CNPD (Portugal) - Deliberação 2019/494

From GDPRhub

Latest revision as of 16:05, 6 October 2024

CNPD - Deliberação 2019/494
Authority: CNPD (Portugal)
Jurisdiction: Portugal
Relevant Law:
Article 288(2) TFEU; Article 16(2) TFEU
Article 4(3) TEU
Lei 58/2019
Type: Advisory Opinion
Outcome: n/a
Started:
Decided: 03.09.2019
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: Deliberação 2019/494
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Portuguese
Original Source: CNPD (in PT)
Initial Contributor: D. Oliveira

With the aim of ensuring the supremacy of EU law, the Portuguese DPA 'disapplied' several provisions of Portuguese Law 58/2019 in light of the GDPR's coming into force. It found that the disapplied articles jeopardised the application of the GDPR.

English Summary

Facts

In its Opinion 20/2018 concerning the draft of Law 58/2019, which ensures the implementation of the GDPR in the Portuguese national legal framework, the DPA drew the attention of the national legislator to a set of provisions that could potentially violate EU law, particularly the GDPR.

The DPA emphasized the primacy of EU law as outlined in the EU treaties, particularly reflecting on Article 288 of the Treaty on the Functioning of the European Union (TFEU) and reinforced by the jurisprudence of the CJEU, which has consistently stated that national laws cannot obstruct the direct applicability of EU regulations and must comply with EU law to ensure uniform implementation across the Member States.

However, Law 58/2019 came into force without incorporating all of the DPA's recommendations. The DPA explains that the decision to not apply some of its provisions aims to ensure legal certainty, reinforcing the importance of consistent GDPR application without being hindered by conflicting national rules.

Holding

The DPA has decided to disapply the following provisions of Law 58/2019, in cases of personal data processing under its review due to their conflict with the GDPR:

  • Article 2(1)(2): This article broadens the territorial scope of the GDPR to encompass all personal data processing within national territory and processing linked to national establishments outside the territory. The DPA believes this contradicts Article 3 and Article 56 of the GDPR, which outline the applicable law in cross-border situations. Additionally, it undermines the one-stop-shop mechanism and fails to address instances where the GDPR applies, such as in Portuguese embassies, consulates, ships, and aircraft.
  • Article 20(1): This article states that the right to be informed and the right of access cannot be exercised when a duty of secrecy is imposed on the data controller/processor. In the view of the DPA, this article lacks legal relevance in relation to the GDPR, as it merely repeats provisions already present in the GDPR, particularly concerning the possibility of restricting the data subject's right to information in cases where data collection is indirect and a legal duty of confidentiality exists. Regarding the possibility of restricting the right to information when collecting data directly from the data subject, this right can only be restricted under the provisions of Article 23 GDPR, and Law 58/2019 does not meet the requirements therein, thus contradicting the norms of the GDPR and the Charter of Fundamental Rights.
  • Article 23: This article allows public authorities to reuse personal data for any public interest without ensuring compliance with the principles of purpose limitation and data minimization (Article 5 GDPR). This could lead to potential misuse of personal data and a violation of individuals’ rights, as it neither ensures that the reuse of data serves the original purpose for which it was collected nor respects the requirements imposed in Article 23 GDPR.
  • Article 28(3)(a): Under this article, the employee's consent cannot be the legal basis if the processing results in a legal or economic advantage for the employee. The Portuguese DPA considers it to be a contradiction of the doctrine established by European institutions, which accepts employee consent in situations where the act of giving or refusing consent does not, in itself, have negative consequences for the employee. The DPA therefore believes that this provision does not protect the dignity, fundamental rights, and legitimate interests of employees, and thus fails to meet the requirements set forth in Article 9(2)(b) and Article 88 GDPR.
  • Regime of Administrative Offenses – Articles 37, 38, and 39: The DPA notes that some of the violations outlined in the law contradict the exhaustive list provided in the GDPR (Article 83). The DPA also criticizes the distinction in sanctioning frameworks based on the size of companies and the collective or individual nature of the entities conducting data processing, as the impact on personal data does not depend on those characteristics but rather on the nature of the activity being carried out.
  • Article 61(2) states that "if the expiration of consent is the reason for terminating a contract in which the data subject is a party, the processing of data is lawful until this occurs." The DPA notes that this provision is incongruent, conflating two types of legal basis: consent and contract execution. The contract in which the data subject is a party is sufficient to justify the processing of the data necessary for its execution.


Regarding its reasons for publishing this decision, the Portuguese DPA clarifies that it did so in order to ensure the transparency of its future decision-making processes and, in this regard, contribute to legal certainty and security. It also clarifies that the non-application, in future specific cases, of the legal provisions listed above results in the direct application of the GDPR provisions that were manifestly restricted, contradicted, or compromised in their useful effect.

English Machine Translation of the Decision

The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.

Law no. 58/2019, of August 8th
PERSONAL DATA PROTECTION LAW (updated version)
The law has not yet been amended

Number of articles: 69

SUMMARY: Ensures the implementation, in the national legal system, of Regulation (EU) 2016/679 of the Parliament and of the Council, of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data

Law no. 58/2019, of August 8th
Ensures the implementation, in the national legal system, of Regulation (EU) 2016/679 of the Parliament and of the Council, of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data
The Assembly of the Republic decrees, under the terms of paragraph c) of article 161 of the Constitution, the following:

CHAPTER I
General provisions

Article 1

Object

This law ensures the implementation, in the domestic legal system, of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data, hereinafter referred to as the General Data Protection Regulation (GDPR).

Article 2

Scope of application

1 - This law applies to the processing of personal data carried out in the national territory, regardless of the public or private nature of the controller or the processor, even if the processing of personal data is carried out in compliance with legal obligations or in the scope of the pursuit of missions of public interest, applying all the exclusions provided for in article 2 of the GDPR.
2 - This law also applies to the processing of personal data carried out outside the national territory when:
a) It is carried out within the scope of the activity of an establishment located in the national territory; or
b) It affects data subjects who are located in the national territory, when the processing activities are subject to the provisions of paragraph 2 of article 3 of the GDPR; or
c) It affects data registered in consular posts whose data subjects are Portuguese nationals residing abroad.
3 - This law does not apply to personal data files created and maintained under the responsibility of the Information System of the Portuguese Republic, which is governed by specific provisions, under the terms of the law.

CHAPTER II
National Data Protection Commission

Article 3

National supervisory authority

The National Data Protection Commission (CNPD) is the national supervisory authority for the purposes of the GDPR and this law.

Article 4

Nature and independence

1 - The CNPD is an independent administrative entity, with legal personality under public law and powers of authority, endowed with administrative and financial autonomy, which operates alongside the Assembly of the Republic.
2 - The CNPD monitors and oversees compliance with the GDPR and this law, as well as other legal and regulatory provisions on the protection of personal data, in order to defend the rights, freedoms and guarantees of individuals in the context of the processing of personal data.
3 - The CNPD acts independently in the pursuit of its duties and in the exercise of the powers conferred upon it by this law.
4 - The members of the CNPD are subject to the regime of incompatibilities established for holders of high public office, and may not, during their term of office, perform any other activity, whether paid or not, with the exception of teaching in higher education and research.

Article 5

Composition and functioning

The composition, method of appointment and remuneration status of the members of the CNPD, as well as its organisation and staff structure, shall be approved by law of the Assembly of the Republic.

Article 6

Powers and competences

1 - In addition to the provisions of Article 57 of the GDPR, the CNPD shall have the following powers:
a) To issue non-binding opinions on legislative and regulatory measures relating to the protection of personal data, as well as on legal instruments being prepared by European or international institutions on the same subject;
b) To monitor compliance with the provisions of the GDPR and other legal and regulatory provisions relating to the protection of personal data and the rights, freedoms and guarantees of data subjects, and to correct and sanction any non-compliance;
c) To provide a list of processing operations subject to data protection impact assessment, pursuant to Article 35.4 of the GDPR, also defining criteria that allow for the definition of high risk provided for in that article to be expanded;
d) To prepare and submit to the European Data Protection Board, as provided for in the GDPR, draft criteria for the accreditation of code of conduct monitoring bodies and certification bodies, pursuant to Articles 41 and 43 of the GDPR, and ensure the subsequent publication of the criteria, if approved;
e) To cooperate with the Portuguese Accreditation Institute, I. P. (IPAC, I. P.), regarding the application of the provisions of Article 14 of this law, as well as in the definition of additional accreditation requirements, with a view to safeguarding the consistency of application of the GDPR.
2 - The CNPD exercises the powers provided for in Article 58 of the GDPR.

Article 7

Prior impact assessments

1 - Under the terms of paragraph 5 of article 35 of the GDPR, the CNPD shall publish a list of types of data processing for which prior impact assessment is not mandatory.

2 - The provisions of the previous paragraph shall not prevent data controllers from carrying out a prior impact assessment on their own initiative.

3 - The lists referred to in paragraphs 4 and 5 of article 35 of the GDPR shall be published on the CNPD website.

Article 8

Duty to cooperate

1 - Public and private entities shall cooperate with the CNPD, providing it with all the information requested by it in the exercise of its powers and responsibilities.
2 - The duty to cooperate is ensured, in particular, when the CNPD needs, in order to properly perform its duties, to examine the computer system and personal data files, as well as all documentation relating to the processing and transmission of personal data.
3 - The members of the CNPD, as well as their employees, service providers or persons mandated by them, are bound by the duty of professional secrecy, in particular with regard to personal data, professional secrecy, industrial or commercial secrets or confidential information to which they have access in the performance of their duties.
4 - The duty of secrecy continues after the end of their duties.
5 - The duty to cooperate provided for in the previous paragraphs, as well as the CNPD's powers of supervision, do not prejudice the duty of secrecy to which the controller is bound under the law or international standards.

