Data Protection & GDPR Compliance

Personal data refers to any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Essentially, if the information can be used to identify a person, it is considered personal data. 

Direct all data access requests to the Data Protection Officer (DPO) at pt.compliance@devoteam.com. The DPO will coordinate the response and ensure that it complies with the GDPR’s requirements. 

Yes, personal data can be shared with third-parties, but only if there is a legal basis for doing so. This may include obtaining consent from the data subject or ensuring that there is a contract in place that stipulates the obligations of the third-party regarding data protection. Always consult the DPO before sharing personal data. 

Once a data subject exercises their right to be forgotten, all their stored data must be deleted or anonymized, preventing any further contact based on internal records. However, a new contact may occur if the data subject's information is publicly available, for example, on LinkedIn or other similar platform. In this case, it is crucial to ensure that the contact complies with GDPR principles, such as transparency, legitimacy, and purpose.

Can we contact a data subject via LinkedIn after they have requested to be forgotten?

Yes, it is possible to contact a data subject via LinkedIn, provided that:

• The data subject's profile is public and accessible without relying on previously deleted data.

• The contact is made within the permissions and purposes allowed by LinkedIn’s terms of use.

• The data subject is clearly informed about who is making the contact, the purpose, and their rights, including the option to refuse further interaction.

How can we ensure that a new contact does not violate the right to be forgotten?

To mitigate risks, we must document and follow these best practices:

• Confirm that the data subject’s information was fully deleted from internal records as requested.

• Ensure that the new contact is based solely on publicly available information and does not reuse previously stored data.

• Provide clear information to the data subject about the purpose of the contact and their rights.

What if the data subject questions the new contact?

If the data subject believes that the contact violates their right to be forgotten, we must be prepared to demonstrate that:

• Their personal data was entirely deleted from internal records.

• The contact was made solely based on publicly accessible information.

• The purpose of the contact aligns with the data subject’s expectations as a user of the platform where they were found (e.g., LinkedIn).

Non-compliance with GDPR can lead to significant penalties, including fines of up to €20 million or 4% of the company’s global annual turnover, whichever is higher. Additionally, non-compliance can damage our organisation’s reputation and erode trust with clients and stakeholders. It is crucial to adhere to all regulations. 

• What are the general principles for transferring personal data outside the EU (Article 44)?
  Transfers of personal data to non-EU countries or international organizations (Chapter V GDPR) are allowed only if the level of protection guaranteed by GDPR is maintained. This applies to onward transfers as well.

• What is an adequacy decision (Article 45)?
  The European Commission may decide that a country, territory, or specific sector provides an adequate level of data protection. Transfers to such entities do not require additional safeguards or authorizations.

• What if there is no adequacy decision (Article 46)?
  If no adequacy decision exists, transfers are permitted if appropriate safeguards are in place, such as:

  • Legally binding agreements

  • Standard contractual clauses (SCCs) approved by the Commission

  • Binding Corporate Rules (BCRs) for intra-group transfers

• Can personal data be transferred under special circumstances (Article 49)?

Yes, transfers are allowed under specific conditions, such as:

• Explicit consent from the data subject

• Necessity for the performance of a contract

• Public interest reasons

• Protection of vital interests or legal claims

• Are there restrictions on requests from non-EU authorities (Article 48)?

Any transfer required by a non-EU court or authority is only valid if based on an international agreement, such as a mutual legal assistance treaty.

A Supervisory Authority is a public authority responsible for monitoring and enforcing GDPR compliance within its jurisdiction. In each EU member state, there is a designated Supervisory Authority (also known as a Data Protection Authority, or DPA), which handles tasks such as:

• Investigating complaints from individuals regarding the processing of their personal data

• Conducting audits to ensure organisations comply with GDPR

• Issuing warnings, reprimands, or fines for non-compliance

• Providing guidance on data protection issues

In Portugal, the Comissão Nacional de Proteção de Dados (CNPD) is the Supervisory Authority responsible for overseeing GDPR compliance. Organisations must cooperate with the CNPD and notify them in the event of certain data breaches, particularly if there is a risk to individuals' rights and freedoms.