Corporate governance. What is it?

Corporate governance is the structure of rules, practices, and processes used to direct and manage a company. The basic principles of corporate governance are accountability, transparency, fairness, and responsibility.

These principles and rules are provided for in the Portuguese Companies’ Code, which applies to companies in general, some of which are subject to stricter requirements (e.g., public listed companies and State-owned companies).

A company’s corporate governance is a key component of investor and community relations, as it reveals a company's direction and business integrity. Consequently, corporate governance helps to promote financial sustainability by creating a long-term investment opportunity for market stakeholders.

Corporate governance covers the areas of environmental awareness, ethical behaviour, corporate strategy, compensation, and risk management.

Core corporate rules.

To engage in good corporate governance practices, it is crucial to know the company well: its framework, laws and regulations, share capital structure, corporate and statutory obligations, and the way the company interacts with its employees, customers, suppliers, commercial partners, and stakeholders in general. There are “core” corporate rules. Amongst these:

  • Annual accounts approval. The company’s accounts must be approved on a yearly basis. The annual management report, the financial year’s accounts and the accountability documents, which are prepared by the company’s management/board of directors, must be presented to and approved by the shareholders’ general meeting within three months after the closing of the previous financial year or, in companies that must present consolidated accounts or use the equity method, within five months counting from the same date. If, two months after the end of these terms, the accountability documents have not been presented, any shareholder can demand a court inquiry. The shareholders’ approval of the accounts must be registered with the Commercial Registry Office. This registration is made by deposit of the accounts, and from the deposit onwards these documents become public information. The registration request must be carried out upon delivery of the so-called Corporate Simplified Information (IES – Informação Simplificada da Empresa), by July 15 each year (unless this deadline is extended). If a company fails to approve and register its annual accounts, it will be unable to register further corporate acts, with some exceptions (e.g., appointment and termination of the term of office of the corporate bodies, registration of shares, seizures, enrolments and liens on shares or on share rights). Companies that do not register annual accounts for two consecutive years may be subject to an administrative winding-up and dissolution procedure.
  • Duties of the managers/board of directors and of other executive positions. The company’s managers and directors must comply with general duties of loyalty and care. Non-compliance with these duties contravenes the law, and such an infringement may give rise to a compensation claim. The managers’/directors’ civil liability arises from acts carried out in the performance of, or related to, their duties. Managers/directors are also liable for tax debts and may incur criminal and misdemeanour liability. The rules on the civil liability of managers/directors do not apply to other executive positions, which are not governing bodies and are performed by the company’s employees, even though such employees may be assigned management powers, for instance under a power of attorney. The liability of an executive position is based on the defective fulfilment of his/her obligations towards the company.
  • The managers’/directors’ term of office and powers of attorney. Acts involving the conclusion of contracts or the acceptance of obligations by the company towards third parties must be signed by the managers/directors with powers to sign, in accordance with the company’s binding rules. For organisational, transparency and, above all, accountability reasons, whenever the managers’/directors’ terms expire, a procedure to appoint new managers/directors or to renew/re-elect the management must be carried out, despite the fact that the managers’ functions (in public limited liability companies – Lda.) continue until they cease by dismissal or resignation, and the directors’ functions (in private limited liability companies, S.A.) continue until a new appointment. The appointment of managers/directors must be registered before the Commercial Registry and is only effective against third parties from the registration date. Generally, powers of attorney are not subject to registration, except for irrevocable powers of attorney with powers to transfer ownership of real estate (online powers of attorney). It is, however, possible to register powers of attorney as an additional way of verifying the powers of the representatives to perform a certain act.
  • Profit distribution. Shareholders have the right to the distribution of profits generated by the company’s activity in proportion to the nominal value of their shares, unless the company’s articles of association or a shareholders’ agreement provide otherwise. The distribution of profits is subject to a shareholders’ resolution passed at a general meeting. Once the statutory thresholds for the distribution of assets are met, the profits are converted into dividends upon the shareholders’ resolution. The company’s assets may not be distributed to shareholders when the company’s net worth, as shown in the accounts drawn up and approved, is less than the sum of the share capital plus the reserves that may not be distributed by law or agreement, or if it would become less than this sum because of the distribution. The distribution of yearly profits is also not allowed to the extent that such profits are necessary to cover retained losses or to reconstitute reserves imposed by law or by the articles of association.
  • Mandatory mentions in external acts. In all contracts, correspondence, publications, announcements, websites and, in general, in all external acts, companies must clearly indicate, in addition to the company name, the company type, headquarters, the registry office where they are registered, their corporate and tax identification number and, if applicable, that the company is winding up. The mandatory mentions in external acts also apply to local branches of foreign companies. Public and private limited liability companies and limited partnership companies must also indicate the share capital, the amount of paid-up capital (if different), and the amount of equity according to the last approved balance sheet whenever this is equal to or less than half of the share capital.

