According to the CNPD decision, at stake are violations by INE concerning the processing of special categories of personal data, the duty to inform data subjects, and the rules applicable to hiring a company to manage the data collected in the censuses.

The commission also considered violations in the institute's handling of data transfers to third countries and its failure to carry out an impact assessment on personal data.

The commission understands that INE’s action reflects the commission of five offenses “provided for and punished” by the GDPR, stressing that the infractions “assume a significant degree of gravity, given the number of data subjects concerned (...), the context in which they were practiced, in particular, the mandatory response to the 2021 Census and the conviction that they were mandatory”.

The CNPD's decision attributes a “negligent act” to the entity responsible for carrying out the censuses, which violated the duty of transparency and the duty of care through the lack of information given to data subjects about the activity in question (carrying out the censuses).

The CNPD also considers that INE acted with malice by not checking with the company that would collect and manage the personal data whether it would pass the data on to third countries.

Therefore, it concluded that two administrative offenses resulted from negligence, and another three were committed intentionally.

“Possible fraud”

“INE knew, and could not fail to know, the binding nature of its obligations and was satisfied with the possibility of carrying out the facts of which it is accused, for which they are imputed to the defendant as possible fraud”, states the body's deliberation, dated November 02, 2022.

According to the commission, INE revealed “a disregard for the principles and obligations provided for in the GDPR, by relying on an intervention by the supervisory authority [CNPD], instead of taking the initiative to ensure that the census operation complied with that regime”.

The five offenses gave rise to five fines amounting to €6.5 million.

However, after recognising a “high degree of censorship of the defendant’s conduct” and the need for a “sanction that reflects the high censorship of this behaviour”, the body noted the absence of a record of infractions by INE and imposed a single fine of €4.3 million.

The 2021 censuses were shrouded in controversy over the contract with the company Cloudflare, which was responsible for the security of the site that collected the census responses. The contract provided for the transfer of personal data to the United States of America or other countries.

The National Data Protection Commission then demanded the suspension of any transfer of personal data, with INE suspending the contract with the company.