Data Protection Laws of the World Handbook: Second Edition - Portugal

Author:Mr Alec Christie, Cameron Craig, Jim Halpert, Thomas Jansen, Jennifer M. Kashatus, Kate Lucente, Richard Van Schaik, Scott Thiel, Carol A.F. Umhoefer and Patrick Van Eecke
Profession:DLA Piper Australia


Portuguese Data Protection Law - Law No. 67/98, of October 26th - was enacted pursuant to Directive 95/46/EC.


The Portuguese Data Protection Law defines "personal data" as any given information, in any format, including sound and image, related to a specific or an identifiable natural person ("data subject") An identifiable person is one who can be identified, directly or indirectly, namely by reference to a specific number or to one or more elements concerning his/her physical, physiological, mental, economic, cultural or social identity.


Article 7 of the Data Protection Law defines "sensitive personal data" as any personal data revealing one's philosophical or political beliefs, political affiliations or trade union membership, religion, private life and racial or ethnic origin and also data concerning health or sex life, including genetic data.


Comissгo Nacional de Protecзгo de Dados ("National Commission for the Protection of Data" also known as "CNPD").


Data controllers who process personal data shall notify the Data Protection Authority (CNPD), unless an exemption applies. For certain categories of data (sensitive data when permitted, data regarding illicit activities or criminal and administrative offenses or credit and solvability data) and certain specific processing, prior authorization from CNPD is required. Any variations or changes to the processing of personal data will determine the amendment of the registration.

As for the filing requirements, CNPD has an official form that must be submitted in Portuguese with the following information:

Identity of the controller and its representative; Main software features; The purposes of the processing; Third party entity responsible for the processing (if applicable); All the personal data that will be collected in each register; it is also necessary to indicate if sensitive data is to be collected as well as data concerning the suspicion of illegal activities, criminal and/or administrative offences, as well as data regarding credit and solvability. Grounds of legitimacy of the collection and a brief description of the data collection method used; Means and methods available for updating the data; Means of communication of data to other entities and their identification (if applicable); and Any transfers of data to third countries, listing the reasons, grounds and the measures adopted in each transfer. DATA PROTECTION OFFICERS

There is no legal requirement in Portugal for organisations to appoint a data protection officer.


Personal data may only be processed if the data subject has given his/her unambiguous consent or if processing is deemed necessary:

for the execution of an agreement(s) where the data subject is party or in previous diligences for the conclusion of an...

To continue reading