Portugal - Data Protection Overview

July 2022

1. Governing Texts

The fundamental right to personal data protection was established in the Constitution of the Portuguese Republic 1976 ('the Constitution'). The first Portuguese Data Protection Act No. 10/91 (only available in Portuguese here) was adopted in 1991, foreseeing the creation of the Portuguese supervisory authority in data protection matters. Prior to the entry into force of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), the general rule was the following: before initiating any personal data processing, the controller had to notify the Portuguese data protection authority ('CNPD') or obtain prior processing authorisation from the same entity.

The CNPD's decisions taken in accordance with authorisation procedures have been very inconsistent. Notably, regarding retention periods of personal data (e.g. for identical personal data processing purposes/activities), the CNPD would establish different retention periods. Hence, it is difficult to predict the interpretations and decisions that the CNPD is likely to adopt within the GDPR. However, it is worth mentioning that the CNPD has been adopting a conservative approach.

1.1. Key acts, regulations, directives, bills

On 25 May 2018, the GDPR entered into force in the EU and, consequently, became applicable in Portugal. The Portuguese Law No. 58/2019 of 8 August (only available in Portuguese here) ('the Data Protection Law'), which assures the execution in the Portuguese legal system of the GDPR, was published on 8 August 2019.

Additional data protection obligations are included in certain sector-specific laws, such as:

  • Law No. 12/2005 of 26 January (only available in Portuguese here), which contains specific provisions regarding data protection on genetic and health information;
  • Law No. 41/2004 of 18 August (only available in Portuguese here), which regulates the protection of personal data in the electronic communications sector and contains specific provisions for telecommunication service providers; and
  • Law No. 59/2009 of 8 August (only available in Portuguese here), which transposes Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data.

1.2. Guidelines

The CNPD has issued guidelines (only available in Portuguese here), including the following:

  • Guidance on data protection officers (only available in Portuguese here) ('the DPO Guide'); and
  • Frequently asked questions on the application of the GDPR (only available in Portuguese here).

In addition, the CNPD has issued some opinions on the processing of personal data in very specific contexts such as health (including specific guidance related to Covid-19), human resources, marketing and telecommunications (only available in Portuguese here and here).

Furthermore, the European Data Protection Board ('EDPB') has published the following Opinion for Portugal:

1.3. Case law

The Portuguese Courts have already ruled on several personal data protection matters (the Portuguese Bar Association has made a selection of case law, only available in Portuguese here).

However, please note that in Portugal judges are not bound by precedent.

2. Scope of Application

2.1. Personal scope

The Data Protection Law ensures the implementation of the GDPR in Portugal. Such law is applicable to the processing of personal data within the Portuguese territory, irrespective of the private or public nature of the data controller or processor, even if the processing of personal data is carried out in compliance with legal obligations or in the pursuit of missions of public interest, and all the exclusions provided for in Article 2 of the GDPR shall apply.

The Data Protection Law is also applicable to the processing of personal data of deceased individuals when such data falls within special categories of personal data or relate to private life, image, or communications, with the exceptions provided in Article 9(2) of the GDPR.

2.2. Territorial scope

The Data Protection Law shall apply to the processing of personal data carried out within the national territory.

The Data Protection Law shall also apply to the processing of personal data carried out outside the national territory when:

  • the processing is carried out within the scope of activity of an establishment situated on the national territory;
  • the processing affects data subjects who are on national territory, where the processing activities are subject to the provisions of Article 3(2) of the GDPR; or
  • the processing affects data that is registered at consular offices of which the data subjects are Portuguese citizens residing abroad.

The Data Protection Law shall not apply to personal data files constituted and maintained under the responsibility of the Intelligence System of the Portuguese Republic, which shall be governed by specific provisions, in accordance with the Data Protection Law.