CHAPTER III
Data protection officer

Article 9

General provision

1 - The data protection officer is appointed based on the requirements set out in Article 37.5 of the GDPR, and does not require professional certification for this purpose.

2 - Regardless of the nature of the legal relationship, the data protection officer performs his/her duties with technical autonomy vis-à-vis the entity responsible for processing or subcontractor.

Article 10

Duty of secrecy and confidentiality

1 - In accordance with the provisions of Article 38.5 of the GDPR, the data protection officer is bound by a duty of professional secrecy in everything relating to the exercise of these functions, which continues after the end of the functions that gave rise to them.
2 - The data protection officer, as well as those responsible for data processing, including subcontractors, and all persons involved in any data processing operation, are bound by a duty of confidentiality that is additional to the duties of professional secrecy provided for by law.

Article 11

Duties of the data protection officer

In addition to the provisions of Articles 37 to 39 of the GDPR, the duties of the data protection officer are:
a) To ensure that audits are carried out, whether periodic or unscheduled;
b) To raise awareness among users of the importance of detecting security incidents in a timely manner and of the need to immediately inform the security officer;
c) To ensure relations with data subjects on matters covered by the GDPR and national data protection legislation.

Article 12

Data protection officers in public entities

1 - Under the terms of paragraph a) of paragraph 1 of article 37 of the GDPR, the appointment of data protection officers in public entities is mandatory, in accordance with the provisions of the following paragraphs.
2 - For the purposes of the previous paragraph, public entities are understood to be:
a) The State;
b) Autonomous regions;
c) Local authorities and supranational entities provided for by law;
d) Independent administrative entities and the Bank of Portugal;
e) Public institutes;
f) Public higher education institutions, regardless of their nature;
g) Companies in the State business sector and regional and local business sectors;
h) Public associations.
3 - Regardless of who is responsible for the processing, there is at least one data protection officer:
a) For each ministry or government department, in the case of the State, appointed by the respective minister, with the power to delegate to any Secretary of State who assists him/her;
b) For each regional secretariat, in the case of the autonomous regions, appointed by the respective regional secretary, with the power to delegate to a senior official of the 1st degree;
c) For each municipality, appointed by the municipal council, with the power to delegate to the president and sub-delegation to any councillor;
d) In parishes where this is justified, in particular those with more than 750 inhabitants, appointed by the parish council, with the power to delegate to the president;
e) For each entity, in the case of the other entities referred to in the previous number, appointed by the respective executive, administrative or management body, with the power to delegate to the respective president.
4 - Under the terms of Article 37.3 of the GDPR, the same data protection officer may be appointed for several ministries or government departments, regional secretariats, local authorities or other public legal entities.
5 - It is up to each entity to appoint the data protection officer, and it is not mandatory for the officer to perform his/her duties exclusively.
6 - The data protection officer of a public entity that has regulatory or control duties may not simultaneously perform these duties in an entity subject to control, or within the regulatory scope of that entity.

Article 13

Data protection officers in private entities

The controller and the processor shall appoint a data protection officer whenever the private activity carried out, as a main activity, involves:
a) Processing operations that, due to their nature, scope and/or purpose, require regular and systematic monitoring of data subjects on a large scale; or
b) Large-scale processing operations of special categories of data pursuant to Article 9 of the GDPR, or of personal data relating to criminal convictions and administrative offences pursuant to Article 10 of the GDPR.

CHAPTER IV
Accreditation, certification and codes of conduct

Article 14

Accreditation and certification

1 - Under the terms of paragraph b) of paragraph 1 of Article 43 of the GDPR, the competent authority for the accreditation of certification bodies in the area of data protection is IPAC, I. P.
2 - The accreditation act issued by IPAC, I. P., must take into account the requirements provided for in the GDPR, as well as the additional requirements established by the CNPD.
3 - Certification, as well as the issuance of data protection seals and marks, shall be carried out by certification bodies accredited under paragraph 1, and shall be used to certify that the procedures implemented comply with the provisions of the GDPR and this law.

Article 15

Codes of conduct

1 - The CNPD shall be responsible for encouraging the development of codes of conduct that regulate specific activities, which must take into account the specific needs of micro, small and medium-sized enterprises.

2 - The processing of personal data by the direct and indirect administration of the State shall be subject to specific codes of conduct.

CHAPTER V
Special provisions

Article 16

Consent of minors

1 - Under the terms of Article 8 of the GDPR, the personal data of children may only be processed based on the consent provided for in paragraph a) of paragraph 1 of Article 6 of the GDPR and relating to the direct offer of information society services when they have already reached the age of 13.

2 - If the child is under the age of 13, the processing shall only be lawful if consent is given by the child's legal representatives, preferably using secure authentication methods.

Article 17

Protection of personal data of deceased persons

1 - Personal data of deceased persons shall be protected under the terms of the GDPR and this law when they fall within the special categories of personal data referred to in paragraph 1 of article 9 of the GDPR, or when they relate to the privacy of private life, image or data relating to communications, except for the cases provided for in paragraph 2 of the same article.

2 - The rights provided for in the GDPR relating to personal data of deceased persons, covered by the previous paragraph, namely the rights of access, rectification and erasure, shall be exercised by the person designated by the deceased person for this purpose or, in their absence, by their heirs.

3 - Data subjects may also, under the applicable legal terms, determine the impossibility of exercising the rights referred to in the previous paragraph after their death.

Article 18

Data portability and interoperability

1 - The right to data portability, provided for in Article 20 of the GDPR, only covers data provided by the respective data subjects.
2 - Data portability should, whenever possible, take place in an open format.
3 - Within the scope of the Public Administration, whenever data interoperability is not technically possible, the data subject has the right to demand that the data be delivered to him/her in an open digital format, in accordance with the National Regulation on Digital Interoperability in force.

   Article 19

Video surveillance

1 - Without prejudice to specific legal provisions that impose their use, in particular for reasons of public security, video surveillance systems whose purpose is to protect people and property ensure the requirements provided for in Article 31 of Law No. 34/2013, of 16 May, with the limits defined in the following paragraph.
2 - Cameras may not be placed on:
a) Public roads, neighboring properties or other locations that are not the exclusive domain of the person responsible, except where strictly necessary to cover access to the property;
b) The area where ATM codes are entered or other ATM payment terminals are used;
c) The interior of areas reserved for customers or users where privacy must be respected, namely toilets, waiting areas and changing rooms;
d) The interior of areas reserved for workers, namely dining areas, changing rooms, gyms, toilets and areas exclusively used for their rest.
3 - In educational establishments, video surveillance cameras may only be placed on external perimeters and access points, and also on spaces where goods and equipment require special protection, such as laboratories or computer rooms.
4 - In cases where video surveillance is permitted, the recording of sound is prohibited, except during the period in which the monitored premises are closed or with prior authorisation from the CNPD.

   Article 20

Duty of confidentiality

1 - The rights to information and access to personal data provided for in Articles 13 to 15 of the GDPR may not be exercised when the law imposes on the controller or the subcontractor a duty of confidentiality that is enforceable against the data subject.

2 - The data subject may request the CNPD to issue an opinion on the enforceability of the duty of confidentiality, without prejudice to the provisions of Chapter VII.

   Article 21

Period of retention of personal data

1 - The period of retention of personal data is that which is established by law or regulation or, in the absence thereof, that which is necessary for the pursuit of the purpose.
2 - When, due to the nature and purpose of the processing, in particular for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, it is not possible to determine in advance when the processing is no longer necessary, the retention of personal data is lawful, provided that appropriate technical and organisational measures are adopted to guarantee the rights of the data subject, in particular information on their retention.
3 - When personal data are necessary for the controller or subcontractor to demonstrate compliance with contractual or other obligations, they may be retained until the limitation period of the corresponding rights has expired.
4 - When the purpose that motivated the initial or subsequent processing of personal data ceases, the controller must destroy or anonymise the data.
5 - In cases where there is a data retention period imposed by law, the right to erasure provided for in Article 17 of the GDPR may only be exercised after that period has elapsed.
6 - Data relating to contribution statements for retirement or pension purposes may be retained without a time limit in order to assist the data subject in reconstructing his/her contribution careers, provided that appropriate technical and organisational measures are adopted to guarantee the rights of the data subject.

   Article 22

Data transfers

Data transfers to third countries outside the European Union or international organisations, carried out in compliance with legal obligations, by public entities in the exercise of authority, are considered to be in the public interest for the purposes of the provisions of paragraph 4 of Article 49 of the GDPR.

  Article 23

Processing of personal data by public entities for purposes other than those determined by the collection is exceptional in nature and must be duly justified in order to ensure the pursuit of the public interest that cannot otherwise be safeguarded, under the terms of paragraph e) of paragraph 1, paragraph 4 of article 6 and paragraph g) of paragraph 2 of article 9 of the GDPR.

2 - The transmission of personal data between public entities for purposes other than those determined by the collection is exceptional in nature, must be duly justified in accordance with the terms referred to in the previous paragraph and must be the subject of a protocol establishing the responsibilities of each intervening entity, both in the act of transmission and in other processing to be carried out.

CHAPTER VI
Specific situations for the processing of personal data

Article 24

Freedom of expression and information

1 - The protection of personal data, under the terms of the GDPR and this law, does not prejudice the exercise of freedom of expression, information and the press, including the processing of data for journalistic purposes and for purposes of academic, artistic or literary expression.
2 - The exercise of freedom of information, especially when it reveals personal data provided for in paragraph 1 of article 9 of the GDPR and in article 17 of this law, must respect the principle of human dignity provided for in the Constitution of the Portuguese Republic, as well as the personality rights enshrined therein and in national legislation.
3 - Processing for journalistic purposes must respect national legislation on access to and exercise of the profession.
4 - The exercise of freedom of expression does not legitimise the disclosure of personal data such as addresses and contact details, except for those that are generally known.

