The Portuguese Supervisory Authority fines the Portuguese National Statistics Institute (INE) 4.3 million EUR

Background information

• Date of final decision: 2/11/2022
• Cross-border case or national case: National case
• Controller: Portuguese National Statistics Institute (INE)
• Legal Reference: article 9(1) GDPR; article 12 GDPR; article 13 GDPR; article 28(1), (6) and (7) GDPR; article 35(1), (2) and (3)(b) GDPR; article 44 GDPR; article 46 GDPR; article 83 GDPR
• Decision: application of fine of 4.3 million EUR
• Key words: special categories of data; international data transfers; public body; DPIA; transparency obligations; processor engagement duties; security of processing; adequate safeguards; equivalent level of protection; fines

Summary of the Decision

Origin of the case

In 2021, the Portuguese Supervisory Authority (CNPD) received several complaints about the national census survey that was still undergoing at that moment. The census, organised by a public body, the National Statistics Institute (INE), is in general of mandatory reply, subject to infringement procedure in case of non-compliance by individuals. It was introduced the possibility for respondents to fulfil the survey online using a password provided by post mail to each family residence.

The complaints mostly concerned: the lawfulness of the processing of personal data for statistics purposes, since the survey explicitly required the complete identification of all members of the family living in the same residence; the lawfulness of the processing of special categories of data, such as religion and health data; and the existence of international data transfers to third countries without an adequate level of protection.   It should be underlined that for the performance of the census (e.g. to ensure the efficiency and security of the online fulfilment of the survey), INE used the CDN services of a US company, Cloudflare, Inc., with over 200 data centres spread over 100 countries.

In light of the complaints received, the CNPD opened an inquiry. At that point, on 26 April 2021, circa 2.5 million forms, containing the personal data of over six million citizens residing in Portugal, had already been submitted to the INE. In view of its preliminary findings, the CNPD issued, under Article 58(2)(j) GDPR, an order for INE to suspend, in 12 hours, all data flows to the US and to any other third countries that did not offer an adequate level of protection, either via Cloudflare, Inc. or via any other company.

After this corrective measure of cautionary nature, the inquiry went on about other aspects of the subject matter of the complaints. The final decision was now taken.

Key Findings

In its inquiry, the CNPD identified five infringements of the GDPR in the context of the Census 2021 data processing, regarding the following issues:  

1. lack of lawfulness for the processing of special categories of personal data (article 9(1) GDPR). In the forms that respondents were required to fill in, the CNPD concluded that the questions concerning religion and health data, which were legally required to be optional, instead of mandatory like the remaining survey, were not duly flagged as optional. The lack of information prevented the respondents to form their free will and self-determination whether to reply or not to questions collecting special categories of data.   
2. lack of compliance with transparency obligations (articles 12 and 13 GDPR), in particular regarding the provision of any information concerning the processing operations, e.g. through the display of a privacy notice on the INE institutional website or on any other page.
3. lack of a DPIA (article 35(1),(2) and (3)(b) GDPR), encompassing the entirety of the processing operations and relevant dimensions of Census. The document provided by the controller as a DPIA was considered limited in scope, and insufficient in relation to the data processing.
4. lack of due diligence concerning the choice of the processor (article 28(1),(6) and (7)), namely by accepting a standard contract, that was not assessed in substance in what regards the requirements of A28(3). The controller did not ensure that the processor adopted all adequate measures to comply with the GDPR principles and rules, including guaranteeing that the risks of the processing were mitigated. Under this processing contract, INE agreed that the forum for settling disputes would be the Californian courts.
5. lack of compliance with the legal requirements for international data transfers (articles 44 and 46(2)), as interpreted by the CJEU in the Schrems II judgement. The controller authorised the processor, contractually, to transfer data to the US under the SCC without the adoption of any supplementary measures, and it also authorise the processor to engage with other (sub) processors established in third countries that do not provide an equivalent level of protection as guaranteed in the EU. The CNPD highlighted as well the lack of control and knowledge by INE of the respondents’ personal data whereabouts, once they entered the processor network, as well as the full control, by the processor, of the encryption / decryption tools securing the transmission of the data.

Decision

As a result of the facts and the legal reasoning, the CNPD determined that the controller infringed different GDPR provisions in the context of the 2021 Census data processing and therefore decided, pursuant to article 58(2)(i) and article 83 GDPR and some national provisions, to apply one single fine of 4.3 million EUR to the controller. This decision can be challenged in the national courts.

For further information: deliberation/2022/1072 (PT)