Data Privacy and Cybresecurity

GDPR Guide to National Implementation: Portugal

A practical guide to national GDPR compliance requirements across the EEA

Article
|
22 min read

Portugal

In this chapter:

Q1/ Applicable legislation

Q2/ Personal data of deceased persons

Q3/ Legal bases for processing

Q4/ Consent of children

Q5/ Processing of sensitive personal data

Q6/ Data relating to criminal offences or convictions

Q7/ Exemptions

Q8/ Restrictions on data subjects’ rights

Q9/ Joint controllership

Q10/ Processor

Q11/ Data protection Impact Assessments

Q12/ Prior authorisation and public interest

Q13/ DPOs

Q14/ International data transfers

Q15/ DPAs

Q16/ Claims by not-for-profit bodies

Q17/ Administrative fines, penalties and sanctions

Q18/ Freedom of expression and information

Q19/ National identification numbers

Q20/ Processing in the context of employment

Q21/ Other material derogations

Q22/ Current legal challenges

Q23/ Enforcement

Q24/ Regulatory Guidance

———

[back to top of page]

 

 

Q1/ Applicable legislation

(a) Have the requirements of the GDPR been addressed by introducing a new law, or by updating existing legislation?

New legislation has been passed.

———

(b) Relevant legislation includes:

  • Act 58/2019 of 8 August (the “Data Protection Act”)
    • Date in force: 9 August 2019
    • Link: In Portuguese: 
      see here 
       
  • Act 43/2004 of 18 August – Comissão Nacional de Proteção de Dados (Portuguese DPA) Organisation and Function (the “Portuguese DPA Act”), as amended by the Data Protection Act
    • Date in force: 23 August 2004
    • Link: In Portuguese: 
      see here 
       

———

(c) What is the status of national pre-GDPR data protection law?

The relevant pre-GDPR legislation has been repealed in full. The Data Protection Act has modified the Portuguese DPA Act and has not repealed other legislation containing data protection provisions.

———

[back to top of page]

 

 

Q2/ Personal data of deceased persons

Does national law make specific rules regarding the processing of personal data of deceased persons?

The legislation relating to genetic data and health data regulates the processing of such data for both living and deceased persons.

The Data Protection Act provides that:

  • the sensitive personal data of deceased persons are protected in accordance with the GDPR and the Data Protection Act;
  • the rights referring to personal data of deceased persons must be exercised by someone appointed by the deceased person for that purpose, or by their heirs; and
  • the data subject may decide that the rights in relation to personal data may not be exercised after his or her death.

———

[back to top of page]

 

 

Q3/ Legal bases for processing

(a) Does national law make specific rules regarding the processing of personal data in compliance with a legal obligation?

There are no specific rules governing this issue.

———

(b) Does national law make specific rules regarding the processing of personal data for the performance of tasks carried out in the public interest?

The following rules govern the processing of personal data for the performance of tasks carried out in the public interest:

  • processing of personal data by a public entity for another purpose than that for which the personal data were initially collected is permitted if carried out in the public interest, in accordance with Arts. 6(1)(e), (4) & 9(2)(g) GDPR;
  • the transmission of personal data between public entities for purposes different than those for which the personal data were initially collected must be subject to a protocol setting out the responsibilities for each entity; and
  • where personal data are published in an official journal, or published in the context of public procurement, and the disclosure of the data subject’s name is sufficient for the purposes of the processing, no other personal data should be disclosed.

———

(c) Does national law make specific rules regarding the processing of personal data in the exercise of official authority vested in the controller?

See Q3(b) above.

The transfer of personal data to third countries or international organisations to comply with legal obligations carried out by public authorities in the exercise of their powers is considered to be in the public interest.

———

(d) Does national law contain criteria in addition to those listed in the GDPR, to determine whether processing for a new purpose is compatible with the purpose for which the personal data were initially collected?

There are no specific additional criteria governing this issue.

———

[back to top of page]

 

 

Q4/ Consent of children

At what age can a child give their consent to processing in relation to ISS?

13 years of age.

———

[back to top of page]

 

 

Q5/ Processing of sensitive personal data

(a) Are there any sensitive personal data which cannot be processed on the basis of a data subject’s consent?

Employers are not permitted to process employees’ genetic data, even if the data subject’s consent has been obtained, except when the workplace involves exposure to significant risks.

