The Privacy, Data Protection and Cybersecurity Law Review: Portugal

Overview

Portugal, as a Member State of the European Union, is subject to the EU data protection regulation, notably Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).

The GDPR is complemented by Law No. 58/2019, of 8 August 2019, implementing the Regulation in the national legal order (Implementation Law)2 and repealing the former Portuguese data protection Law No. 67/98, of 26 October 1998. Law No. 58/2019 further amended and republished Law No. 43/2004, of 18 August 2004, on the organisation and operation of the Portuguese data protection supervisory authority, the National Data Protection Commission (CNPD).

With the coming into force of the GDPR, the issues of privacy and cybersecurity have taken a central position both in social and political concerns, as well as in business strategies.

Additionally, the pandemic has brought remote working to the forefront, forcing companies not only to process large quantities of data remotely, namely via the cloud, but also to increase security measures to ensure confidentiality and cybersecurity.

Matters involving health reporting, such as mobile applications for covid-19 tracking (e.g., the StayAway covid app) and temperature measuring (and storage of respective data) at workplaces or the entrance of enclosed areas, have demonstrated that the balance between privacy and data protection and the public interest is as complex as it looks in the law books.

In short, the local economy and society have woken up to a reality that, until the GDPR, was seen as secondary, but that is now imposing the need to carefully reflect and decide on issues such as cloud computing, cybersecurity threats, public interest and health reporting.

The year in review

One of the main legislative developments worth mentioning from the past year is the approval of Decree-Law No. 65/2021, of 30 July, regulating Law No. 46/2018, of 13 August 2018, on the legal framework for cyberspace security and defining the obligations regarding cybersecurity certification pursuant to Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019.

The Portuguese Charter of Human Rights in the Digital Age3 was also passed recently, including, among other things, the right to be forgotten and the right to protection against abusive geolocation.

Temporary legislation related to the pandemic has also been enacted in the past year, such as Decree-Law No. 20/2020, of 1 May, approving exceptional measures in the context of covid-19 (in particular, workplace body temperature measurements), and Decree-Law No. 52/2020, of 11 August, regulating the StayAway covid system.

The past year has also witnessed increased activity by the CNPD.

Upon being consulted on the processing of data arising from the use of video surveillance systems for monitoring coastal areas with limitations on fishing activity in the autonomous region of the Azores, the CNPD has authorised the Portuguese National Guard to patrol areas with a high risk of wildfire using fixed cameras as well as remotely piloted aircraft systems.4

The CNPD has also issued formal opinions on the processing of personal data through the StayAway covid application5 and the Portuguese Environment Agency's system for identifying the occupancy rate of beaches (Smart Crowd).6

Following a Portuguese municipality's disclosure on social media of data concerning two citizens diagnosed with covid-19 after travelling to another country, the CNPD investigated the matter and concluded that the municipality had infringed the GDPR by revealing personal health information and details of the patients' travel records, which in turn could easily identify them. However, after taking into account the financial situation of the public sector, and also, as a mitigating factor, the absence of economic benefit arising out of the infringement, the CNPD imposed a fine of (only) €2,500.7

More recently, the CNPD completed its investigation into the transfer by a municipality to third parties of personal data submitted by the promoters of demonstrations. According to the CNPD, the municipality had been communicating the personal data of such promoters to diplomatic representations and other foreign entities, thus violating the demonstrators' fundamental right to data protection and putting them at serious risk.

Finally, we highlight the recent creation of technological free zones (TFZs, regulated by Decree-Law No. 67/2021, of 30 July). These TFZs consist of real environments intended for the safe testing by promoters of innovative technologies, products, services and technology-based processes, with the support of and monitoring by the respective competent authorities. Although the legal regime stresses that promoters of TFZs are required to protect the personal data of participants in the projects developed within such TFZs, and to ensure their free, informed and express consent for the purpose, the fact is that TFZs are aimed at seizing new spaces of opportunity opened up by the advent of new technologies (such as artificial intelligence, blockchain, the IoT, etc.), by accelerating research, demonstrations and testing of technology, and by attracting foreign investment in the area of technology.

