Data Protection & GDPR Compliance
FAQs
What is GDPR, and why is it important?
Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, establishes rules concerning the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repeals Directive 95/46/EC (General Data Protection Regulation). It became applicable from 25 May 2018. The GDPR aims to protect the privacy and personal data of individuals, giving them greater control over how their data is collected, stored, and processed. Compliance with GDPR is crucial for maintaining the trust of clients and employees, avoiding legal penalties, and safeguarding Devoteam Portugal's reputation.
What constitutes personal data under GDPR?
Personal data refers to any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Essentially, if the information can be used to identify a person, it is considered personal data.
How do I know if I need to collect consent for data processing?
You must obtain consent if you are processing personal data for purposes other than those necessary for the performance of a contract, compliance with a legal obligation, or legitimate interests. Examples of such purposes include marketing communications, profiling, or sharing data with third parties. Always ensure that consent is informed, specific, and freely given, and that it can be easily revoked at any time, using the same method by which it was provided. If you have any questions about the need to collect consent, please contact the Data Protection Officer (DPO) at pt.compliance@devoteam.com.
What should I do if I receive a data access request from an employee or client?
Direct all data access requests to the Data Protection Officer (DPO) at pt.compliance@devoteam.com. The DPO will coordinate the response and ensure that it complies with the GDPR’s requirements.
What steps should I take in the event of a data breach?
If you suspect a data breach, immediately notify the Data Protection Officer (DPO) through Service Desk > Security & Data Privacy > Information Security Weakness / Event / Incident. The DPO will ensure that the Data Breach Response Procedure is followed to assess the situation and take appropriate action.
Can personal data be shared with third parties?
Yes, personal data can be shared with third parties, but only if there is a legal basis for doing so. This may include obtaining consent from the data subject or ensuring that there is a contract in place that stipulates the obligations of the third party regarding data protection. Always consult the DPO before sharing personal data.
How long can we retain personal data?
Personal data should only be retained for as long as necessary to fulfil the purposes for which it was collected or to meet legal obligations. After this period, the data must be securely deleted or anonymized. Each area/unit must comply with the PT-PROC5.0-SP13.0 - Information Management Policy, which outlines specific retention periods for different categories of data.
Can we contact a data subject again after they have exercised their right to be forgotten? (e.g., on LinkedIn)
Once a data subject exercises their right to be forgotten, all their stored data must be deleted or anonymized, preventing any further contact based on internal records. However, a new contact may occur if the data subject's information is publicly available, for example, on LinkedIn or another similar platform. In this case, it is crucial to ensure that the contact complies with GDPR principles, such as transparency, legitimacy, and purpose.
Can we contact a data subject via LinkedIn after they have requested to be forgotten?
Yes, it is possible to contact a data subject via LinkedIn, provided that:
The data subject's profile is public and accessible without relying on previously deleted data.
The contact is made within the permissions and purposes allowed by LinkedIn’s terms of use.
The data subject is clearly informed about who is making the contact, the purpose, and their rights, including the option to refuse further interaction.
How can we ensure that a new contact does not violate the right to be forgotten?
To mitigate risks, we must document and follow these best practices:
Confirm that the data subject’s information was fully deleted from internal records as requested.
Ensure that the new contact is based solely on publicly available information and does not reuse previously stored data.
Provide clear information to the data subject about the purpose of the contact and their rights.
What if the data subject questions the new contact?
If the data subject believes that the contact violates their right to be forgotten, we must be prepared to demonstrate that:
Their personal data was entirely deleted from internal records.
The contact was made solely based on publicly accessible information.
The purpose of the contact aligns with the data subject’s expectations as a user of the platform where they were found (e.g., LinkedIn).
Can we maintain a database to ensure that a data subject who exercised their right to be forgotten is not contacted again?
No. Keeping a record for the purpose of avoiding future contacts could be considered contradictory to the right to be forgotten. The best practice is to ensure that any new contact results solely from publicly available information at the time of prospecting.
What are the consequences of non-compliance with GDPR?
Non-compliance with GDPR can lead to significant penalties, including fines of up to €20 million or 4% of the company’s global annual turnover, whichever is higher. Additionally, non-compliance can damage our organisation’s reputation and erode trust with clients and stakeholders. It is crucial to adhere to all regulations.
What is a Data Protection Impact Assessment (DPIA), and when is it required?
A Data Protection Impact Assessment (DPIA) is a process designed to help organisations identify and minimise the data protection risks of a project or processing activity. It is required when data processing is likely to result in a high risk to the rights and freedoms of individuals. This includes cases such as:
Large-scale processing of sensitive data (e.g., health, race, or biometric data)
Systematic monitoring of public areas (e.g., CCTV)
Automated decision-making with significant effects on individuals (e.g., profiling)
Conducting a DPIA helps ensure that privacy risks are assessed and mitigated, and it demonstrates compliance with GDPR’s accountability principles. If you're unsure whether a DPIA is required for a specific project, consult the Data Protection Officer (DPO) for guidance.
Transfers of Personal Data Outside the EU
What are the general principles for transferring personal data outside the EU (Article 44)?
Transfers of personal data to non-EU countries or international organizations (Chapter V GDPR) are allowed only if the level of protection guaranteed by GDPR is maintained. This applies to onward transfers as well.
What is an adequacy decision (Article 45)?
The European Commission may decide that a country, territory, or specific sector provides an adequate level of data protection. Transfers to such entities do not require additional safeguards or authorizations.
What if there is no adequacy decision (Article 46)?
If no adequacy decision exists, transfers are permitted if appropriate safeguards are in place, such as:
Legally binding agreements
Standard contractual clauses (SCCs) approved by the Commission
Binding Corporate Rules (BCRs) for intra-group transfers
Can personal data be transferred under special circumstances (Article 49)?
Yes, transfers are allowed under specific conditions, such as:
Explicit consent from the data subject
Necessity for the performance of a contract
Public interest reasons
Protection of vital interests or legal claims
Are there restrictions on requests from non-EU authorities (Article 48)?
Any transfer required by a non-EU court or authority is only valid if based on an international agreement, such as a mutual legal assistance treaty.
What are Binding Corporate Rules?
Binding Corporate Rules (BCRs) are internal rules adopted by multinational companies to ensure personal data is protected during international transfers. They must be approved by a supervisory authority and provide enforceable rights for data subjects.
What is the role of the Supervisory Authority in GDPR?
A Supervisory Authority is a public authority responsible for monitoring and enforcing GDPR compliance within its jurisdiction. In each EU member state, there is a designated Supervisory Authority (also known as a Data Protection Authority, or DPA), which handles tasks such as:
Investigating complaints from individuals regarding the processing of their personal data
Conducting audits to ensure organisations comply with GDPR
Issuing warnings, reprimands, or fines for non-compliance
Providing guidance on data protection issues
In Portugal, the Comissão Nacional de Proteção de Dados (CNPD) is the Supervisory Authority responsible for overseeing GDPR compliance. Organisations must cooperate with the CNPD and notify them in the event of certain data breaches, particularly if there is a risk to individuals' rights and freedoms.
Who should I contact if I have questions about data protection?
If you have any questions or concerns regarding data protection or GDPR compliance, please reach out to our Data Protection Officer at pt.compliance@devoteam.com.
Last updated: 22/02/2025
Author: Rute Reizinho, Compliance Director & DPO at Devoteam Portugal