CNPD (Portugal) - Deliberação 2021/548
CNPD (Portugal) - Deliberação 548/2021 | |
---|---|
Authority: | CNPD (Portugal) |
Jurisdiction: | Portugal |
Relevant Law: | Article 5(1) GDPR Article 5(2) GDPR Article 24(1) GDPR Article 83(5) GDPR Article 83(5) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 27.04.2021 |
Published: | 12.07.2021 |
Fine: | 2500 EUR |
Parties: | n/a |
National Case Number/Name: | Deliberação 548/2021 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Portuguese |
Original Source: | CNPD Website (in PT) |
Initial Contributor: | Jennifer Vidal |
The Portuguese DPA considered that a municipality must not share sensitive data about data subjects which were diagnosed with Covid-19 on social media because these is information protected by confidentiality for health agents and information under data protection rules specially because sensitive data can potentially cause discrimination and stigmatization for data subjects.
English Summary
Facts
A Portuguese municipality started to share on its page on Facebook information about Covid 19 contention measures since the beginning of the pandemic. This municipality shared that, in March 2020, a couple of citizens were diagnosed with Covid 19 after traveling to France, also informing their place of residence and the period of the trip. The information was deleted from social media two months later.
The municipality was notified about the decision's project involving violation of the GDPR, specifically lawfulness, fairness and transparency principles and the possibility of a subjection to an administrative fines up to €20,000,000 in January.
In its defense, the municipality alleged the lack of legitimacy of the denouncer of the facts, the lack of guidance from the CNPD on the matter, conflict between the rights of infected people and the rights of all other people, the impossibility of identifying the infected holders between the members of the place where they live with the information disclosed about the displacement to France.
The municipality violated the GDPR by processing personal data as it did, revealing people's health information, as well as information about the trip taken by the patients and the period. As a processing agent, the municipality should be aware of how to carry out the respective processing of personal data.
Holding
The Portuguese DPA considered that the case encompasses the biggest violation that can be made to the GDPR as it violates one of the basic principles of data protection, the principle of lawfulness, and also highlighted the fact that the infringement lasted for two months .
The authority highlighted the fact that as the case involves the processing of sensitive data, which constitute a special category of personal data that must be based on one of the legal bases set out in article 9, i, since generic processing is prohibited.
The CNPD fined the Municipality €2500 and understood that this amount took into account the financial situation of the public sector and, also, as a mitigating factor, the absence of economic benefit in the practice of the infraction.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.