Portugal: CNPD fines Municipality of Lisbon €1.25M for processing of personal data of protestors
The Portuguese data protection authority ('CNPD') published, on 14 December 2021, its decision in case No. 2021/569, in which it imposed €1.25 million on the Municipality of Lisbon for its multiple violations of the law and particularly of Articles 5(1)(a), (c), and (e), 6, 9(1), 13, and 35 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following its processing of protestors' sensitive personal data in violation of data protection rules.
Background to the decision
In particular, the decision relates to the Municipality's conduct in collecting the personal data of protestors, including sensitive personal data, when they apply for protests, and sharing such data internally and externally with third parties.
Findings of the CNPD
Notably, the CNPD found that the Municipality, in sending notice of protest demonstrations, containing the personal data of protestors, to external third party entities, internal services, and advisors of the City Council, it had processed sensitive personal data without a legal basis. Furthermore, the CNPD found that the Municipality had undertaken the processing without informing the relevant data subjects, without defining a policy of conservation of their personal data, and without having carried out a Data Protection Impact Assessment ('DPIA') as required in this situation.
In this regard, the CNPD specified that the €1.25 million fine is the sum of 225 fines from different violations the Municipality's conduct had had amounted to since 2018, namely:
- 111 violations of Articles 5(1)(a), 6, and 9(1)(a) of the GDPR;
- 111 violations of Articles 5(1)(c);
- a violation of Article 13(1) and (2) of the GDPR;
- a violation of Article 35(3) of the GDPR; and
- a violation of Article 5(1)(e) of the GDPR.
Moreover, with regards to the numerous fines, the CNPD noted that the duration of the violations and the number of data subjects affected serve as factors that aggravate the fines as they reveal a persistent lack of commitment to the legal obligations that the Municipality was supposed to fulfil.
The CNPD further noted that the fines attached to each violation are listed in point 255 to 266 of the decision.
Ultimately, the decision notes that the fine of €1.25 million becomes final and enforceable if it is not judicially challenged by the Municipality, and must be paid within a maximum period of ten days after it is finalised, with the respective payment slips being sent to the CNPD.