———

b) Does national law contain any specific requirements regarding the processing of sensitive personal data in respect of the following:

(i) Employment, social security and/or social protection law

Employers may not require job candidates or employees to provide information regarding:

  • their private lives, except where such information is strictly necessary and relevant in order to assess their capability to perform the labour contract, and such grounds are supplied in writing; or
  • their state of health or pregnancy, except when the particular circumstances of the profession justify certain requirements, and the grounds are supplied in writing, in which case the information must be supplied to a doctor, who will only inform the employer of whether or not the employee is fit to perform the job.

(ii) Substantial public interest

There are no specific rules on processing this category of data.

(iii) Preventative or occupational medicine; employee working capacity, medical diagnosis, provision of health or social care, or management of health or social care systems or services

Employers may not, for purposes of admission or continuation of work, require that a job candidate or employee present the result of tests or medical exams of any nature to prove physical or mental condition, except when the results are intended to ensure the protection and safety of the employee or third parties, or when justified by particular requirements of the activity, provided that the grounds are supplied in writing to the candidate or employee.

The doctor responsible for the medical exams and tests can only inform the employer of whether or not the employee is fit to perform the activity. Doctors, as well as medical staff and professionals responsible for processing such data, should be subject to a duty of secrecy.

In no circumstances may the employer demand that the candidate or employee perform or present the results of a pregnancy test or exam.

Health data should only be accessible by electronic means, except where: (i) this is not permitted by law, (ii) it is technically impossible; or (iii) the data subject has specified otherwise. The data subject must be notified of any access to their personal data, and the controller should ensure that a mechanism of traceability and notification is put in place.

(iv) Public interest in the area of public health

Processing for the purpose of preventing and controlling contagious diseases and public health risks is permitted to ascertain whether a person’s state of health presents a potential risk to public health.

When the processing and internal disclosure of personal data is considered essential to the evaluation and management of public health risks, personal data may only be processed by health professionals trained in the exercise of preventive medicine, medical diagnosis, provision of health or social care, or management of health services.

Processing must be carried out by persons subject to a duty of secrecy. 
See Q5(b)(iii) regarding restrictions on access to health data.

(v) Archiving purposes, scientific or historical research purposes or statistical purposes

In the context of clinical research, national law regulates issues of informed consent and consent by minors.

———

(c) Has national law introduced any further conditions and/ or limitations with regard to the processing of genetic data, biometric data, or health data?

The following rules apply to the processing of this category of data:

  • processing of employees’ biometric data must only be permitted for the purposes of monitoring attendance and control of access to the employer’s facilities, and the employer must ensure that only representations of biometric data are used, and that the data collection procedure does not allow the reverse-identification of such data;
  • health data may only be processed for the purposes of health care, health investigation and other purposes established by law;
  • health data may only be processed in accordance with the written consent of the data subject or of their representative;
  • health systems must assure the separation of health and genetic data from other personal data;
  • insurance companies are not permitted to collect or use any kind of genetic data to refuse a life insurance or to set a higher insurance premium;
  • hiring new employees cannot depend on the requirement, performance or results of genetic tests; and
  • employers are not permitted to require their employees to perform or disclose results of genetic tests, even with their consent, except when the workplace involves exposure to significant risks and the genetic information is used for the protection of employees’ health, provided that the results are exclusively handed to the data subject and their employment situation will not be put into question.

———

[back to top of page]

 

 

Q6/ Data relating to criminal offences or convictions

Under what conditions does national law permit the processing of personal data relating to criminal convictions?

Where the processing is carried out for the purposes of the organisation and functioning of the criminal identification services, national law provides for the following:

  • the entity responsible for the criminal identification database;
  • the use of criminal identification data;
  • the access by the data subject to personal data;
  • the rectification of data; and
  • the breach of criminal identification rules.

———

[back to top of page]

 

 

Q7/ Exemptions

(a) Does national law specify exemptions to a data subject’s right to erasure?

There are no specific exemptions to the right to erasure.

———

(b) Does national law specify exemptions to a data subject’s right to be provided information under Art. 14 GDPR where the personal data has not been obtained from the data subject?

There are no specific exemptions to the right to be provided with information under Art. 14 GDPR.

———

(c) Does national law specify exemptions to a data subject’s right to not be subject to a decision based solely on automated processing, including profiling?

There are no specific exemptions to the right to not be subject to automated individual decision-making.

