General Data Protection Regulation

Law No. 58/2019 of 8 August

Law implementing Regulation (EU) 2016/679 in Portugal

More than three years after the entry into force of the General Data Protection Regulation (May 2016) and more than one year after the date of its application (May 2018), the law ensuring enforcement of Regulation (EU) 2016/679 (General Data Protection Regulation) in the national legal order has finally been published: Law No. 58/2019 of August 8.

The law enters into force today, August 9.

We highlight the main novelties of this law:

A. CNPD DESIGNATION : NATIONAL SUPERVISORY AUTHORITY

The National Data Protection Commission (CNPD) is designated as the national supervisory authority for the purposes of the GDPR and the law.

The law amends the law on the organization and functioning of the CNPD (and republishes it) and provides for new tasks in addition to those set out in Article 57 of the GDPR.

 

B. DATA PROTECTION OFFICER : MANDATORY FOR PUBLIC ENTITIES

In order to comply with article 37 of the GDPR, the law clarifies which public entities are required to appoint a Data Protection Officer:

  • State
  • Autonomous regions (Azores and Madeira)
  • Local authorities and the supra-municipal entities provided for by law
  • Independent administrative entities
  • Bank of Portugal
  • Public institutes
  • Public higher education institutions
  • Companies in the state business sector and regional and local business sectors
  • Public associations.

 

C. DATA PROTECTION OFFICER : MANDATORY FOR SOME PRIVATE ENTITIES

The law stipulates that appointing a Data Protection Officer is mandatory where the main private activity carried out involves processing that requires regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data pursuant to Article 9 of the GDPR, or of personal data relating to criminal convictions and administrative offences under Article 10 of that Regulation.

 

D. DATA PROTECTION OFFICER : EXEMPTION FROM PROFESSIONAL CERTIFICATION

The law clarifies that performing the functions of data protection officer does not require professional certification and stresses that, regardless of the nature of the legal relationship with the data controller, the officer maintains technical autonomy.

 

E. CERTIFICATION : PORTUGUESE ACCREDITATION INSTITUTE

The law determines that the Portuguese Accreditation Institute (IPAC, I.P.) is the competent authority for the accreditation of data protection certification bodies as required by Article 43 of the GDPR.

IPAC's accreditation of certification bodies must take into account the requirements laid down in the GDPR and the additional requirements laid down by the CNPD. These bodies will certify entities whose implemented procedures comply with the provisions of the GDPR and of this law.

 

F. CONSENT OF MINORS : SERVICES OF THE INFORMATION SOCIETY

Consent given by minors with regard to the direct provision of information society services is lawful if the minors are at least 13 years of age.

If the minor is under the age of 13, processing is only lawful if consent is given by the holders of parental responsibility, using means of secure authentication.

 

G. VIDEO SURVEILLANCE : PRIOR AUTHORIZATION OF THE CNPD FOR SOUND CAPTURE

Sound capture by video surveillance cameras is prohibited, except during the period when the monitored premises are closed or with authorization from the CNPD.

 

H. DATA FOR SOCIAL SECURITY : RETENTION PERIODS

The law allows data relating to social security declarations for retirement purposes to be retained without a time limit.

 

I. PUBLIC ENTITIES : EXCEPTIONAL PROCESSING OF PERSONAL DATA FOR DIFFERENT PURPOSES

The law allows, exceptionally:

  • The processing of personal data by public entities for purposes other than those that determined the collection. The basis for processing must lie in the pursuit of a public interest that cannot otherwise be safeguarded; and
  • The transmission of personal data between public entities for purposes other than those that determined the collection. The transmission shall be the subject of a protocol establishing the responsibilities of each intervening entity, both in the act of transmission and in any other processing to be carried out.

 

J. ACCESS TO ADMINISTRATIVE DOCUMENTS : APPLICATION OF ITS OWN LAW

Access to administrative documents containing personal data is governed by the provisions of Law No. 26/2016 of 22 August, which approves the regime of access to administrative and environmental information and reuse of administrative documents, and which this new law amends on specific points.

 

K. HEALTH AND GENETICS DATA PROCESSING

The law establishes that the processing of health data and genetic data must be governed by the need-to-know principle, and that the data controller is obliged to notify the data subject of any access to the subject's personal data, which means that the controller will necessarily have to implement a traceability and notification mechanism.

 

L. DECEASED PERSONS : PROTECTION OF PERSONAL DATA

The law establishes that personal data of deceased persons that fall within the special categories of personal data, in accordance with Article 9 of the GDPR, are also protected.

 

M. LABOR RELATIONS : WORKERS' DATA

Specific rules are laid down on the processing of workers' data in the context of labor relations, in particular in relation to the following matters:

  • Worker's consent: it is not lawful if the processing results in a legal or economic advantage for the worker.
  • Video surveillance systems: remote surveillance images may only be used in disciplinary proceedings if they have been previously used in criminal proceedings.
  • Biometric data: processing is considered lawful only for attendance control and access control to the premises.

 

N. JUDICIAL PROTECTION : ADMINISTRATIVE COURTS

The law stipulates that the administrative courts have jurisdiction to decide actions brought against the CNPD.

 

O. PUBLIC ENTITIES : EXEMPTION FROM IMPOSITION OF FINES

Public entities may, upon reasoned request to the CNPD, be exempted from the imposition of fines for a period of three years from the entry into force of the law. This provision should be reassessed three years after August 9.

All other rules, including the powers of correction provided for in the GDPR, will apply to public entities.

 

P. ADMINISTRATIVE OFFENCES : WARNING IN ADVANCE FOR COMPLIANCE

Except in cases of intent, the initiation of infringement proceedings always depends on a prior warning from the CNPD to the infringer so that, within a reasonable period, the infringer can fulfil the omitted obligation or comply again with the violated prohibition.

The law provides for corrections additional to those provided for in the GDPR.

The minimum and maximum limits of fines for the commission of serious and very serious offences vary depending on the type of infringer:

  • Large companies (the ceiling matches the amount stipulated in the GDPR);
  • Small and medium-sized enterprises (the ceiling matches the value stipulated in the GDPR);
  • Natural persons.

The law establishes the general regime of administrative offences (ilícito de mera ordenação social) as the subsidiary regime.

 

Q. CRIMES : FEW CHANGES

The law defines the following personal data crimes: use of data in a manner incompatible with the purpose of collection; undue access; data diversion; data tampering or destruction; insertion of false data; violation of the duty of secrecy; disobedience.

The penalty ranges, as well as the types of crimes, are similar to those provided for in Law No. 67/98 of October 26 (LPDP), except for the crime of violation of the duty of professional secrecy, the maximum limit of which is halved.

Attempt is always punishable.

 

R. REVOCATION : LAW No. 67/98 OF 26 OCTOBER (LPDP)

Law No. 67/98 of 26 October (LPDP), which transposed into the Portuguese legal order Directive 95/45/EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, is repealed.