Portugal
their behalf and exercise their data protection rights. This can be particularly useful in situations where data subjects are unavailable or unable to act on their own behalf. 6.2 Duties The duties fall on data controllers and processors, which have several obligations as set out in the data protection legislation (notably, the GDPR and the PDPL). Data processing must comply with the principles set out in Article 5 GDPR (lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality). The controller is responsible for, and shall be able to, demonstrate compliance with such principles (accountability). Purpose limitation and data minimization imply that data should be collected for specific, explicit and legitimate purposes and should not be processed in a way that is incompatible with those purposes. In addition, data controllers must ensure that the data collected is necessary to achieve the specific purposes of the processing. When the purpose for which personal data was initially or subsequently processed ceases to exist, the controller must destroy or anonymize them. They shall also provide data subjects with clear, concise and easily accessible information about how their data is processed (i.e., through
CNPD starts investigation, takes necessary measures to resolve the issue and ensures compliance with data protection laws (i.e., imposing sanctions on the organization that failed to comply with data protection laws). RIGHTS OF DATA SUBJECTS AND DUTIES OF DATA PROVIDERS 6.1 Rights and remedies The rights of data subjects are provided for in Articles 12 and following of the GDPR and have no major changes in the PDPL. Data subjects have the rights of information and access to personal data, rectification and erasure of personal data, and to object and to not be subject to automated individual decision-making. Data subjects also have the right to withdraw their consent to the processing of their personal data at any time. This means that they can revoke a previously given consent to the processing of their personal data. In addition, data subjects have the right to lodge a complaint with the CNPD if they believe that the processing of their personal data was made or is being made in breach of data protection legislation. Data subjects have the right to obtain information about how their personal data is processed, the purposes of the processing, how the data is used and who has access to it. In addition, data subjects can appoint a representative to act on
www.mgra.pt
Made with FlippingBook - PDF hosting