
Data Law Navigator | Portugal

Information on Data Protection and Cyber Security laws from CMS experts

The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.

Data Protection

Last updated November 2020

Risk scale

Risk Scale Orange

Laws

  • Constitution of the Portuguese Republic, which sets forth the main principles and fundamental rights regarding privacy and data protection;
  • General Data Protection Regulation, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
  • Law no. 58/2019 of 8 August, Portuguese Data Protection Law (implementing Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data);
  • Law no. 59/2019 of 8 August, which approves the rules on the processing of personal data for the purposes of prevention, detection, investigation or prosecution of criminal offences or the enforcement of penalties (transposing Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016);
  • Law no. 41/2004 of 18 August, amended by Law no. 46/2012 of 29 August, concerning the processing of personal data and privacy in the electronic communications sector (Directive 2002/58/EC on privacy and electronic communications);
  • Law no. 32/2008 of 17 July (Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of electronic communications services);
  • Law no. 7/2009 of 12 February (Portuguese Labour Code), which includes some provisions on data protection regarding employees;
  • Law no. 34/2013 of 16 May, regarding the use of video surveillance systems by private security companies and self-protection services;
  • Law no. 1/2005 of 10 January, which establishes the provisions on the use of video surveillance means by public authorities in public places;
  • Law no. 207/2005 of 29 November, on electronic surveillance used by public authorities in traffic control;
  • Regulation no. 1/2018 of 16 October, approved by the Portuguese Data Protection Authority, regarding the List of Personal Data Processing Activities subject to a Data Protection Impact Assessment.

Authority

Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados or “CNPD”):

  • The CNPD controls and supervises compliance with the GDPR and the Portuguese Data Protection Law, as well as with other legal and regulatory provisions on the protection of personal data, in order to defend the rights, freedoms and guarantees of natural persons in connection with the processing of personal data. The CNPD acts independently in the fulfilment of its attributions and in the exercise of the powers attributed to it by that law.
  • The members of the CNPD shall be subject to the incompatibility regime established for the holders of high public office and may not, during their term of office, perform any other activity, paid or unpaid, except for teaching in higher education and research.

Anticipated changes to law

Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life, confidentiality of communications and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications). This new EU Regulation, while particularising and complementing the GDPR, should result in the amendment of Law No. 41/2004 of 18 August concerning personal data protection and privacy in the electronic communications sector.

If applicable: stage of legislative implementation of GDPR

On 8 August 2019 the Portuguese Data Protection Law came into force, reforming the previous Portuguese regime. The aim of the new legislation is to bring the Portuguese data protection regime up to the standards of the General Data Protection Regulation (GDPR) and to provide an interpretation of some of the broader concepts in the GDPR.

Notwithstanding this, on 23 September 2019 the CNPD decided that it will not apply some rules of Law 58/2019 of 8 August because they manifestly contradict the provisions of the GDPR, which violates the principle of the primacy of Union law and seriously undermines the functioning of the consistency mechanism, which aims at a uniform application of data protection rules throughout the EU. The CNPD's decision is based on the Portuguese Constitution and on the case law of the Court of Justice of the EU.

If applicable: local derogations as permitted by GDPR

The following local derogations, as permitted by the GDPR, have been expressly included in the Portuguese Law:

  • Protection of personal data of deceased persons - The personal data of deceased persons shall be protected in accordance with the GDPR and the Portuguese Law when they fall within the special categories of personal data referred to in Article 9(1) of the GDPR, or when they relate to privacy, image or communications data, except in certain cases;
  • Data portability and interoperability - The right to data portability, provided for in Article 20 of the GDPR, covers only the data provided by the data subjects themselves; within the Public Administration, whenever data interoperability is not technically possible, the data subject shall have the right to demand that the data be delivered in an open digital format, in accordance with the National Digital Interoperability Regulation in force;
  • Video surveillance - Without prejudice to the specific legal provisions imposing their use, namely for reasons of public safety, video surveillance systems whose purpose is the protection of persons and property shall meet the requirements provided for in Article 31 of Law No. 34/2013 of 16 May, within the limits defined by other applicable national law;
  • Labour relations - The employer may process the personal data of its employees for the purposes and within the limits defined in the Labour Code and its complementary legislation or other sectoral regimes, with the specificities established in the Portuguese Law;
  • Processing of health and genetic data - The controller is obliged to ensure that access to health and genetic data takes place exclusively in electronic form, unless this is technically impossible or the data subject expressly indicates otherwise, and the person accessing the data is prohibited from further disclosure or transmission. The data subject has the right to be notified of any access to his/her personal data, and the controller is responsible for ensuring that this traceability and notification mechanism is made available.

