1 Legal and enforcement framework

1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?

Portugal is an EU member state. This Q&A refers to only a few of the relevant applicable legislative provisions.

The main sources of law governing data privacy in the European Union include:

  • EU regulations – legal acts that have general application, are binding in their entirety and are directly applicable in all EU countries; and
  • EU directives – legal acts which require member states to achieve a particular result without dictating the means through which that result should be achieved. Directives normally do not prescribe the exact rules to be adopted.

The main EU legislative framework comprises:

  • Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation (GDPR)); and
  • Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by EU institutions, bodies, offices and agencies and on the free movement of such data.

Other relevant EU statutes include:

  • Regulation (EU) 611/2013 on measures applicable to the notification of personal data breaches under Directive 2002/58/EC on privacy and electronic communications;
  • Regulation (EU) 604/2013, establishing the criteria and mechanisms for determining the member state responsible for examining an application for international protection; and
  • a number of EU directives and decisions.

The Portuguese legislation includes:

  • Act 58/2019, which enforced the GDPR; and
  • Act 59/2019 on the processing of personal data for the prevention, detection, investigation or repression of criminal offences or for the enforcement of criminal sanctions.

1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?

Personal genetic information and health information: Act 12/2005 protects health data, both present and future, including information regarding deceased persons. This act further develops the provisions of the GDPR on the protection of sensitive personal data of a genetic or health nature. The act includes provisions on informed and purpose-specific consent, and forbids the use of genetic information for insurance-related, employment-related or adoption-related purposes. The act also includes detailed provisions on the use of DNA and other biologic material in research, with a strong emphasis on the anonymisation of data. The patenting of human genetic heritage is expressly forbidden.

Telecommunications:

The following legislation applies in the telecommunications space:

  • Act 41/2004 (consolidated by Act 46/2012), which establishes a special regime for the privacy of electronic communications. Major innovations introduced in 2012 include a compulsory duty to notify data breaches and opt-in and opt-out lists for unsolicited direct marketing messages;
  • Act 32/2008 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks;
  • Act 5/2004 on the creation of a national database of non-performer subscribers of electronic telecommunication services; and
  • Regulation (EU) 611/2013 regarding notification of personal data breaches.

Video surveillance:

The following legislation applies to video surveillance:

  • Act 34/2013 on the use of video surveillance cameras by private security companies and for self-protection;
  • Act 1/2005 on the use of video surveillance cameras by the security forces on public places; and
  • other acts on the use of electronic surveillance for road traffic purposes and inside public transportation vehicles such as taxis.

1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?

International instruments relating to, or with direct implications for, data privacy which are applicable in Portugal include:

  • the International Covenant on Civil and Political Rights;
  • the Charter of Fundamental Rights of the European Union;
  • the European Convention on Human Rights;
  • the Organisation for Economic Co-operation and Development Guidelines governing the protection of privacy and transborder flows of personal data;
  • Council of Europe Convention 108 (Protection of Individuals with regard to Automatic Processing of Personal Data); and
  • the United Nations Convention on the Rights of the Child.

1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?

The National Data Protection Commission (CNPD) is the Portuguese data protection authority.

The CNPD is structured as an independent body. The president and two other members of its board are elected by the national Parliament. The remaining four members of the board comprise one judge, one public prosecutor and two other individuals to be appointed by the government.

The CNPD is vested with powers of authority throughout the national territory. It is endowed with the power to supervise and monitor compliance with the GDPR, laws and regulations in the field of personal data protection, with strict respect for human rights and fundamental freedoms, as well as guarantees enshrined in the Portuguese Constitution and other applicable or relevant legislation.

In exercising its powers, the CNPD accepts complaints and supervises the processing of personal data, with the power to access premises, equipment and other resources of entities or individuals that control or process such data. It has also the power to investigate, solely or in cooperation with other European authorities, cases of non-compliance and to audit European information systems in this regard.

Offences of an administrative nature will incur fines of up to:

  • €20 million for large corporations;
  • €2 million for small and medium-sized companies;
  • 4% of total worldwide annual turnover for companies; or
  • €500,000 for individuals.

Criminal offences will be reported to the National Public Prosecutor's Office.

1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?

