The Portuguese Data Protection Agency (CNPD, by its Portuguese acronym) has imposed a 400,000 euro fine on Centro Hospitalario Barreiro-Montijo for two breaches of the General Data Protection Regulation (GDPR), which has been in force since May 25, 2018.
In this article we highlight the implications for parties, counsel, arbitral institutions and third-party providers, and consider how best to deal with GDPR compliance, including assessing whether consent is necessary, obtaining consent when and if needed, gathering documents, rights of access, denial and deletion, and transfer of personal data outside the EU.
One of the consequences for businesses is that they will have to (and have already begun to) reduce their databases by half. But this does not have to be a bad thing: it may mean more robust, more useful and more valuable databases.
Alejandro Padín, counsel in the Commercial Department and head of Privacy and Data Protection, when he spoke on Tuesday 6 March to the Congress of Deputies Justice Commission, in view of the imminent application of the new GDPR on 25 May.