
Portuguese data protection authority shows its claws with 4,5 million euro fine

27 February 2014

In its biggest ever fine so far, the Portuguese Data Protection Authority (DPA) fined the mobile phone company Optimus (now Zon - the controller) a staggering €4,503,000 for breaches of the Data Protection Act, the E-Privacy Law and the Data Retention Law.

The case goes back to 2010, when it was reported by the Portuguese mass media that the Portuguese Government Intelligence Agency (the SIS now SIED) had allegedly obtained the itemised bills for a journalist's mobile phone in an unlawful manner.

Whereas the criminal proceeding against the individual who actively obtained the itemised bills was recently dismissed, the DPA went in the opposite direction and fined Optimus for €4,5 million.

The breaches in question mainly relate to information security and data retention periods; however, the decision contains some very relevant considerations for businesses operating in Portugal:

  • location and traffic data are sensitive personal data
  • traffic data kept for invoicing purposes should only be kept for 6 months from the date of the relevant invoice
  • when providing itemised bills to clients who are not the mobile phones' users, the last digits of the called mobile numbers should be deleted
  • automatic software logs are not appropriate to protect personal data
  • not having access controls based on a need to know and least privilege principles is very likely to be a breach of the controller's obligation to implement appropriate technical and organisational security measures.

In order to be compliant, audit trails must:

  • have timestamps
  • have a digital signature
  • be encrypted
  • be centrally kept (Syslog)
  • have software to ensure the logs are not modified.
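As an added illustration (not part of the article, and not the DPA's prescribed implementation), the following Python script shows what "timestamped, signed, and protected against modification" can look like in practice: each audit record carries a UTC timestamp, a hash of the previous record (so entries cannot be silently altered or dropped from the middle), and an HMAC-SHA256 tag. The HMAC is a constructed stand-in for the digital signature the decision calls for; a real deployment would use an asymmetric signature so the log writer cannot forge the verifier's checks, and would add encryption and central collection, which this example leaves out. The key, actors and actions are all constructed sample data.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # "previous hash" of the very first entry


def canonical(entry: dict) -> bytes:
    """Deterministic JSON encoding so the same record always hashes identically."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_hash(entry: dict) -> str:
    return hashlib.sha256(canonical(entry)).hexdigest()


def sign(key: bytes, body: dict) -> str:
    # HMAC-SHA256 used here as a stand-in for a digital signature (assumption).
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


class AuditTrail:
    """Append-only, hash-chained, MAC-tagged audit trail kept in memory."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[dict] = []

    def append(self, actor: str, action: str, subject: str, ts: Optional[str] = None) -> dict:
        body = {
            "ts": ts or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "actor": actor,
            "action": action,
            "subject": subject,
            # chain to the previous record so reordering/deletion is detectable
            "prev": entry_hash(self.entries[-1]) if self.entries else GENESIS,
        }
        entry = dict(body, sig=sign(self._key, body))
        self.entries.append(entry)
        return entry


def verify(entries: List[dict], key: bytes) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if the chain is intact, else (False, index of first bad record)."""
    expected_prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "sig"}
        if not hmac.compare_digest(sign(key, body), entry.get("sig", "")):
            return False, i          # record content or tag was altered
        if entry.get("prev") != expected_prev:
            return False, i          # a record before this one was removed or reordered
        expected_prev = entry_hash(entry)
    return True, None


def build_sample_trail(key: bytes) -> AuditTrail:
    """Constructed sample: three accesses to an itemised bill by different staff."""
    trail = AuditTrail(key)
    trail.append("billing-op-1", "read", "itemised-bill/0001", ts="2014-02-27T10:00:00+00:00")
    trail.append("billing-op-2", "export", "itemised-bill/0001", ts="2014-02-27T10:05:00+00:00")
    trail.append("auditor-1", "read", "itemised-bill/0001", ts="2014-02-27T11:30:00+00:00")
    return trail


if __name__ == "__main__":
    key = b"constructed-demo-key"
    trail = build_sample_trail(key)
    print("intact:", verify(trail.entries, key))
    tampered = [dict(e) for e in trail.entries]
    tampered[1]["action"] = "read"          # rewrite what operator 2 did
    print("tampered:", verify(tampered, key))
    dropped = trail.entries[:1] + trail.entries[2:]   # remove the export record
    print("dropped:", verify(dropped, key))
```

One limitation worth knowing: a hash chain detects modification and deletion inside the chain, but not truncation of the newest records, because nothing after them vouches for their existence. That is the gap the "centrally kept" requirement closes in practice: shipping each record to a separate, append-only collector as it is written means the local copy can be compared against one the controller's own operators cannot edit.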

This fine was issued not because there was a data breach, but because the controller did not comply with its obligation to implement appropriate organisational and technical measures to ensure the confidentiality of the sensitive personal data it processed, and to avoid keeping that data for longer than necessary.

The latest reports from the Portuguese media say that the controller will appeal this fine. As such, it will be very interesting to see how the Portuguese Courts of Law deal with the DPA's very technical decision, especially in light of the PRISM scandal and the re-design of the EU Data Protection framework.

This article was written by Robert Bond.

For more information contact Robert on +44 (0)20 7427 6660 or robert.bond@crsblaw.com