Lisbon's city hall has in the past three years illegally shared personal data of the organizers of 52 protests with embassies of countries they were protesting against, Mayor Fernando Medina said on Friday after an internal investigation.
Data on organizers of 182 protests has been shared with the embassies since 2012, the investigation concluded, 52 of which occurred after the EU's General Data Protection Regulation - which bans such data sharing - came into force in 2018.
The mayor's office came under fire last week when the Russian-Portuguese organizer of a protest rally in Lisbon revealed to local media that she had received an email showing the city hall shared data on her and her fellow organizers with the Russian embassy and foreign ministry in Moscow.
Subsequent media reports showed the city hall had also shared data of protesters in front of the Cuban, Angolan and Venezuelan embassies with the respective embassies, as well as data on pro-Palestinian protesters with the Israeli embassy.
The data protection officer and cabinet in charge of handling protesters' information has been dismissed, Medina told a news conference announcing the results of an internal inquiry.
An external audit of the city hall's data protection policies will also take place.
Medina last week ruled out stepping down himself over the incident.
"This was an inadequate policy which should never have happened," Medina said.
He did not say whether the policy had had any consequences for those whose data had been shared, such as being targeted by the governments they had protested against.
The Russian-Portuguese woman, Ksenia Ashrafullina, said she did not know now whether she would be allowed back into Russia again as a result of the data-sharing.
The policy, implemented in 2011 when current Prime Minister Antonio Costa was mayor of Lisbon, should have been halted when an internal review in 2013 concluded that data should be shared only with the police and the interior ministry, Medina said.
It was again reviewed and ordered to be halted in 2018 when the EU's GDPR was implemented.
"There was repeated non-compliance with express orders," Medina said.