Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

Portugal's data law places emphasis on consent [2000] PLBIRp 23; (2000) 54 Privacy Laws and Business International Report 6

Portugal's data law places emphasis on consent

PORTUGAL WAS ONE OF THE FEW countries to implement the EU Data Protection Directive in 1998. Daniel Reis of PLMJ - Sociedade de Advogados, Portugal's largest law firm, examines how the Directive has been transposed into national law.

Portugal's new data protection law, Law No. 67/98, of 26 October 1998, came into force on 27th October 1998. This act implemented the EU Data Protection Directive 95/46/EC, and almost complied with the implementation date established by the Directive. The rules established by this law replaced the existing Portuguese data protection rules, which were set out in Law No. 10/91 of 29th April 1991, as amended by Law No. 28/94 of 29th August 1991.

This report aims to give an overview of the current rules applicable to the processing of personal data in Portugal, and especially the extent to which Portugal's law differs from the EU Data Protection Directive.

SCOPE OF THE LAW NOW INCLUDES MANUAL DATA

Personal data is defined as any information relating to an identified or identifiable natural person. This information, according to Article 3 of the current law, includes sound and images. With regard to sound and images, Article 4(4) which defines the scope of application of the law, makes an express reference to surveillance by video and other technical means that capture, process and transmit sounds and images. These forms of data processing are within the scope of the law insofar as the data controller is established in Portugal.

Sensitive personal data is subject to a more restrictive regime as processing of such data is allowed only in limited cases. Sensitive personal data is defined as personal data relating to philosophical, religious or political beliefs, membership of a political party or a trade union, private life and racial or ethnic origin, as well as data related to health and sex life, including genetic data.

This definition, contained in Article 7 of the law, has a very interesting aspect that is not mentioned in Article 8 of the Directive, namely "private life". This concept originates in the definition contained in Law No. 10/91. As yet, there is no case law that would have clarified the meaning of the expression "private life". The implications may be significant, however, as it is arguable that consumer habits may be considered to represent "private life".

The Directive excludes from the scope of its application the processing of personal data related to public security, defence, State security and the activities of the State in areas of criminal law. The Portuguese law, on the other hand, even though it allows for different rules that may emerge from sector specific regulations and international treaties, establishes that the processing of personal data that has as its objective public safety, national security and State security are covered by the law.

The scope of the new law is wider than Law No. 10/91, because Law No. 10/91 covered only the automated processing of personal data. The earlier law was called the Data Protection and Computer Technology Law. The new rules, as prescribed by the Directive, also cover manual processing of personal data.

THE LAW REQUIRES CONSENT

The fundamental principle applicable to data processing is that any processing must be done in a transparent way and with respect to the data subject's right to privacy. This principle means, in practice, that the processing of personal data must be done with the data subject's consent and for specified purposes.

The principle of consent is laid down in Article 6 of the law. Personal data may be processed only when data subjects have unequivocally given their consent.

The exceptions to this rule are identified in Article 6 and correspond to the exceptions contained in Article 7 of the Directive: processing is necessary for the performance of a contract, a legal obligation, a vital interest of the data subject, a task carried out in the public interest or for the purposes of legitimate interests pursued by the controller.

Article 5 (1)(b) states that personal data must be gathered for specified, explicit, and legitimate purposes, and may not be processed in a way that is incompatible with such purposes.

RIGHTS GRANTED TO DATA SUBJECTS

The data subject is granted four important rights by the law: the right to be informed; the right of access to data; the right to object to processing; and the right not to be subject to automated individual decisions.

With regard to the right to be informed, Article 10 states that the data subject must be informed of the identity of the data controller. In addition, the controller must declare the purposes of the processing for which the data are intended, and any further information such as the recipients, or categories of recipients of the data, whether replies to any written questions are obligatory or voluntary, as well as possible consequences of failure to reply. Data subjects must also be informed of subject access and the right to have false data rectified.

SUBJECT ACCESS

With regard to the right of access, the data subject may approach the data controller, without restrictions, excessive cost, or delays, and obtain confirmation of whether his personal data is being processed.

If this is the case, the data subject may access such data, be informed of the logic behind the processing, and correct or have unlawfully processed data deleted. In some cases the right of access must be exercised by proxy. This is the case with health data that must be accessed by a doctor, and data relating to State security and criminal investigations that must be accessed by the Portuguese Data Protection Commissioner (Comissão Nacional de Dados Pessoais - CNPD).

The data subject has a general right to oppose any processing of personal data, whenever there is no express legal provision to the contrary. The data subject may always oppose any data processing that is connected with direct marketing and must be informed whenever such data is communicated to third parties, also having the right to oppose these transfers.

Any person has the right not to be subjected to a decision that is based exclusively on automated processing of data in order to determine certain aspects of his personality, such as professional ability, creditworthiness, trust or behaviour. An exception to this rule is contained in Article 13 of the law, which relates to performance of a contract.

EXEMPTIONS FROM NOTIFICATION

Data controllers must notify the CNPD about their processing of personal data. This rule is included in Article 27, but the second paragraph of this article states that in certain cases the CNPD may exempt from notification certain types of data processing. The CNPD has so far published six exemptions regarding the processing of data:

1) relating to employees with regard to the calculation and payment of salaries;

2) relating to the management of libraries;

3) with the exclusive aim of invoicing clients, suppliers and service providers;

4) relating to the administration of employees' and service providers' records;

5) relating to the recording of the entry and exit of persons to buildings;

6) relating to associations' membership administration.

In all these cases the exemptions define the type of data that may be processed, the length of time for which it may be kept and the persons to whom it may be communicated.

These exemptions from notification do not exempt data controllers from complying with the rest of the law's provisions.

In some cases the data controller must seek prior authorisation in order to process data. Article 28 contains the circumstances where authorisation is needed. Prior authorisation is required for the processing of sensitive data, the processing of data relative to creditworthiness, data matching and the use of data for purposes that are not identified on collection.

All authorisations granted by the Data Protection Commissioner must be published.

EFFECTIVE PENALTIES

There are three types of liability that may arise from unlawful processing of personal data: civil liability, misdemeanours and criminal liability.

Article 34 states that any person that suffers damages from unlawful processing of personal data may sue the data controller for damages.

If a data controller fails to notify the CNPD of the processing of personal data, he commits a misdemeanour that is subject to a fine of up to PTE 3,000,000 (approximately £9,300).

If the data controller intentionally does not notify the CNPD, does not seek authorisation, or uses data for purposes other than those declared, a crime is committed. The penalty is a prison sentence of up to one year. Whenever sensitive data is involved, the maximum sentence is two years.

TRANSBORDER DATA FLOWS

Personal data may be transferred freely between the EU Member States. Personal data may only be transferred to countries that are not Member States when they can ensure an adequate level of data protection. The decision on whether a country provides an adequate level of data protection rests with the CNPD.

Article 20 of Portugal's law contains certain situations where personal data may be transferred to countries that do not ensure an adequate level of data protection. This situation may occur when the data subject has given his unequivocal consent, when the CNPD authorises the transfer, or when the transfer is necessary for the performance of a contract.

Other grounds include transfers to protect an important public interest, to protect the interests of the data subject or transfers made from a public registry. The CNPD frequently authorises transfers of personal data between companies of the same group.

Daniel Reis is a lawyer within the IT Department of A.M. Pereira, Sáragga Leal, Oliveira Martins, Júdice & Associados (PLMJ), the largest law firm in Portugal with approximately 100 lawyers specialised in different fields of law. Contact details:

PLMJ - Sociedade de Advogados

Tel.: + 351 213 197 323

Fax: + 351 213 197 309.