The Portuguese Data Protection Authority (“CNPD”) imposed a fine on and issued two reprimands against Setúbal Municipal Council for infringing several rules in the processing of the personal data of Ukrainian refugees through the Municipal Refugee Helpline (“MRH”). The administrative fine amounted to €170,000, which was imposed for breaching the principle of data integrity and confidentiality, as well as for breaching the obligation to appoint a data protection officer (“DPO”).
The reprimands concern not only the breach of the duty to inform the data subjects that the data were being processed and the terms on which this was done, but also the breach of the principle of keeping data for a limited period only.
In this resolution, the CNPD outlines and appraises the breach of the integrity/confidentiality principle established in Article 5.1.f) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”).
This principle, according to which personal data must be processed in a way that guarantees the security of the data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by adopting appropriate technical and organizational measures, is one of the key principles of personal data processing. The CNPD considered that, in this case, the Setúbal Municipal Council had failed to implement the organizational measures for safeguarding information and the policies and guidelines for managing information securely. Consequently, it concluded that the municipal council had breached this principle.
The CNPD also concluded that, by failing to establish the period for keeping the collected personal data, the municipal council had breached the principle of keeping data for a limited period, according to which data may only be kept for the period necessary for the purposes for which they are processed.
The CNPD also considers that there was an infringement of Article 13.1 and Article 13.2 of the GDPR, under which the data subject must be provided with information about the processing and its purposes in a concise, transparent, intelligible and easy-to-understand way (i.e., in plain and simple language). In this case, the legally required information about the terms on which Setúbal Municipal Council was processing the data was not made available to the data subjects, nor was information provided about the third parties to which the data could be transferred, or the data subjects’ rights (e.g., the right to erasure, the right to restrict processing, and the right to data portability).
The CNPD also stated that Setúbal Municipal Council should have appointed a DPO under Article 37 of the GDPR, under which a DPO must be appointed when data are processed by a public authority or body. Consequently, by failing to appoint a DPO, Setúbal Municipal Council also breached this provision.
In its decision, the CNPD decided to impose a single fine, in line with the criteria for determining the fine. Given the specifics of this case, it decided to issue two reprimands and to impose a fine of €170,000 for breaching (i) the principles of integrity and confidentiality, and (ii) the obligation to appoint a DPO. The reprimands were for breaching the principle of keeping data for a limited period only and for failing to comply with the duty to provide the data subjects with key information about the processing.