Data protection and cybersecurity laws in Portugal

Data protection

1. Local data protection laws and scope

In addition to the GDPR, the Portuguese legal framework comprises specific local legislation on data protection, namely:

  • Law no. 58/2019 of 8 August, the Portuguese Data Protection Law on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (implementing Directive 2016/679 of the European Parliament and of the Council of 27 April 2016);
  • Law no. 59/2019 of 8 August, which approves the rules on the processing of personal data for the purposes of the prevention, detection, investigation or prosecution of criminal offences or the enforcement of penalties (transposing Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016);
  • Law no. 41/2004 of 18 August, amended by Law no. 46/2012 of 29 August, concerning the processing of personal data and privacy in the electronic communications sector (Directive 2002/58/EC on privacy and electronic communications);
  • Law no. 32/2008 of 17 July, concerning the retention of data generated or processed in the context of electronic communications services (Directive 2006/24/EC).

The Portuguese framework also comprises a set of legal instruments that contain multiple provisions relevant to data protection, such as:

  • The Constitution of the Portuguese Republic, which sets forth the main principles and fundamental rights regarding privacy and data protection;
  • Law no. 7/2009 of 12 February (Portuguese Labour Code), which includes provisions on the data protection of employees;
  • Law no. 34/2013 of 16 May, regarding the use of video surveillance systems by private security entities and for self-protection;
  • Law no. 1/2005 of 10 January, which establishes the provisions concerning the use of video surveillance means by public authorities in public places;
  • Decree-Law no. 207/2005 of 29 November, on electronic surveillance used by public authorities in traffic control;
  • Regulation no. 798/2018, approved by the Portuguese Data Protection Authority, regarding the List of Personal Data Processing Activities subject to a Data Protection Impact Assessment.

2. Data protection authority

Comissão Nacional de Proteção de Dados (CNPD) https://www.cnpd.pt/

3. Anticipated changes to local laws

There are no anticipated changes.

4. Sanctions & non-compliance

Under the current law, the CNPD has administrative supervision and enforcement powers. Under Portuguese law, the CNPD may impose the following fines for infringements of:

Administrative sanctions:

1. Law no. 58/2019, of 8 August (Portuguese Data Protection Law)

Serious administrative offences:

  • From EUR 5,000 to EUR 20m or 4% of annual worldwide turnover, whichever is higher, in the case of large companies;
  • From EUR 2,000 to EUR 2m or 4% of annual worldwide turnover, whichever is higher, in the case of SMEs;
  • From EUR 1,000 to EUR 500,000 in the case of natural persons.

Considerable administrative offences:

  • From EUR 2,500 to EUR 10m or 2% of annual worldwide turnover, whichever is higher, in the case of large companies;
  • From EUR 1,000 to EUR 1m or 2% of annual worldwide turnover, whichever is higher, in the case of SMEs;
  • From EUR 500 to EUR 250,000 in the case of natural persons.

2. Law no. 41/2004, of 18 August (processing of personal data and privacy in the electronic communications sector)

Serious administrative offences:

  • From EUR 1,500 to EUR 25,000 when committed by natural persons; 
  • From EUR 5,000 to EUR 5m when committed by legal persons.

Considerable administrative offences:

  • From EUR 500 to EUR 20,000 when committed by natural persons; 
  • From EUR 2,500 to EUR 2.5bn when committed by legal persons.

3. Law no. 32/2008, of 8 August (retention of data generated or processed in the context of electronic communications services)

Administrative offences:

  • From EUR 1,500 to EUR 50,000 when committed by natural persons; 
  • From EUR 5,000 to EUR 10m when committed by legal persons.

Criminal sanctions:

1. Law no. 58/2019, of 8 August (Portuguese Data Protection Law)

Incompatible use of data with the purpose of processing 
Prison sentence of up to one year or a fine of up to 120 days

Inappropriate access 
Prison sentence of up to one year or a fine of up to 120 days

Misappropriation of data 
Prison sentence of up to one year or a fine of up to 120 days

Tampering or destruction of data 
Prison sentence of up to two years or a fine of up to 240 days

Falsifying data
Prison sentence of up to two years or a fine of up to 240 days

Breach of confidentiality 
Prison sentence of up to one year or a fine of up to 120 days

Disobedience 
Prison sentence of up to one year or a fine of up to 120 days

Note: The attempt of any of the above-mentioned crimes is punishable.