Regulatory framework

i Privacy and data protection legislation and standards

The Portuguese Constitution contains specific norms on the protection of privacy and personal data and the confidentiality of communications.8 Article 26 establishes that all citizens shall have the right to a personal identity, image and respect for the privacy of their personal and family life, and that the law must set out effective guarantees against the procurement and misuse of information concerning individuals and their families, as well as its use contrary to human dignity. Article 34 further determines that personal homes and the secrecy of correspondence and other means of private communication are inviolable and prohibits interfering in any way with correspondence or other means of communication, except as provided by law in relation to criminal proceedings.

The key provision of the Portuguese legal system in the field of personal data protection is, however, Article 35, which reads as follows:

1. All citizens shall have the right to access to all computerised data relating to them, including the right to rectify and update them, as well as the right to be informed of the purpose for which they are intended, as set out in the law.
2. The law shall define the concept of personal data, as well as the terms and conditions applicable to their automatic treatment and connection, transmission and use, and shall guarantee their protection, particularly by means of an independent administrative body.
3. Information technology shall not be used to treat data concerning philosophical or political convictions, party or trade union affiliations, religious beliefs, private life or ethnic origins, except if the data subject consents, if authorised according to the law and with sufficient guarantees of non-discrimination or for the purpose of processing statistical data that cannot be individually identified.
4. Third party access to personal data shall be prohibited, except in exceptional cases, as established by law.
5. The allocation of an individual national number to any citizen shall be prohibited.
6. All citizens shall be guaranteed free access to public-use computer networks, and the law shall define both the rules that shall apply to cross-border data flows and the appropriate means of protecting personal data and any other data that may be justifiably safeguarded in the national interest.
7. Personal data contained in physical files shall have the same level of protection as that established in the preceding articles, in accordance with the law.

On a legal level, the protection of personal data is primarily regulated by the GDPR, which came into force across the European Union on 25 May 2018. The GDPR is occasionally derogated by the Implementation Law, but only in matters where the European regulation allows it, such as, for example, in the extension of the personal data protection regime to certain data of deceased persons.

In addition to the Implementation Law, privacy and data protection are also governed in Portugal by the following regulations passed before the GDPR came into force across the European Union on 25 May 2018:

  1. Law No. 41/2004, of 18 August,9 which transposed Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 on the processing of personal data and the protection of privacy in the electronic communications sector into the Portuguese legal order, applicable to personal data processing in the context of networks and electronic communication services available to the public, complementing the general data protection legislation.
  2. Law No. 46/2018, of 13 August,10 which approved the legal regime for the security of cyberspace, and transposed into the national order Directive 2016/1148 of the European Parliament and of the Council of 6 July 2016 on measures to ensure a high common level of security of networks and information systems throughout the Union.
  3. Law No. 109/2009, of 15 September, setting out the substantive and procedural criminal framework for cybercrime and the collection of electronic evidence, implementing into Portuguese law Council Framework Decision 2005/222/JHA of 24 February 2005, on attacks against information systems, and adapting into national law the Convention on Cybercrime of the Council of Europe.

The provisions of the Portuguese Criminal Code are also subsidiarily applicable to the offences set out in the GDPR and the Implementation Law. The Criminal Code is also of relevance to the extent that it regulates unlawful surveillance and breach of privacy and establishes that evidence obtained as a result of the violation of an individual's privacy, home, correspondence or telecommunications, without his or her consent, shall be prohibited.

ii General obligations for data handlers

Obligations for data controllers are mainly those provided for in the GDPR.

Additionally, the CNPD's deliberations and resolutions set out mandatory formal requirements and standards for the approval or exemption of certain types of processing, and the authority's decisions in particular cases and its general guidelines are available on its official website. Although some of these rules do not have the force of law and are not exhaustive, and their enforcement may occasionally even be quite flexible, practice shows that they have been welcomed and widely implemented by controllers and legal actors, thus acquiring the force of positive law in practice.

