explains the principle of the rule of law; to
On the contrary, it reveals an irremediable contradiction in the Defendant's arguments, since paragraph 8 of article 83 of the
GDPR specifically states that this article is addressed to national supervisory authorities ('lo] exercise
of the powers conferred upon it by this Article by the supervisory authority [..]9.
iv. Nullity of the Deliberation Project due to violation of the Defendant's technical independence
70. The Defendant alleges that technical independence constitutes a basic principle of statistical activity
official, which is established in national and European legislation.
71. This is why the Defendant, in the pursuit of his public interest mission, can freely define
processes, methods, standards and statistical procedures, without being subject to any
external interference, namely by any other administrative authorities.
72. Therefore, according to the Defendant's understanding, the definition of personal data processed within the scope of
Census 2021 census activity, as well as the respective data processing, is an exclusive competence
its own, not susceptible of being syndicated by other administrative authorities.
73. With this argument, it concluded that the CNPD does not have the competence to syndicate the adequacy,
pertinence or need, nor the methodologies and procedures for collecting and processing
data for statistical purposes.
74. In doing so, the Defendant considers that the Draft Deliberation will have to be void.
75, Such an argument is unfounded.
Let's see,
76. Firstly, at no time is it called into question by the Draft Resolution - as claimed
the Defendant, several times throughout the Defense -, the regulatory and institutional framework (national and
European) under which the 2021 Census activity was carried out.
77. Nor the technical independence of the Defendant in carrying out that census activity.
78. In fact, and as explained above, at no point in the project does the CNPD question or censor the
statistical variables defined by INE, as well as the option of collecting data via the Internet.
79. What the CNPD found, and is analyzing, is not whether those variables are necessary for the activity
census - given that the judgment of need was explicitly attributed to INE by national law —,
nor the methodology and procedure for collecting these data.
80. On these aspects of the census operation, the CNPD spoke within the CSE, whether in meetings
of this council, or at SEAC, recognizing the legal limits to the fulfillment of its mission at this headquarters.
Even so, he did not fail to affirm the intrusive nature of the collection of information related to religion and warned
for the specific risks arising from the online collection of survey responses.
81. Specifically regarding the variables that correspond to special categories of personal data, the
CNPD does not question INE's competence and technical autonomy for defining them and for their
treatment, under the terms recognized by number 2 of article 18 of the National Statistical System Law.
82. And, therefore, it is not reached because INE was tired in a long argument in points 329 to 377 of the
your Defense.
83. But the fact that the law recognizes INE's technical autonomy to define the variables necessary for
pursuit of the statistical public interest and to legitimize it to process the corresponding personal data,
does not mean that INE can require citizens to provide such data when they are included in the
category of special or sensitive data (sensitive personal data not only related to respondents
as well as members of the respective household).
84. In fact, the same Law of the National Statistical System, in paragraph 3 of article 4, is clear to exclude
sensitive personal data categories of information whose provision may be required, as mandatory,
by INE.
85. It is this aspect of the processing of personal data that the CNPD analyzes and highlights for this purpose
administrative offence: the fact that sensitive personal data has been presented as being mandatory
to respondents, when the law imposes the optional nature of its collection and establishes a set of obligations
of information to respondents (cf. paragraphs 3 and 4 of article 4 of the Law on the National Statistical System).
6. In short, regarding the variables that correspond to special categories of data, it is only a matter of
an aspect of the processing of personal data that is not covered by the technical autonomy of Statistics Portugal, rather
is legally defined - by the Law of the National Statistical System - and, therefore, the
verification of respect for such a condition or legal link to the processing of personal data is,
obviously, to the CNPD.
87. At the same time, the fact that respondents and members of their households have to be
identified by full name goes beyond the technical autonomy that the law recognizes to INE, contrary to the
which the Defendant states in point 326 of the Defense.
88. This is an aspect of the processing of personal data that national and European legislation does not assign
specifically to INE, nor does it qualify as part of its technical autonomy. And it doesn't, because
In reality, it is the personal data protection regime that imposes the minimization of personal data and the
mitigation of risks to the rights of holders.
89. In fact, the respondents' identification data are not part of the concept of statistical variable
(cf. Annex to Regulation (EC) 1201/2009, of November 30, 2009), not being, in this way,
submitted to the technical autonomy of INE, being, therefore, an aspect of data processing, in the context of
census operation, which the CNPD can inspect and assess from the perspective of its compliance with the
data protection principles.
90. Just consider the provisions of paragraph 5 of article 18 of Decree-Law no. 54/2019, where, although
recognizes INE's competence to assess the need for personal data in the information collected from the
administrative databases, with due regard for the competences legally attributed to the CNPD in this regard.
context.
97. Moreover, the fact that INE enjoys autonomy and technical independence for defining solutions
techniques, in the regulatory and institutional framework - national and European - does not imply that the behaviors
of the Defendant are no longer subject to respect for other diplomas of the Portuguese legal system.
92. Autonomy and technical independence are not synonymous with legality or activity exempt from
regulation, therefore having to be framed by the legal regimes applicable to census activity, such as
with the legal regime for the protection of personal data.
93. In other words, it is not because the Defendant is recognized for technical autonomy, in statistical terms,
that he is no longer subject to the respect and fulfillment of legal obligations resulting from numerous
legal diplomas and, from the outset, the Constitution of the Portuguese Republic, the European Charter of Rights
Fundamentals of the European Union and, of course, of the GDPR.
94. Admit that, as technical autonomy was recognized, the Defendant's conduct could not be subject to
to any external control - as seems to be the understanding postulated in the Defense - would be to admit that the
statistical activity would be removed from the bonds of the rule of law.
95. Namely, and in the limit, within the scope of his technical autonomy, the Defendant could disrespect the
rights of Portuguese citizens enshrined in the CRP, provided that its action aimed at carrying out
a census operation - which is inconceivable.
96. Therefore, it is concluded that, despite the technical autonomy, when carrying out statistical activities, the Defendant
it is, however, subject to compliance with the applicable legal norms and their inspection by the entities
competent.
97. As we have seen, in this case, the CNPD is competent to ensure compliance and monitor compliance with the
rules contained in the GDPR.
98. Reason why, due to his technical autonomy, the Defendant cannot thwart his decisions and actions
regarding the processing of personal data to the inquiry by the CNPD.
99. Especially because, if that were possible, the CNPD would no longer have powers and competences before any
public entity endowed with autonomy or technical independence.
100. In this matter, attention should be drawn to the provisions of Regulation (EC) 763/2008, of 9 July
of 2008, concerning population and housing censuses, which exhaustively establishes in article
4, under the heading “Data sources”, the following:
"- Member States may compile their statistics from different sources of
data, namely...]
2- Member States take all necessary measures to comply with the requirements
relating to data protection. This Regulation does not affect Member States' legislation on data protection.” - our underlining.
101. In addition, the same obligation to respect the RGPD, in the execution of the 2021 Census operation,
is expressly enshrined in Decree-Law n.º 54/2019, of April 18, which reads, in n.º 4 of article 4.º,
Following:
"4- The responses to the 2021 Census questionnaires are kept by INE, !.P., under conditions
of absolute security, and can only be used for exclusively statistical purposes, in
compliance with the provisions of Law No. 22/2008, of May 13, and Regulation (EU) No. 2016/679,
of the European Parliament and of the Council of 27 April 2016."
102. As it is known that national legislation (Decree-Law No. 54/2019, of April 18) cannot contradict
the provisions of Regulation 763/2008, from the combination of the two mentioned rules, it is clear
need for the Defendant to comply with the principles and rules relating to the protection of personal data.
103. For this reason, the Defendant's activity could never be frustrated by the inspection of the CNPD, in terms of
compliance with the GDPR rules.
104. Although the Defendant intends to hyperbolize his concept of technical independence, to the point of acting
without any need to respect legal norms - which, of course, cannot proceed -
legislation, national and European, subject the Defendant's action to the control and inspection of the authority
national control (cf. article 55.º of the RGPD), which, in Portugal, is the CNPD (cf. article 3.º of Law n.º 58/2019,
August 8th).
105. On the other hand, the CNPD has always considered and defended that data should be collected in a
format that was not based on the identification of the respective holders by their full name, in order to
minimize the risk to citizens' rights.
106. This was expressly assumed by the CNPD regarding the data collection model from the
administrative bases, in Deliberation no. 929/2014, which the Defendant cites in his Defense, with the CNPD
determined that the personal data were encoded or pseudonymized - so it is not accurate
stated in point 304 of the Defense. In that Deliberation, as the Defendant portrays in points 314 to 317,
it was determined that the data were collected and integrated based on numerical identifiers,
admitting, at the limit, the use of letters from the first and last name (the first three letters) — which is quite
different from requiring and treating the full name of respondents or members of the respective
household.
107. The CNPD expressed itself in the same sense in Opinion no. 28/2018, of June 11, p. 4, document that
the Defendant does not ignore, and which, moreover, he cites in his Defense, where he states:
“It should be underlined, however, that the result of painstaking and successive work, over several
years, the CNPD and the INE have reached fruitful understandings for this purpose. A good
example of this is narrated in deliberation n.º 129/2018, of January 30, where the CNPD
looked into a data exchange protocol between the Tax Administration and INE. there if
listed the procedures already introduced in the processing of information prior to the
of its submission to INE. Of these, the pseudonymization procedure stands out, better detailed
in deliberation n.º 929/2014, which guarantees that INE, being able to relate the information received, does not
still have access to the identification of data subjects.
It is precisely in this sense that we understand that the future path of taking advantage of
of this administrative information, combining, in the most harmonious way possible, the purposes
statistics and respect for the protection of personal data”,
108. In reality, the Defendant persists in trying to confuse two different concepts, equating the data
individualized to data identified by full name, when it is certain that there are other data (from
numerical logos) that allow the association of information to a certain citizen and that, moreover,
ensure greater rigor in the relationship of personal data (since it is known that the use of the name as
connection key between the data is error-generating, because of the spelling - in particular, with respect to the
linking particles existing in the names), therefore, guaranteeing the respect for the principle of accuracy of the
2 personal data (principle enshrined in Article 5(1)(d) of the RGPD). In other words, it is possible to individualize the information in terms that allow the relationship with other information
relating to the same subject, without resorting to data of direct identification of the data subject.
ias, confuses or intends to confuse the identifiability of the respondents (and members of the 109. How, the
household), through certain identification data, with your identification by name
complete (as happens, again, in point 889 of the Defense).
110. The argument of the absence of a unique citizen number — invoked in point 309 of the Defense - does not
determines that citizens have to identify themselves by name, in order to be able to aggregate the information
existing in Public Administration databases. The constitution of an individualized database
paragraph c) of article 3 of Law no. 54/2019 does not require, contrary to what the Defendant claims, the
collecting the full name of citizens - which is why what is stated in point 312 of the Defense is inaccurate.
iás, the work carried out by CNPD and INE, in the context of the procedure that gave rise to 111.4
aforementioned Deliberation 929/2014, aimed to ensure that the census operation did not depend on the
collection of the full name, so the Defendant cannot ignore the pseudonymization technique, nor the
several paths that the CNPD has pointed out to him towards this pseudonymization.
112. In short, the arguments of the Defendant, in this matter, cannot, of course, be accepted.
v. Violation of the principle of ne bis in idem
113. The Defendant alleges that the imputation of four of the offenses contained in the Project - and
identified by the Defendant in point 211 of the Defense - violate the legal-constitutional principle established
in paragraph 5 of article 29 of the CRP and in article 4 of Protocol nº 7 to the European Convention on Human Rights,
which prohibits double punishment for the same act.
114. In order to try to demonstrate such double punishment, the Defendant alleges that he is charged with the practice of a
 subparagraph a) of paragraph 1 of article 5 of the RGPD and similarly an administrative offense for violating the provisions of a
an administrative offense is charged for violating the provisions of articles 12 and 13 of the RGPD.
115. The Defendant considers that Articles 12 and 13 of the RGPD are a mere specification of the inherent principle
in paragraph a) of paragraph 1 of article 5 of the RGPD, and thus cannot be punished twice.
116. According to the Defendant, so much so that the Draft Deliberation describes the same relevant fact
to consider the objective type of offense verified, that is, the failure to provide information to holders
in a concise, transparent, intelligible and easily accessible manner.
117. It also adds that it will have to be concluded that the conviction for any of the alleged offenses
already expresses the legal worthlessness of the behavior.
Let's see,
118. We agree with the Defendant when he alleges that sanctioning breaches of defined obligations
in the RGPD and which correspond to the densification of some of the principles enshrined in number 1 of article 5 of the
GDPR must remove sanctions from violating the principle itself.
