Portugal
data subject may request the CNPD to issue an opinion on the enforceability of the duty of secrecy (Article 20 PDPL). PROCESSING OF CHILDREN OR MINORS’ DATA The processing of personal data of children or minors in Portugal is subject to specific provisions to ensure adequate protection, taking into account the vulnerability of these individuals. The GDPR is directly applicable in Portugal and establishes that consent for the processing of personal data of children is only valid if the child is at least 16 years old. If the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. However, in Portugal, the personal data of children can only be processed on the basis of the consent provided for in Article 6(1)(a) GDPR and relating to the direct offer of information society services when they have reached the age of 13 (see Articles 8 GDPR and 16 PDPL). If a child is under 13, consent for the processing of his or her personal data must be given or authorized by his or her parents or legal guardians, preferably by means of secure authentication.
Purpose data minimization imply that data should be collected for specific, explicit, and legitimate purposes and should not be processed in a way that is incompatible with those purposes. In addition, data controllers must ensure that the data collected is necessary to achieve the specific purposes of the processing. When the purpose for which personal data were initially or subsequently limitation and processed ceases to exist, the controller must destroy or anonymize them. They shall also provide data subjects with clear, concise, and easily accessible information about how their data is processed (i.e., through privacy policies, privacy notices or consent forms) and ensure data security by implementing appropriate technical and organizational measures to protect against unauthorized access, disclosure, alteration, accidental or unlawful destruction (in other words, personal data breaches). Public or private organizations must also cooperate with the CNPD, providing it with all the information it requests in the exercise of its powers and competences. On the other hand, the DPO is also subject to duties of secrecy and confidentiality. Finally, the rights to information and access to personal data provided for in Articles 13 to 15 GDPR cannot be exercised when the law imposes a duty of secrecy on the controller or processor that is enforceable against the data subject; nevertheless, the www.mgra.pt
Made with FlippingBook - PDF hosting