Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Portugal: CNPD fines Municipality of Setubal €170,000 for unlawful processing of refugees' personal data

The Portuguese data protection authority ('CNPD') published, on 16 November 2022, its decision in Case No. 2022/140, in which it imposed a fine of €170,000 on the Municipality of Setubal, for violations of Articles 5(1)(f), 5(1)(e), 13(1), 13(2), 37(1), and 37(7) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following an investigation.

Background to the decision

In particular, the CNPD reported that the decision relates to the Municipality's conduct in collecting the personal data of Ukrainian refugees. More specifically, the CNPD explained that the Municipality had asked the refugees to fill forms containing extensive personal information about them, including name, address, date of birth, marital status, and information on identification documents.

Findings of the CNPD

Notably, the CNPD found that the Municipality had not performed a Data Protection Impact Assessment ('DPIA'), despite the fact that refugees are considered vulnerable persons according to the European Data Protection Supervisor's ('EDPS') Guidelines on Data Protection Impact Assessment. Furthermore, the CNPD found that no retention periods were defined for the information collected by the Municipality, nor were sufficient technical and organisational measures implemented, thus violating Articles 5(1)(f) and 5(1)(e) of the GDPR respectively.

Moreover, the CNPD stated that no information was provided to the data subjects, at the time of data collection, about the controller, the purposes of the processing, the recipients or categories of recipients of the personal data, the rights of the data subjects, and the right to lodge a complaint with a supervisory authority, thus violating Articles 13(1) and 13(2) of the GDPR. Lastly, the CNPD detailed that the Municipality did not appoint a Data Protection Officer ('DPO'), thus violating Articles 37(1) and 37(7) of the GDPR.


Ultimately, the CNPD noted that the fine of €170,000 becomes final and enforceable if it is not judicially challenged by the Municipality, and must be paid within a maximum period of ten days after it is finalised, with the respective payment slips being sent to the CNPD.

You can read the press release here and download the decision here, both only available in Portuguese.