Data protection is on the agenda because, on the coming 25 May, the European Union (EU) General Data Protection Regulation (RGPD) begins to apply, revoking in Portugal the Data Protection Act of 1998 (Lei n.º 67/98, of 27 October).
Lieutenant Colonel of the GNR
Master in Law and Security and Homeland Security Auditor
Head of the Education Division, Doctrine and Training Command
The RGPD is dated 27 April 2016 and has been in force since 24 May 2016; it will apply from next Friday in all EU member states, including those that over the last two years have not approved domestic legislation, Portugal among them. The RGPD therefore applies automatically in Portugal, establishing new rules for the processing, by a person, a company or an organisation, of personal data on persons in the EU.
So, from Friday the paradigm of data protection will change, and the general opinion among experts is that few public or private entities are prepared to comply with the RGPD, even though it applies to most public and private entities.
The only exceptions are that the RGPD does not apply to the processing of personal data of deceased persons or of legal persons, nor to processing carried out in the course of household activities, since there is then no connection with a professional or commercial activity.
To illustrate where the RGPD applies, one can give the example of a company based in the EU that provides services to customers located in the Middle East, or of a business outside the EU that processes data of EU citizens. An example where it does not apply is the use by any person of their own private address book for personal contacts by phone or e-mail.
In other words, the RGPD applies in virtually all situations where personal data are processed, namely: first name and surname; the address of a residence; the e-mail address; an ID card number; location data (for example, the location function on a mobile phone); the IP (Internet Protocol) address; cookies; the advertising identifier of a phone; and all data held by any public or private entity (hospital, doctor, etc.) that identify a person unambiguously.
Although it is not the intention of this article to cover the whole RGPD in detail, it can easily be seen that its 99 articles change the paradigm of data protection in the EU. Moreover, the National Data Protection Commission (CNPD) has been issuing warnings through its President, Filipa Calvão, who said in an interview that the Commission does not have the human resources to ensure supervision of compliance with the new data protection rules, as described in Público's article "Data Protection Commission 'can not afford' to ensure application of new rules", of 16 May.
Taking into account the latest news, Portugal is not the only country that is unprepared to comply with the RGPD, as reported in Negócios on 13 May, in its article entitled "Data protection: only five countries have already updated legislation", which states that "Portugal is not alone in the field of delays in implementing legislation that complements the Data Protection General Regulations".
Perhaps the reason for this lack of concern by EU member states in regulating the RGPD is that data protection will now be carried out according to the principles of self-responsibility and self-regulation. All entities subject to the RGPD should therefore adopt a set of measures to check the state of their data protection, which requires working through the steps of a risk assessment.
The first phase is the diagnosis, which should serve to identify all the data the entity holds. What processing is carried out? What types of data are there? For what purpose? What is the retention period? What are the data flows? Are there third parties with access to the data? In other words, one should "tidy the drawer" into which data have been put over the last 20 years, thereby minimising the risk.
The following phase is the Review, which should confirm the existence of the data subjects' consent to the respective processing and of the consent documents; privacy policies and terms of use should also be reviewed, bringing all documentation into line with the provisions of the RGPD.
The third phase consists of appointing a Data Protection Officer (EPD), involving him or her in the preparation process and making him or her responsible for the fourth phase, Implementation: identifying the measures to adopt, evaluating the systems needed for that purpose and drawing up an implementation plan so that the new measures can be put in place, with the necessary reviews and corrections, in order to reach the last stage, Compliance, which starts on the coming 25 May.
As mentioned, one of the obligations under the RGPD is the appointment of a DPO, which according to its Article 37 is required when: "the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10".
The EPD may be a person or a group of people and has the responsibilities and tasks set out in Articles 38 and 39 of the RGPD. One concludes that the EPD will be one of the most important officials in any public or private entity; Reuters, in its article of 14 February 2018 entitled "Rise of the data protection officer, the hottest tech ticket in town", observes that EPDs "may not have the cachet of entrepreneurs, or geek chic of developers, but data protection officers are suddenly the hottest properties in technology".
This importance of the EPD may stem from the amount of the fines to be imposed in case of breach of the RGPD rules: in less serious cases the fine may be up to 10 million euros or 2% of worldwide annual turnover, whichever is higher, and in more serious cases up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.
Still on the EPD, it should be noted that all Security Forces and Services must also appoint a DPO, according to Article 32 of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data.
The EPD of a Security Force or Service has the responsibilities and tasks set out in Articles 33 and 34 of Directive (EU) 2016/680, and is responsible for verifying that data processing complies with the RGPD, so as to protect all the personal data in its custody.
Taking the GNR as an example, the DPO should ensure the protection of the personal data of the institution's military and civilian personnel and of any other citizen recorded in the GNR's databases.
However, most processing of personal data in the GNR is not based on the consent of the data subjects; the exception is the processing of data relating to support for vulnerable populations under the various special community policing programmes, which requires the consent of the persons concerned, duly expressed in the document itself.
This new task is nothing new for the GNR because, unlike other entities, implementing active measures to protect the data and privacy of all citizens has been one of the GNR's concerns since the entry into force of the Data Protection Act in 1998, and all personal data in the GNR's databases are stored encrypted.