CNPD (Portugal) - Deliberação 2022/140
From GDPRhub
| CNPD - Deliberação 2022/140 | |
|---|---|
 | |
| Authority: | CNPD (Portugal) |
| Jurisdiction: | Portugal |
| Relevant Law: | Article 5(1)(e) GDPR Article 5(1)(f) GDPR Article 13(1) GDPR Article 13(2) GDPR Article 37(1) GDPR Article 37(7) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 02.11.2022 |
| Published: | 17.11.2022 |
| Fine: | 170000 EUR |
| Parties: | Município de Setúbal |
| National Case Number/Name: | Deliberação 2022/140 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Portuguese |
| Original Source: | CNPD (in PT) |
| Initial Contributor: | Carmen Villarroel |
The Portuguese DPA reprimanded and fined the municipality of Setubal €170,000 for violations of the integrity and confidentiality principle, the storage limitation principle, the information obligations from Article 13 GDPR and for not appointing a DPO with regard to the collection of personal data of Ukrainian refugees, who were using a helpline in Portugal.
English Summary
Facts
The Portuguese DPA started an investigation into the Municipality of Setubal (controller) after a journalistic article from the newspaper Expresso was published titled 'Ukrainians welcomed in CDU Chamber by Pro-Putin Russians' ("Ucranianos recebidos em Câmara CDU por russos Pró-Putin").
This article contained anonymous accounts of Ukrainian refugees. According to the Article, Russian citizens were present in the same room where Ukrainian refugees' personal data was stored (such as copies of identification documents). These Russian citizens - allegedly part of an Eastern European Immigrants' Association (EDINSTVO), an organisation for the support of eastern European migrants - also asked the refugees questions about the whereabouts of their relatives and what they were doing in Ukraine. In total, two members of the EDINSTVO were integrated by the controller into the Setúbal Office of Ethnicities and Immigration (SEI) in order to provide assistance, counselling and help to the refugees. According to the author of the article, these Russian citizens were accused in the article of sharing this personal data with the Russian Government.
This all happened in the framework of a Municipal Refugee Helpline (LIMAR), which was created in March 2022. The controller was responsible for the processing done by this helpline. The Helpline used two rooms of the controller's building in order to offer their services, one for the customer service and the other for archiving. Both rooms were only accessible for members of the helpline.
The helpline used two forms in order to collect the data from refugees seeking attendance: an assistance form and telephone assistance form. Using these forms, personal data was collected by the controller. Among other things, the controller collected the name, address, date of birth, marital status, information on the support network (identifying the places and people they might stay with and their respective households) and information on the period they might stay with the people in that support network, in addition to describing the specific situation of each refugee. The assistance forms were handwritten and were stored in a filing cabinet. All collected personal data was later also put into an Excel file which was protected by password.
Additionally, forms were accompanied by a declaration of consent for processing. The controller asked refugees for consent to 'authorise that the data records collected may be shared with other services or entities for the purpose of to specific responses or to provide social support adjusted to the situation adjusted to the situation, with the guarantees of privacy and non-discrimination'. Furthermore, together with the assistance forms, refugees were also offered to sign up for Portuguese language courses, for which they needed to provide a copy of an identification document.
In this context, one of the Russian citizens, who acted as a translator, was on medical leave for some time. This translator was informally substituted by her husband. The translator had given her husband her login-credentials to access the helpline's systems. This change was not documented or formalised in any way. The husband, who was not a controller's employee, helped to collect and copy personal data and documents from various refugees and acted as a translator himself.
Holding
The DPA found that the controller had violated the integrity and confidentiality principle from Article 5(1)(f) GDPR by not defining organisational measures for safeguarding information, policies or guidelines for the secure management of information. Nor did the controller determine a procedure, together with the Eastern European Immigrants' Association, that would regulate access and handling of the processed data. The exception regarding the non-existence of these policies and/or guidelines was an e-mail from the IT Division on the security of computer access passwords, email and internet. Article 5(1)(f) GDPR was also breached by allowing people outside the controller's services to access computer equipment used for processing personal data without a specific access profile, as well as by granting them access to information of refugees supported through the Helpline. The principle was further breached by the controller for its use of Excel files for the management and storage of information relating to a group of vulnerable parties (refugees). These Excel files did not have any audit records. Therefore, these files did not allow anyone to know who accessed them, when the files were accessed and what operations were carried out. The fact that the excel files were password protected did not mitigate this fact.
The DPA also found that the data storage periods had not been defined, nor were the criteria for establishing storage periods. This constituted a violation of the storage limitation principle ((Article 5(1)(e) GDPR)). Also, no information was provided to the data subjects about the identity of the controller, the purposes of the processing, the recipients or categories of recipients, the rights of the data subjects, or the right to lodge a complaint with a supervisory authority. The DPA noted that, at least, the entities that were involved in this procedure were known to the controller, so they could have been mentioned to the data subjects, together with their data subject rights. Lastly, the DPA highlighted that the only reference made to data protection legislation was obsolete. Hence, the DPA concluded that the controller also violated Article 13 GDPR. The DPA also found that the controller had not appointed a DPO which resulted in a violation of Article 37 GDPR. A DPO was only appointed after the start of this procedure, on 22 September 2022.
The DPA also found that no data protection impact assessment (DPIA) had been carried out in order to analyse the processing of personal data in this context, which was required when processing data of vulnerable data subjects, according to the EDPB Guidelines on Data Protection Impact Assessment (p. 12). However, the DPA did not specify that Article 25 GDPR had been breached.
The DPA acknowledged that this was an emergency situation and that this could mitigate the degree of gravity of the infringement with regard to some elements, such as parts of the information obligation (Articles 13(1) and 13(2) GDPR), as well as the storage limitation obligations. However, the DPA also remarked that some other violations constituted proof of structural incompliance and were therefore of more gravity. Also, according to the DPA, the Helpline project had been discussed within the Setúbal Local Council for Social Action (CLASS), and therefore important matters such as the fundamental right to privacy and data protection from vulnerable people such as refugees should have also been discussed, despite the urgency.
For the above violations, the CNPD imposed a fine of €120,000 for the violation of Article 5(1)(f) GDPR and a fine of €100,000 for the violation of Article 37 GDPR. The DPA issued a reprimand for the violations of Article 5(1)(e) GDPR and Article 13 GDPR. This resulted in a total fine of €220,000. The two fines were nonetheless accumulated together, following Portuguese legal principles, which resulted in a fine of €170.000.
Comment
Additionally, an investigation on this matter was carried out by the judicial police. [Source]
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.
