On November 13, the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados or CNPD) issued guidelines on the processing of health data regulated under Decree no. 8/2020, dated November 8, in particular on the processing of health data carried out within the scope of (i) body temperature measurements in controlling access to workplaces, services or public institutions, education and commercial establishments, cultural or sports spaces, means of transport, residential buildings, healthcare establishments, prison establishments or centers of education and (ii) the performance of SARS-CoV-2 diagnostic tests on the data subjects listed in the aforementioned decree.
Last week, the British journalist Martin Bryant revealed through his blog that he has brought a class action before the High Court of England and Wales representing seven million guests residing in England and Wales. The purpose was to obtain compensation due to the loss of control of personal data suffered as a result of a data breach which took place between 2014 and 2018, through which there was unauthorized access to the reservation database of the Starwood Group (since acquired by the Marriott Group), including, inter alia, passport numbers, dates of birth and possibly credit card details.
The Privacy Shield is the framework that permitted international data transfers between Europe and the United States; its invalidation will cause chaos in commercial relations between the EU and the US.
Given the current situation with the global pandemic of COVID-19, the number of health professionals who offer their services through different types of applications and remote means of communication has increased, which could involve the collection, storage and use of patients’ personal data.
The Portuguese Data Protection Authority issued guidelines (available solely in Portuguese) on the collection of employees' health data by the employer in the context of preventing infection by the new coronavirus SARS-CoV-2, in which it clarified that:
The Portuguese Data Protection Authority (CNPD, Comissão Nacional de Proteção de Dados) issued, on April 8, guidelines regarding the processing of personal data carried out through distance learning platforms driven by e-learning, MOOC (massive open online course), content/file sharing, videoconferencing and messaging technologies.
Within the context of the global spread of COVID-19 (Coronavirus), companies have discovered a new reality, which also raises questions within the scope of the processing of personal data, in particular compliance with the General Data Protection Regulation (GDPR) and Act 46/2012, dated August 29 (Electronic Communications Privacy Act).
Undoubtedly, 2019 was a busy year in the area of privacy. In Portugal, the GDPR Enforcement Law was approved and the Portuguese Authority (CNPD) took the controversial decision of “disregarding” some of the respective rules. The EDPB and the CJEU were also active, issuing several decisions and opinions, some very interesting. At the end of the year, the Advocate General in the Schrems II case gave us excellent news by confirming the validity of standard contractual clauses for transferring data outside the EU. Finally, both the CNPD and the other European supervisory authorities have issued the first fines under the GDPR.
In order to “ensure the principle of primacy of the European Union law and the full effectiveness of the GDPR”, the Portuguese Data Protection Agency (“CNPD”) “intends to disregard, in situations of processing of personal data it may consider”, some rules of Law 58/2019, of August 8, the most relevant being: