Data Protection in Portugal

From GDPRhub
Data Protection in Portugal
Pt.png
Data Protection Authority: CNPD (Portugal)
National Implementation Law (Original): Lei n.º 58/2019
English Translation of National Implementation Law: n/a
Official Language(s): Portuguese
National Legislation Database(s): Link
English Legislation Database(s): Link
National Decision Database(s): Link

Legislation

History

Portugal has recognized the protection of personal data as a fundamental right since the 1976 Constitution.

Portugal enacted its first comprehensive data protection law in 1991 (Law No. 10/91), which established the Portuguese supervisory authority.

National constitutional protections

The Portuguese Constitution contains specific norms on the protection of privacy and personal data and the confidentiality of communications, namely in Articles 26 and 34.

However the key provisions in the field of personal data protection is in its Article 35, which stipulates that the concept of personal data and the possibilities for processing and protection will be defined by the law. The same article reaffirms the data subjects' rights.

Article 35 of the Constitution also establishes that it is prohibited the attribution to an unique national number to citizens.

National GDPR implementation law

In Portugal the GDPR is implemented by the Lei n.º 58/2019.

Age of consent

In Portugal the Age of consent is 13 years old.

Freedom of Speech

Article 24 of Law No. 58/2019 addresses the balance between the right to data protection and the freedom of expression and information. The processing of personal data for journalistic, literary, artistic, or academic purposes must balance the rights and freedoms of data subjects. The exercise of freedom of information, especially when revealing sensitive personal data and personal data of deceased individuals, must respect the human dignity principle and personality rights as enshrined in the Portuguese Constitution and national legislation. Additionally, the freedom of expression does not justify the disclosure of personal data such as addresses and contacts, except for those widely known.

Employment context

Employers may process the personal data of their employees for the purposes and within the limits defined in the Portuguese Labor Code, Law No. 7/2019 and respective supplementary legislation or in other sectorial regimes, with the specificities established in the law.

Workplace Surveillance: Recorded images and other personal data recorded through video systems or other technological means of remote surveillance, as provided for in Article 20 of the Portuguese Labor Code, may only be used in criminal proceedings. In this scenario, the recorded images and other personal data may also be used for the purposes of ascertaining disciplinary responsibility, to the extent that they are used in criminal proceedings.

Biometric Data: Processing of biometric data of employees is only considered legitimate for controlling attendance and for controlling access to the employer's premises. It must be ensured that only representations of the biometric data are used and that the respective collection process does not allow for the reversibility of said data (Article 28(6) of Law No. 58/2019).

Under the national GDPR enforcement Law, employee consent is not a lawful basis for personal data processing if the processing either: results in a legal or economic advantage for the employee (Article 28(3)(a), Law No. 58/2019); is necessary for the performance of the employment contract (Article 28(3)(b) Law No. 58/2019). However, under the CNPD Resolution 494/2019, the CNPD will not apply Article 28(3)(a) because it excessively restricts an employee's right to informational self-determination; and contravenes GDPR Articles 6(1)(a) and 9(2)(a).

Research

The Portuguese Law, in line with Article 89 GDPR, permits controllers to limit certain data subject rights when processing personal data for archiving purposes in the public interest, scientific or historical research, or statistical purposes. Controllers may restrict these rights if honoring them prevents or significantly hinders the achievement of the processing purposes (Article 31, Law No. 58/2019).

Other relevant national provisions and laws

  • Law No. 12/2005 of January 26, which contains specific provisions regarding data protection on genetic and health information.
  • Law No. 59/2019 of August 8, approves the legal (general) framework on the processing of personal data for the purposes of preventing, detecting, investigating, or prosecuting criminal offenses or executing criminal sanctions, transposing Directive (EU) 2016/680 of the European Parliament and of the Council, of April 27, 2016.
  • Law No. 18/2024, of February 5, which regulates access to metadata in the context of criminal investigations, altering Law No. 32/2008, of July 17, which had transposed Directive 2006/24/CE of the European Parliament and of the Council of March 15 2006, following two Constitutional Court decisions (268/2022 and 800/2023).

National ePrivacy Law

The ePrivacy Directive 2002/58/EC was transposed by the Law 41/2004 which regulates marketing calls, emails and texts, cookies, customer privacy as regards traffic and location data, The CNPD has issued guidelines on electronic direct marketing communications CNPD's Guidelines No 1/2022.

Data Protection Authority

The Comissão Nacional de Protecção de Dados is the national data protection authority for Portugal.

→ Details see CNPD (Portugal)

Judicial protection

Civil Courts

Tribunal da Relação de Lisboa - 842/16.5T8ALQ.L1-3 on the monitoring the speed of vehicles through radar and the use of photographic evidence provided by radars on criminal and administrative proceedings, without infringing the right to privacy of drivers.

Tribunal da Relação de Coimbra - 4354/19.7T8CBR-A.C2 on balancing the fundamental right to equal pay for equal work with the right to privacy of workers not included in the lawsuit.

Administrative Courts

Supreme Administrative Court - 0856/20.0BELRA on the understanding of the National Tax Number of the owner of a building as personal data, protected under the right to privacy, or personal data that should be publicly available, under the right of information.

Constitutional Court

Tribunal Constitucional - Ruling 464/2019 on whether the access to traffic data provided for in articles 3 and 4 of the Organic Law of SIS and SIED (Portuguese national security and information agencies) by information officers conforms to the exception contained in the second part of n. 4 of article 34 of the CRP, which allows access to data of this nature in the cases provided for by the law in the area of ​​criminal proceedings.