DELIBERATION/2022/1040
1. The National Commission for Data Protection (CNPD) prepared, on 14 September 2022, a draft decision in which the defendant Municipality of Setubal was accused of committing, in material authorship, in the form consummated and with negligence, i. a misdemeanour, p. e p. by Article 5(1)(f) in conjunction with Article 5(1)(f) a) don.0 5 of article 83.0 , both of the RGPD, sanctioned with a fine, up to the maximum amount of 20,000,000.00, each; ii. 0a misdemeanour, p. e p. by Article 5(1)(e) in conjunction with Article 5(1)(e) a) Article 83.0.5, both of the GDPR, will be sanctioned with a fine, up to the maximum amount of ¤ 20,000,000.00, each; iii. by Article 13(1) and (2), in conjunction with Article 13(b) , of the Treaty on European Union Article 83(5), both of the GDPR, is punished with a fine, up to the maximum amount of ¤ 20,000,000.00; iv. by Article 37(1) and (7) of the GDPR, in conjunction with Article 83(4) (a), both of the GDPR, sanctioned with a fine of up to EUR 10,000,000.00; and
2. The defendant was notified of the loom of the referred project and, in terms of the provisions of article 50 of Decree-Law 433/82, of 27th October, to present his defence, he came, through his Honourable Attorney, to allege, in sum: a) The inappropriateness of the Draft Deliberation, based, according to the Defendant, on a "factual, legal and news miscellany" and in which it is unintelligible "the connection between a significant set of facts and the legal scope of the sanctions indicated as potentially applicable; b) The invalidity of the procedure for breach of a substantial right: Article 39.0 , n.0 3 of the LERGPD; c) The invalidity of the non-application of the provisions of Articles 37.0 , n.0 2 and 39.0 , n.0 1 of the LERGPD; d) The existence of errors and incompleteness in the factual material considered; e) The need to take into account relevant facts which were not contained in the draft Decision. f) It also requested the exemption of the imposition of a fine under the terms of Article 44, paragraph 3 of the Law n. 0 58/2019, of 8 August.
3. The defendant did not deny, contradict or even contradict any element of the draft resolution regarding the lack of designation of the data protection officer of the Municipality on the date of the facts.
4. Moreover, the defendant protested to join 19 (nineteen) documents, which, to date, has not occurred.
I. Application for exemption from fines
5. The defendant requested the waiver of the imposition of fines, pursuant to Article 44(3 ) of Law 58/2019 of 8 August. However, paragraph 2 of that article 44 defines the period of "three years from the entry into force of this law" as the period of time during which public entities may request the waiver of fines, so that rule ceased to have effect on 9 August.
6. As an argument to support the maintenance of the above prerogative, he pointed out "the suspension, and later extension, of deadlines operated by the commonly called COVID-19 legislation".
7. It would be up to the defendant to clarify to what extent the legislation passed during the pandemic can be considered to enable the conclusion drawn. It is not clear how a time-limit objectively set for the exercise of an exceptional prerogative of public authorities, in the specific context of administrative offence proceedings in which it is possible that they may be sentenced to pay a fine, can be extended to a time when those proceedings are unlawful and the time-limit laid down by law for the exercise of that prerogative has already expired.
8. It should be noted that the ratio of the extensions included in the set of legislation that the defendant calls "COVID legislation", were instituted precisely to address constraints arising from the pandemic context, something that clearly does not apply to the present case, which was neither directly nor indirectly affected by the pandemic.
9. Even if the understanding was different when the impossibility of, at the present momenta, 0 In applying the regime laid down in Article 44(2) of the GDPR, the CNPD interprets the regime provided for therein as conferring on it a discretionary power to assess, in the light of the specific infringement, whether it would be justified to depart from the general rule of imposing a financial penalty on a given public body, as the controller (or processor), taking into account the different interests and rights at stake.
10. However, taking into consideration the gravity of the infractions, the weighting of the rights of the data subjects and the public interests that the violated legal rules seek to safeguard, as will be justified below, the decision of the CNPD would always be not to waive the fine in this specific case.
11. Thus, any of the arguments set out above concur in the decision not to waive the fine.
II. Appreciation
i. Regarding the alleged inappropriateness of the Draft Resolution
12. Contrary to what the defendant claims, the present administrative offence proceeding is not marked by the media hype that has undeniably surrounded all the related issues.
13. The mere fact that this is an issue to which the media have dedicated an extensive and intense attention did not condition or enhance any factual assessment that the CNPD expressed in the Draft Deliberation.
14. Moreover, the references to the fact that the media have publicly reported on the matter only serve to frame the impetus that led to the opening of the investigation procedure, since the "news" of the potential violation of the RGPD rules was made known in those same media.
15. The facts contained in the draft decision provide the basic context that allows the defendant to understand the meaning and scope of the CNPD's action, even if some of them serve to exclude what is not and cannot be the object of a decision by the national supervisory authority in matters of data protection.
16. The subjective analysis of the defendant is not, therefore, supported by the context of the facts established and the accusations made against him, which refer exclusively to the violations that, after due investigation, were found to have taken place.
17. For that reason, the references to the citizen - his conduct and behaviour any reference to his conduct and behaviour are not affected by any mention of his Russian citizenship, but are based on the facts obtained during the investigations in the course of the case.
ii. on the invalidity of the procedure for breach of a substantial right: Article 39(3) as well as Article 37(2) and 39(1) of the LERGPD
18. The Defendant disputes that the CNPD can dismiss the application of article 39. 0 , n. 0 3 of Law n. 0 58/2019, of 8 August, as this rule configures a substantial right that cannot be dismissed by the CNPD.
19. This is a legal/judicial understanding which differs from that of the Commission and which, as repeatedly explained, cannot be accepted.
20. Indeed, Regulation (EU) 2016/679, of 27 April 2016 - General Data Protection Regulation (GDPR), like any regulation issued by the European Union, has a general nature. It is binding in its entirety and directly applicable in all Member States (Article 288 of the Treaty on the Functioning of the European Union).
21. Such special features of regulations cannot be set aside by national legislation, as stated in the case law of the Court of Justice of the European Union and in the CNPD's Delibera9ao 2019/494.
22. Recently, the Constitutional Court, in case no. 422/2020, of July 15, clarified any remaining doubts about the limits (or lack of them) of application of the principle of the primacy of EU law, ruling "Under Article 8.0 , n. 4 of the CRP, the Constitutional Court can only assess and refuse application of a rule of EU law if it is incompatible with a fundamental principle of democratic rule of law.0 4, of the CRP, the Constitutional Court may only assess and refuse to apply a rule of the EUSD, if it is incompatible with a fundamental principle of the democratic rule of law which, in the proper scope of the EUSD - including, therefore, the jurisprudence of the CJEU -, does not have a parametric value materially equivalent to the one recognized in the Constitution, since such a principle is not the same as that recognized in the Constitution. necessarily imposes the very convention of "joint exercise, in cooperation or the institutions of the Union, of the powers necessary for the construction and deepening of the European Union". However, where the assessment of a rule of the TEU is concerned, in the light of a (fundamental) principle of the democratic rule of law which, in the context of the TEU, has a parametric value materially equivalent to that which is recognised in the Portuguese Constitution, which is effectively guaranteed by the CJEU (in accordance with the contentious means provided for in the TEU), the Constitutional Court refrains from assessing the compatibility of that rule with the Constitution"
23. The CNPD believes that, with regard to the applicability of the GDPR and, in particular, the direct applicability of its sanctioning regime, the existing principles under the EU Directive have a parametric value materially equivalent to that recognized in the Portuguese Constitution.
