
Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

Law 67/98, a dedicated data protection law which governs personal data processing, requires that the holding of personal data be legitimised on specific grounds.

In the case of non-sensitive data, processing is legitimate where the data subject has given his or her consent or it is required for the personal data owner to:

  • perform a contract or contracts to which the data subject is a party;
  • complete pre-contractual steps, at the data subject’s request, before he or she will enter into a contract or declare his or her will to negotiate;
  • comply with its legal obligations;
  • protect the data subject’s vital interests, where he or she is physically or legally incapable of providing consent;
  • perform a task that is in the public interest or necessary in accordance with the official authority vested in the personal data owner or a third party to which the personal data is disclosed; or
  • meet a need resulting from the legitimate interests of the personal data owner (or third parties to whom the personal data is disclosed), unless overridden by the individual’s fundamental rights, freedoms or guarantees.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

Law 67/98 does not specify required retention periods, the general rule being that personal data cannot be held for longer than is necessary for the specific purposes for which it was collected and processed.

The National Commission for the Protection of Data (CNPD) has issued guidelines and decisions which indicate the duration for which certain categories of personal data may be held for specific purposes. In addition, all authorisation and registration procedures filed with the CNPD will specify the duration for which the personal data owner is allowed to hold the relevant personal data. 

Do individuals have a right to access personal information about them that is held by an organisation?

Individuals have the right to access their personal information held by personal data owners. While Law 67/98 contains no specific provisions on the formalities for exercising this right of access, it does establish that such access cannot be subject to restrictions, excessive delay or expense.

When notifying individuals that they hold their personal data, personal data owners must advise the individuals of their right to access and correct the data and provide information on the conditions for doing so.

Do individuals have a right to request deletion of their data?

Data subjects are entitled to request the deletion of their data if it is incomplete, inaccurate or being processed for reasons which are incompatible with the data controller’s legitimate grounds and purposes for doing so.

Consent obligations

Is consent required before processing personal data?

The data subject’s consent is not always required before processing personal data – for example, prior consent is not required for:

  • performing a contract or contracts to which the data subject is a party or in order to take steps, at the data subject's request, before he or she will enter into a contract or declare his or her will to negotiate;
  • complying with a legal obligation, other than a contractual obligation;
  • protecting the data subject’s vital interests where he or she is physically or legally incapable of providing consent;
  • undertaking public functions; or
  • pursuing the legitimate interests of the data controller (eg, employer) or third parties to whom the data is disclosed, unless this is overridden by the fundamental rights, freedoms or guarantees of the individual (eg, employee).

There are no specific rules concerning consent by minors.

If consent is not provided, are there other circumstances in which data processing is permitted?

In the case of non-sensitive data, processing is legitimate where the data subject has given his or her consent or it is required for the personal data owner to:

  • perform a contract or contracts to which the data subject is a party;
  • complete pre-contractual steps, at the data subject’s request, before he or she will enter into a contract or declare his or her will to negotiate;
  • comply with its legal obligations;
  • protect the data subject’s vital interests, where he or she is physically or legally incapable of providing consent;
  • perform a task that is in the public interest or necessary in accordance with the official authority vested in the personal data owner or a third party to which the personal data is disclosed; or
  • meet a need resulting from the legitimate interests of the personal data owner (or third parties to whom the personal data is disclosed), unless overridden by the individual’s fundamental rights, freedoms or guarantees.

What information must be provided to individuals when personal data is collected?

Data controllers must provide the following information to data subjects before or on collecting personal data directly from them:

  • the data controller’s identity;
  • the purposes for processing the data; and
  • other relevant information, including, at a minimum:
    • the data recipients or category of recipients;
    • the statutory or voluntary nature of response required from the subject (and the consequences of not providing a response);
    • the fact that the data may be circulated on the network without security measures and be at risk of being seen or used by unauthorised third parties, when the data collection is made on an open network; and
    • information on the subject’s rights of access to and correction of his or her personal data.

When the data controller does not obtain the data directly from the subject, it must provide the required information before or on commencing the first processing operation.
