GDPR Enforcement in Portugal

Deep dive into relevant data protection enforcement cases and insights from Portugal

21 May 2026 Serbia 10 min read

Main takeaways

Largest fine in Portugal: EUR 4.3 million applied to the Instituto Nacional de Estatística (2022) for infringements mainly regarding international transfers of personal data to the United States of America. The fine has been challenged in court.
CNPD Budget: EUR 3.7 million for 2025.
Allocation of fines: 60% goes to the Portuguese state and 40% goes to the Comissão Nacional de Proteção de Dados (the Portuguese supervisory authority).
Entities: Public and private entities may be fined and ancillary sanctions may be imposed by the Portuguese supervisory authority.
Annual reports: The annual reports state the number of fines and their amounts, e.g. 90 fines with a total value of EUR 559,950.00 in 2023. For more information, please see the Portuguese supervisory authority Annual Reports at button 1 below.
Annual Plan of Activities: The Portuguese supervisory authority publishes an annual plan with the authority’s strategic objectives. For more information, please see the Portuguese supervisory authority 2025 Annual Plan of Activities at button 2 below.

Annual Reports | Portugal

Annual Plan of Activities | Portugal

Fining practice

Trend: Have the national data protection authorities in Portugal focused on certain types of non-compliance with data protection law so far or have the authorities announced that they will investigate certain types of non-compliance more closely in the future (e.g. incorrect use of cookie banners, monitoring of employees, possibly also due to Covid-related home office, etc.)? Do you see a focus on certain industries/sectors? If so, which ones?

Since the CNPD no longer publishes its decisions and administrative proceedings on individual cases, it is not possible to identify any particular trend in the types of non-compliance that the CNPD intends to track more closely in the future. However, in its Annual Plan of Activities for 2025, the CNPD has explicitly stated that it is committed to increasing the efficiency of sanctioning actions. In this context, for example, the CNPD has announced that it will present a bill to the Portuguese Assembly of the Republic and the Government – with a view to creating an electronic procedure, by allowing:

  1. the elimination of repetitive and paper-based acts;
  2. a reduction in the duration of the administrative offence procedure (which is always possible in an electronic procedure); and
  3. in the event of a judicial challenge to an administrative offence decision, a clear provision as to which court has jurisdiction and that the CNPD can intervene autonomously (like other regulatory bodies such as the National Communications Authority, the Bank of Portugal or the Securities Market Commission).

As for the sectors that are more likely to be on the radar of the CNPD, we believe that all sectors whose business models and marketing approach rely heavily on sending unsolicited communications are particularly prone to close supervision by the CNPD. In addition, the processing of personal data of minors is a very topical issue that will certainly be closely followed by the CNPD.

Overall, what was the most significant fine in Portugal to date (please specify recipient, amount, type of violation, sector, brief summary)? Has the fine been challenged in court? If yes: With success or what is the status of the proceedings?

To date, the most significant administrative fine applied by the Portuguese supervisory authority in Portugal was in December 2022 for EUR 4,300,000.00 to Instituto Nacional de Estatística (INE), which is the entity responsible for producing and publishing official statistics in Portugal. This fine was imposed due to several violations committed by INE, namely the unlawful processing of personal data relating to health and religion, failure to comply with the obligation to inform data subjects, failure to comply with the obligation to exercise due diligence in the selection of subcontractors, failure to comply with the legal provisions relating to the international transfer of data and failure to comply with the obligation to carry out a privacy impact assessment in relation to a specific processing activity.

The fine has been challenged by the INE before the courts and there is still no final decision.

Organisation of authorities and course of fine proceedings in Portugal

How is the data protection authority organised in Portugal? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?

The Comissão Nacional de Proteção de Dados (CNPD) is the independent administrative and supervisory authority responsible for overseeing and enforcing data protection laws in Portugal and is not assigned to any specific ministry.

The most recent publicly available activities report to date is from 2025 and according to it, the annual budget for that year was EUR 3.7 million. With regard to how many staff are employed, CNPD had 36 employees as of 2025.

How does a fine procedure work in Portugal? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?

The CNPD has full autonomy to impose fines and ancillary sanctions without the need of any prior authorisation from any other public or private entity.

In Portugal, the misdemeanour process, particularly concerning administrative offences related to data protection, is governed by Law no. 58/2019 of 8 August 2019, which implements certain aspects of the GDPR. The process can be divided into two main phases: (i) the administrative phase and (ii) the judicial phase.