24. As Paulo Pinto de Albuquerque notes (in his "Comentario do Regime Geral das Contraordena96es a luz da Constitui9ao da Republica e da Conven9ao Europeia dos Direitos do Homem"), "According to the jurisprudence of the CJEU, the fundamental rights of the person concerned in a the right to a hearing before the administrative authority, (2) the right to non-self incrimination, (3) the right to a statement of reasons for decisions, (4) the right of access to documents, (5) the right to legal representation, which includes the right to confidentiality of communication between the lawyer and the sanctioning authority. and the client, and (6) the right of access to an independent and impartial tribunal within a reasonable time" (see footnote 28 to Article 1.0 ).
25. These rights "may be invoked not only before European judicial bodies but also before national judicial bodies when the latter are empowered to apply the law of the European Union ...". (see footnote 31, ibid.).
26. What the defendant seems to advocate is not so much the compatibility of the national legislation with the provisions of the RGPD, but rather the priority of an internal regime that effectively removes the law by creating a step prior to its application, which was never intended or authorised by the European legislator.
27. However, to consider that a condition which national law imposes as indispensable for the implementation of EU law (through a regulation which, as stated above, is binding in all its aspects) is to be regarded as elements is directly applicable in all member states) does not create an area of non conformity and inequality in the application of that regime in the various countries of the Union, it cannot be considered a relevant argument.
28. To accept this argument would mean allowing any EU country to create similar regimes for any EU regulation, thereby preventing them from being directly applicable.
29. By pointing to the existence of a substantial right denied to him, the Defendant rightly refers us to the field of application of EU law, to the consideration of the effects of the principle of primacy and to the field of application of the most recent constitutional jurisprudence, which, as we have seen, does not support his interpretation.
30. For the rest, reference is made to the contents of the CNPD's Deliberation 2019/494, in particular regarding the binding nature of this Commission to the principle of loyal cooperation provided for in Article 4(3) of the Treaty on European Union,
31. as well as on the manifest inappropriateness of this rule in comparison with the consistency mechanism provided for in the RGPD and, furthermore
32. on the fact that administrative authorities are also obliged to disapply national rules which are contrary to EU law.
33. Remember that all these principles are expressly provided for in the Treaties.
34. And that the CNPD's deliberation 2019/494 was published precisely with the aim of warning those affected by the national legislation, in order to increase legal certainty regarding the decisions that would be issued.
35. Furthermore, in concrete cases, with final decisions and publicly available (see https://www.enpd. pt/comunicacao-pubIica/noticias/cnpd-apIica-sancao-ao-municipio-de- 1 i sboa/) the CNPD has reaffirmed this understanding.
36. It is also clear that the argument that the CNPD "annihilated a right" cannot be considered admissible, since such a right (if it existed) never existed.
37. It is, for all the above, incomprehensible the accusation that the CNPD "does nothing to ensure that the mechanisms of primacy, intended to ensure the modification of the regime (if due), with respect for the rules of legal certainty, are triggered".
38. As regards the non-application of Articles 37(2) and 39(2), the arguments set out above and in point 5 of Resolution 2019/494 also apply. iii. As to the existence of errors and incompleteness in the matter of fact considered
39. The CNPD's allegation of a lack of information is incomprehensible.
40. In fact, and as Augusto Silva Dias teaches "The instruction begins with an investigation aimed at collecting evidence, but it is not necessary to do so" (in Direito das Contra ordena9oes, publisher Almedina, reprint, 2020, p. 215).
41. In any case, the CNPD not only instructed the case, gathering the necessary elements to take a decision, but also proceeded with the investigation.
42. The reports in the case file bear this out and the evidence referred to in the draft Decision confirms this concern.
43. At no time was any factual element denied or postponed in favour of the Municipality.
44. It is up to the final decision to duly consider all these elements and circumstances, which will be done in parts V and VI of this deliberation.
45. Again citing Augusto Silva Dias, it should be recalled that "the finding of illegality is not yet the final decision of the administrative authority" although "it does, however, delimit to a certain extent the object of the procedure in the administrative phase" (p. 225 of the quoted work).
46. However, the information which must necessarily be disclosed to the defendant is the same as that which has already been provided. well known and jurisprudentially established: "communication of the alleged facts with a "sequential description, narratively oriented and spatio-temporally of the elements indispensable to the singularization of the conduct that is against ordinally relevant and this description must contemplate the objective characterization and the action or omission to which the accusation relates (TC ruling n. 0 99/2009). Said in the formula used by the ruling of the ETS n. 1/2003, the rights of defence and hearing ensured within the scope of the misdemeanour procedure will imply, in summary, that the defendant will be given prior knowledge of "all the relevant aspects for the decision, in matters of fact and law" (note 4 to article 50, of the already quoted work of Paulo Pinto de Albuquerque).
47. Which, s.m.o. has been implemented in the draft resolution.
48. As regards the allegation that the CNPD disregarded the collaborative nature of the intervention The delegation of tasks and the existence of an inter-administrative contractualisation (even if not formalised), in which the task of the municipality, especially with regard to respects data collection was essentially an instrumental task (parallel or The terms of the CNPD's censure of the municipality should be precise.
49. This is not to disregard any degree of interadministrativeness or joint action with other public and, it should be remembered, private entities, with which Setubal Municipality decided to promote collaborative actions.
50. What deserves censure is the action of the Municipality, as the controller, to the strict extent of its responsibilities, including, as is the law, the provision of essential information on the processing.
51. The municipality itself, through LIMAR, has developed its own service forms which it is responsible for maintaining and managing autonomously.
52. Also the intervention of is not censured as a member of the association with which the Municipality established the partnership, but rather for the fact that this partnership was not properly formalised in order to frame its participation in the context of LIMAR.
53. Moreover, it should be made clear to the defendant that the fact of entering into a partnership with a third party entity does not automatically mean that it ceases to be regarded as a third party. Its qualification will depend on the extent to which it operates in the area of processing of personal data.
54. What is reprehensible, then, is the fact that the minimum care required is not taken, either from a formal point of view - with the agreement or subcontracting contract - or from a substantive point of view, with the implementation of minimum measures to control access by persons outside the services of the Municipality to equipment containing personal data.
55. Especially when the data relates to especially vulnerable data subjects such as refugees.
56. The CNPD has not commented on the number and quality of data that refugees would have to provide in order to obtain support, which makes it redundant to argue, as the defendant does, that this information was indispensable.
57. Note that the defendant never denies or justifies why excel files were used for the management and conservation of the personal information of refugees who came to LIMAR.
58. As for the existence of training, it is admitted what is alleged by the defendant in points 106 to 109, where it is detailed the two training courses given (although reduced), the target audience (although imitated), their duration and date of occurrence, although the documents proving these courses have not, to date, entered the services of the CNPD.
59. However, it should be stressed that there is a clear lack of training for a relatively small number of employees given after the GDPR has come into force and well after its entry into force, in this case in September 2018 and April 2019.
60. The factual material on that specific point will therefore be corrected.
61. Concerning the appointment of the Data Protection Officer, it is confirmed that he has already been appointed, albeit only on 22 September 2022.
62. The accused defends that also the declaration of consent was, in the meantime, altered, which is admitted, but which, due to its non-joinder to the case file or insertion in the body of the defense, cannot be relevant.
v. On the objective elements of the types of offence
63. The defendant believes that the CNPD should choose to frame the violations of of Article 5. 1. 0 in the concrete provisions of Articles 28 and 32. 0 of the RGPD.
