Data protection & privacy laws in Portugal (2026)
As an EU member state, Portugal applies the GDPR directly as its comprehensive personal-data protection regime, complemented nationally by Law no. 58/2019 of 8 August (which executes the GDPR in the Portuguese legal order rather than transposing it). Sector-specific laws complete the framework: Law no. 59/2019 covers data processing for criminal/law-enforcement purposes (transposing Directive (EU) 2016/680), and Law no. 41/2004 governs privacy in electronic communications (ePrivacy/cookies). The Comissão Nacional de Proteção de Dados (CNPD) is the independent supervisory authority.
Key points
The GDPR applies directly. Law no. 58/2019 of 8 August does not transpose the GDPR but 'ensures its execution' in Portugal, filling the discretionary openings the Regulation leaves to member states (e.g., processing in employment, health, special data, minors' digital-consent age set at 13).
The Comissão Nacional de Proteção de Dados is the national data protection authority — an independent administrative body with legal personality and administrative/financial autonomy operating under the Portuguese Parliament. It holds investigative and corrective powers, can impose administrative fines, and issues binding decisions, opinions on legislation and sectoral guidelines.
In Deliberation 494/2019, weeks after Law 58/2019 entered into force, the CNPD decided not to apply several of its provisions (including aspects of fines, retention, and public-interest processing), holding them incompatible with the directly-applicable GDPR — a notable feature of how the regime operates in practice.
Law no. 59/2019 of 8 August governs the processing of personal data for the prevention, detection, investigation or prosecution of criminal offences and enforcement of penalties, transposing the EU Law Enforcement Directive (Directive (EU) 2016/680).
Law no. 41/2004 of 18 August transposes the ePrivacy Directive (2002/58/EC), regulating privacy in electronic communications. Cookies and similar trackers require prior informed consent unless strictly necessary to provide a user-requested service; the CNPD has issued guidance on cookies and electronic direct marketing.
Controllers/processors must observe GDPR principles (lawfulness, transparency, purpose/data minimisation, security), maintain records, conduct DPIAs, appoint DPOs where required, and report breaches. Data subjects hold GDPR rights — access, rectification, erasure, restriction, portability and objection — enforceable via the CNPD, whose binding decisions are appealable to the administrative courts.
Timeline - major decisions & events
Portugal's data watchdog opened a record 3,201 investigation processes and received 472 breach notifications in 2025 — a 42% rise from 2024 — yet issued just 2 sanctions totalling €47,000, a collapse attributed to severe resource constraints with only 36 staff and procedural backlogs.
Source: ppc.land (citing CNPD 2025 Annual Report)
The government appointed ANACOM (the telecom regulator) as national market surveillance authority under the EU AI Act, while CNPD retains competence wherever AI systems process personal data — establishing a split-authority governance model for AI regulation.
Source: CMS Expert Guide
Law 2/2025 of 23 January transposed Regulation (EU) 2022/868 into domestic law, establishing rules on the re-use of public-sector data, data intermediary services, and data altruism organisations — extending Portugal's data regulatory perimeter beyond personal-data protection.
Source: Diário da República Eletrónico (DRE)
The CNPD imposed a record €4.3 million fine on INE (Instituto Nacional de Estatística) for five violations during the 2021 national census, including unlawful processing of special-category data and failure to provide transparency notices. INE appealed to Portuguese courts; the case remained pending as of mid-2026.
Source: European Data Protection Board (EDPB)
The CNPD found that Lisbon's mayor's office had transmitted personal data of 52 protest organisers to foreign embassies — including Russia — on 225 occasions between 2018 and 2021, violating Articles 5 and 6 GDPR. At the time this was the largest public-body GDPR fine in Southern Europe.
Source: DataGuidance (citing CNPD decision)
Law 58/2019 of 8 August exercised Portugal's GDPR member-state discretions — setting the digital consent age at 13, confirming CNPD as the sole supervisory authority, and establishing national rules for employee data, scientific research, and public-interest processing. It formally repealed Lei 67/98.
Source: Diário da República Eletrónico (DRE)
Centro Hospitalar Barreiro Montijo was fined €400,000 — among the earliest GDPR fines in Europe — for granting medical-records access to 985 user accounts (only 296 were physicians), including non-medical staff, and for failing to conduct a Data Protection Impact Assessment under Article 35 GDPR.
Source: IAPP
Law 41/2004 transposed Directive 2002/58/EC, regulating confidentiality of electronic communications, traffic-data retention, and — critically — requiring prior informed consent before accessing or storing information on users' terminal equipment, creating the legal basis for cookie-consent obligations in Portugal.
Source: WIPO Lex (Council of Europe)
Law 67/98 of 26 October fully transposed Directive 95/46/EC, replacing Law 10/91, introducing data subject rights of access and rectification, restricting third-country transfers, and renaming the supervisory authority from CNPDPI to the current Comissão Nacional de Proteção de Dados (CNPD).
Source: ANACOM (official Portuguese regulatory authority)
Created by Law 10/91, the Comissão Nacional de Protecção de Dados Pessoais Informatizados (CNPDPI) became operational on 7 January 1994 — four years before the EU directive required member states to establish such bodies — marking the start of formal independent data-protection supervision in Portugal.
Source: CNPD (official)
Law 10/91 of 29 April was Portugal's inaugural dedicated data protection law, implementing the principles of Council of Europe Convention 108 (1981) and creating the supervisory authority (CNPDPI). It covered automated processing of personal data and laid the enforcement architecture that successive laws have built upon.
Source: Diário da República Eletrónico (DRE)
Portugal's post-revolution Constitution — a direct response to PIDE/DGS secret-police surveillance under the Salazar dictatorship — included Article 35 ('Use of Information Technology'), guaranteeing citizens the right to access, correct, and control their computerised personal data. This pre-dated the GDPR by four decades and remains the supreme legal anchor for data protection in Portugal.
Source: Assembleia da República (Portuguese Parliament)
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.