European Data Protection Rules

PORTUGAL

 

The Comissão Nacional de Protecção de Dados (CNPD) (The Portuguese Data Protection Authority) website: http://www.cnpd.pt/english/index_en.htm

 

The Act on the Protection of Personal Data (Act 67/98): http://www.cnpd.pt/english/bin/legislation/Law6798EN.HTM

 

What needs to be done prior to collection?

 

NOTIFY THE CNPD

 

Article 27 – Obligation to notify the CNPD

 

  1. The controller or his representative, if any, must notify the CNPD before carrying out any wholly or partly automatic processing operation or set of such operations intended to serve a single purpose or several related purposes

 

  2. The CNPD may authorise the simplification of or exemption from notification for particular categories of processing which are unlikely, taking account of the data to be processed, to affect adversely the rights and freedoms of the data subjects and to take account of criteria of speed, economy and efficiency

 

  3. The authorisation, which must be published in the Diario da Republica, must specify the purposes of the processing, the data or category of data to be processed, the category or categories of data subjects, the recipients or categories of recipient to whom the data may be disclosed and the length of time the data are to be stored

 

  4. Processing whose sole purpose is the keeping of a register which according to laws or regulations is intended to provide information to the public and which is open to consultation by the public in general or by any person demonstrating a legitimate interest shall be exempted from notification

 

Article 29 – Contents of notifications

 

Notifications submitted to the CNPD shall include the following information:

 

(a)     The name and address of the controller and of his representative, if any;

(b)     The purposes of the processing;

(c)     A description of the category or categories of data subjects and of the data or categories of personal data relating to them;

(d)     The recipients or categories of recipients to whom the data might be disclosed and in what circumstances;

(e)     The body entrusted with processing the information, if it is not the controller himself;

(f)      Any combinations of personal data processing;

(g)     The length of time for keeping personal data;

(h)     The form and circumstances in which the data subjects may be informed of or may correct the personal data relating to them;

(i)      Proposed transfers to third countries;

(j)      A general description allowing a preliminary assessment to be made of the adequacy of the measures taken under Articles 14 and 15 to ensure security of processing  

 

CONTACT THE DATA SUBJECT

 

Article 10 – Data Subject Right to Information

 

  1. The controller or his representative shall provide a data subject from whom data relating to himself are collected with the following information, except where he already has it:
    1. The identity of the controller and of his representative, if any;
    2. The purposes of the processing;
    3. Other information such as:
        i. The recipients or categories of recipient;
        ii. Whether replies are obligatory or voluntary, as well as the possible consequences of failure to reply;
        iii. The existence and conditions of the right of access and the right to rectify, provided they are necessary, taking account of the specific circumstances of collection of the data in order to guarantee the data subject that they will be processed fairly

 

  2. The documents supporting the collection of personal data shall contain the information set down in the previous number

 

  3. If the data are not collected from the data subject and except where he already has it, the controller or his representative must provide the data subject with the information set down in 1 at the time of undertaking the recording of data or, if a disclosure to third parties is envisaged, no later than the time the data are first disclosed

 

  4. If data are collected on open networks the data subject shall be informed, except where he is already aware of it, that personal data relating to him may be circulated on the network without security measures and may be at risk of being seen and used by unauthorised third parties

 

  5. The obligation to provide information may be waived by a legal person or decision of the CNPD on the grounds of State Security and criminal prevention or investigation and also in particular for processing for statistical purposes or for the purposes of historical or scientific research, when the provision of such information proves impossible or would involve a disproportionate effort or if recording or disclosure is expressly laid down by law

 

  6. The obligation to provide information under this Article shall not apply to the processing of data carried out solely for journalistic purposes or for the purpose of artistic or literary expression

 

What needs to be done prior to shipping?

