Data Protection in Portugal

Data protection laws in Portugal

EU regulation

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A Regulation (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An 'establishment' may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that it is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or "the monitoring of their behaviour" (Article 3(2)(b)) as far as their behaviour takes place within the EU.


Portugal regulation

Currently, processing of personal data in Portugal is governed by GDPR and Law no 58/2019 of 8 August, ensuring the execution of GDPR in Portugal. However, local supervisory authority (CNPD) issued the Decision 494/2019 deciding not to apply certain provisions of such law as they were considered in contradiction with GDPR:

  • article 2(1) and (2): scope of the Law;
  • article 20(1): duty of secrecy;
  • article 23: processing of personal data by public entities for different purposes;
  • article 28(3)(a): consent of employee in an employment context;
  • article 37(1)(a)(h)(k) and (2): misdemeanors and applicable sanctions;
  • article 38(1)(b) and (2): misdemeanors and applicable sanctions;
  • article 39(1) and (3): misdemeanors and applicable sanctions;
  • article 61(2): connection between the expiry of consent and termination of the agreement (for existing agreements);
  • article 62(2): revocation of provisions requiring prior authorization or notification to CNPD with effect from the date of entry into force of the GDPR.

Furthermore, Law no 59/2019 of 8 August contains provisions related with personal data processing for purposes of prevention, detection, investigation and repression of criminal offenses and for purposes of execution of criminal sanctions, transposing EU Directive 2016/680 of the European Parliament and the Council of 27, April, 2016.

Relevant data protection provisions in the context of electronic communications may also be found in Law 41/2004, of 18 August (Law on the processing of personal data and the protection of privacy in the electronic communications, as amended by Law 46/2012, of 29 August and enacted pursuant to Directive 2002/58/EC) (with subsequent amendments arising from Article 2 of Directive 2009/136/EC).

Continue reading

  • no results

Back to top