GRDP: If it creates more difficulties, they are welcome


The new General Regulation on Data Protection (GRDP) entered into force on 25th May, but there are still many doubts about its application.

In areas such as events, congresses, incentives, which generate a lot of information and many personal data, this regulation is critical and, therefore, we have been listening to the experts opinion. Graça Canto Moniz has a degree and a master's degree in Law. She was a visiting researcher at the University of Georgetown (USA) and the University of Tilburg (The Netherlands). She is currently a researcher at CEDIS and a doctoral student in Law at Universidade Nova de Lisboa, where she coordinates the Observatory for the Protection of Personal Data along with Professor Francisco Pereira Coutinho.

There is still a lot of confusion about GRDP, some panic situations, database destruction. What is crucial for people to know about this new regulation?

The GRDP is a particularly long and complex diploma and therefore very prone to create confusion. Nevertheless, many of the concepts used are not new (eg personal data, personal data processing, controller, sub-contractor, etc.). What is important for people to know is that compliance with the GRDP is based on two assumptions: (i) knowing what data the organisation is dealing with and (ii) what the risk of such treatment is. Once these two "tasks" have been completed, the organisation can take appropriate measures to comply with the GRDP.

What are the limits and scope of the 'legitimate interest' embodied in the new regulation? What can fit in there?

One of the major doubts about GRDP is that to treat data legally an organisation must have the consent of the data subject. That is not true. The legitimate interest of the organisation can be used to justify the lawfulness of a treatment. However, this legitimate interest is not easy to use because it requires careful consideration of the organisation interests and also the interests and rights of the personal data holder. This test implies identifying the interest of the organisation (eg it corresponds to a fundamental right, it pursues an interest of the community in general, there is a juridical / cultural / social recognition of the legitimacy of that interest) and an evaluation of the impact of the treatment on the interests and rights of the data subject (what are the negative and positive consequences of the treatment, what are the holder's expectations, can he reasonably foresee that his data will be processed?). The Article 29 Working Party suggests that whenever this foundation is used the organisation adopts "additional guarantees", such as data pseudonymisation, more transparency, access restriction, etc.

This may include conventional direct marketing activities and other forms of marketing or advertising; unsolicited non-commercial messages, in particular relating to political campaigns or fund-raising activities for charitable purposes; execution of claims, including collection of debts through non-judicial proceedings; prevention of fraud, misuse of services or money laundering; monitoring the activity of workers for safety or management purposes; among others...

This regulation is only addressed to European citizens. Is it good practice to treat all data, including non-EU data, the same way?

That is not true. The GRPD applies to holders of personal data, irrespective of their nationality or residence.

When is it necessary to have a Data Protection Officer?

It is mandatory to have a DPO in three situations: (i) when the organisation is a public authority or body; (ii) where the main activities of the organisation consist in processing operations which, by reason of their nature, scope and / or purpose, require regular and systematic monitoring of large-scale data holders; or (iii) the main activities of the organisation consist of large-scale treatment of special data categories.

Do you agree that this regulation can make the commercial side of a company more difficult? What are the limits here?

If it creates more difficulties, they are welcome because they translate, above all, into more transparency with both clients and general population. The limits will be two: (i) a company's business practices must be transparent and (ii) the data subjects should have as much control as possible about their data.

Is handing out a business card a consent to receive information?

I do not think so. For two reasons: (1) Article 29 Working Party clarified that consent should be obtained through a written or oral statement registered / recorded and (2) in accordance with art. 7, paragraph 1, the organisation must demonstrate the consent of the data subject. I have doubts that these two conditions are met when a business card is delivered. The condition of lawfulness in these cases will be the legitimate interest.

In an event, various types of suppliers (hotels, transfers, etc.) need to have access to delegate information. What precautions should we have?

As a rule, suppliers are subcontractors. We must review their contracts, adapt them to the new requirements of art. 28 and check the degree of maturity of the subcontractors in relation to the GRPD.

Should these suppliers also make sure that the data they receive have consent?

These suppliers must comply with the instructions given to them in the contract by the controller and, in addition, comply with a set of obligations directly addressed to them in the GRPD: register treatment activities (article 30, paragraph 2), cooperation with the supervisory authority (Article 31), security of personal data (Article 32), notification of data breach (Article 33 (2)), designation of a person in charge of data protection (Article 37).

In accreditation, should there be particularly careful about the printed delegate lists?

If these lists include personal data, yes. For example: does the organisation need all the data collected from delegates? Who has access to it? Where is it stored? How long will it be stored and why?