Data Protection in Portugal

Registration in Portugal

EU regulation

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.


Portugal regulation

Under the prior Personal Data Protection Law data controllers who processed personal data should notify such activity to the supervisory authority (CNPD), unless a specific exemption applies. However, such obligations are, as general rule, no longer applicable.

Under Law no 58/2019 of 8 August, the implementation of video surveillance systems with sound recording is not allowed except in cases where the monitored premises are closed or there is prior authorization from the supervisory authority.

Continue reading

  • no results

Previous topic
Back to top