VdA

vda.ptvda.ptvda.pt
Region Area

News and developments

Cnpd Approves 10 Measures To Prepare For The General Data Protection Regulation

On 28th January, 2017, the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados/CNPD) published a document establishing 10 measures for entities to prepare for the application of the General Data Protection Regulation (“GDPR”).

Since the GDPR will apply from 25 May 2018 onwards, CNPD points out that both public and private entities should begin to implement internal procedures and mechanisms so as to ensure compliance with the new data processing.

CNPD highlights 10 main areas of intervention and provides some actions towards ensuring compliance, including the

following:

  • Data subject information: given the new rules arising from the GDPR, all forms, privacy policies and other

    • informative texts used should be reviewed and adjusted so as to include the additional information required by the

    GDPR;

  • Exercising data subject rights: organisations should review their internal proceedings for replying to data subject

    • requests, including in what concerns the exercise of new rights (such as the right to portability and to be forgotten), so as to ensure compliance with the timings and formalities imposed by the GDPR;

  • Data subject consent: organisations should verify the format, terms and circumstances in which data subject consent was obtained. Should this consent not comply with the GDPR rules, new consent is required;

  • Sensitive data: it is necessary to evaluate the categories of personal data processed, so as to identify the possible processing of sensitive data (special categories of data, as set out in the GDPR) and thus determine which criteria will apply to this processing;

  • Documentation and records of processing activities: the activities associated with personal data processing should

    • be documented, through internal registries of data processing activities and through the implementation of other internal procedures. This is an essential measure towards ensuring that both data controllers and data processors are able to verify and demonstrate compliance with the GDPR;

  • Data processing agreements: agreements entered into with data processors should be reviewed, so as to include a

    • vast set of information that the GDPR has deemed to be mandatory. Moreover, in the event of subcontracting by the data processors, the latter should not only check existing agreements, but also confirm whether or not this subcontracting was authorised by the controllers;

  • Data protection officer: whenever the GDPR imposes a mandatory appointment of a Data Protection Officer, organisations should ensure its existence beforehand, considering the data privacy officers’ key role during the implementation of the GDPR. Even when this appointment is not mandatory, CNPD points out its advantages in what concerns ensuring compliance with the obligations set by the GDPR;

  • Technical and organisational security measures for processing: organisations should review all policies, practices

    • and internal measures, in order to ensure an adequate level of security associated with the processing. Organisations should also implement the measures deemed necessary in order to ensure and verify compliance with the GDPR;

  • Data protection by design and impact assessment: it is necessary to carry out a thorough assessment of all projected future processing activities, so as to analyse their nature and context, as well as possible risks for data

    • subjects. Organisations will thus guarantee the application of the principles of data protection by design and by default, as set out in the GDPR;

  • Security breach notification: organisations should adopt and implement internal procedures towards notifying breaches involving personal data. These procedures should include rules and processes regarding the detection, identification and investigation of the circumstances surrounding the breach, mitigating actions, information flows

    • between the controller and the processor, data protection officer involvement and, if applicable, notification to CNPD and to the data subjects.

    The organisations which have not yet started implementing the GDPR should, as swiftly as possible, review and adapt

    their internal proceedings regarding personal data protection, so as to ensure compliance with the GDPR by 25th May

    2018. CNPD will continue to issue guidelines on the GDPR, in order to ensure that it is applied consistently by organisations.

    © 2024 Legalease Ltd. All rights reserved

    Registered company in England & Wales No. 2423756 VAT 324572722

    Registered address: 188 Fleet Street, London, EC4A 2AG