Law No 58/2019, which ensures the implementation in Portugal of Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR) (3/2019)

 

YEAR 

2019

Osservatorio sulle fonti / Observatory on Sources of Law

----------------------------------------------------------------------------

Section: Sources of Law in the EU member States

Portugal

By Ana Neves

Name of the Act/s

Law No 58/2019, which ensures the implementation in Portugal of Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR).

Date of entry into force of original text

Law No 58/2019 entered into force on the day following its publication, that is, on 9 August 2019.

Date of Text (Adopted)

August 8, 2019

Type of text 

(name in English / name in the official language)

Law of the Parliament / Lei

Law ensuring the implementation in the national legal order of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) / Assegura a execução, na ordem jurídica nacional, do Regulamento (UE) 2016/679 do Parlamento e do Conselho, de 27 de abril de 2016, relativo à proteção das pessoas singulares no que diz respeito ao tratamento de dados pessoais e à livre circulação desses dados.

If federal State

No. Portugal is a unitary state.

If Regional State 

No. Portugal has just two autonomous regions, the Azores and the Madeira archipelagos. These have their own political and administrative statutes and self-government institutions.

Enacted by

Parliament

Reference to the Constitution (art)

Article 161 (c) 

(https://dre.pt/constitution-of-the-portuguese-republic)

Subject area

Fundamental rights; personal data; European Union.

If the act implements a source of EU Law: cite the relevant EU legal source

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).

Comment 

1. The Law 58/2019, with 68 articles, intends to implement the GDPR. It adds some details and some specific provisions to those of the Regulation. Simultaneously, it revokes the former personal data protection law, the Law No. 67/98, of 26 October, and amends and republishes the law on the organization and operation of the National Data Protection Commission (“CNPD”), Law No. 43/2004, of 18 August.

The Law 58/2019 applies to the processing of personal data in national territory, regardless of the public or private nature of the controller or processor, even if the processing of personal data is carried out in compliance with legal obligations or in the pursuit of public interest tasks, without prejudice to the exceptions provided for in Article 2 of the GDPR. It also applies, in certain cases, to the processing of personal data undertaken outside national territory.

2. Three types of provisions can be distinguished: provisions on some organisational aspects; substantive provisions; and provisions on remedies, liability and penalties.

2.1. Regarding organisational aspects, the Law 58/2019 gives the CNPD new powers in addition to those set out in Article 57 of the GDPR (Chapter II) and has some provisions on the data protection officer (Chapter III). Mainly, it: i) lists the public authorities which are obliged to have a data controller; ii) repeats the provisions of Article 37(1) of the GDPR on private entities; and iii) establishes that professional certification is not required for the data protection officer to perform his functions; that he has a duty of professional secrecy during and after the end of his term of office; and that, besides the competences specified in the GDPR, he shall ensure audits, make users aware of security issues and ensure relations with data subjects in matters covered by the GDPR and national data protection legislation. The law also provides for accreditation, certification and codes of conduct: the competent authority for the accreditation of certification bodies in data protection matters is the Portuguese Accreditation Institute, which has to take into account not only the requirements set out in the GDPR, but also additional requirements established by the CNPD (Chapter IV).

2.2. As to the substantive aspects, on the one hand, the Law 58/2019 dedicates one chapter to special provisions (Chapter V), related to child's consent, personal data of deceased persons, data portability and interoperability, video surveillance, duty of secrecy, storage limitation, transfers of data to third countries to the European Union or international organisations, and the processing of personal data by public authorities for purposes other than those determined by their collection. On the other hand, it has a chapter on “specific situations of processing of personal data” (Chapter VI), with provisions on freedom of expression and information, publication in the official journal, public access to official documents, the publication of public procurement data, labour relations, treatment of health data and genetic data, centralised health databases and registers, and processing for archiving purposes in the public interest, scientific or historical research purposes and statistical purposes.

With regard to “special provisions”, for instance, as regards the offer of information society services directly to a child, the processing of personal data is lawful through consent at the minimum age of 13, without the need for intervention by the holders of parental responsibility. The right to data portability encompasses the data provided by the data subjects, and the portability shall be processed in an open format, if possible. Sound recording by video surveillance systems is prohibited, except in the period in which the facilities under surveillance are closed or when prior authorization has been obtained from the CNPD for that purpose.

With respect to the processing of personal data in specific situations, the Law 58/2019 has provisions on reconciling data protection with the freedom of expression and information and with public access to official documents; they mainly refer in general terms to the need for them to be respected. The provisions on publication in the official journal and on the publication of public procurement data intend to restrict to the greatest extent possible the personal information to be provided. As regards the processing of health and genetic data, access shall be governed by the need-to-know principle, and the data controller is obliged to notify the data subject of any access to such data, and so has to implement a traceability and notification mechanism. It provides that for purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, access to data shall be exclusively electronic, except in case of technical impossibility or express indication of the data subject otherwise. Concerning labour matters, unless otherwise provided by law, the employee's consent does not constitute a requirement for the legitimacy of the processing of his personal data where the processing would result in a legal or economic advantage for the worker; or where such processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. Recorded images and other personal data may be used for the purpose of establishing disciplinary responsibility, in so far as they are used for the purposes of criminal proceedings. The processing of biometric data is only considered lawful for attendance control and access control to the premises.

