Analysis of National Commission for Data Protection 2021 Activities Report

Six years after the publication and entry into force of the General Data Protection Regulation (hereinafter “GDPR”), and in a context of digital transition in which data protection is increasingly becoming one of the most relevant rights in the lives of data subjects, the National Commission for Data Protection (hereinafter “CNPD”) has published its 2021 activities report.

With an ambitious activity plan, which we have previously commented on here, the annual report did not fall short of expectations.

In this context, we highlight a few points from the referred report, which you can find below:

  • Procedural Activity

In terms of procedural activity, we highlight the 30% growth over the previous year, with regard to requests for opinions handled by CNPD. As for the volume of deliberative processes, there was also an increase, in this case of 11% over the previous year.

On the other hand, with regard to inspection activity, there was a 51% decrease. In its report, CNPD states that the main reasons for this decrease were related to two factors: firstly, the constraints caused by the pandemic and secondly the concentration of human resources in the analysis and investigation of three highly complex cases, namely related to international transfers of personal data.

As for cases related to personal data breaches, the numbers remained relatively stable compared to last year’s activity, with CNPD opening 318 cases of this nature, of which 250 came from private entities and 68 from public entities. Regarding the origin of these incidents, the CNPD highlights human error and ramsonware.


  • Advisory Activity

During the year 2021, 163 opinions were issued, in the context of which CNPD highlights the Opinion 2021/143, on the use of video camera surveillance systems by security forces and services; the Opinion 2021/53, which focused on the draft law approving the Electronic Communications Law and transposing the Directive establishing the European Electronic Communications Code; and the Opinion 2021/30, on electronic voting within the scope of the 2019 European Parliament elections.

With regard to cooperation processes relating to cross-border cases in which CNPD was the supervisory authority concerned, it is worth noting two objections made by Portugal to the draft decision of the Irish supervisory authority in a case concerning WhatsApp, which were accepted by the European Data Protection Board.

In the scope of deliberations, CNPD highlights, among others, Deliberation 2021/533, ordering the suspension of international flows of personal data within the scope of the Census 2021 operation; Deliberation 2021/1566, ordering the availability of an alternative means to the citizen card and the digital mobile key for the certification of workers in the exercise of professional functions; and Deliberation 2021/1569, on the communication of personal data of organizers of protest rallies by a Municipality

In 2021, CNPD applied 60 fines, mostly for marketing communications sent in violation of the legislation applicable to privacy in electronic communications.


  • Activity vis-a-vis the data subjects

Compared to 2020, in 2021, there was an increase of about 30% in requests for information and participation, mainly from citizens, through the channels provided by CNPD on its website, with the most reported issues being  video surveillance in the workplace and in the context of neighborhood relations, unsolicited electronic communications and securing the rights of data controllers.

Under the pillar of guidance and awareness-raising activity, we highlight the informative note issued by CNPD regarding the massive exposure of personal data of users of the social networks Facebook and Linkedin, in April 2020.

Finally, it should be mentioned the awareness-raising process regarding the rights of children in the digital environment, in the scope of which CNPD participated in the issuing of a Resolution on Children’s Digital Rights at the Global Privacy Assembly.

In this regard, the outcome is positive, with CNPD having addressed and collaborated on several key issues on the country’s agenda, which demonstrates the growing centrality attributed to data protection.