64. However, Article 28 sets out the conditions under which a subcontracting relationship must occur and does not seek to punish those in which formalisation has not taken place.
65. Article 32 also defines a set of specific, but not exhaustive, safety measures to be implemented in order to guarantee the safety of the treatments.
66. 0 what the CNPD censured in the draft decision was a set of procedures to which not even the minimum security measures were applied, revealing a censurable behaviour not due to the inadequacy of concrete measures but rather due to a coherent and consistent action of total disregard for the principle enshrined in Article 5(1)(0) of the RGPD v.
On violations of Article 13
67. The Municipality of Setubal argued that the data collection it carried out was merely instrumental and dependent on the instructions or definitions of third parties.
68. He therefore maintains that it cannot be said that the data controller or the recipients of the data were not known.
69. It is factual that, in several cases, the Municipality collected information framed in forms from third parties.
70. The CNPD does not censure this reality, but rather the circumstance that, by creating a specific service to support refugees, the Municipal Refugee Helpline (LIMAR), the CNPD has not, in this context, informed the owners of the data of various elements provided for in Article 13(1) and (2) of the RGPD, as is their obligation, regardless of the context in which the collection of data is carried out.
71. Admitting that the emergency context in which it found itself could make the availability of these elements a non-priority, the emergency should always be framed within the existing framework of preparation.
72. Even so, this framework allowed for the existence of previous meetings of the Setubal Local Council for Social Action - CLASS and the definition of action procedures which could and should have included the matter of data protection within its scope.
73. It is precisely in the context of supporting data subjects in particularly vulnerable situations and in a context of atypicality, as was the case here, that the protection of fundamental rights such as the protection of personal data becomes more urgent.
74. Regarding the lack of mention of the Data Protection Officer in the information to be provided, the defendant has the argument that, in the absence of such a person, he could not be informed, but this does not exempt him from the obligation of designation, nor does it contribute to the mitigation of this original violation.
75. An obligation that had been binding on him since 25 May 2018, but whose designation process only began on 3 May this year.
76. Obligation, moreover, reinforced by Lein. 0 58/2019, of 8 August, which expressly repeats the imperative nature of the designation of the EPD.
77. Furthermore, one cannot accept the argument that the "oversight" in the mention of the data protection legislation in force in the declaration of consent is excusable in the context of the ongoing "systematic implementation of the GDPR".
78. Firstly, because the defendant has failed to demonstrate that there was any systematic implementation in progress and,
79. Secondly, because even if such an implementation did exist, it would always be late and, therefore, of little relevance to the facts established.
80. It should be noted that Regulation 2016/679 of 27 April 2016 entered into force on 24 May 2016 and its application was deferred to 25 May 2018 (cf. Article 99(2)).
81. At most, it could even serve as an aggravating factor, since it becomes less excusable that an organisation which is in the process of implementing the RGPD is not concerned with updating basic information such as that which it provides to data subjects.
82. 0As described in point 64, also with regard to the breach of the principle enshrined in Article 5(1)(e) and Article 13(2)(a) of the GDPR, there is a relation of precedence, and therefore the violation of the aforementioned duty of information will not be taken into account in the final decision.
83. Also with regard to the definition of time limits for the preservation of information, we accept the argument raised by the Defendant regarding the urgency and emergency of the situation experienced at However, this does not mean that the possibility of at least establishing minimum guidelines for the conservation of information should be disregarded.
84. Finally, the absence of an impact assessment on data protection in relation to the processing carried out in the context of LIMAR is noted, not because of the It is not necessary to carry out such an assessment, but because it is not legally required for this particular treatment.
85. With the elements in the file, of interest for the decision, we consider the following to be proven:
iii. Facts
86. On 29 April 2022, the Expresso newspaper published a headline with the headline "Ukrainians received in CDU chamber by pro-Putin Russians" (see document attached).
87. It contained testimonies of refugees from Ukraine, displaced in Portugal as a result of the ongoing military conflict between that country and the Russian Federation.
88. These testimonies, offered anonymously, stated that in the City Hall of Setubal, Russian citizens, on the pretext of helping Ukrainian refugees who came to ask for help, asked the latter questions about the whereabouts of their relatives and what they were doing in Ukraine.
89. The Municipality of Setubal, legal entity with NIPC 510294104 has its headquarters at Pra9a do Bocage, 2901-866 Setubal
90. In the news reports mentioned above, it was also reported that documents belonging to the refugees were copied in the presence of the so-called Russian citizens.
91. The citizens specifically mentioned in the news were
92. This and similar news items have been published in various media (cf. news reports attached to the case).
93.- has Portuguese nationality and is a member of the Associacao de lmigrantes dos pafes de Leste - EDINSTVO.
94. association.
95. is also of Portuguese nationality and president of the aforementioned and Ourista worker) from Setubal City Council.
96. The Associacao de lmigrantes dos Paises de Leste EDINSTVO, collective person with NIPC 506204367 and headquarters at Rua de Sao Tomee Principe, 18 r/c Oto. , 2900-087 Setubal, dedicates itself to support for immigrants from the Eastern European countries, but also from Brazil, by promoting initiatives to help integration in the community and solidarity, culture and entertainment.
97. EDINSTVOwas founded in 2002 by_e_.
98. Since then, several initiatives within the scope of the Association have been promoted, being included in the Conselho Local de A9ao Social de Setubal - CLASS (cf. record of statements and minutes of the CLASS meeting of 11th March 2022, attached to the CMS Inspection Report, as Annex VIII - pages 2 to 7 and Annex VI).
99. In 2004, Setubal City Council signed a protocol with ED!NSTVO to place two of the latter's employees in the "SEI - Setubal Etnias e lmigra9cfo" (SEI) Office team, with the aim of providing assistance, advice and help to immigrants who present themselves.
100. The SEI is integrated in the Department of Culture, Sports, Social Rights, Health and Youth of CMS.
101. The protocol was successively renewed and remained in force until May 2022.
102. There are no provisions in the protocol on the protection of personal data or the responsibilities of the parties in the management of such information.
103. The CMS, in view of the imminent arrival of a considerable influx of Ukrainian refugees, has decided to set up a Municipal Refugee Helpline (LIMAR) in March 2022, with telephone and face-to-face service.
104. The Municipality of Setubal has thus assumed the responsibility for the processing of the information processed in the context of the services provided through LIMAR.
105. In order for LIMAR to be able to provide the services for which it was established, two rooms were made available in the building of the Livramento Market, a municipal public building located in Setubal, one for customer service and the other to support and archive the documentary record.
106. The support and archive room had its own filing cabinets and was only accessible to LIMAR members.
107. The CMS team created specific forms - the "assistance" and "telephone assistance" forms - (see Annexes Ille IV of the CMS Inspection Report), for the collection of the necessary elements for the support required under LIMAR.
108. These forms contained various personal information about the refugees, from name, address, date of birth, marital status, contacts, household, information on identification documents, on the support network (identifying the places and people they could stay with and their respective households), information on the period they could stay with the people in that support network and identification on the needs of those people in terms of housing, essential goods, food, health, education, childcare facilities, employment, social responses, among others other than the description of the specific situation (cf. Annexes Ill and IV of the lnspection Report to the CMS).
