The New Data Protection Regulation in Portugal

The General Data Protection Regulation (RGPD) entered into force on May 25, 2018 and replaces the current data protection directive and law. This regulation was approved by the European Union and enforces the rules on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and sets new rules and procedures from a technological point of view.

What are the main aspects of this Regulation?

In recent months, much has been said about this new regulation in the media and on digital networks. But after all, what are its main aspects?

The RGPD obliges companies to provide information about the legal basis for the processing of data, the retention period of personal data and its transfer. Thus, companies must inform their clients of all their rights; namely, the client should be informed of the reason why the company needs the customer's personal data, the reason for which the data is processed, the period for which it will be kept and who the recipient will be.

Companies are required to obtain the express consent of natural persons for the processing of personal data. A lack of response does not count as authorization; consent must be given by express statement or other unequivocal act.

On the other hand, consent for the processing of personal data cannot be presumed, nor can pre-selected options be used on internet sites.

As regards minors, the company must also check the age of the person in order to obtain parental consent, as the case may be.

What are the rights of citizens?

First of all, citizens have the right to know all of their personal data that the company has obtained and what type of use is made of it. Citizens also have the right to request that companies not subject their personal data to certain processing or uses. They may also request that their information be updated, corrected or deleted.

As for direct marketing and portability, citizens have the right to opt out of receiving direct marketing that uses their personal data; citizens are also entitled to portability, that is, they can request that their information be passed on to another organization or competitor.

What are the situations which require additional attention?

Enterprises have to be extra careful when processing personal data relating to automated rights and decisions, or information on health, race, sexual orientation, religion and political beliefs, as these fall within the concept of sensitive data as defined by the Regulation. Depending on the size and context of this specific data processing, companies may be required to appoint a Data Protection Officer.

If you do not comply with the RGPD, what happens?

In case of non-compliance, the RGPD provides for the imposition of very high fines. Let’s see.

In the less serious cases of breach of the Regulation, the fine may be up to EUR 10 million or 2% of the annual worldwide turnover, whichever is the greater. In more severe cases, the fine may be up to 20 million or 4% of the annual worldwide turnover, whichever is higher.

After all, what should I do to comply with the new RGPD?

To comply with the new Data Protection Regulation, companies should establish physical and digital security measures to ensure that all data and systems are secure. That is, companies should demonstrate that there is concern and effective action to protect the personal data of citizens.