2.3. Material scope

Deceased persons' data

Another relevant aspect in Portuguese data protection law is the fact that the Data Protection Law has also provided for the protection of the personal data of deceased persons. The Data Protection Law extends the protections set out in the GDPR to deceased data subjects' special categories of personal data, as well as to personal data pertaining to private life, image, and communications. The deceased data subject's rights may be exercised by a person appointed by the deceased data subject or, in the absence of an appointed person, by the data subject's successors. The deceased data subject may also determine that those rights may not be exercised after their death.

There are numerous conceivable problems with this framework, namely: it is unclear which (if any) formal requirements apply to the decision to appoint another to exercise the rights related to personal data and the decision to bar the exercise of those rights after death; it is unclear if granting the right of access to a deceased data subject's personal data related to private life and communications is compliant with the Constitution; and it is unclear if a deceased data subject's right to bar the exercise of their personal data rights after death should outweigh their successors' right to succeed, when such rights conflict.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The CNPD is an independent administrative body, with powers of authority throughout the national territory.

3.2. Main powers, duties and responsibilities

The CNPD's general duty is to supervise and monitor compliance with the laws and regulations in the area of personal data protection with strict respect for human rights and the fundamental freedoms and guarantees enshrined in the Constitution and Portuguese law.

Its main duties and responsibilities, in addition to those stipulated in Article 57 of the GDPR, are the following:

  • to supervise and monitor compliance with laws and regulations pertaining to personal data protection and to correct and sanction breaches of such laws and regulations;
  • to issue non-binding opinions on any legal or regulatory provisions and on legal instruments, in preparation in Portugal or in European or international institutions, relating to the processing of personal data;
  • to provide a public list of the kinds of processing operations which are subject to a Data Protection Impact Assessment ('DPIA') and establish criteria to define the concept of 'high risk' referred to in Article 35 of the GDPR;
  • to elaborate and submit to the EDPB the draft criteria for the accreditation of code of conduct monitoring bodies and certification bodies and ensure the subsequent publication of such criteria, if approved; and
  • to cooperate with the Portuguese Accreditation Institute ('IPAC').

The CNPD's decisions are binding, but complaints can be lodged against them and they may be subject to judicial review by the administrative courts.

4. Key Definitions

Data controller: The provisions of the GDPR apply.

Data processor: The provisions of the GDPR apply.

Personal data: The provisions of the GDPR apply.

Sensitive data: The provisions of the GDPR apply.

Health data: The provisions of the GDPR apply.

Biometric data: The provisions of the GDPR apply.

Pseudonymisation: The provisions of the GDPR apply.

5. Legal Bases

5.1. Consent

The provisions of the GDPR apply.

5.2. Contract with the data subject

The provisions of the GDPR apply.

5.3. Legal obligations

The provisions of the GDPR apply.

5.4. Interests of the data subject

The provisions of the GDPR apply.

5.5. Public interest

The provisions of the GDPR apply.

5.6. Legitimate interests of the data controller

The provisions of the GDPR apply.

5.7. Legal bases in other instances

Employee data

The employer may process the personal data of their employees for the purposes and within the limits defined in the Labour Code, No. 7/2019 (only available in Portuguese here) and respective supplementary legislation or in other sectorial regimes, with the specificities established in the law.

This also covers the processing carried out by subcontractors or certified accountants on behalf of the employer, for the purposes of managing labour relations, if it is carried out under a contract for the provision of services and subject to equal guarantees of confidentiality.

Unless otherwise provided by law, the worker's consent shall not constitute a legitimate requirement for the processing of their personal data, unless:

  • the processing results in a legal or economic advantage for the worker; or
  • such processing is covered by the provisions of Article 6(1)(b) of the GDPR.

Recorded images and other personal data recorded through video systems or other technological means of remote surveillance, as provided for in Article 20 of the Labour Code, may only be used in criminal proceedings.

In this scenario, the recorded images and other personal data may also be used for the purposes of ascertaining disciplinary responsibility, to the extent that they are used in criminal proceedings.

