Incoming legislation on data protection – PBBR

Within the context of the EU Regulation 2016/679 (General Data Protection Regulation, “GDPR”), which comes into force on 25 May 2018, the Portuguese legislator is preparing the approval of the national legislation that will implement the European framework at domestic level.


This legal act will provide a set of rules complementary to the European regulation, governing a number of topics that are referred to the national legislator in the GDPR.

The draft of the aforementioned legislation is still in discussion, nevertheless based on its contents one may anticipate the most significant aspects that will be provided therein, including a change to the Portuguese Data Protection Authority’s framework (Comissão Nacional de Proteção de Dados, or CNPD).

In line with the change in the compliance regime for personal data protection, there is a shift in the legal functions of CNPD, from prior control based on the performance of administrative formalities, to strengthened surveillance, control and inspection powers.

It should be noted that the processing activities that are the object of CNPD’s authorisation will be subject to the provisions of GDPR as from the date of its entry into force, with the exception of the obligation to carry out a data protection impact assessment, which will be exempted.

Regarding the accreditation of data privacy certification bodies, the competent authority for the accreditation of certification bodies of data privacy proceedings is Instituto Português de Acreditação. Meanwhile, with regard to children’s data, the minimum age at which children can lawfully issue their consent with respect to the processing of their personal data in the context of information society services, is 13 years of age. For children under 13 years, parental consent is required.

Also, the regulation regarding the data protection officer (DPO) is developed – the public entities that are required to have a DPO are specified in the legal draft. With respect to the government, the same DPO may be designated for more than one ministry.

The retention periods for personal data on the part of controllers/processors shall be coincident with the timeframe needed to pursue the underlying purpose. If the retention period is not specified by law or regulation, the controller/processor shall delete or anonymise the data when the relevant purpose is accomplished. Nonetheless, whenever the data is necessary for the controller/processor to evidence compliance with certain obligations, the data may be retained until the date of cancelation of the underlying rights.

The processing of sensible data, which includes health data, shall be carried out by a recognised professional bound by confidentiality duties, and all the persons who have access to the data shall also be subject to confidentiality obligations.

Meanwhile, the GDPR implementation legislation will specify three different thresholds of infractions and underlying sanctions, providing the distinction between very serious infractions (to which the maximum amount of administrative fines set forth in the GDPR, that is 4 per cent of global turnover or €20 million, will apply), serious infractions and minor infractions.

An important aspect that has been the subject of controversy, is that the legislator intends to provide a more favourable regime for public entities in relation to the application of administrative fines, setting either an exception thereto or an exemption period of three years.

Important changes regarding the processing of personal data in the scope of employment relations are also provided, notably to only allow the processing of biometric data for the purposes of access control to premises, or attendance control.

Regarding the adaptation to GDPR requirements, the legal draft provides for a period of six months for controllers to obtain new consents from data subjects with respect to personal data processing activities that rely on the consent of the data subjects, and which consent does not comply with all the requirements set forth by the regulation.

The incoming law on data privacy will clarify certain queries that arise at national level due to the changes introduced by the GDPR, and the shift to the regulatory framework of data protection it entails.

Rita Roque de Pinho is a partner at PBBR. She can be contacted at