Given the current situation with the global pandemic of COVID-19, the number of health professionals who offer their services through different types of applications and remote means of communication has increased, which could involve the collection, storage and use of patient’s personal data.
The Portuguese Data Protection Authority issued guidelines (available solely in Portuguese) on the collection of employees' health data by the employer in the context of the infection prevention by the new coronavirus SARS-CoV-2, in which it clarified that:
The Portuguese Data Protection Authority (CNPD, Comissão Nacional de Proteção de Dados) issued, on April 8, guidelines regarding the processing of personal data carried out through distance learning platforms driven by e-learning, MOOC (massive open online course), content/file sharing, videoconferencing and messaging technologies.
Within the context of the global spread of COVID-19 (Coronavirus), companies have discovered a new reality, which also raises questions within the scope of the processing of personal data, in particular the fulfillment of the General Data Protection Regulation (GDPR) and Act 46/2012, dated August 29 (Electronic Communications Privacy Act).
Undoubtedly, 2019 was a busy year in the area of privacy. In Portugal, the GDPR Enforcement Law was approved and the Portuguese Authority (CNPD) took the controversial decision of “disregarding” some of the respective rules. The EDPB and the TJUE were also active, issuing several decisions and opinions, some very interesting. At the end of the year, the Advocate General in case Schrems II gave us excellent news by confirming the validity of standard contractual clauses for transferring data outside the EU. Finally, both the CNPD and the other European supervisory authorities have issued the first fines under GDPR.
In order to “ensure the principle of primacy of the European Union law and the full effectiveness of the GDPR”, the Portuguese Data Protection Agency (“CNPD”) “intends to disregard, in situations of processing of personal data it may consider”, some rules of law 58 / 2019, of August 8, being the most relevant:
The Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados or CNPD) published, on 23 April 2019, its 2017-2018 activity report. This report provide us an overview of CNPD’s activities during the year of 2017 and two periods of the year 2018: from 1 January to 24 May (before the GDPR’s applicability) and from 25 May to 31 December (after the GDPR’s applicability). Among the information provided by the CNPD we highlight the following:
The National Data Protection Commission has published on its website a model of record of processing activities for controllers and a model for processors, in accordance with the requirements set forth in article 30 of the General Data Protection Regulation (Regulation (EU) 2016/679), which can be consulted aqui.