The processing of biometric data of employees is only considered legitimate for controlling attendance and for controlling access to the employer's premises; it must be ensured that only representations of the biometric data are used, and that the respective collection process does not allow for the reversibility of said data.

National implementation of Article 89 of the GDPR

The Data Protection Law establishes that the processing of personal data for scientific or historical research purposes:

  • shall respect the principle of data minimisation and shall include the anonymisation or pseudonymisation of the personal data wherever possible; and
  • does not allow the exercise of the rights of access, rectification, restriction of processing and objection, provided for in Articles 15, 16, 18, and 21 of the GDPR, as necessary, if those rights could seriously undermine or render impossible the achievement of these purposes.

In regard to the processing of personal data for scientific research purposes, the Data Protection Law establishes that the relevant consent could cover several areas of research or be given only to certain areas or projects of scientific research.

6. Principles

The provisions of the GDPR apply.

7. Controller and Processor Obligations

7.1. Data processing notification

In Portugal, there are no general national requirements that must be met to process personal data, such as the payment of a fee. Therefore, the general requirements that must be met to process personal data are the requirements contained in the GDPR and the Data Protection Law.

Prior authorisation

However, it should be noted that where video surveillance is permitted, sound capture is prohibited, except during the period in which the supervised facilities are closed or with prior authorisation from the CNPD (Article 19(4) of the Data Protection Law).

7.2. Data transfers

The provisions of the GDPR apply.

7.3. Data processing records

The provisions of the GDPR apply.

7.4. Data protection impact assessment

According to the GDPR, the controller shall consult the supervisory authority prior to processing where a DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. A single assessment may address a set of similar processing operations that present similar high risks (Article 35(1) of the GDPR).

It should be noted that the CNPD published Regulation No. 1/2018 concerning the list of processing activities subject to a DPIA, which contains a non-exhaustive list of operations for which a DPIA is required to be conducted prior to the start of the processing activities and which are the following:

  • processing of information arising from the use of electronic devices which transmit, through communication networks, personal data relating to health;
  • interconnection of personal data or processing relating to special categories of personal data or personal data relating to criminal convictions and offences or data of a highly personal nature;
  • processing of special categories of personal data or personal data relating to criminal convictions and offences or data of a highly personal nature, where such data is not collected directly from the data subject and it is not possible or feasible to ensure compliance with the GDPR's information duties;
  • processing of personal data which involves or consists of large-scale profiling;
  • processing of personal data to trace the location or conduct of the respective data subjects (e.g. workers, customers) that has the effect of evaluating or classifying them, except where the processing is indispensable for the provision of services specifically required by the data subjects;
  • processing of special categories of personal data or personal data relating to criminal convictions and offences or data of a highly personal nature for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes, except for the processing of personal data regulated by law that provides adequate guarantees of the rights of the data subjects;
  • processing of biometric data for the unambiguous identification of the data subjects when they are vulnerable persons, except for processing regulated by law that has been preceded by an impact assessment on data protection;
  • processing of genetic data of vulnerable persons, except for processing regulated by law which has been preceded by a DPIA; and
  • processing of special categories of personal data or personal data relating to criminal convictions and offences or data of a highly personal nature with the use of new technologies or new use of existing technologies.

In Portugal, there are no national activities that are always subject to prior consultation or authorisation by the CNPD. The only case in which the controller shall consult the supervisory authority prior to processing is where a DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.

Furthermore, the EDPB has published the following Opinion for Portugal:

Furthermore, the CNPD launched, on 28 January 2022, the prior consultation form, which is intended for those responsible for personal data processing and allows the sending of information for the consideration of requests for prior consultation to the CNPD, in compliance with Article 36(1) of the GDPR (only available in Portuguese here).

The CNPD has not issued a list of activities which do not require a DPIA ('Whitelist').

