ILN Data Privacy Paper

Portugal

V.4 Data protection and security practices and procedures

The security of processing of personal data is essential to ensure the privacy and integrity of the information of data subjects. Article 32(1) GDPR establishes that the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data promptly in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Access to personal data should be limited to authorised individuals who need the information to perform their jobs. Access controls such as multi-factor authentication and monitoring of access activities should be implemented. In addition, security measures should be implemented on devices used to process or store personal data, including firewalls, anti-virus software, regular software updates, and restrictions on the installation of unauthorised applications.

www.mgra.pt

Monitoring and auditing systems should be in place to detect and respond to suspicious or unauthorised activities related to the processing of personal data. In the event of an incident, it is important to have response plans in place to effectively manage data security breaches in accordance with legal requirements. In Portugal, the competent authority for accrediting data protection certification bodies is IPAC, I. P. (Article 14(1) PDPL), and the competent authority for drafting codes of conduct governing specific activities is CNPD (Article 15(1) PDPL).

V.5 Disclosure, sharing, and transfer of data

Disclosure, sharing, and transfer of personal data involve the communication or sharing of personal data between different parties, whether within the same organisation or between different organisations. In many cases, the disclosure, sharing or transfer of personal data requires the explicit consent of the data subject. In some situations, the disclosure or transfer of personal data may be necessary for the performance of a contract, to comply with a legal obligation, to protect the vital interests of the data subject, or for the performance of tasks carried out in the public interest or in the exercise of official authority.
