05.02.2021
Practice Areas: Intellectual Property and Information Technology
Services: Data Protection and Cybersecurity
CNPD Plan of Activities for 2021
The General Data Protection Regulation (henceforth “GDPR”) has given the supervisory authorities an extremely active role in ensuring that the rights of data subjects are respected. In particular, the supervisory authorities are now responsible for investigating data breaches and for monitoring and enforcing the application of the GDPR. In addition, they perform an important advisory task, in which they issue guidelines and opinions on the most controversial areas of data protection.
In an atypical year like 2020, the National Data Protection Commission (henceforth ‘CNPD’) has made every effort to fulfil its role. In fact, despite the postponement of its enforcement actions and conclusion of procedures, the Portuguese supervisory authority has played a very active role in its advisory task, in particular on matters raised in the context of teleworking, distance learning and health data processing.
For 2021, despite the constraints inherent in the epidemiological context, the CNPD has come to disclose its plan of activities, which is divided into eight topics as follows:
-
Research in Thematic Areas
In its 2021 plan of activities, the CNPD proposes to examine, in particular, the requirements and procedures for the approval of codes of conduct. On this point, it should be noted that such a task is part of the responsibilities conferredby the GDPR to CNPD, and the primary objective of such codes is to ensure the correct application of the GDPR, taking into account the characteristics of the different treatment sectors and the specific needs of micro, small and medium-sized enterprises.
Furthermore, the CNPD proposed to analyze measures and procedures to ensure Privacy by design and Privacy by default, and to study European case law on the protection of personal data and privacy in order to ensure an up-to-date interpretation and disclosure of the legal framework. In 2021, the CNPD will also pay special attention to the processing of personal data using artificial intelligence technologies. In this context, reference should be made to the 4th edition of the magazine “Forum de Proteção de Dados” published in July 2017, on data protection in the context of Artificial Intelligence.
-
Follow-up of specific matters
The CNPD undertakes to monitor, inter alia, developments in the European legislative process for the revision of the regime on privacy in electronic communications, as well as the processing of personal data by the electoral administration in the context of the presidential elections. On this subject, the CNPD Guideline No. 1/2019 on the processing of personal data in the context of election campaigns and political marketing is already in force.
In addition, given the current context, the CNPD will monitor the processing of personal data in the context of teleworking. The CNPD also undertakes to monitor the transition to the new Schengen Information System, which will become operational in 2021.
-
Guidelines
As regards the guidelines, the Portuguese supervisory authority intends to address the topics of data processing of children, cookies, and privacy policies (in this case, in order to support the data controllers). As for the first two, reference should be made to the projects already developed by the CNPD in these areas, namely the 6th edition of the magazine “ Forum de Proteção de Dados ” published in November 2019, which addresses the topics of consent and cookies, the rights of children and the protection of their personal data in the digital world.
In this context, also in force is Guideline 1/2018, on the availability of personal data of students, teachers and other employees on the Internet site of higher education institutions.
-
Audits and Controls
The Portuguese supervisory authority intends to continue to carry out actions to verify compliance with the legal regime for data protection, as it is required to do under the GDPR. The latter also refers its intention to state its standpoint on the activity of Call Centres, TVDEs, as well as on video surveillance in public space.
-
Institutional cooperation
In its plan of activities for 2021, the CNPD also expresses its intention to continue cooperation with numerous organisations, including the National Center for Cyber-security and Higher Education Institutions.
-
Disclosure and awareness
After a year highly marked by the pandemic caused by the new coronavirus, the CNPD has proposed to strengthen the disclosure and awareness of data protection in 2021. Indeed, several challenges were raised during the pandemic, with the promotion of new types of processing of personal data or with the generalisation of data processing, generated by the use of teleworking, distance learning and by the access controls to establishments that process health data.
In this regard, the CNPD undertakes to promote several initiatives of informative nature, in particular conferences and webinars, biannual publications and the disclosure of the main case law on the protection of personal data and privacy.
-
International intervention
The participation and intervention of the CNPD in European and international bodies and groups is also one of the objectives foreseen in this plan.
Emphasis is placed on the CNPD’s commitment to intervene before the European Data Protection Committee, given the growing importance of uniform application of the legal regime for data protection in the European Union, as well as the importance of cross-border data processing in people’s lives.
-
Internal organisation and functioning
Finally, the CNPD is adopting new objectives for its internal organisation and functioning.
In this context, it will b important to highlight the reorganisation of the services faced with the new challenges arising from the change in the regulatory model, imposed by the GDPR, in order to ensure maximum efficiency in the performance of its functions, namely in the effective supervision of the processing of personal data throughout the national territory.
Also noteworthy is the effort to improve interaction with citizens and data controllers, through the implementation of electronic procedures, which will allow, among others, the electronic notification of applications within the scope of accreditation and certification.
In view of the pandemic context – which is expected to continue throughout 2021 -, the proactivity of the CNPD will prove indispensable for the protection of the rights of data subjects. The question is whether the CNPD will actually be able to fulfil or enforce all that it set out to do.
Want to know more? Subscribe our newsletter here.