CNPD (Portugal) - Deliberação 2022/140

From GDPRhub
Revision as of 17:48, 29 November 2022 by Carmen.villarroel (talk | contribs)
CNPD - Deliberação 2022/140
LogoPT.png
Authority: CNPD (Portugal)
Jurisdiction: Portugal
Relevant Law: Article 5(1)(e) GDPR
Article 5(1)(f) GDPR
Article 13(1) GDPR
Article 13(2) GDPR
Article 37(1) GDPR
Article 37(7) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 02.11.2022
Published:
Fine: 170000 EUR
Parties: Município de Setúbal
National Case Number/Name: Deliberação 2022/140
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Portuguese
Original Source: CNPD (in PT)
Initial Contributor: Carmen Villarroel

The Portuguese DPA reprimanded twice and fined the municipality of Setubal €170,000 for violations of the integrity and confidentiality principle, the storage limitation principle, the information obligations from Article 13 GDPR and for not appointing a DPO with regard to the collection of personal data of Ukrainian refugees.

English Summary

Facts

The Portuguese DPA (CNPD) started an investigation on the Municipality of Setubal after having knowledge of a journalistic article from Expresso titled 'Ukrainians welcomed in CDU Chamber by Pro-Putin Russians' ("Ucranianos recebidos em Câmara CDU por russos Pró-Putin").

According to the Article, Russian citizens had collected and made copies of Ukrainian refugees' personal data (identification documents, data related to their Ukrainian relatives or their activity in Ukraine) in the framework of a Municipal Refugee Helpline (LIMAR) created in March 2022. These Russian citizens were part of an Eastern European Immigrants' Association (EDINSTVO).

These citizens were accused in the article of sharing such data with the Russian Government.

Two members of the EDINSTVO were integrated in the Setúbal Office of Ethnicities and Immigration (SEI) in order to provide assistance, counselling and help to the refugees that would make use of the Helpline.

The Helpline used two rooms of a municipal building in order to offer their services. They used two forms in order to collect the data from refugees seeking attendance:

  • presential form,
  • phone form.

Through the forms, the following personal data was collected: name, address, date of birth, marital status, contacts, household, information on identification documents, on the support network (identifying the places and people they might stay with and their respective households), information on the period they might stay with the people in that support network and identification of the needs of those people in terms of housing, essential goods, food, health, education, child care facilities, employment, social services, among others, in addition to describing the specific situation.

Furthermore, refugees were also offered to sign up for Portuguese courses, for what they needed to provide a copy of an identification document.

Presential forms were handwritten and were stored in a cabinet. All the personal data was later included in an Excel file protected by a password. Additionally, forms were accompanied by a declaration of consent, that included a sentence to 'authorise that the data records collected may be shared with other services or entities for the purpose of to specific responses or to provide social support adjusted to the situation adjusted to the situation, with the guarantees of privacy and non-discrimination'.

In this context, one of the Russian citizens, who acted as a translator, was on medical leave for some time. This person was informally substituted by another Russian citizens, not being this fact documented or formalized in any way. This person helped collect and copy personal data and documents from various refugees and acted as a translator.

Apparently, this person was the husband of the original translator (in medical leave), who shared with him her credentials to access the systems used at the Helpline, that allowed to introduce and consult the data. This fact was recognized by this person. However, the fact that refugees' information had been shared with unauthorized third parties was denied.

Holding

Violation of Article 5(1)(f) GDPR

The DPA found that the Municipality of Setubal had violated the integrity and confidentiality principle from Article 5(1)(f) GDPR by not implementing appropriate security measures nor defining together with the Eastern European Immigrants' Association a procedure that would regulate access and handling of the processed data.

In this sense, it was found that there were no policies or guidelines in the Municipality for the secure management of information and personal data, and that the employees of the Municipality were not informed about the procedures in this regard. The exception to the non-existence of these policies and/or guidelines was an only e-mail from the IT Division on the security of computer access passwords, email and internet.

The integrity and confidentiality principle was also breached by allowing people outside the municipal services to access computer equipment used for processing personal data without a specific access profile, as well as by granting them access to information of refugees supported through the Helpline, that was transported outside the premises of the Municipality without previously arranging any formal commitment and without defining any guidance on the management and security of the data.

This principle was also breached by using Excel files for the management and storage of information relating to a group of vulnerable parties (refugees), files that do not contain audit records, not allowing one to know who accessed them, when and what operations were carried out.

Violation of Article 5(1)(e) GDPR

The DPA found that the periods for which the personal data were to be stored and conserved had not been defined, nor the criteria for establishing such periods. Therefore, this constituted a violation of the storage limitation principle from Article 5(1)(e) GDPR.

Violation of Article 13 GDPR

Also, no information was provided to the data subjects about the identity of the controller, the purposes of the processing, the recipients or categories of recipients, the rights of the data subjects, or the right to lodge a complaint with a supervisory authority.

The DPA remarked that an informed consent had been obtained when collecting the data, and that there was no reason not to use it to provide the mandatory information.

Also, the DPA noted that, at least, the entities that were involved in this procedure were known to the Municipality, so they could have been mentioned to the data subjects, together with their data protection rights available.

Lastly, the DPA highlighted that the only reference made to data protection legislation was obsolete.

Hence, the DPA concluded that the Municipality violated Article 13 GDPR.

Violation of Article 37 GDPR

The DPA also found that the Municipality had not appointed a DPO as required by Article 37 GDPR, and hence this provision had been breached.

A DPO was appointed after the start of this procedure, on 22 September 2022.

Violation of Article 35 GDPR

The CNPD also found that no data protection impact assessment (DPIA) had been carried out in order to analyse the processing of personal data in this context, as required when processing data of vulnerable data subjects, according to the EDPB Guidelines on Data Protection Impact Assessment (p. 12). However, the DPA did not specify that Article 25 GDPR had been breached.

Sanction

The DPA acknowledged that this was an emergency situation and that such fact may mitigate the degree of gravity of the infringement with regard to some elements such as part of the information obligation from Article 13 GDPR, paragraphs 1 and 2, as well as the storage limitation obligations.

However, the CNPD also remarked that some other violations constituted proof of structural incompliance and were therefore of more gravity. Also, according to the DPA, the Helpline project had been discussed within the Setúbal Local Council for Social Action (CLASS), and therefore important matters such as the fundamental right to privacy and data protection from vulnerable people such as refugees should have also been discussed, despite the urgency.

For the above violations, the CNPD imposed the Municipality of Setubal the following sanctions:

The two fines were nonetheless accumulated together, following Portuguese legal principles, and resulted in an only fine of €170.000

Comment

Additionally, an investigation on this matter was carried out by the judicial police. [Source]

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.