Portugal Passes GDPR Implementation Law

The Portuguese data protection law implementing the European Union’s General Data Protection Regulation (GDPR) published on August 8, 2019—more than 15 months after the GDPR became effective. The GDPR sets certain standards and baselines but leaves the responsibility to each Member State to implement their own compliant law. Portugal is the third-to-last Member State to update its national data protection laws to comply with the GDPR. 

The law applies to the processing of all personal data carried out in Portugal, “regardless of the public or private nature of the controller or the processor,”[1] and including public interest missions. It may also apply to data processing outside of Portugal when the processing is performed for an entity in Portugal or affects individuals in Portugal.  

The law lays out “[v]ery serious offenses,” which include processing personal data without consent or otherwise in violation of certain provisions articles of the GDPR, charging unreasonable fees to provide information under article 12 of the GDPR, and refusal to provide information collected on an individual. The law includes data retention periods based on the type of data. The right to be forgotten may only be exercised after the end of the retention period.

Penalties range between €5,000 to €20,000,000, or 4% whichever is greater, on companies and a maximum penalty of €500,000 for a natural person. In determining fines, the data protection authority considers at least three factors: the economic situation of the violating entity, the continuing nature of the infraction, and the size of the violating entity.

Notably, the law allows for liability of corporate officers. Article 46 states that “any person” who uses the data for reasons other than that for which it was collected can be punished with up to one year’s imprisonment. Further, the law specifies that “[a]nyone who, due to professional confidentiality legal obligations, without legal grounds and without proper consent, discloses in whole or in part personal data” can also face up to one year in prison, and doubles that for data protection officers or those seeking illegitimate personal gain.

Tip: Given the evolving international data protection laws, companies should understand what data their websites collect and identify the global privacy laws that may be triggered.


[1] English translations come from a translation found at https://www.servulo.com/en/knowledge/Last-but-not-least-Portugal-has-finally-implemented-legislation-for-the-execution-of-the-GDPR/6633/

This entry has been created for information and planning purposes. It is not intended to be, nor should it be substituted for, legal advice, which turns on specific facts.