109. Together with the attendance forms, the enrolment form for the Portuguese as a Host Language - PLA courses of the IEFP (Instituto de Emprego e Forma9ao Profissional) could be filled in for those refugees who expressed the desire to learn Portuguese, and a copy of the biography page of the passport or other identification document was attached.
11O. The IEFP enrolment forms contain, among others, the following tables concerning the personal information of the applicants: full name, address, date of birth, marital status, sex, mobile phone number, country of origin, ID card number, academic qualifications, profession in the country of origin, current job or profession, employment situation in Portugal (see Annex VII of the CMS Inspection Report).
111.The attendance forms were handwritten, and the processes were filed on paper. A digital record of the collected data was also created, on the "Microsoft" platform, in Excel format - file "LIMAR_BASE. DATA. xlxs", which requires a password for access (see Annex XII of the CMS Inspection Report).
112. The file included the application form, the Temporary Protection Certificate1 , copy of identification documents, birth certificates of minors, enrolment file in the Portuguese as a Host Language - PLA. The copies of the documents sent to the IEFP, and the receipts of communications to the various public services for the support due, namely to the IEFP for job search, to the Setubal Social Security Office for the receipt of the Social Income and other benefits, to the Setubal Health Centres Grouping and to the Hospital Centre and to other public and private entities that guarantee the support requested, namely of food, clothes and other essential goods.
113. The file also included the "Declaration of Consent", regarding the processing of personal data provided to CMS in the context of support for refugees, in which, in the part relating to the communication of data to third parties, it is stated: "[...] I further authorize that the data records collected may be shared with other services or entities within the specific responses or the provision of social support adjusted to the situation, with guarantees of privacy and non-discrimination. (cfr. Annex Ill - page 4 of the CMS Inspection Report).
114. The text of the declaration was written in Portuguese, Ukrainian and Russian.
115. During the due diligence, the case "A72", created by the team, was randomly checked "FN / YK" and , with cover page "Service Record" and which included the copy of the passport (biographical data sheet), the copy of the temporary protection certificate and the copies of the e-mails sent to the entities for the necessary support, as well as the declaration of consent.
116. At the top of each service file, the initials of the elements that carried out the service are written as follows: "--/YK" or "--/IK", and where the initials of the social service technician of the Municipality were present.
117. The procedures for the management of cases concerning refugees and their referral to the competent authorities were discussed and fixed in a meeting of the CLASS network, chaired by the Councillor for Culture. Sports, Social Rights. Saude e Juventud da Camara Municipal de Setubal,-(cfr. Annex VI of the Inspection Report the CMS).
118. In it, the subject of the PLA courses was mentioned, but the transport of the enrolment forms to the IEFP was not fixed or advised (cfr. Annex VI of the CMS Inspection Report).
119. Instead, a model email was agreed upon to be used for situations of precariousness or need of support - employment, social service and support, health - which did not contemplate the situation of refugees who wanted to learn Portuguese as a host language (see Annex V - page 3).
120. LIMAR operated from March 1990 onwards with the help of SEI staff. 121. The assistance teams of the CMS consisted of two collaborators, a social technician and a translator, who in this case wereor
122. During the period from 11 to 28 March 1990, due to illness. was absent
123. During this period, I only collaborated in the services involving translation (cf. Annex VIII- pages 2 to 4 of the CMS Inspection Report).
124. The participation of- participation in the team was not based on any formal or contractual decision, although he had no function in the Municipality.
125.-supported LIMAR by assisting in the translation and, at the request of the refugees, in the completion of documentation for the courses "Portuguese as the language of Acolhimento - PLA" (learning Portuguese) from IEFP and the SEF forms for obtaining the temporary protection title as a volunteer (see Annex VIII - pages 2 to 4 of the CMS Inspection Report).
126.Scanned and uploaded to the SEF form the passports and birth certificates of the children for whom the refugees themselves had requested assistance (see Annex VIII, pages 2 to 4 of the lnspectation Report to the CMS).
127.Organized and transported the enrolment forms for the PLA courses to the IEFP (see Annex VIII). - fls. 1 to 7 of the CMS Innspection Report and IEFP Innspection Report).
128.It has not been possible to ascertain the exact number of enrolment forms for the PLA courses carried by-.
129.-supported as interpreter the initial information provided to the refugees, regarding social support and procedures for the payment of transport and food allowances and the training grant, at the IEFP Setubal facilities (cfr. electronic communication from the Director of the IEFP Setubal attached to the records).
130. He had access to LIMAR computer equipment, using his wife's credentials, enabling him to use the CMS computer and laptop to access web portals where he would insert documents (cf. statement annexed to the case file).
131. gave her husband the credentials to access such equipment (cf. statement attached to the case).
132.- continued to collaborate as an interpreter in the context of the reception of refugees and did not record data in internal processes (see Annex VIII - pages 5 to 7 of the Inspection Report to the CMS).
133. This collaboration ended on 7 April 2022 (cf. Annex VIII - page 1 of the report to the CMS).
134. On the 3rd May 2022, the Mayor of Setubal, by order of No 153/2022, appointed as EPD an employee of the Municipality who also held managerial positions.
135. As doubts about the appropriateness of this designation arose, the CNPD was asked, on 10 May 2022, to issue an opinion on its conformity.
136. Later, a public hiring procedure was launched to fill the position of Data Protection Officer for Setubal Municipality.
137. This competition resulted in the appointment of the new Data Protection Officer on 22 September 2022.
138. It was found that there are no policies or guidelines in the CMS for the secure management of information containing personal data, and the employees of the municipality are not informed about the procedures to be adopted.
139. The exception to the absence of such policies and/or guidelines is an email from the IT Division on the security of computer, email and internet access passwords, which the municipality made available to the CNPD during the inspection (see Annex IX of the Inspection Report to CMS).
140. No Data Protection Impact Assessment has been carried out, despite the fact that refugees (as well as asylum seekers) are considered vulnerable persons according to the European Data Protection Supervisor's Guidelines on Data Protection Impact Assessments (see criteria 7 for the assessment of the need for an DPIA, p. 12 of the Guidelines2 ).
141. There are no retention periods defined for the information collected by LIMAR.
142. No information is provided to the data subjects (refugees) at the time of collection about who is the controller, the purposes of the processing, the recipients or categories of recipients of the personal data, the rights of the data subjects, the right to lodge a complaint with a supervisory authority.
143. The Attendance Register contains a "Declaration of Consent" which reads as follows: I declare that I consent that the information and data provided by me to Camara Municipal de Setubal, within the scope of the Municipal Refugee Helpline, be processed by automated means or others, with the appropriate guarantees of privacy and non discrimination. I also authorise that the records and data collected may be shared with other services and entities in order to direct them to specific responses or to provide social support adjusted to the situation, with the guarantees of privacy and non-discrimination. discrimination. I also inform you that the confidentiality and security of the personal data I have provided will be ensured, and that I may access and/or rectify them whenever necessary, in accordance with Law 67/98 of 26 October, as amended by Law 103/2015 of 24 August, and that false statements are punishable by law
144. In that statement there is no reference to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
145. By allowing people outside the municipal services to access the IT equipment used for the processing of personal data without a specific access profile, as well as by granting them access to information of the refugees supported through LIMAR, contained in the forms of the PLA courses, transporting them outside the premises of the Municipality without previously assuming any formal commitment and without defining any guidance on the management and security of the information thus accessed and transported, the defendant did not act with the care he is obliged to, and was capable of, representing as possible that he was acting against the law.
