
Portugal: Health and Pharma Overview


December 2021

1. Governing Texts

In Portugal, privacy and data protection, as well as healthcare and pharmaceutical products and services, are governed both by harmonised European legislation and by national laws.

1.1. Legislation

Privacy and data protection in Portugal are primarily governed by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), supplemented by national legislation, including the national law implementing the GDPR (referred to in this Guidance Note as 'the Protection of Personal Data Law').

A specific decree governs data protection in the field of health: Decree-Law No. 131/2014 of 29 August (only available in Portuguese), which regulates the protection and confidentiality of genetic information, human genetic databases for the purposes of healthcare and health research, the conditions for offering and carrying out genetic tests, and the terms under which medical genetics consultation is ensured.

Additionally, and with relevance for the purposes of this Guidance Note, the key legislation from a data protection perspective includes:

  • Law No. 95/2019 of 4 September (only available in Portuguese);
  • Law No. 12/2005 of 26 January on Personal Genetic Information and Health Information (only available in Portuguese) ('the Genetic Law'), which defines the concepts of health information and genetic information, regulates the circulation of that information and intervention on the human genome within the health system, and provides rules for taking and storing biological products for the purpose of genetic testing or research;
  • Law No. 21/2014 of 16 April (only available in Portuguese) ('the Clinical Research Law'), which regulates clinical research and clinical trials; and
  • Decree-Law No. 176/2006 of 30 August (only available in Portuguese) ('the Human Medicines Law'), which establishes the legal regime governing marketing authorisation and variations thereto, manufacture, import, export, marketing, labelling and information, advertising, pharmacovigilance, and use of medicinal products for human use, and the inspection thereof, including, in particular, homeopathic medicinal products, radiopharmaceuticals, and traditional herbal medicinal products.

1.2. Supervisory authorities

Supervisory authorities with relevance to the health, pharmaceutical, and privacy and data protection sphere include:

  • National Authority for Medicines and Health Products ('INFARMED') which is the main authority responsible for ensuring the safety of health products during their entire lifespan, from trials to market surveillance;
  • Portuguese National Authority for Health ('DGS'), which is the authority responsible for performing assessments and recommendations in order to improve health quality and efficiency and which also issues accreditation for healthcare facilities;
  • Health Regulatory Entity ('ERS'), which is the authority responsible for regulating the activity of healthcare establishments in the public, private, cooperative, and social sectors;
  • Portuguese Data Protection Authority ('CNPD'), which is the authority responsible for the control and supervision of the legal and regulatory provisions on the protection of personal data, in order to defend the rights, freedoms, and guarantees of individuals with regard to the processing of their personal data; and
  • Ethics Committee for Clinical Investigation ('CEIC'), which is an independent body constituted of health professionals and others, charged with ensuring the protection of the rights, safety, and well-being of participants in clinical trials, and to assure society of this by providing an ethical opinion on the research protocols submitted to it.

1.3. Guidelines

Generally speaking, in Portugal, the health and pharmaceutical sector is governed by national laws, regulations, and ministerial ordinances, EU regulations and directives, and the European Medicines Agency's ('EMA') guidelines and recommendations.

In addition, listed below are some further measures, such as guidelines or recommendations, issued by some of the supervisory authorities identified above, which relate to data protection in the health and pharmaceutical sector.

CNPD

  • Guidelines on the health data processing provided for in Decree No. 8/2020 of the Council of Ministers in the context of the pandemic caused by the SARS-CoV-2 coronavirus and the COVID-19 disease (only available in Portuguese);
  • Principles applicable to the processing of data carried out in the context of clinical research (only available in Portuguese); and
  • Principles applicable to the processing of personal data carried out within the national pharmacovigilance system for medicinal products for human use (only available in Portuguese).

ERS

  • Supervision Alert No. 01/2019 on the processing of personal data necessary for the provision of healthcare (only available in Portuguese); and
  • Informed Consent – Final Report (only available in Portuguese).

CEIC

  • CEIC's Document on the General Data Protection Regulation (GDPR) in the context of Clinical Research (only available in Portuguese).

1.4. Definitions

The GDPR includes the following relevant definitions (Article 4 of the GDPR).

Biometric data: Personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.

Consent: Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.

Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data concerning health: Personal data related to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information about their health status.

Filing system: Any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised, or dispersed on a functional or geographical basis.

