
Portugal: Data Protection in the Financial Sector


1. INTRODUCTION

The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') is the key legal instrument governing data protection in Portugal. It has been supplemented in the Portuguese legal system by Law no. 58/2019, of 8 August 2019, which ensures the implementation of the GDPR (only available in Portuguese here) ('the GDPR Implementation Law'). Both the GDPR and the GDPR Implementation Law are fully applicable in Portugal.

The pillars of financial legislation, by sector, are as follows:

Besides the abovementioned legislation, the GDPR, and the GDPR Implementation Law, any EU regulations containing regulatory rules for financial enterprises in Portugal are directly applicable. Such regulations include various obligations for financial enterprises that may result in, or have an impact on, their processing activities (e.g. requiring financial enterprises to collect certain personal data of their customers).

In short, in Portugal there is no specific legal framework exclusively applicable to the financial sector. There are, however, legal provisions in the abovementioned laws that complement or introduce specificities in relation to general legislation. Data processing in the financial sector is guided, with no major exceptions, by the GDPR, the GDPR Implementation Law, the sectoral laws that include data protection provisions, as well as the regulatory standards issued by the Portuguese regulatory authorities (e.g. the Bank of Portugal ('BDP'), the Securities Market Commission ('CMVM'), and the Insurance and Pension Funds Supervisory Authority ('ASF')).

1.1. Legislation

The following EU legislation, among others, is applicable:

The European Data Protection Board ('EDPB') has issued the following relevant Opinion:

The Article 29 Working Party ('WP29') has issued the following relevant guidance:

The European Banking Authority ('EBA') has issued, among others, the following relevant guidance:

Portuguese legislation

The financial sector in Portugal is mainly regulated in a tripartite manner according to the above-mentioned legal regimes in the banking, capital market, and insurance sectors. These legal regimes regulate, among other issues, market entry, the integrity of business operations, and internal procedures for financial enterprises. This legislation is largely based on European instruments on the subject.

Where implementation of such European legislation is necessary, it is almost always incorporated in the General Regime for Credit Institutions and Financial Companies ('RGICSF'). Since 1992, the RGICSF has been the basic regulatory regime for banking activity in Portugal. However, continuous and consecutive amendments, often prompted by the implementation of European directives, have made the RGICSF increasingly difficult to read and apply.

In this sense, the preliminary draft of the Banking Code (only available in Portuguese here), which will fully replace the RGICSF, is under review. Several amendments are expected; however, they cannot yet be specified. Nevertheless, it is important to note that the draft has eight provisions on data protection, most of which are connected with references to provisions already foreseen in the GDPR.

In this context, due to their importance, we mention the following legal texts:

  • Law no. 83/2017, of 18 August, establishing measures to combat money laundering and terrorist financing and partially transposing Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 (the Fourth AML Directive) and Council Directive (EU) 2016/2258 of 6 December 2016 (only available in Portuguese here) ('the AML/CFT Law'). It imposes on banks, insurance companies, credit card companies, notaries, casinos, and other designated entities an obligation to assess, manage, and report the risks related to these criminal activities.

The implementation of the AML/CFT legislation, both nationally and at a European level, does not conflict in any way with the obligations arising from the GDPR.

In 2020, Law no. 58/2020 (only available in Portuguese here) ('Law 58/2020') was approved, transposing the Fifth AML Directive (Directive (EU) 2018/843) on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending the AML/CFT Law. Among the amendments introduced are measures aimed at countering the risks associated with virtual currencies, enhanced due diligence measures for certain entities (particularly when doing business with high-risk third countries), and restrictions on the acceptance of payments made with anonymous prepaid cards.

Furthermore, the legislative amendments are intended to strengthen cooperation at a national and international level, in particular, by enabling sectoral authorities and professional associations to cooperate, within the scope of their powers, with counterpart authorities in other Member States that are on the public registers maintained by the European Commission.

Law 58/2020 also aims to increase transparency with regard to the identification of the beneficial owner. In fact, the data and information obtained about beneficial owners must now be registered, along with the process carried out to this end, to include any problems detected.

  • Decree-Law no. 91/2018, of 12 November, regulating access to the business of payment institutions and the provision of payment services, as well as access to the business of e-money institutions and the provision of e-money issuing services (only available in Portuguese here) ('Decree-Law 91/2018').
  • Law no. 78/2021, of 24 November, establishes the legal framework for preventing and combating unauthorised financial activity and protecting consumers (only available in Portuguese here) ('Law 78/2021').

In this context, any person who becomes aware of the advertising, offering, provision, marketing, or distribution of financial products, goods, or services by a person or entity that is not legally qualified to do so, or that does not act on behalf of a qualified person or entity, must refrain from disseminating, by any means, advising on, or recommending the products, goods, or services in question. In addition, that person must immediately report the facts to the Insurance and Pension Funds Supervisory Authority, the Bank of Portugal, or the Portuguese Securities Market Commission, depending on the nature of the unauthorised activity.

  • Decree-Law no. 12/2021, of 09 February, ensuring the implementation in the internal legal order of Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market (available in Portuguese here) ('Decree-Law 12/2021').

1.2. Supervisory authorities

The GDPR requires every Member State to establish one or more independent supervisory authorities (Article 51 of the GDPR). In addition, the GDPR provides for a system of cooperation and consistency among the Member States' supervisory authorities in order to ensure consistent application of the GDPR throughout the EU.

In Portugal, the data protection supervisory authority is the Portuguese data protection authority ('CNPD'). The CNPD is charged with the following tasks (Article 57 of the GDPR and Article 6(1) of the GDPR Implementation Law):

  • giving its views, on a non-binding basis, on legislative and regulatory measures relating to the protection of personal data, and on legal instruments in preparation in European or international institutions relating to the same subject;
  • monitoring compliance with the provisions of the GDPR and other legal and regulatory provisions on the protection of personal data;
  • establishing the list of processing operations subject to a Data Protection Impact Assessment ('DPIA') under Article 35 of the GDPR;
  • drawing up and submitting to the European Data Protection Board, as foreseen in the GDPR, draft criteria for the accreditation of code of conduct monitoring bodies and certification bodies; and
  • cooperating with the Portuguese Accreditation Institute ('IPAC') in relation to accreditation and certification matters, as well as in the definition of additional accreditation requirements, in order to ensure the application of the GDPR.

The CNPD, as a competent public body, is vested with the powers it needs to carry out its mission. Among those that deserve special mention are the powers to (Article 58 of the GDPR and Article 6(2) of the GDPR Implementation Law):

  • carry out investigations in the form of data protection audits;
  • notify the controller or the processor of an alleged infringement of the GDPR or the GDPR Implementation Law;
  • order the controller and processor, and, where applicable, the controller's or the processor's representative to provide any information it requires for the performance of its tasks; and
  • obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with European Union or Member State procedural law.

The CMVM

Under the Securities Market Code, the CMVM is designated as the financial supervisory authority.

Its mission is to supervise and regulate the markets of financial instruments, as well as the agents that act in them, promoting the protection of investors.

These are, among others, the CMVM's duties:

  • sanctioning infringements of the Securities Market Code and complementary legislation;
  • ensuring the stability of financial markets by contributing to the identification and prevention of systemic risk;
  • contributing to the development of markets for financial instruments;
  • providing information to, and handling complaints from, non-qualified (retail) investors; and
  • mediating conflicts between entities subject to its supervision and between them and investors.

Within its supervisory remit, the CMVM also deals with data protection issues specific to the securities sector, such as the following:

  • financial brokers shall communicate to the issuer, at its request, the relevant categories of their clients;
  • records collated by the CMVM may be integrated and processed in computer applications, under the terms and within the limits of the law on personal data protection; and
  • companies with shares admitted to trading on a regulated market have the right to request from the entity managing the centralised securities system information on the identity of their shareholders and the number of shares held by each of them. The processing of shareholders' personal data by listed companies for this purpose has its legal basis in the Securities Market Code, as a legal obligation or permission recognised under the GDPR, rather than in the shareholders' consent. The rationale is to enable shareholders to exercise their rights and become more engaged in the company.

The BDP

The BDP supervises the financial system as a whole and ensures financial stability. The BDP is responsible for the prudential supervision of credit institutions and financial companies. The BDP issues euro banknotes and puts them into circulation, although the European Central Bank ('ECB') has the exclusive right to authorise their issue. It is also responsible for regulating, supervising, and promoting the good functioning of payment systems, managing the country's external assets, and acting as an intermediary in the Member State's international monetary relations, as well as advising the Member State's Government on economic and financial matters. The BDP is responsible for the collection and compilation of monetary, financial, exchange, and balance of payments statistics.

Its functions are defined in its Organic Law, Law no. 5/98, of 31 January ('the BDP Law'). The tasks of this regulator, in accordance with the above-mentioned functions, are described in Article 12 of the BDP Law.

The BDP and the CMVM have complementary roles. While the CMVM focuses on the supervision of markets and of the entities acting in them, the BDP is dedicated to prudential supervision.

The same reasoning applies to the BDP, which may address data protection issues specific to the banking sector. In particular:

  • The BDP may exchange information subject to a duty of secrecy, including information relating to recovery plans, with authorities in third countries. When the information exchanged involves personal data, the transmission of such data to authorities in third countries and the processing thereof shall be subject to the rules of the European Union as well as to the applicable national data protection law.
  • Anyone who has information indicating serious wrongdoing should report it. To this end, the RGICSF requires that the personal data of the whistleblower and of the suspected offender be protected under banking laws and regulations.

The ECB

Prudential supervision of banks is also conducted by the ECB, which directly supervises the largest Portuguese banks and works together with the BDP in doing so. The ECB also defines and implements European monetary policy, conducts foreign exchange operations, and promotes the smooth operation of payment systems.

2. PERSONAL AND FINANCIAL DATA MANAGEMENT

2.1. Legal basis for processing

According to the GDPR, personal data must be processed in accordance with the principles of fairness, lawfulness and transparency (Article 5(1)(a) of the GDPR). In addition, processing shall only be lawful if (Article 6(1) of the GDPR):

  • the data subject has given consent to the processing for one or more specific purpose;
  • the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of a data subject prior to entering a contract;
  • the processing is necessary for the compliance with a legal obligation to which the controller is subject;
  • the processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

Moreover, within the category of personal data, a more restricted core of data known as special categories of personal data (sensitive data) stands out. According to Article 9(1) of the GDPR, the processing of these data is prohibited, subject to the exceptions listed in Article 9(2). The financial sector, and the insurance sector in particular, may have a particular need for sensitive data such as genetic data, health data, or trade union membership.

According to Article 46 of the GDPR Implementation Law, anyone who uses personal data in a way incompatible with the purpose for which it was collected shall be punished by imprisonment of up to one year or a fine of up to 120 days. The limits of the penalty are doubled for personal data referred to in Articles 9 and 10 of the GDPR, that is, special categories of data and data relating to criminal convictions and offences. This sanction stems from the requirement that Member States ensure the GDPR is effectively enforced (see Recital 129 of the GDPR, in particular where it states that each supervisory authority must have the necessary corrective and sanctioning powers). The GDPR Implementation Law thus supplements the administrative fines of Article 83 of the GDPR with criminal offences (Articles 46 et seq.); Portugal is one of the few Member States, Denmark and Estonia being other examples, whose national law departs from a purely administrative sanctioning model.

Decree-Law 95/2006 of 29 May (only available in Portuguese here) ('Decree-Law 95/2006'), which governs the distance marketing of consumer financial services, requires the consumer's prior consent for unsolicited communications made by automated calling systems or fax, while communications by other means allowing individual contact are permitted if the consumer has not objected to them. In short, the financial service provider must be able to demonstrate that the consumer has consented to, or at least not objected to, the contact and the associated collection of data. The GDPR applies alongside these rules in everything they do not specifically regulate.

2.2. Privacy notices and policies

Pursuant to Article 5(1)(a) of the GDPR and the principle of transparency, concerned data subjects must be provided with certain information (typically referred to as a privacy notice or privacy policy). According to Articles 13 and 14 of the GDPR, such information must include, for example, the controller's identity and the contact details of the controller, the categories of personal data processed and the purposes of the processing, the recipients of the data, retention periods, and information concerning the existence of the data subject's rights.

There are no specific requirements for financial enterprises to provide customers with notice of the institution's privacy policies and practices. However, the general information obligations under the GDPR apply.

2.3. Data security and risk management

Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risk to the rights and freedoms of natural persons, data controllers and processors in the financial sector must implement technical and organisational measures to ensure a level of security appropriate to the risk (Article 32 of the GDPR).

To this end, they must adopt a risk management policy that includes, as appropriate, the pseudonymisation and encryption of personal data; the ability to ensure the continued confidentiality, integrity, availability, and resilience of processing systems and services; the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing, and evaluating the effectiveness of the technical and organisational measures adopted to ensure the security of the processing.
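As an added illustration of the pseudonymisation measure named above (this is example code, not part of the original article or of any Portuguese regulator's guidance), the following shows why unkeyed hashing of customer identifiers is not adequate pseudonymisation, and how keyed pseudonymisation with a separately held re-identification table satisfies the GDPR's definition that the additional information is kept apart. The sample record, field names, purpose labels, and keys are constructed assumptions for illustration only.

```python
"""Keyed pseudonymisation of customer identifiers (added example, not from the
article). The record layout, field names and keys are constructed assumptions."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Optional

# Constructed sample customer record; not real data.
SAMPLE_RECORD = {
    "customer_id": "C-000123",
    "tax_number": "123456789",
    "balance_eur": 1500.0,
    "risk_class": "standard",
}


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of an identifier: NOT adequate pseudonymisation.
    Tax numbers and account IDs live in a small, enumerable space, so anyone
    can rebuild the mapping offline by hashing every candidate value."""
    return hashlib.sha256(identifier.encode()).hexdigest()


@dataclass
class PseudonymisationService:
    """HMAC-SHA256 pseudonymisation under a secret key and a purpose label,
    with a re-identification table that must be held separately from the
    pseudonymised data set (the 'additional information' of GDPR Art. 4(5))."""
    key: bytes            # in production: held in a KMS/HSM, not beside the data
    purpose: str          # domain separation between processing purposes
    _lookup: Dict[str, str] = field(default_factory=dict, repr=False)

    def pseudonymise(self, identifier: str) -> str:
        # Same identifier, different purpose -> different pseudonym, so data
        # sets pseudonymised for different purposes cannot be joined.
        msg = f"{self.purpose}\x00{identifier}".encode()
        pseudonym = hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:32]
        self._lookup[pseudonym] = identifier
        return pseudonym

    def reidentify(self, pseudonym: str) -> Optional[str]:
        """Only the holder of the lookup table can reverse a pseudonym."""
        return self._lookup.get(pseudonym)


def pseudonymise_record(svc: PseudonymisationService, record: dict,
                        direct_identifiers: Iterable[str] = ("customer_id", "tax_number")) -> dict:
    """Copy the record, replacing direct identifiers with pseudonyms and keeping
    the analytical attributes (balance, risk class) intact."""
    out = dict(record)
    for name in direct_identifiers:
        if name in out:
            out[name] = svc.pseudonymise(str(out[name]))
    return out


def brute_force(target: str, candidates: Iterable[str],
                fn: Callable[[str], str]) -> Optional[str]:
    """Attacker model: run every plausible identifier through fn and compare.
    Recovers the input of naive_hash; fails against HMAC without the key."""
    for cand in candidates:
        if hmac.compare_digest(fn(cand), target):
            return cand
    return None


if __name__ == "__main__":
    svc = PseudonymisationService(key=b"\x01" * 32, purpose="aml-screening")  # placeholder key
    record = pseudonymise_record(svc, SAMPLE_RECORD)
    candidates = [f"{n:09d}" for n in range(123456000, 123457000)]
    print("pseudonymised record:", record)
    print("naive hash reversed by enumeration:",
          brute_force(naive_hash("123456789"), candidates, naive_hash))
    attacker = PseudonymisationService(key=b"\x02" * 32, purpose="aml-screening")
    print("keyed pseudonym reversed without key:",
          brute_force(record["tax_number"], candidates, attacker.pseudonymise))
    print("controller re-identification:", svc.reidentify(record["tax_number"]))
```

The design choices map onto the Article 32 wording: the key and the lookup table are the controls whose confidentiality keeps the data pseudonymised, so they belong in a separate, access-controlled store with their own logging and rotation; the purpose label prevents an analytics extract prepared for one purpose from being linked against one prepared for another; and the brute-force function is the test a practitioner should run against any proposed scheme before calling it pseudonymisation.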

Where a financial institution has carried out customer screening pursuant to the AML/CFT Law, it must keep the resulting data in systems equipped with secure channels that guarantee the confidentiality of the requests made in the course of that screening (Article 51 of the AML/CFT Law). There are no further sector-specific requirements in relation to data security and risk management in the financial sector.

Financial companies will in practice have to appoint a data protection officer ('DPO'), since their core activities typically involve regular and systematic monitoring of data subjects on a large scale (Article 37 of the GDPR). The DPO is a person designated by the organisation whose duties include informing and advising the company on data protection compliance and advising on DPIAs. He or she must also train the company's staff on these issues and regularly audit compliance with the applicable legislation.

2.4. Data retention/record keeping

Personal data must not be retained in a form which permits the identification of the data subject for longer than what is necessary (Article 5(1)(e) of the GDPR). The period for which the personal data is stored should be limited to a minimum and time limits should be established by the controller for erasure or a periodic review (Recital 39 of the GDPR).

The GDPR does not set a specific retention period for the financial sector. Financial firms must therefore retain data in accordance with a comprehensive set of retention obligations imposed by different legal provisions. Among the most important are the following:

  • Article 40 of the Portuguese Commercial Code (only available in Portuguese here): Every merchant is obliged to archive correspondence issued and received, his business records, and related documents, and must keep everything for a period of ten years. These documents may be filed using electronic means;
  • Articles 19 (1) and (2) of Decree Law no. 28/2019, dated February 15 (only available in Portuguese here): Taxable persons shall be required to keep and preserve in good order all books, records, and supporting documents for a period of ten years, if no other period is laid down in a special provision; and
  • Article 90-A of the RGICSF: Credit institutions shall register and store communications they establish with customers to sign contracts, preserving them for a period of five years, and the BDP may establish, by means of a notice, that they are kept for a longer period and up to seven years.

In addition, there may be reasons to retain personal financial data even longer. This may be due to an investigation or pending court case, a claim pending, or for security reasons. It can also be done by regulatory rule when the law allows it.

3. FINANCIAL REPORTING AND MONEY LAUNDERING

On this subject, Portugal has accompanied European legislative initiatives, namely with the partial transposition of the Fourth AML Directive and Directive 2016/2258/EU of the Council of 6 December 2016 through the AML/CFT Law. This law is applicable to financial entities by indication of Article 3. According to Article 58 of the AML/CFT Law, financial entities are allowed and obliged to process, among others, the following categories of personal data:

  • client identification;
  • natural persons: among others, photograph, full name, signature, date of birth, nationality, profession, civil and tax residence, and civil identification;
  • legal persons: among others, name, object, full address of the registered office, identification number of the legal person, identification of holders of a percentage of the share capital equal to or greater than 5%, identification of board members, and Economic Activities Classification Code ('CAE');
  • elements characterising the activities pursued;
  • details of the political or public offices that are or have already been held;
  • relative and affinity elements, as well as relevant corporate, commercial, professional, or social relationships;
  • financial and banking data: among others, creditworthiness and solvency of their holders, information about the purpose and nature of the business relationship;
  • information on suspected criminal offences; and
  • information on suspicious transaction reports.

These entities must adopt the security measures necessary to ensure the effective protection of the information and personal data concerned. In addition, customers must be given a general notice of the legal obligations of entities required to process personal data for the purpose of preventing money laundering and terrorist financing.

The above-mentioned Portuguese law on financial reporting and money laundering also allows for communication, transmission, and interconnection of data. They may, inter alia, be reported to or transferred to the Criminal Action Department of the Public Prosecution Service, Tax Authority, and other judicial, police, and sectoral authorities, as well as between financial entities that have or do not have a group relationship.

It should not be forgotten that these financial institutions must still comply with GDPR standards.

For the purposes of the AML/CFT Law, financial entities shall mean, among other things, credit institutions, payment institutions, electronic money institutions, investment firms and other financial companies, and venture capital companies.

Law 58/2020 introduced important new provisions, already detailed in a previous point. In this regard, it is also important to report that the present law extends the subjective scope of the AML/CFT Law, adding new categories to the range of entities required to comply with the regulations contained in this legal regime. Thus, new financial entities, as well as non-financial and similar entities, are included, namely:

  • the securities investment companies to promote the economy;
  • managers of qualified venture capital funds;
  • qualified social entrepreneurship fund managers;
  • self-managed long-term investment funds of the European Union under the designation 'ELTIF';
  • Real Estate Investment and Management Companies ('SIGI'); or
  • entities that carry out any activity involving virtual assets.

4. BANKING SECRECY AND CONFIDENTIALITY

Portuguese law contains a general principle of banking secrecy. All customer data must be treated as confidential by banks. Breaches of these provisions can lead to civil liability in contract or tort law. According to Article 78 of the RGICSF, members of the administrative or supervisory bodies of credit institutions, their employees, agents, commissioners, and other persons who render services to them on a permanent or occasional basis shall not disclose or use information concerning facts or elements relating to the life of the institution or its relations with its customers, which come to their knowledge exclusively through the performance of their duties or the provision of its services.

However, there may also be exceptions to the principle that data must be kept secret. A bank is entitled to disclose data to third parties when statutorily obliged. The breach of confidentiality is exceptional in nature and only applies in relation to, among others, the BDP, the CMVM, the ASF, the Deposit Guarantee Fund, Investor Compensation Scheme, Resolution Fund, judicial authorities in the context of criminal proceedings, and tax authorities.

As for the BDP, Article 81-A of the RGICSF provides for the circumstances in which this regulator may share the information stored in its database, on bank accounts domiciled in Portugal, with other public entities.

In its relationship with other countries, Portugal provides in its legislation that it will only exchange data with foreign regulators that offer guarantees of confidentiality.

5. INSURANCE

The GDPR applies in full to the processing of data in the insurance industry and in accordance with the Insurance Law.

The ASF must ensure the existence of specific procedures for receiving and analysing reports, as well as the protection of the personal data of the whistleblower and of the suspected offender.

The regulator also imposes, within the scope of insurance distribution, that insurance, reinsurance, or ancillary insurance intermediaries must have a handling policy, whose operating principles are set out in a written document that guarantees fair treatment of customers and the proper handling of their personal data and complaints. Failure to comply with this policy is punishable with a serious administrative offence, punishable by a fine of between €1,000 and €500,000, or between €3,000 and €2.5 million, depending on whether it is applied to a natural person or a legal entity.

In parallel, the disclosure of untrue or inaccurate data regarding insurance companies, insurance intermediaries, ancillary insurance, or policyholders is also a serious administrative offence, punishable by a fine of between €1,000 and €500,000 or of €3,000 and €2.5 million, depending on whether it is applied to a natural or a legal person.

6. PAYMENT SERVICES

As of November 2018, PSD2 is implemented in Portugal, which modernises the rules on payment services by enhancing consumer rights, introducing new security requirements, and by applying the rules for payment initiation services and account information services. It was implemented namely through Decree-Law 91/2018, of 12 November.

According to Article 13(2)(a) of Decree-Law 91/2018, payment institutions and electronic money institutions are authorised to store and process data within the scope of their current activity.

For these institutions to be authorised to operate in Portugal, they must submit to the BDP a description of the procedure created to classify, verify, track, and restrict access to sensitive payment data.

In this context, they should also make available to the regulator a document on their security policy, which includes the policy for managing the misuse of sensitive and personal data. This document should indicate how these standards ensure a high level of technical security and data protection.

Under PSD2, account servicing payment service providers must grant other payment service providers (payment initiation and account information service providers) access to a customer's payment account where the customer has given his or her explicit consent. Such explicit consent should, under PSD2, be interpreted in the sense that, when entering into a contract with a payment service provider, customers must be made fully aware of the purposes for which their personal data will be processed and must explicitly agree to the relevant clauses. These clauses should be clearly distinguishable from the other matters dealt with in the contract and must be explicitly accepted by the data subject.

In addition to PSD2, the GDPR applies in full to payment service providers.

7. DATA TRANSFERS AND OUTSOURCING

See Chapter V of the GDPR for the general requirements regarding transfers of personal data to third countries or international organisations.

Portuguese legislation does not foresee any sector specific requirements in relation to the transfer of financial personal data by financial enterprises, the use of such data by third parties, or cloud computing.

When transferring personal data to third countries, the implementing decision (EU) 2021/914 of the European Commission on standard contractual clauses for the transfer of personal data to third countries under Regulation (EU) 2016/679 should be considered.

8. BREACH NOTIFICATION

As a general rule, it is mandatory for a data controller to notify the competent supervisory authority of any suffered personal data breach (Article 33(1) of the GDPR). For further information on general data breach requirements, see EU – GDPR – Data Breach.

Pursuant to these requirements, financial enterprises must report a personal data breach to the CNPD unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects. Where the breach concerns financial data, which may be considered particularly sensitive, the risk to data subjects will often be high. The notification must be made without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach.

There are additional sector-specific requirements for financial enterprises to notify regulators, clients, or consumers of a data breach. Article 71 of Decree-Law 91/2018 imposes a notification obligation on payment service providers in the event of an incident; this covers IT incidents, including those that also constitute a personal data breach. Financial enterprises may therefore be required to inform the BDP and/or the CMVM of a data breach in addition to the CNPD.

With regard to the notification of security incidents, Decree-Law 91/2018, which establishes the legal framework applicable to payment service providers that issue electronic money, provides that any payment service provider shall report a security incident to the BDP without undue delay. Where the security incident is classified as severe in accordance with Instruction no. 01/2019 of the BDP (only available in Portuguese here), the payment service provider shall comply with the additional rules foreseen in that instruction.

Without prejudice to the above, where the security incident involves a personal data breach, the security incident shall also be reported to the CNPD. Failure to report or late reporting may result in penalties, as discussed below.

9. FINTECH

At the EU level, there is currently no harmonised framework for FinTech regulation. In March 2018 the European Commission adopted an action plan on FinTech, in addition to publishing discussion papers on the same. Further to this, in September 2020 the European Commission followed up with a 2020 action plan on FinTech, including a strategy on an integrated EU payments market. The plan and strategy were included in the European Commission's digital finance package. Moreover, many EU financial regulators have signalled support for the development of a more comprehensive regulatory FinTech framework.

In Portugal, there is no special, stand-alone body of standards for FinTech. Thus, FinTech companies will be subject to the above rules depending on whether they involve banking FinTech, insurance FinTech, or FinTech engaged in activities regulated by the CMVM. There is no regulatory initiative in the Portuguese legal system to exempt FinTech companies from the rules applicable to them under the financial legislation discussed above.

The development of local regulatory initiatives is, moreover, something that the European Union wants to address, as the European digital financial market is fragmented by its regulation under different national laws.

In this context, Portugal will monitor the ongoing implementation of the European digital finance package, adopted on 24 September 2020. According to the EU, this package will contribute to bringing down national barriers and spurring competition in areas such as:

  • online banking, online payment, and transfer services;
  • peer-to-peer lending; and
  • personal investment advice and services.

In this innovative direction, Decree-Law No. 67/2021 (only available in Portuguese here) was published, establishing the regime and defining the governance model for the promotion of technology-based innovation through the creation of technology free zones, promoting and facilitating research, demonstration, and testing activities, in a real environment, of innovative technologies, products, services, processes, and models in Portugal. Its goal is to take advantage of all the opportunities brought by new technologies - from artificial intelligence ('AI'), to Blockchain, bio and nanotechnology, 3D printing, virtual reality, robotics, and the Internet of Things ('IoT'), and including Big Data and the 5G network, among others.

10. ENFORCEMENT

The GDPR provides for administrative fines of up to (Article 83 of the GDPR):

  • €10 million, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringing provisions on the obligations of a controller, processor, certification body or monitoring body; and
  • €20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover for the preceding financial year, whichever is higher, for infringing provisions on the basic principles for processing, data subjects' rights, transfer of personal data to a recipient in a third country or international organisation, or non-compliance with an order or a limitation on processing by the supervisory authority.

The GDPR Implementation Law contains a two-tier structure for the fines, graded by the seriousness of the offence and by the size of the company in question. The two categories are:

First, very serious administrative offences, in cases of:

  • processing of personal data in breach of the principles enshrined in Article 5 of the GDPR;
  • processing of personal data which is not based on consent or any other condition of legitimacy, in accordance with Article 6 of the GDPR or national legislation;
  • failure to comply with the rules on the provision of consent set out in Article 7 of the GDPR;
  • processing of personal data provided for in Article 9(1) of the GDPR when none of the circumstances referred to in Article 9(2) are verified;
  • processing of personal data provided for in Article 10 of the GDPR which contravenes the rules laid down therein;
  • requiring the payment of a sum of money outside the cases provided for in Article 12(5) of the GDPR;
  • requiring the payment of a sum of money in the cases provided for in Article 12(5) of the GDPR which exceeds the costs necessary to satisfy the right of the data subject;
  • failure to provide relevant information in accordance with Articles 13 and 14 of the GDPR, which occurs in the following circumstances:
    • omission of information about the purposes for which the processing is intended;
    • omission of information about the recipients or categories of recipients of personal data; or
    • omission of information about the right to withdraw consent in the cases provided for in Articles 6(1)(a) and 9(2)(a) of the GDPR;
  • to forbid, to not ensure, or to impede the exercise of the rights provided for in Articles 15 to 22 of the GDPR;
  • the international transfer of personal data in breach of Articles 44 to 49 of the GDPR;
  • a failure to comply with the decisions of the supervisory authority provided for in Article 58(2) of the GDPR, or refusal to cooperate as required by the CNPD in the exercise of its powers; or
  • violation of the rules set out in Chapter VI of the GDPR Implementation Law.

The administrative offences listed above are punished with a fine:

  • from €5,000 to €20 million or 4% of the annual turnover, on a worldwide level, whichever is greater, in the case of large enterprises;
  • from €2,000 to €2 million or 4% of the annual turnover, on a worldwide level, whichever is higher, in the case of small and medium-sized enterprises; and
  • from €1,000 to €500,000 in the case of natural persons.

And second, serious administrative offences, in cases of:

  • violation of the provisions of Article 8 of the GDPR;
  • failure to provide the other information provided for in Articles 13 and 14 of the GDPR;
  • violation of the provisions of Articles 24 and 25 of the GDPR;
  • breach of the obligations under Article 26 of the GDPR;
  • violation of the provisions of Article 27 of the GDPR;
  • breach of the obligations under Article 28 of the GDPR;
  • violation of Article 29 of the GDPR;
  • failure to register the processing of personal data in breach of the provisions of Article 30 of the GDPR;
  • breach of the security rules laid down in Article 32 of the GDPR;
  • failure to comply with the obligations set out in Article 33 of the GDPR;
  • non-compliance with the duty to inform the data subject in the situations provided for in Article 34 of the GDPR;
  • non-compliance with the obligation to carry out impact assessments in the cases provided for in Article 35 of the GDPR;
  • non-compliance with the obligation to consult the supervisory authority prior to data processing operations in the cases provided for in Article 36 of the GDPR;
  • non-compliance with the obligations provided for in Article 37 of the GDPR;
  • a breach of Article 38 of the GDPR, in particular as regards the guarantees of the independence of the DPO;
  • failure to comply with the obligations laid down in Article 39 of the GDPR;
  • carrying out of acts of supervision of codes of conduct by bodies not accredited by the supervisory authority in accordance with Article 41 of the GDPR:
    • non-compliance by the certification bodies of the conducts provided for in Article 41(4) of the GDPR; and
    • the use of data protection seals or marks which had not been issued by certification bodies duly accredited in accordance with Articles 42 and 43 of the GDPR;
  • the failure by the certification bodies of fulfilment of their obligations under Article 43 of the GDPR; or
  • violation of the provisions of Article 19 of the GDPR Implementation Law.

The offences listed above are punished with a fine of:

  • from €2,500 to €10 million or 2% of the annual turnover, on a worldwide level, in the case of large enterprises;
  • from €1,000 to €1 million or 3% of the annual turnover, on a worldwide level, whichever is higher, in the case of small and medium-sized enterprises; and
  • from €500 to €250,000 in the case of natural persons.

With regard to the abovementioned two-tier structure for the fines, we would like to point out that the CNPD recently issued a Deliberation stating that it will not apply some of the rules foreseen in the GDPR Implementation Law, among them the rules that establish this two-tier structure for the fines. The CNPD stated that the Deliberation is intended to ensure the transparency of its future decision-making procedures and thereby contribute to legal certainty. It also clarified that the non-application, in future particular cases, of the legal provisions listed in the Deliberation results in the direct application of the GDPR rules that those provisions were manifestly restricting, contradicting, or compromising in their useful effect.

As far as crimes are concerned, the GDPR Implementation Law provides for criminal sanctions for:

  • use of data in a way incompatible with the purpose of the collection;
  • undue access to data;
  • data deviation;
  • data vitiation or destruction;
  • entering false data;
  • violation of the duty of secrecy; and
  • disobedience for failure to comply with obligations under the GDPR and the CNPD guidelines to comply with them.

These crimes are applicable to financial entities, either individually or collectively, if the respective conditions for criminal liability are met.

Lastly, the infringement of the rules foreseen in Decree-Law 95/2006 with regard to unsolicited communications is punishable with a fine from €2,500 up to €1.5 million if committed by a legal person, or €1,250 to €750,000 if carried out by a natural person.

Regarding the violation of the duty of secrecy, Article 84 of the RGICSF provides that it is punishable under the Criminal Code, without prejudice to other applicable sanctions. Thus, the violation of the duty of secrecy can be punishable:

  • with a prison sentence of up to one year or a fine of up to 240 days (Article 84 of the RGICSF and Articles 195 (Violation of the duty of secrecy) and 196 (Exploitation of the duty of secrecy) of the Portuguese Criminal Code); or
  • with administrative fines of up to €1.5 million or €500,000, depending on whether they are applied to a legal person or a natural person.

As for the AML/CFT Law, it provides that the illegitimate disclosure, to customers or third parties, of personal data or information is punishable with a sentence of imprisonment of up to three years, or a fine.

In the case of legal persons or legally equivalent entities, such an offence is punishable by a fine of at least 50 days.

In addition, the disclosure of information and the violation of the duty of secrecy may also be punished with fines:

  • up to €5 million if the agent is a credit or financial institution; or
  • up to €1 million if the agent is not a credit or financial institution.

Lastly, failure to notify the BDP of a security incident (as foreseen in Decree-Law 91/2018) is punishable.

11. ADDITIONAL AREAS OF INTEREST

Not applicable.

Ricardo Henriques, Partner
Abreu Advogados, Lisbon
