Processing and protection of personal data in electronic communications

The publication of Law 46/2012, of 29 August, has significantly altered national legislation on the processing and protection of personal data in electronic communications.

In essence, there have been amendments to various aspects related to the regulation of the use of cookies, the treatment and storage of traffic data, breaches of personal data, restrictions on electronic communications and the powers of the CNPD (the National Data Protection Committee) and ICP-ANACOM (the regulatory and supervisory body for communications).

Cookies will now be allowed only with the prior consent of the user, whose non-opposition to their use will cease to be sufficient to obtain the data stored in electronic communication networks. In addition, with regard to the storage and processing of traffic data, a rule has been imposed requiring the prior express consent of the holder of such data, which is to be processed within as short a space of time as possible.

Companies that offer electronic communications services accessible to the public will now be obliged to notify any breach of the stored personal data to the CNPD and the respective data holders, unless they are able to prove that all the necessary and appropriate technological measures for the protection of such information have been taken. These companies must also keep an up-to-date register of such occurrences.

In respect of unsolicited electronic communications made by any entity for marketing purposes, using the stored personal data to this end, the new legislation states that this type of direct marketing can only be made with the prior express authorisation of the holders of the personal data, and tacit authorisation will cease to be possible. Finally, the legislation also imposes an obligation to compile an updated list of individuals who expressly and freely authorise the receipt of promotional correspondence for direct marketing purposes, as well as of those who do not object to receiving such correspondence. This obligation also involves monthly consultation of a list of companies and businesses that have demonstrated their objection to receiving this type of correspondence, which is made available and kept up to date by the Directorate General of Consumers.

In the wake of the new obligations imposed on companies providing services related to electronic communications, the National Committee for Data Protection (CNPD) and ICP-ANACOM have been granted new powers. The powers conferred on the CNPD involve the monitoring of compliance with the imposed obligations, and ICP-ANACOM has been granted powers to make recommendations on compulsory security measures for this kind of company and also to ask for information whenever it sees fit. In addition to these powers, the CNPD and ICP-ANACOM now also have the power to impose, apart from the existing fines, additional penalties and compulsory monetary penalties of between €500 and €1,000,000 per day.

The amendments made by this law came into force on 30 August 2012, and all companies that provide electronic communications should already be complying with the new obligations and be prepared for a CNPD inspection at any time.

Ana Nobre de Sousa