GDPR Related National Laws & Modifications
The European Union’s General Data Protection Regulation (GDPR) sets a common standard for protecting personal data across the EU. It also allows member nations some flexibility to create additional provisions and limitations. Some examples, which may impact HR teams, include the ability for EU member states to:
- provide “specific rules to ensure the protection of…employees’ personal data in the employment context” (Art. 88);
- limit the transfer of “specific categories of personal data to a third country or international organization” if the country (or international organization) is deemed not to have adequate protections in place (Art. 49(5)); and
- “determine the specific conditions for the processing of a national identification number or any other identifier of general application” (Art. 87).
Derogations in Portugal
Portugal’s Law no. 58/2019 of 8 August implemented the GDPR in the country. Under this Law, employers can process personal employee data within the purposes and limits outlined in the Portuguese Labor Code.
Some clauses within Law no. 58/2019 of 8 August are inconsistent with GDPR standards and requirements. For example, Art. 28, Paragraph 3(a) states that employee consent is not considered to be a lawful ground to process employee data, even if the processing results in a legal or economic advantage to the employee. Due to these inconsistencies, Portugal’s data protection commission (Comissão Nacional de Proteção de Dados) issued a Deliberation (no. 2019/494 of 3 September 2019) stating that it will not apply certain sections of Portugal’s implementation law, including the above Article, because they are incompatible with EU law.