Portugal: CNPD fines National Institute of Statistics €4.3M for multiple violations of GDPR
The Portuguese data protection authority ('CNPD') published, on 12 December 2022, its decision in case No. 2022/1072, in which it imposed a fine of €4.3 million on the National Institute of Statistics ('the National Institute'), following an investigation, for violations of Articles 9(1), 12, 13, 28(1), 28(6), 28(7), 35(1), 35(2), 35(3)(b), 44, and 46(2) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
Background to the decision
In particular, the decision relates to the National Institute's conduct in collecting citizens' personal data during the 2021 census. More specifically, the CNPD found that the National Institute, while processing special categories of personal data relating to health and religion, did not provide clear and complete information on the optional nature of providing that data and did not sufficiently explain that some of the questions were optional. Respondents were therefore unable to form a free and informed choice, which is a precondition for the lawful processing of those special categories of data.
Moreover, the CNPD found that the National Institute had not fulfilled its duty of diligence in choosing its processor (subcontractor), since that diligence was limited to the formal application of Standard Contractual Clauses ('SCCs'). More specifically, the CNPD explained that, although the processor had an office in Lisbon, the contract concluded with Cloudflare, Inc., a company based in the US, designated a California court as the forum for disputes between the parties. In addition, the CNPD noted that the contract permitted personal data to transit through any of Cloudflare's 200 servers, with both parties anticipating that the data might be processed outside the EEA. Further, the CNPD reported that, while the contract incorporated the SCCs approved by the European Commission for transfers of personal data to the US, it did not provide for any supplementary measures, as required by the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II case').
Lastly, the CNPD noted that the National Institute did not carry out any Data Protection Impact Assessment ('DPIA') in relation to the processing.
Findings of the CNPD
In light of the above, the CNPD found that the National Institute unlawfully processed personal data relating to health and religion and failed to fulfil its duty to inform respondents to the 2021 census questionnaire, thereby violating the prohibition on processing special categories of data in Article 9(1) of the GDPR and the obligation to inform data subjects under Articles 12 and 13 of the GDPR.
Furthermore, the CNPD found that the National Institute breached its duty of diligence in choosing its processor and infringed the rules on international transfers of personal data, thereby violating Articles 28(1), 28(6), and 28(7) of the GDPR and Articles 44 and 46(2) of the GDPR, respectively.
Lastly, the CNPD found that the National Institute failed to comply with the obligation to carry out a DPIA related to the census operation, thus violating Articles 35(1), 35(2), and 35(3)(b) of the GDPR.
Finally, the decision notes that the fine of €4.3 million becomes final and enforceable if the National Institute does not challenge it in court, and must be paid within a maximum of ten days after it becomes final, with the corresponding payment slips to be sent to the CNPD.
UPDATE (22 December 2022)
EDPB publishes English summary of CNPD decision
The European Data Protection Board ('EDPB') published, on 19 December 2022, a summary in English of the CNPD's decision to fine the National Institute €4.3 million.