Regarding the age of consent of the youngsters, the possibility of choosing the age of 16 was considered, imposing the maximum limit defined by the Regulation, but the bill eventually settled at the age of 13, as had already been advanced, and following the proposed by most EU countries.
The document approved (here still in proposal before the vote) maintains the values of fines that had already been advanced and that can go up to 20 thousand euros, or 4% of annual turnover in the case of very serious misconduct. Of the amount paid in fines 60% is delivered to the State and 40% is retained by the CNPD, formally considered "the national control authority for the purposes of the RGPD and this law," as indicated in the document.
The exception for public organizations, which for 3 years can be fined but without imposition of a fine, is still written in the draft law, but has to be requested from the National Commission on Data Protection. "Pursuant to Article 83 (7) of the RGPD, public entities may, upon duly substantiated request, request the National Data Protection Commission to waive the imposition of fines for a period of three years of the entry into force of this law, "the document states.
It is recalled that despite the lack of the implementing law, which has now been adopted, the RGPD has been in force since May 25, 2018 and that organizations had already enjoyed a two-year period of adaptation to the regulation. Yet last year there was a "rush" to the implementation of the new rules in an effort to get the consent of customers and consumers that generated an unusual volume of requests for acceptance of conditions by email.
After one year the CNPD has already taken stock of the implementation of the new rules, and so far only four fines have been applied in Portugal, one to the most significant hospital center in Barreiro and three others to private companies, two of which are stores that did not indicate customer video surveillance. The total value of these fines is 424 thousand euros.