———

[back to top of page]

 

 

Q8/ Restrictions on data subjects’ rights

Aside from the exemptions noted in Q7, does national law contain any other restrictions on the rights of data subjects under Chapter III GDPR?

The rights of information and of access under Arts. 13-15 GDPR cannot be exercised against a controller or processor that is subject to a duty of secrecy that applies with respect to the data subject. The data subject may ask the DPA to issue an opinion on the enforceability of such duty of secrecy. When personal data are processed for the purposes of archiving in the public interest, scientific or historical research or statistics, the rights of access, rectification, restriction of processing and the right to object are restricted to the extent necessary, if such rights would make it impossible to achieve, or seriously impair the achievement of, such purposes.

———

[back to top of page]

 

 

Q9/ Joint controllership

Does national law provide rules or guidance on the apportionment of responsibility between joint controllers?

There are no additional rules on apportionment of liability between joint controllers.

———

[back to top of page]

 

 

Q10/ Processor

In addition to the contract between controller and processor, are there any pieces of legislation which govern processing by a processor?

There are no additional pieces of legislation.

———

[back to top of page]

 

 

Q11/ Impact Assessments

Are there any circumstances in which national law requires an Impact Assessment to be carried out, where the GDPR would not otherwise require such an assessment?

In addition to the provisions set out in the GDPR, Impact Assessments are required in the following circumstances:

  • when processing information that emerges from the use of electronic devices which transmit health data through communication networks;
  • when processing sensitive personal data;
  • when processing sensitive personal data that have not been obtained from the data subject and the conditions of Art. 14(5)(b) GDPR are satisfied;
  • when processing personal data implies or consists in the creation of user profiles on a large scale;
  • when processing personal data that allows the tracing of data subject’s location or performance (namely, employees, customers or bystanders), and has the effect of evaluating or classifying them, except when the processing is necessary for the provision of services required by data subjects;
  • when processing sensitive personal data for the purpose of archiving in the public interest, scientific or historical research purposes or statistical purposes, with the exception of processing activities authorised by law providing for appropriate safeguards for the rights of data subjects;
  • when processing biometric data for the purpose of uniquely identifying a natural person when they are vulnerable persons, except when processing activities authorised by law which provide for appropriate safeguards for the rights of data subjects;
  • when processing genetic data concerning vulnerable persons, except when processing activities authorised by law subject to a previous Impact Assessment; and
  • when processing sensitive personal data using new technologies or with a new use of existing technologies.

———

[back to top of page]

 

 

Q12/ Prior authorisation and public interest

Are there any circumstances in which national law requires controllers to consult with, or obtain prior authorisation from, the DPA in relation to processing for the performance of a task carried out by the controller in the public interest (including processing in relation to social protection and public health)?

Prior authorisation from the DPA is required in the following situations:

  • where the processing of genetic data and genetic databases is carried out for a purpose other than that for which such data were initially collected, provided that such genetic data are anonymised and do not allow for the identification of the data subject;
  • the destruction or discontinuation of a genetic database; and
  • the disclosure and interconnection of genetic data.

———

[back to top of page]

 

 

Q13/ DPOs

(a) Does national law require controllers to appoint a DPO in circumstances other than those in Art. 37(1) GDPR?

DPOs are only mandatory in the circumstances set out in Art. 37(1) GDPR.

———

(b) Does national law impose secrecy and confidentiality obligations on DPOs and if so, in what circumstances do they apply?

DPOs have an obligation of secrecy imposed on them, which remains in force after the termination of their functions.

———

[back to top of page]

 

 

Q14/ International data transfers

(a) Does national law make specific rules about transfers of personal data from public registers?

Data transfers from public registers are not subject to specific rules.

———

(b) Does national law restrict the transfer of specific categories of personal data to third countries?

Data transfers are not subject to restrictions beyond those set out in the GDPR.

———

[back to top of page]

 

 

Q15/ DPAs

(a) Details of the DPA(s).

  • Name of DPA: Comissão Nacional de Proteção de Dados
    • Address: Av. D. Carlos I, 134 - 1.º, 1200-651 Lisboa, Portugal
    • Website: cnpd.pt

———

(b) If more than one national DPA has been established, what is the rationale behind multiple DPAs?

Not applicable as there is only one DPA.

———

(c) How does national law ensure consistent application of the GDPR by the various DPAs in accordance with Art. 63 GDPR?

Not applicable.

