Abreu Advogados

 

What law(s) specifically govern personal data / information?

  • The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR);
  • Law No. 58/2019, of 8 August (the Portuguese data protection law);
  • Law No. 59/2019, of 8 August, which enshrines the regime for processing personal data connected with criminal offences or the execution of criminal sanctions;
  • Law No. 12/2005, of 26 January, on personal genetic information and health information;
  • Law No. 41/2004, of 18 August, on the processing of personal data and the protection of privacy in the context of publicly available electronic communications services; and
  • Law No. 21/2014, of 16 April, on clinical research, and Decree-Law No. 131/2014, of 29 August, on personal genetic information.

 

What are the key data protection principles in this jurisdiction?

The principles that apply in our jurisdiction are those laid down in Article 5 of the GDPR, which are:

  • Lawful basis for processing
  • The GDPR provides an exhaustive list of legal bases on which personal data may be processed:

    1. consent of the data subject for one or more specific purposes;
    2. contractual necessity;
    3. compliance with a legal obligation of the controller to perform the relevant processing;
    4. protection of the vital interests of the data subject or of another natural person;
    5. performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
    6. legitimate interests (i.e. the processing is necessary for the purposes of legitimate interests pursued by the controller, except where the controller’s interests are overridden by the interests, fundamental rights or freedoms of the affected data subjects).

    The processing of sensitive personal data requires stronger grounds and is only permitted under certain conditions, of which the most relevant are:

    • explicit consent of the affected data subject;
    • the processing is necessary in the context of employment or social security law; or
    • the processing is necessary for the establishment, exercise or defence of legal claims.
  • Transparency
  • Personal data must be processed lawfully, fairly and in a transparent manner. Regarding the processing of personal data, controllers are obliged to provide certain information to data subjects. Such information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

  • Purpose limitation
  • Personal data may only be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes.

  • Data minimisation
  • The processing of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed.

  • Accuracy
  • Personal data must be accurate and, where necessary, kept up to date.

  • Storage limitation
  • Personal data must be stored in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data was initially collected.

  • Integrity and confidentiality
  • Personal data must be processed in a manner that ensures appropriate security of those data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

  • Accountability
  • The controller is responsible for processing of data in accordance with the GDPR. In particular, the controller is obliged to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in compliance with the GDPR.

 

What is the supervisory authority / regulator in charge of data protection?

CNPD - National Commission for Data Protection (Comissão Nacional de Proteção de Dados): https://www.cnpd.pt/

 

Is there a requirement to register with a supervisory authority / regulator?

No.

 

Is there a requirement to notify the supervisory authority / regulator?

Yes. In cases where video-surveillance is permitted, any sound recording is forbidden, except during the period in which the premises under surveillance are closed or with prior authorisation from the CNPD.

It is also mandatory to communicate to the CNPD the designation of the Data Protection Officer and the respective contact details.

 

Is it possible to register with / notify the supervisory authority / regulator online?

N/A.

 

What are the key data subject rights under the data protection laws of this jurisdiction?

The main rights conferred to the data subject are those provided for in the GDPR, namely:

  • Right to information
  • Pursuant to Articles 13 and 14 GDPR, data subjects have the right to be provided with information on the identity of the controller, the reasons for processing their personal data and other relevant information necessary to ensure the fair and transparent processing of personal data.

  • Right of access
  • A data subject has the right to obtain from a controller certain information in respect of the data subject’s personal data as listed in Article 15 GDPR.

    Additionally, the data subject may request a copy of the personal data being processed.

  • Right to rectification of errors
  • Pursuant to Article 16 GDPR, data subjects have the right to rectification of inaccurate personal data.

  • Right to deletion/right to be forgotten
  • Data subjects have the right to erasure of their personal data (the “right to be forgotten”) if one of the grounds listed in Article 17 GDPR applies.

  • Right to restriction of processing
  • Data subjects have the right to request restriction of the processing of personal data, which means that the data may only be processed for limited purposes as defined in Article 18 GDPR.

  • Right to data portability
  • Data subjects have a right to receive a copy of their personal data in a commonly used machine-readable format, and transfer their personal data from one controller to another or have the data transmitted directly between controllers (Article 20 GDPR).

  • Right to object to processing
  • Data subjects have the right to object, on grounds relating to their particular situation, to the processing of personal data where the basis for that processing is either public interest (Article 6 para 1(e) GDPR) or legitimate interest of the controller (Article 6 para 1(f) GDPR). The controller must cease such processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the relevant data subject or requires the data in order to establish, exercise or defend legal rights.

