Enforcement

€180,000 fine - Portuguese Data Protection Authority (CNPD)

The Portuguese DPA has imposed a fine of EUR 170,000 on Setúbal municipality. The DPA found data protection violations regarding the collection of personal data from Ukrainian refugees. The municipality had asked refugees to fill out a form at the time of their arrival and provide various details on personal data, such as name, date of birth, marital status, etc. The DPA noted, that the municipality had not sufficiently informed the data subjects about the data processing. In addition, the DPA f

€4,300,000 fine - Portuguese Data Protection Authority (CNPD)

The Portuguese DPA has fined the Portuguese National Statistical Institute EUR 4,3 million. The DPA found numerous violations of the GPDR in connection with the 2021 census in Portugal. The DPA first found that the controller had failed to inform the data subjects that the provision of religious and health data was purely voluntary. The DPA considered this to be an interference with the data subjects' ability to freely express their will regarding data processing. In addition, the DPA found that

€1,250,000 fine - Portuguese Data Protection Authority (CNPD)

The Portuguese DPA has imposed a fine of EUR 1.25 million on the Lisbon City Council. The fine is the sum of 225 fines from various violations committed by the municipality since 2018. The municipality had sent 111 notifications about demonstrations to various departments and offices within the municipality, as well as to third parties, to ensure that they could properly perform their public duties. The notices contained, among other things, sensitive data of the demonstrators and organizers of

€2,000 fine - Portuguese Data Protection Authority (CNPD)

Inexistence of signalization regarding the use of CCTV systems

€2,000 fine - Portuguese Data Protection Authority (CNPD)

Inexistence of signalization regarding the use of CCTV systems

€20,000 fine - Portuguese Data Protection Authority (CNPD)

Denial of the right to access recorded phone calls by the Data Subject

€400,000 fine - Portuguese Data Protection Authority (CNPD)

Investigation revealed that the hospital’s staff, psychologists, dietitians and other professionals had access to patient data through false profiles. The profile management system appeared deficient – the hospital had 985 registered doctor profiles while only having 296 doctors. Moreover, doctors had unrestricted access to all patient files, regardless of the doctor’s specialty.