The Portuguese law that applies the GDPR has come into effect: learn what’s changed
The publication in the Diário da República of Law no. 58/2019 ensures the execution, within the Portuguese legal order, of the GDPR, which came into effect in the EU on 25 May 2018. The transposition of these European norms into Portuguese law is fundamental for adapting the General Data Protection Regulation to the Portuguese reality.
One of the points changed by lawmakers when voting on the Law in the Assembly of the Republic was the value of the fines, which may go up to 20 million euros or 4% of the company’s annual turnover. The Portuguese Law imposes minimum and maximum limits. As such, the fines for very serious infractions range from five thousand euros up to 20 million euros (or 4% of turnover) for large companies, and from two thousand euros up to two million euros (or 4% of turnover) for small and medium-sized enterprises (SMEs). Individuals are subject to fines ranging from one thousand to 500 thousand euros. For serious infractions, large companies can pay between 2,500 and 10 million euros (or 2% of turnover) and SMEs can pay between one thousand and one million euros (or 2% of turnover). Individuals risk fines between 500 and 250 thousand euros.
The exact value of each fine will be set by the National Data Protection Commission (CNPD), the authority responsible for supervising compliance with the GDPR in Portugal. In addition to the turnover of the companies involved, the fines will take into account their annual balance sheets, the number of employees, the types of services they provide, and the seriousness of the infraction. The Law also provides for compensating data subjects who suffer losses due to improper processing of their data.
Public entities are also subject to fines, although they may request an exemption period: on a reasoned request, the CNPD may exempt them from the application of the fines for three years.
It is important to note that the Law has retroactive effect back to 25 May 2018, when the GDPR came into effect at the EU level. As such, new proceedings may arise concerning data breaches that occurred before the publication of the Portuguese Law.
In any case, the CNPD has already applied several fines for non-compliance with the GDPR, including to private companies. The hospital in Barreiro, Portugal, was the only publicly known case, after being fined 400 thousand euros for having allowed improper access to patients’ data. The hospital’s administration has appealed the decision and the case has not yet been closed.
At the European level, the largest fine for non-compliance with the GDPR was applied in France, against Google, for the improper use of personal data to target ads without the mandatory consent of the data subjects.
DPOs do not require professional certification
The Portuguese law published in the Diário da República, the country’s official gazette, defines as crimes some of the conduct involved in violating the GDPR’s norms, namely the use of data for purposes other than those for which it was collected, unauthorized access to personal data, insertion of false data, breach of secrecy, and theft of data.
The national Law also clarifies other relevant aspects of the European Regulation, establishing, in particular, that Data Protection Officers (DPOs) do not need professional certification and are only required to have direct knowledge of data protection. It also establishes that the certification of companies that comply with the GDPR must be carried out by entities recognized by the Portuguese Institute of Accreditation (IPAC) and by the CNPD.
The national norm specifies a regime for biometric data and allows the use of video surveillance cameras in workplaces; however, the recordings may only be used within the scope of disciplinary proceedings against employees or in the event of a criminal offence.
Another point the Law clarifies is that anyone aged 13 or over can give their free and informed consent without requiring parental authorization.
How can companies prepare themselves?
With the publication of the Portuguese Law, companies can no longer avoid applying the GDPR. It is advisable that they prepare adequately, to avoid unpleasant surprises that can prove far more costly than the investment in people and technology needed to comply with the Law. This process also ensures greater transparency and a clearer relationship with data subjects, which contributes to companies’ reputations.
As such, it is urgent to set up briefing and training sessions for employees to raise their awareness of GDPR compliance. Carrying out an internal audit and a Privacy Impact Assessment, to evaluate the impact of the Law’s application on the handling of personal data, are also fundamental steps.
Companies need to map in detail the personal data they collect and process, strengthen their security and data protection policies and practices, and clearly define their privacy and consent processes. Nor can they neglect the procedures to follow in the event of a data breach.
Eurotux can cooperate with your company in this process, with consulting, assessment, and planning services that are fundamental to guaranteeing compliance with the GDPR. Get in touch with us to learn how we can help you!