2. Law no. 32/2008, of 8 August (retention of data generated or processed in the context of electronic communications services)

Crimes related to the violation of the security of personal data, the failure to block data or access by unauthorised persons are punishable with a prison sentence of up to two years or a fine of up to 240 days. This penalty may be doubled if the act is premeditated.

Note: The attempt or negligence of any of the above-mentioned crimes is punishable.

5. Registration / notification / authorisation

Since the GDPR became applicable, there is no legal requirement to notify the CNPD before beginning processing activities. Hence, data controllers can begin processing without prior authorisation from, notification to, or registration with the CNPD.

6. Main obligations and processing requirements

There are no derogations from the GDPR. 

7. Data subject rights

There are no derogations from the GDPR. 

8. Processing by third parties

There are no derogations from the GDPR. 

9. Transfers out of country

There are no derogations from the GDPR. 

10. Data Protection Officer

Pursuant to Portuguese Data Protection Law (Law no. 58/2019, of 8 August), the designation of data protection officers in public authorities is mandatory.

Additionally, it states that private entities, whether acting as data controller or data processor, must appoint a data protection officer whenever their principal activity involves:

  • Processing operations which, by virtue of their nature, scope and/or purpose, require regular and systematic monitoring of data subjects on a large scale; or
  • Large-scale processing of special categories of data pursuant to Article 9 of the GDPR, or of personal data relating to criminal convictions and offences under Article 10 of the GDPR.

11. Security

The GDPR provides that data controllers and data processors must implement appropriate technical and organisational measures to address the risks of data processing. Data controllers and data processors should adopt internal policies and implement measures which meet, in particular, the principles of data protection by design and data protection by default.

The following are examples of the expected security measures:

  • Pseudonymisation and encryption of personal data;
  • Ensuring ongoing confidentiality, integrity, availability and resilience of processing systems; and
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

In addition, Resolution no. 41/2018 of the Council of Ministers was approved, establishing the minimum compulsory and recommended technical requirements applicable to the IT systems and networks of public entities, which were to be adopted by 29 September 2019.

For example, data storage systems must ensure redundancy, resiliency and availability with no single point of failure. Two types of back-ups (online and off-site) should be secured, with the off-site back-ups stored in a separate location.

12. Breach notification

There are no derogations from the GDPR.

13. Direct marketing

Regarding advertising and marketing matters, Portugal has Law no. 41/2004 of 18 August on Personal Data Protection and Privacy in Telecommunications. Article 13-A on unsolicited communications states that communications for direct marketing purposes require the individual's consent and the disclosure of adequate information to the data subject.

For this purpose, data controllers normally rely on an opt-in solution, taking into account that in some cases there can also be a soft opt-in option (particularly in cases where the data subject is already in a contract with the respective data controller). 

General data protection laws (including the GDPR) also give the data subject the right to object at any time to direct marketing purposes, namely through an opt-out option.

We also underline that for marketing purposes the consent must be explicit.

14. Cookies and adtech

Portugal has no specific rule regarding the use of cookies, so the rules stated in the GDPR and Directive 2002/58/EC (ePrivacy Directive) currently apply.

The use of cookies requires the individual's explicit consent and the disclosure of adequate information to the data subject. Currently, data controllers need to rely on consent to secure the adequate legal basis for the processing of personal data.

15. Risk scale

Medium (moderate)

Cybersecurity

1. Local cybersecurity laws and scope

The NIS directive was transposed into Portuguese law by Law 46/2018 of 13 August, which embodies the Legal Regime of Cyberspace Security.

