2020-07-23

In a landmark preliminary ruling on data transfers between the European Union (EU) and the United States of America (US), the Court of Justice of the European Union (CJEU) the  EU-US Privacy Shield decision (Privacy Shield) void.

This decision of 16 July 2020 (Schrems II case) is the sequel to a previous ruling, where the CJEU the EU-US Safe Harbour (Schrems I case). The EU-US Safe Harbour was the predecessor of the Privacy Shield, now considered inadequate to ensure the level of protection required by the General Data Protection Regulation (GDPR). In turn, the CJEU considered the Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries (SCC) to be valid.

This CJEU ruling follows a complaint lodged by M. Schrems. The Austrian citizen and Facebook’s user, lodged his complaint with the Irish data supervisory authority seeking to prohibit Facebook Ireland from transferring his personal data to the US. Personal data of Facebook users, who are residents in the EU, is transferred to servers of Facebook Inc. located in the US where they are processed under SCC. M. Schrems claimed that SCC would not offer sufficient protection against access by US public authorities to the data transferred to the US.

Following the Advocate General’s Opinion (non-binding opinion published on 19 December 2019), the CJEU considered SCC as adequate. The Court points out, in particular, that SCC decision imposes an obligation on the data exporter and on the recipient of the data to verify, prior to any transfer, whether that level of protection is respected in the receiving country and that the decision requires the recipient to inform the data exporter of any inability to comply with SCC, the latter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the former.

On the other hand, the CJEU challenged the level of protection afforded by the Privacy Shield on the grounds that it does not include satisfactory limitations to ensure the protection of EU personal data from access and use by US public authorities on the basis of US domestic law.

Although SCC remain as valid for international data transfers, organisations currently relying on SCC will have to consider whether considering the type of personal data, the purposes and context of the data processing, and the importer country, an "adequate level of protection" exists as required by EU law. Otherwise, they should consider adopting additional safeguards. Organisations relying on the Privacy Shield will have to urgently seek alternative solutions, in particular the derogations provided for in the GDPR (e.g. data subject’s consent, where the transfer is necessary for the conclusion or performance of a contract). SCC, binding corporate rules, approved codes of conduct or certification mechanisms may be also alternative solutions.

See pdf Share
2020-05-13

Contact tracing has been a priority for app developers over the past few weeks. Local teams, corporations and governments have put efforts into developing apps that trace proximity between smartphones users, which in this case are potential hubs for contagion. The utility of these apps is that once a member of a community is diagnosed with the virus, the chain of transmission may easily be traced back.

These apps pose questions on how data collected is treated (you can read more on this here) and how efficient the technologies used are. The technologies used by tracing apps range from Bluetooth to geolocation, to newer technologies such as DP-3T (Decentralized Privacy-Preserving Proximity Tracing).

All of these technologies have their perks and challenges. Tracing via Bluetooth, for example, will rely on the power of frequencies transmitted from each smartphone to determine proximity: the closer the smartphone is, the higher should be its signal. In theory, that is, because different models and manufacturers build mobile devices that will measure signal strength differently. The measurement is RSSI (Received Signal Strength Indicator). In case different smartphones receive different RSSI measurements, then the measuring accuracy is compromised.

Not only the measurement of signal strength is a weak link, but for measuring to occur, the Bluetooth-running apps must run permanently, which shortens smartphones’ battery life and will most likely be disabled by manufacturers and/or consumers.

Geolocation, also used by some of these apps, shares a certain level of inaccuracy with Bluetooth technology (BLE). As safe distances between people go, people should distance themselves from others at least two meters, but the most common geolocation technologies used are not accurate enough.

On one hand, GPS, which is the most accurate of all (able to determine location of up to five meters, which is still short), will only be able to track people outdoors, will be troubled by weather-related events and is very energy-consuming.

BLE geolocation, on the other, requires infrastructure for the emitting devices nearby to be precisely located by third parties which is an issue that is also shared by Wi-Fi. Network providers could use network triangulation to locate devices, but this technique lacks accuracy as the number of base stations for triangulation varies.

DP-3T, in its turn, is not different technology-wise. Rather, DP-3T is a response to privacy concerns as it is a decentralized alternative to manual tracing of citizens: it is a privacy-by-design type of tracing, rather than a whole different way of locating devices. DP-3T uses Bluetooth and it reverts the process: if a smartphone has stored a record of any of a diagnosed patient’s ephemeral identifier (EphID), then the app knows that the user has been in contact with an infected user.

