Privacy Officers Network

24 - 25 November 2010

Lisbon, Portugal

Overview

Attending this Briefing and Roundtable will help you to protect your reputation and reduce your legal risks and costs from failure to comply with Portugal's data protection law.

The risks result from a distinctive Portuguese interpretation of the EU Data Protection Directive, which in some areas differs from that of the majority of other EU Member States. You will learn about strong Data Protection Commission policies on, for example: whistle blowing, drug and alcohol use records, e-mail, Internet and video monitoring in the workplace, tracking of mobile phones, international transfers of personal data, and the circumstances in which the range of enforcement tools, such as inspections and prosecutions, are used. Learn how to prepare your own compliance plan.

Briefing Agenda

24th November
Host: Magda Cocco, Partner, Vieira de Almeida & Associados, Lisbon

09.00 Registration and Coffee

09.30 Welcome and Introduction
Magda Cocco, Partner, Vieira de Almeida & Associados, Lisbon
Stewart Dresner, Chief Executive, Privacy Laws & Business, UK

09.50 Unique features of data privacy in Portugal
Magda Cocco, Vieira de Almeida & Associados, Lisbon

  • General overview of the Portuguese data privacy scene
  • Top data privacy issues in Portugal:
    Specific data privacy issues in Portuguese legislation;
    Processing of personal data for marketing purposes;
    Database management; legal and practical issues
    concerning data retention periods and deletion of data;
    Portugal's Data Privacy Authority — powers and practices
    Specific practical issues regarding particular sectors
    (e.g., telecoms, pharmaceutical, financial services)

11.00 Coffee Break

11.30 Privacy challenges for human resources compliance
Jacinto Moniz de Bettencourt, Attorney, Uría Menéndez, Lisbon

  • Whistleblowing procedures
  • Harassment policies
  • Internet and e-mail monitoring

12.15 Outsourcing
Leonor Vale de Castro, Associate, Vieira de Almeida & Associados, Lisbon

  • Negotiating privacy aspects of an outsourcing agreement
  • Liability in data processing — distinction between data controller/data processor (who is liable?)

12.45 A practical approach to data privacy issues
Introduction of speakers by Leonor Pimenta Pissarra, Managing Associate, Vieira de Almeida & Associados, Lisbon
Pedro Freitas, Legal Director, Associação Portuguesa da Indústria Farmacêutica, Lisbon
A Speaker, Barclays Bank, Portugal

13.15 Lunch

14.15 Data privacy issues in international data transfers
Inês Antas de Barros, Associate, Vieira de Almeida & Associados, Lisbon

  • General Overview of the legal scene
  • Binding Corporate Rules/EU Standard Contractual Clauses/Intra-Group Agreements
  • International data transfer to African Portuguese speaking countries — main issues and data privacy law in
    Angola, Mozambique and the Cape Verde Islands

15.00 How to prepare for inspections, audits and dawn raids by Portugal's Data Protection Authority (CNPD)
Sofia Ribeiro Branco, Managing Associate, Vieira de Almeida & Associados, Lisbon

  • How does the CNPD decide who to inspect?
  • Who should be responsible in your company?
  • Preparing a plan

16.00 Coffee Break

16.15 Questions & Answers
Margarida Couto, Partner, Vieira de Almeida & Associados, Lisbon

Open Q&A session to speakers, for example:

  • What kind of data security should my company adopt?
  • What should we do if a laptop computer with personal data is lost or stolen?
  • How should I add privacy to our current audit program?
  • How should I respond if the police request access to telecommunications and/or e-mail records?
  • How can I persuade management to put privacy on their agenda?
  • Do I need to appoint a Data Protection Officer? If so, what is their role?

17.00 Close

Roundtable Agenda

25th November
Host: Comissão Nacional de Protecção de Dados (CNPD)

09.00 Registration

09.20 Welcome and Introduction
Dr. Luís Novais Lingnau da Silveira, President, Comissão Nacional de Protecção de Dados (CNPD);
Stewart Dresner, Chief Executive, Privacy Laws & Business, UK and Chair for the Roundtable

09.30 Framework for the Commission's decision making
Isabel Cruz, Secretary General, CNPD, Lisbon

  • The constitution, the law and the Commission's codes and guidance
  • Human resources
  • Notification fees and the transition from paper to online notification to the Commission

10.00 Employment issues
Sónia Sousa Pereira, Legal Service, CNPD, Lisbon

  • The Commission's new policy on whistle blowing: A framework for responsible, confidential, but not anonymous, allegations to permit a right of response by the accused
  • Health records and use for management of fitness to work and absence from work
  • Drug and alcohol use records: Criteria for an acceptable access and use policy according to relevance to an individual's role within the organization; and distinction between working time and out of work behaviour

10.40 Questions & Answers

11.00 Coffee Break

11.20 Surveillance
Dr. Luís Novais Lingnau da Silveira, President, CNPD, Lisbon

  • E-mail and Internet monitoring in the work place
  • Telephone monitoring in the work place
  • Monitoring of business and private calls using a company mobile phone or other mobile device
  • Tracking of mobile phones and their location in working and non-working hours
  • Call centres
  • Video surveillance
  • Duties of controllers and processors
  • Monitoring using biometric monitoring, for example, fingerprint, palm and iris scanning

12.20 Questions & Answers

13.00 Lunch

14.00 International transfers of personal data outside the European Economic Area
Clara Guerra, Consultant, International Relations, CNPD, Lisbon

  • The Commission's view of the Binding Corporate Rules (BCR) mutual recognition procedure and other
    countries' Data Protection Authorities' approval of BCR
  • Rationale for the Commission's policy for European Union model contracts and inter-group agreements
  • Duties of controllers and processors
  • The US Safe Harbor program
  • A company designating a processing operation 'adequate' even though it is not in a country declared to
    be 'adequate' by the European Commission (EU Data Protection Directive Art 26.2 — interpretation of 'adequate safeguards')

14.40 Questions & Answers

15.00 Enforcement: Inspections
Carlos Campos Lobo, Commissioner, CNPD, Lisbon

  • How does the Commission decide which organisations to inspect?
  • When does the Commission give advance notice and when does it not do so?
  • Who is in the Commission's inspection team?
  • How much time does an inspection take?
  • Does the inspected organisation have an opportunity to comment on the draft report?
  • In which circumstances will the Commission decide to make recommendations rather than impose a sanction?
  • If a fine is imposed, how can the company appeal?
  • Will the inspection report be published and, if so, how, for example, the Commission's annual report, website?
  • In what circumstances does the Commission delegate its power of inspection to the police?

15.20 Questions & Answers

15.30 Coffee Break

15.45 Enforcement: Prosecutions
Carlos Campos Lobo, Commissioner, CNPD, Lisbon

  • In what circumstances does the Commission prosecute?
  • How can a company defend itself?

16.00 Questions & Answers

16.10 Enforcement: Non-authorisation of a type of processing
Vasco Almeida, Commissioner, CNPD, Lisbon

  • If the Commission refuses to authorize a type of processing (making it illegal), how can a company appeal?
  • If the Commission uses its power to shut down a database, how can a company appeal?
  • If a company applies for Commission authorization to start a type of processing, for example, video surveillance, what should it do if it has not received a reply within a period of, for example, three months?

16.30 Questions & Answers

16.40 Open Q&A Session

17.00 Close