09.08.2019

Practice Areas: Intellectual Property and Information Technology

General Data Protection Regulation (GDPR)

Law no. 58/2019, of August 8

Law implementing Regulation (EU) 2016/679 in Portugal

More than three years after the entry into force of the General Data Protection Regulation (May 2016) and more than one year after the date of its application (May 2018), the law ensuring the implementation into national law of Regulation (EU) 2016/679 (General Data Protection Regulation) was finally published: Law 58/2019 of August 8.

The law will enter into force today, August 9.

We highlight the main novelties of this law:

A. CNPD DESIGNATION : NATIONAL SUPERVISORY AUTHORITY

The National Data Protection Commission (CNPD) is designated as the national supervisory authority for the purposes of the GDPR and the law.

This law introduces amendments to the law on the organisation and functioning of the CNPD (republishing it) providing new powers in addition to those set out in Article 57 of the GDPR.

B. DATA PROTECTION OFFICER : MANDATORY FOR PUBLIC ENTITIES

In order to comply with Article 37 of the GDPR, the law clarifies which public entities are obliged to appoint a Data Protection Officer:

State
Autonomous Regions (Azores and Madeira)
Local authorities and other bodies provided for by law
Independent administrative entities
Bank of Portugal
Public Institutes
Public higher education institutions
State-owned and regional and local business enterprises
Public associations

C. DATA PROTECTION OFFICER : MANDATORY FOR SOME PRIVATE ENTITITES

This law stipulates that it is mandatory to appoint a Data Protection Officer where the main private activity involves data processing which requires regular and systematic monitoring of data subjects on a large scale or data processing on a large scale of special categories of data pursuant to Article 9 of the GDPR, or of personal data related to criminal convictions and administrative offences pursuant to Article 10 of the GDPR.

D. DATA PROTECTION OFFICER : EXEMPTION FROM PROFESSIONAL CERTIFICATION

It is clarified that the performance of the data protection officer’s duties does not require professional certification and reinforces that, regardless of the nature of the legal relationship with the data controller, the data protection officer shall maintain technical autonomy.

E. CERTIFICATION : PORTUGUESE ACCREDITATION INSTITUTE

It determines that the Portuguese Accreditation Institute (IPAC, I.P.) is the competent authority for the accreditation of certification bodies in data protection matters, as required by Article 43 of the GDPR.

The accreditation of certification bodies by IPAC has to take into account the requirements set out in the GDPR and the additional requirements established by the CNPD. These bodies will carry out the certification of the entities whose implemented procedures comply with the provisions of the GDPR and the legal act hereby approved.

F. CONSENT OF MINORS : INFORMATION SOCIETY SERVICES

Minors consent related with the direct provision of information society services shall be lawful when such minors are at least 13 years of age.

When the minor is less than 13 years of age, data processing shall only be lawful only when consent is given by the holders of parental responsibility, using secure authentication means.

G. VIDEO-SURVEILLANCE : CNPD’S PREVIOUS AUTHORIZATION FOR SOUND RECORDING

Establishes the prohibition of sound recording by video-surveillance systems, except in the period in which the facilities under surveillance are closed or when a prior authorization has been obtained from the CNPD for that purpose.

H. SOCIAL SECURITY DATA : RETENTION PERIODS

Established the possibility of retain, without a time limit, any data related with social security tax returns for retirement purposes.

I. PUBLIC AUTHORITIES : EXCEPTIONAL PROCESSING OF PERSONAL DATA FOR DIFFERENT PURPOSES

The new law exceptionally allows:

The processing of personal data by public authorities for purposes other than those determined by the data collection. The basis for processing must be the pursuit of a public interest that cannot otherwise be served; and
The transmission of personal data between public authorities for purposes other than those determined by the data collection. The processing shall be the subject of a protocol establishing the responsibilities of each intervening entity, both in the act of transmission and in other processing to be carried out.

J. ACCESS TO ADMINISTRATIVE DOCUMENTS : APPLICATION OF SPECIFIC LEGAL STATUTE

Access to administrative documents containing personal data is governed by the provisions of Law no. 26/2016, of August 22, which approves the regime for access to administrative and environmental information and the reuse of administrative documents, which has been amended by this new law.