119. This occurs with regard to the relationship between subparagraphs a) and c) of paragraph 1 of article 5 of the RGPD and article
9 of the RGPD, which were included in the indictment as autonomous offences, which is now reviewed.
120. Thus, the CNPD does not sanction, after all, the violation of the principle of loyalty, nor the principle of minimization
of personal data, focusing on the violation of paragraph 1 of article 9 of the RGPD, due to lack of grounds for
lawfulness for the processing of special data of optional collection.
121. But it maintains, as it is autonomously cut by the Union legislator, in articles 12 and 13 ena
paragraph b) of paragraph 5 of article 83 of the RGPD, the violation of the right to information regarding the whole of the
processing of personal data carried out in the context of the census operation.
122. Reason why the alleged by the Defendant only partially succeeds.
saw. On the existence of legal basis for the treatment of special categories of
Dice
123. The Defendant understands that the imputation directed at him, resulting from the illicit processing of data of
special categories, is based on an inadequate understanding of the nature of the data to which the questions
29.3 to 29.6 and 30 concern.
124. The Defendant further alleges that he exercises public interest functions in the field of official statistical activity,
therefore there is a basis of lawfulness for the processing of that data.
125. Regarding the question regarding the degree of difficulty felt in carrying out activities by
respondents, in the opinion of the Defendant, it does not constitute a special health data, as it is not
you are questioning what kind of problems or illnesses the data subject has or suffers from.
126. It also invokes Authorization No. 2600/11, of March 24, 2011, to claim that items 29.3 to
29.6 do not constitute data relating to health.
197. Subsequently, the Defendant alleges that, as a national statistical authority, its activity is
item j) of paragraph 2 of article 9 of the RGPD, so that, as it aims at statistical purposes, it comprises within the scope of the
of public interest, does not require the consent of the data subject for that treatment.
128. Invoking, to support its position, CNPD Opinion No. 28/2018.
129. The Defendant considers that such a conclusion also takes the provisions of paragraph 2 of article 18 of the Law of
National Statistical System (Law No. 22/2008, of May 13), although with the caveat that within the scope
of that Law the data referring to philosophical or political convictions, party or union affiliation, faith
religion, private life and ethnic origin and personal data relating to health and sex life, cannot have
mandatory character.
130. However, it states that the personal data contained in questions 29.3 to 29.6 and 30. were treated as
optional answer.
131. The Defendant also argues, further on in his Defense, that in the statistical variables
included in items 29 and 30. there was a warning in the header, in the form of a banner informing the
Optional nature of all subsequent questions.
 132. Since this information is provided to the data subject, either in the printed form or in the form
in line.
Let's see,
133. In light of the RGPD, it is not understood how the Defendant can currently consider that the collection of data
personal data that make it possible to identify whether someone has difficulty moving around, concentrating, getting dressed
or bathing, or that expressly indicate a given religion, do not constitute special categories of
data, as specified in Article 9(1) GDPR (cf. point 244 of Defense).
134. Indeed, under the terms of the RGPD, personal data are special categories, and it is quoted, “that reveal the
racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well
such as the processing of genetic data, biometric data to uniquely identify a person,
data relating to health or data relating to a person's sexual life or sexual orientation” (cf. n.º 1 of the
Article 9 GDPR).
135. It is important to emphasize that the Defendant, also in what he considers to be valid arguments for his
defense, comes to show the weaknesses in monitoring the normative changes operated with the entry
 The individual form of the 2021 Censuses must be taken into effect by the GDPR, from the outset, considering that the individual form of the 2021 Censuses must be considered valid because it is written in terms that are entirely congruent with the form of the
2011 Census (cf. points 240 and 241 of the Defense).
136. In fact, article 7 of the Personal Data Protection Law (Law No. 67/98, of October 26) provided for a
regime for the processing of sensitive data which, despite some similarities, is not identical to the
enshrined in article 9 of the RGPD, given that the fact that the Defendant considers a favorable argument
In his defense, the congruence existing between the 2011 and 2021 Census forms shows a total
ignorance and high disregard for the current data protection legal regime.
137. If it is true that the CNPD, in Authorization No. 2600/11, of March 24, 2011, did not consider that that
Z information was subsumed under the concept of health data, it is no less true that the RGPD came
explicitly define the concept of “health data” in Article 4(75) of the GDPR.
138. Faced with such a legal definition, it cannot but be considered that personal data relating to difficulties
locomotion, concentration, dressing or bathing correspond to “personal data related to
with the physical or mental health of a natural person” (item 75) of article 4 of the RGPD) or “[...] data relating to
health status that reveal information about your past, present or past physical or mental health.
in the future. The foregoing includes information about a natural person [..) e.g. an illness,
disability, a risk of illness [...] or physiological or biometric status of the data subject, irrespective of
from its source [...]' (cf. recital 35 of the RGPD) and therefore are personal health-related data.
139. Therefore, the argument presented by the Defendant, which is based on an understanding of the CNPD, does not apply
expressed in 2011, when, however, there was a profound reform of the legal regime for the protection of
personal data, reform that the Defendant cannot ignore - in particular, after the European Committee for the
Data Protection have clarified this concept (cf. point 3.1 “Data concerning health” of the “Guidelines
03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the
COVID-19 outbreak”*).
140. All the more so as it is the Defendant himself who, in the survey made available to citizens in the Census operation
2021, refers to such data as variables related to “health problems” (cf. image Q3.29.1. of the annex
"Screenshots from the 2021 Census form, available at https://censos2021.ine.pt
to the report “Info UL AVG 2021 407 Il v1.0.docx”.
141. Thus, it is now indisputable that the data provided for in questions 29.3 to 29.6 and 30 of the survey are data
special personal data, under the terms of paragraph 1 of article 9 of the RGPD, so that their collection is not enough with the need for these personal data for the pursuit of the public interest by INE (i.e.
fulfillment of the condition provided for in subparagraph e) of paragraph 1 of article 6 of the RGPD), still depending on the
verification of one of the conditions provided for in paragraph 2 of article 9 of the RGPD.
142. It is agreed with what is alleged in the Defense that the processing operations in question are supported, in order to
lawful purposes, in the public interest. However, as the CNPD warned in due time in its Opinion no.
28/2018, of June 11 (p. 1v), not unrestricted. It is true that the pursuit of a public interest
legitimizes the processing of special categories of data for statistical purposes [although not
unrestrictedly, as such processing "must be proportionate to the objective pursued, respect the essence of the
right to the protection of personal data and provide for appropriate and specific measures to defend the rights
fundamental and interests of the data subject. - opinion, moreover, cited by the Defendant in her Defence.
143. Therefore, the legal classification of the facts committed by the Defendant is changed, accepting that 0
legal basis for the processing of personal data is not consent under the terms of paragraph a)
of Article 9(2) of the GDPR.
144. But it is not ignored that the Law on the National Statistical System (Law n.º 22/2008, of May 13), in n.º 1
of article 4, recognizes that INE has the power to demand the provision, on a mandatory basis, of personal data,
unless these are part of the special categories of data (cf. no. 3 of the same article), in which case that
supply depends on the will of the data subjects.
145. Moreover, the INE has the obligation to inform respondents of the mandatory or optional nature
the response to questions relating to sensitive data (cf. paragraph 4 of article 4 of the Law on the Statistical System
National).
146. It follows, therefore, that the national legislature, in balancing the public interest associated with the
statistical activity, on the one hand, and the fundamental rights to informational self-determination and the reservation of
private life, on the other hand, considered it excessive to impose the provision of sensitive personal data,
thus making its collection dependent on the will of the respective holders.
147. Thus, even if it is claimed to be paragraph j) of paragraph 2 of article 9 of the RGPD or, perhaps, paragraph
9) of the same number, the basis for the lawfulness of the collection of personal data in this statistical operation, the
The truth is that, given the requirement - today reflected in those paragraphs as well as in article 89 of the RGPD -
that the forecast of processing is accompanied by adequate measures to guarantee proportionality
of the treatment in view of the intended purpose, the minimization of personal data and respect for the rights of
data subjects, the national legislature has explicitly established, as an appropriate measure, dependence on
an expression of the holder's will regarding the collection of sensitive data. 148. Thus, the realization of the public interest is subject to the will of the data subject. And therefore the
public interest is clearly not sufficient to legitimize the collection of data provided for in paragraph 1 of the
article 9 of the RGPD, which is why the collection of such data is not mentioned which, due to lack of information,
allows the free formation of the will of the respective holder.
149. And the point is that, even if INE was aware that the special data relating to health and
religion could only be collected on an optional basis, the fact of not having provided clear and
information about the optional character of its provision by citizens, in disrespect for the obligation
provided for in paragraph 4 of article 4 of the Law on the National Statistical System, impaired the understanding by
respondents that questions 29.3. to 29.6. and 30. of the 2021 Census questionnaire were answered
optional.
150. It should be noted that it is relevant, for the purpose of verifying the legal assumption that the collection of this data
special or sensitive personal data is optional, it is not INE's conviction (contrary to what the
Defendant in point 259 of the Defense), but rather the conviction of the respondents: the legal assumption, defined in the
number 3 of article 4 of the Law on the National Statistical System, is that respondents wish to provide such data
to INE. And wanting depends on a free formation of that will, not conditioned by omission of
information or for providing incomplete or erroneous information.
151. To that extent, the mere de facto possibility of browsing the online form continuing in
lack of response to such questions - which was not allowed by the system in the mandatory questions - and
still proceeding with the delivery of the questionnaire without filling out the answers to questions 29.3. to 29.6. and 30.
2021 Census questionnaire (cf. as invoked in points 266 and 267 of the Defense) is irrelevant to
effect of the formation of the will of the respondents, because, in the absence of information about the character
optional answer to those questions, it is not even expected, let alone required, that they try to
continue navigating the form or submitting it without filling out those responses.
152. In fact, as mentioned in the Draft Deliberation and not contested by the Defense, in
online questionnaire:
"Question 30 was an optional answer. However, it did not provide any information about the
non-mandatory nature of the response.”
"Point 29 of the questionnaire consisted of six questions framed in three pages,
two questions in each of them. Only on the first of these pages is information about the character
optional answers. On the next two pages, no such information was
presented to the respondent. [..]". (cf. images Q3.29.1 to Q3.30, from the annex “Screenshots of the 2021 Census form, available at https://censos2021.ine.pt” to the report “Info
UI AVG 2021 401 | v1.0.docx”.
153. It must be concluded that the fact that the system allows navigating to the next page without selecting
an answer does not guarantee the data subject information regarding the optional nature of the question
presented.
154. Also because, remember, the data subject is answering the questionnaire to avoid being
 sanctioned, which at the outset leads him to consider all the questions presented in the form as
imperative.
155. That is, the data subject hardly tests the possibility of moving on to the next question without
respond previously to the previous one.
156. Being logical the difficulty of apprehending the optional character, if this information was not included in the
questions screen 29.3. to 29.6. and 30.
157. The truth is that the lack of information about the optional character of the 29.3. to 29.6. and 30.
2021 Census questionnaire generated or, at least, is likely to have generated the conviction that the answer
to them was mandatory, so the effective response to those questions by the respondents cannot
correspond to a manifestation of free will, since it was based, or may have been based, on
error about the mandatory character of the provision of such data.
 158. It follows from the general rules of law that the expressed will is only legally relevant and valid if
freely formed and manifested, and that error harms this freedom, especially when it affects a
essential element of the will: the mandatory character of the conduct dependent on the manifestation of the will.
159. Now, in this case, the error in forming the will of respondents is caused by INE, by not having
the requirement of no. 3 of article 4 of the Law on the National Statistical System was met.
160. Therefore, the Defendant is in error when, in points 261 and 262 of the Defense, he considers that they are different
these two questions, that is, the lack of information about the optional character of the questions and the
optional of the same; on the contrary, in this context, they cannot be made autonomous, because that is what O
national legislature, in the Law on the National Statistical System (cf. paragraphs 3 and 4 of article 4), when it made it depend
the lawfulness of the collection of optional sensitive personal data and the provision of information
about this optional nature.
161. In these terms, the collection by INE of special personal data through the response to questions 29.3.
 line j) (or even from 9) to 29.6. and 30. of the 2021 Census questionnaire was unlawful, because, under the terms of subparagraph j) (or even 9) of article 9.2 of the RGPD, the national legislator, in article 4, no. 3 and 4 of the Statistical System Law
National, when it provided for the collection of special data for the purpose of statistical public interest fixed,
as an adequate and specific measure for the defense of the fundamental rights and interests of the holder of the
data, the optional character of the same, thus requiring the manifestation of a concordant will
informed and free, which, in this case, did not occur due to the lack of clear and complete information
on all questions that were optional.
