Data Protection & Privacy in Portugal

May 21, 2025

A Practical Guide for International Businesses

Overview

Portugal follows the EU General Data Protection Regulation (GDPR), which has been directly applicable since 2018. This EU-wide legislation is supplemented domestically

The Portuguese Constitution enshrines data protection as a fundamental right, reinforcing strong privacy protections under national and EU law.

Supervisory Authority: CNPD

The Comissão Nacional de Proteção de Dados (CNPD) is the independent national authority responsible for:

  • Monitoring compliance with the GDPR and local laws
  • Issuing guidance and opinions
  • Investigating complaints and data breaches
  • Imposing administrative fines

The CNPD is empowered to conduct audits and take enforcement action.

Data Subject Rights

In line with the GDPR, individuals in Portugal have the right to:

  • Access their personal data
  • Request correction or deletion
  • Object to processing
  • Exercise data portability
  • Restrict processing
  • File a complaint with the CNPD

Under Portuguese law, certain rights may be restricted when data is processed for public interest, scientific research, statistical purposes, or archiving.

Whistleblowing regimes are also recognized under Portuguese law, which provides broader grounds for limiting data subject rights in this context.

Research & Data Retention

Under Portuguese law, there are expanded legal grounds for limiting access, rectification, and erasure when processing data for scientific or statistical purposes. These must be necessary and proportionate.

DPO Requirements

Private entities must appoint a Data Protection Officer (DPO) where required by Article 37 GDPR. The DPO must have the technical and professional capacity to fulfill their duties.

Enforcement & Sanctions

The CNPD actively enforces GDPR compliance across both public and private sectors.

Administrative fines under the GDPR can reach up to €20 million or 4% of annual global turnover, whichever is higher.

Obligations for Non-EU Businesses

Any non-EU business that:

  • Offers goods or services to individuals in Portugal (even free of charge), or
  • Monitors individuals’ behavior (e.g., via cookies, profiling, analytics)

must comply with the GDPR and appoint an EU representative under Article 27.
This representative acts as a contact point for supervisory authorities and data subjects.

Appointment of a Data Protection Officer in Portugal

The Data Protection Officer (DPO) role is mandated by the GDPR and by Portuguese law.

A DPO is essential for ensuring legal compliance and governance over personal data processing.

Mandatory Appointment Criteria

A DPO must be appointed if the organization:

  • Is a public authority or body (excluding courts acting in a judicial capacity);
  • Engages in large-scale, regular and systematic monitoring of individuals;
  • Processes special categories of data (e.g., health, biometrics, racial origin, political opinions) on a large scale.

Key Responsibilities of the DPO

  • Inform and advise on GDPR and national compliance obligations
  • Monitor internal compliance (e.g., audits, policies, training)
  • Advise on Data Protection Impact Assessments (DPIAs)
  • Act as the point of contact with the CNPD
  • Be accessible to both data subjects and internal stakeholders

DPO Qualification and Independence

A DPO must:

  • Have expert knowledge of data protection laws and practices
  • Understand the organization’s operations and processing activities
  • Act independently, with no conflict of interest (i.e., not involved in determining the purpose or means of processing)

The DPO may be:

  • An internal employee, or
  • An external service provider (e.g., a law firm)

Notification and Disclosure Requirements

Organizations must formally appoint the DPO and notify the CNPD via its online portal. The notification must include:

  • Full name of the DPO
  • Contact details
  • Whether the appointment is internal or external

The DPO’s identity and contact information must be publicly accessible, such as in the organization’s privacy policy.

Conclusion

Appointing a Data Protection Officer is not only a regulatory obligation but also a strategic compliance measure.
In Portugal, failure to appoint or empower a DPO when required can lead to enforcement action by the CNPD.

Our Assistance

At GFDL Advogados, we provide end-to-end support for clients in determining whether a DPO is required, selecting qualified candidates, formalizing their appointment, and notifying the CNPD.

Our team also offers outsourced DPO services for SMEs and non-EU companies.

Disclaimer

This publication or document contains general information and is not intended to be comprehensive nor to provide legal or tax advice or services. It should not be acted upon, relied upon, or used as a basis for any decision or action that may affect you or your business. Professional legal advice should be requested for specific cases. We do not undertake any continuing obligation to advise on future legal amendments or of the impact on the conclusions herein. Prior results do not guarantee a similar outcome. The contents of this publication or document may not be reproduced, in whole or in part, without the express consent of GFDL Advogados.

Written by GFDL Advogados

GFDL Advogados is an international law firm based in Lisbon. We advise corporations and individuals with complex needs and innovative projects. www.gfdl.legal