
News & Developments
TMT (Technology, Media & Telecoms)

Article 29 Working Party Guidelines On The EU General Data Protection Regulation

In order to clarify some of the new obligations stemming from the EU General Data Protection Regulation (“GDPR”), which will apply as of 25th May 2018, the Article 29 Working Party (“WP29”), the independent European consulting body for data protection issues, recently issued its “Guidance on Data Protection Impact Assessment (“DPIA”)”. This document will be available for public consultation until 23rd May, 2017.

When is a DPIA mandatory?

The GDPR states that a DPIA (data protection impact assessment) must be carried out when the envisaged data processing operations are “likely to result in high risk to the rights and freedoms of individuals” and sets out a list of situations in which the DPIA is mandatory. However, the GDPR stresses that the list is not exhaustive and that, in case of doubt, data controllers must carry out a DPIA. The WP29 also identifies factors that trigger a DPIA, such as processing data concerning vulnerable data subjects (minors and employees) and the existence of daily data transfers to countries located outside European Union territory, among others. If the data controller concludes that a DPIA is not necessary, it must document its analysis and conclusion.

When and how must the DPIA be carried out?

The DPIA is the responsibility of the data controller (which may or may not be assisted by third parties) and must be carried out sufficiently in advance of the envisaged data processing operations, so that the data controller may address and implement the recommendations arising from the DPIA. The WP29 recommends that DPIAs be reviewed every three years, except when changes are made to the data processing operations; in that case, the reassessment must be made prior to the implementation of such changes.

Which processing operations are subject to a DPIA?

The WP29 clarifies that only data processing operations starting after 25th May 2018 are subject to a DPIA. Data processing operations initiated prior to that date are only subject to a DPIA if the data processing operations are changed following application of the GDPR.

When must the Data Protection Authority be consulted (“prior consultation”)?

The GDPR states that the Data Protection Authority (Comissão Nacional de Proteção de Dados, or “CNPD”) must be consulted prior to the data processing whenever the processing would result in high risk should the data controller’s mitigating actions not be implemented. The WP29 also stresses that national law may require data controllers to consult the Data Protection Authority in other situations, even in the absence of such high risk.

Furthermore, following a period of public consultation, the WP29 approved the final versions of its Guidelines on Data Protection Officers (DPO), on the right to data portability (i.e., the right granting the data subject the possibility, under certain conditions, to receive his/her personal data from the controller to whom he/she had provided those data, as well as the right to transmit those data to another data controller) and on identifying the lead supervisory authority. Important changes were made to the final versions of the guidelines, among which the following:

1. GUIDELINES ON THE DESIGNATION OF A DPO:
- The designation of a DPO, whether mandatory or voluntary, covers all data processing activities carried out by the data controller or by the data processor;
- The WP29 recommends that the DPO be based in the EU, even if the data controller or processor is not;
- Even though the DPO is subject to secrecy and confidentiality, he/she may always ask the Data Protection Authorities for guidance concerning the data processing carried out by the controller;
- Each organisation must have only one DPO, even if he/she is supported by a team;
- Senior managers, such as the Head of Human Resources, Marketing or IT, may not act as DPO.

2. GUIDELINES ON THE RIGHT TO DATA PORTABILITY:
- Data controllers are not accountable for the data processing operations carried out by the data subject or by the controller to whom the data are transmitted following a data portability request;
- Data processors must assist the controllers in responding to data subjects’ portability requests;
- Organisations receiving the personal data are not obliged to accept and process the received data following a data portability request;
- Personal data related to the data subjects’ activity (such as logs or browser search history) are covered by the right to data portability;
- Controllers must explore two complementary ways to ensure data portability: (i) direct transfer of data and (ii) use of an automatic data extraction tool. The choice shall be made on a case-by-case basis.

3. GUIDELINES ON THE LEAD SUPERVISORY AUTHORITY:
- In the event of joint controllership between controllers based in different Member States, said controllers must find a transparent way to define their respective responsibilities. Moreover, in order to benefit from the one-stop-shop mechanism, they should identify the establishment with the powers to determine the purposes and means of the data processing;
- The one-stop-shop mechanism may also benefit data processors with branches in different Member States;
- In any event, when several data controllers and processors located in different Member States are involved in the same data processing operation, the lead Supervisory Authority will be the authority in the country where the main establishment of the controller is located, which means that the data processor may have to deal with different supervisory authorities.
VdA - October 28 2019
TMT (Technology, Media & Telecoms)

CNPD Approves 10 Measures To Prepare For The General Data Protection Regulation

On 28th January, 2017, the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados/CNPD) published a document establishing 10 measures for entities to prepare for the application of the General Data Protection Regulation (“GDPR”). Since the GDPR will apply from 25 May 2018 onwards, CNPD points out that both public and private entities should begin to implement internal procedures and mechanisms so as to ensure compliance with the new data processing rules. CNPD highlights 10 main areas of intervention and provides some actions towards ensuring compliance, including the following:

- Data subject information: given the new rules arising from the GDPR, all forms, privacy policies and other informative texts used should be reviewed and adjusted so as to include the additional information required by the GDPR;
- Exercising data subject rights: organisations should review their internal procedures for replying to data subject requests, including those concerning the exercise of new rights (such as the right to portability and the right to be forgotten), so as to ensure compliance with the timings and formalities imposed by the GDPR;
- Data subject consent: organisations should verify the format, terms and circumstances in which data subject consent was obtained. Should this consent not comply with the GDPR rules, new consent is required;
- Sensitive data: it is necessary to evaluate the categories of personal data processed, so as to identify any processing of sensitive data (special categories of data, as set out in the GDPR) and thus determine which criteria will apply to this processing;
- Documentation and records of processing activities: the activities associated with personal data processing should be documented, through internal registries of data processing activities and through the implementation of other internal procedures. This is an essential measure towards ensuring that both data controllers and data processors are able to verify and demonstrate compliance with the GDPR;
- Data processing agreements: agreements entered into with data processors should be reviewed, so as to include the extensive set of information that the GDPR deems mandatory. Moreover, in the event of subcontracting by the data processors, the latter should not only check existing agreements but also confirm whether this subcontracting was authorised by the controllers;
- Data protection officer: whenever the GDPR makes the appointment of a Data Protection Officer mandatory, organisations should ensure one is in place beforehand, considering the data privacy officer’s key role during the implementation of the GDPR. Even when this appointment is not mandatory, CNPD points out its advantages in ensuring compliance with the obligations set by the GDPR;
- Technical and organisational security measures for processing: organisations should review all policies, practices and internal measures, in order to ensure an adequate level of security for the processing. Organisations should also implement the measures deemed necessary in order to ensure and verify compliance with the GDPR;
- Data protection by design and impact assessment: it is necessary to carry out a thorough assessment of all projected future processing activities, so as to analyse their nature and context, as well as possible risks for data subjects. Organisations will thus guarantee the application of the principles of data protection by design and by default, as set out in the GDPR;
- Security breach notification: organisations should adopt and implement internal procedures for notifying breaches involving personal data. These procedures should include rules and processes regarding the detection, identification and investigation of the circumstances surrounding the breach, mitigating actions, information flows between the controller and the processor, data protection officer involvement and, if applicable, notification to CNPD and to the data subjects.

Organisations which have not yet started implementing the GDPR should, as swiftly as possible, review and adapt their internal procedures regarding personal data protection, so as to ensure compliance with the GDPR by 25th May 2018. CNPD will continue to issue guidelines on the GDPR, in order to ensure that it is applied consistently by organisations.
VdA - October 28 2019
TMT (Technology, Media & Telecoms)

Angola | Law On The Protection Of Networks And Information Systems

Law No. 7/17, concerning the Protection of Networks and Information Systems (LPNIS), was recently published in the Official Gazette and imposes a set of new obligations on several players in the Angolan market. Electronic communication undertakings, information society service providers, primary storage service providers, critical infrastructure service providers (e.g., entities responsible for supply chains, health, security and utilities), as well as entities providing critical social functions (financial sector, transportation, Oil & Gas) are now subject to obligations concerning information and information systems protection and security, storage of data, data retention for investigation purposes, cooperation with the competent authority and interception of communications, depending on the scope of activity carried out.

LEGAL FRAMEWORK

Similarly to legislative acts on the security of networks and the storage of data pertaining to electronic communications in force in other countries and/or regions, as is the case in the European Union, this law aims at responding to the new challenges posed by the information society, particularly by fostering the protection of Angolan cyberspace against cyber attacks, which are becoming more frequent, and by easing the use of information in the digital space for purposes of criminal investigation.

Among the main obligations set out in the LPNIS, we highlight the following:
- The implementation of defence mechanisms and incident response, including presenting to the entities responsible for regulating data protection and for fostering information society services a plan for the management of accidents and incidents, as well as fostering the registration of users;
- The storage of data in an electronic communications network and in information society systems, including traffic data, for a maximum period of 6 months;
- Retention of a significant volume of data by publicly available electronic communications operators, which are required to store traffic, location and related data for a period of 12 months (as of conclusion of the relevant communication) solely for purposes of investigation, detection and repression of crime.

Failure to comply with these obligations may constitute a contravention punishable with fines ranging between a minimum of 3,000,000.00 Kz (three million Kwanzas) and a maximum of 200,000,000.00 Kz (two hundred million Kwanzas), depending on the specific breach; these thresholds are doubled whenever the infringement is attributed to a legal person. The Agency for the Protection of Personal Data is the entity responsible for pursuing contravention proceedings as well as for assessing the respective fines. It should be stressed, however, that this Agency, albeit created by Law No. 22/11 of 17 June (Personal Data Protection Law), is not functioning yet. The law also foresees a Computer Incident Monitoring and Response Team, whose organisation and functioning shall be established in a separate act, not published to date.

IMPACTS OF THE LPNIS

For correct implementation of and compliance with the LPNIS, entities providing services based upon information networks and systems whose activities fall within the scope of the act shall have to, including but not limited to:
- Set up teams at management level tasked with assessing how the LPNIS may apply to the activity carried out by the undertaking;
- Implement/review network security measures and incident notification procedures to the relevant entities;
- Have in place a strategy and an accident and incident management and response plan, in accordance with the parameters to be defined by the relevant authorities, which shall imply coordination among the board of directors and the legal and business managers of the entities subject to the LPNIS;
- Seek to coordinate the adoption of a security strategy with public policies to be adopted in the near future for fostering the security of cyberspace in Angola.
VdA - October 28 2019