See pdf Share
2020-04-29

In the current context of the Covid-19 pandemic, companies are now questioning what measures may be implemented to prevent the spread of the virus among their employees with a view to a progressive return to their business activity, including whether it is lawful to collect health data from their employees, namely their body temperature.

The Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados – CNPD) has come forward with guidelines on the collection of employees' health data. CNPD considers that the employer may not collect and record the body temperature of employees, except when using health professionals in the field of occupational medicine and upon prior written justification.

Under the General Data Protection Regulation (GDPR), body temperature falls into one of the special categories of data – health data – subject to enhanced legal protection. GDPR prohibits employers from collecting or recording employees' health data except for the purposes of labor law. The Portuguese Labor Code provides that employers may not demand health data from employees, except when specific requirements related to the nature of the activity so justify and the relevant reasons are provided in writing by the employer. Health data must be provided to a medical professional, who may only inform the employer if the employee is able to perform his/her job.

Based on a literal interpretation of the Portuguese Labor Code, CNPD understands that the legislator has not assigned to the employer a role that is exclusive to health authorities, nor have they assigned such role to employers, which is true. However, it is also true that this rule was not drafted to be applied in exceptional situations, but in a so-called "normal" context of the employment relationship. Consequently, the application of this rule is debatable in the current pandemic scenario.

On this matter, the Portuguese Ministry of Labor has already noted that taking employees' body temperature in the workplace may be feasible in certain circumstances. The Portuguese Government should soon clarify this matter by means of a solution that should present itself proportional to the current pandemic situation, and considering that employers have a duty of care, including the duty to ensure the safety of their employees it the workplace.

GDPR (as a regulation, GDPR must be immediately applied, unlike a directive, that must be implemented by each member state into the national law) provides that the processing of health data is lawful, through a health professional (subject to professional secrecy), if processing is necessary for reasons of public interest in the area of public health, including for monitoring epidemics and their spread, which is certainly the case. This is the lawful basis on which employers will be entitled to take employees' body temperatures (obviously, within certain constraints).

In short, very exceptional situations do demand very exceptional measures.

See pdf Share
2020-04-22

The General Data Protection Regulation (GDPR), which is applicable since 25 May 2018, governs the processing of personal data throughout the European Union (EU). GDPR aims at ensuring a consistent and high level of data protection within the EU without jeopardising the free flow of data within the EU.

The GDPR has replaced Directive 95/46/EC of 24 October 1995 in force since 1995, and it superseded national data protection laws, including Law 67/98, of 26 October 1998. Along with the GDPR, Law 58/2018, of 8 August 2019, which implements some local specifics, is also in force in Portugal (GDPR Local Law).

Public and private entities are taking exceptional measures to prevent and mitigate COVID-19 across the EU, including in Portugal, where it was decreed a situation of state of emergency on 19 March 2020 and extended, at least, until 2 May 2020.

In this context, the Portuguese Data Protection Authority (DPA) has issued four papers:

(a)         Resolution number 2020/170 of 16 March 2020, whereby all formal regulatory actions in connection with outstanding information request backlogs are suspended; and

(b)        Three guidelines:

(i)        Guidelines of 2 April 2020 on the use of video surveillance systems and alarms in the COVID-19 context, where the DPA stresses that private security companies are prohibited from carrying out activities falling into the scope of the exclusive powers of judicial or police authorities, including border control and the prevention and repression of crimes in public places;

(ii)       Guidelines of 9 April 2020 on the use of distance learning technologies considering that Portuguese students are taking e-learning classes from their homes; and

(iii)      Guidelines of 17 April 2020 on remote control means of employees under a distance work regime issued in response to several questions on the use of software for control of employees’ performance in teleworking, and the imposition on employees of a permanent connection to the video camera. The DPA clarifies that the use of such software tools is disproportionate and infringes data protection principles, and that labour rules prohibiting distance control means of employees’ activity remain applicable.

Apart from these four initiatives, no additional information is available in connection with data protection and COVID-19. Inversely, other EU data supervisory authorities, for instance, in the UK and Germany, have disclosed a set of materials and FAQs at their websites to respond to data protection questions arising from the current situation.