162. In view of the above, the Defendant's understanding cannot be upheld, maintaining that the collection of
such personal data violated the prohibition contained in paragraph 1 of article 9 of the RGPD, as there was no
of the legality conditions provided for in paragraph 2 of the same article.
vii. Violation of the principle of minimization of personal data
163. The Defendant alleges that he did not infer from the Draft Deliberation whether the imputation formulated concerns the
delimitation of the information to be obligatorily provided to the data subject - matter which, according to him,
it would only fit into the legal framework relating to the principle of transparency and compliance
of information duties - or if you are also charged with an infringement resulting from the processing of data
of special categories.
164. Even so, it argues that any failure to provide information about the optional nature of the
answers to questions 29.3 to 29.6 and 30. would constitute an infringement only likely to be included in the
framework of the respective duty to inform, as the questions were treated as being optional.
165. That is, the Defendant seeks to justify that the data collected in response to questions 29.3 to 29.6 and
30. did not involve a violation of the principle of data minimization, under the terms and for the purposes of the
stipulated in subparagraph c) of paragraph 1 of article 5 of the RGPD, as they are essential and justifiable in the light of the
statistical needs and numerous international recommendations produced by
reference, in census matters (cf. points 329 to 377 of the Defense).
166. With regard to this point, the CNPD concedes that this fact does not correspond to a violation of that principle. O
which does not exclude its relevance for the purpose of verifying the non-fulfillment of the legality condition in the
terms of paragraph 2 of article 9 of the RGPD, in the terms set out above. viii. The Defendant complied with the information duties towards the holders of personal data
167. The Defendant claims to have provided the data subjects with all the necessary and required information, under the terms
and for the purposes of paragraph a) of paragraph 1 of article 5, in conjunction with the provisions of articles 12 and 13.
all GDPR.
168. Even so, the Defendant understands that he fulfilled all the information duties, whether in the printed version,
either in the digital version.
169. It alleges that, for this purpose, it made its Privacy and Protection Policy available on its website
of Personal Data, under the terms of which are the contacts of INE and EPD, from which the holder
could get more clarification.
170. The Defendant also argues that in the statistical variables included in items 29 and 30.
a warning appeared in the header, in the form of a banner informing the optional character and all questions
subsequent.
 171. Since this information is provided to the data subject, either in the printed form or in the form
in line.
172. Furthermore, the Defendant considers that the online system itself led to the conclusion of the optional character
of the questions, since it allowed navigating to the next page without selecting any answer, which
was not allowed by the system in the mandatory requirements.
Let's see,
173. As for the duty to provide information on the optional nature of special data, it has already been refuted above
the arguments presented, granting now, only, that its non-compliance is consumed by the
lack of grounds for the lawfulness of the collection of such data, since that is a specific requirement of the norm
of the RGPD that INE invokes to legitimize its treatment.
174. But the question of whether there was compliance with the duty to provide information under
of Article 13 of the GDPR.
175. It is important to clarify that the duty of information provided for in articles 13 and 14 of the RGPD aims to carry out
principles of transparency and loyalty, enshrined in Article 5(1)(a) of the RGPD.
176. Articles 12 and 13 of the GDPR are clear in requiring the controller to provide the data subject with
of data the information in a “concise, transparent, intelligible and easily accessible way, using a
clear and simple language[...]". 177. Contrary to these legal commands, the Defendant opted to inform data subjects through a
document available on its website.
178. However, such document refers to all processing of personal data under the responsibility of the
INE and not specifically to the treatment resulting from the census operation, being silent about this —
By the way, just see that the so-called Privacy and Personal Data Protection Policy is dated 2019,
more than two years before the said operation was carried out.
179. In addition, the location of the aforementioned privacy policy on the INE's institutional website makes it, in
practical, inaccessible.
180. Otherwise, let's see: to find it, you need to get to the bottom of the page, and select "About INE" —
given that, for the common citizen, it is not expected that the privacy policy is kept there;
even after accessing the “About INE” link, the “Ethics and Policies” tab must be opened, so that, after
select the seventh of eleven options, navigate to another page where a small text appears, which,
in turn, refers to a PDF document which contains, finally, the so-called Privacy Policy
and Personal Data Protection.
181. The lack of transparency in the processing of personal data carried out by INE is evident and,
specifically, on the processing of data from the 2021 Census, given the complex and labyrinthine path
what the citizen has to do, almost being required to have divinatory qualities, to find the information
required by law.
182. Also because, in the case of the 2021 Census operation, what the data subject wanted was to access
to a form, in order to respond and avoid being sanctioned for the lack of response, insufficiency or
its inaccuracy.
183.And it is the Defendant himself who mentions that that same form did not contain the information to which
was legally obliged, pursuant to the provisions of Articles 12 and 13 of the GDPR.
184. Since the direct collection of personal data is at stake, article 13(1) of the RGPD requires that the
responsible for the treatment at the time of collection, provide the information listed there, which
manifestly did not happen.
185. As the requirement to provide information concisely was also not met,
transparent, intelligible and easily accessible, pursuant to paragraph 1 of article 12 of the RGPD.
186.From all of the foregoing, it is necessary to conclude that the Defendant did not fulfill the information duties to which he was
obliged, thus violating the obligation arising from Articles 12 and 13 of the GDPR.
ix. Breach of due diligence in choosing subcontractor
187. The Defendant considers, in his Defense, that the services subcontracted to Cloudflare, Inc., respect all
the requirements for information security and protection of personal data, as provided for in the RGPD and the rest
data protection legislation.
188. And, therefore, they constituted the best option for the success of the 2021 census operation in time
 logical, compared to useful and with greater security and better performance of services and techno infrastructures
expected global threats.
189. The contractual relationship established between the Defendant and the subcontractor was governed by a contract between the
parties, which includes clauses that contain all the information and obligations legally required under the terms
of Article 28(3) of the GDPR.
190. Furthermore, the Defendant alleges that there are not numerous alternative solutions available on the market
that provide performance and safety services with the level of excellence, rigor and concern for
security and privacy of personal data, such as the subcontractor.
191.And the Defendant concludes that the solution contractualized between him and the subcontractor not only allowed the increase
security of the collected information and a better performance of the Censos 2021 website, through the resource
to services of excellence recognized as such in the market, as it does not seem to exist, and consequently
need, of any other solutions available on the market that could have been contracted.
Let's see,
192. In his Defence, the Defendant was unable to add anything to what was found during the proceedings
inspection, and which led, incidentally, to the suspension order of sending personal data from the census operation
2021 Censuses for the United States of America (hereinafter USA) and for other Third States without a
adequate level of protection, whether through Cloudflare, Inc., or through any other company, in the
maximum period of 12 hours (cf. point 42 of Deliberation 2021/533, of April 27, of the CNPD, issued under
 point j) of paragraph 2 of article 58 of the RGPD). of the powers conferred upon it by the
193. As the CNPD has already clarified, in point 76 of Directive No. 2022/1, if it is true that the relationship between
controller and processor and between this and other processors has to be regulated by
writing (cf. paragraphs 3 and 4 of article 28 of the GDPR), verification of the requirements set out in article 28 of the GDPR
it must be substantive and not just formal, not limited to the choice of any standard clause.
194. For this reason, when selecting the subcontractor and the means it makes available for the
data processing (e.g. services, products, tools, technologies), the controller had to apply or require the contracting party to adopt adequate protection measures
of personal data and that mitigate the risks arising therefrom.
195.And the Defendant's defense proves that he did not carry out the necessary due diligence to ensure the adoption
of measures capable of guaranteeing respect for the principles and rules of the RGPD.
196. It will suffice to check paragraphs 457 et seq. of the Defense to conclude it. At these points the
Defendant justifies the choice of solutions from Cloudflare, Inc., as this company is almost the only reference
in the market.
197. However, this fact is not true, there are several European companies that provide Content services
Delivery Network (CDN) that meet GDPR requirements.
198. Nor can the Defendant base his choice on the Cloudflare service,
Inc., in the fact that it has an office in Lisbon (cf. points 642 et seq. from Defense), when the contract was
entered into with the company headquartered in the USA and, under contractual terms, the forum for settling disputes between
INE and Cloudflare, Inc. is the California Court.
199. Furthermore, the latency service subscribed to by INE, in the contract, makes it clear that, as
demonstrated in the Deliberation Project, it will be supported on numerous servers located in
multiple geographies, most of them located outside the European Union and in jurisdictions that are not compatible
with European legislation.
200. For greater clarity of the reasons for this determination, the CNPD recalls here that in the contract
entered into, in the “Business” package modality, governed by the “Self-Serve Subscription Agreement” and by the
addendum on data processing (Data Processing Addendum version 3.0, dated October 1,
2020), which forms part of the agreement (which was available on the Cloudflare, Inc. website in April 2021, and which
corresponds to evidence No. 66 presented in the Defense), it is stated “(...) [elm connection with the Service, the parties
anticipate that Cloudflare, Inc., (and its subcontractors) may handle, outside the European Economic Area
(EEA) (..) certain personal data protected by European data protection legislation in relation to
which the client or member of the Client Group is considered responsible for the treatment (...)' — cf.
point 6.1 of the Data Processing Addendum version 3.0 (in a free translation from the original, written in
English).
201. That is, the contract signed by INE and Cloudflare, Inc., allows the transit of personal data to
any of the 200 servers used by it, as well as the transfer of personal data to
USA, and INE, upon entering into such a contract, accepted such processing of personal data. 202. In fact, under the terms of the Data Processing Addendum version 3.0, which, remember, is part of the contract,
personal data is transferred from the customer (data exporter) to Cloudflare, Inc, (data importer)
data), in the USA, using the standard contractual clauses as an international transfer mechanism
based on Commission Decision 2010/87/EU of 5 February 2010 applicable to transfers of
personal data for subcontractors established in third countries”, which are an integral part of the
 clause 1.1 of the Data Processing addendum and are, to that extent, subscribed by the customer (cf. paragraph m) of c
Addendum version 3.0)8.
203. Thus, by (sub)contracting the services of Cloudflare, Inc., INE, in its capacity as responsible for the
treatment and simultaneously a customer of Cloudflare, Inc. accepted the conditions of use of the service,
including the addendum to the terms of processing of personal data, which also regulates the transfer of
personal data for the USA.
204. Also in accordance with the terms of the Data Processing Addendum version 3.0, INE granted a
general authorization to Cloudflare, Inc., so that it can use other (sub-) subcontractors, whether
companies inside or outside the Group (clause 4.2)º, recognizing and accepting that it might be necessary
for the provision of the service the use of (sub) subcontractors established in third countries (clause
6.49.
205. If standard contractual clauses are, in general, a legal instrument for the transfer of data
 personal data to third countries, pursuant to the combined provisions of article 46.º, n.º 2, item c), n.º5,
of the RGPD, it is necessary to verify, however, if the legislation of the third State, which obviously overlaps with
an instrument of a contractual nature, does not diminish or void the guarantees offered by these clauses, which are precisely intended to compensate for the lack of an adequate level of protection in the country of
destination of the data (cf. articles 44 and 46 of the RGPD)".
206. According to the Court of Justice of the European Union (CJEU), it is the data exporter (INE) that
competes, on a case-by-case basis, with the collaboration of the data importer (Cloudflare, Inc.), to verify that the country of
specific destination ensures a level of data protection essentially equivalent to that guaranteed by
EU, and should, if possible, adopt additional safeguards to overcome obstacles and guarantee
that data protection remains'?. This obligation also stems from compliance with the principle of
responsibility enshrined in Article 5(2) of the GDPR.
ise of the CJEU in the case Schrems !|, the law of the USA - which is the country of destination
standard contractual clauses - allows
207. According to the anna
of Cloudflare, Inc.'s international transfers pursuant to the
interferences in the fundamental rights of people, based on requirements related to national security
and the public interest, which may result in access to personal data transferred from the EU to the US and from
use of such data in the framework of surveillance programs, based on Section 702 of FISA (Foreign
Intelligence Surveillance Act) and Executive Order 12333".
208. The CJEU concluded that such interference is not proportionate, under EU law, insofar as
that the scope of limitations on people's rights is not defined, there are no clear and precise rules
regarding the application of these measures or minimum requirements to protect against risks of abuse, it is not
verifies a judgment of necessity, and no opposable rights are conferred on data subjects or
of legal recourse, therefore limitations on data protection arising from US law do not apply.
meet the requirements of the EU Charter of Fundamental Rights!” (cf. articles 7.º, 8.º, 47.º and
52, no. 1).