This is the case with CNPD Regulation 1/2018, of 16 October, which approves the list of personal data processing subject to a data protection impact assessment, in addition to those measures provided for in Article 35(3) of the GDPR.

The CNPD also requires controllers to register the contact details of their data protection officers (DPOs) and any changes thereto through a specific form available on the CNPD's website.

iii Data subject rights

As with obligations of the data handler, data subjects' rights are primarily contained in the GDPR. However, the Implementation Law has introduced specific aspects regarding these rights, such as:

  1. rights relating to personal data of deceased persons, namely the rights of access, rectification and erasure, which are exercised by whoever the deceased person has designated for that purpose or, in their absence, by the respective heirs;
  2. the right to data portability, provided for in Article 20 of the GDPR, which shall only cover the data provided by the respective data subjects; and
  3. the right to erase personal data published in an official journal, which is of an exceptional nature and can only be exercised pursuant to Article 17 of the GDPR in cases where this is the only way to safeguard the right to be forgotten, considering the other interests at stake.

Additionally, when personal data is processed for archiving purposes for reasons of the public interest, scientific or historical research or statistical data, the rights of access, rectification, limitation of processing and opposition provided for in Articles 15, 16, 18 and 21 of the GDPR shall not apply insofar as such rights are likely to render impossible or seriously impair the achievement of the specific purposes of the processing.

iv Specific regulatory areas

Privacy in the workplace is subject to a specific framework. Article 22 of the Labour Code establishes a general principle of confidentiality that protects communications of a personal nature exchanged by employees during the exercise of their functions.11 The Implementation Law further establishes that employees' images and other personal data processed through video systems or remote surveillance methods may only be used within the scope of criminal and disciplinary proceedings. Additional guidelines have been approved by the CNPD specifically for the monitoring of employees' use of email and the internet.12

Decree-Law No. 131/2014, of 29 August, sets out the specific regime for the protection and confidentiality of genetic information, human genetic databases for healthcare and health research purposes, conditions for offering and carrying out genetic tests, and the terms under which medical genetics consultation is provided. In turn, Law No. 21/2014, of 16 April (amended by subsequent regulations), approving the legal framework for conducting clinical trials and other clinical studies in Portugal, establishes a specific regime for protection of personal data processed in connection with those trials.

Video surveillance is subject to the specific provisions of Decree-Law No. 35/2004, of 21 February, governing the provision of private security services, according to which the providers of security services shall be authorised to install video cameras and record images and sounds. Such records may only be kept for 30 days and disclosed to police and judicial authorities pursuant to criminal procedure law.

Law No. 41/2004 regulates the processing of personal data within the context of publicly available electronic communications services and networks by the relevant providers, specifying and complementing the provisions of the general data protection legislation, and establishes that electronic communications services providers must work together to take appropriate technical and organisational measures to safeguard security of their services and, if necessary, the security of the network itself.

v Technological innovation

Distance learning

The CNPD issued specific guidelines on the use of technologies to support distance learning in 2020, providing orientation to universities that wish to implement remote evaluation procedures.13

According to the CNPD, the processing of that data can be based on the legitimate interest of the university, provided that the legitimate interest (balancing) test is met. Additionally, universities should be able to demonstrate, by carrying out a data protection impact assessment, that the rights and interests of data subjects do not prevail over the university's interest, and that no less intrusive alternatives to distance learning technologies are available.

Location tracking

According to the CNPD's guidelines on the use of geolocation devices in a working environment,14 as a rule, location data obtained through devices installed on employees' vehicles or on smart mobile devices, such as mobile phones or laptops, may only be processed pursuant to Law No. 41/2004, of 18 August, which requires anonymisation and the relevant data subject's consent. However, as consent is not generally considered a valid legal basis for the processing of employees' data, the CNPD is of the view that the use of location devices for remote surveillance should be accepted only for the protection and safety of people and goods, or when that use is justified by the specific nature of the activity concerned (e.g., provision of technical assistance within the scope of fleet management services; distribution of goods; transportation of goods or passengers; private security services; or transportation of hazardous materials or high-value goods), provided in both cases that geolocation data is not used to monitor employees' performance, either directly or indirectly.