Corporate governance models.

Strictly speaking, it is from the preliminary acts, and not only after the company’s incorporation, that a set of duties arises for shareholders, governing bodies, management and employees, and these duties are crucial in defining the corporate governance model. Following the 2006 revision of the Portuguese Companies’ Code (CSC) and the recommendations on good corporate governance practices issued by the Portuguese Securities Market Commission, three optional corporate governance models may be distinguished:

  • The monist model: a General Meeting, a Board of Directors (composed of an odd number of executive and non-executive members) and a Supervisory Board or Statutory Auditor. An enhanced monist model also includes a Statutory Auditor who is not a member of the Supervisory Board. The classic monist model is commonly used by limited liability companies in Portugal;
  • The dualist model: a General Meeting of Shareholders, a General Supervisory Board (appointed by the General Meeting of Shareholders), an Executive Board of Directors (proposed by the General Supervisory Board) and a Statutory Auditor; and
  • The Anglo-Saxon model: a General Meeting of Shareholders, a Board of Directors with an Audit Committee, and a Statutory Auditor. The Audit Committee (with at least three non-executive directors) is appointed by the General Meeting.

Currently, best corporate governance practices go far beyond the choice of the corporate governance model provided for by law. For instance, public listed companies and State-owned companies have been following the guidelines issued in the Corporate Governance Code of the Portuguese Institute for Corporate Governance and incorporating the fundamental principles and rules of corporate social responsibility into their value chain.

Corporate social responsibility.

Corporate Social Responsibility (CSR) may be defined as the responsibility of companies for their impact on society and, therefore, it should be company-led. Companies can become socially responsible by integrating social, environmental, ethical, consumer and human rights concerns into their business strategy and operations, in compliance with the law.

There is, however, no generally accepted definition of CSR.

According to the European Commission, CSR includes human rights, labour and employment practices (such as training, diversity, gender equality and employee health and well-being), environmental issues (such as biodiversity, climate change, resource efficiency, life-cycle assessment and pollution prevention), and combating bribery and corruption. Community involvement and development, the integration of disabled persons, and consumer interests, including privacy, are also part of CSR.

The OECD uses the term “Responsible Business Conduct” (RBC). RBC entails, above all, compliance with laws, such as those on respecting human rights, environmental protection, labour relations and financial accountability. It also involves responding to societal expectations communicated through channels other than the law, e.g., by inter-governmental organisations, within the workplace, by local communities and trade unions, or via the press. Private voluntary initiatives addressing this latter aspect of RBC are often referred to as Corporate Social Responsibility (CSR).

For companies seeking a formal approach to CSR, authoritative guidance is provided by internationally recognised principles and guidelines, in particular the recently updated OECD Guidelines for Multinational Enterprises, the ten principles of the United Nations Global Compact, the ISO 26000 Guidance Standard on Social Responsibility, the ILO Tri-partite Declaration of Principles Concerning Multinational Enterprises and Social Policy, and the United Nations Guiding Principles on Business and Human Rights. This core set of internationally recognised principles and guidelines represents an evolving and recently strengthened global framework for CSR.