———

(d) Does national law grant the relevant DPA additional powers beyond those set out in Art. 58 GDPR?

When CCTV is permitted, the recording of sound requires the prior authorisation of the DPA if the facilities under surveillance are publicly accessible.

———

(e) What national appeals process exists to enable parties to challenge the decisions of the DPA?

The decisions of the DPA may be challenged before the administrative court.

———

(f) Have specific national rules been adopted regarding the DPA’s power to obtain information from controllers or processors that are subject to obligations of professional secrecy (or equivalent)?

Public and private entities must cooperate with the DPA, in particular when the DPA needs to examine computer systems or relevant filing systems, and all documentation relating to the processing and transmission of personal data in order to exercise the relevant entity’s functions.

———

[back to top of page]

 

 

Q16/ Claims by not-for-profit bodies

Does national law specify any not-for-profit bodies that are entitled to bring claims on behalf of individuals without the specific mandate of those individuals?

Unions may file judicial claims or start administrative proceedings concerning the interests of their members.

Further, associations that purport to defend data protection interests, including the right to apply for compensation for an aggrieved party, are entitled to bring claims on behalf of individuals provided that they obtain their specific mandate.”

———

[back to top of page]

 

 

Q17/ Administrative fines, penalties and sanctions

(a) Does national law lay down rules on whether and to what extent administrative fines may be imposed on public authorities for breaches of the GDPR?

Public authorities are subject to administrative fines for breach of the GDPR. However, in accordance with Art. 83(7) GDPR, public authorities may ask the DPA for an exemption to the enforcement of administrative fines for a period of three years.

———

(b) Does national law impose penalties/sanctions in addition to those set out in the GDPR, for breaches of the GDPR not subject to administrative fines (e.g., criminal penalties)?

The following activities are punishable with imprisonment for up to four years, in addition to a fine of up to €240,000:

  • use of personal data in a manner incompatible with the purpose for which they were collected;
  • undue access to personal data;
  • data theft;
  • invalidation or destruction of personal data;
  • insertion of false data;
  • violation of the duty of secrecy; and
  • failure to obey an order issued by the DPA under the GDPR before the applicable deadline passes.

———

[back to top of page]

 

 

Q18/ Freedom of expression and information

(a) What (if anything) does national law do to balance the provisions of the GDPR against the right to freedom of expression and information?

Under the Data Protection Act, the right to protection of personal data does not impair the exercise of the right to freedom of expression and information, including processing for journalistic purposes.

———

(b) What derogations have been introduced by national law concerning the processing of personal data for the purpose of academic, artistic or literary expression?

Under the Data Protection Act, the right to protection of personal data does not impair the exercise of the right to freedom of expression and information, including processing for the purposes of academic, artistic and literary expression.

———

[back to top of page]

 

 

Q19/ National identification numbers

Does national law stipulate specific conditions for the processing of a national identification number, and if so, what are the conditions?

The legislation regulating citizens’ cards (which contain the relevant data of each citizen, including the civil identity number, the tax number, the health system user number and the social security number) sets out the provisions regarding personal data processing, disclosure, controller, information, access and rectification rights, secrecy, storage and security safeguards.

———

[back to top of page]

 

 

Q20/ Processing in the context of employment

(a) For what purposes can employees’ personal data in the employment context be processed under national law?

The following rules apply to the processing of employee data:

  • except when otherwise stipulated by law, the consent of an employee does not provide a legal basis for processing the employee’s personal data if there is an economic or legal advantage for the employee emerging from such processing;
  • images, and other personal data, recorded through the use of video systems or other remote technological methods, may only be used in the context of criminal proceedings and could be used to determine employees’ disciplinary responsibilities inasmuch as they could be used in the context of criminal proceedings;
  • employers cannot use technological remote monitoring methods at the workplace to control the professional performance of employees, except where such monitoring is intended to protect the safety of persons or property, or when it is justified by the particular circumstances;
  • without prejudice to employers’ right to establish rules regarding the use of electronic resources in the workplace employees are entitled to confidentiality in respect of the content of personal messages and access to non-professional information sent or received through electronic means;
  • employers must keep a recruitment register for a period of five years, including, with disaggregation by gender, the results of admission or selection tests;
  • employers must keep an updated register of employees in each establishment, including name, birth and admission dates, type of contract, job status, promotion, salary, dates of beginning and ending of vacation periods and absences that imply loss of salary or reduction of vacation time; and
  • employers must keep a register of working times that allows the determination of the number of daily and weekly hours performed by the employee.

