GDPR

General Data Protection Regulation.

OVERVIEW

In the “Information Age”, protecting personal and sensitive information has become increasingly imperative as a way of ensuring privacy. Since 1981, Convention n. 108 of the Council of Europe has addressed concerns about the automated processing of personal data, being the first international legal instrument adopted in the area of data protection.

With advances in information technology, such as the internet, data protection legislation needed to be adapted. This was done by Regulation (EU) 2016/679, the General Data Protection Regulation or GDPR, and by Law 58/2019, of August 8, approved later, which ensures the execution of the GDPR in Portugal.

Accordingly, public or private companies and natural persons who collect, store, transmit, structure and preserve personal data are considered responsible for processing that data and must do so in a lawful, fair and transparent manner, in accordance with the GDPR and national legislation.

In addition, the GDPR applies to entities that process the personal data of residents of the European area, even if those entities are established outside the European Union. Therefore, any company worldwide can be considered responsible for unfair data management if the data belongs to an EU resident, regardless of their nationality.

Data protection standards

Infringements of data protection rules can lead to fines of around 500 to 20 million euros, depending on the size of the company. In Portugal, the National Data Protection Commission (CNPD) is the national control authority for GDPR purposes and is competent to apply fines.

The recent legislation also created the role of the Data Protection Officer (DPO), known in Portuguese as the Encarregado de Proteção de Dados (EPD). Public entities must always designate an EPD, while private sector companies are obliged to contract an EPD mainly in two cases: (i) if the main activity consists of processing relevant data, meaning personal information such as ethnicity, religion, sexual orientation, etc.; or (ii) when there is large-scale processing that requires regular and systematic data management.

As indicated by Working Group 29 (the Article 29 Working Party), an independent European advisory body on data protection and privacy [1], a company that is not required by law to designate an EPD and does not intend to designate one on its own initiative can use external consultants to ensure compliance with the provisions of the GDPR and national legislation.

GDPR Consulting

Martins Castro is composed of lawyers and information technology consultants who directly assist national and international companies seeking to bring their management of processed data into compliance.

Our consulting service not only gives clients security by preventing future infractions but also adapts specific business needs to the GDPR rules and to national legislation, so that data is processed in a lawful, fair and transparent way.

The services consist of:

Contract management in GDPR compliance;
Risk analysis when creating or changing procedures and implementing new technologies;
Privacy policy definition;
Data protection assessment report development;
Prevention planning for data management;
Procedures in case of data protection violation.

[1] https://www.cnpd.pt/home/rgpd/docs/wp243rev01_pt.pdf

Related legislation:

General Data Protection Regulation, GDPR, Law 58/2019, of 08 August
