Data Protection and Personal Privacy Legislation in Portugal
Portuguese Law No. 58/2019 of 8 August is a data privacy law passed in 2019. It was enacted to implement the provisions of the European Union’s General Data Protection Regulation (GDPR) into Portuguese law, since Portugal is a member state of the European Union and the GDPR allows member states to adopt their own national data protection legislation. As such, Portuguese Law No. 58/2019 of 8 August and the GDPR together form the primary legal basis on which data processing activities may be carried out within Portugal. The two laws also establish the penalties that data controllers and processors face should they fail to comply.
What are the variations between Portuguese Law No. 58/2019 of 8 August and the EU’s GDPR law?
While the key definitions, scope and application, and rights of data subjects are largely identical between Portuguese Law No. 58/2019 of 8 August and the EU’s GDPR, certain aspects of the two laws differ. For example, Portuguese Law No. 58/2019 of 8 August mandates that the “processing of personal data for scientific or historical research purposes:”
- Shall respect the principle of data minimization and shall include the anonymization or pseudonymization of the personal data wherever possible;
- Does not allow the exercise of the rights of access, rectification, restriction of processing and object, provided for in Articles 15, 16, 18, and 21 of the GDPR, as necessary, if those rights could seriously undermine or render impossible the achievement of these purposes.
In addition, Portuguese Law No. 58/2019 of 8 August gives the Portuguese data protection authority, the CNPD, the legal authority to enforce the provisions set forth in the law. To this end, the CNPD “published Regulation No. 1/2018 concerning the list of processing activities subject to a DPIA, which contains a non-exhaustive list of operations for which a DPIA is required to be conducted prior to the start of the processing activities.” These operations include, but are not limited to, the following:
- The “processing of information arising from the use of electronic devices which transmit, through communication networks, personal data relating to health;”
- The “interconnection of personal data or processing relating to special categories of personal data or personal data relating to criminal convictions and offenses or data of a highly personal nature;”
- The “processing of special categories of personal data or personal data relating to criminal convictions and offenses or data of a highly personal nature, where such data is not collected directly from the data subject and it is not possible or feasible to ensure compliance with the GDPR’s information duties;”
- “The processing of personal data which involves or consists of large-scale profiling;”
Furthermore, while the EU’s GDPR mandates that organizations that collect and process personal data appoint a data protection officer (DPO) to oversee such activities, Portuguese Law No. 58/2019 of 8 August additionally requires DPOs to perform specific data protection tasks. These tasks include ensuring that both scheduled and unscheduled audits are carried out; raising the awareness of data controllers and processors within Portugal of the importance of detecting security breaches and incidents in a timely manner and of informing all affected parties; and ensuring that data subjects within Portugal understand how Portuguese Law No. 58/2019 of 8 August and the EU’s GDPR protect their privacy rights.
What are the differences between Portuguese Law No. 58/2019 of 8 August and the EU’s GDPR law in terms of enforcement?
While penalties under the EU’s GDPR include administrative fines of up to €20 million ($22,526,200) or up to 4% of the total worldwide annual turnover of the preceding year, whichever amount is higher, Portuguese Law No. 58/2019 of 8 August also establishes administrative fines that data controllers and processors operating within the country stand to face should they violate the rights of data subjects under the law. What’s more, Portuguese Law No. 58/2019 of 8 August states that certain actions relating to data protection and personal privacy also carry criminal liability. Such liabilities include, but are not limited to:
- Any natural or legal person who uses personal data in a way that is incompatible with the purpose of the collection shall be liable to up to one year’s imprisonment or a fine;
- Any natural or legal person who, without due authorization or justification, accesses, by any means, personal data, shall be liable to up to one year’s imprisonment or a fine;
- Any natural or legal person who copies, subtracts, relinquishes, or transfers personal data, whether for a consideration or free of charge, without legal provision or consent, regardless of the purpose pursued, shall be liable to up to one year’s imprisonment or a fine;
Through the passing of Portuguese Law No. 58/2019 of 8 August, the provisions of the EU’s GDPR were implemented into Portuguese legislation. More importantly, the law provides data subjects within the country with a further layer of protection for their personal data. Most notably, the provisions allowing the CNPD to pursue criminal liability against data controllers and processors who violate the law are highly significant, as the applicable penalties under the EU’s GDPR are largely monetary in nature. As such, data controllers and processors operating within Portugal face a range of consequences should they fail to uphold the rights of Portuguese citizens at all times.