During the last few months, the Portuguese Data Protection Commission (“CNPD”) has been particularly active in exercising its supervisory and remedial powers, granted by Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (“General Data Protection Regulation” or “GDPR”), applying three fines and issuing an interpretative resolution on the exemption of public entities from fines.
- Fines applied
In February and March 2019, the CNPD concluded three administrative offence procedures, imposing fines for the infringement of several GDPR provisions: in one case, a breach of the data subject's right of access; in the other two, a breach of the controller's duty of information.
In the first decision, resolution no. 2019/21, dated February 5, 2019, the CNPD dealt with a data subject’s request to access recordings of telephone calls with the defendant, which the defendant had recorded when acting as data controller.
The defendant argued that it had been unable to identify the sender of the emails in which the data subject requested this access, and that this was why one of the telephone call recordings in question had already been deleted after 90 days.
After the CNPD notified the defendant of the complaint submitted by the data subject, the defendant granted access to the remaining telephone calls within 15 days, invoking compliance with CNPD resolution no. 1154/2018 of December 18 and, consequently, with the data subject's right of access.
However, the CNPD considered the denial of access to the calls unjustified, as it understood that the refusal stemmed from the position taken by the defendant as data protection officer. According to the CNPD's decision, the defendant had instructed its processor (a call center management services company) to provide copies of the recordings of telephone calls only when requested "by judicial order or at the request of an entity or official body such as the CNPD or police authorities."
The CNPD fined the defendant €20,000 for the breach of the data subject's right of access to his or her data.
The second decision, resolution no. 2019/207 of March 19, 2019, dealt with a data controller's infringement of the duty of information: a video surveillance system was in operation in a commercial establishment, but the information sign was not placed in a visible location.
The CNPD considered that the defendant, by failing to fulfil this obligation, severely limited one of the most important rights in the area of personal data protection, and fined the defendant €2,000.
The third decision, resolution no. 2019/222 of March 2019, also concerned a controller's breach of the duty of information. The controller acknowledged that it had not placed any notice or information about the video surveillance system at the outside door of the building concerned. The CNPD fined the defendant €2,000.
We can conclude that the CNPD has been actively monitoring compliance with the GDPR's obligations, specifically the right of information in relation to the processing of personal data through video surveillance systems, and the exercise of the right of access, even though in these cases the monitoring was triggered by complaints from data subjects.
We also note that the amounts of the fines in the latter two cases are much closer to the minimum amounts provided for under Law 58/2019 of August 8, 2019, which implements the GDPR in the Portuguese legal system, than to the maximum amounts established by the GDPR.
- Exemption of public entities from fines
On September 3, 2019, the CNPD issued resolution no. 2019/495 after several public entities had requested exemption from fines for three years, invoking article 44(2) of Law 58/2019 of August 8, identified above.
This resolution is the result of several requests by public entities to be exempted from fines in the aftermath of a €400,000 fine imposed on a public hospital in Barreiro.
This national provision is based on article 83(7) of the GDPR and allows public authorities, by reasoned request, to ask the CNPD to waive any fines for three years after Law 58/2019 enters into force.
According to the GDPR, Member States can determine the possibility of exempting public entities from these fines in their national implementing laws, provided these laws also establish objective criteria for these exemptions to occur.
However, without establishing any such legal criteria in advance, the Portuguese legislator granted the CNPD a discretionary power to exempt public authorities from these fines during the first three years of Law 58/2019.
According to the CNPD, in the interpretative resolution identified above, the exemption from fines can only occur "after an illicit conduct is verified and demonstrated." Regarding the criteria for determining whether an applicant should benefit from the exemption, the CNPD also considered "the violated rights of the data subjects and public interests that the legal provisions seek to take into account, as well as the specific situation of the offender and the interests or public interests affected by the fine."
The CNPD concludes that the exemption of public entities from the application of a fine "can only be required by public authorities after notification of the practice of a data protection legislation infringement, in the context of a specific administrative procedure."
It is important for companies to have an appropriate procedure for assessing requests from data subjects to exercise their rights, as well as an appropriate procedure for responding to them within the legal deadlines.
Similarly, data subjects' right of information must be complied with in general, and the importance of signage on video surveillance systems must not be overlooked.
Public entities must also comply with these data protection obligations, as the CNPD will only exempt them from fines at the end of an infringement procedure, and only in situations where it was impossible for them to comply with their GDPR obligations.
Authors: Sónia Queiróz Vaz, Teresa Isabel Gonçalves and João Diogo Quartilho