CNPD issued a Deliberation (Deliberation No. 494/2019, of September 3) stating that they will not apply some of the rules of the Portuguese Law implementing GDPR
Data Protection Alert
In order to “ensure the principle of primacy of the European Union law and the full effectiveness of the GDPR”, the Portuguese Data Protection Agency (“CNPD”) “intends to disregard, in situations of processing of personal data it may consider”, some rules of law 58 / 2019, of August 8, being the most relevant:
- Article 20 (1) that states that the information and access rights foreseen in articles 13 to 15 of the GDPR shall not be exercised when the law requires the controller or the processor a confidentiality or secrecy duty that is enforceable against the data subject;
- Article 28 (3) (a) that foresees that consent is not a lawful basis for processing employees personal data if the employee may obtain a legal or economic advantage from the processing;
- Article 37 (1) (a) that establishes that in case of breach of data protection principles (e.g. lawfulness, fairness, data minimization) negligence is not punishable;
- Article 39 (3) that rules that CNPD can only initiate negligent infringement proceedings of the GDPR/Law 58/2019 provisions upon prior warning to comply with the legal obligation that has not been fulfilled or with the reinstatement of the prohibition that was not implemented, within a reasonable time.
Regarding the reasons invoked by the CNPD to publish its deliberation, “the CNPD clarifies that it makes public its deliberation in order to ensure the transparency of its future decision-making procedures and to this extent contribute to legal certainty and certainty and also clarifies that the non-application, in future particular cases, of the legal provisions listed above, results in the direct application of the GDPR rules which were being manifestly restricted, contradicted or compromised in their useful effect”.
You may find here the full text of the deliberation (Portuguese version only).