Data Law Navigator | Portugal

Information on Data Protection and Cyber Security laws from CMS experts


The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.


Data Protection

Last updated 11 April 2018


Laws

  • Articles 34 and 35 of the Portuguese Constitution set out the main principles and fundamental rights regarding the processing of personal data.
  • Law No. 67/98 of October 1998 – General Data Protection Law (transposing Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data).
  • Law No. 41/2004 of 18 August 2004, amended by Law No. 46/2012 of 29 August, concerning the processing of personal data and privacy in the electronic communications sector (transposing Directive 2002/58/EC on privacy and electronic communications).
  • Law No. 32/2008 of 17 July 2008 (transposing Directive 2006/24/EC on the retention of data generated or processed by electronic communications).
  • Law No. 7/2009 of 12 February (Portuguese Labour Code), which includes provisions on the protection of employees’ privacy.
  • Law No. 34/2013 of 16 May 2013 regarding the use of video surveillance systems by private security agencies and for self-protection.
  • Law No. 1/2005, which establishes the rules on the use of video surveillance by public authorities in public places.
  • Law No. 207/2005 of November 2005 on electronic surveillance used by public authorities in traffic control.

Authority

Anticipated changes to law

The direct application of the GDPR will revoke and replace Law No. 67/98 and all national data protection provisions that are not in line with the EU regulation.

If applicable: stage of legislative implementation of GDPR

A public consultation was held (closing date 30 September 2017) that invited comment from private and public organisations about national laws regarding the application of the GDPR.

The public consultation has resulted in the draft of Law 67/2018 (Proposal for a Law on the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 [GDPR]).

By the end of February the draft had only been made available for analysis by some of the public and private partners who participated in the public consultation.

Nonetheless, we can confirm that, in its use of the legislative powers conferred on the Member States, the Group responsible for drafting the Proposal has achieved an insufficient result. Member State stakeholders are currently providing additional information and amendment proposals, which we expect to have a positive effect on the Proposal.

CMS-RPA is currently advising several stakeholders and expects to receive further information during the month of March.

If applicable: local derogations as permitted by GDPR

There is no specific information stating whether Portugal intends to derogate from the provisions of the GDPR. However, considering Portugal’s constitutional background, strong protection of employees in the work environment is likely. Regarding Article 88 GDPR, the public consultation addressed whether national law should establish specific regimes to safeguard the rights and freedoms of employees concerning their personal data and, if so, what kind of safeguards should be established.

Scope

The Portuguese Data Protection Law (67/98)

Material scope

The Law covers the processing of personal data wholly or partly by automatic means, and the processing other than by automatic means of personal data which form part of a manual filing system or which are intended to form part of a manual filing system.

The Law does not apply where the data processing is carried out by a natural person in the course of a purely personal or household activity.

It applies to the processing of personal data regarding public safety, national defence and state security, without prejudice to special rules in instruments of international law to which Portugal is bound and specific laws that apply to specific sectors.

Territorial scope

The Law applies to the processing of personal data carried out in the context of the activities of an establishment of the data controller on Portuguese territory or in a place where Portuguese law applies under international public law.

It also applies to a controller who is not established on European Union territory and who for purposes of processing personal data makes use of equipment, automated or otherwise, situated on Portuguese territory, unless the equipment is used only for purposes of transit through the territory of the European Union.

The Law applies to video surveillance and other forms of capture, processing and dissemination of sound and images that allow persons to be identified, provided the controller is domiciled or based in Portugal or makes use of a computer or data communication network access provider established on Portuguese territory.

The other laws mainly apply to all processing activities on the Portuguese territory.

Penalties/enforcement

  • CNPD has administrative supervision and enforcement powers under current law.
  • Non-compliance with the General Data Protection Law (Law No. 67/98) can result in administrative or criminal penalties.
  • Administrative offences – fine of between EUR 498.80 and EUR 4,987.98. In some cases, the maximum threshold may be doubled.
  • Criminal penalties – imprisonment of up to two years or a fine of up to 240 days. In aggravated circumstances, these penalties may be doubled.
  • Criminal offences are prosecuted by the Public Prosecutor and must be filed in the criminal courts.
  • CNPD can apply other administrative sanctions, including the blocking or erasure of processed data.
  • Non-compliance with the privacy and electronic communications law (Law No. 41/2004) can result in administrative sanctions. An administrative offence can result in a fine of between a minimum of EUR 500 and a maximum of EUR 5m, depending on the nature of the offender (natural or collective person) and the circumstances of the case.
  • Recent examples of penalties include:
    • CNPD applied a penalty of EUR 4.5m to OPTIMUS (now NOS, S.A.), divided into four administrative sanctions, for non-compliance with data protection laws.