7.5. Data protection officer appointment

The Data Protection Law establishes that the data protection officer ('DPO') is subject to a duty of professional secrecy and has, in addition to the provisions of Articles 37 to 39 of the GDPR, the following tasks:

  • to ensure that scheduled audits and non-scheduled audits are carried out;
  • to raise user awareness of the importance of timely detection of security incidents and the need to inform the security officer immediately; and
  • to ensure relations with data subjects in matters covered by the GDPR and by the Portuguese legislation on data protection.

In addition, the Data Protection Law and the DPO Guide outline that a DPO can be appointed without requiring professional certification (Article 9(1) of the Data Protection Law).

Entities established in Portugal must inform the CNPD of the appointment, change, or termination of a DPO via the CNPD's online portal (only available in Portuguese here) (the DPO Guide).

In the case of a group of undertakings, each company within the group must individually inform the CNPD of the appointment of its DPO (the DPO Guide).

Please note that there are conflicting opinions of the Portuguese Bar Association (only available in Portuguese here and here) on the conflict of interests arising from the exercise of the DPO's function by lawyers.

7.6. Data breach notification

The Data Protection Law does not prescribe specific requirements regarding the obligation of notification in the case of a personal data breach. Therefore, the requirements that must be met in the case of a personal data breach are the requirements contained in the GDPR.

According to the GDPR, in the case of a personal data breach, the controller shall, without delay, and, if possible, no later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

The notification to the competent supervisory authority shall at least:

  • describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
  • communicate the name and contact details of the DPO, or other contact point, where more information can be obtained;
  • describe the likely consequences of the personal data breach; and
  • describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

When the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without delay. This communication must describe clearly and in plain language the nature of the personal data breach and contain, at least, the second, third, and fourth points stated above in relation to the notification to the supervisory authority.

In Portugal, notifications of personal data breaches must be made through the form available on the CNPD's website (only available in Portuguese here). This form may present some particularities. For instance, it asks whether the notifying controller has notified the data subjects before notifying the CNPD and whether there was any related cross-border processing, yet it does not ask whether there were any transfers of personal data to third countries or international organisations.

When necessary, it is possible to send additional information directly to the CNPD via email.

Specific laws, such as the one regulating the telecommunications sector (Article 3-A of Law no. 41/2004 of 18 August, only available in Portuguese here), foresee duties for the controller to notify the CNPD when a personal data breach occurs. In this particular case, when a provider of publicly available electronic communication services acknowledges a breach, it has to report it to the CNPD, and, if the personal data breach is likely to adversely affect the personal data of the subscriber or user, the provider shall also notify the same breach to the latter.

However, these laws do not provide additional requirements on the personal data breach notification obligation. Therefore, the requirements contained in the GDPR must be met in the case of a personal data breach.

7.7. Data retention

The data retention period shall correspond to the period fixed by law or regulation or, in the absence of law or regulation, to the period which is necessary for the purpose of the processing.

When, due to the nature and purpose of the processing, namely for public interest archiving purposes, scientific or historical research purposes, or statistical purposes, it is not possible to determine in advance when the processing is no longer necessary, the conservation of personal data is lawful, provided that appropriate technical and organisational measures are adopted to guarantee the rights of the data subject, namely the information about their conservation.

When the personal data is necessary for the controller or processor to prove compliance with contractual or other obligations, it may be retained until the respective statute of limitation is reached.

When the purpose that motivated the initial or subsequent processing of personal data ceases, the controller shall proceed to destroy or anonymise such data.

Data regarding contributory declarations for the purposes of retirement may be retained without any retention period to assist the data subject in reconstituting contribution careers, provided that adequate technical and organisational measures are adopted to guarantee the data subject's rights.

7.8. Children's data

Regarding the age necessary to give consent, it should be noted that the Portuguese Civil Code, Decree-Law No. 47344, Official Gazette No. 274/1966 (only available in Portuguese here) ('the Civil Code'), establishes the general rule according to which minors do not generally have the capacity to exercise their rights (a minor is someone who has not yet reached the age of 18). Such lack of capacity is overcome by parental responsibility, which means that it is generally the parents who have the legitimacy to give consent to the processing of the personal data of the minor.

