Did Lisbon’s mayor break the GDPR by handing data of anti-Kremlin activists to the Russian Embassy?

Lisbon’s mayor, Fernando Medina, has faced severe criticism since his officials sent information about organisers of an anti-Kremlin demonstration to the Russian embassy in Lisbon — not the first time sensitive data was shared about protestors with foreign embassies. Did the Lisbon council break the GDPR by doing so?

Article 3(3) GDPR refers to diplomatic missions of EU Member States being treated like territories of those MSs — but I believe it is correct to conclude that a diplomatic mission of a third country should therefore, by analogy, similarly be treated, for data protection purposes, as the territory of the relevant third country.

It would follow that the sending of information on a person (any person, anywhere) from an entity in Portugal (in casu, the mayor’s office) to a diplomatic mission of a third country (anywhere) constitutes a transfer of personal data to that third country (and that applies a fortiori if the mayor knew or could and should have known that the information would be passed on to Moscow).

If the mayor was acting in a law enforcement capacity (which I doubt) the transfer would have to meet the transfer rules in the Law Enforcement Directive (which I’ll not get into). But if the mayor was acting in a civil role (as I guess was the case), the transfer would have to be justified on the basis of Chapter V GDPR. If this was a special, one-off transfer (as I assume), the most likely — really only — basis would be Article 49 that covers “Derogations for specific situations”. The first three derogations (consent and contract situations) cannot be relied on by public authorities (Art. 49(3)). I am also assuming the data were not data from a publicly accessible register (Art. 49(1)(g)).

That leaves two main bases, neither of which seems applicable:
– the transfer was necessary for the establishment, exercise or defence of legal claims (Art. 49(1)(e) – unlikely), or
– the transfer was “necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent (Art. 49(1)(f) – not applicable, I assume).

There is just one more, exceptionally exceptional derogation, i.e.:

Where a transfer could not be based on a provision in Article 45 or 46 [adequacy or SCCs or BCRs], including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph [discussed above – DK] is applicable, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive [tick], concerns only a limited number of data subjects [tick], is necessary for the purposes of compelling legitimate interests pursued by the controller [the mayor? highly doubtful] which are not overridden by the interests or rights and freedoms of the data subject [clearly they are overridden], and the controller has assessed all the circumstances surrounding the data transfer [ask the mayor is he has] and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data [ask the mayor]. The controller shall inform the supervisory authority of the transfer [did he? probably not]. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued. [did he? presumably not]”

(Art. 49(1), second sub-paragraph)

As you can see, the mayor can be asked some awkward questions about this passing on of highly-sensitive information, to a government not known to react well to criticism.