On July 10, 2024, the Portuguese data protection authority (CNPD) published its decision number 279/2024, as issued on July 9, 2024, in which it recognized the Data Protection Authority of Bavaria for the Private Sector (BayLDA) as the lead supervisory authority concerning the investigation of Worldcoin Foundation's practices.

Background to the decision

The CNPD had previously decided to prohibit Worldcoin from collecting biometric data for a period of 90 days, given a preliminary analysis that demonstrated Worldcoin's failures to comply with the General Data Protection Regulation (GDPR). The CNPD also stated that it would continue its investigation and issue a final decision.

On April 2, 2024, the CNPD received an email from Worldcoin's DPO informing the CNPD that the BayLDA would be the competent supervisory authority, according to Article 56(1) of the GDPR, given that Worldcoin is established in Bavaria and has registered with the BayLDA in March 2021.

Findings of the CNPD

The CNPD found that Worldcoin's only establishment in the EU was in Bavaria. However, Worldcoin's data processing took place in multiple European countries and is thus considered cross-border processing in the meaning of Article 4(23) of the GDPR.  

Outcomes

In light of the above, the CNPD decided to:

• recognize the BayLDA as the lead supervisory authority concerning Worldcoin's data processing;
• declare the CNPD as a concerned supervisory authority in the meaning of Article 4(22) of the GDPR; and
• send all the relevant documents and information to the lead supervisory authority.

You can download the decision here and read the press release here, both only available in Portuguese.