The government office for national statistics in Portugal was assessed a fine of 4.3 million euros (U.S. $4.6 million) by the country’s data protection authority (DPA) for multiple violations of the General Data Protection Regulation (GDPR) that occurred during its 2021 census work.

The National Data Protection Commission (CNPD) announced the penalty Monday against the Instituto Nacional de Estatística (INE). The fine total is a record under the GDPR within the country, with the previous high of €1.25 million (then-U.S. $1.4 million) having been issued in December 2021 against the Municipality of Lisbon, according to the GDPR Enforcement Tracker.

A spokeswoman for the INE confirmed the office was aware of and disagreed with the CNPD’s decision. It is preparing a judicial appeal.

The details: The CNPD said it launched an investigation into the INE regarding the 2021 census after receiving multiple complaints from citizens concerned about the protection of their personal data. During its probe, the DPA said it uncovered five separate violations of the GDPR:

  • Unlawful processing of personal data relating to health and religion. Questions that were optional were not clearly identified as such, according to the CNPD;
  • Failure by the INE to fulfill its duty to inform respondents to the 2021 census questionnaire;
  • Violation of duties of diligence in choosing a subcontractor;
  • Infringement of legal provisions relating to the international transfer of data; and
  • Failure to carry out an impact assessment on data protection related to the census operation.

Regarding the international transfer of data, the CNPD noted the INE reached a contract with a U.S. company that permitted the transfer of data through servers outside the European Economic Area. The contract included standard contractual clauses (SCCs) that allow the transfer of personal data to the United States—a popular mechanism following the July 2020 Schrems II ruling that scrapped the EU-U.S. Privacy Shield—but the agreement did not provide “any additional measures that prevent access to data by government entities of the third country,” the CNPD said in its translated release.

The DPA further faulted the INE for engaging with the U.S. office of the company it contracted despite the company having an office in Lisbon.

A new version of the Privacy Shield was agreed to in principle by the United States and European Union earlier this year and fleshed out from the U.S. side in an October executive order by President Joe Biden. The European Commission launched the process to adopt an adequacy decision on the framework Tuesday.