According to the CNPD decision, violations by INE in the
treatment of special categories of personal data, the duties of informing data
subjects, and the rules applicable to hiring a company to manage the data
collected in the censuses are at stake.
Violations were also considered regarding the institute's
action regarding data transfers to third countries and the failure to carry out
an impact assessment on personal data.
The commission understands that INE’s action reflects the
practice of five offenses “provided for and punished” by the RGPD, stressing
that the infractions “assume a significant degree of gravity, given the number
of data subjects concerned (...), the context in which that they were
practiced, in particular, the mandatory response to the 2021 Census and the
conviction that they were mandatory”.
The CNPD's decision points to the entity responsible for
carrying out the censuses as a “negligent act”, by violating the duty of
transparency and the duty of care due to the lack of information to data
subjects about the activity in question (carrying out the censuses).
The CNPD also considers that INE acted with malice by not
checking with the company that would collect and manage the personal data if it
would not pass the data on to third countries.
Therefore, it concluded that two administrative offenses
resulted from negligence, and another three were committed intentionally.
“Possible fraud”
“INE knew, and could not fail to know, the binding nature of
its obligations and was satisfied with the possibility of carrying out the
facts of which it is accused, for which they are imputed to the defendant as
possible fraud”, states the deliberation of the organism dated November 02,
2022.
According to the commission, INE revealed “a disregard for
the principles and obligations provided for in the GPDR, by relying on an
intervention by the supervisory authority [CNPD], instead of taking the
initiative to ensure that the census operation complied with that regime”.
The five offenses gave rise to five fines amounting to €6.5
million.
However, after recognising a “high degree of censorship of
the defendant’s conduct” and the need for a “sanction that reflects the high
censorship of this behaviour”, the body ended up revealing the absence of a record
of infractions by INE, imposing a single fine of €4.3 million.
The undertaking of the 2021 censuses was shrouded in
controversy after the contract with the company Cloudflare, responsible for the
security of the site that collected the responses to the censuses, and which
provided for the transfer of personal data to the United States of America or other
countries.
The National Data Protection Commission then demanded the
suspension of any transfer of personal data, with INE suspending the contract
with the company.