Data Protection

The Council of the European Union announced yesterday in a press release that Member States have agreed at negotiating a mandate for the revision of the rules on the protection of privacy and confidentiality in the use of electronic communications services, which include rules on the processing of metadata, the use of cookies and the sending of marketing communications.
On International Data Protection Day, the Spanish Data Protection Agency (AEPD) honored Foundation 29 as one of the two recipients tying for the Award for Proactivity and Best Practices in comply with the General Data Protection Regulation and the Spanish Law on Personal Data Protection and the Safeguard of Digital Rights (Category A) for its project HealthData 29 Playbook, a guide to creating a public data repository of health systems, in which Garrigues advised.
On November 13, the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados or CNPD) issued guidelines on the processing of health data regulated under Decree no. 8/2020, dated November 8, in particular, on the processing of health data carried out  within the scope of (i) body temperature measurements in controlling access to workplaces, services or public institutions, education and commercial establishments, cultural or sports spaces, means of transport, residential buildings, healthcare establishments, prison establishments or centers of education and (ii) the performance of SARS-CoV-2 diagnostic tests to the data subjects listed in the aforementioned decree.
Last week, the British journalist Martin Bryant revealed through his blog that he has brought a class action before the High Court of England and Wales representing seven million guests residing in England and Wales. The purpose was to obtain compensation due to the loss of control of personal data suffered as a result of a data breach which took place between 2014 and 2018, through which there was unauthorized access to the reservation database of the Starwood Group (since acquired by the Marriott Group), including, inter alia, passport numbers, dates of birth and possibly credit card details.
Given the current situation with the global pandemic of COVID-19, the number of health professionals who offer their services through different types of applications and remote means of communication has increased, which could involve the collection, storage and use of patient’s personal data. 
The Portuguese Data Protection Authority issued guidelines (available solely in Portuguese) on the collection of employees' health data by the employer in the context of the infection prevention by the new coronavirus SARS-CoV-2, in which it clarified that:
The Portuguese  Data Protection Authority (CNPD, Comissão Nacional de Proteção de Dados) issued, on April 8, guidelines regarding the processing of personal data carried out through distance learning platforms driven by e-learning, MOOC (massive open online course), content/file sharing, videoconferencing and messaging technologies.
Within the context of the global spread of COVID-19 (Coronavirus), companies have discovered a new reality, which also raises questions within the scope of the processing of personal data, in particular the fulfillment of the General Data Protection Regulation (GDPR) and Act 46/2012, dated August 29 (Electronic Communications Privacy Act).
Undoubtedly, 2019 was a busy year in the area of privacy. In Portugal, the GDPR Enforcement Law was approved and the Portuguese Authority (CNPD) took the controversial decision of “disregarding” some of the respective rules. The EDPB and the TJUE were also active, issuing several decisions and opinions, some very interesting. At the end of the year, the Advocate General in case Schrems II gave us excellent news by confirming the validity of standard contractual clauses for transferring data outside the EU. Finally, both the CNPD and the other European supervisory authorities have issued the first fines under GDPR.