Data protectioni Requirements for registration
The LC has several provisions concerning processing employees' personal data, but there are no specific provisions concerning processing employees' personal data within the employment relationship other than normal data processed by the company's human resources department.
This means that all situations of data processing that fall outside this limited scope may be subject to notification to the Portuguese Data Protection Authority (CNPD) and require prior written authorisation from the employee. The notification must identify what data is being processed and for what purpose, along with the identification of any data processors to whom the information is disclosed, and measures related to security and transparency of the data processing. The consent of the employee is not necessary if the data processing is considered necessary for the performance of the contract. In any case, as it is difficult to determine exactly what data is strictly necessary, it is prudent to obtain consent from the employee to process his or her data.
The CNPD can, however, exempt certain specific data processing from notification, and it has issued general exemption decisions that cover the basic processing of employees' data that is necessary for the management of the staff and for payroll purposes.
The employer, as data controller, must ensure that the personal data of the employees is processed in secure technical conditions and that access to the information is limited to those staff members who need to access this information to perform their job functions.ii Cross-border data transfers
Any transfer of an employee's data from the employer to another entity must be authorised by the employee.
Cross-border data transfers must be disclosed to the CNPD when registering data processing. The transfer will require the CNPD's prior approval if it is made to a country that is not an EU Member State, unless it is a country listed by the EU as guaranteeing an adequate level of protection. Additionally, onward transfers are restricted to parties that are bound by agreements setting a minimum level of protection.iii Sensitive data
Portuguese law considers information revealing philosophical or political beliefs, political views, trade union membership, religion, privacy, racial or ethnic origin, or health or sexual life, including genetic data, as sensitive data.
Processing sensitive data is prohibited unless there is a prior approval of the data processing by the CNPD. In the employment field, there are some other kinds of data processing that are subject to prior approval, such as the use of remote surveillance mechanisms.iv Background checks
The Constitution contains a general right to privacy regarding personal and family life, which is confirmed by the LC. The employer may not demand from an applicant or employee to provide information related to his or her private life, except when the information is strictly necessary and relevant to evaluate the person's aptitude for the performance of employment, and the respective motivation is provided in writing. However, no background checks are allowed unless the information is strictly necessary because of the nature of the job and is authorised by the candidate or the employee.