In addition to the requirements of the GDPR, controllers may – and are encouraged to – prepare self-binding codes of conduct, extending and/or detailing specific measures to ensure a high degree of compliance with the principles of personal data protection.

To this effect, categories of controllers, represented by their associations or otherwise, may draft codes of conduct and submit them for approval.

While this is in no way compulsory, there are some key issues on which controllers might find themselves more comfortable drafting guidelines and procedures – for example, as regards:

  • the anonymisation of personal data;
  • specific safeguards when dealing with the personal data of children; and
  • procedures for out-of-court dispute resolution.

Once the code has been approved, the controllers (or processors) should adhere to it. Compliance with the code will be monitored by a body that has undergone certification to this effect by the CNPD.

Certification mechanisms and data protection marks or seals are also encouraged, to demonstrate compliance with specific aspects of the GDPR regarding safeguards and other devices for protecting the rights of data subjects.

Certification may also be useful for those controllers which are not subject to the GDPR, in the context of transfers of personal data to third countries for which there is no adequacy decision (see question 6).

2 Scope of application

2.1 Which entities are captured by the data privacy regime in your jurisdiction?

The regime applies to data controllers and data processors. Natural persons, legal persons, public authorities, public bodies and agencies all fall under the regime.

2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?

There are a few specific exemptions from the regime.

One of these concerns the processing of personal data by an individual in the course of a strictly personal or household activity.

Some matters of overriding public interest are also covered by exemptions, such as:

  • matters of common foreign and security policy of the European Union; and
  • matters involving the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, when carried out by competent authorities.

In this regard, although this is not a true exemption, it is notable that the regime does not apply to data after it ceases to be qualified as ‘personal' (eg, through anonymisation). But even in this case, should the data at any point become re-identifiable, the regime will once again apply.

2.3 Does the data privacy regime have extra-territorial application?

Yes. First, the regime applies directly throughout the European Union. Under Article 3 of the General Data Protection Regulation, the regime applies to the processing of personal data in the context of the activities of a controller or a processor in the European Union, even where the processing takes place outside the European Union.

It also applies to the processing of personal data of EU data subjects by a controller or processor which is not established in the European Union, whenever such processing relates to the offering of goods or services to such EU data subjects or to the monitoring of their behaviour, insofar as this takes place within the European Union.

It also applies to the processing of personal data by a controller not established in the European Union, but in a place where member state law applies by virtue of public international law.

3 Definitions

3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.

(a) Data processing

Any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

(b) Data processor

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.

(c) Data controller

A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law.

(d) Data subject

An identifiable natural person who can be identified, directly or indirectly – in particular, by reference to an identifier such as a name, an identification number, location data or online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

(e) Personal data

Any information relating to an identified or identifiable natural person (‘data subject').

(f) Sensitive personal data

Personal data that reveals a data subject's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying that person, data concerning his or her health or data concerning his or her sex life or sexual orientation.

(g) Consent

Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, through a statement or a clear affirmative action, signifies agreement to the processing of his or her personal data.

3.2 What other key terms are relevant in the data privacy context in your jurisdiction?

Other key terms, as defined by the General Data Protection Regulation, include the following:

  • ‘Profiling: Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person – in particular, to analyse or predict aspects concerning his or her performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
  • ‘Recipient': A natural or legal person, public authority, agency or another body to which personal data is disclosed, whether a third party or not; some exceptions apply.
  • ‘Third party': A natural or legal person, public authority, agency or body other than the data subject, controller, processor or persons under the direct authority of the controller or processor which is authorised to process personal data.
  • ‘Personal data breach': A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  • ‘Cross-border processing': The processing of personal data which takes place in the context of the activities of establishments in more than one member state of a controller or processor in the European Union, where the controller or processor is established in more than one member state; or the processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the European Union, but which substantially affects or is likely to substantially affect data subjects in more than one member state.

4 Registration

4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?

The registration of data controllers is no longer required under the General Data Protection Regulation.

4.2 What is the process for registration?

Not applicable; see question 4.1.

4.3 Is registered information publicly accessible?

The original public record of controllers has been discontinued. However, historical data is still available online and searchable by name of the controller.

5 Data processing

5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?

