-
Please provide an overview of the legal and regulatory framework governing data protection, privacy and cybersecurity in your jurisdiction (e.g., a summary of the key laws; who is covered; what sectors, activities or data do they regulate; and who enforces the relevant laws).
In Portugal, data protection and cybersecurity are governed by a combination of European Union regulations and national legislation. The key elements of this framework are as follows:
The General Data Protection Regulation (GDPR) has direct effect in Portugal and constitutes the main legal framework governing the processing of personal data.
The Portuguese Data Protection Law (Law No. 58/2019) implements and supplements the GDPR in Portugal.
GDPR and national data protection law apply to both public and private entities across all sectors processing personal data. According to the Portuguese Data Protection Law, the personal data of deceased persons are protected under the GDPR and national law when such data fall within the special categories of personal data, or when they relate to the intimacy of private life.
Moreover, Law No. 41/2004, as amended, transposes the EU ePrivacy Directive and governs privacy in the context of electronic communications.
Article 35 of the Constitution of the Portuguese Republic provides a constitutional basis for privacy and data protection in Portugal.
Portugal has also adopted several international instruments relevant to the protection of personal data, such as Convention 108, the European Convention on Human Rights, and the Charter of Fundamental Rights of the European Union, Articles 7 and 8 of which protect the right to respect for private and family life and the right to the protection of personal data.
Law No. 46/2018 transposes the EU Directive on Security of Network and Information Systems (NIS Directive) and establishes the Legal Framework for Cyberspace Security, which is complemented by Decree-Law No. 65/2021.
The Legal Framework for Cyberspace Security applies to public administration entities, operators of critical infrastructure, operators of essential services, digital service providers, and any other entities that use information networks and systems.
As for the national competent authorities, the National Cybersecurity Centre (CNCS) acts as the operational coordinator and national authority in cybersecurity in relation to entities within the scope of the NIS Directive and, in the future, of the NIS2 Directive. CNCS oversees cybersecurity matters and enforces the obligations of relevant entities under the Legal Framework for Cyberspace Security.
Comissão Nacional de Proteção de Dados (CNPD) is the Portuguese Data Protection Authority. It is an independent public authority responsible for supervising and enforcing the application of data protection laws, including the GDPR and Law No. 58/2019.
-
Are there any expected changes in the data protection, privacy or cybersecurity landscape in 2025 - 2026 (e.g., new laws or regulations coming into effect, enforcement of such laws and regulations, expected regulations or amendments)?
Portugal is in the process of transposing the EU Directive 2022/2555 (NIS2) into national law.
The Digital Operational Resilience Act (DORA) has applied since 17 January 2025. It requires banks, insurance companies, investment firms and other financial entities to take a proactive stance in protecting their information security assets and to be able to withstand, respond to and recover from ICT (Information and Communication Technology) disruptions, such as cyberattacks or system failures.
The Portuguese Government has submitted to Parliament a draft law which aims to define the national implementing rules for the DORA Regulation, designates the Bank of Portugal, the CMVM and the Insurance and Pension Funds Supervisory Authority (ASF) as the competent supervisory authorities, and sets out the applicable sanctioning regime.
-
Are there any registration or licensing requirements for entities covered by these data protection and cybersecurity laws, and if so what are the requirements? Are there any exemptions? What are the implications of failing to register / obtain a licence?
There are no general registration or licensing requirements for controllers or processors operating in Portugal under the GDPR or the Portuguese Data Protection Law. Entities that are obliged to designate a Data Protection Officer (DPO) under the GDPR must communicate the contact details of the DPO to the supervisory authority. While this is not a licensing requirement, it is mandatory for compliance.
The Legal Framework for Cyberspace Security establishes several obligations. These include the requirement for entities in scope to notify CNCS of the commencement of their activities. The law also requires the notification of security incidents—some of which are mandatory, while others are optional—as well as the submission of additional information when requested.
Moreover, certain entities are obliged to submit a list of their assets, communicate the appointment of a permanent point of contact and a security officer, and send an annual cybersecurity report. Failure to comply with the notification obligations constitutes a serious administrative offence punishable by a fine of EUR 1,000 to EUR 3,000 in the case of natural persons, and EUR 3,000 to EUR 9,000 in the case of legal persons.
The new Legal Framework for Cyberspace Security (which will transpose the NIS2 Directive) requires entities in scope to self-qualify and register as either essential entities or important entities under that framework. Failure to make such notifications may be punishable with fines of up to EUR 5,000,000 or 1% of annual turnover, whichever is higher.
-
How do the data protection laws in your jurisdiction define “personal data,” “personal information,” “personally identifiable information” or any equivalent term in such legislation (collectively, “personal data”)? Do such laws include a specific definition for special category or sensitive personal data? What other key definitions are set forth in the data protection laws in your jurisdiction (e.g., “controller”, “processor”, “data subject”, etc.)?
In Portugal, the key definitions related to data protection are primarily derived from the GDPR.
-
What principles apply to the processing of personal data in your jurisdiction? For example: is it necessary to establish a “legal basis” for processing personal data?; are there specific transparency requirements?; must personal data only be kept for a certain period? Please provide details of such principles.
The principles governing the processing of personal data are those set forth in Article 5 of the GDPR. Accordingly:
(i) Lawfulness (Article 5(1)(a) GDPR): Processing must rest on a valid legal basis. Article 6 GDPR provides an exhaustive list of such bases, while Article 9 GDPR sets out additional requirements for the processing of special categories of personal data.
(ii) Fairness (Article 5(1)(a) GDPR): Personal data must be handled in a manner that individuals could reasonably expect, ensuring that the processing does not create unjustified or disproportionate effects for data subjects.
(iii) Transparency (Article 5(1)(a) GDPR): Data subjects must be provided with clear and accessible information regarding the processing, using plain and intelligible language. This principle is further detailed in Articles 13 and 14 GDPR.
(iv) Purpose limitation (Article 5(1)(b) GDPR): Personal data may only be collected for specified, explicit, and legitimate purposes. The purpose must be determined before processing begins, and subsequent processing purposes incompatible with the original intent are prohibited.
(v) Data minimisation (Article 5(1)(c) GDPR): Only the personal data strictly necessary to achieve the stated purpose may be collected and processed.
(vi) Accuracy (Article 5(1)(d) GDPR): Personal data must be accurate and, where necessary, kept up to date. Inaccurate data must be rectified or erased without delay.
(vii) Storage limitation (Article 5(1)(e) GDPR): Personal data may not be retained in a form permitting the identification of data subjects for longer than is necessary for the purposes pursued.
(viii) Integrity and confidentiality (Article 5(1)(f) GDPR): Personal data must be processed securely, ensuring protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage. This obligation encompasses not only technical safeguards but also appropriate physical and organisational security measures.
According to Portuguese law, specifically Article 21 of the Portuguese Data Protection Law, which ensures the implementation of the GDPR in Portugal, the retention period of personal data must align with the duration established by legal or regulatory provisions or, in the absence of such provisions, with the period necessary to fulfil the purpose of the processing.
When, due to the nature and purpose of the processing—namely for archiving in the public interest, scientific or historical research purposes, or statistical purposes—it is not possible to determine in advance the point at which the data is no longer needed, the retention of personal data is lawful, provided that appropriate technical and organisational measures are adopted to safeguard the rights of data subjects, particularly the provision of information regarding the retention.
Additionally, when personal data is necessary for the controller or the processor to demonstrate compliance with contractual or other obligations, it may be retained until the expiration of the corresponding limitation period for such rights.
When the purpose for processing personal data, either initial or subsequent, no longer applies, the controller must proceed with the destruction or anonymisation of the data. In cases where a data retention period is imposed by law, the right to erasure provided in Article 17 of the GDPR can only be exercised once that period has expired.
Finally, data related to contribution declarations for retirement or pension purposes may be retained indefinitely to assist the data subject in reconstructing their contribution history, provided that adequate technical and organisational measures are in place to protect the rights of the data subject.
-
Are there any circumstances for which consent is required or typically obtained in connection with the processing of personal data? What are the rules relating to the form, content and administration of such consent? For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?
Consent is one of the lawful grounds for the processing of personal data, as established under Article 6(1)(a) and Article 9(2)(a) of the GDPR.
Accordingly, the processing of personal data is lawful where the data subject has consented in a manner that meets the requirements for valid consent, as defined in Article 4(11) and further detailed in Articles 7 and 8 of the GDPR. For consent to be valid, it must be freely given, specific, informed and an unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
In this context, consent is not always an appropriate legal basis for all types of data processing. Where the conditions for valid consent are unlikely to be met, particularly when the data subject is unable to make a decision free from social, financial, psychological or other forms of pressure, the requirement that consent be "freely given" is not satisfied and consent would not be valid. As the EDPB Guidelines 05/2020 on consent ("EDPB Guidelines on Consent") highlight, relying on consent is generally inappropriate in certain contexts, including the following:
(i) Exercise of public authority – according to Recital 43 of the GDPR, consent cannot usually substitute the legal basis provided under Article 6(1)(e) for the lawful processing of personal data by public authorities. This is due to the inherent imbalance between public authorities and individuals, which compromises the freedom of consent.
(ii) Employment context – consent is often not a valid legal basis due to the imbalance of power between employer and employee. Processing in this context will usually rest on another basis, such as legitimate interests under Article 6(1)(f); it cannot simply be replaced by employee consent, since such consent is unlikely to be truly freely given, an essential condition for validity under the GDPR; and
(iii) Bundling – "bundling" consent with acceptance of terms or conditions, or "tying" the provision of a contract or a service to a request for consent to process personal data that are not necessary for the performance of that contract or service, is considered highly undesirable. Consent given in such a situation is presumed not to be freely given (Recital 43).
In addition, often, there is no need to rely on consent because Articles 6(1)(b) to (e) of the GDPR provide suitable legal bases for several processing activities.
Consent is the preferred legal basis for certain types of processing activities. This includes, most notably:
(i) Direct marketing – Electronic Communications Law (which transposed the e-Privacy Directive), as amended, establishes a narrow legal basis for direct marketing on which controllers can rely. Specifically, senders must obtain consent from data subjects before sending direct marketing communications.
(ii) Placement of non-essential cookies – Under the Electronic Communications Law, websites must obtain prior and informed consent before storing cookies or similar technology on users' terminal equipment. Such consent must meet GDPR standards: it must be freely given, specific and informed, and must consist of an indication of the data subject's wishes, either through a statement or a clear affirmative action. Websites are required to provide detailed information about cookies, including their types, function, duration, and the identification of any third parties storing cookies.
In addition, with regard to the offer of information society services directly to a child, the processing of personal data based on consent is lawful where the child is at least 13 years old, in accordance with Article 16(1) of the Portuguese Data Protection Law. Where the child is under the age of 13, processing is only lawful if consent is provided by the child’s legal representatives, preferably through secure means of authentication, as set out in paragraph 2 of the same provision.
Furthermore, under Article 9(2)(a) of the GDPR, special categories of personal data may only be processed on the basis of consent if explicit consent has been given. Explicit consent means that the data subject must give an express statement of consent.
Under Article 7(1) GDPR, where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
The GDPR does not prescribe the form or shape in which information must be provided in order to fulfil the requirement of informed consent. This means valid information may be presented in various ways, such as written or oral statements, or audio or video messages. However, the GDPR puts several requirements for informed consent in place, predominantly in Article 7(2) and Recital 32. This leads to a higher standard for the clarity and accessibility of the information.
