CNPD (Portugal) - Deliberação 548/2021

From GDPRhub
CNPD (Portugal) - Deliberação 548/2021
Authority: CNPD (Portugal)
Jurisdiction: Portugal
Relevant Law: Article 5(1) GDPR
Article 5(2) GDPR
Article 24(1) GDPR
Article 83(5) GDPR
Article 83(5) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 27.04.2021
Published: 12.07.2021
Fine: 2500 EUR
Parties: n/a
National Case Number/Name: Deliberação 548/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Portuguese
Original Source: CNPD Website (in PT)
Initial Contributor: Jennifer Vidal

The Portuguese DPA fined a municipality €2500 for sharing special category data regarding data subjects diagnosed with COVID-19 on its Facebook page.

English Summary


A Portuguese municipality started to share on its page on Facebook information about Covid 19 contention measures since the beginning of the pandemic. This municipality shared that, in March 2020, a couple of citizens had been diagnosed with Covid 19 after traveling to France, also informing their place of residence and the period of the trip. The information was deleted from social media two months later.

The Portuguese DPA (CNPD) launched an investigation on the matter. The municipality was notified about the decision's project involving violation of the GDPR, specifically lawfulness, fairness and transparency principles and the possibility of a subjection to an administrative fines up to €20,000,000 in January.

In its defense, the municipality alleged the lack of legitimacy of the original person that brought up of the facts, the lack of guidance from the CNPD on the matter, the conflict between the rights of infected people and the rights of all other people, and the impossibility of identifying the infected holders between all the inhabitants of the place where they live with the information disclosed about the displacement to France.


The CNPD concluded that the municipality had violated the GDPR by processing personal data as it did, revealing people's health information, as well as information about the trip taken by the patients and the period in which it occurred. As a controller, the municipality should be aware of how to carry out the respective processing of personal data.

The Portuguese DPA considered that the case encompasses the biggest violation that can be made to the GDPR as it violates one of the basic principles of data protection, the principle of lawfulness, and also highlighted the fact that the infringement lasted two months.

The authority also highlighted the fact that as the case involved the processing of sensitive data, which constitutes a special category of personal data which processing must be based on one of the legal bases set out in article 9, since generic processing is prohibited, and remarked that such information shall remain confidential, since sensitive data can potentially cause discrimination and stigmatization for data subjects.

The CNPD fined the Municipality €2500. In order to determine the amount, the CNPD took into account the financial situation of the public sector and, also, as a mitigating factor, the absence of economic benefit in the performance of the infringement.


This is the first fine issued by the Portuguese DPA.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.