
Data Law Navigator | Portugal

Information on Data Protection and Cyber Security laws from CMS experts


The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.


Data Protection

Last updated 11 April 2018

Risk scale

Orange

Laws

  • Constitution of the Portuguese Republic, which sets forth the main principles and fundamental rights regarding privacy and data protection;
  • General Data Protection Regulation, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
  • Law no. 67/98 of October 28th, the Portuguese Data Protection Law (which transposed Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data);
  • Law no. 41/2004 of August 18th, amended by Law no. 46/2012 of 29 August, concerning the processing of personal data and privacy in the electronic communications sector (transposing Directive 2002/58/EC on privacy and electronic communications);
  • Law no. 32/2008 of July 17th (transposing Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services);
  • Law no. 7/2009 of February 12th (Portuguese Labour Code), which includes some provisions on the protection of employees' personal data;
  • Law no. 34/2013 of May 16th, regarding the use of video surveillance systems by private security companies and self-protection services;
  • Law no. 1/2005 of January 10th, which lays down the rules on the use of video surveillance by public authorities in public places;
  • Law no. 207/2005 of November 29th, on electronic surveillance used by public authorities in traffic control.

Authority

Comissão Nacional de Proteção de Dados (CNPD) (Portuguese Data Protection Authority)

Anticipated changes to law

The new national Data Protection Law has yet to be enacted; it is expected to specify and supplement Regulation (EU) 2016/679 in the areas the Regulation leaves to Member State law.

If applicable: stage of legislative implementation of GDPR

The national law on the application of the GDPR has not yet been approved by Parliament, so there is still no such law in force in Portugal. The proposal is currently under discussion in Parliament and is expected to be passed by the end of 2019.

In this regard, we would like to emphasise that the CNPD issued a legal opinion criticising a significant number of the provisions of the aforementioned proposal.

Hence, there is currently a high level of discretion, stemming from the self-regulatory approach embedded in the Regulation, which allows both controllers and processors to implement whatever technical and organisational measures they consider adequate and proportionate to the processing of personal data.

Notwithstanding this, the CNPD has approved Regulation no. 41/2018, which sets out the list of processing operations subject to a Data Protection Impact Assessment.

If applicable: local derogations as permitted by GDPR

There is no specific information at the moment as to whether Portugal intends to derogate from any provisions of the GDPR. Nevertheless, given the Portuguese constitutional background, we believe there will be strong protection of employees in the work environment. Also, with reference to Article 88 GDPR, we underline that the public consultation asked whether national law should establish specific regimes to safeguard the rights and freedoms of employees in relation to their personal data and, if so, what kind of safeguards should be established.

Moreover, changes are to be expected in the criminal liability framework for the processing of personal data.

Scope

Where not tacitly repealed by the GDPR, the Portuguese Data Protection Law (Law no. 67/98) applies as follows:

Material scope – The Law covers the processing of personal data wholly or partly by automatic means, and the processing other than by automatic means of personal data which form part of a manual filing system or are intended to form part of one.

The Law does not apply to processing carried out by a natural person in the course of a purely personal or household activity.

It also applies to the processing of personal data for purposes of public safety, national defence and State security, without prejudice to special rules in instruments of international law to which Portugal is bound and to specific laws governing those sectors.

Territorial scope – The Law applies to the processing of personal data carried out in the context of the activities of an establishment of the controller on Portuguese territory, or in a place where Portuguese law applies by virtue of public international law.

It also applies to a controller who is not established on European Union territory and who, for the purposes of processing personal data, makes use of equipment, automated or otherwise, situated on Portuguese territory, unless such equipment is used only for the purposes of transit through the territory of the European Union.

Finally, the Law applies to video surveillance and other forms of capture, processing and dissemination of sound and images allowing persons to be identified, provided the controller is domiciled or based in Portugal or makes use of a computer or data communication network access provider established on Portuguese territory.

As regards the GDPR, its material and territorial scope (Articles 2 and 3 GDPR) apply directly in Portugal, without any national adaptation.

The remaining laws listed above apply, in general, to all processing activities carried out on Portuguese territory.

Penalties/enforcement

Under the current law, the CNPD already has administrative supervision and enforcement powers.