Genetic data: Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Processor: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Personal data: Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

The term 'special categories of personal data' is not defined in Article 4 of the GDPR; instead, Article 9(1) of the GDPR lists them as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person's sex life or sexual orientation.

It is also important to note that some of the legislation identified above contain specific definitions which are worth making reference to.

Clinical file: Per the Genetic Law, this means any record, whether computerised or not, containing health information about patients or their relatives.

Genetic database: Per the Genetic Law, this means any register, electronic or not, which contains genetic information on a set of persons or families.

Genetic information: Per the Genetic Law, this means health information about the hereditary characteristics of one or more persons related to each other or with common characteristics of that kind, excluding from this definition information derived from kinship tests or zygotic studies on twins, from genetic identification studies for criminal purposes, as well as from the study of somatic genetic mutations in cancer; and information relating to hereditary characteristics obtained by direct analysis of nucleic acids or other sources of genetic information, from an identified natural person or a natural person who can be identified, using codes.

Health information: Per the Genetic Law, health information covers all types of information directly or indirectly linked to the present or future health of a person, whether living or deceased, and their medical and family history.

Medical information: Per the Genetic Law, this means health information intended to be used in the provision of health care or treatment.

2. Clinical Research and Clinical Trials

Clinical research and clinical trials are both regulated by the Clinical Research Law.

Clinical research must be preceded by a favourable opinion from the CEIC to be issued within 30 days, without which the research may not be carried out. Additionally, clinical research may only be conducted if the following requirements are met in relation to the participant or, if the participant is a minor or person incapable of giving their informed consent, their representative:

  • in a prior interview with the investigator, the objectives, risks, and inconveniences of the clinical trial and the conditions under which it is conducted are explained to them in a comprehensible manner and in language suited to their capacity for understanding;
  • in the interview referred to in the previous point, they are informed of their right to withdraw at any time from the clinical research without this entailing any change in the healthcare provided or to be provided to them;
  • the right to moral and physical integrity of the participant is ensured, as well as the right to privacy and protection of personal data concerning them, in accordance with the respective legal framework;
  • informed consent is obtained under the terms of the Clinical Research Law;
  • there is insurance that covers the sponsor's and the investigator's civil liability;
  • the healthcare provided and the clinical decisions taken in respect to the participant are the responsibility of a healthcare professional duly qualified for such;
  • a contact point is designated, from which the participant may obtain further information; and
  • no incentives or financial inducements are given, without prejudice to the reimbursement of expenses and compensation for damages incurred as a result of participation in the clinical trial.

An authorisation to perform a clinical trial must be submitted to INFARMED, by the sponsor, through the National Register of Clinical Trials ('RNEC'), and must be accompanied by the following elements:

  • the protocol;
  • the investigator's brochure;
  • full identification of the sponsor of the clinical trial, the investigator, the principal investigator, or the investigator-coordinator;
  • the identification and qualifications of all members of the research team involved in the clinical trial;
  • the identification of the clinical trial sites involved, and a statement from the head of the clinical trial sites indicating the terms of their involvement;
  • identification of the respective competent authorities and, if any, the opinions of the ethics committees issued therein, translated into Portuguese, in the case of multicentre clinical trials involving trial centres from other Member States of the EU or third countries;
  • the dossier of the investigational medicinal product, in the event of a clinical trial with an investigational medicinal product; and
  • other elements deemed necessary in accordance with the applicable guideline issued by the European Commission ('the Commission').

INFARMED is responsible for creating a database on clinical research and clinical trials, including those involving medical devices, conducted in clinical study centres located on national territory. The database must include, in particular, a detailed record of:

  • the data extracted from the applications for authorisation to perform clinical trials;
  • data on cases of suspected unexpected serious adverse reactions or serious adverse events, which have been brought to INFARMED's attention; and
  • justification of the need to include personal data that identifies or allows the identification of the participants.

The data contained in the referred database may be made available by INFARMED to the CEIC and, upon reasoned request and subject to the necessary guarantees of confidentiality, to other entities that demonstrate a relevant interest, always in compliance, as appropriate, with the provisions of the Access to Administrative Documents Law and of the Protection of Personal Data Law.

2.1. Data collection and retention

Some of the data collected during clinical research or a clinical trial is considered health data. Processing of health data must comply with the requirements of the GDPR and the Protection of Personal Data Law.