In this context, there are a growing number of initiatives, spanning the public and private sectors, aimed at the adoption of best governance practices, including:

  • Human Rights Policy;
  • Code of Ethics and Conduct;
  • General Risk Management Plan;
  • Plan for Prevention of Risks of Corruption and Related Infractions;
  • Gender Equality Plan;
  • Anti-Harassment Policy in the Workplace.

Human Rights Policy.

Companies have a responsibility to respect international human rights standards. A human rights policy is a company’s public expression of its commitment to meet its responsibility to respect internationally recognized human rights standards, including, but not limited to, the International Bill of Human Rights and the principles concerning fundamental rights set out in the International Labour Organization’s Declaration on Fundamental Principles and Rights at Work.

Code of Ethics and Conduct.

The Code of Ethics and Conduct is one of the main instruments for embedding a social responsibility culture in the company. It has three main goals: (i) to set out the fundamental principles and values of the company; (ii) to define the standards of conduct which employees must follow, regardless of their position or function; and (iii) to inform all stakeholders interacting with the company of the fundamental ethical guidelines applicable to relations between employees and shareholders, investors, customers, suppliers and society in general.

To ensure compliance with your company’s ethical principles and values, a whistleblowing channel may help to address wrongdoing such as fraud and misconduct. If you fail to recognise, address and ultimately put an end to such violations, you risk exposing your company to legal, social and reputational sanctions.

The appointment of an Ethics Committee, reporting directly to the Board of Directors, may also play a relevant role. The Ethics Committee aims to promote and strengthen good practices, as well as to clarify doubts, issue opinions on matters relating to compliance with the Code of Ethics and Conduct, and carry out the inspections and enquiries necessary to resolve irregularities.

General Risk Management Plan.

It is the company’s responsibility to demonstrate that it has recognised the risks it could face and has taken reasonable safeguards to prevent them from causing harm to shareholders, board members, employees, clients, property or reputation.

A risk management plan is a document that foresees risks (e.g., operational, economic and financial, and legal risks), estimates their impact, and defines responses to them. The purpose of risk management is to identify potential issues before they occur so that risk-handling activities can be planned, mitigating adverse impacts on the achievement of the company’s goals.

Once risks have been identified, they must be assessed, by means of a risk matrix, for the potential severity of loss and the probability of occurrence.

Risk management plans should be reviewed periodically so that the analysis does not become obsolete and cease to reflect the actual potential risks.

A risk management plan can be implemented together with a report detailing the misconduct that has occurred within the company, so as to avoid its repetition in the future.

Given the significant legislative changes of the last few years, entities are required to review their existing anti-money laundering and terrorist financing (AML/TF) procedures and apply new ones in order to comply with AML/TF law, including the requirements on ‘Know Your Customer’ (KYC), the ultimate beneficial owner (UBO), enhanced due diligence (EDD) and the reporting of suspicious transactions.

According to their business activities and the related money laundering risk levels, entities must be well informed, particularly about their clients, and apply procedures adequate to the nature and complexity of their business (the business-wide risk assessment) and to the ML/TF risk to which they are exposed as a result of entering into a business relationship or carrying out an occasional transaction (individual risk assessments).

Each risk assessment should consist of two distinct but related steps: (i) the identification of ML/TF risk factors; and (ii) the assessment of ML/TF risk. The actions an entity takes to identify and assess ML/TF risk across its business must be proportionate to the nature and size of the entity.

In any case, entities should ensure that their AML/TF policies and procedures build on, and reflect, their risk assessment, and that they are readily available, applied, effective and understood by all relevant staff.

Being aware of the dos and don’ts on AML/TF matters is crucial to success: provide valuable training to your staff and cooperate with the competent authorities.

Know Your Customer (KYC) and Customer Due Diligence (CDD).

Each entity with individual business relationships or occasional transactions, or even with a mere suspicion of ML/TF, must be aware of the identification and due diligence procedures to be performed.

Typically, Know Your Customer (KYC) diligence, which is aimed at identifying clients (both existing and new), must be carried out as early as possible, and before entering into a business relationship (one which is expected to be long-lasting) or carrying out an occasional transaction (where no business relationship has been proposed or established, covering a single operation or two or more operations that appear to be linked).

