ILN Data Privacy Paper

Portugal

5.5 Disclosure, sharing and transfer of data

Disclosure, sharing and transfer of personal data involves the communication or sharing of personal data between different parties, whether within the same organization or between different organizations. In many cases, the disclosure, sharing or transfer of personal data requires the explicit consent of the data subject. In some situations, the disclosure or transfer of personal data may be necessary for the performance of a contract, to comply with a legal obligation, to protect the vital interests of the data subject, or for the performance of tasks carried out in the public interest or in the exercise of official authority. Organizations must therefore implement appropriate security measures to protect personal data during disclosure, sharing or transfer. This includes access controls, activity monitoring and protection against unauthorized access. Tests to identify potential vulnerabilities or threats to data security during disclosure, sharing or transfer also have to be conducted. In addition, where personal data is shared with third parties, organizations shall enter into confidentiality agreements to ensure that personal data is treated in accordance with data protection laws.

the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Access to personal data should be limited to authorized individuals who need the information to perform their duties. Access controls such as multi-factor authentication and monitoring of access activities ought to be implemented. In addition, security measures should be implemented on devices used to process or store personal data, including firewalls, anti-virus software, regular software updates, and restrictions on the installation of unauthorized applications. Monitoring and auditing systems must be put in place to detect and respond to suspicious or unauthorized activities related to the processing of personal data. In the event of an incident, it is important to develop response plans to effectively manage data security breaches in accordance with legal requirements. In Portugal, the competent authority for accrediting data protection certification bodies is the IPAC, I. P. (Article 14(1) PDPL) and the competent authority for drafting codes of conduct governing specific activities is the CNPD (Article 15(1) PDPL).

www.mgra.pt