While the Draft Bill that will implement and approve derogations to the General Data Protection Regulation (GDPR) is still in the Parliament to be discussed and approved, on May 25th, the Portuguese Data Protection Authority (CNPD), released a statement along with a list of New Frequently Asked Questions (FAQs), as well as the forms to report the appointment of the Data Protection Officer (DPO) and data breaches.
CNPD clarified that while the adoption of national legislation implementing the GDPR in Portugal, the current Portuguese Data Protection Law (Law 67/1998, of October 26) will remain in force to the extent it does not conflict with the GDPR. With regards to the processing of personal data related to crime prevention, investigation and prosecution, Portuguese Data Protection Law will remain fully applicable until Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 is implemented in Portugal. Therefore, CNPD remains with the powers conferred by Law 67/98 in relation to processing of personal data relating to the prevention, investigation and criminal prosecution and, in what concerns to processing of personal data covered by the GDPR, CNPD shall proceed according to the tasks and powers given by the new regulation.
The CNPD also announced that will provide a template for the record of processing activities, targeted mainly to help micro and small enterprises.
In what concerns to CNPD’s guidelines issued so far, they shall remain in force and apply, mutatis mutandis, without the prejudice of being updated in the near future to be in accordance with the GDPR.
Last, CNPD’s highlights that the GDPR’s sanctions framework is directly applicable.
• Do the authorisations issued by the CNPD before the GDPR remain valid?
Yes, in everything that does not conflict the provisions of the GDPR, in particular, the conditions of lawfulness of processing.
• Is there any registration required with the CNPD?
No. The previous notification requirement to CNPD no longer applies nor the prior authorisation request to carry out processing of certain personal data (e.g. sensitive data).
• Are controllers required to obtain new consent from its clients to process their data?
First, it must be checked whether the consent is the legal basis because within a contractual relationship with a customer as the data processing for the performance of a contract does not require the consent from the customer.
In case the data processed is beyond the data required for the performance of the contract and if the consent previously obtained was given implicitly, new consent compliant with the GDPR must be obtained.
Consent must be explicit, that is, the person must express the will to authorize and must be provided with the information referred to in Article 13 of the GDPR, including the right to withdraw consent and how at any time.
Consent must also be specific, which means it also must be differentiated, for example when data is used for different purposes or when data is disclosed to third parties, and always accompanied by the necessary information for each situation.
Finally, the CNPD highlights that it is also not possible to make the execution of a contract subject to obtaining consent from the data subject.
• Are controllers required to obtain workers’ consent in the context of administrative management or payroll processing?
No. The legal basis for processing of personal data, within the scope of human resources management, shall be the execution of the employment contract and the law as consent within an employment relationship is unlikely to be freely given due to the imbalance of power.
• Is there any template to inform data subjects of their rights?
For the moment no. Nevertheless, CNPD does not exclude the possibility of providing some standard wording applicable for basic data processing.
• Are DPOs required to have any certification?
No. The DPO should be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices.
Notification of the DPO to the CNPD
In compliance of Article 37, no. 7 of the GDPR, controllers and processors must communicate to the Data Protection Authority the contact details of the appointed DPO. To comply with this obligation, CNPD released a specific form in Portuguese language which, for now, is made available in excel format that after completed should be sent to a specific e-mail (email@example.com). Soon, this form will be able to be submitted on-line.
This form requests mandatory information on the controller and/or processor as well as on the DPO appointed.
CNPD emphasizes that the GPDR requires controllers and processors to publish the contacts of the DPO appointed and to inform data subjects of those contacts along with the information referred to in Articles 13 and 14 of the GDPR.
Notification of data breaches to the CNPD
Article 33 of the GDPR establishes the obligation for controllers to notify the supervisory authority of personal data breaches, not later than 72 hours after having become aware of it. To comply with this obligation, CNPD made available a notification form to be submitted online in Portuguese language. This form also allows to amend previous notifications.
The form requires mandatory information on the following:
(ii) Contact details
(iii) Data breach description
(iv) Data breach consequences
(v) Personal data affected
(vi) Data subjects affected
(vii) Information provided to data subjects
(viii) Preventive and corrective measures adopted
(ix) Cross-border processing
Finally, CNPD is currently moving to new premises at Avenida D. Carlos I, n.º 134, 1.º, 1200-651 Lisboa.