2021-12-28

The Portuguese framework for whistleblowers was approved by Law 93/2021, of 20 December 2021, implementing the 'Whistleblowing Directive' (Directive (EU) 2019/1937 on the protection of whistleblowers) into Portuguese law.

The Directive should have been transposed by 17 December 2021. The publication of this law accompanies the anti-corruption strategy approved by the Portuguese Parliament, and introduces a wide range of rights for whistleblowers and mandatory obligations and procedures for Portuguese companies.

Compared to the Whistleblowing Directive, Law 93/2021 is much more comprehensive, as was expected, considering that the Directive itself determined that its content only set minimum requirements for the Member States.

This Law applies to complaints regarding (i) public procurement; (ii) financial markets and prevention of money laundering and terrorist financing; (iii) food safety for human and animal consumption, animal health and animal welfare; (iv) public health; (v) protection of privacy and personal data and security of network and information systems; (vi) violent and organised crime, among others.

As to the beneficiaries of the protection, Law 93/2021 is clear in considering as "whistleblowers" only those natural persons who report or publicly disclose an infringement based on information obtained during their professional activity, regardless of the nature of the activity and the sector in which it is carried out.

“Professional activity” is not limited to employment relationships in force, as it includes relationships that have already ended, pre-contract negotiations and recruitment processes. Shareholders and members of corporate bodies of legal persons, volunteers, and interns, paid or unpaid, are just some of the examples of people who benefit from the protection of this law.
To benefit from the protection, it is only required that the whistleblower acts in good faith and has serious grounds to believe that the information is true, at the time of the report or public disclosure.

In addition to the whistleblower, the safeguard is extended to those related to the whistleblower, namely (i) natural persons who confidentially assist the whistleblower in the whistleblowing procedure, in particular trade union representatives; (ii) third parties connected to the whistleblower who may be subject to retaliation in a professional context; and (iii) legal persons or similar entities that are owned or controlled by the whistleblower, for which the whistleblower works or with which the whistleblower is connected in any way in a professional context.

To make a complaint, the law provides for the existence of:

  • Inside channels;
  • External channels (managed by the competent authorities); and
  • Public disclosure.

Inside reporting channels are mandatory for private and public sector entities employing 50 or more employees and for legal persons operating in the fields of financial services, products and markets and the prevention of money laundering and terrorist financing ("obliged entities"). However, local governments with fewer than 10,000 inhabitants are excluded from this obligation even if they employ 50 or more people.

Inside reporting channels must meet certain requirements: (i) they must ensure the secure submission and tracking of reports to ensure completeness, integrity, and preservation of the report; (ii) they must ensure the confidentiality of the identity or anonymity of whistleblowers and the confidentiality of the identity of third parties named in the report; and (iii) they must prevent access by unauthorised persons.

Inside reporting channels may be operated: (i) internally, to receive and follow up on complaints, by persons or services designated for this purpose, or (ii) externally, to receive complaints. In either case, the law provides that independence, impartiality, confidentiality, data protection, secrecy, and absence of conflict of interest must be guaranteed.

Reports may be submitted in writing, verbally, or both. In this context, a verbal report may be made using a voice message or, at the request of the whistleblower, in a face-to-face meeting.

The whistleblower can only resort to external reporting channels when: (i) there is no inside whistleblowing or reporting channel; (ii) the inside whistleblowing channel only admits the submission of complaints by employees, and the whistleblower is not one; (iii) the whistleblower has reasonable grounds to believe that the breach cannot be effectively known or resolved internally or that there is a risk of retaliation; (iv) the whistleblower has initially complained internally, but the measures envisaged or adopted as a result of the complaint are not communicated in the legally prescribed terms; or (v) the infraction constitutes a crime or an administrative offence punishable by a fine of more than EUR 50,000.

In turn, public disclosure may only occur in very exceptional circumstances, namely when the whistleblower has reason to believe that (i) the breach may constitute an imminent or manifest danger to the public interest; (ii) the breach cannot be effectively known or addressed by the competent authorities, given the specific circumstances of the case; or (iii) there is a risk of retaliation, including in the case of an external report; or when (iv) he/she has made an internal and/or an external report without adequate measures being taken within the mandatory time limits.

As regards the procedure to be adopted, obliged entities must, within seven days of receiving the complaint, notify the complainant of the receipt and the requirements for lodging a complaint through external channels managed by competent authorities and within three months at the latest communicate the measures envisaged or taken to act on the complaint. Upon request from the complainant, obliged entities must also communicate to the complainant the outcome of the review of the complaint within fifteen days after its conclusion.

The law also establishes measures to protect whistleblowers:

  • Confidentiality of the whistleblower's identity, which can only be revealed by a legal obligation or a court order, preceded by a communication to the whistleblower indicating the reasons for disclosure;
  • Prohibition of retaliation against the whistleblower, including, for this purpose, the inversion of the burden of proof and the presumption that certain acts, such as changes in working conditions or the application of a disciplinary sanction, when committed up to two years after the complaint or public disclosure, are motivated by the complaint or public disclosure;
  • Legal protection in general terms, such as protection for witnesses in criminal proceedings; and
  • Non-imposition of disciplinary, civil, misdemeanour or criminal liability in cases of reports or public disclosures of offences made in accordance with the requirements imposed by law.

The violation of these rules constitutes an administrative offence, the proceedings for which are conducted by the National Anti-Corruption Mechanism, punishable by fines:

  • Between €1,000 and €25,000 (natural persons) or €10,000 and €250,000 (legal persons), in case of a very serious offence, namely: preventing the lodging or not following up on the complaint; retaliatory acts; breach of the duty of confidentiality; communication or public dissemination of false information;
  • Between €500 and €12,500 (natural persons) or €1,000 and €125,000 (legal persons) in case of a serious administrative offence, such as not having an inside reporting channel, or having an internal channel without guarantees of completeness, integrity or preservation of complaints, of confidentiality of the identity or anonymity of the complainants or of third parties mentioned in the complaint, or without rules preventing access by unauthorised persons; failure to inform the complainant of the outcome of the analysis of the complaint, if the complainant has requested it; failure to train the staff responsible for handling complaints; failure to record or retain the complaint received for at least five years or during the pendency of judicial or administrative proceedings.

Bearing in mind the adaptation to the new procedures and obligations, the law provides for a transitional period of 180 days, so it will come into force on 18 June 2022. During the first half of 2022, companies should prepare themselves by establishing a whistleblowing channel, allowing the guarantees of confidentiality, anonymity and independence set out in the law to be safeguarded, and with well-defined procedures to follow up on complaints within the legal deadlines, without retaliation.

2021-12-02

Law 82/2021, of 30 November strengthens the control and monitoring of access to contents protected by copyrights and related rights in the digital environment. These control and supervision powers will be carried out by the Inspectorate General for Cultural Activities (Inspeção-Geral das Atividades Culturais - IGAC), the local supervisory authority for copyright and related rights.

Several creations/works are protected by copyright, among others: (i) literary works such as books, magazines, newspapers, lectures, lessons, speeches, poems; (ii) dramatic and dramatic-musical works; (iii) choreographic works; (iv) musical compositions with or without lyrics; films; television programs; (v) artistic works such as drawings, paintings, sculptures, ceramics, photographs, applied arts, illustrations, architectural designs and advertising slogans.

The digital environment lends itself to the illicit sharing of IP-protected content, which spreads rapidly across the Internet and may be difficult to control. The illicit disclosure of IP-protected content may occur by means of:

  • Communication, sharing, or storage of protected content without consent from the holders of copyright and related rights;
  • Making available services or means intended for use by third parties in violation of copyright and related rights, or intended to interfere with the normal and regular functioning of the market for works and performances; and/or
  • Provision of services to counteract effective technological measures for the protection of copyright and related rights or information devices for electronic rights management.

In a recent Portuguese case involving the illicit sharing of IP-protected periodicals and cinematographic/audiovisual works through Telegram channels, the Intellectual Property Court prohibited this practice, granting an injunction sought by Gedipe - Association for the Management of Copyrights, Producers and Publishers and one of its associates, Visapress.

The timing chosen for the publication of this law is therefore no coincidence. It comes into force on 29 January 2022 and defines a set of specific measures for the removal of illicit IP-protected content available on the Internet. Among these measures are:

  • Following an inspection by IGAC (by its own initiative or complaint), the person responsible for the illicit making available of protected content will have 48 hours to cease and remove the service or content, after notification by IGAC;
  • If the 48-hour deadline is not met, IGAC will notify the intermediary network service providers to remove or disable access to the protected content, for example by preventing access to a certain URL or the associated domain name (DNS) or, in certain cases, to content served from a certain IP address (note that blocking by IP address also affects any unrelated content served from the same address, as happens with shared hosting or CDNs);
  • If it is not possible to identify the person responsible for making the content available or when the 48-hour period does not have the desired useful effect, for example because the content is available for a limited time or in real time, IGAC will directly notify the intermediary providers to proceed with the removal of the content;
  • Intermediary network service providers must adopt a proactive and cooperative conduct with IGAC: (i) immediately inform IGAC when they become aware of illegal activities taking place via the services they provide (in case of obvious illegality) and (ii) comply with IGAC's requests to identify the recipients of the services with whom they have storage agreements.

Without prejudice to other sanctions, the illicit sharing of IP-protected content is an administrative offence punishable by a fine between €5,000 (five thousand euros) and €100,000 (one hundred thousand euros).

IGAC’s final decision must be notified to the complainant, the person responsible for the website or service and the intermediary provider of hosting services, being subject to appeal, in first instance, to the Intellectual Property Court, and in second instance, to the Court of Appeal.

2021-06-14

The European Commission (EC) published the final version of the Standard Contractual Clauses (SCCs) on June 4, following the draft proposal of November 12, 2020. The topic is of great interest for companies operating outside the European Economic Area (EEA) or working with companies that are. SCCs should help these companies remain GDPR-compliant.

For those less acquainted with SCCs, these take part in ensuring safer international data transfers. A principle of accountability applies to controllers which export personal data to countries outside of the EEA: controllers must ensure that no matter what mechanism and supplemental measures govern a data transfer, the data must receive the same protection at its destination as it would in the European Union (EU), or else the data transfer will be violating the GDPR.

For international data transfers to be possible, the GDPR requires the adoption of mechanisms/measures that ensure that transfers are carried out safely, which may include adopting Binding Corporate Rules (BCR), ad hoc contractual clauses, approved codes of conduct or certification mechanisms, and/or SCCs, or, in limited cases, relying on one of the derogations, such as the data subject's explicit consent.

SCCs set out appropriate safeguards regarding data transfers from (i) controller to controller, (ii) controller to processor, (iii) processor to processor, and (iv) processor to controller.

The new SCCs include general provisions that are applicable to all transfers of data, regardless of the nature of the parties, and specific provisions that the parties should include if they see fit to their specific situation (again, a principle of accountability applies).

General obligations include ensuring that data protection rules in the country of destination do not prevent the processing of personal data in accordance with the standard contractual clauses applied, as well as ensuring the minimisation of data disclosure to public authorities, shared responsibility between the parties in case of a data breach, etc.

The new SCCs also address both onward transfers and subscription by third parties. Onward transfers of personal data can lawfully occur, provided the third party subscribes to the SCCs. Subscription to the SCCs is enabled through a docking clause.

The EC sets out a transitional period within which companies relying on the old SCCs under existing data transfer agreements will be able to keep relying on them for 18 months after the publication of the new SCCs. For companies entering into new data transfer agreements, the new SCCs ought to be the mechanism to rely on for international data transfers, as the old SCCs are repealed for new agreements three months after publication of the new ones.

2021-05-11

Considering that Artificial Intelligence (AI) can bring a range of economic and social benefits, but also create new risks, the European Commission recently published a Regulation Proposal on a European Approach for Artificial Intelligence (the ‘AI Draft Act’ or ‘Draft Act’).
Following a public consultation on the Commission’s White Paper on AI of February 2020, the AI Draft Act aims to harmonize existing laws on AI, ensure the protection of fundamental European Union (EU) rights and safety of AI system users, as well as trust in the development and uptake of AI.
The Draft Act applies to public and private players (i.e., providers, importers, distributors, and users of AI systems) established within the EU or in a third country that places AI systems on the market or puts them into service within the EU, or where their use affects people located in the EU. The Draft Act is divided into twelve titles of which we highlight the following:

  • Scope and definitions (Title I): including, among other definitions, ‘AI’ and ‘AI system’. ‘AI system’ is broadly defined as a software product developed using certain listed techniques and approaches that can generate outputs influencing the environments they interact with;
  • Prohibited AI practices (Title II): the Draft Act uses a risk-based approach distinguishing between (i) unacceptable risk (e.g. AI systems that can exploit vulnerabilities of a specific group of persons or use real-time remote biometric identification in publicly accessible spaces, subject to some exceptions); (ii) high-risk to the health and safety or fundamental rights of natural persons (e.g. AI systems that perform a safety function in certain products, such as mobile devices, robotics, medical devices and other machinery); and (iii) low or minimal risk (e.g. AI-enabled video games or chatbots);
  • High-risk AI systems (Title III): once a high-risk AI system is identified, compliance obligations should be reinforced (Title IV), including obligations covering risk management, data governance, technical documentation, record-keeping requirements, transparency and provision of information to users, human oversight, robustness, accuracy, cybersecurity, post-market monitoring and incident reporting;
  • Governance, enforcement and sanctions (Titles VI to XII): the Draft Act provides for the establishment of a European Artificial Intelligence Board (EAIB) composed of the national supervisory authorities and the European Data Protection Supervisor. The AI Draft Act provides for substantial penalties of up to EUR 30 million or up to 6% of annual worldwide turnover, whichever is higher, to be levied against companies for non-compliance.

Once discussed (and probably subject to changes) and approved by the European Parliament and the Council, the AI Regulation will apply directly across the EU and with a wide-reaching impact.

2020-07-23

In a landmark preliminary ruling on data transfers between the European Union (EU) and the United States of America (US), the Court of Justice of the European Union (CJEU) declared the EU-US Privacy Shield decision (Privacy Shield) invalid.

This decision of 16 July 2020 (Schrems II case) is the sequel to a previous ruling in which the CJEU invalidated the EU-US Safe Harbour (Schrems I case). The EU-US Safe Harbour was the predecessor of the Privacy Shield, now considered inadequate to ensure the level of protection required by the General Data Protection Regulation (GDPR). In turn, the CJEU held Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries (SCC) to be valid.

This CJEU ruling follows a complaint lodged by M. Schrems, an Austrian citizen and Facebook user, with the Irish data supervisory authority, seeking to prohibit Facebook Ireland from transferring his personal data to the US. Personal data of Facebook users resident in the EU is transferred to servers of Facebook Inc. located in the US, where it is processed under SCC. M. Schrems claimed that SCC would not offer sufficient protection against access by US public authorities to the data transferred to the US.

Following the Advocate General's Opinion (a non-binding opinion published on 19 December 2019), the CJEU considered SCC adequate. The Court points out, in particular, that the SCC decision imposes an obligation on the data exporter and on the recipient of the data to verify, prior to any transfer, whether the required level of protection is respected in the receiving country, and that the decision requires the recipient to inform the data exporter of any inability to comply with SCC, the exporter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the recipient.

On the other hand, the CJEU challenged the level of protection afforded by the Privacy Shield on the grounds that it does not include satisfactory limitations to ensure the protection of EU personal data from access and use by US public authorities on the basis of US domestic law.

Although SCC remain valid for international data transfers, organisations currently relying on SCC will have to assess whether, considering the type of personal data, the purposes and context of the data processing and the importing country, an "adequate level of protection" exists as required by EU law. Otherwise, they should consider adopting additional safeguards. Organisations relying on the Privacy Shield will have to urgently seek alternative solutions, in particular the derogations provided for in the GDPR (e.g. the data subject's consent, or where the transfer is necessary for the conclusion or performance of a contract). SCC, binding corporate rules, approved codes of conduct or certification mechanisms may also be alternative solutions.

2020-05-13

Contact tracing has been a priority for app developers over the past few weeks. Local teams, corporations and governments have put effort into developing apps that trace proximity between smartphone users, who in this case are potential hubs for contagion. The utility of these apps is that once a member of a community is diagnosed with the virus, the chain of transmission may easily be traced back.

These apps raise questions on how the data collected is treated and on how effective the technologies used are. The technologies used by tracing apps range from Bluetooth to geolocation, to newer protocols built on top of them, such as DP-3T (Decentralized Privacy-Preserving Proximity Tracing).

All of these technologies have their perks and challenges. Tracing via Bluetooth, for example, estimates proximity from the strength of the signal received from each nearby smartphone: the closer the phone, the stronger its signal should be. In theory, that is, because different models and manufacturers build devices whose radios and antennas report signal strength differently. The measurement is the RSSI (Received Signal Strength Indicator); when two phones at the same distance report different RSSI values, any distance estimate derived from them is unreliable.

Not only is the measurement of signal strength a weak link, but for the measurement to occur at all, Bluetooth-based apps must run permanently, which shortens smartphone battery life and means they will most likely be disabled by manufacturers and/or consumers.

Geolocation, also used by some of these apps, is no more accurate than Bluetooth Low Energy (BLE). Safe distancing requires people to keep at least two meters from others, but the most common geolocation technologies are not accurate enough to resolve that distance.

On the one hand, GPS, the most accurate of them all (able to locate a device to within about five meters, still far too coarse for a two-meter threshold), only works reliably outdoors, is disturbed by weather-related events and is very energy-consuming.

BLE positioning, on the other hand, requires infrastructure (beacons at known locations) for nearby emitting devices to be precisely located by third parties, an issue also shared by Wi-Fi positioning. Network providers could locate devices by triangulating between base stations, but this technique lacks accuracy, as the number of base stations available for triangulation varies from place to place.

DP-3T, in turn, is not a different technology. Rather, it is a response to privacy concerns: a decentralised, privacy-by-design alternative to manual tracing of citizens, not a new way of locating devices. DP-3T uses Bluetooth and reverses the matching process: each phone broadcasts short-lived ephemeral identifiers (EphIDs) and stores the ones it hears from others; when a user is diagnosed, their identifiers are published, and if a smartphone finds any of the diagnosed patient's EphIDs in its own local store, the app knows that its user has been in contact with an infected user.
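The matching described above, as an added example that is not part of the original article and not the DP-3T project's own code: a simplified model of DP-3T's "low-cost" design in Python. The seed ratchet (SK_{t+1} = H(SK_t)) and the EphID derivation (a PRF keyed with the daily seed, expanded by a PRG) follow the DP-3T white paper, but DP-3T uses AES in counter mode as the PRG, whereas this example substitutes HMAC-SHA256 in counter mode so it runs with only the standard library. The `Phone` class, the 14-day retention constant and all sample contacts are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

EPHID_LEN = 16           # bytes per ephemeral identifier
EPOCHS_PER_DAY = 96      # 15-minute epochs per day, as in the DP-3T white paper
BROADCAST_KEY = b"broadcast key"
RETENTION_DAYS = 14      # assumed: how long a phone keeps observed EphIDs


def next_seed(sk: bytes) -> bytes:
    """Daily seed ratchet SK_{t+1} = H(SK_t). The hash is one-way, so
    publishing SK_t reveals nothing about EphIDs broadcast before day t."""
    return hashlib.sha256(sk).digest()


def ephids_for_day(sk: bytes) -> list:
    """Derive one day's EphIDs as PRG(PRF(SK_t, BROADCAST_KEY)).
    PRG here is HMAC-SHA256 in counter mode (substitution for DP-3T's AES-CTR)."""
    prf_key = hmac.new(sk, BROADCAST_KEY, hashlib.sha256).digest()
    stream = b""
    counter = 0
    while len(stream) < EPOCHS_PER_DAY * EPHID_LEN:
        stream += hmac.new(prf_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return [stream[i * EPHID_LEN:(i + 1) * EPHID_LEN] for i in range(EPOCHS_PER_DAY)]


class Phone:
    """Constructed model of one handset: its seed chain and its store of heard EphIDs."""

    def __init__(self, sk0: Optional[bytes] = None):
        self.seeds = [sk0 if sk0 is not None else secrets.token_bytes(32)]  # seeds[t] = SK_t
        self.observed = {}  # EphID -> day on which it was heard (retained RETENTION_DAYS)

    def seed(self, day: int) -> bytes:
        while len(self.seeds) <= day:
            self.seeds.append(next_seed(self.seeds[-1]))
        return self.seeds[day]

    def broadcast(self, day: int, epoch: int) -> bytes:
        """The EphID this phone advertises over BLE in a given 15-minute epoch."""
        return ephids_for_day(self.seed(day))[epoch]

    def observe(self, ephid: bytes, day: int) -> None:
        """Record an EphID heard from a nearby phone; only the EphID is stored."""
        self.observed[ephid] = day

    def prune(self, today: int) -> None:
        self.observed = {e: d for e, d in self.observed.items() if today - d < RETENTION_DAYS}

    def report(self, first_contagious_day: int):
        """After diagnosis, upload only the seed of the first contagious day.
        Earlier days stay unlinkable because the ratchet cannot be run backwards."""
        return self.seed(first_contagious_day), first_contagious_day

    def check_exposure(self, reports, today: int) -> list:
        """Re-derive each reported user's EphIDs from the published seed forward
        to today and intersect them with the local store; return the contact days."""
        days = set()
        for sk, day in reports:
            while day <= today:
                for e in ephids_for_day(sk):
                    if e in self.observed:
                        days.add(self.observed[e])
                sk, day = next_seed(sk), day + 1
        return sorted(days)


if __name__ == "__main__":
    alice, bob = Phone(), Phone()
    bob.observe(alice.broadcast(1, 40), 1)   # contact before Alice was contagious
    bob.observe(alice.broadcast(3, 7), 3)    # contact while contagious
    published = [alice.report(2)]            # Alice uploads SK_2 after diagnosis
    print(bob.check_exposure(published, today=5))   # only day 3 matches
```

Note what is and is not learned: Bob's phone finds the day-3 contact from the published seed alone, while the day-1 EphID it also heard cannot be linked to Alice, because SK_1 is not derivable from SK_2. The server only ever sees seeds of diagnosed users, never the contact graph.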

2020-04-29

In the current context of the Covid-19 pandemic, companies are now questioning what measures may be implemented to prevent the spread of the virus among their employees with a view to a progressive return to their business activity, including whether it is lawful to collect health data from their employees, namely their body temperature.

The Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados – CNPD) has come forward with guidelines on the collection of employees' health data. CNPD considers that the employer may not collect and record the body temperature of employees, except when using health professionals in the field of occupational medicine and upon prior written justification.

Under the General Data Protection Regulation (GDPR), body temperature falls into one of the special categories of data – health data – subject to enhanced legal protection. GDPR prohibits employers from collecting or recording employees' health data except for the purposes of labor law. The Portuguese Labor Code provides that employers may not demand health data from employees, except when specific requirements related to the nature of the activity so justify and the relevant reasons are provided in writing by the employer. Health data must be provided to a medical professional, who may only inform the employer if the employee is able to perform his/her job.

Based on a literal interpretation of the Portuguese Labor Code, CNPD understands that the legislator has not assigned to employers a role that is exclusive to the health authorities, which is true. However, it is also true that this rule was not drafted to apply to exceptional situations, but to the so-called "normal" context of the employment relationship. Consequently, the application of this rule in the current pandemic scenario is debatable.

On this matter, the Portuguese Ministry of Labor has already noted that taking employees' body temperature in the workplace may be feasible in certain circumstances. The Portuguese Government should soon clarify this matter with a solution proportionate to the current pandemic situation, considering that employers have a duty of care, including the duty to ensure the safety of their employees in the workplace.

GDPR (as a regulation, GDPR must be immediately applied, unlike a directive, that must be implemented by each member state into the national law) provides that the processing of health data is lawful, through a health professional (subject to professional secrecy), if processing is necessary for reasons of public interest in the area of public health, including for monitoring epidemics and their spread, which is certainly the case. This is the lawful basis on which employers will be entitled to take employees' body temperatures (obviously, within certain constraints).

In short, very exceptional situations do demand very exceptional measures.

2020-04-22

The General Data Protection Regulation (GDPR), which is applicable since 25 May 2018, governs the processing of personal data throughout the European Union (EU). GDPR aims at ensuring a consistent and high level of data protection within the EU without jeopardising the free flow of data within the EU.

The GDPR has replaced Directive 95/46/EC of 24 October 1995, in force since 1995, and superseded national data protection laws, including Law 67/98, of 26 October 1998. Along with the GDPR, Law 58/2018, of 8 August 2018, which implements some local specifics, is also in force in Portugal (GDPR Local Law).

Public and private entities are taking exceptional measures to prevent and mitigate COVID-19 across the EU, including in Portugal, where it was decreed a situation of state of emergency on 19 March 2020 and extended, at least, until 2 May 2020.

In this context, the Portuguese Data Protection Authority (DPA) has issued four papers:

(a)         Resolution number 2020/170 of 16 March 2020, whereby all formal regulatory actions in connection with outstanding information request backlogs are suspended; and

(b)        Three guidelines:

(i)        Guidelines of 2 April 2020 on the use of video surveillance systems and alarms in the COVID-19 context, where the DPA stresses that private security companies are prohibited from carrying out activities falling into the scope of the exclusive powers of judicial or police authorities, including border control and the prevention and repression of crimes in public places;

(ii)       Guidelines of 9 April 2020 on the use of distance learning technologies considering that Portuguese students are taking e-learning classes from their homes; and

(iii)      Guidelines of 17 April 2020 on remote control means of employees under a distance work regime issued in response to several questions on the use of software for control of employees’ performance in teleworking, and the imposition on employees of a permanent connection to the video camera. The DPA clarifies that the use of such software tools is disproportionate and infringes data protection principles, and that labour rules prohibiting distance control means of employees’ activity remain applicable.

Apart from these four initiatives, no additional information is available in connection with data protection and COVID-19. Conversely, other EU data supervisory authorities, for instance in the UK and Germany, have published sets of materials and FAQs on their websites to respond to data protection questions arising from the current situation.

The current situation may involve the processing of different types of personal data, including special categories of personal data, such as health data, namely within an employment context. In a COVID-19 scenario (not only at the current stage of spreading, but also at subsequent stagnation and mitigation stages), the processing of personal data may be necessary for compliance with employers’ statutory obligations, e.g. obligations relating to health and safety at the workplace, or to the public interest, e.g. the control of diseases and other threats to health.

Bearing in mind that several questions may arise within an employment context (but not limited to), we have prepared a list of FAQs to help organizations to be able to respond to such new challenges.

1. May employers collect personal data of employees to prevent the spreading of the COVID-19 virus at the workplace? If so, what personal data is the employer allowed to process in this context?

Yes, employers may collect personal data of employees in order to prevent the spreading of the virus at the workplace to the extent that it is required to fulfil employers’ statutory duties (e.g. duty of care) and to organise the work in line with the Portuguese legislation, namely Portuguese labour rules.

The criteria should be whether the processing is necessary for a given purpose (e.g. processing that is necessary for the protection of the health of employees and for compliance with statutory reporting obligations), and the implementation of the GDPR’s principle of data minimization.

In principle, the collection of the following data will not raise major issues: name, current contact information, contacts with other persons within the organization, previous or intended stay in a high risk area, previous contacts with allegedly infected persons or whether a person is symptom-free.

Conversely, health data, which is a special category of data, is subject to restrictions that require an adequate interrelation between the GDPR, the GDPR Local Law and the Portuguese labour rules, as detailed below.

2. In these circumstances, what requirements must employers comply with when they process employees’ personal data?

Employers may collect and process personal data of employees, including health information, to determine whether (i) they are infected or have been in contact with an infected person, or (ii) they were in a high-risk area during the relevant period.

Employers should inform employees about COVID-19 cases and take protective measures, but they must not disclose more information than is required.

Employers must keep employees informed about cases in their organisation, but they must not name individuals. The disclosure of personal data of infected persons (confirmed and suspected) to inform colleagues or external parties is only lawful on condition that, under exceptional circumstances, it is strictly necessary to know the identity of that person in order to mitigate the spread of COVID-19 and allow employees to take relevant safeguards. In these very exceptional cases (where it is necessary to reveal the name of the employees who contracted the virus, e.g. in a preventive context), the concerned employees shall be informed in advance and their dignity and integrity shall be protected.

3. What is the relevant lawful basis for such data processing by employers?

As regards employees, the relevant lawful basis is the GDPR’s legitimate interests (Article 6/1(f) GDPR).

Where health data is processed, the relevant legal basis should be the GDPR’s employment and social protection legal basis, i.e., processing that is necessary for the purpose of carrying out the obligations and exercising specific rights of the employer or of the employees in the field of employment and social security and social protection law (Article 9/2(b) GDPR).

As regards local law, namely the labour law and the GDPR Local Law, we should stress the following rules:

(a) Article 28/1 of the GDPR Local Law states that the employer may process employees’ personal data for the purposes and within the limits set out in the Portuguese Labour Code;

(b) Article 17/1(b) of the Portuguese Labour Code states that the employer may not ask the employee to disclose health data, save when exceptional circumstances related to the professional activity justify such disclosure and the relevant grounds are provided in writing by the employer. Health data are provided to a medical doctor, who may only inform the employer whether the employee is or is not able to perform their job functions; and

(c) Article 29/2 of the GDPR Local Law states that special categories of data, namely health data, may be processed for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health, and that suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy, must be adopted.

This means that the employer’s legitimate interests legal basis and, for health data, the employment and social protection legal basis both stem from the general duty of care of the employer towards their employees. Health data must be processed by the employer through a medical doctor bound by professional secrecy, which means that health data may not, in principle, be disclosed to other employees, save in exceptional circumstances and insofar as it proves necessary to avoid the spreading of COVID-19 at the workplace.

Under the duty of care, the employer must ensure the protection of the health of all employees. This also includes carrying out an appropriate response to the spread of COVID-19, for prevention and traceability purposes (i.e., subsequent prevention towards contact persons).

It should also be noted that the GDPR includes derogations from the prohibition on processing certain special categories of personal data, such as health data, where it is necessary for reasons of public interest in the area of public health (Article 9/2(i) GDPR), on the basis of EU or local law, or where there is a need to protect the vital interests of individuals (Article 9/2(c) GDPR). As recital 46 GDPR states, some types of processing may serve both important grounds of public interest and the vital interests of individuals, for instance when data processing is necessary for monitoring epidemics and their spread.

In turn, employees’ consent cannot be considered a lawful basis, as, in an employment relationship, there is a clear imbalance between employees (data subjects) and the employer (controller). It is unlikely that employees’ consent is freely given in the context of an employment relationship.

4. May employers process personal data of workplace visitors for COVID-19 related purposes?

Yes, employers may process personal data of workplace visitors for COVID-19 related purposes to determine whether (i) they are infected or have been in contact with an infected person, or (ii) they were in a high-risk area during the relevant period, and to the extent that the measures to be adopted are proportionate.

As regards visitors, measures involving third parties that require the processing of health data can be justified on the GDPR lawful basis for processing that is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health (Article 9/2(i) GDPR).

The consent of visitors (data subjects) can only be considered as a lawful basis for COVID-19 measures if they comply with all consent requirements, including if visitors are informed about the data processing and can provide consent about the measures voluntarily. This means that visitors should be aware at least of the identity of the data controller (the organization) and the purposes of the processing for which the personal data are intended in the context of COVID-19.

5. Are private mobile phone numbers and email addresses of employees allowed to be collected?

During the pandemic, employees may work from home more frequently than usual and they may use their own devices or communications equipment. The collection of private mobile phone numbers and email addresses of employees may be necessary, and hence lawful, if they are used to ensure employees’ "ongoing availability" during the current COVID-19 crisis, namely if employees are working under a distance work regime.

It may also be necessary if, for instance, an overload of the organisation's IT infrastructure makes it necessary to communicate with the employer and/or other employees through private channels. In this case, care must be taken to ensure that no sensitive data is disclosed over insecure communication means, namely consumer email services, where there is a risk of unauthorised access to data by third parties.

Employers and employees need to consider the same kinds of security measures for homeworking that they use in normal circumstances, for instance hardware and software encryption, two- or three-factor authentication, and keeping access log files. The data may only be used for the intended purpose and must be deleted immediately after the processing purpose has ceased to apply.

6. May employers use technological solutions for remote control of their employees’ performance through a distance work regime? May videoconference calls between employees or between the employer and employees be recorded?

According to recent guidelines issued by the DPA, the general rule prohibiting the use of means of remote surveillance to monitor employees’ performance is fully applicable in a distance work context. The same conclusion would always be reached by applying the principles of proportionality and minimization of personal data, since the use of such means implies an unnecessary and excessive restriction of employees’ private life.

For this reason, technological solutions for remote control of the employee's performance are not allowed. Examples are software that, in addition to tracking working time and inactivity, records the Internet pages visited, the location of the terminal in real time and the use of peripheral devices (mouse and keyboard), captures images of the working environment, observes and records when access to an application is initiated, and monitors the document the employee is working on and the time spent on each task (e.g., TimeDoctor, Hubstaff, Timing, Manic Time, TimeCamp, Toggl, Harvest). These tools manifestly collect excessive personal data from employees, raising the level of control over work above that which can legitimately be exercised at the employer’s premises. The fact that the work is being carried out from home does not justify a further restriction on employees. Accordingly, the collection and subsequent processing of such data violates the principle of minimisation of personal data.

Similarly, it is not allowed to require the employee to keep the video camera on permanently, nor is it, in principle, allowed to record videoconferences between the employer and employees.

Despite the prohibition on the use of such tools, the employer retains the power to control the activity of the employee, which it may do, namely, by setting objectives, creating reporting obligations as often as it deems necessary, and scheduling meetings by videoconference.

7. May employees’ files be processed in an employee’s home office (e.g. in the home office of the Human Resources staff)?

The processing of employees’ files in an employee’s home office can only take place in exceptional circumstances, if it is strictly necessary and to the extent that technical and organisational measures are taken to protect personal data, including, for instance, hardware and software encryption, two- or three-factor authentication, keeping access log files, and not printing in the home office.

If you need any further clarifications or assistance in any questions on data protection matters, please do not hesitate to contact us.

2020-04-21

The European Commission has recently issued guidelines for the development of contact tracing and warning applications in the fight against COVID-19, which can have a significant impact in the control of the disease and play an important role as part of containment measures.

Contents. These applications may include: (i) accurate information about the COVID-19 pandemic for users; (ii) self-diagnostic questionnaires and guidance for users (symptom control feature); (iii) alert notifications to persons who have been in close contact with an infected person, so that they can be tested or self-isolate (contact tracing and warning features); and/or (iv) a communication forum between patients and physicians, including further diagnosis and treatment advice (e-treatment advice).

Applicable regulations and supervision. Given the extremely sensitive nature of the data (in particular health data) and the purpose of the applications, they must comply with the General Data Protection Regulation (GDPR) and the ePrivacy Directive (Directive 2002/58/EC). They must also be implemented in close coordination with, and under the supervision of, the relevant public health authorities and national data protection authorities.

User control and consent. Users must keep full control over personal data and hence they must give their prior consent (complying with GDPR requirements) and separately for each application’s features.

In case of use of location data, this data must be stored on the user's device and only be shared with their prior consent; users must be able to exercise their rights under the GDPR and, among others, they have to be entitled to, at any time, withdraw their consent.

Principle of data minimisation and data accuracy. Applications must comply with the principle of data minimisation: only the personal data required for the purpose at stake may be processed. For example, for the purpose of tracing contacts, the European Commission considers that the processing of location data is not necessary and thus does not advise its use.

EU rules require that processed personal data are accurate. Therefore, the Commission considers that technologies such as Bluetooth should be used to more accurately assess contact between different users. The data must be stored on the user's device and encrypted and must only be kept for the necessary period, in medical terms, and for the duration of the containment measures.

For the success of these applications, citizens’ trust, and their feeling safe when using them, is essential, which must be ensured through strict compliance with EU rules on personal data protection.

2019-05-23

We are still waiting…

Portugal has not yet approved a local law implementing the General Data Protection Regulation (GDPR).

In March 2018, the Portuguese Council of Ministers presented a bill to the Portuguese Parliament. The new law was supposed to come into force on the same date the GDPR became applicable, 25 May 2018. In May 2019, we are still waiting for the bill to be voted on.

During the last year, the Portuguese GDPR bill was criticized by many, including the Portuguese supervisory authority, the Data Protection Authority (Comissão Nacional de Proteção de Dados - CNPD), which had no say on the drafting of the bill.

Among other issues, the Government’s proposal replicated several provisions of the GDPR and, in some cases, contravened the GDPR. For instance, the bill proposal stated that the local law would apply to “the processing of personal data of data subjects resident in Portugal”, instead of referring to the data subjects who are in Portugal, irrespective of whether or not they are resident in Portugal, which limits the scope of the law and leaves unprotected non-residents who happen to be in Portugal.

After the discussion period and a review by Portuguese Parliament members, the territorial scope provision was amended to comply with the GDPR. The current version also shows some effort in avoiding useless duplications of the GDPR text.

The exemption of public entities from fines was another provision that received strong disapproval from the Portuguese supervisory authority. In this regard, Article 83/7 of the GDPR states that “(…) each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.”

In Portugal, there is no tradition of exempting public entities from fines. There is no material reason for a different treatment of public and private entities. In fact, the proposed exemption gave many public entities the idea that controls would not apply to them and that they would have more time to implement the GDPR. As a consequence, the public sector, along with SMEs, has been delaying the implementation of the GDPR.

In the meantime, in response to the public criticism, the Portuguese Parliament proposed a compromise. In the current draft bill, the exemption will be granted on justified grounds, on a case-by-case basis, by the Portuguese supervisory authority and for a maximum period of three years. All the other rules, including the GDPR’s corrective measures, will apply to public entities.

However, this compromise solution is still a sensitive matter. If this provision is approved, it is very likely that the Portuguese supervisory authority will apply the exemption only in very exceptional cases.

The Portuguese bill also includes specific provisions on the Data Protection Officer (DPO), including secrecy and confidentiality duties, tasks, and which public entities are obliged to appoint a DPO.

In general terms, the GDPR establishes that public authorities are required to appoint a DPO. In order to determine which public entities have to fulfil this obligation, the Portuguese GDPR bill provides a list of public entities, including the Portuguese State, the Autonomous Region of Madeira, the Autonomous Region of the Azores, municipalities, independent supervisory authorities, public institutes, public law schools, the State and municipal business sectors, and public associations.

Between the earlier version and the latest one, there are two major differences. Portuguese parish councils (juntas de freguesia) with more than 750 inhabitants are obliged to appoint a DPO. Earlier, the appointment of a DPO was decided by each parish on a case by case basis.

There is also another change, which may have a significant impact on the State business sector (sector empresarial do Estado, «SEE»): while the first proposal provided that only public undertakings (entidades públicas empresariais, «EPE») were obliged to appoint a DPO, the new version extends the obligation to all public business entities of the SEE.

The Portuguese bill also provides the following:

(a) GDPR codes of conduct or certification mechanisms must be approved by a certification body recognised by the Instituto Português de Acreditação (IPAC, I.P.) and in accordance with the requirements established by the Portuguese supervisory authority. As far as we know, no GDPR codes of conduct or certification mechanisms are in place so far;

(b) In relation to the offer of information society services, the Portuguese bill establishes that data processing of a child above the age of 13 years will not require consent given by the parents. Although Portuguese law usually adopts a conservative approach on minors’ rights establishing the age of 16 years, as a reference age, the Portuguese bill opted to follow the majority of the Member States, which consider the age of 13 years old for information society services;

(c) The Portuguese bill provides for specific rules on the processing of employees' personal data in the employment context, in particular as regards the conditions under which employees’ personal data may be processed on the basis of the employee’s consent, as well as on the use of video surveillance systems and employees’ biometric data. Generally, the employee’s consent is not a lawful basis for processing employees’ data if: (i) the processing results in a legal or financial advantage for the employee; or (ii) the processing is necessary for the performance of the employment contract. Video surveillance footage may only be used against employees in the scope of criminal proceedings. The use of employees’ biometric data is only lawful for the purposes of attendance control and access control to the employer’s premises;

(d) The processing of genetic data and data concerning health is subject to the “need-to-know” principle. Data controllers are obliged to give notice to data subjects of all accesses to their personal data concerning health. This means that data controllers will have to implement a traceability mechanism that records who accessed which health data, when and for what purpose;

(e) No data retention deadlines are applicable for data concerning Social Security contributions for retirement purposes;

(f) Except in cases of wilful misconduct, the opening of administrative offence proceedings by the Portuguese supervisory authority must be preceded by a warning to remedy the breach within a reasonable deadline. For very serious infringements, the fine thresholds are set for three categories of addressee: (i) €5,000 to €20,000,000 or 4% of annual turnover, for large companies; (ii) €2,000 to €2,000,000 or 4% of annual turnover, for SMEs; and (iii) €1,000 to €500,000 for individuals. Half of these amounts apply in the case of serious infringements.
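Item (d) above turns a legal rule into an engineering requirement: a need-to-know check on every read of health data, and a record of each access that can later be turned into the notice owed to the data subject. The following Python sketch is an added example written for this note; it is not code from the bill, from the supervisory authority or from any product, and the roles, purposes, field names and employee records in it are hypothetical. The doctor's `fitness_statement` mirrors the rule, described in the COVID-19 FAQ above, that the employer learns only whether an employee is fit for work and never the underlying health data.

```python
"""Need-to-know gateway and access trail for employee health data.

Illustrative example only. Roles, purposes, fields and records are assumptions
made for this note; they are not taken from the Portuguese GDPR bill.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Set

# Hypothetical need-to-know matrix: role -> purposes for which that role may
# read the clinical record. HR is deliberately absent: it receives only the
# doctor's fit/unfit statement, never the underlying health data.
NEED_TO_KNOW: Dict[str, Set[str]] = {
    "occupational_doctor": {"fitness_for_work", "contact_tracing"},
    "safety_officer": {"contact_tracing"},
}

# Hypothetical data-minimisation rule: fields each purpose may touch.
PURPOSE_FIELDS: Dict[str, Set[str]] = {
    "fitness_for_work": {"diagnosis", "fit_for_work"},
    "contact_tracing": {"covid_status", "last_onsite_day"},
}


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str
    subject_id: str
    accessor: str
    role: str
    purpose: str
    fields: tuple
    granted: bool


class HealthDataGateway:
    """Single choke point for reads of health data; every attempt is recorded."""

    def __init__(self, records: Dict[str, Dict[str, object]]):
        self._records = records
        self._trail: List[AccessEvent] = []  # append-only audit trail

    def read(self, subject_id: str, accessor: str, role: str,
             purpose: str, fields: List[str]) -> Dict[str, object]:
        granted = (purpose in NEED_TO_KNOW.get(role, set())
                   and bool(fields)
                   and set(fields) <= PURPOSE_FIELDS.get(purpose, set())
                   and subject_id in self._records)
        # Refused attempts are logged as well, so the trail shows probing.
        self._trail.append(AccessEvent(
            datetime.now(timezone.utc).isoformat(timespec="seconds"),
            subject_id, accessor, role, purpose, tuple(fields), granted))
        if not granted:
            raise PermissionError(
                f"{role} may not read {fields} for purpose {purpose!r}")
        record = self._records[subject_id]
        return {f: record.get(f) for f in fields}

    def fitness_statement(self, subject_id: str, doctor: str) -> bool:
        """All the employer is told: fit or not fit, nothing else."""
        data = self.read(subject_id, doctor, "occupational_doctor",
                         "fitness_for_work", ["fit_for_work"])
        return bool(data["fit_for_work"])

    def access_notice(self, subject_id: str) -> List[dict]:
        """Notice for the data subject: every granted access to their data."""
        return [asdict(e) for e in self._trail
                if e.subject_id == subject_id and e.granted]

    def denied_attempts(self) -> List[dict]:
        """For the controller's own review: refused reads are kept too."""
        return [asdict(e) for e in self._trail if not e.granted]


# Constructed sample records for two fictional employees.
SAMPLE_RECORDS: Dict[str, Dict[str, object]] = {
    "emp-001": {"diagnosis": "confirmed COVID-19", "fit_for_work": False,
                "covid_status": "positive", "last_onsite_day": "2020-03-12"},
    "emp-002": {"diagnosis": None, "fit_for_work": True,
                "covid_status": "negative", "last_onsite_day": "2020-03-13"},
}


def demo() -> HealthDataGateway:
    """Two lawful reads of emp-001 and one refused HR attempt."""
    gw = HealthDataGateway(SAMPLE_RECORDS)
    gw.fitness_statement("emp-001", "dr.silva")
    gw.read("emp-001", "safety.officer", "safety_officer",
            "contact_tracing", ["covid_status", "last_onsite_day"])
    try:  # HR asking for the diagnosis directly: refused and logged.
        gw.read("emp-001", "hr.costa", "hr_officer",
                "fitness_for_work", ["diagnosis"])
    except PermissionError:
        pass
    return gw


if __name__ == "__main__":
    g = demo()
    for event in g.access_notice("emp-001"):
        print(event)
    print("denied:", len(g.denied_attempts()))
```

The point of routing every read through one gateway is that the access notice and the need-to-know decision come from the same record: an access that was never logged cannot be reported, and a purpose that is not in the matrix cannot be served, so the two obligations in item (d) are enforced by a single mechanism rather than by policy alone.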

In some matters, the Portuguese GDPR bill is silent. For instance, the bill does not establish specific rules applicable to private life data, including solvency and creditworthiness. This data was considered similar to sensitive data (now, special categories of data) under the former Portuguese data protection law.

The Portuguese GDPR bill also does not contain specific provisions about the relationship between the GDPR provisions and the access right to public documents, nor private enforcement rules in relation to the decisions taken by the supervisory authority.

Moreover, the Portuguese bill surprisingly establishes a «standstill» period for new consents, entitling data controllers, whether private or public entities, to obtain new consents from data subjects within an additional period of six months from the effective date of the local law. This provision, which remains unchanged in both versions of the bill, clearly contravenes the GDPR, which is directly applicable in all Member States, including Portugal. The GDPR does not include any special rules on consent that would allow Portugal to set a deadline beyond 25 May 2018. Therefore, it is expected that this provision will not be incorporated into the final law.

Although some sensitive issues still remain, the final text should be voted on and approved by the members of the Portuguese Parliament next month.

2018-05-21

For further information about GDPR, please see «Notícias».