In general, the primary requirement for the lawful processing of personal data is the consent of the data subject. Consent is the golden rule of personal data processing; but there are instances in which it becomes either not feasible or not required, such as the following:

  • If the data subject is unable to provide consent and the processing is necessary to protect his or her vital interests (eg, to save his or her life), the data may be lawfully processed without consent.
  • Public authorities, when legitimately exercising their powers, may lawfully carry out tasks involving the processing of personal data without the data subject's consent.
  • Processing carried out to comply with a legal obligation is lawful.
  • The processing of personal data carried out in the performance of a contract to which the data subject is a party is also lawful.
  • If the processing of personal data is required to protect the legitimate interests of the controller (or even of a third party), the lawfulness of that processing depends on an assessment of whether those interests override the interests or fundamental rights of the data subject. In practice, this may be difficult to determine and should be considered only where there is clear and strong evidence in favour of the processing.

Stricter regimes apply in relation to the lawful processing of sensitive personal data and personal data relating to criminal convictions and offences.

5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?

Besides lawfulness (see question 5.1), the other core principles of personal data processing are fairness and transparency. These principles translate into a number of explicit rights of data subjects (see question 7).

Fair processing implies that the controller has a duty to make the data subjects aware of any and all potential risks to their privacy involved in the processing. It makes the controller responsible for ensuring, to the fullest extent possible, that data subjects will not be surprised by any unforeseen effects of the processing.

Transparency requires the controller to provide data subjects with details of the following in advance of the data processing:

  • the purposes of the processing;
  • the controller's identity and address;
  • the data subjects' rights to access their data; and
  • all other rights in connection with the processing.

This information must be provided in clear, easily understandable language; and an accessible channel of communication must be provided for data subjects to contact the controller with regard to the processing of their data.

A number of other principles are also recognised:

  • Purpose limitation: The purpose of the processing must be defined before the start of the processing and no further processing of data is allowed for any other purpose that is not fully compatible with the original purpose.
  • Minimal processing: The processing of personal data must be:
    • necessary – that is, it must be pursued only where the purpose cannot be achieved by other, less invasive means; and
    • proportionate to the purpose and kept to the minimum level of interference with the data subjects' rights and interests.
  • Accuracy of data: The controller must ensure that the data is accurate and up to date. The controller must provide effective means to correct or erase any inaccuracies, as appropriate.
  • Storage limitation: Personal data must not be kept for longer than strictly needed for the purposes of the processing and must be either deleted or anonymised as soon as it has served those purposes.
  • Security of data: The controller must ensure the security and confidentiality of personal data by means of technical and organisational measures to that effect.
  • Accountability: The controller is fully responsible for actively ensuring compliance with all principles and rules with regard to the protection of personal data.

5.3 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?

As noted in question 4.1, registration is no longer required under the General Data Protection Regulation.

The former general obligation to notify the supervisory authorities of the processing of personal data created a significant administrative and financial burden, and did not in all cases help to improve the protection of personal data. It was thus abolished and replaced with other mechanisms which focus on likely high risks to the rights and freedoms of natural persons.

One such mechanism is the data protection impact assessment: where a certain type of processing is likely to present a high risk to the rights and freedoms of natural persons, the controller must, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

The assessment must include at least:

  • a systematic description of the envisaged processing operations and the purposes of the processing;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks presented to the rights and freedoms of data subjects; and
  • the measures envisaged to address those risks, including safeguards, security measures and mechanisms to ensure the protection of personal data.

If the assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate that risk, the controller must consult the National Data Protection Commission (CNPD) regarding the compliance of the processing with the data protection regime.

In enforcing its opinion on non-compliance, the CNPD may use all its powers.

The controller must appoint a data protection officer in the following circumstances:

  • where the processing is carried out by a public authority; or
  • in the private sector:
    • where the processing is carried out by a controller whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or
    • where the core activities of the controller or the processor consist of processing on a large scale of special categories of personal data and data relating to criminal convictions and offences (see question 8.1).

He or she must be someone with expert knowledge of data protection laws and practices. His or her role is to assist the controller or processor to monitor internal compliance with the regime.

Data protection officers, whether or not directly employed by the controller, should be in a position to perform their duties and tasks in an independent manner.

6 Data transfers

6.1 What requirements and restrictions apply to the transfer of data to third parties?

Under the current legal framework, data processors and other persons who process personal data under the direct authority of a data controller or processor are not considered third parties.