———

(b) Does national law provide safeguards for employees’ dignity, legitimate interests, and fundamental rights?

The Portuguese Employment Code contains provisions recognising freedom of expression and dissemination of thoughts and opinions within an organisation, with due respect for the privacy of the employee, and setting out the obligation of employer and employee to respect each other’s right to privacy. This includes both the access to, as well as the disclosure of, personal data relating to:

  • family life;
  • emotional and sexual life;
  • state of health; and
  • political and religious beliefs.

———

[back to top of page]

 

 

Q21/ Other material derogations

Are there any other material derogations from, or additions to, the GDPR under national law?

Public authorities are not subject to the corrective powers of the DPA.

———

[back to top of page]

 

 

Q22/ Current legal challenges

Are there any current legal challenges (e.g., court cases or regulatory appeals) regarding the validity or operation of the national GDPR implementation law (e.g., claims that the law incorrectly applies the GDPR; claims that the law is incompatible with constitutional principles; etc.)?

The DPA has issued a resolution challenging the validity of several provisions of the Data Protection Act, including in relation to the applicability of the Act, exemptions under the Act, and restrictions that the Act imposes on the use of consent in an employment context.

———

[back to top of page]

 

 

Q23/ Enforcement

Has the local DPA issued any material fines or taken any material enforcement action to date for breaches of the GDPR?

The DPA does not publish its decisions regarding the administrative fines it has imposed. Nevertheless, the DPA has initiated several administrative proceedings for breaches of the GDPR without specifying the violations, nor the number of proceedings that have been initiated. In a recent case, the DPA issued a decision against a hospital, imposing three fines totalling €400,000 for breach of the GDPR, including:

  • €150,000 for breach of Art. 5(1)(c) GDPR, pursuant to Art. 83(5)(a) GDPR, for allowing indiscriminate access to an excessive number of users;
  • €150,000 for breach of Art. 5(1)(f) GDPR (integrity and confidentiality), pursuant to Art. 83(5)(a) GDPR, for failing to implement sufficient protection measures; and
  • €100,000 for breach of Art. 32(1)(b) GDPR, pursuant to Art. 83(4)(a) GDPR, for failing to implement appropriate technical and organisational measures to ensure an appropriate level of security considering the risk.

———

[back to top of page]

 

 

Q24/ Regulatory Guidance

Has the DPA issued any significant guidance on the application of the GDPR or national implementation law?

The DPA has issued the following guidance on the application of the GDPR and/or GDPR implementation law:

  • FAQs on the application of the GDPR (see here);
  • a list of personal data processing operations subject to Impact Assessments (see here);
  • forms to be used by controllers and data processors to comply with the obligation to register data processing activities (see here); 
  • the form concerning the registration of the DPO with the DPA (see here cnpd.pt/DPO/?AspxAutoDetectCookieSupport=1);
  • the form concerning the notification of a personal data breach to the DPA (see here); 
  • a decision to challenge the validity of certain provisions of the Data Protection Act; and
  • proceedings regarding the exemption of public authorities from administrative fines.

———

[back to top of page]

 

 

VC Associados contributors

António Vigário

António Vigário
Partner, VC Associados
T +351 226 056 790
E antoniovigario@vcassociados.pt

António advises national and international clients on Portuguese and EU privacy and data protection law, providing legal advice on datarelated strategies and compliance programmes and implementing privacy policies. António also advises his clients on contractual and commercial matters, regulatory issues and litigation. His pragmatic, client-focused approach is valued highly by his clients.

João Paulo

João Paulo Pimenta
Partner, VC Associados
T +351 239 841 215
E joaoppimenta@vcassociados.pt

João Paulo has wide-ranging experience in litigation and providing legal advice on matters relating to commercial and corporate law and connected areas, including civil and commercial contracts. He also provides legal advice on the areas of privacy and data protection. Clients appreciate João Paulo’s extensive knowledge of the subjects and great attention to clients.

João Paulo is a member of the High Council of the Portuguese Bar Association.

———

[back to top of page]

 

 

Other chapters

———

See also:

Our Global Data, Privacy & Cybersecurity Practice »

GDPR Handbook: Unlocking the EU General Data Protection Regulation »

———

[back to top of page]

 

 

This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2019 White & Case LLP

 

Top