INTRODUCTION
The General Data Protection Regulation (GDPR) governs the protection of natural persons with regard to the processing of personal data and the free movement of such data, repealing Directive 95/46/EC. The GDPR, currently in force and directly applicable as of 25 May 2018, introduces not only new rules but also high fines for non-compliance, requiring close attention from organisations that handle personal data.
This Regulation is complex, with new principles and concepts, new rights for data subjects that imply new obligations for the companies that handle their data. Impact assessments, privacy by design in new products or services involving data, privacy by default, security breach notifications, and the designation of a Data Protection Officer (DPO) are just a few examples.
The new regulation requires strict management of personal data processing, implying significant changes to existing processes and procedures at idD Portugal.
It applies broadly to all operations involving the collection, consultation, or handling of personal data in the scope of idD Portugal’s activities and demands rigorous, appropriate controls that clearly ensure the preservation of individual citizens’ rights and minimise privacy breach risks.
Information Security is directly related to protecting information from a set of threats, aiming to ensure business continuity, minimise risk, and safeguard its value.
In this regard, idD Portugal’s strategy is defined and directed towards standardising general and specific rules for security activities, based on the following “Fundamental pillars of information security”:
Confidentiality – ensuring that only authorised users have access to the information and it is not accessible to unauthorised users.
Integrity – ensuring the accuracy, precision, and consistency of information throughout its lifecycle.
Availability – ensuring that information is available whenever needed and access is not interrupted during its lifecycle.
To ensure data security, there must be a harmonious connection between technological tools (hardware and software) and adequate internal organisational rules, including:
Regular information to all employees on data security rules and obligations under data protection laws – particularly regarding confidentiality.
Clear distribution of responsibilities and objective description of competences in data processing – especially regarding decisions on personal data processing and transfers to third parties.
Use of personal data only in accordance with instructions from the competent person (DPO) or with general rules.
Access protection to facilities, hardware, and software of the controller or processor, including access authorisation controls; ensuring access rights to personal data are granted by the competent person and require proper documentation.
Automated protocols for access to personal data by electronic means and regular internal control service checks; detailed documentation for other forms of disclosure besides automated access to demonstrate that no illegal data transmissions occurred.
Provision of appropriate training and education on data security to staff – an important and effective preventive security measure.
Implementation of verification procedures to ensure that the appropriate measures set out on paper are implemented and work in practice – Audits.
SCOPE
WHO IT APPLIES TO
To all natural and legal persons who process personal data of EU residents. The purpose is a single European data market with a unified law for all EU Member States.
Thus, the GDPR applies to idD Portugal in the context of all personal data processing activities.
WHEN IT CAME INTO FORCE AND WHEN IT APPLIES
The GDPR is in force, was published on 27 April 2016 in the European Parliament with 95% approval, and has been mandatory since 25 May 2018 in all EU Member States, replacing in Portugal Law 67/98, which transposed the former Directive 95/46/EC.
IMPACT
For the entities covered, policies and measures must be implemented to ensure compliance with the GDPR, under penalty of fines of up to €20 million or 4% of the global annual turnover of the previous financial year (whichever is higher).
REQUIRED ACTIONS
Establish policies and procedures to respond to any security breach and notify the competent authorities within the established deadlines.
Analyse the legal basis for data processing. If it is based on consent, review the given consent to determine whether it meets all the new requirements, or obtain new consent if necessary.
Review forms, templates, and privacy policies. Ensure the language is clear and accessible, and that all information required by the GDPR is provided to data subjects.
Review service subcontracting contracts involving personal data processing to ensure they meet GDPR requirements.
Prepare and establish mechanisms to respond to the exercise of new rights by data subjects: Right to Erasure; Right to Data Portability.
Ensure specific rules are in place to prove compliance with all legal requirements.
Carry out an audit/assessment to verify what is needed to comply with the GDPR (Accountability).
Prepare the appointment and functions of the Data Protection Officer (if applicable) and document all personal data processing activities in detail (if applicable).
Verify where data is hosted and whether it is transferred outside the EU (and if so, whether such transfer is legitimate).
MAIN CHALLENGES
CONSENT
Any personal data processing, even if collected before the regulation, must comply with the GDPR. A cornerstone is the requirement for the data subject’s consent for a clearly defined purpose. Consent must be free, specific, informed, explicit, and given by an unambiguous act. Withdrawing consent must be as easy as giving it.
It is likely that many existing consents will not meet all GDPR requirements, requiring new consent to be obtained.
ACCOUNTABILITY
Organisations must be able to prove compliance with the regulation, namely:
That the personal data they hold is legitimate and limited to what is necessary.