Covid-19 tracking

The CNPD deliberation on the use of StayAway covid,15 a mobile application for contact tracing that sends notifications to users according to the risk of covid-19 contagion for each individual when in contact with someone infected, concluded that:

  1. the application should ensure its users have options that effectively give them the power to control the application;
  2. installation of the application on users' equipment should be optional; and
  3. the legal basis for processing of health data through this application, even for the purposes of covid-19 contagion tracking, is the users' consent.

Temperature screening

Temperature screening has been widely adopted by all sorts of organisations and employers to prevent or detect covid-19 infections pursuant to the Decree of the Portuguese Council of Ministers No. 8/2020, of 8 November. According to the CNPD's opinion on the processing of personal data pursuant to such Decree,16 the processing of data by digital thermometers corresponds to an automated processing of health data, which may potentially allow for the identification of data subjects when combined with other surveillance techniques. The CNPD considers that this sort of processing may be authorised in the public interest in the area of public health pursuant to Article 9 of the GDPR, provided, however, that certain conditions are met (e.g., no video recordings should be made, unless expressly permitted by the data subject, and digital thermometers should be preferred).

Biometrics

According to Article 28(6) of the Implementation Law, the processing of employees' biometric data is only considered legitimate for the control of attendance or access control to the employer's premises, provided that only representations of the biometric data are used and that the respective collection process does not allow the reversibility of this data.

The CNPD's former guidelines on the use of biometric data to control access and monitor the number of hours worked had already recognised the usefulness of biometric systems as a method for controlling access to premises or specific areas, as long as their use is either beneficial to or otherwise consented to by the relevant employees, and such systems are not used in combination with other technologies, such as video surveillance.17

International data transfer and data localisation

Portuguese law fundamentally follows the GDPR's provisions on non-domestic transfers of data, that is, transfers of data to third countries outside the European Union, according to which such transfers may only be carried out:

  1. to countries that, according to the EU, ensure an adequate level of protection ('white-listed' countries);18
  2. if specific safeguards are adopted (such as binding corporate rules or sets of model clauses approved by the European Commission); or
  3. on the grounds of one of the derogations of Article 49 of the GDPR (such as, e.g., the relevant data subjects' consent).

There are specific situations, however. Under Law No. 59/2019, of 8 August, on the processing of personal data for the purpose of preventing, detecting, investigating or prosecuting criminal offences or applying criminal sanctions, the transfer of data may only take place in specific circumstances such as those specifically indicated in the GDPR. In this context, Portuguese law allows the transfer of data without prior consent if this cannot be obtained in a timely manner and the transfer is necessary to prevent an immediate and serious threat to the public security of a Member State or a country or third party, or to the essential interests of a Member State. Law No. 59/2019 further establishes that the transfer of data to third countries carried out by public authorities shall be deemed to be based on the public interest in accordance with Article 49(4) of the GDPR.

Company policies and practices

The implementation of the GDPR has brought data protection into the spotlight. Moreover, as the public has begun to perceive data protection as an important issue, Portugal has witnessed a real shift in behaviour regarding this subject.

Companies now pay much greater attention to questions of personal data. This attention is applied not only to relevant aspects of their corporate and labour structure, such as ethics lines, privacy policies, compliance programmes, and email and internet use policies, but also to questions related to video surveillance, social networks, voice recordings and the development of marketing databases, among other aspects. However, there are still no relevant business or trade-association initiatives in relation to the definition and dissemination of codes and standards of conduct, or in the development of certification processes and 'seals' for specific economic sectors or activities. Possibly, this will undergo relevant evolution in the coming years.

