News And Publications

Projeto de Internacionalização



The National Data Protection Commission (NDPC) has been asked to comment on the draft decree-law approved at a meeting of the Council of Ministers which amends the legal framework on medicinal products for human use, by implementing the European Commission Directive (EU) 2017/1572.

This draft decree-law deals with various aspects of the manufacture of medicinal products and all the related operations, introducing amendments to prevent falsifications in the legal supply chain of medicinal products, thereby preventing threats to public health.

According to the opinion of the NDPC issued on March 23, the amendments introduced by the Government in the draft decree-law do include several measures falling within the legal system on personal data protection.

For example, according to the NDPC, article 65 of the decree-law draft foresees a “quality control system”, which shall include a “document” with “the duties of the managerial and supervisory staff of the medicinal product including the qualified persons responsible for implementing and operating good manufacturing practices, as well as the respective hierarchical relationship”.

In this regard, the NDPC points out that this entails the existence of records containing the identification of employees of the manufacturer of the medicinal product, who are responsible for the management and supervision of the good practices in the manufacture of medicinal products, which consist of personal data processing.

In article 71 of the decree-law draft, the NDPC identifies a second type of personal data processing, which consists in the obligation falling on the manufacturer to have a system for recording and reviewing complaints. As certain complainants could be natural persons that will be identified, the NDPC considers that “there is a chance that the complaints will contain health data of identified or identifiable natural persons”.

For the sake of compliance with the legal data protection regulation and, particularly, with the General Data Protection Regulation (Regulation (UE) 2016/670), which shall be enforced as of May 25, 2018, the NDPC recommends the inclusion in the law of “a general rule defining that personal data processing” is subject to the legal data protection system and of a specific rule which “regulates the exercise of the right of access by natural persons, whose data will be processed”.

It should be recalled that the rights of data subjects have been strongly reinforced by the General Data Protection Regulation, namely the right to information, according to which the person who is responsible for the data processing shall provide the data subject with information on the data processing and on the data subject’s rights.


Co-financed by:
This website uses cookies to improve your navigation experience. By navigating without disabling cookies, you are giving consent to our cookie policy. Please consult our Terms and Conditions and Privacy Policy.    OK