   Article 25

Publication in an official gazette

1 - The publication of personal data in official gazettes must comply with Article 5 of the GDPR, in particular the principles of purpose and minimisation.
2 - Whenever the personal data “name” is sufficient to ensure the identification of the data subject and the effectiveness of the processing, other personal data must not be published.
3 - Personal data published in an official gazette may not, under any circumstances, be altered, erased or hidden.
4 - The right to erasure of personal data published in an official gazette is exceptional in nature and may only be exercised under the conditions provided for in Article 17 of the GDPR, in cases where this is the only way to safeguard the right to be forgotten and taking into account other interests involved.
5 - The provisions of the previous paragraph are carried out by de-indexing personal data in search engines, always without deleting the publication that is publicly available.
6 - In the event of publication of personal data in official journals, the entity that orders the publication or, in the case of the offices of members of the Government, their respective secretariats-general shall be considered responsible for the processing.

Article 26

Access to administrative documents

Access to administrative documents containing personal data shall be governed by the provisions of Law No. 26/2016, of 22 August.

Article 27

Publication of data in the context of public procurement

In the context of public procurement, and if the publication of personal data is necessary, no personal data other than the name shall be published, provided that this is sufficient to ensure the identification of the public contractor and the co-contractor.

  Article 28

Employment relations

1 - The employer may process the personal data of its employees for the purposes and within the limits defined in the Labour Code and its complementary legislation or in other sectoral regimes, with the specificities established in this article.
2 - The previous paragraph also covers the processing carried out by a subcontractor or certified accountant on behalf of the employer, for the purposes of managing employment relations, provided that it is carried out under a service provision contract and subject to the same guarantees of confidentiality.
3 - Unless otherwise provided by law, the employee's consent is not a requirement for the legitimacy of the processing of his/her personal data:
a) If the processing results in a legal or economic advantage for the employee; or
b) If such processing is covered by the provisions of paragraph b) of paragraph 1 of article 6 of the GDPR.
4 - Recorded images and other personal data recorded through the use of video systems or other remote surveillance technology, under the terms set out in Article 20 of the Labour Code, may only be used within the scope of criminal proceedings.
5 - In the cases provided for in the previous paragraph, recorded images and other personal data may also be used for the purposes of determining disciplinary liability, insofar as they are used within the scope of criminal proceedings.
6 - The processing of employees' biometric data is only considered legitimate for monitoring attendance and controlling access to the employer's premises, and it must be ensured that only representations of the biometric data are used and that the respective collection process does not allow the reversibility of said data.

   Article 29

Processing of health data and genetic data

1 - In the processing of health data and genetic data, access to personal data is governed by the principle of the need to know the information.
2 - In the cases provided for in paragraphs h) and i) of paragraph 2 of article 9 of the GDPR, the processing of the data provided for in paragraph 1 of the same article must be carried out by a professional bound by confidentiality or by another person subject to a duty of confidentiality, and appropriate information security measures must be guaranteed.
3 - Access to the data referred to in the previous paragraph is exclusively electronic, unless technically impossible or expressly indicated otherwise by the data subject, and its subsequent disclosure or transmission is prohibited.
4 - The heads of bodies, employees and service providers of the person responsible for processing health data and genetic data, the data protection officer, students and researchers in the area of health and genetics and all health professionals who have access to health data are obliged to a duty of confidentiality.
5 - The duty of confidentiality referred to in the previous paragraph also applies to all heads of bodies and employees who, in the context of monitoring, financing or supervising the provision of healthcare, have access to health-related data.
6 - The data subject must be notified of any access made to his/her personal data, and the data controller must ensure that this traceability and notification mechanism is available.
7 - The minimum technical security measures and requirements inherent to the data processing referred to in paragraph 1 shall be approved by order of the members of the Government responsible for the areas of health and justice, which must regulate, in particular, the following matters:
a) Establishment of differentiated access permissions to personal data, based on the need to know and segregation of functions;
b) Requirements for prior authentication of those accessing;
c) Electronic recording of accesses and data accessed.

  Article 30

Centralised health databases or records

1 - Health data may be organised in centralised databases or records based on single platforms, when processed for the purposes legally provided for in the GDPR and in national legislation.

2 - The centralised health databases or records based on the single platforms referred to in the previous paragraph must meet the security and inviolability requirements provided for in the GDPR.

   Article 31

Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

1 - Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes must comply with the principle of data minimisation and include the anonymisation or pseudonymisation of the data whenever the intended purposes can be achieved by one of these means.
2 - When personal data are processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, the rights of access, rectification, restriction of processing and objection provided for in articles 15, 16, 18 and 21 of the GDPR shall be affected, to the extent necessary, if these rights are likely to render impossible or seriously impair the achievement of these purposes.
3 - Decree-Law no. 16/93 of 23 January, in its current wording, shall apply to the processing of personal data for archiving purposes in the public interest.
4 - Consent for the processing of data for scientific research purposes may cover several areas of research or be given solely for certain domains or specific research projects, and in any case the ethical standards recognised by the scientific community must be respected.
5 - Without prejudice to the provisions of the National Statistical System Law, personal data processed for statistical purposes must be anonymised or pseudonymised, in order to safeguard the protection of data subjects, in particular with regard to the impossibility of re-identification once the statistical operation has been completed.

CHAPTER VII
Administrative and judicial protection
SECTION I
General provisions

Article 32

Administrative protection

Without prejudice to the right to lodge a complaint with the CNPD, any person may resort to administrative protection measures, in particular of a petition or appeal nature, to ensure compliance with the legal provisions on the protection of personal data, under the terms set out in the Code of Administrative Procedure.

  Article 33

Civil liability

1 - Any person who has suffered damage as a result of unlawful data processing or any other act that violates the provisions of the GDPR or national law on the protection of personal data has the right to obtain compensation for the damage suffered from the controller or processor.

2 - The controller and the processor shall not incur civil liability if they prove that the event that caused the damage is not attributable to them.

3 - The liability of the State and other public legal entities shall be subject to the regime provided for in Law no. 67/2007 of 31 December, amended by Law no. 31/2008 of 17 July.

  Article 34

Jurisdiction

1 - Any person, in accordance with the general rules of legal standing, may bring actions against decisions, in particular of an administrative nature, and omissions of the CNPD, as well as civil liability actions for damages that such acts or omissions may have caused.

2 - Actions brought against the CNPD are the responsibility of the administrative courts.

3 - The data subject may bring actions against the controller or the processor, including civil liability actions.

4 - Actions brought against the controller or a processor shall be brought in national courts if the controller or processor has an establishment in national territory or if the data subject habitually resides there.

  Article 35

Representation of data subjects

Without prejudice to compliance with the rules on legal representation, the data subject shall have the right to mandate a body, organisation or non-profit association established in accordance with national law, whose statutory aims are in the public interest and whose activity includes the protection of the data subject's rights, freedoms and safeguards with regard to the protection of personal data, to exercise, on his or her behalf, the rights provided for in Articles 77, 78, 79 and 82 of the GDPR.

Article 36

Legitimacy of the CNPD

The CNPD has the legitimacy to intervene in legal proceedings in the event of violation of the provisions of the GDPR and this law, and must report to the Public Prosecutor's Office any criminal offences of which it becomes aware, in the exercise of its functions and because of them, as well as carry out the necessary and urgent precautionary measures to ensure the means of proof.

SECTION II
Misdemeanours
Article 37

Very serious misdemeanours

1 - The following constitute very serious misdemeanours:
a) The processing of personal data with willful disregard for the principles enshrined in Article 5 of the GDPR;
b) The processing of personal data that is not based on consent or another condition of legitimacy, under the terms of Article 6 of the GDPR or national legislation;
c) Failure to comply with the rules on the provision of consent provided for in Article 7 of the GDPR;
d) The processing of personal data provided for in Article 9.1 of the GDPR without one of the circumstances provided for in Article 9.2 of the same article being met;
e) The processing of personal data provided for in Article 10 of the GDPR that contravenes the rules provided for therein;
f) The requirement to pay a sum of money outside the cases provided for in Article 12.5 of the GDPR;
g) The requirement to pay a sum of money, in the cases provided for in Article 12.5 of the GDPR, that exceeds the costs necessary to satisfy the right of the data subject;
h) Failure to provide relevant information under Articles 13 and 14 of the GDPR, which occurs in the following circumstances:
i) Failure to provide information on the purposes for which the processing is intended;
ii) Failure to provide information on the recipients or categories of recipients of the personal data;
iii) Failure to provide information about the right to withdraw consent in the cases provided for in paragraph a) of paragraph 1 of article 6 and paragraph a) of paragraph 2 of article 9 of the GDPR;
i) Failure to allow, ensure or hinder the exercise of the rights provided for in articles 15 to 22 of the GDPR;
j) International transfer of personal data in violation of the provisions of articles 44 to 49 of the GDPR;
k) Failure to comply with the decisions of the supervisory authority provided for in paragraph 2 of article 58 of the GDPR, or refusal to cooperate as required by the CNPD in the exercise of its powers;
l) Violation of the rules provided for in Chapter VI of this law.
2 - The administrative offences referred to in the previous paragraph shall be punishable by a fine:
a) From 5,000 (euro) to 20,000,000 (euro) or 4% of the annual turnover, worldwide, whichever is higher, in the case of a large company;
b) From 2,000 (euro) to 2,000,000 (euro) or 4% of the annual turnover, worldwide, whichever is higher, in the case of SMEs;
c) From 1,000 (euro) to 500,000 (euro), in the case of individuals.