For consent to be informed, the data subject must be told of the elements that are crucial to making a choice. Independently of the transparency requirements controllers must fulfil under Articles 13 and 14 of the GDPR, the EDPB takes the view in the EDPB Guidelines on Consent that, at a minimum, the following information is required for obtaining valid consent: (i) the controller's identity; (ii) the purpose of each of the processing operations for which consent is sought; (iii) what (type of) data will be collected and used; (iv) the existence of the right to withdraw consent; (v) information about the use of the data for automated decision-making in accordance with Article 22(2)(c), where relevant; and (vi) information on the possible risks of data transfers due to the absence of an adequacy decision and of appropriate safeguards as described in Article 46.
According to Article 7(2) of the GDPR, if the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. According to the EDPB Guidelines on Consent, this requirement essentially means that information relevant to making an informed decision on whether to consent may not be hidden in general terms and conditions.
Furthermore, according to the EDPB Guidelines on Consent, if consent is bundled up as a non-negotiable part of terms and conditions, it is presumed not to have been freely given. Accordingly, consent will not be considered free if the data subject is unable to refuse or withdraw his or her consent without detriment.
As mentioned in the EDPB Guidelines on Consent, a service may involve multiple processing operations for more than one purpose. In such cases, data subjects should be free to choose which purposes they accept, rather than having to consent to a bundle of processing purposes. As mentioned above, consent must be specific, and this requirement must be interpreted in line with the principle of granularity, which is also essential to ensure that consent is truly freely given. If consent is not obtained separately for each distinct purpose, it lacks granularity and, consequently, will not be considered valid under data protection law.
Finally, data subjects may withdraw their consent at any time. Article 7(3) of the GDPR requires the controller to ensure that consent can be withdrawn at any time and as easily as it was given.
-
What special requirements, if any, are required for processing particular categories of personal data (e.g., health data, children’s data, special category or sensitive personal data, etc.)? Are there any prohibitions on specific categories of personal data that may be collected, disclosed, or otherwise processed?
Article 9(1) of the GDPR establishes a general prohibition on the processing of special categories of personal data, that is, data considered particularly sensitive by the legislator due to its potential impact on individuals' rights and freedoms. In particular, data concerning health (Article 4(15) of the GDPR) is a special category of data.
However, Article 9(2) provides for exceptions to this prohibition, allowing processing when specific conditions are met. Accordingly, special categories of data may be processed if one of the following situations applies:
(i) The data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provides otherwise (paragraph a));
(ii) Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject (paragraph b));
(iii) Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent (paragraph c));
(iv) Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects (paragraph d));
(v) Processing relates to personal data which are manifestly made public by the data subject (paragraph e));
(vi) Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity (paragraph f));
(vii) Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject (paragraph g));
(viii) Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to certain conditions and safeguards (paragraph h));
(ix) Processing is necessary for reasons of public interest in the area of public health on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy (paragraph i)); or
(x) Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject (paragraph j)).
Article 9(3) sets out additional conditions and safeguards for when Article 9(2)(h) applies. Accordingly, personal data may be processed for those purposes when they are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under the applicable legislation, or by another person also subject to an obligation of secrecy under the applicable legislation, such as healthcare professionals or legal practitioners.
Finally, Article 9(4) gives Member States the discretion to introduce or maintain additional conditions or restrictions, particularly concerning the processing of genetic data, biometric data or data concerning health. On this matter, the Portuguese legislator, in Article 29 of the Portuguese Data Protection Law, established the following rules regarding genetic data and data concerning health:
(i) In the cases provided for in points (h) and (i) of Article 9(2) of the GDPR, the processing of genetic data and data concerning health must be carried out by a professional subject to secrecy obligations or by another person bound by a duty of confidentiality, and appropriate information security measures must be ensured (Article 29(2) of the Portuguese Data Protection Law);
(ii) Access to the data referred to in the previous paragraph shall be carried out exclusively by electronic means, except in cases of technical impossibility or if expressly indicated otherwise by the data subject. The subsequent disclosure or transmission of such data is prohibited (Article 29 (3) of the Portuguese Data Protection Law);
(iii) All office holders, employees, and service providers of the data controller responsible for processing genetic data and data concerning health, data protection officers, students and researchers in the fields of health and genetics, as well as all healthcare professionals who have access to health-related data, are bound by a duty of confidentiality. This obligation also extends to office holders and employees who, in the context of monitoring, funding, or supervising healthcare service provision, access such data (Article 29 (4) and (5) of the Portuguese Data Protection Law); and
(iv) The data subject must be notified of any access made to their personal data. It is the responsibility of the data controller to ensure the implementation of both a traceability mechanism and a notification mechanism (Article 29 (6) of the Portuguese Data Protection Law).
Children’s data are not classified as sensitive personal data by default. Nonetheless, the GDPR recognises that children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data (Recital 38 of the GDPR). In line with this principle, the GDPR – as further detailed by the Portuguese Data Protection Law – includes specific provisions concerning the processing of children’s data:
(i) As mentioned above, when consent applies as the legal basis and information society services are offered directly to a child, the processing of personal data is lawful if the child is at least 13 years old, in accordance with Article 16(1) of the Portuguese Data Protection Law. If the child is under 13, processing is only lawful with consent from the child's legal representatives, preferably obtained through secure means of authentication, as stipulated in Article 16(2). Additionally, Article 8(2) of the GDPR requires that the controller make "reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology."
(ii) According to Article 12(1) of the GDPR, data controllers must ensure that children and their legal guardians are clearly and appropriately informed about the processing of personal data. This information must be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language suitable for a child’s level of understanding. On this matter, the Article 29 Working Party Guidelines on Transparency highlight that where a data controller is targeting children or is, or should be, aware that their goods/ services are particularly utilised by children (including where the controller is relying on the consent of the child), it should ensure that the vocabulary, tone and style of the language used is appropriate to and resonates with children so that the child addressee of the information recognises that the message/ information is being directed at them.
-
Do the data protection laws in your jurisdiction include any derogations, exemptions, exclusions or limitations other than those already described? If so, please describe the relevant provisions.
Yes, the Portuguese Data Protection Law includes additional derogations and limitations beyond those already described. Two key provisions are particularly noteworthy:
(i) On processing for archiving, research, and statistical purposes – Pursuant to Article 31 of the Portuguese Data Protection Law, certain data subject rights—specifically the rights of access, rectification, restriction of processing, and objection, as provided under Articles 15, 16, 18, and 21 of the GDPR—may be restricted when personal data is processed for scientific or historical research purposes, statistical purposes, or archiving in the public interest. These limitations are allowed where the exercise of such rights is likely to render impossible or seriously impair the achievement of the intended purposes.
(ii) On freedom of expression, information and the press – Under Article 24 of the Portuguese Data Protection Law, the legislator established that the protection of personal data, in accordance with the GDPR, does not hinder the exercise of freedom of expression, information and the press. However, the exercise of freedom of information, particularly where it involves the disclosure of personal data falling within the categories listed in Article 9(1) of the GDPR, must respect the principle of human dignity and the personality rights enshrined in the Portuguese Constitution. Furthermore, paragraphs 3 and 4 of Article 24 clarify that the processing of personal data for journalistic purposes must comply with national laws governing access to and the practice of journalism, and that the right to freedom of expression does not legitimise the disclosure of personal data such as addresses and contact details, except where such information is already generally known.
-
Does your jurisdiction require or recommend risk or impact assessments in connection with personal data processing activities and, if so, under what circumstances? How are these assessments typically carried out?
Under the GDPR, organizations are expected to carry out risk assessments in relation to their personal data processing activities, particularly where such processing is likely to result in a high risk to the rights and freedoms of data subjects. In such cases, a data protection impact assessment (DPIA) must be conducted prior to commencing the processing, as required by Article 35 of the GDPR.
The GDPR sets out a non-exhaustive list of situations that may constitute high-risk processing, including (i) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (ii) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; and (iii) systematic monitoring of a publicly accessible area on a large scale. Where a DPO has been designated, the controller must seek the DPO's advice when carrying out the assessment (Article 35(2) of the GDPR).
In Portugal, CNPD has further clarified these obligations through Regulation no. 798/2018, which outlines specific types of processing that require a mandatory DPIA. These include, among others:
(i) Processing of information resulting from the use of electronic devices that transmit, via communication networks, personal data concerning health;
(ii) Interconnection of personal data or processing that links personal data as referred to in Article 9(1) or Article 10 of the GDPR, or other data of a highly personal nature;
(iii) Processing of personal data referred to in Article 9(1) or Article 10 of the GDPR, or data of a highly personal nature, based on indirect collection, where it is not possible or feasible to ensure the right to information in accordance with Article 14(5)(b) of the GDPR;
(iv) Processing of personal data that involves or consists of large-scale profiling;
(v) Processing of personal data that enables tracking of the location or behaviour of the data subjects (e.g., employees, customers, or even passers-by), resulting in their evaluation or classification, except where the processing is strictly necessary for the provision of services specifically requested by the data subjects;
(vi) Processing of data referred to in Article 9(1) or Article 10 of the GDPR, or other data of a highly personal nature, for purposes of archiving in the public interest, scientific or historical research, or statistical purposes, except where such processing is authorized and regulated by law that provides adequate safeguards for the rights of the data subjects;
(vii) Processing of biometric data for the unequivocal identification of data subjects who are considered vulnerable persons, except where such processing is authorised and regulated by law and preceded by a data protection impact assessment;
(viii) Processing of genetic data of vulnerable persons, except where such processing is authorised and regulated by law and preceded by a data protection impact assessment;
(ix) Processing of personal data as referred to in Article 9(1) or Article 10 of the GDPR, or of a highly personal nature, using new technologies or a new use of existing technologies.
According to the understanding expressed by CNPD on its official website regarding DPIAs, a DPIA is also mandatory when required by legislative or regulatory procedures that must be submitted to CNPD together with a formal request for an opinion (Article 18(4) of Law no. 43/2004, as amended).
Additionally, when relying on legitimate interests as a lawful basis for processing under Article 6(1)(f) of the GDPR, it is considered best practice for controllers to carry out a Legitimate Interests Assessment. This involves a balancing test to ensure that the controller’s interests do not override the rights and freedoms of the data subjects.
If personal data is being transferred to a third country outside the EEA not covered by an adequacy decision, a Transfer Impact Assessment (TIA) should be conducted. According to relevant case law (e.g., the Schrems II ruling, C-311/18 – Facebook Ireland and Schrems) and to EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, when relying on one of the transfer mechanisms under Article 46 of the GDPR it is necessary to assess whether the destination country ensures an equivalent level of data protection, or whether supplementary measures are required. This means assessing whether there is anything in the law and/or practices in force in the third country that may impinge on the effectiveness of the appropriate safeguards of the selected transfer tool in the context of the specific transfer.
Looking ahead, with the expected entry into force of the AI Act, certain categories of high-risk AI systems will be subject to additional risk assessment obligations, which must be carried out alongside data protection risk assessments.
-
Are there any specific codes of practice applicable in your jurisdiction regarding the processing of personal data (e.g., codes of practice for processing children’s data or health data)?
