Portugal
Lisbon City Council
GDPR enforcement action by Portuguese Data Protection Authority (CNPD) on 2021-12-21.
Case details
- Authority
- Portuguese Data Protection Authority (CNPD)
- Date
- 2021-12-21
- Controller / Processor
- Lisbon City Council
- Sector
- Public Sector and Education
- Quoted Articles
- Art. 5 (1) a), c), e) GDPR, Art. 6 GDPR, Art. 9 (1) a) GDPR, Art. 13 (1), (2) GDPR, Art. 35 (3) GDPR
- Type of violation
- Insufficient legal basis for data processing
Summary
The Portuguese DPA has imposed a fine of EUR 1.25 million on the Lisbon City Council. The fine is the sum of 225 fines from various violations committed by the municipality since 2018.
The municipality had sent 111 notifications about demonstrations to various departments and offices within the municipality, as well as to third parties, to ensure that they could properly perform their public duties. The notices contained, among other things, sensitive data of the demonstrators and organizers of the demonstrations. The data revealed, among other things, the political opinion , religious or philosophical beliefs or sexual orientation of the data subjects. The DPA found that the transfer of the data would not have been necessary for the entities to properly perform their public tasks. Thus, the processing took place without a sufficient legal basis. In addition, the DPA found that the municipality had carried out the processing without informing the data subjects, without establishing a policy for the retention of their personal data, and without conducting a data protection impact assessment.
---Update---
The Portuguese Constitutional Court rejected the controller's appeal, ruling that the fine was unconstitutional and thus confirming the decision by the DPA.
Related fines