Public entities may process personal data for purposes other than those determined by the collection, but this must be exceptional and must be duly justified with a view to ensuring the pursuit of a public interest that cannot otherwise be safeguarded, under the terms of subparagraph e) of paragraph 1 and paragraph 4 of Article 6 and subparagraph g) of paragraph 2 of Article 9 of the GDPR. On the other hand, they may, under the terms of Article 83(7) of the GDPR, upon a duly reasoned request, request the CNPD to waive the imposition of fines for a period of three years from the entry into force of this law.

2.3. The Law 58/2019 has a chapter on remedies, liability and penalties (Chapter VII - administrative and jurisdictional protection). It is established that the CNPD is entitled to intervene in legal proceedings in the event of a violation of the provisions of the GDPR and of the Law 58/2019, and shall report to the Public Prosecutor's Office criminal offences of which it becomes aware in the exercise of its functions and because of them, as well as perform the necessary and urgent precautionary acts to secure the means of evidence. The new law stipulates that it is the administrative courts that have jurisdiction to decide the actions brought against the CNPD.

There is a section (Section II) that identifies administrative infractions and another that identifies criminal offenses (Section III). The minimum amounts of the administrative fines are set out, depending on whether the offender is a natural person, an SME or a large company, and may vary from €500 for serious offenses committed by natural persons to €20,000,000 or 4% of the total worldwide annual turnover, in the case of very serious breaches by large companies. The criminal penalties, which are similar to those provided for in the previous personal data protection law, except for the crime of violation of the professional secrecy duty, whose maximum limit is reduced to half, are up to 2 years imprisonment or a fine of 240 days.

3. The GDPR is having a major impact and is motivating to some extent an excessive practice and similar positions. On the one hand, regarding public administration, the GDPR is being used to make access to administrative information and public access to official documents even more difficult (for instance, see OECD, Reviewing and supporting Regulatory Impact Assessment in Portugal. Project Inception Report. Final draft, 2017 (https://www.jurisapp.gov.pt/custa-quanto/relat%C3%B3rios-de-atividade/), p. 24: “Open data is scarce in Portugal. Within the public administration, one factor aggravating the difficulty to generate relevant data is the confidentiality regime which hampers the establishment of common databases and data sharing.”). On the other hand, the National Data Protection Commission, on September 3rd, 2019, by the Deliberation 2019/494, has defined its understanding of fifteen rules of the Law 58/2019 and informed that it will not apply them in future cases concerning the processing of data and the conduct of controllers and processors (https://www.cnpd.pt/bin/decisoes/Delib/DEL_2019_494.pdf). Among these rules is, for instance, the one that allows the processing of personal data by public entities to be carried out for purposes other than those justifying data collection (Article 23 (1)), which, in the view of the CNPD, does not comply with the requirements imposed by Article 6 (4) of the GDPR, and the principle of purposes of collection. Regarding Article 28 (3) (a), the CNPD understands that this is an excessively restrictive limitation of worker consent, which does not guarantee the dignity and fundamental rights of workers. According to the CNPD, the territorial scope of the law compromises the application of procedural rules and the distribution of powers between national supervisory authorities, where cross-border processing is concerned (Article 2 (1) and (2)).

It is also worth highlighting that on 25th September 2018, the European Data Protection Board delivered the Opinion 18/2018, on the draft list of the National Data Protection Commission regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR). The Board concluded that the draft list of the Portuguese supervisory authority may lead to an inconsistent application of the requirement for a data protection impact assessment and proposed some changes. The main issue related to the fact that it had included in the list types of processing operations that should not be included (https://edpb.europa.eu/our-work-tools/our-documents/valdybos-nuomone-64-str/opinion-182018-draft-list-competent-supervisory_pt).

Secondary sources/ doctrinal works (if any)

Several doctrinal works, for instance, UNIO, EU Law Journal, Vol. 4, no. 2, July 2018, https://doi.org/10.21814/unio.4.2; and Forum de Proteção de dados, CNPD, n.º 1, julho de 2015; n.º 5, novembro 2018, https://www.cnpd.pt/bin/revistaforum/revistaforum.htm.

Available Text

https://dre.pt/web/guest/pesquisa/-/search/123815982/details/maximized

Osservatorio sulle fonti

Online journal registered with the Court of Florence (decree No. 5626 of 24 December 2007). ISSN 2038-5633.

The Osservatorio sulle fonti has been recognised by ANVUR as a scientific journal and placed in Class A.
