ILN Data Privacy Paper

Portugal

There may also be exemptions for the processing of personal data for reasons of public interest in areas such as public health, public security, crime prevention or protection against threats to public security. However, the data controller, within the scope of these exemptions, is still required to ensure that the processing of personal data is fair, transparent and proportionate to the specific purposes (in other words, subject to appropriate and specific measures to protect the rights and freedoms of natural persons). 3.3 Territorial and extra-territorial application As a general rule, the GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the EU or not (Article 3(1) GDPR). The GDPR may also be applicable to the processing of personal data of data subjects who are in the EU by a controller or processor not established in this territory (Article 3(2) GDPR) and/or to the processing of personal data by a controller not established in the EU but in a place where the Member State law applies by virtue of public international law (Article 3(3) GDPR). The PDPL applies to the processing of personal data conducted within Portugal, regardless of the public or private nature of the controller or the processor, even if the processing of personal data is carried out in fulfilment of legal obligations or in the pursuit of public interest

missions, with all the exclusions provided for in Article 2 of the GDPR applying. Regarding the extra-territorial application, the PDPL also applies to the processing of personal data carried out outside Portugal when: It is carried out within the scope of the activity of an establishment located in Portugal; or It affects data subjects who are in Portugal, when the processing activities are subject to Article 3(2) of the GDPR; or It affects data registered in consular offices of Portuguese nationals residing abroad. Legislative Framework 4.1 Key stakeholders The data controller plays a central role in the context of personal data protection. The definition of data controller is given by the GDPR (Article 4(7) GDPR) and adopted by the PDPL: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In addition to the data controller, we find:

www.mgra.pt

Made with FlippingBook - PDF hosting