Under Article 15 of the Portuguese Data Protection Law, CNPD may issue codes of conduct or approve sectoral codes under Article 40 of the GDPR. In Portugal, although there are not yet sectoral codes of conduct formally approved under Articles 40 and 41 of the GDPR, CNPD has issued guidelines and recommendations regarding data processing in specific contexts, such as:
(i) On organisational and security measures applicable to the processing of personal data (CNPD guideline 1/2023);
(ii) On electronic communications for direct marketing (CNPD guideline 1/2022);
(iii) Regarding the processing of personal data in the context of smart electricity distribution networks (CNPD guideline 2/2019);
(iv) Regarding the processing of personal data in the context of electoral campaigns and political marketing (CNPD guideline 1/2019);
(v) Provision of personal data of students, teaching staff, and other workers on the websites of higher education institutions (CNPD guideline 1/2018);
(vi) Processing of personal data carried out in the context of clinical research (CNPD deliberation 1704/2015);
(vii) Principles applicable to the processing of personal data resulting from the monitoring of the use of communication technologies for private purposes in the employment context (CNPD deliberation 1638/2013);
(viii) Principles applicable to the processing of data for the purposes of preventive and curative medicine in the context of alcohol and drug testing of workers (CNPD deliberation 890/2010);
(ix) On call recording (CNPD deliberation 1039/2017);
(x) On the incompatibility of accumulating the functions of Data Protection Officer and Internal Reporting Officer (CNPD Guidance of 11.04.2023); etc.
-
Are organisations required to maintain any records of their data processing activities or establish internal processes or written documentation? If so, please describe how businesses typically meet such requirement(s).
Article 30 of the GDPR requires controllers, processors, and their representatives to maintain a record of their data processing activities. This record must be kept in writing, including in electronic form, be regularly updated, and made available to CNPD upon request.
According to Article 30(5) of the GDPR, the obligation to maintain a record of processing activities shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.
On 21 May 2025, the European Commission put forward a legislative proposal to amend Article 30(5) of the GDPR. The amendment seeks to broaden the scope of the existing derogation from the obligation to maintain records of processing activities. Specifically: (i) it extends the derogation, currently limited to SMEs, to small mid-cap enterprises (SMCs), defined as organisations with fewer than 750 employees; (ii) for both SMEs and SMCs, the obligation to keep records would arise only where the processing is likely to result in a high risk to the rights and freedoms of data subjects – thereby raising the threshold for when the exemption ceases to apply; and (iii) it further clarifies that the processing of special categories of personal data, in particular in the context of employment, social security, or social protection law under Article 9(2)(b) GDPR, would not automatically trigger the record-keeping obligation for the enterprises covered by this provision.
For controllers, that record shall contain all of the following information:
a. the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
b. the purposes of the processing;
c. a description of the categories of data subjects and of the categories of personal data;
d. the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
e. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
f. where possible, the envisaged time limits for erasure of the different categories of data;
g. where possible, a general description of the technical and organisational security measures referred to in Article 32(1) of the GDPR.
For processors, that record shall contain the following information:
a. the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
b. the categories of processing carried out on behalf of each controller;
c. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
d. where possible, a general description of the technical and organisational security measures referred to in Article 32(1) of the GDPR.
To support compliance with this obligation, particularly by micro, small, and medium-sized enterprises, CNPD provides standard templates that organisations may use for this purpose.
-
Do the data protection laws in your jurisdiction require or recommend data retention and/or data disposal policies and procedures? If so, please describe such requirement(s).
Article 5 of the GDPR establishes that personal data must be kept in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which the data is processed. While the GDPR does not specify exact retention periods, it requires controllers to determine appropriate time limits for the erasure of personal data and to conduct periodic reviews to assess whether continued retention is justified.
To demonstrate compliance with this requirement, it is strongly recommended that organisations implement a written data retention policy.
Furthermore, Article 21 of the Portuguese Data Protection Law governs the retention period of personal data. It states:
(i) The retention period for personal data is determined by law or regulation or, in the absence of such provisions, by what is necessary for the pursuit of the processing purpose. In this regard, it is important to highlight that certain pieces of Portuguese legislation impose minimum retention periods for specific categories of personal data, such as records relating to employees, correspondence sent and received, accounting records and related documents, etc.;
(ii) If, due to the nature and purpose of processing, such as for public interest archiving, scientific or historical research, or statistical purposes, it is not possible to determine in advance when the data will no longer be necessary, personal data may be retained, provided that appropriate technical and organisational measures are taken to ensure the rights of the data subject, particularly informing them of the retention;
(iii) When personal data is needed by the controller or the processor to demonstrate compliance with contractual or other obligations, the data may be retained until the corresponding limitation period expires;
(iv) Once the purpose for which the data was initially or subsequently processed has ceased, the controller must proceed with its destruction or anonymisation;
(v) When a statutory retention period applies, the right to erasure under Article 17 of the GDPR can only be exercised once that period has expired;
(vi) Data relating to contributory declarations for retirement or pension purposes may be retained indefinitely to assist the data subject in reconstructing their contributory history, provided that appropriate technical and organisational measures are in place to protect the rights of the data subject.
-
Under what circumstances is it required or recommended to consult with the applicable data protection regulator(s)?
Under Article 36 of the GDPR, the controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. Data processing may not begin until the CNPD has assessed the request.
In the context of the prevention, detection, and investigation of criminal offences or the prosecution of criminal offences, the DPIA must also be submitted for prior consultation with the CNPD, under the conditions laid down in Article 30(1) of the Portuguese Law No. 59/2019 of 8 August.
The request for prior consultation, which includes the CNPD’s review of the DPIA carried out by the data controller, is subject to the payment of a fee, in accordance with CNPD Regulation No. 310/2020.
-
Do the data protection laws in your jurisdiction require the appointment of a data protection officer, chief information security officer, or other person responsible for data protection? If so, what are their legal responsibilities?
Article 37 GDPR specifies three cases in which it is mandatory for controllers and processors to appoint a Data Protection Officer (DPO):
(i) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(ii) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(iii) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
The Portuguese Data Protection Law further specifies which entities fall within the notion of “public authority or body” (e.g., municipal authorities, public institutes, etc.).
Under Article 39 of the GDPR, the Data Protection Officer is entrusted with the following core duties:
(i) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
(ii) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
(iii) to provide advice when requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
(iv) to cooperate with the supervisory authority; and
(v) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
In addition, Article 11 of the Portuguese Data Protection Law adds that the Data Protection Officer is entrusted with the following tasks:
(i) Ensure the conduct of audits, both periodic and unplanned;
(ii) Raise user awareness about the importance of timely detection of security incidents and the need to immediately inform the security officer; and
(iii) Manage relations with data subjects on matters covered by the GDPR and national data protection legislation.
-
Do the data protection laws in your jurisdiction require or recommend employee training related to data protection? If so, please describe such training requirement(s) or recommendation(s).
While neither the GDPR nor Portuguese Data Protection law explicitly mandates employee training on data protection, the principle of accountability and the requirement to implement appropriate organizational measures to safeguard personal data are generally interpreted as including training obligations as a matter of best practice. Specifically, CNPD, in its Guidelines/2023/1 on organizational and security measures, explicitly recommends promoting a culture of privacy and information security among employees, so that each staff member is able to recognize potential threats and act accordingly—as a way to reduce both the likelihood and impact of human error.
In addition, under Article 39(1)(b) of the GDPR, one of the formal duties of the DPO is to oversee staff training related to data protection. Furthermore, the Portuguese Labour Code requires that employers implement general employee training programs, which may include data privacy components, especially when personal data processing is involved in the employee’s role.
-
Do the data protection laws in your jurisdiction require controllers to provide notice to data subjects of their processing activities? If so, please describe such notice requirement(s) (e.g., posting an online privacy notice).
Yes, data protection laws in Portugal—through the direct application of the GDPR—require data controllers to provide notice to data subjects regarding the processing of their personal data.
Under the transparency principle in Article 5(1)(a) of the GDPR, controllers must ensure that individuals are fully informed about how their data is being used. This obligation is further detailed in:
(i) Article 13 GDPR: When personal data is collected directly from the data subject, controllers must provide information such as the identity of the controller, the purposes and legal basis of processing, recipients of the data, data retention periods, data subject rights, and the right to lodge a complaint with the supervisory authority (in Portugal, CNPD).
(ii) Article 14 GDPR: When data is obtained indirectly (e.g., from third parties), similar information must be provided, along with the source of the data and the categories of personal data involved.
The required notice—commonly delivered via a privacy notice or privacy policy—must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child, as outlined in Article 12 GDPR.
Under the Portuguese e-privacy framework, implemented by the Electronic Communications Law (as amended), users must be provided with clear and complete information before any non-essential cookies are stored or accessed on their device. This includes specific details such as (i) the duration for which cookies remain active on the user’s device, and (ii) whether third parties will have access to those cookies.
-
Do the data protection laws in your jurisdiction draw any distinction between the responsibility of controllers and the processors of personal data? If so, what are the implications?
Yes, data protection laws in Portugal—through the direct application of the GDPR—draw a clear distinction between the responsibilities of controllers and processors of personal data. Under Article 4(7) of the GDPR, a controller is the entity that determines the purposes and means of processing personal data. The controller holds primary responsibility for ensuring that all processing activities comply with the requirements of the GDPR. In contrast, a processor, as defined in Article 4(8), processes personal data on behalf of the controller and strictly in accordance with the controller’s instructions.
The implications of this distinction are significant. Controllers are fully accountable for the lawfulness of the processing and are liable for any damage caused by processing that infringes the GDPR. This includes, among others, the obligation to implement appropriate technical and organisational measures, ensure respect for the data protection principles, and uphold data subject rights. Article 82(2) of the GDPR confirms that any controller involved in the processing is liable for damage caused by a violation of the Regulation, regardless of whether the controller personally caused the infringement, as long as they are considered a controller in the context of the specific processing activity.
Processors, while subject to fewer obligations, are not exempt from liability. The GDPR imposes specific duties on processors, including the requirement to enter into a data processing agreement with the controller (Article 28), maintain a record of processing activities (Article 30), ensure the security of processing (Article 32), and report data breaches to the controller without undue delay (Article 33). A processor becomes liable under Article 82(2) if it fails to comply with those processor-specific obligations or if it acts outside or contrary to the lawful instructions of the controller. In such cases, the processor may be held directly responsible for any resulting damages.
Furthermore, if a processor independently determines the purposes and means of processing—essentially stepping outside its delegated role—it may be reclassified as a controller for those processing activities and assume full legal responsibility accordingly.
-
Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction, including through the use of tracking technologies such as cookies. How are these or any similar terms defined?
Neither the GDPR nor the Portuguese Data Protection Law defines “monitoring”, although the term is referred to in connection with processing operations carried out for different purposes. For example, under Article 35(3)(c), the controller shall carry out a DPIA in the case of “a systematic monitoring of a publicly accessible area on a large scale.”
Article 4(4) of the GDPR defines “profiling” as any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. This definition applies within the Portuguese data protection framework.
In the employment context, targeted monitoring of employees’ activity is forbidden in certain cases, such as monitoring to control performance at work or the use of the employer’s assets for personal purposes. These restrictions are clarified in Deliberation No. 1638/2013 of the CNPD. Deliberation No. 7680/2014 also establishes certain rules concerning the use of geolocation technologies in the employment context.
Neither the GDPR nor the Portuguese Data Protection Law expressly define “automated decision-making”. However, subject to certain exceptions, Article 22 of the GDPR grants individuals the right not to be subjected to decisions based solely on automated processing, including profiling, where such decisions produce legal effects or similarly significant consequences for them. The Portuguese Data Protection Law does not introduce any additional provisions on this matter.