However, the Data Protection Law establishes that in relation to the offer of information society services directly to a child, the processing of the personal data of a child based on consent shall be lawful if the child is at least 13 years old. If the child is below the age of 13 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of the parental responsibilities over the child.

Additionally, it should be noted that the necessity of the parents' consent should be evaluated on a case-by-case basis since the Civil Code foresees three cases in which minors' acts are valid without such consent (e.g. typical legal transactions of the minor's everyday life that involve only expenses or disposals of assets of minor importance).

7.9. Special categories of personal data

The Data Protection Law does not establish additional requirements regarding the processing of data relating to criminal convictions and offences. Therefore, the requirements that must be met to process data relating to criminal convictions and offences are the requirements contained in the GDPR.

With respect to special categories of personal data, the Data Protection Law establishes that the processing of data concerning health or genetic data:

  • should be governed by the principle of the need to know of the information;
  • when performed under Article 9(2)(h) or 9(2)(i) of the GDPR, should be carried out by a professional bound by a duty of secrecy or by another person subject to a duty of confidentiality; and
  • must be carried out in a way that ensures that access to this type of personal data is done by electronic means only, unless there is a technical impossibility, or the data subject has expressly indicated otherwise.

It should be noted that, according to the Data Protection Law, the data subjects must be notified of any access to their data concerning health or genetic data, and the controller must ensure that this traceability and notification mechanism is made available.

Given how broadly the duty to notify is established, there are relevant practical difficulties associated with the processing of personal health data in the context of health services which will need to be addressed in future case law.

The Data Protection Law does not establish additional requirements regarding the processing of other special categories of personal data. Therefore, the requirements that must be met to process other special categories of personal data are the requirements contained in the GDPR.

It is worth mentioning that before the GDPR came into force on 25 May 2018, the CNPD had issued some deliberations and guidelines regarding the processing of special categories of personal data in specific contexts.

It should be noted that Law No. 32/2008 of 17 July (only available in Portuguese here) that transposed the Directive 2006/24/EC of 15 March 2006 on the Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks and Amending Directive 2002/58/EC establishes rules on the retention of data generated or processed in connection with the provision of publicly available electronic communication services or of public communications networks, in order to ensure that the data is available for the purpose of the investigation, detection, and prosecution of serious crimes.

7.10. Controller and processor contracts

The provisions of the GDPR apply.

8. Data Subject Rights

8.1. Right to be informed

According to the GDPR, the controller shall, at the time when the personal data is obtained, provide the data subject with the following information:

  • the identity and the contact details of the controller;
  • the contact details of the DPO, where applicable;
  • the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  • where the processing is based on legitimate interests pursued by the controller or by a third party, the concrete legitimate interests on which the processing is based;
  • the recipients or categories of recipients of the personal data (if any);
  • where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the European Commission (where there is no adequacy decision by the European Commission, the controller should mention the appropriate or suitable safeguards adopted and the means by which the data subject can obtain a copy of them or where they have been made available);
  • the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller access to and rectification of personal data, erasure of personal data, restriction of processing concerning the data subject, or to object to processing, as well as the right to data portability;
  • where the processing is based on the consent of the data subject, the existence of the right to withdraw consent at any time;
  • the right to lodge a complaint with a supervisory authority;
  • the existence of automated decision-making and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject; and
  • whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data.

Where personal data has not been obtained from the data subject, the controller shall provide the data subject with such information and with the following additional information:

  • the categories of personal data concerned; and
  • from which source the personal data originates and, if applicable, whether it came from publicly accessible sources.

In this case the controller shall provide the aforementioned information:

  • within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data is processed;
  • if the personal data is to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
  • if a disclosure to another recipient is envisaged, at the latest when the personal data is first disclosed.