An initial customer due diligence (CDD) should include at least risk-sensitive measures to:

  • Identify the client and, where applicable, the client’s beneficial owner;
  • Verify the client’s identity based on reliable and independent sources and, where applicable, verify the beneficial owner’s identity in such a way that the entity is satisfied that it knows who the beneficial owner is; and
  • Establish the purpose and intended nature of the business relationship.

Entities should adjust the extent of initial CDD measures on a risk-sensitive basis, considering the findings of their business-wide risk assessment. Where the risk associated with a business relationship is likely to be low, and to the extent permitted by local law, entities may apply simplified customer due diligence measures (SDD). Where the risk associated with a business relationship is likely to be increased, entities must apply enhanced customer due diligence measures (EDD).

Enhanced Due Diligence (EDD).

In addition to initial customer due diligence (CDD), you should be aware that it may be necessary to strengthen ongoing measures in situations involving an increased risk of ML/TF.

You should be able to identify situations involving an increased risk of ML/TF by using risk indicators. For example, transactions with high-risk third countries (as detailed in official lists) require you to reinforce your due diligence duties.

A client who is a politically exposed person (PEP) or holds a political or public position is also a higher-risk situation.

Once the potentially higher risk situation is identified, enhanced due diligence (EDD) must apply, including, inter alia:

  • Additional information on the clients and/or the operations planned or carried out;
  • Extra due diligence measures to verify the information provided;
  • Reinforced monitoring of the business relationship;
  • Requiring that the client’s first payment be made by traceable means from a payment account opened with another legally qualified entity that has proven to apply equivalent identification and due diligence measures.

Ultimate Beneficial Owner (UBO).

If your client is a legal person, you must understand who your client’s ultimate beneficial owners (UBO) are, that is, the individuals who ultimately own and control your client.

To understand your client’s ownership and control structure, you should perform, on a risk-sensitive basis, the following two steps:

  • Ask your client who their beneficial owners are and document the information obtained;
  • Take all necessary and reasonable measures to verify the information provided by your client. To this end, you may use beneficial ownership registers, where available.

In Portugal, entities which intend to establish a business relationship or open a bank account in Portugal are obliged to identify their UBO by filing a statement with the beneficial ownership register (Registo Central do Beneficiário Efetivo – RCBE). After the first UBO filing is registered, any changes must be updated within 30 days of the change event. If there are no changes to the UBO filing, an annual confirmation must in any case be submitted by 31 December each year.

You should be aware that relying on the information contained in beneficial ownership registers may not be sufficient, and that additional steps may be required to identify and verify your client’s UBO, namely where the risk associated with the business relationship is increased or where you have doubts that the person shown in the register is the UBO.

Reporting suspicious transactions.

If a reporting entity suspects or has reasonable grounds to suspect that funds are the proceeds of a money laundering activity, or are related to terrorist financing, it must promptly report its suspicions to the Financial Intelligence Unit (FIU) and the Central Investigation and Criminal Action Department of the Attorney General's Office (DCIAP). These communications are made by electronic means to the following email addresses: uif.comunicaçoes@pj.pt and uai.dciap@pgr.pt.

You must report the transaction if you suspect that:

  • The transaction involves funds derived from illegal activities, or is intended or conducted in order to hide or disguise funds or assets derived from illegal activities (including, without limitation, the ownership, nature, source, location or control of such funds or assets) as part of a plan to violate or evade any law or regulation or to avoid any transaction reporting requirement under the law;
  • The transaction has no business or apparent lawful purpose, or is not of the sort in which the client would normally be expected to engage, and you know of no reasonable explanation for the transaction after examining the available facts, including the background and possible purpose of the transaction.

Entities need to have systems in place that ensure reports are made when required. Once a suspicion has arisen, a report must be made as soon as possible. The care with which the report is written may make the difference in whether the described conduct and its possible criminal nature are clearly understood.

