CNPD (Portugal) - Deliberação 2022/140

From GDPRhub
Revision as of 12:18, 29 November 2022 by Carmen.villarroel
Authority: CNPD (Portugal)
Jurisdiction: Portugal
Relevant Law: Article 5(1)(e) GDPR, Article 5(1)(f) GDPR, Article 13(1) GDPR, Article 13(2) GDPR, Article 37(1) GDPR, Article 37(7) GDPR
Type: Investigation
Outcome: Violation Found
Started: n/a
Decided: 02.11.2022
Published: n/a
Fine: 170000 EUR
Parties: Município de Setúbal
National Case Number/Name: Deliberação 2022/140
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Portuguese
Original Source: CNPD (in PT)
Initial Contributor: Carmen Villarroel

The Portuguese DPA issued two reprimands to the Municipality of Setúbal and fined it €170,000 for violations of the integrity and confidentiality principle, the storage limitation principle and the information obligations under Article 13 GDPR, and for failing to appoint a DPO, in connection with the collection of personal data of Ukrainian refugees.

English Summary

Facts

The Portuguese DPA (CNPD) opened an investigation into the Municipality of Setúbal after becoming aware of a newspaper article in Expresso titled 'Ukrainians welcomed in CDU Chamber by Pro-Putin Russians' ("Ucranianos recebidos em Câmara CDU por russos Pró-Putin").

According to the article, Russian citizens had collected and copied Ukrainian refugees' personal data (identification documents, data on their relatives in Ukraine and on their activities in Ukraine) in the context of a Municipal Refugee Helpline (LIMAR) created in March 2022. These Russian citizens belonged to an Eastern European Immigrants' Association (EDINSTVO).

The article accused these citizens of sharing the data with the Russian Government.

Two members of EDINSTVO were integrated into the Setúbal Office of Ethnicities and Immigration (SEI) in order to provide assistance, counselling and support to the refugees who used the Helpline.

The Helpline operated from two rooms of a municipal building. Two forms were used to collect data from refugees seeking assistance:

  • an in-person form,
  • a telephone form.

Through these forms the following personal data was collected: name, address, date of birth, marital status, contact details, household, details of identification documents, information on the support network (identifying the places and people the refugees might stay with, and the respective households), the period for which they might stay with those people, and an identification of their needs in terms of housing, essential goods, food, health, education, child care, employment and social services, among others, together with a description of their specific situation.

Refugees were also offered enrolment in Portuguese language courses, for which they had to provide a copy of an identification document.

In-person forms were handwritten and stored in a cabinet. All personal data was later entered into a password-protected Excel file. The forms were accompanied by a declaration of consent that included a sentence to 'authorise that the data records collected may be shared with other services or entities for the purpose of specific responses or to provide social support adjusted to the situation, with the guarantees of privacy and non-discrimination'.

In this context, one of the Russian citizens, who acted as a translator, was on medical leave for some time. She was informally replaced by another Russian citizen, without this being documented or formalised in any way. This replacement helped collect and copy personal data and documents from various refugees and also acted as a translator.

This person was apparently the husband of the original translator (on medical leave), who had shared with him her credentials for the systems used at the Helpline, allowing him to enter and consult the data. He acknowledged this, but denied that refugees' information had been shared with unauthorised third parties.

Holding


Violation of Article 5(1)(f) GDPR

The DPA found that the Municipality had breached the integrity and confidentiality principle of Article 5(1)(f) GDPR by neither implementing appropriate security measures nor defining, together with the Eastern European Immigrants' Association, a procedure regulating access to and handling of the processed data.

The DPA also found that the Municipality had no policies or guidelines for the secure management of information containing personal data, and that municipal employees were not informed of the procedures to be adopted. The only exception was an e-mail from the IT Division on the security of computer access passwords, e-mail and internet use.

The principle was also breached by allowing people from outside the municipal services to access computer equipment used for processing personal data without a specific access profile, and by granting them access to the information of refugees supported through the Helpline and allowing them to take it outside the Municipality's premises, without any prior formal commitment and without any guidance on the management and security of the data.

Finally, the principle was breached by using Excel files to manage and store information on a group of vulnerable data subjects (refugees), since such files keep no audit records and therefore make it impossible to know who accessed them, when, and what operations were carried out.

Violation of Article 5(1)(e) GDPR

The retention periods for the personal data had not been defined, nor had the criteria for establishing them.

Violation of Article 13 GDPR

No information was provided to the data subjects about the identity of the controller, the purposes of the processing, the recipients or categories of recipients, the rights of the data subjects, or the right to lodge a complaint with a supervisory authority.

Violation of Article 37 GDPR

No DPO had been appointed; one was only appointed after the start of this procedure, on 22 September 2022.

Violation of Article 35 GDPR

No data protection impact assessment (DPIA) had been carried out to analyse the processing of personal data in this context, as required when processing the data of vulnerable data subjects according to the EDPB Guidelines on Data Protection Impact Assessment (p. 12).

According to the DPA, the matter had been discussed within the Setúbal Local Council for Social Action (CLASS), so important matters such as the fundamental rights to privacy and data protection of vulnerable people such as refugees could also have been discussed there.

Comment

An investigation into this matter was also carried out by the judicial police. [Source]

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.