Processing of health data is only permitted if one of the exceptions provided for in Article 9(2) of the GDPR applies, for example the data subject's explicit consent.

The controller should comply with the duty of information set forth in Articles 12 to 14 of the GDPR, or ensure that it is complied with, since in clinical research or a clinical trial the controller is usually not the entity collecting the personal data. Collection of the personal data is, in general, the responsibility of the investigator, who acts as a processor in this data processing; the controller must therefore ensure that the processor complies with the duty of information, namely through a data processing agreement regulating this matter.

As regards retention periods, no specific term is set in the Clinical Research Law; therefore, pursuant to the 'storage limitation' principle enshrined in Article 5(1)(e) of the GDPR, personal data processed must be stored for no longer than is necessary for the purposes for which the personal data is processed, but may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.

Nevertheless, in Deliberation No. 1704/2015 (only available in Portuguese) ('the Deliberation'), the CNPD established retention periods it deemed adequate, depending on the type of clinical trial or study, as follows:

  • in the case of clinical trials on investigational medicinal products, the maximum retention period must coincide with the periods laid down in Item 5.2 of Annex I of the Human Medicines Law;
  • in the case of clinical studies with medical devices, in accordance with Decree-Law No. 145/2009 of 17 June (only available in Portuguese), the maximum retention period is 15 years for implantable medical devices and five years for other medical devices; and
  • in all other cases, the key that produced the code that allows the indirect identification of the data subject must be deleted five years after the end of the study.

However, it is important to stress that the Deliberation predates the date of application of the GDPR, so it is up to the controller to assess whether the aforementioned retention periods remain appropriate and, if not, to establish a retention period that complies with the 'storage limitation' principle.

2.2. Consent

In general, according to Article 9(1) of the GDPR, the processing of a data subject's health data is prohibited. Nevertheless, one of the ways to overcome that prohibition is to obtain the data subject's consent, as provided for in Article 9(2)(a) of the GDPR: the 'data subject has given explicit consent to the processing of those personal data for one or more specified purposes', except where EU or Member State law provides that the prohibition on processing special categories of data may not be lifted by the data subject.

Nonetheless, the controller must be able to demonstrate that the data subject has given this consent under valid conditions (Article 7(1) of the GDPR). Pursuant to Article 4(11) of the GDPR, 'consent' of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.

The controller must inform and permit that the data subject exercises their right to withdraw their consent at any time, which should not affect the lawfulness of processing based on consent before its withdrawal and should be as easy to withdraw as to give.

With regard to individuals without legal capacity, such as children, specific conditions for the processing of their personal data apply under Decree-Law No. 47344 (the Civil Code) (only available in Portuguese). As a general rule, individuals without legal capacity cannot give valid consent for the processing of their personal data.

Pursuant to Article 8 of the GDPR, where consent is relied upon in relation to the offer of information society services directly to a child, the processing of the child's personal data is only lawful if the child is at least 16 years old or, below that age, if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Given that the GDPR allows EU Member States to set a lower age threshold (not below 13 years), Article 16 of the Protection of Personal Data Law establishes 13 as the minimum age at which consent may be obtained directly from minors.

It is important not to mistake the concept of consent under data protection laws with the concept of informed consent, which is regularly used in the health and pharmaceutical sector.

According to the Clinical Research Law, informed consent is defined as 'the express decision to participate in a clinical trial, taken freely by a fit and proper person or, in the absence of such a person, by his or her legal representative, after being duly informed of the nature, significance, implications and risks of the trial, and the right to withdraw from the trial at any time, without any consequences, in accordance with guidelines issued by the CEIC which shall include the definition of the appropriate means of providing such information, which shall be in writing where applicable'. Without prejudice to that definition, informed consent can be defined, on a broader scope, as 'the informed consent given by the user prior to undergoing a given medical act, any act of healthcare provision, or participation in research or clinical trial.'

Having made the distinction between consent and informed consent, it is important to understand the consequences of withdrawal. In the European Data Protection Board's ('EDPB') Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation and the General Data Protection Regulation (23 January 2019), the EDPB considered that the withdrawal of informed consent under Article 28(3) of the Clinical Trials Regulation ('CTR') must not be confused with the withdrawal of consent under the GDPR. Under the former, it is expressly provided that the withdrawal of informed consent, which must not affect the activities already carried out and the use of the data obtained on the basis of informed consent before its withdrawal, is '[w]ithout prejudice to Directive 95/46/EC' (now the GDPR).