The current situation may involve the processing of different types of personal data, including special categories of personal data, such as health data, namely within an employment context. In a COVID-19 scenario (not only at the current stage of spreading, but also at subsequent stagnation and mitigation stages), the processing of personal data may be necessary for compliance with employers’ statutory obligations, e.g. obligations relating to health and safety at the workplace, or to the public interest, e.g. the control of diseases and other threats to health.

Bearing in mind that several questions may arise within an employment context (but not limited to), we have prepared a list of FAQs to help organizations to be able to respond to such new challenges.

1. May employers collect personal data of employees to prevent the spreading of the COVID-19 virus at the workplace? In affirmative case, what personal data is the employer allowed to process in this context?

Yes, employers may collect personal data of employees in order to prevent the spreading of the virus at the workplace to the extent that it is required to fulfil employers’ statutory duties (e.g. duty of care) and to organise the work in line with the Portuguese legislation, namely Portuguese labour rules.

The criteria should be whether the processing is necessary for a given purpose (e.g. processing that is necessary for the protection of the health of employees and for compliance with statutory reporting obligations), and the implementation of the GDPR’s principle of data minimization.

In principle, the collection of the following data will not raise major issues: name, current contact information, contacts with other persons within the organization, previous or intended stay in a high risk area, previous contacts with allegedly infected persons or whether a person is symptom-free.

Inversely, health data, which is considered a special category of data, is subject to restrictions and that require an adequate interrelation between the GDPR, the GDPR Local Law and the Portuguese labour rules, as detailed below.

2. In these circumstances, what requirements must employers comply when they carry out processing of employees’ personal data?

Employers may collect and process personal data of employees, including health information, to determine whether (i) they are infected or have been in contact with an infected person, or (ii) they were in a high-risk area during the relevant period.

Employers should inform employees about COVID-19 cases and take protective measures, but they must not disclose more information than it is required.

Employers must keep employees informed about cases in their organisation, but they must not name individuals. The disclosure of personal data of infected persons (confirmed and suspected) to inform colleagues or externals is only lawful on condition that it is strictly necessary under exceptional circumstances to know the identity of that person, in order to mitigate the spread of the COVID-19 and allow employees to take relevant safeguards. In these very exceptional cases (where it is necessary to reveal the name of the employees who contracted the virus, e.g. in a preventive context), the concerned employees shall be informed in advance and their dignity and integrity shall be protected.

3. What is the relevant lawful basis for such data processing by employers?

As regards employees, the relevant lawful basis is the GDPR’s legitimate interests (Article 6/1(f) GDPR).

Where health data is processed, the relevant legal basis should be the GDPR’s employment and social protection legal basis, i.e., processing that is necessary for the purpose of carrying out the obligations and exercising specific rights of the employer or of the employees in the field of employment and social security and social protection law (Article 9/2(b) GDPR).

As regards local law, namely the labour law and the GDPR Local Law, we should stress the following rules:

(a)         Article 28/1 of the GDPR Local Law states that the employer may process employees’ personal data for the purposes and within the limits set out in the Portuguese Labour Code;

(b)        Article 17/1 (b) of the Portuguese Labour Code states that the employer may not ask for the employee to disclose health data, save as when exceptional circumstances related to the professional activity may justify such disclosure and relevant grounds are provided in writing by the employer. Health data are provided to a medical doctor, who may only inform the employer on whether the employee is or not able to performance their job functions; and

(c)         Article 29/2 of the GDPR Local Law states that special categories of data, namely health data, may be processed for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health, and that suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy, must be adopted.

This means that the employer’s legitimate interests’ legal basis and, for health data, the employment and social protection legal basis, result from the general duty of care of the employer toward their employees. Health date must be processed by the employer, through a medical doctor subject to professional secrecy, which means that health data may not, in principle, be disclosed to other employees, unless in exceptional circumstances and insofar it reveals necessary to avoid the spreading of the COVID-19 at the workplace.

Under the duty of care, the employer must ensure the protection of the health of all employees. This also includes carrying out an appropriate response to the dissemination of the COVID-19, for prevention and traceability purposes (i.e., subsequent prevention toward contact persons).