   Article 38

Serious administrative offences

1 - The following constitute serious administrative offences:
a) Violation of the provisions of Article 8 of the GDPR;
b) Failure to provide the remaining information provided for in Articles 13 and 14 of the GDPR;
c) Violation of the provisions of Articles 24 and 25 of the GDPR;
d) Violation of the obligations provided for in Article 26 of the GDPR;
e) Violation of the provisions of Article 27 of the GDPR;
f) Violation of the obligations provided for in Article 28 of the GDPR;
g) Violation of the provisions of Article 29 of the GDPR;
h) Failure to record the processing of personal data in violation of the provisions of Article 30 of the GDPR;
i) Violation of the security rules provided for in Article 32 of the GDPR;
j) Failure to comply with the duties provided for in Article 33 of the GDPR;
k) Failure to comply with the duty to inform the data subject in the situations provided for in Article 34 of the GDPR;
l) Failure to comply with the obligation to carry out impact assessments in the cases provided for in Article 35 of the GDPR;
m) Failure to comply with the obligation to consult the supervisory authority prior to carrying out data processing operations in the cases provided for in Article 36 of the GDPR;
n) Failure to comply with the duties provided for in Article 37 of the GDPR;
o) Violation of the provisions of Article 38 of the GDPR, in particular with regard to guarantees of independence of the data protection officer;
p) Failure to comply with the duties provided for in Article 39 of the GDPR;
q) The performance of acts of supervision of codes of conduct by bodies not accredited by the supervisory authority under Article 41 of the GDPR;
r) Failure by bodies supervising codes of conduct to comply with the provisions of Article 41(4) of the GDPR;
s) The use of data protection seals or marks that had not been issued by certification bodies duly accredited under the terms of articles 42 and 43 of the GDPR;
t) Failure by certification bodies to comply with the duties provided for in article 43 of the GDPR;
u) Violation of the provisions of article 19 of this law.
2 - The administrative offences referred to in the previous paragraph are punishable by a fine of:
a) From 2,500 (euro) to 10,000,000 (euro) or 2% of the annual turnover, worldwide, whichever is higher, in the case of a large company;
b) From 1,000 (euro) to 1,000,000 (euro) or 2% of the annual turnover, worldwide, whichever is higher, in the case of SMEs;
c) From 500 (euro) to 250,000 (euro), in the case of individuals.

   Article 39

Determination of the size of the fine

1 - In determining the size of the fine, the CNPD takes into account, in addition to the criteria established in paragraph 2 of article 83 of the GDPR:
a) The economic situation of the agent, in the case of an individual, or the turnover and annual balance sheet, in the case of a legal entity;
b) The ongoing nature of the infringement;
c) The size of the entity, taking into account the number of employees and the nature of the services provided.
2 - For the purposes of applying the provisions of the previous articles, the concepts of small and medium-sized enterprises (SMEs) and large enterprises are those defined in Recommendation No. 2003/361/EC of the European Commission, of 6 May 2003.
3 - Except in cases of intent, the initiation of administrative offence proceedings depends on prior warning of the offender, by the CNPD, to comply with the obligation omitted or reinstate the prohibition violated within a reasonable period.

Article 40

Statute of limitations for administrative offence proceedings

The administrative offence proceedings shall be extinguished by the statute of limitations as soon as the following periods have elapsed since the commission of the administrative offence:
a) Three years, in the case of a very serious administrative offence;
b) Two years, in the case of a serious administrative offence.

  Article 41

Limitation period for fines

The fines provided for in this law shall expire within the following time limits:
a) Three years, in the case of fines exceeding 100,000 (euro);
b) Two years, in the case of fines equal to or less than 100,000 (euro).

   Article 42

Allocation of fines

The amount of the fines collected shall revert 60% to the State and 40% to the CNPD.

   Article 43

Compliance with an omitted duty

Whenever the administrative offence results from the omission of a duty, the application of the sanction and the payment of the fine shall not exempt the offender from complying with it if this is still possible.

  Article 44

Scope of application of administrative offences

1 - The fines provided for in the GDPR and in this law apply equally to public and private entities.
2 - Under the terms of paragraph 7 of article 83 of the GDPR, public entities, upon duly substantiated request, may request the CNPD to waive the application of fines for a period of three years from the entry into force of this law.
3 - Public entities are subject to the CNPD's powers of correction, as provided for in the GDPR and in this law, with the exception of the application of fines under the terms defined in the previous paragraph.

   Article 45

Subsidiary regime

In all matters not provided for in this law in terms of administrative offences, the provisions of the general regime of mere social regulation offences shall apply.

SECTION III
Crimes

Article 46

Use of data in a manner incompatible with the purpose of collection

1 - Anyone who uses personal data in a manner incompatible with the purpose of collection shall be punished with a prison sentence of up to one year or a fine of up to 120 days.

2 - The penalty shall be doubled within its limits when it concerns the personal data referred to in articles 9 and 10 of the GDPR.

   Article 47

Unlawful access

1 - Anyone who, without due authorisation or justification, accesses, by any means, personal data shall be punished with a prison sentence of up to one year or a fine of up to 120 days.

2 - The penalty shall be doubled within its limits when it concerns the personal data referred to in articles 9 and 10 of the GDPR.

3 - The penalty shall also be doubled within its limits when access:
a) Is obtained through a breach of technical security rules; or
b) Has provided the agent or third parties with a financial benefit or advantage.

   Article 48

Misappropriation of data

1 - Anyone who copies, removes, assigns or transfers, whether for a fee or free of charge, personal data without legal provision or consent, regardless of the purpose pursued, shall be punished with a prison sentence of up to 1 year or a fine of up to 120 days.
2 - The penalty shall be doubled within its limits when it concerns personal data referred to in articles 9 and 10 of the GDPR.
3 - The penalty shall also be doubled within its limits when access:
a) Is obtained through a breach of technical security rules; or
b) Has provided the agent or third parties with a financial benefit or advantage.

Article 49

Tampering or destruction of data

1 - Anyone who, without due authorisation or justification, deletes, destroys, damages, conceals, suppresses or modifies personal data, rendering them unusable or affecting their potential for use, shall be punished with a prison sentence of up to 2 years or a fine of up to 240 days.
2 - The penalty shall be doubled within its limits if the damage caused is particularly serious.
3 - In the situations provided for in the previous paragraphs, if the agent acts negligently, he/she shall be punished with a prison sentence:
a) Up to 1 year or a fine of up to 120 days, in the case provided for in paragraph 1;
b) Up to 2 years or a fine of up to 240 days, in the case provided for in paragraph 2.

  Article 50

Insertion of false data

1 - Anyone who inserts or facilitates the insertion of false personal data, with the intention of obtaining undue advantage for themselves or a third party, or to cause harm, shall be punished with a prison sentence of up to 2 years or a fine of up to 240 days.
2 - The penalty shall be increased to double its limits if the insertion referred to in the previous paragraph results in actual harm.

  Article 51

Breach of the duty of confidentiality

1 - Anyone who, under the terms of the law, is required to observe professional secrecy, without just cause and without due consent, reveals or discloses personal data in whole or in part, shall be punished with a prison sentence of up to 1 year or a fine of up to 120 days.

2 - The penalty shall be doubled if the perpetrator:

a) Is a public servant or equivalent, under the terms of criminal law;

b) Is a data protection officer;

c) Is determined by the intention of obtaining any financial advantage or other illegitimate benefit;

d) Endangers the reputation, honour or privacy of third parties.

3 - Negligence shall be punishable with a prison sentence of up to 6 months or a fine of up to 60 days.

  Article 52

Disobedience

1 - Anyone who fails to comply with the obligations set out in the GDPR and in this law, after the deadline set by the CNPD for compliance has passed, shall be punished with a prison sentence of up to 1 year or a fine of up to 120 days.

2 - The penalty shall be increased to double its limits if, after being notified to that effect, the agent:
a) Does not interrupt, cease or block the unlawful processing of data;
b) Does not proceed with the deletion or destruction of data when legally required, or after the retention period set out under this law has expired; or
c) Refuses, without just cause, to cooperate as required under Article 8 of this law.

   Article 53

Punishability of attempts

In the crimes provided for in this section, attempts are always punishable.

  Article 54

Liability of legal persons

Legal persons and similar entities, with the exception of the State, legal persons exercising the prerogatives of public power and organisations under public international law, are liable for the crimes provided for in this section, under the terms of Article 11 of the Criminal Code.

SECTION IV
Common provisions

Article 55

Concurrent offences

1 - If the same act simultaneously constitutes a crime and an offence, the perpetrator shall always be punished under the crime.
2 - Where there is a concurrent crime and an offence, or where, for the same act, one person must be held liable under the crime and another under the offence, the prosecution of the offence shall be the responsibility of the authorities competent for criminal proceedings, under the terms of the general regime for offences of mere social order.

  Article 56

Additional sanctions

1 - In conjunction with the sanctions applied, the temporary or permanent prohibition of processing, blocking, erasure or total or partial destruction of data may be ordered as an additional measure.

2 - In the case of crimes, or fines exceeding 100,000 (euros), the publication of the conviction may be ordered as an additional measure, by means of an extract containing the identification of the perpetrator, the details of the offence and the sanctions applied, on the Citizen's Portal, for a period of no less than 90 days.

CHAPTER VIII
Final and transitional provisions

Article 57

National Data Protection Commission

The members of the CNPD in office on the date of entry into force of this law shall remain in office until the end of their respective terms of office.

  Article 58

Technical guidelines

The technical guidelines for the application of the GDPR by the direct and indirect State administration are approved by resolution of the Council of Ministers, which may also recommend its application to the State business sector.

