The Council of Ministers recently approved Draft law n.º 67/2018 (hereinafter “Draft Law”) that will ensure the implementation of the GDPR in Portugal. This draft is still subject to changes as it will have to be approved by the Parliament, with the discussion and voting scheduled for the next 3rd of May.

Nonetheless, there are some important points to highlight in respect of the choices made by the Government:

  • On a practical note, and certainly clearing a significant backlog, according to the Draft Law, all of the notifications and authorization applications pending decision, will expire when the Draft Law enters into force.
  • In contrast, the Draft Law states that all controllers that have an authorization issued pursuant current Portuguese Data Protection Law (Law n.º 67/98, of October 26), will be exempt from undertaking a Data Protection Impact Assessment.
  • Also alleviating the burden of implementation is the possibility of having a further 6 months (i.e. until November) in order to obtain new consents in line with the requirements of the GDPR.
  • According to the Draft Law the National Commission for Data Protection (Comissão Nacional de Proteção de Dados – CNPD) will remain as the Supervisory Authority in the matter of Data Protection.
  • The competent authority for the accreditation of certification bodies for data protection will be the Portuguese Accreditation Institute, I.P. (IPAC – Instituto Português de Acreditação, I.P).
  • Following the example of other countries and the opinion of those most actively discussing the matter in Portugal, the Draft Law states that in relation to the minimum age for allowing to process children’s personal data in the context of an offer of information society services is 13 years old.
  • With respect to portability, the Draft Law states that where interoperability of the data is not technically possible, the data subject has the right to demand that the data is delivered to him in an open digital format.
  • With regard to the right to erasure (“Right to be forgotten”), the draft law provides that in cases where there is a data retention period imposed by law, the right to erasure provided for in article 17 of the RGPD can only be exercised after that period.
  • The Government has also opted to impose some limitations on data processing resulting from CCTV recording, mostly to comply with the existing legal framework set by Law no. 34/2013, of May 16 and guidelines from the Portuguese Data Protection Authority.
  • In respect of data retention periods, the Draft Law clarifies that the data retention period shall be (i) the one that is established by law or regulation or (ii) the period that is necessary for the purpose of the processing. However, it also adds that: 1) where, by the nature and purpose of the processing, it is not possible to establish the data retention period, the retention of the data shall be deemed lawful; and 2) in case the Controller or Processor is required to prove compliance with obligations, they may retain the data until the the statute of limitation period defined by law elapses.
  • Some of the more controversial choices have been with respect to data processing in the context of employment, where the draft law, besides clarifying the legal grounds for processing (generally disqualifying consent), has included some important limitations on: 1) the use of CCTV recordings, as well as on other technological means of remote surveillance (restricting it for criminal proceedings, or for the purposes of establishing disciplinary liability, carried out within a criminal proceeding); 2) the processing of biometric data of employees (only allowed for the control of attendance and control of access to the premises); 3) the transfer of personal data of employees between companies (only allowing said transfer in cases of occasional transfer of the employee, as far as the transfer of the data is proportional, necessary and appropriate to the objectives to be achieved or of assignment of employees by a company of temporary work, or secondment to another State).
  • With regards to public entities, the Draft Law contains detailed indications on the possible options for appointment of a single DPO for different entities.
  • There is also an indication that processing of personal data by public entities for purposes other than those determined by the collection of the data is allowed, provided that processing is carried out in the public interest.
  • The Draft Law also contains specific provisions concerning the processing of data in the context of: 1) public procurement proceedings; 2) health databases or centralized registers; 3) archiving purposes in the public interest; 4) scientific or historical research or for statistical purposes – making reference to the principle of data minimization and to the use anonymisation or pseudonymisation of the data, whenever the purpose of the controller may be achieved with the data in the referred conditions.
  • The technical guidelines for the application of the GDPR to public entities are to be approved by resolution of the Council of Ministers, which has meanwhile been published (Council of Ministers Resolution n.º 41/2018) and establishes the minimum compulsory and recommended technical requirements applicable to the IT systems and networks of public entities, which should be adopted until 29 of September of 2019.
  • With regards to penalties, the draft law defines 3 different levels of fines, setting minimum amounts depending on the nature of the infringer or size of the company (large enterprises – from €1.000 up to €4000; SMEs – from €500 up to €2.000; or individuals – from €250 up to €1.000): 1) very serious administrative offense (with a statute of limitation period of 3 years); 2) serious administrative offense (with a statute of limitation period of 2 years); 3) minor administrative offense (with a statute of limitation period of 1 year).
  • Another controversial option was the choice of exempting the application of fines to public entities, although defining that this option should be reviewed within 3 years, after the entry into force of the Draft Law.

Finally, the draft law foresees a list of criminal offenses similar to that which was already included in the previously existing Portuguese Data Protection Law.