Reporting entities must then act with the necessary caution towards their clients, avoiding any step that might, for whatever reason, alert the client to the fact that procedures are under way to investigate suspicions of money laundering or terrorist financing.

Cash payment thresholds.

In Portugal, transactions in cash are subject to specific thresholds:

  • Up to €2,999 (or the equivalent in foreign currency) for (i) Portuguese tax residents and (ii) non-resident legal entities or individuals acting in the course of a business activity;
  • Up to €9,999 (or the equivalent in foreign currency) for non-resident individuals;
  • Up to €999 (or the equivalent in foreign currency) for residents who are taxpayers of (i) corporate income tax or (ii) personal income tax and who are, or should be, required to keep organised accounts. They must use means of payment that allow the recipient to be identified, e.g., bank transfer, cheque or direct debit.

Taxes above €500 also cannot be paid in cash.

The limits on payments for goods and services are calculated on the entire amount due, even when the payments are made through split operations.

Carrying out cash transactions that exceed the statutory cash thresholds is punishable by fines from €180 up to €4,500 for individuals and from €360 up to €9,000 for legal persons.

These thresholds do not apply to financial entities that receive deposits, provide payment services, issue electronic money, or carry out manual exchange transactions. They also do not apply to payments resulting from judicial decisions or orders and specific situations otherwise provided for in law.

Attention to labour compliance has been growing, driven by major changes in European Union and local laws. New measures seek to address ethics, equality and transparency issues, including non-discrimination, equal pay, anti-harassment, closing the gap for women and minorities, and the fight against corruption and related offences.

To follow these changes, employers are compelled to apply a set of policies, procedures, and actions such as (i) Gender Equality Plan; (ii) Anti-Harassment Policy; (iii) Employee Pay Report (Women and Men); (iv) Plan for Prevention of Risks of Corruption and Related Infractions.

The current approach also requires employers to be proactive and to keep employees regularly informed of their rights and obligations, by means of written notices, policies and codes of conduct on day-to-day requirements (e.g., payroll, working time and days off, disciplinary sanctions).

Failure to implement these policies and to comply with the related duties may expose employers to heavy fines.

New labour compliance challenges will surely arise in the coming years.

Gender Equality Plan (GEP).

The purpose of the Gender Equality Plan (GEP) is to promote equal treatment and opportunities between women and men, end sex-based discrimination, and safeguard the balance between personal, family and professional life.

For public listed companies, public sector companies and local public sector companies, a Gender Equality Plan is mandatory. The GEP must be prepared or reviewed on an annual basis.

In general, employers must maintain an integrated approach to the promotion of equal opportunities regardless of age, sexual orientation, religious or similar philosophical belief, race, disability, political opinion, sex, pregnancy/maternity leave, and marital/civil partnership status.

To achieve this goal, employers must implement an Equality Plan promoting affirmative and positive actions where appropriate (e.g., equal pay, balance between personal and professional life). The preparation of an Equality Plan must follow a mandatory legal procedure and a set of recommendations issued by the local authority for equality in labour and employment (Comissão para a Igualdade no Trabalho e no Emprego), including, inter alia, a diagnosis of the company’s situation, the preparation, submission and publication of the plan, and the adoption of measures to ensure that it is implemented.

Anti-Harassment Policy.

An Anti-Harassment Policy aims to prevent and combat harassment in the workplace and to ensure each employee’s right to work in conditions that respect their dignity.

All employers with seven or more employees must prepare and publish an Anti-Harassment Policy, an instrument which should follow the guidelines issued by the local authority for equality in labour and employment (Comissão para a Igualdade no Trabalho e no Emprego).

Employee Pay Report (Women and Men).

The Employee Pay Report is part of the set of measures to promote equal pay for men and women.

In general, employers must promote a transparent pay policy based on objective criteria and on an evaluation of the different job components.

In the public sector, where companies are subject to stricter requirements, they are obliged to prepare and publish annual reports reviewing their employees’ salaries, in order to identify and mitigate pay differences based on gender.

