Portugal has not yet approved a local law implementing the General Data Protection Regulation (GDPR).
In March 2018, the Portuguese Council of Ministers presented a bill to the Portuguese Parliament. The new law was supposed to come into force on the GDPR's own application date, 25 May 2018. A year later, we are still waiting for the bill to be voted on.
During the last year, the Portuguese GDPR bill was criticized by many, including the Portuguese supervisory authority, the Data Protection Authority (Comissão Nacional de Proteção de Dados – CNPD), which had no say in the drafting of the bill.
Among other issues, the Government's proposal replicated several provisions of the GDPR and, in some cases, contravened it. For instance, the bill stated that the local law would apply to "the processing of personal data of data subjects resident in Portugal", instead of referring to the data subjects who are in Portugal, irrespective of whether they are resident there. This wording limits the scope of the law and leaves non-residents who happen to be in Portugal unprotected.
After the discussion period and a review by members of the Portuguese Parliament, the territorial scope provision was amended to comply with the GDPR. The current version also shows some effort to avoid needless duplication of the GDPR text.
The exemption of public entities from fines was another provision that drew strong disapproval from the Portuguese supervisory authority. In this regard, Article 83/7 of the GDPR states that "(…) each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State."
In Portugal, there is no tradition of exempting public entities from fines, and there is no material reason to treat public and private entities differently. In fact, the proposed exemption gave many public entities the idea that controls would not apply to them and that they would have more time to implement the GDPR. As a consequence, the public sector, along with SMEs, has been delaying GDPR implementation.
In the meantime, in response to the public criticism, the Portuguese Parliament proposed a compromise. Under the current draft bill, the exemption may be granted by the Portuguese supervisory authority on justified grounds, on a case-by-case basis, and for a maximum period of three years. All the other rules, including the GDPR's corrective measures, will apply to public entities.
However, this compromise solution is still considered a sensitive matter. If this provision is approved, it is very likely that the Portuguese supervisory authority will apply the exemption only in very exceptional cases.
The Portuguese bill also includes specific provisions on the Data Protection Officer (DPO), including secrecy and confidentiality duties, tasks, and which public entities are obliged to appoint a DPO.
In general terms, the GDPR establishes that public authorities are required to appoint a DPO. In order to determine which public entities have to fulfil this obligation, the Portuguese GDPR bill provides a list of public entities, including the Portuguese State, the Autonomous Region of Madeira, the Autonomous Region of Azores, municipalities, independent supervisory authorities, public institutes, public law schools, the State and municipal business sectors, and public associations.
Between the earlier version and the latest one, there are two major differences. First, Portuguese parish councils (juntas de freguesia) with more than 750 inhabitants are now obliged to appoint a DPO; earlier, the appointment of a DPO was decided by each parish on a case-by-case basis.
The second change may have a significant impact on the State business sector (sector empresarial do Estado – «SEE»): while the first proposal provided that only public undertakings (entidades públicas empresariais – «EPE») were obliged to appoint a DPO, the new version extends the obligation to all public business entities of the SEE, all of which must have a DPO.
The Portuguese bill also provides the following:
(a) GDPR codes of conduct or certification mechanisms must be approved by a certification body recognized by Instituto Português de Acreditação (IPAC, I.P.) and in accordance with the requirements established by the Portuguese supervisory authority. To our knowledge, no GDPR codes of conduct or certification mechanisms are in place so far;
(b) In relation to the offer of information society services, the Portuguese bill establishes that the processing of the personal data of a child above the age of 13 years will not require parental consent. Although Portuguese law usually adopts a conservative approach to minors' rights, using 16 years as the reference age, the Portuguese bill opted to follow the majority of the Member States, which set the age at 13 for information society services;
(c) The Portuguese bill provides for specific rules on the processing of employees' personal data in the employment context, in particular as regards the conditions under which employees' personal data may be processed on the basis of the employee's consent, as well as on the use of video surveillance systems and employees' biometric data. Generally, the employee's consent is not a lawful basis for processing employees' data if: (i) the processing results in a legal or financial advantage for the employee; or (ii) the processing is necessary for the performance of the employment contract. Video surveillance systems may only be used against employees within the scope of criminal proceedings. The use of employees' biometric data is only lawful for the purposes of attendance and access control to the employer's premises;
(d) The processing of genetic data and data concerning health is subject to the "need-to-know" principle. Data controllers are obliged to notify data subjects of every access to their personal data concerning health. This means that data controllers will have to implement a traceability mechanism for such accesses;
(e) No data retention deadlines apply to data concerning Social Security contributions kept for retirement purposes;
(f) Except in wilful cases, the opening of misdemeanour proceedings by the Portuguese supervisory authority must be preceded by a warning to remedy the breach within a reasonable deadline. For very serious infringements, the fine thresholds are divided into three categories of addressee: (i) €5,000 to €20,000,000 or 4% of the annual turnover, for large companies; (ii) €2,000 to €2,000,000 or 4% of the annual turnover, for SMEs; and (iii) €1,000 to €500,000 for individuals. Half of these amounts apply in the case of serious infringements.
On some matters, the Portuguese GDPR bill is silent. For instance, the bill does not establish specific rules applicable to private life data, including solvency and creditworthiness. Such data was treated as akin to sensitive data (now "special categories of data") under the former Portuguese data protection law.
The Portuguese GDPR bill also does not contain specific provisions on the relationship between the GDPR and the right of access to public documents, nor rules on private enforcement in relation to decisions taken by the supervisory authority.
Moreover, the Portuguese bill surprisingly establishes a «standstill» period for new consents, entitling data controllers, whether private or public entities, to obtain new consents from data subjects within an additional period of six months from the effective date of the local law. This provision, which remains unchanged in both versions of the bill, clearly contravenes the GDPR, which is directly applicable in all Member States, including Portugal. The GDPR does not include any special rule on consent that would allow Portugal to set a deadline later than 25 May 2018. Therefore, this provision is expected not to be incorporated into the final statute.
Although some sensitive issues still remain, the final text should be voted on and approved by the members of the Portuguese Parliament next month.
Cláudia Fernandes Martins
Macedo Vitorino & Associados