Public Consultation and Guidelines issued by CNPD

According to the CNPD, the purpose of this guideline is to address the lack of legal rules governing the status of DPOs within public entities, particularly regarding their performance evaluation when they accumulate other functions in the public entity. This led the CNPD to initiate a public consultation in order to gather feedback, including practical experiences, that can broaden perspectives and enhance the usefulness and appropriateness of the forthcoming guideline.

The current legislation, Law no. 58/2019, implemented in the Portuguese legal system to comply with Regulation (EU) 2016/679 of the Parliament and of the Council of April 27, 2016 (RGPD), was deemed insufficient to address this issue. Public organizations, due to the principle of legality, have more limited organizational autonomy when it comes to evaluating their employees. Consequently, it becomes more challenging to establish suitable evaluation methods for workers who also serve as DPOs within public entities. Therefore, until specific regulation on this matter is approved, the CNPD has decided to issue a new public consultation prior to the Guideline.

In the view of the CNPD, regarding the assessment of workers who perform DPO duties, it is crucial to distinguish between different functional activities they undertake, and it is of utmost importance that the tasks assigned to the worker outside the functional perimeter of the DPO do not include the duties and responsibilities of a DPO. Thus, regarding the activity outside the DPO functional perimeter, the employee may be evaluated under the general terms of the legal regime of evaluation of employees exercising public functions. This approach ensures the worker evaluations do not conflict with other interests.

Regarding the activity performed by the employee as a DPO, the manager of the department (where the employee performs the activity outside the DPO's functional perimeter) can never set the objectives and assess the performance of his/her duties. It is also deemed unreasonable to have a combined performed evaluation of the two functional activities by the same supervisor.

In cases where the worker exclusively carries out DPO functions, the CNPD has concluded that the assessment should be conducted by the highest hierarchical body to which the DPO reports, given that the competence to assess the worker performance is implicit in the competence of the person who appointed the DPO.

Additionally in April, the CNPD approved five new guidelines, our of which focus on the disclosure and sharing of data on the Internet with third parties through other means. 

These subjects are often topic of consultations and requests for clarification, leading the CNPD to issue guidelines on the following subjects: 

 

Furthermore, this independent administrative body has published a guideline concerning the incompatibility between the duties of the Data Protection Officer (DPO) and the functions performed by the Information Access Officer (IAO). The CNPD identified a potential conflict of interest in the activities carried out by the DPO and IAO, as decision-making is subject to control and audit by the DPO.