Last updated September 2016
General | Data Protection Laws
- National Legislation
- National Regulatory Authority
- Personal Data
- Sensitive Personal Data
- Scope of Application
- Rights of Data Subjects
- Transfer of Personal Data to Third Countries
ePrivacy | Marketing and cookies
- National Legislation
- Marketing by E-mail
- Marketing by Telephone
- Marketing by Fax
General | Data Protection Laws
General data protection laws
Directive 95/46 has been implemented by Law 67/98 of 26 October on personal data protection (the “DPA”).
Entry into force
The DPA came into force on 1 November 1998.
Details of the competent national regulatory authority
Comissão Nacional de Protecção de Dados (the “CNPD”)
Rua de São Bento, n.° 148, 3°
Notification or registration scheme and timing
The data controller must notify the CNPD before carrying out any wholly or partly automatic processing of personal data.
In addition, the prior authorisation of the CNPD is required for: (i) the processing of sensitive personal data if that processing does not satisfy a limited range of processing conditions (see “Are there additional rules for processing sensitive personal data?” below). Authorisation will only be given if such processing is essential for the exercise of the legal or statutory rights of the data controller or when the data subject has given his explicit consent for such processing; (ii) the processing of data relating to illegal activities or offences. This type of personal data may only be created and kept by public authorities vested with that specific responsibility; (iii) the processing of data relating to the credit and solvency of the data subjects; (iv) the use of personal data for purposes other than those which determined their collection; and (v) the combination of personal data not provided for in a legal provision. The non-automatic processing of sensitive personal data shall also be subject to authorisation.
Notification costs EUR 75 and authorisation costs EUR 150. If an authorisation request is particularly complex, the CNPD may increase the fee to up to half the minimum wage at the date of the decision (as of July 2015, EUR 252.50).
The CNPD may simplify, or create exemptions to, notification for particular categories of processing that are unlikely, taking account of the data to be processed, to adversely affect the rights and freedoms of the data subjects.
So far the CNPD has issued six exemptions from notification for: (i) processing of employees' salaries and benefits; (ii) management of libraries' and archives' users; (iii) invoicing and contacts with clients, suppliers and service providers; (iv) administrative management of employees, staff and service providers; (v) access control (entries and exits) in buildings; and (vi) collection of quotas for membership in associations and contacts with affiliates.
Processing of personal data necessary in order to keep a public register is also exempted from notification.
Appointment of a data protection officer
There is no legal requirement to appoint a data protection officer.
What is personal data?
The definition of personal data in the DPA is similar to the standard definition of personal data.
Is information about legal entities personal data?
No. The DPA only applies to information about individuals as opposed to legal entities.
What are the rules for processing personal data?
Personal data may be processed if the standard conditions for processing personal data are met. In practice, the legitimate interests condition is frequently relied upon as grounds for processing non-sensitive personal data.
The DPA contains exemptions for certain types of processing. For example, processing of personal data carried out by a natural person in the course of a purely personal or household activity is exempt from the provisions of the DPA.
Are there any formalities to obtain consent to process personal data?
Consent must be freely given, specific, informed and unambiguous. There is no obligation for consent to be in writing. However, the CNPD expects data controllers to maintain a record of consents given by data subjects so in practice consent is normally obtained in writing.
What is sensitive personal data?
Under the DPA, sensitive personal data means data on philosophical or political beliefs, political party or trade union membership, religion, privacy and racial or ethnic origin, and concerning health or sex life, including genetic data. Therefore, the concept of sensitive personal data under the DPA is largely similar to the standard types of sensitive personal data but also includes genetic data and data on the private life of the data subject.
The processing of data about illegal activities and offences, as well as credit and solvency data, is also subject to additional restrictions, namely the requirement to obtain previous authorisation from CNPD in order to start processing such data.
Are there additional rules for processing sensitive personal data?
The processing of sensitive personal data is permitted if it: (i) is necessary to protect the vital interests of the data subject or of another person; (ii) is carried out with the data subject’s consent by a non-profit seeking body; (iii) relates to data made public by the data subject; (iv) is necessary for the establishment, exercise or defence of legal claims; (v) relates to health and sex life, including genetic data; and (vi) is necessary for medical reasons.
The authorisation of the CNPD is needed in any other case (including where processing is based on the consent of the data subject). Authorisation will only be awarded: (i) when such processing is essential for exercising the legal or statutory rights of the data controller; or (ii) when the data subject has given his/her explicit consent for such processing.