Discovery and disclosure

Discovery and disclosure procedures are mainly regulated under Law No. 109/2009, of 15 September, which approved the substantive and procedural criminal framework for cybercrime and the collection of electronic evidence, implemented into the national order Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems, and adapted into national law the Convention on Cybercrime of the Council of Europe.

More recently, Law No. 59/2019 of 8 August has adopted the legal (general) framework on the processing of personal data for the purpose of preventing, detecting, investigating or prosecuting criminal offences or the execution of criminal sanctions, transposing Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016.

The general regime of Law No. 59/2019 is complemented by Law No. 32/2008 of 17 July governing the retention and transmission by providers of electronic communications services or networks of traffic and location data on both natural persons and legal entities, and of the related data necessary to identify the subscriber or registered user, for the purpose of the investigation, detection and prosecution of serious crime by the competent authorities. According to this specific regime, providers are required to retain certain data and to destroy data at the end of the period of retention other than data that is to be preserved by court order.

Finally, it should be noted that the principle of freedom of access to information is limited under several statutes on the grounds of personal privacy. This is the case under the Criminal Procedure Law, which sets out the rules on secrecy according to which, during the course of a criminal investigation, neither the police nor suspects can reveal any information regarding an investigation, particularly details about potential suspects. This is also the case with Law No. 46/2007, of 24 August, on access to administrative documents, under which data may be withheld for the purposes of protecting privacy.

Public and private enforcement

i Enforcement agencies

The Portuguese supervisory body in charge of enforcing the relevant privacy and personal data laws and regulations is the CNPD, an independent body that operates under the aegis of the Portuguese Parliament.

According to Law No. 43/2004, of 18 August (as amended by the Implementation Law), the CNPD's duties and responsibilities include:

  1. issuing non-binding opinions on legislative and regulatory measures on the matter of protection of personal data;
  2. monitoring compliance with the GDPR and other legal and regulatory provisions on the protection of personal data, and correcting and sanctioning non-compliance;
  3. making available a list of processing activities that require the carrying out of data protection impact assessments and the criteria for determining processing activities as of high risk; and
  4. proposing to the European Data Protection Board draft criteria for the accreditation of codes of conduct monitoring bodies and certification.

ii Recent enforcement cases

Some relevant situations of enforcement of personal data protection regulations by the CNPD have taken place recently.

One was the transfer of data collected in the recent Portuguese population census, which began in April 2021, to a third country (the US). On 27 April 2021, the CNPD initiated an investigation after several reports were filed by Portuguese citizens about the processing of their data in the context of the then-ongoing population census, as a result of which the CNPD imposed a suspension on the transfer of data to a major web infrastructure service provider based in the US.19 The CNPD considered that the supplier's infrastructure did not guarantee an adequate degree of protection under GDPR standards and that the Portuguese body responsible for carrying out the census (the Statistics Portugal authority, the INE) had not negotiated or imposed additional security measures or specific conditions upon the supplier, having only subscribed to the terms of the business plan made available on the supplier's website. As a result, the INE did not have control over the data, having no way of knowing whether data was being transferred to servers located outside the European Union or to other processors.

The CNPD further approved Deliberation 662/2021, of 11 May, imposing the elimination of all information on university students' exams taken remotely that was being processed and stored on servers located in the US. Such processing had been imposed upon students by a Portuguese university to prevent them from using non-authorised applications and to monitor their behaviour during exams.

Finally, we highlight the modification of two key decisions of the CNPD in the application of fines of significant value that could otherwise become landmarks in the enforcement of the GDPR.

One of these fines – €107,000 – was applied in 2019, taking into account that the controller had committed 46 misdemeanours in connection with the mass sending of unsolicited emails for direct marketing and advertising purposes without obtaining the recipients' prior consent.20 The controller appealed, and in 2020, while recognising the data protection violation, the court reduced the fine to €2,500, considering that the emails sent in 2011 and 2012 were already time-barred and that the facts were all part of a single course of conduct continuous over time.

