Explore all Modules

Consent and Preference Management

Consolidate your data and prioritize your relationship with customers

Data Subject Request

Turn data subjects request into an automated workflow with a clear insight into data every step of the way

Privacy 360

Clear 360 overview of all data and information regarding the individual data subject

Privacy Portal

Privacy portal allows customers to communicate their requests and preferences at any time

Data Processing Inventory

Harbor cooperation between DPO, Legal Services, IT and Marketing

Third Party Management

Guide your partners trough vendor management process workflow

Data Inventory

Discover personal data across multiple systems in the cloud or on-premise

Data Flow

Establish a business and operational control over complete personal Data Flow within your organization

Data Removal

Introducing end-to end automation of personal data removal

Risk Management

Identifying the risk from the point of view of Data Subject

Explore all Modules

Consent and Preference Management

Consolidate your data and prioritize your relationship with customers

Data Subject Request

Turn data subjects request into an automated workflow with a clear insight into data every step of the way

Privacy 360

Clear 360 overview of all data and information regarding the individual data subject

Privacy Portal

Privacy portal allows customers to communicate their requests and preferences at any time

Data Processing Inventory

Harbor cooperation between DPO, Legal Services, IT and Marketing

Third Party Management

Guide your partners trough vendor management process workflow

Data Inventory

Discover personal data across multiple systems in the cloud or on-premise

Data Flow

Establish a business and operational control over complete personal Data Flow within your organization

Data Removal

Introducing end-to end automation of personal data removal

Risk Management

Identifying the risk from the point of view of Data Subject

Focus on your priorities

4 Tips to Improve Data Breach Response

16/06/2021

Learn the terms

Article 11 GDPR; Processing which does not require identification

Article 10 GDPR; Processing of personal data relating to criminal convictions and offences

Article 9 GDPR; Processing of special categories of personal data

Article 8 GDPR; Conditions applicable to child’s consent in relation to information society services

Article 7 GDPR; Conditions for consent

Article 6 GDPR; Lawfulness of processing

Article 5 GDPR; Principles relating to processing of personal data

Article 3 GDPR; Territorial scope

Article 2 GDPR; Material scope

Article 1 GDPR; Subject-matter and objectives

Latest Papers

4 Tips to Improve Data Breach Response

16/06/2021

Learn the terms

Article 11 GDPR; Processing which does not require identification

Article 10 GDPR; Processing of personal data relating to criminal convictions and offences

Article 9 GDPR; Processing of special categories of personal data

Article 8 GDPR; Conditions applicable to child’s consent in relation to information society services

Article 7 GDPR; Conditions for consent

Article 6 GDPR; Lawfulness of processing

Article 5 GDPR; Principles relating to processing of personal data

Article 3 GDPR; Territorial scope

Article 2 GDPR; Material scope

Article 1 GDPR; Subject-matter and objectives

European Data Protection Supervisor (EDPS)

Latest Papers

Consent and Preference Management

Consolidate your data and prioritize your relationship with customers

Data Subject Request

Turn data subjects request into an automated workflow with a clear insight into data every step of the way

Privacy 360

Clear 360 overview of all data and information regarding the individual data subject

Privacy Portal

Privacy portal allows customers to communicate their requests and preferences at any time

Data Processing Inventory

Harbor cooperation between DPO, Legal Services, IT and Marketing

Third Party Management

Guide your partners trough vendor management process workflow

Data Inventory

Discover personal data across multiple systems in the cloud or on-premise

Data Flow

Establish a business and operational control over complete personal Data Flow within your organization

Data Removal

Introducing end-to end automation of personal data removal

Risk Management

Identifying the risk from the point of view of Data Subject

Explore all Modules

Consent and Preference Management

Consolidate your data and prioritize your relationship with customers

Data Subject Request

Turn data subjects request into an automated workflow with a clear insight into data every step of the way

Privacy 360

Clear 360 overview of all data and information regarding the individual data subject

Privacy Portal

Privacy portal allows customers to communicate their requests and preferences at any time

Data Processing Inventory

Harbor cooperation between DPO, Legal Services, IT and Marketing

Third Party Management

Guide your partners trough vendor management process workflow

Data Inventory

Discover personal data across multiple systems in the cloud or on-premise

Data Flow

Establish a business and operational control over complete personal Data Flow within your organization

Data Removal

Introducing end-to end automation of personal data removal

Risk Management

Identifying the risk from the point of view of Data Subject

Focus on your priorities

4 Tips to Improve Data Breach Response

16/06/2021

Learn the terms

Article 11 GDPR; Processing which does not require identification

Article 10 GDPR; Processing of personal data relating to criminal convictions and offences

Article 9 GDPR; Processing of special categories of personal data

Article 8 GDPR; Conditions applicable to child’s consent in relation to information society services

Article 7 GDPR; Conditions for consent

Article 6 GDPR; Lawfulness of processing

Article 5 GDPR; Principles relating to processing of personal data

Article 3 GDPR; Territorial scope

Article 2 GDPR; Material scope

Article 1 GDPR; Subject-matter and objectives

Latest Papers

4 Tips to Improve Data Breach Response

16/06/2021

Learn the terms

Article 11 GDPR; Processing which does not require identification

Article 10 GDPR; Processing of personal data relating to criminal convictions and offences

Article 9 GDPR; Processing of special categories of personal data

Article 8 GDPR; Conditions applicable to child’s consent in relation to information society services

Article 7 GDPR; Conditions for consent

Article 6 GDPR; Lawfulness of processing

Article 5 GDPR; Principles relating to processing of personal data

Article 3 GDPR; Territorial scope

Article 2 GDPR; Material scope

Article 1 GDPR; Subject-matter and objectives

European Data Protection Supervisor (EDPS)

Latest Papers

Consent and Preference Management

4 Tips to Improve Data Breach Response

16/06/2021

Learn the terms

Article 8 GDPR; Conditions applicable to child’s consent in relation to information society services

General Data Protection Regulation

Portuguese Data Protection Authority suspends transfers of Census 2021 data to the U.S.

03/05/2021
in Blog

On April 27, 2021, CNPD- the Portuguese Data Protection Authority, ordered a suspension of any transfer of personal data from the Census 2021 questionnaire to the U.S., or any other third countries, without an adequate level of protection.

Interestingly, the CNPD ordered an almost immediate suspension (within 12 hours), basing their decision on the principles contained in the Schrems II case.

Backstory

The National Institute of Statics (INE) collects and process personal data from the Portuguese Census surveys.

The Census data includes personal data of the entire Portuguese population (more than 10 million data subjects), including sensitive personal data like data about religious beliefs and health data.

The INE outsourced the operation of the census questionnaire to Cloudflare– U.S. based company, which by itself would not be problematic since there were SCCs put in place.

However, by the type of service it provides, Cloudflare is directly subjected to U.S. surveillance legislation for national security purposes, which imposes a legal obligation to unrestricted access to personal data to the US authorities, without any obligation to inform their clients about it.

CNPD investigation & conlusion

Following several complaints regarding the way personal data was collected online, CNPD carried out a quick investigation, concluding that such legislation implies a disproportionate interference in the fundamental rights of data subjects, not ensuring a level of data protection equivalent to that guaranteed in the EU.

The CNPD heavily relied on the Schrems II case and concluded that, even though the transfer of personal data outside of the EEA is based on the SCCs, the INE had not conducted a sufficient data protection impact assessment or provided for adequate additional safeguards when using the SCCs.