News
🚨 Failure to Appoint a DPO
Portuguese Municipality Penalized 🚨
The Portuguese Data Protection Authority (CNPD) fined the municipality of Setúbal €170,000 for a series of GDPR violations, among them the failure to appoint a Data Protection Officer (DPO).
🔍 Case Details
The CNPD opened an investigation after a press article reported problems with the collection of personal data from Ukrainian refugees through a municipal assistance line. According to the article, Russian citizens who were members of a local association were present in the same room where the refugees' personal data (including copies of identity documents) was stored.
Two members of that association had been brought in by the data controller (the municipality) to work at the Setúbal Bureau of Ethnicities and Immigration (SEI), providing assistance, advice and support to refugees. According to the journalist, these two members were accused of passing the data on to the Russian government.
Key Violations Identified:
- Breach of the principle of integrity and confidentiality (Article 5(1)(f) of the GDPR)
  - No organisational measures were implemented to protect the information.
  - No policies or guidelines were established for secure handling of the data.
- Breach of the storage limitation principle (Article 5(1)(e) of the GDPR)
  - No data retention period was defined.
- Breach of the information obligation (Article 13 of the GDPR)
  - Data subjects were not informed of:
    - the identity of the data controller;
    - the purposes of the processing;
    - the recipients or categories of recipients;
    - their rights as data subjects, including the right to lodge a complaint with a supervisory authority.
- Breach of Article 37 of the GDPR
  - No DPO was appointed, even though public authorities and bodies are required to appoint one.
- No Data Protection Impact Assessment (DPIA) (Article 35 of the GDPR)
  - No DPIA was conducted, even though one was required because the processing concerned data of vulnerable individuals, as set out in the European Data Protection Board (EDPB) guidelines on DPIAs.
📌 Consequences
- Administrative Fine: €170,000
- Failure to Protect: Personal data of vulnerable individuals was exposed to significant risks.
🔧 Recommended Best Practices
To avoid similar penalties, public authorities should:
- Appoint a DPO, as Article 37 of the GDPR requires of every public authority or body.
- Establish organisational policies and technical security measures to protect personal data, including defined retention periods.
- Conduct a DPIA before any processing likely to result in a high risk, such as the processing of data on vulnerable individuals.
- Inform data subjects of who the controller is, why their data is processed, who receives it, and what rights they have.