The other fine – €380,000, the highest fine imposed by the CNPD since the GDPR came into force – was applied to a hospital whose internal authentication systems and access rules allowed social workers as well as more than 900 medical doctors (although there were only 296 doctors on the hospital's staff) to continue to actively access clinical repository accounts.21 In July 2020 the CNPD decided to accept the hospital's request for a waiver of the fine, considering that, in a pandemic context, the specific situation of the hospital and the specific public interest affected by the application of the fine prevail, in these exceptional circumstances, over the public interest in punishing the infringer.

iii Private litigation

Court decisions regarding private litigation in Portugal based on damage suffered as a result of GDPR violations are not yet known. However, under Portuguese civil law, any person who has suffered damage caused by unlawful actions of another party is entitled to receive compensation for the damage suffered. This general principle is fully compatible with Article 82(1) of the GDPR on the right to compensation that establishes the right of any person who has suffered material or non-material damage as a result of an infringement of the GDPR to receive compensation from the controller or processor for the damage suffered.

However, the controller may be exempt from this liability where it is not responsible for the act giving rise to the damage. In this regard, the Portuguese Civil Code essentially adopts the principles of tort liability, and thus the principles and provisions of the Civil Code will apply to determine the causal link between the controller or processor's behaviour and the damage suffered, the standard of behaviour expected and the amount of damages to be awarded.

Considerations for foreign organisations

The CNPD, despite having a relatively limited budget22 and not very abundant sanctioning activity,23 has historically taken a conservative approach, especially in matters involving the processing of employees' data or the use of technologies (such as drones or AI).

In this context, it is worth noting that the CNPD considered, even before the entry into force of the Implementation Law that extended the protection of personal data under the GDPR to certain data on deceased persons, that such data was to be considered personal data, thus opposing the public disclosure of the causes of death of the victims of the Portugal June 2017 wildfires.

It will be interesting to see how the CNPD will deal with the creation of the TFZs, regulated by Decree-Law No. 67/2021, of 30 July, and the possible lessening of legal requirements in favour of a testing environment for new technologies (see Section II). The projects developed therein, despite being subject to the GDPR and requiring the consent of participants, aim to accelerate innovation in new spaces of opportunity brought about by new technologies (such as AI, blockchain, IoT). An excessively conservative approach by the CNPD may, therefore, prevent the full realisation of this type of project.

Cybersecurity and data breaches

Law No. 46/2018, of 13 August 2018 (Law No. 46/2018), approved the cyberspace security legal framework and transposed into the national order Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 (NIS Directive).

Law No. 46/2018 requires certain operators to notify the Portuguese supervisory authority (CNCS) of any incidents with material impact on the continuity of the services they provide. Notifications must include all information required for the CNCS to assess the cross-border impact of incidents, and take into account the incident's parameters that are relevant for determining the incident's impact, such as the number of users affected, the duration of the incident and the geographical areas affected by it. The CNCS may then inform the public about specific incidents, after consulting with the notifying operator, on the grounds of public interest.

According to the recently enacted Decree-Law No. 65/2021, of 30 July, which regulates Law No. 46/2018, the public administration, critical infrastructure operators, essential service operators and digital service providers are now required to notify the CNCS within two hours of detection of an incident as well as indicate a permanent point of contact with the CNCS, available 24 hours a day seven days a week, and designate a security officer who will be responsible for managing security measures adopted to comply with security requirements and carry out any incident notifications, among other obligations.

The above regulations apply to cybersecurity regardless of the involvement of personal data. Personal data breaches are specifically regulated under the GDPR, and neither the Implementation Law nor the CNPD have established additional notification requirements or obligations. However, it should be noted that the CNPD makes available on its website a specific, comprehensive form for reporting data breaches.

Outlook

For years to come, privacy and cybersecurity will rightly be on the Portuguese agenda for several reasons, of which we highlight three.

First, there is the public attention generated by recent 'political' events, which led to a broad discussion about what should be considered compliance and about the role of DPOs in public administration. There is growing pressure from public opinion on matters of personal data protection, especially after the incidents involving the disclosure by a municipality of personal data of demonstrators to foreign embassies, and the various discussions raised by covid-19 tracking through mobile applications.

