During the first year of GDPR enforcement, the Portuguese DPA imposed four fines as a consequence of data privacy breaches.
In 2018, a fine amounting to EUR 400,000 was issued as a result of indiscriminate access by hospital staff to patients’ data and the inability of the data processor (the hospital) to ensure the confidentiality, integrity and resilience of the system and processing services. The DPA considered that the hospital was severely at fault in its actions.
Minor fines were imposed during the course of 2019. A fine of EUR 20,000 was imposed on a call centre’s client (the data controller). The call centre did not provide a customer with records of phone calls after being requested by the latter to do so. The other fines, of EUR 2,000 each, were imposed as a result of the lack of warning in cases of video surveillance.
Up to February 2019, more than 200 complaints were notified to the Portuguese DPA. Considering the number of complaints and the four fines already publicised, there is a clear lack of means and responsiveness from the Portuguese DPA (a fact that is also recognised by the Authority).
The Portuguese Government has not approved any national legislation aimed at adapting the GDPR. This delay is related to the negative opinion issued by the Portuguese DPA regarding the draft law that was published last year and subject to public consultation. We anticipate a national law will be approved in the coming months. Data privacy concerns are common in employment relations, and courts are slowly being asked to decide cases involving privacy issues. The GDPR focussed the attention of companies on privacy matters and, after the initial stress of its entry into force, the litigation environment is currently calm.
There is significant interest and anticipation regarding the proposed Portuguese national law on data protection and how the DPA will conduct its future inspection mission.