Portugal’s new data protection law

Portugal’s new data protection law “Lei de Execução do Regulamento Geral sobre a Proteção de Dados” was finally published and entered into force last month, following its approval in June. This makes Portugal one of the last EU states to implement the GDPR regulations in national law. The new law regulates among other things the following points:

Consent:

Persons aged 13 and over can give effective consent. In an employment relationship, an employee’s consent is considered a legitimate legal basis only if it leads to a legal or economic advantage for the employee or if it is necessary to fulfil a contract.

Data Protection Officer:

In addition to the tasks defined in the GDPR, the Data Protection Officer in Portugal must ensure that audits are carried out, that Controllers are aware of the importance of early detection of data protection incidents and the relations with the Data Subjects regarding data protection.

Video surveillance:

The law stipulates that in some areas, such as bathrooms or changing rooms, video surveillance is prohibited. ATMs may also only be filmed in such a way that the customer’s keyboard and the associated PIN entry cannot be seen.

Retention periods:

If no retention period is specified, the duration necessary to achieve the purpose shall be decisive. However, the right to be forgotten can only be exercised at the end of the retention period. In contrast to the GDPR the Portuguese data protection law permits a storage of certain dates for always. This applies only to data about the social security amounts for the retirement if suitable technical and organizational measures are taken.