K. HEALTH AND GENETICS : DATA PROCESSING

It is now established that the processing of health and genetic data must be governed by the “need to know” principle, and the data controller is obliged to notify the data subject of any access to such personal data, which means that the data subject will necessarily have to implement a traceability and notification mechanism.

L. DECEASED PERSONS : PROTECTION OF PERSONAL DATA

It is also established that the personal data of deceased persons, which falls within the special categories of personal data, in accordance with the provisions of Article 9 of the GDPR, shall also be subject to protection.

M. LABOUR RELATIONS : EMPLOYEES DATA

Specific rules are laid down concerning the processing of employees data in the context of labour relationships, in particular with regard to the following matters:

Consent by the employee: not lawful if the processing results in a legal or economic advantage for the employee.
Video-surveillance systems: remote surveillance images may only be used in disciplinary proceedings if they have been previously used in criminal proceedings.
Biometric data: the processing is only considered lawful for attendance control and access control to the premises.

N. JURISDICTION : ADMINISTRATIVE COURTS

The new law stipulates that it is the administrative courts that have jurisdiction to decide the actions brought against the CNPD.

O. PUBLIC ENTITIES : EXEMPTION FROM THE IMPOSITION OF FINES

It is established the possibility of waiving the application of fines for a period of three years as from the entry into force of the law, upon a reasoned request addressed to the CNPD. The legal provision of this prerogative shall be subject to reevaluation three years after August 9.

All other rules, including the correction powers provided for in the RGPD, will apply to public entities.

P. MISDEMEANOURS : PRIOR WARNING FOR COMPLIANCE

With regard to administrative misdemeanors proceedings, it is established that, except in cases of willful misconduct, the opening of administrative misdemeanors proceedings will always depend on the prior warning of the CNPD to the offender so that, within a reasonable period of time, it can comply with the omitted obligation or to reinstate the violated prohibition.

It provides for additional administrative offences to those provided for in the GDPR.

The minimum and maximum limits on fines for serious and very serious administrative offences vary according to the type of offender:

Large companies (the maximum limit corresponds to the value stipulated in the GDPR);
Small and medium-sized enterprises (the maximum limit corresponds to the value stipulated in the GDPR);
Individuals

It is also established the general regime of misdemeanors as a subsidiary regime.

Q. CRIMES : HARDLY ANY CHANGES

The new law typifies crimes with regard to personal data: the use of data incompatible with the purpose of the collection; improper access; data diversion; data corruption or destruction; insertion of false data; breach of the secrecy duty; disobedience.

The criminal frames, as well as the types of crimes, are similar to those provided for in Law No. 67/98, of 26 October (LPDP), except for the crime of violation of the professional secrecy duty, whose maximum limit is reduced to half.

The attempt of committing the crime is always punishable.

R. REVOCATION : LAW NO. 67/98, OF OCTOBER 26

Law No 67/98 of 26 October 1998 transposing Directive 95/45/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data into Portuguese law, is revoked by this law.

Knowledge

07 Apr 2024

Abreu News

Abreu Advogados supports and participates in GC Summit Portugal 2024

28 Mar 2024

Abreu News

Abreu Advogados featured in the latest Legal 500 ranking

27 Mar 2024

Abreu News

Ricardo Henriques contributes to the “Advertising Law: A Global Legal Perspective” publication

14 Mar 2024

Abreu News

Abreu Advogados once again recognised in Chambers Europe 2024 ranking

Cookie	Duration	Description
cookielawinfo-checkbox-analiticos	1 year	Set by the GDPR Cookie Consent plugin to store the user consent for cookies in the category "Analytics".
cookielawinfo-checkbox-funcionais	1 year	Set by the GDPR Cookie Consent plugin to store the user consent for cookies in the category "Functional".
cookielawinfo-checkbox-necessarios	1 year	Set by the GDPR Cookie Consent plugin to store the user consent for cookies in the category "Necessary".
cookielawinfo-checkbox-publicidade	1 year	Set by the GDPR Cookie Consent plugin to store the user consent for cookies in the category "Advertising".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify the unique session ID of the user, in order to manage the session of the user on the website. This is a session cookie and is deleted when all browser windows are closed.
viewed_cookie_policy	1 year	Set by the GDPR plugin to store if the cookie banner was presented to and seen by the user.
wp-wpml_current_language	session	Cookie from the "WPML" plugin that stores the current language of the website.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_4754890_23	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.