The transfer of personal data to third parties constitutes, in itself, a form of personal data processing. This may either be included in the original processing or constitute further processing. In the former case, all details regarding the third party, the transfer of the data and the purposes of the transfer must be included in the information provided to the data subject by the controller.

In the case of further processing, this is not permitted unless it is treated as a new type of processing, subject to all requirements that apply to original processing.

Where personal data is intended to be transferred to a third country, specific requirements and restrictions apply (see question 6.2).

6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?

There are no additional requirements or restrictions for the transfer of personal data within the European Union.

If the destination is outside the European Union (including international organisations), the critical issue is to assess whether, in the jurisdiction of destination, the level of protection conferred on personal data is deemed adequate.

The transfer can take place only if the controller and the processor comply with the requirements for such transfers, including further onward transfers to other third countries.

The key concept is the ‘adequate level of protection' ensured at the destination. The European Commission is empowered to decide whether a jurisdiction provides an adequate level of protection for the purposes of the transfer of personal data. Such decisions have been made for a few countries, such as Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.

Until quite recently, such a decision was also in force for the United States (limited to the Privacy Shield framework). However, the Court of Justice of the European Union (CJEU), in Schrems II (16 July 2020), invalidated Decision 2016/1250 on the adequacy of the protection provided by the Privacy Shield framework. The Privacy Shield framework relies on a system of self-certification by which US organisations commit to a set of privacy principles issued by the US Department of Commerce. While the CJEU considered that Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries is valid, this is nevertheless a game-changer in the field of EU-US data transfers.

Where an adequacy decision does not exist, transfers to third countries may be performed only on the basis of appropriate safeguards, either provided by legally binding instruments (including binding corporate rules) or stipulated in contractual clauses, but in this case subject to the authorisation of the CNPD.

Following the invalidation of the Privacy Shield framework, EU-US data transfers may be carried out only on the basis of appropriate safeguards.

6.3 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?

Controllers must be especially aware that their duties and responsibilities are not waived whenever they transfer personal data to another controller. On the contrary, these duties are increased, with the burden of due diligence in ensuring that the recipient of the personal data complies with all requirements of the regime.

Examples of such due diligence include the duty to ensure that any rectification or deletion of personal data required to keep the data accurate is equally and timely performed by the recipient, where necessary.

Most importantly, as noted above for transfers to third countries, the controller and the processor must ensure that the recipient complies with the data protection requirements, including further onward transfers to other third countries.

7 Rights of data subjects

7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?

Right to information: Data subjects have the right to be informed of:

  • the identity and contact details of the controller (and the data protection officer, where there is one);
  • the purposes and legal basis for the processing;
  • the recipients of the data;
  • any intention to transfer the data to a third country;
  • the period for which the personal data will be stored;
  • the existence of the rights to access, rectify or erase data, to object to processing, to withdraw consent and to lodge a complaint;
  • whether the provision of data is required by law or by contract; and
  • the consequences of the data subject's failure to provide the data.

The data subject should also be given meaningful information about any automated decision-making processes involving the data subject's personal data.

Right to access: This includes:

  • the right to obtain from the controller confirmation as to whether personal data concerning him or her is being processed;
  • if affirmative, the right to know the purposes of processing, the categories of data concerned, the recipients of the data and the storage period;
  • the right to request from the controller the rectification or erasure of data; and
  • the right to lodge a complaint and be given information about any automated decision-making process involving the data.

Right to rectification: The data subject has the right to request rectification of inaccurate personal data. This right must be notified to the data subject.

Right to be forgotten: The data subject has the right to erasure of personal data in the following circumstances:

  • The data is no longer required for the purposes of the original processing;
  • The data subject withdraws the relevant consent for processing; or
  • The data is being unlawfully processed.

This right must be notified to the data subject.

Right to restriction of processing: Under certain circumstances, data subjects have the right to request restrictions to the processing of their personal data. This must be notified to the data subject.

Right to data portability: Data subjects have the right to receive their personal data (provided by them) in a structured, commonly used, machine-readable format, and to transmit that data to another controller.

Right to object: Data subjects have the right to object on reasonable grounds to the processing of their personal data. In the case of processing for direct marketing purposes, the right to object may be exercised at any time.

