CNPD (Portugal) - Deliberação 2022/1072
|CNPD - 2022/1072|
|Relevant Law:||Article 9(1) GDPR|
Article 12 GDPR
Article 13 GDPR
Article 28(1) GDPR
Article 28(6) GDPR
Article 28(7) GDPR
Article 35(1) GDPR
Article 35(2) GDPR
Article 35(3) GDPR
Article 44 GDPR
Article 46(2) GDPR
Article 83(3) GDPR
Article 83(4)(a) GDPR
Article 83(5)(a) GDPR
Article 83(5)(b) GDPR
Article 19 Decree-Law 433/82
|Parties:||Instituto Nacional de Estatística|
|National Case Number/Name:||2022/1072|
|European Case Law Identifier:||n/a|
|Original Source:||CNPD (in PT)|
The Portuguese DPA fined the Portuguese National Statistics Institute €4,300,000 for multiple GDPR violations. Among the others, the Institute processed special categories of personal data without a legal basis, did not conduct a proper DPIA and provided insufficient information regarding its processing operations.
English Summary[edit | edit source]
Facts[edit | edit source]
The National Statistical Institute, the national statistical authority of Portugal (controller) organised a census operation ("Census 2021"), which took place between April 19 and May 31 2021. The controller sent Portuguese data subjects forms (both physical forms and digital forms) with questions which were mandatory to answer. Providing inaccurate information or not answering the questions at all was punishable by a fine between €500 and €25,000. The goal of the census operation was to obtain information on the entire population and housing stock in Portugal. On April 26 2021, the controller had received 2.5 million submitted forms, which concerned personal data of more than 6 million data subjects.
Between 17 April and 7 May 2021, the DPA received a large number of complaints related to this census operation. The DPA conducted an investigation into the controller which brought to different conclusions. The DPA, for instance, stated that the controller used the forms to ask for health-related problems and religious beliefs without making it clear if it was mandatory to provide this information. The DPA also found that the controller did not provide enough information regarding its processing in general and did not conduct a proper DPIA, which contained or otherwise dealt with only 4 processing operations. Further, it also emerged from the investigation that the controller had also hired Cloudface Inc, a company located in the United States, which offered a content delivery network and internet security services. The controller simply subscribed online to Cloudflare's service. Under the hosting contract, the controller authorised Cloudflare to process personal data outside the European Economic Area (EEA) and send it to any of the 200 servers used by Cloudflare Inc, which were potentially also located in countries without an adequate level of protection for personal data. The controller also authorised Cloudflare to transfer personal data to the USA. Successive subcontracting by Cloudflare had also been authorised by the controller under this contract. The DPA assessed the technical workings of the Cloudflare service and determined that it was impossible for the controller to know where personal data would be stored as soon as this data had entered Cloudflare's network. By recalling the Schrems II judgement, the DPA also highlighted that US law did not provide a level of protection of personal data that was equivalent to the level of protection provided by the GDPR.
Holding[edit | edit source]
The DPA found that the controller requested special categories of personal data in the forms, specifically data regarding health problems and religion. In the forms, the controller was not clear whether it was optional or mandatory to provide this information to the controller. The DPA stated that the controller lacked a legal basis for the collection of this data and had therefore violated Articles 9(1) GDPR out of negligence. The DPA fined the controller €1,600,000 pursuant of Article 83(5)(a) GDPR and considered this a high gravity fine.
The DPA also found that the controller did not provide clear, highlighted an easily accessible information which would enable the data subject to know the circumstances of the processing being conducted by the controller. The controller did not provide this information in the forms, on the main webpage or in a hyperlink. This resulted in a violation of Articles 12 and 13 GDPR. The DPA stated that this violation was also committed out of negligence. It fined the controller €1,600,000 pursuant of Article 83(5)(b) GDPR, which it considered a high gravity fine.
The DPA also fined the controller €200,000 pursuant of Article 83(4)(a) GDPR, for a violation of the rules applicable to subcontracting entities, in this case Cloudflare Inc. (Articles 28(1), 28(6) and 28(7) GDPR). The controller had simply subscribed online to Cloudflare's service without any negotiations and without any due diligence on the side of the controller. The DPA stated that this violation had been committed intentionally.
The DPA issued another fine of €2,400,000 pursuant of Article 83(5)(c) GDPR for the breach of the international personal data transfer regime (Articles 44 and 46(2) GDPR). The service that was contracted by the controller did not meet the legal requirements for the transfer of data to a third country. The DPA considered this a high gravity fine and stated that this violation was also committed intentionally.
Lastly, the DPA fined the controller €400,000 pursuant of Article 83(4)(a) GDPR for the failure to conduct a DPIA in violation with Articles 35(1), 35(2), and 35(3)(b). The DPA stated that the DPIA provided by the controller was limited and insufficient in scope because it did not cover the entire processing, or even relevant dimensions of processing operations. The DPA stated that this last violation had been committed intentionally.
Comment[edit | edit source]
Previously, during the Census 2021, the CNPD received several complaints and immediately started an investigation and issued an order to suspend the sending of personal data from the census operation to the USA and other third countries without an adequate level of protection, as per Deliberation/2021/533.
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.