It should be also noted that the GDPR includes derogations to the prohibition of processing of certain special categories of personal data, such as health data, where it is necessary for reasons of substantial public interest in the public health area (Article 9/2(i) GDPR), on the basis of EU or local law, or where there is the need to protect the vital interests of the individuals (Article 9/2(c) GDPR). As recital 46 GDPR states some types of processing may serve both important grounds of public interest and the vital interests of the individuals as for instance when data processing is necessary for monitoring epidemics and their spread.

In turn, employees’ consent cannot be considered as a lawful basis, as, in an employment relationship, there is a clear imbalance between employees (data subjects) and the employer (controller). It is unlikely that employees’ consent is freely given in the context of an employment relationship.

4. May employers process personal data of workplace visitors for COVID-19 related purposes?

Yes, employers may process personal data of workplace visitors for COVID-19 related purposes to determine whether (i) they are infected or have been in contact with an infected person, or (ii) they were in a high-risk area during the relevant period, and to the extent that the measures to be adopted are proportionate.

As regards visitors, measures against third parties that require the processing of health data can be justified based on the GDPR’s lawful basis regarding processing that is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health (Article 9/2(i) GDPR).

The consent of visitors (data subjects) can only be considered as a lawful basis for COVID-19 measures if they comply with all consent requirements, including if visitors are informed about the data processing and can provide consent about the measures voluntarily. This means that visitors should be aware at least of the identity of the data controller (the organization) and the purposes of the processing for which the personal data are intended in the context of COVID-19.

5. Are private mobile phone numbers and email addresses of employees allowed to be collected?

During the pandemic, employees may work from home more frequently than usual and they can use their own device or communications equipment. The collection of private mobile phone numbers and email addresses of employees may be necessary and hence lawful if they are to be used to ensure their "ongoing availability" during the current COVID-19 crisis, namely if  employees are working through a distance work regime.

It may be also necessary if, for instance, an overload of the organization's IT infrastructure makes it necessary to communicate within the employer and/or other employees. In this case, care must be taken to ensure that no sensitive data is disclosed by means of "unsafe" communication means, namely email services, where there is a risk of unauthorized access to data by third parties.

Employers and employees need to consider the same kinds of security measures for homeworking that they use in normal circumstances, for instance, hardware and software encryption, a two/three-level password authentication system, keeping access log files. The data may only be used for the intended purpose and must be deleted immediately after the processing purpose has ceased to apply.

6. May employers use technological solutions for remote control of their employees’ performance through a distance work regime? May videoconference calls between employees or between the employer and employees be recorded?

According to recent guidelines issued by the DPA, the general rule prohibiting the use of means of remote surveillance to monitor employees’ performance is fully applicable in a distance work context. The same conclusion would always be reached by applying the principles of proportionality and minimization of personal data, since the use of such means implies an unnecessary and excessive restriction of employees’ private life.

For this reason, technological solutions for remote control of the employee's performance are not allowed. Examples of this are software that, in addition to tracking working time and inactivity, records the Internet pages visited, the location of the terminal in real time, the uses of peripheral devices (mousse and keyboards), capture images of the working environment, observe and record when the access to an application is initiated, control the document in which the employee is working and record the respective time spent on each task (e.g., TimeDoctor, Hubstaff, Timing, Manic Time, TimeCamp, Toggl, Harvest ). This type of tools manifestly collects excessive personal data from employees, promoting the work control at a higher level than that which can legitimately be carried out at the employer’s premises. The fact that the work is being carried out from home does not justify a further restriction towards employees. To that extent, the collection and subsequent processing of such data violates the principle of minimisation of personal data.

Similarly, it is not allowed to require the employee to keep the video camera on a permanent basis, nor, it is, in principle, allowed to record videoconferences between the employer and employees.

Despite the prohibition of the use of such tools, the employer keeps the power to control the activity of the employee, which it may do, namely, by setting objectives, creating reporting obligations as often as it deems necessary, scheduling meetings by videoconference.

7. May employees’ files be processed in an employee’s home office (e.g. in the home office of the Human Resources staff)?

The processing of employees’ files in an employee’s home office can only take place in exceptional circumstances if it is strictly necessary and to the extent that technical and organizational measures are taken to protect personal data, including, for instance, hardware and software encryption, a two/three-level password authentication system, keeping access log files, not printing in the home office.

If you need any further clarifications or assistance in any questions on data protection matters, please do not hesitate to contact us.

