Data Protection – Portuguese GDPR Implementing Law

Data Protection – Portuguese GDPR Implementing Law

On 9 August 2019, the following acts entered into force: (i) Law No. 58/2019, of 8 August (the “Implementing Law”), with the purpose of implementing the General Data Protection Regulation (“GDPR”), and (ii) Law No. 59/2019, of 8 August (“Law 59/2019”).

(i) Implementing Law

With the Implementing Law, the national lawmaker introduced some novelties and details regarding the rules resulting from the GDPR, in force in Portugal (as in the remaining European Economic Area) since 25 May 2018.

In addition to the revocation of the former personal data protection law, Law No. 67/98, of 26 October (“LPDP”), and the amendment and republication of the law on the organization and operation of the National Data Protection Commission (“CNPD”), Law No. 43/2004, of 18 August, the Implementing Law sets out the following:

  1. It is made clear that CNPD is the national supervisory authority for the purposes of such law and the GDPR.
  2. The Portuguese Institute of Accreditation (“IPAC, I.P.”) is granted the competence for the accreditation of data protection certification bodies.
  3. Certain aspects of the performance of the duties of Data Protection Officer (“DPO”) are regulated, with the relevant professional certification not being required and surviving duty of confidentiality to the departure from office. Certain competences of the DPO are further specified, namely (a) ensuring audits, (b) making users aware of security issues and (c) ensuring relationships with data subjects, and the designation of a DPO in public entities is furthermore made mandatory.
  4. The minimum age for consent of minors in the context of direct provision of information society services is set at 13 years, without the need for intervention by the holders of their parental responsibilities (to be noted that this rule is not applicable in other domains, with the general rule of majority being applicable in such other scenarios).
  5. The scope of protection of personal data of deceased persons (including data of special categories, data related to the intimacy of the private life or to the image or communication data) is specified, as is the exercise of rights relating thereto by those designated by the data subject or, in their absence, by their heirs.
  6. It is made clear that the right to data portability only encompasses the data provided by the relevant data subjects and that the portability shall be processed in an open format, if possible.
  7. Limits are set on video surveillance systems for the protection of persons and property, notwithstanding other legal rules regarding their use, in particular for reasons of public security; said limits broadly correspond to the conditions set out by CNPD in the grant of authorisations under LPDP. Sound capture is prohibited, except during the shutdown period of the monitored facilities or subject to CNPD’s authorisation.
  8. The exercise of rights of information and access to personal data within the scope of the GDPR is limited when the controller or processor is legally bound by a duty of secrecy that may be invoked against the data subject.
  9. Specific rules are retained for storage of data, and the exercise of the right to erasure under the GDPR is limited where there is a legally fixed deadline for storage of data.
  10. Limitations apply to the protection of personal data when they are processed for journalistic, academic, artistic or literary expression purposes, public interest archives, scientific or historical research or statistical
  11. The regime for the publication of personal data in the official gazette and in the context of public procurement is clarified.
  12. A differentiated regime for the protection of personal data is provided for when public entities are concerned, which may process personal data for purposes other than those which justified their collection, insofar said processing is exceptional and duly predicated in the public interest, and it is foreseen that they may, by means of reasoned petition, request for CNPD to waive fines for a period of three years from the entry into force of the Implementing Law, although they are also subject to the sanctioning regime.
  13. As regards employment relations, the Implementing Law sets out the conditions under which personal data may be processed without the consent of employees, the use of data recorded via remote surveillance systems (including video surveillance) is limited to criminal proceedings and processing of biometric data is limited to the control of attendance and access to facilities.
  14. Certain aspects of the processing of health and genetic data are governed, providing for certain cases (notably for purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services) where access to data shall exclusively be done electronically, except for technical impossibility or express indication of the data subjection otherwise. It is further set out the obligation to notify the data subject of any access to his or her personal data, being the processor responsible to ensure the availability of said mechanism of traceability and notification. Lastly, the processing of health and genetic data is subject to minimum technical safety requirements to be regulated by government ordinance.
  15. The minimum amounts of the fines are set out, depending on whether the offender is a natural person, a SME or a large company, and may vary from €500 for serious offenses committed by natural persons to €20,000,000 or 4% of the total worldwide annual turnover, whichever is higher, in the case of very serious breaches by large companies. It should be noted that, except in case of wilful misconduct, the commencement of an infringement proceeding depends on the CNPD’s prior warning of the agent to comply with the omitted obligation or reinstate the ban violated within a reasonable time.
  16. Similarly to the regime under LDPD, crimes are also typified, with penalties of up to 4 years imprisonment or a fine of 480 days, namely (i) use of data inconsistent with the purpose of collection, (ii) improper access, (iii) misuse of data (iv) data misrepresentation or destruction, (v) false data entry, (vi) breach of confidentiality duty and (vii) disobedience.
  17. Lastly, within the scope of the transitional and final provisions, the Implementing Law expressly refers that when the processing of data ongoing on the effective date of said law is based on the data subject’s consent, no further consent shall be required, insofar said consent is compliant with GDPR’s requirements.


(ii) Law 59/2019

As regards Law 59/2019, which adopts rules on the processing of personal data for the purpose of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, transposing Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016, it should be noted the prohibition of decisions taken solely on the basis of automated processing, including profiling, except where authorized by law.

Espanha e Associados created a team, within its corporate department, dedicated to advising clients on the fulfilment of their obligations in respect of data protection. Please contact us should you require detailed information on these matters.

Rita Beirôco

Rita Beirôco

Founding Partner/Lawyer