Neither the GDPR, the Portuguese Data Protection Law nor the Portuguese E-Privacy Law defines the terms “cookies” or “tracking technologies”, nor do they refer to any equivalent concepts. However, under the Portuguese E-Privacy Law, storing cookies or similar technologies on the user’s terminal equipment requires prior and informed consent. Consent must be obtained as provided for in the GDPR (i.e., any freely given, specific, informed and unambiguous indication of the data subject’s wishes by a statement or clear affirmative action). This requirement does not prevent the use of cookies or similar technologies where the sole purpose is: (i) the transmission of a communication over an electronic communications network; or (ii) to provide an information society service explicitly requested by the subscriber or user, where such storage or access is strictly necessary for that purpose.
-
Please describe any restrictions on targeted advertising and/or behavioral advertising. How are these terms or any similar terms defined?
In Portugal, neither the GDPR, the Portuguese Data Protection Law nor the Portuguese E-Privacy Law expressly defines the terms “targeted advertising” or “behavioural advertising”, nor do they refer to any equivalent concepts. These practices are instead governed by the general provisions of the GDPR and the Portuguese E-Privacy Law, given that targeted advertising frequently relies on the use of cookies or similar tracking technologies. Accordingly, such processing is subject to the requirements of informed and freely given consent under the GDPR. For further detail on cookies and consent requirements, please refer to question 18.
As for targeted advertising or marketing, CNPD issued Guidelines 2022/1, which conclude that:
(i) electronic communications for direct marketing may be sent where a customer relationship already exists (consent being required only if the marketing relates to products or services different from those previously purchased by the customer); where there is no prior legal relationship between the controller and the recipient, such communications may only be sent with the data subject’s prior and explicit consent;
(ii) The controller shall maintain an updated list of the data subjects who have expressly provided consent and of those who have objected to receiving such advertising/marketing communications, and shall be able to prove such consent/objection;
(iii) The data subject’s consent must always be informed, specific, freely given, unequivocal, and explicit; and
(iv) The following types of “consent” for the use of personal data for the purpose of sending electronic direct marketing communications are not considered valid:
a. Consent that is ambiguous and lacks transparency in how the processing is explained and how the consent declaration is drafted, collected as a condition for participating in sweepstakes or online contests, and which seeks to obtain authorisation for sharing data with third parties or for carrying out direct marketing campaigns on behalf of third parties.
b. Collected by a given entity requesting authorization from the data subject for processing by a third party, without expressly, clearly, and transparently identifying the third party and the specific context in which the subsequent data processing will take place.
c. Required as a condition for accessing websites or participating in certain activities (e.g., sweepstakes, viewing content), making such access or participation dependent on subscribing to and accepting all personal data processing operations in bulk, including both those strictly necessary for access or participation and others, among which direct marketing is included.
At EU level, the DSA and the DMA impose directly applicable rules in Portugal, reinforcing transparency obligations and restricting the use of profiling for advertising.
-
Please describe any data protection laws in your jurisdiction restricting the sale of personal data. How is the term “sale” or such related terms defined?
Portuguese law does not provide a specific definition of “sale” in the context of personal data. However, the sale of personal data is considered a form of “processing” under the GDPR. As such, it is subject to the full range of obligations imposed on controllers and processors.
Recently, in Deliberation 2024/137, CNPD imposed a three-month ban on the Worldcoin Foundation’s processing of biometric data, citing serious GDPR violations. The controller used an app and in-person devices to collect iris, eye, and facial data in exchange for tokens and financial incentives. CNPD found that consent—required under Article 9(2) GDPR for processing special category data—was not validly obtained due to inadequate, unclear, and English-only information, particularly affecting minors. It also found violations of transparency, the right to erasure, and the right to withdraw consent (Articles 5(1)(a), 7(3), 9(1), 13, and 17(1) GDPR). Given the high risk to data subjects, especially minors, and the irreversible nature of the violations, CNPD ordered urgent temporary restrictions under Article 58(2)(f) GDPR.
-
Please describe any data protection laws in your jurisdiction restricting telephone calls, text messaging, email communication, or direct marketing. How are these terms defined?
In Portugal, direct marketing by telephone, text, and email is mainly regulated by two laws:
(i) Law No. 41/2004, which governs the processing of personal data and privacy in electronic communications, including rules on unsolicited electronic marketing; and
(ii) Law No. 6/99 of 27 January, which governs advertising by post, direct distribution, telephone, and fax.
According to the Portuguese E-Privacy Law, sending unsolicited electronic communications for direct marketing—such as emails, text messages (SMS, EMS, MMS), faxes, or automated phone calls—requires the prior and explicit consent of the individual receiving them. However, there is an exception: where there is an existing customer relationship, if a company has obtained a customer’s contact details during the sale of products or services, it may use those details to promote similar products or services. This is allowed only if the customer was clearly informed of this possibility at the time of data collection and was given an easy and free opportunity to opt out, both initially and in every subsequent communication.
Importantly, if these marketing communications target natural persons or involve any processing of personal data, they must also comply with general data protection rules, most notably the GDPR and Portuguese Data Protection Law. For instance, data subjects have the right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3) of the GDPR). Please refer to the answer provided in Question 19.
If marketing communications are aimed at legal entities (such as companies) and do not involve personal data, the rules may be less strict, though recipients must still be given the ability to opt out.
Regardless of the recipient type, the law expressly forbids sending marketing emails that hide or disguise the sender’s identity or that fail to provide a valid contact method through which the recipient can request to stop further communications.
Failure to comply with these requirements can lead to enforcement actions by the national data protection authority and potentially significant penalties.
-
Please describe any data protection laws in your jurisdiction addressing biometrics, such as facial recognition. How are such terms defined?
A definition of biometric data can be found in Article 4(14) GDPR. Accordingly, “biometric data” means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
Biometric data is classified as a special category of personal data under Article 9(1) of the GDPR. Therefore, the considerations outlined in the response to question 7 regarding the processing of special categories of data are equally applicable here. Under the GDPR, a DPIA is mandatory when processing biometric data on a large scale, given its sensitive nature.
According to Article 9(4) of the GDPR, Member States may maintain or introduce further conditions, including limitations, with regard to the processing of biometric data. In Portugal, the processing of employees’ biometric data is permitted for the purposes of attendance control and access control to the employer’s premises, under certain conditions.
The AI Act introduces strict limitations on the use of biometric data in AI systems, building upon existing data protection concerns and adding specific prohibitions and obligations. Within the workplace and education institutions, the AI Act categorises emotion recognition systems as presenting an unacceptable risk, thereby prohibiting their use. It also prohibits the biometric categorisation of individuals for the purpose of inferring sensitive characteristics such as race, political opinions, trade union membership, religious or philosophical beliefs, or sexual orientation. Similarly, the real-time remote biometric identification of individuals in publicly accessible spaces by law enforcement is prohibited, subject only to narrow exceptions based on significant public interest, such as the prevention of terrorism or serious crime.
Most AI systems involving biometric data that are not outright prohibited are classified as “high-risk,” making them subject to the most rigorous compliance requirements under the AI Act. With the AI Act set to become applicable in phases from 2025 following political agreement in December 2023, its provisions will significantly tighten the regulation of facial recognition and biometric categorisation systems.
Additionally, the AI Act imposes a complete ban on the placing on the market, the putting into service for this specific purpose, or the use of AI systems that create or expand facial recognition databases through the untargeted scraping of facial images from the internet or CCTV footage. This prohibition is absolute, with no exceptions, although it applies solely to facial images and does not extend to biometric databases created using other data types, such as voice recordings.
-
Please describe any data protection laws in your jurisdiction addressing artificial intelligence or machine learning (“AI”).
Portugal has not yet enacted AI-specific legislation. However, the EU’s Artificial Intelligence Act (Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024) entered into force on August 1, 2024, and is directly applicable in all member states, including Portugal. While the regulation will be fully applicable from August 2, 2026, the provisions on prohibited AI practices and the AI literacy requirements already took effect on February 2, 2025.
-
Is the transfer of personal data outside your jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism or notification to or authorization from a regulator?)
There are no specific requirements or restrictions for the cross-border transfer of personal data within the EU.
However, transfers to third countries or international organisations can only occur if the conditions outlined in Chapter V of the GDPR are met by both controllers and processors. This also applies to onward transfers. The GDPR adopts a layered approach to international data transfers, establishing a three-tiered legal structure:
(i) Adequacy decisions (Article 45 GDPR);
(ii) Appropriate safeguards (Articles 46 and 47 GDPR); and
(iii) Derogations (Article 49 GDPR) – a fallback option, used only when the first two are unavailable.
This means that where an adequacy decision has been adopted by the European Commission, it should be relied upon. If there is no adequacy decision, appropriate safeguards must be used. Only in the absence of both should derogation be considered.
Regarding adequacy decisions:
To date, the European Commission has adopted adequacy decisions for the following jurisdictions: Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom, United States (limited to commercial organizations participating in the EU-U.S. Data Privacy Framework), and Uruguay.
Regarding appropriate safeguards:
In the absence of an adequacy decision, personal data may still be transferred to a third country if appropriate safeguards are provided by the recipient organization. Additionally, individuals must retain the ability to exercise their rights and have access to effective legal remedies.
Article 46 of GDPR provides a list of transfer mechanisms that constitute “appropriate safeguards,” particularly relevant for private organizations. These include:
(i) Standard Contractual Clauses (SCCs);
(ii) Binding Corporate Rules (BCRs);
(iii) Approved codes of conduct;
(iv) Approved certification mechanisms;
(v) Ad hoc contractual clauses.
Among these, Standard Contractual Clauses (SCCs) are most commonly used by private entities. However, their use must be complemented by a Transfer Impact Assessment (TIA) to evaluate whether additional measures are needed to ensure compliance with GDPR principles.
In particular, it is crucial to verify that the legislation of the third country—which naturally prevails over any contractual provisions—does not undermine or nullify the guarantees provided by the SCCs.
The SCCs accommodate various transfer scenarios. Depending on the specific nature of the data flow, the appropriate module should be selected:
(i) Module 1: Controller to Controller;
(ii) Module 2: Controller to Processor;
(iii) Module 3: Processor to Processor;
(iv) Module 4: Processor to Controller (when the processor is in the EU and the controller is in a third country).
Transfers may also be based on contracts between the data exporter and the data importer, provided they meet the GDPR’s standards. Such contracts may require prior approval from the competent data protection authority.
Another viable mechanism is the use of Binding Corporate Rules, particularly for transfers within a corporate group. BCRs require prior approval by the relevant data protection authority and must include mechanisms ensuring legal enforceability across all group members.
Regarding derogations:
As a last resort and subject to strict conditions, derogations under Article 49 GDPR may be used. For example, a transfer may be permitted when it is:
(i) made with the individual’s explicit consent;
(ii) necessary for the performance of a contract between the individual and the organisation or for pre-contractual steps taken at the individual’s request;
(iii) necessary for the performance of a contract made in the interests of the individual between the data controller and another person;
(iv) necessary for important reasons of public interest;
(v) necessary for the establishment, exercise or defence of legal claims;
(vi) necessary to protect the vital interests of the individual in question or other persons, where the individual is physically or legally incapable of giving consent; or
(vii) made from a register which, under the national law of an EEA country or EU law, is intended to provide information to the public (and which is open to consultation by either the public in general or those able to show a legitimate interest in inspecting the register).
-
What personal data security obligations are imposed by the data protection laws in your jurisdiction?
The principle of integrity and confidentiality, as outlined in Article 5(1)(f) of the GDPR, requires that personal data be processed in a manner that ensures appropriate security. This includes both technical and organisational measures to prevent unauthorised or unlawful processing, as well as the loss, damage, or destruction of personal data.