Administrative phase

1. Detection and reporting of the offence:
  • The process begins when a potential data protection violation is detected. This can be reported by individuals or organisations or identified through inspections by the CNPD.
  • Except in the case of wilful misconduct, the initiation of administrative offense proceedings depends on the CNPD's prior warning of the agent to comply with the neglected obligation or reinstate 
2. Investigation:
  • The CNPD investigates to gather evidence and determine whether a data protection law has been violated. This may involve requesting information from the alleged offender, conducting audits and interviewing witnesses.
3. Notification of the alleged offender:
  • If the CNPD finds sufficient evidence of a violation, it notifies the alleged offender of the charges. The notification includes details of the alleged offence, the evidence collected and the potential penalties.
4. Right to a hearing:
  • The alleged offender has the right to present their defence. They can submit written statements, provide additional evidence and request a hearing to present their case orally.
5. Decision:
  • After considering the evidence and the defence, the CNPD issues a decision. If the CNPD finds the alleged offender guilty, it imposes administrative sanctions, which can include fines, warnings or orders to cease certain activities.
6. Notification of the decision:
  • The CNPD notifies the offender of its decision and the imposed sanctions. The notification includes information on the right to appeal the decision.

Judicial phase

1. Appeal to the court:
  • If the offender disagrees with the CNPD's decision, they can appeal to the competent court. The appeal must be filed within a specified period (usually 30 days) from the date of notification of the CNPD's decision.
2. Judicial review:
  • The court reviews the CNPD's decision, the evidence and the arguments presented by both parties. The court may request additional evidence or hold hearings to gather more information.
3. Court decision:
  • After reviewing the case, the court issues a decision. The court can uphold, modify or overturn the CNPD's decision. If the court finds in favour of the offender, it may annul the sanctions imposed by the CNPD.
4. Further appeals:
  • If either party is dissatisfied with the court's decision, they may have the right to further appeal to higher courts, such as the Court of Appeal (Tribunal da Relação) or the Supreme Court of Justice (Supremo Tribunal de Justiça), depending on the nature and significance of the case.

When fines are imposed by the data protection authority: Where does the money go? (e.g., the state treasury, the authority's budget)?

60% of the amount of the fines collected is allocated to the Portuguese state and 40% is allocated to the CNPD.

Is there a common, official calculation methodology for fines in Portugal (such as the fining models in the Netherlands or Germany)?

Whenever it applies an administrative fine, the CNPD relies on the requirements set out in the GDPR, Law no. 58/2019 of 8 August 2019 (“Portuguese Data Protection Act”) and in the Administrative Fine General Law.

Specifically, the CNPD also considers the following criteria set forth in the Portuguese Data Protection Act: (a) the economic situation of the agent in the case of an individual or the turnover and annual balance sheet in the case of a legal entity; (b) the continuous nature of the infraction; (c) the size of the entity, the number of employees and the nature of the services provided.

Can public authorities be fined in Portugal? If they can: Where does this money go?

Yes. The administrative fines provided for in the GDPR and in national law are equally applied to public and private entities.

60% of the amount of the fines collected is allocated to the Portuguese state and 40% is allocated to the CNPD.

In Portugal, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?

As of 2022, CNPD no longer publishes information on cases involving individual fines and the affected companies are not identifiable in publications.

If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines? What were the annual figures from 2019?

Yes. Each year, CNPD publishes an activity report where, among other information, it details the number of cases and the fine amounts applied. From 2019 until 2023 (the latest activity report published), the numbers are the following:

  • 2019: 34 fines with a total value of EUR 600,000;
  • 2020: 15 fines with a total value of EUR 45,000;
  • 2021: 60 fines with a total value of EUR 1,491,500;
  • 2022: 71 fines with a total value of EUR 4,802,000;
  • 2023: 90 fines with a total value of EUR 559,950;
  • 2024: 23 fines with a total value of EUR 138,375;
  • 2025: 2 fines with a total value of EUR 47,000.

Other legal consequences of non-compliance in Portugal

Does Portugal have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?

Data subjects have the right to appoint a non-profit body, organisation or association, constituted in accordance with national law, whose statutory purposes are in the public interest and whose activity covers the defence of the rights, freedoms and guarantees of the data subject with regard to the protection of personal data, to exercise on their behalf rights regarding the enforcement of the GDPR and national law.

As an example, in 2023, Ius Omnibus, a European non-profit consumer rights association, filed three lawsuits regarding non-compliance with data protection rules against three different companies: (i) TikTok for excessive collection of personal data, especially from minors, without proper consent; (ii) FloHealth, the developer of a female health tracking app, for sharing sensitive personal data with third parties without transparency or valid consent; and (iii) PubMatic, a digital marketing company, for the use of tracking technologies without user authorisation and lack of clarity regarding how personal data are collected, processed and transferred outside the EU.

It is also possible for data subjects to join a class action (ação popular) under the general administrative national laws.

What is more relevant in Portugal: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?

Both forms of action — fines imposed by the CNPD and judicial actions — are highly relevant in the context of data protection in Portugal. On the one hand, fines have an immediate impact and serve as an effective deterrent mechanism to ensure compliance with the law. On the other hand, judicial actions, particularly collective ones led by associations, such as Ius Omnibus, have been gaining relevance, especially in the digital sector and areas with greater exposure to the processing of personal data. In the coming years, it is expected that both mechanisms will gain prominence, complementing each other and working together to strengthen the protection of citizens' rights.
 
