ILN Data Privacy Paper

Portugal

Regulation no. 834/2021, of 14 April 2021, approved under Articles 43(1)(b), 43(3) and 57(1)(p) of the GDPR, on additional accreditation requirements for certification bodies in relation to ISO/IEC 17065/2012; Directive no. 2022/1, of 25 January 2022, on electronic direct marketing communications; Directive no. 2023/1, of 10 January 2023, on organisational and security measures applicable to the processing of personal data.

Furthermore, organizations can adopt internationally recognized technical standards and best practices to ensure the security and privacy of data. For example, the ISO/IEC 27001 standard serves as an international benchmark specifying the requirements for an Information Security Management System (ISMS). ISO/IEC 27001 aims to encompass measures for the implementation, operation, monitoring, review, and continuous improvement of the ISMS. This includes identifying information security risks, implementing appropriate security measures, establishing security policies and procedures, and conducting regular audits and assessments to ensure compliance with the standard's requirements. Certification in compliance with ISO/IEC 27001 is internationally recognized and demonstrates an organization's commitment and concern regarding information security. It enhances trust among customers, partners, and stakeholders, while also ensuring compliance with legal and regulatory requirements related to the protection of personal data and privacy.

www.mgra.pt

SCOPE OF APPLICATION

III.1 Legislative Scope

III.1.1 Definition of personal data

The GDPR definition of personal data is applicable in Portugal: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” – cf. Article 4(1) of the GDPR.

Therefore, personal data shall cover information such as a person's name, home address, email address, identity card number, biometric data (fingerprints or facial features), location data, genetic data, and online identifiers (IP address or cookies). In other words, any information that can be used, either alone or in combination with other information, to identify a natural person is considered personal data and is subject to data protection legislation in Portugal, in particular, and from the outset, to the PDPL.