This principle is further developed in Article 32 of the GDPR, which relates specifically to the security of processing. Under Article 32, controllers and processors are required to implement appropriate technical and organisational measures to ensure a level of security that is proportionate to the risk. This includes consideration of the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, alongside the potential impact on the rights and freedoms of individuals.
In determining what constitutes an appropriate level of security, Article 32(2) identifies specific risks to consider, such as the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. To demonstrate compliance, Article 32(3) recognises that adherence to approved codes of conduct (under Article 40) or approved certification mechanisms (under Article 42) may serve as supporting evidence.
Furthermore, Article 32(4) requires that anyone acting under the authority of the controller or processor must only process personal data in accordance with the controller’s documented instructions, unless otherwise required by law.
To support the implementation of these principles, CNPD has issued Guideline/2023/1 on organisational and security measures for the protection of personal data. Among its key recommendations, CNPD stresses the importance of conducting security audits and vulnerability assessments to help organisations identify system weaknesses.
CNPD also advises monitoring users who may be more vulnerable and investing in targeted training and awareness efforts to enhance overall security. At the organisational level, it recommends the implementation of alert systems capable of detecting unauthorised access or misuse attempts, which enables quicker detection and response to security incidents.
From a technical perspective, security measures should be adapted to the specific context of each organisation. For example, CNPD recommends the use of network segmentation or isolation technologies to prevent the spread of malware, both internally and externally. Finally, when devices are used outside the organisation’s premises, CNPD underlines that access to systems should be granted exclusively via a VPN, as a fundamental security safeguard.
-
Do the data protection laws in your jurisdiction impose obligations in the context of security breaches which impact personal data? If so, how do such laws define a security breach (or similar term) and under what circumstances must such a breach be reported to regulators, impacted individuals, law enforcement, or other persons or entities?
Article 4(12) of the GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
The controller is required to notify CNPD of a personal data breach, in accordance with Article 33(1) of the GDPR. Unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons, the notification must be made within 72 hours of becoming aware of the incident. To facilitate this, CNPD provides a specific notification form.
The controller should have an internal policy in place to detect and manage security incidents that affect the protection of personal data. Where data processing is carried out by processors, the controller must also implement effective monitoring mechanisms to ensure that the actions of those processors do not compromise the controller’s compliance with data protection obligations.
Even if the controller considers that notification to CNPD is not required, they are still obliged to document all data breaches, as stipulated in Article 33(5) of the GDPR.
Furthermore, the data controller is also required to inform data subjects of a personal data breach, provided the legal conditions set out in Article 34 of the GDPR are met.
-
Do the data protection laws in your jurisdiction establish specific rights for individuals, such as the right to access and the right to deletion? If so, please provide a general description of such rights, how they are exercised, and any exceptions.
Regarding data subject rights:
In Portugal, the rights granted to data subjects are those set out in the GDPR. Specifically, the GDPR establishes ten rights:
(i) Right to be informed (Articles 12–14): Pursuant to Articles 13 and 14 GDPR, data subjects have the right to be provided with information on the identity of the controller, the reasons for processing their personal data and other relevant information necessary to ensure the fair and transparent processing of personal data.
(ii) Right of access (Article 15): A data subject has the right to obtain from a controller certain information in respect of the data subject’s personal data. Additionally, the data subject may request a copy of the personal data being processed.
(iii) Right to rectification (Article 16): Data subjects have the right to obtain the rectification of inaccurate personal data or completion of incomplete data without undue delay.
(iv) Right to erasure (“right to be forgotten”) (Article 17): Data subjects have the right to obtain from the controller the erasure of personal data concerning them without undue delay where one of the grounds provided in Article 17 applies, such as when the data is no longer necessary for the purposes for which it was collected or when consent is withdrawn. This right is not absolute and may be subject to legal limitations.
(v) Right to restrict processing (Article 18): Data subjects have the right to obtain from the controller the restriction of the processing of their personal data in the specific cases listed in Article 18, for instance when the accuracy of the data is contested or when the data is no longer needed by the controller but required by the data subject for the establishment, exercise or defence of legal claims.
(vi) Right to data portability (Article 20): Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller, without hindrance from the controller to which the personal data have been provided, where processing is based on consent or contract and is carried out by automated means.
(vii) Right to object (Article 21): Data subjects have the right to object, on grounds relating to their particular situation, to the processing of personal data where the basis for that processing is either public interest (Article 6 para 1(e) GDPR) or legitimate interest of the controller (Article 6 para 1(f) GDPR). The controller must cease such processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the relevant data subject or requires the data in order to establish, exercise or defend legal rights. Data subjects have the right to object to the processing of personal data for marketing purposes, including profiling.
(viii) Right to withdraw consent (Article 7(3)): A data subject has the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before the withdrawal.
(ix) Right to lodge a complaint with the relevant data protection authority (Article 77): Data subjects have the right to lodge complaints concerning the processing of their personal data with the competent data protection authority. In Portugal, the competent authority is CNPD (Comissão Nacional de Proteção de Dados).
(x) Rights related to automated decision-making and profiling (Article 22): Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects them. Exceptions apply in certain cases, such as where automated processing is necessary for a contract or is based on explicit consent.
Regarding the exercise of data subject rights:
Data subjects shall exercise their rights directly before the controller, the controller’s representative or, where such a role exists, the data protection officer. In situations of joint controllership, the data subject may exercise their rights in relation to, and against, each of the joint controllers—regardless of the terms agreed between those controllers.
The controller must facilitate the exercise of these rights and provide the data subject with information regarding any action taken in response to a request under Articles 15 to 22 of the GDPR. This information must be provided without undue delay and, in any case, within one month of receiving the request.
Where necessary—taking into account the complexity and number of requests—this period may be extended by a further two months. The controller must inform the data subject of any such extension within one month of receiving the request, providing reasons for the delay.
If the controller does not take action in response to a data subject’s request, they must inform the data subject without delay, and at the latest within one month of receipt of the request. This notice must include the reasons for not taking action, along with information on the right to lodge a complaint with a supervisory authority and to seek a judicial remedy.
In principle, the exercise of the above-mentioned rights shall be free of charge. However, where a data subject’s request is manifestly unfounded or excessive—particularly if repetitive in nature—the controller may:
(i) charge a reasonable fee, taking into account the administrative costs of providing the requested information or taking the requested action; or
(ii) refuse to act on the request.
The Portuguese Data Protection Law provides specific provisions regarding the exercise of rights over the personal data of deceased individuals. In cases involving sensitive data (as defined in Article 9(1) of the GDPR), or data relating to private life, image, or communications, such rights may be exercised by a person previously designated by the data subject. In the absence of such a designation, these rights may be exercised by the deceased’s legal heirs. Furthermore, under Article 17 of Law No. 58/2019 of 8 August, the data subject may specify that no third party shall be permitted to exercise any rights over their personal data after their death.
Under Article 19 of Portuguese Law No. 59/2019 of 8 August, the rights to information, access, rectification, erasure, and restriction of the processing of personal data contained in a criminal proceeding, a judicial decision, or a criminal record shall be exercised in accordance with Portuguese criminal procedural law and other applicable legislation.
-
Do the data protection laws in your jurisdiction provide for a private right of action and, if so, under what circumstances?
Chapter 8 of the GDPR and Chapter VII of the Portuguese Data Protection Law address enforcement mechanisms, including the right to lodge complaints, initiate legal proceedings, and seek compensation for damages.
Accordingly, data subjects may exercise the following private rights of action:
(i) Right to lodge a complaint with CNPD: Article 77(1) GDPR stipulates the data subject’s right to lodge a complaint with a supervisory authority. In Portugal, the supervisory authority is CNPD. The right to file a complaint does not limit any other administrative or judicial remedies available, and it is not restricted, in terms of object, to the “rights of the data subject” as established in Chapter 3 of the GDPR. It follows from this very broad notion of complaint that the GDPR does not impose any particular form requirement, either. Additional elements may be imposed by national law in light of the principle of procedural autonomy of the Member States. In Portugal, Article 47(2) of Law No. 59/2019 of 8 August (“Law 59/2019”) merely establishes that if the complaint is not initially submitted to CNPD, the supervisory authority that receives it shall, without undue delay, forward it to CNPD if it is the competent authority. The data subject must be informed of this forwarding and, upon request, provided with further assistance. Additionally, Article 47(3) of the same law, in line with Article 77(2) of the GDPR, stipulates that the data subject must be kept informed by the supervisory authority about the progress and outcome of the complaint, including the possibility of pursuing legal action.
In addition, Article 32 of the Portuguese Data Protection Law establishes that, without prejudice to the right to lodge a complaint with CNPD, any person may resort to administrative remedies to ensure compliance with the legal provisions on personal data protection, as provided for in the Portuguese Code of Administrative Procedure.
(ii) Right to an effective judicial remedy against a supervisory authority: Article 78 of the GDPR, Article 34 of the Portuguese Data Protection Law, and Article 48 of Law 59/2019 reflect the general principle of judicial protection against actions or omissions by supervisory authorities. Specifically, they guarantee the right to judicial review of legally binding decisions made by supervisory authorities. This right extends to cases of inactivity by a supervisory authority following the submission of a complaint under Article 77. These cases include situations where the supervisory authority fails to inform the data subject of the progress or outcome of the complaint lodged pursuant to Article 77 GDPR. According to Article 34(2) of the Portuguese Data Protection Law, legal actions brought against CNPD fall within the jurisdiction of the administrative courts.
(iii) Right to an effective judicial remedy against a controller or processor: Article 79 of the GDPR and Article 49 of Law 59/2019 establish the data subject’s right to an effective judicial remedy against a controller or processor when they believe their rights under the GDPR have been infringed due to the unlawful processing of their personal data. This provision sets out a two-stage cumulative test to determine the applicability of this right: (i) the data subject must believe that a controller or processor has violated their rights under the GDPR; and (ii) the violation must result from the processing of their personal data in a manner that does not comply with the GDPR. Under Article 79(2) of the GDPR, the data subject may bring proceedings against the controller or processor either: (i) before the courts of the Member State where the controller or processor has an establishment; or (ii) before the courts of the Member State where the data subject has their habitual residence.
(iv) Right to mandate a non-profit body, organisation or association: Article 80 GDPR grants data subjects the right to mandate not-for-profit organisations to act on their behalf in enforcing their rights under the GDPR. Article 35 of the Portuguese Data Protection Law, together with the combined interpretation of Article 2(1) of Decree-Law No. 114-A/2023 of 5 December and point 56 of Annex I to Directive (EU) 2020/1828 of the European Parliament and of the Council, incorporates—under an opt-out system—into the Portuguese legal framework the data subject’s right to mandate a not-for-profit organisation to lodge complaints and exercise the rights set out in Articles 77, 78, and 79 of the GDPR; and
(v) Right to compensation and liability: Article 82 of the GDPR establishes a right to compensation for damage resulting from a breach of data protection law. In accordance with Article 82(1) of the GDPR and Article 33 of the Portuguese Data Protection Law, any individual who has suffered material or non-material damage due to an infringement of the applicable data protection legislation is entitled to receive compensation from the controller or processor responsible for the harm. The conditions for bringing such a claim, as set out in Article 82(1), must be interpreted in line with EU law, as further detailed below.
-
Are individuals entitled to monetary damages or compensation if they are affected by breaches of data protection law? Does the law require actual and material damage to have been sustained, or is non-material injury to feelings, emotional distress or similar sufficient for such purposes?
