TMT 2025

PORTUGAL Law and Practice Contributed by: Jorge Silva Martins, João Carminho and Inês Coré, CS’Associados

• Cybersecurity governance:
  (a) implement a Cybersecurity Management System aligned with standards such as ISO/IEC 27001 and ENISA guidelines for IoT security; and
  (b) conduct regular vulnerability assessments and penetration testing to identify and mitigate risks associated with IoT devices.
• IoT-specific policies and controls:
  (a) develop governance policies for IoT deployments, covering areas such as device authentication, encryption standards, and data lifecycle management; and
  (b) establish clear guidelines for third-party IoT vendors, ensuring compliance with Portuguese and EU data protection and cybersecurity laws.

4.3 Data Sharing

Key Legal Requirements

IoT companies in Portugal must comply with the following key legal requirements regarding data sharing:

• General Data Protection Regulation (GDPR):
  (a) Personal data sharing must align with GDPR principles, including lawfulness, fairness, transparency, purpose limitation, and data minimisation.
  (b) Processing personal data requires a valid legal basis (eg, user consent or legitimate interests), and users must be clearly informed about how their data will be shared and for what purpose.
• Data Act (Regulation (EU) 2023/2854): The Data Act introduces additional obligations for IoT manufacturers and service providers to facilitate access to and the sharing of data generated by connected devices. Key requirements include:
  (a) User empowerment: Users (individuals or businesses) must be able to access and share the data generated by their IoT devices with third parties of their choice;
  (b) Fair, reasonable, and non-discriminatory (FRAND) terms: Data-sharing agreements, particularly in B2B contexts, must adhere to FRAND principles.
  (c) Business-to-government (B2G) sharing: IoT companies may be required to share data with public authorities in cases of emergencies or public interest needs.
• Sector-specific rules: Certain industries, such as healthcare, finance, and energy, are subject to heightened data-sharing requirements due to their reliance on high-value or sensitive data.

Heightened Requirements for Specific Data Categories

• Special categories of personal data: GDPR imposes stricter requirements for processing and sharing special categories of data (eg, health data, biometric data) generated by IoT devices.
• Trade secrets and proprietary data: The Data Act protects trade secrets and ensures that data sharing does not undermine a company’s intellectual property, provided confidentiality safeguards are applied.

5. Audiovisual Media Services

5.1 Requirements and Authorisation Procedures

Provision of Audio–Visual Media Services in Portugal

The provision of audio–visual media services (AVMS) in Portugal is primarily governed by the following legislation:

• Decree-Law No 46/2023 (which transposes into national law Directive (EU) 2019/789