146. By using Excel files for the management and conservation of information relating to a set of vulnerable holders (refugees), files that do not include audit records, not allowing to know who accessed them, when and what operations were performed, the accused did not act with the care he is obliged to, and that he was capable of, representing as possible that he was acting against the law.
147. By failing to set the time limits for retaining the information collected through LIMAR, and by retaining the information longer than necessary, the defendant failed to act with the care that he was obliged and capable of exercising, and it is possible that he was acting against the law.
148. By failing to provide mandatory information about the processing of personal data in a concise, transparent, intelligible and easily accessible form, the defendant has not acted with the care that it is obliged to, and that it was capable of, representing as possible that it was acting against the law.
149. By failing to appoint a Data Protection Officer, the defendant has failed to act with the care that it is obliged to exercise, and that it is capable of exercising, and has arguably acted against the law.
150. The defendant has always acted voluntarily and consciously.
IV. Evidentiary Conviction
151. The facts found to be proven were based on a critical analysis of the evidence produced, both oral and documentary, as well as the inspection reports that the CNPD carried out at the ACM, SEF, IEFP of Setubal and CMS and the testimonies collected. Of the latter, the following are noteworthy (cf. statement minutes attached to the CMS Inspection Report): a. The statements of - who denied having copied the refugees' identification documents into CMS's internal file; b. who confirmed having provided her husband with access credentials to the computer equipment; c. From third parties; which denied having shared refugees' personal data with d. He denies having copied for himself or for third parties, as well as he denies having made available to entities other than those indicated by the Municipality the documentation concerning the refugees to which he had access; e. From the CMS Head of the Social Rights and Health Division, , who stated that she- collaborated as an interpreter in the context of the reception of refugees and that it did not register data in internal files; f. And that, given the direct articulation with the IEFP- CE Setubal, which was due to the relationship that it maintained with the IEFP delegation as a manager of the EDINSTVO association and trainer, it was he who took the enrolments and copies of identification documents to attend the PLA courses; g. Finally, he stated that he had not received any complaints about the assistance provided to the refugees; h. From the president of the Association of Ukrainians in Portugal, who stated that he had not received any complaints from refugees regarding the service provided in Setubal; i. It is not aware of any case of data collection or transfer of Ukrainian refugees to Russia, even if it admits the existence of such a risk.
V. Law
152. The CNPD is competent pursuant to Article 58.0(2) of Regulation (EU) 2016/679, of 27 April 2016 - General Regulation on Data Protection (RGPD), in conjunction with Article 3, Article 4.0 (2), and Article 6.0 (1)(b), all of Law n.0 58/2019, of 8 August (LERGPD). i. 0 Infringement of the principle of integrity/confidentiality (Article 5(1)(f) of the EU Treaty). 0 of the GDPR)
153. Article 5.1 of the GDPR requires that personal data is 'Processed in a manner that ensures the security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ("integrity and confidentiality")'.
154. However, CMS has not defined organisational measures for safeguarding information, policies or guidelines for the secure management of information, nor has it formally defined any commitment with EDVINSTO to regulate access to and the transport of information containing personal data.
155. Moreover, by making it possible for persons outside the municipality's services to use the equipment, without a specific profile, on which personal data entrusted to the municipality are stored without any contract or formal agreement setting out the parties' obligations as regards the protection of personal data, the Municipality of Setubal has breached the principle of integrity and confidentiality.
156. lso, by storing information containing personal data on refugees in Excel files, even with access made conditional by password, the Municipality of Setubal has infringed that same principle, given that the unstructured storage of data in files where access and modification traceability is clearly reduced or non-existent, represents in itself a risk to security, integrity and confidentiality.
ii. Infringement of the principle of limitation of retention (Article 5(1)(e) of the GDPR)
157. Article 5.0 (1)(e) of the GDPR requires that personal data must be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed; personal data may be stored for longer periods provided that they are processed solely for 0 for archiving purposes in the public interest, or for the purposes of scientific or historical research or statistical purposes in accordance with Article 89(1), subject to the application of appropriate technical and organisational measures as required by this Regulation with a view to safeguarding the rights and freedoms of the data subject ("restriction of retention")".
158. The Municipality of Setubal has not defined any retention period for personal data collected through the Municipal Refugee Helpline nor the criteria used to define these periods.
iii. Breach of Article 13.0 of the GDPR Case AVG/2022/712112
159. Recital 60 of the GDPR explains that "The principles of fair and transparent processing require that the data subject must be informed of the data processing operation and its purposes".
160. Article 12.0.1 of the GDPR states that: "The controller shall take appropriate measures to provide the data subject with the information referred to in Articles 13.0 and 14.0 and any communication provided for in Articles 15.0 to 22.0 and 34.0 regarding the processing in a concise, transparent, intelligible and easily accessible form using clear and plain language, in particular where the information is specifically addressed to children."
161. 0Article 13(1) and (2) of the GDPR obliges data controllers to provide data subjects with a specific set of information, including, relevant to the case, the following: II-1 (...): a) the identity and contact details of the controller and, where applicable, his representative; (...) c) the purposes of the processing for which the personal data are intended, as well as the legal basis for the treatment; (...) (e) the recipients or categories of recipients of the personal data, if any (...) 2. (... ): (...) b) The existence of the right to request from the controller access to and rectification or erasure of personal data concerning him/her, and to restrict processing insofar as it relates to the data subject, as well as the right to object to processing, as well as the right to data portability; c) If the processing of the data is based on Article 6(7)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent previously given; d) The right to lodge a complaint with a supervisory authority; e) Whether or not the communication of personal data constitutes a legal or contractual obligation or a requirement for entering into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to do so.
162. The declaration of consent attached to the file, which was collected with the intention of legitimising the processing of the refugees' personal data, does not contain any of the information provided for in Article 13(1)(a), (c) and (e) or in Article 13(2)(b), (c), (d) and (e) of the GDPR .
163. Furthermore, the legal basis explained refers to Law 67/98, of 26 August, which is legislation that has already been repealed, and therefore the provision of information provided for in paragraph c) of Article 13. 0.1 must be considered to be defective,
164. And this is because the RGPD came into force on 25 May 2018, implicitly repealing a good part of the rules of that national law, and Law No. 0 58/2019 of 8 August, which came into force on 9 August 2019, expressly repealed the aforementioned Law No. 0 67/98 of 26 August.
165. Equally defective is the delimitation of third parties to whom personal data may be transmitted, as provided for in Article 13(1)(e). Although it is admitted that the range of such recipients is extensive, CMS cannot fail to recognise that at least the entities defined in the procedures established by CLASS at its meeting on 11 March 2022 could and should be made known to the data subjects.
166. 0Finally, with regard to Article 13(2)(b) of the GDPR, the reference to the possibility of requesting the erasure of data or the limitation of processing, or even the possible possibility of requesting the right to portability, has been omitted.
