Within the context of the global spread of COVID-19 (Coronavirus), companies have discovered a new reality, which also raises questions within the scope of the processing of personal data, in particular the fulfillment of the General Data Protection Regulation (GDPR) and Act 46/2012, dated August 29 (Electronic Communications Privacy Act).
Undoubtedly, 2019 was a busy year in the area of privacy. In Portugal, the GDPR Enforcement Law was approved and the Portuguese Authority (CNPD) took the controversial decision of “disregarding” some of the respective rules. The EDPB and the TJUE were also active, issuing several decisions and opinions, some very interesting. At the end of the year, the Advocate General in case Schrems II gave us excellent news by confirming the validity of standard contractual clauses for transferring data outside the EU. Finally, both the CNPD and the other European supervisory authorities have issued the first fines under GDPR.
In order to “ensure the principle of primacy of the European Union law and the full effectiveness of the GDPR”, the Portuguese Data Protection Agency (“CNPD”) “intends to disregard, in situations of processing of personal data it may consider”, some rules of law 58 / 2019, of August 8, being the most relevant:
The Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados or CNPD) published, on 23 April 2019, its 2017-2018 activity report. This report provide us an overview of CNPD’s activities during the year of 2017 and two periods of the year 2018: from 1 January to 24 May (before the GDPR’s applicability) and from 25 May to 31 December (after the GDPR’s applicability). Among the information provided by the CNPD we highlight the following:
The National Data Protection Commission has published on its website a model of record of processing activities for controllers and a model for processors, in accordance with the requirements set forth in article 30 of the General Data Protection Regulation (Regulation (EU) 2016/679), which can be consulted aqui.
The European Parliament's Civil Liberties Committee has filed a motion for resolution for approval in plenary session, requesting that the European Commission suspend the “Privacy Shield” agreement between the European Union and the USA, in force since July 2016, designed to facilitate international data transfer between these two zones.
The General Data Protection Regulation (GDPR), which is compulsory as from today, is a complex regulation that extends beyond the borders of Europe. The new rules will affect all companies, regardless of their location, that handle data of individuals living in the European Union, even if the company in question has neither a physical nor a legal presence in Europe.