Analysis of the recent activity of the Portuguese Supervisory Authority - What to expect?

It has been perceived that the sanctioning activity of the Portuguese Supervisory Authority has been fundamentally focused on public entities, which may suggest that for private companies the verification of compliance with GDPR has been less demanding. An example is the recent CNPD's Resolution that applied a fine of EUR 170,000 as well as two reprimands, for the practice of four administrative offences related to the processing of personal data of refugees from Ukraine displaced in Portugal. This sanction originated from a news article published by a Portuguese newspaper which, among other aspects, portrayed the execution of copies of documents belonging to refugees, in the presence of Russian citizens, in a Portuguese City Hall.

I. The recent sanctioning activity by the CNPD

It has been 3 years since the entry into force of Law 58/2019 (which ensures the implementation in Portugal of the GDPR). Since then, the National Supervisory Authority (Comissão Nacional de Proteção de Dados, hereinafter "CNPD") has made its efforts to prove its activeness. Nevertheless, its sanctioning performance has been lower than other European Supervisory Authorities, reason for wondering whether Portugal stakeholders are really that compliant with the GDPR.

According to the CNPD's activity report for the year 2021, the CNPD applied 60 fines amounting to €1,491,500, only 13 of which under the GDPR. Recognising that there will certainly be decisions of the CNPD not accessible to the public, the recent sanctioning activity of the CNPD has fundamentally focused on a pattern: the imposition of fines for breaches of the GDPR on public entities and, most often, as a result of media exposure of data breach situations. For instance, the following:

(a) €2,500 applied to a Municipality for disclosing on their Facebook page personal data of two people who had been diagnosed with covid-19, on the basis of Article 5(1)(a) of the GDPR (Resolution 2021/548).

(b) €1,250,000 applied to the Municipality of Lisbon in the scope of the case known as "Russiangate", for having disclosed personal data of protesters to embassies of several countries. This sanction corresponds to the total of 225 fines individually considered, for violation of several provisions of the GDPR, namely Articles 5(1)(a), (c), (e); 6; 9(1); 13(1), (2) and 35(3)(b) (Resolution 2021/1569).

(c) €400,000 applied to the Barreiro-Montijo Hospital Centre for insufficient technical and organizational measures to ensure information security (articles 5(1)(f) and 32 GDPR). After the fine was imposed, the hospital center submitted to the CNPD a request for a fine waiver, in its quality as a public entity. The request was rejected in March 2020. The CNPD considered that the hospital's economic situation did not justify the waiver of the fine payment. However, in July 2020, the CNPD reviewed the situation and accepted the request for waiver of the fine, admitting that, in a pandemic context, the specific situation of the offender and the specific public interest affected by the application of the fine prevails, in these exceptional circumstances, over the public interest of punishing the offender.


II. Resolution 2022/1040

Resolution no. 2022/1040, of 2 November was recently published, whereby the CNPD applied a single fine of €170,000 to Setúbal Municipality, as well as two reprimands, for the practice of four administrative offences related to the processing of personal data of refugees from Ukraine relocated in Portugal, under the Municipal Refugee Helpline ("LIMAR").

This sanction originated in a report published in a Portuguese newspaper in which witnesses stated that, in Setubal Town Hall, Russian citizens were asking questions about the relatives of Ukrainian refugees. The press report and similar ones published in various media also showed that copies of documents belonging to the refugees were being made in the presence of the Russian citizens. Accordingly, the CNPD’s resoution was based on the fact that Setúbal Municipality had allowed people from outside the municipal services to access the computer equipment used for data processing, which contained a series of information about vulnerable data subjects (refugees), collected in the context of LIMAR. Moreover, no specific access profile has been assigned to those persons nor has a formal agreement been concluded to regulate their responsibilities with regard to the processing of personal data.

In this context, an Excel file was used to manage and store the information concerned, with no traceability of access or modifications. Which, in the CNPD's view, constituted in itself a non-negligible risk in terms of security, integrity and confidentiality (in breach of the principle of integrity and confidentiality, provided for in Art. 5(1)(f) GDPR).

Furthermore, it was also censured the fact that the Municipality does not appoint a Data Protection Officer ("DPO"), although it has been obliged to do so since 2018, pursuant to Article 37(1)(a) of the GDPR.

Finally, the CNPD sanctioned for the failure of the Municipality to establish any retention periods for the personal data collected in the context of LIMAR (as would be required by the principle of storage limitation - Art. 5(1)(e) GDPR), and for failing to provide the mandatory information to the data subjects under articles 13(1) and 13(2) of the GDPR.

For these reasons, the CNPD decided to impose a single fine of €170,000 for breach of the principle of integrity and confidentiality and breach of the obligation to appoint a DPO. As well as, two reprimands, for violation of the principle of storage limitation and the duty to provide the mandatory information of art. 13 of the GDPR to the data subjects.

Although the CNPD did not specify what the reprimands applied consisted of in practice, it explained that the infractions sanctioned with reprimands deserved a lower level of devaluation than the others, considering the exceptional context at the time of their practice, characterized by the intense arrival of Ukrainian refugees in Portugal and the consequent need of national institutions to respond in the most effective and expeditious manner possible.

It should be noted that this is the first time the CNPD has imposed a fine for an organization’s failure to appoint a DPO, in accordance with Article 37(1) of the GDPR.

Without underestimating the work and quality of the national Supervisory Authority, the CNPD's sanctioning action still falls short of what was expected in terms of GDPR enforcement.

More stringent sanctioning action is needed in order to provide an example, to raise awareness of the importance of respecting individuals' privacy and data protection, and to encourage entities to comply with the GDPR.

Changes are expected in the near future regarding the composition and structure of the CNPD, which may entail more resources and, consequently, more enforcement at the sanctioning level.


Article provided by INPLP member: Ricardo Henriques (Abreu Advogados, Portugal)



Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)