Portugal - Data Breach Guide

Portugal

1.1 In the event of a data breach affecting residents of your country, is there any legal obligation or requirement to notify either a) affected individuals; or b) a regulator such as a data protection authority (DPA)?

According to Article 33 GDPR, it is mandatory to notify the DPA without undue delay, and where feasible, not later than 72 hours after having become aware of the breach, through the required form. If the deadline is not met, a justification for the delay is required together with the notification.

As to individuals, it is only necessary to notify them if the breach is likely to result in a high risk to the rights and freedoms of natural persons.

1.2 Under what conditions must such notification(s) be given, including a) what types of data must be breached to trigger notification; and b) whether the entity must be a data controller or data processor in your country for such obligations to apply?

Please refer to the chapter on the European Union for the specifics of the notification obligations pursuant to Articles 33 and 34 GDPR.

The rules are meant to apply to every type of data that is breached. According to the previous answer, the relevant aspect, when referring to individuals, is if the breach is likely to result in a high risk to the rights and freedoms of natural persons.

The entity does not have to be Portuguese to be susceptible of application of these rules. If doubts remain about where the notification should be presented, it can be submitted to the local authority.

1.3 For such notification(s), is there any required or suggested a) content of the notice; b) time period in which notice must be given; or c) method of giving notice, such as regular mail, email, web-posting or publication?

The notification shall meet the requirements stated in Article 33 (3) of the GDPR, which include describing the nature of the personal data breached, communicating the name and contact details of the data protection officer or contact point, describe the consequences of the personal data breach and the measures taken or proposed to be taken by the controller to address the breach.

The breach must be notified through a form provided by the Comissão Nacional de Proteção de Dados ("CNPD").

1.4 What are the penalties, fines or risks in failing to notify, either by the DPA or in litigation?

The fines, according to national law’s Article 38 and GDPR’s Article 83 (4) lit. a), may fluctuate from EUR 2,500 to 10,000,000 or up to 2 % of the annual worldwide turnover, whichever is higher, if it is a big company; from EUR 1,000 to 1,000,000 or 2 % of the annual worldwide turnover, whichever is higher, in case of a small and medium sized enterprise; or from EUR 500 to 250,000, in case of a natural person.

It is also important to state that according to the Deliberation 2019/494, in respect of Articles 83 and 84 of the GDPR, the CNPD declared it will no longer enforce the provisions set out in the national law, which are Articles 37 to 39 of Law 58/2019 of 8 of August. This means that, despite depending on a Court decision to state the national rules are contrary to the GDPR, the CNPD will not be making any decisions considering the national rules, when considering Articles 37 to 39 of Law 58/2019 of 8 of August.

The right to compensation is regulated in Article 82 of the GDPR.

1.5 Even if there is no current legal obligation to do so, or if there is no "data controller" or "data processor" located in your country, is notification to individuals recommended in the event of a data breach affecting residents in your country (such as in credit card data breaches)?

The notification to individuals follows the standards set out in point 1. Besides that, there is only one case where notification to individuals is mentioned: National Law (Law no. 58/2019 of 8 of August) specifies the processing of health and genetic data and requires a notification to the data holder whenever its data is accessed, not necessarily breached.

1.6 What are the applicable (data protection) laws or guidelines within your country?

Recently in Portugal, two legal diplomas have entered into force. Aforementioned Law no. 58/2019 of 8 of August relating to the execution of the GDPR and Law no. 59/2019 of 8 of August, transposing Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016.

There are also other rules and diplomas relating to Personal Data Protection, such as Constitution’s Article 35, Law no. 2/94 of 19 February establishing the control and surveillance mechanisms for the Schengen Information System, Law no. 36/2003 of 22 August, which lays down detailed rules for the implementation of the Council Decision establishing EUROJUST.

Other diplomas govern other topics that may be intertwined, such as electronic communications, video surveillance, genetic information or others. All national legal diplomas are stated on the CNPD’s website under the tab "Legislação".

Also, the CNPD provides deliberations which complement the GDPR, as the one stated in clause 1.4, which states that some Portuguese rules are contrary to GDPR and, in that way, are not to be enforced.

1.7 Contact information for the local Data Protection Authority:

For more information, contact: