CNPD (Portugal) - Deliberação 2021/548

From GDPRhub
Revision as of 11:12, 20 July 2021 by Jennifervidal (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Portugal |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoPT.png |DPA_Abbrevation=CNPD (Portugal) |DPA_With_Country=CNPD (Portugal) |Case_...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
CNPD (Portugal) - Deliberação 548/2021
LogoPT.png
Authority: CNPD (Portugal)
Jurisdiction: Portugal
Relevant Law: Article 5(1) GDPR
Article 5(2) GDPR
Article 24(1) GDPR
Article 83(5) GDPR
Article 83(5) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published:
Fine: 2500 EUR
Parties: n/a
National Case Number/Name: Deliberação 548/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Portuguese
Original Source: CNPD Website (in PT)
Initial Contributor: Jennifer Vidal

The Portuguese DPA considered that a municipality must not share sensitive data about data subjects which were diagnosed with Covid-19 on social media because these are informations protected by confidentiality for health agents and informations under data protection rules specially because sensitive data can potentially cause discrimination and stigmatization for data subjects.

English Summary

Facts

A Portuguese municipality started to share on its page on Facebook information about Covid 19 contention measures since the beginning of the pandemic. This municipality shared that, in March 2020, a couple of citizens were diagnosed with Covid 19 after traveling to France, also informing their place of residence and the period of the trip. The information was deleted from social media two months later.

The municipality was notified about the decision's project involving violation of the GDPR, specifically lawfulness, fairness and transparency principles and the possibility of a subjection to an administrative fines up to €20,000,000 in January.

In its defense, the municipality alleged the lack of legitimacy of the denouncer of the facts, the lack of guidance from the CNPD on the matter, conflict between the rights of infected people and the rights of all other people, the impossibility of identifying the infected holders between the members of the place where they live with the information disclosed about the displacement to France.

The municipality violated the GDPR by processing personal data as it did, revealing people's health information, as well as information about the trip taken by the patients and the period. As a processing agent, the municipality should be aware of how to carry out the respective processing of personal data.


Dispute

Holding

The Portuguese DPA considered that the case encompasses the biggest violation that can be made to the GDPR as it violates one of the basic principles of data protection, the principle of lawfulness, and also highlighted the fact that the infringement lasted for two months .

The authority highlighted the fact that as the case involves the processing of sensitive data, which constitute a special category of personal data that must be based on one of the legal bases set out in article 9, i, since generic processing is prohibited.

The CNPD fined the Municipality €2500 and understood that this amount took into account the financial situation of the public sector and, also, as a mitigating factor, the absence of economic benefit in the practice of the infraction.


Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.