More than a year after the entry into force of the General Data Protection Regulation (GDPR), a European regulation directly applicable in all EU countries, our implementing law enters into force today. Its aim is to frame the organic implementation of the GDPR in Portugal, clarifying some points that lacked a local context.
We highlight, in a simplified way, the main provisions of Law No. 58/2019:
- Competent Entities:
- the CNPD has been appointed the national supervisory authority for the purposes of the GDPR;
- the authority designated for the accreditation of data protection certification bodies is IPAC, I.P.;
- Public Entities
- public entities may be exempted from fines for three years upon a prior application for exemption, which is subject to approval by the CNPD;
- processing for purposes other than those that justified the data collection is permitted, provided that the public interest is at stake;
- Minors
- the age considered for the consent of minors is 13 years for the purposes of free, specific, informed and explicit consent for the processing of personal data;
- if the child is under the age of 13, processing is only lawful if consent is given by the child's legal representatives, preferably through secure means of authentication;
- Employment relationship
- the collection of biometric data may only be carried out for the purposes of monitoring attendance and controlling access to the premises, and its use must comply with specific and defined rules;
- video images or other technological means of surveillance may only be used in criminal proceedings;
- Deceased data subjects
- the personal data of deceased persons are protected when they fall within the special categories of personal data or when they relate to the intimacy of private life, image or communications data;
- Health
- health and genetic data may only be accessed by professionals bound by an obligation of secrecy and exclusively through electronic means, and any access to such data must be communicated to the data subject;
- Data Protection Officer (DPO)
- additional functions are defined for the DPO, namely:
- (a) ensuring audits, whether periodic or unscheduled;
- (b) raising awareness among users of the importance of detecting security incidents in a timely manner and of the need to immediately inform the security officer;
- (c) ensuring relations with data subjects;
- Fines
- for large companies, very serious administrative offences carry a minimum fine of €5,000 and serious ones a minimum of €2,500. For SMEs, the minimum amounts range from €1,000 to €2,000;
- when determining the amount of the fine, the company's turnover and annual balance sheet, the continued nature of the infringement and the size of the entity should be taken into account;
- crimes relating to personal data, including the use of data for a purpose other than that of collection, improper access, data diversion, breach of the duty of confidentiality and disobedience, are punishable by imprisonment of up to two years or by a fine of up to 240 days.