    Data subjects have the right to object to the processing of personal data for marketing purposes, including profiling.

  • Right to withdraw consent
  • A data subject has the right to withdraw their consent at any time (Article 7 para 3 GDPR). The withdrawal of consent does not affect the lawfulness of processing based on consent before the withdrawal.

  • Right to complain to the relevant data protection authority(ies)
  • Data subjects have the right to lodge complaints concerning the processing of their personal data with the competent data protection authority.

  • Right not to be subject to automated individual decision-making
  • Under certain circumstances, data subjects have the right not to be subject to a decision based solely on automated processing of data (including profiling), which produces legal effects or similarly significant effects for the data subject (Article 22 GDPR).

    This is a summary only; there are qualifications and limitations to these rights which may be relevant.

    Additionally, the Portuguese data protection law (Law 58/2019), provides a particular regime with regard to the protection of personal data of deceased persons in relation to special categories of personal data, as referred to in paragraph 1 of Article 9 of the GDPR, or in relation to privacy, image or communications data, except in the cases provided for in paragraph 2 of the same article. These rights are exercised by whoever the deceased person has designated for this purpose or, in their absence, by their heirs. Data subjects may also, under the applicable legal terms, make it impossible to exercise the rights referred to in the previous paragraph after their death.

 

Is there a requirement to appoint a data protection officer (or equivalent)?

Under the GDPR (articles 37 to 39), a Data Protection Officer (DPO) must be appointed by organisations that:

  • are a public authority or body (except for courts acting in their judicial capacity);
  • have core activities that require large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
  • have core activities that consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.

This applies to both controllers and processors. Organisations that are not required to appoint a DPO may do so voluntarily. In making a voluntary appointment, organisations should be aware that the same requirements of the position and tasks apply as if the appointment had been mandatory.

The DPO must have expert knowledge of data protection law and practices, be independent and report to the highest management level.

 

Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

Yes. In order to comply with Article 35(4) of the GDPR, the CNPD has set out in its Regulation 1/2018 the situations in which it is mandatory to conduct an impact assessment. These are:

  • Processing of information derived from the use of electronic devices that transmit, over communication networks, personal data relating to health;
  • Processing that results in the interconnection of personal data, or processing that links personal data provided for in Article 9(1) or Article 10 of the GDPR or data of a highly personal nature;
  • Processing of personal data provided for in Article 9(1) or Article 10 of the GDPR, or data of a highly personal nature, on the basis of an indirect collection where it is not possible or practicable to ensure the right of information under Article 14(5)(b) of the GDPR;
  • Processing of personal data which implies or consists of profiling on a large scale;
  • Processing of personal data which makes it possible to track the location or behaviour of the data subjects (e.g. employees, customers or just passers-by), which has the effect of evaluating or classifying them, except when the processing is essential for the provision of services specifically requested by them;
  • Processing of data provided for in Article 9(1) or Article 10 of the GDPR, or data of a highly personal nature, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, with the exception of processing authorised and regulated by law which provides adequate guarantees for the rights of the data subjects;
  • Processing of biometric data for the unequivocal identification of the data subjects when they are vulnerable persons, with the exception of processing authorised and regulated by law and subject to a previous data protection impact assessment;
  • Processing of genetic data of vulnerable persons, with the exception of processing authorised and regulated by law and subject to a previous data protection impact assessment;
  • Processing of personal data provided for in Article 9(1) or Article 10 of the GDPR, or data of a highly personal nature, using new technologies or a new use of existing technologies.

A data protection impact assessment is also mandatory in the context of a legislative or regulatory procedure; it must be sent to the CNPD together with the request for an opinion on the draft provisions prepared by the body with legislative or regulatory power (cf. Article 18(4) of Law 43/2004, as amended).

 

Does this jurisdiction have any specific data breach notification requirements?

No. The procedure and requirements that apply when a data breach occurs in Portugal are those laid down in the GDPR, in particular Article 33.

Therefore, it is an obligation of the controller to notify the CNPD of a data breach, as required in Article 33(1) of the GDPR. Unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, the notification must be made within 72 hours of becoming aware of it.

The CNPD provides a specific form for this purpose, available at https://www.cnpd.pt:8086/databreach/?AspxAutoDetectCookieSupport=1

Even if the controller considers that notification to the CNPD is not required, the controller is obliged to document any data breaches, pursuant to Article 33(5) of the GDPR.

The EDPB (European Data Protection Board) has issued guidelines on data breach notification, detailing the requirements for such notifications (Guidelines 9/2022 on personal data breach notification under GDPR and Guidelines 01/2021 on Examples regarding Data Breach Notification).

