Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Portugal: Overview of Vendor Privacy Contracts

Xanya69 / Essentials collection /

September 2021

1. Governing Texts

1.1. Legislation

  • The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). For requirements under the GDPR, please see our EU - Vendor Privacy Contracts Guidance Note, or select 'EU' within the Comparison tool
  • Law No. 59/2019, which Ensures the Implementation in the National Legal Order of the General Data Protection Regulation (Regulation (EU) 2016/679) on the Protection of Individuals with Regards the Processing of Personal Data and the Free Movement of Such Data (only available in Portuguese here) ('the Law').
  • The Labour Code (only available in Portuguese here).

1.2. Regulatory authority guidance

The European Data Protection Board ('EDPB') has released:

The Portuguese data protection authority ('CNPD') has not issued guidance on vendor privacy contracts.

1.3. Regulatory authority templates

The European Commission has released the following decisions on standard contractual clauses ('SCC') for transfers of personal data to jurisdictions outside of the EU/EEA:

The Article 29 Working Party ('WP29') released the following documents, which have been endorsed by the EDPB:

The CNPD has not issued any templates on vendor privacy contracts so far.

2. Definitions

Data controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law (Article 4(7) of the GDPR).

Data processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8) of the GDPR).

3. Contractual Requirements

3.1. Are there requirements for a contract to be in place between a controller and processor?

Article 23(4) of the Law provides that engaging processors to process personal data on a controller's behalf must be governed by a written contract or other legal act.

3.2. What content should be included?

Article 23(4) of the Law provides that the contract, or other legal, should set out the object, duration, nature and purpose of the processing, types and categories of personal data as well as the obligations and rights of the party responsible for the processing the personal data.

In particular, Article 23(5) details that the contract, or other legal act, should provide that the processor:

  • only acts in accordance with the instructions of the controller;
  • ensures that persons authorised to process personal data make a confidentiality commitment or are subject to confidentiality obligations;
  • provides assistance to the controller by all appropriate means to ensure compliance with the provisions in relation to data subject rights;
  • after completing the processing services, permanently delete or return the data to the controller, upon the controller's choice, and delete existing copies, unless their conservation is required by law;
  • provides the controller with the information necessary to demonstrate compliance with the provisions of Article 23 of the Law;
  • respects the conditions referred to in Articles 25(2) and (3) of the Law in relation to the hiring of sub-contractors; and
  • adopts the appropriate technical and organisational measures to ensure the protection of personal data, taking into account the principle of data protection by design and by default.

Moreover, Articles 10(2) and 25 of the Law provide that processors are bound by a duty of confidentiality and professional secrecy.

4. Data Subject Rights Handling & Assistance

4.1. Are processors required to assist controllers with handling of data subject requests?

Similarly, Article 23(5)(c) of the Law provides that the processor should assist the controller by all appropriate means to ensure compliance with the provisions in relation to data subject rights.

For further information see Portugal – Data Subject Rights.

For further information on data subject rights under the GDPR see EU-GDPR Data Subjects Rights.

5. Processor Recordkeeping

5.1. Are processors required to keep records of their processing activities?

Article 27(1) of the Law provides that the controller and processor keep processing activities in automated chronological records in respect of the following processing operations:

  • collection;
  • change;
  • consultation;
  • disclosure, including data trasnfers;
  • interconnection;
  • erasure; and
  • limitation of treatment, including start and end dates of the limitations.

Furthermore, Article 27(2) of the Law provides that the records of consultation and dissemination operations must show:

  • the purposes behind each;
  • the data and time of these operations;
  • identification of the person who consulted or disclosed the personal data; and
  • the identity of the recipients of personal data, where possible.

6. Security Measures

6.1. Are processors required to implement specific security measures? If so, what measures must be implemented?

Article 31 of the Law provides that the controller and processor must adopt technical and organisational measures appropriate to ensure an adequate level of security appropriate to the risk.

In particular, Article 31(2) of the Law specifies that in relation to automated data processing, the person responsible for the processing (controller or processor) shall implement measures that:

  • prevent access by unauthorised persons to the equipment used for processing personal data;
  • prevent data carriers from being read, copied, altered, or removed without authorisation;
  • prevent unauthorised entry of personal data as well as any unauthorised operations in relation to retained personal data;
  • prevent automated processing systems from being used by unauthorised users;
  • ensure persons authorised to use automated processing systems only have access to the personal data necessary;
  • ensure that it can be verified and determined to which bodies personal data may be transmitted or provided;
  • ensure personal data can be verified and determined before its introduced into an automated processing system, including the time and source of their introduction;
  • prevent the ability to read, copy, alter, or delete data without authorisation during the transfer of personal data;
  • ensure that systems used can be restored/recovered in the event of an interruption; and
  • ensure that system functions work without operating errors and are reliable, and that personal data stored cannot be falsified by system malfunction to safeguard its integrity.

7. Breach Notification

7.1. Are processors under an obligation to notify controllers in the event of a data breach? If so, are there timeframe and content requirements?

There are no national variations. For more information see Portugal - Data Breach

For further information on breach notifications under the GDPR, see EU – GDPR – Data Breach.

8. Subprocessor

8.1. Are subprocessors regulated? If so, what obligations are imposed?

The data processor may not use a subprocessor without the prior specific or general authorisation, in writing, from the data controller, except in cases where sub-processing is provided for by law (Article 23(3) of the Law).

9. Cross-Border Transfers

9.1. Do transfer restrictions apply to processors? If so, what restrictions and what exemptions apply?

There are no national variations. For more information see Portugal - Data Transfers.

Following the publication of the CJEU's judgment C-311/18 Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems ('Schrems II') on 16 July 2020, which generally validated the SCCs while invalidating the EU-US Privacy Shield data transfer certification mechanism, the EDPB has released its Recommendations on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data, as well as complementary Recommendations on the European Essential Guarantees for Surveillance Measures, aimed to assist controllers and processors to 'verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.'

For further information on data transfers under the GDPR, see EU – GDPR – Data Transfers.

10. Regulatory Assistance

10.1. Are processors required to assist controllers with regulatory investigations?

Article 30(1) of the Law provides that the controller or processor should consult the supervisory authority before processing personal data in the following cases:

  • a DPIA, pursuant to Article 29(1) of the Law, indicates that the processing would result in a high risk, in the absence of adequate measures to mitigate that risk; and/or
  • the type of processing involves a high risk to the rights, freedoms, and guarantees of data subjects, particularly if new technologies are being used.

11. Processor DPO / Representative

11.1. Are processors required to appoint a DPO / representative?

Data protection officer ('DPO')

There are no national variations. For more information see Portugal - Data Protection Officer Appointment.

For further information on DPOs under the GDPR, see EU - Data Protection Officer Appointment.


There are no national variations.

12. Supervision & Monitoring

12.1. Are controllers obliged to supervise or monitor processors' compliance with the law and contract?

There are no national variations.

Authored by OneTrust DataGuidance

DataGuidance's Privacy Analysts carry out research regarding global privacy developments, and liaise with a network of lawyers, authorities and professionals to gain insight into current trends. The Analyst Team work closely with clients to direct their research for the production of topic-specific Charts.