2 years of GDPR, 1 year of Portuguese implementation law
In addition to the fines imposed as a result of the GDPR violations, several opinions and guidelines have been issued by the Portuguese Supervisory Authority, Comissão Nacional de Proteção de Dados (hereinafter “CNPD”), on the protection of personal data in different areas. Moreover, given the epidemiological situation of COVID-19, the protection of personal data has taken on particular significance in the lifting of containment measures.
In Portugal, the National Law that implemented the GDPR (Law no. 58/2019, of August 8) was only approved 1 year ago, in June 2019, having entered into force in August 2019. By that date, however, the CNPD had already imposed 4 fines for GDPR violations. These amounted to a total of EUR 420,000.00.
In compliance with Article 35 of the GDPR, the CNPD adopted Regulation Nr. 1/2018, which establishes an illustrative list of personal data processing operations that must be subject to a Data Protection Impact Assessment before being carried out.
Taking into account also the obligation for Controllers and Processors to maintain a record of processing activities under their responsibility, the CNPD has made registration templates available on its website in order to facilitate compliance with this obligation.
Throughout these two years and at the request of public bodies, the CNPD has issued several opinions on a wide range of topics, including video surveillance by the Public Security Forces and the collection of images by mobile cameras supported by drones.
The CNPD also issued guidelines on the availability of students' and other workers' personal data on educational institutions' websites; the processing of personal data in the context of electoral campaigns and political marketing; and the processing of personal data in the context of intelligent electricity distribution networks.
Finally, the new coronavirus pandemic has presented many challenges, exposing the difficulties of striking a balance between the use of technology and privacy. In this regard, the CNPD has issued several guidelines in the Labour, Educational and Public Administration context in order to ensure the collection and processing of personal data in accordance with the current legislation:
- In the labour context: The CNPD had the opportunity to address some issues that arose from the use of telework and the admissibility of the collection of workers' health data (body temperature) when returning to their workspace.
- In the educational context: In order to clarify any doubts regarding the admissibility of certain tools used in distance learning, the CNPD has issued guidelines for the different actors involved in the processing of personal data carried out in this context.
- In the context of Public Administration: the CNPD provided guidelines to ensure that the disclosure of personal data regarding persons diagnosed with COVID-19 respected the legislation in force.
Notwithstanding, the CNPD also mentions the difficulties in cases of data protection violations that go beyond the national territory due to the differences in the legal regimes and applicable procedures in this matter. In this regard, in the last two years the CNPD has conducted more than 2,000 investigations, received notice of 557 data breaches, and the number of cross-border cases registered exceeds 1,550. Nevertheless, the CNPD expects a more positive outcome next year, on the third anniversary of the implementation of the GDPR.
Article provided by: Ricardo Henriques (Abreu Advogados, Portugal)
Dr. Tobias Höllwarth (Managing Director INPLP)