Press release
COFIDIS Faces Escalation Over GDPR Violations and Systemic Non-Compliance in Handling Data Access Request
Cambridge Samuel, an independent whistleblower advocacy platform, today publicly discloses a clear pattern of egregious and continued non-compliance by COFIDIS - Sucursal em Portugal da Cofidis, S.A. with the General Data Protection Regulation (GDPR/RGPD) and Portuguese whistleblower protection law (Lei n.º 93/2021).
A protected data subject and whistleblower under Law No. 93/2021 submitted a comprehensive Article 15 GDPR data subject access request (DSAR) on 5 January 2026 to COFIDIS' designated Data Protection Officer, seeking full, structured, and electronic access to all personal data processed in relation to a credit contract.
Prior to publication, Cambridge Samuel submitted the substance of these findings to COFIDIS and formally invited the company to provide comment or clarification. As of the publication deadline, no response had been received.
The request explicitly included, inter alia:
1. credit scoring models and decision logic;
2. transmission logs to debt collection entities and other third parties;
3. internal communications and notes;
4. cessation and/or assignment documentation;
5. CRC consultations;
6. records of automated decision-making and profiling; and
7. crucially, information concerning the mandatory internal whistleblowing channel pursuant to Article 8 of Law No. 93/2021.
Despite formal confirmation of receipt on 12 January 2026, COFIDIS failed to provide any substantive response within the strict one-month deadline mandated by Article 12(3) GDPR, which expired on 5 February 2026.
A belated communication sent on 6 February 2026 by COFIDIS' Data Protection Officer was issued only after the whistleblower had formally notified COFIDIS, on the morning of that same day, that the statutory one-month deadline under Article 12(3) GDPR had expired without any substantive response. The communication therefore followed - rather than prevented - a clear and documented breach, and was reactive in nature.
No lawful extension was communicated within the statutory period, nor was any reasoned justification provided. As a result, any response after that date was already in flagrant breach of the GDPR.
The belated communication sent on 6 February 2026 by COFIDIS' DPO:
1. provided only generic category descriptions and copies of documents originally supplied by the data subject during the credit application process (such as identification documents, contract terms, and payment history);
2. addressed less than 5% of the specifically requested items;
3. entirely omitted core evidentiary materials required to assess the lawfulness of processing, including scoring logic, transmission timestamps, internal default or cessation notes, and profiling information;
4. invoked a vague and unsubstantiated claim of "manifestly disproportionate effort" under Article 12(5) GDPR for two unspecified request points, without any concrete proportionality analysis, alternative proposal, or case-specific justification - contrary to EDPB guidance; and
5. completely ignored the autonomous and immediate obligation to disclose information relating to the internal reporting channel under Article 8 of Law No. 93/2021, including its structure, responsible entity, confidentiality safeguards, retention periods, and whether the whistleblower's personal data appears within that system.
This conduct does not constitute administrative oversight. It represents textbook obstruction of fundamental data subject rights and whistleblower transparency obligations.
The superficial and selective response effectively prevents the data subject from verifying GDPR compliance, detecting potential unauthorised disclosures to third parties (in particular post-cessation transfers to debt collection agencies), or assessing the lawfulness and risks associated with automated decision-making in credit recovery.
Cambridge Samuel considers this case emblematic of a broader pattern of systemic disregard for GDPR transparency obligations and Lei n.º 93/2021 protections within the Portuguese consumer credit sector, where delayed or incomplete access requests are routinely used to shield opaque scoring practices and aggressive collection strategies from scrutiny.
The protected whistleblower has formally recorded the ongoing non-compliance and expressly reserves all rights, including but not limited to:
1. immediate escalation to the Comissão Nacional de Proteção de Dados (CNPD) for investigation and administrative sanctions;
2. initiation of urgent judicial proceedings before the competent courts to compel full, unredacted compliance, potentially subject to daily penalty payments;
3. support for enforcement actions under Articles 79 and 82 GDPR, including claims for material and non-material damages; and
4. further public factual disclosures should COFIDIS persist in silence or partial compliance.
Cambridge Samuel calls on COFIDIS to immediately:
1. provide full, specific, and electronic access to all requested personal data in a structured and intelligible format;
2. disclose detailed scoring logic, transmission logs, cessation documentation, and internal correspondence;
3. furnish a concrete and reasoned justification for any alleged disproportionate effort - or withdraw the refusal; and
4. fully comply with Article 8 of Law No. 93/2021 by disclosing complete information regarding the internal whistleblowing channel.
Failure to act without further delay will trigger regulatory, judicial, and public-interest consequences.
Additional correspondence and documentary evidence are available for review by competent authorities.
Media, Regulatory & Legal Enquiries
Cambridge Samuel
Advocacy & Public Accountability Platform
📧 public-relations@cambridgesamuel.com
📧 legal@cambridgesamuel.com
📧 class-action@cambridgesamuel.com
#GDPRNonCompliance #WhistleblowerProtection #Cofidis #Lei932021 #DataSubjectRights
Pç do Marquês de Pombal 14, 1250-162 Lisboa
Sofia Goncalves
Cambridge Samuel is an independent advocacy platform and not a law firm. Individuals are encouraged to seek qualified legal counsel. All disclosures are made in the public interest and in protection of fundamental rights under EU and Portuguese law.
This release was published on openPR.