See pdf Share
2020-04-21

The European Commission has recently issued guidelines for the development of contact tracing and warning applications in the fight against COVID-19, which can have a significant impact in the control of the disease and play an important role as part of containment measures.

Contents. These applications may include: (i) accurate information about the COVID-19 pandemic for users; (ii) self-diagnostic questionnaires and guidance for users (symptom control feature); (iii) alert notification to persons who have been in close contact with an infected person for testing or be isolated (contact tracing and warning features); and/or (iv) a communication forum between patients and physicians, including providing further diagnosis and treatment advice (e-treatment advice).

Applicable regulations and supervision. Given the extremely sensitive nature of the data (in particular health data) and the purpose of the applications, they must comply with the General Data Protection Regulation (GDPR) and the Electronic Privacy Directive. They must also be implemented in close coordination with and under the supervision of the relevant public health authorities and national data protection authorities.

User control and consent. Users must keep full control over personal data and hence they must give their prior consent (complying with GDPR requirements) and separately for each application’s features.

In case of use of location data, this data must be stored on the user's device and only be shared with their prior consent; users must be able to exercise their rights under the GDPR and, among others, they have to be entitled to, at any time, withdraw their consent.

Principle of data minimization and data accuracy. Applications must comply with the principle of data minimization and it may be only processed personal data required for the purpose at stake. For example, for the purpose of tracing contacts, the European Commission considers that the processing of location data is not necessary and thus it does not advise its use.

EU rules require that processed personal data are accurate. Therefore, the Commission considers that technologies such as Bluetooth should be used to more accurately assess contact between different users. The data must be stored on the user's device and encrypted and must only be kept for the necessary period, in medical terms, and for the duration of the containment measures.

For the success of these applications, the confidence of citizens and those who feel safe with their use is essential, which must be ensured under strict compliance with EU rules on personal data protection.

See pdf Share
2019-05-23

We are still waiting…

Portugal has not yet approved a local law implementing the General Data Protection Regulation (GDPR).

On March 2018, the Portuguese Council of Ministers presented a bill to the Portuguese Parliament. The new law was supposed to come into force on the same application date of the GDPR, 25 May 2018. In May 2019, we are still waiting for the bill to be voted.

During the last year, the Portuguese GDPR bill was criticized by many, including the Portuguese supervisory authority, the Data Protection Authority (Comissão Nacional de Proteção de Dados - CNPD), which had no say on the drafting of the bill.

Among other issues, the Government’s proposal replicated several provisions of the GDPR and, in some cases, contravened the GDPR. For instance, the bill proposal stated that the local law would apply to “the processing of personal data of data subjects resident in Portugal”, instead of referring to the data subjects who are in Portugal, irrespectively whether they are (or not) resident in Portugal, which limits the scope of the law and leaves unprotected non-residents that happen to be in Portugal.

After the discussion period and a review by Portuguese Parliament members, the territorial scope provision was amended to comply with the GDPR. The current version also shows some effort in avoiding useless duplications of the GDPR text.

The exemption of fines to public entities was another provision receiving a strong disapproval by the Portuguese supervisory authority. In this regard, Article 83/7 of the GDPR states that “(…) each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.

In Portugal, there is no tradition of exempting public entities from fines. There is no material reason for a different treatment between public and private entities. In fact, the proposed exemption gave many public entities the idea that controls would not apply to them and that they would have more time to implement the GDPR. As a consequence, the public sector, along with the SMEs, have been delaying implementing the GDPR.

In the meantime, answering to the public criticism, the Portuguese Parliament proposed a compromise. In the current draft bill, the exemption will be applicable under justified grounds on a case by case basis by the Portuguese supervisory authority and for a maximum period of three years. All the other rules, including corrective GDPR measures, will apply to public entities.

However, this compromise solution is still considered a sensitive matter. If this provision was approved, it is very likely that the Portuguese supervisory authority will apply the exemption in very exceptional cases only.

The Portuguese bill also includes specific provisions on the Data Protection Officer (DPO), including secrecy and confidentiality duties, tasks, and which public entities are obliged to appoint a DPO.

In general terms, the GDPR establishes that public authorities are required to appoint a DPO. In order to determine which public entities have to fulfil this obligation, the Portuguese GDPR bill provides a list of public entities, including the Portuguese State, the Autonomous Region of Madeira, the Autonomous Region of Azores, municipalities, independent supervisory authorities, public institutes, public law schools, State, municipal business sectors and public associations.