Registration / notification

The data controller must notify CNPD of each data processing purpose. Where the processing involves non-sensitive data, the notification only serves to inform CNPD (registration). Where the processing involves sensitive data, the notification is a request for authorisation, which must be obtained before the processing can begin.

Main obligations and processing requirements

Under general data protection laws:

  • Information requirements are identical to those established in EU law, mainly Directive 95/46/EC.
  • Under Law No. 67/98 (General Data Protection Law), consent is a legitimate ground for the processing of both non-sensitive and sensitive data. Explicit consent is not required for the processing of non-sensitive data.
  • Regarding the transposition of EU Directive 2002/58/EC (Articles 5 and 6), under Law No. 41/2004 the use of cookies and communications for marketing purposes require the individual's consent, in line with the requirement to provide prior clear and comprehensive information. For this purpose, data controllers normally rely on opt-in and opt-out solutions (in some cases there may also be a soft opt-in option). Note that for marketing purposes the consent must be explicit.

There are also several other obligations that the data controller must comply with, including implementing appropriate technical and organisational measures to address data processing risks.

Data subject rights

Under general data protection laws, data subjects have the right:

  • when the data is being collected, to specific information that must be provided by the data controller;
  • of access to information concerning their personal data without constraint, within a reasonable period of time and without excessive delay or expense (i.e. information about the data collected and its rectification, erasure or blocking);
  • to object to particular processing of data (including direct marketing);
  • not to be subject to a decision which produces legal effects concerning them or significantly affects them, and which is based solely on the automated processing of data intended to evaluate certain personal aspects relating to them, in particular their performance at work, creditworthiness, reliability or conduct.

Processing by third parties

Under Law No. 67/98 (General Data Protection Law), there must be a contract or legal act binding the data processor to the controller, which subjects the data processor to the same data protection obligations as the data controller. The data processor must act only on instructions from the controller and adopt appropriate technical and organisational security measures to protect the personal data.

The agreement must also contain clear provisions on liability between the data controller and data processor in the event of a breach of privacy.

Transfers out of country

It is not possible to transfer personal data outside the EEA to a country that does not ensure an adequate level of data protection unless the necessary safeguards are in place (e.g. EU model clauses, an ad hoc data transfer agreement, Privacy Shield certification) or the transfer has the explicit consent of the data subject.

Data Protection Officer

No requirement.

Security

Under Law No. 67/98 (General Data Protection Law), the data controller and the data processor must implement appropriate technical and organisational measures to address data processing risks. These measures must cover: control of entry to premises; control of data media; control of input; control of use; control of transmission; and control of transport.

Breach notification

No requirement.

Direct marketing

Under Law No. 41/2004, communication for direct marketing purposes requires the individual's consent, in line with the requirement to provide prior clear and comprehensive information.

For this purpose, data controllers normally rely on an opt-in solution, taking into account that in some cases there can also be a soft opt-in option (particularly where the data subject already has a contract with the data controller).

General data protection laws (including Law No. 67/98) also give the data subject the right to object at any time to processing for direct marketing purposes, through an opt-out option.

Note that for marketing purposes the consent must be explicit.

Cookies

The use of cookies requires the individual's consent, in line with the requirement to provide prior clear and comprehensive information. Controllers normally rely on an opt-in solution.


Cyber Security

Last updated 11 April 2018


Laws and regulations

Decree-Law No. 62/2011 of 9 May, on the procedures for the identification and protection of essential infrastructures (transposing Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection).

Decree-Law No. 116-A/2006 of 16 July, amended by Decree-Law No. 161/2012 of 31 July, on the certification of electronic information systems regarding public essential infrastructures.

Decree-Law No. 69/2014 of 9 May, approving the constitution of the National Cyber Security Centre (CNCS) and establishing the terms of its institutional operation.