The processing of personal data relating to illegal activities or offences is also subject to prior authorisation. Furthermore, central registers relating to persons suspected of illegal activities or found guilty of offences, may only be created and kept by public authorities vested with that specific responsibility.
Are there any formalities to obtain consent to process sensitive personal data?
Consent must be freely given, specific, informed and explicit. There is no obligation for consent to be in writing. However, the CNPD expects data controllers to maintain a record of consents given by data subjects so in practice consent is normally obtained in writing.
The person responsible for compliance with the DPA is the data controller. Where the purposes and means of processing are determined by laws or regulations, the data controller shall be designated in the statute establishing the organisation and functioning, or in the articles of association of the legal or statutory body competent to protect the personal data concerned.
Are both manual and electronic records subject to data protection legislation?
Yes. The DPA applies to personal data processed wholly or partly by automatic means or held on a manual filing system.
Any person who has suffered damages as a result of an unlawful processing operation or any other breach of personal data legislation is entitled to receive compensation from the data controller for the damage suffered. The data controller may be exempted from this liability, in whole or in part, if it proves that it was not responsible for the event giving rise to the damage.
Fair processing information
A data controller must provide the fair processing information to data subjects. The data controller must also provide other information such as the recipients or categories of recipients, whether replies are mandatory or voluntary, and the existence and conditions of the right of access and the right to rectify, provided they are necessary, taking into account the specific circumstances of collection of the data, in order to guarantee to the data subject that they will be processed fairly.
Rights to access information
The data subject has the right to obtain his/her subject access information by written request to data controllers at reasonable intervals and without excessive delay or expenses.
Objection to direct marketing
A data subject may require in writing that a data controller stop processing his/her personal data for direct marketing purposes or any other form of research. The data controller must then cease such processing within a reasonable period.
The data subject has the right to obtain from the data controller the rectification, erasure or blocking of data, the processing of which does not comply with the DPA and the right of notification to third parties to whom the data has been disclosed of any such rectification, erasure or blocking.
The data subject has the right to object at any time, on compelling legitimate grounds relating to his/her particular situation, to the processing of data relating to him/her.
Security requirements in order to protect personal data
The data controller must comply with the general data security obligations. These include measures to: (i) ensure that personal data can be accessed only by authorised personnel for legally authorised purposes; (ii) protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure; and (iii) ensure the implementation of a security policy with respect to the processing of personal data.
The National Communications Authority, ICP-ANACOM, is able to audit the measures taken by providers of publicly available electronic communication services and to issue recommendations about best practices concerning the level of security which those measures should achieve.
A data controller who processes sensitive personal data under an authorisation of the CNPD or who processes personal data relating to illegal activities or offences must take additional measures.
These additional measures require the data controller to: (i) prevent unauthorised access to the premises used for processing such data; (ii) prevent data media from being read, copied, altered or removed by unauthorised persons; (iii) prevent unauthorised input and/or control over inputs; (iv) prevent unauthorised use of processing equipment; (v) prevent unauthorised access to data; (vi) confirm the details of the persons to whom the data is transmitted; (vii) keep an audit trail of all inputs; and (viii) protect information while it is being transmitted (which at the CNPD’s direction may include encryption). Furthermore, the systems used must guarantee the logical separation between data relating to health and sex life, including genetic data, and other personal data.
Specific rules governing processing by third party agents (processors)
The data processor chosen by the data controller must provide sufficient guarantees with respect to the technical security measures and organisational measures governing the processing to be carried out and must ensure compliance with those measures.
There must be a contract or legal act binding the data processor to the data controller and stipulating in particular that the data processor shall comply with the standard processor obligations.
Notice of breach laws
The DPA does not contain any obligation to inform the CNPD or the data subjects of a security breach.
Law 46/2012, which implemented the Citizens’ Rights Directive, requires providers of electronic communications to promptly inform the CNPD whenever there is a breach of personal data.
Electronic communication providers must also promptly inform data subjects whose data has been breached of that fact, if the breach negatively affects the data subject and appropriate technological protection measures have not been used to render the affected data unreadable.
Restrictions on transfers to third countries
The transfer of personal data to a country that is not a member of the EU may only take place provided that that country ensures an adequate level of protection or the standard conditions for transborder dataflow are satisfied. It is for the CNPD to decide whether a State which is not a member of the European Union ensures an adequate level of protection. However, in 2004 the CNPD issued an interpretative notice stating that it would follow any decision by the European Commission considering that an adequate level of protection exists.
