Privacy Officers Network
24 - 25 November 2010
Lisbon, Portugal
Overview
Attending this Briefing and Roundtable will help you to protect your reputation and reduce your legal risks and costs from failure to comply with Portugal's data protection law.
Briefing Agenda
24th November
Host: Magda Cocco, Partner, Vieira de Almeida & Associados, Lisbon
09.00 Registration and Coffee
09.30 Welcome and Introduction
Magda Cocco, Partner, Vieira de Almeida & Associados, Lisbon
Stewart Dresner, Chief Executive, Privacy Laws & Business, UK
09.50 Unique features of data privacy in Portugal
Magda Cocco, Vieira de Almeida & Associados, Lisbon
- General overview of the Portuguese data privacy scene
- Top data privacy issues in Portugal:
Specific data privacy issues in Portuguese legislation;
Processing of personal data for marketing purposes;
Database management; legal and practical issues
concerning data retention periods and deletion of data;
Portugal's Data Privacy Authority's — powers and practices
Specific practical issues regarding particular sectors
(e.g., telecoms, pharmaceutical, financial services)
11.00 Coffee Break
11.30 Privacy challenges for human resources compliance
Jacinto Moniz de Bettencourt, Attorney, UrÃa Menéndez, Lisbon
- Whistleblowing procedures
- Harassment policies
- Internet and e-mail monitoring
12.15 Outsourcing
Leonor Vale de Castro, Associate, Vieira de Almeida & Associados, Lisbon
- Negotiating privacy aspects of an outsourcing agreement
- Liability in data processing — distinction between data controller/data processor (who is liable?)
12.45 A practical approach to data privacy issues
Introduction of speakers by Leonor Pimenta Pissarra, Managing Associate, Vieira de Almeida & Associados, Lisbon
Pedro Freitas, Legal Director, Associação Portuguesa da Indústria Farmacêutica, Lisbon
A Speaker, Barclays Bank, Portugal
13.15 Lunch
14.15 Data privacy issues in international data transfers
Inês Antas de Barros, Associate, Vieira de Almeida & Associados, Lisbon
- General Overview of the legal scene
- Binding Corporate Rules/EU Standard Contractual Clauses/Intra-Group Agreements
- International data transfer to African Portuguese speaking countries — main issues and data privacy law in
Angola, Mozambique and the Cape Verde Islands
15.00 How to prepare for inspections, audits and dawn raids by Portugal's Data Protection Authority (CPND)
Sofia Ribeiro Branco, Managing Associate, Vieira de Almeida & Associados, Lisbon
- How does the CNPD decide who to inspect?
- Who should be responsible in your company?
- Preparing a plan
16.00 Coffee Break
16.15 Questions & Answers
Margarida Couto, Partner, Vieira de Almeida & Associados, Lisbon
Open Q&A session to speakers, for example:
- What kind of data security should my company adopt?
- What should we do if a laptop computer with personal data is lost or stolen?
- How should I add privacy to our current audit program?
- How should I respond if the police requests access to telecommunications and/or e-mail records?
- How can I persuade management to put privacy on their agenda?
- Do I need to appoint a Data Protection Officer? If so, what is their role?
17.00 Close
Roundtable Agenda
25th November
Host: Comissão Nacional de Protecção de Dados (CNPD)
09.00 Registration
09.20 Welcome and Introduction
Dr. LuÃs Novais Lingnau da Silveira, President, Comissão Nacional de Protecção de Dados (CNPD);
Stewart Dresner, Chief Executive, Privacy Laws & Business, UK and Chair for the Roundtable
09.30 Framework for the Commission's decision making
Isabel Cruz, Secretary General, CNPD, Lisbon
- The constitution, the law and the Commission's codes and guidance
- Human resources
- Notification fees and the transition from paper to online notification to the Commission
10.00 Employment issues
Sónia Sousa Pereira, Legal Service, CNPD, Lisbon
- The Commission's new policy on whistle blowing: A framework for responsible, confidential, but not anonymous, allegations to permit a right of response by the accused
- Health records and use for management of fitness to work and absence from work
- Drug and alcohol use records:Criteria for an acceptable access and use policy according to relevance to an individual's role within the organization; and distinction between working time and out of work behaviour
10.40 Questions & Answers
11.00 Coffee Break
11.20 Surveillance
Dr. Luís Novais Lingnau da Silveira, President, CNPD, Lisbon
- E-mail and Internet monitoring in the work place
- Telephone monitoring in the work place
- Monitoring of business and private calls using a company mobile phone or other mobile device
- Tracking of mobile phones and their location in working and non-working hours
- Call centres
- Video surveillance
- Duties of controllers and processors
- Monitoring using biometric monitoring, for example, fingerprint, palm and iris scanning
12.20 Questions & Answers
13.00 Lunch
14.00 International transfers of personal data outside the European Economic Area
Clara Guerra, Consultant, International Relations, CNPD, Lisbon
- The Commission's view of the Binding Corporate Rules (BCR) mutual recognition procedure and other
countries' Data Protection Authorities' approval of BCR - Rationale for the Commission's policy for European Union model contracts and inter-group agreements
- Duties of controllers and processors
- The US Safe Harbor program
- A company designating a processing operation 'adequate' even though it is not in a country declared to
be 'adequate' by the European Commission (EU Data Protection Directive Art 26.2 — interpretation of 'adequate safeguards')
14.40 Questions & Answers
15.00 Enforcement: Inspections
Carlos Campos Lobo, Commissioner, CNPD, Lisbon
- How does the Commission decide which organisations to inspect?
- When does the Commission give advance notice and when does it not do so?
- Who are in the Commission's inspection term?
- How much time does an inspection take?
- Does the inspected organisation have an opportunity to comment on the draft report?
- In which circumstances will the Commission decide to make recommendations rather than impose a sanction?
- If a fine is imposed, how can the company appeal?
- Will the inspection report be published and, if so, how, for example, the Commission's annual report, website?
- In what circumstances does the Commission delegate its power of inspection to the police?
15.20 Questions & Answers
15.30 Coffee Break
15.45 Enforcement: Prosecutions
Carlos Campos Lobo, Commissioner, CNPD, Lisbon
- In what circumstances does the Commission prosecute?
- How can a company defend itself?
16.00 Questions & Answers
16.10 Enforcement: Non-authorisation of a type of processing
Vasco Almeida, Commissioner, CNPD, Lisbon
- If the Commission refuses to authorize a type of processing (making it illegal), how can a company appeal?
- If the Commission uses its power to shut down a database, how can a company appeal?
- If a company applies for Commission authorization to start a type of processing, for example, video surveillance, what should it do if it has not received a reply within a period of, for example, three months?
16.30 Questions & Answers
16.40 Open Q&A Session
17.00 Close