
Jurisdiction snapshot

Trends and climate

Would you consider your national data protection laws to be ahead of or behind the international curve?

Portugal’s data protection laws are in line with those of the European Union. The existing legislation is the result of the transposition of the EU Data Protection Directive (95/46/EC), which is applicable to all EU member states.

Are any changes to existing data protection legislation proposed or expected in the near future?

Yes, following the approval of the EU General Data Protection Regulation (2016/679) – which revokes the EU Data Protection Directive – EU member states, including Portugal, will be subject to new data protection legislation. The new EU General Data Protection Regulation does not require any enabling legislation to be passed by national governments and will be directly binding and applicable from May 25 2018, following a two-year transition period. 

Legal framework

Legislation

What legislation governs the collection, storage and use of personal data?

In 1998 Portugal issued Law 67/98, a dedicated data protection law which governs personal data processing. A previous data protection law (Law 10/91), dedicated to the protection of personal data processed by automated means, was issued in 1991. This initial law was based on the Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (Convention 108), which was adopted by the Council of Europe. The existing Law 67/98 implements the EU Data Protection Directive (95/46/EC). At present, there is no specific legislation based on the EU General Data Protection Regulation (2016/679), which revokes the EU Data Protection Directive.

As regards national constitutional privacy provisions, Article 35 of the Constitution (concerning the use of computerised data) sets out the relevant principles and guarantees regarding personal data protection.

Portugal has also adopted international instruments of relevance to personal data protection, including:

  • Convention 108;
  • the European Convention for the Protection of Human Rights and Fundamental Freedoms, Article 8 of which is specifically relevant to personal data protection; and
  • Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.

Scope and jurisdiction

Who falls within the scope of the legislation?

Law 67/98 applies to both public and private entities.

Video surveillance and other forms of personal data collection, processing and broadcasting comprising sounds or images fall under the definition of ‘personal data processing’ and are subject to Law 67/98 when the controller is established in Portugal or uses a network access provider established in Portugal.

Law 67/98 also applies to the processing of personal data regarding public security, national defence and state security, without prejudice to special rules contained in international law instruments to which Portugal is bound and relevant domestic laws.

What kind of data falls within the scope of the legislation?

Law 67/98 defines ‘personal data’ as any information concerning an identified or identifiable natural person, including sounds and images, regardless of the individual’s authorisation. A natural person is deemed to be identifiable when he or she can be directly or indirectly identified, including by reference to an identification number or to one or more features that are specific to his or her physical, physiological, mental, economic, cultural or social identity.

Under Law 67/98, ‘sensitive data’ refers to any information regarding the data subject’s:

  • philosophical or political beliefs;
  • political party or trade union membership;
  • religious beliefs;
  • private life;
  • racial or ethnic origin; and
  • health or sex life (including genetic data).

It also includes information regarding illegal activities which the data subject is suspected of having carried out, as well as criminal or administrative offences that he or she has committed and decisions resulting in criminal penalties, security measures, administrative fines or additional conviction measures.

Are data owners required to register with the relevant authority before processing data?

Data owners must notify the local data protection authority before processing personal information. In addition, prior authorisation from the local data protection authority is required for:

  • the processing of sensitive personal data or data relating to the data subject’s credit or solvency; and
  • data alignment or a combination not provided for in a legal instrument.

The same applies to the use of personal data for purposes other than those for which it was collected.

The National Commission for the Protection of Data (CNPD) has issued limited-scope decisions that exempt data owners from prior registration or authorisation when processing certain predefined categories of data for specific purposes. These include the processing of:

  • specific categories of employee data for payroll purposes; and
  • client data for invoicing purposes.

Is information regarding registered data owners publicly available?

Yes – the CNPD register (which mainly concerns authorisation decisions) is publicly available, free of charge, on the authority’s website. However, the information available is incomplete.

Is there a requirement to appoint a data protection officer?

The appointment of a data protection officer is not mandatory in Portugal.

Enforcement

Which body is responsible for enforcing data protection legislation and what are its powers?

The CNPD is the authority responsible for overseeing Law 67/98 in Portugal.