   Article 59

Applicability of fines to public entities

The possibility of not applying fines to public entities, under the terms set out in paragraph 2 of article 44 of this law, must be subject to reassessment three years after the entry into force of this law.

   Article 60

Situations of pre-existing personal data processing

1 - The processing of personal data subject to public registration, under the terms of article 31 of Law no. 67/98, of 26 October, shall remain under the responsibility of the CNPD and available for free consultation by any person.
2 - Notifications and requests for authorisation already decided by the CNPD at the time this law comes into force, but not yet published, must be so decided in accordance with the legislation provided for in the previous paragraph.
3 - Applications for registration and authorisation pending with the CNPD on the date this law comes into force shall expire upon its entry into force.
4 - Those responsible for the processing of personal data carried out on the basis of authorisations issued under Law No. 67/98 of 26 October, as well as subcontractors, are required to comply with the obligations imposed by the GDPR, with the exception of the data protection impact assessment referred to in Article 35 of that regulation.

   Article 61

Renewal of consent

1 - When the processing of personal data in progress at the date this law comes into force is based on the consent of the respective data subject, it is not necessary to obtain new consent if the previous consent complied with the requirements set out in the GDPR.

2 - If the expiry of consent is grounds for termination of a contract to which the data subject is a party, data processing shall be lawful until such termination occurs.

   Article 62

Personal data protection regimes

1 - The rules on the protection of personal data provided for in special legislation shall remain in force, insofar as they do not contradict the provisions of the GDPR and this law, without prejudice to the provisions of the following paragraph.

2 - All rules that provide for authorisations or notifications of the processing of personal data to the CNPD, outside the cases provided for in the GDPR and this law, shall cease to be in force on the date of entry into force of the GDPR.

CHAPTER IX
Legislative amendments

   Article 63

Amendment to Law No. 43/2004, of August 18

1 - Articles 2, 3, 8, 16 to 22 and 24 to 31 of the Law on the Organization and Functioning of the National Data Protection Commission, approved by Law No. 43/2004, of August 18, amended by Law No. 55-A/2010, of December 31, shall be worded as follows:
«Article 2
[...]
1 - The CNPD is an independent administrative entity, with legal personality under public law and powers of authority, endowed with administrative and financial autonomy, which operates alongside the Assembly of the Republic.
2 - The CNPD is the national supervisory authority for the purposes of the General Data Protection Regulation (GDPR), approved by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, and of the law that ensures its implementation in the domestic legal system.
3 - The CNPD monitors and oversees compliance with the GDPR and this law, as well as other legal and regulatory provisions on the protection of personal data, in order to defend the rights, freedoms and guarantees of individuals in the context of the processing of personal data.
4 - The CNPD acts independently in the pursuit of its duties and in the exercise of the powers conferred on it by this law.
Article 3
Composition, appointment and term of office of members
1 - The CNPD is composed of seven members of recognised integrity and merit:
a) A president, elected by the Assembly of the Republic;
b) Two individuals elected by the Assembly of the Republic according to the highest d'Hondt average method;
c) Two magistrates, one being a judicial magistrate, appointed by the Superior Council of the Judiciary, and one being a magistrate of the Public Prosecution Service, appointed by the Superior Council of the Public Prosecution Service;
d) Two individuals appointed by the Government.
2 - The term of office of the members of the CNPD is five years, renewable twice, and ends when the new members take office.
3 - The appointment of the members of the CNPD is included in a list published in the 1st series of the Official Gazette.
4 - The members of the CNPD take office before the President of the Assembly of the Republic within 10 days of the publication of the list referred to in the previous paragraph.
Article 8
[...]
The duties of the members of the CNPD are:
a) ...
b) ...
c) To maintain confidentiality regarding the issues or processes that are being assessed, under the terms set out in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and in Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016.
Article 16
Publicity
1 - The deliberations relating to:
a) Accreditation and certification;
b) Revocation and cancellation of accreditation and certification;
c) Codes of conduct;
d) Authorisations;
e) Binding rules
shall be published on the CNPD website.
2 - Regulations and opinions on legal and regulatory provisions and legal instruments being prepared by European Union and international institutions, as well as general guidelines and recommendations, shall also be published on that website.
3 - Administrative regulations, including those relating to the setting of fees and those issued under the provisions of paragraph 3 of article 22, shall be published in the 2nd series of the Official Gazette.
Article 17
Complaints and reports
1 - Complaints and reports shall be submitted in writing, in a specific place for that purpose on the CNPD website, without prejudice to the fact that, exceptionally, provided that they are duly substantiated, their submission by e-mail or post may be permitted, and confirmation of the identity of their authors may be required.
2 - (Repealed.)
3 - ...
4 - ...
Article 18
[...]
1 - ...
2 - The CNPD may approve models or forms, in electronic format, with a view to enabling better processing of cases.
3 - (Repealed.)
4 - Requests for an opinion on legal and regulatory provisions under preparation must be forwarded to the CNPD by the head of the body with legislative or regulatory power, accompanied by the respective impact study on the protection of personal data.
5 - Requests for an opinion on any other European Union or international legal instruments under preparation, relating to the processing of personal data, must be forwarded to the CNPD by the entity representing the Portuguese State in the process of preparing the initiative, accompanied by due instructions.
Article 19
[...]
1 - ...:
a) ...
b) ...
c) ...
d) After hearing the Commission, appoint the staff of the map and authorise transfers, requisitions and secondments;
e) ...
f) ...
g) ...
h) ...
i) ...
j) ...
l) ...
2 - ...
Article 20
[...]
1 - The revenue and expenditure of the CNPD, which enjoys administrative and financial autonomy, are set out in the annual budget.
2 - In addition to the appropriations allocated to it in the budget of the Assembly of the Republic, under the terms of Law No. 59/90 of 21 November, the following constitute revenue for the CNPD:
a) ...
b) Proceeds from the sale of publications;
c) ...
d) The amount of fines collected which, under the terms of the law, revert to its benefit;
e) ...
f) Subsidies, grants, contributions, donations and legacies granted by public and private entities, national, foreign, from the European Union or international;
3 - ...
4 - ...
5 - ...
6 - The management of the CNPD budget, including the allocations not included in the budget of the Assembly of the Republic, is subject to the latter's regime, and the regime provided for in paragraph 10 of article 60 of Law no. 71/2018, of December 31, is also applicable.
Article 21
[...]
1 - ...
a) For accreditation and certification;
b) For prior consultation;
c) For issuing authorizations;
d) For assessing codes of conduct;
e) In other cases provided for by law.
2 - The amount of the fees, which must be proportional to the complexity of the request and the service provided, is set by regulation by the CNPD.
3 - ...
Article 22
[...]
1 - The CNPD has its own support services comprising units and centers.
2 - The support services are made up of the following units:
a) Rights and Sanctions Unit;
b) Inspection Unit;
c) Public and International Relations Unit;
d) IT Unit;
e) Administrative and Financial Support Unit.
3 - The CNPD is responsible for approving the regulations governing the organisation and operation of support services, as well as the regulations for employee assessment.
4 - (Previous no. 3.)
5 - The secretary is appointed by order of the president, having obtained a favourable opinion from the Commission, in compliance with the legal requirements appropriate to the performance of the respective functions, preferably chosen from among employees already on the CNPD roster, qualified with a degree and of recognised competence for the performance of the position.
6 - (Previous no. 5.)
Article 24
Rights and Sanctions Unit
The Rights and Sanctions Unit is responsible for providing technical and legal support, namely:
a) Instructing administrative offence proceedings, as well as other proceedings opened based on reports or complaints;
b) Prepare procedural documents and represent the CNPD in legal proceedings, when mandated to do so;
c) Prepare opinions on legislative and regulatory projects and on legal instruments being prepared by European Union and international institutions;
d) Analyse and prepare guidelines on data protection impact assessment studies;
e) Instruct and propose decisions on prior authorisation processes in cases provided for by law;
f) Instruct and propose decisions on accreditation and accreditation review and certification processes;
g) Analyse and prepare decisions in personal data breach notification processes;
h) Analyse and prepare decisions on codes of conduct;
i) Interact with data protection officers;
j) Collaborate in the organisation of colloquia, seminars and other initiatives to disseminate personal data protection matters;
k) Instruct and propose decisions on the exercise of rights by personal data subjects;
l) Perform any other technical-legal tasks.
Article 25
Public and International Relations Unit
The Public and International Relations Unit is responsible for providing support in the areas of information, documentation and public relations and in interaction with European and international authorities, in particular:
a) Managing the content of the CNPD website and intranet;
b) Organising and keeping up to date a documentation centre with the function of collecting bibliography, documentation, texts, legal diplomas, normative and administrative acts and other scientific and technical information related to the protection of personal data;
c) Promoting the dissemination and clarification of rights and obligations relating to the protection of personal data;
d) Ensuring contact with the media;
e) Organising, advising and promoting the holding of colloquia, seminars and other events;
f) Collaborating in the design and editing of publications, as well as in the annual activity report;
g) Performing any other tasks within the scope of information and communication;
h) Manage institutional relations with European Union or international organisations on the protection of personal data;
i) Ensure relations with similar supervisory authorities, in particular within the scope of the powers of the European Data Protection Board;
j) Instruct and prepare decisions on cooperation and consistency procedures;
k) Instruct and prepare decisions on international transfers of personal data.
Article 26
IT Unit
1 - The IT Unit is responsible for ensuring the normal functioning of the CNPD's information and communication infrastructures and the necessary technical support in the area of information technologies, namely:
a) Ensure the integrated management and maintenance of the CNPD's IT equipment and its communications system;
b) Ensure the correct functioning of the CNPD's IT network and information systems;
c) Carry out the technical studies necessary for the acquisition of IT and communication equipment;
d) Provide support to users of information and communication systems and encourage them to adopt good practices for the safe and appropriate use of these systems;
e) Ensure the application of security standards that guarantee the reliability, confidentiality and durability of information systems;
f) Design the overall architecture of the CNPD information system;
g) Design, develop and operate the applications and interfaces necessary for the exercise of the CNPD's activity;
h) Design, develop and operate the CNPD's website;
i) Conduct studies on new technologies that have an impact on the processing of personal data.
Article 27
Administrative and Financial Support Unit
The Administrative and Financial Support Unit is responsible for supporting the CNPD in the management of processes and human, financial and material resources, in particular:
a) [Previous paragraph c).]
b) [Previous paragraph d).]
c) [Previous paragraph e).]
d) Promote the acquisition of goods and services;
e) Manage consumer goods, as well as manage the facilities, vehicles and other equipment at the service of the CNPD;
f) Prepare and keep the general inventory up to date;
g) Promote the recruitment, promotion and hiring of workers, as well as the application of mobility instruments;
h) Process the salaries of workers, CNPD members and the sole inspector;
i) Organize and keep up to date information regarding workers, CNPD members and the sole inspector;
j) Promote the training of workers;
k) Promote the execution of the evaluation of workers;
l) Instruct and propose decisions in disciplinary proceedings;
m) Act as secretary to the president and the secretary;
n) Ensure the registration and forwarding of correspondence, as well as the organization and filing of documents;
o) Ensure external assistance and support for meetings;
p) Ensure the driving and maintenance of vehicles and receive and deliver documents and orders;
q) Perform any other tasks that, within the scope of their functional area, are determined by the president or the secretary.
Article 28
[...]
1 - The general regime for work in public functions applies to CNPD workers.
2 - ...
Article 29
[...]
CNPD workers are provided with an identification card stating the position held and the powers inherent to their function.
Article 30
[...]
1 - ...
2 - ...
3 - ...
4 - The period provided for in paragraph 1 of article 97 of the General Law on Work in Public Functions, approved in the annex to Law no. 35/2014, of June 20, is not applicable to the mobility regime for the CNPD support services, although mobility may be terminated by decision of the president, after hearing the Committee, or at the request of the interested party.
5 - ...
6 - For the performance of functions in the CNPD support services within the scope of mobility mechanisms, and whenever it is done at the initiative of the worker, the agreement of the service of origin is waived.
Article 31
Workers in public functions
The appointment by service commission of workers in public functions to the position of consultant does not result in the opening of a vacancy in the map of origin, and all rights inherent to their previous positions or functions are safeguarded, in particular for the purposes of promotion or progression.»

