General Data Protection Regulation (GDPR)
Law implementing Regulation (EU) 2016/679 in Portugal
More than three years after the entry into force of the General Data Protection Regulation (May 2016) and more than one year after the date of its application (May 2018), the law ensuring the implementation into national law of Regulation (EU) 2016/679 (General Data Protection Regulation) was finally published: Law 58/2019 of August 8.
The law will enter into force today, August 9.
We highlight the main novelties of this law:
A. CNPD DESIGNATION : NATIONAL SUPERVISORY AUTHORITY
The National Data Protection Commission (CNPD) is designated as the national supervisory authority for the purposes of the GDPR and the law.
This law introduces amendments to the law on the organisation and functioning of the CNPD (republishing it) providing new powers in addition to those set out in Article 57 of the GDPR.
B. DATA PROTECTION OFFICER : MANDATORY FOR PUBLIC ENTITIES
In order to comply with Article 37 of the GDPR, the law clarifies which public entities are obliged to appoint a Data Protection Officer:
- Autonomous Regions (Azores and Madeira)
- Local authorities and other bodies provided for by law
- Independent administrative entities
- Bank of Portugal
- Public Institutes
- Public higher education institutions
- State-owned and regional and local business enterprises
- Public associations
C. DATA PROTECTION OFFICER : MANDATORY FOR SOME PRIVATE ENTITITES
This law stipulates that it is mandatory to appoint a Data Protection Officer where the main private activity involves data processing which requires regular and systematic monitoring of data subjects on a large scale or data processing on a large scale of special categories of data pursuant to Article 9 of the GDPR, or of personal data related to criminal convictions and administrative offences pursuant to Article 10 of the GDPR.
D. DATA PROTECTION OFFICER : EXEMPTION FROM PROFESSIONAL CERTIFICATION
It is clarified that the performance of the data protection officer’s duties does not require professional certification and reinforces that, regardless of the nature of the legal relationship with the data controller, the data protection officer shall maintain technical autonomy.
E. CERTIFICATION : PORTUGUESE ACCREDITATION INSTITUTE
It determines that the Portuguese Accreditation Institute (IPAC, I.P.) is the competent authority for the accreditation of certification bodies in data protection matters, as required by Article 43 of the GDPR.
The accreditation of certification bodies by IPAC has to take into account the requirements set out in the GDPR and the additional requirements established by the CNPD. These bodies will carry out the certification of the entities whose implemented procedures comply with the provisions of the GDPR and the legal act hereby approved.
F. CONSENT OF MINORS : INFORMATION SOCIETY SERVICES
Minors consent related with the direct provision of information society services shall be lawful when such minors are at least 13 years of age.
When the minor is less than 13 years of age, data processing shall only be lawful only when consent is given by the holders of parental responsibility, using secure authentication means.
G. VIDEO-SURVEILLANCE : CNPD’S PREVIOUS AUTHORIZATION FOR SOUND RECORDING
Establishes the prohibition of sound recording by video-surveillance systems, except in the period in which the facilities under surveillance are closed or when a prior authorization has been obtained from the CNPD for that purpose.
H. SOCIAL SECURITY DATA : RETENTION PERIODS
Established the possibility of retain, without a time limit, any data related with social security tax returns for retirement purposes.
I. PUBLIC AUTHORITIES : EXCEPTIONAL PROCESSING OF PERSONAL DATA FOR DIFFERENT PURPOSES
The new law exceptionally allows:
- The processing of personal data by public authorities for purposes other than those determined by the data collection. The basis for processing must be the pursuit of a public interest that cannot otherwise be served; and
- The transmission of personal data between public authorities for purposes other than those determined by the data collection. The processing shall be the subject of a protocol establishing the responsibilities of each intervening entity, both in the act of transmission and in other processing to be carried out.
J. ACCESS TO ADMINISTRATIVE DOCUMENTS : APPLICATION OF SPECIFIC LEGAL STATUTE
Access to administrative documents containing personal data is governed by the provisions of Law no. 26/2016, of August 22, which approves the regime for access to administrative and environmental information and the reuse of administrative documents, which has been amended by this new law.
K. HEALTH AND GENETICS : DATA PROCESSING
It is now established that the processing of health and genetic data must be governed by the “need to know” principle, and the data controller is obliged to notify the data subject of any access to such personal data, which means that the data subject will necessarily have to implement a traceability and notification mechanism.
L. DECEASED PERSONS : PROTECTION OF PERSONAL DATA
It is also established that the personal data of deceased persons, which falls within the special categories of personal data, in accordance with the provisions of Article 9 of the GDPR, shall also be subject to protection.
M. LABOUR RELATIONS : EMPLOYEES DATA
Specific rules are laid down concerning the processing of employees data in the context of labour relationships, in particular with regard to the following matters:
- Consent by the employee: not lawful if the processing results in a legal or economic advantage for the employee.
- Video-surveillance systems: remote surveillance images may only be used in disciplinary proceedings if they have been previously used in criminal proceedings.
- Biometric data: the processing is only considered lawful for attendance control and access control to the premises.
N. JURISDICTION : ADMINISTRATIVE COURTS
The new law stipulates that it is the administrative courts that have jurisdiction to decide the actions brought against the CNPD.
O. PUBLIC ENTITIES : EXEMPTION FROM THE IMPOSITION OF FINES
It is established the possibility of waiving the application of fines for a period of three years as from the entry into force of the law, upon a reasoned request addressed to the CNPD. The legal provision of this prerogative shall be subject to reevaluation three years after August 9.
All other rules, including the correction powers provided for in the RGPD, will apply to public entities.
P. MISDEMEANOURS : PRIOR WARNING FOR COMPLIANCE
With regard to administrative misdemeanors proceedings, it is established that, except in cases of willful misconduct, the opening of administrative misdemeanors proceedings will always depend on the prior warning of the CNPD to the offender so that, within a reasonable period of time, it can comply with the omitted obligation or to reinstate the violated prohibition.
It provides for additional administrative offences to those provided for in the GDPR.
The minimum and maximum limits on fines for serious and very serious administrative offences vary according to the type of offender:
- Large companies (the maximum limit corresponds to the value stipulated in the GDPR);
- Small and medium-sized enterprises (the maximum limit corresponds to the value stipulated in the GDPR);
It is also established the general regime of misdemeanors as a subsidiary regime.
Q. CRIMES : HARDLY ANY CHANGES
The new law typifies crimes with regard to personal data: the use of data incompatible with the purpose of the collection; improper access; data diversion; data corruption or destruction; insertion of false data; breach of the secrecy duty; disobedience.
The criminal frames, as well as the types of crimes, are similar to those provided for in Law No. 67/98, of 26 October (LPDP), except for the crime of violation of the professional secrecy duty, whose maximum limit is reduced to half.
The attempt of committing the crime is always punishable.
R. REVOCATION : LAW NO. 67/98, OF OCTOBER 26
Law No 67/98 of 26 October 1998 transposing Directive 95/45/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data into Portuguese law, is revoked by this law.