Portuguese National Statistical Institute

Descripción

The Portuguese DPA has fined the Portuguese National Statistical Institute EUR 4,3 million. The DPA found numerous violations of the GPDR in connection with the 2021 census in Portugal. The DPA first found that the controller had failed to inform the data subjects that the provision of religious and health data was purely voluntary. The DPA considered this to be an interference with the data subjects' ability to freely express their will regarding data processing. In addition, the DPA found that the controller failed to exercise due diligence in selecting its processor, contrary to its obligation under Art. 28 GDPR. In addition, the order processing contract permitted the transfer of personal data outside the EEA without providing for additional security measures besides the SCCS approved by the European Commission, as required under the Schrems II ruling. The DPA considered this to be a breach of Art. 44 GDPR and Art. 46 (2) GDPR. Finally, the DPA found that the controller failed to conduct a data protection impact assessment regarding the census.