Portuguese Data Protection Authority fines the National Institute of Statistics € 4.3 million

On 2 November 2022, the Portuguese Data Protection Authority (“CNPD”) issued a Decision imposing a fine of € 4,300,000 (four million three hundred thousand euros) on the National Institute of Statistics (“INE”) for multiple violations in the processing of data subjects’ sensitive data during the Census 2021 operation.

Background

On 27 April 2021, after launching an investigation into the transfer of personal data from INE to Cloudflare (a U.S. service provider engaged by INE for the operation of the Census 2021 surveys), CNPD ordered the suspension of any transfer of personal data resulting from the Census 2021 surveys to the United States or to other third countries without an adequate level of protection. Please see our previous blog post.

CNPD Decision

The CNPD applied a € 4.3 million fine for five separate violations of the GDPR:

  • Articles 9 (1) and 5 (1) (a): the CNPD considered that INE had processed sensitive personal data protected under Article 9 (1) of the GDPR (such as health and religious data) without a legal basis, thus violating the principles of lawfulness and fairness;
  • Articles 12 and 13 (duty to provide information): by failing to provide data subjects with the information it was obliged to provide under Articles 12 and 13 of the GDPR, the controller breached the principle of transparency;
  • Article 28 (1), (6) and (7): the CNPD argues that by engaging the services of Cloudflare (as a data processor) – which does not provide sufficient guarantees that it will implement appropriate technical and organisational measures to ensure the processing complies with the principles and rules of the GDPR – INE violated the accountability principle and failed to comply with its duty of care and due diligence in the choice of processor;
  • Article 35 (1), (2) and (3) (b): INE failed to comply with the obligation to conduct a data protection impact assessment;
  • Articles 44 and 46 (2): even though the transfer of personal data outside the EEA was based on the SCCs, the CNPD concluded that INE had not provided adequate additional safeguards when using the SCCs, which was essential given that the data transferred included sensitive data of a large number of individuals, and had thus breached the rules on data transfers to third countries.

This decision may be appealed to the judicial courts.