Law: Personal Data Protection Act (Act 8/2005) ('the Act')
Regulator: Office for Personal Data Protection ('GPDP')
Summary: The Act provides general personal data protection requirements and provisions, including establishing data subject rights and regulating the activities of data controllers and data processors. The Act does not, however, provide for the appointment of data protection officers and is unclear in relation to data breach notification requirements. In addition to the Act, the Cybersecurity Law No. 13/2019 (only available in Portuguese and Chinese here) ('the Cybersecurity Law') entered into effect on 21 December 2019, and stipulates requirements for operators of critical information infrastructure. The GPDP has released several guidelines on matters including, among other things, app development, data protection in the workplace, and biometric monitoring.