Portugal

Other violations of personal data are classified as very serious or serious administrative offences (Articles 37 and 38 PDPL). The fines for these offences vary depending on the nature of the offender (natural or legal person) and its size (in the case of legal persons). In the case of legal persons, fines for very serious offences can range from €2000 to €20.000.000, or 4% of annual worldwide turnover, whichever is higher, while fines for serious offences can range from €1000 to €10.000.000, or 2% of annual worldwide turnover, whichever is higher.

Furthermore, organizations that do not comply with the GDPR and/or the PDPL may be required to take corrective action to remedy the breach and mitigate any harm caused to data subjects. This may include implementing measures to protect the affected data, notifying data subjects of the breach and, where appropriate, providing compensation for any material or non-material damage. Additionally, they may be subject to the mentioned criminal and administrative offences typified by law.

The CNPD has the power to issue warnings and impose administrative fines on organizations that violate data protection laws. The CNPD may also intervene in legal proceedings in the event of a breach of the provisions of the GDPR and the PDPL, and must report to the Public Prosecutor's Office any criminal offences of which it becomes aware, in the performance of its duties or on account thereof, as well as carry out any necessary and urgent precautionary acts to secure evidence.

IX.2 Consequences and penalties for other violations and non-compliance

In addition to administrative sanctions, the person(s) and/or organization(s) that violate(s) data protection legislation may face civil actions brought by affected data subjects seeking compensation for damages caused by the breach and/or non-compliance with the GDPR and/or the PDPL. Additionally, the data subject always has the right to lodge a complaint with the CNPD.

Depending on the nature and severity of the breach and/or non-compliance, regulatory authorities may end up revoking or suspending an organization's licenses and authorizations to operate in certain sectors, such as telecommunications, financial services or healthcare.

It should be noted that the PDPL does not make a profound distinction between data breaches (in the strict sense) and other breaches of the GDPR or the PDPL, treating data breaches (in the broad sense) as a unitary issue. Therefore, and in summary, data breaches in Portugal can lead to various consequences and sanctions, including criminal investigations and judgements, administrative and/or civil legal actions, administrative fines, reputational damages, loss or suspension of licenses, and complaints to the CNPD as well.