Employees’ Training Plan.

Employees’ Training Plans are mandatory. As a rule, employers must implement a training plan for their employees based on an assessment of their skill needs.

This plan must be detailed and specify objectives, training entities, as well as the location and the time of the training sessions.

Plan for Prevention of Risks of Corruption and Related Infractions.

A Plan for Prevention of Risks of Corruption and Related Infractions is mandatory for all public entities carrying out management activities and administration of money, values, and public assets.

The plan must include several elements, in particular: (i) the identification, for each organic unit, of the risks of corruption and related infractions; (ii) a list of preventive measures; (iii) the definition and identification of the employees responsible for managing the plan; and (iv) the annual preparation of a report on the implementation of the plan.

Companies must also prepare an annual report on the implementation of the plan.

Since 25 May 2018, the effective date of the General Data Protection Regulation (GDPR), all Member States of the European Union (EU) have been bound by common rules on personal data protection. Organisations based outside the EU are also subject to the GDPR when their data processing activities relate to the provision of goods or services to EU data subjects or to the monitoring of the behaviour of data subjects in the EU.

The GDPR applies without the need to approve national legislation, unlike Directive 95/46/EC, which was transposed by Law 67/98 of 26 October 1998 (the Personal Data Protection Act, LPDP), since repealed by the GDPR. This does not, however, mean that specific data processing situations, such as those in the employment context, are not subject to local legislation. In Portugal, Law 58/2019 of 8 August 2019 implements a few specific data protection rules. The GDPR also applies alongside special legislation.

The GDPR is based on a self-regulation model. This means that entities are now accountable for interpreting and enforcing data protection rules, as well as for ensuring and regularly evidencing their compliance with the GDPR. This has a relevant impact on organisations’ day-to-day operations. Furthermore, entities are subject to supervision and monitoring by the supervisory authority of the country where they have their main or sole establishment (the “one-stop shop” system).

Organisations must understand their risk profile and consider what to do to comply with the GDPR and to demonstrate such compliance. The penalties for non-compliance may include fines of up to 4% of annual worldwide turnover or 20 million euros.

Personal data processing.

Personal data processing is an operation or a set of operations on personal data, i.e., on information concerning a living, identified or identifiable person, referred to as the "data subject".

Examples of personal data are first and last name, address, e-mail address, identification number, location data, IP (Internet Protocol) address and cookies.

Personal data that has been permanently anonymised, so that the person is not, or is no longer, identifiable, ceases to be considered personal data.

Processing includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, making available, comparison or interconnection, restriction, erasure or destruction of personal data. Data processing operations are, for example, accessing a contact database containing personal data, personnel and payroll management, sending promotional messages by e-mail, video recording (CCTV) and storage of IP addresses.

Data subject’s consent.

The GDPR requires that consent be given through a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of data concerning him/her. For example, written declarations (including in electronic form), ticking an option when accessing a website, or other acts clearly indicating that the data subject accepts the processing fulfil these requirements.

Silence, pre-ticked options when visiting a website, or arrangements that make consent to the use of the data a condition for accessing a service are not considered valid consent.

Other lawful grounds.

There are other lawful grounds for data processing besides the data subject’s consent. Data processing is lawful when it is necessary for the performance or conclusion of a contract, to fulfil a legal obligation to which the organisation is subject, for the performance of a task carried out in the public interest or in the exercise of official authority, to pursue the legitimate interests of the organisation (or of third parties with whom the company shares personal data), or to protect the vital interests of the data subject or of another natural person.

Once the data subject has been informed that a data processing operation is based on a specific lawful ground, that ground cannot subsequently be changed without justification, even if another lawful basis is considered more convenient. This information must be provided when the data is collected or, if the data was not obtained from the data subject, at the first contact with the data subject.

Data subjects’ rights.

Every organization processing personal data must ensure that the data subject is able to request and, if necessary, access, modify or erase their data, free of charge. Organizations must also ensure that individuals have the means to exercise their right to object. Data subjects may also object to the processing of their data for marketing purposes. Companies must answer data subjects’ requests without undue delay and, in any case, within one month. If an entity intends to refuse a data subject’s request, it must give a duly justified reason.

