
PORTUGAL - Data Protection and GDPR Review

History of Data Protection in Portugal

The history of data protection in Portugal has evolved significantly over the years, paralleling global trends and European Union directives and regulations. Here's an overview of key milestones:

Pre-1991: Early Beginnings

Before the introduction of any significant data protection laws, the concept of data protection was rather vague in Portugal. There were some attempts at securing personal data, but they were sporadic and not codified into law.

1991: First Data Protection Law

Portugal passed its first Data Protection Law (Lei nº 10/91) in 1991, providing a framework for the protection of personal data processed through automated means. The law was enacted to align with European directives and was the first piece of legislation in Portugal specifically aimed at data protection.

1994: Data Protection Authority Established

The Comissão Nacional de Proteção de Dados (CNPD) was established as the national data protection authority, responsible for the implementation and oversight of data protection laws.

1995: EU Data Protection Directive (Directive 95/46/EC)

Portugal, like other EU member states, was required to implement the EU Data Protection Directive. This led to the adoption of more comprehensive laws governing the processing and transfer of personal data.

2004: Updates to National Legislation

The Data Protection Law underwent substantial changes to adapt to the new digital age. These changes aimed to make the law more comprehensive, covering both manual and automated data processing methods.

2012: Law 67/98

Portugal updated its national data protection law in accordance with changes in the EU’s Data Protection Directive. Law 67/98 was a comprehensive reform that solidified and expanded the rights of data subjects.

2018: GDPR Implementation

The General Data Protection Regulation (GDPR) came into effect on May 25, 2018. Portugal, like all EU member states, adopted GDPR, and the CNPD was designated as the supervisory authority for its implementation.

2019: Local Adaptations to GDPR

Portugal passed Law no. 58/2019 in August 2019 to ensure the effective application of GDPR within the country. The law specifies certain exceptions and particular conditions, such as the age of digital consent being set at 13.

Present and Future: Ongoing Compliance and Reforms

Data protection remains an important and evolving issue in Portugal. The CNPD actively monitors and enforces GDPR compliance, and there is an increasing emphasis on digital rights, including data protection, in both public discourse and legislation.

Challenges and Innovations

Emerging technologies such as artificial intelligence, Internet of Things (IoT), and blockchain present both challenges and opportunities for data protection law in Portugal.

Portugal's data protection journey has been one of incremental development, heavily influenced by European Union directives and regulations. With the implementation of GDPR, Portugal has entered a new era of data protection that emphasizes individual rights and imposes stricter obligations on data controllers and processors.

As a member state of the European Union, Portugal is subject to the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018. This guide aims to provide a comprehensive understanding of data protection in Portugal under the GDPR framework.

Table of Contents

1. Regulatory Bodies

2. Key Principles

3. National Legislation

4. Rights of Data Subjects

5. Consent Requirements

6. Data Breach Reporting

7. International Data Transfers

8. Compliance for Businesses

9. Penalties and Enforcement

10. FAQs

11. Future Trends

1. Regulatory Bodies

- Comissão Nacional de Proteção de Dados (CNPD): The CNPD is Portugal’s national data protection authority, responsible for the implementation and oversight of data protection laws.

2. Key Principles

Portugal follows the key principles outlined by GDPR, which include:

- Lawfulness, fairness, and transparency

- Purpose limitation

- Data minimization

- Accuracy

- Storage limitation

- Integrity and confidentiality

3. National Legislation

- Law no. 58/2019: This national law was enacted in August 2019 to ensure the effective application of GDPR in Portugal. It provides specific guidelines and exceptions to GDPR in the Portuguese context.

4. Rights of Data Subjects

Data subjects in Portugal have the following rights under GDPR:

- Right to Access: Data subjects can request copies of their personal data.

- Right to Rectification: Allows data subjects to correct inaccurate data.

- Right to Erasure ("Right to be Forgotten"): Data subjects can request the deletion of their data under specific conditions.

- Right to Object: Allows data subjects to object to data processing under certain circumstances.

- Right to Data Portability: Data can be moved, copied, or transferred from one system to another.

5. Consent Requirements

- Informed and Explicit: Consent must be specific, clear, and provided via an affirmative action.

- Minors: The age of digital consent in Portugal is 13, as stipulated by Law no. 58/2019.

6. Data Breach Reporting

- Timeline: Data controllers must report a data breach to the CNPD within 72 hours of becoming aware of it.

- Notification to Data Subjects: If the breach poses a high risk to individuals' rights and freedoms, they must be notified directly.

7. International Data Transfers

- Adequate Protections: Data can be transferred internationally only if the receiving country has adequate data protection measures, as per GDPR.

8. Compliance for Businesses

- Data Protection Officer (DPO): Certain organizations are required to appoint a DPO.

- Data Protection Impact Assessment (DPIA): Required for high-risk data processing activities.

- Record-Keeping: Businesses must maintain records of data processing activities.

9. Penalties and Enforcement

- Fines: Non-compliance can lead to fines of up to €20 million or 4% of the global annual turnover, whichever is higher.

- Enforcement: CNPD is responsible for imposing these fines and penalties.

10. FAQs

- Is Portugal under the jurisdiction of GDPR?: Yes, as an EU member, Portugal is subject to GDPR.

- What is the role of CNPD?: CNPD enforces data protection laws and GDPR compliance in Portugal.

11. Future Trends

- Emerging Technologies: The rise of AI, IoT, and other advanced technologies will likely necessitate updates to Portugal’s data protection laws.


In Portugal, GDPR serves as the primary regulation governing data protection, supplemented by national laws for specific conditions and clarifications. Businesses and organizations must ensure they comply with these rules to avoid severe penalties. The CNPD is the regulatory authority ensuring that these guidelines are followed.

This guide is for informational purposes and should not replace professional legal advice. Always consult legal experts for advice specific to your circumstances.