Taking into consideration that, as indicated above, consent is not the only legal basis for processing health data, if consent is withdrawn the controller must cease processing the health data unless another ground legitimises the processing.

With regard to the possible withdrawal of informed consent, namely in the context of clinical trials, the law provides that the participant or their representative may revoke (expressly or tacitly) informed consent at any time, without incurring any form of liability and without prejudice to the provision of the care required by the participant's state of health. Given that informed consent is a minimum requirement for conducting a clinical trial, it should be understood that, if informed consent is revoked, the data of the participant who revoked it may not be used in the context of the trial; Article 30(4) of Regulation (EU) No 536/2014 of 16 April 2014 on Clinical Trials on Medicinal Products for Human Use, and Repealing Directive 2001/20/EC, which becomes applicable on 31 January 2022, confirms this understanding.

2.3. Data obtained from third parties

Pursuant to Article 14 of the GDPR, where personal data has not been obtained from the data subject, the controller must provide a series of information to the data subjects.

The information to be provided by the controller in such a case is:

  • the identity and the contact details of the controller and, where applicable, of the controller's representative;
  • the contact details of the data protection officer ('DPO'), where applicable;
  • the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipients of the personal data, if any;
  • where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available;
  • the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  • where processing is based on legitimate interests, the legitimate interests pursued by the controller or by a third party;
  • the existence of the data subject rights;
  • if processing is based on the data subject's consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  • the source from which the personal data originated, and if applicable, whether it came from publicly accessible sources; and
  • the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

A controller does not need to comply with the above-mentioned obligation of information if:

  • the data subject already has the information;
  • the provision of such information proves impossible or would involve disproportionate effort or in so far as the obligation is likely to render impossible or seriously impair the achievement of the objectives of that processing (in such cases the controller must take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available);
  • obtaining or disclosure is expressly laid down by EU or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; or
  • where the personal data must remain confidential subject to an obligation of professional secrecy regulated by EU or Member State law, including a statutory obligation of secrecy.

3. Pharmacovigilance

According to the EMA, pharmacovigilance can be defined as the science and activities relating to the detection, assessment, understanding, and prevention of adverse effects or any other medicine-related problem.

The objective of pharmacovigilance is to allow early detection of unknown side effects in medicinal products and identify risk factors causing the side effects, with a view to inform the public on these side effects and improve patient treatment.

EU law therefore requires each marketing authorisation holder, each national competent authority, and the EMA to operate a pharmacovigilance system. The overall EU pharmacovigilance system operates through cooperation between the EU Member States, the EMA, and the Commission. In some Member States, regional centres are in place under the coordination of the national competent authority, which, in Portugal, is INFARMED.

The National Pharmacovigilance System ('NPS') monitors the safety of medicines with national marketing authorisation, assessing any problems related to adverse drug reactions and implementing safety measures whenever necessary.

The currently applicable legislation includes the rules summarised below.

The conditions of obtaining a marketing authorisation from INFARMED include the existence of an adequate pharmacovigilance system. The requirement also applies to marketing authorisation applications through the different EU marketing authorisation routes.

From a data protection perspective, the applicable pharmacovigilance legislation imposes various obligations that means health data may be processed.

In accordance with Article 171(1)(c) and (d) of the Human Medicines Law, a marketing authorisation holder is obliged to transmit electronically to the database and data processing network referred to in Article 24 of Regulation 726/2004 (the EudraVigilance database) information on all suspected serious adverse reactions that occur in the EU and in third countries, within 15 days from the day after the marketing authorisation holder gained knowledge of the event, and to submit electronically to the EudraVigilance database information on all non-serious suspected adverse reactions that occur in the EU, within 90 days from the day after the marketing authorisation holder gained knowledge of the event.

In light of the above obligations, a medicine marketing authorisation holder will necessarily have to process personal data as a result of complying with a legal obligation, and where personal data is processed, the exception provided for in Article 9(2)(i) of the GDPR will necessarily apply, since processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices, on the basis of EU or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.

