GRDP: fines hunt or the right decision?

In the month that marks the anniversary of the General Regulation on Data Protection (GRDP), we recall one of the most discussed decisions of the National Commission for Data Protection (NCDP).
Articles 07/06/2023

The National Commission for Data Protection imposed a fine of 4.3 million euros on the National Statistics Institute (INE) for five offences against the GDPR in December 2022.

This fine was imposed due to alleged lousy information management practices, explicitly hiring a US company, Cloudflare, to be responsible for the Census 2021 collection site. As a result, the data collected from about 1.8 million Portuguese were transferred to third countries, namely the USA and other countries with hundreds of servers allocated (Mexico, Russia, South Africa, and China, among others). INE announced that it would appeal the decision.

Given that this was a historic decision whose outcome seems far from finalized, it is essential to recall the arguments used to make it. After numerous complaints, the CNPD initiated an investigation process regarding the Census 2021, carried out by INE, since the census operation would request the mandatory provision of citizens’ identification data, allegedly transferred to a company based in the USA.

Deliberation 2021/533 concluded that the citizen, when accessing the Census 2021 form, would be forwarded to one of Cloudfare’s servers, which according to the contract between the parties, could be any server, emphasizing that this company has more than 200 data centres located not only in the US but also in the rest of the world and not all of them are in harmony with the RGPD legislation.

The company in question held private and public keys, able to encrypt and decrypt all communications between citizens who access the form and send their data; some of this data is even considered unique personal data. In other words, INE would need to be made aware of this procedure and transmission, with Cloudflare having total control of the data and sending it to INE.

The CNPD also concludes that a complete and correct AIPD – Data Protection Impact Assessment – under the terms of article 35 of the RGPD was not duly carried out, encompassing all operations on personal data in the context of the outsourcing relationship, i.e., the process an Impact assessment on the transport of information to and from Cloudflare’s servers.

Nor would the standard contractual clauses for transferring data from INE to Cloudfare in the USA be respected since these would not bind the US authorities as these authorities could access the information in the context of national security activities.

Therefore, the CNPD decided under article 58, paragraph 2, j) of the GDPR that the National Statistics Institute, within a maximum period of 12 hours, should immediately suspend the sending, by any means, of personal data from the Census 2021 to the USA and to any other third country, without a duly adequate level of protection. Furthermore, INE should ensure that subcontractors are not obliged to comply with legislation that prevents compliance with the GDPR.

This Deliberation/2021/533 was considered urgent. However, it was taken without a prior hearing under the terms of Article 124(1)(a) of the Administrative Procedure Code since the Census was still being collected and would continue to put at risk the rights, freedoms and guarantees of more than four million citizens.

The case was finalized with Deliberation/2022/1072 after Statistics Portugal was notified, as the defendant, of the content of the Draft Deliberation in which ten administrative offences, arising from the breach of the provisions set out in the RGPD, were alleged to have been committed by way of material authorship and in the form of consummation. Accordingly, INE was invited to present its defence under Article 50 of Decree-Law 433/82 of October 27.

In exercising its defence, INE claimed:

  • the lack of competence of the CNPD
  • the nullity of the Draft Deliberation;
  • that the processing was licit;
  • that there was no transfer of data to third countries
  • that there was no breach of duties of diligence or information
  • that the minimization principle was violated in the operations considered optional and that an AIPD would not be necessary since the CNPD had already assessed in Authorization no. 2600/2011.

The CNPD concluded by imposing a single fine of €4,300,000 (four million and three hundred thousand euros) on INE for the following administrative offences:

  • Violation of the prohibition of processing special categories of personal data under Articles 9(1) and 83(5)(a) of the RGPD;
  • Breach of the duties to inform the data subjects under articles 12, 13 and 83(5)(b) of the RGPD
  • Breach of compliance with the rules applicable to the contracting of subcontractors under the terms of articles 28(1), (6) and (7) and 83(4)(a) of the RGPD
  • Violation of the transfer regime under articles 44(2), 46 and 83(5)(c) of the RGPD;
  • Breach of the obligation to conduct a personal data protection impact assessment according to Articles 35(1), (2), (3)(b) and 83(4)(a).

The CPND determined the amount of the fine taking into account the criteria set out in Article 83(1)(a) to (k) of the GDPR, considering, in summary, that the breach of the prohibition on processing special categories of personal data and the breaking of the duties to inform data subjects were committed negligently. The remaining violations (of compliance with the rules applicable to the contracting of subcontractors, the transfer regime and the obligation to conduct an impact assessment on personal data protection) were committed intentionally in competition.

As a result of these criteria, the CPND considered it necessary to impose five fines on INE, which, when added together, would result in €6,500,000 (six million five hundred thousand euros) under the terms of Article 58(b)(2) of the GDPR. Furthermore, under Article 83(3) of the GDPR, the total amount of the fine cannot exceed the amount specified for the most serious breach, in this case, €20,000. 000, and this would have to be the abstract maximum limit applicable. The amount cannot be lower than the highest of the fines applied explicitly to the various administrative offences, which in this case was €2,4000,000, according to Article 19(3) of the GBER, which would use subsidiarily, ex vi article 45 of Law 58/2019 of August 8.

However, the CNPD decided to apply a single fine for €4,300,000 (four million and three hundred thousand euros) as legal cumulation was verified (existence of a practical or pure contest, either in the natural or ideal tender), taking into account the high degree of reprehensibility of the defendant’s conduct, indifference in the applicable legislation but also the fact that the defendant does not have a prior record of misdemeanours for violation of data protection rules.

The decision taken in December 2022 can and was challenged under Article 59 of the GDPR by INE. The fine imposed by the CNPD on Statistics Portugal was, in fact, the highest in data protection. Notwithstanding the possibility of challenging the decision, it is indeed an unprecedented event that leads us to rethink and increasingly respect the legislative measures regarding data protection and create preventive means within organizations.

A historic decision, in itself, not only because of the large number of citizens’ data at stake but also because of the risk of undue and illicit obtaining of personal data by third parties that do not respect the RGPD rules.


The content of this information does not constitute any specific legal advice; the latter can only be given when faced with a specific case. Please contact us for any further clarification or information deemed necessary in what concerns the application of the law.


  • Ana Cristina Vargas
  • Anthony Meira

Practice Areas

  • Intellectual Property