Labor relations and insurance are the areas most affected by the lack of a law implementing the General Data Protection Regulation (RGPD) in Portugal, according to the chair of the National Commission for Data Protection (CNPD).
Across the European Union, only Portugal and Greece do not yet have a national law implementing the regulation, which has been in effect in all member states for a year, since May 25, 2018.
"The law makes us want. It was urgent that the law be approved; a year after the regulation was applied, it is a long time to be without national law," Filipa Calvão, president of the CNPD, said in an interview with Lusa, noting that, except for Portugal and Greece, all other states have national laws implementing the Community regulation.
The first year of implementation of the RGPD, which is completed on the 25th of this month, was "a bit difficult" for the CNPD, according to its president, because the lack of specific legislation "is having practical consequences" in several kinds of personal data processing.
"It has consequences in the context of labor relations, regarding the biometric data for attendance control, on which labor law is not sufficient in this matter," the CNPD president said, also highlighting the consequences of this lack of legislation for insurance activity that involves health data.
The CNPD argues that the request for consent that insurers have made to customers "is not relevant or legally relevant" and says that a framework is needed that legitimizes such data processing.
"It is a lack of framework that is essential and that the parliament is forgetting," the CNPD president said, referring to the fact that the latest working group bill does not solve this problem.
In the first year of application of the RGPD, the Commission fined four entities a total of EUR 424 thousand, and opened 864 inquiries which may result in mismanagement or in the application of corrective measures or recommendations.
The RGPD began to be applied in Portugal and other Member States on 25 May last year, introducing penalties for non-compliance which, in the most serious cases, could go up to 20 million euros or 4% of annual worldwide turnover, whichever is greater.
In the least serious cases of infringement involving personal data, fines may amount to up to EUR 10 million or 2% of annual worldwide turnover.
According to the regulation, citizens have to give explicit consent for their personal data to be used – and for what purpose – and can ask for it to be erased at any time.
Implementation of the RGPD still lacks national legislation, which is being drafted and discussed by a working group in parliament but has not yet been put to a final vote.