“Personal data” means all information relating to an identified or identifiable natural person: name, identification number, location data and online identifiers, as well as one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that person, including genetic and biometric data.
With the aim of harmonising legislation in the field of Data Protection in all countries in the European Union, the new General Data Protection Regulation will be applied from May 25, 2018. Being a European Regulation, it is directly applicable to all Member States without the need for any transposition to each country.
Companies should adapt their rules to the European regulation during the two-year transitional period in order to avoid the application of heavy fines. Organisations are subject to fines of up to €20,000,000, or up to 4% of their annual worldwide turnover for the previous financial year, whichever is the greater.
The Regulation introduces important innovations at the organisational level, such as the introduction of accountability, the implementation of Privacy Impact Assessments (PIA), the mandatory notification of data breaches to the Data Protection Authority (CNPD), the appointment of Data Protection Officers, and enhanced data security.
According to the new regulation, processing of personal data is lawful when: a) the data owner’s consent is granted; b) it is necessary for the performance of a contract to which the data subject is a party; c) it is necessary for the fulfilment of a legal obligation to which the controller is subject; d) it is necessary for the protection of the vital interests of the data owner or of another natural person; e) it is necessary for the performance of functions of public interest or for the exercise of public authority; f) it is necessary for the legitimate interests pursued by the controller or by third parties.
Consent must consist of a manifestation of will which must be free, specific, informed and explicit. Tacit consent is considered invalid.
The Regulation applies to all entities dealing with personal data, i.e. to all operations involving personal data, and to subcontractors as well. It also applies to processing operations involving European personal data holders, irrespective of whether the controller (or the subcontractor) is located in the EU or not.
It is mandatory to provide more information to data owners, in writing or by telephone, at the point of data collection: in particular the legal basis for the data processing, the period of retention of the data, more detailed information on international transfers, and the possibility of filing a complaint with the CNPD.
Information should be provided to citizens in a concise, intelligible and easily accessible way, using clear and simple language. Particular care should be taken when the information is directed at children. Printed forms, privacy policies and all other texts that provide information to data owners therefore have to be reformulated.
In the event of a personal data breach, the controller must notify the competent supervisory authority of the breach within 72 hours of becoming aware of it. If this deadline is not met, the notification to the supervisory authority must be accompanied by the reasons for the delay.
Any personal data breach must be documented, including the facts relating to it, its effects and the remedial action taken.
Data owners’ rights have been extended to include the right to be forgotten, the right to restriction of processing and the right to data portability, as well as new requirements regarding the right to erasure and the notification of third parties of any rectification, erasure or restriction of processing requested by the data owner.
By Dr Eduardo Serra Jorge
Dr Eduardo Serra Jorge is a founding member, senior partner and CEO of the law firm Eduardo Serra Jorge & Maria José Garcia – Sociedade de Advogados, R.L., founded in 1987.
In his column, he addresses legal issues affecting foreign residents in Portugal.
Faro office: Gaveto das Ruas Pedro Nunes e José de Matos, 5 R/C
Tel. 289 829 326
www.esjmjgadvogados.com