It is worth mentioning that, in accordance with the applicable EU Regulation, 'in order to detect, assess, understand, and prevent adverse reactions, and to identify and take actions to reduce the risks of, and increase the benefits from, medicinal products for human use for the purpose of safeguarding public health, it should be possible to process personal data within the Eudravigilance system while respecting the Union legislation relating to data protection. The purpose of safeguarding public health constitutes a substantial public interest and consequently the processing of personal data can be justified if identifiable health data are processed only when necessary and only when the parties involved assess this necessity at every stage of the pharmacovigilance process'.

On the other hand, we stress that INFARMED has implemented a portal that allows a person to report an adverse reaction. In this notification, the person will send their personal data, which may include health data resulting from the adverse reaction they are reporting.

It should be noted that, according to information provided by INFARMED, the processing of personal data resulting from the notification through the portal complies with legal and European data protection requirements, ensuring its security and confidentiality, and personal data are not shared with entities outside the NPS.

4. Biobanking

Portugal has in place a range of legislation regulating the establishment and functioning of biobanks. There is legislation in force regulating stem cell biobanks (Law No. 12/2009 of 26 March (only available in Portuguese)), biobanks for criminal and civil purposes (Law No. 5/2008 of 12 February (only available in Portuguese)), and biobanks (so-called bio data banks) for healthcare provision, including disease diagnosis and prevention, and basic or health research.

The Genetic Law defines biobanks as 'any repository of biological samples or their derivatives, with or without time-limited storage, whether using prospective collection or previously collected material, or being obtained as part of routine healthcare, or in screening programmes, or for research purposes, and which includes samples that are identified, identifiable, anonymised, or anonymous'.

The applicable law establishes that stored biological material is considered property of the person from whom it was obtained or - after their death or disability - of their relatives, and should be stored as long as it is of proven use for current and future family members.

For a biobank to be created, prior authorisation is needed from an entity duly accredited by the department in charge of the protection of health (per the Genetic Law). Until the application of the GDPR, prior authorisation of the CNPD was required too, to the extent that personal data was involved. Currently, therefore, these entities (i.e. the biobanks) are mostly under the regulatory authority of the DGS and the CNPD. However, full compliance with the legal requirements also entails a favourable opinion from the CEIC.

The collection of blood and other biological products and the taking of DNA samples for genetic tests should be subject to separate informed consent for the purpose of care tests and for research purposes, stating the purpose of the collection and storage time of samples and products derived therefrom. Informed consent is required for obtaining and using material for a biobank, and the consent form must include information about the purposes of the bank, the person in charge, the types of research to be undertaken, the potential risks and benefits, the conditions and duration of storage, the measures taken to ensure the privacy and confidentiality of the persons participating and the provision for the possibility of communicating or not communicating the results obtained with such material.

Consent to inclusion in the biobank may be revoked at any time. Consent may be withdrawn at any time by the person to whom the biological material belongs or, after their death or disability, by their family members, in which case the biological samples and stored derivatives must be destroyed for good.

In exceptional cases, consent may be waived. This occurs where retrospective use of samples is made, or in special situations where the consent of the persons concerned cannot be obtained due to the amount of data or individuals, their age, or other comparable reason; the material and the data can be processed, but only for scientific research purposes or the collection of epidemiological or statistical data (Article 19(6) of the Genetic Law).

5. Data Management

The GDPR integrates accountability as a principle which requires that organisations put in place appropriate technical and organisational measures and be able to demonstrate what they did and its effectiveness when requested.

One of the direct consequences of the accountability principle is the record of processing activities set forth in Article 30 of the GDPR, according to which the controller, the processor and, where applicable, the controller's representative, must maintain a record of the processing activities under its responsibility. It is worth pointing out that, although the record of processing activities is not mandatory for enterprises or organisations with fewer than 250 employees, it will in practice be very rare for an enterprise or organisation working in the health and pharmaceutical sector not to be obliged to maintain one. Under Article 30(5) of the GDPR, even an enterprise or organisation below that headcount must maintain the record when the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, when the processing is not occasional, or when the processing includes special categories of data as referred to in Article 9(1) of the GDPR, which, as previously mentioned, is the case of health data.

