
 IT and Data Protection

 

January 2011

We have selected four current topics for the CRA January Newsletter.

Data Protection – online forms and new fees from the PDPA

Online forms for processing notification purposes are already available. This is expected to speed up the existing administrative system and also to reduce the time taken by the Portuguese Data Protection Authority (PDPA) to issue decisions. CCTV authorizations will now be issued in no more than 30 days.

The fees for processing notifications have been updated. As from January 1st 2011, the fee for notifications of processing that requires prior authorization is € 150 (an increase of € 50). The fee for notifications of processing that does not require prior authorization is now € 75 (an increase of € 25).

However, whenever notifications are particularly complex, the PDPA may increase the fee to up to half of the national minimum salary in force, which, in 2011, means a maximum fee of € 242.50.

Drug and Alcohol Testing in the Workplace – New Guidelines

Companies that wish to carry out drug and alcohol testing in the workplace must comply not only with the Portuguese Labour Code but also with Opinion no. 890/2010, issued last November by the Portuguese Data Protection Authority (PDPA).

This processing is subject to the prior authorization of the PDPA as it involves sensitive data. Companies may therefore only carry out such processing after being authorized by the PDPA and in accordance with the terms and conditions of the authorization.

The controller is always the employer, even if the Health & Safety Services are outsourced. In case of outsourcing, the relationship between the outsourcer and the employer must be enshrined in a written contract, or in some other binding document in writing, which expressly provides that the processor (outsourcer) will act only in accordance with the controller’s instructions and will adopt appropriate technical and organizational measures to ensure the protection of the sensitive data.

The conduct of drug and alcohol testing of employees will only be authorized if its purpose is limited to medical prevention or treatment. Despite the fact that these tests cannot be used to evaluate the employees’ employment capacity and the fact that substance use is not per se grounds for dismissal, the PDPA permits the use of personal data so collected as evidence in disciplinary proceedings.

Furthermore, processing will only be considered to be lawful if there is a relevant public interest, which exists in the case of the protection of the physical integrity of the employee and/or third parties.

The PDPA also requires compliance with the following requirements: (i) processing of personal data only when this is strictly indispensable in terms of the purposes for which the data was collected; (ii) the scope of processing is restricted to those employees whose activity may jeopardize their own physical integrity or that of third parties; (iii) the inclusion of these tests in an occupational health programme with medical prevention and treatment objectives; and (iv) the drafting of a specific regulation containing the procedures to be adopted with regard to the testing, which ensures the participation of the employees’ representatives.

So far as security measures are concerned, the company must implement the special legal measures in force regarding the processing of sensitive data, i.e.: (i) logical separation of administrative data from health data, which means the implementation of access to information according to various data levels and the implementation of passwords, which must be changed periodically; (ii) health data should only be accessible by a doctor or by other health professionals who are subject to a duty of secrecy and who are supervised by a doctor; (iii) health data must not be disclosed to the employer, which may only be informed as to the employee’s fitness via a fitness sheet, in terms such as fit, not fit, or fit subject to restrictions; (iv) data circulating on open networks must be encoded; (v) keeping of an audit record of access to sensitive data, access to which must be restricted; (vi) data back-ups must only be accessible to the system administrator.

Employees must be provided with information regarding the processing, objectives and ways to access and rectify personal data at the time it is collected. Access to personal data and the rectification thereof must always be processed via a doctor, or other health professional subject to a duty of secrecy.

No personal data may be disclosed, other than to the Public Authorities or to the Employment Authority’s doctors, and data may be retained for no more than 1 year, except in cases of pending litigation, when data can be retained for such longer period of time as is strictly necessary.

PDPA updated the Guidelines over Employee Health and Safety at Work Information

The PDPA issued Decision no. 840/2010 in November 2010, the primary purpose of which is to update the Opinion issued in 2006 regarding this matter, so as to bring it into line with the 2009 Labour Code. This new Decision increases the data retention period to 5 years, and also stresses the need for companies to legalise their data processing in the context of Health and Safety in the Workplace, which is mandatory, according to the Labour Code and other regulations.

Online Gambling

Given the growing interest in online gambling, especially after the decision of the European Court of Justice (ECJ) in the cases between Santa Casa da Misericórdia (Santa Casa) and the Austrian multinational Bwin and the Liga Portuguesa de Futebol Profissional (LPFP), the Portuguese Government decided to set up a working group to evaluate and study the Portuguese legislation and practice regarding online gambling.

Given the challenges associated with online gambling, particularly the control of the gamblers’ profile and age, tax evasion, or problems with a broader impact, such as unfair competition, the Ministry of Presidency by Order no. 13721/2010, of 27th August, entrusted the working group with the following tasks:

a) to analyse the current model of the online gambling market in Portugal and in the European Union
b) to analyse online gambling in terms of Portugal’s national gaming policy
c) to propose measures regarding online gambling
d) to propose the definition of the purpose and terms of the legislation necessary to implement the measures proposed
e) to identify the characteristics of the measures necessary in order to monitor and control the implementation of the measures proposed
f) to identify the organizations and bodies that should be consulted regarding the proposed measures

According to the current legislation, i.e. Decree-Law 282/2003, of 8th November, Santa Casa is the only entity authorized to offer online gambling in Portugal.

In its decision of 8th September 2009, the ECJ considered that the Santa Casa’s monopoly does not infringe EU law and left to the Portuguese Courts decisions regarding the extent to which other bodies should be prevented from offering online gambling in Portugal and the question of the civil liability of Bwin and the LPFP to the Santa Casa da Misericórdia de Lisboa.

The IP, IT and DP Group


The present Newsletter was prepared by Coelho Ribeiro’s IP, IT and DP Group. It contains general information which must not be relied upon for any decision without professional or other advice being sought for the specific case.

If you would like to know more about the subject covered in this Newsletter, please contact: Jaime Medeiros – e-mail: jaime.medeiros@cralaw.com or Mónica Oliveira Costa – e-mail: monica.costa@cralaw.com.