
The national law implementing the General Data Protection Regulation (GDPR) has entered into force

Law No. 58/2019, of August 8, which implements in national law Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the GDPR), has entered into force.

More than a year after the GDPR became applicable on May 25, 2018, there is now finally a national law so that the Regulation can be properly applied and enforced in Portugal.

See the highlights below:

 

Territorial scope

The Law applies to the processing of personal data carried out in the national territory by any public or private entity. It also applies to processing carried out outside the national territory where it takes place in the context of the activities of an establishment located in the national territory, or where it affects data subjects located in the national territory and falls within the scope of application of the GDPR.

In addition to what is provided for in the GDPR, the Law applies to processing carried out outside the national territory of the data of Portuguese nationals residing abroad, where those data are recorded at consular posts.

 

Supervisory authority

The National Data Protection Commission (CNPD – Comissão Nacional de Proteção de Dados) is the national supervisory authority for the purposes of the GDPR and of Law 58/2019, of August 8.

 

Data protection officer

The data protection officer now has further duties in addition to those provided for in the GDPR, namely: to ensure that both regular and unscheduled audits are carried out; to raise awareness among users of the importance of detecting security incidents in a timely manner and of the need to inform the information security officer immediately; and to handle relations with data subjects in matters covered by the GDPR and by national data protection legislation.

 

Accreditation and certification

The Portuguese Accreditation Institute (IPAC – Instituto Português de Acreditação, I.P.) is the competent authority, for data protection purposes, for the accreditation of the certification bodies that issue data protection certifications, seals and marks.

 

Consent

With regard to consent, the Law makes clear that consents already obtained do not need to be renewed where they already comply with the requirements of the GDPR. It also provides that the withdrawal of consent may be a ground for terminating the underlying contract, in which case the processing remains lawful until the contract terminates.

The minimum age at which minors may themselves give valid consent to the processing of their personal data in relation to information society services is 13. For children under 13, consent must be given by their legal representatives.

 

Video surveillance

As for video surveillance, the Law refers to the law on private security services (Law No. 34/2013, of May 16) and adds a list of places where the capture of sound and images is forbidden, namely: public roads, neighbouring properties or other places that are not under the exclusive control of the controller, except to the extent strictly necessary to cover the access areas to the property; the keypad area of ATMs or other payment terminals; areas reserved for customers or users where privacy must be respected, namely sanitary facilities, waiting rooms and fitting rooms; and areas reserved for workers, namely dining areas, locker rooms, gymnasiums, sanitary facilities and leisure areas.

 

Personal data retention period

Personal data may be retained for the period laid down by law or regulation or, in the absence of such a period, for as long as necessary for the purpose for which they were collected.

Where personal data are needed by the controller or the processor to prove compliance with contractual or other legal obligations, they may be retained until the limitation period of the corresponding rights has expired.

 

Processing in the context of employment

In the context of employment, and in line with established data protection guidance on the imbalance between employer and employee, the Law clarifies that the employee's consent does not serve as the legal basis for the processing of personal data where the employee obtains a legal or economic advantage from the processing, or where the processing is necessary for the performance of a contract to which the employee is party.

As for employees' biometric data, such data may be processed only for attendance control and for controlling access to the employer's premises.

 

Processing of health and genetic data

Processing of health and genetic data may be carried out only by a professional bound by professional secrecy, or by another person bound by a duty of confidentiality or secrecy. Adequate security measures must be implemented, including the minimum technical security requirements for such processing, which are to be approved by an ordinance of the members of the Government responsible for the areas of health and justice.

 

Administrative fines

In terms of penalties, the Law adapts the framework of administrative fines to the size of the offender and sets out weighting criteria for determining the fine to be imposed. Under the GDPR, administrative fines can reach €20,000,000 or 4% of the undertaking's total worldwide annual turnover, whichever is higher; the national law adds minimum amounts: €5,000 for very serious administrative offences and €2,500 for serious administrative offences committed by large companies. For small and medium-sized enterprises the minimum amounts are €2,000 and €1,000 respectively.

 

Crimes

The use of data in a manner incompatible with the purpose of collection, unauthorised access, diversion of data, tampering with or destruction of data, insertion of false data and breach of the duty of secrecy are now classified as crimes punishable by imprisonment. Attempt is always punishable.

This criminalisation means that companies must pay particular attention to implementing and monitoring compliance with the rules of the GDPR.

22-08-2019