 

What restrictions apply to the international transfer of personal data / information?

International data transfers (i.e. transfers to jurisdictions outside the European Economic Area (“EEA”)) can only take place if the transfer is covered by an “Adequacy Decision” or the recipient has implemented the safeguards required by the GDPR.

The EU Commission has issued decisions concerning an adequate level of protection on the basis of Article 45(3) GDPR for the following countries: Andorra; Argentina; Canada; Faroe Islands; Guernsey; Isle of Man; Israel; Japan; Jersey; New Zealand; Republic of Korea; Switzerland; and Uruguay. The United Kingdom has been recognised by the EU Commission as providing adequate protection under the GDPR and the Law Enforcement Directive.

For a data transfer to any other country, the controller is obliged to ensure compliance with the GDPR rules on international data transfers:

  • The transfer may be based on the consent of the relevant data subject.
  • The transfer may be based on Standard Contractual Clauses (“SCCs”) drafted by the EU Commission. The SCCs, which took effect from 27 June 2021, are available for the following transfers:
    • Module 1: controller to controller
    • Module 2: controller to processor
    • Module 3: processor to processor
    • Module 4: processor to controller
  • The transfer may be based on contracts agreed between the data exporter and data importer, provided that they meet the protection standards outlined in the GDPR. Additionally, prior approval by the relevant data protection authority is required.
  • The transfer may be based on Binding Corporate Rules (“BCRs”), in particular within a group of entities. For BCRs, prior approval by the relevant data protection authority is needed. Most importantly, the BCRs need to include a mechanism to ensure they are legally binding on, and enforced by, every member of the group of entities.
  • The transfer is covered by one of the permitted derogations set out in Article 49 (in the absence of an adequacy decision or appropriate safeguards), such as the explicit consent of the data subject; the transfer being necessary for the performance of a contract between the data subject and the data controller, at the data subject's request or in the interest of the data subject; or the transfer being necessary for the establishment, exercise or defence of legal claims.

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

The Portuguese data protection law (Law no. 58/2019, of 8 August) applies to the processing of personal data which is carried out outside the national territory when:

  • carried out by an organisation established within the national territory; or
  • affecting data subjects who are based in the national territory, where the processing activities are subject to the provisions of Article 3(2) of the GDPR; or
  • affecting data that is registered at consular offices of which the data subjects are Portuguese citizens residing abroad.

Despite this, we note that the CNPD has decided (Deliberation No. 2019/294) not to apply these provisions in cases brought before it, as it considered them to be in violation of European Union law (the GDPR). However, we emphasise that a court is not bound by such a deliberation and may therefore still apply these provisions on lawful grounds.

 

What rules specifically deal with marketing?

These rules are set out in Law No. 41/2004 of 18 August (“Portuguese E-Privacy Law”), for marketing communications through automated means, and in Law No. 6/99 of 27 January, for communications via pre-recorded voice calls or via postal mail.

 

Do different rules apply to business-to-business and business-to-consumer marketing?

As regards marketing communications through automated means, different rules apply between a business-to-business or a business-to-consumer communication.

For more detailed information, please refer to the answer below.

 

What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

In Portugal, the rules applicable to the processing of personal data for direct marketing purposes through automated means (SMS, MMS, EMS, automated calls and fax) and electronic mail are included in the Portuguese E-Privacy Law.

According to this law, there are three different applicable situations:

  • Potential Customers:
  • In this case, the Portuguese E-Privacy Law requires data subjects who are potential customers to give their express consent (“opt-in” rule) before receiving direct marketing communications through automated means.

  • Businesses:
  • Concerning business entities, the Portuguese E-Privacy Law allows the sending of marketing communications without prior consent, provided that (i) the entity is not included in the official register of entities that do not wish to receive those communications and (ii) the legal entity is given the option of objecting to those communications.

  • Existing customers:
  • With regard to existing customers, in accordance with the Portuguese E-Privacy Law, a controller that has already obtained the electronic contact details of a customer in connection with the sale of a product or service may send direct marketing communications promoting its own or similar products, provided that the customer has not initially refused the processing of data for direct marketing and is given the possibility to object to the marketing communications (“opt-out” rule), both at the time the data is collected and in each communication.

 

What rules specifically deal with cookies?

There is no specific legislation in Portugal regarding cookies. However, the Portuguese E-Privacy Law is relevant to cookies, in particular Article 5, concerning the storage of and access to information.