Non-compliance with the general data protection rules (GDPR and Law no. 67/98) can result in administrative or criminal penalties.

Administrative offences are punishable with fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

By way of example, the CNPD fined Centro Hospitalar do Barreiro e do Montijo, E.P.E. a total of EUR 400,000 for three infringements of the GDPR.

Under Law no. 67/98, criminal offences are punishable with imprisonment of up to two years or a fine of up to 240 days; in specific scenarios both limits can be doubled.

Criminal offences are prosecuted by the Public Prosecutor's Office before the competent criminal courts.

Non-compliance with the law on privacy and electronic communications (Law no. 41/2004) can also result in administrative sanctions.

Depending on the nature of the offender (natural or legal person) and the particular circumstances of the case, an administrative offence is punishable with a fine between a minimum of EUR 500 and a maximum of EUR 5 million.

The CNPD imposed a penalty of EUR 4.5 million on OPTIMUS (now NOS, S.A.) for non-compliance with data protection laws, split across four administrative offences; the amount was later reduced to EUR 600,000.

Registration / notification

With the application of the GDPR there is no longer any obligation to notify the CNPD before beginning processing operations. Hence, the controller can begin processing without prior authorisation by, or notification or registration with, the CNPD.

Main obligations and processing requirements

The main obligations are as follows:

Data Processing Principles

Art 5(1) GDPR sets out the data protection principles that must be complied with when processing personal data, and Art 5(2) adds accountability, giving seven principles in total:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

Demonstrating compliance

Art 5(2) GDPR includes a new accountability principle, which means that Data Controllers must be able to demonstrate how they are complying with their obligations under the principles in Art 5(1) (set out above).
Art 24 GDPR includes the obligation to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing is performed in accordance with the GDPR. Implementing adequate data protection policies and adhering to approved data protection codes of conduct or approved certification mechanisms are ways to demonstrate compliance with this obligation.

Transparency information

Data controllers are required to inform data subjects about the processing of their personal data: which personal data are processed, by whom and for what purposes. The full list of information to be provided to a data subject is set out in Art 13 and 14 GDPR.

Where the personal data are obtained from the data subject, this information is to be provided at the time they are obtained. Where the data are not obtained directly from the data subject, the controller must provide the information within a reasonable period and in any event no later than one month after obtaining the data, no later than the first communication with the data subject where the data are used to communicate with them, and no later than the first disclosure where the data are to be disclosed to another recipient.

Data subject rights

Under Art 15 – 22 GDPR, data subjects have the following rights:

  • The right to information and transparency.
  • The right of access.
  • The right to rectification.
  • The right to erasure.
  • The right to restrict processing.
  • The right to data portability.
  • The right to object.
  • Right not to be subject to a decision based solely on automated processing, including profiling.

National law may restrict these rights within the limits of Art 23 GDPR (see the derogations section above).

Data controllers are required to comply with requests from data subjects exercising these data subject rights, without undue delay and in any event within one month of receipt of the request.

Processing by third parties

Under the GDPR, processing by a processor must be governed by a contract binding the processor to the controller (a Data Processing Agreement with the content required by Art 28 GDPR). In particular, the processor may act only on documented instructions from the controller and must implement appropriate technical and organisational measures to protect the personal data.

Such an agreement should also contain clear provisions on the allocation of liability between the controller and the processor in the event of a data breach.

Transfers out of country

Under the GDPR, the transfer of personal data outside the EEA to a country without an adequacy decision is in principle prohibited unless appropriate safeguards are in place (e.g. EU standard contractual clauses, an ad hoc data transfer agreement approved by the supervisory authority, or Privacy Shield certification of the recipient) or a derogation applies, such as the explicit consent of the data subject.

Art 44 GDPR restricts the transfer of personal data to a third country or an international organisation unless the transfer is to an adequate jurisdiction (Art 45 GDPR), a lawful transfer mechanism exists (Art 46 GDPR), or an exemption or derogation applies (Art 49 GDPR).

Some of the Art 49 GDPR exceptions to the above restrictions are:

  • where the individual has explicitly consented to the transfer after being informed of the possible risks;
  • where the transfer is necessary for the performance of a contract between the individual and the organisation;
  • where the transfer is necessary for the performance of a contract concluded in the interests of the individual between the data controller and another person.

