The National Data Protection Committee (CNPD) has issued an opinion on the 2024 State Budget proposal (OE2024), which warns of possible infringements to the Constitution namely regarding the interconnection between state databases and the consultation of the Social Security "blacklist".

Firstly, the CNPD believes consultation of the "blacklist" should be restricted, since releasing and disclosing personal data online, making it public and uncontrollably accessible, does not appear to comply with the principle of proportionality.

This due to the fact that information disclosed online can remain on the Internet far beyond what is necessary to fulfil the purpose of its disclosure. This facilitates the aggregation of personal data to establish profiles which can be used as a means of discrimination, stigmatising citizens as debtors.

Additionally, the Committee points out that there is no precise characterisation regarding the processing of personal data concerning direct consultation in enforcement proceedings, and the specific data which is to be collected or processed is not determined.

Therefore, the OE2024 provision pertaining this matter clashes with the principles of purpose limitation of data minimisation, since data must be collected for specific purposes and limited to what is necessary and it cannot be processed subsequently in a way that is incompatible with the respective purposes.

The CNPD also considers the interconnection of data provided for in the OE2024 entails a considerable risk for citizens, given the scope in which personal data is processed is not defined in this context. Moreover, the OE2024 does not establish adequate safeguards on the fundamental rights of the citizens to whom the data refers to.

Furthermore, the Committee’s opinion emphasises that leaving the definition of the object and scope of this data processing to a future protocol plan, to be carried out between administrative and/or private entities, implies a discretionary power which will result in these entities operating restrictions on citizens' fundamental rights.

Consequently, the Committee criticises the adoption of open legislative standards which delegate broad decision-making powers to administrative bodies in the field of data processing.

It should be noted that the need to implement a data protection policy arises from the General Data Protection Regulation (GDPR), which provides for liability and sanctions for entities which fail to comply with the obligations of the respective regulation.

In this regard, infringements of the GDPR may be punishable by: 

• Fines of up to €10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide turnover, whichever is higher, in the event of serious administrative offences
• Fines of up to €20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide turnover, whichever is higher, in the event of very serious administrative offences
• Temporary or definitive ban on processing, blocking, erasure or total or partial destruction of data.

Public entities are subject to the CNPD's corrective powers, and the fines provided for apply equally to public and private entities, in accordance with Law 58/2019.