209. Therefore, it would only be possible to carry out a transfer of personal data to the USA if the
legislation in question here, and expressly referred to by the CJEU, were not directly or indirectly applicable to the
Cloudflare, Inc., or its (sub-)subcontractors, and then only by taking appropriate measures
that could demonstrably prove that this legislation would not apply or not
would have a practical effect on transfers of personal data. 210. However, the services provided by Cloudflare, Inc., namely those contracted by INE
when you signed up to the Business Plan, bring the company directly under the purview of US law that
imposes on you the obligation to grant mass access to the personal data processed by you, from the outset
as an electronic communications service provider!º, without prejudice to other types of services being
also covered by other provisions of US surveillance legislation.
211. Cloudflare, Inc. acknowledges in point 7 of the Data Processing Addendum version 3.0 that, in its role as
subcontractor, may be subject to requests for access to personal data by third parties within the scope of
of legal procedures, which may be "inconsistent" with the law applicable to your customer, i.e. the GDPR.
In such event, where there is a conflict of laws, Cloudflare, Inc., declares that it will immediately inform the customer, "unless
that such notification is legally prohibited» (cf. point a) clause 7.1)'º.
212. This is precisely the case with this US legislation which prevents US companies from
inform their customers of the access made by the US authorities for the purpose of collecting
information about foreigners, in the context of national security activity,
213. It appears, therefore, that there is no guarantee in the contract that the personal data of citizens
residing in Portugal, collected by INE through its website, within the scope of the 2021 Census, are not
accessed by US authorities through Cloudflare, Inc., due to services provided by Cloudflare, Inc.
provided to INE and which imply, according to the signed contract, the transfer of these personal data to
USA.
214, Thus, what is stated in points 668 et seq. of the Defense is irrelevant, since what is in question here
concerned is the fact that Cloudflare, Inc., is bound to comply with US law, which, including the
prevents you from informing the controller about the request for access by certain US authorities.
215. Furthermore, the explanations presented by Cloudflare, Inc., and by the Defendant, which
give the “Business” service an expression that is not accepted in the adhesion contract itself that the
support. 216. When it is stated (cf. point 475 of the Defense) that each user is forwarded to the server most
close to your location, in order to justify that “Portuguese” users will be forwarded,
with high probability (in the expression presented, “would likely be directed”), for servers in Lisbon,
seems to want to ignore that this will never happen if there is a saturation of the server, at a given moment,
in Lisbon.
217. Something that, in massive treatment operations, such as a census operation, occurs in
numerous situations.
218. But neither is it correct to state that all the traffic generated when accessing the website 'censos2021.ine.pt',
using the CDN service from Cloudflare, Inc., it would always be connected to the closest server: the one in Lisbon
(cf. point 476 of the Defense).
219. The statement that the “Business” plan does not allow routing to other servers with less
“cargo” other than that of Lisbon (cf. point 477 of the Defense), is completely dissonant with the content of the
"Self-Serve Subscription Agreement” and the respective addendum on data processing (Data Processing
Addendum version 3.0. — cf. Defense Exhibit No. 66).
220. The allegation, in paragraph 658 of the Defense, that “[it flows based on the information made available by the
Cloudflare, Inc., namely in its Privacy Policy (cf. Policy attached as document no. 68), in
Transparency Report (cf. Transparency Report which is attached as document no. 73) and in your Cloudsflare's
commitment to GDPR compliance [...], that INE withdrew its conclusions about the legislation and practices
applicable to Cloudflare, Inc. in the context of contracted services” could be
considered was not the fact that INE signed the contract in "February/March 2020" (cf. point 617
Defense) and the two documents invoked here are later, while Cloudsflare's commitment
to GDPR compliance does not exclude, as shown, the application of US legislation.
221. And, therefore, in view of the content of the contract signed by INE, it is incomprehensible that he should now claim, in the
point 682 of the Defense, which, '[...] according to its understanding based on the information given to it
made available, these data were never in American territory, nor in the possession of the subcontractor”.
In effect, at this point of the Defense only a conviction of INE is invoked, not supported by facts, such as
demonstrated.
222. As for the defense's invocation of what it calls the European Committee's Guidelines for
Data Protection (CEPD) - and which correspond to Recommendation 01/2020 -, nothing in this document
contradicts the interpretation that the CNPD makes of the RGPD, which strictly follows the judgment of the TJUE Schrems Il, of July 16, 2020, given that the CNPD never stated that there could be no flows of personal data to the
USA; he only reaffirmed that they depend on the adoption of complementary measures.
2923. Furthermore, the CEPD document has a merely guiding nature, in the sense of supporting the
responsible for the application of the RGPD, so the absence of these guidelines cannot justify the
 However, these guidelines do not exist in breach of the obligations arising from that Regulation — the
in relation to other obligations that fall on the person responsible, and this does not mean that he is released from the
to accomplish.
224. Regardless of the date of final approval of said CEPD Recommendation 01/2020, the truth
is that they were approved and made available for public consultation on November 10, 2020, by the
that, right there, INE had the opportunity to learn about CEPD's recommendations on this matter, very
before carrying out the census operation.
225. The Defense's lengthy claim that, at the time Cloudflare, Inc.
was the transfer of personal data safeguarded by the adequacy decision of the European Commission
(Privacy Shield), which was only declared invalid by the Schrems Il judgment of July 16, 2020, not
removes the obligation that falls on any person responsible for the processing of personal data of
verify that the treatments it performs comply with the conditions and limits set out in the RGPD, requiring the
an entity such as INE, which processes personal data with special sensitivity and on a large scale,
permanent attention to the legal framework of its treatments.
226. In any case, the Schrems !l judgment was published long before the 2021 Census operation was carried out
(on July 16, 2020), however, the Defendant is obliged to comply with the data processing
personal projected with the said judgment, and had enough time for the effect.
997. Incidentally, the contract with Cloudflare, Inc., which is alleged to have been entered into in February/March 2020 (cf.
point 617 of the Defense) was concluded only for 11 (eleven) months, therefore, in effect, at best
until the end of February 2021. On the date of the possible renewal of the contract, the judgment of the CJEU to be declared
the adequacy of the European Commission (Privacy Shield) had already been handed down for more than seven months, invalid
therefore, both parties cannot ignore its content.
228. The Defendant further alleges that the contracted service ensured a set of technical measures able to
ensure compliance with GDPR (cf. point 677), namely: pseudonymization of personal data and encryption
of information. 229.From the outset, the Defendant refers to Annex 2 of the Data Processing Addendum, not attaching the aforementioned
annex, which contains the technical and organizational security measures to be adopted by Cloudflare, Inc., not
thus demonstrating that they were relevant to the formation of the will to hire on the part of
from INE.
230. Regardless, none of the measures invoked was actually applied in the contract
concluded by INE, nor could it be due to the nature of the contracted service (of CDN).
231. On the one hand, there was no pseudonymization of personal data.
232. On the other hand, regarding encryption, as will be better demonstrated in the next point, the service
contracted by INE implied that Cloudflare, Inc., had the encryption key and decrypted the
data packages.
233. The alleged data protection considerations in hiring Cloudflare, Inc., did not,
thus demonstrated; on the contrary, what the facts demonstrate is a lack of care, not to say
contempt, by the personal data protection regime and by the relevant jurisprudence in this matter.
234. In view of the above, the Defendant resorted to a subcontractor that does not provide sufficient guarantees of
execution of appropriate technical and organizational measures to comply with the RGPD, at most its chapter V, which
is clearly demonstrated by the clause of the contract itself, in violation of the obligation set forth in
Article 28 of the GDPR.
x. There were no data transfers to third countries
235. Following the explanation above, the Defendant sustains, in several points of the Defense (for example,
points 531 et seq.), that the holders' data would never pass through servers other than those in Lisbon,
this being the server that would be geographically closest to the holder.
236. For what it considers impossible and impractical, from a technical point of view that data from the
census operation Censuses 2021 may have transited through servers located outside the European Union
(cf. point 591 of the Defense).
237. Finally, the Defendant argues that the CNPD was unable to produce proof of any transfer of
data for third countries.
Analyzing, 238. Firstly, it is evident, from the Defense presented, that the Defendant does not know whether the data
holders' personal data, in response to the census operation Censos 2021, transited or not through servers
from third countries.
239.Based on mere presumptions, the Defendant argues that this probability is very low, as
where there is a Cloudflare, Inc. in Lisbon and, given the criterion of geographical proximity, it would be
this to be used.
240. The Defendant also assumes the possibility that personal data, in the event of a "load" on the server, may have
status in “mere transit” - an expression used in the Defense - on servers located in third countries.
241. The Defendant did not provide proof that he adopted the appropriate guarantees, within the scope of the operation
Census 2021 census taker, in accordance with Chapter V of the RGPD, as required, and therefore
violated article 44 of the GDPR.
Otherwise, let's see,
242. Firstly, it is clarified that the CNPD never questioned that “personal and other data
information collected in response to the 2021 Census via the internet [..] were always [..] housed
in the systems and infrastructure of INE itself [..]' (cf. points 527 and 528 of Defense). what has always been
concerned was the transit of personal data.
243. The use of a CDN aims to reduce the latency of invocations to websites, reducing the time of
loading. A web page can be composed of a set of resources that are requested by the user.
client to server when rendering"? of the page on the browser screen (or another type of application used
to access HTML pages made available online). How many more resources are needed (e.g.,
images, style files, code files, video and/or audio files), and the longer the time for
download them to the client's machine, the longer the graphical presentation of the page will take
be completed.
244. Considering the majority of websites, the time the page is displayed to the visitor/user
depends, to a large extent, on the delay in delivering these resources when they are requested (from the browser/Internet browser side) to the server, and then sent back from the server to the browser. Once the
Internet communications are materialized by electrical circuits with electronic components such as
"routers" along the path, the transit time is very dependent on the number of hops (hops'*) that the packets of information have to go through when being "routed!*" from one point to the other.
The greater the geographic distance between nodes, the greater the probability that the number of forwarders
increase, and thus also the time it takes the packet to go from source to destination.
245. The use of CDNs is intended to reduce the page loading time, acting precisely on
this transmission time, as explained below.
246. Resources or content can be divided into two types: static and dynamic. The contents
static files (e.g., images, audio, video, CSS style files, javascript code files) do not vary and
are always the same, remaining unchanged for any of the invocations. Dynamic content (e.g.,
HTML pages, in this case, the forms) are processed in each request, being able to produce a
distinct result each time; may vary, for example, depending on the parameters sent in the request to the
server (e.g. querystring, POST parameters, cookies).
247. In this way, static content can be cached and reused over and over again
without becoming outdated, without causing any damage to the user experience. not the same
happens with dynamic contents, which have to be processed with each invocation.
248. CDNs aim to reduce loading times and for that they make content available
static files faster by keeping them cached. Since these contents do not change after
the first request has been served, the remaining requests can reuse the content that was stored
locally, without having to request it again from the server where the website resides.
249. For this to happen, traffic from the client (browser) to the server is directed to a network of
provision of content (in this case, the CDN), made up of several machines connected to each other. If the order
that arrives at one of these machines, possibly the closest geographically to the customer, is related to
static content, and if it has previously been cached on that machine, the CDN will no longer
forwards the request to the server and serves the resource directly to the client (browser), reducing
noticeably response time.
250. As for requests for dynamic content, this cannot be done. The order arrived at
of these machines, it is forwarded to the server that awarded the CDN service (in this case, INE) and processed at each invocation, therefore, due to its nature, it cannot be stored and reused
for future requests.
251. As is understood, CDN machines only store static content, once
since the dynamics would be of no use to them because they cannot be reused.
252. In the aforementioned paragraph 469 of the Defense, later reaffirmed in paragraph 479, the Defendant alleges that “the contents
dynamic features of the 2021 Census website - more specifically, the specific electronic form for
collection of the questionnaire [..] which contained personal data of citizens [..] were never stored in the cache
from Cloudflare, nor was it demonstrated that your traffic was carried out through the CDN of CLoudflare LJ
253. The first part of the allegation is correct, given that the CNPD never stated that the contents
dynamics were cached. In fact, to make a CDN useful, only static resources need
to be kept in cache.
254. The second part of the above statement, which states that the transit of requests for content
dynamics, and respective responses, by the CDN of Cloudflare, Inc., has not been demonstrated, is not true, as
This is demonstrated by the evidence collected by the CNPD, relating to the traffic of requests for dynamic content,
with responses to the Specific Electronic Form (FEE), by the servers of Cloudlflare, Inc.
255. In order to verify this fact, the CNPD carried out several investigations, which focused on the operation
of the form available at censos2021.ine.pt. The form was tested and the respective sessions were recorded,
extracting images that demonstrate the opposite of what was stated by the Defendant in the Defense (cf. Attachments to the
document Info UI AVG 2021 401 Il v1.0.docx, “Screenshots showing the data packets
 exchanged between the client and the servers (*.ine.pt), while completing the 2021 Census form",
fis. 29 and 30).