167. Regarding this set of violations, it is important to note the provisions of Article 83.5 of the GDPR, which states that "Breach of the provisions listed below shall be subject, pursuant to paragraph 2, to fines of up to EUR 20,000,000 or, in the case of a company, up to 4% of the total amount of the fine" a) the basic principles of processing, including the conditions of consent where that is the basis of legitimacy pursuant to Articles 5, 6 , 7 and 9; (b) the rights of the data subject pursuant to Articles 12 to 22. iv. Violation of Article 37(1) of the GDPR
168. According to Article 37(01)(a) of the GDPR, "The controller and the processor shall designate a data protection officer where processing is carried out by a public authority or body with the exception of courts in the exercise of their functions". of its judicial function".
169. 0 Municipality of Setubal, by failing to appoint a Data Protection Officer, breached this provision.
170. As regards infringement of Article 37, it should be noted that Article 83(4) states: "Infringement of the provisions set out below shall, in accordance with paragraph 2, be subject to fines of up to EUR 1O 000 000 or, in the case of an undertaking, up to 2% of its annual world-wide turnover for the preceding financial year, whichever is the lower. (a) the obligations of the controller and the processor under Articles 8, 11, 25 to 39 and 42 and 43".
171. The CNPD has the powers of correction enshrined in Article 58.0 , paragraph 2, of the GDPR.
172. Moreover, it follows from the principle of the primacy of Union law, reflected in Article 288 of the Treaty on the Functioning of the European Union, that regulations are binding and directly applicable in all Member States, thus precluding any possibility for a "State [....] unilaterally nullify their effects by a legislative act that can be relied upon against the Community texts" - CJEU Costa v ENEL, Case No 6/64; Commission v Italian Republic, Case No 39/72; Variola v Italian Financial Administration, Case No 34/73.
173. Thus, the CNPD and on the grounds best expressed in its Delibera9ao/2019/494, of 3 September (accessible at https://www.cnpd.pt/umbraco/surface/cnpdDecision/download/121704), decides not to apply, in the case at hand, by virtue of the principle of primacy of European Union Law, in conjunction with the provisions of article 8, no. 4 of the Portuguese Constitution, the provisions of articles 37(2), 38(2) and 39(1) and (3) of the Portuguese Constitution.0Article 37(2), Article 38(2) and Article 39(1) and (3) , all of the Portuguese Constitution n. 0 58/2019, of 8 August (hereinafter LERGPD).
v. Sarn;:6es
174. It can therefore be seen, in view of the facts established, that the defendant has processed personal data without taking care to ensure the security and integrity of such data, namely by not establishing organisational measures and not signing binding commitments with entities and/or persons outside the municipal services who could access such personal data.
175. It is also noted that the defendant did not define the period for which the information is to be kept or the criteria used to establish this period, as it was obliged to do, nor did it erase the information containing personal data as soon as it ceased to be relevant to the purpose for which it was intended and should therefore be deleted.
176. Moreover, in view of the facts established, it appears that the defendant has disregarded specific obligations imposed on it by the GDPR, namely the obligation to inform the data subjects.
177. Finally, it is also noted that the defendant failed to appoint a Data Protection Officer.
178. This means that there are sufficient indications that the defendant has committed three established and punishable offences, i. the first by the combined provisions of Article 5(1)(0)0 , in the context of the inability to ensure the security of processing and the integrity and confidentiality of personal data processed, and of Article 83(5)(a) ii. the second by the combined provisions of Article 5(1)(e) for failure to comply with the principle of limitation of retention and Article 83(5)(a)
179. the third by the combined provisions of Article 13(1) and (2)0 (information to be provided when personal data are collected from the data subject) and Article 13(b) Article 83(5),
180. all of the RGPD, each of which will be sanctioned with a fine of up to €20,000,000.00.
181. We also find, in view of this fact, that there is sufficient evidence that the defendant has committed an administrative offence provided for and punishable by the combined provisions of Article 37(1) (designation of the Data Protection Officer) and Article 83(4)(a),
182. all of the RGPD, sanctioned with a fine of up to €10,000,000.00.
183. All the violations listed here were committed with negligence, wilfully and knowingly. The CNPD has the corrective powers provided in Article 58.2 of the GDPR, namely to "reprimand the controller or processor when the processing operations have violated the provisions of this Regulation" (Article 58.2.b)) and to "impose a fine under Article 83" (Article 58.2.b)).The Commission will be able to impose a fine, in accordance with Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the circumstances of each case" (Article 83(i)).
184. 0The breaches of the principle of limitation of retention (Article 5(1)(e) of the GDPR) and of the duties to provide a set of information to the data subject when the collection is carried out directly by the controller (Article 13(1) and (2)) should be deprived of their value differently from the others, given the context of emergency that existed at the time of the facts that prove them. This is because the former are intrinsically linked to the process of receiving refugees, admitting, in this situation, an epis6dico, although always censurable, carelessness or less care in the fulfillment of rules that did not appear to be of equal priority given the concrete needs to provide the rapid humanitarian response that was sought.
185. The other violations are different, not because the context is different, but because their existence does not depend and does not reflect the specific situation of response to requests from refugees. Rather, they reveal a structural attitude and behaviour of the organisation, which has serious deficiencies in the assumption of critical principles of data protection that go beyond these specific processes.
186. According to Article 83(1)(a) to (k), the measure of the fine is determined on the basis of the following criteria: i. The nature, gravity and duration of the infringement, having regard to the nature, scope or purpose of the data processing in question, as well as the number of data subjects affected and the level of damage suffered by them - The infringements committed by the defendant are considered to have a significant degree of gravity, It is considered that the breaches committed by the defendant have a significant degree of seriousness, given the number of data subjects concerned (especially vulnerable), of which the specific number has not been ascertained, even though the context in which they occurred, in which the humanitarian emergency required more expeditious procedures, makes their assessment less severe. The violations detected in relation to the principle of limitation of conservation occurred in a relatively short period of time (about two months). The infringement of the EPD's designation lasted from 25 May 2018 until 3 May 2022 and therefore merits a higher degree of censure, although it has been corrected. ii. No harm has been caused to the data subjects; iii. Only one of the offences with which the defendant is charged is not punishable by the most severe framework provided for in the GDPR (in this case, breach of the obligation to appoint a data protection officer); iv. The intentional or negligent character of the infringement - as already explained above, the conduct relating to the infringements detected is considered to be negligent; v. The initiative taken by the controller or processor to mitigate the damage suffered by the data subjects - in this regard, the initiative of the defendant to designate a data protection officer and to terminate the protocol with the EDVINSTO association is relevant, even if as regards the latter, the correction could have been limited to compliance with the provisions of Article 28 of the GDPR; vi. the degree of responsibility of the controller or processor in view of the technical or organisational measures implemented by the controller or processor under Articles 25 and 32 defendant by failing to define technical and organisational measures that are minimally sufficient and suitable for protecting the personal information processed; vii. Any relevant breaches previously committed by the controller or processor - which do not occur; viii. the degree of cooperation with the supervisory authority to remedy the infringement and mitigate any negative effects it may have - which is considered adequate in view of provision of the required information and cooperation at all stages of the enquiry process; ix. The specific categories of personal data affected by the infringement - in this case there is a wide range of information about refugees who came to LIMAR, providing name, address, through date of birth, marital status, contacts, household, information on identification documents, on the support network (identification of places and people they could stay with and their respective households), information on the period they could stay with the people from that support network and identification of the needs of those people in terms of housing, essential goods, food, health, education, child care facilities, employment, social responses, among others, in addition to the description of the concrete situation. x. Among these data are some - those relating to health - which fall within the special categories of data provided for in Article 9(1) of the GDPR. xi. The manner in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified it, and if so, to what extent - which in this case resulted from the publication in the media of the suspected infringements relating to the processing of personal data of refugees, does not constitute a mitigating circumstance for the defendant; xii. Compliance with the measures referred to in Article 58.0 , n.0 2, if they have been previously imposed on the controller or the subcontractor concerned in respect of the same matter - this criterion does not apply, as no corrective measures had been determined beforehand; xiii. Compliance with codes of conduct approved under article 40 or certification procedures approved under article 42 - criteria which also do not apply, as there is no code of conduct or certification procedure, under the terms indicated; and xiv. Any other aggravating or mitigating factor applicable to the circumstances of the case, in light of Article 83(2)(k) of the GDPR. 0 do RGPD, such as the financial benefits obtained or losses avoided, directly or indirectly, through the infringement - As a mitigating factor, the specific context in which the breaches occurred must always be taken into account, at a time when the arrival of Ukrainian refugees in Portugal was intense and public and private institutions were faced with the urgent need to respond to them. xv. The financial situation of the Municipality will also be taken into account, as reflected in the information provided in points 184 to 186 of the defence, which shows a significant drop in executed revenue compared to 2021.
