But what indeed is the GDPR, what does it cover, and what are its main purposes and relevant changes? If you have no idea, this article is for you.
First, the Regulation does not need to be implemented in Portugal, as it is automatically applicable under EU rules. This means that, although there will be some internal legislation regarding these matters (still under discussion), the fact that this internal legislation will not be approved before 25 May does not prevent the immediate application of the Regulation in Portugal.
In order to understand the relevant changes, you first need to be familiar with some important definitions (if you are not already): the basics of the basics, which we strongly recommend you familiarise yourself with, such as the definitions of Personal Data, Processing, Controller and Processor, as well as some more specific definitions (profiling, pseudonymisation). Only once you know whether you are indeed processing personal data, and how, will you be able to understand your specific obligations under the GDPR.
Specifically regarding the principles set out in the Regulation, they are essentially the same as before: (i) the processing of personal data has to be done lawfully, fairly and transparently; (ii) it has to have a limited purpose (data is collected for specific, explicit and legitimate purposes); (iii) the data must be minimised (the data processed has to be adequate, relevant and limited to what is necessary for its purposes); (iv) the data must be accurate and up to date; (v) there has to be a storage limitation (the data may not be kept any longer than necessary for the purpose of its processing); (vi) companies that process personal data will have to implement appropriate security and organisational measures for its protection; and (vii) companies should be able to demonstrate compliance.
Let’s look in detail at some, although not all, important changes that may affect your company.
1. New rules for consent
For the processing to be lawful, the data subject must give their consent to it, although there are other lawful bases for processing (for example, where processing is necessary under a contract or a legal obligation, consent does not need to be obtained). Consent will need to be freely given, specific, informed and unambiguous, and given by a statement or a clear affirmative action. This means that, although it can be an oral statement (it does not need to be in writing), it will have to be specific and cannot be tacit: silence or inactivity cannot be taken as consent. Importantly, it is the controller that has to demonstrate that consent was provided.

2. Reinforcement of existing rights
Certain rights of the data subject are reinforced, such as the right to information – before you process personal data, you will need to provide broader information to the data subject than you are currently providing.
The right of access is reinforced as well, as the data subject will have the right to obtain confirmation from the controller as to whether or not personal data concerning them are being processed and to have access to the personal data processed. The controller will have to provide a copy of the personal data processed if requested, in a readable format.
Additionally, the data subject will have the right to obtain the rectification of any inaccurate data from the controller without undue delay.

3. New rights
Some new rights are established. These include the right to be forgotten. And yes, this does indeed mean the erasure of personal data, without undue delay, whenever the personal data are no longer necessary and the consent provided has been withdrawn, or if the data is unlawfully processed. However, there are some exceptions to this right.
We also now have the right to data portability. This is the right to receive one’s own personal data in a structured, commonly used and machine-readable format. It also includes the right to request the transfer of this data to another controller where technically possible, whenever the processing is based on consent and carried out by automated means.

4. The Data Protection Officer (DPO)
The Regulation imposes the obligation to appoint a DPO, designated by the controller or processor. However, a DPO is only mandatory in certain situations: when the processing is done by public authorities; when the core activity of the controller or processor consists of processing operations which require regular monitoring of data subjects on a large scale; or when the core activities of the controller or processor consist of large-scale processing of special categories of data.
Outside these situations, it is not mandatory to have a DPO, although companies can always opt to have one.
To perform the duties of DPO, the person appointed must have the right professional qualities and expert knowledge regarding data protection law. This is essential because it is the DPO that informs and advises the controller of its obligations and monitors compliance with the law. The DPO is also the point of contact with the supervisory authority and data subjects, so it is crucial for the DPO to be fully involved in a timely manner with all data protection issues.
The DPO can either be a member of the company’s staff, or a service provider. However, if they work under an employment contract, they cannot be dismissed or penalised for performing their tasks.

5. Impact assessments and prior consultation with the CNPD
If the type of processing your company is doing (using new technologies, for example) is likely to result in a high risk for the data subjects, prior to carrying out any processing, the controller must assess the impact of data processing operations on the data subjects.
This assessment is mandatory when there is: (i) large-scale processing of special categories of data; (ii) a systematic evaluation of personal aspects based on automated processing; (iii) systematic monitoring of a publicly accessible area on a large scale; or (iv) any other situation that may be listed by the CNPD (the Portuguese Data Protection Commission).
When the impact assessment indicates that the processing would result in a high risk for the data subjects, it is mandatory to carry out a prior consultation with the CNPD.

6. Data breach notifications
Another change introduced by the Regulation is the obligation to issue notifications about data breaches.
There is an obligation to inform the CNPD without undue delay and, whenever possible, not later than 72 hours after becoming aware of the breach, unless there is no serious risk to the rights of the data subjects.
There is also an obligation to inform the data subjects themselves, without undue delay, when the breach is likely to result in a high risk to their rights and freedoms. Of course, there are some exceptions to this obligation, for example, when the controller has implemented appropriate protection measures, or when the effort involved in informing the data subjects is disproportionate to the risk (although a public communication would be advisable in that case).
Finally, the processor has the obligation to notify the controller immediately of any breach and the controller is required to maintain a register of all breaches.

7. Other relevant obligations
We now have a “risk-based approach”, which changes the accountability of controllers and processors: the obligation to request prior notification or authorisation from the CNPD will cease. Instead, the controller will have to comply with the rules on its own initiative and demonstrate that it has done so. The controller will have to be aware of all data processing it is currently performing, and implement (from the outset, and by default) any policies necessary to protect the personal data processed.
Companies with more than 250 workers must maintain a register of all data processing.
Finally, the relationship between processor and controller will be subject to a written contract with several obligations and specific provisions.

8. Sanctions – Administrative fines
The administrative fines can rise to EUR 10 million or EUR 20 million, depending on the type of breach, or for companies, up to 2% or 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher).
Please note that each Member State defines the sanctions applicable to a breach of the Regulation: the minimum limits of these administrative fines and even the breaches that shall not carry an administrative fine. We will therefore have to wait for our internal Portuguese law to know what to expect in this regard.
Daniel Reis
Carmen Baptista Rosa