Data Protection Officer

Under the GDPR, certain organisations are required to have a Data Protection Officer (DPO).

The obligation to appoint a DPO applies where:

  • the processing is carried out by a public authority or body (except for courts acting in their judicial capacity);
  • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.

Security

The GDPR requires the controller and the processor to implement appropriate technical and organisational measures to address the risks of the processing; in particular, the controller should adopt internal policies and implement measures that meet the principles of data protection by design and by default.

Examples of the expected security measures (Art 32 GDPR) are:

  • pseudonymisation and encryption of personal data;
  • ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.

In addition, Resolution of the Council of Ministers no. 41/2018 establishes the minimum mandatory and recommended technical requirements for the IT systems and networks of public entities, which must be adopted by 29 September 2019.

For example, it provides that data storage systems must ensure redundancy, resilience and availability with no single point of failure, and that two types of backup (online and offsite) must be maintained, with the offsite backups stored at a geographically separate location.

Breach notification

Under the GDPR, a personal data breach (a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed) must be notified to the CNPD without undue delay and, where feasible, not later than 72 hours after the controller becomes aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the breach is likely to result in a high risk to those rights and freedoms, the affected data subjects must also be informed without undue delay.

The requirement to notify affected individuals does not apply if any of the following conditions is met:

  • the controller has applied measures to the affected personal data which render the data unintelligible to any person not authorised to access it (e.g. encryption);
  • the controller has taken subsequent measures which ensure that the high risk is no longer likely to materialise; or
  • individual notification would involve disproportionate effort and the controller has instead made a public communication, or a similar measure, that informs the affected individuals equally effectively.

The CNPD provides a form used exclusively for notifying personal data breaches under Art 33 GDPR. Complaints or questions submitted to the CNPD are analysed and answered separately.

Direct marketing

Under Law no. 41/2004, communications for direct marketing purposes require the individual's prior consent, given after the individual has been provided with clear and comprehensive information.

Controllers therefore normally rely on an opt-in solution; in some cases a soft opt-in is also available, in particular where the data subject already has a contractual relationship with the controller.

General data protection law (including the GDPR) also gives the data subject the right to object at any time to processing for direct marketing purposes, namely through an opt-out option.

We also underline that consent for marketing purposes must be explicit.

Cookies

The use of cookies requires the individual's explicit consent, given after the individual has been provided with clear and comprehensive information. At present, controllers need to rely on consent as the legal basis for this processing.


Cyber Security 

Last updated 11 July 2019

Risk scale

Orange

Laws and regulations

  • Law no. 46/2018 of August 13th, which transposes Directive (EU) 2016/1148 of July 6th concerning measures for a high common level of security of network and information systems across the Union (the NIS Directive).
  • Law no. 16/2019 of August 22nd, which transposes Directive (EU) 2017/541 of March 15th on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA.
  • Decree-Law no. 62/2011 of May 9th, on the procedures for identifying and protecting critical infrastructure (transposing Directive 2008/114/EC of 8th December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection).
  • Decree-Law no. 116-A/2006 of 16th July, amended by Decree-Law no. 161/2012 of 31st July, on the certification of electronic information systems relating to public critical infrastructures.
  • Decree-Law no. 69/2014 of May 9th, establishing the National Cyber Security Centre (CNCS) and the terms of its institutional operation, amended by Decree-Law no. 136/2017 of November 6th.

Resolutions and Decisions regarding national cyber security policies and strategies (namely Resolutions of the Council of Ministers no. 12/2012 of January 16th, no. 19/2013 of April 5th, no. 36/2015, no. 7-A/2015 of February 20th, no. 41/2018 and no. 92/2019, and Decision of the Defence Minister no. 13692/2013 of October 28th).

Application

  • Law no. 46/2018 establishes the legal framework for cyberspace security, transposing Directive (EU) 2016/1148 of July 6th concerning measures for a high common level of security of network and information systems across the Union.

The Law applies to organisations in the following sectors/infrastructures: drinking water, energy (electricity and gas), nuclear, finance, telecommunications, transport and water control.

