12 April 2018
The Government introduced, on 26 March 2018, law proposal no. 120/XIII for the implementation of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) (‘the Draft Law’). The Draft Law includes provisions on the functioning and competences of the Portuguese data protection authority (‘CNPD’), data protection officers (‘DPOs’), employee personal data processing, terms for data retention, special categories of personal data, as well as administrative fines and criminal sanctions.
Mónica Oliveira Costa, Partner at Coelho Ribeiro & Associados, Sociedade Civil de Advogados, RL, told DataGuidance, “The intention of the legislator was to be as minimalist as possible, however, in certain provisions this was not accomplished. [In general], there is a lot of room for improvement in order to avoid potential interpretation issues and adverse consequences for all stakeholders.”
Processing of employee data is regulated by Article 28 of the Draft Law, which stipulates that the employer needs the employee’s consent to process such data, except for cases where processing may result in a legal or economic advantage for the employee, if it is necessary for the performance of a contract to which the employee is party, or in order to take steps at the request of the employee prior to entering a contract.
Oliveira Costa highlighted, “The wording of Article 28 of the Draft Law may raise issues as it can ultimately lead to the interpretation that employers will not be able to process data on the basis of the employee’s or another person’s vital interests as well as the controller’s legitimate interests. [This could be viewed] as an excessive restriction, given the limits already foreseen in the GDPR in this regard. Broad concepts, such as ‘legal or economic advantage’ should be avoided at all costs as they raise more doubts than answers.”
Hopefully, the provisions that refer to transfers of employee data will be removed from the final version
Additionally, the Draft Law provides that the transfer of employee data is only permitted in case of temporary assignment between undertakings that are in a parent-subsidiary, group relationship or with common organisational structures, provided that the transfer is necessary, proportional and adequate.
Oliveira Costa concluded, “Any [other] transfers of employee data will not be allowed, [which] not only is unreasonable, but also against the GDPR’s principles (for example, binding corporate rules, which will be a legitimate ground for international transfers are not mentioned at all). Above all, the interests and rights of the employees are not safeguarded, quite the contrary. Hopefully, [these] provisions will be removed from the final version.”
NIKOS PAPAGEORGIOU | Junior Privacy Analyst