Portugal: Privacy and Data Protection-related Laws

For EU’s GDPR regulation, please visit Europe: Privacy and Data Protection-related Laws.

The provisions of Directive 95/46/EC on data protection (Data Protection Directive) were implemented into Portuguese law through Law 67/98 of 26 October 1998 (Data Protection Act). The fundamental principles and guarantees on personal data protection are also set out in the Portuguese Constitution (Article 35 on the use of computerised data). In Portugal, the Data Protection Act (DPA) applies to both public and private entities.

Video surveillance and other forms of personal data collection, processing and broadcasting consisting of sound or image also fall with the definition of personal data processing and are subject to the DPA’s provisions, whenever the controller is established in Portugal or uses a network access provider established in Portuguese territory.

The provisions of the DPA also apply to the processing of personal data regarding public security, national defence and state security, without prejudice, however, to any special rules set out in international law instruments to which Portugal is bound or any specific domestic laws.

The Data Protection Act (DPA) defines personal data as “any information relating to an identified or identifiable natural person, regardless of its support, including sound and image”. A natural person is deemed to be identifiable when he/she can be directly or indirectly identified, including by reference to an identification number or to one or more features that are specific to his/her physical, physiological, mental, economic, cultural or social identity.

All operations qualifying as personal data processing are covered by the provisions of the Data Protection Act. These include all operations performed upon personal data (whether or not my automatic means). This includes data collection, recording, organisation, storage, data adaptation or alteration, data retrieval, data consultation, use and data disclosure by transmission, dissemination or by any other means of making data available as well as data alignment or combination and data blocking, erasure or destruction.

The provisions of the Data Protection Act (DPA) cover the processing of personal data carried out by entities located within Portuguese territory or where Portuguese law applies by virtue of international public law.

The provisions of the DPA also apply to the processing of personal data carried out by entities established outside the EU that use a means of automated or non-automated processing that is located within Portuguese territory. The only exclusion being cases where such means or equipment, although located in Portugal, serves only for mere data transit purposes to allow data to pass through the country.

The main obligation on data controllers to ensure that data is processed properly derives from the following principles, which are explicitly set out in the Data Protection Act:

Personal data must be:

  • Processed lawfully and fairly (subject to a bona fide principle rule).
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  • Adequate, relevant and non-excessive for the purposes for which they are collected and subsequently processed.
  • Accurate and, where necessary, updated. Reasonable steps must be taken to ensure that where personal data is inaccurate or incomplete (having regard to the purposes for which they were collected or further processed) is erased or rectified.
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data was collected or subsequently processed.

The data controller must also ensure that personal data is processed in a manner that ensures appropriate security of the data, including protecting the data against unauthorised or unlawful processing and against accidental loss, destruction or damage, by using the appropriate technical or organisational measures.

Data controllers must put in place appropriate technical and organisational measures to protect data against:

  • Accidental or unlawful destruction.
  • Accidental loss or alteration.
  • Unauthorised disclosure or access.
  • Any other unlawful forms of processing.

The level of security required must be appropriate in view of the risks represented by the relevant processing activity and the nature of the data being processed. The appropriateness of this is measured taking into account the state of the art and the cost required for their implementation.

Data subjects can request the deletion of their data if the data being processed is incomplete or inaccurate, or where the data is being processed in terms that are not compatible with legitimate grounds and purposes of the data controller. Companies and any other categories of data controllers can transfer data they process within the territory of EU member states and EEA member countries. However, transfers outside the EU/EEA is restricted. Under the Data Protection Law, there is no requirement to store any type of personal data in Portugal.


Previous Section Next Section

Have a comment, edit, or item to add? Share your thoughts by commenting below!

comments powered by Disqus