  • Law no. 16/2019 amends Law no. 52/2003 (counter-terrorism law), transposing Directive (EU) 2017/541 of March 15th on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA.
  • Decree-Law no. 62/2011 sets out the main procedure for identifying and protecting critical infrastructure in the energy and transport sectors, i.e. infrastructure that is essential to health, safety and the economic and social well-being of society.
  • Decree-Law no. 116-A/2006 of 16th July, amended by Decree-Law no. 161/2012 of 31st July, on the certification of electronic information systems relating to public critical infrastructures.
  • Resolution of the Council of Ministers no. 12/2012, which revises the national information security structure and, among other things, establishes the need to create the CNCS.
  • Decree-Law no. 69/2014 of May 9th, establishing the CNCS and the terms of its institutional operation.
  • Resolution of the Council of Ministers no. 19/2013 of April 5th, which sets out the strategic concept of national defence, taking into account the risks of cyberterrorism and cybercrime.
  • Resolution of the Council of Ministers no. 41/2018 of May 28th, which approves the minimum requirements for the information systems used by the State administration.
  • Resolution of the Council of Ministers no. 92/2019 of June 5th, which defines the first national strategy for the security of network and information systems (2019-2023).
  • Decision of the Defence Minister no. 13692/2013 of October 28th, which, having regard to the national defence strategy, sets out the main lines of the cyberdefence policy.
  • Resolution of the Council of Ministers no. 36/2015, which approves the National Cyberspace Security Strategy.
  • Resolution of the Council of Ministers no. 7-A/2015 of February 20th, on national security and the fight against terrorism, in particular implementing the National Action Plan against Cyber Threats.

Authority

Key obligations 

  • Law no. 46/2018:

The obligation, for public administration bodies, to take appropriate and proportionate technical and organisational security measures in response to the assessed level of risk to the security of their network and information systems.

The obligation, for digital service providers, operators of essential services and public administration bodies, to report any incident with a substantial impact to the Superior Council of Cyberspace Security.

  • Decree-Law no. 62/2011: 

The obligation to draw up a security plan and to review it annually (the review must be conducted by the competent national authorities);

The obligation to designate a liaison officer to act as the point of contact on matters relating to the security of European Critical Infrastructures (ECI), in particular for the exchange of information with the competent authorities on the related risks and threats;

The obligation to conduct an annual threat assessment for the ECI subsectors.

  • Decree-Law no. 116-A/2006:

The Decree-Law establishes the obligation to certify electronic information systems relating to public critical infrastructures.

The GNS (Gabinete Nacional de Segurança, the National Security Office) is the public entity responsible for accrediting natural and legal persons for access to and handling of classified information, and for the accreditation and supervision of entities operating within the State Electronic Certification System – Public Key Infrastructure (SCEE).

Penalties/enforcement

  • Law no. 109/2009 (Cybercrime Law) defines the computer-related offences and lays down procedural provisions for crimes committed by computer means or for which evidence has to be collected in electronic form. It provides for criminal penalties of up to 10 years' imprisonment or a fine of up to 600 days, taking special and aggravated circumstances into account.
  • Law no. 46/2018 lays down the obligations to report any incident with a substantial impact. Breaches are punishable with fines from EUR 1,000 to EUR 9,000, taking special and aggravated circumstances into account.
  • Law no. 16/2019 defines multiple terrorist offences. It provides for criminal penalties of up to 20 years' imprisonment or a fine of up to 480 days, taking special and aggravated circumstances into account.

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

Yes. CERT.PT is a service integrated in the CNCS that coordinates the response to incidents involving State entities, critical infrastructures, operators of essential services, digital service providers and, in general, the national cyberspace, including any device belonging to a network or address block assigned to an electronic communications operator, institution, legal person or natural person based, or physically located, in Portuguese territory.

There is also a National CSIRT Network, which provides a set of services to its members and coordinates with the CNCS where an incident requires it.

Is there a national incident management structure for responding to cyber security incidents?

Yes. The CNCS provides a response structure for handling cybersecurity crises and incidents that require national-level coordination and/or management (see the answer above).

Other cyber security initiatives

The CNCS cooperates with several international entities on cybersecurity matters (e.g. the European Commission, ENISA, ISACs, NATO, the OSCE and the "No More Ransom" project).


Authors

José Luís Arnaut
Managing Partner
Lisbon