Right to individual decision making: Data subjects have the right not to be subject to decisions made by the automatic processing of their data. This includes the right not to be subject to decisions made on the sole basis of profiling.

7.2 How can data subjects seek to exercise their rights in your jurisdiction?

Data subjects may exercise their rights directly before the controller, the controller's representative or, where such a role exists, the data protection officer.

7.3 What remedies are available to data subjects in case of breach of their rights?

Data subjects have the right to lodge a complaint with the National Data Protection Commission (CNPD). Where corrective action may be taken, the CNPD has the power to order that such corrective action be taken by the controller or the processor (eg, the erasure of data).

Data subjects have the right to resort to judicial remedies against the handling of their complaints by the CNPD or against decisions taken by the CNPD that adversely affect their rights.

Regardless of the administrative remedies outlined above, data subjects may also start judicial proceedings against controllers or processors in case of a breach of their rights. These proceedings may be brought before the courts of the member state in which the controller or processor has an establishment or before the courts of the data subject's country of residence.

8 Compliance

8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?

In cases where processing is carried out by a public authority or body, except for courts acting in their judicial capacity, a data protection officer must be appointed.

In the private sector, a data protection officer must also be appointed where the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.

Finally, a data protection officer must also be appointed where the core activities of the controller or the processor consist of the processing on a large scale of sensitive personal data or personal data relating to criminal convictions and offences.

The failure to appoint a data protection officer, where mandatory, is deemed a serious administrative offence and is subject to fines of up to €10 million or 2% of annual worldwide turnover, in the case of large corporations. For small and medium-sized enterprises, the first limit becomes €1 million; this shall not exceed €250,000 in the case of natural persons.

Payment of the fine does not exempt a data controller from the duty to appoint a data protection officer.

8.2 What qualifications or other criteria must the data protection officer meet?

Portugal does not require the professional certification of data protection officers.

The requirements of the General Data Protection Regulation (GDPR) apply: the data protection officer should be appointed on the basis of his or her professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil his or her tasks (see question 8.3).

8.3 What are the key responsibilities of the data protection officer?

The key responsibilities of a data protection officer include the following:

  • to inform and advise the controller or the processor, and employees who carry out data processing, of their obligations pursuant to the regime;
  • to monitor compliance with the regime and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness raising and training of staff involved in processing operations, and related audits;
  • to provide advice where requested as regards data protection impact assessments and monitor their performance; and
  • to cooperate with the CNPD and act as the contact point for the CNPD on issues relating to processing.

In performing these tasks, the data protection officer should have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of the processing.

Additionally, the data protection officer should:

  • ensure that regular and random audits are conducted;
  • promote awareness of the importance of early detection of security incidents; and
  • actively engage data subjects on all matters relating to the data protection regime.

8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?

The data protection officer may be, but need not be, an employee of the data controller or processor.

As provided by the GPDR, a data protection officer may fulfil his or her tasks on the basis of a service contract.

Exclusivity is not a mandatory requirement: two or more controllers (more often in the public sector) may have the same data protection officer.

However, a data protection officer must carry out his or her tasks with complete technical independence and is under a strict duty of secrecy, unlimited by time.

8.5 What record-keeping and documentation requirements apply in the data privacy context?

The burden of proof of compliance with all requirements of the regime rests on the data controller.

This means that the data controller must maintain a record of processing activities under its responsibility, including, at least:

  • the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
  • the purposes of the processing;
  • a description of the categories of data subjects and the categories of personal data;
  • the categories of recipients to which the personal data has been or will be disclosed, including recipients in third countries or international organisations;
  • where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, where applicable, the documentation of suitable safeguards;
  • where possible, the envisaged time limits for erasure of the different categories of data; and
  • where possible, a general description of the technical and organisational security measures adopted.

As a general rule, these requirements do not apply to controllers with fewer than 250 employees, although some exceptions exist.

The data controller has a duty to keep documentation on key aspects of the data processing, such as the data subject's consent. Failure to produce such documentation may render the processing unlawful.

Specifically, the controller must document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. This documentation will enable the supervisory authority to verify compliance with the duty of notification of such data breaches.

8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?

Under Article 8 of the GDPR, the legal age for a data subject to consent to the processing of his or her personal data in relation to the offer of information society services is 16 years.