  Article 64

Amendment to Law No. 43/2004, of 18 August

Articles 19-A and 24-A are added to Law No. 43/2004, of 18 August, with the following wording:
«Article 19-A
Sole auditor
1 - The sole auditor is the body responsible for monitoring the legality, regularity and sound financial and asset management of the CNPD, and for consulting the latter in this area.
2 - The sole auditor is an official auditor, appointed by the Assembly of the Republic, by resolution, and who takes office before the President of the Assembly of the Republic.
3 - The sole auditor's term of office is five years, non-renewable, and he/she remains in office until effectively replaced.
4 - The sole auditor is remunerated at an amount corresponding to 25% of the base remuneration received by the members of the CNPD.
5 - The sole auditor is responsible, in particular, for:
a) Monitoring and controlling the financial and asset management of the CNPD;
b) Periodically examining the financial and economic situation of the CNPD and verifying compliance with the rules regulating its activity;
c) Issuing a prior opinion, within a maximum period of 10 days, on the acquisition, encumbrance, lease and disposal of movable property;
d) Issuing an opinion on any matter submitted to it by the CNPD;
e) Reporting any irregularities detected to the competent authorities.
Article 24-A
Inspection Unit
The Inspection Unit shall be responsible for carrying out inspections and audits within the scope of ongoing proceedings, with a mandate from the CNPD, in particular:
a) Monitoring compliance with the processing of personal data, and may, for this purpose, access the premises of the controller and the subcontractor, the equipment, the data processing means, as well as all documentation that may be necessary;
b) Investigating, within the scope of mutual assistance and joint operations provided for in Articles 61 and 62 of Regulation (EU) 2016/679 of the Parliament and of the Council of 27 April 2016, the processing of personal data, under the conditions set out in the previous paragraph;
c) Carrying out audits of the national part of the European information systems, in accordance with European Union legislation.»

  Article 65

Amendment to Law No. 26/2016, of August 22

Article 6 of the regime for access to administrative and environmental information and the reuse of administrative documents, approved by Law No. 26/2016, of August 22, shall be worded as follows:
«Article 6
[...]
1 - ...
2 - ...
3 - ...
4 - ...
5 - ...
6 - ...
7 - ...
8 - ...
9 - Without prejudice to the considerations provided for in the previous paragraphs, in requests for access to nominative documents that do not contain personal data revealing ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic, biometric or health-related data, or data relating to the privacy of a person's private life, sexual life or sexual orientation, it shall be presumed, in the absence of another indicated by the applicant, that the request is based on the right of access to administrative documents.»

   Article 66

Repealing provision

1 - Law no. 67/98 of 26 October, which transposes into Portuguese law Directive 95/45/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, is hereby repealed.

2 - No. 3 of Article 15 and No. 2 of Article 17 of Law no. 43/2004 of 18 August, amended by Law no. 55-A/2010 of 31 December, are hereby repealed.

  Article 67

Republication

Law No. 43/2004 of 18 August is republished as an annex to this law, of which it forms an integral part, with its current wording and the necessary formal corrections.

   Article 68

Entry into force and effects

1 - This law shall come into force on the day following its publication.
2 - The sole auditor to be elected under the terms of Article 19-A of Law No. 43/2004 of 18 August may only begin his term of office on 1 January 2020.
Approved on 14 June 2019.
The President of the Assembly of the Republic, Eduardo Ferro Rodrigues.
Promulgated on 26 July 2019.
Let it be published.
The President of the Republic, Marcelo Rebelo de Sousa.
Countersigned on 30 July 2019.
By the Prime Minister, Augusto Ernesto Santos Silva, Minister of Foreign Affairs.

