The General Data Protection Regulation (hereinafter "GDPR") has given the supervisory authorities an extremely active role in the mission to ensure respect for the rights of data
1. Guiding Activity:
Over the past two years, the National Commission for Data Protection (hereinafter "CNPD") has issued two sectorial guidelines. One of which, in relation to the European Parliament elections - Guideline/2019/1, of 25 March - addressed the processing of personal data in the context of electoral campaigns and political marketing. In turn, Guideline/2019/2, of 3 September, dealt with the processing of personal data in the context of smart electricity distribution networks.
In 2019, the CNPD also issued two further deliberations, Deliberation 2019/494 and Deliberation/2019/495. While the first refers to the need for the CNPD to disregard some rules of Law no. 58/2019 of 8 August, as they irremediably contradict the GDPR, the second refers to the waiver of the application of fines to public entities, which is now ending.
In 2020, there were 7 Guidelines, mostly related to the treatment of health data, among which we highlight the Guidance on the dissemination of information on those infected by Covid-19, of 22 April, the Guidance on remote control in telework, of 17 April, and the Guidance on the collection of health data of workers, in the context of the pandemic caused by the coronavirus SARS-CoV-2, of 23 April.
2. Procedural Activity
Within the scope of its procedural activity, the CNPD opened a total of 1839 cases during 2019 and 1926 cases during 2020.
With regard to the CNPD's advisory function, it should be noted that 81 opinion cases were opened in 2019, which represents a significant increase over the previous year, a trend that continued the following year, with the opening of 105 cases. As for cross-border cases, 27 cooperation cases were opened in 2019, and, in 2020, the number of cases increased to 52.
Regarding the CNPD's deliberative function, during 2019, 936 investigation cases were opened and, in 2020, 1108 cases. As such, there was an upward trend in the number of open cases resulting from complaints from citizens or their representatives, and also from reports made to other authorities, such as the ACT (Authority for Working Conditions), ASAE (Food and Economic Security Authority), Social Security, the Public Prosecutor's Office, the Public Security Police, or at the CNPD's own initiative.
With regard to rights enforcement, 121 cases were opened in 2019, concerning the exercise of the rights of access, rectification, deletion and opposition. Of these 121 cases, 89 were related to exercising the rights to access, rectify and delete data from the Schengen Information System (SIS). In 2020, there was a decrease in the number of rights enforcement cases to a total of 92, with only 73 relating to the exercise of SIS rights.
Of particular significance in this activity report are the notifications relating to personal data breach proceedings under Article 33 of the GDPR. In 2019, 240 cases were opened and in 2020, 301 cases. This increase, according to CNPD, is also indicative of a greater awareness on the part of data controllers, towards the fulfilment of their notification obligation.
Another fundamental aspect resulting from the aforementioned report concerns the sanctioning proceedings. In this regard, 34 fines were applied in 2019, amounting to approximately EUR 600,000 of these fines, 7 corresponded to infringements of the GDPR, in the amount of EUR 410,000, and the remaining sanctions were applied under the previous national data protection legislation (Law No. 67/98 of 26 October), as it was the most favorable regime in cases prior to the application of the GDPR, and also under the legislation on privacy in electronic communications (Law No. 41/2004 of 18 August). In turn, in 2020, the CNPD applied 15 fines amounting to EUR 47,000, most of which for violations of the legislation on privacy in electronic communications, for unsolicited marketing.
Still in this regard, it should be mentioned that the CNPD, in its Deliberation 2019/494, considered that the sanctioning regime provided in the national law on personal data protection in effect (Law no. 58/2019 of 8 August) is contrary to the GDPR and the European Union Law, therefore decided for its non-application. In these terms, the CNDP understood that in cases of violation of the applicable rules on data protection, the sanctions provided for in the GDPR will apply directly. However, it is important to note that this decision is not binding and a court, in case of dispute, may determine the application of fines provided for in the National Law.
3. Organization and procedural management
In 2019 and 2020 the CNDP promoted interaction by electronic means, in order to expedite responses to the doubts and questions raised by citizens,
In fact, in 2019 a specific form was developed for the submission of complaints about unsolicited electronic communications, through the CNPD website. Moreover, in 2020, two specific forms were developed and created for submitting reports on data processing through video surveillance and biometric systems, recording 122 reports (of which 120 were related to neighborhood video surveillance systems).
In view of the above, one can conclude that the CNPD made an effort to be able to meet the two major challenges that were imposed in this two-year period: in 2019, the challenge of the implementation of Law 58/2019 that ensured the enforcement of the GDPR in the Portuguese jurisdiction, and in 2020, the challenge of the pandemic caused by the coronavirus SARS-CoV-2 that strongly impacted the CNPD's activity. However, it seems that the second overshadowed the first and there is still a long way to go ensure an effective enforcement of the GDPR in Portugal.
Article provided by: Ricardo Henriques (Abreu Advogados, Portugal)