On 28 January 2017, the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados/CNPD) published a document establishing ten measures aimed at helping entities prepare for the application of the General Data Protection Regulation (GDPR). Since the GDPR will apply from 25 May 2018 onwards, the CNPD points out that public and private entities should begin to swiftly implement internal procedures and mechanisms in order to ensure compliance with the new obligations.
The European Commission has adopted the legal framework for international data transfers between the US and the European Union. The framework concerns the new data protection agreement ´privacy shield´, which concerns international transfers made to US entities. US entities can be certified from 1 August, and may import personal data without the need for exporting European entities to have to seek authorisation from the various European authorities on data protection.
The data privacy scenario in Portugal has gone through a number of changes in 2015, in light of the European Court of Justice’s (ECJ’s) October 2015 ruling on the invalidity of the European Commission Decision 2000/520/CE (Safe Harbour Decision) as a basis for data transfers to the USA.
The Spanish Data Protection Agency (SDPA) recently fined two small to medium size companies (SMEs) for non-compliance of the relevant duties on ‘cookies’ requirements, in the amounts of €3,000 and €500 respectively. In particular, as further described below, said fines arise from the infringement of the obligations laid down under article 22.2 of the Spanish E-Commerce Act (LSSI). These companies included information storage devices or cookies on their websites, but the information provided to users on cookies use and purposes, or the reference thereof, was confusing. Consequently, the consumers´ consent, as understood by the SDPA, was not provided under the conditions legally required.
The new Data Protection Regulation proposal developed by the EU will be applicable to European and foreign organisations and to those that, although not based in Spain, commercialise products and services targeted at European citizens.