Consent is one of the legal bases for the processing of personal data and plays a fundamental role in protecting citizens' privacy.
It is a free, specific, informed, and unambiguous manifestation of will, by which the data subject clearly accepts that their personal data be processed for a determined purpose. It can be given in writing, verbally, or electronically, provided it can be demonstrated.
Whenever there is no other applicable legal basis. It is mandatory, for example:
No. Consent must be given voluntarily. If it is imposed as a condition to access a service that does not require such processing, it is considered invalid.
Yes. The data subject can withdraw their consent at any time, without prejudice to the legality of the previous processing. Withdrawal must be as easy as granting it.
The processing may be considered unlawful, and the responsible entity may be sanctioned. The data subject can also file a complaint with the CNPD.
Organizations must ensure that:
The processing of biometric data requires enhanced care, as this data is considered sensitive and is subject to a higher level of protection.
It is personal data resulting from the technical processing of physical, physiological, or behavioral characteristics (such as fingerprints, facial recognition, iris, voice, etc.) that allow for the unequivocal identification of a person.
When is the use of biometrics allowed?
Only when there is an adequate legal basis, such as:
Can it be used for attendance control?
Yes, but with restrictions. It should only be used if there are no less intrusive alternatives. Workers must be informed, and the principles of proportionality and necessity must be respected.
No. They should only be kept for the strictly necessary time, with appropriate security measures.
In most cases, yes. However, there may be exceptions (e.g., public security or legal obligation), provided they are foreseen in the legislation.
The use of video surveillance cameras must respect the fundamental rights of citizens, including their privacy and personal data protection.
When there is a legitimate justification, such as the security of people and property, access control, or crime prevention. The use must be proportionate and not abusive.
Yes. It may be necessary to notify or obtain authorization from the CNPD. Filmed individuals must be clearly informed, with visible signage.
Images should only be stored for the time necessary for the defined purpose, respecting legal deadlines. Access to images must be restricted and protected.
Yes, but it cannot be used for continuous performance monitoring. Installation must respect labor rights, and workers must be informed.
Video surveillance in public spaces can only be carried out by legally authorized entities. Private cameras cannot film public roads without authorization.
Images should only be stored for the time necessary for the defined purpose, respecting legal deadlines. Access to images must be restricted and protected.
Yes, but it cannot be used for continuous performance monitoring. Installation must respect labor rights, and workers must be informed.
Video surveillance in public spaces can only be carried out by legally authorized entities. Private cameras cannot film public roads without authorization.
In case of abusive use, file a complaint with the CNPD.
The Single Report is a legal obligation of employers, which includes the processing of workers' personal data. The protection of this data is essential.
What obligations do employers have?
They must ensure that:
What data is processed?
No. The processing is based on the fulfillment of a legal obligation. However, workers must be informed about the purpose and processing of their data.
Only for the time necessary to fulfill the legal obligation. After this period, the data must be deleted or anonymized.
The entity must assess the incident and, if necessary, notify the CNPD and the data subjects.
For more info, check out the CNPD.