According to this Article, the storage of information and the possibility of access to information stored in the equipment of a subscriber or user is only allowed if the subscriber or user has given his or her prior consent in accordance with the data protection law (Law No. 58/2019), notably regarding the purposes of processing.

However, these rules do not prevent storage or access:

  • which has as its sole purpose the transmission of a communication over an electronic communications network;
  • which is strictly necessary for the provider to provide an information society service as explicitly requested by the subscriber or user.

 

What are the consequences of non-compliance with data protection laws (including marketing laws)?

According to Law No. 58/2019, non-compliance with data protection law will constitute:

Very serious administrative offences, punishable:

  • From 5000 (euro) to 20 000 000 (euro) or 4 percent of the annual worldwide turnover, whichever is higher, in the case of a large company;
  • From 2000 (euro) to 2 000 000 (euro) or 4 percent of the annual worldwide turnover, whichever is higher, in the case of an SME;
  • From 1000 (euro) to 500 000 (euro), in the case of natural persons.

Serious administrative offences, punishable:

  • From 2500 (euro) to 10 000 000 (euro) or 2 percent of the annual worldwide turnover, whichever is higher, in the case of a large company;
  • From 1000 (euro) to 1 000 000 (euro) or 2 percent of the annual worldwide turnover, whichever is higher, in the case of an SME;
  • From 500 (euro) to 250 000 (euro), in the case of natural persons.

Non-compliance with data protection rules may also constitute a crime. In this regard, Law No. 58/2019 typifies the following as crimes:

  • Use of data in a manner incompatible with the purpose of collection - punishable by a prison sentence of up to 1 year or a fine of up to 120 days. The maximum penalty is doubled when special category personal data or criminal convictions data (referred to in Articles 9 and 10 of the GDPR) is involved;
  • Improper access - punishable by a prison sentence of up to 1 year or a fine of up to 120 days. The maximum penalty is doubled when special category personal data or criminal convictions data (referred to in Articles 9 and 10 of the GDPR) is involved;
  • Data misappropriation - punishable by a prison sentence of up to 1 year or a fine of up to 120 days. The maximum penalty is doubled when special category personal data or criminal convictions data (referred to in Articles 9 and 10 of the GDPR) is involved;
  • Vitiating or destroying data without proper authorisation or justification - punishable by a prison sentence of up to 2 years or a fine of up to 240 days;
  • Entering false data - punishable by a prison sentence of up to 2 years or a fine of up to 240 days;
  • Breach of confidentiality - punishable by a prison sentence of up to 1 year or a fine of up to 120 days;
  • Disobedience, i.e. failure to comply with the obligations of the GDPR and the data protection law after the deadline for compliance has expired - punishable by a prison sentence of up to 1 year or a fine of up to 120 days.

In turn, according to Law No. 41/2004 (relating to marketing communications through automated means), non-compliance with marketing rules will constitute:

An administrative offence punishable by a minimum fine of (euro) 1500 to a maximum fine of (euro) 25,000 when committed by natural persons, and a minimum fine of (euro) 5000,000 to a maximum fine of (euro) 5.000,000 when committed by legal persons, for sending communications for direct marketing purposes in violation of article 13-A (1) and (2).

As regards Law No. 6/99 (for communications via pre-recorded voice calls or via postal mail), non-compliance with marketing rules will constitute:

An administrative offence, punishable by a fine from (euro) 997,60 to (euro) 2.494,00 for a natural person, or from (euro) 1.995,19 to (euro) 29.927,91 for a legal entity.

Notwithstanding the aforementioned, we note that the CNPD has decided (Deliberation No. 2019/294) not to apply some of the above sanction rules of Law No. 58/2019, as it considered them to be in violation of European Union law (the GDPR). However, we emphasise that a court is not bound by such a deliberation and may therefore still apply those sanctions on lawful grounds.

 

In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction without being located there?

For the processing of certain categories of personal data, among which we highlight health data, it is advisable to consult the applicable legislation (Articles 29, 30 and 31 of Law No. 58/2019; Article 4 of Law No. 12/2005; Law No. 21/2014; and Decree-Law No. 131/2014).

Controllers and processors who are not established in the EEA are generally required under Article 27 of the GDPR to designate a representative in the EEA where their activities fall within the territorial scope of the EEA data protection regime under Article 3, specifically if they involve processing personal data of data subjects within the EEA in connection with the offering of goods or services, or the monitoring of the behaviour of data subjects located in the EEA.

 

What upcoming data protection developments should multinational organisations be aware of?

At the European Union level, attention should be paid to the E-Privacy Regulation that is expected to come into force soon.

 

Carmo Sousa Machado
Abreu Advogados
Portugal