On the 14th of June 2019 (one year later than expected), Portugal finally approved Draft Law no. 120/XIII/3.ª (GOV), implementing Regulation (EU) 2016/679 (General Data Protection Regulation or GDPR) in Portugal.
The Draft Law shall enter into force on the day following its publication in the Portuguese Official Journal, which depends on prior ratification by the President of the Republic of Portugal.
Throughout the preparation and approval of the Draft Law, several concerns were raised, notably by the Portuguese supervisory authority, the Data Protection Authority (Comissão Nacional de Proteção de Dados - CNPD), which, rather strangely, was not actively involved in the drafting of the Law.
Although some of those concerns led to revisions and amendments, the final version of the Draft Law kept several controversial provisions, which we will address in detail below.
PUBLIC ENTITIES : MANDATORY DATA PROTECTION OFFICER
To comply with Article 37 of the GDPR, the Draft Law establishes an exhaustive list of the public entities required to appoint a DPO, including, amongst others, Municipalities, Public Institutes, Public Schools and State, Regional and Local Business Sector Entities (Setor Empresarial do Estado).
CERTIFICATION MECHANISMS : PORTUGUESE ACCREDITATION INSTITUTE
As provided in Article 43 of the GDPR, the Draft Law also determines the accreditation and certification process. Accordingly, GDPR-related codes of conduct or certification mechanisms must be approved by a certification body, which shall be recognized by the Portuguese Accreditation Institute (IPAC, I.P.). IPAC, I.P. shall take into account the requirements established by the Portuguese Supervisory Authority (CNPD) in its approval decision.
MINORS' CONSENT : INFORMATION SOCIETY SERVICES
Pursuant to Article 8 of the GDPR, regarding the offer of information society services, the Draft Law establishes that processing the personal data of a child above the age of 13 years will not require the consent of the child's legal representatives.
PUBLIC ENTITIES : EXEMPTION
The exemption granted to public entities was another provision that met with strong disapproval from the Portuguese supervisory authority when the first draft of the law was made public. On this topic, the GDPR left to each Member State the decision on whether and to what extent administrative fines should be imposed on public authorities and bodies. The Portuguese Parliament came up with a compromise solution...