Pursuant to Article 82(1) of the GDPR and Article 33 of the Portuguese Data Protection Law, any person who has suffered material or non-material damage as a result of an infringement of the applicable data protection legislation shall have the right to receive compensation from the controller or processor for the damage suffered.
The mere infringement of a provision of the applicable data protection legislation is not sufficient. According to this provision, the right to compensation is subject to three cumulative conditions:
(i) an infringement of the provisions of the GDPR;
(ii) the existence of “damage”, whether material or non-material, which has been suffered; and
(iii) the causal link between that damage and that infringement.
The GDPR and the Portuguese Data Protection Law do not contain any provision defining the rules on the assessment of damages suffered under the two aforementioned provisions. Nonetheless, recital 85 of the GDPR lists a number of examples of possible damages such as loss of control over personal data, limitation of data subjects’ rights, discrimination, damage to reputation, loss of confidentiality of personal data protected by professional secrecy and any other significant economic or social disadvantage.
According to the CJEU, the GDPR makes no reference to the law of the Member States as regards the meaning and scope of the terms set out in Article 82 of the GDPR, in particular as regards the concept of ‘non-material damage’. It follows that this term must be interpreted in a uniform manner in all of the Member States, and that Article 82(1) of the GDPR must be interpreted as precluding a national rule or practice which makes compensation for non-material damage, within the meaning of that provision, subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness. Therefore, even though Article 496 of the Portuguese Civil Code states that “In determining the compensation, consideration must be given to non-material damages which, due to their seriousness, warrant legal protection”, according to the CJEU’s case law this provision shall not be interpreted as establishing a specific threshold of seriousness.
-
How are data protection laws in your jurisdiction typically enforced?
In Portugal, data protection laws are enforced by CNPD, which holds broad investigative and corrective powers under Article 58 of the GDPR. These include, among others, (i) ordering the controller or the processor to comply with the data subject’s requests to exercise his or her rights, (ii) ordering the controller or processor to bring processing operations into compliance with the provisions of the GDPR, where appropriate, in a specified manner and within a specified period, (iii) imposing a temporary or definitive limitation, including a ban on processing, and (iv) imposing administrative fines.
Beyond regulatory enforcement by CNPD, data subjects also have judicial remedies available through the administrative and civil court systems. Administrative courts are primarily competent for matters involving the protection of personal data within the public administration, as well as for actions brought directly against CNPD under Article 34(2) Portuguese Data Protection Law. They are effective in safeguarding rights when administrative bodies deny or restrict their exercise. When cases extend beyond the scope of the administrative relationship and procedural matters—such as those assessed under the Administrative Procedure Code—into more substantive GDPR issues, these courts may approach the disputes primarily from a procedural perspective. Consequently, resolutions often focus on formal aspects of the case, with substantive data protection considerations addressed more selectively.
The data subject may bring actions against the controller or the processor, including civil liability actions (Article 34(3) Portuguese Data Protection Law). Civil courts, on the other hand, have jurisdiction over claims for damages or compensation arising from violations of data protection rights, in accordance with the rules of civil liability and Article 82 of the GDPR. This avenue is gaining relevance, with an increasing trend toward private enforcement, particularly in actions against private-sector entities.
In practice, enforcement in Portugal operates through a combination of regulatory action by CNPD and judicial protection via administrative or civil courts, depending on whether the infringement arises in the public or private sphere and on the nature of the rights at stake.
-
What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction?
Infringements of certain provisions of the GDPR may be subject to administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of its total worldwide annual turnover for the preceding financial year, whichever is higher.
The highest fine applied in Portugal for the violation of data protection rules was imposed on 02.11.2022, amounting to EUR 4,300,000. The Portuguese National Statistical Institute was sanctioned for breaches of Article 5(1)(a), Article 9(1), Articles 12 and 13, Articles 28(1), (6), and (7), Article 35(1)–(3)(b), Article 44, and Article 46(2) of the GDPR.
Under Portuguese law, criminal offences involving personal data — including use of data in a manner incompatible with the purpose of collection, unlawful access, misappropriation or diversion of data, tampering with or destruction of data, insertion of false data, breach of the duty of confidentiality, and disobedience to supervisory authority orders — are punishable by up to one year’s imprisonment or a fine of up to 120 days, or, in the most serious cases such as tampering with or destruction of data and insertion of false data, up to two years’ imprisonment or a fine of up to 240 days. Penalties can be doubled in aggravated circumstances, notably, in some cases, when sensitive data are involved.
-
Are there any guidelines or rules published regarding the calculation of such fines or thresholds for the imposition of sanctions?
On 14 May 2023, the European Data Protection Board (EDPB) adopted Version 2.1 of its Guidelines 04/2022 on the calculation of administrative fines under the GDPR, establishing a harmonised methodology for supervisory authorities across the EU to promote consistent application and effective enforcement of the Regulation.
Article 39(1) of the Portuguese Data Protection Law adds three criteria for setting fines — the offender’s economic situation (or turnover and annual balance sheet for legal persons), the continuous nature of the infringement, and the size of the entity based on staff and services. However, following deliberation 2019/494, CNPD applies these only to infringements not covered by Article 83(4) and (5) GDPR, in line with Article 84 GDPR, as the Regulation does not allow Member States to add further criteria for those offences.
-
Are enforcement decisions open to appeal in your jurisdiction? If so, please provide an overview of the appeal options.
Yes. Decisions, orders, and other measures adopted by administrative authorities in the course of proceedings are subject to judicial challenge by the defendant or by the person to whom they are addressed. The appeal may be lodged by the defendant or their legal counsel. It must be submitted in writing to the administrative authority that imposed the fine within 20 days from the date on which the defendant was notified of the decision. The appeal must include both the statement of grounds and a summary of conclusions. CNPD then forwards the appeal to the competent court, which will re-examine the facts and the application of the law. In certain cases, further appeal to the Court of Appeal is available.
In addition to challenging the administrative decision, individuals who have suffered damage as a result of unlawful data processing may bring civil liability actions before the competent civil courts, seeking compensation for material and/or non-material damages, under the terms of the GDPR and Portuguese civil law. In certain cases, decisions in such civil proceedings are also subject to appeal to the higher courts, in accordance with the general rules of Portuguese civil procedure.
-
Are there any identifiable trends or regulatory priorities in enforcement activity in your jurisdiction?
Yes. While CNPD no longer publishes individual enforcement decisions or detailed information on pending administrative proceedings, certain trends and priorities can still be identified from public statements and its 2025 Annual Activity Plan. Namely:
(i) Procedural modernisation: CNPD intends to propose legislation introducing a fully electronic procedure for administrative offence cases, aiming to eliminate repetitive paper-based tasks, shorten case duration, and clarify judicial competence in appeals.
(ii) Sectoral focus: Industries that rely heavily on unsolicited communications for business or marketing purposes are likely to face heightened scrutiny.
(iii) Protection of minors’ data: The processing of personal data relating to children remains a particularly sensitive and high-priority area for enforcement.
(iv) Effectiveness of sanctioning: A declared objective is to increase the efficiency and deterrent effect of sanctions, suggesting a more streamlined and possibly more proactive enforcement approach.
-
Do the cybersecurity laws in your jurisdiction require the implementation of specific cybersecurity risk management measures and/or require that organisations take specific actions relating to cybersecurity? If so, please provide details.
Under the Legal Framework for Cyberspace Security (Law No. 46/2018), public administration entities, operators of critical infrastructure, operators of essential services and digital service providers are required to adopt technical and organisational measures that are proportionate and appropriate to the prevention, detection, and mitigation of cybersecurity risks affecting their networks and information systems.
Regarding public administration entities, operators of critical infrastructure and operators of essential services, these obligations are further specified in Decree-Law No. 65/2021, which establishes that such operators must:
(i) designate at least one Permanent Point of Contact to ensure the flow of operational and technical information with CNCS;
(ii) appoint an Information Security Officer responsible for managing the set of measures adopted in relation to security requirements and incident notification;
(iii) carry out risk assessments;
(iv) prepare and maintain an up-to-date inventory of all assets essential to the provision of their services, which must be signed by the designated security officer;
(v) prepare and maintain an up-to-date security plan, duly documented and signed by the security officer, which shall include, inter alia, the security policy and a description of all measures adopted regarding security requirements and incident notification;
(vi) draw up an annual report, covering the previous calendar year, which shall include, inter alia, an aggregated analysis of security incidents with a relevant or substantial impact, containing information on:
– the number of users affected by the service disruption;
– the duration of the incidents;
– the geographical distribution of the affected area, including any cross-border impact;
(vii) implement the necessary technical and organisational measures to manage the risks to the security of the networks and information systems they use, including conducting a risk analysis in accordance with the provisions of the following article; and
(viii) carry out a risk analysis in respect of all assets necessary to ensure the continuity of the operation of the networks and information systems they use and, in the case of operators of essential services, also in relation to the assets that ensure the provision of those essential services under specific terms.
Given that Portugal is still in the process of implementing the NIS2 Directive, further regulatory updates and clarifications may arise in the meantime.
In addition, DORA applies directly across the EU, including in Portugal, and establishes a harmonised and comprehensive set of obligations for entities in the financial sector. These cover, in particular, requirements applicable to financial entities in relation to:
(i) information and communication technology (ICT) risk management;
(ii) reporting of major ICT-related incidents and notifying, on a voluntary basis, significant cyber threats to the competent authorities;
(iii) reporting of major operational or security payment-related incidents to the competent authorities by some financial entities;
(iv) digital operational resilience testing;
(v) information and intelligence sharing in relation to cyber threats and vulnerabilities; and
(vi) measures for the sound management of ICT third-party risk.
It further covers (i) requirements in relation to the contractual arrangements concluded between ICT third-party service providers and financial entities, and (ii) rules for the establishment and conduct of the Oversight Framework for critical ICT third-party service providers when providing services to financial entities.
Among the principal obligations imposed on financial entities are the following:
(i) the implementation of a comprehensive ICT risk management framework, encompassing strategies, policies, procedures, protocols and tools necessary to achieve a high level of digital operational resilience;
(ii) the establishment of appropriate procedures and processes to ensure a consistent and integrated monitoring, handling and follow-up of ICT-related incidents, to ensure that root causes are identified, documented and addressed in order to prevent the occurrence of such incidents;
(iii) the implementation of detection mechanisms and reactive measures, including, in particular, mechanisms capable of promptly detecting anomalous activities (such as ICT network performance issues and ICT-related incidents) and of identifying potential material single points of failure;
(iv) the adoption of a comprehensive ICT business continuity policy; and
(v) the development and documentation of backup policies and procedures, as well as restoration and recovery procedures and methods for the purpose of ensuring the restoration of ICT systems and data with minimum downtime.
-
Do the cybersecurity laws in your jurisdiction impose specific requirements regarding supply chain management? If so, please provide details of these requirements.
Other than the general obligations on risk management measures outlined above, the Portuguese Legal Framework for Cyberspace Security does not provide for specific rules governing supply chain management.
In April 2020, CNCS issued the “National Cybersecurity Reference Framework”, consolidating internationally recognised standards to promote a risk-based approach to cyber threats and providing voluntary guidance for the implementation of security measures for networks and information systems. With regard to supply chain management, CNCS emphasises that organisations should:
(i) identify and classify suppliers within relevant supply chains, taking into account the services and resources provided under contractual arrangements;
(ii) assess and audit stakeholders using the same risk-management methodology applied internally;
(iii) identify networks, information systems, components, and service providers through defined processes for cyber supply chain management;
(iv) categorise suppliers based on their access to personal or sensitive data, their impact on the supply chain, and the goods or services provided; and
(v) ensure that suppliers comply with internal rules on the handling and protection of digital information, with supply chain contracts including adequate measures to secure alignment with internal information security policies and supply chain management plans.
