The Legal 500


VDA

RUA DOM LUÍS I, 28, 1200-151 LISBOA, PORTUGAL
Tel: +351 21 311 34 00
Fax: +351 21 311 34 06
Web: www.vda.pt
Lisbon, Oporto


PRIVACY, DATA PROTECTION & CYBERSECURITY

March 2019

19 February 2018

COMMISSION COMMUNICATION – GUIDANCE ON THE DIRECT APPLICATION OF THE GENERAL DATA PROTECTION REGULATION

The European Commission (the “Commission”) issued, on 24 January, a Communication containing guidance to facilitate the direct application of the General Data Protection Regulation (“GDPR”) throughout the European Union (the “EU”) as of 25 May 2018 (the “Communication”). Simultaneously, the Commission published a set of GDPR-related Q&A and an online tool to help companies (with a focus on SMEs), citizens and public administrations understand the new rules.

The Communication aims to lay out (i) the main novelties and opportunities stemming from the GDPR, (ii) the preparatory work undertaken so far at EU level to ensure the application of the Regulation as of 25 May, (iii) what is still to be done at European and national level and (iv) the measures the Commission will adopt in the near future.

From the harmonization of the European data protection legal framework, to the strengthening of individuals’ rights (with a highlight on the right to data portability), to the protection of individuals against personal data breaches, to the aggravated fining regime, to reinforcing data processor accountability, to the new international data transfer mechanisms, there are several novelties brought by the GDPR which are mentioned in the Communication.

The Commission also refers to the Expert Group it has been convening to share expertise in data protection matters and to the ongoing talks with third countries (notably Japan and South Korea) with a view to issuing an adequacy decision (which would allow the free flow of personal data towards said countries), as well as to the several Article 29 Working Party Guidelines being finalized, covering topics such as Consent, Transparency, Binding Corporate Rules (article 47 GDPR), data breach notifications and automated individual decision-making.

The Commission notes that, on the date of this notice, only two Member States (Austria and Germany) had adopted the relevant national laws adapting their legal systems to the GDPR (in the meantime, other Member States have initiated this process). The Commission notes that national legislators have some discretion in this regard, but that national measures may not undermine the direct, simultaneous and uniform application of the GDPR in all the EU.

The Commission further notes the following:

  • The current lack of financial and human resources at the national Data Protection Authorities (“DPAs”) may “jeopardize their effectiveness and ultimately the complete independence required under the Regulation”, notably in light of their reinforced investigative powers. Thus, the Commission urges the Member States to vest the DPAs with the “human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers”. This is without prejudice to the Commission’s pledge to award EUR 2 million to the DPAs, in order to assist with their awareness-raising efforts among SMEs and the general public.
  • The importance for SMEs of mapping the categories of personal data they process, the purposes of said processing and the applicable legal basis for processing, as well as the relevance of revising their contracts with data processors and their international data transfer mechanisms. With regard to the specificities of data processing operations in different sectors, the Commission suggests that companies benefit from the new GDPR instruments, such as codes of conduct or certification by a DPA, as elements towards demonstrating compliance.
  • Levels of awareness among citizens concerning their new rights, and among SMEs concerning their new challenges, are still low. In light of this, the Commission launches an online tool with useful Q&A for the clarification of frequently asked GDPR questions. The tool will be regularly updated on the basis of the feedback received by the Commission and contains information about the legal bases for the processing of special categories of personal data and the available remedies for data subjects when they consider that the processing of personal data infringes the GDPR. The tool also provides examples of cases in which companies will have to, inter alia, carry out a Data Protection Impact Assessment (“DPIA”) or appoint a Data Protection Officer (“DPO”).

Finally, the Commission outlines the next steps it will take to guarantee the effective application of the GDPR, through the possible adoption of implementing or delegated acts (concerning, notably, the issue of certification) and the integration of the GDPR into the EEA Agreement, allowing for the free flow of data between the EU, Iceland, Liechtenstein and Norway. Moreover, the Commission notes the enforcement of the GDPR in the United Kingdom until the EU-withdrawal date and notes its intention to follow up on the first year of GDPR application in May 2019, during an event which will precede the report to be prepared by the Commission in 2020, on the evaluation and review of the GDPR.

Magda Cocco | mpc@vda.pt

Inês Antas de Barros | iab@vda.pt

Sebastião Barros Vale | sbv@vda.pt
