Portugal
requirements, industry-specific regulations, and an organization’s internal policies. In Portugal, the PDPL provides specific guidelines on the storage of personal data. As a general rule, the retention period for personal data is that which is set by law or regulation or, in the absence thereof, that which is necessary for the fulfilment of the purpose (Article 21(1) PDPL). Furthermore, when personal data is necessary for the controller or processor to prove the fulfilment of contractual or other obligations, it may be kept for as long as the corresponding rights are not time- barred. (Article 21(3) PDPL). It should also be emphasized that when the purpose for which personal data was initially or subsequently processed ceases, the controller must destroy or anonymize it (Article 21(4) PDPL). V.3. Data correction, completion, updating or erasure of data According to GDPR (Articles 12-23 GDPR), data subjects have several rights related to their personal data, framed in (i) information and access to personal data, (ii) rectification and erasure, (iii) right to object, and to not be subject to automated individual decision-making. Such rights, however, can be restricted (Article 23 GDPR). In other words, data subjects have the right to correct, complete, update or even delete their personal data. A data subject may request the rectification or update of inaccurate or incomplete personal data (i.e., inaccurate or out of date personal data) to ensure that it is accurate and reflects reality. www.mgra.pt
With respect to deletion, data subjects have the right to request the deletion of their personal data in certain circumstances (i.e., personal data is no longer necessary for the purposes for which it was collected, data subjects withdraw consent, or personal data is processed unlawfully). The rights of the data subject may be restricted when such restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard, for example, national security, defence, or public security. In particular, the right to erasure (“right to be forgotten”) is restricted to the extent that processing is necessary for the exercise of the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defense of legal claims. Organizations are required to provide mechanisms for data subjects to exercise their rights, usually through a process for requesting the correction, completion, updating, or deletion of personal data. This process should be easily accessible, and data subjects should not be subject to unjustified obstacles in exercising these rights.
Made with FlippingBook - PDF hosting