Cyber security is a national priority, as reflected in several resolutions and decisions concerning national cyber security policies and strategies. These include: Resolution of the Council of Ministers No. 12/2012 of 16 January; No. 19/2013 of 5 April; No. 36/2015 and No. 7-A/2015 of 20 February; and Decision of the Defence Minister No. 13692/2013 of 28 October.

Criminal law framework:

  • Law No. 109/2009 of 15 September, implementing Council Framework Decision 2005/222/JHA of 24 February 2005 and the Budapest Convention on Cybercrime in the national framework (“Cyber Crime Law”).
  • Portuguese Penal Code (Decree-Law No. 48/95 of 15 March, amended by Law No. 94/2017 of 23 August).
  • Law on the Fight Against Terrorism, implementing Council Framework Decision 2002/475/JHA of 13 June, most recently amended by Law No. 60/2015 of 24 June.

Anticipated changes to law

Portugal has not yet transposed EU Directive 2016/1148 (the NIS Directive); changes to the current national framework are expected shortly.

Application

  • Decree-Law No. 62/2011 sets out the main requirements for the identification and protection (security) of essential infrastructures – particularly those affecting the health, security, and economic and social well-being of society – in the energy and transport sectors.
  • Decree-Law No. 116-A/2006 of 16 July, amended by Decree-Law No. 161/2012 of 31 July, governs the certification of electronic information systems regarding public essential infrastructures.
  • Resolution of the Council of Ministers No. 12/2012 revises the national information security structure and establishes the need for the CNCS.
  • Decree-Law No. 69/2014 of 9 May approves the constitution of the CNCS and establishes the terms of its institutional operation.
  • Resolution of the Council of Ministers No. 19/2013 of 5 April sets out the strategic concept of national defence, taking into consideration the risks of cyber-terrorism and cybercrime.
  • Decision of the Defence Minister No. 13692/2013 of 28 October, concerning the national defence strategy, establishes the policy priorities for cyber-defence.
  • Resolution of the Council of Ministers No. 36/2015 sets out the national security strategy for cyberspace.
  • Resolution of the Council of Ministers No. 7-A/2015 of 20 February concerns national security in the fight against terrorism, in particular implementing the National Plan of Action against Cyber-threats.

Authority

National Office of Security (GNS): https://www.gns.gov.pt/missao.aspx

National Cyber Security Center (CNCS): https://www.cncs.gov.pt/

Key obligations

Decree-Law No. 62/2011

An obligation to prepare a security plan and to review it annually (the review must be conducted by the competent national authorities).

An obligation to designate a point of contact for matters related to the security of Critical European Infrastructures (ICT), in particular for the exchange of information with the competent authorities concerning risks and threats.

An obligation to conduct an annual assessment of the threats affecting the ICT subsectors.

Decree-Law No. 116-A/2006

The law establishes a mandatory certification of electronic information systems concerning public essential infrastructures.

GNS is the public entity responsible for the accreditation of natural and collective persons for access to and handling of classified information, and for the accreditation and oversight of entities that operate within the scope of the State Electronic Certification System - Public Key Infrastructure (SCEE).

Penalties/enforcement

Law No. 109/2009 establishes multiple procedures for dealing with crimes committed by computerised means, or that require the gathering of evidence held in electronic form.

Criminal penalties include imprisonment of up to 10 years or a fine of up to 600 days in special and aggravated situations.

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

Yes. CERT.PT is a service integrated in the CNCS that coordinates the response to incidents involving state entities, critical infrastructures, operators of essential services, digital service providers and, in general, the national cyberspace. These incidents may involve any device belonging to a network or address block attributed to an electronic communications operator, institution, or collective or natural person based or physically located in Portuguese territory.

A national network of CSIRTs provides services to its members, coordinating with the CNCS.

Is there a national incident management structure for responding to cyber security incidents?

Yes. The CNCS provides a response structure for handling cyber security crises and incidents that require national-level coordination and/or management (see the response above).

Other cyber security initiatives

The CNCS cooperates with several international entities on cyber security matters, including the European Commission, ENISA, ISAC, NATO, the OSCE and the “No More Ransom” project.


Authors

José Luís Arnaut
Managing Partner
Lisbon