GDPR Guide to National Implementation: Portugal - A practical guide to national GDPR compliance requirements across the EEA


[co-authors: António Vigário and João Paulo Pimenta, VC Associados]

Portugal

In this chapter:

Q1/ Applicable legislation

Q2/ Personal data of deceased persons

Q3/ Legal bases for processing

Q4/ Consent of children

Q5/ Processing of sensitive personal data

Q6/ Data relating to criminal offences or convictions

Q7/ Exemptions

Q8/ Restrictions on data subjects’ rights

Q9/ Joint controllership

Q10/ Processor

Q11/ Data protection Impact Assessments

Q12/ Prior authorisation and public interest

Q13/ DPOs

Q14/ International data transfers

Q15/ DPAs

Q16/ Claims by not-for-profit bodies

Q17/ Administrative fines, penalties and sanctions

Q18/ Freedom of expression and information

Q19/ National identification numbers

Q20/ Processing in the context of employment

Q21/ Other material derogations

Q22/ Current legal challenges

Q23/ Enforcement

Q24/ Regulatory Guidance

Q1/ Applicable legislation

(a) Have the requirements of the GDPR been addressed by introducing a new law, or by updating existing legislation?

New legislation has been passed.

———

(b) Relevant legislation includes:

  • Act 58/2019 of 8 August (the “Data Protection Act”)
    • Date in force: 9 August 2019
    • Link: In Portuguese: see here
  • Act 43/2004 of 18 August – Comissão Nacional de Proteção de Dados (Portuguese DPA) Organisation and Function (the “Portuguese DPA Act”), as amended by the Data Protection Act
    • Date in force: 23 August 2004
    • Link: In Portuguese: see here

———

(c) What is the status of national pre-GDPR data protection law?

The relevant pre-GDPR legislation has been repealed in full. The Data Protection Act has modified the Portuguese DPA Act and has not repealed other legislation containing data protection provisions.

———

Q2/ Personal data of deceased persons

Does national law make specific rules regarding the processing of personal data of deceased persons?

The legislation relating to genetic data and health data regulates the processing of such data for both living and deceased persons.

The Data Protection Act provides that:

  • the sensitive personal data of deceased persons are protected in accordance with the GDPR and the Data Protection Act;
  • the rights referring to personal data of deceased persons must be exercised by someone appointed by the deceased person for that purpose, or by their heirs; and
  • the data subject may decide that the rights in relation to personal data may not be exercised after his or her death.

———

Q3/ Legal bases for processing

(a) Does national law make specific rules regarding the processing of personal data in compliance with a legal obligation?

There are no specific rules governing this issue.

———

(b) Does national law make specific rules regarding the processing of personal data for the performance of tasks carried out in the public interest?

The following rules govern the processing of personal data for the performance of tasks carried out in the public interest:

  • processing of personal data by a public entity for a purpose other than that for which the personal data were initially collected is permitted if carried out in the public interest, in accordance with Arts. 6(1)(e), (4) & 9(2)(g) GDPR;
  • the transmission of personal data between public entities for purposes different from those for which the personal data were initially collected must be subject to a protocol setting out the responsibilities of each entity; and
  • where personal data are published in an official journal, or published in the context of public procurement, and the disclosure of the data subject’s name is sufficient for the purposes of the processing, no other personal data should be disclosed.

———

(c) Does national law make specific rules regarding the processing of personal data in the exercise of official authority vested in the controller?

See Q3(b) above.

The transfer of personal data to third countries or international organisations to comply with legal obligations carried out by public authorities in the exercise of their powers is considered to be in the public interest.

———

(d) Does national law contain criteria in addition to those listed in the GDPR, to determine whether processing for a new purpose is compatible with the purpose for which the personal data were initially collected?

There are no specific additional criteria governing this issue.

———

Q4/ Consent of children

At what age can a child give their consent to processing in relation to ISS?

13 years of age.

———

Q5/ Processing of sensitive personal data

(a) Are there any sensitive personal data which cannot be processed on the basis of a data subject’s consent?

Employers are not permitted to process employees’ genetic data, even if the data subject’s consent has been obtained, except when the workplace involves exposure to significant risks.

———

(b) Does national law contain any specific requirements regarding the processing of sensitive personal data in respect of the following:

(i) Employment, social security and/or social protection law

Employers may not require job candidates or employees to provide information regarding:

  • their private lives, except where such information is strictly necessary and relevant in order to assess their capability to perform the labour contract, and such grounds are supplied in writing; or
  • their state of health or pregnancy, except when the particular circumstances of the profession justify certain requirements, and the grounds are supplied in writing, in which case the information must be supplied to a doctor, who will only inform the employer of whether or not the employee is fit to perform the job.

(ii) Substantial public interest

There are no specific rules on processing this category of data.

(iii) Preventative or occupational medicine; employee working capacity, medical diagnosis, provision of health or social care, or management of health or social care systems or services

Employers may not, for purposes of admission or continuation of work, require that a job candidate or employee present the result of tests or medical exams of any nature to prove physical or mental condition, except when the results are intended to ensure the protection and safety of the employee or third parties, or when justified by particular requirements of the activity, provided that the grounds are supplied in writing to the candidate or employee.

The doctor responsible for the medical exams and tests can only inform the employer of whether or not the employee is fit to perform the activity. Doctors, as well as medical staff and professionals responsible for processing such data, should be subject to a duty of secrecy.

In no circumstances may the employer demand that the candidate or employee perform or present the results of a pregnancy test or exam.

Health data should only be accessible by electronic means, except where: (i) this is not permitted by law; (ii) it is technically impossible; or (iii) the data subject has specified otherwise. The data subject must be notified of any access to their personal data, and the controller should ensure that a mechanism of traceability and notification is put in place.

(iv) Public interest in the area of public health

Processing for the purpose of preventing and controlling contagious diseases and public health risks is permitted to ascertain whether a person’s state of health presents a potential risk to public health.

When the processing and internal disclosure of personal data is considered essential to the evaluation and management of public health risks, personal data may only be processed by health professionals trained in the exercise of preventive medicine, medical diagnosis, provision of health or social care, or management of health services.

Processing must be carried out by persons subject to a duty of secrecy.
See Q5(b)(iii) regarding restrictions on access to health data.

(v) Archiving purposes, scientific or historical research purposes or statistical purposes

In the context of clinical research, national law regulates issues of informed consent and consent by minors.

———

(c) Has national law introduced any further conditions and/ or limitations with regard to the...