Bearing in mind that the health and pharmaceutical area is one where much of the personal data processed is considered a special category of data, and where the means for their processing are increasingly advanced and rely on new technologies (which legislation often does not keep up with), it is essential that controllers, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data, usually referred to as a Data Protection Impact Assessment ('DPIA'). This assessment takes into account the nature, scope, context, and purposes of the processing and the likelihood of the processing resulting in a high risk to the rights and freedoms of natural persons. In this regard, it should be noted that the CNPD, in accordance with Article 35(4) of the GDPR, published a list of processing operations subject to a mandatory DPIA (only available to download in Portuguese here), of which those with greater relevance to the health and pharmaceutical area are identified below:

  • processing of information arising from the use of electronic devices that transmit, via communication networks, personal data concerning health;
  • interconnection of personal data or processing which relates personal data as provided for in Article 9(1) or Article 10 of the GDPR or data of a highly personal nature;
  • processing of personal data provided for in Article 9(1) or Article 10 of the GDPR or data of a highly personal nature on the basis of indirect collection thereof, where it is not possible or feasible to ensure the right of information under Article 14(5)(b) of the GDPR;
  • processing of data provided for under Article 9(1) or Article 10 of the GDPR or data of a highly personal nature for archiving purposes in the public interest, scientific and historical research, or statistical purposes, with the exception of processing provided for and regulated by law providing adequate safeguards for the rights of data subjects;
  • processing of biometric data for the unequivocal identification of their subjects, where these are vulnerable persons, with the exception of processing provided for and regulated by a law which has been preceded by a DPIA;
  • processing of genetic data of vulnerable persons with the exception of processing provided for and regulated by a law preceded by a DPIA; and
  • processing of personal data provided for in Article 9(1) or 10 of the GDPR or data of a highly personal nature using new technologies or new use of existing technologies.

On the other hand, the adoption of the principles of Privacy by Design and Privacy by Default is fundamental in the health and pharmaceutical area.

6. Outsourcing

In general, in an outsourcing relationship one of the parties will be considered as a controller and the other party (the outsourcer) as a processor.

In the context of clinical trials, the sponsor (entity responsible for the implementation and financing of a clinical trial) may sign agreements with other contracting parties, such as contract research organisations ('CRO') (organisations solely focused and specialised on clinical trials in order to respond to the growing complexity of clinical trials and to improve efficiency in this process), in order to carry out certain, or all, stages of the clinical trial.

The processing of personal data collected during the clinical trial must always be conducted in accordance with the technical and organisational measures ensuring a level of security appropriate to the risk, as set forth by Article 32 of the GDPR.

In general, the sponsor is the controller, as it defines the means and purposes of data processing and is responsible for the processing of personal data, and the CRO is the processor. Therefore, in accordance with Article 28(3) of the GDPR, both parties should enter into an agreement, usually referred to as data processing agreement, that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller.

Nevertheless, if the CRO is authorised by the sponsor to define the purposes and means of processing based on its expertise, the CRO will be considered as a joint controller with the sponsor and, in that case, both parties should enter into a joint controller agreement as provided for in Article 26(1) of the GDPR in order to regulate their respective responsibilities for compliance with the obligations under the GDPR, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14 of the GDPR.

7. Data Transfers

The assessment to be made regarding a data transfer will depend on whether the personal data is to be transferred to a country within the EU or to a country outside the EU, since a controller/processor may not transfer personal data to a jurisdiction that is not an EU Member State if that country (third-country) does not provide an adequate level of the protection of personal data (subject to an adequacy decision).

In the absence of an adequacy decision and on condition that enforceable data subject rights and effective legal remedies for data subjects are available, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards. Said safeguards may be provided by:

  • a legally binding and enforceable instrument between public authorities or bodies;
  • Binding Corporate Rules ('BCRs');
  • Standard Contractual Clauses ('SCCs') adopted by the Commission or adopted by a supervisory authority and approved by the Commission; and
  • an approved code of conduct or certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

In the absence of either an adequacy decision or appropriate safeguards, a transfer of personal data to a third-country or international organisation must take place only on one of the derogations provided by Article 49 of the GDPR:

  • the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
  • the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
  • the transfer is necessary for important reasons of public interest;
  • the transfer is necessary for the establishment, exercise, or defence of legal claims;
  • the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; and
  • the transfer is made from a register which according to EU or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by EU or Member State law for consultation are fulfilled in the particular case.

It is important to note that, following the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18), it is recommended that any data transfer should be subject to a risk-based approach as per the EDPB's Recommendations 01/2020 on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data (10 November 2020).