The minimum technical security measures and requirements inherent to the processing of data shall be approved by order of the members of the Government responsible for the areas of health and justice, which shall regulate, inter alia, the following matters:

  1. Establishment of differentiated permissions for access to personal data, based on need-to-know and segregation of duties;
  2. Requirements for prior authentication of those accessing the data;
  3. Electronic recording of accesses and of the data accessed.

Scope

Material scope – Both the GDPR and Law no. 58/2019 cover the processing of personal data wholly or partly by automated means, and the processing other than by automated means of personal data which form part of a manual filing system or are intended to form part of a manual filing system.
The law does not apply where the data processing is carried out by a natural person in the course of a purely personal or household activity.

It also applies to the processing of personal data concerning public safety, national defence and state security, without prejudice to special rules in instruments of international law to which Portugal is bound and to specific laws pertaining to the respective sectors.

Territorial scope – The GDPR applies to the processing of personal data carried out in the context of the activities of an establishment of the controller on Portuguese territory, or in a place where Portuguese law applies under public international law. It also applies to a controller who is not established on European Union territory and who, for the purposes of processing personal data, makes use of equipment, automated or otherwise, situated on Portuguese territory, unless such equipment is used only for purposes of transit through the territory of the European Union.

Notwithstanding, Law no. 58/2019 applies to the processing of personal data carried out within the national territory, regardless of the public or private nature of the controller or processor, even if the processing of personal data is performed in compliance with legal obligations or the pursuit of public interest, applying all the exclusions provided for in the GDPR.

This law also applies to the processing of personal data performed outside national territory when:

  • they are carried out as part of the activity of an establishment situated on national territory; or
  • they affect data subjects who are on national territory, when the processing activities are subject to the provisions of the GDPR; or
  • they affect data entered in consular posts by Portuguese residents abroad.

This law shall not apply to personal data files constituted and maintained under the responsibility of the Information System of the Portuguese Republic, which is governed by specific provisions, in accordance with the law.

Penalties/enforcement

Under the current law, the CNPD has administrative supervision and enforcement powers.
According to the Portuguese Law, the CNPD has the power to impose the following fines for serious infringements:

  1. from EUR 5,000 to EUR 20,000,000 or 4% of annual worldwide turnover, whichever is higher, in the case of large companies;
  2. from EUR 2,000 to EUR 2,000,000 or 4% of annual worldwide turnover, whichever is higher, in the case of SMEs;
  3. from EUR 1,000 to EUR 500,000 in the case of natural persons.

In addition, under the Portuguese Law, the CNPD also has the power to impose the following fines for considerable administrative offences:

  1. from EUR 2,500 to EUR 10,000,000 or 2% of annual worldwide turnover, whichever is higher, in the case of large companies;
  2. from EUR 1,000 to EUR 1,000,000 or 2% of annual worldwide turnover, whichever is higher, in the case of SMEs;
  3. from EUR 500 to EUR 250,000 in the case of natural persons.

Bearing this in mind, the CNPD has fined Centro Hospitalar do Barreiro e do Montijo E.P.E. a total of EUR 400,000 (four hundred thousand euros) for three violations of the General Data Protection Regulation legal framework.

It has also imposed a fine of EUR 107,000 (one hundred and seven thousand euros) on the Portuguese Association for Consumer Protection (DECO) for sending unsolicited commercial communications containing advertising content to a person's e-mail address.
Additionally, other fines were applied for the insufficient fulfilment of information obligations pursuant to Articles 13 and 15 of the GDPR.

Registration / notification

With the application of the GDPR there is no legal requirement to notify the CNPD before beginning processing activities/operations. Hence, the controller can begin the processing without prior authorisation from, or notification to or registration with, the CNPD.

