On Aug. 8, the long-awaited data protection law for Portugal was published. The Execution Law of the General Data Protection Regulation was first approved in June but did not go into force until it was sanctioned and published in early August. Portugal has followed the guidance offered to member states by the EU General Data Protection Regulation regarding the age of consent, criminal sanctions and limits to penalties, data protection officers, accreditation and certification, data subjects’ rights and the powers of the data protection authority. The scope encompasses all processing activity carried out in Portugal, regardless of the private or public nature of the controller, even if the processing is made for compliance with legal obligations or within a mission in the public interest. The main elements of the new regime are discussed below.

Data protection officer

The data protection officer must be appointed based on professional qualities and have specialized knowledge in the law and practices of data protection, but a professional certification is not required. Regardless of the nature of the legal relationship, the DPO exercises their function with technical autonomy. There are three functions for the DPO: ensure audits are conducted, create awareness for the importance of the early detection of security incidents, and ensure the relations with the data subjects in terms of data protection. As the Comissão Nacional de Protecção de Dados has noted, these additional functions constitute a violation of the GDPR as they are not provided for in the GDPR.

Consent

The age of consent is 13 years old. Processing personal data for a child under the age of 13 is only legal if their representatives have consented through a means of secure authentication.

Deceased

There is a special provision to protect the deceased — when the data relates to special categories or the intimacy of private life, the image or data pertaining to communications. There is also the right of access, rectification and the right to be forgotten that will be exercised by those appointed by the deceased or the respective heirs.

Portability and interoperability

The legislator clarifies this right only applies to data provided by the data subject, thus not adopting the position of the Article 29 Working Party that mentions this could also include inferred data. Also, it clarifies that whenever possible, the portability of the data must be in an open format.

Video surveillance

Video surveillance is restricted to the need to protect people and assets, which is in line with the CNPD’s position in relation to video surveillance. The law establishes the cameras cannot target public roads, interior of areas reserved to clients, users or workers, such as bathrooms, waiting rooms and dressing rooms, nor can it point to ATMs in such a manner that it captures the keyboard.

Secrecy duty

The rights to information and access to personal data provided in Articles 13 to 15 of the GDPR cannot be exercised when the law imposes to the controller or processor a secrecy duty that is opposable to the data subject.

Data retention periods

The retention period is what the law sets forth or, if there is no applicable law, the period that is necessary for the respective purpose. Controllers and processors may retain personal data if it is necessary to prove obligations of a contractual nature or other nature if the prescription period of the corresponding rights has not yet elapsed.  The right to be forgotten can only be exercised at the end of the retention period.

Personal data relating to social security contributions for purposes of retirement can be retained forever, as long as adequate technical and organizational measures in order to guarantee the data subjects rights. Note: The retention ad eternum of data is not in compliance with the GDPR.

Freedom of speech

Data protection does not hinder the exercise of freedom of speech, information and press, including the processing of data for journalistic purposes and purposes of literary, artistic or academic expression. The exercise of the freedom of speech when it reveals personal data provided for in Article 9 of the GDPR or pertain to deceased individuals must respect the principle of the dignity of the individual and their personality rights as provided in the Portuguese Constitution.

The exercise of the freedom of speech does not legitimize the disclosing of personal data, such as addresses and contacts, except those that are of common knowledge.

Publicizing data in the official gazettes must comply with the minimization and purpose limitation principles. If the personal data “name” is enough to guarantee the identification of the data subject and the effectiveness of the processing, then no other personal data should be published. The right to be forgotten in this case has an exceptional nature and is executed through deindexation of the personal data in the search engines.

Labor relations

Unless there is a legal provision, the consent of the employee does not constitute a legitimacy requirement for the processing of its personal data unless the processing results in a legal or economical advantage to the employee or if the processing is necessary for the performance of a contract. The wording of this article is not clear and can be interpreted in such a way that the consent of employees will never be legitimate.

Using biometric data of employees is considered legitimate for access control purposes or attendance control purposes. Only representations of the biometric data should be used, and the collection process does not allow the reversibility of the data.

Health and genetic data

Access to this type of data must comply with the need-to-know principle. The data subject must be notified of any access to his data, and it is up to the controller to ensure the availability of this traceability and notification. Measures and minimum technical requirements that should be applied to this treatment will be later approved by the government.  This provision is likely the result of the fine that was applied to Hospital do Barreiro and is common to most of the public health institutions, which related to a lack of traceability in the system that managed the health data.

Administrative fines

The DPA must consider the following when determining the fine: the economic situation of the entity, if the violation is of a continuous nature, severity of the situation, number of employees and nature of services provided. Large companies may be subject, for very serious offenses, to fines between 5,000 and 20 million euros or 4% of the total worldwide annual turnover, whichever is higher. Small and medium enterprises may be subject to fines between 2,000 and 2 million euros or 4% of the total worldwide annual turnover, whichever is higher.

Public entities may also be subject to fines, although they may request an exemption for a period of three years from the application of the fine. However, the position of the CNPD has been that both types of institutions should have the same treatment based on the principle of equality.

Dependent on the crime, the entity may be subject to imprisonment up to one or two years or 120 up to 240 days criminal fine, whichever is applicable.

Collective and equivalent persons may responsible for any of these crimes, except the state and collective persons when exercising public power prerogatives.

Final words

The DPA applied a major fine of 400,000 euros to Hospital do Barreiro in 2018 and in 2019 applied other fines, one amounting to 20,000 euros for noncompliance with the data subject's right of access, two fines of 2,000 for noncompliance with Article 13 of the GDPR and another, also of 2,000 euros, for violation of the information rights of a data subject.

photo credit: Debarshi Ray Lisbon via photopin (license)