Privacy Law in Portugal
Portugal's data protection framework is governed by Law No. 58/2019, which implements the European Union's General Data Protection Regulation (GDPR). This law establishes specific national requirements and enforcement mechanisms, ensuring the protection of personal data within Portugal.
Key Provisions of Portugal's Data Protection Law
1. Consent and Age of Consent
Age of Consent: Individuals must be at least 13 years old to provide valid consent for data processing. For those under 13, consent must be obtained from their legal representative.
Data Processing for Minors: Processing personal data of minors is permitted only with explicit consent from their legal representative.
2. Data Protection Officer (DPO)
Appointment: Organizations are required to appoint a Data Protection Officer (DPO) based on professional qualities and specialized knowledge in data protection law and practice.
Additional Responsibilities: Beyond the GDPR's provisions, the DPO in Portugal must ensure both periodic and unscheduled audits, raise awareness among users about the importance of early detection of security incidents, and maintain relations with data subjects concerning data protection matters.
3. Video Surveillance
Restrictions: Video surveillance is permitted only when necessary to protect people and assets. Cameras must not target public roads, areas reserved for clients, users, or workers (such as bathrooms, waiting rooms, and dressing rooms), or ATMs in a manner that captures the keyboard.
4. Data Retention Periods
Retention Limits: Personal data should be retained only as long as necessary to fulfill the purpose for which it was collected. The right to be forgotten can only be exercised after the end of the retention period.
5. Freedom of Expression
Exemptions: Data protection laws do not hinder the exercise of freedom of speech, information, and press, including the processing of data for journalistic purposes and purposes of literary, artistic, or academic expression. However, such processing must respect the dignity and personality rights of individuals, as provided in the Portuguese Constitution.
⚖️ Enforcement and Penalties
Administrative Penalties
Large Enterprises: Fines ranging from €5,000 to €20 million or 4% of global annual turnover, whichever is higher.
Small and Medium Enterprises (SMEs): Fines ranging from €2,000 to €2 million or 4% of global annual turnover, whichever is higher.
Public Entities: Subject to fines unless exempted by the Comissão Nacional de Proteção de Dados (CNPD) upon reasoned request.
Criminal Penalties
Individuals: Imprisonment of up to one year or a fine of up to 120 days.
Entities: Fines ranging from €1,500 to €15,000.
Sensitive Data Violations: Penalties may be doubled, with imprisonment of up to two years or an equivalent monetary fine.
🧭 Enforcement Authority
The Comissão Nacional de Proteção de Dados (CNPD) is Portugal's national data protection authority responsible for overseeing compliance with data protection laws.
📰 Recent Enforcement Actions
In March 2024, the CNPD ordered the Worldcoin Foundation to halt the collection of biometric data for 90 days due to concerns over unauthorized data collection from minors, insufficient information provided to users, and issues with data deletion and consent withdrawal. This action reflects the CNPD's commitment to safeguarding citizens' data protection rights.