256. Indeed, by accessing the 2021 Census questionnaire online, available at censos2021.ine.pt, the
user was prompted to enter the code and password contained in the letter he received at his residence.
Submission of the form would send this data back to the address censos2021.ine.pt, as
appears in the images of the session maintained between the browser and the server (cf. Attachments to the document Info ULAVG
2021 401 Il v1.0.docx, “Screenshots showing the data packets exchanged between the client and
 2027 Census Report”, pgs. 29 and 30). the servers (*.ine.pt), when filling out the form
257. After completing, in the online form, the answers to the questions that made up the
2021 Census questionnaire, which collected personal data, the data was sent to another server
web at fee.ine.pt, as can also be seen in the images of the session (cf. Attachments to the document Info UI AVG 2021 401 Il v1.0.docx, “Screen captures showing the data packets exchanged between
the client and the servers (*.ine.pt), when filling out the 2027 Census form", pages 29 and 30).
This server implemented the FEE whose purpose was to collect data from respondents.
258. Both the censos2021.ine.pt website and fee.ine.pt were being, until April 26, 2021,
resolved to IPs assigned to Cloudflare, Inc., as attested by DNS20 lookup queries performed during
the expertise, some of which were collected as evidence (cf. Annexes to the document Info Ul AVG 2021 401
v1.0.docx, "Domain name resolution, IP lookup, reverse DNS, routing/, pages 22 to 28).
259. It is thus proven that requests for both static and dynamic resources (the latter
containing personal data of census respondents) were being forwarded to the machines under
responsibility of Cloudflare, Inc.
260. As stated in point 470 of the Defense, that personal data would not be being
forwarded to Cloudflare, Inc.'s servers is not true.
261. It should be added, for better clarification, that what the CNPD presents, in the information dated 16
September 2021, is a compliance scenario for the use of the CDN, which went through the submission of requests
for dynamic content to be sent directly to the INE server in Lisbon; just in case
Concretely, this scenario did not materialize.
262. Therefore, the conclusion advanced in point 482 of the Defense is also unfounded. In terms
technicians, as the CNPD well explained in that information, the use of CDNs was never in crisis, but
the way in which the online data collection for the 2021 Census was carried out. It is technically possible, and yet
thus advantageous in terms of performance and security, maintaining the use of the CDN for storage and
availability of static resources, and the submission of data can and should be done directly
to the controller's end server.
263. And what is stated in point 552 of the Defense is also inaccurate, where it says “[..] on the contrary, the data
personal data and other information collected in response to the 2021 Census via the internet [..] were
directly directed to the INE data center”.
264. In the "Communication from Cloudflare of 04-05-2021" (according to point 537 of the Defense), the company assumes that
[.] Portuguese citizens seeking to provide information to INE for the census would have been directed to INE's website through the Cloudflare data center closest to the user, scanned for malicious code or activity
as directed by INE, and sent directly to INE's hosting servers LJ".
265. This statement is in line with the analysis and conclusions of the CNPD on the process of
forwarding information from the client to the server and contradicts the Defense of
that requests for the dynamic contents of the site, which include participants' responses to the questionnaire,
would not be being forwarded by Cloudflare, Inc.'s CDN.
266. As Cloudflare, Inc. admits, participant responses would be forwarded to 0
data center closest to the user (which for citizens filling out the questionnaire in Portugal
allegedly the Lisbon data center) and analyzed to detect malicious activity or code
[through the WAF (Web Application Firewall) service, subscribed by INE to Cloudflare, Inc.], and only then
sent to INE's servers, according to INE's own instructions, which, therefore, could not
unaware of this fact - contrary to what he is now claiming.
267. The communication from Cloudflare, Inc., contradicts the claim that the submission of personal data collected
in the online survey would not pass through the servers of Cloudflare, Inc., but would be forwarded directly
to the INE server.
268. It is important to clarify that any of the services provided, CDN or WAF, oblige the machines of the
Cloudflare, Inc., who receive the requests, to have access to the packet data to know the
destination they will be given. If in the case of CDN the package is opened to determine if the requested resource is
static and if it is in cache, in the case of WAF the package is opened to verify the possibility of attack,
such as malicious code injection.
269. Just as what was written in point 553 of the Defense is also not true. The evidence taken from the forensics
carried out maintain that from the beginning of the online questionnaire collection operation until the end of the day of the
CNPD inspection of INE, or the address censos2021.ine.pt, where the user is prompted to enter data
personal information such as the code assigned to your home and the respective password, or the address fee.ine.pt, to
where data from the answers to the 2021 Census questionnaire would be submitted, were being resolved
to IP addresses assigned to Cloudflare, Inc., which would cause traffic to those addresses to be
routed to machines under the control of that company.
270. In points 558 to 561 of Defense, it is admitted that the WAF service, subscribed by INE to Cloudflare, Inc.,
 ise of “specific elements associated with the communicated information”. subjects information packets to analysis
In order to collect information from respondents, they [..] enter their answers in the
FEE application [..] made available on that same website [censos2021.ine.pt and fee.ine.pt|”, and then “the data (personal and non-personal) contained in these responses must be transmitted to the data center
from INE.”. It goes on to say that “it is in this transmission that attacks can occur [..]. In order to prevent these
attacks [..] the WAF acts as [..] [a] shield placed between the user and the server, in such a way that the
network traffic (namely, responses entered by citizens in the FEE) must pass through
first through this firewall before reaching the INE server.”.
271. It follows that information packages with personal data are opened and inspected by the
WAF service from Cloudflare, Inc., which turns out to be recognized by the Defense, in clear contradiction
with the previously claimed.
272. Indeed, in paragraph 562 of the Defense, the Defendant states that this operation is carried out “without accessing the content
of the transmitted information”, which would be a contradiction and obviously does not correspond to the truth. In fact,
all packages are opened and for the analysis of the content to be done, “automatically”, the WAF will
focus on the elements that are in the body of the request. These elements include the input fields
constant data on the pages of the questionnaire with the values filled in by the respondents. To
analyze the body of the request, the WAF has access to all the information entered by the respondent in the fields
that you have at your disposal.
273. Again, Defense point 564 is untrue. Here it is said that “WAF does not access the content of the
information in traffic, and there is no [..] any possibility of accessing or consulting personal data
contained in the responses transmitted to the INE server”. This statement even enters into
contradiction with other allegations of the Defense, specifically in point 561, where it is said that “the firewall of the
Cloudflare analyzes specific elements associated with the communication that may indicate attacks [..]".
274. At the same time, point 569 of the Defense is, for the same reasons, false. Here it is said that “in the use
of the three Cloudflare services [WAF, CDN, Rate Limit], no access or
transmission, to Cloudflare, of responses entered by respondents, namely responses
inserted by them in the FEE available on the website «CENSOS2021.INE.PT», being redundant to refute this
statement, given the exhaustive explanation already provided here.
275. Regarding the alleged impossibility and impracticability, from a technical point of view, of the data
from the Census 2021 census operation having transited through servers located outside the Union
Union (cf. point 591 of Defense), it is important to compare the content of the communiqué from Cloudflare, Inc., with the
Defense allegations, to reach the opposite conclusion. 276. Although Cloudflare, Inc., has registered IPs in the European Union, the IPs for which the address
censos2021.ine.pt Resolve are registered in the USA - 104.22.20.250 and 104.22.21.250 (cf.
https://bgpview.io/asn/13335%prefixes-v4 ).
977. The fact that the servers are using IPs from Cloudflare, Inc., registered in the USA, when the company
has IPs registered in the territory of the European Union, it is in itself demonstrative that there was no care
to ensure that personal data would only circulate within the territory of the Union.
278. Incidentally, evidence that Cloudflare, Inc. transmitted and transmitted personal data to the US even in
contracts that guaranteed customers access service restricted by geographic area (Cloudflare Data
Localization Suite) can be easily found on the company's website, in the
made available. There, at the time of the facts, it was reported that:
"Regional Services. Cloudflare has data centers in over 200 cities across 100+ countries. Regional
Services together with our Geo Key Manager solution allows Customers to pick the data center
locations where TLS keys are stored and TLS termination takes place. Traffic is ingested globally,
applying L3/L4 DDoS mitigations, while security, performance, and reliability functions (such as, WAF,
CDN, DDoS mitigation, etc.) are serviced at designated Cloudflare data centers only. With Regional
Services, some metadata will still be transmitted to our core data center in Portland, Oregon. However,
the only Personal Data we collect in these logs are IP addresses. [..]" (emphasis added) — cf.
httns://web.archive. org/web/20210426141842/hitps://www.cloudflare.com/gdpr/introduction/?
279. In other words, the metadata, in which is personal IP data included? of the respondents, collected by the
Cloudflare, Inc. in the audit logs, were transmitted to the US.
280. It is also significant that, however, the information made available on that website has changed,
failing to state that the metadata is transmitted to the US (cf.
https://www.cloudflare.com/gdpr/introduction/), which perhaps occurred as a result of the
deliberation of the CNPD and also of other draft decisions of other supervisory authorities of Member States of the European Union.
281. It is also true that the services provided by Cloudflare, Inc., namely those contracted
by INE when it subscribed to the Business Plan, place the company directly under the jurisdiction of the
USA, which imposes on you the obligation to grant mass access to the personal data you process, from the outset as a provider of electronic communications services?, without prejudice to other types of services
also be covered by other provisions of US surveillance and security legislation
national.
282. Cloudflare, Inc. acknowledges in point 7 of the Data Processing Addendum version 3.0 that, in its role as
subcontractor, may be subject to requests for access to personal data by third parties within the scope of
of legal procedures, which may be "inconsistent" with the law applicable to your customer, i.e. the GDPR.
In such event, where there is a conflict of laws, Cloudflare, Inc., declares that it will immediately inform the customer, "unless
that such notification is legally prohibited' (cf. point a) clause 7.1).
283. Well, it is precisely this US legislation that prevents US companies from
inform their customers of the access made by the US authorities for the purpose of collecting
information about foreigners, in the context of national security activity.
284. Faced with these facts, the person responsible was not able to demonstrate, as required by paragraph 2 of article 5.
and by paragraph 1 of article 24 of the RGPD, which applied the appropriate measures to ensure and be able to prove that
the processing of personal data was carried out in accordance with the GDPR, in particular with article 44.
of the GDPR.
285. It is also important to emphasize that the Defendant, also in what he considers to be valid arguments for the
its Defense, comes again to show the weaknesses of monitoring the normative changes operated
with the entry into force of the RGPD, from the outset, when it insists that the mere transit of personal data through
third countries is not legally relevant today.
286. In fact, paragraph c) of paragraph 1 of article 4 of Directive EC/95/46, of October 24, 1995, as well as
aa fnea c) of paragraph 3 of article 4 of Law 67/98, of 26 October, which transposed the Directive, excludes from the scope
of application of data protection legislation, if the person responsible is not established in the territory
national, the processing of personal data when the means were used for transit. 287. However, this provision was not included in the RGPD, and therefore the transit of personal data was not
excluded from its objective scope of application, given that it corresponds to an operation on data
personal data, pursuant to paragraph 2) of article 4 of the GDPR.
288. Incidentally, in paragraphs 602 et seq. of the Defense, the invocation of CJEU jurisprudence to substantiate
that the transmission of personal data to third countries would not fall within the scope of
objective application of the current data protection legal regime is, strangely, reduced to a judgment
of 2003, which identifies itself as “[..] one of the only cases decided by the CJEU on restrictions on
data transfers to third countries [...]" (cf. point 602 et seq. of Defense), when it is certain that
there is numerous jurisprudence of this Court on the transmission of personal data to third countries,
part of which already considering the RGPD - Judgment Maximillian Schrems c. Data Protection Commissioner
(Schrems 1), proc. 0-362/14, of October 6, 2015, the judgment Data Protection Commissioner c. Facebook
Ireland Ltd and Maximilian Schrems (Schrems !l), proc. C- 311/18, of July 16, 2020, and also from the TJUE the
Opinion 1/15, of July 26, 2017, on the PNR agreement between Canada and the EU.
289.Being also certain that there is no parallelism, nor basis for analogy, between the case
considered in that judgment mentioned by the Defense and the case analyzed here.
290. On the other hand, what is stated in paragraphs 610 and following of the Defense is not relevant to the case in question.
appreciation, since the aforementioned position of the UK supervisory authority is based on the assumption,
explained in the aforementioned quote, that there is no access or manipulation of personal data when the
they arrive at the server located in the territory of a third country. However, the CNPD has already demonstrated that the services
from Cloudflare, Inc., hired by the Defendant, require the opening and verification of information packages,
so that position is, in this context, irrelevant.
