Instituto Nacional de Estatística, I.P. – Complaint Upheld (Portugal, 2021)

Complaint Upheld
Commission Nationale pour la Protection des Données | 27 April 2021 | Portugal
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The Portuguese Data Protection Authority found that the National Statistical Institute's use of Cloudflare for the 2021 census didn't ensure data stayed within the EU. This is important because it shows the risks of using foreign service providers without proper safeguards. Businesses should ensure their data stays protected under EU rules.

What happened

The Portuguese Data Protection Authority found that the National Statistical Institute's use of Cloudflare didn't guarantee data stayed within the EU.

Who was affected

Portuguese citizens who participated in the 2021 census and had their data potentially transferred outside the EU.

What the authority found

The authority concluded that the Institute's use of Cloudflare didn't ensure personal data would be processed only in countries with adequate protection levels.

Why this matters

This decision warns organizations about using international service providers without ensuring data protection compliance. It emphasizes the need for businesses to verify where their data is processed and stored.

GDPR Articles Cited

Art. 9 GDPR
Art. 44 GDPR
Art. 46 GDPR

Entities Involved

Instituto Nacional de Estatística, I.P.
Cloudflare, Inc.

Full Legal Summary

The Portuguese National Statistical Institute ("Instituto Nacional de Estatística") was undertaking the 2021 census by collecting data through forms on its own website, "CENSOS 2021" (https://censos2021.ine.pt/), and using various website security and content delivery services of Cloudflare, a service provider headquartered in the United States.

The Portuguese DPA ("Comissão Nacional de Proteção de Dados", CNPD) received various complaints from people, mainly that citizens were obliged to disclose their full name, but also that personal data was being sent to the United States, due to the use of Cloudflare as a service provider.

The DPA's investigation found that the Institute's use of Cloudflare as a content delivery network did not guarantee that personal data would be processed only in the European Union rather than in other countries, some of which may not ensure the adequate level of protection of personal data required by the GDPR, given that Cloudflare's network extended to more than one hundred countries. Cloudflare's service uses anycast to route incoming traffic to the data centre nearest to the user, using IP addresses registered in the United States. Although the algorithm that routes the traffic is supposed to choose the closest server possible to the origin of the request, it is not guaranteed that the data is not sent to other servers located in countries without such a level of protection.

The DPA also noted that the census website used Cloudflare's own certificates to encrypt website traffic, rather than encryption using the Institute's own private and public keys. Accordingly, the security protocol used by Cloudflare deprives the Institute of control regarding the transfer. That protocol is fully controlled by Cloudflare, which possesses both the private and public key of the encryption.

At the time of the investigation, more than six million Portuguese citizens had completed the census, which amounts to more than half of Portugal's population. The 2021 national ce

Outcome

Complaint Upheld

A data subject complaint that was upheld by the DPA.

Related Enforcement Actions (0)

No other enforcement actions found for Instituto Nacional de Estatística, I.P. in PT

This is the only recorded action for this entity in this jurisdiction.

Details

Decision Date

27 April 2021

Authority

Commission Nationale pour la Protection des Données

GDPRhub ID

gdprhub-3423

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Instituto Nacional de Estatística, I.P. - Portugal (2021). Retrieved from cookiefines.eu
