Data Protection
On May 25, 2018, the General Data Protection Regulation came into force in all Member States of the European Union, and on August 8, 2019, Portuguese Law 58/2019 of August 8 was published, which governs its implementation in the national legal system.
The General Data Protection Regulation was intended to respond to a set of very current challenges, among which we can highlight:
- Harmonize data protection laws in all member countries of the European Union
- Create clearer rules for data transfer across borders
- Improve control over personal data
- Oblige organizations to be more rigorous and accountable in the collection and processing of personal data
Thus, "personal data" is any information relating to a natural person that allows that person to be identified, directly or indirectly, by reference to an identifier such as a name, an identification number or location data, among others. And since any operation carried out on such data is considered processing (collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available), it is particularly important that all organizations take special care in this matter.
It is essential for all organizations to know precisely where they stand with regard to personal data, so it is especially important to carry out a data protection "due diligence" in order to establish, in particular:
- What personal data exists in the organization?
- On what legal basis are the data being processed?
- If consent-based: Will it be necessary to obtain new consent?
- Do I need to review printouts, forms and privacy policies?
- Is the language used clear, accessible and are data subjects provided with all mandatory information?
- Are there specific rules to prove that all legal requirements are met?
- Where is the data hosted?
- Is there any data transfer outside the European Union and, if so, is it legitimate?
Based on the results obtained in each organization, and taking the existing situation as the starting point, it will be essential to ensure compliance with the obligations imposed by the General Data Protection Regulation: establish policies and procedures that allow the organization to react to any security breach and notify the competent authorities within the established deadlines, prepare documents for the subcontracting of services that meet the applicable requirements, establish mechanisms to respond to the exercise of rights by data subjects and, fundamentally, implement actions aimed at complying with the General Data Protection Regulation, such as:
- Define and write internal privacy policies
- Prepare procedure manuals, statutes and codes of action
- Define consent mechanisms
- Review contracts and legal documentation
It is equally essential for any organization to develop a follow-up schedule through regular compliance audits, an impact assessment whenever a new type of processing is introduced, and regular testing to check for intrusion vulnerabilities and to verify data access controls.