Monday, 09 September 2019 14:22

Portuguese national law implementing Regulation (EU) 2016/679 (GDRP)

Henriques Sara 125It was finally published in Portugal the internal law that comes to implement the Regulation (EU) 2016/679 (GDRP) - Law no. 58/2019 of 8 August.

In general, our national legislation does not introduce real significant changes or innovations (except the fact of extending the applicability of GDPR to some kind of processing’s of deceased persons), but clarifies less developed subjects of the EU Regulation (not all, unfortunately), concerning which there was still some legal uncertainty regarding the understanding to be followed by the entities.

We highlight in this article the main topics of this law:

Starting with the Regulator, National Data Protection Commission (CNPD) was designated as the national supervisory authority for the purposes of the GDPR and this law.

Regarding the conditions applicable to child’s consent, in Portugal, regarding the offer of information society services, consent shall be valid from 13 years of age (inclusive). For other type of services, or when minors are under 13 years of age, consent must be given by their respective legal representatives (preferably by means of secure authentication).

Concerning the DPO (Data Protection Officer), notwithstanding the performance of DPO does not require professional certification, DPO shall maintain technical autonomy and is bound by a duty of professional confidentiality. Our national law has also assigned additional duties such conducting audits (periodic or unscheduled) and work to be carried out to raise awareness to the importance of data breaches detection.  

In the context of labour relationships, this law clarifies that the consent should not be lawful for the processing of employee’s personal data, if the processing results in a legal or economic advantage for the employee. Regarding the biometric data, there shall be no more doubts regarding its lawfulness for the purposes of attendance and access control to premises. Lastly, as far as video surveillance systems are concerned, such images can only be used in the context of disciplinary proceedings insofar as these are used for criminal purposes.

Still regarding video surveillance, it reinforces the applicability of the specific requirements of article 31 of Law no. 34/2013 of 16/05, highlighting the areas where cameras cannot record (such as public roads or inside areas reserved to clients and workers), also regulating the prohibition to record sound (except when the premises are closed or with the CNPD’s prior authorization).

About health and genetic data, we highlight two provisions that will certainly impact entities processing this type of special data: regarding the processing of data necessary for health care services, this processing shall only be done by professionals subject to confidentiality duties and, as a general rule, access to this kind of data shall be made exclusively by electronic means; in addition, security measures to be implemented by entities handling such special data will be regulated.

One of the subjects that has been most debated concerns data retention periods. Our national legislation has brought some clarification on it: personal data shall be retained during the deadline determined by law or regulatory instrument or, in its absence, during the period necessary to pursue the purpose of the processing. If those data are necessary as an evidence of obligation performance, data may be retained until the end of the stipulated deadline for exercising rights. In order to ensure a greater certainty as to retention periods, we will just have to wait for future decisions of CNPD and understandings from regulatory authorities of the different sectors of activity (as an example, the Portuguese Healthcare Regulation Authority has already issued an understanding regarding retention periods to be complied concerning health data).

Finally, regarding one of the most awaited issues to be implemented: the fines. GDRP already determines the maximum amounts and our national law made the distinction between serious and very serious administrative offences, having defined different minimum and maximum fines depending on the offender (natural person, Small and medium-sized company or large company). Thus, very serious administrative offences (including here, namely, the absence of lawfulness, the failure to comply with consent rules, the non-performance of the exercises of data subject rights or the omission of relevant information), shall be punished with minimum fines between € 1 000 and € 5 000; serious administrative offences (here highlighting the absence of mandatory DPIA or DPO, the failure to comply with the obligation of notification of data breaches or the lack of contract with processors) shall be punished with minimum fines between € 500 and € 2 500.

A relevant note is that, except in cases of wilful misconduct, the opening of administrative proceedings shall depend on the prior warning of CNPD to the entity so that, within a reasonable period of time, it can comply with the omitted obligation or to replace the violated prohibition.

