GDPR Implementation and Enforcement
A Pan-European comparative analysis including infringements and sanctions in the past year and a half.
Portugal, by Raquel Brizida Castro
One of the first sanctions imposed after GDPR became enforceable was on the Hospital of Barreiro, one of the most populous public hospitals in the Lisbon region. The infringement concerned indiscriminate access to clinical data. The sanction was grounded on the following infringements of GDPR: the data minimisation principle, because the Hospital allowed indiscriminate access to an excessive data set by professionals who should only have been able to access it in previously justified cases; the integrity and confidentiality principles, for failing to implement organisational and technical measures aimed at preventing unlawful access to personal data; and the Hospital's inability to ensure the integrity, confidentiality, availability and permanent resilience of its systems and processing services, together with its failure to implement appropriate organisational and technical measures to ensure a level of security appropriate to the risk, in particular a process for regularly testing, assessing and evaluating the effectiveness of the security measures applied to data processing. The Portuguese DPA (CNPD) imposed on the Hospital of Barreiro a fine of EUR 400,000.
In addition to the case of Hospital do Barreiro, the Portuguese DPA (CNPD) issued three other fines on private entities this year. However, CNPD decided not to disclose the identities of the companies. The highest fine was EUR 20,000 and involved a violation of the data subject's right of access to his/her data. In the other two cases, CNPD issued fines of EUR 2,000 each, grounded on violations of Article 13(1) and (2) GDPR (information to be provided where personal data are collected from the data subject), in connection with the use of video surveillance.
On the other hand, this year our Parliament engaged in a "frenzy" of legislative production on data protection which, in my opinion, created a regulatory and institutional tangle. Last June, the Parliament approved four new laws on data protection: i) the new law implementing GDPR; ii) the new law developing GDPR only for the judicial system, with a separate DPA; and iii) and iv) the laws transposing Directives 2016/680 and 2016/1148 into national legislation, one of them with yet another DPA.
However, the law implementing GDPR only for the judicial system was vetoed by the President of the Republic. The law assigns to judicial magistrates and the MP the responsibility for the processing of data in the context of the proceedings within their competence, and it created a new DPA whose (ministerial) composition is contested and is likely to violate the principle of separation of powers.
Also, through a legally interesting deliberation, CNPD decided not to apply fifteen articles of the law implementing GDPR, which had been in force for only a month. CNPD's justification is that those articles are not compliant with GDPR.
In recent months, CNPD has published two relevant deliberations. The first is the list of data processing activities that must be covered by a DPIA. The second is an interpretative deliberation on the possibility, provided for in the new law, of public authorities being exempted from fines during the next three years. Since several public entities have requested this exemption, CNPD decided that it can only rule on it case by case (in casu).