8. Breach Notification

According to the GDPR, a personal data breach can be defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

The controller must ensure the security and confidentiality of the personal data processed by implementing measures that prevent data breaches and that allow it to react appropriately when a data security breach is detected. It is important to establish, through initial investigations, that a data breach has in fact occurred and to determine the seriousness of the breach.

Failure to take timely and appropriate technical and organisational measures in case of a personal data breach may cause physical and moral damage to natural persons, such as:

  • loss of control over their personal data;
  • limitation of their rights;
  • identity theft or fraud;
  • financial losses;
  • reputational damage;
  • loss of confidentiality of personal data protected by professional secrecy; or
  • any other significant economic or social disadvantage to the natural person concerned.

In the case of a personal data breach which is likely to result in a risk to the rights and freedoms of natural persons, the controller must, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, which in Portugal, as referred to previously, is the CNPD. Where the notification to the supervisory authority is not made within 72 hours, it must be accompanied by reasons for the delay.

The CNPD has published a specific form on its website (only available in Portuguese here) for a personal data breach to be notified.

The notification to the supervisory authority should at least:

  • describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • communicate the name and contact details of the DPO or other contact point where more information can be obtained;
  • describe the likely consequences of the personal data breach; and
  • describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

It is essential that the controller documents any personal data breaches, comprising the facts relating to the personal data breach, its effects, and the remedial action taken.

In cases where the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate the breach to the data subject without undue delay. A high risk is considered to exist when the data breach may result in substantial harm to the data subjects.

The notification to data subjects must be in clear and plain language, describe the nature of the data breach, as well as provide recommendations for the data subject to mitigate the potential adverse effects arising from the breach and contain at least:

  • the point of contact where further information about the data breach can be obtained;
  • a description of the potential consequences of the personal data breach; and
  • a description of the measures taken or proposed to be taken to mitigate possible adverse effects and with a view to containing and resolving the personal data breach.

Nevertheless, it is not necessary to notify the data breach to the data subject if:

  • appropriate protective measures, both technical and organisational, have been implemented and those measures have been applied to the personal data affected by the breach, especially measures rendering the personal data unintelligible to any person not authorised to access that data, such as encryption;
  • subsequent measures ensuring that the high risk to the rights and freedoms of data subjects is no longer likely to materialise have been taken; or
  • it would involve a disproportionate effort - in such case, a public announcement should be made or a similar measure taken whereby the data subjects are informed in an equally effective manner.

A personal data breach should be considered to have occurred if there is sufficient knowledge of its nature and scope, as well as concrete evidence of its existence.

Mere suspicion, without any knowledge of the circumstances, does not mean that a notification should be sent under the terms indicated above, since, on the basis of a mere suspicion, it will not be possible, in most cases, to carry out an assessment of the risk to the rights and freedoms of data subjects.

As for processors, according to Article 33(2) of the GDPR they must notify the controller without undue delay after becoming aware of a personal data breach. Since the controller has only a short period in which to decide whether or not to proceed with the above-mentioned notifications, it is important that this matter is appropriately addressed in the data processing agreement executed by the controller and processor in accordance with Article 28(3) of the GDPR.

9. Data Subject Rights

The GDPR has established several rights for the data subject, such as:

  • the right to be informed (Articles 13 and 14 of the GDPR);
  • the right of access (Article 15 of the GDPR);
  • the right to rectification (Article 16 of the GDPR);
  • the right to erasure (Article 17 of the GDPR);
  • the right to restriction of processing (Article 18 of the GDPR);
  • the right to data portability (Article 20 of the GDPR);
  • the right to object to processing, and rights in relation to automated decision-making and profiling (Articles 21 and 22 of the GDPR);
  • the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (Article 7 of the GDPR); and
  • the right to lodge a complaint with a supervisory authority.

Although Recital 27 of the GDPR establishes that it is not applicable to the personal data of deceased persons, it leaves Member States free to regulate this matter at their own discretion. Thus, the Protection of Personal Data Law regulates the rights relating to deceased persons as follows:

  • Personal data of deceased persons is protected under the terms of the GDPR and the Protection of Personal Data Law when it is to be considered as special categories of personal data or when it is related to privacy, image, or communications data.
  • The rights of access, rectification, and erasure may be exercised by whoever the deceased person has designated for the purpose or, in their absence, by their heirs. Nevertheless, data subjects may, under the terms of the applicable law, make it impossible to exercise the referred rights after their death.

