General Data Protection Regulation (GDPR)

🇵🇹 General Data Protection Regulation in Portugal

A comprehensive guide to General Data Protection Regulation compliance for organisations operating in Portugal. Understand local enforcement, the national data protection authority, key focus areas, and notable enforcement actions.

About General Data Protection Regulation

The EU's landmark data protection law that governs how organisations collect, store, process, and transfer personal data of individuals in the European Economic Area.

Effective: 25 May 2018
Max penalty: €20,000,000 or 4% of annual global turnover

General Data Protection Regulation Enforcement in Portugal

Portugal's CNPD was one of the first data protection authorities in Europe, established in 1994. The Portuguese GDPR implementation law (Lei 58/2019) includes specific provisions on employee consent (generally not considered valid in employment relationships), processing for public interest, and research exemptions. The CNPD has been particularly notable for its independent stance on certain GDPR interpretations, including its 2022 decision ordering the Portuguese National Institute of Statistics to stop transferring census data to the US in the wake of Schrems II. The CNPD has also scrutinised government digital services and health data processing. Portugal sets the age of digital consent at 13, the lowest in the EU.

Data Protection Authority

Comissão Nacional de Proteção de Dados (CNPD)

Key Enforcement Focus Areas in Portugal

  • International data transfers (post-Schrems II enforcement)
  • Government digital services and census data
  • Employee data protection and consent validity
  • Health data processing
  • Statistical and research data processing

Notable Enforcement Actions in Portugal

Instituto Nacional de Estatística (INE)

€4,300,000 (2022)

Census 2021 data transfer to Cloudflare in the US without adequate safeguards under Schrems II

Centro Hospitalar Barreiro Montijo

€400,000 (2018)

Allowing non-medical staff access to patient records — 985 active doctor profiles but only 296 actual doctors

Câmara Municipal de Lisboa

€1,250,000 (2022)

Disclosing personal data of protest organisers and activists to foreign embassies without legal basis

TAP Air Portugal

€1,200,000 (2023)

Failure to implement adequate security measures preventing a data breach affecting 1.5 million customers

Disclaimer: The information on this page is for educational purposes and does not constitute legal advice. For specific compliance guidance, consult a qualified legal professional in your jurisdiction.
