Deliberation 2019/494, CNPD’s Position on Law no. 58/2019
04 October, 2019
On September 3rd, 2019, at a meeting of the National Data Protection Commission («CNPD»), Deliberation 2019/494 was approved. It defines this regulator's understanding of some of the rules of Law No. 58/2019 of August 8th, which ensures the implementation in Portugal of Regulation (EU) 2016/679 of the Parliament and the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and the free movement of such data («GDPR»).
- To establish the understanding that certain provisions of this law are manifestly incompatible with European Union law, focusing in this deliberation on those provisions which, due to their relevance and frequency of application, call for the formal adoption of such understanding.
- That, based on the principle of the primacy of European Union law and on the other arguments set out in the deliberation, it will not apply those provisions in future cases concerning the processing of data and the conduct of controllers or processors.
Therefore, under Deliberation 2019/494, CNPD considers that the following articles of Law no. 58/2019 will not be taken into consideration by this regulator when analyzing future cases:
- Article 2 (1) and (2), which establish the scope of the Law. According to CNPD, this rule compromises the application of procedural rules and the distribution of powers between national supervisory authorities, where cross-border processing is concerned.
- Article 20 (1), which restricts the rights of information and access in the event of a duty of secrecy against the data subject. CNPD understands that its content goes beyond the limits imposed by GDPR on the data subjects' rights of information and access, and that any legal limitation to the exercise of rights, in particular the exercise of a fundamental right such as the right of access, must never result from a generic rule such as Article 20 (1).
- Article 23, which refers to the processing of personal data by public entities and the possibility of transfer between public entities for purposes other than those that justified data collection. At this point, CNPD believes that the public interest, defined in such a broad way, cannot surpass the rights of the data subjects and cannot be extended in such a way that it loses its inherent characterization. In addition, CNPD considers that the article in question disregards the purpose limitation principle, protected under article 5 of GDPR.
- Article 28 (3) (a), which establishes that, unless there is a law that states otherwise, the consent of the worker is not a requirement of lawfulness of the processing of his data if the processing results in a legal or economic advantage for the worker. CNPD considers that this is an excessively restrictive limitation of worker consent, which does not guarantee the dignity and fundamental rights of workers.
- Article 37 (1) (a), which stipulates that the processing of data with intentional non-compliance with the principles set out in article 5 of GDPR corresponds to a very serious offense. CNPD understands that GDPR does not distinguish between willful and negligent non-compliance with these principles, and all breaches, whether willful or negligent, are punishable.
- Articles 37 (1) (h) and 38 (1) (b), where it is determined that failure to provide relevant information under articles 13 and 14 of GDPR is a very serious offense and not providing the remaining information mentioned in those articles is “only” a serious offense. CNPD clarifies that GDPR makes no distinction between the relevant information and the rest of the information, and that all situations of failure to comply with the information duties provided for in articles 13 and 14 of GDPR are punishable as very serious breaches.
- Article 37 (1) (k), which stipulates that the refusal to cooperate with CNPD is a very serious offense, where, under GDPR, a less serious offense framework is applicable.
- Articles 37 (2) and 38 (2), which establish different fines according to the size and legal nature of the agent. CNPD states that GDPR makes no differentiation, so Portuguese law cannot deviate from the limits established by GDPR.
- Article 39 (1), which establishes criteria for determining the amount of the fines. CNPD understands that they go beyond GDPR provisions.
- Article 39 (3), which determines that, unless there is willful misconduct, any contravention procedure depends on CNPD giving the agent prior notification. CNPD states that such a provision establishes a special framework for negligent misconduct, which is not compatible with GDPR.
- Article 61 (2), which stipulates that «if the expiry of the consent is a reason for termination of a contract to which the data subject is a party, the processing of the data shall be lawful until expiry takes place». CNPD understands that this rule is incongruent, as it confuses two types of legal basis, consent and contract enforcement. The contract to which the data subject is a party is enough to justify the processing of the data necessary for its execution.
- Article 62 (2), which determines the retroactive application (to 25 May 2016) of the expiry of the rules that provide for the need for authorizations from or notifications to CNPD. CNPD clarifies that GDPR only became applicable from 25 May 2018 on.