Portuguese Law implementing GDPR finally approved

26.06.2019

On the 14th of June 2019 (one year later than expected) Portugal has finally approved Draft Law no. 120/XIII/3.ª (GOV), implementing the (EU) Regulation 2016/679 (General Data Protection Regulation or GDPR) in Portugal.

The Draft Law shall enter into force on the day following that of its publication in the Portuguese Official Journal, which is dependent of previous ratification by the President of the Republic of Portugal.

Throughout the preparation and approval process of the Draft Law, several concerns were raised, namely by the Portuguese supervisory authority, the Data Protection Authority (Comissão Nacional de Proteção de Dados - CNPD), which, rather strangely, was not actively involved on the drafting of the Law.

Although some of those concerns were subject of revision and amendment, the final version of the Draft Law kept several controversial provisions, which we will address in detail below.

A. PUBLIC ENTITIES : MANDATORY DATA PROTECTION OFFICER

In order to comply with Article 37 of the GDPR, the Draft Law established an exhaustive list of the public entities required to appoint a DPO, including, amongst others, Municipalities, Public Institutes, Public Schools and State, Regional and Local Business Sector Entities (Setor Empresarial do Estado).

B. CERTIFICATION MECHANISMS : PORTUGUESE ACCREDITATION INSTITUTE

As provided in Article 43 of GDPR, the Draft Law also determines the accreditation and certification process. Accordingly, GDPR related codes of conduct or certification mechanisms must be approved by a certification body which shall be recognized by the (IPAC, I.P.). The requirements established by the Portuguese Supervisory Authority (CNPD) shall be considered by IPAC, IP on the approval decision.

C. MINORS CONSENT : INFORMATION SOCIETY SERVICES

Pursuant to Article 8 of GDPR, regarding the offer of information society services, the Draft Law establishes that personal data processing of a child above the age of 13 years will not require consent by the respective legal representatives.

D. PUBLIC ENTITIES : EXEMPTION

The exemption granted to public entities was another provision which received a strong disapproval by the Portuguese supervisory authority when the first draft of the law was made public. Regarding this topic, GDPR left to each Member State the decision on whether and to what extent administrative fines should be imposed on public authorities and bodies. The Portuguese Parliament came up with a compromise solution, establishing that such exemption will only be applicable for a maximum period of three years. All other rules, including corrective measures, will be applicable to public entities.

E. SOCIAL SECURITY DATA : DATA RETENTION DEADLINES

Data related with Social Security relating to contributions for retirement purposes shall be exempt of data retention deadlines. However, appropriate technical and organizational measures shall be adopted in order to ensure the rights of the data subjects.

F. DECEASED INDIVIDUALS : PERSONAL DATA

Although GDPR expressly states that its provisions are not applicable to deceased individuals personal data, the Draft Law includes an innovative provision establishing that the deceased individuals personal data which integrates the special categories of personal data, as provided under Article 9 of GDPR, shall also be protected.

G. LABOUR RELATIONS : EMPLOYEES DATA

The Draft Law established specific rules as regards to the processing of employees’ personal data in the employment context, in particular, regarding the following topics: Employees’ Consent, Video Surveillance Systems and Biometric Data.

H. HEALTH & GENETIC : DATA PROCESSING

The Draft Law determined that processing of health and genetic data shall be limited to the “need-to-know” principle. Moreover, data controllers are obliged to give notice to data subjects of all accesses to their personal health related data, which means that data controllers will have to implement a traceability mechanism.

I. MISDEMEANOR PROCEEDINGS : PREVIOUS REMEDY WARNING

As regards to Misdemeanor Proceedings, the Draft Law provides that, except for willful misconduct cases, the opening of a misdemeanor proceeding by the Portuguese supervisory authority must be preceded by a warning for the remedy of the breach by the infringer within a reasonable deadline.

For very serious infringements (1), three different recipients’ categories have been defined: Large Companies, SME’s and Individuals.

The amount of the fines collected shall revert in 60% for the Portuguese State and 40% for CNPD. The fact that the CNPD collects 40% of the amount of the fines that itself decides to impose, raises some concerns of possible conflicts of interest, although it is similar to other existing laws in Portugal.

J. CONSENT RENEWAL : NO DEADLINE EXTENSION

Contrary to what was announced, the Draft Law has not established a new deadline for consent renewal. Although the original intention was to grant a six months deadline extension, the Portuguese parliament ended up eliminating such provision.

 

Article provided by: Ricardo Henriques (Partner at Abreu advogados, Portugal)

 

References:

  1. In case of serious infringements the applicable amounts shall be reduced to half.

 

Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Höllwarthtobias.hoellwarth@eurocloud.org

VIEW PROJECT

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.