In addition to the GDPR, the Portuguese legal framework comprises local legislation on cybersecurity, namely:

  • Law no. 46/2018, of 13 August, which transposes Directive 2016/1148 of 6 July, concerning measures for a high common level of security of network and information systems across the Union.
  • Law no. 16/2019, of 22 August, which transposes Directive 2017/541 of 15 March, on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA.
  • Decree-Law no. 69/2014, of 9 May, approving the constitution of the National Cyber Security Centre (CNCS) and establishing the terms of its institutional operation, amended by Decree-Law no. 136/2017 of 6 November.
  • Decree-Law no. 62/2011, of 9 May, on the procedures for the identification and protection of essential infrastructure (Directive 2008/114/EC of 8 December 2008, on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection).
  • Decree-Law no. 116-A/2006, of 16 July, amended by Decree-Law no. 161/2012 of 31 July, on the certification of electronic information systems for public essential infrastructure.
  • Resolutions and Decisions regarding national cybersecurity policies and strategies (namely, the Resolutions of the Council of Ministers no. 12/2012 of 16 January, no. 19/2013 of 5 April, no. 7-A/2015 of 20 February, no. 41/2018 and no. 92/2019, and the Decision of the Defence Minister no. 13692/2013 of 28 October).
  • The eIDAS Regulation (Regulation (EU) 910/2014), which is directly applicable in Portugal without the need for transposition and establishes a wide range of trust services, as well as the cross-border mutual recognition of electronic means of identification (eID).

Notwithstanding this legislation, the Portuguese framework also comprises a set of legal instruments that include provisions on personal data protection, such as:

  • Law no. 109/2009, of 15 September, implementing Council Framework Decision 2005/222/JHA of 24 February 2005 and the Budapest Convention on Cybercrime in the national framework (the "Cybercrime Law").
  • The Portuguese Criminal Code (Decree-Law no. 48/95 of 15 March, amended by Law no. 16/2018 of 27 March).
  • Law no. 52/2003, of 22 August (Law on the Fight Against Terrorism), implementing Council Framework Decision 2002/475/JHA of 13 June, most recently amended by Law no. 60/2015 of 24 June.

2. Anticipated changes to local laws

There is a proposal before the European Commission to update the NISD. Once the proposal is agreed and then adopted, the EU Member States will have 18 months to transpose the updated Directive into their domestic legislation.

3. Application 

  • Law no. 46/2018, of 13 August, establishes the legal framework of cyberspace security, by transposing Directive 2016/1148 of 6 July, concerning measures for a high common level of security of network and information systems across the Union.
    This Law applies to organisations within the following sectors/infrastructures: drinking water, energy (electricity and gas), nuclear, finance, telecom, transportation and water-control.
  • Law no. 16/2019, of 22 August, formally amends Law no. 52/2003 (counter-terrorism), of 22 August, by transposing Directive 2017/541 of 15 March, on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA.
  • Decree-Law no. 62/2011, of 9 May, sets forth the main procedure for the identification and protection (security) of essential infrastructure, particularly as regards health, security and economic and social wellbeing, in the energy and transport sectors.
  • Decree-Law no. 116-A/2006, of 16 July, amended by Decree-Law no. 161/2012 of 31 July, on the certification of electronic information systems for public essential infrastructure.
  • Resolution of the Council of Ministers no. 12/2012, which revises the national information security structure and, among other things, establishes the basis for the creation of the CNCS.
  • Decree-Law no. 69/2014 of 9 May, approving the constitution of the CNCS and establishing the terms of its institutional operation.
  • Resolution of the Council of Ministers no. 19/2013 of 5 April, which sets forth the strategic concept of national defence, taking into consideration the risks of cyberterrorism and cybercrime.
  • Resolution of the Council of Ministers no. 41/2018 of 28 May, which approves minimum requirements for information systems used by the State administration.
  • Resolution of the Council of Ministers no. 92/2019 of 5 June, which defines the first national strategy on the security of network and information systems (2019-2023).
  • Decision of the Defence Minister no. 13692/2013 of 28 October, which, with regard to the national defence strategy, establishes the main lines of cyberdefence policy.
  • Resolution of the Council of Ministers no. 36/2015, which provides the National Security Strategy for Cyberspace.
  • Resolution of the Council of Ministers no. 7-A/2015 of 20 February, regarding national security in the fight against terrorism, in particular implementing the National Plan of Action against Cyberthreats.

