Data security and breach notification
Are there specific security obligations that must be complied with?
Yes. Articles 17(d) and 18(b) of Law 1581/2012 provide that data controllers and processors must keep personal data under the security conditions necessary to prevent its adulteration, loss, or unauthorised or fraudulent consultation or use.
Are data owners/processors required to notify individuals in the event of a breach?
No. However, the Data Protection Authority’s accountability guidelines regarding the processing of personal data state that data controllers and processors must establish a management system for any potential security incidents involving personal data stored in their databases. This system should require that any such breach (and details of any measures taken to minimise its impact) be reported to the Superintendence of Industry and Commerce and the data subjects in question.
While notifying data subjects is not mandatory, it is suggested best practice under the accountability guidelines. There are no penalties for non-compliance with the accountability guidelines. However, if the Superintendence of Industry and Commerce finds during an investigation that the data controller or processor under review has followed the accountability guidelines, more lenient penalties must be applied.
Are data owners/processors required to notify the regulator in the event of a breach?
Yes. Articles 17(n) and 18(k) of Law 1581/2012 provide that any security breach and risk to the management of data must be reported to the Data Protection Authority.
Electronic marketing and internet use
Are there rules specifically governing unsolicited electronic marketing (spam)?
No. General data protection laws apply (ie, Law 1581/2012 and Decree 13377/2013) and the delivery of unsolicited electronic marketing therefore breaches such laws.