CNPD's Deliberation 2019/494

SÉRVULO PUBLICATIONS 24 Sep 2019

The National Data Protection Commission (“CNPD”) decided, by determination of 3 September 2019 Deliberation 2019/494, not to apply a set of rules of the law implementing GDPR, grounded on the fact the CNPD considers that such rules violate the GDPR dispositions.

In total, the CNPD delimited ten rules of Law no. 58/2019 that will not be applicable, thus directly applying the rules of the GDPR.

These rules include:

• Article 20/1, which deals with the right to information, and possible restrictions on the confrontation with a legal duty of secrecy, which “added nothing” to the wording of Article 14/5 / d) of the GDPR; 

• Article 23/1, which allows the processing of personal data by public entities to be carried out for purposes other than those justifying data collection, not complying, in the view of the CNPD, with the requirements imposed by article 6./4 of the GDPR, and the principle of purposes of collection;

• Article 28/3/a), which regulates situations in which an employee  consent does not constitute a requirement for the legitimacy of the processing of his/ her personal data, given the later does not comply with the requirements of articles 9. /2 /b) and 88/2 of the GDPR;

 • Article 39/1 concerning misdemeanors namely because the aggravating or mitigating factors  should be considered by the administrative or judicial entity on a  case by case basis. 

The CNPD has clarified that it makes this deliberation public in order to ensure the transparency of its future decision-making procedures and, as such, contribute to legal certainty.