Main obligations and processing requirements

The main obligations are as follows:

Data Processing Principles

Art 5(1) GDPR sets out the seven data protection principles that must be complied with when processing personal data:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

Demonstrating compliance

Art 5(2) GDPR includes a new accountability principle, which means that Data Controllers must be able to demonstrate how they are complying with their obligations under the principles in Art 5(1) (set out above).

Art 24 GDPR includes the obligation to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing is performed in accordance with the GDPR. Implementing adequate data protection policies and adhering to approved data protection codes of conduct or approved certification mechanisms are ways to demonstrate compliance with this obligation.

Transparency information

Data controllers are required to provide data subjects with information relating to the processing of the personal data collected. This covers the personal data processed, who processes the data and for what purposes. The full list of information to be provided to a data subject is set out in Art 13 and 14 GDPR.

This information is to be provided at the time the personal data is obtained from the data subject. However, in the event the data is not obtained directly from the data subject, the information must be provided by the data controller within a reasonable period, and no later than at the point of sharing the data with another party or at the time of first communication when using the data to communicate with the data subject. In any event, the information should be communicated no later than a month after obtaining the personal data.

Data subject rights

Under Art 15 – 22 GDPR, data subjects have the following rights:

  • The right to information and transparency.
  • The right of access.
  • The right to rectification.
  • The right to erasure.
  • The right to restrict processing.
  • The right to data portability.
  • The right to object.
  • Right not to be subject to a decision based solely on automated processing, including profiling.

The Portuguese Data Protection Law, however, contains restrictions on these data subject rights (as covered in the derogations section above).

Data controllers are required to comply with requests from data subjects exercising these data subject rights, without undue delay and in any event within one month of receipt of the request.

Processing by third parties

Under the GDPR, the relationship between the processor and the controller must be governed by a binding contract (i.e. a Data Processing Agreement). In particular, the processor shall act only on the instructions of the controller and is obliged to adopt appropriate technical and organisational measures to protect personal data.

Furthermore, such agreement should also contain clear provisions on liability between the controller and the processor in the event of a data breach.

Transfers out of country

Under the GDPR, the transfer of personal data outside the EEA to a non-adequate country without the necessary safeguards in place (e.g. EU model clauses, an ad hoc data transfer agreement, Privacy Shield certification) or without the explicit consent of the data subject is in principle forbidden.

Art 44 GDPR imposes restrictions on the transfer of personal data to a third country or an international organisation outside of the European Union unless the transfer is to an adequate jurisdiction (Art 45 GDPR), a lawful transfer mechanism exists (Art 46 GDPR), or an exemption or derogation applies (Art 49 GDPR).

Some of the Art 49 GDPR exceptions to the abovementioned restrictions are:

  • where the transfer is made with an individual’s informed consent;
  • where a transfer is necessary for the performance of a contract between the individual and the organisation;
  • where a transfer is necessary for the performance of a contract made in the interests of the individual between the data controller and another person.

Data Protection Officer

Pursuant to Portuguese Law, the designation of data protection officers in public authorities is mandatory.

Additionally, it provides that, for private entities, the controller and the processor shall appoint a data protection officer whenever their principal activity involves:

  1. processing operations which, because of their nature, scope and/or purpose, require regular and systematic monitoring of data subjects on a large scale; or
  2. large-scale processing of special categories of data pursuant to Article 9 of the GDPR, or of personal data relating to criminal convictions and offences under Article 10 of the GDPR.

As under the GDPR, data controllers are required to have a lawful basis for all processing of personal data.

Security

The GDPR provides that the controller and the processor must implement appropriate technical and organisational measures to address the risks of the data processing; in particular, the controller and the processor should adopt internal policies and implement measures which meet the principles of data protection by design and data protection by default.

The following are examples of the expected security measures:

  • pseudonymisation and encryption of personal data;
  • ensuring ongoing confidentiality, integrity, availability and resilience of processing systems; and
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

In addition, Resolution no. 41/2018 of the Council of Ministers establishes the minimum compulsory and recommended technical requirements applicable to the IT systems and networks of public entities, which were to be adopted by 29 September 2019.

For example, it provides that data storage systems must ensure redundancy, resilience and availability with no single point of failure. Two types of backups (online and offsite) should be kept, with the offsite backups stored in a geographically separate location.