Taking into account the requirements laid down in the NIS2 Directive, the forthcoming Portuguese transposition will result in significant updates in this area, given that supply chain risk management is included among the minimum information security measures to be adopted by entities in scope.
As for the DORA Regulation, there are specific measures for the risk assessment of ICT third-party providers, both throughout the Regulation and in Commission Delegated Regulation (EU) 2025/532 of 24 March 2025, with regard to the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions.
-
Do the cybersecurity laws in your jurisdiction impose information sharing requirements on organisations?
Yes.
Under Decree-Law 65/2021, of 30 July (“Decree-Law No. 65/2021”), entities shall notify CNCS of incidents with substantial or relevant impact (Articles 11 to 16). The notification must be made in accordance with Article 6 of Regulation No. 183/2022, of 21 February, issued by CNCS, which governs incident notifications.
In addition, entities that fall within the scope of Decree-Law No. 65/2021 are obliged to prepare and submit an annual report to CNCS which includes, among other aspects, quarterly statistics of all incidents and an aggregated analysis of significant incidents (e.g., number of users affected and duration of disruptions) (Article 8). Under Article 6, entities are required to maintain an inventory of essential assets and to communicate this inventory to CNCS, initially within 20 business days of starting activity and thereafter annually, together with the annual report.
Even though there is no mandatory obligation to do so, the Legal Framework for Cyberspace Security contemplates, in Article 20, the possibility of voluntary information sharing by entities in scope regarding information security incidents that are important for the continuity of their business. Such incidents do not require notification to CNCS (as they are not incidents with substantial or relevant impact), but sharing them is considered to improve and promote resilience across sectors.
Under DORA, financial entities are subject to a series of information-sharing and notification obligations, notably:
(i) Reporting of serious ICT-related incidents: Financial entities must collect, analyse, and report relevant information on serious ICT-related incidents to the competent authority (FSMA). Where such incidents materially affect clients’ financial interests, entities are further required to inform the affected clients, together with details of the mitigation measures adopted (Article 19);
(ii) Maintenance of an Information Register and notification of new ICT service agreements: Financial entities are obliged to maintain and regularly update, at entity level and at sub-consolidated and consolidated levels, a comprehensive register of information covering all contractual arrangements for the use of ICT services provided by ICT third-party service providers, clearly distinguishing those that support critical or important functions from those that do not. They must report at least annually to the competent authority (FSMA) on the number of new arrangements, the categories of ICT third-party service providers, the type of contractual arrangements, and the ICT services and functions provided, and must make available, upon request, the full register or specified sections thereof together with any information necessary for effective supervision. In addition, financial entities are required to inform the FSMA in a timely manner of any planned contractual arrangement involving ICT services that support critical or important functions, as well as when an existing function becomes critical or important (Article 28(3));
(iii) Voluntary notifications of cyberthreats: Financial entities may, on a voluntary basis, notify the FSMA of significant cyberthreats when they deem the threat to be of relevance to the financial system, service users or clients (Article 19(2)); and
(iv) Voluntary information-sharing between financial entities: Financial entities may exchange cyber-threat information and intelligence (e.g., indicators of compromise, tactics, techniques, procedures, alerts, and configuration tools) where such sharing (i) enhances digital operational resilience by improving awareness, detection, defence, and response; (ii) occurs within trusted communities of financial entities; and (iii) is conducted under arrangements that safeguard confidentiality, personal data, and competition rules. Entities must also notify the competent authority of their participation in, or withdrawal from, such information-sharing arrangements (Article 45).
-
Do the cybersecurity laws in your jurisdiction require the appointment of a chief information security officer, regulatory point of contact, or other person responsible for cybersecurity? If so, what are their legal responsibilities?
Yes. Pursuant to Decree-Law 65/2021, entities falling within its scope are required to designate and notify CNCS of both a permanent point of contact (Article 4) and a security officer (Article 5).
Under Article 4, entities must appoint at least one permanent point of contact to ensure operational and technical information flows with CNCS. The functions of this point of contact include, inter alia:
(i) ensuring inter-sectoral coordination, particularly in relation to the effectiveness of responses to security incidents with sectoral impact;
(ii) receiving operational and technical information following the notification of relevant or substantial incidents, whether submitted by the entity itself or by third parties;
(iii) obtaining and updating situational awareness in the context of incidents with relevant or substantial impact;
(iv) facilitating information-sharing whenever civil protection emergency plans or civil emergency planning measures for cyberspace are activated, or when national or European critical infrastructure security plans are engaged;
(v) implementing procedures arising from emergency or critical infrastructure security plans; and
(vi) receiving technical instructions issued by CNCS under the Cybersecurity Legal Framework.
The permanent point of contact must be continuously available on a 24/7 basis during activation periods, and entities are required to notify CNCS within 20 business days of the commencement of their activity of the individuals designated for this function, including their primary and alternative contact details. Any changes must be communicated immediately.
In addition, pursuant to Article 5, entities are obliged to appoint a security officer responsible for the overall management of security measures and for incident reporting obligations under the Legal Framework for Cyberspace Security and Decree-Law 65/2021. The designation of the security officer must likewise be notified to CNCS within 20 business days of the commencement of activity, with any subsequent replacement to be communicated without delay.
Furthermore, Portuguese Regulation No. 183/2022 of 21 February lays down the technical instructions governing communication and information requirements concerning permanent points of contact and security officers, among other matters. In particular, this Regulation provides further detail on the procedures by which such communications are to be made to CNCS.
-
Are there specific cybersecurity laws / regulations for different industries (e.g., finance, healthcare, government)? If so, please provide an overview.
As previously mentioned, the Legal Framework for Cyberspace Security is applicable to public administration entities, operators of critical infrastructure, operators of essential services and digital service providers.
With regard to other sectors, the following instruments and provisions should be highlighted:
(i) Regarding healthcare: Order 8877/2017 mandates that all entities within the National Health Service adopt both a cybersecurity policy and a contingency plan specifically designed for the prevention, management, and response to cybersecurity incidents. The sector is also under the scope of Law No. 46/2018 and Decree-Law 65/2021, as the national health system is considered both a public administration entity and a provider of essential services.
(ii) Regarding banking and finance: In addition to DORA, it should be noted that Instruction No. 21/2019 of the Bank of Portugal regulates the reporting of cybersecurity incidents by entities supervised by the Bank of Portugal and by significant credit institutions headquartered in Portugal that are under the supervision of the European Central Bank. It establishes that financial institutions, investment firms, and payment service providers must report significant or severe cybersecurity incidents within two hours of detection. Reporting criteria include impacts on users, economic or reputational consequences, crisis activation, systemic risk, and legal infringements.
(iii) Regarding telecommunications and electronic communications: Pursuant to Article 60 of the Portuguese Law on Electronic Communications (Law No. 16/2022, of 16 August), companies offering public electronic communications networks or publicly available electronic communications services must: (i) notify ANACOM and CNCS, without undue delay, of any security incident with a significant impact on the operation of the networks or services; and (ii) inform the public. Regulation No. 303/2019 of ANACOM establishes the conditions under which electronic communications companies must disclose to the public any security breaches or integrity losses with significant impact, defines the rules and procedures for such reporting, sets obligations to carry out regular security audits and submit reports to ANACOM in line with specific requirements, and imposes the duty to implement a programme of security exercises, at least every two years, to assess and improve the adequacy of networks and services; and
(iv) Regarding the insurance sector: The Portuguese Insurance and Pension Funds Supervisory Authority (ASF) oversees cybersecurity in insurance companies. ASF has implemented Regulatory Standard No 9/2024-R for reporting severe ICT incidents and Standard No 7/2024-R concerning security, governance of ICT, and subcontracting to cloud computing providers in the management of pension funds by insurance companies.
CNCS has expressed its interest in publishing national regulations in collaboration with other national regulatory authorities.
-
What impact do international cybersecurity standards have on local laws and regulations?
International and European cybersecurity standards play a decisive role in shaping the Portuguese legal and regulatory framework. At the European level, Portugal, as an EU Member State, is bound to transpose directives into national law and to ensure the direct application of regulations. International standards, in turn, provide the operational and technical foundations that complement and support this legal framework.
Certifications against international standards are widely adopted to demonstrate adherence to best practice, build trust with regulators and clients, and strengthen organisational resilience. Although these standards are not legally binding in Portugal, CNCS expressly encourages alignment with them, recognising their value as instruments that complement binding legislation and promote a culture of cybersecurity by design.
The international standards most frequently incentivised or referenced by Portuguese regulators include:
(i) ISO/IEC 27001: sets out the requirements for information security management systems;
(ii) ISO/IEC 27002: provides a code of practice for information security controls, offering detailed guidance on the implementation of security measures that support the principles and requirements set out in ISO/IEC 27001;
(iii) ISO/IEC 27005: addresses information security risk management, establishing a structured process for identifying, assessing, and treating risks, and ensuring alignment with the risk management requirements of ISO/IEC 27001;
(iv) ISO/IEC 27011:2016 or Recommendation ITU-T X.1051 (04/2016): adapts the guidance of ISO/IEC 27002 to the specific needs of telecommunications organisations, setting out best practices for information security management in this highly regulated and strategically sensitive sector;
(v) ISO 22301: defines the requirements for business continuity management systems, focusing on organisational resilience, the ability to respond effectively to disruptive incidents, and the protection of critical services;
(vi) NIST Cybersecurity Framework: a framework of non-mandatory principles aimed at supporting organisations in assessing and strengthening their capacity to anticipate, identify, and address cybersecurity risks; and
(vii) European Cybersecurity Certification Scheme (EUCC): builds upon internationally recognised standards, namely ISO/IEC 15408 (Common Criteria for Information Technology Security Evaluation) and ISO/IEC 18045 (Evaluation Methodology for IT Security). These standards form the basis for assessing and certifying the security properties of ICT products and services, and their integration into EU certification schemes ensures consistency and mutual recognition across Member States, including Portugal.
-
Do the cybersecurity laws in your jurisdiction impose obligations in the context of cybersecurity incidents? If so, how do such laws define a cybersecurity incident and under what circumstances must a cybersecurity incident be reported to regulators, impacted individuals, law enforcement, or other persons or entities?
Cybersecurity legislation in Portugal establishes a comprehensive framework of obligations concerning the management and reporting of cybersecurity incidents. These obligations primarily stem from the Legal Framework for Cyberspace Security, Decree-Law No. 65/2021, and DORA, each of which addresses incident definitions and reporting requirements in distinct contexts.
Definition of Cybersecurity Incidents
The Legal Framework for Cyberspace Security defines a cybersecurity incident as “an event with an actual adverse effect on the security of networks and information systems” (Article 3, paragraph c)).
Incident-related reporting obligations:
Public administration entities, critical infrastructure operators, essential services operators and digital service providers must report ICT-related incidents with relevant or substantial impact through an initial, interim, and final report (Articles 11 to 15 of Decree-Law 65/2021).