However, member states may specify a lower age for those purposes, provided that this is not below 13 years. This is the case for Portugal, where the age of consent for such purposes has been set at 13 years.

9 Data security and data breaches

9.1 What obligations apply to data controllers and processors to preserve the security of personal data?

When processing personal data, the controller and the processor are fully responsible for adopting and using appropriate technical and organisational measures to ensure the appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

In doing so, the controller shall take into account:

  • the state of the art;
  • the costs of implementation;
  • the nature, scope, context and purposes of processing; and
  • the likelihood and severity of the risks presented to the rights and freedoms of natural persons.

Technical and organisational measures may include:

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

The controller shall also conduct a security risk assessment and is encouraged to adhere to an appropriate code of conduct in this regard, where this is available.

The controller and the processor have a special duty to ensure that anyone who has access to personal data does not process it except under the controller's or processor's instructions.

9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

In the case of a personal data breach, the controller must – without undue delay and, where feasible, within 72 hours of becoming aware of it – notify the personal data breach to the National Data Protection Commission (CNPD).

Where the supervisory authority is not notified within 72 hours, the controller must specify reasons for the delay.

The notification must include, at least:

  • a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
  • the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

If not all information is available immediately, the information which is available should be notified to the CNPD without undue delay in stages.

If the personal data breach is unlikely to present a risk to the rights and freedoms of natural persons, the controller shall nevertheless fully document the incident, stating the facts relating to the personal data breach, its effects and the remedial action taken. This will enable the CNPD to verify compliance.

9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

Data subjects need not be notified of data breaches in all circumstances.

Whenever such notification is carried out, it should be in clear and plain language and include, at least:

  • the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

However, if the risk to the rights and freedoms of natural persons is not deemed to be high, the controller may opt not to notify the data subjects.

In this event, the CNPD, upon an assessment that the risk might be high, may order the controller to notify the data subjects accordingly.

9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?

Data controllers are entrusted with the precious personal details of many individuals.

Regardless of any mandatory measures provided by law, the social responsibility of controllers entails an ethical duty to take every possible step to minimise the impact of a data breach on the lives of the data subjects.

Common measures adopted by controllers include, where appropriate:

  • public disclosure of a data breach;
  • the establishment of information centres to provide details of the compromised categories of data; and
  • clear instructions on how to prevent any further negative consequences, where possible.

These measures should be adopted at the earliest feasible stage.

10 Employment issues

10.1 What requirements and restrictions apply to the personal data of employees in your jurisdiction?

The protection of personal data in the context of employment is covered extensively by the Portuguese Labour Code, which is the main source of statutory law on labour relations matters.

Act 58/2019, enforcing the General Data Protection Regulation, explicitly endorses the provisions of the Labour Code, subjecting them to specific rules. In this regard, the consent of an employee is not required if the processing:

  • results in an economic or legal advantage for him or her; or
  • is necessary for the performance of the labour contract.

The Labour Code prevents the collection of personal data of an employment applicant or employee regarding his or her private life, unless that data is required, under the terms of written reasoning, to assess the data subject's capabilities in relation to the performance of the contract.

The collection of data on employees' health, in particular regarding pregnancy, is also forbidden, except in very exceptional circumstances. In this case, the data must be collected by a physician, who cannot disclose any information beyond an assessment of ‘capable' or ‘not capable' to perform the contract.

The processing of biometric data requires notification to the National Data Protection Commission (CNPD) and is limited to the purposes of controlling attendance or access to premises or areas thereof. Only irreversible representations of such biometric data may be used, meaning that the data cannot be reconstructed from the representation.

10.2 Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?

Video surveillance may not be used in the employment to control or assess an employee's professional performance.

As a general rule, such processing may be carried out only for the purposes of security of persons, goods and premises; and a clear notice to that effect must be displayed at the locations under surveillance.

The collected images may be used solely within the context of criminal proceedings or, where connected, in a disciplinary process, subject to the scope and extent of its use in the criminal case.

Remote surveillance of work locations is subject to the prior authorisation of the CNPD. This data must be destroyed upon termination of the contract or upon transfer of the employee to a different work location.

10.3 What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context

A layered notice is recommended to explain, in adequate detail, the employer's privacy policy with regard to the processing of employees' personal data.

