On the 14th of June 2019 (one year later than expected) Portugal finally approved Draft Law no. 120/XIII/3.ª (GOV), implementing the (EU) Regulation 2016/679 (General Data Protection Regulation or GDPR) in Portugal.
The Draft Law shall enter into force on the day following that of its publication in the Portuguese Official Journal, which is dependent of previous ratification by the President of the Republic of Portugal.
Throughout the preparation and approval process of the Draft Law, several concerns were raised, namely by the Portuguese supervisory authority, the Data Protection Authority (Comissão Nacional de Proteção de Dados - CNPD), which, rather strangely, was not actively involved on the drafting of the Law.
Although some of those concerns were subject of revision and amendment, the final version of the Draft Law kept several controversial provisions, which we will address in detail below.
A. PUBLIC ENTITIES : MANDATORY DATA PROTECTION OFFICER
In order to comply with Article 37 of the GDPR, the Draft Law established an exhaustive list of the public entities required to appoint a DPO, including, amongst others, Municipalities, Public Institutes, Public Schools and State, Regional and Local Business Sector Entities (Setor Empresarial do Estado).
B. CERTIFICATION MECHANISMS : PORTUGUESE ACCREDITATION INSTITUTE
As provided in Article 43 of GDPR, the Draft Law also determines the accreditation and certification process. Accordingly, GDPR related codes of conduct or certification mechanisms must be approved by a certification body which shall be recognized by the (IPAC, I.P.). The requirements established by the Portuguese Supervisory Authority (CNPD) shall be considered by IPAC, IP on the approval decision.
C. MINORS CONSENT : INFORMATION SOCIETY SERVICES
Pursuant to Article 8 of GDPR, regarding the offer of information society services, the Draft Law establishes that personal data processing of a child above the age of 13 years will not require consent by the respective legal representatives.
D. PUBLIC ENTITIES : EXEMPTION
The exemption granted to public entities was another provision which received a strong disapproval by the Portuguese supervisory authority when the first draft of the law was made public. Regarding this topic, GDPR left to each Member State the decision on whether and to what extent administrative fines should be imposed on public authorities and bodies. The Portuguese Parliament came up with a compromise solution, establishing that such exemption will only be applicable for a maximum period of three years. All other rules, including corrective measures, will be applicable to public entities.
E. SOCIAL SECURITY DATA : DATA RETENTION DEADLINES
Data related with Social Security relating to contributions for retirement purposes shall be exempt of data retention deadlines. However, appropriate technical and organizational measures shall be adopted in order to ensure the rights of the data subjects.
F. DECEASED INDIVIDUALS : PERSONAL DATA
Although GDPR expressly states that its provisions are not applicable to deceased individuals personal data, the Draft Law includes an innovative provision establishing that the deceased individuals personal data which integrates the special categories of personal data, as provided under Article 9 of GDPR, shall also be protected.
G. LABOUR RELATIONS : EMPLOYEES DATA
The Draft Law established specific rules as regards to the processing of employees’ personal data in the employment context, in particular, regarding the following topics: Employees’ Consent, Video Surveillance Systems and Biometric Data.
H. HEALTH & GENETIC : DATA PROCESSING
The Draft Law determined that processing of health and genetic data shall be limited to the “need-to-know” principle. Moreover, data controllers are obliged to give notice to data subjects of all accesses to their personal health related data, which means that data controllers will have to implement a traceability mechanism.
I. MISDEMEANOR PROCEEDINGS : PREVIOUS REMEDY WARNING
As regards to Misdemeanor Proceedings, the Draft Law provides that, except for willful misconduct cases, the opening of a misdemeanor proceeding by the Portuguese supervisory authority must be preceded by a warning for the remedy of the breach by the infringer within a reasonable deadline.
For very serious infringements, three different recipients’ categories have been defined: Large Companies, SME’s and Individuals. In case of serious infringements the applicable amounts shall be reduced to half.
The amount of the fines collected shall revert in 60% for the Portuguese State and 40% for CNPD. The fact that the CNPD collects 40% of the amount of the fines that itself decides to impose, raises some concerns of possible conflicts of interest, although it is similar to other existing laws in Portugal.
J. CONSENT RENEWAL : NO DEADLINE EXTENSION
Contrary to what was announced, the Draft Law has not established a new deadline for consent renewal. Although the original intention was to grant a six months deadline extension, the Portuguese parliament ended up eliminating such provision.