CNPD officers (or delegated staff) have powers to obtain information on personal data processing activities from public and private bodies and rights of access to:

  • the computer systems that support such personal data processing; and
  • all documentation relating to the processing and transmission of personal data, within the scope of their duties and responsibilities.

Such responsibilities include:

  • supervising and monitoring compliance with the laws and regulations regarding privacy and personal data;
  • exercising investigative powers relating to any personal data processing activity, including personal data transmission;
  • exercising powers of authority, particularly ordering the blocking, erasure or destruction of personal data or imposing a temporary or permanent mandatory order banning unlawful personal data processing;
  • issuing public warnings or an admonition to personal data owners that fail to comply with personal data protection legal provisions;
  • imposing fines for breaches of Law 67/98 or other specific data protection legal provisions; and
  • reporting criminal offences to the Public Prosecution Office in the context of Law 67/98 and pursuing measures to provide evidence thereon.

Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

Law 67/98, a dedicated data protection law which governs personal data processing, requires that the holding of personal data be legitimised on specific grounds.

In the case of non-sensitive data, processing is legitimate where the data subject has given his or her consent or it is required for the personal data owner to:

  • perform a contract or contracts to which the data subject is a party;
  • complete pre-contractual steps, at the data subject’s request, before he or she will enter into a contract or declare his or her will to negotiate;
  • comply with its legal obligations;
  • protect the data subject’s vital interests, where he or she is physically or legally incapable of providing consent;
  • perform a task that is in the public interest or necessary in accordance with the official authority vested in the personal data owner or a third party to which the personal data is disclosed; or
  • meet a need resulting from the legitimate interests of the personal data owner (or third parties to whom the personal data is disclosed), unless overridden by the individual’s fundamental rights, freedoms or guarantees.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

Law 67/98 does not specify required retention periods, the general rule being that personal data cannot be held for longer than is necessary for the specific purposes for which it was collected and processed.

The National Commission for the Protection of Data (CNPD) has issued guidelines and decisions which indicate the duration for which certain categories of personal data may be held for specific purposes. In addition, all authorisation and registration procedures filed with the CNPD will specify the duration for which the personal data owner is allowed to hold the relevant personal data. 

Do individuals have a right to access personal information about them that is held by an organisation?

Individuals have the right to access their personal information held by personal data owners. While Law 67/98 contains no specific provisions on the formalities for exercising this right of access, it does establish that such access cannot be subject to restrictions, excessive delay or expense.

When notifying individuals that they hold their personal data, personal data owners must advise the individuals of their right to access and correct the data and provide information on the conditions for doing so.

Do individuals have a right to request deletion of their data?

Data subjects are entitled to request the deletion of their data if it is incomplete, inaccurate or being processed for reasons which are incompatible with the data controller’s legitimate grounds and purposes for doing so.

Consent obligations

Is consent required before processing personal data?

The data subject’s consent is not always required before processing personal data – for example, prior consent is not required for:

  • performing a contract or contracts to which the data subject is a party or in order to take steps, at the data subject’s request, before he or she will enter into a contract or declare his or her will to negotiate;
  • complying with a legal obligation, other than a contractual obligation;
  • protecting the data subject’s vital interests where he or she is physically or legally incapable of providing consent;
  • undertaking public functions; or
  • pursuing the legitimate interests of the data controller (eg, employer) or third parties to whom the data is disclosed, unless this is overridden by the fundamental rights, freedoms or guarantees of the individual (eg, employee).

There are no specific rules concerning consent by minors.

If consent is not provided, are there other circumstances in which data processing is permitted?

In the case of non-sensitive data, processing is legitimate where the data subject has given his or her consent or it is required for the personal data owner to:

  • perform a contract or contracts to which the data subject is a party;
  • complete pre-contractual steps, at the data subject’s request, before he or she will enter into a contract or declare his or her will to negotiate;
  • comply with its legal obligations;
  • protect the data subject’s vital interests, where he or she is physically or legally incapable of providing consent;
  • perform a task that is in the public interest or necessary in accordance with the official authority vested in the personal data owner or a third party to which the personal data is disclosed; or
  • meet a need resulting from the legitimate interests of the personal data owner (or third parties to whom the personal data is disclosed), unless overridden by the individual’s fundamental rights, freedoms or guarantees.

