Data Protection in Portugal

Enforcement in Portugal

EU regulation

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that 'undertaking' should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinized carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some circumstances (broadly where there is participation or control), so-called "look through" liability. Again, it remains to be seen whether there will be a direct read-across of this principle into GDPR enforcement.

Fines are split into two broad categories. 
The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:

  • The basic principles for processing including conditions for consent
  • Data subjects’ rights
  • International transfer restrictions
  • Any obligations imposed by Member State law for special cases such as processing employee data
  • Certain orders of a supervisory authority

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:

  • Obligations of controllers and processors, including security and data breach notification obligations
  • Obligations of certification bodies
  • Obligations of a monitoring body

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

  • Any person who has suffered "material or non-material damage" as a result of a breach of the GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.
  • Data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77). 

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).


Portugal regulation

CNPD is the supervisory authority responsible for the enforcement of personal data protection laws and regulations in Portugal. Failure to comply with applicable data protection and privacy legal requirements may result in criminal, civil and administrative liability. Law no 58/2019 of 8 August  contains provisions related with civil administrative and criminal liability :

(a) The use of personal data in a manner that is incompatible with the purposes of collection, unauthorized access, or deviation of personal data; the vitiation or erasure of personal data; the insertion of false data, the violation of the duty of secrecy and disobedience, constitute crimes punishable by a prison sentence of up to four years or a fine of up to 480 days. In general terms, legal persons and similar entities have criminal liability.

(b) Any person who has suffered damages due to the unlawful processing of personal data or any other act that violates the provisions of the GDPR or of the national law on personal data protection, has the right to compensation from the data controller or the processor for the damage suffered.

(c) Very serious administrative offences shall be punishable with a fine:

  • From EUR 5,000 to EUR 20,000,000 or 4% of the total worldwide annual turnover, whichever is higher, in the cases of large companies
  • From EUR 2,000 to EUR 2,000,000 or 4% of the total worldwide annual turnover, whichever is higher, in the case of SMEs
  • From EUR 1,000 to EUR 500,000, in the case of natural persons

Serious administrative offences shall be punishable with a fine:

  • From EUR 2,500 to EUR 10,000,000 or 2% of the total worldwide annual turnover, whichever is higher, in the cases of large companies
  • From EUR 1,000 to EUR 1,000,000 or 2% of the total worldwide annual turnover, whichever is higher, in the cases of SMEs
  • From EUR 500 to EUR 250,000, in the case of natural persons

However, that local supervisory authority issued the Decision 494/2019 deciding not to apply certain provisions of Law no 58/2019 of 8 aAugust, notably the ones related with the sanctions applicable to the administrative offenses as were considered in contradiction with GDPR. As so, local supervisory authority, will apply the sanctions described in GDPR.

Continue reading

  • no results

Previous topic
Back to top