(referred to in Article 67)
Republication of Law No. 43/2004, of 18 August
CHAPTER I
General provisions
Article 1
Scope
This law regulates the organisation and functioning of the National Data Protection Commission (CNPD), as well as the personal status of its members.
Article 2
Nature, powers and competences
1 - The CNPD is an independent administrative entity, with legal personality under public law and powers of authority, endowed with administrative and financial autonomy, which operates within the Assembly of the Republic.
2 - The CNPD is the national supervisory authority for the purposes of the General Data Protection Regulation (GDPR), approved by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, and of the law that ensures its implementation in the domestic legal system.
3 - The CNPD monitors and oversees compliance with the GDPR and this law, as well as other legal and regulatory provisions on the protection of personal data, in order to defend the rights, freedoms and guarantees of individuals in the context of the processing of personal data.
4 - The CNPD acts independently in the pursuit of its duties and in the exercise of the powers conferred on it by this law.
CHAPTER II
Members of the CNPD
Article 3
Composition, appointment and term of office of members
1 - The CNPD is composed of seven members of recognised integrity and merit:
a) A President, elected by the Assembly of the Republic;
b) Two individuals elected by the Assembly of the Republic according to the highest average d'Hondt method;
c) Two magistrates, one judicial magistrate, appointed by the Superior Council of the Judiciary, and one magistrate of the Public Prosecutor's Office, appointed by the Superior Council of the Public Prosecutor's Office;
d) Two individuals appointed by the Government;
2 - The term of office of the members of the CNPD is five years, renewable twice, and ends when the new members take office.
3 - The appointment of the members of the CNPD is included in a list published in the 1st series of the Diário da República.
4 - The members of the CNPD take office before the President of the Assembly of the Republic within 10 days of the publication of the list referred to in the previous paragraph.
Article 4
Disqualifications and incompatibilities
1 - Only citizens who are in full enjoyment of their civil and political rights may be members of the CNPD.
2 - The members of the CNPD are subject to the regime of incompatibilities established for holders of high public office.
Article 5
Irremovability
1 - The members of the CNPD are irremovable and their duties may not cease before the end of their term of office, except in the following cases:
a) Death or permanent physical incapacity or disability that is expected to last longer than the end of the term of office;
b) Resignation from office;
c) Loss of office.
2 - In the event of a vacancy for one of the reasons provided for in the previous paragraph, the vacancy must be filled within 30 days of its occurrence, through the appointment of a new member by the competent entity.
3 - The member appointed under the terms of the previous paragraph completes the term of office of the member he/she replaces.
Article 6
Resignation
1 - The members of the CNPD may resign from office by means of a written declaration submitted to the Commission.
2 - The resignation becomes effective upon its announcement and is published in the 2nd series of the Official Gazette.
Article 7
Loss of office
1 - Members of the CNPD shall lose their office if they:
a) Are affected by any of the incapacities or incompatibilities provided for by law;
b) Are absent, in the same calendar year, from three consecutive meetings or six interpolated meetings, unless there is a justified reason;
c) Commit a violation of the provisions of paragraph c) of article 8, provided that it is declared by court order.
2 - The loss of office shall be subject, depending on the case, to a deliberation or declaration to be published in the 2nd series of the Official Gazette.
Article 8
Duties
The duties of members of the CNPD shall be:
a) To exercise their position impartially, rigorously and independently;
b) To participate actively and assiduously in the work of the body of which they are a member;
c) Maintain confidentiality regarding the issues or processes that are being assessed, under the terms set out in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and in Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016.
Article 9
Remuneration status
1 - The president of the CNPD shall be remunerated in accordance with the indicative scale and the regime established for the post of director-general, with the remaining members receiving remuneration equal to 85% of that, without prejudice to the option of opting for the remuneration corresponding to the post of origin.
2 - The president of the CNPD shall be entitled to a monthly allowance for representation expenses of an amount equal to that granted to the directors-general.
3 - The remaining members of the CNPD shall be entitled to a monthly allowance for representation expenses of an amount equal to that granted to the deputy directors-general.
4 - Members of the CNPD shall benefit from the general social security scheme, unless they are covered by another more favourable scheme.
Article 10
Guarantees
Members of the CNPD shall benefit from the following guarantees:
a) They shall not be prejudiced in the stability of their employment, their professional career or the social security scheme from which they benefit;
b) The period corresponding to the exercise of the mandate shall be considered, for all legal purposes, as having been served in the place of origin;
c) The term of office shall suspend, at the request of the interested party, the counting of deadlines for the submission of curriculum reports or the taking of tests for the career of higher education teacher or for scientific research, as well as the counting of the deadlines of contracts for visiting professors, assistants, trainee assistants or guests;
d) They shall have the right to be exempted from their public or private activities, when they are in national or international representation of the Commission.
Article 11
Impediments and suspicions
1 - The provisions of the Code of Administrative Procedure shall apply, with the necessary adaptations, to impediments and suspicions.
2 - Impediments and suspicions are assessed by the CNPD.
Article 12
Identification card
1 - Members of the CNPD have an identification card, stating their position, privileges and rights inherent to their role.
2 - The identification card is simultaneously for free transit and access to all locations where personal data subject to the control of the CNPD are processed.
CHAPTER III
Operation of the CNPD
Article 13
Meetings
1 - The CNPD operates on a permanent basis.
2 - The CNPD holds ordinary and extraordinary meetings.
3 - Extraordinary meetings take place:
a) At the initiative of the president;
b) At the request of three of its members.
4 - The CNPD meetings are not public and are held at its premises or, by its decision, at any other location in the national territory, with the frequency established in terms appropriate to the performance of its functions.
5 - The president, when he deems it appropriate, may, with the agreement of the Commission, invite any person whose presence is considered useful to participate in meetings, except at the decision-making stage.
6 - Minutes shall be drawn up of the meetings, which, after being approved by the CNPD, shall be signed by the president and the secretary.
Article 14
Agenda
1 - The agenda for each ordinary meeting shall be set by the president and shall be communicated to the members at least two working days in advance of the date scheduled for the meeting.
2 - The agenda shall include the matters indicated to it for this purpose by any member, provided that they are within the competence of the body and the request is submitted in writing at least five days in advance of the date of the meeting.
Article 15
Deliberations
1 - The CNPD may only meet and deliberate with the presence of at least four members.
2 - The CNPD's deliberations shall be taken by a majority of the members present, with the president having a casting vote.
3 - (Repealed.)
Article 16
Publicity
1 - The following decisions are published on the CNPD website:
a) Accreditation and certification;
b) Revocation and cancellation of accreditation and certification;
c) Codes of conduct;
d) Authorizations;
e) Binding rules.
2 - Regulations and opinions on legal and regulatory provisions and legal instruments being prepared by European Union and international institutions, as well as general guidelines and recommendations, are also published on that website.
3 - Administrative regulations, including those relating to the setting of fees and those issued under the provisions of paragraph 3 of article 22, shall be published in the 2nd series of the Official Gazette.
Article 17
Complaints and reports
1 - Complaints and reports shall be submitted in writing, in a specific place for this purpose on the CNPD website, without prejudice to the fact that, exceptionally, provided that they are duly substantiated, they may be submitted by email or post, and confirmation of the identity of their authors may be required.
2 - (Repealed.)
3 - When the issue raised does not fall within the jurisdiction of the CNPD, it must be forwarded to the competent entity, with information to the complainant.
4 - Manifestly unfounded complaints, grievances and petitions may be archived by the member of the Commission to whom the respective file has been distributed.
Article 18
Formalities
1 - Documents sent to the CNPD and subsequent processing are not subject to special formalities.
2 - The CNPD may approve models or forms, in electronic format, with a view to enabling better processing of cases.
3 - (Repealed.)
4 - Requests for an opinion on legal and regulatory provisions under preparation must be sent to the CNPD by the head of the body with legislative or regulatory power, accompanied by the respective impact study on the protection of personal data.
5 - Requests for an opinion on any other European Union or international legal instruments under preparation, relating to the processing of personal data, must be sent to the CNPD by the entity representing the Portuguese State in the process of preparing the initiative, accompanied by duly instructed documents.
Article 19
Powers and replacement of the president
1 - The president shall:
a) Represent the Commission;
b) Supervise the support services;
c) Convene sessions and set the agenda;
d) After hearing the Commission, appoint the staff of the list and authorise transfers, requisitions and secondments;
e) After hearing the Commission, authorise the hiring of the staff referred to in paragraph 5 of article 30;
f) Grant contracts on behalf of the Commission and bind it in other legal transactions;
g) Authorise expenditure within the limits legally included in the competence of ministers;
h) Apply fines and approve deliberations, under the terms provided for by law;
i) After hearing the Commission, establish the rules for the distribution of cases;
j) Submit the activity plan for approval by the Commission;
l) In general, ensure compliance with the laws and the regularity of deliberations.
2 - The president shall be replaced, in his absence or impediment, by the member designated by the Commission.
Article 19-A
Sole auditor
1 - The sole auditor is the body responsible for monitoring the legality, regularity and sound financial and asset management of the CNPD, and for consulting the latter in this area.
2 - The sole auditor is an official auditor, appointed by the Assembly of the Republic, by resolution, and who takes office before the President of the Assembly of the Republic.
3 - The sole auditor's term of office is five years, non-renewable, and he/she remains in office until effectively replaced.
4 - The sole auditor is remunerated at an amount corresponding to 25% of the base remuneration received by the members of the CNPD.
5 - The sole auditor is responsible, in particular, for:
a) Monitoring and controlling the financial and asset management of the CNPD;
b) Periodically examining the financial and economic situation of the CNPD and verifying compliance with the rules regulating its activity;
c) Issuing a prior opinion within a maximum period of 10 days on the acquisition, encumbrance, lease and disposal of movable property;
d) Issue an opinion on any matter submitted to it by the CNPD;
e) Report any irregularities it detects to the competent authorities.
CHAPTER IV
Financial system
Article 20
Revenue and expenditure system
1 - The revenue and expenditure of the CNPD, which enjoys administrative and financial autonomy, are set out in the annual budget.
2 - In addition to the allocations allocated to it in the budget of the Assembly of the Republic, under the terms of Law No. 59/90 of 21 November, the following constitute revenue for the CNPD:
a) The proceeds of fees charged;
b) The proceeds from the sale of publications;
c) The proceeds from the costs of issuing certificates and access to documents;
d) The amount of fines collected which, under the terms provided for by law, revert to its benefit;
e) The management balance from the previous year;
f) Subsidies, grants, contributions, donations and legacies granted by public and private entities, national, foreign, European Union or international;
g) Any other revenues attributed to it by law or contract.
3 - The CNPD's expenses are those resulting from the charges and responsibilities arising from its operation, as well as any other expenses related to the pursuit of its duties.
4 - The annual budget, any amendments thereto and the accounts are approved by the CNPD.
5 - The CNPD's accounts are subject, in general terms, to the control of the Court of Auditors.
6 - The management of the CNPD's budget, including the allocations not included in the budget of the Assembly of the Republic, is subject to the latter's regime, and the regime provided for in paragraph 10 of article 60 of Law no. 71/2018, of December 31, is also applicable.
Article 21
Fees
1 - The CNPD may charge fees:
a) For accreditation and certification;
b) For prior consultation;
c) For issuing authorisations;
d) For assessing codes of conduct;
e) In other cases provided for by law.
2 - The amount of the fees, which must be proportional to the complexity of the request and the service provided, shall be set by regulation by the CNPD.
3 - In the event of proven financial insufficiency, the interested party may be exempted, in whole or in part, from paying the fees referred to in paragraph 1, by means of a decision by the CNPD.
CHAPTER V
Support services
