The enactment of the diploma was made and communicated at the end of last week, together with seven other diplomas. It was the missing step for the law that ensures the implementation in Portugal of the General Data Protection Regulation (RGPD) to be effectively applied. The diploma now awaits publication in the Diário da República.
After another year of discussion and preparation at the RGPD Working Committee in Parliament, the diploma was approved in June after a lengthy review by the Working Committee with opinions from various entities, and published last week in its final version. Only the promulgation by the President of the Republic was missing.
"Since the present statute has not been opposed by the Assembly of the Republic, and the Regulation, under the terms of the Constitution of the Portuguese Republic and European Union Law, is a legislative act, binding and directly applicable in its entirety – and although national legislation has not, as the CNPD has stated in its Opinion, received more attention in the rule-making economy and further clarification of rights and freedoms concerning the processing of personal data – but bearing in mind that the General Regulation on Data Protection is applicable since 25 May 2018, the President of the Republic promulgated the Diploma ensuring the implementation, in the national legal order, of Regulation (EU) 2016/679 of the Parliament and of the Council of 27 April on the protection of individuals with regard to the processing of personal data and on the free movement of such data" of the Republic.
Despite the lack of the implementing law, which has now been enacted, the RGPD has been in force since 25 May 2018, and organizations had already enjoyed a two-year period of adaptation to the regulation. Even so, last year there was a "rush" to implement the new rules, with an effort to obtain customer and consumer consent that generated an unusual volume of email acceptance requests.
After one year, the CNPD took stock of the implementation of the new rules. So far only four fines have been imposed in Portugal: one on the Barreiro hospital center, the most significant, and three others on private companies, two of which are stores that did not indicate that customers were under video surveillance. The fines imposed total 424 thousand euros.
Fines for very serious infringements can be up to 4% of an organization's annual turnover, with a ceiling of €20 million for large companies and €2 million for SMEs. In the case of natural persons, the limit of the fines was set at 500 thousand euros.
The State and Public Administration bodies were not exempted from fines for three years, as had been proposed by the Government. This was one of the themes that divided the deputies in the approval of the final text of the diploma, as Andreia Neto, PSD MP and Coordinator of the Working Group, told SAPO TEK.
Portugal at the tail of Europe in adapting the RGPD
In Europe, only Portugal, Greece and Slovenia had not yet adapted the General Data Protection Regulation (RGPD), but the European executive claims that the first year of implementation is a success. The latest Eurobarometer data show that European citizens are more aware of data protection rules and their rights, but only 20% know who the data protection authority is. That is why the European Commission is launching a new campaign this summer to encourage Europeans to read privacy statements and optimize the settings of the services and applications they use.
The regulation empowers national authorities to take action in cases of data breaches and also reinforces companies' obligations to report cases in a timely manner. It also increases international cooperation: according to today's report, by the end of June 2019 the cooperation mechanism had managed 516 cross-border cases.