Data Protection in Portugal

Breach notification in Portugal

EU regulation

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to affected data subjects. A personal data breach is a wide concept, defined as any "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed" (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification to the supervisory authority is not executed within 72 hours, it shall be accompanied by the reasons for the delay.When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals and records concerned, the name of the organization’s data protection officer or other contact, the likely consequences of the breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory authority) and permit audits of the record by the supervisory authority.


Portugal regulation

Personal data breach notifications are required in the circumstances provided in Article 33 GDPR. The Portuguese supervisory authority (CNPD) set out the procedure for a personal data breach notification. A specific form on the supervisory authority's website should be completed and submitted to notify data breaches (the form is available here). The supervisory authority makes also available a form which allows a previously submitted notification to be amended (the form is available here).

Also Law 41/2004, of 18 August (as amended) establishes that companies that provide electronic communications services accessible to the public shall, without undue delay, notify the Data Protection Authority (CNPD) of a personal data breach. When the personal data breach may affect negatively the subscriber’s or user’s personal data, companies providing electronic communications services to the public should also, without undue delay, notify the breach to the subscriber or user so that they can take the necessary precautions.

For these purposes, a negative effect on personal data exists when the breach may result namely in theft or identity fraud, physical harm, significant humiliation or damage to reputation.

Continue reading

  • no results

Previous topic
Back to top