Data Protection in Portugal

Transfer in Portugal

EU regulation

Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)). 

The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.

With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).

The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council. In line with this obligation, the Commission published its Report on the first periodic review of the adequacy decision for Japan on 4 April 2023. On 15 January 2024 the Commission published its Report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC. On 9 October 2024, the Commission published its Report on the first review of the functioning of the adequacy decision on the EU-US Data Privacy Framework.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes among others binding corporate rules and standard contractual clauses. The EU-US Privacy Shield Framework does not constitute an appropriate safeguard for transferring personal data to the USA since the European Commission Decision 2016/1250 (which was the legal basis for the EU-US Privacy Shield) has been invalidated by the European Court of Justice on 16 July 2020 (Case C-311/18, Schrems II). The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.

The GDPR also includes a list of context specific derogations, permitting transfers to third countries where: 

  1. Explicit informed consent has been obtained
  2. The transfer is necessary for the performance of a contract or the implementation of pre-contractual measures
  3. The transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person
  4. The transfer is necessary for important reasons of public interest
  5. The transfer is necessary for the establishment, exercise or defense of legal claims
  6. The transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained
  7. The transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject. Notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State. A transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.


Portugal regulation

Transfers to non-EU/EEA countries or international organizations follow GDPR rules. In respect of transfers of personal data to third countries or international organizations, where the processing is necessary for compliance with a legal obligation and where it is carried out by public entities in the exercise of authority powers, said transfers shall be considered as in the public interest.

Continue reading

  • no results

Previous topic
Back to top