What information must be provided to individuals when personal data is collected?

Data controllers must provide the following information to data subjects before or on collecting personal data directly from them:

  • the data controller’s identity;
  • the purposes for processing the data; and
  • other relevant information, including, at a minimum:
    • the data recipients or category of recipients;
    • the statutory or voluntary nature of response required from the subject (and the consequences of not providing a response);
    • the fact that the data may be circulated on the network without security measures and be at risk of being seen or used by unauthorised third parties, when the data collection is made on an open network; and
    • information on the subject’s rights of access to and correction of his or her personal data.

When the data controller does not obtain the data directly from the subject, it must provide the required information before or on commencing the first processing operation.

Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Data controllers must implement appropriate technical and organisational measures to protect data against:

  • accidental or unlawful destruction;
  • accidental loss or alteration;
  • unauthorised disclosure or access; and
  • other unlawful forms of processing.

The level of security required must be appropriate in view of the risks represented by the relevant processing activity and the nature of the data being processed. Appropriateness must be measured considering industry standards and the cost of implementation.

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

Law 67/98 includes no requirement to notify data subjects of a personal data security breach. Nevertheless, in the electronic communications sector, there is a specific requirement to notify the relevant data subjects of a breach if it is likely to affect them adversely. This requirement applies to data security breaches that may lead to identity fraud or theft or physical or reputational damage or humiliation.

Are data owners/processors required to notify the regulator in the event of a breach?

Law 67/98, a dedicated data protection law which governs personal data processing, includes no requirement to notify the National Commission for the Protection of Data (CNPD) of a personal data security breach. Nevertheless, in the electronic communications sector, there is a specific requirement to notify the national regulator of a breach if it is likely to affect the data subjects adversely. This requirement applies to data security breaches that may lead to identity fraud or theft or physical or reputational damage or humiliation.

Electronic marketing and internet use

Electronic marketing

Are there rules specifically governing unsolicited electronic marketing (spam)?

When natural persons are concerned, unsolicited electronic commercial communication is limited to cases where prior explicit consent has been provided by the data subject. In the case of legal persons, such communications may be sent without prior consent, but the legal person may express its opposition, in which case no further communications can be sent.

There is an exception to the above rule, as a controller that has made electronic contact with its customers in the context of the sale of products or services may use customer contact details to send commercial communications regarding the products marketed by the controller or similar ones. Nevertheless, the controller must provide customers with a chance to object to such unsolicited communications, free of charge and in an easy manner. This must be done both when the contact data is collected and when each commercial message is sent.

A valid point of contact for objecting to future communications must be provided in all commercial communications. Further, an up-to-date list of subjects that have consented (or not objected) to such communications must be kept at all times.

Cookies

Are there rules governing the use of cookies?

Portugal has adopted legislation implementing Article 5.3 of the EU Privacy and Electronic Communications Directive (2002/58/EC), as amended by the EU E-Privacy Directive (2009/136/EC). The implementing legislation came into effect on August 30 2012.

The use of cookies requires individual consent, on having been provided with clear and comprehensive information on the use of cookies, as well as the categories of personal data processed and the purposes thereof.

There is no explicit provision on the nature of such consent and the CNPD has issued no formal guidelines on its understanding. However, the system implemented in Portugal tends to be seen as an opt-in solution.

Data transfer and third parties

Cross-border data transfer

What rules govern the transfer of data outside your jurisdiction?

Companies and all other categories of data controller may transfer data that they process within EU and European Economic Area (EEA) member countries. Transfers outside these geographical boundaries are restricted.

Transferring data to a third country (ie, a non-EU or EEA country) is permitted only when:

  • it complies with the general processing requirements of Law 67/98, a dedicated data protection law which governs personal data processing; and
  • the recipient country ensures an adequate level of protection in light of all of the circumstances surrounding the relevant transfer operations.

Data may be transferred to the United States under the EU-US Privacy Shield, following its adoption by the European Commission on July 12 2016.

