PORTUGAL Law and Practice Contributed by: Ricardo Henriques and Diogo Pereira Duarte, Abreu Advogados
technical or organisational measures (‘integrity and confidentiality’)”. This principle is given effect by Article 32 (security of processing) and by Articles 33 and 34, which set out the notification and communication obligations in the event of a personal data breach.

In light of this legal framework, Controllers and Processors are required to adopt “appropriate” technical and organisational measures to ensure a level of security that is appropriate to the potential risks. The adjective “appropriate” allows for a risk-based approach to the controls that should be implemented, taking into account the state of the art. For this purpose, the Article lists some controls that represent the professional consensus on security controls for processing, such as encryption and pseudonymisation. When assessing the adequacy of the technical and operational measures to be implemented, the Controller or Processor concerned may take into consideration the cost of implementation, the risks associated with the processing activities and their severity for the rights and freedoms of data subjects.

However, it is mandatory that Controllers and Processors have in place adequate mechanisms for detecting personal data breaches, a personal data breach being a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (see Article 4(12)). When the Controller becomes aware of such a breach, it must consider the obligation to notify the supervisory authority without undue delay where there is a foreseeable risk to the rights and freedoms of natural persons. If the Controller or the supervisory authority subsequently concludes that there is a high risk to the rights of data subjects, it is obliged to communicate the personal data breach to the data subjects without undue delay and in accordance with the provisions of Article 34.

The national law implementing the GDPR (Law No 58/2019) does not provide any further specifications regarding the security of processing. Nevertheless, it is worth noting that the Portuguese data protection authority (Comissão Nacional de Proteção de Dados, or CNPD) has issued guidelines (Diretriz/2023/1, CNPD, available in Portuguese here) proposing indicative security measures to be implemented by data Controllers. In terms of organisational measures, the CNPD suggests that Controllers and Processors consider implementing analysis procedures for monitoring network flows and carrying out periodic IT security audits and vulnerability assessments. With regard to technical measures, the CNPD suggests, inter alia, increasing the robustness of servers.

Given the synergies between cybersecurity and the protection of personal data, the CNCS acts in collaboration with the CNPD whenever a cybersecurity incident involves a breach of personal data.

6.2 Cybersecurity and AI

As artificial intelligence systems are composed of digital components, they are particularly vulnerable to cyber-attacks and cybersecurity incidents. These incidents can affect not only the AI system’s performance but also its end users. For instance, a cybersecurity breach affecting the algorithm or training data of a credit scoring AI system could have severe consequences for users seeking to obtain credit.
212 CHAMBERS.COM