187. In view of the criteria mentioned above, the CNPD considers it necessary to apply, in this case, two reprimands and a fine to the defendant, considering this to be an effective, proportionate and dissuasive measure, given the specific circumstances in which the offences occurred.
188. The fine applicable to the defendant for the infringement provided for and punishable under the combined provisions of Article 5.0 (1) (0) , in the area of failure to ensure the security of processing and the integrity and confidentiality of data personal data processed, and of Article 83, paragraph 5, sub-paragraph a) of0 and will have a maximum limit of 20.000. 000,00 euros.
189. Whereas the abstract fine applicable to the defendant for the infringement provided for and punishable under the combined provisions of Article 37(1) 00 (designation of the data protection officer) and Article 83(4)(a), all of the GDPR, has a maximum limit of € 10,000,000.00
190. Evaluating the facts established in the light of the criteria set out above, the CNPD, - in our Article 58. 0 , n . 2, al. b) of the RGPD, considers, also, adjusted, the application to the defendant of i. a fine in the amount of EUR 120,000 (one hundred and twenty thousand euros) for breach of alpha 0 of Article 5.0.1, in the area of failure to ensure the security of processing and integrity and confidentiality of personal data processed, and of alpha a) of Article 83.0.5 of the RGPD; ii. a reprimand for breach of Article 5.1(e) in conjunction with Article 58.2 (b) of the GDPR; iii. a reprimand for breach of Article 13(1) and (2) in conjunction with Article 58(2)(b ) of the GDPR; iv. a fine of EUR 100,000 (one hundred thousand euros) for breach of Article 37 (designation of the Data Protection Officer) in conjunction with Article 83(4)(a). 191. Adding up the fines in tranches, the result is a total of EUR 220,000 (two hundred and twenty thousand euros).
192. Once the framework of the partial fines has been established, it is important to determine the single fine applicable to the specific case.
193. It is noted that the GDPR provides in Article 83(3) that, "[w]here a controller or processor intentionally or negligently infringes, in the context of the same processing operations or linked operations, several provisions of this Regulation, the total amount of the fine shall not exceed the amount specified for the most serious infringement". As literally expressed, such normative must only be called upon in cases in which the infringements have been committed "within the scope of the same processing operations", or of "linked operations", which is not the case here, and the General Regime of Administrative Offences (RGCO), ex vi article 45 of Law no. 58/2019, of 8 August, applies.
194. Article 19 of the RGCO establishes the legal criteria for the legal cumulation of fines, which means that the single fine to be imposed in a guilty verdict must be set between a minimum limit constituted by the highest fine actually imposed on each of the administrative offences (no. 3), in this case EUR 120,000 (one hundred and twenty thousand euros), and with a maximum limit consisting of the sum of the fines actually imposed on each of the administrative offences (no. 1), in this case EUR 220,000 (two hundred and twenty thousand euros).
195. So, the abstract frame of the single fine to be applied is between a minimum of 100,000 (one hundred thousand euros) and a maximum of 220,000 (two hundred and twenty thousand euros). vi. Grounds for the imposition of the single fine
196. The essential prerequisite for the legal cumulation of fines in instalments is the the same Defendant committed several offences before a conviction for any of them became final and unappealable.
197. In this sense, in order to proceed to the legal cumulation it is necessary to verify the following requirements, of procedural and material nature: (i) that the sanctions are related to administrative offences committed before the final judgment of any of them, (ii) that they have been committed by the same defendant and that the individual penalties are of the same kind.
198. What is cumulatively verified in the present case, merits the existence of effective or pure competition, either in the aspect of real competition, or in the aspect of ideal competition.
199. The accused was found to have acted freely and knowingly, albeit negligently, in i. not ensure that the data it processes is "secure, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, taking appropriate technical or organisational measures. ii. not to designate a data protection officer.
200. The concrete context in which the violations occurred, together with the fact that the Municipality acted in order to obviate humanitarian and emerging constraints, should be highlighted here. These constraints assume a degree of originality that may explain some of the unpreparedness shown.
201. In any case, the breach of the obligation to designate the Data Protection Officer is not directly linked to that emergency, so the same cannot be admitted degree of devaluation of the action which is attributed to another violation.
202. Considering the legal assets protected by the administrative offences in question, which the defendant committed, it seems effective, proportional and dissuasive to apply to the defendant, in legal cumulation, under the combined provisions of Article 83. 0 , paragraph 3 of the GDPR and Article 19, n. 0 3 of the RGCO, a single fine of EUR 170,000.00 (one hundred and seventy thousand Euros). vi. Conclusion
203. In view of the above, the CNPD deliberates: Apply to the defendant Municipio de Setubal, a) in accordance with the provisions of Article 19 of the RGCO, a single fine of EUR EUR 170,000 (one hundred and seventy thousand euros) for breach of the principle of integrity and confidentiality and breach of the obligation to appoint a data protection officer; b) in compliance with Article 58.2 b ) of the GDPR, two reprimands, I. One for the violation of the principle of limitation of conservation; II. One for breach of the obligation to provide essential information when personal data are collected from the data subject.
204. Under the terms of Article 58, paragraphs 2 and 3 of the General Regime of Administrative Offences, inform the defendant that a) The conviction becomes final and enforceable if it is not contested in court, under the terms of Article 59 of the same diploma; b) In case of a judicial objection, the Court may decide by hearing or, if the accused and the Public Prosecutor do not object, by simple order.
205. The defendant must pay the fine within 10 days of its final settlement, sending the respective payment slips to the CNPD. Should it not be possible to make payment in due time, the defendant must communicate such fact, in writing, to the CNPD.