It should be noted that the controller does not have to provide the information referenced above when the controller did not obtain the personal data from the data subject and when:

  • the data subject already has the information;
  • the provision of such information proves impossible or would involve a disproportionate effort (in such cases the controller shall take appropriate measures to protect the data subject's rights, liberties, and legitimate interests, including making the information publicly available);
  • obtaining or disclosure is expressly laid down by EU or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; or
  • the personal data must remain confidential subject to an obligation of professional secrecy regulated by EU or Member State law, including a statutory obligation of secrecy.

The Data Protection Law establishes the following additional requirement regarding the right to information to be provided to the data subject, namely the right of information cannot be exercised when the law imposes on the controller or processor a duty of secrecy that is enforceable against the data subject.

8.2. Right to access

The Data Protection Law establishes the following additional requirement regarding the right to access, namely the right to access cannot be exercised when the law imposes on the controller or processor a duty of secrecy that is enforceable against the data subject.

8.3. Right to rectification

The provisions of the GDPR apply.

8.4. Right to erasure

According to the GDPR, the data subject has the right to obtain from the controller the erasure of personal data concerning them without undue delay and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies:

  • the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
  • the data subject withdraws the consent on which the processing is based and there is no other legal ground for the processing;
  • the data subject objects to the processing of personal data concerning them and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing of their personal data for direct marketing purposes;
  • the personal data has been unlawfully processed;
  • the personal data must be erased for compliance with a legal obligation in EU or Member State law to which the controller is subject; or
  • the personal data has been collected in relation to the offer of social services.

The right of erasure does not apply where the processing of personal data is necessary for the following purposes:

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires processing by EU or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • for reasons of public interest in the area of public health;
  • for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes insofar as the right of erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  • for the establishment, exercise, or defence of legal claims.

The Data Protection Law establishes the following additional requirement regarding the right to erasure, namely where there is a retention period imposed by law, the right to erasure can only be exercised when that retention period expires.

8.5. Right to object/opt-out

The provisions of the GDPR apply.

8.6. Right to data portability

According to the GDPR, the data subject has the right to receive personal data concerning them, which they have provided to the controller, in a structured, commonly used, and machine-readable format.

The data subject also has the right to transmit the personal data concerning them to another controller without hindrance from the controller to which the personal data has been provided, where:

  • the processing is based on consent or on a contract to which the data subject is a party; and
  • the processing is carried out by automated means.

In this case, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.

The Data Protection Law establishes the following additional requirements regarding the right to data portability, namely this right concerns only the personal data provided by the data subject and the portability of the personal data should be, where possible, carried out in an open format.

8.7. Right not to be subject to automated decision-making

The GDPR stipulates that data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. However, the GDPR establishes three exceptions to this rule, allowing controllers to carry out profiling and automated decision-making that have a legal effect or significantly affect the data subjects in the following cases:

  • where it is necessary for entering into, or performance of, a contract between the data subject and a controller;
  • where it is authorised by EU or Member State law to which the controller is subject, and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
  • where it is based on the data subject's explicit consent.

It should be noted that if one of these exceptions applies, the controller shall adopt measures to safeguard the data subject's legitimate interests, rights, and freedoms and must provide meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subjects.

The Data Protection Law does not include specific rules on automated individual decision-making, including profiling.

8.8. Other rights

According to the GDPR, the data subject has the right to obtain from the controller the restriction of processing where one of the following applies:

  • the accuracy of the personal data is contested by the data subject for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise, or defence of legal claims; or
  • the data subject has objected to the processing of the personal data, pending verification of whether legitimate grounds of the controller override those of the data subject.

The Data Protection Law does not establish additional requirements regarding the right to the restriction of the processing.

9. Penalties

The GDPR administrative fines may be up to €20 million or up to 4% of the total worldwide annual turnover of the preceding year (whichever is higher).

The Data Protection Law establishes different administrative fines, considering the nature of the data controller or processor (large enterprise, small and medium-sized enterprise, or natural person).