Data controllers and data processors.

A data controller is the natural or legal person that determines the purposes and means of the processing of personal data. A data processor is a natural or legal person that carries out personal data processing activities on behalf of the data controller.

When data processing activities are entrusted to a data processor, a written agreement between the data controller and the data processor is required. This agreement should set out the scope and duration of the relationship, the nature and purposes of the data processing, and the types of personal data and categories of data subjects, taking into account the tasks and responsibilities at stake and the risks to the data subjects’ rights. It should also ensure that the data processor offers sufficient guarantees, in particular as to confidentiality, expertise, reliability and resources, especially when implementing technical and organizational measures, so that the security of the processing is always preserved.

The data processor must keep records of the processing activities and cooperate with the supervisory authority by presenting such records if requested. Once the processing is completed, the data processor must return or delete the personal data, as agreed, unless storage of the data is legally required.

Data breach.

In case of a personal data breach, the entity must notify the supervisory authority without undue delay and, where possible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (data subjects) and the entity can prove it.

If it is not possible for the entity to meet this deadline, the notification will have to include the reasons why. This information can be provided to the supervisory authority in stages, again, without undue delay.

When the breach is likely to result in damage or a high risk to individuals’ rights and freedoms, the entity must inform the data subjects of the breach without undue delay so that they can take the necessary precautions. This notification should be made as soon as reasonably possible, in cooperation with the supervisory authority and in compliance with the guidance it provides.

Keeping record of data processing activities.

It is mandatory for organizations with 250 or more employees to keep records of their data processing activities. Organizations with fewer than 250 employees are not obliged to do so, unless the processing carried out endangers individuals’ rights and freedoms, is not occasional, or covers special categories of data (genetic data, biometric data, health data) or personal data relating to criminal convictions and offences.

Data Protection Officer.

The appointment of the Data Protection Officer (DPO) does not depend on the number of employees in the organization. Every organization that carries out personal data processing operations is obliged to appoint a DPO if:

  • It is a public authority or body, except for courts in the performance of their judicial function;
  • Its main activities consist of processing operations that, due to their nature, scope and/or purpose, require regular and systematic monitoring of data subjects on a large scale (for example, telecommunications services, the granting of credit to customers, or insurance companies); or
  • Its main activities consist of large-scale processing operations concerning special categories of data (genetic data, biometric data, health data) or personal data relating to criminal convictions and offences (for example, a hospital processing data regarding the health of its patients).

The DPO can be an employee of the company (internal DPO), or an individual or organization hired under a contract for the provision of services.

When the DPO is an external service provider, several people working for that provider can perform the DPO’s functions as a team, provided that a “key contact” and a “responsible person” are assigned to the customer.

Do the right thing.

Compliant companies earn and secure their ‘social license to operate’, are better able to anticipate and manage operational and regulatory risks, are well positioned to comply with future legal and regulatory requirements, and build greater trust with stakeholders by starting to understand and address their concerns.

Bearing this in mind, MVCOMPLIANCE takes an integrated approach to business. We provide a comprehensive assessment and assist companies in developing internal tools for prevention, management, risk control and reaction. We give our clients a basis for embedding the responsibility to respect throughout all their business activities, and hence for building a truly ethical, transparent, integral and competitive culture.

Our team is prepared to identify policy gaps and initiate a process that guides you towards the adoption of good practices in governance and social responsibility, labour compliance (e.g., promotion of equality, non-discrimination, anti-harassment), anti-money laundering (e.g., KYC and beneficial ownership), and privacy and data protection.

Companies that are compliant may gain commercial benefits associated with good practices, e.g., attracting investment, procurement, top-quality recruits, and reputational benefits. All matters are linked.

If you have any questions, please do not hesitate to contact us at: COMPLIANCE@MACEDOVITORINO.COM.

For more information on our practice and expertise areas, please see our MVCOMPLIANCE presentation.
