Duyurular

The CNPD fines the Portuguese INE 4.3 million EUR

In 2021, the Portuguese Supervisory Authority (“CNPD”) received several complaints about the national census survey that was still undergoing at that moment. The census, organised by a public body, the National Statistics Institute (“INE”), is in general of mandatory reply, subject to infringement procedure in case of non-compliance by individuals. It was introduced the possibility for respondents to fulfil the survey online using a password provided by post mail to each family residence.

The complaints mostly concerned: the lawfulness of the processing of personal data for statistics purposes, since the survey explicitly required the complete identification of all members of the family living in the same residence; the lawfulness of the processing of special categories of data, such as religion and health data; and the existence of international data transfers to third countries without an adequate level of protection.

In light of the complaints received, the CNPD opened an inquiry. At that point, on 26 April 2021, circa 2.5 million forms, containing the personal data of over six million citizens residing in Portugal, had already been submitted to the INE. In view of its preliminary findings, the CNPD issued, under Article 58(2)(j) GDPR, an order for INE to suspend, in 12 hours, all data flows to the US and to any other third countries that did not offer an adequate level of protection, either via Cloudflare, Inc. or via any other company.

In its inquiry, the CNPD identified five infringements of the GDPR in the context of the Census 2021 data processing, regarding the following issues:

  1. lack of lawfulness for the processing of special categories of personal data (Article 9(1) GDPR). 
  2. lack of compliance with transparency obligations (Articles 12 and 13 GDPR)
  3. lack of a DPIA (Article 35(1),(2) and (3)(b) GDPR)
  4. lack of due diligence concerning the choice of the processor (Article 28(1),(6) and (7))
  5. lack of compliance with the legal requirements for international data transfers (Articles 44 and 46(2))

As a result of the facts and the legal reasoning, the CNPD determined that the controller infringed different GDPR provisions in the context of the 2021 Census data processing and therefore decided, pursuant to Article 58(2)(i) and Article 83 GDPR and some national provisions, to apply one single fine of 4.3 million EUR to the controller.

You can reach further information here.

Kind regards,

Zumbul Attorneys at Law

info@zumbul.av.tr