Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Data controllers must implement appropriate technical and organisational measures to protect data against:

  • accidental or unlawful destruction;
  • accidental loss or alteration;
  • unauthorised disclosure or access; and
  • other unlawful forms of processing.

The level of security required must be appropriate in view of the risks represented by the relevant processing activity and the nature of the data being processed. Appropriateness must be measured considering industry standards and the cost of implementation.

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

Law 67/98 includes no requirement to notify data subjects of a personal data security breach. Nevertheless, in the electronic communications sector, there is a specific requirement to notify the relevant data subjects of a breach if it is likely to affect them adversely. This requirement applies to data security breaches that may lead to identity fraud or theft or physical or reputational damage or humiliation.

Are data owners/processors required to notify the regulator in the event of a breach?

Law 67/98, a dedicated data protection law which governs personal data processing, includes no requirement to notify the National Commission for the Protection of Data (CNPD) of a personal data security breach. Nevertheless, in the electronic communications sector, there is a specific requirement to notify the national regulator of a breach if it is likely to affect the data subjects adversely. This requirement applies to data security breaches that may lead to identity fraud or theft or physical or reputational damage or humiliation.