That the data is up to date, secure, and confidential.
That they have formalised policies, procedures, codes of conduct, and internal instructions available to supervisory bodies.
That they have systems to monitor compliance with policies and procedures.
Thus, it is necessary to have rules but also evidence of compliance with the GDPR.
NEW RIGHTS
The GDPR lists several rights for data subjects, some requiring significant changes in operations, including:
Right to be forgotten – the data subject can request data deletion.
Right to data portability – the data subject can request that the data provided to a service provider be transferred to another provider, where technically feasible.
Right not to be subject to decisions based solely on automated processing.
DATA BREACH NOTIFICATION
The CNPD or the designated supervisory authority must be notified (within 72 hours) of all data breaches posing a risk to the data subject. Organisations must be able to detect any data breach as soon as it occurs or becomes known.
CONTAINING AND MINIMISING DATA BREACH IMPACT
After a confirmed data breach detection, the organisation must implement all measures from its Contingency Plan to contain the spread, recover data where possible, or permanently delete it remotely if recovery is not possible.
DATA PROTECTION OFFICER (DPO)
Public authorities or bodies, entities that regularly monitor personal data on a large scale, and/or those processing sensitive data on a large scale must appoint a DPO.
Even where a DPO is not mandatory, the entity should designate a responsible person for personal data processing and protection.
DATA SECURITY
Security means ensuring the permanent confidentiality, integrity, availability, and resilience of processing systems and services. In practice, this means the legal requirement to implement an information security management system.
It is essential to locate personal data and eliminate non-compliant data, whether in systems or on paper, both within the organisation and with processors. Significant costs may arise from adapting systems to new rules and recommended protection techniques.
The concept of Privacy by Design is introduced, requiring data protection to be considered from the design stage and by default, including this aspect in data processing development processes.
OUTSOURCING AND DATA PROCESSING
It is common for personal data to be processed partially or fully by subcontractors. Subcontractors now have responsibilities, requiring contracts that set out rules between the parties. Existing contracts must be reviewed.
Subcontractors must prove compliance with all contractual and GDPR requirements, particularly regarding confidentiality and security.
KEY CONCEPTS
Personal data – Information relating to an identified or identifiable natural person (“data subject”), who can be identified directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or to one or more factors specific to that person’s physical, physiological, genetic, mental, economic, cultural, or social identity.
Genetic data – Personal data relating to genetic characteristics of a natural person providing unique information about their physiology or health, resulting in particular from the analysis of a biological sample.
Biometric data – Personal data resulting from specific technical processing related to a natural person’s physical, physiological, or behavioural characteristics, enabling or confirming unique identification, such as facial images or fingerprints.
Health data – Personal data related to a natural person’s physical or mental health, including healthcare services, revealing information about their health status.
Sensitive data – Special categories of data including genetic and biometric data, subject to stricter conditions for processing.
Processing – Any operation performed on personal data, whether by automated or non-automated means, such as collection, storage, retrieval, use, disclosure, erasure, or destruction.
Limitation of processing – Marking stored personal data to restrict its processing in the future.
Profiling – Any automated processing of personal data to evaluate certain personal aspects, such as performance, health, preferences, reliability, behaviour, location, or movements.
File – Any structured set of personal data accessible according to specific criteria, centralised or distributed.
Controller – The entity that determines the purposes and means of personal data processing.
Processor – The entity processing personal data on behalf of the controller.
Recipient – The entity receiving personal data.
Third party – Any entity other than the data subject, controller, processor, and persons authorised to process data under their authority.
Main establishment – The main location of a controller or processor within the EU where decisions on processing purposes and means are made.
Representative – An EU-based person or entity designated in writing to act on behalf of the controller or processor.
PRINCIPLES (Article 5 GDPR)
Lawfulness – Processing must have a legal basis (consent, contract, legal obligation, etc.).
Transparency – Information to data subjects must be clear and understandable.
Fairness – Organisations must provide sufficient information to data subjects about processing and rights.
Accuracy – Data must be accurate and kept up to date.
Purpose limitation – Data collected for specific, explicit, and legitimate purposes must not be further processed for incompatible purposes.
Data minimisation – Data must be adequate, relevant, and limited to what is necessary.
Storage limitation – Data must not be kept longer than necessary.
Security – Data must be processed securely to prevent unlawful access, loss, or damage.
Accountability – The controller or processor must be able to demonstrate compliance with the GDPR.
REVIEW AND UPDATE
This GDPR application policy is reviewed periodically and may be updated. Users should consult it regularly.
Current version: 1.0
Last update: 01.10.2024