Lisbon City Council – €1,250,000 Fine (Portugal, 2021)

€1,250,000Comissão Nacional de Proteção de Dados21 December 2021Portugal
appealed
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The Lisbon City Council was fined EUR 1.25 million for mishandling personal data related to demonstrations. The council shared sensitive information about demonstrators without a legal basis and failed to inform them or assess the data protection risks. This case highlights the importance of proper data handling and transparency in public administration.

What happened

Lisbon City Council was fined for improperly sharing sensitive data about demonstrators without a legal basis.

Who was affected

Demonstrators whose sensitive personal data was shared by the Lisbon City Council.

What the authority found

The Portuguese DPA found that the council shared sensitive data without a legal basis and failed to inform the individuals involved.

Why this matters

This ruling stresses the need for public bodies to handle personal data responsibly and transparently, ensuring they have a legal basis and inform individuals about data processing activities.

GDPR Articles Cited

AI-verified

Art. 6(GDPR)
Art. 5(1)(a) GDPR
Art. 9(1)(a) GDPR
Art. 13(1) GDPR
Art. 35(3) GDPR
View original scraped data
Art. 5(1)(a) GDPR
c)
e) GDPR
Art. 6 GDPR
Art. 9(1)(a) GDPR
Art. 13(1) GDPR
(2) GDPR
Art. 35(3) GDPR

Original data from scraper before AI verification against source document.

Source verified 5 March 2026
date discrepancy
Portugal enforcementComissão Nacional de Proteção de Dados actionsAll Lisbon City Council actions
Full Legal Summary
Detailed

The Portuguese DPA has imposed a fine of EUR 1.25 million on the Lisbon City Council. The fine is the sum of 225 fines from various violations committed by the municipality since 2018. The municipality had sent 111 notifications about demonstrations to various departments and offices within the municipality, as well as to third parties, to ensure that they could properly perform their public duties. The notices contained, among other things, sensitive data of the demonstrators and organizers of the demonstrations. The data revealed, among other things, the political opinion , religious or philosophical beliefs or sexual orientation of the data subjects. The DPA found that the transfer of the data would not have been necessary for the entities to properly perform their public tasks. Thus, the processing took place without a sufficient legal basis. In addition, the DPA found that the municipality had carried out the processing without informing the data subjects, without establishing a policy for the retention of their personal data, and without conducting a data protection impact assessment. ---Update--- The Portuguese Constitutional Court rejected the controller's appeal, ruling that the fine was unconstitutional and thus confirming the decision by the DPA.

Related Enforcement Actions (0)

No other enforcement actions found for Lisbon City Council in PT

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

21 December 2021

Authority

Comissão Nacional de Proteção de Dados

Fine Amount

€1,250,000

Enforcement Tracker ID

ETid-995

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Lisbon City Council - Portugal (2021). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: