The entry into force of the General Data Protection Regulation (GDPR) was expected to cause difficulties to data controllers and data processors mostly due to the practical consequences of the accountability principle and the role of risk. However, in Portugal, there were supplementary problems triggered by two events: the long legislative process of the national law implementing the GDPR and the decision of the national supervisory authority to disapply nine provisions of it. In August 2019, the Portuguese Parliament adopted the law implementing the GDPR, Law 58/2019, and one month later, the Portuguese supervisory authority, Comissão Nacional de Proteção de Dados, decided that nine articles of the recently adopted national law were incompatible with European Union Law. This chapter aims to address this chain of events, to understand the reasoning behind the decision of the Portuguese authority, and to tackle its practical consequences to day-to-day data-processing activities of data controllers and data processors. Overall, it also aims to evaluate what is left of the national piece of legislation after this decision.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.