Are there restrictions on the geographic transfer of data?

The transfer of personal data to another EU or EEA country is not restricted, whereas the transfer of personal data outside these territories is. In the latter case, transfer is permitted only when it complies with Law 67/98 and the state to which the personal data is being transferred ensures an adequate level of protection in light of all of the circumstances surrounding the personal data transfer, with special consideration being given to:

  • the nature of the personal data to be transferred;
  • the purpose and duration of the proposed processing;
  • the country of final destination;
  • the rules of law in force in the state in question (both general and sector rules); and
  • the rules and security measures that must be complied with in such country.

Personal data may be transferred from Portugal to non-EU or EEA countries that have been the subject of a European Commission adequacy decision which acknowledges that such country ensures an adequate level of protection by way of its domestic law or international commitments. Transfer may also be made under contracts that follow the standard form model clauses approved by the European Commission. The National Commission for the Protection of Data (CNPD) does not accept binding corporate rules regarding the transfer of personal data. In 2015 it issued a guideline stating that entities within a single corporate group may enter into intragroup agreements that are compatible with the approved standard form model clauses. In addition, transfer to the United States may be performed under the EU-US Privacy Shield framework, following its adoption by the European Commission on July 12 2016. Transfer may also take place, subject to the CNPD’s prior authorisation, if a derogation case applies. Derogations include, among others specified by law:

  • the individual having given his or her unambiguous consent to the proposed transfer; or
  • the transfer being necessary for:
    • the performance of a contract between the individual and the personal data owner or the implementation of pre-contractual measures at the individual’s request;
    • the performance of a contract between the personal data owner and a third party, which is in the individual’s interest;
    • legal proceedings; or
    • the protection of the individual’s vital interests. 

Third parties

Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

When a third party (processor) processes personal data on behalf of the data controller, it must act only on the controller’s instructions, unless required to act otherwise by law. The processor must enter into a written contract with the controller. The contract or an equivalent mutually binding instrument must contain provisions which:

  • ensure that the processor is bound to act only on the controller’s instructions; and
  • guarantee that the relevant security measures are also incumbent on the processor.

When selecting a processor, the controller must ensure that the selected entity provides sufficient guarantees for carrying out the required technical and organisational security measures. The data controller must ensure that the processors comply with the relevant measures. 

Penalties and compensation

Penalties

What are the potential penalties for non-compliance with data protection provisions?

Both administrative penalties and orders and criminal penalties may arise from data protection law violations or breaches.

Law 67/98, a dedicated data protection law which governs personal data processing, sets out two levels of fine (each of which is then divided into two further levels), depending on the seriousness of the misdemeanour.

In the case of less serious administrative offences (acts or omissions), applicable fines range from €498.79 to €4,987.97. This limit is doubled in the case of specific offences (eg, processing data without having obtained the data subject’s unambiguous consent, with the exception of cases where other legal grounds allow processing and such consent is thus not required).

For more serious offences, the value of fines is set at three times the above indicated amounts. Such offences include failing to comply with the obligation to notify the competent data protection authority. These amounts are doubled if the same offence involves sensitive data.

Sector-specific legislation in the electronic communications sector foresees much higher administrative fines for data protection law breaches, with a maximum fine of €5 million.

Law 67/98 also establishes criminal penalties in certain cases, such as:

  • intentionally failing to notify or submit an authorisation application to the competent authority, where applicable;
  • intentionally providing false information to the competent data protection authority;
  • intentionally misappropriating personal data;
  • providing the offender undue and unauthorised access to prohibited personal data, by any means;
  • erasing, destroying, damaging, deleting or modifying personal data, without authorisation, making it unusable or affecting its capacity for use; and
  • breaching the legal duty of confidentiality regarding personal data.

Criminal offences are punishable by up to two years’ imprisonment or a 240-day fine, both of which can be doubled.

Compensation

Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?

Where an individual suffers damage as a result of an act or omission purported by the personal data owner in breach of Law 67/98, he or she is entitled to compensation, which can be claimed through the courts. Compensation for serious injury to feelings may also be claimed.

The right to claim monetary damage and compensation is exercisable through the judicial system and not directly enforced by the supervisory authority.