The specific notification requirements vary depending on the type of entity. For instance:
(i) Pursuant to Article 15 of the Legal Framework for Cyberspace Security, public administration entities and critical infrastructure operators must notify CNCS of incidents with a significant impact on the security of networks and information systems, within the applicable legal deadlines. Notifications should include information enabling the assessment of cross-border impact and take into account factors such as the number of users affected, the duration, and the geographical spread of the incident. Such notifications do not create additional liability for the reporting entity, and CNCS may provide feedback or, after consulting the notifier, disclose specific incidents in the public interest;
(ii) Pursuant to Article 17 of the Legal Framework for Cyberspace Security, essential services operators must notify CNCS of incidents that have a significant impact on the continuity of the essential services they provide, within the applicable legal deadlines. Notifications should enable the assessment of cross-border impact and take into account factors such as the number of users affected, the duration, and the geographical spread of the incident. Such notifications do not create additional liability for the reporting operator. Based on the information received, CNCS informs the single points of contact of other Member States when the continuity of essential services is affected abroad, while safeguarding the operator’s security, interests and confidentiality. CNCS may also provide feedback to assist with incident handling and, after consulting the notifier, may disclose incidents in the public interest. Where an operator relies on a third-party digital service provider, it must also notify any major impact arising from incidents affecting that provider;
(iii) Pursuant to Article 3 (4) of the Legal Framework for Cyberspace Security, digital service providers are subject to Commission Implementing Regulation (EU) 2018/151 of 30 January 2018, regarding security requirements and incident notification; and
(iv) The notifications sent by the operators of critical infrastructures shall include information enabling CNCS to determine the cross-border impact of incidents. CNCS takes into consideration: (i) the number of users affected; (ii) the duration of the incident; and (iii) the geographical distribution with regard to the area affected by the incident to determine the scale of the incident’s impact. With regard to digital service providers, CNCS further takes into account: (iv) the severity of the disruption to the operation of the service; and (v) the extent of the impact on economic and societal activities.
(v) According to Article 60 of the Portuguese Law on Electronic Communications, companies offering public electronic communications networks or publicly available electronic communications services must: (i) notify the ANACOM and CNCS, without undue delay, of any security incident with a significant impact on the operation of the networks or services; and (ii) inform the public.
-
How are cybersecurity laws in your jurisdiction typically enforced?
The Legal Framework for Cyberspace Security designates CNCS as the National Cybersecurity Authority. From a regulatory perspective, CNCS is vested with the power to issue cybersecurity regulations and to oversee compliance with the applicable legal framework. In this capacity, CNCS may initiate administrative proceedings against offenders and impose fines.
As for the DORA Regulation, the national competent authorities are the Bank of Portugal, the Portuguese Securities Market Commission (“CMVM”) and the Insurance and Pension Funds Supervisory Authority (“ASF”), depending on the type of entity being supervised. These sectoral authorities work in close cooperation with CNCS.
-
What powers of oversight / inspection / audit do regulators have in your jurisdiction under cybersecurity laws?
In Portugal, CNCS, acting as the National Cybersecurity Authority, is entrusted with broad oversight, supervisory and sanctioning powers under the Legal Framework for Cyberspace Security. CNCS exercises functions of regulation, supervision, inspection and enforcement. It may issue binding cybersecurity instructions, define the national cybersecurity alert level, and provide prior opinions on any legislative provisions concerning cybersecurity. In addition, CNCS is responsible for conducting supervisory and inspection activities to verify compliance, for initiating and instructing administrative offence proceedings in cases of breaches, and for applying sanctions, with fines imposed by its highest-ranking official.
The national Computer Security Incident Response Team is CERT.PT, which operates within CNCS. Among its responsibilities, CERT.PT is mandated to monitor incidents with national-level implications and to intervene in the response, analysis, and mitigation of such incidents.
CNCS likewise fulfils the functions of the National Cybersecurity Certification Authority, pursuant to Decree-Law No. 65/2021, which implements Regulation (EU) 2019/881.
-
What is the range of sanctions (including fines and penalties) for violations of cybersecurity laws in your jurisdiction?
Under the Legal Framework for Cyberspace Security, fines range as follows:
(i) From EUR 1,000 to EUR 3,000, in the case of a natural person, and from EUR 3,000 to EUR 9,000, in the case of a legal person, for serious infringements. Negligence is punishable, with the minimum and maximum limits of fines reduced by half.
(ii) From EUR 5,000 to EUR 25,000, in the case of a natural person, and from EUR 10,000 to EUR 50,000, in the case of a legal person, for very serious infringements. Negligence is punishable, with the minimum and maximum limits of fines reduced by half.
According to Decree-Law 65/2021, fines range from EUR 1,000.00 to EUR 3,740.98 in the case of natural persons, and from EUR 5,000.00 to EUR 44,891.81 in the case of legal persons.
After the transposition of the NIS2 Directive, fines will range from EUR 250.00 to EUR 10,000,000.00 or 2% of the annual turnover, whichever is higher, depending on the severity of the infraction, the classification of the entity and any aggravating or mitigating circumstances.
Failure to comply with DORA provisions may lead to administrative fines of:
(i) Up to 2% of an undertaking’s total annual worldwide turnover, or up to 1% of its average daily worldwide turnover;
(ii) Natural persons as well as legal persons may be subject to fines of up to EUR 1,000,000; and
(iii) Critical third-party ICT service providers supporting financial entities may incur even more severe penalties, with fines reaching up to EUR 5,000,000 for legal persons and EUR 500,000 for natural persons.
In addition, under Law No. 109/2009, of 15 September, the practice of unlawful conduct may give rise to criminal liability, including, among others, the following scenarios:
(i) Computer-related forgery: In general terms, the intentional introduction, modification, deletion, or suppression of computer data, or any other interference with data processing, carried out with the purpose of producing inauthentic data or documents, with the intent that they be considered or used as genuine for legally relevant purposes. This offence is punishable with a prison sentence of up to 5 years or a fine of 120 to 600 day-fines.
(ii) Damage to computer programs or other data: Whoever, without legal permission or authorisation from the owner or other lawful right-holder of the system (or part thereof), deletes, alters, destroys (in whole or in part), damages, suppresses, or renders unusable or inaccessible computer programs or other data belonging to another, or otherwise affects their capacity for use, commits an offence punishable with a prison sentence of up to 3 years or a fine. If the damage caused is of high value, the offence is punishable with a prison sentence of up to 5 years or a fine of up to 600 day-fines. If the damage caused is of considerably high value, the offence is punishable with a prison sentence of 1 to 10 years.
(iii) Computer sabotage: Whoever, without legal permission or authorisation from the owner or other lawful right-holder of the system (or part thereof), hinders, prevents, interrupts, or seriously disrupts the functioning of a computer system by introducing, transmitting, deteriorating, damaging, altering, deleting, blocking access to, or suppressing programs or other computer data, or by any other form of interference with a computer system, commits an offence punishable with a prison sentence of up to 5 years or a fine of up to 600 day-fines. The offence is punishable with a prison sentence of 1 to 5 years if the damage resulting from the disruption is of high value. The offence is punishable with a prison sentence of 1 to 10 years if: (i) the damage resulting from the disruption is of considerably high value; or (ii) the disruption seriously or durably affects a computer system supporting an activity intended to ensure critical social functions, namely supply chains, health, safety and the economic well-being of persons, or the regular functioning of public services.
(iv) Unlawful access: Whoever, without legal permission or authorisation from the owner or other lawful right-holder of the system (or any part thereof), gains access to a computer system in any manner, commits an offence punishable by a prison sentence of up to 1 year or a fine of up to 120 day-fines. The offence is punishable with a prison sentence of up to 2 years or a fine of up to 240 day-fines if the access is intended to obtain data recorded on, incorporated in, or pertaining to a payment card or any other physical or virtual device that enables access to a system or means of payment. It is punishable with a prison sentence of up to 3 years or a fine if access is obtained by breaching security rules or if, through such access, the agent obtains data recorded on, incorporated in, or pertaining to a payment card or any such device. The offence is punishable with a prison sentence of 1 to 5 years if, through the access, the agent becomes aware of a trade or industrial secret or other confidential data protected by law, or if the financial or patrimonial benefit obtained is of considerably high value.
(v) Unlawful interception: Whoever, without legal permission or authorisation from the owner or other lawful right-holder of the system (or any part thereof), and by technical means, intercepts computer data transmissions taking place within a computer system, destined to it or originating from it, commits an offence punishable with a prison sentence of up to 3 years or a fine.
(vi) Unlawful reproduction of a protected program: Whoever unlawfully reproduces, distributes, or communicates to the public a computer program protected by law commits an offence punishable with a prison sentence of up to 3 years or a fine.
Under Law No. 52/2003, of 22 August, crimes involving the breach of cybersecurity measures that can qualify as terrorist offences – namely, unlawful interference with an information system or its data, carried out through a computer program, password, access code, or similar means, where such conduct affects a significant number of systems, causes serious damage, or targets critical infrastructure – are punishable with a prison sentence of 2 to 10 years. Furthermore, any person who publicly broadcasts a message inciting the commission of such acts is punishable with a prison sentence of 1 to 5 years, or 1 to 6 years if the conduct is carried out through electronic communication means.
Additional provisions of the Portuguese Criminal Code may likewise be applicable. In such cases, further penalties may apply.
-
Are there any guidelines or rules published regarding the calculation of such fines or thresholds for the imposition of sanctions?
CNCS has not yet issued specific guidance on the calculation of fines for breaches of cybersecurity provisions. At present, such fines are determined in accordance with the degree of seriousness of the infringement and the level of culpability.
-
Are enforcement decisions open to appeal in your jurisdiction? If so, please provide an overview of the appeal options.
Yes. Decisions, orders, and other measures adopted by administrative authorities in the course of proceedings are subject to judicial challenge by the defendant or by the person to whom they are addressed. The appeal may be lodged by the defendant or their legal counsel. It must be submitted in writing to the administrative authority that imposed the fine within 20 days from the date on which the defendant was notified of the decision. The appeal must include both the statement of grounds and a summary of conclusions. CNCS then forwards the appeal to the competent court, which will re-examine the facts and the application of the law. In certain cases, further appeal to the Court of Appeal is available.
-
Are there any identifiable trends or regulatory priorities in enforcement activity in your jurisdiction?
The most pressing priority remains the transposition of the NIS2 Directive. In its Cybersecurity in Portugal Report (2024), CNCS emphasised that, given the increasing sophistication of cyber threats, strengthening the human factor is essential across public administration, the private sector, and academia. The report highlights the particular vulnerability of local governments, which are often targeted by ransomware, and of SMEs, which, despite limited resources, continue to be attractive targets for cyberattacks.
CNCS has so far taken a proactive, largely supportive approach, focusing on awareness-raising through the publication of technical recommendations, guides, and frameworks, rather than on sanctioning. Its guiding principle has been to reduce risks and potential damage by cultivating a culture of compliance with legal standards. This emphasis is evident in the relatively limited use of penalties for cybersecurity breaches. Instead, CNCS has been especially active in organising events, publishing newsletters, and drafting codes of best practice and standards to reinforce compliance across the Portuguese market. A recent milestone in this strategy has been the publication of several reports assessing cybersecurity conditions and practices across different sectors. While these reports do not constitute enforcement actions in themselves, they mark an important preparatory step in that direction. By setting out structured analyses, comparative baselines, international references, and recommendations, these reports may also encourage other jurisdictions to monitor market practices more closely.
Portugal: Data Protection & Cybersecurity
This country-specific Q&A provides an overview of Data Protection & Cybersecurity laws and regulations applicable in Portugal.