10. Penalties

According to the GDPR, infringements of the rules on data protection can be subject to administrative fines of up to €20 million or up to 4% of the annual worldwide turnover of the company.

The Protection of Personal Data Law provides a specific administrative offence regime by dividing the administrative offences applicable under the GDPR into two types: very serious and serious.

The fine varies depending on the type of administrative offence at issue, as follows:

  • If it falls within the range of very serious administrative offences, the applicable fines are:
    • from €5,000 to €20 million or 4% of the annual worldwide turnover, whichever is higher, in the case of a large company;
    • from €2,000 to €2 million or 4% of the annual worldwide turnover, whichever is higher, in the case of a small-to-medium enterprise; or
    • from €1,000 to €500,000, in the case of natural persons.
  • If it falls within the range of serious administrative offences, the applicable fines are:
    • from €2,500 to €10 million or 2% of the annual worldwide turnover, whichever is higher, in the case of a large company;
    • from €1,000 to €1 million or 2% of the annual worldwide turnover, whichever is higher, in the case of a small-to-medium enterprise; or
    • from €500 to €250,000, in the case of natural persons.

In addition to the criteria for determining the applicable fine established in Article 84 of the GDPR, the Protection of Personal Data Law establishes the following criteria:

  • the economic situation of the agent, where the agent is a natural person, or the turnover and annual balance sheet, where the agent is a company;
  • the continued nature of the infringement; or
  • the size of the entity, taking into account the number of employees and the nature of the services provided.

Finally, it is important to note that, according to the Protection of Personal Data Law, fines are time-barred (prescribed) after the following periods:

  • three years, in the case of fines exceeding €100,000; or
  • two years, in the case of fines equal to or less than €100,000.

In addition to the administrative penalties referred to above, the Protection of Personal Data Law contains significant criminal penalties for breach of its provisions and for the unlawful processing of personal data, punishable by a prison sentence of up to one or two years, or a fine of up to 120 or 240 days, depending on the offence.

11. Other Areas of Interest

Telemedicine

Telemedicine was first mentioned in Ordinance No. 567/2006 (only available in Portuguese here), which identifies telemedicine as 'the use of interactive, audio-visual, and data communications in medical consultation within the presence of the patient, who uses these means to obtain an opinion at a distance from at least one other doctor and with mandatory recording on the equipment and in the patient's clinical file', and also in Normative Guidance No. 010/2015 (only available in Portuguese here) from the DGS. Nevertheless, there are no laws regulating telemedicine in Portugal, even though, especially following the outbreak of the COVID-19 pandemic, many healthcare facilities, especially in the private sector, have adopted telemedicine practices.

Nevertheless, it is important to point out that telemedicine is regulated by Articles 46 to 49 of Medical Ethics Regulation No. 707/2016 (only available in Portuguese here) (note this is soft law). From a data protection standpoint, it is worth mentioning the following:

  • as regards non-medical staff participating in the transmission or reception of data, the practitioner must ensure that these professionals are adequately trained and competent to ensure appropriate use of telemedicine and to safeguard medical confidentiality;
  • the practitioner must ensure that the security measures established to protect patient confidentiality are applied;
  • the practitioner should use telemedicine only after ensuring that the team in charge of telemedicine ensures a sufficiently high level of quality, operates appropriately, and complies with the stipulated standards;
  • the practitioner should have support systems and use quality control and evaluation procedures to monitor the accuracy and quality of the information received and transmitted;
  • the practitioner should only use telemedicine after ensuring that the system used and its users guarantee medical confidentiality, namely through encryption of names and other identifying data; and
  • computer-based methods of storage and transmission of patient data should only be used when sufficient measures have been taken to protect the confidentiality and security of the information recorded or exchanged.

Electronic Health Records

There are no specific laws governing electronic health records ('EHR') in Portugal and, as a result, the general legislation on data protection, and in particular on health data, is applicable.

There is also no express definition of EHR in Portuguese legislation. However, the definition of health records contained in the Genetic Law also covers records in 'electronic format', i.e. health records are defined independently of their format.


João Peixe Senior Associate
[email protected]
Vasconcelos Arruda & Associados, Lisbon