297. Regarding the invocation of the European Data Protection Board (ECPD) document that the Defendant
identifies by “Guidelines 1/2020" - rectius, the Recommendations 1/2020 regarding complementary measures
to the transfer instruments to ensure compliance with the level of protection of the personal data of the
EU -, nothing in this document contradicts the CNPD's interpretation of the RGPD, which strictly follows the judgment
of TJUE Schrems ||, of July 16, 2020, given that the CNPD never stated that there could be no flows
of personal data to the US; only reaffirmed that they depend on the adoption of measures
complementary.
299.Furthermore, the CEPD document has a merely guiding nature, and the person responsible is not
exempted from complying with the obligations arising from the RGPD as long as there are no guidelines or
recommendations of that body.293. Regardless of the date of final approval of the CEPD Recommendations 1/2020, the
The truth is that they were approved and made available for public consultation on November 10,
2020, so that, right then, INE had the opportunity to learn about CEPD's recommendations on this matter,
convening, at this venue, what was said above, in points 223 to 225 of this Resolution.
294. In summary, the Defendant did not apply the appropriate measures to ensure and be able to prove that the
processing of personal data was carried out in accordance with the GDPR, in particular with article 44 and the
2 of article 46 of the RGPD, but the CNPD considers the breach of obligation to be consumed in this infraction
adoption of appropriate security measures provided for in article 32 of the RGPD.
xi. About the mandatory Impact Assessment on Personal Data
295. The Defendant alleges that in the 2021 Census statistical operation the Impact Assessment on the Data
(AIPD) may be waived.
296. Namely when there is a pre-existing AIPD already carried out for a previous statistical operation
identical.
297. In the opinion of the Defendant, this is what happens, in casu, insofar as he has an authorization issued
by the CNPD under the terms of Law No. 67/98, of October 26, specifically Authorization No. 2600/2011, which
refers precisely to the General Population and Housing Census operation.
298. Authorization No. 2600/2011 was never subject to alteration, replacement or revocation.
299. Therefore, in the opinion of the Defendant, he was exempt from preparing an AIPD prior to the operation of
processing of personal data.
300. Also because, in his opinion, the only change verified, from the 2011 Census census operation to the
Census 2021 census operation, included adopting risk mitigation measures.
301. The Defendant argues that the very concept of an AIPD cannot necessarily mean that
this is definitely formalized and reduced to writing even before the beginning of the operation of
treatment.
302. The Defendant did not postpone or fail to carry out an AIPD prior to the start of the operation
census.
303. It only proceeded diligently, in seeking to ensure its improvement and updating throughout
of the 2021 Census process. 304. The Defendant also argues that, before the performance of an AIPD can be definitively given by
completed, it must be progressively updated - which the Defendant did, although such AIPD was not
chargeable.
305. Therefore, it cannot be considered that the Defendant carried out the AIPD at a late time, but rather that he must
if it is considered that the Defendant has diligently fulfilled an obligation that was not so inapplicable to him.
306. It was only possible in the context of the main census operation Census 2021, due to the pandemic context
and health emergencies, definitively decide on collection processes and application functionalities
used, therefore, only at that moment was it justified to carry out the DPIA.
307. This does not justify any failure of the DPIA, being only the result of the context of uncertainty
constant experience due to the Covid-19 pandemic.
308. The Defendant further alleges that the fact that the main census operation Census 2021 includes, in itself
same, different personal data processing operations, does not mean that all these operations
entail such a risk and that all require an DPIA.
309. With the exception of the operation of collecting and processing data on respondents to the Census questionnaire
2021" - duly reflected in the AIPD carried out - there does not appear to be any other data operation carried out
that constitutes any risk, for the holders of personal data.
310. Therefore, the AIPD carried out is not insufficient.
311. It also adds on the AIPD that it punctually complied with the minimum content to which it was bound
pursuant to Article 35(7) of the GDPR.
Let's see,
312. It should be noted, from the outset, that CNPD Authorization No. 2600/2011 had the purpose of processing
personal data carried out in a temporally delimited census operation — year 2011 +, reason why
that that authorization has exhausted its effects, or if you prefer, expired, ipso iure, with the expiry of said
operation.
going specifically for the 2011 census operation and in accordance with 313. Furthermore, the authorization was valid
the elements notified by INE to the CNPD at the time, so that, due to the changes produced in the operation
census of 2021 compared to that of 2011, it would always have to be concluded by the expiry of that
authorization. 314. Namely, that authorization does not include any reference to the collection of responses to
surveys via the Internet, nor transfers of personal data to third countries - which, as
seen above should be analyzed and mitigated - as it does not even mention the existence of any
subcontractor, much less based in a third country, all novelties introduced in the processing of
personal data carried out in the 2021 census operation, which potentiate risks to the rights of
holders.
315. Furthermore, the Defendant himself acknowledges, with regard to the 2021 Census operation, the need to adopt “(...)
a new census model in 2021”, a model that “(..) based, totally or partially, on the use of
administrative information”. (cf. points 56 and 57 of the Defence).
316. In effect, [the] transition to an administrative-based census model would therefore have in view (...) the
reinforcement of the integration of census data in INE's statistical information system on
families (...)" (cf. point 58 of the Defense).
317. From which it is clear that, clearly, the conditions in which the 2011 census took place
are not identical to the 2021 census operations, so that it would always have to be considered expired
authorization.
318. And an expired administrative act does not produce legal effects for the future, and therefore cannot be
subject to revocation or replacement, as a result of paragraph 2 of article 166 and paragraph 1 of article 173 of the Code
of the Administrative Procedure, so the Defendant could never have the expectation that the non-revision of the
authorization by the CNPD would mean the confirmation or extension of its content for the census operation
from 2021.
319. Incidentally, the fact that each census operation is regulated specifically and autonomously by a diploma
legal - see Decree-Law No. 226/2009, of September 14th, and Decree-Law No. 54/2019, of September 18th
April - demonstrates that each census operation implies an autonomous and
distinct and therefore has a specific legislative framework.
320. Moreover, this conclusion is reinforced by the fact that Decree-Law No. 54/2019 does not even have to revoke
Decree-Law No. 226/2009, just as this diploma did not revoke the Decree-Law on the 2007 Census.
321. It cannot, therefore, be claimed that the processing of personal data arising from the census operation
2021 is the same treatment, not even equivalent, to that carried out in the context of the 2011 Censuses.
322. Reasons for which the arguments of the Defendant, contained in points 710 to 745 of the
Defense, on the use of the content of Authorization No. 2600/2011 in the context of the 2021 census operation to claim to be exempt from an obligation provided for in the RGPD and applicable to it since
May 25, 2018.
323. Furthermore, the Defendant was obliged to carry out the AIPD, under the terms explained in paragraph 1 and paragraph b) of
n.º 3 of article 35 of the RGPD, it being clear that the 2021 census operation involved the collection and
subsequent treatment on a large scale (the entire population residing in the national territory) of
special personal data, more specifically, data relating to religion and health.
324. It is also important to remember that the AIPD corresponds to a joint evaluation of the data processing
personal data, so it should not be restricted only to the conditions for processing special data, leaving
outside the processing of other personal data.
iás, Regulation no. 798/2018, of 14 November, on the list of processing of personal data 325. À
subject to an Impact Assessment on Data Protection, approved by the CNPD under paragraph 4 of article
35 and paragraph k) of paragraph 1 of article 57, both of the RGPD, provides in paragraph 2 the obligation to carry out
an DPIA when in question is a "[...] processing that relates personal data provided for in paragraph 1 of the
Article 9 or Article 10 of the GDPR or data of a highly personal nature", as is clearly the case

in the 2021 Census.
 in addition to the Defendant collecting personal data that fall under the category of data 326.
special conditions, provided for in paragraph 1 of article 9 of the RGPD, also collects personal data that reveal the private life
and family, in their most intimate redoubt of daily life, corresponding to the data category of
highly personal nature that the Article 29 Working Group highlights to consider them a criterion
covered by Article 35(1) of the GDPR (cf. point 4. of the Impact Assessment Guidelines
on Data Protection and which determine whether the processing is "likely to result in a high risk"
for the purposes of Regulation (EU) 2016/679 - WP248 rev.01, revised and adopted on 4 October 2017),
which was assumed by CEPD on May 25, 2018.
327. Criterion that is also set out in no. 2 of Regulation no. 798/2018, of 30 November,
concerning the list of personal data processing subject to a Data Protection Impact Assessment.
328. Therefore, the obligation to carry out the AIPD is not restricted to formally special personal data or
sensitive, and should extend to all personal data subject to processing in the 2021 Census operation,
 point 2) of article 4 of the RGPD, also because the processing of personal data, as defined in the
comprises the completeness of the operations carried out on personal data in the context of a
particular activity or operation. 329. As for the relevant moment for carrying out an DPIA, it is clear that it must be prior to the
start of the processing of personal data, as is explicitly stated in article 35(1) of the RGPD
(l...] the person responsible for the treatment carries out, before starting the treatment, an assessment of the impact on
the protection of personal data. [...]" (emphasis added), and also in recital 90 of the RGPD,
irrespective of the fact that it may be subsequently revised according to the needs
330. Now, on April 26, 2021, during the inspection, the CNPD asked the Defendant to provide the AIPD, the correspondent
opinion of the data protection officer (DPO), copy of the contract signed with the contracted company
to, on a technical level, develop the form for collecting and further processing personal data
associated with the 2021 Census (AGAP2IP) and copy of the Audit Report carried out by the National Office
of security.
331. That same day, at 9:12 pm, the Defendant sent the CNPD, by email, the elements
mentioned, with the exception of the AIPD and the Opinion of the EPD.
332. On May 27, 2021, the CNPD insisted on sending the missing elements, which were
Received only on June 28, 2021.
333. The document designated AIPD is not dated, indicating only the year.
334. However, it is INE itself that assumes that it has not formalized the AIPD, although it claims to have gathered the “elements
materially characterizing an AIPD, such as the risk assessment of the assets involved in the
various treatments carried out, which is integrated into this AIPD and which was revised in 2020 and in
2021 (before the start of the census operation)”.
335. Thus, no documentation was delivered to the CNPD demonstrating that a previous AIPD had been carried out and
completed at the start of data processing to be carried out within the scope of the 2021 Census operation.
336. In addition, the document sent to the CNPD under the title “Opinion on the Impact Assessment on the
Data Protection of the statistical operation Censuses 2021" of the EPD, is dated May 12, 2021, i.e.
after the date on which the census operation began and after the inspection by the CNPD.
337. Annex 20 to the AIPD, without identification, but recorded as “Treatment of risks”, indicates, as a date
Last update, May 3, 2021. Strangely, no version of the last one was presented.
document with an earlier date, nor with a date before the beginning of the census operation. Furthermore, it is
inexplicable that an updated version of the risks is made in May 2021 while maintaining the protection risks
of data related to the data processing operation that had already been suspended on April 26, 2021 by INE, following inspection by the CNPD and before formal knowledge of the order of
suspension.
338. Notwithstanding that said annex does not comply with the rule of article 54 of the Code of Procedure
 Administrative, according to which “the language of the procedure is Portuguese”, a rule that INE does not
follows with regard to a document prepared, apparently, by its own services and marked at the top
 ise of the risks prior to the beginning of the as “Uso interna - Internal use”, this document does not prove an analysis
treatment.
339. Neither the few references to the document, in the so-called AIPD, in three short paragraphs, on pages
46 and 47 demonstrate the effective assessment of these risks or the adequacy of mitigating measures for them.
340. Now, it is clear that an AIPD must be documented, which is of no use when it is mandatory to
its implementation, an AIPD that is only “in the head” of the person responsible for the treatment.
341. This is precisely the result of several provisions of article 35 of the RGPD, which presuppose that
documentation. As an example, consider the minimum content of an AIPD, specified in no.
said article - firstly, the requirement for a systematic description of processing operations
provided -; or the request for an opinion from the data protection officer imposed by paragraph 2 of the
same article.
342. And it also follows from the joint reading of article 35 of the RGPD with the principle of responsibility,
enshrined in paragraph 2 of article 5 of the same diploma, which determines that the person responsible must be able to
prove that it complies with data protection principles, here directly highlighting the principles of
legality, loyalty and transparency, minimization of data and integrity and confidentiality, whether with the
1 of article 24, all of the RGPD, which provides for the duty to adopt “[...| the technical and organizational measures
that are adequate to ensure and be able to prove that the treatment is carried out in accordance with
this Regulation'.