Breach notification

Controllers are required to report a personal data breach to the relevant data protection supervisory authority within 72 hours of becoming aware of that breach, and to the affected individuals without undue delay, except where the data breach is unlikely to result in any harm to data subjects.

Data processors must notify the data controller without undue delay after becoming aware of a personal data breach.

A data breach under the GDPR is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. 

Under the GDPR it is now mandatory to notify the data subjects when a data breach, leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, is likely to result in a risk or high risk to the rights and freedoms of natural persons.

This requirement to notify affected individuals does not apply if:

  • the data controller has implemented security measures for the affected personal data which render the data unintelligible to anyone without proper access (e.g. encryption);
  • the data controller takes measures which ensure that the high risk posed initially is unlikely to materialise; or
  • it would involve disproportionate effort to make such notification(s) and the data controller has used alternative public communications to ensure all affected individuals are informed effectively.

The CNPD has a form exclusively for the notification of personal data breaches, in accordance with Art 33 of the GDPR. Any complaints or doubts submitted will be analysed or answered.

Direct marketing

Regarding advertising and marketing, Law No. 41/2004 of 18 August on Personal Data Protection and Privacy in Telecommunications provides, in Article 13-A on unsolicited communications, that communications for direct marketing purposes require the individual's consent, given after the necessary clear and comprehensive information has been provided.

For this purpose, controllers normally rely on an opt-in solution, bearing in mind that in some cases a soft opt-in option is also available (particularly where the data subject already has a contract with the respective controller).

General data protection laws (including the GDPR) also give the data subject the right to object at any time to processing for direct marketing purposes, namely through an opt-out option.
We also underline that for marketing purposes the consent must be explicit.

Cookies

Portugal has no specific rule regarding the use of cookies, so the rules stated in the GDPR and Directive 2002/58/EC (ePrivacy Directive) currently apply.

The use of cookies requires the individual's explicit consent, given after the necessary clear and comprehensive information has been provided. At present, controllers need to rely on consent for this processing.

Cyber Security 

Last updated March 2020

Risk scale

Risk Scale Orange

Laws and regulations

  • Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act).
  • Law no. 16/2019 of 22 August, which transposes Directive (EU) 2017/541 of 15 March on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA.
  • Law no. 46/2018 of 13 August, which transposes Directive (EU) 2016/1148 of 6 July concerning measures for a high common level of security of network and information systems across the Union.
  • Decree-Law no. 69/2014 of 9 May, approving the constitution of the National Cyber Security Centre (CNCS) and establishing the terms of its institutional operation, amended by Decree-Law no. 136/2017 of 6 November.
  • Decree-Law no. 62/2011 of 9 May, on the procedures for the identification and protection of essential infrastructures (Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection).
  • Decree-Law no. 116-A/2006 of 16 July, amended by Decree-Law no. 161/2012 of 31 July, on the certification of electronic information systems regarding public essential infrastructures.
  • Resolutions and Decisions regarding national cyber security policies and strategies (namely the Resolutions of the Council of Ministers no. 12/2012 of 16 January, no. 19/2013 of 5 April, no. 36/2015, no. 7-A/2015 of 20 February, no. 41/2018 and no. 92/2019, and the Decision of the Defence Minister no. 13692/2013 of 28 October).
  • National punitive and repressive framework:
    • Law no. 109/2009 of 15 September, implementing Council Framework Decision 2005/222/JHA of 24 February 2005 and the Budapest Convention on Cybercrime in the national framework ("Cybercrime Law").
    • Portuguese Criminal Code (Decree-Law no. 48/95 of 15 March, amended by Law no. 16/2018 of 27 March).
    • Law on the Fight Against Terrorism, implementing Council Framework Decision 2002/475/JHA of 13 June, as most recently amended by Law no. 60/2015 of 24 June.

