General Regulation of Data Protection – main concepts

General Regulation of Data Protection – main concepts

Publicado em December 11, 2018 at 4:38 am

The General Regulation on Data Protection (RGPD), which enters into force on 25 May, regulates the protection of natural persons with regard to the processing of personal data and the free movement of such data. This regulation introduces not only new rules but also high fines in case of non-compliance, which requires careful attention from organizations dealing with personal data.
The great challenge is to ensure control over the privacy of data in our information society, where the increasing adoption of the internet, social networks and digital business models creates a duality. On the one hand, people are attracted to and share data from their personal lives; on the other, organizations are increasingly capturing information about their customers, usually with the aim of providing more and better services, or as a way of monetizing information.
The RGPD represents an essential change in the way the EU regards the processing and access to personal data, in a new approach that maintains the focus on the self-responsibility of Organizations. In the EU it is believed that companies exploit personal data in an excessive way and mainly for their own benefit, with a lack of transparency on the way and the purpose of the treatment. 
The new regulations are complex and represent a challenge for all companies and organizations, public and private, that will have to implement specific control tools and procedures for the management and protection of their customers’ data. 
In this technical article, we propose to know the main specificities brought by the RGPD regulatory framework.

The RGPD regulates the processing of personal data either by means wholly or partly automated means or by non-automated means. 
• not subject to EU law; 
• natural persons in the exercise of personal or domestic activities; 
• authorities for the purpose of prevention, investigation, detection and prosecution of offenses or for the enforcement of sanctions. 
It is applicable in establishments in the EU, or even in establishments outside the EU, which: (a) offer goods or services in the European area, whether citizens of Europe or citizens of third countries; b) control the behavior of citizens in the European area.

Key concepts namely: 
• Personal data 
“information concerning a holder of personal data” “any information relating to an individual identified or identifiable through them” 
• Sensitive data 
“philosophical or political beliefs, party or trade union membership, faith religious, private and racial or ethnic origin, health and sex life, genetic data ” 
• Data processing
“Operation or a set of operations carried out on personal data”, in particular “collection, registration, organization, structuring, preservation, adaptation or alteration, extraction, consultation, use, dissemination through transmission, dissemination or any other form of making available, comparison or combination, restriction, erasure or destruction ” 
• Treatment 
person – natural or legal person 
– individually or jointly with others 
– determines the purposes and means of treatment of personal data

• Subcontractor 
– natural or legal person 
– treats personal data on behalf of the controller

• Data breach 
– accidentally or unlawfully 
– causes destruction, loss, alteration, disclosure, unauthorized access

Rights of holders (New) 
• Transparency and accessible language (more information, more communications, more exercise of rights) 
• Right to information 
• Right of access 
• Right to correct, erase (oblivion) ​​and limit 
• Right of opposition 
• Right not to be the subject of automated decisions 
• The right to portability 
• Communication of violation of personal data to the holder

Obligations of the person responsible for the treatment 
• Licitation of the treatment: 
– Consent: it becomes a free, specific, informed and explicit (opt-in) consent, unlike the current pre-validated options or silence (opt-out) 
– Contract 
• Measures technical and organizational measures to ensure and prove the treatment in accordance with RGPD 
• Privacy by design: 
– technical and organizational measures, as pseudonymisation and anonymisation 
– guarantees necessary for the fulfillment of RGPD (lawfulness of processing, policies, procedures, codes of conduct) 
• Privacy by default: technical and organizational measures such as minimization and access control
• Notification of violation to the Control Authority in 72 hours 
• Adequate guarantees from the subcontractor 
• Company with more than 250 employees: mandatory registration of treatment activities 
• Privacy Impact Assessment: mandatory if there is profiling, sensitive data, large-scale treatment. Prior consultation required by the CNPD 
• International transfers

DPO – Data Protection Officer 
The existence of a DPO is mandatory in the following organizations: 
• Authority or Public Body (except Courts and OPCs) 
• Large data 
processing • Large-scale treatment of sensitive data and / or related to infractions or convictions 
DPO functions: 
• Information / Awareness 
• RGPD compliance control 
• Advice and control of IPP implementation – Privacy Impact Assessment 
• Cooperation and point of contact with the Control Authority

Fines and Control Authority 
• More independence of the Authority 
– Responsibility for monitoring the application of the RGPD 
– Preventive activity for the controller and / or subcontractor 
• Harmonization 
– Requests for authorization in different MS with different decisions 
– Delay in obtaining a response 
– Harmonization of rules, in particular on international transfers 
• More international cooperation between MS Authorities and the European Commission 
• Research power | Power of correction | Power of attorney and authorization 
– Conduct of audits 
– Warnings, reprimands and ordering the satisfaction of requests for the exercise of rights of the holders
– deliver opinions; authorize treatment; approve codes of conduct 
Application of sanctions 
The maximum limit for the imposition of fines was defined by the RGPD, with each Member State defining a minimum ceiling. In Portugal, the frame has not yet been defined, so at this moment the application of any fine is illegal and unconstitutional. 
Limits on fines: 
• Lowest severity: 10 million euros, or 2% of annual turnover (of the two, the highest) 
• Highest severity: 20 million euros, or 4% of the annual turnover two, the highest value)
In addition to the application of sanctions by the competent authority, one of the main issues which is likely to raise problems for organizations is the right to compensation of the holder for material and / or moral damages.

Follow the RGPD, step by step 
1. Diagnostic Phase 
Read the regulation. Identify the data that exists in the company and the treatment that is done. What types of data are there? For what purpose? And what is the shelf life? Understand what data flows exist. Are there vendors with access to them?

2. Review Phase 
Review if there is consent of the holders for use and treatment of data that already exists. Verify consent documents. Review privacy policies and terms of use, as well as contracts with suppliers and other subcontractors. Place all documentation in compliance with the RGPD.

3. Phase of the DPO Find out 
if the company meets the requirements to have to appoint a Data Protection Officer (DPO). Name a DPO if necessary and involve it in the preparation process.

4. Implementation Phase 
Identify the measures to be taken. Evaluate whether IT systems need to be replaced. Acquire the necessary systems. Draw an implementation plan. Implement the new measures and assess whether everything is in compliance.

5. Phase of compliance 
Training for employees. Ensure continued compliance with the RGPD. Business as usual from May 25.

Outros artigos

Linha de Apoio à Produção

Linha de Apoio à Produção

March 22, 2022

Já está disponível a Linha de Apoio à Produção, com uma dotação de 400M€.

Complaints book: Digital format becomes mandatory as of July 1

Complaints book: Digital format becomes mandatory as of July 1

December 11, 2018

The electronic complaints book, available from 1 July 2017 only for essential public services, has b

Opening of Applications SI2E

Opening of Applications SI2E

Applications under the SI2E measure for areas affected by fires are open. This measure aims at the

Practical table of VAT rates in food and beverage services

Practical table of VAT rates in food and beverage services

Attached documents  VAT Rates (29.16kB)

Simply Subscribe

Subscribe to our regular information service. By subscribing, we'll send you emails with useful information, warnings, and reminders whenever necessary. You may cancel your subscription at any time.
Get in touch