Portuguese national law implementing Regulation (EU) 2016/679 (GDPR)

The national law implementing Regulation (EU) 2016/679 (GDPR) has finally been published in Portugal: Law no. 58/2019 of 8 August.


In general, our national legislation does not introduce significant changes or innovations (except for extending the applicability of the GDPR to some kinds of processing concerning deceased persons), but it clarifies some less developed subjects of the EU Regulation (not all, unfortunately) on which there was still legal uncertainty as to the understanding entities should follow.

We highlight in this article the main topics of this law:

Starting with the regulator, the National Data Protection Commission (CNPD) was designated as the national supervisory authority for the purposes of the GDPR and this law.

Regarding the conditions applicable to a child's consent: in Portugal, for the offer of information society services, consent is valid from 13 years of age (inclusive). For other types of services, or when minors are under 13 years of age, consent must be given by their legal representatives (preferably by means of secure authentication).

Concerning the DPO (Data Protection Officer): although performing the role of DPO does not require professional certification, the DPO shall maintain technical autonomy and is bound by a duty of professional confidentiality. Our national law has also assigned additional duties, such as conducting audits (periodic or unscheduled) and working to raise awareness of the importance of detecting data breaches.

In the context of labour relationships, this law clarifies that consent should not be a lawful ground for the processing of an employee's personal data if the processing results in a legal or economic advantage for the employee. Regarding biometric data, there should be no more doubts about its lawfulness for the purposes of attendance and access control to premises. Lastly, as far as video surveillance systems are concerned, such images can only be used in the context of disciplinary proceedings insofar as these are used for criminal purposes.

Still regarding video surveillance, the law reinforces the applicability of the specific requirements of article 31 of Law no. 34/2013 of 16/05, highlighting the areas where cameras cannot record (such as public roads or indoor areas reserved for clients and workers), and it also regulates the prohibition on recording sound (except when the premises are closed or with the CNPD's prior authorization).

On health and genetic data, we highlight two provisions that will certainly impact entities processing this type of special data. First, the processing of data necessary for health care services shall only be done by professionals subject to confidentiality duties and, as a general rule, access to this kind of data shall be made exclusively by electronic means. Second, the security measures to be implemented by entities handling such special data will be regulated.

One of the most debated subjects concerns data retention periods. Our national legislation has brought some clarification: personal data shall be retained for the period determined by law or regulatory instrument or, in its absence, for the period necessary to pursue the purpose of the processing. If the data are necessary as evidence of the performance of obligations, they may be retained until the end of the stipulated deadline for exercising rights. For greater certainty as to retention periods, we will have to wait for future decisions of the CNPD and understandings from the regulatory authorities of the different sectors of activity (as an example, the Portuguese Healthcare Regulation Authority has already issued an understanding regarding the retention periods to be complied with for health data).

Finally, regarding one of the most awaited issues to be implemented: the fines. The GDPR already determines the maximum amounts, and our national law made the distinction between serious and very serious administrative offences, having defined different minimum and maximum fines depending on the offender (natural person, small or medium-sized company, or large company). Thus, very serious administrative offences (including, namely, the absence of lawfulness, the failure to comply with consent rules, the failure to comply with the exercise of data subject rights, or the omission of relevant information) shall be punished with minimum fines between € 1 000 and € 5 000; serious administrative offences (here highlighting the absence of a mandatory DPIA or DPO, the failure to comply with the obligation to notify data breaches, or the lack of a contract with processors) shall be punished with minimum fines between € 500 and € 2 500.

A relevant note is that, except in cases of wilful misconduct, the opening of administrative proceedings shall depend on a prior warning from the CNPD to the entity so that, within a reasonable period of time, it can comply with the omitted obligation or remedy the violated prohibition.

Still regarding fines, and notwithstanding the controversy on this topic given the distinction between public and private entities, our law provides that, upon a reasoned request addressed to the CNPD, public entities are exempt from paying fines for a period of three years. For now, we do not know how the CNPD will manage these exemption requests (we believe it will take a conservative approach in view of the previously disclosed understanding on this subject); however, we are sure that this distinction will be used as a defence in most administrative proceedings that impose fines on private entities.


By Sara Henriques
Corporate and Commercial, Data Protection – SPS