Notification and approval of national regulator (including notification of use of Model Contracts)
All transfers of data must be notified to the CNPD.
Furthermore, all transfers of data to countries outside the EEA are subject to prior authorisation from the CNPD unless they are to whitelisted countries or made under the Model Contracts.
Use of binding corporate rules
Pursuant to the Decision No. 1770/2015, dated 10 November 2015, the CNPD expressly acknowledged the use of Intra-group agreements (“IGA”) for the purpose of transferring personal data to third countries.
Pursuant to this Decision, the CNPD considers that the rules of IGAs identical to or compliant with the model clauses approved by the European Commission provide adequate protection (thus dismissing the need for prior authorisation by the CNPD).
The sanctions have a quasi-criminal and criminal nature: the imposition of fines of up to EUR 30,000 and imprisonment for up to four years. In addition, the entity that breaches the DPA is liable, under general legal rules of law, for the damages caused to the data subject or third parties.
The number of investigations and prosecutions is not publicly available.
There have been no significant fines publicised recently. One of the highest fines imposed was the EUR 20,000 fine applied to Radiotelevisão Portuguesa, S.A. (“RTP”), the public television company, in April 2004. This fine was imposed as a result of RTP reviewing the professional skills of its employees. It hired a company to assess various pieces of data about its workers but failed to notify its employees of this assessment process. Under Portuguese law, RTP was obliged to notify the CNPD before carrying out such a data processing operation. RTP also informed the contractor about the trade union membership of its employees, which was not authorised by CNPD or consented to by the data subjects. The CNPD also found that RTP had a video surveillance system in operation in its building which had not been authorised by the CNPD.
Recently, the CNPD imposed its highest fine to date. Optimus, a Portuguese telecommunications company (now named NOS), was initially fined EUR 4,500,000 by the CNPD. The fine was not applied on the grounds of a breach of the data protection act but because of data protection related rules in telecoms law. In 2010, an Optimus employee accessed and transmitted personal data of a journalist (specifically, telephone data) to a third party. The CNPD found Optimus liable for not having adequate security measures for personal data in place, for abuse of the client’s privacy and for non-compliance with the data processing and retention rules. In the first appeal the fine was reduced to EUR 600,000; in the last appeal, in February 2015, the fine was ultimately reduced to EUR 100,000.
In general, the level of fines is lower than this, and fines are mainly applied for unauthorised disclosure of health information, keeping credit history details for an excessive period or video surveillance.
The CNPD has the power to investigate data controllers, including by carrying out dawn raids. Following an investigation it can apply fines. Data controllers can appeal to the courts against those fines.
ePrivacy | Marketing and cookies
Article 13 of the Privacy and Electronic Communications Directive has been implemented by Decree-Law No. 7/2004 of 7 January 2004 (the “ECA”). Currently, the provisions regarding unsolicited communications and direct marketing are laid down by Law 41/2004, as amended by Law 46/2012 (“Law 41/2004”).
Conditions for direct marketing by e-mail to individual subscribers
Direct marketing by e-mail to individual subscribers is authorised provided the addressee gives its prior consent.
Conditions for direct marketing by e-mail to corporate subscribers
Direct marketing by e-mail to corporate subscribers is permitted without their prior consent but they must be given the right to object to this marketing at any time.
Exemptions and other issues
It is permitted to send e-mail for the purposes of direct marketing if the similar products and services exemption applies. Law 41/2004 also prohibits direct marketing e-mails from being sent if: (i) the identity of the sender is disguised or concealed; (ii) an opt-out address is not provided; or (iii) the e-mail encourages recipients to visit websites that do not clearly identify: (a) the promotional nature of the message; (b) the advertiser; and (c) promotional offers, such as discounts, premiums and gift promotional competitions or games, and their respective terms and conditions.
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
Direct marketing by telephone to individual subscribers is permitted without their prior consent but they must be given the right to object to this marketing at any time.
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
Direct marketing by telephone to corporate subscribers is permitted without their prior consent but they must be given the right to object to this marketing at any time.
Exemptions and other issues
Conditions for direct marketing by fax to individual subscribers
Direct marketing by fax to individual subscribers is authorised provided the addressee gives its prior consent.
Conditions for direct marketing by fax to corporate subscribers
Direct marketing by fax to corporate subscribers is permitted without their prior consent but they must be given the right to object to this marketing at any time.
Exemptions and other issues