Application

  • Law no. 46/2018 establishes the legal framework for cyberspace security, transposing Directive (EU) 2016/1148 of 6 July concerning measures for a high common level of security of network and information systems across the Union.
  • This Law applies to organisations within the following sectors/infrastructures: drinking water, energy (electricity and gas), nuclear, finance, telecom, transportation and water control.
  • Law no. 16/2019 amends Law no. 52/2003 (counter-terrorism), transposing Directive (EU) 2017/541 of 15 March on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA.
  • Decree-Law no. 62/2011 sets forth the main procedure for the identification and protection (security) of essential infrastructures in the energy and transport sectors, particularly as regards health, security and the economic and social well-being of society.
  • Decree-Law no. 116-A/2006 of 16 July, amended by Decree-Law no. 161/2012 of 31 July, on the certification of electronic information systems regarding public essential infrastructures.
  • Resolution of the Council of Ministers no. 12/2012, which revises the National Information Security structure and, among other things, establishes the need to create the CNCS.
  • Decree-Law no. 69/2014 of 9 May, approving the constitution of the CNCS and establishing the terms of its institutional operation.
  • Resolution of the Council of Ministers no. 19/2013 of 5 April, which sets forth the strategic concept of national defence, taking into consideration the risks of cyberterrorism and cybercrime.
  • Resolution of the Council of Ministers no. 41/2018 of 28 May, which approves minimum requirements for information systems used by the State administration.
  • Resolution of the Council of Ministers no. 92/2019 of 5 June, which defines the first national strategy on the security of network and information systems (2019-2023).
  • Decision of the Defence Minister no. 13692/2013 of 28 October, which, having regard to the national defence strategy, establishes the main lines of the cyberdefence policy.
  • Resolution of the Council of Ministers no. 36/2015, which provides the National Security Strategy for Cyberspace.
  • Resolution of the Council of Ministers no. 7-A/2015 of 20 February, regarding national security in the fight against terrorism, particularly implementing the National Plan of Action against Cyberthreats.

Authority

Key obligations

Law no. 46/2018

  • The obligation to ensure appropriate and proportionate technical and organisational security measures, taken in response to the assessed level of risk to the security of network and information systems, for public administrations.
  • The obligation for digital service providers, operators of essential services and public administrations to communicate any incident with a substantial impact to the Superior Council of Cyberspace Security.

Decree-Law no. 62/2011

  • The obligation to draw up a security plan and to review it annually (the review must be conducted by the competent national authorities);
  • The need to designate an agent to act as a point of contact in matters related to the security of the European Critical Infrastructures (ICT), particularly in the exchange of information with the competent authorities concerning related risks and threats;
  • The obligation to conduct an annual assessment of the threats regarding the ICT subsectors.

Decree-Law no. 116-A/2006

  • The law establishes the obligation of certification of electronic information systems concerning public essential infrastructures.
  • The GNS is the public entity responsible for the accreditation of natural and legal persons for access to and handling of classified information, as well as the authority for the accreditation and oversight of entities that operate within the scope of the State Electronic Certification System - Public Key Infrastructure (SCEE).

Penalties/enforcement

  • Law no. 109/2009 establishes multiple procedural provisions regarding crimes committed by computer means or for which evidence must be collected in electronic form. In this regard, the following criminal penalties are foreseen: imprisonment of up to 10 years or a fine of up to 600 days, considering special and aggravated situations.
  • Law no. 46/2018 establishes multiple procedural provisions regarding the obligation to communicate any incident with a substantial impact. In this regard, the following penalties are foreseen: a fine of EUR 1,000 to EUR 9,000, considering special and aggravated situations.
  • Law no. 16/2019 establishes multiple terrorist crimes. In this regard, the following criminal penalties are foreseen: imprisonment of up to 20 years or a fine of up to 480 days, considering special and aggravated situations.

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

Yes. CERT.PT is a service integrated in the CNCS that coordinates the response to incidents involving State entities, critical infrastructures, operators of essential services, digital service providers and, in general, the national cyberspace, including any device belonging to a network or address block attributed to an electronic communications operator, institution, legal or natural person based, or physically located, in Portuguese territory.

There is also a National CSIRT Network that provides a set of services to its members, coordinating with the CNCS where necessary.

Is there a national incident management structure for responding to cyber security incidents?

Yes. The CNCS provides a response structure for handling cybersecurity crises and incidents that require national-level coordination and/or management (see the response above).

Other cyber security initiatives

The CNCS cooperates with several international entities on cybersecurity matters (e.g. the European Commission, ENISA, ISAC, NATO, OSCE and the "No More Ransom" project).


Authors

José Luís Arnaut
Managing Partner
Lisbon
João Leitão Figueiredo
Associate
Lisbon