Secondly, Portugal is increasingly committed to investing in data-related projects, which will likely attract the interest of foreign companies. This is the case with Sines 4.0, which involves a €3.5 billion investment in the creation of a sustainable data processing megacentre in Sines, designed to handle the growing data processing needs of large and growing companies, with a capacity of up to 450 megawatts.

Finally, it is worth mentioning again the (pioneering and unprecedented) creation of the TFZs as part of the government's strategy to promote research and the real-environment testing of innovative technologies, products, services, processes and models in the country. These zones will essentially offer temporary testing environments for new technologies with lighter bureaucratic and compliance burdens, including, potentially, with regard to the level of compliance required in matters of privacy.

Footnotes

1 Jacinto Moniz de Bettencourt is a partner and Beatriz Assunção Ribeiro is an associate at CTSU Sociedade de Advogados SP, RL, SA.

2 Following the publication of the Implementation Law, the CNPD resolved in Decision No. 494/2019, of September 2019, to disregard and not apply certain provisions of that law, as they were considered to be in contradiction with the GDPR. Such provisions relate to, e.g., the processing of personal data by public entities for purposes other than those that justified the data collection, and additional restrictions on the validity of consent provided by employees.

3 Law No. 27/2021, of 17 May.

4 Deliberation 424/2000, of 15 September.

5 Deliberation 277/2020, of 29 June.

6 Deliberation 251/2020, of 3 June.

7 Deliberation 548/2021, of 27 April.

8 Portugal was the first EU Member State to include personal data protection in its Constitution.

9 Law No. 41/2004, as amended by Law No. 46/2012, of 29 August.

10 Recently regulated under Decree-Law No. 65/2021, of 30 July.

11 Approved by Law No. 7/2009, of 12 February, as subsequently amended.

12 Deliberation No. 1638/2013, applicable to the processing of personal data arising from the control of the use for private purposes of information and communication technologies in the employment context, adopted on 16 July 2013, available at https://www.cnpd.pt/media/kuqbxfdv/delib_controlo_tics.pdf (last accessed 30 July 2021).

13 Guidelines on distance assessment in higher education institutions, dated 20 May 2020, available at https://www.cnpd.pt/media/0mwfxdcp/orientacoes_avaliacao_distancia_ensino_superior.pdf (last accessed 30 July 2021).

14 Deliberation No. 7680/2014, applicable to the processing of personal data arising from the use of geolocation technologies in the employment context, approved on 28 October 2014, available at https://www.cnpd.pt/media/zvxmdfad/del_7680-2014_geo_laboral.pdf (last accessed 30 July 2021).

15 Deliberation No. 2020/277, approved on 29 June 2020, available through https://www.cnpd.pt/umbraco/surface/cnpdDecision/download/121773 (last accessed 6 August 2021).

16 Guidelines on the processing of personal health data regulated in Decree No. 8/2020 of 8 November, dated 13 November 2020, available at https://www.cnpd.pt/media/1bbppegs/orienta%C3%A7%C3%B5es_decreto_8_2020.pdf (last accessed 6 August 2021).

17 Principles on the use of biometric data in access and attendance controls, dated 26 February 2004, available at https://www.cnpd.pt/media/uqunywgn/principios-biom-assiduidade-acesso.pdf (last accessed 30 July 2021).

18 Currently, Andorra, Argentina, Canada (only commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and Japan.

19 Deliberation 533/2021, of 27 April.

20 Deliberation No. 297/2019, of 6 May.

21 Deliberation 948/2018, of 9 October.

22 In 2020, the CNPD's budget was €2,385,701, with €2,375,701 coming from the Portuguese national budget and €10,000 from the CNPD itself (self-funding).

23 Up to May 2021, the CNPD had imposed only eight fines (seven in 2019 and one in 2020) on the grounds of GDPR infringement, in an aggregate amount of €30,000.