Portugal
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; processing is necessary for compliance with a legal obligation to which the controller is subject; processing is necessary in order to protect the vital interests of the data subject or of another natural person; processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (except if processing is carried out by public authorities in the performance of their tasks). Where processing is based on consent, the controller shall be able to demonstrate that the data subject has given informed consent to the processing of his/her personal data. The data subject has the right to withdraw the consent at any time, and such withdrawal shall not affect the lawfulness of processing based on consent previous to withdrawal. If www.mgra.pt
consent is withdrawn, the controller must stop processing the data subject's personal data for the specific purposes for which consent was withdrawn. 5.2. Data storage and retention timelines One of the main principles of personal data processing is “storage limitation”, foreseen under Article 5(1) (e) GDPR, which provides general guidelines for limiting the storage of personal data. The storage limits and retention periods for personal data are determined by several factors, including the purpose of the data processing, legal requirements, industry-specific regulations and the organization’s internal policies. In Portugal, the PDPL provides specific guidelines on the storage of personal data. As a general rule, the retention period for personal data is set by law or regulation or, in the absence thereof, the period necessary for the fulfilment of the purpose (Article 21(1) PDPL). Furthermore, when personal data is necessary for the controller or processor to prove the fulfilment of contractual or other obligations, it may be kept for as long as the corresponding rights are not time- barred (Article 21(3) PDPL). It should also be emphasized that when the purpose for which personal data was initially or subsequently processed ceases, the controller must destroy or anonymize such data (Article 21(4) PDPL).
Made with FlippingBook - PDF hosting