Depending on the level of detail required by the employee in a particular situation, a clear summary of the purposes of the processing, the categories of data processed, the employees' rights and similar items might be appropriate. A more precise reference to all conditions might be reserved for occasions where the employee needs specific legal information. Other intermediate levels may be designed as convenient.

This approach provides the data subject with the appropriate level of knowledge that he or she considers necessary to make an informed decision on the particular aspect of personal data processing that requires his or her attention.

11 Online issues

11.1 What requirements and restrictions apply to the use of cookies in your jurisdiction?

Cookies are small text files that websites place on the user's device during browsing. The information stored on cookies may be examined and further used to enhance the functionality of websites. Users generally have easy access to tools that enable cookies to be viewed and deleted.

Cookies have the potential to identify the user. In this respect, some cookies may be considered as personal data.

Cookies may be either temporary or persistent; may be placed on users' devices by the website they are visiting or by some third party, such as an advertiser; and the information they store may be used for a wide range of different purposes.

Under the General Data Protection Regulation (GDPR), and especially the e-Privacy Directive, the use of cookies requires the controller to:

  • obtain users' consent before using any cookies, except ‘strictly necessary' cookies (eg, for holding items in a shopping cart);
  • provide accurate and specific information about the data that each cookie tracks and its purpose in plain language before consent is received;
  • document and store consent received from users;
  • allow users to access the service even if they refuse to allow the use of certain cookies; and
  • make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.

11.2 What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?

Cloud computing services affect the privacy of natural persons insofar as their data is stored on servers under the control of the service provider.

Typical uses of cloud storage include plain storage, but also sharing of files (eg, photos or videos) that are difficult to share using email.

Apart from concerns over security and availability of data stored in the cloud, the main restriction is that the data of EU citizens must be stored either within the European Union or in a jurisdiction that confers an appropriate level of protection.

Until recently, the Privacy Shield framework was used, allowing cloud service providers located in the United States to prove they provided an adequate level of protection for data. However, this is no longer the case (see question 6.2).

The debate remains ongoing and it is far from clear which solutions will be adopted for the provision by US companies of cloud services to EU citizens.

11.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?

Marketing in the online and networked context is no longer a local business; it is global.

Companies that operate in this global market must pay attention to the multiplicity of requirements that impact on their activities – not just at their own national or regional level, but at the global level.

The requirements of the GDPR set the standard for any controller in the online marketing field and will usually be the most demanding to fulfil.

If a potential market extends across a number of jurisdictions, it is not possible to adopt a one-size-fits-all solution; careful study of the additional requirements of those jurisdictions (if any) should be considered at all times.

12 Disputes

12.1 In which forums are data privacy disputes typically heard in your jurisdiction?

Usually, most controllers take appropriate preventive steps to avoid personal data protection disputes in the first place. Seeking the advice of the National Data Protection Commission (CNPD) is one of these steps; but increasingly, resorting to the services of data protection professionals when planning a project that involves the processing of personal data is effective in preventing disputes.

Disputes nonetheless arise, however, and lodging a complaint with the CNPD is usually the preferred response.

Cases involving breaches of personal data protection rights may have either a civil or a criminal nature. Judicial cases of an administrative nature may also involve aspects of personal data protection. Judicial courts have full jurisdiction in all such cases.

12.2 What issues do such disputes typically involve? How are they typically resolved?

A wide range of typical disputes have been observed.

Often, a data subject will object to some type of processing (eg, video surveillance) that he or she perceives as unlawfully impacting on his or her privacy. Such issues are easily dealt with by means of a complaint to the CNPD.

At the other end of the spectrum, someone may illegally access personal data (even of a sensitive nature) and publicly disclose that data for the purpose of discrediting the data subject. This is a criminal offence, possibly involving significant civil liability, and must be heard in a court of law.

12.3 Have there been any recent cases of note?

The Portuguese courts are not bound by the rule of precedent. Case law may give some indication of how courts tend to enforce the regime; but as discussed below, contradictory decisions on the same theme exist. Moreover, there are no available statistics on cases involving personal data protection. Therefore, a sample of cases decided in the higher courts in recent years is presented below. Please note that all these cases involved the previous regime and not the General Data Protection Regulation.

