Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Create an account
Join our community for free to access exclusive whitepapers, reports, and regulatory information.
Portugal: CNPD fines Municipality of Setubal €170,000 for unlawful processing of refugees' personal data
The Portuguese data protection authority ('CNPD') published, on 16 November 2022, its decision in Case No. 2022/140, in which it imposed a fine of €170,000 on the Municipality of Setubal, for violations of Articles 5(1)(f), 5(1)(e), 13(1), 13(2), 37(1), and 37(7) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following an investigation.
Background to the decision
In particular, the CNPD reported that the decision relates to the Municipality's conduct in collecting the personal data of Ukrainian refugees. More specifically, the CNPD explained that the Municipality had asked the refugees to fill forms containing extensive personal information about them, including name, address, date of birth, marital status, and information on identification documents.
Findings of the CNPD
Notably, the CNPD found that the Municipality had not performed a Data Protection Impact Assessment ('DPIA'), despite the fact that refugees are considered vulnerable persons according to the European Data Protection Supervisor's ('EDPS') Guidelines on Data Protection Impact Assessment. Furthermore, the CNPD found that no retention periods were defined for the information collected by the Municipality, nor were sufficient technical and organisational measures implemented, thus violating Articles 5(1)(f) and 5(1)(e) of the GDPR respectively.
Moreover, the CNPD stated that no information was provided to the data subjects, at the time of data collection, about the controller, the purposes of the processing, the recipients or categories of recipients of the personal data, the rights of the data subjects, and the right to lodge a complaint with a supervisory authority, thus violating Articles 13(1) and 13(2) of the GDPR. Lastly, the CNPD detailed that the Municipality did not appoint a Data Protection Officer ('DPO'), thus violating Articles 37(1) and 37(7) of the GDPR.
Outcomes
Ultimately, the CNPD noted that the fine of €170,000 becomes final and enforceable if it is not judicially challenged by the Municipality, and must be paid within a maximum period of ten days after it is finalised, with the respective payment slips being sent to the CNPD.
You can read the press release here and download the decision here, both only available in Portuguese.
Send us your Feedback!
Please let us know what you think of DataGuidance! It will only take 60 seconds and help us make the site better for you.