4. Authority

  • National Cyber Security Centre (CNCS): https://www.cncs.gov.pt
  • Computer security incident response team (CERT)

5. Key obligations 

Law no. 46/2018, of 13 August:

  • The obligation, for public administrations, to take appropriate and proportionate technical and organisational security measures in response to the assessed level of risk to the security of network and information systems.
  • The obligation, for digital service providers, operators of essential services and public administrations, to notify any incident with a substantial impact to the Upper Council of Cyberspace Security.

Decree-Law no. 62/2011, of 9 May: 

  • The obligation to draw up a security plan and to review it annually (the review must be conducted by the competent national authorities);
  • The obligation to designate an agent to act as a point of contact in matters related to the security of Critical European Infrastructures (ICT), particularly for the exchange of information with the competent authorities concerning related risks and threats;
  • The obligation to conduct an annual assessment of the threats across ICT sub-sectors.

Decree-Law no. 116-A/2006, of 16 July:

  • The law establishes an obligation to certify electronic information systems for public essential infrastructure;
  • The GNS (Gabinete Nacional de Segurança, the National Security Office) is the public entity responsible for accrediting natural and legal persons to access and handle classified information, and is also the authority for the accreditation and oversight of entities that operate within the scope of the State Electronic Certification System, Public Key Infrastructure (SCEE).

6. Sanctions & non-compliance 

Administrative sanctions:

1. Law no. 46/2018, of 13 August

Serious administrative offences:

  • From EUR 5,000 to EUR 5,000 when committed by natural persons;
  • From EUR 10,000 to EUR 50,000, when committed by legal persons.

Considerable administrative offences:

  • From EUR 1,000 to EUR 3,000 when committed by natural persons;
  • From EUR 3,000 to EUR 9,000 when committed by legal persons.

Administrative offences due to negligence:

  • Negligence is punishable, with the minimum and maximum fines reduced by half.

Criminal sanctions:

1. Law no. 109/2009, of 15 September

IT fraudulent misrepresentation
Prison sentence of up to five years or a fine from 120 up to 600 days.
If the damage caused is considered high value, the prison sentence is up to ten years.

Damage to programmes or other computer data
Prison sentence of up to three years or a fine;
If the damage caused is of high value, the prison sentence is up to five years or a fine of up to 600 days;
If the damage caused is of very high value, the prison sentence is from one year up to ten years.

Computer sabotage
Prison sentence of up to five years or a fine up to 600 days

Illegal access
Prison sentence of up to five years or a fine up to 120 days

Unlawful interception
Prison sentence of up to three years or a fine

Illegal reproduction of a protected programme
Prison sentence of up to three years or a fine

Note: The attempt of any of the above-mentioned crimes is punishable.

2. Law no. 52/2003, of 22 August

Crimes against communications or acts that destroy or render impossible the functioning of channels of communication or divert from their normal purpose, either definitively or temporarily, totally or partially, are punishable by prison sentence from two to ten years.

Anyone broadcasting a message to the public inciting the practice of the acts mentioned above through electronic communication media will be punished with a prison sentence from one to six years.

3. Specific criminal provisions under the Portuguese Criminal Code.

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

CERT.PT is a service within the CNCS that coordinates the response to incidents involving State entities, critical infrastructure, operators of essential services, digital service providers and, in general, the national cyberspace, including any device belonging to a network or address block attributed to an electronic communications operator, institution, or legal or natural person based or physically located in Portuguese territory.

Also, there is a National Network of CSIRTs that provides a set of services to its members, coordinating any situations with the CNCS.

8. National cybersecurity incident management structure

The CNCS provides a response structure for handling cybersecurity crises and incidents that require national-level coordination and/or management (see the response above).

9. Other cybersecurity initiatives 

The CNCS cooperates with international entities on cybersecurity matters (e.g. the European Commission, ENISA, ISAC, NATO, the OSCE and the "No More Ransom" project).

Authors:

  • José Luís Arnaut, Managing Partner, Lisbon
  • João Leitão Figueiredo, Partner, Lisbon
  • Sara Rocha, Associate, Lisbon
  • Ricardo Pintão, Associate, Lisbon