Case 1: Images collected by a video surveillance system installed in a retail shop to safeguard the security of persons, goods and premises are admissible as evidence in a court of law, as long as there is just cause for their collection (eg, documenting a criminal offence) and the images do not reveal intimate aspects of the private life of the suspect (10 October 2012, High Court of Coimbra).

Case 2: Information on the identity and address of the registered owner of a toll tag for use in a private car, and details of the locations where the tag has been active, are protected as personal data. This data must not be disclosed in the benefit of private interests, such as for repossession of the car in a judicial enforcement (27 March 2014, High Court of Évora).

Case 3: Information on the identity and address of the registered owner of a toll tag for use in a private car, and details of the locations where the tag has been active, are protected as personal data and may be qualified as ‘sensitive'. However, this protection may be waived where the information is needed to enforce the repossession of the car in a judicial enforcement (17 May 2016, High Court of Porto).

Case 4: The simple fact that personal data that was unlawfully processed was already public at the time of processing does not preclude the breach of the data subject's rights, as the reach of protection goes beyond mere privacy, extending to the right of informational self-determination. The further processing of such personal data (for purposes that are not compatible with those which justified its collection) is unlawful and the data subjects affected are entitled to fair compensation (16 October 2014, Supreme Court of Justice).

Case 5: When installing a video surveillance system in a work area, accessible only to employees of the data controller, a balance must be achieved to ensure that use of the surveillance system is proportionate to, and justified by, a reasonable security risk or a specific danger, not just for the generic purpose of prevention or security. The use of such a system must be appropriate, necessary and proportionate (6 November 2014, Central Administrative Court–South).

Case 6: A person who worked as a hair stylist for a company and subsequently promoted her own business as a hair stylist, using personal data collected by her former employer, committed a criminal offence of failure to fulfil her duties to protect personal data (22 April 2015, High Court of Porto).

Case 7: The plaintiff in a judicial case requested an expert assessment of his psychological condition, which was granted. The expert report was entered into the proceedings of the case. Subsequently, the same plaintiff requested the removal and destruction of all copies of the report, invoking the Personal Data Protection Act, which he deemed applicable due to the sensitive nature of his own data. The request was denied and the plaintiff appealed. The appeal was rejected on the grounds that, regardless of its contents, the report had been entered as means of proof into the proceedings, not as a ‘personal data file', but rather as an expert report, which was not subject to the regime of protection of personal data (11 February 2016, High Court of Guimarães).

13 Trends and predictions

13.1 How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

The diverse range of problems presented by the COVID-19 pandemic has placed significant demands on the privacy regulators and their responses to these problems have been somewhat fragmentary and mostly reactive.

The problems faced by the National Data Protection Commission (CNPD) include:

  • issues with apps intended to trace natural persons;
  • temperature controls of persons, where this involves the collection of personal sensitive data;
  • disclosure of data on infected persons; and
  • remote teaching and remote working environments.

It is possible that the data protection authorities will consider a more proactive approach to this new reality and coordinate efforts at the international level.

Meanwhile, the situation created by the Schrems II decision (see question 6.2) demands that all concerned parties – including governments and large global corporations – come up with a workable solution to the persistent problem of the compatibility of the EU protection principles with the US paradigm of self-regulation.

As the safe harbour and the Privacy Shield framework schemes have both failed to ensure a stable framework for EU-US data transfers, the biggest question mark concerns how global players will approach their next attempt to resolve this problem.

14 Tips and traps

14.1 What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?

The single most important tip for effective data protection hinges on the word ‘prevention'. The fundamental rights of the data subject are fragile in nature. A data subject may never fully regain the privacy breached by a data leak and the damage may very well be beyond repair.

The right to be forgotten took many years and a lengthy legal battle to acquire its current legal status of a recognised fundamental right.

With this in mind, at the end of the day, the safest and most effective way to achieve prevention is to observe the core principles of personal data processing and do this ‘by design' – that is, embedding the protection of privacy at each step in the processing of personal data.

Furthermore, it has been observed that the future of privacy cannot be assured solely by compliance with the regulatory frameworks; instead, privacy assurance must ideally become an organisation's default mode of operation.

Recalling the response in question 12.1, engaging the services of data protection professionals when planning for a project that involves the processing of personal data is effective not just in preventing disputes from arising, but also – most importantly – in ensuring fairness and transparency.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.