The Law no. 121 / IX / 2021, of 17 March, came to change the legal framework on the protection of personal data of natural persons.
Due to the development of Information and Communication Technologies (ICT) it was necessary to adopt legal measures, in order to protect the rights, liberties and fundamentals guarantees of each individual.
One of the first amendments is the definition of Consent of the Data Subject. With the new wording, the expression of will has to be through a declaration or unequivocal positive act.
According with the referred Law, now is also permitted to do special personal data processing, when the National Office of Data Protection “Comissão Nacional de Proteção de Dados” (hereinafter as “CNPD”) gives an authorization, in the cases of the process is based on important public interest or where is necessary for pursuit legitimate interests of the processing responsible, with the guarantees of non-discrimination and with the appropriate safety measures.
Regarding to the processing of personal data related to suspected illegal activities, criminal offences, misdemeanours, criminal convictions, decisions imposing security measures, fines, additional penalties and disciplinary infractions may be authorized by the CNPD, in compliance with the rules on standards of data protection and information security, when such processing is necessary for the execution of legitimate purposes of the person responsible, provided that the rights, liberties and guarantees of the data subject.
Henceforth, the interconnection of personal data which is not established in a legal provision is subject to the authorization by the CNPD, requested by the person responsible or jointly by the corresponding persons responsible for the processing.
Regarding to access rights, the data subject can also obtain from the data responsible the confirmation as to whether or not his data is processed, as well as the information on the purposes of such processing, the categories of data and the recipients or categories of recipients to whom the data are disclosed, he may request a copy of his personal data. Also, the data subject has the right to obtain the notification to third parties to whom the data have been communicated of any rectification, erasure or destruction, unless this proves impossible or involves a disproportionate effort.
One of the most important additions that this new Law made is the article about conditions applicable to consent.
Therefore, this article mentions that the data responsible has to be capable to demonstrate the data subject that he gave his consent for the processing.
Furthermore, the data subject can withdraw his consent at any time, easily and without being prejudiced.
Other important addition is the article regarding the right of rectification.
This new article refers that the data subject has the right to obtain from the data responsible the rectification of the inaccurate personal data and in consideration of the purposes of the processing the data subject has the right to his personal data are complete, including through additional declaration.
Another important article alludes to the right to erasure.
Hence, the data subject has the right to obtain from the processing responsible the erasure or destruction of his personal, therefore the processing responsible has the obligation to erase personal data, when one of the reasons that are mentioned on the Law are meet.
Moreover, the data subject has the right to obtain from the processing responsible the processing limitation if one of the situations mentioned in the Law arise.
Furthermore, the personal data of deceased persons are protected by this Law.
Other novelty is that in the event of a personal data breach, the processing responsible shall notify the CNPD, unless the breach does not violate rights, liberties and guarantees of natural persons. This notification is confidential. Also, in case of a personal data breach which is likely to result in a high risk to the rights, liberties and guarantees of the data subject, the processing responsible shall communicate the breach to the data subject, please be aware that this communication can have some exceptions.
In addition, it is introduced the figure of the data protection officer.
The processing responsible and the processor shall designate a data protection officer in different situations. The data protection officer has different functions, for instance:
- Contact point for the CNPD on issues related to the processing of personal data carried out;
- Informs and advises the processing responsible or processor as well as the employees processor about their obligations;
- Cooperate with the CNPD and other more.
At last, this diploma recommends new crimes be criminalized, such as misappropriation of data, use of data in a manner incompatible with the purpose of the collection, illegal interconnection of data and the insertion of false data.
The present Law entered into force on 17 April 2021.
Article by Marco Correia Gadanha
Marco Correia Gadanha is a partner of the Portuguese law office MC&A. He is specialized in legal advice to international transactions. Marco has extensive experience of legal practice in Portugal and in the Portuguese-speaking African countries. Since 2008, he has practiced mainly in the areas of labor and litigation, assisting national and international clients in these and other matters, namely corporate law, especially in Portugal, Angola and Mozambique. He graduated at the University of Coimbra in 2005 and he holds post-graduations in Labor and Angolan Law.