New Portuguese Data Protection Act

Portugal - 

Data Protection Alert

Law 58/2019, of August 8, which ensures the implementation of the GDPR in Portugal, came into force last Friday, August 9.

Below you’ll find answers to the questions we are asked most often about the provisions of the new law.


1. If the GDPR is directly applicable in Portugal, what is the purpose of this new law?

Firstly, the GDPR gave Member States room for maneuver to legislate on certain matters, such as special categories of data, the processing of employees' data, etc., and this law does so.

Secondly, according to the GDPR, Member States should appoint, by legislative act, the authority responsible for supervising the implementation of the GDPR. Through this law the Comissão Nacional de Proteção de Dados (“CNPD”) has been appointed as the supervisory authority in Portugal.

Thirdly, offenses and crimes are, according to some authors, a matter of the exclusive competence of the Portuguese Parliament, so that the rules of the GDPR imposing fines were not directly applicable, hence the need for them to be transposed by a national normative act.

2. Does this law impose additional obligations on companies other than those referred to in the GDPR?

Yes. We highlight the following obligations:

  • Data Protection Officer (DPO)

The law added two obligations for the DPO: (i) the DPO should ensure that both periodic and unscheduled audits are carried out and (ii) the DPO should make users aware of the importance of early detection of security incidents and of the need to inform the security officer immediately afterwards.

  • Health and genetic data

Entities have an obligation to access health and genetic data exclusively by electronic means, except where this is not possible for technical reasons or if the data subject has expressly indicated otherwise. Further transmission of health and genetic data is prohibited.

It is also foreseen that entities have to notify the health or genetic data subject of any access to their data, and companies should be able to identify / track such accesses to fulfil this obligation.

3. What about employees’ data: what changes does the new law bring?

The law has proceeded with the legalization / legitimization of the processing of biometric data (fingerprint, face, iris, etc.) for purposes of access control to the employer's premises and control of attendance.

It is also foreseen that the employer, without legal provision, is prohibited from using the consent of its employees to process their personal data where such processing results in a legal or economic advantage for them.

Finally, the law expressly requires that employees’ personal data collected through remote surveillance technological means (such as images recorded by video surveillance cameras) may only be used in disciplinary proceedings within the scope of criminal proceedings (in practical terms, the conduct of the employee has to substantiate a crime).

4. Concerning minors, it is said that the new law establishes 13 years old as the age from which the minor can give consent for information society services. What does this really mean?

It means that if an entity offers electronic distance services (the so-called information society services) following a request from a minor who has reached 13 years of age, then the minor may give consent for the processing of his personal data related to the services in question.

In all other cases, the general rules of the Civil Code apply (consent is valid if the data subject is 18 years old, apart from exceptional cases where consent may be given by a minor who is at least 16 years old).

5. What about retention periods? Is there a different approach?

The new law, like the GDPR, does not set specific retention periods. However, it opens the door to the retention of personal data for the limitation period of contractual rights and obligations of entities (whether they are data controllers or data processors).

6. What are the main changes regarding fines?

The law has kept the GDPR ceilings for large companies (you can check the qualification of your company here). However, it sets different maximums for SMEs and individuals. In order to highlight what really changed, below you may find a comparative chart.

7. Are Portuguese public entities ultimately subject to fines?

Yes, unless the CNPD decides to exempt them upon reasoned request. However, this exemption will only be effective until August 9, 2022. From this date, and unless otherwise foreseen by law, all public entities will be subject to fines.

8. It has been said that under the new law, the CNPD can only initiate proceedings for negligent infringement of the provisions of the GDPR/Law 58/2019 upon prior warning to comply with the legal obligation that has not been fulfilled or with the reinstatement of the prohibition that was not implemented, within a reasonable time. Is this accurate?

This is effectively what the law establishes. However, the CNPD has already informally stated that this rule leads to situations of disparity between companies from different Member States, and has been adamant that complying with this rule is against the principle of primacy of European Union law.