343. Proof of respect for the GDPR, whether specific obligations or protection principles
of data, implies that the person responsible has elements that demonstrate such compliance, which in the case
the obligation to carry out an DPIA depends on any documented process, whatever the
its support (v.9., paper, digital). It is not, therefore, a question of demanding the “formalization” of the AIPD, but rather of
obligation provided for in article 35 of the RGPD to assume any materialization thereof, which allows
demonstrate its achievement, which the Defendant was clearly unable to do, nor when the CNPD
requested, nor at a prior hearing in this proceeding. Nor is it discussed that an AIPD
it represents a continuous process (cf. point 767 of the Defense). There is no legal basis for the Defendant to consider that, at the start of the census operation, the existence of comprehensive documentation
and complete information on the AIPD, with the elements available, was not required.
344. Furthermore, the argument that the AIPD must be dynamic, subject to revisions and updates
whenever necessary, obviously this does not affect the duty to document the assessment already carried out before the
time of such revision or update.
345.Moreover, in his Defence, the Defendant does not demonstrate that he actually carried out any AIPD before the start
of the operation, nor a full assessment of the risk of transferring personal data to countries
the 3rd.
346. Furthermore, the document called AIPD is not complete, since it only refers to four
data processing, namely: “Processing 1(T1) Data necessary for contact with the representative of the
aggregate (data taken from the National Accommodation File)"; “Treatment 2 (T2) Respondent data
(statistical data provided by respondents when completing the Census form,
regardless of the means of transmission of information)"; "Processing 3 (T3) Data from subcontractors
involved in Census activities”; “Treatment 4 (T4) Base Resident Population (BPR) - Only as
reinforcement of the quality of the census results, in the statistical treatment phase, and, within the scope of the
contingency arising from the COVID 19 pandemic, allow imputations in case of non-response;
347. It should also be considered and emphasized that the pandemic period experienced did not suspend the obligations
resulting from the GDPR for those responsible for the processing of personal data and, in particular, do not
suspended the duties and obligations imposed on administrative entities.
348. Therefore, it can only be considered that the Defendant confirms, with his Defense, the lack of
carrying out a DPIA, confirming the non-compliance with the provisions of article 35 of the RGPD.
xii. Lack of communication from the EPD
349. The Defendant alleges that he communicated the contact details of his EPD to the CNPD.
350. On 22.05.2018, the Secretariat of the INE's Board of Directors sent, to the email address
geral(menpd.pt, a communication informing that the law graduate Ana Dulce Pinto, Superior Technician
Specialist in Statistics at INE, appointed in charge of data protection at INE, from 25
May 2018. 351. On 19.05.2021, INE's Board of Directors decided to renew the mandate of Dr. Ana Dulce Pinto
position of EPD at INE, for the three-year period 2021/2028.
Let's see,
352. It should be noted that the Defendant provided sufficient proof of the practice of the obligations resulting from the provisions of
1 and 7 of article 37 of the GDPR.
353. Namely by attaching an e-mail to the present case file.
354. This is why the CNPD understands that the infringement for which it was accused has not been verified.
xiii. Exemption from fine, under the terms of 44.º n.º 2 of Law 58/2019
355. The Defendant considers that the specificity of the processing of personal data carried out in the context of
Census 2021 census operation does not raise particular needs for general or special prevention, which
oppose the waiver of a fine, pursuant to the provisions of Article 44(2) of the LERGPD.
Let's see if such a regime can be applied to the Defendant,
356. The mechanism provided for in paragraph 2 of article 44, now requested by the Defendant, does not constitute any
principle-rule of waiving the application of fines to public entities.
357. Nor could it be, under penalty of seriously contradicting the provisions of paragraph 1 of the same article 44.º.
358. In fact, the national legislator, via paragraph 2 of article 44, created a mechanism that can be
used only and only by public entities.
359. This mechanism is not the general rule, as it is contained in paragraph 1 of article 44, which provides for the application of
fines to public and private entities alike.
360. Paragraph 2 of that article represents only an exceptional regime for public entities.
361. Which is still dependent on a “duly substantiated request” to the Control Authority.
362. 0 which, incidentally, was clarified in Deliberation/2019/945 issued by the CNPD, which made explicit that the
waiver of imposing a fine on public entities depends, under the terms of article 44(2)
of the LERGPD, of a discretionary (or autonomous, in the sense of not predetermined by law) assessment by the
CNPD of the grounds invoked by the applicant. 363.Now, in the case of the Defendant, it should be noted that we are facing a high number of administrative offences,
practiced within the scope of the same census operation Census 2021.
364. On the other hand, we are facing a massive data processing operation, that is, the universe
of affected personal data holders is very broad (the entire population in Portugal in terms of
generality of data processing, and more than 6 million people regarding transfers
international data).
365. In addition, some of the infringements concern the processing of specially protected data
by GDPR.
366. It should also be noted that the Defendant was charged with several violations of the provisions of the RGPD, which
are classified as severe and punishable by the highest penalty provided for in the GDPR.
367.All in all, it is concluded that there are weighty reasons for imposing a fine on the Defendant, not
envisioning any exceptional circumstance that deserves consideration for the purpose of its non-application.
368. In view of the lack or insufficiency of grounds for the application and considering the nature and
extension of the processing of personal data, as well as the seriousness of the infractions, the CNPD rejects the request
waiver of fine formulated by the Defendant.
ill. Facts
369. Of the elements contained in the file, with interest for the decision, it is considered partially reproduced
the constant fact of the Draft Deliberation.
370. It should, however, be mentioned that it is considered proven, contrary to what is contained in the Draft
Deliberation, that the Defendant published his EPD data and communicated them via e-mail to the CNPD.
371. Therefore, the following facts are considered as proven and of interest for this Deliberation:
Between April 19 and May 31, 2021, the census operation “Census 2027” took place;
 ii. It aimed to obtain information about the entire population residing in Portugal, the families and
the Portuguese housing stock;
iii. The response to the 2021 Census by the holders of personal data was mandatory and failure to provide
of information or providing inaccurate information punishable by a fine of between €500 and €25,000, iv. Until April 26, 2021, the date on which the CNPD began investigative measures, had
 around 2.5 million forms were submitted online;
v. Which covered the processing of personal data of more than 6 million people;
vi INE, as a national statistical authority and responsible for data processing
personal, organized the entire census procedure;
vii — By option of INE, the treatment of information by digital means was privileged, to the detriment of the
completion and delivery of physical forms,
viil. Between April 17 and May 7, 2021, a large number of
complaints related to the census operation Census 2021,
ix. The complaints filed relate to four aspects:
The. The legality of the processing of personal data that explicitly identified the
their holders by name;
B. Applicability of collecting special categories of data, such as those relating to religion,
underlining the apparently obligatory nature of the response;
ç. The security of the information handled; and
d. The existence of international flows to countries that may not ensure a
adequate level of protection of processed personal data, compatible with the
European legislation;
x. Within the scope of the powers conferred on it by law, the CNPD carried out the inspection,
having gone, on the 26th of April, to the premises of the INE headquarters, for that purpose.
And still
i Lack of legal basis for the treatment of special categories of data
personal
372. We formed
Censuses 2021 (questions 29.1 to 30) required personal data from special categories.
 presented to data subjects, in order to comply with the obligation to respond to
373. Namely, data relating to health problems and religion of respondents.
374. Respondents were asked about special categories of data in the items in block 3
“Individual” (cf. printing of the online census form with the file): a.20 ('He did not work from April 12th to April 18th because: (...) He is permanently unable to work
the work");
b.29 (relating to the physical difficulties of the respondents); and
c.30 (“Indicate your religion”.
375. The forms were not clear in delimiting the information to be obligatorily provided in view of the
optional information.
376. There was no information that the answer to questions 29.3 to 29.6 and 30 was optional.
377. The questions in group 29. consisted of 6 questions, framed in 3 pages, with two
questions in each of them.
378. Only the first page had information about the optional character.
379. On the next two pages (questions 29.3 to 29.6), the optional nature of the answer was not informed.
380. Item 30., although optional, did not provide any information.
ii. Violation of the duties of informing data subjects
381. INE did not make available on the Census page, nor on the forms, an obvious, highlighted and easily
accessible information where the data subject could know, with the necessary detail, the
circumstances in which the processing of your personal data would take place, or even a hyperlink on that
topic that referred to another page, where such information was provided.
382. Nor was this information about this processing of personal data available on the website
institution of the INE.
iii. Violation of the rules applicable to the employment of Cloudflare, Inc.
383. The contracting of Cloudflare, Inc., did not deserve any prior negotiation or due diligence by INE.
384. INE limited itself to subscribing online to the services provided, in a package, by Cloudflare, Inc.
385. INE opted to subscribe to the “Business” package with Cloudflare, Inc., headquartered in the USA.
386. The “Business” package was, at the time, governed by the "Self-Serve Subscription Agreement", and by the relative addendum
to the processing of personal data (Data Processing Addendum version 3.0, dated 1 October 2020)
which forms an integral part of the contract. 387. Under this contract, INE authorized Cloudflare, Inc. to process personal data outside the Zone
European Economic Agency, to any of the 200 servers used by it, as well as the transfer of
personal data for the USA.
388. The Defendant had at his disposal the “Cloudflare Data Localization Suite”, which contractually allowed him to
geographically circumscribe the servers to be used.
389. Successive subcontracting by resorting to entities established in countries
the 3rd.
390. Under the terms of the contract, the forum for settling disputes between INE and Cloudflare, Inc. is the Court of
California.
iv. Violation of the transfer regime
391. The Defendant contracted the "Content Delivery Network" (CDN) services with the entity Cloudflare,
Inc., which was required to comply with legislation that removes the protection conferred by the GDPR.
392. Services that do not meet the requirements required by law in terms of data transfers
personal data to third countries.
393. On April 27, 2021, the CNPD, through Deliberation/2021/533, ordered the suspension within the maximum period
12 hours of sending personal data from the 2021 Census operation to the US and other third countries
without an adequate level of personal data protection.
394. On April 28, 2021, the Defendant informed the CNPD of the termination, the previous day, of the contract entered into
with Cloudflare, Inc.
395. Cloudflare, Inc.'s “Business” suite provides its own network of servers, many of which are
located in countries that do not ensure adequate protection of personal data.
396. INE authorized Cloudflare, Inc., to process personal data outside the European Economic Area, to
any of the 200 servers used by it, as well as the transfer of personal data to
USA.
397. The decision on which server is used by the citizen who accessed the census form is made by a
algorithm, bearing in mind two criteria: the closest proximity of the servers to the place of origin
access to the form and availability at any time.
398. Once the data entered Cloudflare, Inc.'s network, it was not possible for the Defendant to
know and control where the personal data of the respondents circulated. 399. The domain “censos202L.ine.pt” was resolved to the IP 172.67.41.182, assigned to Cloudflare, Inc., with
headquartered in San Francisco, USA.
400. US law does not enshrine a level of protection of personal data at least equivalent
to that guaranteed by the GDPR.
v. Violation of carrying out an impact assessment on personal data
401. INE did not carry out a DPIA prior to the start of data processing.
402. The document called AIPD sent by the Defendant had a circumscribed scope and
insufficient, as it does not cover the entirety of the treatment, not even relevant dimensions of the operations
of personal data processing.
403. That document only referred to four personal data processing operations: Processing 1(T1)
Data necessary for contacting the household representative; Treatment 2 (T2) Respondent data
(statistical data provided by respondents when completing the Census form,
regardless of the means of transmission of information); Treatment 3 (T3) Data from subcontractors
involved in Census activities; Treatment 4 (T4) Resident Population Base.
IV. Decision motivation
404. The facts given as proven resulted from the participation of the CNPD inspection activity, and from the
Constant defense of the cars.
405. After analyzing the evidence produced in the case file, jointly and critically, it was formed
conviction, based on proven facts.
406. Thus, it is understood that the Defendant's performance configures the practice of 5 foreseen and
punished by the GDPR.
407. As a result, and in view of the factuality found, the practice is sufficiently indicted
by the Defendant, in material authorship, in the consummated form and with eventual intent of the following administrative offences:
An administrative offense provided for and punished by the combined provisions of paragraph 1 of
article 9 and paragraph a) of paragraph 5 of article 83, both of the RGPD, with a fine of up to
€20,000,000 for violating the ban on processing special categories of
personal data; ii. An offense provided for and punished by the combined provisions of articles
12 and 13 and paragraph b) of paragraph 5 of article 83, both of the RGPD, with a fine of up to
£20,000,000 for breach of duty to inform data subjects;

iii. An offense provided for and punished by the combined provisions of paragraphs 1,
6 and 7 of article 28 and paragraph a) of paragraph 4 of article 83, both of the RGPD, with
fine of up to £10,000,000 for breach of compliance with the rules applicable to the
contracting subcontractors,
iv. An offense provided for and punished by the combined provisions of article
44, paragraph 2 of article 46 and paragraph c) of paragraph 5 of article 83, both of the RGPD,
with a fine of up to €20,000,000 for violation of the transfer regime;
v. An offense provided for and punished by the combined provisions of paragraphs 1
and 2 and paragraph b) of paragraph 3, all of article 35 and paragraph a) of paragraph 4 of article 83,
all of the RGPD, with a fine of up to €20,000,000, for breach of the obligation to
carrying out an impact assessment on the protection of personal data.
