CNPD under the current law has administrative supervision and enforcement powers. According to Portuguese Law, CNPD has the power to impose fines when there is serious infringement of:
Administrative sanctions:
1. Law no. 58/2019, of 8 August (Portuguese Data Protection Law)
Serious administrative offences:
- From EUR 5,000 to EUR 20,000,00 or 4% of annual worldwide turnover, depending on the whichever is higher, being a large company;
- From EUR 2,000 to EUR 2m or 4% of annual worldwide turnover, as appropriate. Whichever is higher, in the case of SMEs;
- from EUR 1,000 to EUR 500,000 in the case of natural persons.
Considerable administrative offences:
- From EUR 2,500 to EUR 10m or 2% of the annual worldwide turnover according to whichever is higher, being a large company;
- From EUR 1,000 to EUR 1m or 2% of annual worldwide turnover, as appropriate whichever is higher, in the case of SMEs;
- From EUR 500 to EUR 250,000 in the case of natural persons.
2. Law no. 41/2004, of 18 August (Processing of personal data and privacy in electronic communications sector)
Serious administrative offences:
- From EUR 1,500 to EUR 25,000 when committed by natural persons;
- From EUR 5,000 to EUR 5m when committed by legal persons.
Considerable administrative offences:
- From EUR 500 to EUR 20,000 when committed by natural persons;
- From EUR 2,500 to EUR 2.5bn when committed by legal persons.
3. Law no. 32/2008, of 8 August (retention of data generated or processed in the context of electronic communications services)
Administrative offences:
- From EUR 1,500 to EUR 50,000 when committed by natural persons;
- From EUR 5,000 to EUR 10m, when committed by legal persons.
Criminal sanctions:
1. Law no. 58/2019, of 8 August (Portuguese Data Protection Law)
Incompatible use of data with the purpose of processing
Prison sentence of up to one year or a fine of up to 120 days
Inappropriate access
Prison sentence of up to one year or a fine of up to 120 days
Misappropriation of data
Prison sentence of up to one year or a fine of up to 120 days
Tampering or destruction of data
Prison sentence of up to two years or a fine of up to 240 days
Falsifying data
Prison sentence of up to two years or a fine of up to 240 days
Breach of confidentiality
Prison sentence of up to one year or a fine of up to 120 days
Disobedience
Prison sentence of up to one year or a fine of up to 120 days
Note: The attempt of any of the above-mentioned crimes is punishable.
2. Law no. 32/2008, of 8 August (retention of data generated or processed in the context of electronic communications services)
Crimes related to the violation of the security of personal data, non-blocking of data or the access by unauthorised persons in punishable with prison sentence of up to two years or a fine of up to 240 days. This penalty may be doubled if the action is premeditated.
Note: The attempt or negligence of any of the above-mentioned crimes is punishable.
Social Media cookies collect information about you sharing information from our website via social media tools, or analytics to understand your browsing between social media tools or our Social Media campaigns and our own websites. We do this to optimise the mix of channels to provide you with our content. Details concerning the tools in use are in our privacy policy.