Still regarding fines, and notwithstanding the controversy on this topic attending to the distinction between public and private entities, our law provides, upon a reasoned request addressed to the CNPD, that public entities are exempt from paying fines for a period of three years. For now, we do not know how CNPD will manage these exemption requests (we believe it will take a conservative approach in view of the previously disclosed understanding on this subject), however we’re sure that this distinction will certainly be used as a defence in most administrative proceedings that will impose fines on private entities.

By Sara Henriques
Corporate and Commercial, Data Protection - SPS
This email address is being protected from spambots. You need JavaScript enabled to view it. 

Read 520 times Last modified on Monday, 09 September 2019 14:32

This website uses cookies

We use cookies to ensure that we give you the best experience on our website. If you continue without changing your settings, we'll assume that you are happy to receive all cookies on the IberianLawyer website. However, you can change your cookie settings at any time. Learn more

I agree

What do I need to know about cookies?

A cookie is a small text file that’s stored on your computer or mobile device when you visit a website. We use them to:

  • Remember your preferences
  • Tailor our sites to your interests.

There are different types of cookies

First party cookies

These are set by the website you’re visiting. And only that website can read them.  In addition, a website might use a separate company to analyse how people are using their site. And this separate company will set their own cookie to do this.

Third party cookies

These are set by someone other than the owner of the website you’re visiting. 

Some IberianLawyer web pages may also contain content from other sites like Vimeo or Flickr, which may set their own cookies. Also, if you Share a link to a IberianLawyer page, the service you share it on (e.g. Facebook) may set a cookie on your browser.

The IberianLawyer has no control over third party cookies.

Advertising cookies

Some websites use advertising networks to show you specially targeted adverts when you visit. These networks may also be able to track your browsing across different sites.

IberianLawyer site do use advertising cookies but they won’t track your browsing outside the IberianLawyer.

Session cookies

These are stored while you’re browsing. They get deleted from your device when you close your browser e.g. Internet Explorer or Safari.

Persistent cookies

These are saved on your computer. So they don’t get deleted when you close your browser.

We use persistent cookies when we need to know who you are for more than one browsing session. For example, we use them to remember your preferences for the next time you visit.

Other tracking technologies

Some sites use things like web beacons, clear GIFs, page tags and web bugs to understand how people are using them and target advertising at people.

They usually take the form of a small, transparent image, which is embedded in a web page or email. They work with cookies and capture data like your IP address, when you viewed the page or email, what device you were using and where you were.

How does the Iberian Lawyer use cookies?

We use different types of cookies for different things, such as:

  • Analysing how you use the IberianLawyer
  • Giving you a better, more personalised experience
  • Recognising when you’ve signed in

Strictly Necessary cookies

These cookies let you use all the different parts of Iberian Lawyer. Without them services that you have asked for cannot be provided.

Some examples of how we use these cookies are:

  • Signing into the IberianLawyer
  • Remembering previous actions such as text entered into a registration form when navigating back to a page in the same session
  • Remembering security settings which restrict access to certain content.

Performance cookies

These help us understand how people are using the IberianLawyer online, so we can make it better. And they let us try out different ideas.
We sometimes get other companies to analyse how people are using the IberianLawyer online. These companies may set their own performance cookies You can opt out of these cookies here.Some examples of how we use these cookies are:

  • To collect information about which web pages visitors go to most often so we can improve the online experience
  • Error management to make sure that the website is working properly
  • Testing designs to help improve the look and feel of the website.
Cookie nameWhat it's for
Google DoubleClick The IberianLawyer uses Google DoubleClick to measure the effectiveness of its online marketing campaigns.Opt-out of DoubleClick cookies
Google Analytics From time to time some IberianLawyer online services, including mobile apps, use Google Analytics. This is a web analytics service provided by Google, Inc. Google Analytics sets a cookie in order to evaluate use of those services and compile a report for us.Opt-out of Google Analytics cookies