V. Determination of the amount of the fine
408. In accordance with the provisions of article 83, paragraph 1, items a) to k), of the RGPD, the determination of the measure of
fine is made according to the following criteria:
i — Nature, gravity and duration of the infringement taking into account the nature, scope and
the purpose of the data processing in question, as well as the number of data subjects
affected and the level of harm suffered by them - Violations are considered to be
committed by the defendant assume a significant degree of gravity, bearing in mind the number
data subjects concerned (the entire population in Portugal in terms of
generality of data processing, and more than 6 million people regarding the
international data transfers), the context in which they were
practiced, in particular, the mandatory response to the 2021 Census and the conviction
that questions 29.3 to 29.6 and 30 generated by the conduct were mandatory
from INE. It is also considered the fact that only two of the offenses for which
accused by the Defendant that they are not punishable by the most serious framework provided for in the RGPD (in this case, violation of compliance with the rules applicable to the hiring of entities
subcontractors and the failure to carry out a prior and thorough impact assessment
on the protection of personal data).
ii. Intentional or negligent nature of the infractions and degree of fault:
The. In the case of items i. and ii. of point 407, as a result of a performance
negligent, for not allowing the free formation of the will in the answers to the
questions 29.3 to 29.6 and 30, and for having violated the duty of transparency
embodied in the lack of information to data subjects about the
census operation, acting in violation of the duty of care that according to
the circumstances he was bound and of which he was capable, acting with
awareness of the illegality of the fact;
B. In the case of the offenses indicated in paragraphs iii., iv. and v. of point 407, acted the
Accused intentionally, insofar as he did not proceed with the required “due
diligence” in the choice of subcontractor and signed contract, did not take care of
ensure that personal data was only transferred to third countries
with adequate protection, nor has it taken measures to ensure that the data
would always be treated with an adequate level of protection in a third country,
in addition to not having performed the full AIPD prior to the start of treatment for
Dice; INE knew, and could not fail to know, the binding character
of its obligations and accepted the possibility of carrying out the
facts of which he is accused, for which they are imputed to the Defendant by way of fraud
eventual;
iii. The initiative taken by the controller or processor to
mitigate the damage suffered by the holders - Before being formally notified by the
CNPD of the decision ordering the suspension of the transfer of personal data, the
Defendant, knowing the meaning of the Deliberation, suspended the contract with Cloudflare,
Inc;
iv. Degree of responsibility of the controller or processor having
into account the technical or organizational measures implemented by it under the terms of the
articles 25 and 32 - the defendant is considered to be highly responsible for not having defined technical and organizational measures that are minimally sufficient and suitable for the
protection of processed personal information;
v. Any relevant infringements previously committed by the person responsible for the
treatment or by the subcontractor - which do not occur;
saw. Degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate
its possible negative effects - which cannot be considered adequate, as
in which it was necessary to insist on the delivery of the requested elements at the time of the
inspection;
saw. The specific categories of personal data affected by the infringement - all data
personal data collected through the 2021 Census forms relating to private life
holders, including data classified as special (n.º 1
9 GDPR) and data of a highly personal nature?
viii. How the supervisory authority became aware of the infringement, in particular
whether the controller or processor has notified it, and in case
If so, to what extent did they do so which, in this case, resulted from complaints filed
by citizens;
ix. Compliance with the measures provided for in article 58, paragraph 2, of the RGPD - Following the
inspection, and before formal knowledge of the CNPD's deliberation, the defendant
suspended the sending of personal data from the 2021 Census to the United States and to
other countries without an adequate level of protection and suspended subcontracting with
Cloudflare, Inc., which was required to comply with legislation that removes the protection
conferred by the GDPR. Compliance with codes of conduct approved under the terms of the
article 40 or the certification procedure approved under the terms of article 42 -
criterion that also does not apply, as there is no code of conduct or
certification procedure, under the terms indicated; and
 x. Any other aggravating or mitigating factor applicable to the circumstances of the case, in light of
Article 83(2)(k) of the GDPR, such as the financial benefits obtained or
the losses avoided, directly or indirectly, through the infraction - With the practice
of the administrative offenses against him, the value of the economic advantage obtained by the Defendant through the infractions is unknown, but it was found that in the year
2021, the total budgeted income of INE was €68,830,999 (sixty-eight
million, eight hundred and thirty thousand, nine hundred and ninety-nine euros); it was considered
also, as an aggravating factor, the behavior of the Defendant, during the preparation of the
census operation, which revealed a lack of value for the principles and obligations foreseen
in the GDPR, by relying on intervention by the supervisory authority, rather than taking
the initiative to ensure that the census operation complied with that regime and to create
procedures for that purpose, as well as for the purpose of proving it.
409. In the specific case, we are in the presence of the practice of five offenses, in material authorship and in the
consummated form, with two administrative offenses committed with negligence and three with intent, in competition
effective.
410. In view of the aforementioned criteria, the CNPD considers it necessary to apply, in the case
concretely, of five fines to the Defendant, considering this to be the effective, proportionate and dissuasive measure
which is necessary given the specific circumstances in which the infractions occurred.
411. The framework of fines abstractly applicable to the Defendant is as follows:
i The combined provisions of paragraph 1 of article 9 and paragraph a) of paragraph 5 of article 83
both GDPR;
ii. The combined provisions of Articles 12 and 13 and Article 83(5)(b)
both GDPR;
iii. The combined provisions of article 44, paragraph 2 of article 46 and paragraph c) of paragraph 5
Article 83 of both GDPR;
It has a maximum limit of € 20,000,000.00
412. While the framework of the fine abstractly applicable to the following infractions is as follows:
i The combined provisions of paragraphs 1, 6 and 7 of article 28 and paragraph a) of paragraph 4 of article
83.º both of the GDPR;
ii. The combined provisions of paragraphs 1 and 2 and paragraph b) of paragraph 3 of article 35 and paragraph c)
Article 83(4) both of the GDPR;
It has a maximum limit of €10,000,000.00. 413. Assessing the facts found in the light of the above criteria, the CNPD, under the terms of paragraph
b) of paragraph 2 of article 58 of the RGPD, considers that the application to the Defendant of:
i A very serious fine, due to lack of legal basis for the collection of
special data, the infringement of which was committed negligently, in the amount of €1,600,000 (one
one million six hundred thousand euros);
ii. A very serious fine, for breach of the duty to inform holders of
personal data, the infringement of which was committed negligently, in the amount of €1,600,000 (one
one million six hundred thousand euros);
iii. A fine for breaching the rules applicable to the contracting of subcontracting entities,
whose infraction was practiced with malice in the amount of €200,000 (two hundred thousand euros).
iv. A very serious fine, for violation of the data transfer regime
personal, whose infraction was committed with intent, amounting to €2,400,000 (two million and
four hundred thousand euros);
v. A fine for breach of the obligation to carry out an impact assessment on the
protection of personal data, the infringement of which was committed with intent, in the amount of €400,000
(four hundred thousand euros);
414, Added to the 5 partial fines, it results in a value of €6,500,000 (six million, five hundred thousand
euros).
415. After framing the partial sanctions, it appears, in accordance with paragraph 3 of article 83 of the
GDPR, that “[if the controller or processor violates, intentionally or by
negligence, within the framework of the same processing operations or operations linked to each other, various
provisions of this Regulation, the total amount of the fine may not exceed the amount
specified for the most serious violation”.
416. In the present case, the amount specified for the most serious breach is €20,000,000 (twenty
million euros), which constitutes the abstractly applicable maximum limit.
417. It also provides for paragraph 3 of article 19 of the RGCO, applicable alternatively, ex vi article 45 of Law no.
58/2019, of August 8, that «The fine to be applied cannot be less than the highest of the fines
concretely applied to the various administrative offences", that is to say €2,400,000 (two million and four hundred
thousand euros).418. We have, then, that the abstract frame of the single fine to be applied is between the minimum of 2,400,000
€ (two million four hundred thousand euros) and a maximum of €20,000,000 (twenty million euros).
SAW. Grounds for applying the single fine
419. The essential assumption for the effectuation of the legal accumulation of partial fines is the practice of
several offenses by the same Defendant before the conviction for any of them becomes final.
420. In this sense, in order to proceed with the legal combination, it is necessary to verify the following
requirements, of a procedural and material nature, (i) that they are sanctions related to administrative offenses
practiced before the final and unappealable conviction for any of them, (ii) that have been committed
by the same Defendant and that the sanctions are of the same nature.
421. What is verified cumulatively in the present case, thanks to the existence of the effective competition or
pure, either in terms of a real competition or an ideal competition.
422. Given the conduct expressed by the vast and serious set of offenses committed, by the
vast and extended number of potential holders of personal data affected and very specifically by the
lack of freedom for citizens to provide their special or sensitive data - insofar as
that the response to the censuses is mandatory and the provision of such data appeared to be - it is understood to be
a sanction that reflects the high censure of this behavior, which will translate into a
concrete fine whose value will serve as a dissuasive effect of identical behavior in the next operation
census.
423. In the weighting carried out to decide on the single fine to be applied, and without prejudice to the high degree of
censorship of the Defendant's conduct, reflected in the indifference of the new applicable legal framework, the
CNPD considers relevant the fact that the Defendant has no history of application of
administrative offenses for violating data protection regulations.
424.Now, taking into account, also the legal assets protected by the administrative offenses in question, that the same
committed, it seems effective, proportionate and dissuasive, the application to the Defendant:
i In legal terms, pursuant to the combined provisions of paragraph 3 of article 83 of the
RGPD and paragraph 3 of article 19 of the General Regime of Offenses, a single fine
of €4,300,000.00 (four million, three hundred thousand euros). VII. Conclusion
425. In view of the above, the CNPD decides:
i Do not sanction the Defendant for the practice of the following offenses:
The. An offense provided for and punishable by the combined provisions of paragraph 2 of the
article 5 and paragraph a) of paragraph 5 of article 83, both of the RGPD, with a fine of up to
€20,000,000 for breach of the liability principle;
B. An offense provided for and punishable by the combined provisions of paragraph a)
of paragraph 1 of article 5 and of paragraph a) of paragraph 5 of article 83, both of the RGPD, with
fine of up to €20,000,000, for violation of the principle of lawfulness, loyalty and
transparency;
ç. An offense provided for and punished by the combined provisions of paragraph 7 of the
article 37 and paragraph a) of article 83, paragraph 4, both of the RGPD, with a fine of up to
€10,000,000, for breach of the duty to notify the Control Authority of the
designation of the Data Protection Officer;
d. An offense provided for and punishable by the combined provisions of paragraph c)
of paragraph 1 of article 5 and of paragraph a) of paragraph 5 of article 83, both of the RGPD, with
fine of up to £20,000,000 for breach of the data minimization principle;
and. An offense provided for and punished by the combined provisions of article
37 and paragraph a) of paragraph 4 of article 83, both of the RGPD, with a fine of up to
€10,000,000 for breach of duty;
Apply to the Defendant National Institute of Statistics:
The. A single fine, in the amount of £4,300,000 (four million, three hundred thousand euros);
496. Pursuant to paragraphs 2 and 3 of article 58 of the General Regime on Offenses, inform
the Defendant that the conviction becomes final and enforceable if it is not judicially contested under the terms
of article 59 of the same diploma, within 20 working days after notification. 427. The Defendant must pay the fine, within a maximum period of 10 days, after it becomes
definitive, sending the respective payment slip to the CNPD. In case of impossibility of payment
In a timely manner, the Defendant must communicate this fact, in writing, to the CNPD.
Approved at the meeting on November 2, 2022.
Pursuant to paragraph h) of paragraph 1 of article 19 of Law no. 43/2004, of 18 August, and by
grounds contained in Resolution/2022/1072 of this Commission, of November 2, I ratify said
Deliberation and, consequently, I apply, to the defendant, National Institute of Statistics, |.P. by the practice of
five offenses, in legal combination, under the terms of the combined provisions of paragraph 3 of article 83.
of the RGPD and paragraph 3 of article 19 of the General Regime of Offenses, the single fine of €4,300,000.00
(four million and three hundred thousand euros).
Notify
d.s.
The president,
w "
(Filipa Calvao)