It should be noted that there are doubts on whether the framework of the administrative offence established in the Data Protection Law is compliant with the GDPR and with the Constitution.

Under the Data Protection Law, a breach of certain rules and principles regarding data protection may lead to criminal liability:

  • any natural or legal person who uses personal data in a way that is incompatible with the purpose of the collection shall be liable to up to one year's imprisonment or a fine;
  • any natural or legal person who, without due authorisation or justification, accesses, by any means, personal data, shall be liable to up to one year's imprisonment or a fine;
  • any natural or legal person who copies, subtracts, relinquishes, or transfers personal data, whether for a consideration or free of charge, without legal provision or consent, regardless of the purpose pursued, shall be liable to up to one year's imprisonment or a fine;
  • any natural or legal person who, without due authorisation, erases, destroys, damages, conceals, suppresses, or modifies personal data, making it unusable or affecting its potential for use, shall be liable to up to two years' imprisonment or a fine;
  • any natural or legal person who inserts or facilitates the insertion of false personal data, with the intention of obtaining an undue advantage for oneself or for others, or to cause harm, shall be liable to up to two years' imprisonment or a fine;
  • any natural or legal person, bound by professional secrecy under the law, who without just cause and without due consent reveals or discloses personal data, totally or in part, shall be liable to up to one year's imprisonment or a fine; and
  • any natural or legal person who does not comply with the obligations set forth in the GDPR and in the Data Protection Law, after the period prescribed by the CNPD for that purpose has been exceeded, shall be liable to up to one year's imprisonment or a fine.

Furthermore, it is worth mentioning that Portugal's administrative offence procedure is split into two phases:

  • an administrative phase, where the supervisory authority investigates the relevant facts and ultimately decides whether or not to impose a penalty; and
  • a judicial phase, where the respondent may challenge the supervisory authority's decision in court.

The Administrative Procedure Act No. 4/2015 of 11 July (only available in Portuguese here) establishes that no penalty may be imposed without the defendant first having been heard regarding all the facts under investigation.

If, after hearing the defendant, the supervisory authority decides to impose a penalty, this decision may be challenged in court.

Defendants in an administrative offence procedure enjoy most due process rights granted in criminal procedure law, namely the presumption of innocence, the right to produce and present evidence, and the right to appeal against unfavourable decisions. However, in these procedures, the privilege against self-incrimination may be mitigated, since controllers and processors are obliged to cooperate with the CNPD, namely by supplying the authority with the documents required and the information requested in the investigation stage of the procedure.

9.1 Enforcement decisions

On 27 April 2021, under Article 58(2)(j) of the GDPR, the CNPD ordered the Portuguese National Institute for Statistics ('INE'), the public institute for all the official statistics in Portugal, to stop international transfers of personal data collected in the 2021 national census to the U.S. You can read the decision (only available in Portuguese here).

Allegedly, the personal data that was being collected by INE in the 2021 national census was being transferred by INE's processor to servers located in the U.S. Following the Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ruling from the Court of Justice of the European Union ('CJEU'), the CNPD considered that the Standard Contractual Clauses ('SCCs') included in the data processing agreement signed between INE and its processor were not a valid ground for international transfer.

On 21 December 2021, under Articles 5(1)(a), (c), and (e), 6, 9, 13, and 35(3)(b) of the GDPR, the CNPD imposed a fine of €1.25 million on the Lisbon Municipality for the commission of 225 infringements (decision only available in Portuguese here).

At issue was the communication of personal data of demonstration promoters to third parties and municipality services. The CNPD considered that the spread of personal data of demonstration promoters to various national and foreign entities illegally promotes the profiling of data subjects based on their ideas, opinions or beliefs, and that the subsequent use of that data is completely beyond the control of the controller. The CNPD also concluded that there were other breaches of the GDPR, in particular, the failure to provide information to promoters on the processing of their personal data.