Data & Privacy · Portugal
As an EU member state, Portugal applies the GDPR directly as its comprehensive personal-data protection regime, complemented nationally by Law no. 58/2019 of 8 August (which executes the GDPR in the Portuguese legal order rather than transposing it). Sector-specific laws complete the framework: Law no. 59/2019 covers data processing for criminal/law-enforcement purposes (transposing Directive (EU) 2016/680), and Law no. 41/2004 governs privacy in electronic communications (ePrivacy/cookies). The Comissão Nacional de Proteção de Dados (CNPD) is the independent supervisory authority.
The GDPR applies directly. Law no. 58/2019 of 8 August does not transpose the GDPR but 'ensures its execution' in Portugal, filling the discretionary openings the Regulation leaves to member states (e.g., processing in employment, health, special data, minors' digital-consent age set at 13).
The Comissão Nacional de Proteção de Dados is the national data protection authority — an independent administrative body with legal personality and administrative/financial autonomy operating under the Portuguese Parliament. It holds investigative and corrective powers, can impose administrative fines, and issues binding decisions, opinions on legislation and sectoral guidelines.
In Deliberation 494/2019, weeks after Law 58/2019 entered into force, the CNPD decided not to apply several of its provisions (including aspects of fines, retention, and public-interest processing), holding them incompatible with the directly-applicable GDPR — a notable feature of how the regime operates in practice.
Law no. 59/2019 of 8 August governs the processing of personal data for the prevention, detection, investigation or prosecution of criminal offences and enforcement of penalties, transposing the EU Law Enforcement Directive (Directive (EU) 2016/680).
Law no. 41/2004 of 18 August transposes the ePrivacy Directive (2002/58/EC), regulating privacy in electronic communications. Cookies and similar trackers require prior informed consent unless strictly necessary to provide a user-requested service; the CNPD has issued guidance on cookies and electronic direct marketing.
Controllers/processors must observe GDPR principles (lawfulness, transparency, purpose/data minimisation, security), maintain records, conduct DPIAs, appoint DPOs where required, and report breaches. Data subjects hold GDPR rights — access, rectification, erasure, restriction, portability and objection — enforceable via the CNPD, whose binding decisions are appealable to the administrative courts.
Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.