Between the earlier version and the latest one, there are two major differences. Portuguese parish councils (juntas de freguesia) with more than 750 inhabitants are obliged to appoint a DPO. Earlier, the appointment of a DPO was decided by each parish on a case by case basis.

There is also another change, which may have a significant impact on the State business sector (sector empresarial do Estado «SEE»): while the first proposal provided that only the public undertakings (entidades públicas empresariais – «EPE») were obliged to appoint a DPO, the new version includes all public business entities of the SEE, all of them must have a DPO.

The Portuguese bill also provides the following:

(a) GPDR codes of conduct or certification mechanisms must be approved by a certification body recognized by Instituto Português de Acreditação (IPAC, I.P.) and in accordance with the requirements established by the Portuguese supervisory authority. As far as we know, no codes of conduct or certification mechanisms about GDPR are in place until now;

(b) In relation to the offer of information society services, the Portuguese bill establishes that data processing of a child above the age of 13 years will not require consent given by the parents. Although Portuguese law usually adopts a conservative approach on minors’ rights establishing the age of 16 years, as a reference age, the Portuguese bill opted to follow the majority of the Member States, which consider the age of 13 years old for information society services;

(c) The Portuguese bill provides for specific rules on the processing of employees' personal data in the employment context, in particular as regards the conditions under which employees’ personal data may be processed on the basis of the employee’s consent, as well on the use of video surveillance systems and employees’ biometric data. Generally, the employee’s consent is not a lawful basis for employees’ data processing if: (i) from the employee’s data processing results a legal or financial advantage for the employee; or (ii) the data processing is necessary for the performance of the employment contract. Video surveillance systems may only be used against employees in the scope of a criminal lawsuit. The use of employees’ biometric data is only lawful for purposes of employees’ attendance and access controls to the employer’s premises.

(d) The processing of genetic data and data concerning health rules are subject to the principle of “need-to-know” the data. Data controllers are obliged to give notice to data subjects of  all accesses to their personal data concerning health. This means that data controllers will have then to implement such traceability mechanism;

(e) No data retention deadlines are applicable for data concerning Social Security contributions for retirement purposes;

(f) Except for willful cases, the starting of a misdemeanor proceeding by the Portuguese supervisory authority must be preceded by a warning for the remedy of the breach within a reasonable deadline. For very serious infringements, the fines thresholds are divided into three different recipients categories: (i) €5,000 to €20,000,000 or 4% of the annual turnover, for large companies; (ii) €2,000 to €2,000,000 or 4% of the annual turnover, for SMEs; and (iii) €1,000 to €500,000 for individuals. Half of these amounts are applicable in case of serious infringements.

In some matters, the Portuguese GDPR bill is silent. For instance, the bill does not establish specific rules applicable to private life data, including solvency and creditworthiness. This data was considered similar to sensitive data (now, special categories of data) under the former Portuguese data protection law.

The Portuguese GDPR bill also does not contain specific provisions about the relationship between the GDPR provisions and the access right to public documents, nor private enforcement rules in relation to the decisions taken by the supervisory authority.

Moreover, the Portuguese bill surprisingly establishes a «standstill» period for new consents, entitling data controllers, either private or public entities, to obtain new data subjects’ consents within an additional period of six months from the effective date of the local law. This provision, which remains unchanged in both versions of the bill, clearly contravenes the GDPR, which is directly applicable in all Member States, including Portugal. The GDPR does not include any special rules on consent matter, which allow Portugal to set a different deadline beyond 25 May 2018. Therefore, it is expected that this provision is not incorporated into the statutes of law.

Although some sensitive issues still remain, the final text should be voted and approved by the Portuguese Parliament’s members during next month.

See pdf Share
2018-05-21

For further information about GDPR, please see «Notícias».

Share
search

IFLR 1000

"Excellent service, says a client on a refinancing transaction: I always trust on them when I have a legal issue in Portugal. [They are]...

Chambers and Partners

"Macedo Vitorino remains the go-to legal adviser for major telecoms players and specialises in the financing of public companies. Recent...

Chambers and Partners

"A compact but technically strong team, recognised for its corporate and M&A experience. Provides particular expertise in the TMT, energy...