Article 22
Organisation of support services
1 - The CNPD has its own support services comprising units and centres.
2 - The support services are made up of the following units:
a) Rights and Sanctions Unit;
b) Inspection Unit;
c) Public and International Relations Unit;
d) IT Unit;
e) Administrative and Financial Support Unit.
3 - The CNPD is responsible for approving the regulations governing the organisation and operation of the support services, as well as the regulations for assessing employees.
4 - The support services are headed by a secretary, who is entitled to the highest salary of a coordinating consultant, as well as a monthly allowance for representation expenses in the amount of 8% of the base salary.
5 - The secretary is appointed by order of the president, having obtained a favourable opinion from the Commission, in compliance with the legal requirements appropriate to the performance of the respective functions, preferably chosen from among employees already on the CNPD roster, qualified with a degree and of recognised competence for the performance of the post.
6 - The secretary is appointed on a secondment basis, for periods of three years.
Article 23
Powers of the secretary
1 - The secretary is responsible for:
a) Acting as secretary to the Commission;
b) Implement the Commission's decisions, in accordance with the President's guidelines;
c) Ensure the proper organisation and operation of support services, particularly with regard to financial management, personnel, facilities and equipment, in accordance with the President's guidelines;
d) Prepare the draft budget, as well as any amendments thereto, and ensure its implementation;
e) Prepare the draft annual report.
2 - The secretary shall be replaced, in his absence or impediment, by the senior technician or consultant appointed by the president, having obtained a favourable opinion from the Commission.
Article 24
Rights and Sanctions Unit
The Rights and Sanctions Unit shall be responsible for ensuring technical and legal support, namely:
a) Instructing administrative offence proceedings, as well as other proceedings opened on the basis of reports or complaints;
b) Preparing procedural documents and representing the CNPD in legal proceedings, when mandated for this purpose;
c) Preparing opinions on legislative and regulatory projects and on legal instruments being prepared by European Union and international institutions;
d) Analysing and preparing guidelines on data protection impact assessment studies;
e) Instructing and proposing decisions on prior authorisation processes in the cases provided for by law;
f) Instructing and proposing decisions on accreditation and accreditation and certification review processes;
g) Analysing and preparing decisions in personal data breach notification processes;
h) Analyse and prepare decisions on codes of conduct;
i) Interact with data protection officers;
j) Collaborate in the organisation of colloquia, seminars and other initiatives to disseminate personal data protection matters;
k) Instruct and propose decisions regarding the exercise of rights by data subjects;
l) Perform any other technical and legal tasks.
Article 24-A
Inspection Unit
The Inspection Unit is responsible for carrying out inspections and audits within the scope of ongoing processes, with a mandate from the president of the CNPD, in particular:
a) Monitor compliance with the processing of personal data, and may, for this purpose, access the premises of the controller and the subcontractor, the equipment, the data processing means, as well as all documentation that is deemed necessary;
b) Investigate, within the scope of mutual assistance and joint operations provided for in Articles 61 and 62 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, the processing of personal data, under the conditions set out in the previous paragraph;
c) Carry out audits of the national part of the European information systems, in accordance with European Union legislation.
Article 25
Public and International Relations Unit
The Public and International Relations Unit is responsible for providing support in the area of information, documentation and public relations and in interaction with European and international authorities, in particular:
a) Manage the content of the CNPD website and intranet;
b) Organise and keep up to date a documentation centre with the function of collecting bibliography, documentation, texts, legal diplomas, normative and administrative acts and other elements of scientific and technical information related to the protection of personal data;
c) Promote the dissemination and clarification of rights and obligations relating to the protection of personal data;
d) Ensure contact with the media;
e) Organise, advise and promote the holding of colloquia, seminars and other events;
f) Collaborate in the design and editing of publications, as well as in the annual activity report;
g) Perform any other tasks in the area of information and communication;
h) Manage institutional relations with European Union or international organisations in the area of personal data protection;
i) Ensure relations with similar supervisory authorities, in particular within the scope of the powers of the European Data Protection Board;
j) Instruct and prepare decisions in cooperation and consistency procedures;
k) Instruct and prepare decisions regarding international transfers of personal data.
Article 26
IT Unit
1 - The IT Unit is responsible for ensuring the normal functioning of the CNPD's information and communication infrastructures and the necessary technical support in the area of information technologies, namely:
a) Ensuring the integrated management and maintenance of the CNPD's IT infrastructure and its communications system;
b) Ensuring the correct functioning of the CNPD's IT network and information systems;
c) Carrying out the technical studies necessary for the acquisition of IT and communication equipment;
d) Ensuring support for users of the information and communication systems, as well as encouraging them to adopt good practices for the safe and appropriate use of these systems;
e) Ensuring the application of security standards that guarantee the reliability, confidentiality and durability of the information systems;
f) Designing the overall architecture of the CNPD's information system;
g) Designing, developing and operationalising the applications and interfaces necessary for the exercise of the CNPD's activity;
h) Design, develop and operate the CNPD website;
i) Conduct studies on new technologies that have an impact on the processing of personal data.
Article 27
Administrative and Financial Support Unit
The Administrative and Financial Support Unit is responsible for supporting the CNPD in the management of processes and human, financial and material resources, in particular:
a) Prepare budget proposals and monitor their implementation;
b) Ensure the processing and accounting of revenue and expenditure;
c) Prepare the management account and the respective report;
d) Promote the acquisition of goods and services;
e) Manage consumer goods, as well as manage the facilities, vehicles and other equipment at the service of the CNPD;
f) Prepare and keep the general inventory up to date;
g) Promote the recruitment, promotion and hiring of workers, as well as the application of mobility instruments;
h) Process the salaries of workers, CNPD members and the sole auditor;
i) Organize and keep up to date information on workers, CNPD members and the sole inspector;
j) Promote the training of workers;
k) Promote the implementation of worker assessments;
l) Instruct and propose decisions in disciplinary proceedings;
m) Act as secretary to the president and the secretary;
n) Ensure the registration and forwarding of correspondence, as well as the organization and filing of documents;
o) Ensure external assistance and support for meetings;
p) Ensure the driving and maintenance of vehicles and receive and deliver documents and orders;
q) Perform any other tasks that, within the context of their functional area, are determined by the president or the secretary.
Article 28
Staff regime
1 - The general regime for work in public functions applies to CNPD workers.
2 - CNPD staff are exempt from working hours and therefore are not entitled to any remuneration for overtime, without prejudice to the provisions of Article 33.
Article 29
Identification card
CNPD employees are provided with an identification card stating the position held and the powers inherent to their function.
CHAPTER VI
Final and transitional provisions
Article 30
Staffing structure
1 - The staffing structure, as well as the functional content of the respective careers, is established by resolution of the Assembly of the Republic.
2 - CNPD consultant positions will be filled on a secondment basis, for an indefinite period, requisition or secondment, in the case of the appointment of a civil servant, or on an individual employment contract basis, when not linked to the Public Administration.
3 - The essential conditions for the recruitment of consultants are high professional competence and valid experience for the exercise of the function, to be assessed on the basis of their respective CVs.
4 - The period provided for in paragraph 1 of article 97 of the General Law on Employment in Public Functions, approved in the annex to Law no. 35/2014, of June 20, is not applicable to the mobility regime for the CNPD support services, although mobility may be terminated by decision of the president, after hearing the Committee, or at the request of the interested party.
5 - When the complexity and/or specificity of the matters so requires, the president may authorize the hiring of staff under a service provision contract.
6 - For the performance of functions in the CNPD support services within the scope of mobility mechanisms, and whenever this is done at the employee's initiative, the agreement of the service of origin is waived.
Article 31
Public sector workers
The appointment of public sector workers to the position of consultant by commission of service does not create a vacancy in the list of origin, and all rights inherent to their previous positions or functions are safeguarded, particularly for the purposes of promotion or progression.
Article 32
Base remuneration, recruitment, promotion and progression of consultants
1 - The monthly base remuneration of CNPD consultants is set out in list i attached to this law, of which it forms an integral part.
2 - Promotion and progression in the categories of coordinating consultant and consultant are governed by the principles applicable to the senior technical career.
3 - Direct recruitment to the category of coordinating consultant may take place, provided that candidates have the appropriate qualifications and professional experience for this purpose.
4 - Individuals with a degree and qualifications to perform the function may be recruited as assistant consultants, provided that recruitment in the consultant category is not justified.
Article 33
Permanent availability
1 - CNPD staff are entitled to a salary supplement, as permanent availability, of a monthly amount corresponding to 12.5% of the base salary.
2 - The supplement is paid in 12 monthly instalments and is relevant for retirement purposes, being considered in the calculation of the pension using the formula provided for in paragraph b) of No. 1 of article 47 of the Retirement Statute.
3 - CNPD staff covered by No. 1, 2, 7 and 9 of article 34 are not granted the supplement referred to in the previous numbers.
Article 34
Staff currently working for the CNPD
1 - The employees and agents currently working for the CNPD and who benefit from the regime set out in Article 26.3 of Law No. 67/98 of 26 October, shall be transferred to the new framework in accordance with the rules set out in the following paragraphs, maintaining their current remuneration status, which shall be considered personal remuneration.
2 - The CNPD staff not linked to the Public Administration who are in the situation set out in the previous paragraph shall be subject to the same remuneration regime, although their legal employment relationship shall be that of an individual employment contract, under the general law applicable to the Public Administration.
3 - The positions in the senior technical and IT specialist careers provided for in the staff framework, to ensure the transition set out in paragraphs 1 and 2, shall be abolished when they become vacant.
4 - Civil servants linked to the Public Administration providing services to the CNPD on the date of entry into force of this law shall transfer to the new framework, by decision of the latter, to the career and category that includes the functions that the civil servant effectively performs, without prejudice to the legally required qualifications and skills, in a step corresponding to the same salary index, or, when there is no coincidence of index, in a step corresponding to the closest higher index in the structure of the career for which the transition takes place.
5 - The correspondence referred to in the previous paragraph is established between the salary indexes defined for step 1 of the category in which the civil servant is located and step 1 of the category of the new career.
6 - Civil servants who, under the terms of paragraph 1, transfer to a different category shall be counted, in the latter, for all legal purposes, the time of service provided in the previous category, provided that the functions are identical or similar to those of the new career.
7 - The provisions of paragraph 1 also apply to the current secretary, with the necessary adaptations arising from the regime of performance of duties.
8 - The transition to the posts of the CNPD staff is made by order of the president, regardless of any other formalities, without prejudice to the provisions of paragraph 1.
9 - The CNPD may decide to maintain the commissions, requisitions or secondments of the staff in its service on the date of entry into force of this law, with the employees who benefit from paragraph 3 of article 26 of Law no. 67/98 maintaining their current remuneration status, which shall be of the nature of personal remuneration.
Article 35
Transitional rule
1 - The suspension of the service commission of the president of the CNPD shall remain in force until the end of his term of office.
2 - This law shall be applied in the current year within the budgetary framework approved for the CNPD in 2004.
Article 36
Repealing provision
The following are hereby repealed:
a) Decree-Law no. 121/93 of 16 April;
b) Resolution of the Assembly of the Republic no. 53/94 of 19 August.
ANNEX
MAP I
(referred to in no. 1 of article 32)
(see original document)