Cybersecurity

Cybersecurity legislation, regulation and enforcement

Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?

Yes, there is specific legislation covering cybercrime. In addition to specific provisions in the Penal Code which criminalise certain cyber offences, the Cybercrime Bill 2009 creates new criminal offences and establishes a general legal framework for the collection of digital evidence. As for cybersecurity, no specific general legislation exists, although several provisions relating to cybersecurity may be found in laws governing other sectors, such as public procurement, telecoms and healthcare.

What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?

Specific standards tend to be required in the public sector. For example, for public procurement purposes, the security standards that are usually required are ISO/IEC 20000 and 27001. Some requirements also exist for the financial sector, with the Bank of Portugal requiring that the entities subject to its supervision implement the European Banking Authority’s guidance for security in online payments. Other regulatory provisions tend to follow a technologically neutral approach.

Which cyber activities are criminalised in your jurisdiction?

The activities criminalised in Portugal are fundamentally those included in the Council of Europe’s Cybercrime Convention 2001 (ie, illegal access, illegal interception, data and system interference, misuse of devices, computer-related forgery, computer-related fraud and offences relating to child pornography). Other offences are included in the Criminal Law, such as:

  • child grooming;
  • privacy intrusion through computer means;
  • computer-related swindling; and
  • computer fraud for tax purposes.

Further provisions exist which criminalise certain conduct that is not necessarily committed through a computer system, but is frequently done so, such as:

  • infringements relating to copyright and related rights;
  • illegal access to personal data;
  • stalking; and
  • racial, religious or sexual discrimination.

Which authorities are responsible for enforcing cybersecurity rules?

The relevant authorities are:

  • the Communications Sector National Authority for the telecoms sector;
  • the Bank of Portugal for the financial sector (as regards its general competence to enforce its orders); and
  • the National Commission for the Protection of Data for all remaining data protection-related issues.

Cybersecurity best practice and reporting

Can companies obtain insurance for cybersecurity breaches and is it common to do so?

Yes, this is fairly common in sectors where data processing is more common or where there are high security risks – such as the telecoms and financial sectors – but is still emerging in other sectors.

Are companies required to keep records of cybercrime threats, attacks and breaches?

At present, the obligation to keep records of data breaches exists only in the telecoms sector. In the public health sector, this obligation was also implemented recently, although its goal is to implement a centralised registry with the National Cybersecurity Centre.

Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?

Only companies in the telecoms sector must report data breaches.

Are companies required to report cybercrime threats, attacks and breaches publicly?

Such a duty exists only in the telecoms sector, where companies must report data breaches to the relevant authority and the subscribers or users that may be negatively affected by it. This obligation exists only if the data controller has not implemented security measures apt to prevent access to the information unlawfully obtained.

Criminal sanctions and penalties

What are the potential criminal sanctions for cybercrime?

Under the Portuguese legislation applicable to cybercrime, a wide range of criminal penalties apply, with some offences being subject to different penalties depending on the verification of aggravating circumstances. Such circumstances may depend on, among other things:

  • the value of the damages caused or the benefits collected;
  • the sensitivity of the information unlawfully accessed;
  • the fact that the crime has been committed through the violation of security measures; and
  • the effects of the offence.

Thus, penalties for cybercrimes may range from a mere fine (eg, in the case of illegal access, where the penalty may be a fine of up to 120 days or one year’s imprisonment) to 10 years’ imprisonment. These harsher sentences are reserved for cases where the cybercrime results in high-value damages (eg, in the case of damage caused to programs or other computer data and computer-related fraud) or when the disruption will have a serious or long-term effect on a computer system supporting an activity with vital social functions – namely:

  • supply chains;
  • individual health, safety or economic wellbeing; or
  • the proper operation of public services (as is the case in computer-related fraud). 

What penalties may be imposed for failure to comply with cybersecurity regulations?

In general, the applicable penalties range from a regulatory offence punishable by a fine of up to €5 million (the Law for Privacy in the Electronic Communications Sector) to two years’ imprisonment or a fine of up to 240 days (under the data retention legal regime).