Portuguese National Statistical Institute – €4,300,000 Fine (Portugal, 2022)

€4,300,000Comissão Nacional de Proteção de Dados2 November 2022Portugal
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The Portuguese National Statistical Institute was fined EUR 4.3 million for mishandling data during the 2021 census. They didn't inform people that sharing religious and health information was optional and failed to secure data transfers outside the EU. This case highlights the importance of transparency and data protection in large-scale surveys.

What happened

The Portuguese National Statistical Institute mishandled personal data during the 2021 census, including failing to inform participants about the voluntary nature of sharing certain sensitive information.

Who was affected

Participants in the 2021 Portuguese census who were asked to provide religious and health information without being informed it was optional.

What the authority found

The Portuguese DPA found that the institute violated GDPR by not informing participants properly and by failing to secure international data transfers adequately.

Why this matters

This case underscores the need for organizations to clearly communicate data collection practices and ensure robust data protection, especially when handling sensitive information in large-scale projects.

GDPR Articles Cited

AI-verified

Art. 12 GDPR
Art. 13 GDPR
Art. 44 GDPR
Art. 5(1)(a) GDPR
Art. 9(1) GDPR
Art. 28(1) GDPR
Art. 35(1) GDPR
Art. 46(2) GDPR
View original scraped data
Art. 5(1)(a) GDPR
Art. 9(1) GDPR
Art. 12 GDPR
Art. 13 GDPR
Art. 28(1) GDPR
(6)
(7) GDPR
Art. 35(1) GDPR
(2)
(3) b) GDPR
Art. 44 GDPR
Art. 46(2) GDPR

Original data from scraper before AI verification against source document.

Source verified 5 March 2026
articles corrected
national law identified
date discrepancy
Portugal enforcementComissão Nacional de Proteção de Dados actionsAll Portuguese National Statistical Institute actions
Full Legal Summary
Detailed

The Portuguese DPA has fined the Portuguese National Statistical Institute EUR 4,3 million. The DPA found numerous violations of the GPDR in connection with the 2021 census in Portugal. The DPA first found that the controller had failed to inform the data subjects that the provision of religious and health data was purely voluntary. The DPA considered this to be an interference with the data subjects' ability to freely express their will regarding data processing. In addition, the DPA found that the controller failed to exercise due diligence in selecting its processor, contrary to its obligation under Art. 28 GDPR. In addition, the order processing contract permitted the transfer of personal data outside the EEA without providing for additional security measures besides the SCCS approved by the European Commission, as required under the Schrems II ruling. The DPA considered this to be a breach of Art. 44 GDPR and Art. 46 (2) GDPR. Finally, the DPA found that the controller failed to conduct a data protection impact assessment regarding the census.

Related Enforcement Actions (0)

No other enforcement actions found for Portuguese National Statistical Institute in PT

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

2 November 2022

Authority

Comissão Nacional de Proteção de Dados

Fine Amount

€4,300,000

Enforcement Tracker ID

ETid-1524

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Portuguese National Statistical Institute - Portugal (2022). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: