Data privacy and data protection

APPLICABLE LAW

The personal data protection regime currently in force in Portugal is based on Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, commonly known as the General Data Protection Regulation or GDPR. This Regulation is complemented by Law no. 58/2019, of 8 August (which ensures the execution of the GDPR in the national legal order), by Law no. 59/2019, of 8 August (which transposes Directive (EU) 2016/680 on the processing of personal data for criminal law enforcement purposes) and by Law no. 41/2004, of 18 August (the national e-privacy law, transposing Directive 2002/58/EC). These statutes, which constitute the backbone of the legal regime in force in Portugal, are also complemented by scattered legal and regulatory provisions. This regime aims to protect individuals in relation to the processing of personal data, a protection which the lawmaker treats as a fundamental right of individuals. We cannot forget that, in Portugal, this fundamental right is constitutionally enshrined, as article 35 of the Constitution of the Portuguese Republic, entitled “Use of information technology”, establishes that:
  • All citizens shall have the right to access computerized data concerning them, being able to demand their rectification and updating, and the right to know the purpose for which they are intended, in accordance with the law;
  • The law shall define the concept of personal data, as well as the conditions applicable to its automated processing, connection, transmission and use, and guarantees its protection, namely through an independent administrative entity;
  • Information technology shall not be used to process data relating to philosophical or political beliefs, party or union affiliation, religious faith, private life and ethnic origin, except with the express consent of the holder, authorization provided by law with guarantees of non-discrimination or for processing of non-individually identifiable statistical data;
  • Access to third party personal data is prohibited, except in exceptional cases provided for by the law.
As can be observed, the Constitution does not merely enshrine a fundamental right to the protection of personal data. It requires ordinary law to define the terms under which citizens can access computerized data concerning them, the terms under which they can demand its rectification and updating, and the terms under which they can exercise the right to know the purpose for which those data are intended. The Constitution also requires ordinary law to define the terms under which data subjects give the consent needed for the processing of data relating to philosophical or political beliefs, party or union affiliation, religious faith, private life and ethnic origin, and to define the concept of personal data, the conditions applicable to its automated processing, connection, transmission and use, and the guarantees of its protection. The constitutional norm is thus a true and extensive specification for the ordinary legislator, whose task was substantially facilitated when the European Union adopted a Regulation (the GDPR) that also regulates all these matters. The constitutional text also determines the existence of an independent administrative entity charged with supervising the right to data protection. This entity is the Comissão Nacional de Protecção de Dados, commonly known as the CNPD. Under the terms of the law, the CNPD is responsible for supervising and controlling the personal data protection regime and is, for the purposes of the GDPR, the national supervisory authority. Among the powers granted to the CNPD, it is worth highlighting the power to monitor compliance with the provisions of the GDPR and other legal and regulatory provisions relating to personal data protection and the rights and guarantees of data subjects, and to correct and sanction their breach.
In this context, the CNPD has investigative and sanctioning powers and is responsible for investigating and deciding proceedings concerning failures to comply with the GDPR and other data protection legislation. Now that the main applicable laws are known and the entity that controls their application has been identified, it is necessary to identify some of the essential concepts regarding the processing of personal data.

WHAT DOES “PERSONAL DATA” MEAN?

Personal data is any information relating to an identified or identifiable natural person, the “data subject”. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal data are, for example:
  • name and surname;
  • the home address;
  • an email address such as [email protected];
  • the number of an identification document;
  • an IP (Internet Protocol) address;
  • data held by a hospital or doctor, which allows a person to be unequivocally identified.
Conversely, the following shall not be considered personal data:

THE PARTIES INTERVENING IN DATA PROCESSING

As already stated, the person to whom the personal data refer is the data subject. The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data is called the “controller”. It is this person – usually a company or public entity – who is responsible for the set of obligations aimed at protecting personal data. We also think it is useful to convey what should be understood by “processing”. “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. We can thus identify two main subjects in the personal data processing relationship: the data subject and the controller; an object – personal data – and an activity – data processing.
This processing relationship is, as already mentioned, subject to a set of rules designed to ensure that personal data are:
  • processed in a lawful, fair and transparent manner;
  • collected for specified, explicit and legitimate purposes and not further processed in a way that is incompatible with those purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date, with every reasonable step taken to ensure that inaccurate data, having regard to the purposes for which they are processed, are erased or rectified without delay;
  • stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed;
  • processed in a manner that ensures their security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
The controller shall adopt the appropriate technical and organisational measures to meet these requirements.

THE EXERCISE OF RIGHTS BY DATA SUBJECTS

The “set of specifications” for data controllers is demanding, and this has been proven in practice. There are countless cases in which the intervention of national data protection authorities has been required, a consequence also of the increasing visibility of data protection issues, which has given rise to a growing number of complaints by data subjects who consider that their rights have been breached. However, many of these complaints reveal a considerable lack of knowledge on the part of data subjects: they have no grounds and end up being archived without any action being taken. Even so, they still cause some constraints and involve work for those responsible at the controllers and their teams, particularly their legal teams. Other complaints are accepted by the administrative authority, requiring a defence from the entity concerned both in the administrative phase of the proceedings and in a judicial challenge, if the administrative phase concludes with the application of a sanction that the targeted entity does not accept. We must bear in mind that the amounts of the applicable fines are, in many cases, extremely high and that, in the most serious and visible cases, national authorities have chosen to make a dissuasive example by applying heavy penalties. Regarding the exercise of the corresponding rights by data subjects, particularly vis-à-vis controllers, the CNPD has been providing the following guidance:
  • The exercise of rights shall be free.
  • The rights are exercised with the controller, preferably through the specific channel indicated in their privacy policy or in equivalent notice.
  • The data subject must be accurately identified and shall be able to prove its identity when exercising its rights, but it shall not have to provide more personal data than those already processed by the controller, within the scope of a contractual relationship, for example.
  • The data subject must keep proof that it has filed a request to exercise its rights.
  • The controller must facilitate the exercise of rights.
  • Responses to the data subject must be provided concisely, in clear and simple language.
  • Data subjects must obtain a response within one month from the date on which their request is received.
  • This period can also be extended for another two months, if necessary. If so, the controller shall inform the data subject of this extension, justifying the delay of the initial deadline.
  • If the data subject's request is made by electronic means, the response must be given, whenever possible, by electronic means.
  • The exercise of the data subject rights cannot harm the rights and freedoms of third parties.
  • The controller may refuse to comply with a request when it appears to be manifestly unfounded or excessive, particularly due to its repetitive nature. In these situations, the controller may also require payment of a reasonable fee to cover the inherent administrative costs.

SOME OF THE CONTROLLER’S OBLIGATIONS

The obligations imposed on data controllers are so vast that it would be impossible to address them all in a text like this. Therefore, and in light of what the CNPD does in practice, we will refer only to a small set of obligations that, for different reasons, give rise to interaction with that administrative authority and which, also for this reason, are of the greatest relevance. Firstly, we refer to the obligation to keep a record of processing activities, provided for in article 30 of the GDPR. Each controller and, where applicable, the controller's representative, shall maintain a written record (which includes electronic form) of the processing activities under its responsibility. That record shall contain the following information:
  1. the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
  2. the purposes of the processing;
  3. a description of the categories of data subjects and of the categories of personal data;
  4. the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
  5. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
  6. where possible, the envisaged time limits for erasure of the different categories of data;
  7. where possible, a general description of the technical and organisational security measures in place.
Quite apart from this being an obligation imposed by the GDPR, we have verified that preparing this record has allowed companies to become more aware of all the processing activities they carry out, many of which were not adequately perceived, and has allowed them to eliminate some processing activities that were unnecessary and to concentrate efforts and resources on those that are actually important for the business. From a practical point of view, the preparation of the record of processing activities has been an important aid for companies in reorganising their processing practices and activities. Regarding the obligation to appoint a Data Protection Officer (DPO), an obligation on which we have been consulted several times, it should be clarified that this appointment is only mandatory in some cases. For companies, the obligation only exists when their core activities consist of large-scale processing of special categories of data or of data relating to criminal convictions and offences, or of processing that requires regular and systematic monitoring of data subjects on a large scale. The DPO does not require professional certification for this purpose and, regardless of the nature of their legal relationship with the controller, they carry out their functions with technical autonomy vis-à-vis the entity responsible for the processing. The CNPD does not assess in advance whether a given controller must appoint a DPO. It is the controller who is responsible for assessing, in each situation, whether the data processing carried out by the organisation requires the appointment of a DPO. However, the CNPD will not fail to apply the corresponding sanction if it is called upon to assess a situation in which no DPO was appointed when the appointment was mandatory. The appointment of the DPO must be notified to the CNPD by filling out a specific form.
It is also important to bear in mind that different companies can share the same DPO, either because they belong to the same business group or because they belong to associations or other bodies representing companies that have chosen to appoint a common DPO. It should be noted that, if the company belongs to an international group, a DPO located in another EU Member State can be shared. Another important obligation of data controllers, which translates into a need for interaction with the supervisory authority, is the data protection impact assessment (DPIA). Some processing activities, because of the volume of data processed and the nature of those data, particularly if they belong to the special categories (health data, biometric data, data revealing racial or ethnic origin, political opinions, among others) or when profiling is carried out and, as a result, automated decisions are taken, require a prior assessment, before processing begins, of the impact that these activities may have. The objective of this assessment is to identify the risks of the intended processing activities and the measures that allow those risks to be mitigated. If, despite the mitigation measures identified, the processing is still considered to pose a high risk to the rights and freedoms of individuals, the controller must consult the CNPD beforehand. This obligation is an exception to the paradigm introduced by the GDPR which, replacing a prior authorisation regime, now enshrines a regime of a posteriori supervision, under which, as a rule, processing activities may proceed without any prior authorisation on the part of an administrative supervisory authority. Once again, these impact assessments have an important practical effect, raising awareness among entities, and among their employees and managers, of the data processing activities they carry out, their effects and their actual necessity.
A final obligation, one that involves close interaction with the CNPD, is the obligation to notify personal data breaches – the obligation that everyone will want to avoid. In the event of a breach of security leading, accidentally or unlawfully, to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, which is likely to result in a risk to the rights and freedoms of data subjects, the controller is obliged to notify the incident within a maximum of 72 hours after becoming aware of it. The notification is made online, using a specific form provided by the CNPD. Several pieces of information must be provided, particularly those relating to the nature of the incident, the type of data affected, the number of data subjects affected, whether and how they have already been informed of the incident, and the measures implemented by the controller, among many others. Where not all of this information is available within the 72-hour period, it may be provided in phases without undue further delay, so the absence of a complete picture is not a reason to let the deadline pass. The moment of notifying a data breach can also be used by the controller to revisit the security measures it has in place, to assess whether they are adequate or whether, alternatively or in a complementary way, other measures should be adopted. The regime applicable to the processing of personal data is a demanding one that involves an enormous effort of self-evaluation. We are all aware of how forgiving we are when evaluating ourselves and our own processes. Therefore, the moments when we must comply with a certain type of reporting or information obligation are of the greatest relevance. Those are moments when we necessarily must pause and consider, so as to properly assess the methods and procedures adopted. This rigour will be an important ally in complying with data protection laws and regulations!
Contributors: Data Privacy and Data Protection department of Raposo Bernardo | please contact [email protected]