 

Article 18 – Transfer of personal data in the European Union

 

Without prejudice to the tax or customs decisions of the Community, personal data may move freely between Member States of the European Union

 

Article 19 – Transfer of personal data outside the European Union

 

  1. Without prejudice to the following Article, the transfer to a State which is not a member of the European Union of personal data which are undergoing processing or intended for processing may only take place subject to compliance with this Act and provided the State to which they are transferred ensures an adequate level of protection

 

  2. The adequacy of the level of protection of a State which is not a member of the European Union shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the State in question and the professional rules and security measures which are complied with in that country

 

  3. It is for the CNPD to decide whether a State which is not a member of the European Union ensures an adequate level of protection

 

  4. By means of the Ministry of Foreign Affairs the CNPD shall inform the European Commission of cases where it considers that a State does not ensure an adequate level of protection

 

  5. The transfer of personal data identical to those the European Commission has considered do not enjoy adequate protection in the State to which they are sent shall be prohibited

 

Article 20 – Derogations

 

  1. A transfer of personal data to a State which does not ensure an adequate level of protection within the meaning of Article 19 (2) may be allowed by the CNPD if the data subject has given his consent unambiguously to the proposed transfer or that transfer:
    1. Is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject’s request; or
    2. Is necessary for the performance or conclusion of a contract concluded or to be concluded in the interests of the data subject between the controller and a third party; or
    3. Is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or
    4. Is necessary in order to protect the vital interests of the data subject; or
    5. Is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, provided the conditions laid down in law for consultation are fulfilled in the particular case

 

  2. Without prejudice to paragraph 1 the CNPD may authorise a transfer or a set of transfers of personal data to a State which does not ensure an adequate level of protection within the meaning of Article 19 (2), provided the controller adduces adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals with respect to their exercise, particularly by means of appropriate contractual clauses

 

  3. By means of the Minister of Foreign Affairs the CNPD shall inform the European Commission and the competent authorities of the other Member States of the European Union of the authorisations it grants under 2

 

  4. The authorisations provided for in 2 shall be granted or derogated by the CNPD according to its own procedures and the decisions of the European Commission

 

  5. Whenever there are specimen contractual clauses approved by the European Commission according to its own procedures, because they provide the adequate guarantees referred to in 2, the CNPD shall authorise the transfer of personal data made under such clauses

 

  6. A transfer of personal data which is necessary for the protection of State Security, defence, public safety and the prevention, investigation and prosecution of criminal offences shall be governed by special legal provisions or by the international conventions and agreements to which Portugal is a party

 

What are the sanctions for non-compliance?

 

Article 34 – Liability

 

  1. Any person who has suffered damage as a result of an unlawful processing operation or of any other act incompatible with legal provisions in the area of personal data protection is entitled to receive compensation from the controller for the damage suffered

 

  2. The controller may be exempted from this liability, in whole or in part, if he proves that he is not responsible for the event giving rise to the damage

 

 

Article 37 – Omission or inadequate compliance with obligations

 

  1. Bodies which negligently fail to comply with the obligation to notify the CNPD of the processing of personal data referred to in Article 27 (1) and (5), provide false information or comply with the obligation to notify without observing Article 29 or, having been notified by the CNPD, continue to allow access to open data transmission networks to controllers who fail to comply with the provisions of this Act are committing an administrative offence punishable with the following fines:
    1. In the case of a natural person, a minimum of PTE 50,000$00[1] and a maximum of PTE 500,000$00[2]
    2. In the case of a legal person or a body without legal personality, a minimum of PTE 300,000$00[3] and a maximum of PTE 3,000,000$00[4]

 

Article 38 – Administrative offences

 

  1. Bodies which fail to comply with any of the following provisions of this Act are committing an administrative offence punishable with a minimum fine of PTE 100,000$00[5] and a maximum of PTE 1,000,000$00[6]

[This includes observance of the obligation under Article 10]

 

  2. The penalty shall be increased to double the maxima in the case of failure to comply with the obligations in Articles 19 and 20

 

 

 

 

 

Please refer to the CNPD website for further details on the Statute


 

[1] Still expressed in ‘PTE’ although Portugal has now joined the Euro – PTE 50,000$00 = EUR 249.39

[2] PTE 500,000$00 = EUR 2,493.99

[3] PTE 300,000$00 = EUR 1,496.39

[4] PTE 3,000,000$00 = EUR 14,963.94

[5] PTE 100,000$00 = EUR 498.79

[6] PTE 1,000,000$00 = EUR 4,987.97
